AZT404 - Principal Impersonation
Adversaries may abuse resources that have a service principal, managed identity or other identity attached in order to act as that identity and extend their access to the current resource or to other resources the identity has been granted rights over. The attacker never needs the identity's credentials: write access to the hosting resource (a function, workflow, runbook or site) is enough to make that resource request tokens and perform operations on the attacker's behalf.
ID | Name | Description | Action | Resources
---|---|---|---|---
AZT404.1 | Function Application | By modifying or deploying a Function Application that is configured with a managed identity or other identity provider, an attacker can execute Azure operations as that identity against any resource it has access to. | Microsoft.Web/sites/hostruntime/vfs/run.csx/write<br>Microsoft.Web/sites/functions/write<br>Microsoft.Web/sites/write | Function App
AZT404.2 | Logic Application | By modifying or running a Logic Application that is configured with a managed identity or other identity provider, an attacker can execute Azure operations as that identity against any resource it has access to. | Microsoft.Logic/workflows/write<br>Microsoft.Logic/workflows/run/action<br>Microsoft.Logic/operations/read | Logic Application
AZT404.3 | Automation Account | By modifying or running a runbook in an Automation Account that is configured with a managed identity or Run As account, an attacker can execute Azure operations as that identity against any resource it has access to. | Microsoft.Automation/automationAccounts/runbooks/* | Automation Account
AZT404.4 | App Service | By modifying or deploying an App Service that is configured with a managed identity or other identity provider, an attacker can execute Azure operations as that identity against any resource it has access to. | Microsoft.Web/sites/write | App Service