Azure Add App Role Assignment To Service Principal
Grants an application role to a service principal, allowing it to act with that role's permissions within the application.
Persistence
Persistence
Section titled “Persistence”The adversary is trying to maintain their foothold.
Persistence consists of techniques that adversaries use to keep access to systems across restarts, changed credentials, and other interruptions that could cut off their access. Techniques used for persistence include any access, action, or configuration changes that let them maintain their foothold on systems, such as replacing or hijacking legitimate code or adding startup code.
In cloud environments, adversaries persist by creating new IAM users or roles, attaching policies that grant backdoor access, deploying long-lived API keys, or modifying identity federation settings. They may also create resources like Lambda functions or scheduled tasks that maintain their access even if initial credentials are revoked.
View Persistence on MITRE ATT&CK →Events Related to Persistence
Section titled “Events Related to Persistence”Azure Add Application
Creates and registers a new application in Microsoft Entra ID, establishing an identity that can authenticate and request access tokens.
Azure Add Eligible Member To Role In Pim Completed
Adds a user as an eligible member for a privileged role in Azure PIM, allowing them to activate the role on demand.
Azure Add Federated Identity Credential
Adds a federated identity credential to an application, enabling secretless persistent access via workload identity federation.
Azure Add Member To Role
Directly assigns a user or service principal to an Entra ID directory role, granting that role's permissions.
Azure Add Owner To Application
Adds an owner to an Entra ID application registration, granting them management rights over the application.
Azure Add Role Definition
Creates a new custom Azure RBAC role definition with specified allowed and denied actions.
Azure Add Service Principal
Creates a service principal in Entra ID, representing the identity instance of an application within a tenant.
Azure Add User
Creates a new user account in Microsoft Entra ID.
Azure Add Verified Domain
Adds a custom domain to a Microsoft Entra ID tenant and initiates the domain verification process.
GCP add-iam-policy-binding
Adds an IAM policy binding to a GCP resource, granting a member (user, group, or service account) a specified role.
AWS AddPermission20150331v2
Adds a permission to a Lambda function's resource-based policy, allowing specified principals to invoke the function.
AWS AddRoleToInstanceProfile
Adds an IAM role to an EC2 instance profile, enabling EC2 instances to assume that role and access AWS services.
AWS AddUserToGroup
Adds an IAM user to a specified group, granting the user all permissions attached to that group.
Azure Admin Registered Security Info
Records an administrator registering authentication methods (e.g., MFA) on behalf of another user in Entra ID.
AWS AttachGroupPolicy
Attaches a managed IAM policy to a group, granting all group members the permissions defined in that policy.
AWS AttachRolePolicy
Attaches a managed IAM policy to an IAM role, granting the role the permissions defined in that policy.
AWS AttachUserPolicy
Attaches a managed IAM policy directly to an IAM user, granting them the permissions defined in that policy.
AWS ChangePassword
Allows an IAM user to change their own AWS Management Console login password.
GCP compute.disks.setIamPolicy
Sets the IAM policy on a Compute Engine persistent disk, controlling which principals have access to it.
GCP Compute.instances.setMetadata
Sets or updates instance-level metadata on a Compute Engine VM, which can include SSH keys or startup scripts.
GCP compute.projects.setCommonInstanceMetadata
Sets project-wide Compute Engine metadata, applied to all instances and commonly used to manage SSH keys.
Azure Consent To Application
Records an admin or user granting an Entra ID application permission to access resources via an OAuth 2.0 consent grant.
AWS CreateAccessEntry
Creates an access entry for an EKS cluster, granting an IAM principal Kubernetes API access via EKS access management.
AWS CreateAccessKey
Creates a new long-term access key for an IAM user, enabling programmatic access to AWS services.
AWS CreateAccount
Creates a new AWS account as a member of an AWS Organization under the management account.
AWS CreateAssociation
Creates an SSM State Manager association, binding a document to instances for persistent or scheduled command execution.
AWS CreateKeyPair
Creates an EC2 key pair and returns the private key material, used for SSH authentication to EC2 instances.
AWS CreateLoginProfile
Creates a password for an IAM user, enabling them to sign into the AWS Management Console.
AWS CreateOpenIDConnectProvider
Registers an OIDC identity provider with IAM, enabling federated access from external identity systems like GitHub Actions.
AWS CreatePolicy
Creates a new managed IAM policy that can be attached to users, groups, or roles to define permissions.
AWS CreateRole
Creates a new IAM role with a trust policy that defines which principals are permitted to assume it.
GCP CreateRole
Creates a custom IAM role in GCP with a specified set of granular permissions.
AWS CreateSAMLProvider
Registers a SAML 2.0 identity provider metadata document with IAM, enabling federated authentication via SAML.
AWS CreateStack
Creates a CloudFormation stack by provisioning AWS resources defined in a specified template.
AWS CreateUser
Creates a new IAM user in the AWS account for programmatic or console-based access.
AWS CreateVirtualMFADevice
Creates a virtual MFA device that can be associated with an IAM user for multi-factor authentication.
AWS DeleteVirtualMFADevice
Deletes a virtual MFA device, weakening account security by removing multi-factor authentication.
Azure Disable Strong Authentication
Disables multi-factor authentication for a user account, weakening authentication security.
AWS EnableRegion
Enables a previously disabled AWS region for the account, making its services available for use.
GCP EnableServiceAccount
Re-enables a previously disabled GCP service account, restoring its ability to authenticate and make API calls.
GCP google.iam.admin.v1.CreateServiceAccountKey
Creates a new key for a GCP service account, producing a JSON credentials file for programmatic authentication. This is the admin activity audit log format; see also iam.serviceAccountKeys.create for the data access format.
GCP google.iam.admin.v1.SetIAMPolicy or SetIAMPolicy
Replaces the complete IAM policy for a GCP resource, controlling access for all principals.
GCP google.iam.admin.v1.UploadServiceAccountKey
Uploads an external key to a service account, enabling persistent access that survives credential rotation.
GCP iam.roles.update
Updates an existing custom IAM role, modifying its set of permitted permissions.
GCP iam.serviceAccountKeys.create
Creates a new key for a GCP service account, generating credentials for external services to authenticate as the account. This is the data access audit log format; see also google.iam.admin.v1.CreateServiceAccountKey for the admin activity format.
AWS ImportKeyPair
Imports an existing RSA or ED25519 public key into EC2 for use as a key pair when launching instances.
Azure Invite External User
Sends a B2B guest invitation to an external user, granting them access to the tenant's resources.
Azure Microsoft.Authorization/roleAssignments/write
Creates or updates an Azure RBAC role assignment, granting a principal specific permissions on a resource or scope.
Azure Microsoft.Automation/automationAccounts/jobs/write
Creates or starts a runbook job in an Azure Automation account.
Azure Microsoft.Automation/automationAccounts/runbooks/write
Creates or updates a runbook in an Azure Automation account.
Azure Microsoft.Automation/automationAccounts/webhooks/write
Creates or updates a webhook that can trigger an Azure Automation runbook remotely.
Azure Microsoft.Compute/sshPublicKeys/write
Creates or updates an SSH public key resource in Azure, used to authenticate to Linux virtual machines.
Azure Microsoft.Compute/virtualMachines/extensions/write
Installs or updates a VM extension on an Azure virtual machine, which can run scripts or install software agents.
Azure Microsoft.Compute/virtualMachines/write (CustomScriptExtension)
Creates or updates an Azure VM with a Custom Script Extension, executing a script on the VM at provisioning time.
Azure Microsoft.Directory/groups/members/update
Adds or removes members from an Entra ID security group or Microsoft 365 group.
Azure Microsoft.Directory/servicePrincipals/credentials/update
Adds or updates credentials (client secrets or certificates) for an Entra ID service principal.
Azure Microsoft.ManagedIdentity/userAssignedIdentities/assign/action
Assigns a user-assigned managed identity to an Azure resource, enabling it to authenticate to other Azure services.
AWS PassRole
Allows a principal to pass an IAM role to an AWS service, granting the service permission to assume that role on their behalf.
AWS PutGroupPolicy
Creates or updates an inline policy embedded directly in an IAM group.
AWS PutImage
Pushes a container image to ECR, potentially introducing backdoored images into the deployment pipeline.
AWS PutRolePolicy
Creates or updates an inline policy embedded directly in an IAM role.
AWS PutRule
Creates an EventBridge rule that triggers on specific events, used for persistent execution of Lambda or other targets.
AWS PutTargets
Adds or updates targets for an EventBridge rule, defining which resources are invoked when the rule matches an event.
AWS PutUserPolicy
Creates or updates an inline policy embedded directly in an IAM user.
AWS ReplaceIamInstanceProfileAssociation
Replaces the IAM instance profile associated with a running EC2 instance with a different one.
Azure Reset User Password
Resets an Entra ID user's password through an administrative action.
AWS SendSSHPublicKey
Pushes a temporary SSH public key to an EC2 instance via EC2 Instance Connect, valid for 60 seconds.
GCP storage.hmacKeys.create
Creates HMAC keys for S3-compatible access to Cloud Storage, providing a persistent access mechanism often missed by defenders.
Azure Update Role Definition
Modifies an existing custom Azure RBAC role definition, updating its allowed or denied actions.
Azure Update User Authentication Methods
Changes the MFA or passwordless authentication methods registered for a user in Microsoft Entra ID.
AWS UpdateAccessKey
Changes the status of an IAM user's access key between Active and Inactive.
AWS UpdateAssumeRolePolicy
Updates the trust policy of an IAM role, changing which principals are permitted to assume it.
AWS UpdateFunctionCode20150331v2
Updates the code of an existing Lambda function with a new deployment package or container image URI.
AWS UpdateFunctionConfiguration20150331v2
Updates Lambda function configuration including environment variables, IAM role, or layers — used to inject credentials or swap execution context.
AWS UpdateLoginProfile
Updates the console login password for an IAM user.
GCP users.importSshPublicKey
Imports an SSH public key into a user's GCP OS Login profile, enabling SSH access to Compute Engine instances.
GCP users.sshPublicKeys.patch
Updates an existing SSH public key in a user's GCP OS Login profile.