Skip to content

Persistence#

The adversary is trying to persist in the Azure tenant or subscription. Persistence consists of techniques that adversaries use to modify existing resources, or modify and manipulate accounts in order to access Azure Active Directory.

ID Name Description
AZT501 Account Manipulation An adverary may manipulate an account to maintain access in an Azure tenant
AZT501.1 User Account Manipulation An adverary may manipulate a user account to maintain access in an Azure tenant
AZT501.2 Service Principal Manipulation An adverary may manipulate a service principal to maintain access in an Azure tenant
AZT501.3 Azure VM Local Administrator Manipulation An adverary may manipulate the local admin account on an Azure VM
AZT502 Account Creation An adversary may create an account in Azure Active Directory.
AZT502.1 User Account Creation An adversary may create a user account in Azure Active Directory.
AZT502.2 Service Principal Creation An adversary may create an application & service principal in Azure Active Directory
AZT502.3 Guest Account Creation An adversary may create a guest account in Azure Active Directory
AZT503 HTTP Trigger Adversaries may configure a resource with an HTTP trigger to run commands without needing authentication.
AZT503.1 Logic Application HTTP Trigger Adversaries may configure a Logic Application with an HTTP trigger to run commands without needing authentication.
AZT503.2 Function App HTTP Trigger Adversaries may configure a Function App with an HTTP trigger to run commands without needing authentication.
AZT503.3 Runbook Webhook Adversaries may create a webhook to a Runbook which allows unauthenticated access into an Azure subscription or tenant.
AZT503.4 WebJob Adversaries may create a WebJob on a App Service which allows arbitrary background tasks to be run on a set schedule
AZT504 Watcher Tasks By configurating a watcher task and a Runbook, an adversary can establish persistence by executing the Runbook on a triggered event.
AZT505 Scheduled Jobs By configurating an Azure resource that supports scheduled execution, an adversary can execute an operation at a defined interval.
AZT505.1 Runbook Schedules Adversaries may create a schedule for a Runbook to run at a defined interval.
AZT506 Network Security Group Modification Adversaries can modify the rules in a Network Security Group to establish access over additional ports.
AZT507 External Entity Access Adversaries may configure the target Azure tenant to be managed by another, externel tenant, or its users.
AZT507.1 Azure Lighthouse Adversaries may utilize Azure Lighthouse to manage the target tenant from an external tenant.
AZT507.2 Microsoft Partners Adversaries may use Delegated Administrative Privileges to give themselves administrator access to the target tenant.
AZT507.3 Subscription Hijack An adversary may transfer a subscription from a target tenant to an attacker-controlled tenant.
AZT507.4 Domain Trust Modification An adversary may add an additional identity provider or domain to maintain a backdoor into the tenant.
AZT508 Azure Policy By configuring a policy with the 'DeployIfNotExists' definition, an adverary may establish persistence by creating a backdoor when the policy is triggered.