Azure

ATT&CK Navigator View

Table View

Created

Action

Description

Author

2021-08-05

Get My Mailbox Messages

A threat actor could get messages from the mailbox of the current user session via Microsoft Graph APIs and the right permissions.

Roberto Rodriguez @Cyb3rWard0g, MSTIC R&D

2021-08-05

Get User Mailbox Messages

A threat actor could get messages from the mailbox of a specific user via Microsoft Graph APIs and the right permissions.

Roberto Rodriguez @Cyb3rWard0g, MSTIC R&D

2021-08-05

Get Azure AD Application Metadata

A threat actor might want to get metadata from Azure AD Applications via Microsoft Graph APIs and the right permissions.

Roberto Rodriguez @Cyb3rWard0g, MSTIC R&D

2021-08-22

Get Azure AD Directory Roles

A threat actor might want to list the directory roles that are activated in the tenant via Microsoft Graph APIs and the right permissions. This operation only returns roles that have been activated. A role becomes activated when an admin activates the role using the Activate directoryRole API. Not all built-in roles are initially activated.

Roberto Rodriguez @Cyb3rWard0g, MSTIC R&D

2021-08-22

Get Azure AD Groups

A threat actor might want to list all the groups in an organization, including but not limited to Microsoft 365 groups via Microsoft Graph APIs and the right permissions.

Roberto Rodriguez @Cyb3rWard0g, MSTIC R&D

2021-09-30

Get Azure AD Owners of an Azure AD Group or Directory Role

A threat actor might want to list members of an Azure AD group or directory role via Microsoft Graph APIs and the right permissions.

Roberto Rodriguez @Cyb3rWard0g, MSTIC R&D

2021-09-08

Get Azure AD OAuth Permission Grants

A threat actor might want to retrieve a list of oAuth2PermissionGrant objects, representing delegated permissions which have been granted for client applications to access APIs on behalf of signed-in users via Microsoft Graph APIs and the right permissions.

Roberto Rodriguez @Cyb3rWard0g, MSTIC R&D

2021-09-30

Get Owners of an Azure AD Application or Service Principal

A threat actor might want to list owners of an Azure AD application or service principal via Microsoft Graph APIs and the right permissions.

Roberto Rodriguez @Cyb3rWard0g, MSTIC R&D

2021-09-30

Get Azure AD Resources and Graph Them

A threat actor might want to collect information from Azure AD such as users, applications, service principals, groups and directory roles via Microsoft Graph APIs and analyze it all in a graph way.

Roberto Rodriguez @Cyb3rWard0g, MSTIC R&D

2021-08-05

Get Azure AD Service Principal Metadata

A threat actor might want to get metadata from Azure AD service principals via Microsoft Graph APIs and the right permissions.

Roberto Rodriguez @Cyb3rWard0g, MSTIC R&D

2021-08-05

Get Azure AD Users

A threat actor might want to list all users in Azure AD via Microsoft Graph APIs and the right permissions.

Roberto Rodriguez @Cyb3rWard0g, MSTIC R&D

2021-08-05

Add New Owner to Azure AD Application

A threat actor might want to add an owner to an Azure AD application via Microsoft Graph APIs and the right permissions.

Roberto Rodriguez @Cyb3rWard0g, MSTIC R&D

2021-08-05

Add Password to Azure AD Application

A threat actor might want to add a password to an Azure AD application for persistence purposes via Microsoft Graph APIs and the right permissions.

Roberto Rodriguez @Cyb3rWard0g, MSTIC R&D

2021-10-16

Add New Member to Azure AD Directory Role

A threat actor might want to add a new member to a directory role (e.g. Domain Administrator) via Microsoft Graph APIs and the right permissions.

Roberto Rodriguez @Cyb3rWard0g, MSTIC R&D

2021-09-13

Add New member to Azure AD Group

A threat actor might want to add a member to a Microsoft 365 group or a security group through the members navigation property via Microsoft Graph APIs and the right permissions.

Roberto Rodriguez @Cyb3rWard0g, MSTIC R&D

2021-08-05

Add New Owner to Azure AD Service Principal

A threat actor might want to add an owner to a service principal via Microsoft Graph APIs and the right permissions.

Roberto Rodriguez @Cyb3rWard0g, MSTIC R&D

2021-08-05

Add Password to Azure AD Service Principal

A threat actor might want to add a password to a service principal for persistence purposes via Microsoft Graph APIs and the right permissions.

Roberto Rodriguez @Cyb3rWard0g, MSTIC R&D

2021-08-05

Add New Domain to Azure AD Tenant

A threat actor might want to add a new domain to the tenant via Microsoft Graph APIs and the right permissions.

Roberto Rodriguez @Cyb3rWard0g, MSTIC R&D

2021-08-05

Grant Permission to Azure AD Application

A threat actor might want to grant permissions (Delegated or Application) to an Azure AD application (Service Principal) via Microsoft Graph APIs and the right permissions.

Roberto Rodriguez @Cyb3rWard0g, MSTIC R&D

2021-08-05

Create New Azure AD Application

A threat actor might want to register a new Azure AD application for persistence purposes via Microsoft Graph APIs and the right permissions.

Roberto Rodriguez @Cyb3rWard0g, MSTIC R&D

2021-08-05

Create New Azure AD Service Principal for Application

A threat actor might want to create a service principal for an existing Azure AD application via Microsoft Graph APIs and the right permissions.

Roberto Rodriguez @Cyb3rWard0g, MSTIC R&D

2021-08-05

Update Azure AD Application Required Resource Access

A threat actor might want to update the required resource access property of an Azure AD application via Microsoft Graph APIs and the right permissions. The requiredResourceAccess property of an application specifies resources that the application requires access to and the set of OAuth permission scopes (delegated) and application roles (application) that it needs under each of those resources. This pre-configuration of required resource access drives the consent experience. This does not grant permissions consent.

Roberto Rodriguez @Cyb3rWard0g, MSTIC R&D