Skip to content

A collection of ARM-based detections for Azure/AzureAD based TTPs

License

Notifications You must be signed in to change notification settings

Neo314dw/AzDetectSuite

 
 

Repository files navigation

AzDetectSuite

A collection of ARM-based detections for Azure/AzureAD based TTPs

Initial Access

ID Name Deploy
AZT201.1 User Account Deploy to Azure
AZT201.2 Service Principal Account Deploy to Azure
AZT202 Password Spraying Deploy to Azure
AZT203 Malicious Application Consent Deploy to Azure

Execution

ID Name Requires Azure Monitor Agent? Deploy
AZT301.1 Virtual Machine Scripting: RunCommand N Deploy to Azure
AZT301.1 Virtual Machine Scripting: RunCommand with PowerShell Logging Y Deploy to Azure
AZT301.2 Virtual Machine Scripting: CustomScriptExtension N Deploy to Azure
AZT301.2 Virtual Machine Scripting: CustomScriptExtension with PowerShell Logging Y Deploy to Azure
AZT301.3 Virtual Machine Scripting: Desired State Configuration N Deploy to Azure
AZT301.3 Virtual Machine Scripting: Desired State Configuration with PowerShell Logging Y Deploy to Azure
AZT301.4 Virtual Machine Scripting: Compute Gallery Application N Deploy to Azure
AZT301.5 Virtual Machine Scripting: AKS Command Invoke N Deploy to Azure
AZT301.6 Virtual Machine Scripting: Vmss Run Command N Deploy to Azure
AZT302.1 Unmanaged Scripting: Automation Account Hybrid Worker Group Deploy to Azure
AZT302.2 Unmanaged Scripting: Automation Account RunAs Account Deploy to Azure
AZT302.3 Unmanaged Scripting: Automation Account Managed Identity Account Deploy to Azure

Privilege Escalation

ID Name Deploy
AZT402 Elevated Access Toggle Deploy to Azure
AZT403.1 Local Resource Hijack: Cloud Shell .IMG Deploy to Azure
AZT404.1 Function Application Deploy to Azure
AZT405.1 Azure AD Application: Application Role Deploy to Azure
AZT405.2 Azure AD Application: Application API Permissions Deploy to Azure
AZT405.3 Azure AD Application: Application Registration Owner Deploy to Azure

Persistence

ID Name Deploy
AZT501.1 Account Manipulation: User Account Manipulation Deploy to Azure
AZT501.2 Account Manipulation: Service Principal Account Deploy to Azure
AZT501.3 Account Manipulation: Azure VM Local Administrator Manipulation Deploy to Azure
AZT502.1 Account Creation: User Account Creation Deploy to Azure
AZT502.2 Account Creation: Service Principal Creation Deploy to Azure
AZT502.3 Account Creation: Guest Account Creation Deploy to Azure
AZT503.1 HTTP Trigger: Logic Application HTTP Trigger Deploy to Azure
AZT503.2 HTTP Trigger: Function App HTTP Trigger Deploy to Azure
AZT503.3 HTTP Trigger: Runbook Webhook Deploy to Azure
AZT503.4 HTTP Trigger: WebJob Deploy to Azure
AZT504 Watcher Tasks Deploy to Azure
AZT505 Scheduled Jobs: Runbook Schedules Deploy to Azure
AZT506 Network Security Group Modification Deploy to Azure
AZT508 Azure Policy Deploy to Azure

Credential Access

ID Name Deploy
AZT601.1 Steal Managed Identity JsonWebToken: Virtual Machine IMDS Request Deploy to Azure
AZT601.2 Steal Managed Identity JsonWebToken: Azure Kubernetes Service IMDS Request Deploy to Azure
AZT601.3 Steal Managed Identity JsonWebToken: Logic Application JWT PUT Request Deploy to Azure
AZT601.5 Steal Managed Identity JsonWebToken: Automation Account Runbook Deploy to Azure
AZT602.1 Steal Service Principal Certificate: Automation Account RunAs Account Deploy to Azure
AZT604.1 Azure Key Vault Dumping: Azure Key Vault Secret Dump Deploy to Azure
AZT604.2 Azure Key Vault Dumping: Azure Key Vault Certificate Dump Deploy to Azure
AZT604.3 Azure Key Vault Dumping: Azure Key Vault Key Dump Deploy to Azure
AZT605.1 Resource Secret Reveal: Storage Account Access Key Dumping Deploy to Azure
AZT605.2 Resource Secret Reveal: Automation Account Credential Secret Dump Deploy to Azure

Exfiltration

ID Name Deploy
AZT701.1 SAS URI Generation: VM Disk SAS URI Deploy to Azure
AZT701.2 SAS URI Generation: Storage Account File Share SAS Deploy to Azure
AZT703.1 Replication: Storage Account Replication Deploy to Azure
AZT704.1 Soft-Delete Recovery: Key Vault Deploy to Azure
AZT704.2 Soft-Delete Recovery: Key Vault Deploy to Azure

Contributing

This project welcomes contributions and suggestions. Most contributions require you to agree to a Contributor License Agreement (CLA) declaring that you have the right to, and actually do, grant us the rights to use your contribution. For details, visit https://cla.opensource.microsoft.com.

When you submit a pull request, a CLA bot will automatically determine whether you need to provide a CLA and decorate the PR appropriately (e.g., status check, comment). Simply follow the instructions provided by the bot. You will only need to do this once across all repos using our CLA.

This project has adopted the Microsoft Open Source Code of Conduct. For more information see the Code of Conduct FAQ or contact [email protected] with any additional questions or comments.

Trademarks

This project may contain trademarks or logos for projects, products, or services. Authorized use of Microsoft trademarks or logos is subject to and must follow Microsoft's Trademark & Brand Guidelines. Use of Microsoft trademarks or logos in modified versions of this project must not cause confusion or imply Microsoft sponsorship. Any use of third-party trademarks or logos are subject to those third-party's policies.

About

A collection of ARM-based detections for Azure/AzureAD based TTPs

Resources

License

Stars

Watchers

Forks

Releases

No releases published

Packages

No packages published

Languages

  • PowerShell 100.0%