Privilige Escalation#
The adversary is trying to escalate their privileges within Azure Resources or Azure Active Directory.
| ID | Name | Description | |
|---|---|---|---|
| AZT401 | Privileged Identity Management Role | An adversary may escalate their privileges if their current account has access to Privileged Identity Management (PIM) | |
| AZT402 | Elevated Access Toggle | An adversary may escalate their privileges from Azure AD to all Azure subscriptions in the tenant if they are a global administrator | |
| AZT403 | Local Resource Hijack | An adversary may escalate their privileges by tampering with a local file generated by a resource | |
| .001 | Cloud Shell .IMG | By modifying the .bashrc file in a CloudShell .IMG file, an adversary may escalate their privileges | |
| AZT404 | Principal Impersonation | Adversaries may abuse resources that are configured with a service principal or other identity to further their access to the current or other resources. | |
| .001 | Function Application | By utilizing a Function Application configured with a managed identity or other identity provider, an attacker can execute Azure operations on a given resource. | |
| .002 | Logic Application | By utilizing a Logic Application configured with a managed identity or other identity provider, an attacker can execute Azure operations on a given resource. | |
| .003 | Automation Account | By utilizing a Automation Account configured with a managed identity or RunAs account, an attacker can execute Azure operations on a given resource. | |
| .004 | App Service | By utilizing an App Service configured with a managed identity or other identity provider, an attacker can execute Azure operations on a given resource. | |
| AZT405 | Azure AD Application | Adversaries may abuse the assigned permissions on an Azure AD Application to escalate their privileges. | |
| .001 | Application API Permissions | By compromising a service principal whose application has privileged API permissions, an attacker can escalate their privileges to a higher privileged role. | |
| .002 | Application Role | By compromising a user, user in a group, or service principal that has an application role over an application, they may be able to escalate their privileges by impersonating the associated service principal and leveraging any privileged assigned application role. | |
| .003 | Application Registration Owner | By compromising an account who is an 'Owner' over an application that is configured with additional roles or API permissions, an attacker can escalate their privileges by adding a certificate or credentials & logging in as the service principal. |