Azure Threat Research Matrix
Tactics
Reconnaissance
AZT101 - Port Mapping
AZT102 - IP Discovery
AZT103 - Public Accessible Resource
AZT104 - Gather User Information
AZT105 - Gather Application Information
AZT106 - Gather Role Information
AZT106.1 - Gather AAD Role Information
AZT106.2 - Gather Application Role Information
AZT106.3 - Gather Azure Resources Role Assignments
AZT107 - Gather Resource Data
AZT108 - Gather Victim Data
Initial Access
AZT201 - Valid Credentials
AZT201.1 - User Account
AZT201.2 - Service Principal
AZT202 - Password Spraying
AZT203 - Malicious Application Consent
Execution
AZT301 - Virtual Machine Scripting
AZT301.1 - RunCommand
AZT301.2 - CustomScriptExtension
AZT301.3 - Desired State Configuration
AZT301.4 - Compute Gallery Application
AZT301.5 - AKS Command Invoke
AZT301.6 - Vmss Run Command
AZT301.7 - Serial Console
AZT302 - Serverless Scripting
AZT302.1 - Automation Account Runbook Hybrid Worker Group
AZT302.2 - Automation Account Runbook RunAs Account
AZT302.3 - Automation Account Runbook Managed Identity
AZT302.4 - Function Application
AZT303 - Managed Device Scripting
Privilege Escalation
AZT201 - Valid Credentials
AZT401 - Privileged Identity Management Role
AZT402 - Elevated Access Toggle
AZT403 - Local Resource Hijack
AZT404 - Principal Impersonation
AZT404.1 - Function Application
AZT404.2 - Logic Application
AZT404.3 - Automation Account
AZT404.4 - App Service
AZT405 - Azure AD Application
AZT405.1 - Application API Permissions
AZT405.2 - Application Role
AZT405.3 - Application Registration Owner
Persistence
AZT201 - Valid Credentials
AZT501 - Account Manipulation
AZT501.1 - User Account Manipulation
AZT501.2 - Service Principal Manipulation
AZT501.3 - Azure VM Local Administrator Manipulation
AZT502 - Account Creation
AZT502.1 - User Account Creation
AZT502.2 - Service Principal Creation
AZT502.3 - Guest Account Creation
AZT503 - HTTP Trigger
AZT503.1 - Logic Application HTTP Trigger
AZT503.2 - Function App HTTP Trigger
AZT503.3 - Runbook Webhook
AZT503.4 - WebJob
AZT504 - Watcher Tasks
AZT505 - Scheduled Jobs
AZT506 - Network Security Group Modification
AZT507 - External Entity Access
AZT507.1 - Azure Lighthouse
AZT507.2 - Microsoft Partners
AZT507.3 - Subscription Hijack
AZT507.4 - Domain Trust Modification
AZT508 - Azure Policy
Credential Access
AZT601 - Steal Managed Identity JsonWebToken
AZT601.1 - Virtual Machine IMDS Request
AZT601.2 - Azure Kubernetes Service IMDS Request
AZT601.3 - Logic Application JWT PUT Request
AZT601.4 - Function Application JWT GET Request
AZT601.5 - Automation Account Runbook
AZT602 - Steal Service Principal Certificate
AZT603 - Service Principal Secret Reveal
AZT604 - Azure KeyVault Dumping
AZT604.1 - Azure KeyVault Secret Dump
AZT604.2 - Azure KeyVault Certificate Dump
AZT604.3 - Azure KeyVault Key Dump
AZT605 - Resource Secret Reveal
AZT605.1 - Storage Account Access Key Dumping
AZT605.2 - Automation Account Credential Secret Dump
AZT605.3 - Resource Group Deployment History Secret Dump
Impact
AZT701 - SAS URI Generation
AZT701.1 - VM Disk SAS URI
AZT701.2 - Storage Account File Share SAS
AZT702 - File Share Mounting
AZT703 - Replication
AZT704 - Soft-Delete Recovery
AZT704.1 - Key Vault
AZT704.2 - Storage Account Object
AZT704.3 - Recovery Services Vault
AZT705 - Azure Backup Delete
404 - Not found