Git LFS file not shown
@@ -0,0 +1,18 @@
author: descambiado
id: e3a7f1c2-9b4d-4e6a-8c1f-2d5a9b7e4c31
date: '2026-06-10'
description: Added a federated identity credential to an Entra ID service principal,
pointing the trust to an external GitHub Actions OIDC issuer/repo not controlled
by the tenant. Includes one benign Update service principal event (DisplayName
change) with no FederatedIdentityCredentials property, to validate filter specificity.
Tenant specific details have been replaced in the dataset including tenant id,
user names, ips, etc.
environment: attack_range
directory: azure_ad_federated_identity_credential
mitre_technique:
- T1098.001
datasets:
- name: azure-audit
path: /datasets/attack_techniques/T1098.001/azure_ad_federated_identity_credential/azure-audit.log
sourcetype: azure:monitor:aad
source: azure
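Review bot: The sanitization statement at the end of the description ("tenant id, user names, ips, etc.") does not cover the federated credential's own fields, and azure-audit.log is an LFS file not rendered in this diff, so it cannot be checked here. Please confirm that the external OIDC issuer and GitHub repo values inside the FederatedIdentityCredentials property are placeholders rather than a real repository, and say so in the description so detection authors know which values are synthetic.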
Git LFS file not shown
@@ -0,0 +1,17 @@
author: descambiado
id: 4b8d2f6a-1c9e-4a3b-9d7f-6e2a4c8b1f95
date: '2026-06-11'
description: Changed the UserType property of an Entra ID guest account from Guest
to Member, removing the tenant-resource restrictions guest accounts normally carry.
Includes one benign Update user event (MobilePhone change) with no UserType property,
to validate filter specificity. Tenant specific details have been replaced in
the dataset including tenant id, user names, ips, etc.
environment: attack_range
directory: azure_ad_guest_user_type_changed_to_member
mitre_technique:
- T1098
datasets:
- name: azure-audit
path: /datasets/attack_techniques/T1098/azure_ad_guest_user_type_changed_to_member/azure-audit.log
sourcetype: azure:monitor:aad
source: azure
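Review bot: The benign control named in the description is an Update user event with no UserType property at all, so a detection that fires on any UserType modification, regardless of old and new value, would still pass against this dataset. Consider adding a second benign event in which UserType is present but the change is not Guest to Member, or state in the description that the dataset only validates property presence.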
Git LFS file not shown
@@ -0,0 +1,17 @@
author: descambiado
id: 7f1a9c3e-5b2d-4f8a-b6e1-3c9d5a7f2b48
date: '2026-06-12'
description: Created a Temporary Access Pass for a Global Administrator account
outside of business hours, granting an MFA/FIDO2-bypassing authentication path
into the account. Tenant specific details have been replaced in the dataset including
tenant id, user names, ips, etc.
environment: attack_range
directory: azure_ad_temporary_access_pass
mitre_technique:
- T1556.006
- T1078.004
datasets:
- name: azure-audit
path: /datasets/attack_techniques/T1556.006/azure_ad_temporary_access_pass/azure-audit.log
sourcetype: azure:monitor:aad
source: azure
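Review bot: Unlike the other two datasets in this change, the description lists no benign control event, and "outside of business hours" is stated without the event time or time zone it refers to. Add the timestamp and zone assumed so the off-hours condition can be reproduced, and include a benign event if the detection is meant to filter on more than the operation. The path is filed under T1556.006 only while mitre_technique also lists T1078.004; a short note on why the first was chosen for placement would help.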