Azure

ATT&CK Navigator View

Table View

Created

Action

Description

Author

2021-09-13

Add-CKMemberToGroup

A threat actor might want to add a member to a Microsoft 365 group or a security group through the members navigation property.

Roberto Rodriguez @Cyb3rWard0g, MSTIC R&D

2021-09-08

Get-CKOauth2PermissionGrants

A threat actor might want to retrieve a list of oAuth2PermissionGrant objects, representing delegated permissions which have been granted for client applications to access APIs on behalf of signed-in users…

Roberto Rodriguez @Cyb3rWard0g, MSTIC R&D

2021-08-22

Get-CKAzADGroups

A threat actor might want to list all the groups in an organization, including but not limited to Microsoft 365 groups.

Roberto Rodriguez @Cyb3rWard0g, MSTIC R&D

2021-08-22

Get-CKAzADDirectoryRoles

A threat actor might want to list the directory roles that are activated in the tenant. This operation only returns roles that have been activated. A role becomes activated when an admin activates the role using the Activate directoryRole API. Not all built-in roles are initially activated.

Roberto Rodriguez @Cyb3rWard0g, MSTIC R&D

2021-08-05

Get-CKMailboxMessages

A threat actor might want to read messages from the mailbox of a specific user.

Roberto Rodriguez @Cyb3rWard0g, MSTIC R&D

2021-08-05

Get-CKMyMailboxMessages

A threat actor might want to read messages from the signed-in account. Usually during impersonation.

Roberto Rodriguez @Cyb3rWard0g, MSTIC R&D

2021-08-05

Get-CKAzADApplication

A threat actor might want to get metadata from Azure AD Applications.

Roberto Rodriguez @Cyb3rWard0g, MSTIC R&D

2021-08-05

Get-CKAzADServicePrincipal

A threat actor might want to get metadata from Azure AD service principals.

Roberto Rodriguez @Cyb3rWard0g, MSTIC R&D

2021-08-05

Get-CKAzADUsers

A threat actor might want to list all users in Azure AD

Roberto Rodriguez @Cyb3rWard0g, MSTIC R&D

2021-08-05

Add-CKAzADAppPassword

A threat actor might want to add a password to an Azure AD application for persistence purposes.

Roberto Rodriguez @Cyb3rWard0g, MSTIC R&D

2021-08-05

Add-CKAzADSPPassword

A threat actor might want to add a password to a service principal for persistence purposes.

Roberto Rodriguez @Cyb3rWard0g, MSTIC R&D

2021-08-05

Add-CKDomainToTenant

A threat actor might want to add a new domain to the tenant.

Roberto Rodriguez @Cyb3rWard0g, MSTIC R&D

2021-08-05

Add-CKOwnerToAzADApp

A threat actor might want to add an owner to an Azure AD application.

Roberto Rodriguez @Cyb3rWard0g, MSTIC R&D

2021-08-05

Add-CKOwnerToAzADSP

A threat actor might want to add an owner to a service principal.

Roberto Rodriguez @Cyb3rWard0g, MSTIC R&D

2021-08-05

Grant-CKPermissions

A threat actor might want to grant permissions (Delegated or Application) to an Azure AD application (Service Principal).

Roberto Rodriguez @Cyb3rWard0g, MSTIC R&D

2021-08-05

New-CKAzADApplication

A threat actor might want to register a new Azure AD application for persistence purposes.

Roberto Rodriguez @Cyb3rWard0g, MSTIC R&D

2021-08-05

New-CKAzADServicePrincipal

A threat actor might want to create a service principal for an existing Azure AD application.

Roberto Rodriguez @Cyb3rWard0g, MSTIC R&D

2021-08-05

Update-CKAzADAppReqRscAccess

A threat actor might want to update the required resource access property of an Azure AD application. The requiredResourceAccess property of an application specifies resources that the application requires access to and the set of OAuth permission scopes (delegated) and application roles (application) that it needs under each of those resources. This pre-configuration of required resource access drives the consent experience. This does not grant permissions consent.

Roberto Rodriguez @Cyb3rWard0g, MSTIC R&D