It is typical for an assessment team to cite the MITRE ATT&CK knowledge base when conducting an offensive security assessment: high-level stakeholders get a visual summary of which techniques were effective, and administrators and defenders can understand the techniques used in order to correct or defend against them in the future. There is, however, no official documentation of Azure or Azure AD-related tactics, techniques, and procedures (TTPs) in the widely used MITRE knowledge base for assessment teams to refer to. Over the previous year, Microsoft, in collaboration with some of the top Azure security researchers, developed the Azure Threat Research Matrix (ATRM), a matrix that provides information about the tactics and techniques a potential adversary may use to compromise an Azure Resource or Azure Active Directory.
The Azure Threat Research Matrix (ATRM) is a knowledge base created to list known TTPs used against Azure and Azure AD. The ATRM has two objectives:
1. To provide security professionals with a simple-to-view framework so they can more clearly visualize TTPs within Azure & Azure AD.
2. To inform professionals of the potential configuration risks associated with Azure & Azure AD when best practices are not followed.
Focus & Intention
The main focus of the ATRM is Azure Resource and Azure AD TTPs. Because Azure AD is used by products such as M365, it is occasionally necessary to include techniques, or technique details, that also apply to other products. For instance, AZT303 – Managed Device Scripting describes how to use Azure AD's integrated Intune service to run scripts on devices.
Some Azure AD techniques (particularly those related to hybrid-joined devices) are left out because they are already covered by MITRE ATT&CK. The ATRM is intended to complement MITRE ATT&CK by covering pure Azure Resource & Azure AD TTPs, not to replace it. We would, however, like community opinion on this choice!
The ATRM also aims to inform readers about the potential of Azure-based tactics, techniques, and procedures (TTPs). Commands related to a technique are included so that defenders can create alerts for those commands. Although the commands also demonstrate how a particular technique is misused, some information is left out or obscured to prevent malicious misuse.
A Tour of the ATRM Structure
For security professionals to use the ATRM to understand potential risks, it is crucial to first understand the structure and contents of the matrix.
The tactics are listed in the top row, with IDs assigned in sequence starting from Reconnaissance at “AZT1”.
Figure 1: The tactics in the top row and the techniques belonging to each tactic in the columns beneath.
Clicking on a particular tactic opens a list of its related techniques and sub-techniques, each with a brief description.
Figure 2: A portion of the execution tactic page.
Clicking on the ID of a specific technique or sub-technique opens the page for that technique or sub-technique.
Figure 3: The page for AZT301.6 – Virtual Machine Scripting: Vmss Run Command, a sub-technique.
Each technique or sub-technique page covers a number of important subjects:
Resource: The resource(s) that the technique affects.
Actions: The resource-provider actions required to use the technique.
Commands: How to use the technique, for example via the portal.
Detection: Any possible detections.
Additional Resources: Further reading.
The Azure Threat Research Matrix is designed to be product-agnostic, so the detection queries are written by default for native Azure technologies rather than requiring a separate, extra-charged solution.
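Because the matrix lists the commands behind each technique so that defenders can alert on them, here is an added example of the kind of detection a defender can build from that information, using the sub-technique named above (AZT301.6 – Virtual Machine Scripting: VMSS Run Command). This is example code written for this article, not code from the ATRM project. It assumes an Azure Activity Log export in newline-delimited JSON; the log records are constructed and simplified, the subscription ID is a placeholder, and the mapping of the plain-VM run command to the parent technique AZT301 is an assumption (only the VMSS sub-technique ID appears on the page).

```python
"""Flag Azure Activity Log events that match ATRM AZT301.6 (VMSS Run Command).

Added example for this article, not part of the ATRM project. The operation names are
Microsoft.Compute resource-provider actions as they appear in Activity Log entries; the
sample records are constructed and simplified."""
import json
from collections import defaultdict

# Operations that run a script on a VM or scale-set instance. AZT301.6 is the ID the
# page names for VMSS Run Command; the plain-VM mapping to AZT301 is an assumption.
RUN_COMMAND_OPERATIONS = {
    "microsoft.compute/virtualmachinescalesets/virtualmachines/runcommand/action": "AZT301.6",
    "microsoft.compute/virtualmachines/runcommand/action": "AZT301 (VM run command; sub-technique ID assumed)",
}


def _field_value(event, name):
    """Return a field as a lowercase string.

    Activity Log exports differ: older exports carry {"value": ..., "localizedValue": ...}
    for operationName and status, newer ones carry plain strings. Handle both."""
    value = event.get(name, "")
    if isinstance(value, dict):
        value = value.get("value", "")
    return str(value).lower()


def classify_event(event):
    """Map one Activity Log event to an ATRM ID, or None if it is not a run command."""
    return RUN_COMMAND_OPERATIONS.get(_field_value(event, "operationName"))


def find_run_command_events(events):
    """Return (atrm_id, event) pairs for every run-command event, regardless of status."""
    return [(classify_event(e), e) for e in events if classify_event(e) is not None]


def targets_by_caller(events):
    """Distinct resources each caller successfully ran a script on.

    Only 'Succeeded' is counted so that the Started/Succeeded pair Azure writes for a
    single action is not double counted and failed attempts do not inflate the tally."""
    targets = defaultdict(set)
    for _, event in find_run_command_events(events):
        if _field_value(event, "status") == "succeeded":
            targets[event["caller"]].add(event["resourceId"].lower())
    return {caller: sorted(resources) for caller, resources in targets.items()}


def callers_to_alert(events, min_targets=2):
    """Callers who scripted at least min_targets distinct instances: bulk run-command use
    across a scale set is the pattern a defender would want to review."""
    return sorted(c for c, t in targets_by_caller(events).items() if len(t) >= min_targets)


def load_events(jsonl_text):
    """Parse newline-delimited JSON, the shape an Activity Log export is commonly stored in."""
    return [json.loads(line) for line in jsonl_text.splitlines() if line.strip()]


# Constructed, simplified Activity Log records (not real telemetry). The subscription
# ID is a placeholder. Record 4 is an unrelated VM write and must not match; record 5
# is a failed run command and must not count toward the caller's target tally.
_SUB = "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-web/providers/Microsoft.Compute"
_VMSS_OP = "Microsoft.Compute/virtualMachineScaleSets/virtualMachines/runCommand/action"
_VM_OP = "Microsoft.Compute/virtualMachines/runCommand/action"
SAMPLE_LOG = "\n".join(json.dumps(r) for r in [
    {"eventTimestamp": "2022-08-01T10:00:00Z", "operationName": {"value": _VMSS_OP},
     "caller": "alice@contoso.example", "resourceId": f"{_SUB}/virtualMachineScaleSets/vmss-web/virtualMachines/0",
     "status": {"value": "Succeeded"}},
    {"eventTimestamp": "2022-08-01T10:01:00Z", "operationName": {"value": _VMSS_OP},
     "caller": "alice@contoso.example", "resourceId": f"{_SUB}/virtualMachineScaleSets/vmss-web/virtualMachines/1",
     "status": {"value": "Succeeded"}},
    {"eventTimestamp": "2022-08-01T10:02:00Z", "operationName": _VM_OP,
     "caller": "bob@contoso.example", "resourceId": f"{_SUB}/virtualMachines/vm-web01",
     "status": "Succeeded"},
    {"eventTimestamp": "2022-08-01T10:03:00Z", "operationName": "Microsoft.Compute/virtualMachines/write",
     "caller": "bob@contoso.example", "resourceId": f"{_SUB}/virtualMachines/vm-web01",
     "status": "Succeeded"},
    {"eventTimestamp": "2022-08-01T10:04:00Z", "operationName": {"value": _VMSS_OP},
     "caller": "alice@contoso.example", "resourceId": f"{_SUB}/virtualMachineScaleSets/vmss-web/virtualMachines/0",
     "status": {"value": "Failed"}},
])

if __name__ == "__main__":
    events = load_events(SAMPLE_LOG)
    for atrm_id, event in find_run_command_events(events):
        print(atrm_id, event["eventTimestamp"], event["caller"], _field_value(event, "status"))
    print("callers to review:", callers_to_alert(events))
```

The threshold in callers_to_alert is deliberately low for the sample; in production you would tune it to the expected number of instances an operator legitimately scripts at once, and join the caller against your list of approved automation identities before raising an alert.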
Community Contribution
The TTPs in the matrix as it stands today were assembled over the course of several months in collaboration with some of the top researchers in the Azure security community.
Their contributions, credited in the list of acknowledgments here, have been very beneficial. Being as thorough as possible is one of the ATRM's intended goals, and with hundreds of services and offerings within Azure it is challenging for one person to be familiar with every potential TTP within Azure and Azure AD. Although Microsoft has internal research teams whose specific responsibility is examining potential abuse scenarios in Azure & Azure AD, the community greatly influences the security of our products. In light of this, we cordially invite feedback on the ATRM from the larger security community, including suggestions for new techniques or the addition of new data. The Azure Threat Research Matrix is hosted on GitHub under the MIT license and is open to pull requests and issues.