GarryU Thank you! I definitely understand that having separate data sheets amongst the many different companies is a pain to keep track of and can be annoying. There are a few reasons why we've made this:
1. We've had several teams approach MITRE for a collaboration both in regard to Azure/AAD and other things, and MITRE's standpoint is that they prefer to not integrate TTPs that haven't been documented as being used by an APT. This makes sense from a general standpoint as some trivial on-prem attacks would clutter their matrix, but this leads to point #2...
2. MITRE ATT&CK Enterprise is purposely not specific to a certain technology. E.g. you can take a technique and apply it to Windows and Linux. The ATRM is very specific in that it only lists TTPs relating to purely Azure or AzureAD. Because of this, we can then include techniques whether they're proven to be abused by APTs or not.
3. We felt as though since we own Azure/AAD, it is our responsibility to inform of the potential risks when using the platform. Nothing out of the box about Azure is inherently vulnerable, but there are some very easy configuration slip-ups that can have a detrimental impact on a tenant. Thus, we figured there should be no one better to document potential defensive suggestions + best practices than us.
Hopefully that answered your question!