Skip to content



Initial Access


Privilege Escalation


Credential Access


Port Mapping Valid Credentials Virtual Machine Scripting Privileged Identity Management Role Account Manipulation Steal Managed Identity JsonWebToken SAS URI Generation
IP Discovery Password Spraying Unmanaged Scripting Elevated Access Toggle Account Creation Steal Service Principal Certificate File Share Mounting
Public Accessible Resource Malicious Application Consent Managed Device Scripting Local Resource Hijack HTTP Trigger Service Principal Secret Reveal Replication
Gather User Information Principal Impersonation Watcher Tasks Azure KeyVault Dumping Soft-Delete Recovery
Gather Application Information Azure AD Application Scheduled Jobs Resource Secret Reveal Azure Backup Delete
Gather Role Information Network Security Group Modification
Gather Resource Data External Entity Access
Gather Victim Data Azure Policy
How to Use

The top row designates the tactic being used and the rows below it are the specific techniques pertaining to that tactic. Clicking on a specific tactic will list the techniques specific to it. Clicking on a specific technique will bring you to the page on that technique and the details around it.

You can also utilize the search bar at the top to recursively search for specific text. For example, to search for what techniques a certain action or permission has, just enter the action in the search bar and it will show all relevant techniques.

When viewing the page of a technique, specific examples of how to abuse the technique with different methods are shown. By clicking on the given command, it will bring you to the documentation around it.



The purpose of the Azure Threat Research Matrix (ATRM) is to educate readers on the potential of Azure-based tactics, techniques, and procedures (TTPs). It is not to teach how to weaponize or specifically abuse them. For this reason, some specific commands will be obfuscated or parts will be omitted to prevent abuse.

New Technique Proposal

Have an idea for a new technique? Fill out the form here and we will contact you within 48 hours on further steps.


With the intent of ATRM being a collaborative effort with the community, feedback is greatly appreciated. Is there a new or missing technique? Is the formatting off-putting? Please let me know @haus3c.