Privilege Escalation

The adversary is trying to escalate their privileges within Azure Resources or Azure Active Directory.

| ID | Name | Description |
|---|---|---|
| AZT401 | Privileged Identity Management Role | An adversary may escalate their privileges if their current account has access to Privileged Identity Management (PIM). |
| AZT402 | Elevated Access Toggle | An adversary may escalate their privileges from Azure AD to all Azure subscriptions in the tenant if they are a Global Administrator. |
| AZT403 | Local Resource Hijack | An adversary may escalate their privileges by tampering with a local file generated by a resource. |
| .001 | Cloud Shell .IMG | By modifying the .bashrc file in a Cloud Shell .IMG file, an adversary may escalate their privileges. |
| AZT404 | Principal Impersonation | Adversaries may abuse resources that are configured with a service principal or other identity to further their access to the current or other resources. |
| .001 | Function Application | By utilizing a Function Application configured with a managed identity or other identity provider, an attacker can execute Azure operations on a given resource. |
| .002 | Logic Application | By utilizing a Logic Application configured with a managed identity or other identity provider, an attacker can execute Azure operations on a given resource. |
| .003 | Automation Account | By utilizing an Automation Account configured with a managed identity or Run As account, an attacker can execute Azure operations on a given resource. |
| .004 | App Service | By utilizing an App Service configured with a managed identity or other identity provider, an attacker can execute Azure operations on a given resource. |
| AZT405 | Azure AD Application | Adversaries may abuse the permissions assigned to an Azure AD Application to escalate their privileges. |
| .001 | Application API Permissions | By compromising a service principal whose application has privileged API permissions, an attacker can escalate their privileges to a higher-privileged role. |
| .002 | Application Role | By compromising a user, a user in a group, or a service principal that holds an application role over an application, an attacker may be able to escalate their privileges by impersonating the associated service principal and leveraging any privileged application role assigned to it. |
| .003 | Application Registration Owner | By compromising an account that is an 'Owner' of an application configured with additional roles or API permissions, an attacker can escalate their privileges by adding a certificate or credentials and logging in as the service principal. |