MITRE Map
The catalog as an ATT&CK matrix: one column per tactic, one cell per technique, with the events that produce evidence for it. Click a technique ID for its context page, an event for its detail page, or filter the matrix by provider.
Provider
T1059 Command and Scripting Interpreter
CreateStack Invoke Microsoft.Automation/automationAccounts/jobs/write Microsoft.Automation/automationAccounts/runbooks/write Microsoft.Automation/automationAccounts/webhooks/action Microsoft.Compute/virtualMachines/extensions/write Microsoft.Compute/virtualMachines/runCommand/action Microsoft.Compute/virtualMachines/write (CustomScriptExtension) Microsoft.ContainerService/managedClusters/runCommand/action ModifyInstanceAttribute ResumeSession SendCommand StartBuild StartSession UpdateFunctionCode20150331v2 UpdateFunctionConfiguration20150331v2
T1072 Software Deployment Tools
T1651 Cloud Administration Command
T1098 Account Manipulation
Add App Role Assignment To Service Principal Add Application Add Eligible Member To Role In Pim Completed Add Member To Role Add Owner To Application Add Role Definition Add Service Principal Add User add-iam-policy-binding AddPermission20150331v2 AddUserToGroup Admin Registered Security Info AttachGroupPolicy AttachRolePolicy AttachUserPolicy ChangePassword compute.disks.setIamPolicy Consent To Application CreateAccessEntry CreateLoginProfile CreatePolicy CreateRole CreateRole CreateUser CreateVirtualMFADevice DeleteVirtualMFADevice EnableServiceAccount google.iam.admin.v1.SetIAMPolicy or SetIAMPolicy iam.roles.update Microsoft.Authorization/roleAssignments/write Microsoft.Directory/groups/members/update Microsoft.ManagedIdentity/userAssignedIdentities/assign/action PutGroupPolicy PutRolePolicy PutUserPolicy Reset User Password Update Role Definition Update User Authentication Methods UpdateAccessKey UpdateAssumeRolePolicy UpdateLoginProfile
T1136.003 Cloud Account
T1098.004 SSH Authorized Keys
T1546 Event Triggered Execution
T1098.001 Additional Cloud Credentials
T1556 Modify Authentication Process
T1525 Implant Internal Image
T1556.006 Multi-Factor Authentication
T1053 Scheduled Task/Job
T1098 Account Manipulation
Add App Role Assignment To Service Principal Add Application Add Eligible Member To Role In Pim Completed Add Member To Role Add Owner To Application Add Owner To Group Add Role Definition Add Service Principal add-iam-policy-binding AddUserToGroup AssociateIamInstanceProfile AttachGroupPolicy AttachRolePolicy AttachUserPolicy compute.disks.setIamPolicy compute.instances.setServiceAccount Consent To Application CreateAccessEntry CreateDevEndpoint CreateLoginProfile CreatePolicy CreatePolicyVersion CreateRole CreateRole CreateServiceLinkedRole EnableServiceAccount google.iam.admin.v1.SetIAMPolicy or SetIAMPolicy iam.roles.update Microsoft.Authorization/roleAssignments/write Microsoft.Directory/groups/members/update Microsoft.ManagedIdentity/userAssignedIdentities/assign/action PutGroupPolicy PutKeyPolicy PutRolePolicy PutUserPolicy SetDefaultPolicyVersion Update Role Definition UpdateAssumeRolePolicy UpdateDevEndpoint
T1548 Abuse Elevation Control Mechanism
add-iam-policy-binding AddRoleToInstanceProfile DeleteRolePermissionsBoundary DeleteRolePolicy DeleteUserPermissionsBoundary DeleteUserPolicy DetachRolePolicy DetachUserPolicy google.iam.admin.v1.SetIAMPolicy or SetIAMPolicy iam.serviceAccountKeys.implicitDelegation iam.serviceAccounts.actAs Microsoft.ManagedIdentity/userAssignedIdentities/assign/action PassRole ReplaceIamInstanceProfileAssociation UpdateAssumeRolePolicy
T1078.004 Cloud Accounts
AddRoleToInstanceProfile AssumeRole AssumeRoleWithSAML AssumeRoleWithWebIdentity generateAccessToken GetFederationToken GetSessionToken iam.serviceAccountKeys.implicitDelegation iam.serviceAccounts.actAs iam.serviceAccounts.signJwt Microsoft.Authorization/elevateAccess/action PassRole ReplaceIamInstanceProfileAssociation
T1484.002 Trust Modification
T1098.001 Additional Cloud Credentials
T1078.004 Cloud Accounts
AddRoleToInstanceProfile AssumeRole AssumeRoleWithSAML AssumeRoleWithWebIdentity ConsoleLogin generateAccessToken GetFederationToken GetSessionToken iam.serviceAccountKeys.implicitDelegation iam.serviceAccounts.actAs iam.serviceAccounts.signJwt Microsoft.Authorization/elevateAccess/action PassRole PasswordRecoveryRequested ReplaceIamInstanceProfileAssociation
T1070 Indicator Removal
T1535 Unused/Unsupported Cloud Regions
T1685 Disable or Modify Tools
ArchiveFindings CreateFilter CreateIPSet DeleteAccessKey DeleteAlarms DeleteBucket DeleteBucketPolicy DeleteConfigRule DeleteConfigurationRecorder DeleteDeliveryChannel DeleteDetector DeleteLoginProfile DeleteMembers DeleteRolePermissionsBoundary DeleteRolePolicy DeleteRuleGroup DeleteUser DeleteUserPermissionsBoundary DeleteUserPolicy DeleteWebACL DetachRolePolicy DetachUserPolicy DisassociateFromMasterAccount DisassociateMembers google.cloud.securitycenter.v1.SecurityCenter.SetMute LeaveOrganization Microsoft.Authorization/locks/delete Microsoft.Compute/virtualMachines/delete Microsoft.EventHub/namespaces/eventhubs/delete Microsoft.HybridCompute/machines/extensions/delete Microsoft.Insights/activityLogAlerts/delete Microsoft.Insights/metricAlerts/delete Microsoft.KeyVault/vaults/delete Microsoft.KeyVault/vaults/secrets/delete Microsoft.RecoveryServices/vaults/backupProtectedItems/delete Microsoft.Security/alertsSuppressionRules/write Microsoft.Security/autoProvisioningSettings/write Microsoft.Security/pricings/write Microsoft.Security/securitySolutions/delete Microsoft.Storage/storageAccounts/delete ModifyImageAttribute ModifyInstanceAttribute PutBucketAcl PutBucketLifecycle PutBucketLifecycleConfiguration PutBucketPolicy PutBucketPublicAccessBlock PutRolePermissionsBoundary PutUserPermissionsBoundary RemoveAccountFromOrganization ScheduleKeyDeletion secretmanager.secrets.delete SecretManagerService.DestroySecretVersion Securitycenter.settings.update StopConfigurationRecorder StopMonitoringMembers storage.buckets.delete storage.setIamPermissions TerminateInstances Update Conditional Access Policy Update named location UpdateDetector UpdateFindingsFeedback UpdateIPSet VaultPatch
T1685.002 Disable or Modify Cloud Log
DeleteEventDataStore DeleteFlowLogs DeleteLogGroup DeleteLogStream DeleteTrail google.logging.v2.ConfigServiceV2.UpdateExclusion google.logging.v2.LoggingServiceV2.DeleteLog logging.projects.exclusions.create logging.sinks.delete logging.sinks.update Microsoft.Insights/diagnosticSettings/delete Microsoft.Network/networkWatchers/flowLogs/delete Microsoft.OperationalInsights/workspaces/delete Microsoft.Storage/storageAccounts/stopLogging/action PutEventSelectors StopLogging UpdateTrail
T1686.001 Cloud Firewall
AuthorizeDBSecurityGroupIngress AuthorizeSecurityGroupEgress AuthorizeSecurityGroupIngress compute.firewalls.delete compute.firewalls.patch CreateNetworkAclEntry DeleteNetworkAcl DeleteNetworkAclEntry Microsoft.Network/networkSecurityGroups/delete Microsoft.Network/networkSecurityGroups/securityRules/write
T1556 Modify Authentication Process
T1556.006 Multi-Factor Authentication
T1578 Modify Cloud Compute Infrastructure
T1599 Network Boundary Bridging
T1552 Unsecured Credentials
GetAuthorizationToken GetParameters GetPasswordData GetSecretValue Microsoft.AppConfiguration/configurationStores/listKeys/action Microsoft.Automation/automationAccounts/credentials/read Microsoft.Batch/batchAccounts/listKeys/action Microsoft.ContainerRegistry/registries/listCredentials/action Microsoft.ContainerService/managedClusters/listClusterAdminCredential/action Microsoft.ContainerService/managedClusters/listClusterUserCredential/action Microsoft.KeyVault/vaults/certificates/read Microsoft.KeyVault/vaults/keys/read Microsoft.KeyVault/vaults/secrets/read Microsoft.OperationalInsights/workspaces/sharedKeys/action Microsoft.ServiceBus/namespaces/authorizationRules/listKeys/action Microsoft.Storage/storageAccounts/listKeys/action Microsoft.Web/sites/host/listKeys/action SecretManagerService.AccessSecretVersion
T1528 Steal Application Access Token
T1555 Credentials from Password Stores
T1526 Cloud Service Discovery
GetParameters GetSecretValue Microsoft.AppConfiguration/configurationStores/listKeys/action Microsoft.Automation/automationAccounts/credentials/read Microsoft.Batch/batchAccounts/listKeys/action Microsoft.ContainerRegistry/registries/listCredentials/action Microsoft.ContainerService/managedClusters/listClusterAdminCredential/action Microsoft.ContainerService/managedClusters/listClusterUserCredential/action Microsoft.KeyVault/vaults/certificates/read Microsoft.KeyVault/vaults/keys/read Microsoft.KeyVault/vaults/secrets/read Microsoft.OperationalInsights/workspaces/sharedKeys/action Microsoft.ServiceBus/namespaces/authorizationRules/listKeys/action Microsoft.Storage/storageAccounts/listKeys/action Microsoft.Web/sites/host/listKeys/action SecretManagerService.AccessSecretVersion
T1530 Data from Cloud Storage
bigquery.jobs.insert cloudsql.instances.export CopyBlob CopyObject CreateDBSnapshot CreateImage CreateInstanceExportTask CreateSnapshot DeleteBucketPolicy GetObject Microsoft.Compute/disks/beginGetAccess/action Microsoft.Compute/snapshots/beginGetAccess/action Microsoft.Sql/servers/databases/export/action ModifyDBInstance ModifyDBSnapshotAttribute ModifySnapshotAttribute PutBucketAcl PutBucketPolicy RestoreDBInstanceFromDBSnapshot SharedSnapshotCopyInitiated SharedSnapshotVolumeCreated StartExportTask storage.setIamPermissions
no technique mapping
T1537 Transfer Data to Cloud Account
bigquery.jobs.insert cloudsql.instances.export CopyBlob CopyObject CreateDBSnapshot CreateImage CreateInstanceExportTask CreateSnapshot GetObject Microsoft.Compute/disks/beginGetAccess/action Microsoft.Compute/snapshots/beginGetAccess/action Microsoft.Sql/servers/databases/export/action ModifyDBSnapshotAttribute ModifyImageAttribute ModifySnapshotAttribute PutBucketAcl PutBucketPolicy PutBucketReplication SharedSnapshotCopyInitiated SharedSnapshotVolumeCreated StartExportTask
T1048 Exfiltration Over Alternative Protocol
no technique mapping
T1485 Data Destruction
DeleteBucket DeleteDBCluster DeleteDBInstance DeleteFileSystem DeleteGlobalCluster DeleteObject DeleteObjects DeleteSnapshot DeleteVolume Microsoft.Compute/virtualMachines/delete Microsoft.EventHub/namespaces/eventhubs/delete Microsoft.KeyVault/vaults/delete Microsoft.KeyVault/vaults/secrets/delete Microsoft.OperationalInsights/workspaces/delete Microsoft.RecoveryServices/vaults/backupProtectedItems/delete Microsoft.Sql/servers/databases/delete Microsoft.Storage/storageAccounts/blobServices/containers/delete Microsoft.Storage/storageAccounts/delete PutBucketLifecycle PutBucketLifecycleConfiguration ScheduleKeyDeletion secretmanager.secrets.delete SecretManagerService.DestroySecretVersion storage.buckets.delete storage.objects.delete TerminateInstances
T1531 Account Access Removal
T1489 Service Stop