
A DEFENDER'S CHEAT SHEET

MITRE ATT&CK
in Azure
A helpful way to map MITRE ATT&CK tactics to Azure actions

Chasing down Microsoft Defender alerts and combing through Azure Monitor activity logs can be tough if
you don't know what to look for (or even if you do). Knowing which actions are associated with different
attack tactics isn't intuitive, which is why we created this handy cheat sheet to help you while you're
investigating incidents in Azure.

Bottom line:
This guide contains a breakdown of the tactics we see attackers use most often during attacks in Azure.

To give you a jump start on investigations in your own Azure environment, we've mapped the Azure services in
which these tactics often originate (thanks, crafty attackers) along with the actions attackers take to execute
these techniques.

As a bonus, we're throwing in some of our own tips and tricks that you can use when investigating an incident in
Azure that's related to any of these attack tactics.

How to use this mind map
This mind map (or cheat sheet) is intended to be a resource to help answer investigative questions during Azure
alert triage, investigations, and incident response. You can use it to quickly identify potential attacks in Azure and
map them to MITRE ATT&CK tactics.

Depending on which phase of an attack you're investigating, you can also use it to identify other potential attack
paths and MITRE ATT&CK tactics the attacker might have used. This'll help you see the bigger picture and identify
risky activity and behaviors that could indicate you're compromised and require remediation.

For example, if you see suspected credential access, you can investigate to check how that principal authenticated
to Azure, whether it has been granted any sensitive roles, or whether there are any other suspicious actions that could
represent attacker activity. Some other tactics that an attacker could have executed prior to credential access are
discovery, persistence, and privilege escalation.

A defender’s cheat sheet: MITRE ATT&CK in Azure 2


MITRE ATT&CK TACTICS

Azure mind map for investigations and incidents

Legend: CIRCLE = MITRE ATT&CK tactics; OVAL = IAM resources; RECTANGLE = Azure services; OUTLINED RECTANGLE = actions.
The diagram is centred on the Admin Activity Audit Logs, with each tactic branching out to the Azure services or IAM
resources it typically originates from and then to the logged actions to look for. Flattened from the diagram:

Initial access
  Console / API -> Cloud IAM
    SignInLogs (Azure Portal login events)
    AADServicePrincipalSignInLogs
    AuditLogs where ActivityDisplayName == "Consent to application"

Execution
  Cloud workflows (Function apps, logic apps, webjobs)
    Microsoft.Compute/virtualMachines/runCommand/action
    Microsoft.Compute/virtualMachines/write (CustomScript)
    Microsoft.Automation/automationAccounts/runbooks/write

Persistence
  Cloud workflows (Function apps, logic apps, webjobs)
    Microsoft.Web/sites/functions/write
    Microsoft.Logic/workflows/write
    Microsoft.Automation/automationAccounts/runbooks/*
  Cloud IAM
    Microsoft.directory/users/enable
    Microsoft.directory/servicePrincipals/credentials/update
    Microsoft.Web/sites/write
  Automation account
    Microsoft.Automation/automationAccounts/jobs/write

Privilege escalation
  Cloud IAM
    User: Microsoft.directory/users/enable, Microsoft.directory/users/password/update
    Group: Microsoft.directory/groups/members/update
    Service account: Microsoft.directory/servicePrincipals/enable,
      Microsoft.directory/servicePrincipals/credentials/update, Microsoft.directory/servicePrincipals/owners/update
    Role: Microsoft.Authorization/roleAssignments/write, RoleManagement.ReadWrite.Directory

Credential access
  Key vault
    Microsoft.KeyVault/vaults/secrets/getSecret/action
    Microsoft.KeyVault/vaults/secrets/restore/action
    Microsoft.KeyVault/vaults/secrets/recover/action
    Microsoft.KeyVault/vaults/certificates/read
    Microsoft.KeyVault/vaults/certificates/restore/action
    Microsoft.KeyVault/vaults/keys/read
  Storage accounts
    Microsoft.Storage/storageAccounts/listkeys/action
    Microsoft.Storage/storageAccounts/regeneratekey/action
  Automation account
    Microsoft.Automation/automationAccounts/runbooks/*
  Resource group
    Microsoft.Resources/deployments/read

Collection
  Azure storage / SQL database
    Microsoft.Sql/servers/databases/transparentDataEncryption/write
    Microsoft.Sql/managedInstances/databases/transparentDataEncryption/write
    GetBlob where auth_type == "anonymous" (storage logs)
    Microsoft.Compute/disks/beginGetAccess/action

Exfiltration
  Key vault
    Microsoft.KeyVault/vaults/*/restore
    Microsoft.KeyVault/locations/deletedVaults/read
  Virtual machine
    Microsoft.Compute/disks/beginGetAccess/action
    Microsoft.Compute/snapshots/beginGetAccess/action
  Storage account
    Microsoft.Storage/storageAccounts/listAccountSas/action
    Microsoft.Storage/storageAccounts/objectReplicationPolicies/write
    Microsoft.Storage/storageAccounts/blobServices/containers/write
  Recovery services vault
    Microsoft.RecoveryServices/Vaults/backupconfig/write
  SQL database
    Microsoft.Sql/servers/databases/export/action

Lateral movement
  IAM
    Microsoft.Authorization/roleAssignments/write
    Microsoft.Authorization/policyDefinitions/write
    Microsoft.Automation/automationAccounts/runbooks/*

Impact
  Azure services
    Microsoft.Security/securitySolutions/delete
    Microsoft.Authorization/policyAssignments/delete
    Microsoft.Storage/storageAccounts/delete

Note: the original diagram prints the Collection disk action as "Microsoft.Compute/disks/BeginGetAccess/actionsetIamPolicy". The
"setIamPolicy" suffix is a Google Cloud method name with no Azure equivalent; the Azure operation is
Microsoft.Compute/disks/beginGetAccess/action, the same one listed under Exfiltration.
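To make the map usable in a triage script, here is an added example (my own code, not Expel's) that encodes the operation names above as a lookup table and pivots a batch of Azure Activity Log records by caller, so you can see which tactics one principal has touched: the "bigger picture" view the introduction describes. The record field names (operationName, caller, time) follow the Activity Log export schema, but the records are constructed for the example, and the case-insensitive and wildcard matching rules are my assumptions about how the sheet's `*` patterns are meant to be read.

```python
"""Added example: index the cheat sheet's operation names by tactic and pivot
Activity Log records by caller. Not Expel's code; sample records are constructed."""
import fnmatch
from collections import defaultdict

TACTIC_ORDER = ["Initial access", "Execution", "Persistence", "Privilege escalation",
                "Credential access", "Collection", "Exfiltration", "Lateral movement", "Impact"]

# Tactic -> operation names (or `*` patterns) as the mind map lists them. Initial access is
# evidenced by sign-in logs rather than operations, so it has no entry here.
MIND_MAP = {
    "Execution": ["Microsoft.Compute/virtualMachines/runCommand/action",
                  "Microsoft.Compute/virtualMachines/write",
                  "Microsoft.Automation/automationAccounts/runbooks/write"],
    "Persistence": ["Microsoft.Web/sites/functions/write", "Microsoft.Logic/workflows/write",
                    "Microsoft.Automation/automationAccounts/runbooks/*", "Microsoft.directory/users/enable",
                    "Microsoft.directory/servicePrincipals/credentials/update", "Microsoft.Web/sites/write",
                    "Microsoft.Automation/automationAccounts/jobs/write"],
    "Privilege escalation": ["Microsoft.directory/users/enable", "Microsoft.directory/users/password/update",
                             "Microsoft.directory/groups/members/update", "Microsoft.directory/servicePrincipals/enable",
                             "Microsoft.directory/servicePrincipals/credentials/update",
                             "Microsoft.directory/servicePrincipals/owners/update",
                             "Microsoft.Authorization/roleAssignments/write", "RoleManagement.ReadWrite.Directory"],
    "Credential access": ["Microsoft.KeyVault/vaults/secrets/getSecret/action",
                          "Microsoft.KeyVault/vaults/secrets/restore/action",
                          "Microsoft.KeyVault/vaults/secrets/recover/action", "Microsoft.KeyVault/vaults/certificates/read",
                          "Microsoft.KeyVault/vaults/certificates/restore/action", "Microsoft.KeyVault/vaults/keys/read",
                          "Microsoft.Storage/storageAccounts/listkeys/action",
                          "Microsoft.Storage/storageAccounts/regeneratekey/action",
                          "Microsoft.Automation/automationAccounts/runbooks/*", "Microsoft.Resources/deployments/read"],
    "Collection": ["Microsoft.Sql/servers/databases/transparentDataEncryption/write",
                   "Microsoft.Sql/managedInstances/databases/transparentDataEncryption/write",
                   "Microsoft.Compute/disks/beginGetAccess/action"],
    "Exfiltration": ["Microsoft.KeyVault/vaults/*/restore", "Microsoft.KeyVault/locations/deletedVaults/read",
                     "Microsoft.Compute/disks/beginGetAccess/action", "Microsoft.Compute/snapshots/beginGetAccess/action",
                     "Microsoft.Storage/storageAccounts/listAccountSas/action",
                     "Microsoft.Storage/storageAccounts/objectReplicationPolicies/write",
                     "Microsoft.Storage/storageAccounts/blobServices/containers/write",
                     "Microsoft.Storage/storageAccounts/fileServices/shares/write",
                     "Microsoft.RecoveryServices/Vaults/backupconfig/write", "Microsoft.Sql/servers/databases/export/action"],
    "Lateral movement": ["Microsoft.Authorization/roleAssignments/write", "Microsoft.Authorization/policyDefinitions/write",
                         "Microsoft.Automation/automationAccounts/runbooks/*"],
    "Impact": ["Microsoft.Security/securitySolutions/delete", "Microsoft.Authorization/policyAssignments/delete",
               "Microsoft.Storage/storageAccounts/delete", "Microsoft.RecoveryServices/Vaults/delete"],
}


def tactics_for(operation_name):
    """Tactics the sheet lists `operation_name` under. Activity Log operation names arrive in
    mixed case, so matching is case-insensitive; `*` matches any path segments; and because
    real RBAC action names end in `/action`, a pattern that omits it (the sheet writes
    `vaults/*/restore`) is also tried with `/action` appended. Both are assumptions."""
    op = operation_name.lower()
    hits = set()
    for tactic, patterns in MIND_MAP.items():
        for pat in patterns:
            pat = pat.lower()
            if fnmatch.fnmatchcase(op, pat) or fnmatch.fnmatchcase(op, pat + "/action"):
                hits.add(tactic)
    return frozenset(hits)


def pivot_by_caller(records):
    """caller -> {tactic: sorted distinct operations}; unmapped operations are ignored."""
    out = defaultdict(lambda: defaultdict(set))
    for rec in records:
        for tactic in tactics_for(rec["operationName"]):
            out[rec["caller"]][tactic].add(rec["operationName"])
    return {c: {t: sorted(ops) for t, ops in ts.items()} for c, ts in out.items()}


def kill_chain(records, caller):
    """Tactics `caller` touched, in kill-chain order: the 'bigger picture' pivot."""
    touched = pivot_by_caller(records).get(caller, {})
    return [t for t in TACTIC_ORDER if t in touched]


# Constructed sample; field names follow the Activity Log export schema.
SAMPLE_ACTIVITY = [
    {"time": "2024-05-01T09:12:03Z", "caller": "svc-deploy@contoso.example",
     "operationName": "MICROSOFT.COMPUTE/VIRTUALMACHINES/RUNCOMMAND/ACTION"},
    {"time": "2024-05-01T09:15:40Z", "caller": "svc-deploy@contoso.example",
     "operationName": "Microsoft.KeyVault/vaults/secrets/getSecret/action"},
    {"time": "2024-05-01T09:20:11Z", "caller": "svc-deploy@contoso.example",
     "operationName": "Microsoft.Authorization/roleAssignments/write"},
    {"time": "2024-05-01T09:31:57Z", "caller": "svc-deploy@contoso.example",
     "operationName": "Microsoft.Storage/storageAccounts/listAccountSas/action"},
    {"time": "2024-05-01T10:02:00Z", "caller": "alice@contoso.example",
     "operationName": "Microsoft.Compute/virtualMachines/read"},
]

if __name__ == "__main__":
    for who in sorted({r["caller"] for r in SAMPLE_ACTIVITY}):
        print(who, "->", kill_chain(SAMPLE_ACTIVITY, who))
```

Run against a day of AzureActivity export and sort callers by how many tactics they span; a single principal covering Execution, Credential access, Privilege escalation and Exfiltration in one morning is the pattern the sheet is built to surface, whichever alert you started from.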



A closer look at tactics, techniques and actions

To help you get a better sense of how we think about our investigations in Azure, let's take a closer look at the
tactics, techniques and associated actions attackers might perform.



MITRE ATT&CK TACTIC:

Initial access
• Why attackers do it: To gain an initial foothold into the target
environment.

• How attackers execute it: Attackers may use the Azure portal or Azure CLI
with stolen credentials from a user account or service principal. Compromised
web apps, malicious application consent grants, and pivoting from a Business
Email Compromise (BEC) are all examples of how an attacker might get an
initial foothold.

• Look for the following operations (Console / API -> Cloud IAM):

SignInLogs (Azure Portal login events)
AADServicePrincipalSignInLogs
AuditLogs where ActivityDisplayName == "Consent to application"

• Investigation tips and tricks: Review the source of authentication,
user-agent strings, and credentials used to access the Azure environment.
Investigate the authenticating user's normal location. Check for any
geo-impossible authentications, suspicious IP addresses, or anomalous
authentication behavior.
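The geo-impossible check in the tips above, as an added example (my own code, not from the cheat sheet): it walks Entra sign-in records per user, computes the great-circle distance between consecutive successful sign-ins and flags pairs that would require an implausible travel speed, and separately flags user agents a user has never presented before. The record layout (userPrincipalName, createdDateTime, ipAddress, location.geoCoordinates, userAgent, resultType) mirrors the Entra sign-in log export; the records, the 900 km/h ceiling and the 100 km minimum distance are constructed assumptions you should tune to your tenant.

```python
"""Added example: impossible-travel and new-user-agent checks over Entra sign-in
records. Not Expel's code; records, thresholds and field names are assumptions."""
import math
from datetime import datetime, timezone

MAX_PLAUSIBLE_KMH = 900.0   # assumption: faster than an airliner means two different people
MIN_DISTANCE_KM = 100.0     # assumption: ignore same-metro hops and carrier NAT jitter
EARTH_RADIUS_KM = 6371.0


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two WGS84 points."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi, dlam = math.radians(lat2 - lat1), math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlam / 2) ** 2
    return 2 * EARTH_RADIUS_KM * math.asin(math.sqrt(a))


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def impossible_travel(signins, max_kmh=MAX_PLAUSIBLE_KMH, min_km=MIN_DISTANCE_KM):
    """Consecutive *successful* sign-ins by one user that imply travel faster than max_kmh.
    Failed attempts are skipped: a password spray from abroad is a different signal."""
    by_user = {}
    for s in signins:
        if s["resultType"] == "0":                 # Entra reports success as "0"
            by_user.setdefault(s["userPrincipalName"], []).append(s)
    findings = []
    for upn, rows in by_user.items():
        rows.sort(key=lambda r: parse_ts(r["createdDateTime"]))
        for a, b in zip(rows, rows[1:]):
            ga, gb = a["location"]["geoCoordinates"], b["location"]["geoCoordinates"]
            km = haversine_km(ga["latitude"], ga["longitude"], gb["latitude"], gb["longitude"])
            if km < min_km:
                continue
            hours = (parse_ts(b["createdDateTime"]) - parse_ts(a["createdDateTime"])).total_seconds() / 3600
            kmh = km / hours if hours > 0 else math.inf
            if kmh > max_kmh:
                findings.append({"user": upn, "from_ip": a["ipAddress"], "to_ip": b["ipAddress"],
                                 "km": round(km), "kmh": round(kmh), "at": b["createdDateTime"]})
    return findings


def new_user_agents(signins, baseline):
    """Sign-ins (successful or not) whose user agent never appeared for that user in the baseline."""
    seen = {}
    for s in baseline:
        seen.setdefault(s["userPrincipalName"], set()).add(s["userAgent"])
    return [s for s in signins if s["userAgent"] not in seen.get(s["userPrincipalName"], set())]


def _signin(upn, ts, ip, lat, lon, ua, result="0"):
    return {"userPrincipalName": upn, "createdDateTime": ts, "ipAddress": ip, "userAgent": ua,
            "resultType": result, "location": {"geoCoordinates": {"latitude": lat, "longitude": lon}}}


EDGE = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Edg/124.0"
BASELINE = [  # constructed: what both users normally look like
    _signin("alice@contoso.example", "2024-04-29T15:00:00Z", "198.51.100.10", 47.6062, -122.3321, EDGE),
    _signin("bob@contoso.example", "2024-04-29T15:10:00Z", "198.51.100.10", 47.6062, -122.3321, EDGE),
]
TODAY = [  # constructed: Alice in Seattle at 09:00 and Frankfurt 90 minutes later; Bob drives to Portland
    _signin("alice@contoso.example", "2024-05-01T09:00:00Z", "198.51.100.10", 47.6062, -122.3321, EDGE),
    _signin("alice@contoso.example", "2024-05-01T09:40:00Z", "203.0.113.77", 50.1109, 8.6821, "python-requests/2.31.0", "50126"),
    _signin("alice@contoso.example", "2024-05-01T10:30:00Z", "203.0.113.77", 50.1109, 8.6821, "python-requests/2.31.0"),
    _signin("bob@contoso.example", "2024-05-01T09:00:00Z", "198.51.100.10", 47.6062, -122.3321, EDGE),
    _signin("bob@contoso.example", "2024-05-01T12:00:00Z", "198.51.100.24", 45.5152, -122.6784, EDGE),
]

if __name__ == "__main__":
    for f in impossible_travel(TODAY):
        print("impossible travel:", f)
    for s in new_user_agents(TODAY, BASELINE):
        print("new user agent for", s["userPrincipalName"], ":", s["userAgent"])
```

The failed Frankfurt attempt (result 50126) is deliberately excluded from the travel check but still surfaces through the user-agent check, which is the order you want in triage: first establish whether the successful session is the user at all, then look at what preceded it.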



MITRE ATT&CK TACTIC:

Execution
• Why attackers do it: To run malicious code or tooling in the target
account.

• How attackers execute it: Attackers often abuse existing tooling in the
Azure environment to execute malicious code, such as Automation Accounts
and Virtual Machine (VM) scripts.

• Look in the following operations (Cloud workflows: Function apps, logic apps, WebJobs):

Microsoft.Compute/virtualMachines/runCommand/action
Microsoft.Compute/virtualMachines/write (CustomScript)
Microsoft.Automation/automationAccounts/runbooks/write

• Investigation tips and tricks: Look out for execution of the operations
above en masse, from anomalous identities, or targeting sensitive resources.
Attackers may use the Run Command feature on Azure virtual machines to
execute PowerShell in a highly privileged context (run commands execute as
SYSTEM on Windows and as root on Linux). Or, they may use a Custom
Script Extension to execute PowerShell on the target machine; note that
deploying an extension is logged as Microsoft.Compute/virtualMachines/extensions/write,
so include that operation alongside the plain virtualMachines/write in your queries.
The bottom line is that attackers can abuse existing tools in the environment
to help them deliver malicious commands.



MITRE ATT&CK TACTIC:

Persistence
• Why attackers do it: To maintain access to the target environment across
any interruptions.

• How attackers execute it: Attackers in an Azure environment may
establish persistence through various techniques. Some of these include the
alteration or creation of Microsoft Entra ID (formerly Azure Active Directory) accounts and
service principals, exploiting Azure-native automation features like Automation
Accounts, Logic Apps, and Functions, and tweaking network configurations
such as Network Security Group (NSG) rules and VPN settings.

• Look for the following operations:

Cloud workflows (Function apps, logic apps, WebJobs)
Microsoft.Web/sites/functions/write
Microsoft.Logic/workflows/write
Microsoft.Automation/automationAccounts/runbooks/*

Cloud IAM
Microsoft.directory/users/enable
Microsoft.directory/servicePrincipals/credentials/update
Microsoft.Web/sites/write

Automation account
Microsoft.Automation/automationAccounts/jobs/write

• Investigation tips and tricks: Look out for suspicious IAM changes
or new identities which may provide an attacker extended access into the
environment. For example, an Azure Automation runbook may be used to
re-establish access after an interruption, such as by re-creating a privileged
identity or re-adding a credential to a service principal. While investigating,
Azure Activity Logs can help identify anomalies such as unexpected role changes,
new user or service principal creation, and unusual resource deployments.



MITRE ATT&CK TACTIC:

Privilege escalation
• Why attackers do it: To gain higher-level permissions within the target
environment to reach their objective(s). Elevated permissions are typically required
to establish persistence, access credentials, and exfiltrate sensitive data.

• How attackers execute it: Attackers may escalate their privileges within
Microsoft Entra ID or within Azure resources. Entra ID lets administrators (and, depending
on the directory's default user permissions, non-administrators) manage directory objects
such as users, groups, and roles by enabling them or modifying and updating their
configuration, so a compromised account that holds those rights can be used to grant more.
Attackers can also abuse services such as automation accounts or logic apps that run with
a service principal or managed identity, leveraging that identity's assigned permissions to
further their access.

• Look for the following operations (Cloud IAM):

User
Microsoft.directory/users/enable
Microsoft.directory/users/password/update

Group
Microsoft.directory/groups/members/update

Service account
Microsoft.directory/servicePrincipals/enable
Microsoft.directory/servicePrincipals/credentials/update
Microsoft.directory/servicePrincipals/owners/update

Role
Microsoft.Authorization/roleAssignments/write
RoleManagement.ReadWrite.Directory (a Microsoft Graph application permission; watch for it being granted to an app)

• Investigation tips and tricks: Be on the lookout for any sudden or
unexpected alterations in Entra ID groups, users,
or service principals. Such changes might indicate attackers attempting to exploit
elevated permissions. Additionally, it's essential to monitor for newly introduced or
modified custom roles in Azure Role-Based Access Control (RBAC). Adversaries could
manipulate these roles to discreetly acquire specific privileges. Another area of focus
should be the sudden creation or adjustment of Managed Identities, which attackers
might harness to access other Azure resources. Lastly, any unusual deployments or
changes in Azure Automation and Logic Apps should raise red flags. Malicious actors
could exploit these to automate privilege escalation activities or to take advantage of
existing permissions.
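To triage a Microsoft.Authorization/roleAssignments/write event rather than just alert on it, here is an added example (my own code, not Expel's) that parses the request body an Activity Log record carries for that operation, resolves the built-in role, classifies the assignment scope and flags the combinations an attacker wants: a privileged role at subscription or management-group scope, a privileged role handed to a service principal, or a caller granting a role to itself. The Owner, Contributor, User Access Administrator and Reader definition IDs are Azure's fixed built-in values; the record layout (properties.requestbody as a JSON string, caller object id under the objectidentifier claim) follows the Activity Log schema as I understand it, and the records are constructed.

```python
"""Added example: classify Azure RBAC role-assignment writes from Activity Log records.
Not Expel's code; the sample records are constructed."""
import json

OID_CLAIM = "http://schemas.microsoft.com/identity/claims/objectidentifier"
BUILTIN_ROLES = {  # built-in role definition IDs are identical in every tenant
    "8e3af657-a8ff-443c-a75c-2fe8c4bcb635": "Owner",
    "b24988ac-6180-42a0-ab88-20f7382dd24c": "Contributor",
    "18d7d88d-d35e-4fb5-a5c3-7773c20a72d9": "User Access Administrator",
    "acdd72a7-3385-48ef-bd42-f606fba81ae7": "Reader",
}
PRIVILEGED = {"Owner", "Contributor", "User Access Administrator"}
BROAD_SCOPES = {"managementGroup", "subscription"}


def scope_level(scope):
    """managementGroup | subscription | resourceGroup | resource, derived from the scope path."""
    s = scope.lower()
    if s.startswith("/providers/microsoft.management/managementgroups/"):
        return "managementGroup"
    if "/resourcegroups/" not in s:
        return "subscription"
    below_rg = s.split("/resourcegroups/", 1)[1]
    return "resource" if "/providers/" in below_rg else "resourceGroup"


def assess_role_assignment(record):
    """What was granted, to whom, where, and why it deserves a look (empty reasons = routine)."""
    props = json.loads(record["properties"]["requestbody"])["Properties"]
    role_id = props["RoleDefinitionId"].rsplit("/", 1)[-1].lower()
    role = BUILTIN_ROLES.get(role_id, f"custom/unknown:{role_id}")
    level = scope_level(props["Scope"])
    caller_oid = record.get("claims", {}).get(OID_CLAIM, "").lower()
    reasons = []
    if role in PRIVILEGED and level in BROAD_SCOPES:
        reasons.append(f"{role} at {level} scope")
    if role in PRIVILEGED and props.get("PrincipalType") == "ServicePrincipal":
        reasons.append(f"{role} granted to a service principal")
    if caller_oid and props["PrincipalId"].lower() == caller_oid:
        reasons.append("caller granted a role to itself")
    return {"caller": record["caller"], "role": role, "principal": props["PrincipalId"],
            "principalType": props.get("PrincipalType"), "scope": props["Scope"],
            "level": level, "reasons": reasons}


def suspicious_assignments(records):
    """Only the role-assignment writes that tripped at least one reason, in log order."""
    return [a for a in (assess_role_assignment(r) for r in records
                        if r["operationName"].lower() == "microsoft.authorization/roleassignments/write")
            if a["reasons"]]


SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"


def _assignment(caller, caller_oid, principal_id, principal_type, role_id, scope):
    body = {"Id": "11111111-2222-3333-4444-555555555555",
            "Properties": {"PrincipalId": principal_id, "PrincipalType": principal_type,
                           "RoleDefinitionId": f"{SUB}/providers/Microsoft.Authorization/roleDefinitions/{role_id}",
                           "Scope": scope}}
    return {"operationName": "Microsoft.Authorization/roleAssignments/write", "caller": caller,
            "claims": {OID_CLAIM: caller_oid}, "properties": {"requestbody": json.dumps(body)}}


ALICE_OID = "aaaaaaaa-0000-0000-0000-000000000001"
BOB_OID = "aaaaaaaa-0000-0000-0000-000000000002"
SAMPLE_ACTIVITY = [  # constructed
    # a compromised account makes itself Owner of the whole subscription
    _assignment("alice@contoso.example", ALICE_OID, ALICE_OID, "User",
                "8e3af657-a8ff-443c-a75c-2fe8c4bcb635", SUB),
    # routine: Reader on one resource group for a colleague
    _assignment("bob@contoso.example", BOB_OID, "aaaaaaaa-0000-0000-0000-000000000003", "User",
                "acdd72a7-3385-48ef-bd42-f606fba81ae7", f"{SUB}/resourceGroups/app-rg"),
    # Contributor handed to a service principal on a single key vault
    _assignment("bob@contoso.example", BOB_OID, "bbbbbbbb-0000-0000-0000-000000000009", "ServicePrincipal",
                "b24988ac-6180-42a0-ab88-20f7382dd24c",
                f"{SUB}/resourceGroups/app-rg/providers/Microsoft.KeyVault/vaults/app-kv"),
]

if __name__ == "__main__":
    for f in suspicious_assignments(SAMPLE_ACTIVITY):
        print(f["caller"], "->", f["role"], "@", f["level"], "|", "; ".join(f["reasons"]))
```

The self-grant check is the one to keep even if you tune the others away: a caller whose object id equals the PrincipalId it is assigning a role to is almost never a legitimate change, and it is exactly what an attacker with a freshly obtained User Access Administrator or Owner foothold does first.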



MITRE ATT&CK TACTIC:

Credential access
• Why attackers do it: To access and acquire credentials in the Azure
environment. Stolen credentials may allow attackers to gain access to different
Azure resources, settings, and permissions.

• How attackers execute it: Azure Key Vault is the most likely target,
where attackers can attempt to dump certificates, keys, and secrets.
Additionally, there are several means to acquire Service Principal or Managed
Identity authentication details depending on the service. Services that can be
used for credential access include Resource Groups (deployment history can
carry secrets passed as parameters), Automation Accounts, Storage Accounts,
and Logic or Function Apps.

• Look for the following operations:

Key vault
Microsoft.KeyVault/vaults/secrets/getSecret/action
Microsoft.KeyVault/vaults/secrets/restore/action
Microsoft.KeyVault/vaults/secrets/recover/action
Microsoft.KeyVault/vaults/certificates/read
Microsoft.KeyVault/vaults/certificates/restore/action
Microsoft.KeyVault/vaults/keys/read

Storage accounts
Microsoft.Storage/storageAccounts/listkeys/action
Microsoft.Storage/storageAccounts/regeneratekey/action

Automation account
Microsoft.Automation/automationAccounts/runbooks/*

Resource group
Microsoft.Resources/deployments/read

• Investigation tips and tricks: Review the caller who performed this
operation and the details of the request to compare with past activity to see
if this behavior is abnormal. An attacker will likely have performed a series
of other events, most of which will have failed, prior to attempting to acquire
credentials for more access. Note that data-plane reads such as getSecret are
only visible if the vault's diagnostic settings send AuditEvent logs to a workspace;
the subscription Activity Log records management-plane operations only, so confirm
that logging is in place before concluding that no secrets were read.



MITRE ATT&CK TACTIC:

Collection
• Why attackers do it: To collect information or resources that are of
interest.

• How attackers execute it: By using Azure services to weaken the protection of
targeted resources so their contents can be read, such as disabling transparent
data encryption (TDE) on a SQL database, disabling VM disk encryption, exporting
a managed disk, or reading blobs from a container that allows anonymous access.

• Look in the following operations (Azure storage / SQL database):

Microsoft.Sql/servers/databases/transparentDataEncryption/write
Microsoft.Sql/managedInstances/databases/transparentDataEncryption/write
GetBlob where auth_type == "anonymous" (storage logs)
Microsoft.Compute/disks/beginGetAccess/action

• Investigation tips and tricks: Take note of the source IP, user agent,
and role in which the user is operating. Check if it's normal for this user's job
function to be performing these activities. Review other activities performed
during the user's session. If no explanation is found, walk the user's session
back to the authentication event for their session and collect any additional
indicators that could pertain to initial access.



MITRE ATT&CK TACTIC:

Exfiltration
• Why attackers do it: To move sensitive information and data from the
Azure environment to attacker-controlled infrastructure.

• How attackers execute it: Typically attackers perform exfiltration by
moving data out of the environment in a format that is unlikely to be detected
by defenders. In Azure, attackers can access and download data by generating
SAS URIs, recovering data in a 'soft delete' state, or replicating to an external
account using a policy.

• Look for the following operations:

Key vault
Microsoft.KeyVault/vaults/*/restore
Microsoft.KeyVault/locations/deletedVaults/read

Virtual machine
Microsoft.Compute/disks/beginGetAccess/action
Microsoft.Compute/snapshots/beginGetAccess/action

Storage account
Microsoft.Storage/storageAccounts/listAccountSas/action
Microsoft.Storage/storageAccounts/objectReplicationPolicies/write
Microsoft.Storage/storageAccounts/blobServices/containers/write
Microsoft.Storage/storageAccounts/fileServices/shares/write

Recovery services vault
Microsoft.RecoveryServices/Vaults/backupconfig/write

SQL database
Microsoft.Sql/servers/databases/export/action

• Investigation tips and tricks: Look out for abnormal requests to
recovery services, replication policies, databases, and VMs that would allow
the attacker to copy, move, or expose the resources to the public, especially
if there isn't a known business need. If you spot suspected exfiltration,
investigate the caller's previous API calls, source and method of authentication,
user-agent string, and activities performed in the caller's session to see if this is
in line with normal behavior.

Certain events are specific to Azure Storage logs, such as
"RestoreContainer" and "SetContainerACL," which can be used to retrieve
deleted contents or to change container permissions to allow anonymous
access, respectively. Keep in mind that beginGetAccess on a disk or snapshot
hands back a time-limited SAS URL for the underlying VHD; the download that
follows happens against the data plane from wherever the attacker likes and
leaves no Activity Log entry, so the grant itself is the event to alert on.
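The two storage-log events called out above, as an added example (my own code, not Expel's): it reads blob storage log records, groups successful anonymous GetBlob requests by container, and for each exposed container walks back to the SetContainerACL call that opened it, which gives you the principal and authentication type to pivot on next. Field names (operationName, authenticationType, callerIpAddress, objectKey, statusCode, requesterObjectId, time) follow the StorageBlobLogs schema as I understand it; the records are constructed.

```python
"""Added example: correlate anonymous blob reads with the ACL change that enabled them.
Not Expel's code; log records are constructed and the field names are assumptions."""
from collections import defaultdict
from datetime import datetime, timezone


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def container_of(object_key):
    """StorageBlobLogs ObjectKey is '/account/container/blob...'; return 'account/container'."""
    parts = object_key.strip("/").split("/", 2)
    return "/".join(parts[:2])


def anonymous_reads(logs):
    """container -> summary of successful anonymous GetBlob requests against it."""
    out = {}
    for rec in logs:
        if (rec["operationName"] == "GetBlob" and rec["authenticationType"] == "Anonymous"
                and 200 <= rec["statusCode"] < 300):
            c = out.setdefault(container_of(rec["objectKey"]),
                               {"blobs": set(), "ips": set(), "first": None, "last": None})
            ts = parse_ts(rec["time"])
            c["blobs"].add(rec["objectKey"])
            c["ips"].add(rec["callerIpAddress"])
            c["first"] = ts if c["first"] is None or ts < c["first"] else c["first"]
            c["last"] = ts if c["last"] is None or ts > c["last"] else c["last"]
    return out


def exposure_timeline(logs):
    """For each anonymously read container, the most recent SetContainerACL before the first
    anonymous read (None if the container was already public before the log window)."""
    acl_changes = defaultdict(list)
    for rec in logs:
        if rec["operationName"] == "SetContainerACL" and 200 <= rec["statusCode"] < 300:
            acl_changes[container_of(rec["objectKey"])].append(rec)
    findings = []
    for container, summary in anonymous_reads(logs).items():
        prior = [a for a in acl_changes[container] if parse_ts(a["time"]) <= summary["first"]]
        opened_by = max(prior, key=lambda a: parse_ts(a["time"]), default=None)
        findings.append({
            "container": container, "blobs_read": len(summary["blobs"]),
            "reader_ips": sorted(summary["ips"]),
            "acl_changed_by": opened_by["requesterObjectId"] if opened_by else None,
            "acl_change_auth": opened_by["authenticationType"] if opened_by else None,
            "minutes_before_first_read": (
                round((summary["first"] - parse_ts(opened_by["time"])).total_seconds() / 60)
                if opened_by else None),
        })
    return sorted(findings, key=lambda f: f["container"])


def _rec(time, op, auth, ip, key, status=200, oid=""):
    return {"time": time, "operationName": op, "authenticationType": auth, "callerIpAddress": ip,
            "objectKey": key, "statusCode": status, "requesterObjectId": oid}


ADMIN_OID = "aaaaaaaa-0000-0000-0000-000000000001"
SAMPLE_LOGS = [  # constructed: the backups container is opened with the account key, then bulk-read
    _rec("2024-05-01T10:00:00Z", "SetContainerACL", "AccountKey", "198.51.100.10", "/contoso1/backups", oid=ADMIN_OID),
] + [
    _rec(f"2024-05-01T10:0{5 + i // 6}:{(i % 6) * 10:02d}Z", "GetBlob", "Anonymous", "203.0.113.7",
         f"/contoso1/backups/db-{i:02d}.bak")
    for i in range(12)
] + [
    _rec("2024-05-01T10:20:00Z", "GetBlob", "Anonymous", "203.0.113.7", "/contoso1/backups/missing.bak", status=404),
    _rec("2024-05-01T09:30:00Z", "GetBlob", "Anonymous", "192.0.2.44", "/contoso1/www/index.html"),
    _rec("2024-05-01T10:21:00Z", "GetBlob", "OAuth", "198.51.100.10", "/contoso1/backups/db-00.bak", oid=ADMIN_OID),
]

if __name__ == "__main__":
    for f in exposure_timeline(SAMPLE_LOGS):
        print(f)
```

A finding with acl_changed_by set and acl_change_auth of AccountKey tells you two things at once: the container was deliberately opened, and whoever did it held the storage account key, so the listkeys or regeneratekey event under Credential access is the next thing to pull for that caller. A container with acl_changed_by of None (the www site here) was public before your log window and is likely by design.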



MITRE ATT&CK TACTIC:

Lateral movement
• Why attackers do it: To pivot from one place to another in the victim's
environment.

• How attackers execute it: Abusing IAM pathways via role assignments,
service permissions, security groups, and various weak points in Azure's
identity ecosystem. Policy definitions are on the list because a policy with a
deployIfNotExists or modify effect remediates under a managed identity, which
lets an attacker who can write and assign policy act with that identity's rights.

• Look in the following operations (IAM):

Microsoft.Authorization/roleAssignments/write
Microsoft.Authorization/policyDefinitions/write
Microsoft.Automation/automationAccounts/runbooks/*

• Investigation tips and tricks: The user's intended job function is an
important consideration when investigating events related to IAM manipulation.
Investigate the authentication context in which the user is operating. Check for
any suspicious indicators involved with the IP, user agent, or role. Make sure
that any roles being used are expected to be performing the activity at hand,
and that the user involved is meant to hold the given role (or to activate it
through Privileged Identity Management). Review any other IAM changes
performed by the user around the time of the event.



MITRE ATT&CK TACTIC:

Impact
• Why attackers do it: To disrupt or destroy resources in an Azure
environment.

• How attackers execute it: Attackers may execute malicious commands
via the Azure CLI, portal, or services within an Azure environment like Azure
Run Commands or Custom Script Extensions on targeted VMs.

• Look for the following operations (Azure services):

Microsoft.Security/securitySolutions/delete
Microsoft.Authorization/policyAssignments/delete
Microsoft.Storage/storageAccounts/delete
Microsoft.RecoveryServices/Vaults/delete

• Investigation tips and tricks: Investigate the source identity for
any deletion of security controls or sensitive resources.
Along with deletion, look out for changes to policies and configurations that
would affect backup and recovery services. Ensure the entity performing
the action is expected, and review their session for any signs of anomalous
authentication. Resource locks (CanNotDelete) and soft delete on Recovery
Services vaults and storage accounts make these deletions recoverable and
noisier: a delete that succeeds against a locked or soft-delete-enabled resource
implies the attacker first removed the lock (Microsoft.Authorization/locks/delete)
or turned the feature off, so look for those changes too. These operations may be
performed late in the attacker's access to the environment, so any suspicious
activities observed may require investigation into activities performed earlier
in the attack lifecycle.



MITRE ATT&CK TACTICS

Create your own Azure mind map

[Blank template: the nine tactics (Initial access, Execution, Persistence, Privilege escalation, Credential access,
Collection, Exfiltration, Lateral movement, Impact) arranged around a central "Admin Activity Audit Logs" node, with the
service and action branches left empty to fill in for your own environment.]



Expel helps companies of all shapes and sizes minimize business risk. Our technology and people work together to make sense
of security signals—with your business in mind—to detect, understand, and fix issues fast. Powered by our security operations platform,
Expel offers managed detection and response (MDR), remediation, phishing, vulnerability prioritization, and threat hunting.
For more information, visit our website, check out our blog, or follow us on LinkedIn or X.

© 2024 Expel, Inc.
