A comprehensive attack graph modeling the complete identity breach sequence from external reconnaissance through full administrative compromise
What This Graph Describes
AG-001 models the most prevalent identity breach sequence observed across advanced persistent threat groups, ransomware operators, and cloud-native adversaries. This attack path demonstrates how attackers systematically chain authentication weaknesses, misconfigurations, token abuse, application role exposure, and cloud IAM drift to achieve complete identity-level compromise.
The graph captures real-world attack patterns where adversaries exploit the cascading nature of identity misconfigurations. Each stage builds upon the previous, creating an escalation pathway that transforms initial reconnaissance into full administrative control over identity infrastructure and connected resources.
Weakness classes chained in this graph: Authentication Weaknesses, Misconfigurations, Token Abuse, IAM Drift
Attack Sequence: Reconnaissance Phase
Public Surface Analysis: The attacker gathers domain information, UPN formats, and email address patterns from publicly exposed identity metadata.
Valid User Enumeration: BP-005 techniques identify valid usernames by exploiting the lack of request throttling (MC-AUTH-04).
Credential Acquisition: Password spray attacks (BP-010) succeed where MFA coverage has gaps (MC-AUTH-01).
Critical Weakness: Authentication exposure misconfigurations (MC-01, MC-03) make initial enumeration and credential acquisition trivial for adversaries.
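As an added example (not part of the original graph or its BP/MC catalog), the detection a defender would run against sign-in logs for the enumeration and spray stages above: one source touching many distinct accounts with only one or two attempts each, and any success from that source that did not satisfy MFA. The log lines, field names and thresholds are constructed for illustration.

```python
import csv
from collections import defaultdict
from io import StringIO

# Constructed sample sign-in log (not from the page): timestamp, source IP,
# user principal name, result, and whether MFA was satisfied.
SIGNIN_LOG = """\
ts,src_ip,upn,result,mfa
2024-05-01T08:00:01Z,203.0.113.7,a.adams@corp.example,failure,no
2024-05-01T08:00:03Z,203.0.113.7,b.baker@corp.example,failure,no
2024-05-01T08:00:05Z,203.0.113.7,c.clark@corp.example,failure,no
2024-05-01T08:00:07Z,203.0.113.7,d.davis@corp.example,failure,no
2024-05-01T08:00:09Z,203.0.113.7,e.evans@corp.example,failure,no
2024-05-01T08:00:11Z,203.0.113.7,f.frank@corp.example,success,no
2024-05-01T08:05:00Z,198.51.100.9,a.adams@corp.example,failure,no
2024-05-01T08:05:20Z,198.51.100.9,a.adams@corp.example,success,yes
"""


def detect_spray(log_text, min_users=5, max_per_user=2):
    """Flag source IPs that touch many distinct accounts with few attempts
    each (the spray shape, as opposed to brute force on one account), and
    report every account such a source logged into without MFA."""
    by_ip = defaultdict(list)
    for row in csv.DictReader(StringIO(log_text)):
        by_ip[row["src_ip"]].append(row)

    findings = []
    for ip, rows in by_ip.items():
        attempts = defaultdict(int)
        for r in rows:
            attempts[r["upn"]] += 1
        # A legitimate user retrying a password hits one account many times;
        # a sprayer hits many accounts a couple of times each.
        if len(attempts) < min_users or max(attempts.values()) > max_per_user:
            continue
        compromised = sorted(r["upn"] for r in rows
                             if r["result"] == "success" and r["mfa"] == "no")
        findings.append({"src_ip": ip,
                         "accounts_targeted": len(attempts),
                         "compromised_without_mfa": compromised})
    return findings
```

Accounts listed under compromised_without_mfa are the ones where the MC-AUTH-01 gap turned a spray into a valid session and should be reset and reviewed first.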
Login succeeds without MFA enforcement or with weak MFA implementations. Session governance failures (MC-02, MC-03) allow the attacker to establish persistent access without triggering security controls or alerting mechanisms.
Weak session management policies enable the adversary to maintain authenticated sessions across extended timeframes, providing ample opportunity for privilege discovery and escalation activities.
Session Persistence: MC-02 and MC-03 misconfigurations
MFA Bypass: Weak or missing multi-factor authentication controls
Detection Evasion: Authenticated sessions appear legitimate to monitoring systems
BP-027 exploitation of long-lived refresh tokens (MC-01)
Token Lifetime Abuse: Extended token validity windows enable persistent access without re-authentication
Cross-Resource Movement: Cloud IAM overprivilege (MC-01) facilitates lateral movement
Identity-Based Lateral Movement
With stolen tokens and elevated privileges, the attacker traverses the identity infrastructure. Weak cloud IAM configurations (MC-01) allow seamless movement across SaaS applications, Azure resources, AWS services, and GCP environments.
The adversary leverages the trusted identity context to access sensitive systems without triggering cross-tenant or cross-service security boundaries. Each new resource accessed expands the attack surface and provides additional persistence mechanisms.
MC-PIM-01 and MC-PIM-02 weaknesses allow permanent activation of high-privilege roles without proper justification or approval workflows
Group-Based Privilege Loops: Nested group memberships and transitive permissions create unintended administrative access pathways
Full Administrative Control: The attacker achieves Global Administrator or equivalent privileged role assignments across the identity platform
Final Stage: Complete Identity Compromise
Attacker Capabilities at Full Compromise
Modify Conditional Access Policies: Disable or weaken security controls protecting identity infrastructure
Create Persistence Backdoors: Establish alternative access methods including service principals, app registrations, and federated identities
Disable Security Logging: Suppress audit trails and monitoring to evade detection during objective execution
Data Exfiltration or Encryption: Access and extract sensitive data or deploy ransomware across connected resources
Critical Impact
At this stage, the attacker possesses full control over the identity infrastructure. Remediation becomes extremely complex as the adversary can monitor defensive actions, create additional persistence mechanisms, and potentially lock out legitimate administrators.
The compromise extends beyond individual accounts to the entire identity governance framework, requiring complete environment rebuild in severe cases.
Advanced persistent threat group known for sophisticated identity infrastructure targeting, OAuth abuse, and long-term persistence within cloud environments. Demonstrates mastery of the AG-001 attack sequence.
Token manipulation expertise
Cloud-native attack patterns
Advanced evasion techniques
ICTAM-020 (Ransomware Affiliates)
Ransomware operators leveraging identity compromise for rapid lateral movement and privilege escalation. They frequently exploit MC-PIM-01 and MC-CLOUD-01 for destructive operations.
Speed-focused attack execution
Mass encryption capabilities
Identity-based persistence
Both threat actor models extensively utilize the AG-001 attack path, though with different operational tempos and objectives. APT29 prioritizes stealth and long-term access, while ransomware affiliates focus on rapid compromise and immediate impact.