Skip to content

AzureLogo
#

Reconnaissance

Initial Access

Execution

Privilege Escalation

Persistence

Credential Access

Exfiltration

Port Mapping Valid Credentials Virtual Machine Scripting Privileged Identity Management Role Account Manipulation Steal Managed Identity JsonWebToken SAS URI Generation
IP Discovery Password Spraying Unmanaged Scripting Elevated Access Toggle Account Creation Steal Service Principal Certificate File Share Mounting
Public Accessible Resource Managed Device Scripting Local Resource Hijack HTTP Trigger Service Principal Secret Reveal Replication
Gather User Information Principal Impersonation Watcher Tasks Azure KeyVault Dumping
Gather Application Information Azure AD Application Scheduled Jobs Resource Secret Reveal
Gather Role Information Network Security Group Modification
Gather Resource Data External Entity Access
Gather Victim Data
How to Use

The top row designates the tactic being used and the rows below it are the specific techniques pertaining to that tactic. Clicking on a specific tactic will list the techniques specific to it. Clicking on a specific technique will bring you to the page on that technique and the details around it.

You can also utilize the search bar at the top to recursively search for specific text. For example, to search for what techniques a certain action or permission has, just enter the action in the search bar and it will show all relevant techniques.
example

When viewing the page of a technique, specific examples of how to abuse the technique with different methods are shown. By clicking on the given command, it will bring you to the documentation around it.

cliexample

Disclaimer

The purpose of the Azure Threat Research Matrix (ATRM) is to educate readers on the potential of Azure-based tactics, techniques, and procedures (TTPs). It is not to teach how to weaponize or specifically abuse them. For this reason, some specific commands will be obfuscated or parts will be omitted to prevent abuse.

Feedback

With the intent of ATRM being a collaborative effort with the community, feedback is greatly appreciated. Is there a new or missing technique? Is the formatting off-putting? Please let me know @haus3c.

Acknowledgements#