A collection of ARM-based detections for Azure/AzureAD based TTPs
| ID | Name | Deploy |
|---|---|---|
| AZT201.1 | User Account | |
| AZT201.2 | Service Principal Account | |
| AZT202 | Password Spraying | |
| AZT203 | Malicious Application Consent | |

| ID | Name | Requires Azure Monitor Agent? | Deploy |
|---|---|---|---|
| AZT301.1 | Virtual Machine Scripting: RunCommand | N | |
| AZT301.1 | Virtual Machine Scripting: RunCommand with PowerShell Logging | Y | |
| AZT301.2 | Virtual Machine Scripting: CustomScriptExtension | N | |
| AZT301.2 | Virtual Machine Scripting: CustomScriptExtension with PowerShell Logging | Y | |
| AZT301.3 | Virtual Machine Scripting: Desired State Configuration | N | |
| AZT301.3 | Virtual Machine Scripting: Desired State Configuration with PowerShell Logging | Y | |
| AZT301.4 | Virtual Machine Scripting: Compute Gallery Application | N | |
| AZT301.5 | Virtual Machine Scripting: AKS Command Invoke | N | |
| AZT301.6 | Virtual Machine Scripting: Vmss Run Command | N | |
| AZT302.1 | Unmanaged Scripting: Automation Account Hybrid Worker Group | | |
| AZT302.2 | Unmanaged Scripting: Automation Account RunAs Account | | |
| AZT302.3 | Unmanaged Scripting: Automation Account Managed Identity Account | | |

| ID | Name | Deploy |
|---|---|---|
| AZT402 | Elevated Access Toggle | |
| AZT403.1 | Local Resource Hijack: Cloud Shell .IMG | |
| AZT404.1 | Function Application | |
| AZT405.1 | Azure AD Application: Application Role | |
| AZT405.2 | Azure AD Application: Application API Permissions | |
| AZT405.3 | Azure AD Application: Application Registration Owner | |

| ID | Name | Deploy |
|---|---|---|
| AZT501.1 | Account Manipulation: User Account Manipulation | |
| AZT501.2 | Account Manipulation: Service Principal Account | |
| AZT501.3 | Account Manipulation: Azure VM Local Administrator Manipulation | |
| AZT502.1 | Account Creation: User Account Creation | |
| AZT502.2 | Account Creation: Service Principal Creation | |
| AZT502.3 | Account Creation: Guest Account Creation | |
| AZT503.1 | HTTP Trigger: Logic Application HTTP Trigger | |
| AZT503.2 | HTTP Trigger: Function App HTTP Trigger | |
| AZT503.3 | HTTP Trigger: Runbook Webhook | |
| AZT503.4 | HTTP Trigger: WebJob | |
| AZT504 | Watcher Tasks | |
| AZT505 | Scheduled Jobs: Runbook Schedules | |
| AZT506 | Network Security Group Modification | |
| AZT508 | Azure Policy | |

| ID | Name | Deploy |
|---|---|---|
| AZT601.1 | Steal Managed Identity JsonWebToken: Virtual Machine IMDS Request | |
| AZT601.2 | Steal Managed Identity JsonWebToken: Azure Kubernetes Service IMDS Request | |
| AZT601.3 | Steal Managed Identity JsonWebToken: Logic Application JWT PUT Request | |
| AZT601.5 | Steal Managed Identity JsonWebToken: Automation Account Runbook | |
| AZT602.1 | Steal Service Principal Certificate: Automation Account RunAs Account | |
| AZT604.1 | Azure Key Vault Dumping: Azure Key Vault Secret Dump | |
| AZT604.2 | Azure Key Vault Dumping: Azure Key Vault Certificate Dump | |
| AZT604.3 | Azure Key Vault Dumping: Azure Key Vault Key Dump | |
| AZT605.1 | Resource Secret Reveal: Storage Account Access Key Dumping | |
| AZT605.2 | Resource Secret Reveal: Automation Account Credential Secret Dump | |

| ID | Name | Deploy |
|---|---|---|
| AZT701.1 | SAS URI Generation: VM Disk SAS URI | |
| AZT701.2 | SAS URI Generation: Storage Account File Share SAS | |
| AZT703.1 | Replication: Storage Account Replication | |
| AZT704.1 | Soft-Delete Recovery: Key Vault | |
| AZT704.2 | Soft-Delete Recovery: Key Vault | |

This project welcomes contributions and suggestions. Most contributions require you to agree to a
Contributor License Agreement (CLA) declaring that you have the right to, and actually do, grant us
the rights to use your contribution. For details, visit https://cla.opensource.microsoft.com.

When you submit a pull request, a CLA bot will automatically determine whether you need to provide
a CLA and decorate the PR appropriately (e.g., status check, comment). Simply follow the instructions
provided by the bot. You will only need to do this once across all repos using our CLA.

This project has adopted the Microsoft Open Source Code of Conduct.
For more information see the Code of Conduct FAQ or
contact opencode@microsoft.com with any additional questions or comments.

This project may contain trademarks or logos for projects, products, or services. Authorized use of Microsoft
trademarks or logos is subject to and must follow
Microsoft's Trademark & Brand Guidelines.
Use of Microsoft trademarks or logos in modified versions of this project must not cause confusion or imply Microsoft sponsorship.
Any use of third-party trademarks or logos is subject to those third parties' policies.