Azure AD Atomic Tests by ATT&CK Tactic & Technique

credential-access

• T1110.001 Brute Force: Password Guessing
  • Atomic Test #3: Brute Force Credentials of single Azure AD user [azure-ad]
• T1110.002 Brute Force: Password Cracking CONTRIBUTE A TEST
• T1606.002 Forge Web Credentials: SAML token
  • Atomic Test #1: Golden SAML [azure-ad]
• T1552 Unsecured Credentials CONTRIBUTE A TEST
• T1556.007 Hybrid Identity CONTRIBUTE A TEST
• T1110.003 Brute Force: Password Spraying
  • Atomic Test #4: Password spray all Azure AD users with a single password [azure-ad]
  • Atomic Test #7: Password Spray Microsoft Online Accounts with MSOLSpray (Azure/O365) [azure-ad]
• T1649 Steal or Forge Authentication Certificates CONTRIBUTE A TEST
• T1528 Steal Application Access Token CONTRIBUTE A TEST
• T1606 Forge Web Credentials CONTRIBUTE A TEST
• T1621 Multi-Factor Authentication Request Generation CONTRIBUTE A TEST
• T1212 Exploitation for Credential Access CONTRIBUTE A TEST
• T1110 Brute Force CONTRIBUTE A TEST
• T1110.004 Brute Force: Credential Stuffing CONTRIBUTE A TEST
• T1556.006 Multi-Factor Authentication CONTRIBUTE A TEST
• T1556.009 Conditional Access Policies CONTRIBUTE A TEST
• T1556 Modify Authentication Process CONTRIBUTE A TEST

impact

• T1498.001 Direct Network Flood CONTRIBUTE A TEST
• T1499.003 Application Exhaustion Flood CONTRIBUTE A TEST
• T1499.004 Application or System Exploitation CONTRIBUTE A TEST
• T1498.002 Reflection Amplification CONTRIBUTE A TEST
• T1499.002 Service Exhaustion Flood CONTRIBUTE A TEST
• T1499 Endpoint Denial of Service CONTRIBUTE A TEST
• T1498 Network Denial of Service CONTRIBUTE A TEST

discovery

• T1069 Permission Groups Discovery CONTRIBUTE A TEST
• T1069.003 Cloud Groups CONTRIBUTE A TEST
• T1087 Account Discovery CONTRIBUTE A TEST
• T1087.004 Cloud Account CONTRIBUTE A TEST
• T1526 Cloud Service Discovery CONTRIBUTE A TEST
• T1538 Cloud Service Dashboard CONTRIBUTE A TEST

defense-evasion

• T1484.002 Domain Trust Modification
  • Atomic Test #1: Add Federation to Azure AD [azure-ad]
• T1556.007 Hybrid Identity CONTRIBUTE A TEST
• T1078.001 Valid Accounts: Default Accounts CONTRIBUTE A TEST
• T1548 Abuse Elevation Control Mechanism CONTRIBUTE A TEST
• T1548.005 Temporary Elevated Cloud Access CONTRIBUTE A TEST
• T1078 Valid Accounts CONTRIBUTE A TEST
• T1556.006 Multi-Factor Authentication CONTRIBUTE A TEST
• T1562.008 Impair Defenses: Disable Cloud Logs CONTRIBUTE A TEST
• T1556.009 Conditional Access Policies CONTRIBUTE A TEST
• T1484 Domain or Tenant Policy Modification CONTRIBUTE A TEST
• T1550.001 Application Access Token CONTRIBUTE A TEST
• T1078.004 Valid Accounts: Cloud Accounts CONTRIBUTE A TEST
• T1556 Modify Authentication Process CONTRIBUTE A TEST

privilege-escalation

• T1484.002 Domain Trust Modification
  • Atomic Test #1: Add Federation to Azure AD [azure-ad]
• T1098.003 Account Manipulation: Additional Cloud Roles
  • Atomic Test #1: Azure AD - Add Company Administrator Role to a user [azure-ad]
  • Atomic Test #2: Simulate - Post BEC persistence via user password reset followed by user added to company administrator role [azure-ad]
• T1078.001 Valid Accounts: Default Accounts CONTRIBUTE A TEST
• T1548 Abuse Elevation Control Mechanism CONTRIBUTE A TEST
• T1548.005 Temporary Elevated Cloud Access CONTRIBUTE A TEST
• T1098.005 Device Registration CONTRIBUTE A TEST
• T1098.001 Account Manipulation: Additional Cloud Credentials
  • Atomic Test #1: Azure AD Application Hijacking - Service Principal [azure-ad]
  • Atomic Test #2: Azure AD Application Hijacking - App Registration [azure-ad]
• T1098 Account Manipulation
  • Atomic Test #4: Azure AD - adding user to Azure AD role [azure-ad]
  • Atomic Test #5: Azure AD - adding service principal to Azure AD role [azure-ad]
  • Atomic Test #8: Azure AD - adding permission to application [azure-ad]
• T1078 Valid Accounts CONTRIBUTE A TEST
• T1484 Domain or Tenant Policy Modification CONTRIBUTE A TEST
• T1078.004 Valid Accounts: Cloud Accounts CONTRIBUTE A TEST

persistence

• T1098.003 Account Manipulation: Additional Cloud Roles
  • Atomic Test #1: Azure AD - Add Company Administrator Role to a user [azure-ad]
  • Atomic Test #2: Simulate - Post BEC persistence via user password reset followed by user added to company administrator role [azure-ad]
• T1556.007 Hybrid Identity CONTRIBUTE A TEST
• T1078.001 Valid Accounts: Default Accounts CONTRIBUTE A TEST
• T1098.005 Device Registration CONTRIBUTE A TEST
• T1098.001 Account Manipulation: Additional Cloud Credentials
  • Atomic Test #1: Azure AD Application Hijacking - Service Principal [azure-ad]
  • Atomic Test #2: Azure AD Application Hijacking - App Registration [azure-ad]
• T1136.003 Create Account: Cloud Account
  • Atomic Test #2: Azure AD - Create a new user [azure-ad]
  • Atomic Test #3: Azure AD - Create a new user via Azure CLI [azure-ad]
• T1098 Account Manipulation
  • Atomic Test #4: Azure AD - adding user to Azure AD role [azure-ad]
  • Atomic Test #5: Azure AD - adding service principal to Azure AD role [azure-ad]
  • Atomic Test #8: Azure AD - adding permission to application [azure-ad]
• T1078 Valid Accounts CONTRIBUTE A TEST
• T1556.006 Multi-Factor Authentication CONTRIBUTE A TEST
• T1556.009 Conditional Access Policies CONTRIBUTE A TEST
• T1136 Create Account CONTRIBUTE A TEST
• T1078.004 Valid Accounts: Cloud Accounts CONTRIBUTE A TEST
• T1556 Modify Authentication Process CONTRIBUTE A TEST

execution

• T1059.009 Cloud API CONTRIBUTE A TEST
• T1059 Command and Scripting Interpreter CONTRIBUTE A TEST

initial-access

• T1078.001 Valid Accounts: Default Accounts CONTRIBUTE A TEST
• T1078 Valid Accounts CONTRIBUTE A TEST
• T1078.004 Valid Accounts: Cloud Accounts CONTRIBUTE A TEST

lateral-movement

• T1021.007 Cloud Services CONTRIBUTE A TEST
• T1550.001 Application Access Token CONTRIBUTE A TEST