-
Notifications
You must be signed in to change notification settings - Fork 259
/
Copy pathtmss.json
630 lines (630 loc) · 30.8 KB
/
tmss.json
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
628
629
630
{
"authors": [
"Evgeny Bogokovsky",
"Microsoft",
"Ram Pliskin"
],
"category": "tmss",
"description": "Microsoft Defender for Cloud threat matrix for storage services contains attack tactics, techniques and mitigations relevant storage services delivered by cloud providers.",
"name": "Threat Matrix for storage services",
"source": "/~https://github.com/microsoft/Threat-matrix-for-storage-services",
"type": "tmss",
"uuid": "aaf033a6-7f1e-45ab-beef-20a52b75b641",
"values": [
{
"description": "Attackers may execute active reconnaissance scans to gather storage account names that becomes a potential target. Active scans are those where the adversary probes victim infrastructure via network traffic, as opposed to other forms of reconnaissance that do not involve direct interaction.",
"meta": {
"external_id": "MS-T801",
"kill_chain": [
"TMSS-tactics:Reconnaissance"
],
"refs": [
"https://microsoft.github.io/Threat-matrix-for-storage-services/techniques/storage-account-discovery"
]
},
"related": [
{
"dest-uuid": "67073dde-d720-45ae-83da-b12d5e73ca3b",
"type": "related-to"
}
],
"uuid": "106eb589-71e3-58a1-a37e-916cdc902414",
"value": "MS-T801 - Storage account discovery"
},
{
"description": "Attackers may use search engines to collect information about victim storage accounts that can be used during targeting. Search engine services typical crawl online sites to index context and may provide users with specialized syntax to search for specific keywords such as storage accounts domain names (site:*.blob.core.windows.net)",
"meta": {
"external_id": "MS-T804",
"kill_chain": [
"TMSS-tactics:Reconnaissance"
],
"refs": [
"https://microsoft.github.io/Threat-matrix-for-storage-services/techniques/search-engines"
]
},
"uuid": "044be881-7476-5fbe-a760-bdf9cf949cab",
"value": "MS-T804 - Search engines"
},
{
"description": "Attackers may search public databases for publicly available storage accounts that can be used during targeting.",
"meta": {
"external_id": "MS-T803",
"kill_chain": [
"TMSS-tactics:Reconnaissance"
],
"refs": [
"https://microsoft.github.io/Threat-matrix-for-storage-services/techniques/databases-of-public-accounts"
]
},
"related": [
{
"dest-uuid": "55fc4df0-b42c-479a-b860-7a6761bcaad0",
"type": "related-to"
}
],
"uuid": "ef3d435e-8ca6-5864-a882-e7b092870719",
"value": "MS-T803 - Databases of publicly available storage accounts"
},
{
"description": "Attackers may search for DNS data for valid storage account names that can become potential targets. Threat actors can query nameservers using brute-force technique to enumerate existing storage accounts in the wild, or search through centralized repositories of logged DNS query responses (known as passive DNS).",
"meta": {
"external_id": "MS-T826",
"kill_chain": [
"TMSS-tactics:Reconnaissance"
],
"refs": [
"https://microsoft.github.io/Threat-matrix-for-storage-services/techniques/dns-passive-dns"
]
},
"uuid": "e5b2e210-fedb-5651-bb82-484e9f0dfde8",
"value": "MS-T826 - DNS/Passive DNS"
},
{
"description": "Attackers may look for storage accounts of a victim enterprise by searching its websites. Victim-owned website pages may be stored on a storage account or contain links to retrieve data stored in a storage account. The links contain the URL of the storage and provide an entry point into the account.",
"meta": {
"external_id": "MS-T805",
"kill_chain": [
"TMSS-tactics:Reconnaissance"
],
"refs": [
"https://microsoft.github.io/Threat-matrix-for-storage-services/techniques/victim-owned-websites"
]
},
"related": [
{
"dest-uuid": "16cdd21f-da65-4e4f-bc04-dd7d198c7b26",
"type": "related-to"
}
],
"uuid": "53e65db3-5177-56fc-ae07-088c9919463e",
"value": "MS-T805 - Victim-owned websites"
},
{
"description": "A shared access signature (SAS) is a token, that is appended to the a uniform resource identifier (URI) for a storage resource, that grants restricted access rights over the associated resource in your storage account. Attackers may get a SAS token using one of the Credential Access techniques or during the reconnaissance process through social engineering.",
"meta": {
"external_id": "MS-T814",
"kill_chain": [
"TMSS-tactics:Initial Access"
],
"refs": [
"https://microsoft.github.io/Threat-matrix-for-storage-services/techniques/valid-sas-token"
]
},
"uuid": "1900b9ba-0b3c-5ad7-bdd0-ac8c40a8da0a",
"value": "MS-T814 - Valid SAS token"
},
{
"description": "Attackers may get a shared key using one of Credential Access techniques or capture one earlier in their reconnaissance process through social engineering to gain initial access. Adversaries may leverage keys left in source code or configuration files. Sophisticated attackers may also obtain keys from hosts (virtual machines) that have mounted File Share on their system (SMB). Shared key provides unrestricted permissions over all data plane operations.",
"meta": {
"external_id": "MS-T815",
"kill_chain": [
"TMSS-tactics:Initial Access"
],
"refs": [
"https://microsoft.github.io/Threat-matrix-for-storage-services/techniques/valid-shared-key"
]
},
"uuid": "3348438e-9ed7-5aa3-b60b-8c97075c0550",
"value": "MS-T815 - Valid shared key"
},
{
"description": "Attackers may steal account credentials using one of the credential access techniques or capture an account earlier in their reconnaissance process through social engineering to gain initial access. An authorized principal account can result in full control of storage account resources.",
"meta": {
"external_id": "MS-T816",
"kill_chain": [
"TMSS-tactics:Initial Access"
],
"refs": [
"https://microsoft.github.io/Threat-matrix-for-storage-services/techniques/authorized-principal-account"
]
},
"uuid": "ad800a27-4d29-58f4-962e-f3b01acea800",
"value": "MS-T816 - Authorized principal account"
},
{
"description": "Attackers may leverage publicly exposed storage accounts to list containers/blobs and their properties. Azure Storage supports optional anonymous public read access for containers and blobs. By default, anonymous access to your data is never permitted. Unless you explicitly enable anonymous access, all requests to a container and its blobs must be authorized. When you configure a container's public access level setting to permit anonymous access, clients can read data in that container without authorizing the request.",
"meta": {
"external_id": "MS-T817",
"kill_chain": [
"TMSS-tactics:Initial Access"
],
"refs": [
"https://microsoft.github.io/Threat-matrix-for-storage-services/techniques/anonymous-public-read-access"
]
},
"uuid": "3e5fba42-41c6-54ff-8977-e9f861f9e039",
"value": "MS-T817 - Anonymous public read access"
},
{
"description": "Attackers may obtain and abuse credentials of an SFTP account as a means of gaining initial access. SFTP is a prevalent file transfer protocol between a client and a remote service. Once the user connects to the cloud storage service, the user can upload and download blobs and perform other operations that are supported by the protocol. SFTP connection requires SFTP accounts which are managed locally in the storage service instance, including credentials in a form of passwords or key-pairs.",
"meta": {
"external_id": "MS-T825",
"kill_chain": [
"TMSS-tactics:Initial Access"
],
"refs": [
"https://microsoft.github.io/Threat-matrix-for-storage-services/techniques/sftp-credentials"
]
},
"uuid": "abc4f207-7149-54cb-baa8-685506759e03",
"value": "MS-T825 - SFTP credentials"
},
{
"description": "Attackers may perform initial access to a storage account using NFS protocol where enabled. While access is restricted to a list of allowed virtual networks that are configured on the storage account firewall, connection via NFS protocol does not require authentication and can be performed by any source on the specified networks.",
"meta": {
"external_id": "MS-T827",
"kill_chain": [
"TMSS-tactics:Initial Access"
],
"refs": [
"https://microsoft.github.io/Threat-matrix-for-storage-services/techniques/nfs-access"
]
},
"uuid": "6b17039c-ec8b-54af-8363-232d5acef0e3",
"value": "MS-T827 - NFS access"
},
{
"description": "Attackers may perform initial access to a storage account file shares using Server Message Block (SMB) protocol.",
"meta": {
"external_id": "MS-T828",
"kill_chain": [
"TMSS-tactics:Initial Access"
],
"refs": [
"https://microsoft.github.io/Threat-matrix-for-storage-services/techniques/smb-access"
]
},
"uuid": "2ede6cb7-2d42-577d-814d-a767b0dccf83",
"value": "MS-T828 - SMB access"
},
{
"description": "Attackers may set a replication policy between source and destination containers that asynchronously copies objects from source to destination. This feature can be maliciously misused in both directions. Outbound replication can serve as an exfiltration channel of customer data from the victim's container to an adversary's container. Inbound replication can be used to deliver malware from an adversary's container to a victim's container. After the policy is set, the attacker can operate on their container without accessing the victim container.",
"meta": {
"external_id": "MS-T840",
"kill_chain": [
"TMSS-tactics:Exfiltration",
"TMSS-tactics:Initial Access"
],
"refs": [
"https://microsoft.github.io/Threat-matrix-for-storage-services/techniques/object-replication"
]
},
"related": [
{
"dest-uuid": "d4bdbdea-eaec-4071-b4f9-5105e12ea4b6",
"type": "related-to"
}
],
"uuid": "8fdc8739-5b51-51c8-b290-f94a3bd07271",
"value": "MS-T840 - Object replication"
},
{
"description": "Attackers may disable firewall protection or set additional firewall rules to masquerade their access channel. Azure Storage offers a set of built-in network access features. Administrators can leverage these capabilities to restrict access to storage resources. Restriction rules can operate at the IP level or VNet IDs. When network rules are configured, only requests originated from authorized subnets will be served.",
"meta": {
"external_id": "MS-T813",
"kill_chain": [
"TMSS-tactics:Defense Evasion",
"TMSS-tactics:Persistence"
],
"refs": [
"https://microsoft.github.io/Threat-matrix-for-storage-services/techniques/firewall-configuration-changes"
]
},
"uuid": "a608566b-99bc-523c-9e7c-0e220fe2c972",
"value": "MS-T813 - Firewall and virtual networks configuratioin changes"
},
{
"description": "Storage services offer built-in RBAC roles that encompass sets of permissions used to access different data types. Definition of custom roles is also supported. Upon assignment of an RBAC role to an identity object (like Azure AD security principal) the storage provider grants access to that security principal. Attackers may leverage the RBAC mechanism to ensure persistent access to their owned identity objects.",
"meta": {
"external_id": "MS-T808",
"kill_chain": [
"TMSS-tactics:Defense Evasion",
"TMSS-tactics:Persistence"
],
"refs": [
"https://microsoft.github.io/Threat-matrix-for-storage-services/techniques/rbac-permission"
]
},
"uuid": "bf27614e-18ca-5ab0-add4-610777067754",
"value": "MS-T808 - Role-based access control permission"
},
{
"description": "Attackers may create a high-privileged SAS token with long expiry to preserve valid credentials for a long period. The tokens are not monitored by storage accounts thus they cannot be revoked (except Service SAS) and it's not easy to determine whether there are valid tokens in the wild until they are used.",
"meta": {
"external_id": "MS-T806",
"kill_chain": [
"TMSS-tactics:Persistence"
],
"refs": [
"https://microsoft.github.io/Threat-matrix-for-storage-services/techniques/create-sas-token"
]
},
"uuid": "5eefa8fc-0ae5-57f1-9a65-389186e25ca4",
"value": "MS-T806 - Create SAS token"
},
{
"description": "Attackers may adjust the container access level property at the granularity of a blob or container, to permit anonymous read access to data in the storage account. This configuration secures a channel to exfiltrate data even if the initial access technique is no longer valid.",
"meta": {
"external_id": "MS-T807",
"kill_chain": [
"TMSS-tactics:Persistence"
],
"refs": [
"https://microsoft.github.io/Threat-matrix-for-storage-services/techniques/container-access-level-property"
]
},
"uuid": "17061b42-9706-5594-9ac2-2b9dd2150649",
"value": "MS-T807 - Container access level property"
},
{
"description": "Attackers may create an SFTP account to maintain access to a target storage account. The SFTP account is local on the storage instance and is not subject to Azure RBAC permissions. The account is also unaffected in case of storage account access keys rotation.",
"meta": {
"external_id": "MS-T809",
"kill_chain": [
"TMSS-tactics:Persistence"
],
"refs": [
"https://microsoft.github.io/Threat-matrix-for-storage-services/techniques/sftp-account"
]
},
"uuid": "a31f49b0-5c72-577a-9f73-198daa685f17",
"value": "MS-T809 - SFTP account"
},
{
"description": "Attackers may configure the storage account firewall to allow access by trusted Azure services. Azure Storage provides a predefined list of trusted services. Any resource from that list that belongs to the same subscription as the storage account is allowed by the firewall even if there is no firewall rule that explicitly permits the source address of the resource.",
"meta": {
"external_id": "MS-T830",
"kill_chain": [
"TMSS-tactics:Persistence"
],
"refs": [
"https://microsoft.github.io/Threat-matrix-for-storage-services/techniques/trusted-azure-services"
]
},
"uuid": "c78756dd-1bb7-5145-bb82-8268b55d1996",
"value": "MS-T830 - Trusted Azure services"
},
{
"description": "Attackers may configure the storage account firewall to allow access by specific resource instances based on their system-assigned managed identity, regardless of their source address. The resource type can be chosen from a predefined list provided by Azure Storage, and the resource instance must be in the same tenant as the storage account. The RBAC permissions of the resource instance determine the types of operations that a resource instance can perform on storage account data.",
"meta": {
"external_id": "MS-T829",
"kill_chain": [
"TMSS-tactics:Persistence"
],
"refs": [
"https://microsoft.github.io/Threat-matrix-for-storage-services/techniques/trusted-access-managed-identity"
]
},
"uuid": "0f60104b-65bd-5ca4-8286-d83c6310d5b0",
"value": "MS-T829 - Trusted access based on a managed identity"
},
{
"description": "Attackers may set private endpoints for a storage account to establish a separate communication channel from a target virtual network. The new endpoint is assigned with a private IP address within the virtual network's address range. All the requests sent to the private endpoint bypass the storage account firewall by design.",
"meta": {
"external_id": "MS-T812",
"kill_chain": [
"TMSS-tactics:Defense Evasion",
"TMSS-tactics:Persistence"
],
"refs": [
"https://microsoft.github.io/Threat-matrix-for-storage-services/techniques/private-endpoint"
]
},
"uuid": "b57fb931-e898-59f2-b456-fefce5e19e99",
"value": "MS-T812 - Private endpoint"
},
{
"description": "Storage services offer different types of cloning or backup data stored on them. Attackers may abuse these built-in capabilities to steal sensitive documents, source code, credentials, and other business crucial information.",
"meta": {
"external_id": "MS-T841",
"kill_chain": [
"TMSS-tactics:Defense Evasion"
],
"refs": [
"https://microsoft.github.io/Threat-matrix-for-storage-services/techniques/storage-data-clone"
]
},
"uuid": "1581f347-b5bf-5237-b4cf-9005fbe0fcf6",
"value": "MS-T841 - Storage data clone"
},
{
"description": "Attackers may fragment stolen information and exfiltrate it on different size chunks to avoid being detected by triggering potentially predefined transfer threshold alerts.",
"meta": {
"external_id": "MS-T831",
"kill_chain": [
"TMSS-tactics:Defense Evasion",
"TMSS-tactics:Exfiltration"
],
"refs": [
"https://microsoft.github.io/Threat-matrix-for-storage-services/techniques/data-transfer-size-limits"
]
},
"related": [
{
"dest-uuid": "c3888c54-775d-4b2f-b759-75a2ececcbfd",
"type": "related-to"
}
],
"uuid": "30de37bf-a416-5f25-8396-a2af42ff437a",
"value": "MS-T831 - Data transfer size limits"
},
{
"description": "Attackers may exploit legitimate automation processes, predefined by the compromised organization, with the goal of having their logging traces blend in normally within the company’s typical activities. Assimilating or disguising malicious intentions will keep adversary actions, such as data theft, stealthier.",
"meta": {
"external_id": "MS-T832",
"kill_chain": [
"TMSS-tactics:Defense Evasion",
"TMSS-tactics:Exfiltration"
],
"refs": [
"https://microsoft.github.io/Threat-matrix-for-storage-services/techniques/automated-exfiltration"
]
},
"related": [
{
"dest-uuid": "774a3188-6ba9-4dc4-879d-d54ee48a5ce9",
"type": "related-to"
}
],
"uuid": "f4a35b50-b56b-5663-8a84-e2235cee712f",
"value": "MS-T832 - Automated exfiltration"
},
{
"description": "Attackers may disable storage account audit logs to prevent event tracking and avoid detection. Audit logs provide a detailed record of operations performed on a target storage account and may be used to detect malicious activities. Thus, disabling these logs can leave a resource vulnerable to attacks without being detected.",
"meta": {
"external_id": "MS-T810",
"kill_chain": [
"TMSS-tactics:Defense Evasion"
],
"refs": [
"https://microsoft.github.io/Threat-matrix-for-storage-services/techniques/disable-audit-logs"
]
},
"uuid": "ef893695-23f7-5f90-9135-9c50a259abe1",
"value": "MS-T810 - Disable audit logs"
},
{
"description": "Attackers may disable the cloud workload protection service which raises security alerts upon detection of malicious activities in cloud storage services.",
"meta": {
"external_id": "MS-T811",
"kill_chain": [
"TMSS-tactics:Defense Evasion"
],
"refs": [
"https://microsoft.github.io/Threat-matrix-for-storage-services/techniques/disable-protection-service"
]
},
"uuid": "14af4a95-e84c-52fb-80ac-0f3aeb13a643",
"value": "MS-T811 - Disable cloud workload protection"
},
{
"description": "Attackers may split their requests across geo replicas to reduce the footprint in each region and avoid being detected by various rules and heuristics.",
"meta": {
"external_id": "MS-T833",
"kill_chain": [
"TMSS-tactics:Defense Evasion"
],
"refs": [
"https://microsoft.github.io/Threat-matrix-for-storage-services/techniques/operations-across-geo-replicas"
]
},
"uuid": "7853ec1a-6440-5119-a719-0cee735f3034",
"value": "MS-T833 - Operations across geo replicas"
},
{
"description": "Attackers may leverage subscription/account-level access to gather storage account keys and use these keys to authenticate at the resource level. This technique exhibits cloud resource pivoting in combination with control management and data planes. Adversaries can query management APIs to fetch primary and secondary storage account keys.",
"meta": {
"external_id": "MS-T818",
"kill_chain": [
"TMSS-tactics:Credential Access"
],
"refs": [
"https://microsoft.github.io/Threat-matrix-for-storage-services/techniques/access-key-query"
]
},
"related": [
{
"dest-uuid": "890c9858-598c-401d-a4d5-c67ebcdd703a",
"type": "related-to"
}
],
"uuid": "06735c35-4f9d-5ba4-9f05-7d087eac2e84",
"value": "MS-T818 - Access key query"
},
{
"description": "Cloud Shell is an interactive, authenticated, browser-accessible shell for managing cloud resources. It provides the flexibility of shell experience, either Bash or PowerShell. To support the Cloud Shell promise of being accessible from everywhere, Cloud Shell profiles and session history are saved on storage account. Attackers may leverage the legitimate use of Cloud Shell to impersonate account owners and potentially obtain additional secrets logged as part of session history.",
"meta": {
"external_id": "MS-T834",
"kill_chain": [
"TMSS-tactics:Credential Access"
],
"refs": [
"https://microsoft.github.io/Threat-matrix-for-storage-services/techniques/cloud-shell-profiles"
]
},
"uuid": "cf858945-94ff-5d2d-ab02-bfe15626d8b3",
"value": "MS-T834 - Cloud shell profiles"
},
{
"description": "Attackers may sniff network traffic and capture credentials sent over an insecure protocol. When Storage account is configured to support unencrypted protocol such as HTTP, credentials are passed over the wire unprotected and are susceptible to leakage. The attacker can use the compromised credentials to gain initial access to the storage account.",
"meta": {
"external_id": "MS-T819",
"kill_chain": [
"TMSS-tactics:Credential Access"
],
"refs": [
"https://microsoft.github.io/Threat-matrix-for-storage-services/techniques/unsecured-communication-channel"
]
},
"related": [
{
"dest-uuid": "3257eb21-f9a7-4430-8de1-d8b6e288f529",
"type": "related-to"
}
],
"uuid": "37baec71-2c4e-5904-94c4-5bf1c88623b6",
"value": "MS-T819 - Unsecured communication channel"
},
{
"description": "Attackers may leverage access permission to explore the stored objects in the storage account. Tools witnessed, at the reconnaissance phase, are oftentimes used toward this post-compromise information-gathering objective, now with authorization to access storage APIs, such as the List Blobs call.",
"meta": {
"external_id": "MS-T820",
"kill_chain": [
"TMSS-tactics:Discovery"
],
"refs": [
"https://microsoft.github.io/Threat-matrix-for-storage-services/techniques/storage-service-discovery"
]
},
"uuid": "559ab713-b18f-5649-ab34-608a1f00a663",
"value": "MS-T820 - Storage service discovery"
},
{
"description": "Attackers may leverage control plane access permission to retrieve the storage account configuration. The configuration contains various technical details that may assist the attacker in implementing a variety of tactics. For example, firewall configuration provides network access information. Other parameters may reveal whether access operations are logged. The configuation may also contain the backup policy that may assist the attacker in performing data destruction.",
"meta": {
"external_id": "MS-T835",
"kill_chain": [
"TMSS-tactics:Discovery"
],
"refs": [
"https://microsoft.github.io/Threat-matrix-for-storage-services/techniques/account-configuration-discovery"
]
},
"uuid": "a58c9198-8b41-5d88-b856-ee48801b3a79",
"value": "MS-T835 - Account configuration discovery"
},
{
"description": "Attackers may use storage services to store a malicious program or toolset that will be executed at later times during their operation. In addition, adversaries may exploit the trust between users and their organization’s Storage services by storing phishing content. Furthermore, storage services can be leveraged to park gathered intelligence that will be exfiltrated when terms suit the actor group.",
"meta": {
"external_id": "MS-T821",
"kill_chain": [
"TMSS-tactics:Lateral Movement"
],
"refs": [
"https://microsoft.github.io/Threat-matrix-for-storage-services/techniques/malicious-content-upload"
]
},
"uuid": "23539a72-5e00-5775-8f7d-24f364dd5bb7",
"value": "MS-T821 - Malicious content upload"
},
{
"description": "Storage services offer different types of mechanisms to support auto-synchronization between various resources and the storage account. Attackers may leverage access to the storage account to upload malware and benefit from the auto-sync built-in capabilities to have their payload being populated and potentially weaponize multiple systems.",
"meta": {
"external_id": "MS-T822",
"kill_chain": [
"TMSS-tactics:Lateral Movement"
],
"refs": [
"https://microsoft.github.io/Threat-matrix-for-storage-services/techniques/malware-distribution"
]
},
"uuid": "a7100316-2a71-5b74-a2f2-a2529c08598c",
"value": "MS-T822 - Malware distribution"
},
{
"description": "Attackers may manipulate storage services to trigger a compute service, like Azure Functions, where an attacker already has a foothold on a storage container and can inject a blob that will initiate a chain of a compute process. This may allow an attacker to infiltrate another resource and cause harm.",
"meta": {
"external_id": "MS-T823",
"kill_chain": [
"TMSS-tactics:Lateral Movement"
],
"refs": [
"https://microsoft.github.io/Threat-matrix-for-storage-services/techniques/trigger-cross-service-interaction"
]
},
"uuid": "f9d6b919-6fe3-59ea-81a3-cbac0daacfa5",
"value": "MS-T823 - Trigger cross-service interaction"
},
{
"description": "Same is applicable for data blobs or files which may be eventually processed on a host by a legitimate application with software vulnerabilities. Attackers may tamper benign data with a payload that exploits a vulnerability on a user's end and execute a malicious code.",
"meta": {
"external_id": "MS-T824",
"kill_chain": [
"TMSS-tactics:Lateral Movement"
],
"refs": [
"https://microsoft.github.io/Threat-matrix-for-storage-services/techniques/code-injection"
]
},
"uuid": "ac060220-18b4-5757-9f5c-2fd43f2d2f61",
"value": "MS-T824 - Code injection"
},
{
"description": "Attackers may use the \"static website\" feature to exfiltrate collected data outside of the storage account. Static website is a cloud storage provider hosting capability that enables serving static web content directly from the storage account. The website can be reached via an alternative web endpoint which might be overlooked when restricting access to the storage account.",
"meta": {
"external_id": "MS-T836",
"kill_chain": [
"TMSS-tactics:Exfiltration"
],
"refs": [
"https://microsoft.github.io/Threat-matrix-for-storage-services/techniques/static-website"
]
},
"uuid": "ae3a9c3e-3316-5165-bc98-a1df76acdee2",
"value": "MS-T836 - Static website"
},
{
"description": "Attackers may corrupt or delete data stored on storage services to disrupt the availability of systems or other lines of business.",
"meta": {
"external_id": "MS-T839",
"kill_chain": [
"TMSS-tactics:Impact"
],
"refs": [
"https://microsoft.github.io/Threat-matrix-for-storage-services/techniques/data-corruption"
]
},
"uuid": "561d0cdd-ded3-5f52-b542-afd43ca5ca09",
"value": "MS-T839 - Data corruption"
},
{
"description": "Attackers may encrypt data stored on storage services to disrupt the availability of systems or other lines of business. Making resources inaccessible by encrypting files or blobs and withholding access to a decryption key. This may be done to extract monetary compensation from a victim in exchange for decryption or a decryption key (ransomware).",
"meta": {
"external_id": "MS-T838",
"kill_chain": [
"TMSS-tactics:Impact"
],
"refs": [
"https://microsoft.github.io/Threat-matrix-for-storage-services/techniques/data-encryption-for-impact"
]
},
"uuid": "7e243d46-1e08-51ff-af85-cb80f02c7e41",
"value": "MS-T838 - Data encryption for impact (Ransomware)"
},
{
"description": "Attackers may insert or modify data in order to influence external outcomes, thus threatening the integrity of the data. By manipulating data, adversaries may attempt to affect a business process, organizational understanding, or decision making. The type of modification and the impact it will have depends on the target application and process as well as the goals and objectives of the adversary.",
"meta": {
"external_id": "MS-T837",
"kill_chain": [
"TMSS-tactics:Impact"
],
"refs": [
"https://microsoft.github.io/Threat-matrix-for-storage-services/techniques/data-manipulation"
]
},
"uuid": "f0556667-5e4e-51f9-a92c-9e92193d141a",
"value": "MS-T837 - Data manipulation"
}
],
"version": 1
}