mapping_objects:
- attack_object_id: T1102.001
  attack_object_name: Dead Drop Resolver
  capability_description: Event analysis and detection
  capability_group: DE.AE
  capability_id: DE.AE-02.01
  comments: >-
    This diagnostic statement provides for analyzing detected events and
    implementing methods to block similar future attacks via security tools such
    as antivirus and IDS/IPS, protecting against threats and exploitation
    attempts. Blocking in these tools only covers activity for which a signature
    or rule exists, so coverage depends on event analysis feeding new signatures
    and rules back into them.
  mapping_type: mitigates
  references: []
- attack_object_id: T1102.002
  attack_object_name: Bidirectional Communication
  capability_description: Event analysis and detection
  capability_group: DE.AE
  capability_id: DE.AE-02.01
  comments: >-
    This diagnostic statement provides for analyzing detected events and
    implementing methods to block similar future attacks via security tools such
    as antivirus and IDS/IPS, protecting against threats and exploitation
    attempts. Blocking in these tools only covers activity for which a signature
    or rule exists, so coverage depends on event analysis feeding new signatures
    and rules back into them.
  mapping_type: mitigates
  references: []
- attack_object_id: T1102.003
  attack_object_name: One-Way Communication
  capability_description: Event analysis and detection
  capability_group: DE.AE
  capability_id: DE.AE-02.01
  comments: >-
    This diagnostic statement provides for analyzing detected events and
    implementing methods to block similar future attacks via security tools such
    as antivirus and IDS/IPS, protecting against threats and exploitation
    attempts. Blocking in these tools only covers activity for which a signature
    or rule exists, so coverage depends on event analysis feeding new signatures
    and rules back into them.
  mapping_type: mitigates
  references: []
- attack_object_id: T1102
  attack_object_name: Web Service
  capability_description: Event analysis and detection
  capability_group: DE.AE
  capability_id: DE.AE-02.01
  comments: >-
    This diagnostic statement provides for analyzing detected events and
    implementing methods to block similar future attacks via security tools such
    as antivirus and IDS/IPS, protecting against threats and exploitation
    attempts. Blocking in these tools only covers activity for which a signature
    or rule exists, so coverage depends on event analysis feeding new signatures
    and rules back into them.
  mapping_type: mitigates
  references: []
- attack_object_id: T1204.001
  attack_object_name: Malicious Link
  capability_description: Event analysis and detection
  capability_group: DE.AE
  capability_id: DE.AE-02.01
  comments: >-
    This diagnostic statement provides for analyzing detected events and
    implementing methods to block similar future attacks via security tools such
    as antivirus and IDS/IPS, protecting against threats and exploitation
    attempts. Blocking in these tools only covers activity for which a signature
    or rule exists, so coverage depends on event analysis feeding new signatures
    and rules back into them.
  mapping_type: mitigates
  references: []
- attack_object_id: T1204.002
  attack_object_name: Malicious File
  capability_description: Event analysis and detection
  capability_group: DE.AE
  capability_id: DE.AE-02.01
  comments: >-
    This diagnostic statement provides for analyzing detected events and
    implementing methods to block similar future attacks via security tools such
    as antivirus and IDS/IPS, protecting against threats and exploitation
    attempts. Blocking in these tools only covers activity for which a signature
    or rule exists, so coverage depends on event analysis feeding new signatures
    and rules back into them.
  mapping_type: mitigates
  references: []
- attack_object_id: T1204.003
  attack_object_name: Malicious Image
  capability_description: Event analysis and detection
  capability_group: DE.AE
  capability_id: DE.AE-02.01
  comments: >-
    This diagnostic statement provides for analyzing detected events and
    implementing methods to block similar future attacks via security tools such
    as antivirus and IDS/IPS, protecting against threats and exploitation
    attempts. Blocking in these tools only covers activity for which a signature
    or rule exists, so coverage depends on event analysis feeding new signatures
    and rules back into them.
  mapping_type: mitigates
  references: []
- attack_object_id: T1204
  attack_object_name: User Execution
  capability_description: Event analysis and detection
  capability_group: DE.AE
  capability_id: DE.AE-02.01
  comments: >-
    This diagnostic statement provides for analyzing detected events and
    implementing methods to block similar future attacks via security tools such
    as antivirus and IDS/IPS, protecting against threats and exploitation
    attempts. Blocking in these tools only covers activity for which a signature
    or rule exists, so coverage depends on event analysis feeding new signatures
    and rules back into them.
  mapping_type: mitigates
  references: []
- attack_object_id: T1029
  attack_object_name: Scheduled Transfer
  capability_description: Event analysis and detection
  capability_group: DE.AE
  capability_id: DE.AE-02.01
  comments: >-
    This diagnostic statement provides for analyzing detected events and
    implementing methods to block similar future attacks via security tools such
    as antivirus and IDS/IPS, protecting against threats and exploitation
    attempts. Blocking in these tools only covers activity for which a signature
    or rule exists, so coverage depends on event analysis feeding new signatures
    and rules back into them.
  mapping_type: mitigates
  references: []
- attack_object_id: T1090.001
  attack_object_name: Internal Proxy
  capability_description: Event analysis and detection
  capability_group: DE.AE
  capability_id: DE.AE-02.01
  comments: >-
    This diagnostic statement provides for analyzing detected events and
    implementing methods to block similar future attacks via security tools such
    as antivirus and IDS/IPS, protecting against threats and exploitation
    attempts. Blocking in these tools only covers activity for which a signature
    or rule exists, so coverage depends on event analysis feeding new signatures
    and rules back into them.
  mapping_type: mitigates
  references: []
- attack_object_id: T1090.002
  attack_object_name: External Proxy
  capability_description: Event analysis and detection
  capability_group: DE.AE
  capability_id: DE.AE-02.01
  comments: >-
    This diagnostic statement provides for analyzing detected events and
    implementing methods to block similar future attacks via security tools such
    as antivirus and IDS/IPS, protecting against threats and exploitation
    attempts. Blocking in these tools only covers activity for which a signature
    or rule exists, so coverage depends on event analysis feeding new signatures
    and rules back into them.
  mapping_type: mitigates
  references: []
- attack_object_id: T1090
  attack_object_name: Proxy
  capability_description: Event analysis and detection
  capability_group: DE.AE
  capability_id: DE.AE-02.01
  comments: >-
    This diagnostic statement provides for analyzing detected events and
    implementing methods to block similar future attacks via security tools such
    as antivirus and IDS/IPS, protecting against threats and exploitation
    attempts. Blocking in these tools only covers activity for which a signature
    or rule exists, so coverage depends on event analysis feeding new signatures
    and rules back into them.
  mapping_type: mitigates
  references: []
- attack_object_id: T1572
  attack_object_name: Protocol Tunneling
  capability_description: Event analysis and detection
  capability_group: DE.AE
  capability_id: DE.AE-02.01
  comments: >-
    This diagnostic statement provides for analyzing detected events and
    implementing methods to block similar future attacks via security tools such
    as antivirus and IDS/IPS, protecting against threats and exploitation
    attempts. Blocking in these tools only covers activity for which a signature
    or rule exists, so coverage depends on event analysis feeding new signatures
    and rules back into them.
  mapping_type: mitigates
  references: []
- attack_object_id: T1542.005
  attack_object_name: TFTP Boot
  capability_description: Event analysis and detection
  capability_group: DE.AE
  capability_id: DE.AE-02.01
  comments: >-
    This diagnostic statement provides for analyzing detected events and
    implementing methods to block similar future attacks via security tools such
    as antivirus and IDS/IPS, protecting against threats and exploitation
    attempts. Blocking in these tools only covers activity for which a signature
    or rule exists, so coverage depends on event analysis feeding new signatures
    and rules back into them.
  mapping_type: mitigates
  references: []
- attack_object_id: T1542.004
  attack_object_name: ROMMONkit
  capability_description: Event analysis and detection
  capability_group: DE.AE
  capability_id: DE.AE-02.01
  comments: >-
    This diagnostic statement provides for analyzing detected events and
    implementing methods to block similar future attacks via security tools such
    as antivirus and IDS/IPS, protecting against threats and exploitation
    attempts. Blocking in these tools only covers activity for which a signature
    or rule exists, so coverage depends on event analysis feeding new signatures
    and rules back into them.
  mapping_type: mitigates
  references: []
- attack_object_id: T1571
  attack_object_name: Non-Standard Port
  capability_description: Event analysis and detection
  capability_group: DE.AE
  capability_id: DE.AE-02.01
  comments: >-
    This diagnostic statement provides for analyzing detected events and
    implementing methods to block similar future attacks via security tools such
    as antivirus and IDS/IPS, protecting against threats and exploitation
    attempts. Blocking in these tools only covers activity for which a signature
    or rule exists, so coverage depends on event analysis feeding new signatures
    and rules back into them.
  mapping_type: mitigates
  references: []
- attack_object_id: T1095
  attack_object_name: Non-Application Layer Protocol
  capability_description: Event analysis and detection
  capability_group: DE.AE
  capability_id: DE.AE-02.01
  comments: >-
    This diagnostic statement provides for analyzing detected events and
    implementing methods to block similar future attacks via security tools such
    as antivirus and IDS/IPS, protecting against threats and exploitation
    attempts. Blocking in these tools only covers activity for which a signature
    or rule exists, so coverage depends on event analysis feeding new signatures
    and rules back into them.
  mapping_type: mitigates
  references: []
- attack_object_id: T1104
  attack_object_name: Multi-Stage Channels
  capability_description: Event analysis and detection
  capability_group: DE.AE
  capability_id: DE.AE-02.01
  comments: >-
    This diagnostic statement provides for analyzing detected events and
    implementing methods to block similar future attacks via security tools such
    as antivirus and IDS/IPS, protecting against threats and exploitation
    attempts. Blocking in these tools only covers activity for which a signature
    or rule exists, so coverage depends on event analysis feeding new signatures
    and rules back into them.
  mapping_type: mitigates
  references: []
- attack_object_id: T1570
  attack_object_name: Lateral Tool Transfer
  capability_description: Event analysis and detection
  capability_group: DE.AE
  capability_id: DE.AE-02.01
  comments: >-
    This diagnostic statement provides for analyzing detected events and
    implementing methods to block similar future attacks via security tools such
    as antivirus and IDS/IPS, protecting against threats and exploitation
    attempts. Blocking in these tools only covers activity for which a signature
    or rule exists, so coverage depends on event analysis feeding new signatures
    and rules back into them.
  mapping_type: mitigates
  references: []
- attack_object_id: T1105
  attack_object_name: Ingress Tool Transfer
  capability_description: Event analysis and detection
  capability_group: DE.AE
  capability_id: DE.AE-02.01
  comments: >-
    This diagnostic statement provides for analyzing detected events and
    implementing methods to block similar future attacks via security tools such
    as antivirus and IDS/IPS, protecting against threats and exploitation
    attempts. Blocking in these tools only covers activity for which a signature
    or rule exists, so coverage depends on event analysis feeding new signatures
    and rules back into them.
  mapping_type: mitigates
  references: []
- attack_object_id: T1008
  attack_object_name: Fallback Channels
  capability_description: Event analysis and detection
  capability_group: DE.AE
  capability_id: DE.AE-02.01
  comments: >-
    This diagnostic statement provides for analyzing detected events and
    implementing methods to block similar future attacks via security tools such
    as antivirus and IDS/IPS, protecting against threats and exploitation
    attempts. Blocking in these tools only covers activity for which a signature
    or rule exists, so coverage depends on event analysis feeding new signatures
    and rules back into them.
  mapping_type: mitigates
  references: []
- attack_object_id: T1573.001
  attack_object_name: Symmetric Cryptography
  capability_description: Event analysis and detection
  capability_group: DE.AE
  capability_id: DE.AE-02.01
  comments: >-
    This diagnostic statement provides for analyzing detected events and
    implementing methods to block similar future attacks via security tools such
    as antivirus and IDS/IPS, protecting against threats and exploitation
    attempts. Blocking in these tools only covers activity for which a signature
    or rule exists, so coverage depends on event analysis feeding new signatures
    and rules back into them.
  mapping_type: mitigates
  references: []
- attack_object_id: T1573
  attack_object_name: Encrypted Channel
  capability_description: Event analysis and detection
  capability_group: DE.AE
  capability_id: DE.AE-02.01
  comments: >-
    This diagnostic statement provides for analyzing detected events and
    implementing methods to block similar future attacks via security tools such
    as antivirus and IDS/IPS, protecting against threats and exploitation
    attempts. Blocking in these tools only covers activity for which a signature
    or rule exists, so coverage depends on event analysis feeding new signatures
    and rules back into them.
  mapping_type: mitigates
  references: []
- attack_object_id: T1573.002
  attack_object_name: Asymmetric Cryptography
  capability_description: Event analysis and detection
  capability_group: DE.AE
  capability_id: DE.AE-02.01
  comments: >-
    This diagnostic statement provides for analyzing detected events and
    implementing methods to block similar future attacks via security tools such
    as antivirus and IDS/IPS, protecting against threats and exploitation
    attempts. Blocking in these tools only covers activity for which a signature
    or rule exists, so coverage depends on event analysis feeding new signatures
    and rules back into them.
  mapping_type: mitigates
  references: []
- attack_object_id: T1568.002
  attack_object_name: Domain Generation Algorithms
  capability_description: Event analysis and detection
  capability_group: DE.AE
  capability_id: DE.AE-02.01
  comments: >-
    This diagnostic statement provides for analyzing detected events and
    implementing methods to block similar future attacks via security tools such
    as antivirus and IDS/IPS, protecting against threats and exploitation
    attempts. Blocking in these tools only covers activity for which a signature
    or rule exists, so coverage depends on event analysis feeding new signatures
    and rules back into them.
  mapping_type: mitigates
  references: []
- attack_object_id: T1568
  attack_object_name: Dynamic Resolution
  capability_description: Event analysis and detection
  capability_group: DE.AE
  capability_id: DE.AE-02.01
  comments: >-
    This diagnostic statement provides for analyzing detected events and
    implementing methods to block similar future attacks via security tools such
    as antivirus and IDS/IPS, protecting against threats and exploitation
    attempts. Blocking in these tools only covers activity for which a signature
    or rule exists, so coverage depends on event analysis feeding new signatures
    and rules back into them.
  mapping_type: mitigates
  references: []
- attack_object_id: T1030
  attack_object_name: Data Transfer Size Limits
  capability_description: Event analysis and detection
  capability_group: DE.AE
  capability_id: DE.AE-02.01
  comments: >-
    This diagnostic statement provides for analyzing detected events and
    implementing methods to block similar future attacks via security tools such
    as antivirus and IDS/IPS, protecting against threats and exploitation
    attempts. Blocking in these tools only covers activity for which a signature
    or rule exists, so coverage depends on event analysis feeding new signatures
    and rules back into them.
  mapping_type: mitigates
  references: []
- attack_object_id: T1602.001
  attack_object_name: SNMP (MIB Dump)
  capability_description: Event analysis and detection
  capability_group: DE.AE
  capability_id: DE.AE-02.01
  comments: >-
    This diagnostic statement provides for analyzing detected events and
    implementing methods to block similar future attacks via security tools such
    as antivirus and IDS/IPS, protecting against threats and exploitation
    attempts. Blocking in these tools only covers activity for which a signature
    or rule exists, so coverage depends on event analysis feeding new signatures
    and rules back into them.
  mapping_type: mitigates
  references: []
- attack_object_id: T1602.002
  attack_object_name: Network Device Configuration Dump
  capability_description: Event analysis and detection
  capability_group: DE.AE
  capability_id: DE.AE-02.01
  comments: >-
    This diagnostic statement provides for analyzing detected events and
    implementing methods to block similar future attacks via security tools such
    as antivirus and IDS/IPS, protecting against threats and exploitation
    attempts. Blocking in these tools only covers activity for which a signature
    or rule exists, so coverage depends on event analysis feeding new signatures
    and rules back into them.
  mapping_type: mitigates
  references: []
- attack_object_id: T1602
  attack_object_name: Data from Configuration Repository
  capability_description: Event analysis and detection
  capability_group: DE.AE
  capability_id: DE.AE-02.01
  comments: >-
    This diagnostic statement provides for analyzing detected events and
    implementing methods to block similar future attacks via security tools such
    as antivirus and IDS/IPS, protecting against threats and exploitation
    attempts. Blocking in these tools only covers activity for which a signature
    or rule exists, so coverage depends on event analysis feeding new signatures
    and rules back into them.
  mapping_type: mitigates
  references: []
- attack_object_id: T1041
  attack_object_name: Exfiltration Over C2 Channel
  capability_description: Event analysis and detection
  capability_group: DE.AE
  capability_id: DE.AE-02.01
  comments: >-
    This diagnostic statement provides for analyzing detected events and
    implementing methods to block similar future attacks via security tools such
    as antivirus and IDS/IPS, protecting against threats and exploitation
    attempts. Blocking in these tools only covers activity for which a signature
    or rule exists, so coverage depends on event analysis feeding new signatures
    and rules back into them.
  mapping_type: mitigates
  references: []
- attack_object_id: T1048
  attack_object_name: Exfiltration Over Alternative Protocol
  capability_description: Event analysis and detection
  capability_group: DE.AE
  capability_id: DE.AE-02.01
  comments: >-
    This diagnostic statement provides for analyzing detected events and
    implementing methods to block similar future attacks via security tools such
    as antivirus and IDS/IPS, protecting against threats and exploitation
    attempts. Blocking in these tools only covers activity for which a signature
    or rule exists, so coverage depends on event analysis feeding new signatures
    and rules back into them.
  mapping_type: mitigates
  references: []
- attack_object_id: T1048.001
  attack_object_name: Exfiltration Over Symmetric Encrypted Non-C2 Protocol
  capability_description: Event analysis and detection
  capability_group: DE.AE
  capability_id: DE.AE-02.01
  comments: >-
    This diagnostic statement provides for analyzing detected events and
    implementing methods to block similar future attacks via security tools such
    as antivirus and IDS/IPS, protecting against threats and exploitation
    attempts. Blocking in these tools only covers activity for which a signature
    or rule exists, so coverage depends on event analysis feeding new signatures
    and rules back into them.
  mapping_type: mitigates
  references: []
- attack_object_id: T1048.002
  attack_object_name: Exfiltration Over Asymmetric Encrypted Non-C2 Protocol
  capability_description: Event analysis and detection
  capability_group: DE.AE
  capability_id: DE.AE-02.01
  comments: >-
    This diagnostic statement provides for analyzing detected events and
    implementing methods to block similar future attacks via security tools such
    as antivirus and IDS/IPS, protecting against threats and exploitation
    attempts. Blocking in these tools only covers activity for which a signature
    or rule exists, so coverage depends on event analysis feeding new signatures
    and rules back into them.
  mapping_type: mitigates
  references: []
- attack_object_id: T1048.003
  attack_object_name: Exfiltration Over Unencrypted Non-C2 Protocol
  capability_description: Event analysis and detection
  capability_group: DE.AE
  capability_id: DE.AE-02.01
  comments: >-
    This diagnostic statement provides for analyzing detected events and
    implementing methods to block similar future attacks via security tools such
    as antivirus and IDS/IPS, protecting against threats and exploitation
    attempts. Blocking in these tools only covers activity for which a signature
    or rule exists, so coverage depends on event analysis feeding new signatures
    and rules back into them.
  mapping_type: mitigates
  references: []
- attack_object_id: T1132.002
  attack_object_name: Non-Standard Encoding
  capability_description: Event analysis and detection
  capability_group: DE.AE
  capability_id: DE.AE-02.01
  comments: >-
    This diagnostic statement provides for analyzing detected events and
    implementing methods to block similar future attacks via security tools such
    as antivirus and IDS/IPS, protecting against threats and exploitation
    attempts. Blocking in these tools only covers activity for which a signature
    or rule exists, so coverage depends on event analysis feeding new signatures
    and rules back into them.
  mapping_type: mitigates
  references: []
- attack_object_id: T1132.001
  attack_object_name: Standard Encoding
  capability_description: Event analysis and detection
  capability_group: DE.AE
  capability_id: DE.AE-02.01
  comments: >-
    This diagnostic statement provides for analyzing detected events and
    implementing methods to block similar future attacks via security tools such
    as antivirus and IDS/IPS, protecting against threats and exploitation
    attempts. Blocking in these tools only covers activity for which a signature
    or rule exists, so coverage depends on event analysis feeding new signatures
    and rules back into them.
  mapping_type: mitigates
  references: []
- attack_object_id: T1132
  attack_object_name: Data Encoding
  capability_description: Event analysis and detection
  capability_group: DE.AE
  capability_id: DE.AE-02.01
  comments: >-
    This diagnostic statement provides for analyzing detected events and
    implementing methods to block similar future attacks via security tools such
    as antivirus and IDS/IPS, protecting against threats and exploitation
    attempts. Blocking in these tools only covers activity for which a signature
    or rule exists, so coverage depends on event analysis feeding new signatures
    and rules back into them.
  mapping_type: mitigates
  references: []
- attack_object_id: T1071.005
  attack_object_name: Publish/Subscribe Protocols
  capability_description: Event analysis and detection
  capability_group: DE.AE
  capability_id: DE.AE-02.01
  comments: >-
    This diagnostic statement provides for analyzing detected events and
    implementing methods to block similar future attacks via security tools such
    as antivirus and IDS/IPS, protecting against threats and exploitation
    attempts. Blocking in these tools only covers activity for which a signature
    or rule exists, so coverage depends on event analysis feeding new signatures
    and rules back into them.
  mapping_type: mitigates
  references: []
- attack_object_id: T1071.001
  attack_object_name: Web Protocols
  capability_description: Event analysis and detection
  capability_group: DE.AE
  capability_id: DE.AE-02.01
  comments: >-
    This diagnostic statement provides for analyzing detected events and
    implementing methods to block similar future attacks via security tools such
    as antivirus and IDS/IPS, protecting against threats and exploitation
    attempts. Blocking in these tools only covers activity for which a signature
    or rule exists, so coverage depends on event analysis feeding new signatures
    and rules back into them.
  mapping_type: mitigates
  references: []
- attack_object_id: T1071.002
  attack_object_name: File Transfer Protocols
  capability_description: Event analysis and detection
  capability_group: DE.AE
  capability_id: DE.AE-02.01
  comments: >-
    This diagnostic statement provides for analyzing detected events and
    implementing methods to block similar future attacks via security tools such
    as antivirus and IDS/IPS, protecting against threats and exploitation
    attempts. Blocking in these tools only covers activity for which a signature
    or rule exists, so coverage depends on event analysis feeding new signatures
    and rules back into them.
  mapping_type: mitigates
  references: []
- attack_object_id: T1071.003
  attack_object_name: Mail Protocols
  capability_description: Event analysis and detection
  capability_group: DE.AE
  capability_id: DE.AE-02.01
  comments: >-
    This diagnostic statement provides for analyzing detected events and
    implementing methods to block similar future attacks via security tools such
    as antivirus and IDS/IPS, protecting against threats and exploitation
    attempts. Blocking in these tools only covers activity for which a signature
    or rule exists, so coverage depends on event analysis feeding new signatures
    and rules back into them.
  mapping_type: mitigates
  references: []
- attack_object_id: T1071.004
  attack_object_name: DNS
  capability_description: Event analysis and detection
  capability_group: DE.AE
  capability_id: DE.AE-02.01
  comments: >-
    This diagnostic statement provides for analyzing detected events and
    implementing methods to block similar future attacks via security tools such
    as antivirus and IDS/IPS, protecting against threats and exploitation
    attempts. Blocking in these tools only covers activity for which a signature
    or rule exists, so coverage depends on event analysis feeding new signatures
    and rules back into them.
  mapping_type: mitigates
  references: []
- attack_object_id: T1071
  attack_object_name: Application Layer Protocol
  capability_description: Event analysis and detection
  capability_group: DE.AE
  capability_id: DE.AE-02.01
  comments: >-
    This diagnostic statement provides for analyzing detected events and
    implementing methods to block similar future attacks via security tools such
    as antivirus and IDS/IPS, protecting against threats and exploitation
    attempts. Blocking in these tools only covers activity for which a signature
    or rule exists, so coverage depends on event analysis feeding new signatures
    and rules back into them.
  mapping_type: mitigates
  references: []
- attack_object_id: T1557.004
  attack_object_name: Evil Twin
  capability_description: Event analysis and detection
  capability_group: DE.AE
  capability_id: DE.AE-02.01
  comments: >-
    This diagnostic statement provides for analyzing detected events and
    implementing methods to block similar future attacks via security tools such
    as antivirus and IDS/IPS, protecting against threats and exploitation
    attempts. Blocking in these tools only covers activity for which a signature
    or rule exists, so coverage depends on event analysis feeding new signatures
    and rules back into them.
  mapping_type: mitigates
  references: []
- attack_object_id: T1557.001
  attack_object_name: LLMNR/NBT-NS Poisoning and SMB Relay
  capability_description: Event analysis and detection
  capability_group: DE.AE
  capability_id: DE.AE-02.01
  comments: >-
    This diagnostic statement provides for analyzing detected events and
    implementing methods to block similar future attacks via security tools such
    as antivirus and IDS/IPS, protecting against threats and exploitation
    attempts. Blocking in these tools only covers activity for which a signature
    or rule exists, so coverage depends on event analysis feeding new signatures
    and rules back into them.
  mapping_type: mitigates
  references: []
- attack_object_id: T1557.003
  attack_object_name: DHCP Spoofing
  capability_description: Event analysis and detection
  capability_group: DE.AE
  capability_id: DE.AE-02.01
  comments: >-
    This diagnostic statement provides for analyzing detected events and
    implementing methods to block similar future attacks via security tools such
    as antivirus and IDS/IPS, protecting against threats and exploitation
    attempts. Blocking in these tools only covers activity for which a signature
    or rule exists, so coverage depends on event analysis feeding new signatures
    and rules back into them.
  mapping_type: mitigates
  references: []
- attack_object_id: T1557
  attack_object_name: Adversary-in-the-Middle
  capability_description: Event analysis and detection
  capability_group: DE.AE
  capability_id: DE.AE-02.01
  comments: >-
    This diagnostic statement provides for analyzing detected events and
    implementing methods to block similar future attacks via security tools such
    as antivirus and IDS/IPS, protecting against threats and exploitation
    attempts. Blocking in these tools only covers activity for which a signature
    or rule exists, so coverage depends on event analysis feeding new signatures
    and rules back into them.
  mapping_type: mitigates
  references: []
- attack_object_id: T1557.002
  attack_object_name: ARP Cache Poisoning
  capability_description: Event analysis and detection
  capability_group: DE.AE
  capability_id: DE.AE-02.01
  comments: >-
    This diagnostic statement provides for analyzing detected events and
    implementing methods to block similar future attacks via security tools such
    as antivirus and IDS/IPS, protecting against threats and exploitation
    attempts. Blocking in these tools only covers activity for which a signature
    or rule exists, so coverage depends on event analysis feeding new signatures
    and rules back into them.
  mapping_type: mitigates
  references: []
- attack_object_id: T1219
  attack_object_name: Remote Access Software
  capability_description: Event analysis and detection
  capability_group: DE.AE
  capability_id: DE.AE-02.01
  comments: >-
    This diagnostic statement provides for analyzing detected events and
    implementing methods to block similar future attacks via security tools such
    as antivirus and IDS/IPS, protecting against threats and exploitation
    attempts. Blocking in these tools only covers activity for which a signature
    or rule exists, so coverage depends on event analysis feeding new signatures
    and rules back into them.
  mapping_type: mitigates
  references: []
- attack_object_id: T1218.015
  attack_object_name: Electron Applications
  capability_description: Event analysis and detection
  capability_group: DE.AE
  capability_id: DE.AE-02.01
  comments: >-
    This diagnostic statement provides for analyzing detected events and
    implementing methods to block similar future attacks via security tools such
    as antivirus and IDS/IPS, protecting against threats and exploitation
    attempts. Blocking in these tools only covers activity for which a signature
    or rule exists, so coverage depends on event analysis feeding new signatures
    and rules back into them.
  mapping_type: mitigates
  references: []
- attack_object_id: T1218.010
  attack_object_name: Regsvr32
  capability_description: Event analysis and detection
  capability_group: DE.AE
  capability_id: DE.AE-02.01
  comments: >-
    This diagnostic statement provides for analyzing detected events and
    implementing methods to block similar future attacks via security tools such
    as antivirus and IDS/IPS, protecting against threats and exploitation
    attempts. Blocking in these tools only covers activity for which a signature
    or rule exists, so coverage depends on event analysis feeding new signatures
    and rules back into them.
  mapping_type: mitigates
  references: []
- attack_object_id: T1218.011
  attack_object_name: Rundll32
  capability_description: Event analysis and detection
  capability_group: DE.AE
  capability_id: DE.AE-02.01
  comments: >-
    This diagnostic statement provides for analyzing detected events and
    implementing methods to block similar future attacks via security tools such
    as antivirus and IDS/IPS, protecting against threats and exploitation
    attempts. Blocking in these tools only covers activity for which a signature
    or rule exists, so coverage depends on event analysis feeding new signatures
    and rules back into them.
  mapping_type: mitigates
  references: []
- attack_object_id: T1218
  attack_object_name: System Binary Proxy Execution
  capability_description: Event analysis and detection
  capability_group: DE.AE
  capability_id: DE.AE-02.01
  comments: >-
    This diagnostic statement provides for analyzing detected events and
    implementing methods to block similar future attacks via security tools such
    as antivirus and IDS/IPS, protecting against threats and exploitation
    attempts. Blocking in these tools only covers activity for which a signature
    or rule exists, so coverage depends on event analysis feeding new signatures
    and rules back into them.
  mapping_type: mitigates
  references: []
- attack_object_id: T1210
  attack_object_name: Exploitation of Remote Services
  capability_description: Event analysis and detection
  capability_group: DE.AE
  capability_id: DE.AE-02.01
  comments: >-
    This diagnostic statement provides for analyzing detected events and
    implementing methods to block similar future attacks via security tools such
    as antivirus and IDS/IPS, protecting against threats and exploitation
    attempts. Blocking in these tools only covers activity for which a signature
    or rule exists, so coverage depends on event analysis feeding new signatures
    and rules back into them.
  mapping_type: mitigates
  references: []
- attack_object_id: T1068
  attack_object_name: Exploitation for Privilege Escalation
  capability_description: Event analysis and detection
  capability_group: DE.AE
  capability_id: DE.AE-02.01
  comments: >-
    This diagnostic statement provides for analyzing detected events and
    implementing methods to block similar future attacks via security tools such
    as antivirus and IDS/IPS, protecting against threats and exploitation
    attempts. Blocking in these tools only covers activity for which a signature
    or rule exists, so coverage depends on event analysis feeding new signatures
    and rules back into them.
  mapping_type: mitigates
  references: []
- attack_object_id: T1211
  attack_object_name: Exploitation for Defense Evasion
  capability_description: Event analysis and detection
  capability_group: DE.AE
  capability_id: DE.AE-02.01
  comments: >-
    This diagnostic statement provides for analyzing detected events and
    implementing methods to block similar future attacks via security tools such
    as antivirus and IDS/IPS, protecting against threats and exploitation
    attempts. Blocking in these tools only covers activity for which a signature
    or rule exists, so coverage depends on event analysis feeding new signatures
    and rules back into them.
  mapping_type: mitigates
  references: []
- attack_object_id: T1212
  attack_object_name: Exploitation for Credential Access
  capability_description: Event analysis and detection
  capability_group: DE.AE
  capability_id: DE.AE-02.01
  comments: >-
    This diagnostic statement provides for analyzing detected events and
    implementing methods to block similar future attacks via security tools such
    as antivirus and IDS/IPS, protecting against threats and exploitation
    attempts. Blocking in these tools only covers activity for which a signature
    or rule exists, so coverage depends on event analysis feeding new signatures
    and rules back into them.
  mapping_type: mitigates
  references: []
- attack_object_id: T1203
  attack_object_name: Exploitation for Client Execution
  capability_description: Event analysis and detection
  capability_group: DE.AE
  capability_id: DE.AE-02.01
  comments: >-
    This diagnostic statement provides for analyzing detected events and
    implementing methods to block similar future attacks via security tools such
    as antivirus and IDS/IPS, protecting against threats and exploitation
    attempts. Blocking in these tools only covers activity for which a signature
    or rule exists, so coverage depends on event analysis feeding new signatures
    and rules back into them.
  mapping_type: mitigates
  references: []
- attack_object_id: T1189
  attack_object_name: Drive-by Compromise
  capability_description: Event analysis and detection
  capability_group: DE.AE
  capability_id: DE.AE-02.01
  comments: >-
    This diagnostic statement provides for analyzing detected events and
    implementing methods to block similar future attacks via security tools such
    as antivirus and IDS/IPS, protecting against threats and exploitation
    attempts. Blocking in these tools only covers activity for which a signature
    or rule exists, so coverage depends on event analysis feeding new signatures
    and rules back into them.
  mapping_type: mitigates
  references: []
- attack_object_id: T1221
  attack_object_name: Template Injection
  capability_description: Event analysis and detection
  capability_group: DE.AE
  capability_id: DE.AE-02.01
  comments: >-
    This diagnostic statement provides for analyzing detected events and
    implementing methods to block similar future attacks via security tools such
    as antivirus and IDS/IPS, protecting against threats and exploitation
    attempts. Blocking in these tools only covers activity for which a signature
    or rule exists, so coverage depends on event analysis feeding new signatures
    and rules back into them.
  mapping_type: mitigates
  references: []
- attack_object_id: T1080
  attack_object_name: Taint Shared Content
  capability_description: Event analysis and detection
  capability_group: DE.AE
  capability_id: DE.AE-02.01
  comments: >-
    This diagnostic statement provides for analyzing detected events and
    implementing methods to block similar future attacks via security tools such
    as antivirus and IDS/IPS, protecting against threats and exploitation
    attempts. Blocking in these tools only covers activity for which a signature
    or rule exists, so coverage depends on event analysis feeding new signatures
    and rules back into them.
  mapping_type: mitigates
  references: []
- attack_object_id: T1027.002
  attack_object_name: Software Packing
  capability_description: Event analysis and detection
  capability_group: DE.AE
  capability_id: DE.AE-02.01
  comments: >-
    This diagnostic statement provides for analyzing detected events and
    implementing methods to block similar future attacks via security tools such
    as antivirus and IDS/IPS, protecting against threats and exploitation
    attempts. Blocking in these tools only covers activity for which a signature
    or rule exists, so coverage depends on event analysis feeding new signatures
    and rules back into them.
  mapping_type: mitigates
  references: []
- attack_object_id: T1027.013
  attack_object_name: Encrypted/Encoded File
  capability_description: Event analysis and detection
  capability_group: DE.AE
  capability_id: DE.AE-02.01
  comments: >-
    This diagnostic statement provides for analyzing detected events and
    implementing methods to block similar future attacks via security tools such
    as antivirus and IDS/IPS, protecting against threats and exploitation
    attempts. Blocking in these tools only covers activity for which a signature
    or rule exists, so coverage depends on event analysis feeding new signatures
    and rules back into them.
  mapping_type: mitigates
  references: []
- attack_object_id: T1027.014
  attack_object_name: Polymorphic Code
  capability_description: Event analysis and detection
  capability_group: DE.AE
  capability_id: DE.AE-02.01
  comments: >-
    This diagnostic statement provides for analyzing detected events and
    implementing methods to block similar future attacks via security tools such
    as antivirus and IDS/IPS, protecting against threats and exploitation
    attempts. Blocking in these tools only covers activity for which a signature
    or rule exists, so coverage depends on event analysis feeding new signatures
    and rules back into them.
  mapping_type: mitigates
  references: []
- attack_object_id: T1566
  attack_object_name: Phishing
  capability_description: Event analysis and detection
  capability_group: DE.AE
  capability_id: DE.AE-02.01
  comments: >-
    This diagnostic statement provides for analyzing detected events and
    implementing methods to block similar future attacks via security tools such
    as antivirus and IDS/IPS, protecting against threats and exploitation
    attempts. Blocking in these tools only covers activity for which a signature
    or rule exists, so coverage depends on event analysis feeding new signatures
    and rules back into them.
  mapping_type: mitigates
  references: []
- attack_object_id: T1566.001
  attack_object_name: Spearphishing Attachment
  capability_description: Event analysis and detection
  capability_group: DE.AE
  capability_id: DE.AE-02.01
  comments: >-
    This diagnostic statement provides for analyzing detected events and
    implementing methods to block similar future attacks via security tools such
    as antivirus and IDS/IPS, protecting against threats and exploitation
    attempts. Blocking in these tools only covers activity for which a signature
    or rule exists, so coverage depends on event analysis feeding new signatures
    and rules back into them.
  mapping_type: mitigates
  references: []
- attack_object_id: T1566.003
  attack_object_name: Spearphishing via Service
  capability_description: Event analysis and detection
  capability_group: DE.AE
  capability_id: DE.AE-02.01
  comments: >-
    This diagnostic statement provides for analyzing detected events and
    implementing methods to block similar future attacks via security tools such
    as antivirus and IDS/IPS, protecting against threats and exploitation
    attempts. Blocking in these tools only covers activity for which a signature
    or rule exists, so coverage depends on event analysis feeding new signatures
    and rules back into them.
  mapping_type: mitigates
  references: []
- attack_object_id: T1027
  attack_object_name: Obfuscated Files or Information
  capability_description: Event analysis and detection
  capability_group: DE.AE
  capability_id: DE.AE-02.01
  comments: "This diagnostic statement provides for implementation of methods to block\
    \ similar future attacks via security tools such as antivirus and IDS/IPS to provide\
    \ protection against threats and exploitation attempts.\r\n"
  mapping_type: mitigates
  references: []
- attack_object_id: T1027.012
  attack_object_name: LNK Icon Smuggling
  capability_description: Event analysis and detection
  capability_group: DE.AE
  capability_id: DE.AE-02.01
  comments: "This diagnostic statement provides for implementation of methods to block\
    \ similar future attacks via security tools such as antivirus and IDS/IPS to provide\
    \ protection against threats and exploitation attempts.\r\n"
  mapping_type: mitigates
  references: []
- attack_object_id: T1027.009
  attack_object_name: Embedded Payloads
  capability_description: Event analysis and detection
  capability_group: DE.AE
  capability_id: DE.AE-02.01
  comments: "This diagnostic statement provides for implementation of methods to block\
    \ similar future attacks via security tools such as antivirus and IDS/IPS to provide\
    \ protection against threats and exploitation attempts.\r\n"
  mapping_type: mitigates
  references: []
- attack_object_id: T1036
  attack_object_name: Masquerading
  capability_description: Event analysis and detection
  capability_group: DE.AE
  capability_id: DE.AE-02.01
  comments: "This diagnostic statement provides for implementation of methods to block\
    \ similar future attacks via security tools such as antivirus and IDS/IPS to provide\
    \ protection against threats and exploitation attempts.\r\n"
  mapping_type: mitigates
  references: []
- attack_object_id: T1036.008
  attack_object_name: Masquerade File Type
  capability_description: Event analysis and detection
  capability_group: DE.AE
  capability_id: DE.AE-02.01
  comments: "This diagnostic statement provides for implementation of methods to block\
    \ similar future attacks via security tools such as antivirus and IDS/IPS to provide\
    \ protection against threats and exploitation attempts.\r\n"
  mapping_type: mitigates
  references: []
- attack_object_id: T1059.001
  attack_object_name: PowerShell
  capability_description: Event analysis and detection
  capability_group: DE.AE
  capability_id: DE.AE-02.01
  comments: "This diagnostic statement provides for implementation of methods to block\
    \ similar future attacks via security tools such as antivirus and IDS/IPS to provide\
    \ protection against threats and exploitation attempts.\r\n"
  mapping_type: mitigates
  references: []
- attack_object_id: T1059.005
  attack_object_name: Visual Basic
  capability_description: Event analysis and detection
  capability_group: DE.AE
  capability_id: DE.AE-02.01
  comments: "This diagnostic statement provides for implementation of methods to block\
    \ similar future attacks via security tools such as antivirus and IDS/IPS to provide\
    \ protection against threats and exploitation attempts.\r\n"
  mapping_type: mitigates
  references: []
- attack_object_id: T1059.006
  attack_object_name: Python
  capability_description: Event analysis and detection
  capability_group: DE.AE
  capability_id: DE.AE-02.01
  comments: "This diagnostic statement provides for implementation of methods to block\
    \ similar future attacks via security tools such as antivirus and IDS/IPS to provide\
    \ protection against threats and exploitation attempts.\r\n"
  mapping_type: mitigates
  references: []
- attack_object_id: T1059
  attack_object_name: Command and Scripting Interpreter
  capability_description: Event analysis and detection
  capability_group: DE.AE
  capability_id: DE.AE-02.01
  comments: "This diagnostic statement provides for implementation of methods to block\
    \ similar future attacks via security tools such as antivirus and IDS/IPS to provide\
    \ protection against threats and exploitation attempts.\r\n"
  mapping_type: mitigates
  references: []
- attack_object_id: T1001.002
  attack_object_name: Steganography
  capability_description: Event analysis and detection
  capability_group: DE.AE
  capability_id: DE.AE-02.01
  comments: "This diagnostic statement provides for implementation of methods to block\
    \ similar future attacks via security tools such as antivirus and IDS/IPS to provide\
    \ protection against threats and exploitation attempts.\r\n"
  mapping_type: mitigates
  references: []
- attack_object_id: T1001.001
  attack_object_name: Junk Data
  capability_description: Event analysis and detection
  capability_group: DE.AE
  capability_id: DE.AE-02.01
  comments: "This diagnostic statement provides for implementation of methods to block\
    \ similar future attacks via security tools such as antivirus and IDS/IPS to provide\
    \ protection against threats and exploitation attempts.\r\n"
  mapping_type: mitigates
  references: []
- attack_object_id: T1001.003
  attack_object_name: Protocol or Service Impersonation
  capability_description: Event analysis and detection
  capability_group: DE.AE
  capability_id: DE.AE-02.01
  comments: "This diagnostic statement provides for implementation of methods to block\
    \ similar future attacks via security tools such as antivirus and IDS/IPS to provide\
    \ protection against threats and exploitation attempts.\r\n"
  mapping_type: mitigates
  references: []
- attack_object_id: T1001
  attack_object_name: Data Obfuscation
  capability_description: Event analysis and detection
  capability_group: DE.AE
  capability_id: DE.AE-02.01
  comments: 'This diagnostic statement provides for implementation of methods to block
    similar future attacks via security tools such as antivirus and IDS/IPS to provide
    protection against threats and exploitation attempts.

    '
  mapping_type: mitigates
  references: []
- attack_object_id: T1006
  attack_object_name: Direct Volume Access
  capability_description: End-user device access
  capability_group: PR.IR
  capability_id: PR.IR-01.08
  comments: "This diagnostic statement implements technical controls (e.g., VPN, antivirus\
    \ software) to address the risks of end-user personal computing devices accessing\
    \ the organization\u2019s network and resources."
  mapping_type: mitigates
  references: []
- attack_object_id: T1221
  attack_object_name: Template Injection
  capability_description: End-user device access
  capability_group: PR.IR
  capability_id: PR.IR-01.08
  comments: "This diagnostic statement implements technical controls (e.g., VPN, antivirus\
    \ software) to address the risks of end-user personal computing devices accessing\
    \ the organization\u2019s network and resources."
  mapping_type: mitigates
  references: []
- attack_object_id: T1027.002
  attack_object_name: Software Packing
  capability_description: End-user device access
  capability_group: PR.IR
  capability_id: PR.IR-01.08
  comments: "This diagnostic statement implements technical controls (e.g., VPN, antivirus\
    \ software) to address the risks of end-user personal computing devices accessing\
    \ the organization\u2019s network and resources."
  mapping_type: mitigates
  references: []
- attack_object_id: T1080
  attack_object_name: Taint Shared Content
  capability_description: End-user device access
  capability_group: PR.IR
  capability_id: PR.IR-01.08
  comments: "This diagnostic statement implements technical controls (e.g., VPN, antivirus\
    \ software) to address the risks of end-user personal computing devices accessing\
    \ the organization\u2019s network and resources."
  mapping_type: mitigates
  references: []
- attack_object_id: T1027.014
  attack_object_name: Polymorphic Code
  capability_description: End-user device access
  capability_group: PR.IR
  capability_id: PR.IR-01.08
  comments: "This diagnostic statement implements technical controls (e.g., VPN, antivirus\
    \ software) to address the risks of end-user personal computing devices accessing\
    \ the organization\u2019s network and resources."
  mapping_type: mitigates
  references: []
- attack_object_id: T1027.013
  attack_object_name: Encrypted/Encoded File
  capability_description: End-user device access
  capability_group: PR.IR
  capability_id: PR.IR-01.08
  comments: "This diagnostic statement implements technical controls (e.g., VPN, antivirus\
    \ software) to address the risks of end-user personal computing devices accessing\
    \ the organization\u2019s network and resources."
  mapping_type: mitigates
  references: []
- attack_object_id: T1027.012
  attack_object_name: LNK Icon Smuggling
  capability_description: End-user device access
  capability_group: PR.IR
  capability_id: PR.IR-01.08
  comments: "This diagnostic statement implements technical controls (e.g., VPN, antivirus\
    \ software) to address the risks of end-user personal computing devices accessing\
    \ the organization\u2019s network and resources."
  mapping_type: mitigates
  references: []
- attack_object_id: T1027.010
  attack_object_name: Command Obfuscation
  capability_description: End-user device access
  capability_group: PR.IR
  capability_id: PR.IR-01.08
  comments: "This diagnostic statement implements technical controls (e.g., VPN, antivirus\
    \ software) to address the risks of end-user personal computing devices accessing\
    \ the organization\u2019s network and resources."
  mapping_type: mitigates
  references: []
- attack_object_id: T1027.009
  attack_object_name: Embedded Payloads
  capability_description: End-user device access
  capability_group: PR.IR
  capability_id: PR.IR-01.08
  comments: "This diagnostic statement implements technical controls (e.g., VPN, antivirus\
    \ software) to address the risks of end-user personal computing devices accessing\
    \ the organization\u2019s network and resources."
  mapping_type: mitigates
  references: []
- attack_object_id: T1027
  attack_object_name: Obfuscated Files or Information
  capability_description: End-user device access
  capability_group: PR.IR
  capability_id: PR.IR-01.08
  comments: "This diagnostic statement implements technical controls (e.g., VPN, antivirus\
    \ software) to address the risks of end-user personal computing devices accessing\
    \ the organization\u2019s network and resources."
  mapping_type: mitigates
  references: []
- attack_object_id: T1036.008
  attack_object_name: Masquerade File Type
  capability_description: End-user device access
  capability_group: PR.IR
  capability_id: PR.IR-01.08
  comments: "This diagnostic statement implements technical controls (e.g., VPN, antivirus\
    \ software) to address the risks of end-user personal computing devices accessing\
    \ the organization\u2019s network and resources."
  mapping_type: mitigates
  references: []
- attack_object_id: T1036
  attack_object_name: Masquerading
  capability_description: End-user device access
  capability_group: PR.IR
  capability_id: PR.IR-01.08
  comments: "This diagnostic statement implements technical controls (e.g., VPN, antivirus\
    \ software) to address the risks of end-user personal computing devices accessing\
    \ the organization\u2019s network and resources."
  mapping_type: mitigates
  references: []
- attack_object_id: T1564
  attack_object_name: Hide Artifacts
  capability_description: End-user device access
  capability_group: PR.IR
  capability_id: PR.IR-01.08
  comments: "This diagnostic statement implements technical controls (e.g., VPN, antivirus\
    \ software) to address the risks of end-user personal computing devices accessing\
    \ the organization\u2019s network and resources."
  mapping_type: mitigates
  references: []
- attack_object_id: T1564.012
  attack_object_name: File/Path Exclusions
  capability_description: End-user device access
  capability_group: PR.IR
  capability_id: PR.IR-01.08
  comments: "This diagnostic statement implements technical controls (e.g., VPN, antivirus\
    \ software) to address the risks of end-user personal computing devices accessing\
    \ the organization\u2019s network and resources."
  mapping_type: mitigates
  references: []
- attack_object_id: T1059
  attack_object_name: Command and Scripting Interpreter
  capability_description: End-user device access
  capability_group: PR.IR
  capability_id: PR.IR-01.08
  comments: "This diagnostic statement implements technical controls (e.g., VPN, antivirus\
    \ software) to address the risks of end-user personal computing devices accessing\
    \ the organization\u2019s network and resources."
  mapping_type: mitigates
  references: []
- attack_object_id: T1059.001
  attack_object_name: PowerShell
  capability_description: End-user device access
  capability_group: PR.IR
  capability_id: PR.IR-01.08
  comments: "This diagnostic statement implements technical controls (e.g., VPN, antivirus\
    \ software) to address the risks of end-user personal computing devices accessing\
    \ the organization\u2019s network and resources."
  mapping_type: mitigates
  references: []
- attack_object_id: T1059.005
  attack_object_name: Visual Basic
  capability_description: End-user device access
  capability_group: PR.IR
  capability_id: PR.IR-01.08
  comments: "This diagnostic statement implements technical controls (e.g., VPN, antivirus\
    \ software) to address the risks of end-user personal computing devices accessing\
    \ the organization\u2019s network and resources."
  mapping_type: mitigates
  references: []
- attack_object_id: T1059.006
  attack_object_name: Python
  capability_description: End-user device access
  capability_group: PR.IR
  capability_id: PR.IR-01.08
  comments: "This diagnostic statement implements technical controls (e.g., VPN, antivirus\
    \ software) to address the risks of end-user personal computing devices accessing\
    \ the organization\u2019s network and resources."
  mapping_type: mitigates
  references: []
- attack_object_id: T1078.001
  attack_object_name: Default Accounts
  capability_description: Remote access protection
  capability_group: PR.IR
  capability_id: PR.IR-01.05
  comments: This diagnostic statement implements security controls and restrictions
    for remote user access to systems. Remote user access control involves managing
    and securing how users remotely access systems, such as through encrypted connections
    and account use policies, which help prevent adversary access.
  mapping_type: mitigates
  references: []
- attack_object_id: T1078.002
  attack_object_name: Domain Accounts
  capability_description: Remote access protection
  capability_group: PR.IR
  capability_id: PR.IR-01.05
  comments: This diagnostic statement implements security controls and restrictions
    for remote user access to systems. Remote user access control involves managing
    and securing how users remotely access systems, such as through encrypted connections
    and account use policies, which help prevent adversary access.
  mapping_type: mitigates
  references: []
- attack_object_id: T1199
  attack_object_name: Trusted Relationship
  capability_description: Remote access protection
  capability_group: PR.IR
  capability_id: PR.IR-01.05
  comments: This diagnostic statement implements security controls and restrictions
    for remote user access to systems. Remote user access control involves managing
    and securing how users remotely access systems, such as through encrypted connections
    and account use policies, which help prevent adversary access.
  mapping_type: mitigates
  references: []
- attack_object_id: T1021.007
  attack_object_name: Cloud Services
  capability_description: Remote access protection
  capability_group: PR.IR
  capability_id: PR.IR-01.05
  comments: This diagnostic statement implements security controls and restrictions
    for remote user access to systems. Remote user access control involves managing
    and securing how users remotely access systems, such as through encrypted connections
    and account use policies, which help prevent adversary access.
  mapping_type: mitigates
  references: []
- attack_object_id: T1021.008
  attack_object_name: Direct Cloud VM Connections
  capability_description: Remote access protection
  capability_group: PR.IR
  capability_id: PR.IR-01.05
  comments: This diagnostic statement implements security controls and restrictions
    for remote user access to systems. Remote user access control involves managing
    and securing how users remotely access systems, such as through encrypted connections
    and account use policies, which help prevent adversary access.
  mapping_type: mitigates
  references: []
- attack_object_id: T1021.002
  attack_object_name: SMB/Windows Admin Shares
  capability_description: Remote access protection
  capability_group: PR.IR
  capability_id: PR.IR-01.05
  comments: This diagnostic statement implements security controls and restrictions
    for remote user access to systems. Remote user access control involves managing
    and securing how users remotely access systems, such as through encrypted connections
    and account use policies, which help prevent adversary access.
  mapping_type: mitigates
  references: []
- attack_object_id: T1021.004
  attack_object_name: SSH
  capability_description: Remote access protection
  capability_group: PR.IR
  capability_id: PR.IR-01.05
  comments: This diagnostic statement implements security controls and restrictions
    for remote user access to systems. Remote user access control involves managing
    and securing how users remotely access systems, such as through encrypted connections
    and account use policies, which help prevent adversary access.
  mapping_type: mitigates
  references: []
- attack_object_id: T1021.006
  attack_object_name: Windows Remote Management
  capability_description: Remote access protection
  capability_group: PR.IR
  capability_id: PR.IR-01.05
  comments: This diagnostic statement implements security controls and restrictions
    for remote user access to systems. Remote user access control involves managing
    and securing how users remotely access systems, such as through encrypted connections
    and account use policies, which help prevent adversary access.
  mapping_type: mitigates
  references: []
- attack_object_id: T1021.005
  attack_object_name: VNC
  capability_description: Remote access protection
  capability_group: PR.IR
  capability_id: PR.IR-01.05
  comments: This diagnostic statement implements security controls and restrictions
    for remote user access to systems. Remote user access control involves managing
    and securing how users remotely access systems, such as through encrypted connections
    and account use policies, which help prevent adversary access.
  mapping_type: mitigates
  references: []
- attack_object_id: T1021.003
  attack_object_name: Distributed Component Object Model
  capability_description: Remote access protection
  capability_group: PR.IR
  capability_id: PR.IR-01.05
  comments: This diagnostic statement implements security controls and restrictions
    for remote user access to systems. Remote user access control involves managing
    and securing how users remotely access systems, such as through encrypted connections
    and account use policies, which help prevent adversary access.
  mapping_type: mitigates
  references: []
- attack_object_id: T1021.001
  attack_object_name: Remote Desktop Protocol
  capability_description: Remote access protection
  capability_group: PR.IR
  capability_id: PR.IR-01.05
  comments: This diagnostic statement implements security controls and restrictions
    for remote user access to systems. Remote user access control involves managing
    and securing how users remotely access systems, such as through encrypted connections
    and account use policies, which help prevent adversary access.
  mapping_type: mitigates
  references: []
- attack_object_id: T1021
  attack_object_name: Remote Services
  capability_description: Remote access protection
  capability_group: PR.IR
  capability_id: PR.IR-01.05
  comments: This diagnostic statement implements security controls and restrictions
    for remote user access to systems. Remote user access control involves managing
    and securing how users remotely access systems, such as through encrypted connections
    and account use policies, which help prevent adversary access.
  mapping_type: mitigates
  references: []
- attack_object_id: T1556.006
  attack_object_name: Multi-Factor Authentication
  capability_description: Remote access protection
  capability_group: PR.IR
  capability_id: PR.IR-01.05
  comments: This diagnostic statement implements security controls and restrictions
    for remote user access to systems. Remote user access control involves managing
    and securing how users remotely access systems, such as through encrypted connections
    and account use policies, which help prevent adversary access.
  mapping_type: mitigates
  references: []
- attack_object_id: T1133
  attack_object_name: External Remote Services
  capability_description: Remote access protection
  capability_group: PR.IR
  capability_id: PR.IR-01.05
  comments: This diagnostic statement implements security controls and restrictions
    for remote user access to systems. Remote user access control involves managing
    and securing how users remotely access systems, such as through encrypted connections
    and account use policies, which help prevent adversary access.
  mapping_type: mitigates
  references: []
- attack_object_id: T1136.001
  attack_object_name: Local Account
  capability_description: Remote access protection
  capability_group: PR.IR
  capability_id: PR.IR-01.05
  comments: This diagnostic statement implements security controls and restrictions
    for remote user access to systems. Remote user access control involves managing
    and securing how users remotely access systems, such as through encrypted connections
    and account use policies, which help prevent adversary access.
  mapping_type: mitigates
  references: []
- attack_object_id: T1136.002
  attack_object_name: Domain Account
  capability_description: Remote access protection
  capability_group: PR.IR
  capability_id: PR.IR-01.05
  comments: This diagnostic statement implements security controls and restrictions
    for remote user access to systems. Remote user access control involves managing
    and securing how users remotely access systems, such as through encrypted connections
    and account use policies, which help prevent adversary access.
  mapping_type: mitigates
  references: []
- attack_object_id: T1136.003
  attack_object_name: Cloud Account
  capability_description: Remote access protection
  capability_group: PR.IR
  capability_id: PR.IR-01.05
  comments: This diagnostic statement implements security controls and restrictions
    for remote user access to systems. Remote user access control involves managing
    and securing how users remotely access systems, such as through encrypted connections
    and account use policies, which help prevent adversary access.
  mapping_type: mitigates
  references: []
- attack_object_id: T1136
  attack_object_name: Create Account
  capability_description: Remote access protection
  capability_group: PR.IR
  capability_id: PR.IR-01.05
  comments: This diagnostic statement implements security controls and restrictions
    for remote user access to systems. Remote user access control involves managing
    and securing how users remotely access systems, such as through encrypted connections
    and account use policies, which help prevent adversary access.
  mapping_type: mitigates
  references: []
- attack_object_id: T1098.006
  attack_object_name: Additional Container Cluster Roles
  capability_description: Remote access protection
  capability_group: PR.IR
  capability_id: PR.IR-01.05
  comments: This diagnostic statement implements security controls and restrictions
    for remote user access to systems. Remote user access control involves managing
    and securing how users remotely access systems, such as through encrypted connections
    and account use policies, which help prevent adversary access.
  mapping_type: mitigates
  references: []
- attack_object_id: T1098.001
  attack_object_name: Additional Cloud Credentials
  capability_description: Remote access protection
  capability_group: PR.IR
  capability_id: PR.IR-01.05
  comments: This diagnostic statement implements security controls and restrictions
    for remote user access to systems. Remote user access control involves managing
    and securing how users remotely access systems, such as through encrypted connections
    and account use policies, which help prevent adversary access.
  mapping_type: mitigates
  references: []
- attack_object_id: T1098.002
  attack_object_name: Additional Email Delegate Permissions
  capability_description: Remote access protection
  capability_group: PR.IR
  capability_id: PR.IR-01.05
  comments: This diagnostic statement implements security controls and restrictions
    for remote user access to systems. Remote user access control involves managing
    and securing how users remotely access systems, such as through encrypted connections
    and account use policies, which help prevent adversary access.
  mapping_type: mitigates
  references: []
- attack_object_id: T1098.003
  attack_object_name: Additional Cloud Roles
  capability_description: Remote access protection
  capability_group: PR.IR
  capability_id: PR.IR-01.05
  comments: This diagnostic statement implements security controls and restrictions
    for remote user access to systems. Remote user access control involves managing
    and securing how users remotely access systems, such as through encrypted connections
    and account use policies, which help prevent adversary access.
  mapping_type: mitigates
  references: []
- attack_object_id: T1098
  attack_object_name: Account Manipulation
  capability_description: Remote access protection
  capability_group: PR.IR
  capability_id: PR.IR-01.05
  comments: This diagnostic statement implements security controls and restrictions
    for remote user access to systems. Remote user access control involves managing
    and securing how users remotely access systems, such as through encrypted connections
    and account use policies, which help prevent adversary access.
  mapping_type: mitigates
  references: []
- attack_object_id: T1078
  attack_object_name: Valid Accounts
  capability_description: Remote access protection
  capability_group: PR.IR
  capability_id: PR.IR-01.05
  comments: This diagnostic statement implements security controls and restrictions
    for remote user access to systems. Remote user access control involves managing
    and securing how users remotely access systems, such as through encrypted connections
    and account use policies, which help prevent adversary access.
  mapping_type: mitigates
  references: []
- attack_object_id: T1078.004
  attack_object_name: Cloud Accounts
  capability_description: Remote access protection
  capability_group: PR.IR
  capability_id: PR.IR-01.05
  comments: This diagnostic statement implements security controls and restrictions
    for remote user access to systems. Remote user access control involves managing
    and securing how users remotely access systems, such as through encrypted connections
    and account use policies, which help prevent adversary access.
  mapping_type: mitigates
  references: []
- attack_object_id: T1110.001
  attack_object_name: Password Guessing
  capability_description: Remote access protection
  capability_group: PR.IR
  capability_id: PR.IR-01.05
  comments: This diagnostic statement implements security controls and restrictions
    for remote user access to systems. Remote user access control involves managing
    and securing how users remotely access systems, such as through encrypted connections
    and account use policies, which help prevent adversary access.
  mapping_type: mitigates
  references: []
- attack_object_id: T1110.003
  attack_object_name: Password Spraying
  capability_description: Remote access protection
  capability_group: PR.IR
  capability_id: PR.IR-01.05
  comments: This diagnostic statement implements security controls and restrictions
    for remote user access to systems. Remote user access control involves managing
    and securing how users remotely access systems, such as through encrypted connections
    and account use policies, which help prevent adversary access.
  mapping_type: mitigates
  references: []
- attack_object_id: T1110.004
  attack_object_name: Credential Stuffing
  capability_description: Remote access protection
  capability_group: PR.IR
  capability_id: PR.IR-01.05
  comments: This diagnostic statement implements security controls and restrictions
    for remote user access to systems. Remote user access control involves managing
    and securing how users remotely access systems, such as through encrypted connections
    and account use policies, which help prevent adversary access.
  mapping_type: mitigates
  references: []
- attack_object_id: T1651
  attack_object_name: Cloud Administration Command
  capability_description: Remote access protection
  capability_group: PR.IR
  capability_id: PR.IR-01.05
  comments: This diagnostic statement implements security controls and restrictions
    for remote user access to systems. Remote user access control involves managing
    and securing how users remotely access systems, such as through encrypted connections
    and account use policies, which help prevent adversary access.
  mapping_type: mitigates
  references: []
- attack_object_id: T1648
  attack_object_name: Serverless Execution
  capability_description: Remote access protection
  capability_group: PR.IR
  capability_id: PR.IR-01.05
  comments: This diagnostic statement implements security controls and restrictions
    for remote user access to systems. Remote user access control involves managing
    and securing how users remotely access systems, such as through encrypted connections
    and account use policies, which help prevent adversary access.
  mapping_type: mitigates
  references: []
- attack_object_id: T1110
  attack_object_name: Brute Force
  capability_description: Remote access protection
  capability_group: PR.IR
  capability_id: PR.IR-01.05
  comments: This diagnostic statement implements security controls and restrictions
    for remote user access to systems. Remote user access control involves managing
    and securing how users remotely access systems, such as through encrypted connections
    and account use policies, which help prevent adversary access.
  mapping_type: mitigates
  references: []
- attack_object_id: T1606.002
  attack_object_name: SAML Tokens
  capability_description: Remote access protection
  capability_group: PR.IR
  capability_id: PR.IR-01.05
  comments: This diagnostic statement implements security controls and restrictions
    for remote user access to systems. Remote user access control involves managing
    and securing how users remotely access systems, such as through encrypted connections
    and account use policies, which help prevent adversary access.
  mapping_type: mitigates
  references: []
- attack_object_id: T1606
  attack_object_name: Forge Web Credentials
  capability_description: Remote access protection
  capability_group: PR.IR
  capability_id: PR.IR-01.05
  comments: This diagnostic statement implements security controls and restrictions
    for remote user access to systems. Remote user access control involves managing
    and securing how users remotely access systems, such as through encrypted connections
    and account use policies, which help prevent adversary access.
  mapping_type: mitigates
  references: []
- attack_object_id: T1601.002
  attack_object_name: Downgrade System Image
  capability_description: Remote access protection
  capability_group: PR.IR
  capability_id: PR.IR-01.05
  comments: This diagnostic statement implements security controls and restrictions
    for remote user access to systems. Remote user access control involves managing
    and securing how users remotely access systems, such as through encrypted connections
    and account use policies, which help prevent adversary access. For image downgrade
    the mitigation is indirect, it limits which remote users can reach the network
    device administrative interfaces through which an older image would be loaded.
  mapping_type: mitigates
  references: []
- attack_object_id: T1601.001
  attack_object_name: Patch System Image
  capability_description: Remote access protection
  capability_group: PR.IR
  capability_id: PR.IR-01.05
  comments: This diagnostic statement implements security controls and restrictions
    for remote user access to systems. Remote user access control involves managing
    and securing how users remotely access systems, such as through encrypted connections
    and account use policies, which help prevent adversary access. For image patching
    the mitigation is indirect, it limits which remote users can reach the network
    device administrative interfaces through which a modified image would be installed.
  mapping_type: mitigates
  references: []
- attack_object_id: T1601
  attack_object_name: Modify System Image
  capability_description: Remote access protection
  capability_group: PR.IR
  capability_id: PR.IR-01.05
  comments: This diagnostic statement implements security controls and restrictions
    for remote user access to systems. Remote user access control involves managing
    and securing how users remotely access systems, such as through encrypted connections
    and account use policies, which help prevent adversary access. For system image
    modification the mitigation is indirect, it restricts remote access to the network
    device management interfaces an adversary would use to replace or alter the image.
  mapping_type: mitigates
  references: []
- attack_object_id: T1569.002
  attack_object_name: Service Execution
  capability_description: Remote access protection
  capability_group: PR.IR
  capability_id: PR.IR-01.05
  comments: This diagnostic statement implements security controls and restrictions
    for remote user access to systems. Remote user access control involves managing
    and securing how users remotely access systems, such as through encrypted connections
    and account use policies, which help prevent adversary access. Restricting which
    accounts may remotely create or start services, and over which administrative
    protocols, limits an adversary's ability to execute services on remote hosts.
  mapping_type: mitigates
  references: []
- attack_object_id: T1569
  attack_object_name: System Services
  capability_description: Remote access protection
  capability_group: PR.IR
  capability_id: PR.IR-01.05
  comments: This diagnostic statement implements security controls and restrictions
    for remote user access to systems. Remote user access control involves managing
    and securing how users remotely access systems, such as through encrypted connections
    and account use policies, which help prevent adversary access.
  mapping_type: mitigates
  references: []
- attack_object_id: T1563.001
  attack_object_name: SSH Hijacking
  capability_description: Remote access protection
  capability_group: PR.IR
  capability_id: PR.IR-01.05
  comments: This diagnostic statement implements security controls and restrictions
    for remote user access to systems. Remote user access control involves managing
    and securing how users remotely access systems, such as through encrypted connections
    and account use policies, which help prevent adversary access. Encryption does not
    protect an already-authenticated SSH session from hijacking, so the relevant account
    use policies here are disabling SSH agent forwarding where it is not required,
    not reusing sessions across privilege levels, and limiting which accounts may use SSH.
  mapping_type: mitigates
  references: []
- attack_object_id: T1558.003
  attack_object_name: Kerberoasting
  capability_description: Remote access protection
  capability_group: PR.IR
  capability_id: PR.IR-01.05
  comments: This diagnostic statement implements security controls and restrictions
    for remote user access to systems. Remote user access control involves managing
    and securing how users remotely access systems, such as through encrypted connections
    and account use policies, which help prevent adversary access. Kerberoasting is an
    offline attack on requested service tickets, so this control helps only indirectly
    by limiting which remote users can request tickets, strong service account
    passwords and AES-only service tickets remain the primary mitigation.
  mapping_type: mitigates
  references: []
- attack_object_id: T1558.002
  attack_object_name: Silver Ticket
  capability_description: Remote access protection
  capability_group: PR.IR
  capability_id: PR.IR-01.05
  comments: This diagnostic statement implements security controls and restrictions
    for remote user access to systems. Remote user access control involves managing
    and securing how users remotely access systems, such as through encrypted connections
    and account use policies, which help prevent adversary access. A silver ticket is
    accepted by the target service without contacting the domain controller, so this
    control is indirect, it limits who can remotely reach the service that would accept
    the forged ticket and does not itself detect the forgery.
  mapping_type: mitigates
  references: []
- attack_object_id: T1558.001
  attack_object_name: Golden Ticket
  capability_description: Remote access protection
  capability_group: PR.IR
  capability_id: PR.IR-01.05
  comments: This diagnostic statement implements security controls and restrictions
    for remote user access to systems. Remote user access control involves managing
    and securing how users remotely access systems, such as through encrypted connections
    and account use policies, which help prevent adversary access. A golden ticket is
    forged with the KRBTGT key and presents as valid domain authentication, so this
    control is indirect, restricting remote access to domain controllers and
    privileged hosts limits both the theft of that key and the use of forged tickets.
  mapping_type: mitigates
  references: []
- attack_object_id: T1558
  attack_object_name: Steal or Forge Kerberos Tickets
  capability_description: Remote access protection
  capability_group: PR.IR
  capability_id: PR.IR-01.05
  comments: This diagnostic statement implements security controls and restrictions
    for remote user access to systems. Remote user access control involves managing
    and securing how users remotely access systems, such as through encrypted connections
    and account use policies, which help prevent adversary access. Stolen or forged
    Kerberos tickets present as valid authentication, so this mapping is indirect, the
    control limits which accounts can reach ticket-granting and ticket-accepting
    systems remotely rather than preventing ticket theft or forgery itself.
  mapping_type: mitigates
  references: []
- attack_object_id: T1556.007
  attack_object_name: Hybrid Identity
  capability_description: Remote access protection
  capability_group: PR.IR
  capability_id: PR.IR-01.05
  comments: This diagnostic statement implements security controls and restrictions
    for remote user access to systems. Remote user access control involves managing
    and securing how users remotely access systems, such as through encrypted connections
    and account use policies, which help prevent adversary access.
  mapping_type: mitigates
  references: []
- attack_object_id: T1556.005
  attack_object_name: Reversible Encryption
  capability_description: Remote access protection
  capability_group: PR.IR
  capability_id: PR.IR-01.05
  comments: This diagnostic statement implements security controls and restrictions
    for remote user access to systems. Remote user access control involves managing
    and securing how users remotely access systems, such as through encrypted connections
    and account use policies, which help prevent adversary access. This mapping is
    indirect, enabling reversible password encryption requires privileged directory
    access, which remote access restrictions help confine to approved administrators.
  mapping_type: mitigates
  references: []
- attack_object_id: T1556.003
  attack_object_name: Pluggable Authentication Modules
  capability_description: Remote access protection
  capability_group: PR.IR
  capability_id: PR.IR-01.05
  comments: This diagnostic statement implements security controls and restrictions
    for remote user access to systems. Remote user access control involves managing
    and securing how users remotely access systems, such as through encrypted connections
    and account use policies, which help prevent adversary access. This mapping is
    indirect, restricting remote administrative access to hosts limits who could alter
    PAM configuration or modules on them.
  mapping_type: mitigates
  references: []
- attack_object_id: T1556.004
  attack_object_name: Network Device Authentication
  capability_description: Remote access protection
  capability_group: PR.IR
  capability_id: PR.IR-01.05
  comments: This diagnostic statement implements security controls and restrictions
    for remote user access to systems. Remote user access control involves managing
    and securing how users remotely access systems, such as through encrypted connections
    and account use policies, which help prevent adversary access. Restricting remote
    access to network device administrative interfaces limits who could modify the
    device authentication process, for example by patching the image to accept a
    hard-coded credential.
  mapping_type: mitigates
  references: []
- attack_object_id: T1543.002
  attack_object_name: Systemd Service
  capability_description: Remote access protection
  capability_group: PR.IR
  capability_id: PR.IR-01.05
  comments: This diagnostic statement implements security controls and restrictions
    for remote user access to systems. Remote user access control involves managing
    and securing how users remotely access systems, such as through encrypted connections
    and account use policies, which help prevent adversary access.
  mapping_type: mitigates
  references: []
- attack_object_id: T1543
  attack_object_name: Create or Modify System Process
  capability_description: Remote access protection
  capability_group: PR.IR
  capability_id: PR.IR-01.05
  comments: This diagnostic statement implements security controls and restrictions
    for remote user access to systems. Remote user access control involves managing
    and securing how users remotely access systems, such as through encrypted connections
    and account use policies, which help prevent adversary access.
  mapping_type: mitigates
  references: []
- attack_object_id: T1547.006
  attack_object_name: Kernel Modules and Extensions
  capability_description: Remote access protection
  capability_group: PR.IR
  capability_id: PR.IR-01.05
  comments: This diagnostic statement implements security controls and restrictions
    for remote user access to systems. Remote user access control involves managing
    and securing how users remotely access systems, such as through encrypted connections
    and account use policies, which help prevent adversary access.
  mapping_type: mitigates
  references: []
- attack_object_id: T1548.002
  attack_object_name: Bypass User Account Control
  capability_description: Remote access protection
  capability_group: PR.IR
  capability_id: PR.IR-01.05
  comments: This diagnostic statement implements security controls and restrictions
    for remote user access to systems. Remote user access control involves managing
    and securing how users remotely access systems, such as through encrypted connections
    and account use policies, which help prevent adversary access.
  mapping_type: mitigates
  references: []
- attack_object_id: T1548.003
  attack_object_name: Sudo and Sudo Caching
  capability_description: Remote access protection
  capability_group: PR.IR
  capability_id: PR.IR-01.05
  comments: This diagnostic statement implements security controls and restrictions
    for remote user access to systems. Remote user access control involves managing
    and securing how users remotely access systems, such as through encrypted connections
    and account use policies, which help prevent adversary access. Sudo abuse is a
    local elevation technique, so this control is indirect, it reduces who can obtain
    the initial remote session from which elevation is attempted and does not replace
    a restrictive sudoers configuration or disabling sudo credential caching.
  mapping_type: mitigates
  references: []
- attack_object_id: T1548.006
  attack_object_name: TCC Manipulation
  capability_description: Remote access protection
  capability_group: PR.IR
  capability_id: PR.IR-01.05
  comments: This diagnostic statement implements security controls and restrictions
    for remote user access to systems. Remote user access control involves managing
    and securing how users remotely access systems, such as through encrypted connections
    and account use policies, which help prevent adversary access.
  mapping_type: mitigates
  references: []
- attack_object_id: T1548
  attack_object_name: Abuse Elevation Control Mechanism
  capability_description: Remote access protection
  capability_group: PR.IR
  capability_id: PR.IR-01.05
  comments: This diagnostic statement implements security controls and restrictions
    for remote user access to systems. Remote user access control involves managing
    and securing how users remotely access systems, such as through encrypted connections
    and account use policies, which help prevent adversary access. Elevation control
    abuse is a local technique, so this control is an indirect mitigation, it limits
    the population of remote users who could obtain the session from which elevation
    is attempted.
  mapping_type: mitigates
  references: []
- attack_object_id: T1484.002
  attack_object_name: Trust Modification
  capability_description: Remote access protection
  capability_group: PR.IR
  capability_id: PR.IR-01.05
  comments: This diagnostic statement implements security controls and restrictions
    for remote user access to systems. Remote user access control involves managing
    and securing how users remotely access systems, such as through encrypted connections
    and account use policies, which help prevent adversary access. For trust
    modification the relevant restriction is remote administrative access to domain
    controllers and tenant identity management interfaces, where domain and federation
    trusts are configured.
  mapping_type: mitigates
  references: []
- attack_object_id: T1484.001
  attack_object_name: Group Policy Modification
  capability_description: Remote access protection
  capability_group: PR.IR
  capability_id: PR.IR-01.05
  comments: This diagnostic statement implements security controls and restrictions
    for remote user access to systems. Remote user access control involves managing
    and securing how users remotely access systems, such as through encrypted connections
    and account use policies, which help prevent adversary access. For group policy
    modification the relevant restriction is remote administrative access to domain
    controllers and the SYSVOL share, where group policy objects are stored.
  mapping_type: mitigates
  references: []
- attack_object_id: T1484
  attack_object_name: Domain or Tenant Policy Modification
  capability_description: Remote access protection
  capability_group: PR.IR
  capability_id: PR.IR-01.05
  comments: This diagnostic statement implements security controls and restrictions
    for remote user access to systems. Remote user access control involves managing
    and securing how users remotely access systems, such as through encrypted connections
    and account use policies, which help prevent adversary access.
  mapping_type: mitigates
  references: []
- attack_object_id: T1550
  attack_object_name: Use Alternate Authentication Material
  capability_description: Remote access protection
  capability_group: PR.IR
  capability_id: PR.IR-01.05
  comments: This diagnostic statement implements security controls and restrictions
    for remote user access to systems. Remote user access control involves managing
    and securing how users remotely access systems, such as through encrypted connections
    and account use policies, which help prevent adversary access. Alternate
    authentication material (password hashes, Kerberos tickets, access tokens, web
    session cookies) bypasses password checks, so the value of this control depends on
    remote access requiring additional factors and restricting which accounts may
    authenticate remotely at all.
  mapping_type: mitigates
  references: []
- attack_object_id: T1542.001
  attack_object_name: System Firmware
  capability_description: Remote access protection
  capability_group: PR.IR
  capability_id: PR.IR-01.05
  comments: This diagnostic statement implements security controls and restrictions
    for remote user access to systems. Remote user access control involves managing
    and securing how users remotely access systems, such as through encrypted connections
    and account use policies, which help prevent adversary access. Firmware modification
    generally requires privileged access to the host, so this control is indirect, it
    constrains who can obtain that access remotely and does not itself detect or
    block a firmware write.
  mapping_type: mitigates
  references: []
- attack_object_id: T1542.003
  attack_object_name: Bootkit
  capability_description: Remote access protection
  capability_group: PR.IR
  capability_id: PR.IR-01.05
  comments: This diagnostic statement implements security controls and restrictions
    for remote user access to systems. Remote user access control involves managing
    and securing how users remotely access systems, such as through encrypted connections
    and account use policies, which help prevent adversary access. Installing a bootkit
    requires privileged access to the boot sector or boot loader, so this control is
    indirect, it constrains who can obtain that access remotely and does not itself
    detect or block the modification.
  mapping_type: mitigates
  references: []
- attack_object_id: T1098
  attack_object_name: Account Manipulation
  capability_description: Wireless network protection
  capability_group: PR.IR
  capability_id: PR.IR-01.04
  comments: This diagnostic statement provides protections for wireless networks.
    Implementation of wireless network management measures such as network segmentation
    and access controls reduces the attack surface, restricts movement by adversaries,
    and protects data from compromise. Wireless protection does not itself prevent
    changes to accounts, its relevance to account manipulation is limited to the access
    controls that determine which accounts may join the wireless network and what
    identity services they can reach from it.
  mapping_type: mitigates
  references: []
- attack_object_id: T1021.006
  attack_object_name: Windows Remote Management
  capability_description: Wireless network protection
  capability_group: PR.IR
  capability_id: PR.IR-01.04
  comments: This diagnostic statement provides protections for wireless networks.
    Implementation of wireless network management measures such as network segmentation
    and access controls reduces the attack surface, restricts movement by adversaries,
    and protects data from compromise. Segmenting wireless networks and restricting
    which internal hosts they may reach limits lateral movement over Windows Remote
    Management from a wireless client into the wired environment.
  mapping_type: mitigates
  references: []
- attack_object_id: T1599.001
  attack_object_name: Network Address Translation Traversal
  capability_description: Production environment segregation
  capability_group: PR.IR
  capability_id: PR.IR-01.06
  comments: This diagnostic statement provides protections for production environments.
    Measures such as network segmentation and access control reduce the attack surface,
    restrict movement by adversaries, and protect critical assets and data from compromise.
  mapping_type: mitigates
  references: []
- attack_object_id: T1599
  attack_object_name: Network Boundary Bridging
  capability_description: Production environment segregation
  capability_group: PR.IR
  capability_id: PR.IR-01.06
  comments: This diagnostic statement provides protections for production environments.
    Measures such as network segmentation and access control reduce the attack surface,
    restrict movement by adversaries, and protect critical assets and data from compromise.
    Boundary bridging succeeds when a compromised boundary device can pass traffic into
    production, so segregation should be enforced by controls on both sides of the
    boundary rather than relying on a single device to hold the segment apart.
  references: []
- attack_object_id: T1555.006
  attack_object_name: Cloud Secrets Management Stores
  capability_description: Production environment segregation
  capability_group: PR.IR
  capability_id: PR.IR-01.06
  comments: This diagnostic statement provides protections for production environments.
    Measures such as network segmentation and access control reduce the attack surface,
    restrict movement by adversaries, and protect critical assets and data from compromise.
    Keeping production secrets in a separate secrets store (or a separate cloud account
    or project) that only production workloads can read limits credential exposure
    when a non-production environment is compromised.
  references: []
- attack_object_id: T1552.002
  attack_object_name: Credentials in Registry
  capability_description: Production environment segregation
  capability_group: PR.IR
  capability_id: PR.IR-01.06
  comments: This diagnostic statement provides protections for production environments.
    Measures such as network segmentation and access control reduce the attack surface,
    restrict movement by adversaries, and protect critical assets and data from compromise.
    Segregation does not prevent credentials from being stored in the registry of a
    host, it limits what a credential recovered from a non-production host can reach,
    so production credentials should never be reused outside production.
  references: []
- attack_object_id: T1548.003
  attack_object_name: Sudo and Sudo Caching
  capability_description: Production environment segregation
  capability_group: PR.IR
  capability_id: PR.IR-01.06
  comments: This diagnostic statement provides protections for production environments.
    Measures such as network segmentation and access control reduce the attack surface,
    restrict movement by adversaries, and protect critical assets and data from compromise.
  mapping_type: mitigates
  references: []
- attack_object_id: T1548.002
  attack_object_name: Bypass User Account Control
  capability_description: Production environment segregation
  capability_group: PR.IR
  capability_id: PR.IR-01.06
  comments: This diagnostic statement provides protections for production environments.
    Measures such as network segmentation and access control reduce the attack surface,
    restrict movement by adversaries, and protect critical assets and data from compromise.
  mapping_type: mitigates
  references: []
- attack_object_id: T1546.003
  attack_object_name: Windows Management Instrumentation Event Subscription
  capability_description: Production environment segregation
  capability_group: PR.IR
  capability_id: PR.IR-01.06
  comments: This diagnostic statement provides protections for production environments.
    Measures such as network segmentation and access control reduce the attack surface,
    restrict movement by adversaries, and protect critical assets and data from compromise.
  mapping_type: mitigates
  references: []
- attack_object_id: T1542.005
  attack_object_name: TFTP Boot
  capability_description: Production environment segregation
  capability_group: PR.IR
  capability_id: PR.IR-01.06
  comments: This diagnostic statement provides protections for production environments.
    Measures such as network segmentation and access control reduce the attack surface,
    restrict movement by adversaries, and protect critical assets and data from compromise.
    Confining TFTP and other network boot or provisioning services to a dedicated
    management segment limits which hosts can serve a boot image to production
    devices.
  references: []
- attack_object_id: T1505.001
  attack_object_name: SQL Stored Procedures
  capability_description: Production environment segregation
  capability_group: PR.IR
  capability_id: PR.IR-01.06
  comments: This diagnostic statement provides protections for production environments.
    Measures such as network segmentation and access control reduce the attack surface,
    restrict movement by adversaries, and protect critical assets and data from compromise.
  mapping_type: mitigates
  references: []
- attack_object_id: T1505.002
  attack_object_name: Transport Agent
  capability_description: Production environment segregation
  capability_group: PR.IR
  capability_id: PR.IR-01.06
  comments: This diagnostic statement provides protections for production environments.
    Measures such as network segmentation and access control reduce the attack surface,
    restrict movement by adversaries, and protect critical assets and data from compromise.
  mapping_type: mitigates
  references: []
- attack_object_id: T1200
  attack_object_name: Hardware Additions
  capability_description: Production environment segregation
  capability_group: PR.IR
  capability_id: PR.IR-01.06
  comments: This diagnostic statement provides protections for production environments.
    Measures such as network segmentation and access control reduce the attack surface,
    restrict movement by adversaries, and protect critical assets and data from compromise.
    Segregation limits what a physically added device can reach, this is most
    effective when production segments also enforce network access control on the
    ports and wireless networks an unauthorized device could connect to.
  references: []
- attack_object_id: T1134.002
  attack_object_name: Create Process with Token
  capability_description: Production environment segregation
  capability_group: PR.IR
  capability_id: PR.IR-01.06
  comments: This diagnostic statement provides protections for production environments.
    Measures such as network segmentation and access control reduce the attack surface,
    restrict movement by adversaries, and protect critical assets and data from compromise.
  mapping_type: mitigates
  references: []
- attack_object_id: T1134.001
  attack_object_name: Token Impersonation/Theft
  capability_description: Production environment segregation
  capability_group: PR.IR
  capability_id: PR.IR-01.06
  comments: This diagnostic statement provides protections for production environments.
    Measures such as network segmentation and access control reduce the attack surface,
    restrict movement by adversaries, and protect critical assets and data from compromise.
  mapping_type: mitigates
  references: []
- attack_object_id: T1134.003
  attack_object_name: Make and Impersonate Token
  capability_description: Production environment segregation
  capability_group: PR.IR
  capability_id: PR.IR-01.06
  comments: This diagnostic statement provides protections for production environments.
    Measures such as network segmentation and access control reduce the attack surface,
    restrict movement by adversaries, and protect critical assets and data from compromise.
  mapping_type: mitigates
  references: []
- attack_object_id: T1133
  attack_object_name: External Remote Services
  capability_description: Production environment segregation
  capability_group: PR.IR
  capability_id: PR.IR-01.06
  comments: This diagnostic statement provides protections for production environments.
    Measures such as network segmentation and access control reduce the attack surface,
    restrict movement by adversaries, and protect critical assets and data from compromise.
    External remote services (VPN, remote desktop gateways and similar) should terminate
    in a segregated access zone rather than directly in production, so that a
    compromised remote session still has to cross an enforced boundary.
  references: []
- attack_object_id: T1136.001
  attack_object_name: Local Account
  capability_description: Production environment segregation
  capability_group: PR.IR
  capability_id: PR.IR-01.06
  comments: This diagnostic statement provides protections for production environments.
    Measures such as network segmentation and access control reduce the attack surface,
    restrict movement by adversaries, and protect critical assets and data from compromise.
  mapping_type: mitigates
  references: []
- attack_object_id: T1136.002
  attack_object_name: Domain Account
  capability_description: Production environment segregation
  capability_group: PR.IR
  capability_id: PR.IR-01.06
  comments: This diagnostic statement provides protections for production environments.
    Measures such as network segmentation and access control reduce the attack surface,
    restrict movement by adversaries, and protect critical assets and data from compromise.
  mapping_type: mitigates
  references: []
- attack_object_id: T1136.003
  attack_object_name: Cloud Account
  capability_description: Production environment segregation
  capability_group: PR.IR
  capability_id: PR.IR-01.06
  comments: This diagnostic statement provides protections for production environments.
    Measures such as network segmentation and access control reduce the attack surface,
    restrict movement by adversaries, and protect critical assets and data from compromise.
    For cloud accounts this means separating production from non-production at the
    account, subscription or project level and limiting which principals may create
    accounts in the production tenant.
  references: []
- attack_object_id: T1021.001
  attack_object_name: Remote Desktop Protocol
  capability_description: Production environment segregation
  capability_group: PR.IR
  capability_id: PR.IR-01.06
  comments: This diagnostic statement provides protections for production environments.
    Measures such as network segmentation and access control reduce the attack surface,
    restrict movement by adversaries, and protect critical assets and data from compromise.
    RDP into production should be reachable only from designated jump hosts or
    management segments, not from user workstations or non-production networks.
  references: []
- attack_object_id: T1610
  attack_object_name: Deploy Container
  capability_description: Network device configurations
  capability_group: PR.IR
  capability_id: PR.IR-01.02
  comments: This diagnostic statement provides protection through secure network device
    configurations (e.g., firewall rules, ports, and protocols) aligned to security
    baselines. Using network appliances to limit which hosts can reach container
    management interfaces, such as the container runtime API or the orchestrator API
    server, can prevent adversary deployment of a container.
  mapping_type: mitigates
  references: []
- attack_object_id: T1557.001
  attack_object_name: LLMNR/NBT-NS Poisoning and SMB Relay
  capability_description: Network device configurations
  capability_group: PR.IR
  capability_id: PR.IR-01.02
  comments: This diagnostic statement provides protection through secure network device
    configurations (e.g., firewall rules, ports, and protocols) aligned to security
    baselines. Using network appliances to block or filter network traffic that is
    not necessary within the environment, in particular LLMNR and NetBIOS name
    service broadcasts and SMB traffic crossing segment boundaries, can prevent
    leveraging for AiTM conditions.
  mapping_type: mitigates
  references: []
- attack_object_id: T1557.003
  attack_object_name: DHCP Spoofing
  capability_description: Network device configurations
  capability_group: PR.IR
  capability_id: PR.IR-01.02
  comments: This diagnostic statement provides protection through secure network device
    configurations (e.g., firewall rules, ports, and protocols) aligned to security
    baselines. Using network appliances to block or filter network traffic that is
    not necessary within the environment can prevent leveraging for AiTM conditions,
    for DHCP spoofing the relevant switch configuration is DHCP snooping, which drops
    DHCP server responses arriving on untrusted ports.
  mapping_type: mitigates
  references: []
- attack_object_id: T1218
  attack_object_name: System Binary Proxy Execution
  capability_description: Network device configurations
  capability_group: PR.IR
  capability_id: PR.IR-01.02
  comments: This diagnostic statement provides protection through secure network device
    configurations (e.g., firewall rules, ports, and protocols) aligned to security
    baselines. Using network appliances to block or filter network traffic can help
    to mitigate this technique, egress filtering in particular can stop a proxied
    system binary from retrieving a remote payload or reaching command and control.
  mapping_type: mitigates
  references: []
- attack_object_id: T1071.004
  attack_object_name: DNS
  capability_description: Network device configurations
  capability_group: PR.IR
  capability_id: PR.IR-01.02
  comments: This diagnostic statement provides protection through secure network device
    configurations (e.g., firewall rules, ports, protocols) aligned to security baselines.
    Using network appliances to block or filter network traffic that is not necessary
    within the environment can mitigate adversary use of application layer protocols,
    for DNS this means restricting outbound DNS to approved internal resolvers and
    blocking direct DNS from hosts to external servers.
  mapping_type: mitigates
  references: []
- attack_object_id: T1495
  attack_object_name: Firmware Corruption
  capability_description: Vulnerability remediation
  capability_group: PR.PS
  capability_id: PR.PS-06.06
  comments: This diagnostic statement provides for identifying and remediating vulnerabilities
    as part of the SDLC. Checking the integrity of the existing BIOS or EFI to determine
    if it is vulnerable to modification and updating firmware can mitigate risks of
    exploitation and/or abuse.
  mapping_type: mitigates
  references: []
- attack_object_id: T1068
  attack_object_name: Exploitation for Privilege Escalation
  capability_description: Vulnerability remediation
  capability_group: PR.PS
  capability_id: PR.PS-06.06
  comments: This diagnostic statement provides for identifying and remediating vulnerabilities
    as part of the SDLC. Ensuring software is up-to-date with the latest security
    patches helps prevent adversaries from exploiting known vulnerabilities, reducing
    the risk of successful attacks. For privilege escalation, prioritize patches for
    the kernel, drivers and privileged system services, which are the components
    whose exploitation yields elevated privileges.
  mapping_type: mitigates
  references: []
- attack_object_id: T1211
  attack_object_name: Exploitation for Defense Evasion
  capability_description: Vulnerability remediation
  capability_group: PR.PS
  capability_id: PR.PS-06.06
  comments: This diagnostic statement provides for identifying and remediating vulnerabilities
    as part of the SDLC. Ensuring software is up-to-date with the latest security
    patches helps prevent adversaries from exploiting known vulnerabilities, reducing
    the risk of successful attacks. For defense evasion this includes keeping security
    software itself patched, since vulnerabilities in those agents are what this
    technique exploits.
  mapping_type: mitigates
  references: []
- attack_object_id: T1203
  attack_object_name: Exploitation for Client Execution
  capability_description: Vulnerability remediation
  capability_group: PR.PS
  capability_id: PR.PS-06.06
  comments: This diagnostic statement provides for identifying and remediating vulnerabilities
    as part of the SDLC. Ensuring software is up-to-date with the latest security
    patches helps prevent adversaries from exploiting known vulnerabilities, reducing
    the risk of successful attacks. For client execution, prioritize software that
    handles untrusted content, such as browsers, office suites and document viewers.
  mapping_type: mitigates
  references: []
- attack_object_id: T1137.005
  attack_object_name: Outlook Rules
  capability_description: Vulnerability remediation
  capability_group: PR.PS
  capability_id: PR.PS-06.06
  comments: This diagnostic statement provides for identifying and remediating vulnerabilities
    as part of the SDLC. Apply vendor security updates to mitigate risks of exploitation
    and/or abuse of Outlook rules, which can be used for persistence when an Office-based
    application is started.
  mapping_type: mitigates
  references: []
- attack_object_id: T1137
  attack_object_name: Office Application Startup
  capability_description: Vulnerability remediation
  capability_group: PR.PS
  capability_id: PR.PS-06.06
  comments: This diagnostic statement provides for identifying and remediating vulnerabilities
    as part of the SDLC. Apply vendor security updates to mitigate risks of exploitation
    and/or abuse of Office mechanisms that can be used for persistence when an Office-based
    application is started.
  mapping_type: mitigates
  references: []
- attack_object_id: T1137.003
  attack_object_name: Outlook Forms
  capability_description: Vulnerability remediation
  capability_group: PR.PS
  capability_id: PR.PS-06.06
  comments: This diagnostic statement provides for identifying and remediating vulnerabilities
    as part of the SDLC. Apply vendor security updates to mitigate risks of exploitation
    and/or abuse of Outlook forms, which can be used for persistence when an Office-based
    application is started.
  mapping_type: mitigates
  references: []
- attack_object_id: T1542.001
  attack_object_name: System Firmware
  capability_description: Vulnerability remediation
  capability_group: PR.PS
  capability_id: PR.PS-06.06
  comments: This diagnostic statement provides for identifying and remediating vulnerabilities
    as part of the SDLC. Checking the integrity of the existing BIOS or EFI to determine
    whether it is vulnerable to modification, and updating firmware, can mitigate risks
    of exploitation and/or abuse.
  mapping_type: mitigates
  references: []
- attack_object_id: T1542.002
  attack_object_name: Component Firmware
  capability_description: Vulnerability remediation
  capability_group: PR.PS
  capability_id: PR.PS-06.06
  comments: This diagnostic statement provides for identifying and remediating vulnerabilities
    as part of the SDLC. Checking the integrity of the existing BIOS or EFI to determine
    whether it is vulnerable to modification, and updating firmware, can mitigate risks
    of exploitation and/or abuse.
  mapping_type: mitigates
  references: []
- attack_object_id: T1137.001
  attack_object_name: Office Template Macros
  capability_description: Mobile code prevention
  capability_group: PR.PS
  capability_id: PR.PS-05.02
  comments: Mobile code procedures address specific actions taken to prevent the development,
    acquisition, and introduction of unacceptable mobile code within organizational
    systems, including requiring mobile code to be digitally signed by a trusted source.
  mapping_type: mitigates
  references: []
- attack_object_id: T1137.002
  attack_object_name: Office Test
  capability_description: Mobile code prevention
  capability_group: PR.PS
  capability_id: PR.PS-05.02
  comments: Mobile code procedures address specific actions taken to prevent the development,
    acquisition, and introduction of unacceptable mobile code within organizational
    systems, including requiring mobile code to be digitally signed by a trusted source.
  mapping_type: mitigates
  references: []
- attack_object_id: T1137.003
  attack_object_name: Outlook Forms
  capability_description: Mobile code prevention
  capability_group: PR.PS
  capability_id: PR.PS-05.02
  comments: Mobile code procedures address specific actions taken to prevent the development,
    acquisition, and introduction of unacceptable mobile code within organizational
    systems, including requiring mobile code to be digitally signed by a trusted source.
  mapping_type: mitigates
  references: []
- attack_object_id: T1137.004
  attack_object_name: Outlook Home Page
  capability_description: Mobile code prevention
  capability_group: PR.PS
  capability_id: PR.PS-05.02
  comments: Mobile code procedures address specific actions taken to prevent the development,
    acquisition, and introduction of unacceptable mobile code within organizational
    systems, including requiring mobile code to be digitally signed by a trusted source.
  mapping_type: mitigates
  references: []
- attack_object_id: T1137.005
  attack_object_name: Outlook Rules
  capability_description: Mobile code prevention
  capability_group: PR.PS
  capability_id: PR.PS-05.02
  comments: Mobile code procedures address specific actions taken to prevent the development,
    acquisition, and introduction of unacceptable mobile code within organizational
    systems, including requiring mobile code to be digitally signed by a trusted source.
  mapping_type: mitigates
  references: []
- attack_object_id: T1137.006
  attack_object_name: Add-ins
  capability_description: Mobile code prevention
  capability_group: PR.PS
  capability_id: PR.PS-05.02
  comments: Mobile code procedures address specific actions taken to prevent the development,
    acquisition, and introduction of unacceptable mobile code within organizational
    systems, including requiring mobile code to be digitally signed by a trusted source.
  mapping_type: mitigates
  references: []
- attack_object_id: T1055.001
  attack_object_name: Dynamic-link Library Injection
  capability_description: Mobile code prevention
  capability_group: PR.PS
  capability_id: PR.PS-05.02
  comments: Mobile code procedures address specific actions taken to prevent the development,
    acquisition, and introduction of unacceptable mobile code within organizational
    systems, including requiring mobile code to be digitally signed by a trusted source.
  mapping_type: mitigates
  references: []
- attack_object_id: T1055.002
  attack_object_name: Portable Executable Injection
  capability_description: Mobile code prevention
  capability_group: PR.PS
  capability_id: PR.PS-05.02
  comments: Mobile code procedures address specific actions taken to prevent the development,
    acquisition, and introduction of unacceptable mobile code within organizational
    systems, including requiring mobile code to be digitally signed by a trusted source.
  mapping_type: mitigates
  references: []
- attack_object_id: T1055.003
  attack_object_name: Thread Execution Hijacking
  capability_description: Mobile code prevention
  capability_group: PR.PS
  capability_id: PR.PS-05.02
  comments: Mobile code procedures address specific actions taken to prevent the development,
    acquisition, and introduction of unacceptable mobile code within organizational
    systems, including requiring mobile code to be digitally signed by a trusted source.
  mapping_type: mitigates
  references: []
- attack_object_id: T1055.004
  attack_object_name: Asynchronous Procedure Call
  capability_description: Mobile code prevention
  capability_group: PR.PS
  capability_id: PR.PS-05.02
  comments: Mobile code procedures address specific actions taken to prevent the development,
    acquisition, and introduction of unacceptable mobile code within organizational
    systems, including requiring mobile code to be digitally signed by a trusted source.
  mapping_type: mitigates
  references: []
- attack_object_id: T1055.005
  attack_object_name: Thread Local Storage
  capability_description: Mobile code prevention
  capability_group: PR.PS
  capability_id: PR.PS-05.02
  comments: Mobile code procedures address specific actions taken to prevent the development,
    acquisition, and introduction of unacceptable mobile code within organizational
    systems, including requiring mobile code to be digitally signed by a trusted source.
  mapping_type: mitigates
  references: []
- attack_object_id: T1055.008
  attack_object_name: Ptrace System Calls
  capability_description: Mobile code prevention
  capability_group: PR.PS
  capability_id: PR.PS-05.02
  comments: Mobile code procedures address specific actions taken to prevent the development,
    acquisition, and introduction of unacceptable mobile code within organizational
    systems, including requiring mobile code to be digitally signed by a trusted source.
  mapping_type: mitigates
  references: []
- attack_object_id: T1055.009
  attack_object_name: Proc Memory
  capability_description: Mobile code prevention
  capability_group: PR.PS
  capability_id: PR.PS-05.02
  comments: Mobile code procedures address specific actions taken to prevent the development,
    acquisition, and introduction of unacceptable mobile code within organizational
    systems, including requiring mobile code to be digitally signed by a trusted source.
  mapping_type: mitigates
  references: []
- attack_object_id: T1055
  attack_object_name: Process Injection
  capability_description: Mobile code prevention
  capability_group: PR.PS
  capability_id: PR.PS-05.02
  comments: Mobile code procedures address specific actions taken to prevent the development,
    acquisition, and introduction of unacceptable mobile code within organizational
    systems, including requiring mobile code to be digitally signed by a trusted source.
  mapping_type: mitigates
  references: []
- attack_object_id: T1055.012
  attack_object_name: Process Hollowing
  capability_description: Mobile code prevention
  capability_group: PR.PS
  capability_id: PR.PS-05.02
  comments: Mobile code procedures address specific actions taken to prevent the development,
    acquisition, and introduction of unacceptable mobile code within organizational
    systems, including requiring mobile code to be digitally signed by a trusted source.
  mapping_type: mitigates
  references: []
- attack_object_id: T1055.013
  attack_object_name: "Process Doppelg\xE4nging"
  capability_description: Mobile code prevention
  capability_group: PR.PS
  capability_id: PR.PS-05.02
  comments: Mobile code procedures address specific actions taken to prevent the development,
    acquisition, and introduction of unacceptable mobile code within organizational
    systems, including requiring mobile code to be digitally signed by a trusted source.
  mapping_type: mitigates
  references: []
- attack_object_id: T1055.014
  attack_object_name: VDSO Hijacking
  capability_description: Mobile code prevention
  capability_group: PR.PS
  capability_id: PR.PS-05.02
  comments: Mobile code procedures address specific actions taken to prevent the development,
    acquisition, and introduction of unacceptable mobile code within organizational
    systems, including requiring mobile code to be digitally signed by a trusted source.
  mapping_type: mitigates
  references: []
- attack_object_id: T1221
  attack_object_name: Template Injection
  capability_description: Malware prevention
  capability_group: PR.PS
  capability_id: PR.PS-05.01
  comments: Antivirus/Antimalware software can be utilized to prevent documents from
    fetching and/or executing malicious payloads.
  mapping_type: mitigates
  references: []
- attack_object_id: T1027
  attack_object_name: Obfuscated Files or Information
  capability_description: Malware prevention
  capability_group: PR.PS
  capability_id: PR.PS-05.01
  comments: Antivirus/Antimalware software can be utilized to detect and quarantine
    suspicious files that adversaries have made difficult to discover by encrypting,
    encoding, or obfuscating.
  mapping_type: mitigates
  references: []
- attack_object_id: T1221
  attack_object_name: Template Injection
  capability_description: Configuration baselines
  capability_group: PR.PS
  capability_id: PR.PS-01.01
  comments: This diagnostic statement provides for securely configuring production
    systems. This includes hardening default configurations and making security-focused
    setting adjustments to reduce the attack surface, enforce best practices, and
    protect sensitive data thereby mitigating adversary exploitation.
  mapping_type: mitigates
  references: []
- attack_object_id: T1566.003
  attack_object_name: Spearphishing via Service
  capability_description: Configuration baselines
  capability_group: PR.PS
  capability_id: PR.PS-01.01
  comments: This diagnostic statement provides for securely configuring production
    systems. This includes hardening default configurations and making security-focused
    setting adjustments to reduce the attack surface, enforce best practices, and
    protect sensitive data thereby mitigating adversary exploitation.
  mapping_type: mitigates
  references: []
- attack_object_id: T1027.013
  attack_object_name: Encrypted/Encoded File
  capability_description: Configuration baselines
  capability_group: PR.PS
  capability_id: PR.PS-01.01
  comments: This diagnostic statement provides for securely configuring production
    systems. This includes hardening default configurations and making security-focused
    setting adjustments to reduce the attack surface, enforce best practices, and
    protect sensitive data thereby mitigating adversary exploitation.
  mapping_type: mitigates
  references: []
- attack_object_id: T1027.014
  attack_object_name: Polymorphic Code
  capability_description: Configuration baselines
  capability_group: PR.PS
  capability_id: PR.PS-01.01
  comments: This diagnostic statement provides for securely configuring production
    systems. This includes hardening default configurations and making security-focused
    setting adjustments to reduce the attack surface, enforce best practices, and
    protect sensitive data thereby mitigating adversary exploitation.
  mapping_type: mitigates
  references: []
- attack_object_id: T1027.002
  attack_object_name: Software Packing
  capability_description: Configuration baselines
  capability_group: PR.PS
  capability_id: PR.PS-01.01
  comments: This diagnostic statement provides for securely configuring production
    systems. This includes hardening default configurations and making security-focused
    setting adjustments to reduce the attack surface, enforce best practices, and
    protect sensitive data thereby mitigating adversary exploitation.
  mapping_type: mitigates
  references: []
- attack_object_id: T1027.010
  attack_object_name: Command Obfuscation
  capability_description: Configuration baselines
  capability_group: PR.PS
  capability_id: PR.PS-01.01
  comments: This diagnostic statement provides for securely configuring production
    systems. This includes hardening default configurations and making security-focused
    setting adjustments to reduce the attack surface, enforce best practices, and
    protect sensitive data thereby mitigating adversary exploitation.
  mapping_type: mitigates
  references: []
- attack_object_id: T1027.012
  attack_object_name: LNK Icon Smuggling
  capability_description: Configuration baselines
  capability_group: PR.PS
  capability_id: PR.PS-01.01
  comments: This diagnostic statement provides for securely configuring production
    systems. This includes hardening default configurations and making security-focused
    setting adjustments to reduce the attack surface, enforce best practices, and
    protect sensitive data thereby mitigating adversary exploitation.
  mapping_type: mitigates
  references: []
- attack_object_id: T1027
  attack_object_name: Obfuscated Files or Information
  capability_description: Configuration baselines
  capability_group: PR.PS
  capability_id: PR.PS-01.01
  comments: This diagnostic statement provides for securely configuring production
    systems. This includes hardening default configurations and making security-focused
    setting adjustments to reduce the attack surface, enforce best practices, and
    protect sensitive data thereby mitigating adversary exploitation.
  mapping_type: mitigates
  references: []
- attack_object_id: T1021.001
  attack_object_name: Remote Desktop Protocol
  capability_description: Configuration baselines
  capability_group: PR.PS
  capability_id: PR.PS-01.01
  comments: This diagnostic statement provides for securely configuring production
    systems. This includes hardening default configurations and making security-focused
    setting adjustments to reduce the attack surface, enforce best practices, and
    protect sensitive data thereby mitigating adversary exploitation.
  mapping_type: mitigates
  references: []
- attack_object_id: T1036
  attack_object_name: Masquerading
  capability_description: Configuration baselines
  capability_group: PR.PS
  capability_id: PR.PS-01.01
  comments: This diagnostic statement provides for securely configuring production
    systems. This includes hardening default configurations and making security-focused
    setting adjustments to reduce the attack surface, enforce best practices, and
    protect sensitive data thereby mitigating adversary exploitation.
  mapping_type: mitigates
  references: []
- attack_object_id: T1036.008
  attack_object_name: Masquerade File Type
  capability_description: Configuration baselines
  capability_group: PR.PS
  capability_id: PR.PS-01.01
  comments: This diagnostic statement provides for securely configuring production
    systems. This includes hardening default configurations and making security-focused
    setting adjustments to reduce the attack surface, enforce best practices, and
    protect sensitive data thereby mitigating adversary exploitation.
  mapping_type: mitigates
  references: []
- attack_object_id: T1564
  attack_object_name: Hide Artifacts
  capability_description: Configuration baselines
  capability_group: PR.PS
  capability_id: PR.PS-01.01
  comments: This diagnostic statement provides for securely configuring production
    systems. This includes hardening default configurations and making security-focused
    setting adjustments to reduce the attack surface, enforce best practices, and
    protect sensitive data thereby mitigating adversary exploitation.
  mapping_type: mitigates
  references: []
- attack_object_id: T1564.012
  attack_object_name: File/Path Exclusions
  capability_description: Configuration baselines
  capability_group: PR.PS
  capability_id: PR.PS-01.01
  comments: This diagnostic statement provides for securely configuring production
    systems. This includes hardening default configurations and making security-focused
    setting adjustments to reduce the attack surface, enforce best practices, and
    protect sensitive data thereby mitigating adversary exploitation.
  mapping_type: mitigates
  references: []
- attack_object_id: T1059
  attack_object_name: Command and Scripting Interpreter
  capability_description: Configuration baselines
  capability_group: PR.PS
  capability_id: PR.PS-01.01
  comments: This diagnostic statement provides for securely configuring production
    systems. This includes hardening default configurations and making security-focused
    setting adjustments to reduce the attack surface, enforce best practices, and
    protect sensitive data thereby mitigating adversary exploitation.
  mapping_type: mitigates
  references: []
- attack_object_id: T1059.006
  attack_object_name: Python
  capability_description: Configuration baselines
  capability_group: PR.PS
  capability_id: PR.PS-01.01
  comments: This diagnostic statement provides for securely configuring production
    systems. This includes hardening default configurations and making security-focused
    setting adjustments to reduce the attack surface, enforce best practices, and
    protect sensitive data thereby mitigating adversary exploitation.
  mapping_type: mitigates
  references: []
- attack_object_id: T1059.005
  attack_object_name: Visual Basic
  capability_description: Configuration baselines
  capability_group: PR.PS
  capability_id: PR.PS-01.01
  comments: This diagnostic statement provides for securely configuring production
    systems. This includes hardening default configurations and making security-focused
    setting adjustments to reduce the attack surface, enforce best practices, and
    protect sensitive data thereby mitigating adversary exploitation.
  mapping_type: mitigates
  references: []
- attack_object_id: T1053
  attack_object_name: Scheduled Task/Job
  capability_description: Configuration baselines
  capability_group: PR.PS
  capability_id: PR.PS-01.01
  comments: This diagnostic statement provides for securely configuring production
    systems. This includes hardening default configurations and making security-focused
    setting adjustments to reduce the attack surface, enforce best practices, and
    protect sensitive data thereby mitigating adversary exploitation.
  mapping_type: mitigates
  references: []
- attack_object_id: T1548
  attack_object_name: Abuse Elevation Control Mechanism
  capability_description: Configuration baselines
  capability_group: PR.PS
  capability_id: PR.PS-01.01
  comments: This diagnostic statement provides for securely configuring production
    systems. This includes hardening default configurations and making security-focused
    setting adjustments to reduce the attack surface, enforce best practices, and
    protect sensitive data thereby mitigating adversary exploitation.
  mapping_type: mitigates
  references: []
- attack_object_id: T1552.003
  attack_object_name: Bash History
  capability_description: Configuration baselines
  capability_group: PR.PS
  capability_id: PR.PS-01.01
  comments: This diagnostic statement provides for securely configuring production
    systems. This includes hardening default configurations and making security-focused
    setting adjustments to reduce the attack surface, enforce best practices, and
    protect sensitive data thereby mitigating adversary exploitation.
  mapping_type: mitigates
  references: []
- attack_object_id: T1003.002
  attack_object_name: Security Account Manager
  capability_description: Configuration baselines
  capability_group: PR.PS
  capability_id: PR.PS-01.01
  comments: This diagnostic statement provides for securely configuring production
    systems. This includes hardening default configurations and making security-focused
    setting adjustments to reduce the attack surface, enforce best practices, and
    protect sensitive data thereby mitigating adversary exploitation.
  mapping_type: mitigates
  references: []
- attack_object_id: T1003.005
  attack_object_name: Cached Domain Credentials
  capability_description: Configuration baselines
  capability_group: PR.PS
  capability_id: PR.PS-01.01
  comments: This diagnostic statement provides for securely configuring production
    systems. This includes hardening default configurations and making security-focused
    setting adjustments to reduce the attack surface, enforce best practices, and
    protect sensitive data thereby mitigating adversary exploitation.
  mapping_type: mitigates
  references: []
- attack_object_id: T1542.005
  attack_object_name: TFTP Boot
  capability_description: Configuration baselines
  capability_group: PR.PS
  capability_id: PR.PS-01.01
  comments: This diagnostic statement provides for securely configuring production
    systems. This includes hardening default configurations and making security-focused
    setting adjustments to reduce the attack surface, enforce best practices, and
    protect sensitive data thereby mitigating adversary exploitation.
  mapping_type: mitigates
  references: []
- attack_object_id: T1563.002
  attack_object_name: RDP Hijacking
  capability_description: Configuration baselines
  capability_group: PR.PS
  capability_id: PR.PS-01.01
  comments: This diagnostic statement provides for securely configuring production
    systems. This includes hardening default configurations and making security-focused
    setting adjustments to reduce the attack surface, enforce best practices, and
    protect sensitive data thereby mitigating adversary exploitation.
  mapping_type: mitigates
  references: []
- attack_object_id: T1027.009
  attack_object_name: Embedded Payloads
  capability_description: Configuration baselines
  capability_group: PR.PS
  capability_id: PR.PS-01.01
  comments: This diagnostic statement provides for securely configuring production
    systems. This includes hardening default configurations and making security-focused
    setting adjustments to reduce the attack surface, enforce best practices, and
    protect sensitive data thereby mitigating adversary exploitation.
  mapping_type: mitigates
  references: []
- attack_object_id: T1059.001
  attack_object_name: PowerShell
  capability_description: Configuration baselines
  capability_group: PR.PS
  capability_id: PR.PS-01.01
  comments: This diagnostic statement provides for securely configuring production
    systems. This includes hardening default configurations and making security-focused
    setting adjustments to reduce the attack surface, enforce best practices, and
    protect sensitive data thereby mitigating adversary exploitation.
  mapping_type: mitigates
  references: []
- attack_object_id: T1053.002
  attack_object_name: At
  capability_description: Configuration baselines
  capability_group: PR.PS
  capability_id: PR.PS-01.01
  comments: This diagnostic statement provides for securely configuring production
    systems. This includes hardening default configurations and making security-focused
    setting adjustments to reduce the attack surface, enforce best practices, and
    protect sensitive data thereby mitigating adversary exploitation.
  mapping_type: mitigates
  references: []
- attack_object_id: T1053.005
  attack_object_name: Scheduled Task
  capability_description: Configuration baselines
  capability_group: PR.PS
  capability_id: PR.PS-01.01
  comments: This diagnostic statement provides for securely configuring production
    systems. This includes hardening default configurations and making security-focused
    setting adjustments to reduce the attack surface, enforce best practices, and
    protect sensitive data thereby mitigating adversary exploitation.
  mapping_type: mitigates
  references: []
- attack_object_id: T1562.003
  attack_object_name: Impair Command History Logging
  capability_description: Configuration baselines
  capability_group: PR.PS
  capability_id: PR.PS-01.01
  comments: This diagnostic statement provides for securely configuring production
    systems. This includes hardening default configurations and making security-focused
    setting adjustments to reduce the attack surface, enforce best practices, and
    protect sensitive data thereby mitigating adversary exploitation.
  mapping_type: mitigates
  references: []
- attack_object_id: T1098
  attack_object_name: Account Manipulation
  capability_description: Configuration baselines
  capability_group: PR.PS
  capability_id: PR.PS-01.01
  comments: This diagnostic statement provides for securely configuring production
    systems. This includes hardening default configurations and making security-focused
    setting adjustments to reduce the attack surface, enforce best practices, and
    protect sensitive data thereby mitigating adversary exploitation.
  mapping_type: mitigates
  references: []
- attack_object_id: T1490
  attack_object_name: Inhibit System Recovery
  capability_description: Configuration baselines
  capability_group: PR.PS
  capability_id: PR.PS-01.01
  comments: This diagnostic statement provides for securely configuring production
    systems. This includes hardening default configurations and making security-focused
    setting adjustments to reduce the attack surface, enforce best practices, and
    protect sensitive data thereby mitigating adversary exploitation.
  mapping_type: mitigates
  references: []
- attack_object_id: T1036.007
  attack_object_name: Double File Extension
  capability_description: Configuration baselines
  capability_group: PR.PS
  capability_id: PR.PS-01.01
  comments: This diagnostic statement provides for securely configuring production
    systems. This includes hardening default configurations and making security-focused
    setting adjustments to reduce the attack surface, enforce best practices, and
    protect sensitive data thereby mitigating adversary exploitation.
  mapping_type: mitigates
  references: []
- attack_object_id: T1556
  attack_object_name: Modify Authentication Process
  capability_description: Configuration baselines
  capability_group: PR.PS
  capability_id: PR.PS-01.01
  comments: This diagnostic statement provides for securely configuring production
    systems. This includes hardening default configurations and making security-focused
    setting adjustments to reduce the attack surface, enforce best practices, and
    protect sensitive data thereby mitigating adversary exploitation.
  mapping_type: mitigates
  references: []
- attack_object_id: T1556.002
  attack_object_name: Password Filter DLL
  capability_description: Configuration baselines
  capability_group: PR.PS
  capability_id: PR.PS-01.01
  comments: This diagnostic statement provides for securely configuring production
    systems. This includes hardening default configurations and making security-focused
    setting adjustments to reduce the attack surface, enforce best practices, and
    protect sensitive data thereby mitigating adversary exploitation.
  mapping_type: mitigates
  references: []
- attack_object_id: T1556.008
  attack_object_name: Network Provider DLL
  capability_description: Configuration baselines
  capability_group: PR.PS
  capability_id: PR.PS-01.01
  comments: This diagnostic statement provides for securely configuring production
    systems. This includes hardening default configurations and making security-focused
    setting adjustments to reduce the attack surface, enforce best practices, and
    protect sensitive data thereby mitigating adversary exploitation.
  mapping_type: mitigates
  references: []
- attack_object_id: T1135
  attack_object_name: Network Share Discovery
  capability_description: Configuration baselines
  capability_group: PR.PS
  capability_id: PR.PS-01.01
  comments: This diagnostic statement provides for securely configuring production
    systems. This includes hardening default configurations and making security-focused
    setting adjustments to reduce the attack surface, enforce best practices, and
    protect sensitive data thereby mitigating adversary exploitation.
  mapping_type: mitigates
  references: []
- attack_object_id: T1003
  attack_object_name: OS Credential Dumping
  capability_description: Configuration baselines
  capability_group: PR.PS
  capability_id: PR.PS-01.01
  comments: This diagnostic statement provides for securely configuring production
    systems. This includes hardening default configurations and making security-focused
    setting adjustments to reduce the attack surface, enforce best practices, and
    protect sensitive data thereby mitigating adversary exploitation.
  mapping_type: mitigates
  references: []
- attack_object_id: T1003.001
  attack_object_name: LSASS Memory
  capability_description: Configuration baselines
  capability_group: PR.PS
  capability_id: PR.PS-01.01
  comments: This diagnostic statement provides for securely configuring production
    systems. This includes hardening default configurations and making security-focused
    setting adjustments to reduce the attack surface, enforce best practices, and
    protect sensitive data thereby mitigating adversary exploitation.
  mapping_type: mitigates
  references: []
- attack_object_id: T1197
  attack_object_name: BITS Jobs
  capability_description: Configuration baselines
  capability_group: PR.PS
  capability_id: PR.PS-01.01
  comments: This diagnostic statement provides for securely configuring production
    systems. This includes hardening default configurations and making security-focused
    setting adjustments to reduce the attack surface, enforce best practices, and
    protect sensitive data thereby mitigating adversary exploitation.
  mapping_type: mitigates
  references: []
- attack_object_id: T1092
  attack_object_name: Communication Through Removable Media
  capability_description: Configuration baselines
  capability_group: PR.PS
  capability_id: PR.PS-01.01
  comments: This diagnostic statement provides for securely configuring production
    systems. This includes hardening default configurations and making security-focused
    setting adjustments to reduce the attack surface, enforce best practices, and
    protect sensitive data thereby mitigating adversary exploitation.
  mapping_type: mitigates
  references: []
- attack_object_id: T1136
  attack_object_name: Create Account
  capability_description: Configuration baselines
  capability_group: PR.PS
  capability_id: PR.PS-01.01
  comments: This diagnostic statement provides for securely configuring production
    systems. This includes hardening default configurations and making security-focused
    setting adjustments to reduce the attack surface, enforce best practices, and
    protect sensitive data thereby mitigating adversary exploitation.
  mapping_type: mitigates
  references: []
- attack_object_id: T1136.002
  attack_object_name: Domain Account
  capability_description: Configuration baselines
  capability_group: PR.PS
  capability_id: PR.PS-01.01
  comments: This diagnostic statement provides for securely configuring production
    systems. This includes hardening default configurations and making security-focused
    setting adjustments to reduce the attack surface, enforce best practices, and
    protect sensitive data thereby mitigating adversary exploitation.
  mapping_type: mitigates
  references: []
- attack_object_id: T1543.003
  attack_object_name: Windows Service
  capability_description: Configuration baselines
  capability_group: PR.PS
  capability_id: PR.PS-01.01
  comments: This diagnostic statement provides for securely configuring production
    systems. This includes hardening default configurations and making security-focused
    setting adjustments to reduce the attack surface, enforce best practices, and
    protect sensitive data thereby mitigating adversary exploitation.
  mapping_type: mitigates
  references: []
- attack_object_id: T1546.008
  attack_object_name: Accessibility Features
  capability_description: Configuration baselines
  capability_group: PR.PS
  capability_id: PR.PS-01.01
  comments: This diagnostic statement provides for securely configuring production
    systems. This includes hardening default configurations and making security-focused
    setting adjustments to reduce the attack surface, enforce best practices, and
    protect sensitive data thereby mitigating adversary exploitation.
  mapping_type: mitigates
  references: []
- attack_object_id: T1011
  attack_object_name: Exfiltration Over Other Network Medium
  capability_description: Configuration baselines
  capability_group: PR.PS
  capability_id: PR.PS-01.01
  comments: This diagnostic statement provides for securely configuring production
    systems. This includes hardening default configurations and making security-focused
    setting adjustments to reduce the attack surface, enforce best practices, and
    protect sensitive data thereby mitigating adversary exploitation.
  mapping_type: mitigates
  references: []
- attack_object_id: T1011.001
  attack_object_name: Exfiltration Over Bluetooth
  capability_description: Configuration baselines
  capability_group: PR.PS
  capability_id: PR.PS-01.01
  comments: This diagnostic statement provides for securely configuring production
    systems. This includes hardening default configurations and making security-focused
    setting adjustments to reduce the attack surface, enforce best practices, and
    protect sensitive data thereby mitigating adversary exploitation.
  mapping_type: mitigates
  references: []
- attack_object_id: T1564.002
  attack_object_name: Hidden Users
  capability_description: Configuration baselines
  capability_group: PR.PS
  capability_id: PR.PS-01.01
  comments: This diagnostic statement provides for securely configuring production
    systems. This includes hardening default configurations and making security-focused
    setting adjustments to reduce the attack surface, enforce best practices, and
    protect sensitive data thereby mitigating adversary exploitation.
  mapping_type: mitigates
  references: []
- attack_object_id: T1574.006
  attack_object_name: Dynamic Linker Hijacking
  capability_description: Configuration baselines
  capability_group: PR.PS
  capability_id: PR.PS-01.01
  comments: This diagnostic statement provides for securely configuring production
    systems. This includes hardening default configurations and making security-focused
    setting adjustments to reduce the attack surface, enforce best practices, and
    protect sensitive data thereby mitigating adversary exploitation.
  mapping_type: mitigates
  references: []
- attack_object_id: T1087.002
  attack_object_name: Domain Account
  capability_description: Configuration baselines
  capability_group: PR.PS
  capability_id: PR.PS-01.01
  comments: This diagnostic statement provides for securely configuring production
    systems. This includes hardening default configurations and making security-focused
    setting adjustments to reduce the attack surface, enforce best practices, and
    protect sensitive data thereby mitigating adversary exploitation.
  mapping_type: mitigates
  references: []
- attack_object_id: T1666
  attack_object_name: Modify Cloud Resource Hierarchy
  capability_description: Configuration baselines
  capability_group: PR.PS
  capability_id: PR.PS-01.01
  comments: This diagnostic statement provides for securely configuring production
    systems. This includes hardening default configurations and making security-focused
    setting adjustments to reduce the attack surface, enforce best practices, and
    protect sensitive data thereby mitigating adversary exploitation.
  mapping_type: mitigates
  references: []
- attack_object_id: T1137
  attack_object_name: Office Application Startup
  capability_description: Configuration baselines
  capability_group: PR.PS
  capability_id: PR.PS-01.01
  comments: This diagnostic statement provides for securely configuring production
    systems. This includes hardening default configurations and making security-focused
    setting adjustments to reduce the attack surface, enforce best practices, and
    protect sensitive data thereby mitigating adversary exploitation.
  mapping_type: mitigates
  references: []
- attack_object_id: T1137.002
  attack_object_name: Office Test
  capability_description: Configuration baselines
  capability_group: PR.PS
  capability_id: PR.PS-01.01
  comments: This diagnostic statement provides for securely configuring production
    systems. This includes hardening default configurations and making security-focused
    setting adjustments to reduce the attack surface, enforce best practices, and
    protect sensitive data thereby mitigating adversary exploitation.
  mapping_type: mitigates
  references: []
- attack_object_id: T1566
  attack_object_name: Phishing
  capability_description: Configuration baselines
  capability_group: PR.PS
  capability_id: PR.PS-01.01
  comments: This diagnostic statement provides for securely configuring production
    systems. This includes hardening default configurations and making security-focused
    setting adjustments to reduce the attack surface, enforce best practices, and
    protect sensitive data thereby mitigating adversary exploitation.
  mapping_type: mitigates
  references: []
- attack_object_id: T1566.001
  attack_object_name: Spearphishing Attachment
  capability_description: Configuration baselines
  capability_group: PR.PS
  capability_id: PR.PS-01.01
  comments: This diagnostic statement provides for securely configuring production
    systems. This includes hardening default configurations and making security-focused
    setting adjustments to reduce the attack surface, enforce best practices, and
    protect sensitive data thereby mitigating adversary exploitation.
  mapping_type: mitigates
  references: []
- attack_object_id: T1566.002
  attack_object_name: Spearphishing Link
  capability_description: Configuration baselines
  capability_group: PR.PS
  capability_id: PR.PS-01.01
  comments: This diagnostic statement provides for securely configuring production
    systems. This includes hardening default configurations and making security-focused
    setting adjustments to reduce the attack surface, enforce best practices, and
    protect sensitive data thereby mitigating adversary exploitation.
  mapping_type: mitigates
  references: []
- attack_object_id: T1598
  attack_object_name: Phishing for Information
  capability_description: Configuration baselines
  capability_group: PR.PS
  capability_id: PR.PS-01.01
  comments: This diagnostic statement provides for securely configuring production
    systems. This includes hardening default configurations and making security-focused
    setting adjustments to reduce the attack surface, enforce best practices, and
    protect sensitive data thereby mitigating adversary exploitation.
  mapping_type: mitigates
  references: []
- attack_object_id: T1598.002
  attack_object_name: Spearphishing Attachment
  capability_description: Configuration baselines
  capability_group: PR.PS
  capability_id: PR.PS-01.01
  comments: This diagnostic statement provides for securely configuring production
    systems. This includes hardening default configurations and making security-focused
    setting adjustments to reduce the attack surface, enforce best practices, and
    protect sensitive data thereby mitigating adversary exploitation.
  mapping_type: mitigates
  references: []
- attack_object_id: T1598.003
  attack_object_name: Spearphishing Link
  capability_description: Configuration baselines
  capability_group: PR.PS
  capability_id: PR.PS-01.01
  comments: This diagnostic statement provides for securely configuring production
    systems. This includes hardening default configurations and making security-focused
    setting adjustments to reduce the attack surface, enforce best practices, and
    protect sensitive data thereby mitigating adversary exploitation.
  mapping_type: mitigates
  references: []
- attack_object_id: T1539
  attack_object_name: Steal Web Session Cookie
  capability_description: Configuration baselines
  capability_group: PR.PS
  capability_id: PR.PS-01.01
  comments: This diagnostic statement provides for securely configuring production
    systems. This includes hardening default configurations and making security-focused
    setting adjustments to reduce the attack surface, enforce best practices, and
    protect sensitive data thereby mitigating adversary exploitation.
  mapping_type: mitigates
  references: []
- attack_object_id: T1553
  attack_object_name: Subvert Trust Controls
  capability_description: Configuration baselines
  capability_group: PR.PS
  capability_id: PR.PS-01.01
  comments: This diagnostic statement provides for securely configuring production
    systems. This includes hardening default configurations and making security-focused
    setting adjustments to reduce the attack surface, enforce best practices, and
    protect sensitive data thereby mitigating adversary exploitation.
  mapping_type: mitigates
  references: []
- attack_object_id: T1553.004
  attack_object_name: Install Root Certificate
  capability_description: Configuration baselines
  capability_group: PR.PS
  capability_id: PR.PS-01.01
  comments: This diagnostic statement provides for securely configuring production
    systems. This includes hardening default configurations and making security-focused
    setting adjustments to reduce the attack surface, enforce best practices, and
    protect sensitive data thereby mitigating adversary exploitation.
  mapping_type: mitigates
  references: []
- attack_object_id: T1537
  attack_object_name: Transfer Data to Cloud Account
  capability_description: Configuration baselines
  capability_group: PR.PS
  capability_id: PR.PS-01.01
  comments: This diagnostic statement provides for securely configuring production
    systems. This includes hardening default configurations and making security-focused
    setting adjustments to reduce the attack surface, enforce best practices, and
    protect sensitive data thereby mitigating adversary exploitation.
  mapping_type: mitigates
  references: []
- attack_object_id: T1535
  attack_object_name: Unused/Unsupported Cloud Regions
  capability_description: Configuration baselines
  capability_group: PR.PS
  capability_id: PR.PS-01.01
  comments: This diagnostic statement provides for securely configuring production
    systems. This includes hardening default configurations and making security-focused
    setting adjustments to reduce the attack surface, enforce best practices, and
    protect sensitive data thereby mitigating adversary exploitation.
  mapping_type: mitigates
  references: []
- attack_object_id: T1550.004
  attack_object_name: Web Session Cookie
  capability_description: Configuration baselines
  capability_group: PR.PS
  capability_id: PR.PS-01.01
  comments: This diagnostic statement provides for securely configuring production
    systems. This includes hardening default configurations and making security-focused
    setting adjustments to reduce the attack surface, enforce best practices, and
    protect sensitive data thereby mitigating adversary exploitation.
  mapping_type: mitigates
  references: []
- attack_object_id: T1547.006
  attack_object_name: Kernel Modules and Extensions
  capability_description: Configuration baselines
  capability_group: PR.PS
  capability_id: PR.PS-01.01
  comments: This diagnostic statement provides for securely configuring production
    systems. This includes hardening default configurations and making security-focused
    setting adjustments to reduce the attack surface, enforce best practices, and
    protect sensitive data thereby mitigating adversary exploitation.
  mapping_type: mitigates
  references: []
- attack_object_id: T1548.001
  attack_object_name: Setuid and Setgid
  capability_description: Configuration baselines
  capability_group: PR.PS
  capability_id: PR.PS-01.01
  comments: This diagnostic statement provides for securely configuring production
    systems. This includes hardening default configurations and making security-focused
    setting adjustments to reduce the attack surface, enforce best practices, and
    protect sensitive data thereby mitigating adversary exploitation.
  mapping_type: mitigates
  references: []
- attack_object_id: T1548.003
  attack_object_name: Sudo and Sudo Caching
  capability_description: Configuration baselines
  capability_group: PR.PS
  capability_id: PR.PS-01.01
  comments: This diagnostic statement provides for securely configuring production
    systems. This includes hardening default configurations and making security-focused
    setting adjustments to reduce the attack surface, enforce best practices, and
    protect sensitive data thereby mitigating adversary exploitation.
  mapping_type: mitigates
  references: []
- attack_object_id: T1087
  attack_object_name: Account Discovery
  capability_description: Configuration baselines
  capability_group: PR.PS
  capability_id: PR.PS-01.01
  comments: This diagnostic statement provides for securely configuring production
    systems. This includes hardening default configurations and making security-focused
    setting adjustments to reduce the attack surface, enforce best practices, and
    protect sensitive data thereby mitigating adversary exploitation.
  mapping_type: mitigates
  references: []
- attack_object_id: T1087.001
  attack_object_name: Local Account
  capability_description: Configuration baselines
  capability_group: PR.PS
  capability_id: PR.PS-01.01
  comments: This diagnostic statement provides for securely configuring production
    systems. This includes hardening default configurations and making security-focused
    setting adjustments to reduce the attack surface, enforce best practices, and
    protect sensitive data thereby mitigating adversary exploitation.
  mapping_type: mitigates
  references: []
- attack_object_id: T1559.002
  attack_object_name: Dynamic Data Exchange
  capability_description: Configuration baselines
  capability_group: PR.PS
  capability_id: PR.PS-01.01
  comments: This diagnostic statement provides for securely configuring production
    systems. This includes hardening default configurations and making security-focused
    setting adjustments to reduce the attack surface, enforce best practices, and
    protect sensitive data thereby mitigating adversary exploitation.
  mapping_type: mitigates
  references: []
- attack_object_id: T1543.005
  attack_object_name: Container Service
  capability_description: Configuration baselines
  capability_group: PR.PS
  capability_id: PR.PS-01.01
  comments: This diagnostic statement provides for securely configuring production
    systems. This includes hardening default configurations and making security-focused
    setting adjustments to reduce the attack surface, enforce best practices, and
    protect sensitive data thereby mitigating adversary exploitation.
  mapping_type: mitigates
  references: []
- attack_object_id: T1555.005
  attack_object_name: Password Managers
  capability_description: Configuration baselines
  capability_group: PR.PS
  capability_id: PR.PS-01.01
  comments: This diagnostic statement provides for securely configuring production
    systems. This includes hardening default configurations and making security-focused
    setting adjustments to reduce the attack surface, enforce best practices, and
    protect sensitive data thereby mitigating adversary exploitation.
  mapping_type: mitigates
  references: []
- attack_object_id: T1602
  attack_object_name: Data from Configuration Repository
  capability_description: Configuration baselines
  capability_group: PR.PS
  capability_id: PR.PS-01.01
  comments: This diagnostic statement provides for securely configuring production
    systems. This includes hardening default configurations and making security-focused
    setting adjustments to reduce the attack surface, enforce best practices, and
    protect sensitive data thereby mitigating adversary exploitation.
  mapping_type: mitigates
  references: []
- attack_object_id: T1602.001
  attack_object_name: SNMP (MIB Dump)
  capability_description: Configuration baselines
  capability_group: PR.PS
  capability_id: PR.PS-01.01
  comments: This diagnostic statement provides for securely configuring production
    systems. This includes hardening default configurations and making security-focused
    setting adjustments to reduce the attack surface, enforce best practices, and
    protect sensitive data thereby mitigating adversary exploitation.
  mapping_type: mitigates
  references: []
- attack_object_id: T1602.002
  attack_object_name: Network Device Configuration Dump
  capability_description: Configuration baselines
  capability_group: PR.PS
  capability_id: PR.PS-01.01
  comments: This diagnostic statement provides for securely configuring production
    systems. This includes hardening default configurations and making security-focused
    setting adjustments to reduce the attack surface, enforce best practices, and
    protect sensitive data thereby mitigating adversary exploitation.
  mapping_type: mitigates
  references: []
- attack_object_id: T1213
  attack_object_name: Data from Information Repositories
  capability_description: Configuration baselines
  capability_group: PR.PS
  capability_id: PR.PS-01.01
  comments: This diagnostic statement provides for securely configuring production
    systems. This includes hardening default configurations and making security-focused
    setting adjustments to reduce the attack surface, enforce best practices, and
    protect sensitive data thereby mitigating adversary exploitation.
  mapping_type: mitigates
  references: []
- attack_object_id: T1213.001
  attack_object_name: Confluence
  capability_description: Configuration baselines
  capability_group: PR.PS
  capability_id: PR.PS-01.01
  comments: This diagnostic statement provides for securely configuring production
    systems. This includes hardening default configurations and making security-focused
    setting adjustments to reduce the attack surface, enforce best practices, and
    protect sensitive data thereby mitigating adversary exploitation.
  mapping_type: mitigates
  references: []
- attack_object_id: T1213.002
  attack_object_name: Sharepoint
  capability_description: Configuration baselines
  capability_group: PR.PS
  capability_id: PR.PS-01.01
  comments: This diagnostic statement provides for securely configuring production
    systems. This includes hardening default configurations and making security-focused
    setting adjustments to reduce the attack surface, enforce best practices, and
    protect sensitive data thereby mitigating adversary exploitation.
  mapping_type: mitigates
  references: []
- attack_object_id: T1213.003
  attack_object_name: Code Repositories
  capability_description: Configuration baselines
  capability_group: PR.PS
  capability_id: PR.PS-01.01
  comments: This diagnostic statement provides for securely configuring production
    systems. This includes hardening default configurations and making security-focused
    setting adjustments to reduce the attack surface, enforce best practices, and
    protect sensitive data thereby mitigating adversary exploitation.
  mapping_type: mitigates
  references: []
- attack_object_id: T1213.004
  attack_object_name: Customer Relationship Management Software
  capability_description: Configuration baselines
  capability_group: PR.PS
  capability_id: PR.PS-01.01
  comments: This diagnostic statement provides for securely configuring production
    systems. This includes hardening default configurations and making security-focused
    setting adjustments to reduce the attack surface, enforce best practices, and
    protect sensitive data thereby mitigating adversary exploitation.
  mapping_type: mitigates
  references: []
- attack_object_id: T1213.005
  attack_object_name: Messaging Applications
  capability_description: Configuration baselines
  capability_group: PR.PS
  capability_id: PR.PS-01.01
  comments: This diagnostic statement provides for securely configuring production
    systems. This includes hardening default configurations and making security-focused
    setting adjustments to reduce the attack surface, enforce best practices, and
    protect sensitive data thereby mitigating adversary exploitation.
  mapping_type: mitigates
  references: []
- attack_object_id: T1606
  attack_object_name: Forge Web Credentials
  capability_description: Configuration baselines
  capability_group: PR.PS
  capability_id: PR.PS-01.01
  comments: This diagnostic statement provides for securely configuring production
    systems. This includes hardening default configurations and making security-focused
    setting adjustments to reduce the attack surface, enforce best practices, and
    protect sensitive data thereby mitigating adversary exploitation.
  mapping_type: mitigates
  references: []
- attack_object_id: T1606.001
  attack_object_name: Web Cookies
  capability_description: Configuration baselines
  capability_group: PR.PS
  capability_id: PR.PS-01.01
  comments: This diagnostic statement provides for securely configuring production
    systems. This includes hardening default configurations and making security-focused
    setting adjustments to reduce the attack surface, enforce best practices, and
    protect sensitive data thereby mitigating adversary exploitation.
  mapping_type: mitigates
  references: []
- attack_object_id: T1562
  attack_object_name: Impair Defenses
  capability_description: Configuration baselines
  capability_group: PR.PS
  capability_id: PR.PS-01.01
  comments: This diagnostic statement provides for securely configuring production
    systems. This includes hardening default configurations and making security-focused
    setting adjustments to reduce the attack surface, enforce best practices, and
    protect sensitive data thereby mitigating adversary exploitation.
  mapping_type: mitigates
  references: []
- attack_object_id: T1562.006
  attack_object_name: Indicator Blocking
  capability_description: Configuration baselines
  capability_group: PR.PS
  capability_id: PR.PS-01.01
  comments: This diagnostic statement provides for securely configuring production
    systems. This includes hardening default configurations and making security-focused
    setting adjustments to reduce the attack surface, enforce best practices, and
    protect sensitive data thereby mitigating adversary exploitation.
  mapping_type: mitigates
  references: []
- attack_object_id: T1562.009
  attack_object_name: Safe Mode Boot
  capability_description: Configuration baselines
  capability_group: PR.PS
  capability_id: PR.PS-01.01
  comments: This diagnostic statement provides for securely configuring production
    systems. This includes hardening default configurations and making security-focused
    setting adjustments to reduce the attack surface, enforce best practices, and
    protect sensitive data thereby mitigating adversary exploitation.
  mapping_type: mitigates
  references: []
- attack_object_id: T1562.010
  attack_object_name: Downgrade Attack
  capability_description: Configuration baselines
  capability_group: PR.PS
  capability_id: PR.PS-01.01
  comments: This diagnostic statement provides for securely configuring production
    systems. This includes hardening default configurations and making security-focused
    setting adjustments to reduce the attack surface, enforce best practices, and
    protect sensitive data thereby mitigating adversary exploitation.
  mapping_type: mitigates
  references: []
- attack_object_id: T1559
  attack_object_name: Inter-Process Communication
  capability_description: Configuration baselines
  capability_group: PR.PS
  capability_id: PR.PS-01.01
  comments: This diagnostic statement provides for securely configuring production
    systems. This includes hardening default configurations and making security-focused
    setting adjustments to reduce the attack surface, enforce best practices, and
    protect sensitive data thereby mitigating adversary exploitation.
  mapping_type: mitigates
  references: []
- attack_object_id: T1543
  attack_object_name: Create or Modify System Process
  capability_description: Configuration baselines
  capability_group: PR.PS
  capability_id: PR.PS-01.01
  comments: This diagnostic statement provides for securely configuring production
    systems. This includes hardening default configurations and making security-focused
    setting adjustments to reduce the attack surface, enforce best practices, and
    protect sensitive data thereby mitigating adversary exploitation.
  mapping_type: mitigates
  references: []
- attack_object_id: T1552
  attack_object_name: Unsecured Credentials
  capability_description: Configuration baselines
  capability_group: PR.PS
  capability_id: PR.PS-01.01
  comments: This diagnostic statement provides for securely configuring production
    systems. This includes hardening default configurations and making security-focused
    setting adjustments to reduce the attack surface, enforce best practices, and
    protect sensitive data thereby mitigating adversary exploitation.
  mapping_type: mitigates
  references: []
- attack_object_id: T1552
  attack_object_name: Unsecured Credentials
  capability_description: Least functionality
  capability_group: PR.PS
  capability_id: PR.PS-01.02
  comments: This diagnostic statement provides for limiting unnecessary software,
    services, ports, protocols, etc. Ensuring systems only have installed and enabled
    what is essential for their operation reduces the attack surface and minimizes
    vulnerabilities, which mitigates a wide range of techniques.
  mapping_type: mitigates
  references: []
- attack_object_id: T1552.003
  attack_object_name: Bash History
  capability_description: Least functionality
  capability_group: PR.PS
  capability_id: PR.PS-01.02
  comments: This diagnostic statement provides for limiting unnecessary software,
    services, ports, protocols, etc. Ensuring systems only have installed and enabled
    what is essential for their operation reduces the attack surface and minimizes
    vulnerabilities, which mitigates a wide range of techniques.
  mapping_type: mitigates
  references: []
- attack_object_id: T1003.002
  attack_object_name: Security Account Manager
  capability_description: Least functionality
  capability_group: PR.PS
  capability_id: PR.PS-01.02
  comments: This diagnostic statement provides for limiting unnecessary software,
    services, ports, protocols, etc. Ensuring systems only have installed and enabled
    what is essential for their operation reduces the attack surface and minimizes
    vulnerabilities, which mitigates a wide range of techniques.
  mapping_type: mitigates
  references: []
- attack_object_id: T1003.005
  attack_object_name: Cached Domain Credentials
  capability_description: Least functionality
  capability_group: PR.PS
  capability_id: PR.PS-01.02
  comments: This diagnostic statement provides for limiting unnecessary software,
    services, ports, protocols, etc. Ensuring systems only have installed and enabled
    what is essential for their operation reduces the attack surface and minimizes
    vulnerabilities, which mitigates a wide range of techniques.
  mapping_type: mitigates
  references: []
- attack_object_id: T1542.005
  attack_object_name: TFTP Boot
  capability_description: Least functionality
  capability_group: PR.PS
  capability_id: PR.PS-01.02
  comments: This diagnostic statement provides for limiting unnecessary software,
    services, ports, protocols, etc. Ensuring systems only have installed and enabled
    what is essential for their operation reduces the attack surface and minimizes
    vulnerabilities, which mitigates a wide range of techniques.
  mapping_type: mitigates
  references: []
- attack_object_id: T1563.002
  attack_object_name: RDP Hijacking
  capability_description: Least functionality
  capability_group: PR.PS
  capability_id: PR.PS-01.02
  comments: This diagnostic statement provides for limiting unnecessary software,
    services, ports, protocols, etc. Ensuring systems only have installed and enabled
    what is essential for their operation reduces the attack surface and minimizes
    vulnerabilities, which mitigates a wide range of techniques.
  mapping_type: mitigates
  references: []
- attack_object_id: T1021.001
  attack_object_name: Remote Desktop Protocol
  capability_description: Least functionality
  capability_group: PR.PS
  capability_id: PR.PS-01.02
  comments: This diagnostic statement provides for limiting unnecessary software,
    services, ports, protocols, etc. Ensuring systems only have installed and enabled
    what is essential for their operation reduces the attack surface and minimizes
    vulnerabilities, which mitigates a wide range of techniques.
  mapping_type: mitigates
  references: []
- attack_object_id: T1053
  attack_object_name: Scheduled Task/Job
  capability_description: Least functionality
  capability_group: PR.PS
  capability_id: PR.PS-01.02
  comments: This diagnostic statement provides for limiting unnecessary software,
    services, ports, protocols, etc. Ensuring systems only have installed and enabled
    what is essential for their operation reduces the attack surface and minimizes
    vulnerabilities, which mitigates a wide range of techniques.
  mapping_type: mitigates
  references: []
- attack_object_id: T1053.002
  attack_object_name: At
  capability_description: Least functionality
  capability_group: PR.PS
  capability_id: PR.PS-01.02
  comments: This diagnostic statement provides for limiting unnecessary software,
    services, ports, protocols, etc. Ensuring systems only have installed and enabled
    what is essential for their operation reduces the attack surface and minimizes
    vulnerabilities, which mitigates a wide range of techniques.
  mapping_type: mitigates
  references: []
- attack_object_id: T1053.005
  attack_object_name: Scheduled Task
  capability_description: Least functionality
  capability_group: PR.PS
  capability_id: PR.PS-01.02
  comments: This diagnostic statement provides for limiting unnecessary software,
    services, ports, protocols, etc. Ensuring systems only have installed and enabled
    what is essential for their operation reduces the attack surface and minimizes
    vulnerabilities, which mitigates a wide range of techniques.
  mapping_type: mitigates
  references: []
- attack_object_id: T1562.003
  attack_object_name: Impair Command History Logging
  capability_description: Least functionality
  capability_group: PR.PS
  capability_id: PR.PS-01.02
  comments: This diagnostic statement provides for limiting unnecessary software,
    services, ports, protocols, etc. Ensuring systems only have installed and enabled
    what is essential for their operation reduces the attack surface and minimizes
    vulnerabilities, which mitigates a wide range of techniques.
  mapping_type: mitigates
  references: []
- attack_object_id: T1098
  attack_object_name: Account Manipulation
  capability_description: Least functionality
  capability_group: PR.PS
  capability_id: PR.PS-01.02
  comments: This diagnostic statement provides for limiting unnecessary software,
    services, ports, protocols, etc. Ensuring systems only have installed and enabled
    what is essential for their operation reduces the attack surface and minimizes
    vulnerabilities, which mitigates a wide range of techniques.
  mapping_type: mitigates
  references: []
- attack_object_id: T1490
  attack_object_name: Inhibit System Recovery
  capability_description: Least functionality
  capability_group: PR.PS
  capability_id: PR.PS-01.02
  comments: This diagnostic statement provides for limiting unnecessary software,
    services, ports, protocols, etc. Ensuring systems only have installed and enabled
    what is essential for their operation reduces the attack surface and minimizes
    vulnerabilities, which mitigates a wide range of techniques.
  mapping_type: mitigates
  references: []
- attack_object_id: T1036.007
  attack_object_name: Double File Extension
  capability_description: Least functionality
  capability_group: PR.PS
  capability_id: PR.PS-01.02
  comments: This diagnostic statement provides for limiting unnecessary software,
    services, ports, protocols, etc. Ensuring systems only have installed and enabled
    what is essential for their operation reduces the attack surface and minimizes
    vulnerabilities, which mitigates a wide range of techniques.
  mapping_type: mitigates
  references: []
- attack_object_id: T1556
  attack_object_name: Modify Authentication Process
  capability_description: Least functionality
  capability_group: PR.PS
  capability_id: PR.PS-01.02
  comments: This diagnostic statement provides for limiting unnecessary software,
    services, ports, protocols, etc. Ensuring systems only have installed and enabled
    what is essential for their operation reduces the attack surface and minimizes
    vulnerabilities, which mitigates a wide range of techniques.
  mapping_type: mitigates
  references: []
- attack_object_id: T1556.002
  attack_object_name: Password Filter DLL
  capability_description: Least functionality
  capability_group: PR.PS
  capability_id: PR.PS-01.02
  comments: This diagnostic statement provides for limiting unnecessary software,
    services, ports, protocols, etc. Ensuring systems only have installed and enabled
    what is essential for their operation reduces the attack surface and minimizes
    vulnerabilities, which mitigates a wide range of techniques.
  mapping_type: mitigates
  references: []
- attack_object_id: T1556.008
  attack_object_name: Network Provider DLL
  capability_description: Least functionality
  capability_group: PR.PS
  capability_id: PR.PS-01.02
  comments: This diagnostic statement provides for limiting unnecessary software,
    services, ports, protocols, etc. Ensuring systems only have installed and enabled
    what is essential for their operation reduces the attack surface and minimizes
    vulnerabilities, which mitigates a wide range of techniques.
  mapping_type: mitigates
  references: []
- attack_object_id: T1135
  attack_object_name: Network Share Discovery
  capability_description: Least functionality
  capability_group: PR.PS
  capability_id: PR.PS-01.02
  comments: This diagnostic statement provides for limiting unnecessary software,
    services, ports, protocols, etc. Ensuring systems only have installed and enabled
    what is essential for their operation reduces the attack surface and minimizes
    vulnerabilities, which mitigates a wide range of techniques.
  mapping_type: mitigates
  references: []
- attack_object_id: T1003
  attack_object_name: OS Credential Dumping
  capability_description: Least functionality
  capability_group: PR.PS
  capability_id: PR.PS-01.02
  comments: This diagnostic statement provides for limiting unnecessary software,
    services, ports, protocols, etc. Ensuring systems only have installed and enabled
    what is essential for their operation reduces the attack surface and minimizes
    vulnerabilities, which mitigates a wide range of techniques.
  mapping_type: mitigates
  references: []
- attack_object_id: T1003.001
  attack_object_name: LSASS Memory
  capability_description: Least functionality
  capability_group: PR.PS
  capability_id: PR.PS-01.02
  comments: This diagnostic statement provides for limiting unnecessary software,
    services, ports, protocols, etc. Ensuring systems only have installed and enabled
    what is essential for their operation reduces the attack surface and minimizes
    vulnerabilities, which mitigates a wide range of techniques.
  mapping_type: mitigates
  references: []
- attack_object_id: T1197
  attack_object_name: BITS Jobs
  capability_description: Least functionality
  capability_group: PR.PS
  capability_id: PR.PS-01.02
  comments: This diagnostic statement provides for limiting unnecessary software,
    services, ports, protocols, etc. Ensuring systems only have installed and enabled
    what is essential for their operation reduces the attack surface and minimizes
    vulnerabilities, which mitigates a wide range of techniques.
  mapping_type: mitigates
  references: []
- attack_object_id: T1092
  attack_object_name: Communication Through Removable Media
  capability_description: Least functionality
  capability_group: PR.PS
  capability_id: PR.PS-01.02
  comments: This diagnostic statement provides for limiting unnecessary software,
    services, ports, protocols, etc. Ensuring systems only have installed and enabled
    what is essential for their operation reduces the attack surface and minimizes
    vulnerabilities, which mitigates a wide range of techniques.
  mapping_type: mitigates
  references: []
- attack_object_id: T1136
  attack_object_name: Create Account
  capability_description: Least functionality
  capability_group: PR.PS
  capability_id: PR.PS-01.02
  comments: This diagnostic statement provides for limiting unnecessary software,
    services, ports, protocols, etc. Ensuring systems only have installed and enabled
    what is essential for their operation reduces the attack surface and minimizes
    vulnerabilities, which mitigates a wide range of techniques.
  mapping_type: mitigates
  references: []
- attack_object_id: T1136.002
  attack_object_name: Domain Account
  capability_description: Least functionality
  capability_group: PR.PS
  capability_id: PR.PS-01.02
  comments: This diagnostic statement provides for limiting unnecessary software,
    services, ports, protocols, etc. Ensuring systems only have installed and enabled
    what is essential for their operation reduces the attack surface and minimizes
    vulnerabilities, which mitigates a wide range of techniques.
  mapping_type: mitigates
  references: []
- attack_object_id: T1543.003
  attack_object_name: Windows Service
  capability_description: Least functionality
  capability_group: PR.PS
  capability_id: PR.PS-01.02
  comments: This diagnostic statement provides for limiting unnecessary software,
    services, ports, protocols, etc. Ensuring systems only have installed and enabled
    what is essential for their operation reduces the attack surface and minimizes
    vulnerabilities, which mitigates a wide range of techniques.
  mapping_type: mitigates
  references: []
- attack_object_id: T1546.008
  attack_object_name: Accessibility Features
  capability_description: Least functionality
  capability_group: PR.PS
  capability_id: PR.PS-01.02
  comments: This diagnostic statement provides for limiting unnecessary software,
    services, ports, protocols, etc. Ensuring systems only have installed and enabled
    what is essential for their operation reduces the attack surface and minimizes
    vulnerabilities, which mitigates a wide range of techniques.
  mapping_type: mitigates
  references: []
- attack_object_id: T1011
  attack_object_name: Exfiltration Over Other Network Medium
  capability_description: Least functionality
  capability_group: PR.PS
  capability_id: PR.PS-01.02
  comments: This diagnostic statement provides for limiting unnecessary software,
    services, ports, protocols, etc. Ensuring systems only have installed and enabled
    what is essential for their operation reduces the attack surface and minimizes
    vulnerabilities, which mitigates a wide range of techniques.
  mapping_type: mitigates
  references: []
- attack_object_id: T1011.001
  attack_object_name: Exfiltration Over Bluetooth
  capability_description: Least functionality
  capability_group: PR.PS
  capability_id: PR.PS-01.02
  comments: This diagnostic statement provides for limiting unnecessary software,
    services, ports, protocols, etc. Ensuring systems only have installed and enabled
    what is essential for their operation reduces the attack surface and minimizes
    vulnerabilities, which mitigates a wide range of techniques.
  mapping_type: mitigates
  references: []
- attack_object_id: T1564.002
  attack_object_name: Hidden Users
  capability_description: Least functionality
  capability_group: PR.PS
  capability_id: PR.PS-01.02
  comments: This diagnostic statement provides for limiting unnecessary software,
    services, ports, protocols, etc. Ensuring systems only have installed and enabled
    what is essential for their operation reduces the attack surface and minimizes
    vulnerabilities, which mitigates a wide range of techniques.
  mapping_type: mitigates
  references: []
- attack_object_id: T1574.006
  attack_object_name: Dynamic Linker Hijacking
  capability_description: Least functionality
  capability_group: PR.PS
  capability_id: PR.PS-01.02
  comments: This diagnostic statement provides for limiting unnecessary software,
    services, ports, protocols, etc. Ensuring systems only have installed and enabled
    what is essential for their operation reduces the attack surface and minimizes
    vulnerabilities, which mitigates a wide range of techniques.
  mapping_type: mitigates
  references: []
- attack_object_id: T1087.002
  attack_object_name: Domain Account
  capability_description: Least functionality
  capability_group: PR.PS
  capability_id: PR.PS-01.02
  comments: This diagnostic statement provides for limiting unnecessary software,
    services, ports, protocols, etc. Ensuring systems only have installed and enabled
    what is essential for their operation reduces the attack surface and minimizes
    vulnerabilities, which mitigates a wide range of techniques.
  mapping_type: mitigates
  references: []
- attack_object_id: T1666
  attack_object_name: Modify Cloud Resource Hierarchy
  capability_description: Least functionality
  capability_group: PR.PS
  capability_id: PR.PS-01.02
  comments: This diagnostic statement provides for limiting unnecessary software,
    services, ports, protocols, etc. Ensuring systems only have installed and enabled
    what is essential for their operation reduces the attack surface and minimizes
    vulnerabilities, which mitigates a wide range of techniques.
  mapping_type: mitigates
  references: []
- attack_object_id: T1137
  attack_object_name: Office Application Startup
  capability_description: Least functionality
  capability_group: PR.PS
  capability_id: PR.PS-01.02
  comments: This diagnostic statement provides for limiting unnecessary software,
    services, ports, protocols, etc. Ensuring systems only have installed and enabled
    what is essential for their operation reduces the attack surface and minimizes
    vulnerabilities, which mitigates a wide range of techniques.
  mapping_type: mitigates
  references: []
- attack_object_id: T1137.002
  attack_object_name: Office Test
  capability_description: Least functionality
  capability_group: PR.PS
  capability_id: PR.PS-01.02
  comments: This diagnostic statement provides for limiting unnecessary software,
    services, ports, protocols, etc. Ensuring systems only have installed and enabled
    what is essential for their operation reduces the attack surface and minimizes
    vulnerabilities, which mitigates a wide range of techniques.
  mapping_type: mitigates
  references: []
- attack_object_id: T1566
  attack_object_name: Phishing
  capability_description: Least functionality
  capability_group: PR.PS
  capability_id: PR.PS-01.02
  comments: This diagnostic statement provides for limiting unnecessary software,
    services, ports, protocols, etc. Ensuring systems only have installed and enabled
    what is essential for their operation reduces the attack surface and minimizes
    vulnerabilities, which mitigates a wide range of techniques.
  mapping_type: mitigates
  references: []
- attack_object_id: T1566.001
  attack_object_name: Spearphishing Attachment
  capability_description: Least functionality
  capability_group: PR.PS
  capability_id: PR.PS-01.02
  comments: This diagnostic statement provides for limiting unnecessary software,
    services, ports, protocols, etc. Ensuring systems only have installed and enabled
    what is essential for their operation reduces the attack surface and minimizes
    vulnerabilities, which mitigates a wide range of techniques.
  mapping_type: mitigates
  references: []
- attack_object_id: T1566.002
  attack_object_name: Spearphishing Link
  capability_description: Least functionality
  capability_group: PR.PS
  capability_id: PR.PS-01.02
  comments: This diagnostic statement provides for limiting unnecessary software,
    services, ports, protocols, etc. Ensuring systems only have installed and enabled
    what is essential for their operation reduces the attack surface and minimizes
    vulnerabilities, which mitigates a wide range of techniques.
  mapping_type: mitigates
  references: []
- attack_object_id: T1598
  attack_object_name: Phishing for Information
  capability_description: Least functionality
  capability_group: PR.PS
  capability_id: PR.PS-01.02
  comments: This diagnostic statement provides for limiting unnecessary software,
    services, ports, protocols, etc. Ensuring systems only have installed and enabled
    what is essential for their operation reduces the attack surface and minimizes
    vulnerabilities, which mitigates a wide range of techniques.
  mapping_type: mitigates
  references: []
- attack_object_id: T1598.002
  attack_object_name: Spearphishing Attachment
  capability_description: Least functionality
  capability_group: PR.PS
  capability_id: PR.PS-01.02
  comments: This diagnostic statement provides for limiting unnecessary software,
    services, ports, protocols, etc. Ensuring systems only have installed and enabled
    what is essential for their operation reduces the attack surface and minimizes
    vulnerabilities, which mitigates a wide range of techniques.
  mapping_type: mitigates
  references: []
- attack_object_id: T1598.003
  attack_object_name: Spearphishing Link
  capability_description: Least functionality
  capability_group: PR.PS
  capability_id: PR.PS-01.02
  comments: This diagnostic statement provides for limiting unnecessary software,
    services, ports, protocols, etc. Ensuring systems only have installed and enabled
    what is essential for their operation reduces the attack surface and minimizes
    vulnerabilities, which mitigates a wide range of techniques.
  mapping_type: mitigates
  references: []
- attack_object_id: T1539
  attack_object_name: Steal Web Session Cookie
  capability_description: Least functionality
  capability_group: PR.PS
  capability_id: PR.PS-01.02
  comments: This diagnostic statement provides for limiting unnecessary software,
    services, ports, protocols, etc. Ensuring systems only have installed and enabled
    what is essential for their operation reduces the attack surface and minimizes
    vulnerabilities, which mitigates a wide range of techniques.
  mapping_type: mitigates
  references: []
- attack_object_id: T1553
  attack_object_name: Subvert Trust Controls
  capability_description: Least functionality
  capability_group: PR.PS
  capability_id: PR.PS-01.02
  comments: This diagnostic statement provides for limiting unnecessary software,
    services, ports, protocols, etc. Ensuring systems only have installed and enabled
    what is essential for their operation reduces the attack surface and minimizes
    vulnerabilities, which mitigates a wide range of techniques.
  mapping_type: mitigates
  references: []
- attack_object_id: T1553.004
  attack_object_name: Install Root Certificate
  capability_description: Least functionality
  capability_group: PR.PS
  capability_id: PR.PS-01.02
  comments: This diagnostic statement provides for limiting unnecessary software,
    services, ports, protocols, etc. Ensuring systems only have installed and enabled
    what is essential for their operation reduces the attack surface and minimizes
    vulnerabilities, which mitigates a wide range of techniques.
  mapping_type: mitigates
  references: []
- attack_object_id: T1537
  attack_object_name: Transfer Data to Cloud Account
  capability_description: Least functionality
  capability_group: PR.PS
  capability_id: PR.PS-01.02
  comments: This diagnostic statement provides for limiting unnecessary software,
    services, ports, protocols, etc. Ensuring systems only have installed and enabled
    what is essential for their operation reduces the attack surface and minimizes
    vulnerabilities, which mitigates a wide range of techniques.
  mapping_type: mitigates
  references: []
- attack_object_id: T1535
  attack_object_name: Unused/Unsupported Cloud Regions
  capability_description: Least functionality
  capability_group: PR.PS
  capability_id: PR.PS-01.02
  comments: This diagnostic statement provides for limiting unnecessary software,
    services, ports, protocols, etc. Ensuring systems only have installed and enabled
    what is essential for their operation reduces the attack surface and minimizes
    vulnerabilities, which mitigates a wide range of techniques.
  mapping_type: mitigates
  references: []
- attack_object_id: T1550.004
  attack_object_name: Web Session Cookie
  capability_description: Least functionality
  capability_group: PR.PS
  capability_id: PR.PS-01.02
  comments: This diagnostic statement provides for limiting unnecessary software,
    services, ports, protocols, etc. Ensuring systems only have installed and enabled
    what is essential for their operation reduces the attack surface and minimizes
    vulnerabilities, which mitigates a wide range of techniques.
  mapping_type: mitigates
  references: []
- attack_object_id: T1548
  attack_object_name: Abuse Elevation Control Mechanism
  capability_description: Least functionality
  capability_group: PR.PS
  capability_id: PR.PS-01.02
  comments: This diagnostic statement provides for limiting unnecessary software,
    services, ports, protocols, etc. Ensuring systems only have installed and enabled
    what is essential for their operation reduces the attack surface and minimizes
    vulnerabilities, which mitigates a wide range of techniques.
  mapping_type: mitigates
  references: []
- attack_object_id: T1548.001
  attack_object_name: Setuid and Setgid
  capability_description: Least functionality
  capability_group: PR.PS
  capability_id: PR.PS-01.02
  comments: This diagnostic statement provides for limiting unnecessary software,
    services, ports, protocols, etc. Ensuring systems only have installed and enabled
    what is essential for their operation reduces the attack surface and minimizes
    vulnerabilities, which mitigates a wide range of techniques.
  mapping_type: mitigates
  references: []
- attack_object_id: T1548.003
  attack_object_name: Sudo and Sudo Caching
  capability_description: Least functionality
  capability_group: PR.PS
  capability_id: PR.PS-01.02
  comments: This diagnostic statement provides for limiting unnecessary software,
    services, ports, protocols, etc. Ensuring systems only have installed and enabled
    what is essential for their operation reduces the attack surface and minimizes
    vulnerabilities, which mitigates a wide range of techniques.
  mapping_type: mitigates
  references: []
- attack_object_id: T1087
  attack_object_name: Account Discovery
  capability_description: Least functionality
  capability_group: PR.PS
  capability_id: PR.PS-01.02
  comments: This diagnostic statement provides for limiting unnecessary software,
    services, ports, protocols, etc. Ensuring systems only have installed and enabled
    what is essential for their operation reduces the attack surface and minimizes
    vulnerabilities, which mitigates a wide range of techniques.
  mapping_type: mitigates
  references: []
- attack_object_id: T1087.001
  attack_object_name: Local Account
  capability_description: Least functionality
  capability_group: PR.PS
  capability_id: PR.PS-01.02
  comments: This diagnostic statement provides for limiting unnecessary software,
    services, ports, protocols, etc. Ensuring systems only have installed and enabled
    what is essential for their operation reduces the attack surface and minimizes
    vulnerabilities, which mitigates a wide range of techniques.
  mapping_type: mitigates
  references: []
- attack_object_id: T1559.002
  attack_object_name: Dynamic Data Exchange
  capability_description: Least functionality
  capability_group: PR.PS
  capability_id: PR.PS-01.02
  comments: This diagnostic statement provides for limiting unnecessary software,
    services, ports, protocols, etc. Ensuring systems only have installed and enabled
    what is essential for their operation reduces the attack surface and minimizes
    vulnerabilities, which mitigates a wide range of techniques.
  mapping_type: mitigates
  references: []
- attack_object_id: T1543.005
  attack_object_name: Container Service
  capability_description: Least functionality
  capability_group: PR.PS
  capability_id: PR.PS-01.02
  comments: This diagnostic statement provides for limiting unnecessary software,
    services, ports, protocols, etc. Ensuring systems only have installed and enabled
    what is essential for their operation reduces the attack surface and minimizes
    vulnerabilities, which mitigates a wide range of techniques.
  mapping_type: mitigates
  references: []
- attack_object_id: T1555.005
  attack_object_name: Password Managers
  capability_description: Least functionality
  capability_group: PR.PS
  capability_id: PR.PS-01.02
  comments: This diagnostic statement provides for limiting unnecessary software,
    services, ports, protocols, etc. Ensuring systems only have installed and enabled
    what is essential for their operation reduces the attack surface and minimizes
    vulnerabilities, which mitigates a wide range of techniques.
  mapping_type: mitigates
  references: []
- attack_object_id: T1602
  attack_object_name: Data from Configuration Repository
  capability_description: Least functionality
  capability_group: PR.PS
  capability_id: PR.PS-01.02
  comments: This diagnostic statement provides for limiting unnecessary software,
    services, ports, protocols, etc. Ensuring systems only have installed and enabled
    what is essential for their operation reduces the attack surface and minimizes
    vulnerabilities, which mitigates a wide range of techniques.
  mapping_type: mitigates
  references: []
- attack_object_id: T1602.001
  attack_object_name: SNMP (MIB Dump)
  capability_description: Least functionality
  capability_group: PR.PS
  capability_id: PR.PS-01.02
  comments: This diagnostic statement provides for limiting unnecessary software,
    services, ports, protocols, etc. Ensuring systems only have installed and enabled
    what is essential for their operation reduces the attack surface and minimizes
    vulnerabilities, which mitigates a wide range of techniques.
  mapping_type: mitigates
  references: []
- attack_object_id: T1602.002
  attack_object_name: Network Device Configuration Dump
  capability_description: Least functionality
  capability_group: PR.PS
  capability_id: PR.PS-01.02
  comments: This diagnostic statement provides for limiting unnecessary software,
    services, ports, protocols, etc. Ensuring systems only have installed and enabled
    what is essential for their operation reduces the attack surface and minimizes
    vulnerabilities, which mitigates a wide range of techniques.
  mapping_type: mitigates
  references: []
- attack_object_id: T1213
  attack_object_name: Data from Information Repositories
  capability_description: Least functionality
  capability_group: PR.PS
  capability_id: PR.PS-01.02
  comments: This diagnostic statement provides for limiting unnecessary software,
    services, ports, protocols, etc. Ensuring systems only have installed and enabled
    what is essential for their operation reduces the attack surface and minimizes
    vulnerabilities, which mitigates a wide range of techniques.
  mapping_type: mitigates
  references: []
- attack_object_id: T1213.001
  attack_object_name: Confluence
  capability_description: Least functionality
  capability_group: PR.PS
  capability_id: PR.PS-01.02
  comments: This diagnostic statement provides for limiting unnecessary software,
    services, ports, protocols, etc. Ensuring systems only have installed and enabled
    what is essential for their operation reduces the attack surface and minimizes
    vulnerabilities, which mitigates a wide range of techniques.
  mapping_type: mitigates
  references: []
- attack_object_id: T1213.002
  attack_object_name: Sharepoint
  capability_description: Least functionality
  capability_group: PR.PS
  capability_id: PR.PS-01.02
  comments: This diagnostic statement provides for limiting unnecessary software,
    services, ports, protocols, etc. Ensuring systems only have installed and enabled
    what is essential for their operation reduces the attack surface and minimizes
    vulnerabilities, which mitigates a wide range of techniques.
  mapping_type: mitigates
  references: []
- attack_object_id: T1213.003
  attack_object_name: Code Repositories
  capability_description: Least functionality
  capability_group: PR.PS
  capability_id: PR.PS-01.02
  comments: This diagnostic statement provides for limiting unnecessary software,
    services, ports, protocols, etc. Ensuring systems only have installed and enabled
    what is essential for their operation reduces the attack surface and minimizes
    vulnerabilities, which mitigates a wide range of techniques.
  mapping_type: mitigates
  references: []
- attack_object_id: T1213.004
  attack_object_name: Customer Relationship Management Software
  capability_description: Least functionality
  capability_group: PR.PS
  capability_id: PR.PS-01.02
  comments: This diagnostic statement provides for limiting unnecessary software,
    services, ports, protocols, etc. Ensuring systems only have installed and enabled
    what is essential for their operation reduces the attack surface and minimizes
    vulnerabilities, which mitigates a wide range of techniques.
  mapping_type: mitigates
  references: []
- attack_object_id: T1213.005
  attack_object_name: Messaging Applications
  capability_description: Least functionality
  capability_group: PR.PS
  capability_id: PR.PS-01.02
  comments: This diagnostic statement provides for limiting unnecessary software,
    services, ports, protocols, etc. Ensuring systems only have installed and enabled
    what is essential for their operation reduces the attack surface and minimizes
    vulnerabilities, which mitigates a wide range of techniques.
  mapping_type: mitigates
  references: []
- attack_object_id: T1606
  attack_object_name: Forge Web Credentials
  capability_description: Least functionality
  capability_group: PR.PS
  capability_id: PR.PS-01.02
  comments: This diagnostic statement provides for limiting unnecessary software,
    services, ports, protocols, etc. Ensuring systems only have installed and enabled
    what is essential for their operation reduces the attack surface and minimizes
    vulnerabilities, which mitigates a wide range of techniques.
  mapping_type: mitigates
  references: []
- attack_object_id: T1606.001
  attack_object_name: Web Cookies
  capability_description: Least functionality
  capability_group: PR.PS
  capability_id: PR.PS-01.02
  comments: This diagnostic statement provides for limiting unnecessary software,
    services, ports, protocols, etc. Ensuring systems only have installed and enabled
    what is essential for their operation reduces the attack surface and minimizes
    vulnerabilities, which mitigates a wide range of techniques.
  mapping_type: mitigates
  references: []
- attack_object_id: T1562
  attack_object_name: Impair Defenses
  capability_description: Least functionality
  capability_group: PR.PS
  capability_id: PR.PS-01.02
  comments: This diagnostic statement provides for limiting unnecessary software,
    services, ports, protocols, etc. Ensuring systems only have installed and enabled
    what is essential for their operation reduces the attack surface and minimizes
    vulnerabilities, which mitigates a wide range of techniques.
  mapping_type: mitigates
  references: []
- attack_object_id: T1562.006
  attack_object_name: Indicator Blocking
  capability_description: Least functionality
  capability_group: PR.PS
  capability_id: PR.PS-01.02
  comments: This diagnostic statement provides for limiting unnecessary software,
    services, ports, protocols, etc. Ensuring systems only have installed and enabled
    what is essential for their operation reduces the attack surface and minimizes
    vulnerabilities, which mitigates a wide range of techniques.
  mapping_type: mitigates
  references: []
- attack_object_id: T1562.009
  attack_object_name: Safe Mode Boot
  capability_description: Least functionality
  capability_group: PR.PS
  capability_id: PR.PS-01.02
  comments: This diagnostic statement provides for limiting unnecessary software,
    services, ports, protocols, etc. Ensuring systems only have installed and enabled
    what is essential for their operation reduces the attack surface and minimizes
    vulnerabilities, which mitigates a wide range of techniques.
  mapping_type: mitigates
  references: []
- attack_object_id: T1562.010
  attack_object_name: Downgrade Attack
  capability_description: Least functionality
  capability_group: PR.PS
  capability_id: PR.PS-01.02
  comments: This diagnostic statement provides for limiting unnecessary software,
    services, ports, protocols, etc. Ensuring systems only have installed and enabled
    what is essential for their operation reduces the attack surface and minimizes
    vulnerabilities, which mitigates a wide range of techniques.
  mapping_type: mitigates
  references: []
- attack_object_id: T1559
  attack_object_name: Inter-Process Communication
  capability_description: Least functionality
  capability_group: PR.PS
  capability_id: PR.PS-01.02
  comments: This diagnostic statement provides for limiting unnecessary software,
    services, ports, protocols, etc. Ensuring systems only have installed and enabled
    what is essential for their operation reduces the attack surface and minimizes
    vulnerabilities, which mitigates a wide range of techniques.
  mapping_type: mitigates
  references: []
- attack_object_id: T1558.001
  attack_object_name: Golden Ticket
  capability_description: Service accounts
  capability_group: PR.AA
  capability_id: PR.AA-05.03
  comments: This diagnostic statement describes security controls implemented for
    service accounts (i.e., accounts used by systems to access other systems). Limiting
    service accounts to the minimum required privileges mitigates attempts to steal
    or forge Kerberos tickets.
  mapping_type: mitigates
  references: []
- attack_object_id: T1563
  attack_object_name: Remote Service Session Hijacking
  capability_description: Service accounts
  capability_group: PR.AA
  capability_id: PR.AA-05.03
  comments: This diagnostic statement is for the implementation of security controls
    for service accounts (i.e., accounts used by systems to access other systems),
    such as granting service accounts only the minimum necessary permissions.
  mapping_type: mitigates
  references: []
- attack_object_id: T1563.002
  attack_object_name: RDP Hijacking
  capability_description: Service accounts
  capability_group: PR.AA
  capability_id: PR.AA-05.03
  comments: This diagnostic statement is for the implementation of security controls
    for service accounts (i.e., accounts used by systems to access other systems),
    such as granting service accounts only the minimum necessary permissions.
  mapping_type: mitigates
  references: []
- attack_object_id: T1559
  attack_object_name: Inter-Process Communication
  capability_description: Service accounts
  capability_group: PR.AA
  capability_id: PR.AA-05.03
  comments: This diagnostic statement is for the implementation of security controls
    for service accounts (i.e., accounts used by systems to access other systems).
    Set service account access restrictions to grant only the minimum necessary permissions
    to mitigate abuse of inter-process communication (IPC) mechanisms.
  mapping_type: mitigates
  references: []
- attack_object_id: T1021
  attack_object_name: Remote Services
  capability_description: Service accounts
  capability_group: PR.AA
  capability_id: PR.AA-05.03
  comments: This diagnostic statement is for the implementation of security controls
    for service accounts (i.e., accounts used by systems to access other systems).
    Minimize service account permissions and access for the service to mitigate exploitation
    via remote services that use service accounts.
  mapping_type: mitigates
  references: []
- attack_object_id: T1021.007
  attack_object_name: Cloud Services
  capability_description: Service accounts
  capability_group: PR.AA
  capability_id: PR.AA-05.03
  comments: This diagnostic statement is for the implementation of security controls
    for service accounts (i.e., accounts used by systems to access other systems).
    Minimize service account permissions and access for the service to mitigate exploitation
    via the service accounts used by cloud services.
  mapping_type: mitigates
  references: []
- attack_object_id: T1021.002
  attack_object_name: SMB/Windows Admin Shares
  capability_description: Service accounts
  capability_group: PR.AA
  capability_id: PR.AA-05.03
  comments: This diagnostic statement is for the implementation of security controls
    for service accounts (i.e., accounts used by systems to access other systems).
    Block the SMB/Windows Admin Shares service account to mitigate exploitation.
  mapping_type: mitigates
  references: []
- attack_object_id: T1021.006
  attack_object_name: Windows Remote Management
  capability_description: Service accounts
  capability_group: PR.AA
  capability_id: PR.AA-05.03
  comments: This diagnostic statement is for the implementation of security controls
    for service accounts (i.e., accounts used by systems to access other systems).
    Minimize service account permissions and access for the service to mitigate exploitation
    via the WinRM service account.
  mapping_type: mitigates
  references: []
- attack_object_id: T1190
  attack_object_name: Exploit Public-Facing Application
  capability_description: Service accounts
  capability_group: PR.AA
  capability_id: PR.AA-05.03
  comments: This diagnostic statement is for the implementation of security controls
    for service accounts (i.e., accounts used by systems to access other systems).
    Use least privilege for service accounts to limit what permissions the exploited
    process gets on the rest of the system.
  mapping_type: mitigates
  references: []
- attack_object_id: T1484
  attack_object_name: Domain or Tenant Policy Modification
  capability_description: Service accounts
  capability_group: PR.AA
  capability_id: PR.AA-05.03
  comments: This diagnostic statement is for the implementation of security controls
    for service accounts (i.e., accounts used by systems to access other systems).
    Restrict administrative privileges to mitigate this technique.
  mapping_type: mitigates
  references: []
- attack_object_id: T1078.004
  attack_object_name: Cloud Accounts
  capability_description: Third-party access management
  capability_group: PR.AA
  capability_id: PR.AA-05.04
  comments: "This diagnostic statement includes implementation of controls for third-party\
    \ access to an organization\u2019s systems. Conditional access policies can be\
    \ used to block logins from non-compliant devices or from outside defined IP ranges."
  mapping_type: mitigates
  references: []
- attack_object_id: T1110.001
  attack_object_name: Password Guessing
  capability_description: Third-party access management
  capability_group: PR.AA
  capability_id: PR.AA-05.04
  comments: "This diagnostic statement includes implementation of controls for third-party\
    \ access to an organization\u2019s systems. Enforcing third-party account use\
    \ policies to include account lockout policies after a certain number of failed\
    \ login attempts mitigates the risk of brute-force attacks."
  mapping_type: mitigates
  references: []
- attack_object_id: T1110.003
  attack_object_name: Password Spraying
  capability_description: Third-party access management
  capability_group: PR.AA
  capability_id: PR.AA-05.04
  comments: "This diagnostic statement includes implementation of controls for third-party\
    \ access to an organization\u2019s systems. Enforcing third-party account use\
    \ policies to include account lockout policies after a certain number of failed\
    \ login attempts mitigates the risk of brute-force attacks."
  mapping_type: mitigates
  references: []
- attack_object_id: T1110.004
  attack_object_name: Credential Stuffing
  capability_description: Third-party access management
  capability_group: PR.AA
  capability_id: PR.AA-05.04
  comments: "This diagnostic statement includes implementation of controls for third-party\
    \ access to an organization\u2019s systems. Enforcing third-party account use\
    \ policies to include account lockout policies after a certain number of failed\
    \ login attempts mitigates the risk of brute-force attacks."
  mapping_type: mitigates
  references: []
- attack_object_id: T1606.001
  attack_object_name: Web Cookies
  capability_description: Privileged account monitoring
  capability_group: DE.CM
  capability_id: DE.CM-03.03
  comments: This diagnostic statement implements mechanisms and tools to mitigate
    potential misuse of privileged users and accounts. Continuous monitoring of role
    and attribute assignments and activity is essential to prevent and detect unauthorized
    access or misuse.
  mapping_type: mitigates
  references: []
- attack_object_id: T1543.003
  attack_object_name: Windows Service
  capability_description: Privileged account monitoring
  capability_group: DE.CM
  capability_id: DE.CM-03.03
  comments: This diagnostic statement implements mechanisms and tools to mitigate
    potential misuse of privileged users and accounts. Continuous monitoring of role
    and attribute assignments and activity is essential to prevent and detect unauthorized
    access or misuse.
  mapping_type: mitigates
  references: []
- attack_object_id: T1543.004
  attack_object_name: Launch Daemon
  capability_description: Privileged account monitoring
  capability_group: DE.CM
  capability_id: DE.CM-03.03
  comments: This diagnostic statement implements mechanisms and tools to mitigate
    potential misuse of privileged users and accounts. Continuous monitoring of role
    and attribute assignments and activity is essential to prevent and detect unauthorized
    access or misuse.
  mapping_type: mitigates
  references: []
- attack_object_id: T1543.002
  attack_object_name: Systemd Service
  capability_description: Privileged account monitoring
  capability_group: DE.CM
  capability_id: DE.CM-03.03
  comments: This diagnostic statement implements mechanisms and tools to mitigate
    potential misuse of privileged users and accounts. Continuous monitoring of role
    and attribute assignments and activity is essential to prevent and detect unauthorized
    access or misuse.
  mapping_type: mitigates
  references: []
- attack_object_id: T1098.004
  attack_object_name: SSH Authorized Keys
  capability_description: Privileged account monitoring
  capability_group: DE.CM
  capability_id: DE.CM-03.03
  comments: This diagnostic statement implements mechanisms and tools to mitigate
    potential misuse of privileged users and accounts. Continuous monitoring of role
    and attribute assignments and activity is essential to prevent and detect unauthorized
    access or misuse.
  mapping_type: mitigates
  references: []
- attack_object_id: T1098.005
  attack_object_name: Device Registration
  capability_description: Privileged account monitoring
  capability_group: DE.CM
  capability_id: DE.CM-03.03
  comments: This diagnostic statement implements mechanisms and tools to mitigate
    potential misuse of privileged users and accounts. Continuous monitoring of role
    and attribute assignments and activity is essential to prevent and detect unauthorized
    access or misuse.
  mapping_type: mitigates
  references: []
- attack_object_id: T1098.006
  attack_object_name: Additional Container Cluster Roles
  capability_description: Privileged account monitoring
  capability_group: DE.CM
  capability_id: DE.CM-03.03
  comments: This diagnostic statement implements mechanisms and tools to mitigate
    potential misuse of privileged users and accounts. Continuous monitoring of role
    and attribute assignments and activity is essential to prevent and detect unauthorized
    access or misuse.
  mapping_type: mitigates
  references: []
- attack_object_id: T1098.007
  attack_object_name: Additional Local or Domain Groups
  capability_description: Privileged account monitoring
  capability_group: DE.CM
  capability_id: DE.CM-03.03
  comments: This diagnostic statement implements mechanisms and tools to mitigate
    potential misuse of privileged users and accounts. Continuous monitoring of role
    and attribute assignments and activity is essential to prevent and detect unauthorized
    access or misuse.
  mapping_type: mitigates
  references: []
- attack_object_id: T1078
  attack_object_name: Valid Accounts
  capability_description: Privileged account monitoring
  capability_group: DE.CM
  capability_id: DE.CM-03.03
  comments: This diagnostic statement implements mechanisms and tools to mitigate
    potential misuse of privileged users and accounts. Continuous monitoring of role
    and attribute assignments and activity is essential to prevent and detect unauthorized
    access or misuse.
  mapping_type: mitigates
  references: []
- attack_object_id: T1204.001
  attack_object_name: Malicious Link
  capability_description: Website and service blocking
  capability_group: DE.CM
  capability_id: DE.CM-01.05
  comments: This diagnostic statement protects against User Execution through the implementation
    of tools and measures to block unknown or unused files in transit.
  mapping_type: mitigates
  references: []
- attack_object_id: T1485
  attack_object_name: Data Destruction
  capability_description: Alternative resilience mechanisms
  capability_group: PR.IR
  capability_id: PR.IR-03.01
  comments: This diagnostic statement protects against Data Destruction through the
    use of failsafes, backup facilities, disaster recovery, and resilience strategies
    including resumption of critical services.
  mapping_type: mitigates
  references: []
- attack_object_id: T1485.001
  attack_object_name: Lifecycle-Triggered Deletion
  capability_description: Alternative resilience mechanisms
  capability_group: PR.IR
  capability_id: PR.IR-03.01
  comments: This diagnostic statement protects against Lifecycle-Triggered Deletion
    through the use of failsafes, backup facilities, disaster recovery, and resilience
    strategies including resumption of critical services.
  mapping_type: mitigates
  references: []
- attack_object_id: T1486
  attack_object_name: Data Encrypted for Impact
  capability_description: Alternative resilience mechanisms
  capability_group: PR.IR
  capability_id: PR.IR-03.01
  comments: This diagnostic statement protects against Data Encrypted for Impact through
    the use of failsafes, backup facilities, disaster recovery, and resilience strategies
    including resumption of critical services.
  mapping_type: mitigates
  references: []
- attack_object_id: T1491
  attack_object_name: Defacement
  capability_description: Alternative resilience mechanisms
  capability_group: PR.IR
  capability_id: PR.IR-03.01
  comments: This diagnostic statement protects against Defacement through the use
    of failsafes, backup facilities, disaster recovery, and resilience strategies
    including resumption of critical services.
  mapping_type: mitigates
  references: []
- attack_object_id: T1491.001
  attack_object_name: Internal Defacement
  capability_description: Alternative resilience mechanisms
  capability_group: PR.IR
  capability_id: PR.IR-03.01
  comments: This diagnostic statement protects against Internal Defacement through
    the use of failsafes, backup facilities, disaster recovery, and resilience strategies
    including resumption of critical services.
  mapping_type: mitigates
  references: []
- attack_object_id: T1491.002
  attack_object_name: External Defacement
  capability_description: Alternative resilience mechanisms
  capability_group: PR.IR
  capability_id: PR.IR-03.01
  comments: This diagnostic statement protects against External Defacement through
    the use of failsafes, backup facilities, disaster recovery, and resilience strategies
    including resumption of critical services.
  mapping_type: mitigates
  references: []
- attack_object_id: T1561
  attack_object_name: Disk Wipe
  capability_description: Alternative resilience mechanisms
  capability_group: PR.IR
  capability_id: PR.IR-03.01
  comments: This diagnostic statement protects against Disk Wipe through the use of
    failsafes, backup facilities, disaster recovery, and resilience strategies including
    resumption of critical services.
  mapping_type: mitigates
  references: []
- attack_object_id: T1561.001
  attack_object_name: Disk Content Wipe
  capability_description: Alternative resilience mechanisms
  capability_group: PR.IR
  capability_id: PR.IR-03.01
  comments: This diagnostic statement protects against Disk Content Wipe through the
    use of failsafes, backup facilities, disaster recovery, and resilience strategies
    including resumption of critical services.
  mapping_type: mitigates
  references: []
- attack_object_id: T1561.002
  attack_object_name: Disk Structure Wipe
  capability_description: Alternative resilience mechanisms
  capability_group: PR.IR
  capability_id: PR.IR-03.01
  comments: This diagnostic statement protects against Disk Structure Wipe through
    the use of failsafes, backup facilities, disaster recovery, and resilience strategies
    including resumption of critical services.
  mapping_type: mitigates
  references: []
- attack_object_id: T1490
  attack_object_name: Inhibit System Recovery
  capability_description: Alternative resilience mechanisms
  capability_group: PR.IR
  capability_id: PR.IR-03.01
  comments: This diagnostic statement protects against Inhibit System Recovery through
    the use of failsafes, backup facilities, disaster recovery, and resilience strategies
    including resumption of critical services.
  mapping_type: mitigates
  references: []
- attack_object_id: T1020
  attack_object_name: Automated Exfiltration
  capability_description: Alternative resilience mechanisms
  capability_group: PR.IR
  capability_id: PR.IR-03.01
  comments: This diagnostic statement protects against Automated Exfiltration through
    the use of failsafes, backup facilities, disaster recovery, and resilience strategies
    including resumption of critical services.
  mapping_type: mitigates
  references: []
- attack_object_id: T1020.001
  attack_object_name: Traffic Duplication
  capability_description: Alternative resilience mechanisms
  capability_group: PR.IR
  capability_id: PR.IR-03.01
  comments: This diagnostic statement protects against Traffic Duplication through
    the use of failsafes, backup facilities, disaster recovery, and resilience strategies
    including resumption of critical services.
  mapping_type: mitigates
  references: []
- attack_object_id: T1005
  attack_object_name: Data from Local System
  capability_description: Alternative resilience mechanisms
  capability_group: PR.IR
  capability_id: PR.IR-03.01
  comments: This diagnostic statement protects against Data from Local System through
    the use of failsafes, backup facilities, disaster recovery, and resilience strategies
    including resumption of critical services.
  mapping_type: mitigates
  references: []
- attack_object_id: T1025
  attack_object_name: Data from Removable Media
  capability_description: Alternative resilience mechanisms
  capability_group: PR.IR
  capability_id: PR.IR-03.01
  comments: This diagnostic statement protects against Data from Removable Media through
    the use of failsafes, backup facilities, disaster recovery, and resilience strategies
    including resumption of critical services.
  mapping_type: mitigates
  references: []
- attack_object_id: T1048
  attack_object_name: Exfiltration Over Alternative Protocol
  capability_description: Alternative resilience mechanisms
  capability_group: PR.IR
  capability_id: PR.IR-03.01
  comments: This diagnostic statement protects against Exfiltration Over Alternative
    Protocol through the use of failsafes, backup facilities, disaster recovery, and
    resilience strategies including resumption of critical services.
  mapping_type: mitigates
  references: []
- attack_object_id: T1048.002
  attack_object_name: Exfiltration Over Asymmetric Encrypted Non-C2 Protocol
  capability_description: Alternative resilience mechanisms
  capability_group: PR.IR
  capability_id: PR.IR-03.01
  comments: This diagnostic statement protects against Exfiltration Over Asymmetric
    Encrypted Non-C2 Protocol through the use of failsafes, backup facilities, disaster
    recovery, and resilience strategies including resumption of critical services.
  mapping_type: mitigates
  references: []
- attack_object_id: T1048.003
  attack_object_name: Exfiltration Over Unencrypted Non-C2 Protocol
  capability_description: Alternative resilience mechanisms
  capability_group: PR.IR
  capability_id: PR.IR-03.01
  comments: This diagnostic statement protects against Exfiltration Over Unencrypted
    Non-C2 Protocol through the use of failsafes, backup facilities, disaster recovery,
    and resilience strategies including resumption of critical services.
  mapping_type: mitigates
  references: []
- attack_object_id: T1041
  attack_object_name: Exfiltration Over C2 Channel
  capability_description: Alternative resilience mechanisms
  capability_group: PR.IR
  capability_id: PR.IR-03.01
  comments: This diagnostic statement protects against Exfiltration Over C2 Channel
    through the use of failsafes, backup facilities, disaster recovery, and resilience
    strategies including resumption of critical services.
  mapping_type: mitigates
  references: []
- attack_object_id: T1052
  attack_object_name: Exfiltration Over Physical Medium
  capability_description: Alternative resilience mechanisms
  capability_group: PR.IR
  capability_id: PR.IR-03.01
  comments: This diagnostic statement protects against Exfiltration Over Physical
    Medium through the use of failsafes, backup facilities, disaster recovery, and
    resilience strategies including resumption of critical services.
  mapping_type: mitigates
  references: []
- attack_object_id: T1052.001
  attack_object_name: Exfiltration over USB
  capability_description: Alternative resilience mechanisms
  capability_group: PR.IR
  capability_id: PR.IR-03.01
  comments: This diagnostic statement protects against Exfiltration over USB through
    the use of failsafes, backup facilities, disaster recovery, and resilience strategies
    including resumption of critical services.
  mapping_type: mitigates
  references: []
- attack_object_id: T1567
  attack_object_name: Exfiltration Over Web Service
  capability_description: Alternative resilience mechanisms
  capability_group: PR.IR
  capability_id: PR.IR-03.01
  comments: This diagnostic statement protects against Exfiltration Over Web Service
    through the use of failsafes, backup facilities, disaster recovery, and resilience
    strategies including resumption of critical services.
  mapping_type: mitigates
  references: []
- attack_object_id: T1567.004
  attack_object_name: Exfiltration Over Webhook
  capability_description: Alternative resilience mechanisms
  capability_group: PR.IR
  capability_id: PR.IR-03.01
  comments: This diagnostic statement protects against Exfiltration Over Webhook through
    the use of failsafes, backup facilities, disaster recovery, and resilience strategies
    including resumption of critical services.
  mapping_type: mitigates
  references: []
- attack_object_id: T1537
  attack_object_name: Transfer Data to Cloud Account
  capability_description: Alternative resilience mechanisms
  capability_group: PR.IR
  capability_id: PR.IR-03.01
  comments: This diagnostic statement protects against Transfer Data to Cloud Account
    through the use of failsafes, backup facilities, disaster recovery, and resilience
    strategies including resumption of critical services.
  mapping_type: mitigates
  references: []
- attack_object_id: T1078
  attack_object_name: Valid Accounts
  capability_description: Secure SDLC process
  capability_group: PR.PS
  capability_id: PR.PS-06.01
  comments: This diagnostic statement provides for secure system development, which
    includes ensuring that applications do not store sensitive data or valid account
    credentials insecurely (e.g., plaintext credentials in code, published credentials
    in repositories, or credentials in public cloud storage).
  mapping_type: mitigates
  references: []
- attack_object_id: T1078.002
  attack_object_name: Domain Accounts
  capability_description: Secure SDLC process
  capability_group: PR.PS
  capability_id: PR.PS-06.01
  comments: This diagnostic statement provides for secure system development, which
    includes ensuring that applications do not store sensitive data or valid account
    credentials insecurely (e.g., plaintext credentials in code, published credentials
    in repositories, or credentials in public cloud storage).
  mapping_type: mitigates
  references: []
- attack_object_id: T1078.003
  attack_object_name: Local Accounts
  capability_description: Secure SDLC process
  capability_group: PR.PS
  capability_id: PR.PS-06.01
  comments: This diagnostic statement provides for secure system development, which
    includes ensuring that applications do not store sensitive data or valid account
    credentials insecurely (e.g., plaintext credentials in code, published credentials
    in repositories, or credentials in public cloud storage).
  mapping_type: mitigates
  references: []
- attack_object_id: T1078.004
  attack_object_name: Cloud Accounts
  capability_description: Secure SDLC process
  capability_group: PR.PS
  capability_id: PR.PS-06.01
  comments: This diagnostic statement provides for secure system development, which
    includes ensuring that applications do not store sensitive data or valid account
    credentials insecurely (e.g., plaintext credentials in code, published credentials
    in repositories, or credentials in public cloud storage).
  mapping_type: mitigates
  references: []
- attack_object_id: T1559
  attack_object_name: Inter-Process Communication
  capability_description: Secure SDLC process
  capability_group: PR.PS
  capability_id: PR.PS-06.01
  comments: This diagnostic statement protects inter-process communication mechanisms
    from abuse through secure development practices, such as enabling the Hardened
    Runtime capability when developing applications.
  mapping_type: mitigates
  references: []
- attack_object_id: T1550
  attack_object_name: Use Alternate Authentication Material
  capability_description: Secure SDLC process
  capability_group: PR.PS
  capability_id: PR.PS-06.01
  comments: This diagnostic statement provides for the implementation of secure development
    practices, such as implementing token binding strategies which can help prevent
    malicious use of application access tokens.
  mapping_type: mitigates
  references: []
- attack_object_id: T1212
  attack_object_name: Exploitation for Credential Access
  capability_description: Secure SDLC process
  capability_group: PR.PS
  capability_id: PR.PS-06.01
  comments: This diagnostic statement protects against Exploitation for Credential
    Access through the implementation of measures in the application to validate authentication
    requests by enabling one-time passwords, providing timestamps or sequence numbers
    for messages sent, using digital signatures, and/or using random session keys.
  mapping_type: mitigates
  references: []
- attack_object_id: T1564
  attack_object_name: Hide Artifacts
  capability_description: Secure SDLC process
  capability_group: PR.PS
  capability_id: PR.PS-06.01
  comments: This diagnostic statement protects against Hide Artifacts through the
    implementation of application security processes and procedures such as installing
    applications to trusted system folder paths that are already protected by restricted
    file and directory permissions.
  mapping_type: mitigates
  references: []
- attack_object_id: T1564.009
  attack_object_name: Resource Forking
  capability_description: Secure SDLC process
  capability_group: PR.PS
  capability_id: PR.PS-06.01
  comments: This diagnostic statement protects against Hide Artifacts through the
    implementation of application security processes and procedures such as installing
    applications to trusted system folder paths that are already protected by restricted
    file and directory permissions.
  mapping_type: mitigates
  references: []
- attack_object_id: T1564.012
  attack_object_name: File/Path Exclusions
  capability_description: Secure SDLC process
  capability_group: PR.PS
  capability_id: PR.PS-06.01
  comments: This diagnostic statement protects against Hide Artifacts through the
    implementation of application security processes and procedures such as installing
    applications to trusted system folder paths that are already protected by restricted
    file and directory permissions.
  mapping_type: mitigates
  references: []
- attack_object_id: T1574
  attack_object_name: Hijack Execution Flow
  capability_description: Secure SDLC process
  capability_group: PR.PS
  capability_id: PR.PS-06.01
  comments: This diagnostic statement provides for secure application development
    processes and procedures, such as including hash values in manifest files to help
    prevent side-loading of malicious libraries.
  mapping_type: mitigates
  references: []
- attack_object_id: T1574.002
  attack_object_name: DLL Side-Loading
  capability_description: Secure SDLC process
  capability_group: PR.PS
  capability_id: PR.PS-06.01
  comments: This diagnostic statement provides for secure application development
    processes and procedures, such as including hash values in manifest files to help
    prevent side-loading of malicious libraries.
  mapping_type: mitigates
  references: []
- attack_object_id: T1559.003
  attack_object_name: XPC Services
  capability_description: Secure SDLC process
  capability_group: PR.PS
  capability_id: PR.PS-06.01
  comments: This diagnostic statement protects inter-process communication mechanisms
    from abuse through secure development practices, such as enabling the Hardened
    Runtime capability when developing applications.
  mapping_type: mitigates
  references: []
- attack_object_id: T1647
  attack_object_name: Plist File Modification
  capability_description: Secure SDLC process
  capability_group: PR.PS
  capability_id: PR.PS-06.01
  comments: This diagnostic statement helps protect against the modification of property
    list files (plist files) through secure development practices, such as enabling
    hardened runtime.
  mapping_type: mitigates
  references: []
- attack_object_id: T1496.003
  attack_object_name: SMS Pumping
  capability_description: Secure SDLC process
  capability_group: PR.PS
  capability_id: PR.PS-06.01
  comments: This diagnostic statement helps provide for secure development practices,
    such as implementing CAPTCHA protection on forms that send messages via SMS.
  mapping_type: mitigates
  references: []
- attack_object_id: T1593
  attack_object_name: Search Open Websites/Domains
  capability_description: Secure SDLC process
  capability_group: PR.PS
  capability_id: PR.PS-06.01
  comments: This diagnostic statement provides for the use of secure development processes
    and procedures. This includes avoiding publishing sensitive information such as
    credentials and API keys when uploading to public code repositories.
  mapping_type: mitigates
  references: []
- attack_object_id: T1593.003
  attack_object_name: Code Repositories
  capability_description: Secure SDLC process
  capability_group: PR.PS
  capability_id: PR.PS-06.01
  comments: This diagnostic statement provides for the use of secure development processes
    and procedures. This includes avoiding publishing sensitive information such as
    credentials and API keys when uploading to public code repositories.
  mapping_type: mitigates
  references: []
- attack_object_id: T1195
  attack_object_name: Supply Chain Compromise
  capability_description: Secure SDLC process
  capability_group: PR.PS
  capability_id: PR.PS-06.01
  comments: This diagnostic statement provides for the use of secure development processes
    and procedures. This includes being cautious when selecting third-party libraries
    to integrate into applications.
  mapping_type: mitigates
  references: []
- attack_object_id: T1550.001
  attack_object_name: Application Access Token
  capability_description: Secure SDLC process
  capability_group: PR.PS
  capability_id: PR.PS-06.01
  comments: This diagnostic statement provides secure application development, such
    as implementing token binding strategies to help prevent the malicious use of
    application access tokens.
  mapping_type: mitigates
  references: []
- attack_object_id: T1078.001
  attack_object_name: Default Accounts
  capability_description: Secure SDLC process
  capability_group: PR.PS
  capability_id: PR.PS-06.01
  comments: This diagnostic statement provides for secure system development, which
    includes ensuring that applications do not store sensitive data or valid account
    credentials insecurely (e.g., plaintext credentials in code, published credentials
    in repositories, or credentials in public cloud storage).
  mapping_type: mitigates
  references: []
- attack_object_id: T1195.001
  attack_object_name: Compromise Software Dependencies and Development Tools
  capability_description: Secure SDLC process
  capability_group: PR.PS
  capability_id: PR.PS-06.01
  comments: This diagnostic statement provides for the use of secure development processes
    and procedures. This includes being cautious when selecting third-party libraries
    to integrate into applications.
  mapping_type: mitigates
  references: []
- attack_object_id: T1574
  attack_object_name: Hijack Execution Flow
  capability_description: End-user device protection
  capability_group: PR.PS
  capability_id: PR.PS-01.08
  comments: This diagnostic statement protects endpoints from certain types of behaviors
    related to process injection/memory tampering through configuration requirements,
    connection requirements, and other mechanisms to protect network, application,
    and data integrity.
  mapping_type: mitigates
  references: []
- attack_object_id: T1574.001
  attack_object_name: DLL Search Order Hijacking
  capability_description: End-user device protection
  capability_group: PR.PS
  capability_id: PR.PS-01.08
  comments: This diagnostic statement protects endpoints from certain types of behaviors
    related to process injection/memory tampering through configuration requirements,
    connection requirements, and other mechanisms to protect network, application,
    and data integrity.
  mapping_type: mitigates
  references: []
- attack_object_id: T1574.002
  attack_object_name: DLL Side-Loading
  capability_description: End-user device protection
  capability_group: PR.PS
  capability_id: PR.PS-01.08
  comments: This diagnostic statement protects endpoints from certain types of behaviors
    related to process injection/memory tampering through configuration requirements,
    connection requirements, and other mechanisms to protect network, application,
    and data integrity.
  mapping_type: mitigates
  references: []
- attack_object_id: T1574.006
  attack_object_name: Dynamic Linker Hijacking
  capability_description: End-user device protection
  capability_group: PR.PS
  capability_id: PR.PS-01.08
  comments: This diagnostic statement protects endpoints from certain types of behaviors
    related to process injection/memory tampering through configuration requirements,
    connection requirements, and other mechanisms to protect network, application,
    and data integrity.
  mapping_type: mitigates
  references: []
- attack_object_id: T1574.007
  attack_object_name: Path Interception by PATH Environment Variable
  capability_description: End-user device protection
  capability_group: PR.PS
  capability_id: PR.PS-01.08
  comments: This diagnostic statement protects endpoints from certain types of behaviors
    related to process injection/memory tampering through configuration requirements,
    connection requirements, and other mechanisms to protect network, application,
    and data integrity.
  mapping_type: mitigates
  references: []
- attack_object_id: T1574.008
  attack_object_name: Path Interception by Search Order Hijacking
  capability_description: End-user device protection
  capability_group: PR.PS
  capability_id: PR.PS-01.08
  comments: This diagnostic statement protects endpoints from certain types of behaviors
    related to process injection/memory tampering through configuration requirements,
    connection requirements, and other mechanisms to protect network, application,
    and data integrity.
  mapping_type: mitigates
  references: []
- attack_object_id: T1574.009
  attack_object_name: Path Interception by Unquoted Path
  capability_description: End-user device protection
  capability_group: PR.PS
  capability_id: PR.PS-01.08
  comments: This diagnostic statement protects endpoints from certain types of behaviors
    related to process injection/memory tampering through configuration requirements,
    connection requirements, and other mechanisms to protect network, application,
    and data integrity.
  mapping_type: mitigates
  references: []
- attack_object_id: T1574.012
  attack_object_name: COR_PROFILER
  capability_description: End-user device protection
  capability_group: PR.PS
  capability_id: PR.PS-01.08
  comments: This diagnostic statement protects endpoints from certain types of behaviors
    related to process injection/memory tampering through configuration requirements,
    connection requirements, and other mechanisms to protect network, application,
    and data integrity.
  mapping_type: mitigates
  references: []
- attack_object_id: T1574.013
  attack_object_name: KernelCallbackTable
  capability_description: End-user device protection
  capability_group: PR.PS
  capability_id: PR.PS-01.08
  comments: This diagnostic statement protects endpoints from certain types of behaviors
    related to process injection/memory tampering through configuration requirements,
    connection requirements, and other mechanisms to protect network, application,
    and data integrity.
  mapping_type: mitigates
  references: []
- attack_object_id: T1003.006
  attack_object_name: DCSync
  capability_description: Privileged system access
  capability_group: PR.AA
  capability_id: PR.AA-05.02
  comments: This diagnostic statement protects against DCSync through the use of privileged
    account management and the use of multi-factor authentication.
  mapping_type: mitigates
  references: []
- attack_object_id: T1003.007
  attack_object_name: Proc Filesystem
  capability_description: Privileged system access
  capability_group: PR.AA
  capability_id: PR.AA-05.02
  comments: This diagnostic statement protects against the Proc Filesystem technique
    through the use of privileged account management and the use of multi-factor
    authentication.
  mapping_type: mitigates
  references: []
- attack_object_id: T1003.008
  attack_object_name: /etc/passwd and /etc/shadow
  capability_description: Privileged system access
  capability_group: PR.AA
  capability_id: PR.AA-05.02
  comments: This diagnostic statement protects against the /etc/passwd and /etc/shadow
    technique through the use of privileged account management and the use of
    multi-factor authentication.
  mapping_type: mitigates
  references: []
- attack_object_id: T1021
  attack_object_name: Remote Services
  capability_description: Privileged system access
  capability_group: PR.AA
  capability_id: PR.AA-05.02
  comments: This diagnostic statement protects against Remote Services through the
    use of privileged account management and the use of multi-factor authentication.
  mapping_type: mitigates
  references: []
- attack_object_id: T1021.001
  attack_object_name: Remote Desktop Protocol
  capability_description: Privileged system access
  capability_group: PR.AA
  capability_id: PR.AA-05.02
  comments: This diagnostic statement protects against Remote Desktop Protocol through
    the use of privileged account management and the use of multi-factor authentication.
  mapping_type: mitigates
  references: []
- attack_object_id: T1021.002
  attack_object_name: SMB/Windows Admin Shares
  capability_description: Privileged system access
  capability_group: PR.AA
  capability_id: PR.AA-05.02
  comments: This diagnostic statement protects against SMB/Windows Admin Shares through
    the use of privileged account management and the use of multi-factor authentication.
  mapping_type: mitigates
  references: []
- attack_object_id: T1021.003
  attack_object_name: Distributed Component Object Model
  capability_description: Privileged system access
  capability_group: PR.AA
  capability_id: PR.AA-05.02
  comments: This diagnostic statement protects against Distributed Component Object
    Model through the use of privileged account management and the use of multi-factor
    authentication.
  mapping_type: mitigates
  references: []
- attack_object_id: T1021.004
  attack_object_name: SSH
  capability_description: Privileged system access
  capability_group: PR.AA
  capability_id: PR.AA-05.02
  comments: This diagnostic statement protects against SSH through the use of privileged
    account management and the use of multi-factor authentication.
  mapping_type: mitigates
  references: []
- attack_object_id: T1021.006
  attack_object_name: Windows Remote Management
  capability_description: Privileged system access
  capability_group: PR.AA
  capability_id: PR.AA-05.02
  comments: This diagnostic statement protects against Windows Remote Management through
    the use of privileged account management and the use of multi-factor authentication.
  mapping_type: mitigates
  references: []
- attack_object_id: T1021.007
  attack_object_name: Cloud Services
  capability_description: Privileged system access
  capability_group: PR.AA
  capability_id: PR.AA-05.02
  comments: This diagnostic statement protects against Cloud Services through the
    use of privileged account management and the use of multi-factor authentication.
  mapping_type: mitigates
  references: []
- attack_object_id: T1040
  attack_object_name: Network Sniffing
  capability_description: Privileged system access
  capability_group: PR.AA
  capability_id: PR.AA-05.02
  comments: This diagnostic statement protects against Network Sniffing through the
    use of privileged account management and the use of multi-factor authentication.
  mapping_type: mitigates
  references: []
- attack_object_id: T1047
  attack_object_name: Windows Management Instrumentation
  capability_description: Privileged system access
  capability_group: PR.AA
  capability_id: PR.AA-05.02
  comments: This diagnostic statement protects against Windows Management Instrumentation
    through the use of privileged account management and the use of multi-factor authentication.
  mapping_type: mitigates
  references: []
- attack_object_id: T1053
  attack_object_name: Scheduled Task/Job
  capability_description: Privileged system access
  capability_group: PR.AA
  capability_id: PR.AA-05.02
  comments: This diagnostic statement protects against Scheduled Task/Job through
    the use of privileged account management and the use of multi-factor authentication.
  mapping_type: mitigates
  references: []
- attack_object_id: T1053.002
  attack_object_name: At
  capability_description: Privileged system access
  capability_group: PR.AA
  capability_id: PR.AA-05.02
  comments: This diagnostic statement protects against the At technique through the
    use of privileged account management and the use of multi-factor authentication.
  mapping_type: mitigates
  references: []
- attack_object_id: T1053.005
  attack_object_name: Scheduled Task
  capability_description: Privileged system access
  capability_group: PR.AA
  capability_id: PR.AA-05.02
  comments: This diagnostic statement protects against Scheduled Task through the
    use of privileged account management and the use of multi-factor authentication.
  mapping_type: mitigates
  references: []
- attack_object_id: T1053.006
  attack_object_name: Systemd Timers
  capability_description: Privileged system access
  capability_group: PR.AA
  capability_id: PR.AA-05.02
  comments: This diagnostic statement protects against Systemd Timers through the
    use of privileged account management and the use of multi-factor authentication.
  mapping_type: mitigates
  references: []
- attack_object_id: T1053.007
  attack_object_name: Container Orchestration Job
  capability_description: Privileged system access
  capability_group: PR.AA
  capability_id: PR.AA-05.02
  comments: This diagnostic statement protects against Container Orchestration Job
    through the use of privileged account management and the use of multi-factor authentication.
  mapping_type: mitigates
  references: []
- attack_object_id: T1055
  attack_object_name: Process Injection
  capability_description: Privileged system access
  capability_group: PR.AA
  capability_id: PR.AA-05.02
  comments: This diagnostic statement protects against Process Injection through the
    use of privileged account management and the use of multi-factor authentication.
  mapping_type: mitigates
  references: []
- attack_object_id: T1055.008
  attack_object_name: Ptrace System Calls
  capability_description: Privileged system access
  capability_group: PR.AA
  capability_id: PR.AA-05.02
  comments: This diagnostic statement protects against Ptrace System Calls through
    the use of privileged account management and the use of multi-factor authentication.
  mapping_type: mitigates
  references: []
- attack_object_id: T1056
  attack_object_name: Input Capture
  capability_description: Privileged system access
  capability_group: PR.AA
  capability_id: PR.AA-05.02
  comments: This diagnostic statement protects against Input Capture through the use
    of privileged account management and the use of multi-factor authentication.
  mapping_type: mitigates
  references: []
- attack_object_id: T1056.003
  attack_object_name: Web Portal Capture
  capability_description: Privileged system access
  capability_group: PR.AA
  capability_id: PR.AA-05.02
  comments: This diagnostic statement protects against Web Portal Capture through
    the use of privileged account management and the use of multi-factor authentication.
  mapping_type: mitigates
  references: []
- attack_object_id: T1059
  attack_object_name: Command and Scripting Interpreter
  capability_description: Privileged system access
  capability_group: PR.AA
  capability_id: PR.AA-05.02
  comments: This diagnostic statement protects against Command and Scripting Interpreter
    through the use of privileged account management and the use of multi-factor authentication.
  mapping_type: mitigates
  references: []
- attack_object_id: T1059.001
  attack_object_name: PowerShell
  capability_description: Privileged system access
  capability_group: PR.AA
  capability_id: PR.AA-05.02
  comments: This diagnostic statement protects against PowerShell through the use
    of privileged account management and the use of multi-factor authentication.
  mapping_type: mitigates
  references: []
- attack_object_id: T1059.008
  attack_object_name: Network Device CLI
  capability_description: Privileged system access
  capability_group: PR.AA
  capability_id: PR.AA-05.02
  comments: This diagnostic statement protects against Network Device CLI through
    the use of privileged account management and the use of multi-factor authentication.
  mapping_type: mitigates
  references: []
- attack_object_id: T1059.009
  attack_object_name: Cloud API
  capability_description: Privileged system access
  capability_group: PR.AA
  capability_id: PR.AA-05.02
  comments: This diagnostic statement protects against Cloud API through the use of
    privileged account management and the use of multi-factor authentication.
  mapping_type: mitigates
  references: []
- attack_object_id: T1072
  attack_object_name: Software Deployment Tools
  capability_description: Privileged system access
  capability_group: PR.AA
  capability_id: PR.AA-05.02
  comments: This diagnostic statement protects against Software Deployment Tools through
    the use of privileged account management and the use of multi-factor authentication.
  mapping_type: mitigates
  references: []
- attack_object_id: T1078
  attack_object_name: Valid Accounts
  capability_description: Privileged system access
  capability_group: PR.AA
  capability_id: PR.AA-05.02
  comments: This diagnostic statement protects against Valid Accounts through the
    use of privileged account management and the use of multi-factor authentication.
  mapping_type: mitigates
  references: []
- attack_object_id: T1078.001
  attack_object_name: Default Accounts
  capability_description: Privileged system access
  capability_group: PR.AA
  capability_id: PR.AA-05.02
  comments: This diagnostic statement protects against Default Accounts through the
    use of privileged account management and the use of multi-factor authentication.
  mapping_type: mitigates
  references: []
- attack_object_id: T1078.002
  attack_object_name: Domain Accounts
  capability_description: Privileged system access
  capability_group: PR.AA
  capability_id: PR.AA-05.02
  comments: This diagnostic statement protects against Domain Accounts through the
    use of privileged account management and the use of multi-factor authentication.
  mapping_type: mitigates
  references: []
- attack_object_id: T1078.003
  attack_object_name: Local Accounts
  capability_description: Privileged system access
  capability_group: PR.AA
  capability_id: PR.AA-05.02
  comments: This diagnostic statement protects against Local Accounts through the
    use of privileged account management and the use of multi-factor authentication.
  mapping_type: mitigates
  references: []
- attack_object_id: T1078.004
  attack_object_name: Cloud Accounts
  capability_description: Privileged system access
  capability_group: PR.AA
  capability_id: PR.AA-05.02
  comments: This diagnostic statement protects against Cloud Accounts through the
    use of privileged account management and the use of multi-factor authentication.
  mapping_type: mitigates
  references: []
- attack_object_id: T1098
  attack_object_name: Account Manipulation
  capability_description: Privileged system access
  capability_group: PR.AA
  capability_id: PR.AA-05.02
  comments: This diagnostic statement protects against Account Manipulation through
    the use of privileged account management and the use of multi-factor authentication.
  mapping_type: mitigates
  references: []
- attack_object_id: T1098.001
  attack_object_name: Additional Cloud Credentials
  capability_description: Privileged system access
  capability_group: PR.AA
  capability_id: PR.AA-05.02
  comments: This diagnostic statement protects against Additional Cloud Credentials
    through the use of privileged account management and the use of multi-factor authentication.
  mapping_type: mitigates
  references: []
- attack_object_id: T1098.002
  attack_object_name: Additional Email Delegate Permissions
  capability_description: Privileged system access
  capability_group: PR.AA
  capability_id: PR.AA-05.02
  comments: This diagnostic statement protects against Additional Email Delegate Permissions
    through the use of privileged account management and the use of multi-factor authentication.
  mapping_type: mitigates
  references: []
- attack_object_id: T1098.003
  attack_object_name: Additional Cloud Roles
  capability_description: Privileged system access
  capability_group: PR.AA
  capability_id: PR.AA-05.02
  comments: This diagnostic statement protects against Additional Cloud Roles through
    the use of privileged account management and the use of multi-factor authentication.
  mapping_type: mitigates
  references: []
- attack_object_id: T1098.005
  attack_object_name: Device Registration
  capability_description: Privileged system access
  capability_group: PR.AA
  capability_id: PR.AA-05.02
  comments: This diagnostic statement protects against Device Registration through
    the use of privileged account management and the use of multi-factor authentication.
  mapping_type: mitigates
  references: []
- attack_object_id: T1098.006
  attack_object_name: Additional Container Cluster Roles
  capability_description: Privileged system access
  capability_group: PR.AA
  capability_id: PR.AA-05.02
  comments: This diagnostic statement protects against Additional Container Cluster
    Roles through the use of privileged account management and the use of multi-factor
    authentication.
  mapping_type: mitigates
  references: []
- attack_object_id: T1110
  attack_object_name: Brute Force
  capability_description: Privileged system access
  capability_group: PR.AA
  capability_id: PR.AA-05.02
  comments: This diagnostic statement protects against Brute Force through the use
    of privileged account management and the use of multi-factor authentication.
  mapping_type: mitigates
  references: []
- attack_object_id: T1110.001
  attack_object_name: Password Guessing
  capability_description: Privileged system access
  capability_group: PR.AA
  capability_id: PR.AA-05.02
  comments: This diagnostic statement protects against Password Guessing through the
    use of privileged account management and the use of multi-factor authentication.
  mapping_type: mitigates
  references: []
- attack_object_id: T1110.002
  attack_object_name: Password Cracking
  capability_description: Privileged system access
  capability_group: PR.AA
  capability_id: PR.AA-05.02
  comments: This diagnostic statement protects against Password Cracking through the
    use of privileged account management and the use of multi-factor authentication.
  mapping_type: mitigates
  references: []
- attack_object_id: T1110.003
  attack_object_name: Password Spraying
  capability_description: Privileged system access
  capability_group: PR.AA
  capability_id: PR.AA-05.02
  comments: This diagnostic statement protects against Password Spraying through the
    use of privileged account management and the use of multi-factor authentication.
  mapping_type: mitigates
  references: []
- attack_object_id: T1110.004
  attack_object_name: Credential Stuffing
  capability_description: Privileged system access
  capability_group: PR.AA
  capability_id: PR.AA-05.02
  comments: This diagnostic statement protects against Credential Stuffing through
    the use of privileged account management and the use of multi-factor authentication.
  mapping_type: mitigates
  references: []
- attack_object_id: T1114
  attack_object_name: Email Collection
  capability_description: Privileged system access
  capability_group: PR.AA
  capability_id: PR.AA-05.02
  comments: This diagnostic statement protects against Email Collection through the
    use of privileged account management and the use of multi-factor authentication.
  mapping_type: mitigates
  references: []
- attack_object_id: T1114.002
  attack_object_name: Remote Email Collection
  capability_description: Privileged system access
  capability_group: PR.AA
  capability_id: PR.AA-05.02
  comments: This diagnostic statement protects against Remote Email Collection through
    the use of privileged account management and the use of multi-factor authentication.
  mapping_type: mitigates
  references: []
- attack_object_id: T1133
  attack_object_name: External Remote Services
  capability_description: Privileged system access
  capability_group: PR.AA
  capability_id: PR.AA-05.02
  comments: This diagnostic statement protects against External Remote Services through
    the use of privileged account management and the use of multi-factor authentication.
  mapping_type: mitigates
  references: []
- attack_object_id: T1134
  attack_object_name: Access Token Manipulation
  capability_description: Privileged system access
  capability_group: PR.AA
  capability_id: PR.AA-05.02
  comments: This diagnostic statement protects against Access Token Manipulation through
    the use of privileged account management and the use of multi-factor authentication.
  mapping_type: mitigates
  references: []
- attack_object_id: T1134.001
  attack_object_name: Token Impersonation/Theft
  capability_description: Privileged system access
  capability_group: PR.AA
  capability_id: PR.AA-05.02
  comments: This diagnostic statement protects against Token Impersonation/Theft through
    the use of privileged account management and the use of multi-factor authentication.
  mapping_type: mitigates
  references: []
- attack_object_id: T1134.002
  attack_object_name: Create Process with Token
  capability_description: Privileged system access
  capability_group: PR.AA
  capability_id: PR.AA-05.02
  comments: This diagnostic statement protects against Create Process with Token through
    the use of privileged account management and the use of multi-factor authentication.
  mapping_type: mitigates
  references: []
- attack_object_id: T1134.003
  attack_object_name: Make and Impersonate Token
  capability_description: Privileged system access
  capability_group: PR.AA
  capability_id: PR.AA-05.02
  comments: This diagnostic statement protects against Make and Impersonate Token
    through the use of privileged account management and the use of multi-factor authentication.
  mapping_type: mitigates
  references: []
- attack_object_id: T1136
  attack_object_name: Create Account
  capability_description: Privileged system access
  capability_group: PR.AA
  capability_id: PR.AA-05.02
  comments: This diagnostic statement protects against Create Account through the
    use of privileged account management and the use of multi-factor authentication.
  mapping_type: mitigates
  references: []
- attack_object_id: T1136.001
  attack_object_name: Local Account
  capability_description: Privileged system access
  capability_group: PR.AA
  capability_id: PR.AA-05.02
  comments: This diagnostic statement protects against Local Account through the use
    of privileged account management and the use of multi-factor authentication.
  mapping_type: mitigates
  references: []
- attack_object_id: T1136.002
  attack_object_name: Domain Account
  capability_description: Privileged system access
  capability_group: PR.AA
  capability_id: PR.AA-05.02
  comments: This diagnostic statement protects against Domain Account through the
    use of privileged account management and the use of multi-factor authentication.
  mapping_type: mitigates
  references: []
- attack_object_id: T1136.003
  attack_object_name: Cloud Account
  capability_description: Privileged system access
  capability_group: PR.AA
  capability_id: PR.AA-05.02
  comments: This diagnostic statement protects against Cloud Account through the use
    of privileged account management and the use of multi-factor authentication.
  mapping_type: mitigates
  references: []
- attack_object_id: T1190
  attack_object_name: Exploit Public-Facing Application
  capability_description: Privileged system access
  capability_group: PR.AA
  capability_id: PR.AA-05.02
  comments: This diagnostic statement protects against Exploit Public-Facing Application
    through the use of privileged account management and the use of multi-factor authentication.
  mapping_type: mitigates
  references: []
- attack_object_id: T1199
  attack_object_name: Trusted Relationship
  capability_description: Privileged system access
  capability_group: PR.AA
  capability_id: PR.AA-05.02
  comments: This diagnostic statement protects against Trusted Relationship through
    the use of privileged account management and the use of multi-factor authentication.
  mapping_type: mitigates
  references: []
- attack_object_id: T1210
  attack_object_name: Exploitation of Remote Services
  capability_description: Privileged system access
  capability_group: PR.AA
  capability_id: PR.AA-05.02
  comments: This diagnostic statement protects against Exploitation of Remote Services
    through the use of privileged account management and the use of multi-factor authentication.
  mapping_type: mitigates
  references: []
- attack_object_id: T1213
  attack_object_name: Data from Information Repositories
  capability_description: Privileged system access
  capability_group: PR.AA
  capability_id: PR.AA-05.02
  comments: This diagnostic statement protects against Data from Information Repositories
    through the use of privileged account management and the use of multi-factor authentication.
  mapping_type: mitigates
  references: []
- attack_object_id: T1213.003
  attack_object_name: Code Repositories
  capability_description: Privileged system access
  capability_group: PR.AA
  capability_id: PR.AA-05.02
  comments: This diagnostic statement protects against Code Repositories through the
    use of privileged account management and the use of multi-factor authentication.
  mapping_type: mitigates
  references: []
- attack_object_id: T1218
  attack_object_name: System Binary Proxy Execution
  capability_description: Privileged system access
  capability_group: PR.AA
  capability_id: PR.AA-05.02
  comments: This diagnostic statement protects against System Binary Proxy Execution
    through the use of privileged account management and the use of multi-factor authentication.
  mapping_type: mitigates
  references: []
- attack_object_id: T1218.007
  attack_object_name: Msiexec
  capability_description: Privileged system access
  capability_group: PR.AA
  capability_id: PR.AA-05.02
  comments: This diagnostic statement protects against Msiexec through the use of
    privileged account management and the use of multi-factor authentication.
  mapping_type: mitigates
  references: []
- attack_object_id: T1222
  attack_object_name: File and Directory Permissions Modification
  capability_description: Privileged system access
  capability_group: PR.AA
  capability_id: PR.AA-05.02
  comments: This diagnostic statement protects against File and Directory Permissions
    Modification through the use of privileged account management and the use of multi-factor
    authentication.
  mapping_type: mitigates
  references: []
- attack_object_id: T1222.001
  attack_object_name: Windows File and Directory Permissions Modification
  capability_description: Privileged system access
  capability_group: PR.AA
  capability_id: PR.AA-05.02
  comments: This diagnostic statement protects against Windows File and Directory
    Permissions Modification through the use of privileged account management and
    the use of multi-factor authentication.
  mapping_type: mitigates
  references: []
- attack_object_id: T1222.002
  attack_object_name: Linux and Mac File and Directory Permissions Modification
  capability_description: Privileged system access
  capability_group: PR.AA
  capability_id: PR.AA-05.02
  comments: This diagnostic statement protects against Linux and Mac File and Directory
    Permissions Modification through the use of privileged account management and
    the use of multi-factor authentication.
  mapping_type: mitigates
  references: []
- attack_object_id: T1484
  attack_object_name: Domain or Tenant Policy Modification
  capability_description: Privileged system access
  capability_group: PR.AA
  capability_id: PR.AA-05.02
  comments: This diagnostic statement protects against Domain or Tenant Policy Modification
    through the use of privileged account management and the use of multi-factor authentication.
  mapping_type: mitigates
  references: []
- attack_object_id: T1484.002
  attack_object_name: Trust Modification
  capability_description: Privileged system access
  capability_group: PR.AA
  capability_id: PR.AA-05.02
  comments: This diagnostic statement protects against Trust Modification through
    the use of privileged account management and the use of multi-factor authentication.
  mapping_type: mitigates
  references: []
- attack_object_id: T1485
  attack_object_name: Data Destruction
  capability_description: Privileged system access
  capability_group: PR.AA
  capability_id: PR.AA-05.02
  comments: This diagnostic statement protects against Data Destruction through the
    use of privileged account management and the use of multi-factor authentication.
  mapping_type: mitigates
  references: []
- attack_object_id: T1495
  attack_object_name: Firmware Corruption
  capability_description: Privileged system access
  capability_group: PR.AA
  capability_id: PR.AA-05.02
  comments: This diagnostic statement protects against Firmware Corruption through
    the use of privileged account management and the use of multi-factor authentication.
  mapping_type: mitigates
  references: []
- attack_object_id: T1505
  attack_object_name: Server Software Component
  capability_description: Privileged system access
  capability_group: PR.AA
  capability_id: PR.AA-05.02
  comments: This diagnostic statement protects against Server Software Component through
    the use of privileged account management and the use of multi-factor authentication.
  mapping_type: mitigates
  references: []
- attack_object_id: T1505.001
  attack_object_name: SQL Stored Procedures
  capability_description: Privileged system access
  capability_group: PR.AA
  capability_id: PR.AA-05.02
  comments: This diagnostic statement protects against SQL Stored Procedures through
    the use of privileged account management and the use of multi-factor authentication.
  mapping_type: mitigates
  references: []
- attack_object_id: T1505.002
  attack_object_name: Transport Agent
  capability_description: Privileged system access
  capability_group: PR.AA
  capability_id: PR.AA-05.02
  comments: This diagnostic statement protects against Transport Agent through the
    use of privileged account management and the use of multi-factor authentication.
  mapping_type: mitigates
  references: []
- attack_object_id: T1505.004
  attack_object_name: IIS Components
  capability_description: Privileged system access
  capability_group: PR.AA
  capability_id: PR.AA-05.02
  comments: This diagnostic statement protects against IIS Components through the
    use of privileged account management and the use of multi-factor authentication.
  mapping_type: mitigates
  references: []
- attack_object_id: T1525
  attack_object_name: Implant Internal Image
  capability_description: Privileged system access
  capability_group: PR.AA
  capability_id: PR.AA-05.02
  comments: This diagnostic statement protects against Implant Internal Image through
    the use of privileged account management and the use of multi-factor authentication.
  mapping_type: mitigates
  references: []
- attack_object_id: T1530
  attack_object_name: Data from Cloud Storage
  capability_description: Privileged system access
  capability_group: PR.AA
  capability_id: PR.AA-05.02
  comments: This diagnostic statement protects against Data from Cloud Storage through
    the use of privileged account management and the use of multi-factor authentication.
  mapping_type: mitigates
  references: []
- attack_object_id: T1539
  attack_object_name: Steal Web Session Cookie
  capability_description: Privileged system access
  capability_group: PR.AA
  capability_id: PR.AA-05.02
  comments: This diagnostic statement protects against Steal Web Session Cookie through
    the use of privileged account management and the use of multi-factor authentication.
  mapping_type: mitigates
  references: []
- attack_object_id: T1542
  attack_object_name: Pre-OS Boot
  capability_description: Privileged system access
  capability_group: PR.AA
  capability_id: PR.AA-05.02
  comments: This diagnostic statement protects against Pre-OS Boot through the use
    of privileged account management and the use of multi-factor authentication.
  mapping_type: mitigates
  references: []
- attack_object_id: T1542.001
  attack_object_name: System Firmware
  capability_description: Privileged system access
  capability_group: PR.AA
  capability_id: PR.AA-05.02
  comments: This diagnostic statement protects against System Firmware through the
    use of privileged account management and the use of multi-factor authentication.
  mapping_type: mitigates
  references: []
- attack_object_id: T1542.003
  attack_object_name: Bootkit
  capability_description: Privileged system access
  capability_group: PR.AA
  capability_id: PR.AA-05.02
  comments: This diagnostic statement protects against Bootkit through the use of
    privileged account management and the use of multi-factor authentication.
  mapping_type: mitigates
  references: []
- attack_object_id: T1542.005
  attack_object_name: TFTP Boot
  capability_description: Privileged system access
  capability_group: PR.AA
  capability_id: PR.AA-05.02
  comments: This diagnostic statement protects against TFTP Boot through the use of
    privileged account management and the use of multi-factor authentication.
  mapping_type: mitigates
  references: []
- attack_object_id: T1543
  attack_object_name: Create or Modify System Process
  capability_description: Privileged system access
  capability_group: PR.AA
  capability_id: PR.AA-05.02
  comments: This diagnostic statement protects against Create or Modify System Process
    through the use of privileged account management and the use of multi-factor authentication.
  mapping_type: mitigates
  references: []
- attack_object_id: T1543.002
  attack_object_name: Systemd Service
  capability_description: Privileged system access
  capability_group: PR.AA
  capability_id: PR.AA-05.02
  comments: This diagnostic statement protects against Systemd Service through the
    use of privileged account management and the use of multi-factor authentication.
  mapping_type: mitigates
  references: []
- attack_object_id: T1546
  attack_object_name: Event Triggered Execution
  capability_description: Privileged system access
  capability_group: PR.AA
  capability_id: PR.AA-05.02
  comments: This diagnostic statement protects against Event Triggered Execution through
    the use of privileged account management and the use of multi-factor authentication.
  mapping_type: mitigates
  references: []
- attack_object_id: T1546.003
  attack_object_name: Windows Management Instrumentation Event Subscription
  capability_description: Privileged system access
  capability_group: PR.AA
  capability_id: PR.AA-05.02
  comments: This diagnostic statement protects against Windows Management Instrumentation
    Event Subscription through the use of privileged account management and the use
    of multi-factor authentication.
  mapping_type: mitigates
  references: []
- attack_object_id: T1547
  attack_object_name: Boot or Logon Autostart Execution
  capability_description: Privileged system access
  capability_group: PR.AA
  capability_id: PR.AA-05.02
  comments: This diagnostic statement protects against Boot or Logon Autostart Execution
    through the use of privileged account management and the use of multi-factor authentication.
  mapping_type: mitigates
  references: []
- attack_object_id: T1547.006
  attack_object_name: Kernel Modules and Extensions
  capability_description: Privileged system access
  capability_group: PR.AA
  capability_id: PR.AA-05.02
  comments: This diagnostic statement protects against Kernel Modules and Extensions
    through the use of privileged account management and the use of multi-factor authentication.
  mapping_type: mitigates
  references: []
- attack_object_id: T1548
  attack_object_name: Abuse Elevation Control Mechanism
  capability_description: Privileged system access
  capability_group: PR.AA
  capability_id: PR.AA-05.02
  comments: This diagnostic statement protects against Abuse Elevation Control Mechanism
    through the use of privileged account management and the use of multi-factor authentication.
  mapping_type: mitigates
  references: []
- attack_object_id: T1548.002
  attack_object_name: Bypass User Account Control
  capability_description: Privileged system access
  capability_group: PR.AA
  capability_id: PR.AA-05.02
  comments: This diagnostic statement protects against Bypass User Account Control
    through the use of privileged account management and the use of multi-factor authentication.
  mapping_type: mitigates
  references: []
- attack_object_id: T1548.003
  attack_object_name: Sudo and Sudo Caching
  capability_description: Privileged system access
  capability_group: PR.AA
  capability_id: PR.AA-05.02
  comments: This diagnostic statement protects against Sudo and Sudo Caching through
    the use of privileged account management and the use of multi-factor authentication.
  mapping_type: mitigates
  references: []
- attack_object_id: T1548.006
  attack_object_name: TCC Manipulation
  capability_description: Privileged system access
  capability_group: PR.AA
  capability_id: PR.AA-05.02
  comments: This diagnostic statement protects against TCC Manipulation through the
    use of privileged account management and the use of multi-factor authentication.
  mapping_type: mitigates
  references: []
- attack_object_id: T1550
  attack_object_name: Use Alternate Authentication Material
  capability_description: Privileged system access
  capability_group: PR.AA
  capability_id: PR.AA-05.02
  comments: This diagnostic statement protects against Use Alternate Authentication
    Material through the use of privileged account management and the use of multi-factor
    authentication.
  mapping_type: mitigates
  references: []
- attack_object_id: T1550.002
  attack_object_name: Pass the Hash
  capability_description: Privileged system access
  capability_group: PR.AA
  capability_id: PR.AA-05.02
  comments: This diagnostic statement protects against Pass the Hash through the use
    of privileged account management and the use of multi-factor authentication.
  mapping_type: mitigates
  references: []
- attack_object_id: T1550.003
  attack_object_name: Pass the Ticket
  capability_description: Privileged system access
  capability_group: PR.AA
  capability_id: PR.AA-05.02
  comments: This diagnostic statement protects against Pass the Ticket through the
    use of privileged account management and the use of multi-factor authentication.
  mapping_type: mitigates
  references: []
- attack_object_id: T1552
  attack_object_name: Unsecured Credentials
  capability_description: Privileged system access
  capability_group: PR.AA
  capability_id: PR.AA-05.02
  comments: This diagnostic statement protects against Unsecured Credentials through
    the use of privileged account management and the use of multi-factor authentication.
  mapping_type: mitigates
  references: []
- attack_object_id: T1552.002
  attack_object_name: Credentials in Registry
  capability_description: Privileged system access
  capability_group: PR.AA
  capability_id: PR.AA-05.02
  comments: This diagnostic statement protects against Credentials in Registry through
    the use of privileged account management and the use of multi-factor authentication.
  mapping_type: mitigates
  references: []
- attack_object_id: T1552.007
  attack_object_name: Container API
  capability_description: Privileged system access
  capability_group: PR.AA
  capability_id: PR.AA-05.02
  comments: This diagnostic statement protects against Container API through the use
    of privileged account management and the use of multi-factor authentication.
  mapping_type: mitigates
  references: []
- attack_object_id: T1553
  attack_object_name: Subvert Trust Controls
  capability_description: Privileged system access
  capability_group: PR.AA
  capability_id: PR.AA-05.02
  comments: This diagnostic statement protects against Subvert Trust Controls through
    the use of privileged account management and the use of multi-factor authentication.
  mapping_type: mitigates
  references: []
- attack_object_id: T1553.006
  attack_object_name: Code Signing Policy Modification
  capability_description: Privileged system access
  capability_group: PR.AA
  capability_id: PR.AA-05.02
  comments: This diagnostic statement protects against Code Signing Policy Modification
    through the use of privileged account management and the use of multi-factor authentication.
  mapping_type: mitigates
  references: []
- attack_object_id: T1555
  attack_object_name: Credentials from Password Stores
  capability_description: Privileged system access
  capability_group: PR.AA
  capability_id: PR.AA-05.02
  comments: This diagnostic statement protects against Credentials from Password Stores
    through the use of privileged account management and the use of multi-factor authentication.
  mapping_type: mitigates
  references: []
- attack_object_id: T1555.006
  attack_object_name: Cloud Secrets Management Stores
  capability_description: Privileged system access
  capability_group: PR.AA
  capability_id: PR.AA-05.02
  comments: This diagnostic statement protects against Cloud Secrets Management Stores
    through the use of privileged account management and the use of multi-factor authentication.
  mapping_type: mitigates
  references: []
- attack_object_id: T1556
  attack_object_name: Modify Authentication Process
  capability_description: Privileged system access
  capability_group: PR.AA
  capability_id: PR.AA-05.02
  comments: This diagnostic statement protects against Modify Authentication Process
    through the use of privileged account management and the use of multi-factor authentication.
  mapping_type: mitigates
  references: []
- attack_object_id: T1556.001
  attack_object_name: Domain Controller Authentication
  capability_description: Privileged system access
  capability_group: PR.AA
  capability_id: PR.AA-05.02
  comments: This diagnostic statement protects against Domain Controller Authentication
    through the use of privileged account management and the use of multi-factor authentication.
  mapping_type: mitigates
  references: []
- attack_object_id: T1556.003
  attack_object_name: Pluggable Authentication Modules
  capability_description: Privileged system access
  capability_group: PR.AA
  capability_id: PR.AA-05.02
  comments: This diagnostic statement protects against Pluggable Authentication Modules
    through the use of privileged account management and the use of multi-factor authentication.
  mapping_type: mitigates
  references: []
- attack_object_id: T1556.004
  attack_object_name: Network Device Authentication
  capability_description: Privileged system access
  capability_group: PR.AA
  capability_id: PR.AA-05.02
  comments: This diagnostic statement protects against Network Device Authentication
    through the use of privileged account management and the use of multi-factor authentication.
  mapping_type: mitigates
  references: []
- attack_object_id: T1556.005
  attack_object_name: Reversible Encryption
  capability_description: Privileged system access
  capability_group: PR.AA
  capability_id: PR.AA-05.02
  comments: This diagnostic statement protects against Reversible Encryption through
    the use of privileged account management and the use of multi-factor authentication.
  mapping_type: mitigates
  references: []
- attack_object_id: T1556.006
  attack_object_name: Multi-Factor Authentication
  capability_description: Privileged system access
  capability_group: PR.AA
  capability_id: PR.AA-05.02
  comments: This diagnostic statement protects against the Multi-Factor Authentication
    sub-technique of Modify Authentication Process (T1556.006) through the use of privileged
    account management and the use of multi-factor authentication.
  mapping_type: mitigates
  references: []
- attack_object_id: T1556.007
  attack_object_name: Hybrid Identity
  capability_description: Privileged system access
  capability_group: PR.AA
  capability_id: PR.AA-05.02
  comments: This diagnostic statement protects against Hybrid Identity through the
    use of privileged account management and the use of multi-factor authentication.
  mapping_type: mitigates
  references: []
- attack_object_id: T1558
  attack_object_name: Steal or Forge Kerberos Tickets
  capability_description: Privileged system access
  capability_group: PR.AA
  capability_id: PR.AA-05.02
  comments: This diagnostic statement protects against Steal or Forge Kerberos Tickets
    through the use of privileged account management and the use of multi-factor authentication.
  mapping_type: mitigates
  references: []
- attack_object_id: T1558.001
  attack_object_name: Golden Ticket
  capability_description: Privileged system access
  capability_group: PR.AA
  capability_id: PR.AA-05.02
  comments: This diagnostic statement protects against Golden Ticket through the use
    of privileged account management and the use of multi-factor authentication.
  mapping_type: mitigates
  references: []
- attack_object_id: T1558.002
  attack_object_name: Silver Ticket
  capability_description: Privileged system access
  capability_group: PR.AA
  capability_id: PR.AA-05.02
  comments: This diagnostic statement protects against Silver Ticket through the use
    of privileged account management and the use of multi-factor authentication.
  mapping_type: mitigates
  references: []
- attack_object_id: T1558.003
  attack_object_name: Kerberoasting
  capability_description: Privileged system access
  capability_group: PR.AA
  capability_id: PR.AA-05.02
  comments: This diagnostic statement protects against Kerberoasting through the use
    of privileged account management and the use of multi-factor authentication.
  mapping_type: mitigates
  references: []
- attack_object_id: T1559
  attack_object_name: Inter-Process Communication
  capability_description: Privileged system access
  capability_group: PR.AA
  capability_id: PR.AA-05.02
  comments: This diagnostic statement protects against Inter-Process Communication
    through the use of privileged account management and the use of multi-factor authentication.
  mapping_type: mitigates
  references: []
- attack_object_id: T1559.001
  attack_object_name: Component Object Model
  capability_description: Privileged system access
  capability_group: PR.AA
  capability_id: PR.AA-05.02
  comments: This diagnostic statement protects against Component Object Model through
    the use of privileged account management and the use of multi-factor authentication.
  mapping_type: mitigates
  references: []
- attack_object_id: T1562
  attack_object_name: Impair Defenses
  capability_description: Privileged system access
  capability_group: PR.AA
  capability_id: PR.AA-05.02
  comments: This diagnostic statement protects against Impair Defenses through the
    use of privileged account management and the use of multi-factor authentication.
  mapping_type: mitigates
  references: []
- attack_object_id: T1562.009
  attack_object_name: Safe Mode Boot
  capability_description: Privileged system access
  capability_group: PR.AA
  capability_id: PR.AA-05.02
  comments: This diagnostic statement protects against Safe Mode Boot through the
    use of privileged account management and the use of multi-factor authentication.
  mapping_type: mitigates
  references: []
- attack_object_id: T1563
  attack_object_name: Remote Service Session Hijacking
  capability_description: Privileged system access
  capability_group: PR.AA
  capability_id: PR.AA-05.02
  comments: This diagnostic statement protects against Remote Service Session Hijacking
    through the use of privileged account management and the use of multi-factor authentication.
  mapping_type: mitigates
  references: []
- attack_object_id: T1563.001
  attack_object_name: SSH Hijacking
  capability_description: Privileged system access
  capability_group: PR.AA
  capability_id: PR.AA-05.02
  comments: This diagnostic statement protects against SSH Hijacking through the use
    of privileged account management and the use of multi-factor authentication.
  mapping_type: mitigates
  references: []
- attack_object_id: T1563.002
  attack_object_name: RDP Hijacking
  capability_description: Privileged system access
  capability_group: PR.AA
  capability_id: PR.AA-05.02
  comments: This diagnostic statement protects against RDP Hijacking through the use
    of privileged account management and the use of multi-factor authentication.
  mapping_type: mitigates
  references: []
- attack_object_id: T1569
  attack_object_name: System Services
  capability_description: Privileged system access
  capability_group: PR.AA
  capability_id: PR.AA-05.02
  comments: This diagnostic statement protects against System Services through the
    use of privileged account management and the use of multi-factor authentication.
  mapping_type: mitigates
  references: []
- attack_object_id: T1569.002
  attack_object_name: Service Execution
  capability_description: Privileged system access
  capability_group: PR.AA
  capability_id: PR.AA-05.02
  comments: This diagnostic statement protects against Service Execution through the
    use of privileged account management and the use of multi-factor authentication.
  mapping_type: mitigates
  references: []
- attack_object_id: T1599
  attack_object_name: Network Boundary Bridging
  capability_description: Privileged system access
  capability_group: PR.AA
  capability_id: PR.AA-05.02
  comments: This diagnostic statement protects against Network Boundary Bridging through
    the use of privileged account management and the use of multi-factor authentication.
  mapping_type: mitigates
  references: []
- attack_object_id: T1599.001
  attack_object_name: Network Address Translation Traversal
  capability_description: Privileged system access
  capability_group: PR.AA
  capability_id: PR.AA-05.02
  comments: This diagnostic statement protects against Network Address Translation
    Traversal through the use of privileged account management and the use of multi-factor
    authentication.
  mapping_type: mitigates
  references: []
- attack_object_id: T1601
  attack_object_name: Modify System Image
  capability_description: Privileged system access
  capability_group: PR.AA
  capability_id: PR.AA-05.02
  comments: This diagnostic statement protects against Modify System Image through
    the use of privileged account management and the use of multi-factor authentication.
  mapping_type: mitigates
  references: []
- attack_object_id: T1601.001
  attack_object_name: Patch System Image
  capability_description: Privileged system access
  capability_group: PR.AA
  capability_id: PR.AA-05.02
  comments: This diagnostic statement protects against Patch System Image through
    the use of privileged account management and the use of multi-factor authentication.
  mapping_type: mitigates
  references: []
- attack_object_id: T1601.002
  attack_object_name: Downgrade System Image
  capability_description: Privileged system access
  capability_group: PR.AA
  capability_id: PR.AA-05.02
  comments: This diagnostic statement protects against Downgrade System Image through
    the use of privileged account management and the use of multi-factor authentication.
  mapping_type: mitigates
  references: []
- attack_object_id: T1606
  attack_object_name: Forge Web Credentials
  capability_description: Privileged system access
  capability_group: PR.AA
  capability_id: PR.AA-05.02
  comments: This diagnostic statement protects against Forge Web Credentials through
    the use of privileged account management and the use of multi-factor authentication.
  mapping_type: mitigates
  references: []
- attack_object_id: T1606.002
  attack_object_name: SAML Tokens
  capability_description: Privileged system access
  capability_group: PR.AA
  capability_id: PR.AA-05.02
  comments: This diagnostic statement protects against SAML Tokens through the use
    of privileged account management and the use of multi-factor authentication.
  mapping_type: mitigates
  references: []
- attack_object_id: T1609
  attack_object_name: Container Administration Command
  capability_description: Privileged system access
  capability_group: PR.AA
  capability_id: PR.AA-05.02
  comments: This diagnostic statement protects against Container Administration Command
    through the use of privileged account management and the use of multi-factor authentication.
  mapping_type: mitigates
  references: []
- attack_object_id: T1611
  attack_object_name: Escape to Host
  capability_description: Privileged system access
  capability_group: PR.AA
  capability_id: PR.AA-05.02
  comments: This diagnostic statement protects against Escape to Host through the
    use of privileged account management and the use of multi-factor authentication.
  mapping_type: mitigates
  references: []
- attack_object_id: T1612
  attack_object_name: Build Image on Host
  capability_description: Privileged system access
  capability_group: PR.AA
  capability_id: PR.AA-05.02
  comments: This diagnostic statement protects against Build Image on Host through
    the use of privileged account management and the use of multi-factor authentication.
  mapping_type: mitigates
  references: []
- attack_object_id: T1621
  attack_object_name: Multi-Factor Authentication Request Generation
  capability_description: Privileged system access
  capability_group: PR.AA
  capability_id: PR.AA-05.02
  comments: This diagnostic statement protects against Multi-Factor Authentication
    Request Generation through the use of privileged account management and the use
    of multi-factor authentication.
  mapping_type: mitigates
  references: []
- attack_object_id: T1651
  attack_object_name: Cloud Administration Command
  capability_description: Privileged system access
  capability_group: PR.AA
  capability_id: PR.AA-05.02
  comments: This diagnostic statement protects against Cloud Administration Command
    through the use of privileged account management and the use of multi-factor authentication.
  mapping_type: mitigates
  references: []
- attack_object_id: T1003
  attack_object_name: OS Credential Dumping
  capability_description: Software and data integrity checking
  capability_group: DE.CM
  capability_id: DE.CM-09.01
  comments: This diagnostic statement protects against OS Credential Dumping by verifying
    the integrity of software/firmware, loading trusted software, ensuring privileged
    process integrity, and checking software signatures.
  mapping_type: mitigates
  references: []
- attack_object_id: T1003.001
  attack_object_name: LSASS Memory
  capability_description: Software and data integrity checking
  capability_group: DE.CM
  capability_id: DE.CM-09.01
  comments: This diagnostic statement protects against LSASS Memory by verifying the
    integrity of software/firmware, loading trusted software, ensuring privileged process
    integrity, and checking software signatures.
  mapping_type: mitigates
  references: []
- attack_object_id: T1036
  attack_object_name: Masquerading
  capability_description: Software and data integrity checking
  capability_group: DE.CM
  capability_id: DE.CM-09.01
  comments: This diagnostic statement protects against Masquerading by verifying the
    integrity of software/firmware, loading trusted software, ensuring privileged process
    integrity, and checking software signatures.
  mapping_type: mitigates
  references: []
- attack_object_id: T1036.001
  attack_object_name: Invalid Code Signature
  capability_description: Software and data integrity checking
  capability_group: DE.CM
  capability_id: DE.CM-09.01
  comments: This diagnostic statement protects against Invalid Code Signature by verifying
    the integrity of software/firmware, loading trusted software, ensuring privileged
    process integrity, and checking software signatures.
  mapping_type: mitigates
  references: []
- attack_object_id: T1036.005
  attack_object_name: Match Legitimate Name or Location
  capability_description: Software and data integrity checking
  capability_group: DE.CM
  capability_id: DE.CM-09.01
  comments: This diagnostic statement protects against Match Legitimate Name or Location
    by verifying the integrity of software/firmware, loading trusted software, ensuring
    privileged process integrity, and checking software signatures.
  mapping_type: mitigates
  references: []
- attack_object_id: T1059
  attack_object_name: Command and Scripting Interpreter
  capability_description: Software and data integrity checking
  capability_group: DE.CM
  capability_id: DE.CM-09.01
  comments: This diagnostic statement protects against Command and Scripting Interpreter
    by verifying the integrity of software/firmware, loading trusted software, ensuring
    privileged process integrity, and checking software signatures.
  mapping_type: mitigates
  references: []
- attack_object_id: T1059.001
  attack_object_name: PowerShell
  capability_description: Software and data integrity checking
  capability_group: DE.CM
  capability_id: DE.CM-09.01
  comments: This diagnostic statement protects against PowerShell by verifying the
    integrity of software/firmware, loading trusted software, ensuring privileged process
    integrity, and checking software signatures.
  mapping_type: mitigates
  references: []
- attack_object_id: T1059.002
  attack_object_name: AppleScript
  capability_description: Software and data integrity checking
  capability_group: DE.CM
  capability_id: DE.CM-09.01
  comments: This diagnostic statement protects against AppleScript by verifying the
    integrity of software/firmware, loading trusted software, ensuring privileged process
    integrity, and checking software signatures.
  mapping_type: mitigates
  references: []
- attack_object_id: T1127
  attack_object_name: Trusted Developer Utilities Proxy Execution
  capability_description: Software and data integrity checking
  capability_group: DE.CM
  capability_id: DE.CM-09.01
  comments: This diagnostic statement protects against Trusted Developer Utilities
    Proxy Execution by verifying the integrity of software/firmware, loading trusted
    software, ensuring privileged process integrity, and checking software signatures.
  mapping_type: mitigates
  references: []
- attack_object_id: T1127.002
  attack_object_name: ClickOnce
  capability_description: Software and data integrity checking
  capability_group: DE.CM
  capability_id: DE.CM-09.01
  comments: This diagnostic statement protects against ClickOnce by verifying the
    integrity of software/firmware, loading trusted software, ensuring privileged process
    integrity, and checking software signatures.
  mapping_type: mitigates
  references: []
- attack_object_id: T1176
  attack_object_name: Browser Extensions
  capability_description: Software and data integrity checking
  capability_group: DE.CM
  capability_id: DE.CM-09.01
  comments: This diagnostic statement protects against Browser Extensions by verifying
    the integrity of software/firmware, loading trusted software, ensuring privileged
    process integrity, and checking software signatures.
  mapping_type: mitigates
  references: []
- attack_object_id: T1195
  attack_object_name: Supply Chain Compromise
  capability_description: Software and data integrity checking
  capability_group: DE.CM
  capability_id: DE.CM-09.01
  comments: This diagnostic statement protects against Supply Chain Compromise by verifying
    the integrity of software/firmware, loading trusted software, ensuring privileged
    process integrity, and checking software signatures.
  mapping_type: mitigates
  references: []
- attack_object_id: T1195.001
  attack_object_name: Compromise Software Dependencies and Development Tools
  capability_description: Software and data integrity checking
  capability_group: DE.CM
  capability_id: DE.CM-09.01
  comments: This diagnostic statement protects against Compromise Software Dependencies
    and Development Tools by verifying the integrity of software/firmware, loading trusted
    software, ensuring privileged process integrity, and checking software signatures.
  mapping_type: mitigates
  references: []
- attack_object_id: T1204.003
  attack_object_name: Malicious Image
  capability_description: Software and data integrity checking
  capability_group: DE.CM
  capability_id: DE.CM-09.01
  comments: This diagnostic statement protects against Malicious Image by verifying
    the integrity of software/firmware, loading trusted software, ensuring privileged
    process integrity, and checking software signatures.
  mapping_type: mitigates
  references: []
- attack_object_id: T1213.004
  attack_object_name: Customer Relationship Management Software
  capability_description: Software and data integrity checking
  capability_group: DE.CM
  capability_id: DE.CM-09.01
  comments: This diagnostic statement protects against Customer Relationship Management
    Software by verifying the integrity of software/firmware, loading trusted software,
    ensuring privileged process integrity, and checking software signatures.
  mapping_type: mitigates
  references: []
- attack_object_id: T1495
  attack_object_name: Firmware Corruption
  capability_description: Software and data integrity checking
  capability_group: DE.CM
  capability_id: DE.CM-09.01
  comments: This diagnostic statement protects against Firmware Corruption by verifying
    the integrity of software/firmware, loading trusted software, ensuring privileged
    process integrity, and checking software signatures.
  mapping_type: mitigates
  references: []
- attack_object_id: T1505
  attack_object_name: Server Software Component
  capability_description: Software and data integrity checking
  capability_group: DE.CM
  capability_id: DE.CM-09.01
  comments: This diagnostic statement protects against Server Software Component by
    verifying the integrity of software/firmware, loading trusted software, ensuring
    privileged process integrity, and checking software signatures.
  mapping_type: mitigates
  references: []
- attack_object_id: T1505.001
  attack_object_name: SQL Stored Procedures
  capability_description: Software and data integrity checking
  capability_group: DE.CM
  capability_id: DE.CM-09.01
  comments: This diagnostic statement protects against SQL Stored Procedures by
    verifying the integrity of software/firmware, loading trusted software, ensuring
    privileged process integrity, and checking software signatures.
  mapping_type: mitigates
  references: []
- attack_object_id: T1505.002
  attack_object_name: Transport Agent
  capability_description: Software and data integrity checking
  capability_group: DE.CM
  capability_id: DE.CM-09.01
  comments: This diagnostic statement protects against Transport Agent by verifying
    the integrity of software/firmware, loading trusted software, ensuring privileged
    process integrity, and checking software signatures.
  mapping_type: mitigates
  references: []
- attack_object_id: T1505.004
  attack_object_name: IIS Components
  capability_description: Software and data integrity checking
  capability_group: DE.CM
  capability_id: DE.CM-09.01
  comments: This diagnostic statement protects against IIS Components by verifying
    the integrity of software/firmware, loading trusted software, ensuring privileged
    process integrity, and checking software signatures.
  mapping_type: mitigates
  references: []
- attack_object_id: T1525
  attack_object_name: Implant Internal Image
  capability_description: Software and data integrity checking
  capability_group: DE.CM
  capability_id: DE.CM-09.01
  comments: This diagnostic statement protects against Implant Internal Image by
    verifying the integrity of software/firmware, loading trusted software, ensuring
    privileged process integrity, and checking software signatures.
  mapping_type: mitigates
  references: []
- attack_object_id: T1537
  attack_object_name: Transfer Data to Cloud Account
  capability_description: Software and data integrity checking
  capability_group: DE.CM
  capability_id: DE.CM-09.01
  comments: This diagnostic statement protects against Transfer Data to Cloud Account
    by verifying the integrity of software/firmware, loading trusted software, ensuring
    privileged process integrity, and checking software signatures.
  mapping_type: mitigates
  references: []
- attack_object_id: T1539
  attack_object_name: Steal Web Session Cookie
  capability_description: Software and data integrity checking
  capability_group: DE.CM
  capability_id: DE.CM-09.01
  comments: This diagnostic statement protects against Steal Web Session Cookie by
    verifying the integrity of software/firmware, loading trusted software, ensuring
    privileged process integrity, and checking software signatures.
  mapping_type: mitigates
  references: []
- attack_object_id: T1542
  attack_object_name: Pre-OS Boot
  capability_description: Software and data integrity checking
  capability_group: DE.CM
  capability_id: DE.CM-09.01
  comments: This diagnostic statement protects against Pre-OS Boot by verifying the
    integrity of software/firmware, loading trusted software, ensuring privileged
    process integrity, and checking software signatures.
  mapping_type: mitigates
  references: []
- attack_object_id: T1542.001
  attack_object_name: System Firmware
  capability_description: Software and data integrity checking
  capability_group: DE.CM
  capability_id: DE.CM-09.01
  comments: This diagnostic statement protects against System Firmware by verifying
    the integrity of software/firmware, loading trusted software, ensuring privileged
    process integrity, and checking software signatures.
  mapping_type: mitigates
  references: []
- attack_object_id: T1542.003
  attack_object_name: Bootkit
  capability_description: Software and data integrity checking
  capability_group: DE.CM
  capability_id: DE.CM-09.01
  comments: This diagnostic statement protects against Bootkit by verifying the
    integrity of software/firmware, loading trusted software, ensuring privileged
    process integrity, and checking software signatures.
  mapping_type: mitigates
  references: []
- attack_object_id: T1542.004
  attack_object_name: ROMMONkit
  capability_description: Software and data integrity checking
  capability_group: DE.CM
  capability_id: DE.CM-09.01
  comments: This diagnostic statement protects against ROMMONkit by verifying the
    integrity of software/firmware, loading trusted software, ensuring privileged
    process integrity, and checking software signatures.
  mapping_type: mitigates
  references: []
- attack_object_id: T1542.005
  attack_object_name: TFTP Boot
  capability_description: Software and data integrity checking
  capability_group: DE.CM
  capability_id: DE.CM-09.01
  comments: This diagnostic statement protects against TFTP Boot by verifying the
    integrity of software/firmware, loading trusted software, ensuring privileged
    process integrity, and checking software signatures.
  mapping_type: mitigates
  references: []
- attack_object_id: T1543
  attack_object_name: Create or Modify System Process
  capability_description: Software and data integrity checking
  capability_group: DE.CM
  capability_id: DE.CM-09.01
  comments: This diagnostic statement protects against Create or Modify System Process
    by verifying the integrity of software/firmware, loading trusted software, ensuring
    privileged process integrity, and checking software signatures.
  mapping_type: mitigates
  references: []
- attack_object_id: T1543.002
  attack_object_name: Systemd Service
  capability_description: Software and data integrity checking
  capability_group: DE.CM
  capability_id: DE.CM-09.01
  comments: This diagnostic statement protects against Systemd Service by verifying
    the integrity of software/firmware, loading trusted software, ensuring privileged
    process integrity, and checking software signatures.
  mapping_type: mitigates
  references: []
- attack_object_id: T1543.003
  attack_object_name: Windows Service
  capability_description: Software and data integrity checking
  capability_group: DE.CM
  capability_id: DE.CM-09.01
  comments: This diagnostic statement protects against Windows Service by verifying
    the integrity of software/firmware, loading trusted software, ensuring privileged
    process integrity, and checking software signatures.
  mapping_type: mitigates
  references: []
- attack_object_id: T1546.006
  attack_object_name: LC_LOAD_DYLIB Addition
  capability_description: Software and data integrity checking
  capability_group: DE.CM
  capability_id: DE.CM-09.01
  comments: This diagnostic statement protects against LC_LOAD_DYLIB Addition by
    verifying the integrity of software/firmware, loading trusted software, ensuring
    privileged process integrity, and checking software signatures.
  mapping_type: mitigates
  references: []
- attack_object_id: T1546.013
  attack_object_name: PowerShell Profile
  capability_description: Software and data integrity checking
  capability_group: DE.CM
  capability_id: DE.CM-09.01
  comments: This diagnostic statement protects against PowerShell Profile by verifying
    the integrity of software/firmware, loading trusted software, ensuring privileged
    process integrity, and checking software signatures.
  mapping_type: mitigates
  references: []
- attack_object_id: T1547.002
  attack_object_name: Authentication Package
  capability_description: Software and data integrity checking
  capability_group: DE.CM
  capability_id: DE.CM-09.01
  comments: This diagnostic statement protects against Authentication Package by
    verifying the integrity of software/firmware, loading trusted software, ensuring
    privileged process integrity, and checking software signatures.
  mapping_type: mitigates
  references: []
- attack_object_id: T1547.005
  attack_object_name: Security Support Provider
  capability_description: Software and data integrity checking
  capability_group: DE.CM
  capability_id: DE.CM-09.01
  comments: This diagnostic statement protects against Security Support Provider by
    verifying the integrity of software/firmware, loading trusted software, ensuring
    privileged process integrity, and checking software signatures.
  mapping_type: mitigates
  references: []
- attack_object_id: T1547.008
  attack_object_name: LSASS Driver
  capability_description: Software and data integrity checking
  capability_group: DE.CM
  capability_id: DE.CM-09.01
  comments: This diagnostic statement protects against LSASS Driver by verifying the
    integrity of software/firmware, loading trusted software, ensuring privileged
    process integrity, and checking software signatures.
  mapping_type: mitigates
  references: []
- attack_object_id: T1547.013
  attack_object_name: XDG Autostart Entries
  capability_description: Software and data integrity checking
  capability_group: DE.CM
  capability_id: DE.CM-09.01
  comments: This diagnostic statement protects against XDG Autostart Entries by
    verifying the integrity of software/firmware, loading trusted software, ensuring
    privileged process integrity, and checking software signatures.
  mapping_type: mitigates
  references: []
- attack_object_id: T1553.006
  attack_object_name: Code Signing Policy Modification
  capability_description: Software and data integrity checking
  capability_group: DE.CM
  capability_id: DE.CM-09.01
  comments: This diagnostic statement protects against Code Signing Policy Modification
    by verifying the integrity of software/firmware, loading trusted software, ensuring
    privileged process integrity, and checking software signatures.
  mapping_type: mitigates
  references: []
- attack_object_id: T1554
  attack_object_name: Compromise Host Software Binary
  capability_description: Software and data integrity checking
  capability_group: DE.CM
  capability_id: DE.CM-09.01
  comments: This diagnostic statement protects against Compromise Host Software Binary
    by verifying the integrity of software/firmware, loading trusted software, ensuring
    privileged process integrity, and checking software signatures.
  mapping_type: mitigates
  references: []
- attack_object_id: T1556
  attack_object_name: Modify Authentication Process
  capability_description: Software and data integrity checking
  capability_group: DE.CM
  capability_id: DE.CM-09.01
  comments: This diagnostic statement protects against Modify Authentication Process
    by verifying the integrity of software/firmware, loading trusted software, ensuring
    privileged process integrity, and checking software signatures.
  mapping_type: mitigates
  references: []
- attack_object_id: T1556.001
  attack_object_name: Domain Controller Authentication
  capability_description: Software and data integrity checking
  capability_group: DE.CM
  capability_id: DE.CM-09.01
  comments: This diagnostic statement protects against Domain Controller Authentication
    by verifying the integrity of software/firmware, loading trusted software, ensuring
    privileged process integrity, and checking software signatures.
  mapping_type: mitigates
  references: []
- attack_object_id: T1574
  attack_object_name: Hijack Execution Flow
  capability_description: Software and data integrity checking
  capability_group: DE.CM
  capability_id: DE.CM-09.01
  comments: This diagnostic statement protects against Hijack Execution Flow by
    verifying the integrity of software/firmware, loading trusted software, ensuring
    privileged process integrity, and checking software signatures.
  mapping_type: mitigates
  references: []
- attack_object_id: T1574.001
  attack_object_name: DLL Search Order Hijacking
  capability_description: Software and data integrity checking
  capability_group: DE.CM
  capability_id: DE.CM-09.01
  comments: This diagnostic statement protects against DLL Search Order Hijacking by
    verifying the integrity of software/firmware, loading trusted software, ensuring
    privileged process integrity, and checking software signatures.
  mapping_type: mitigates
  references: []
- attack_object_id: T1601
  attack_object_name: Modify System Image
  capability_description: Software and data integrity checking
  capability_group: DE.CM
  capability_id: DE.CM-09.01
  comments: This diagnostic statement protects against Modify System Image by verifying
    the integrity of software/firmware, loading trusted software, ensuring privileged
    process integrity, and checking software signatures.
  mapping_type: mitigates
  references: []
- attack_object_id: T1601.001
  attack_object_name: Patch System Image
  capability_description: Software and data integrity checking
  capability_group: DE.CM
  capability_id: DE.CM-09.01
  comments: This diagnostic statement protects against Patch System Image by verifying
    the integrity of software/firmware, loading trusted software, ensuring privileged
    process integrity, and checking software signatures.
  mapping_type: mitigates
  references: []
- attack_object_id: T1601.002
  attack_object_name: Downgrade System Image
  capability_description: Software and data integrity checking
  capability_group: DE.CM
  capability_id: DE.CM-09.01
  comments: This diagnostic statement protects against Downgrade System Image by
    verifying the integrity of software/firmware, loading trusted software, ensuring
    privileged process integrity, and checking software signatures.
  mapping_type: mitigates
  references: []
- attack_object_id: T1548
  attack_object_name: Abuse Elevation Control Mechanism
  capability_description: Third-party access monitoring
  capability_group: DE.CM
  capability_id: DE.CM-06.02
  comments: This diagnostic statement protects against Abuse Elevation Control Mechanism
    through the use of privileged account management. Employing auditing, privileged
    access management, and just-in-time access protects against adversaries trying
    to obtain illicit access to critical systems.
  mapping_type: mitigates
  references: []
- attack_object_id: T1548.002
  attack_object_name: Bypass User Account Control
  capability_description: Third-party access monitoring
  capability_group: DE.CM
  capability_id: DE.CM-06.02
  comments: This diagnostic statement protects against Bypass User Account Control
    through the use of privileged account management. Employing auditing, privileged
    access management, and just-in-time access protects against adversaries trying
    to obtain illicit access to critical systems.
  mapping_type: mitigates
  references: []
- attack_object_id: T1548.003
  attack_object_name: Sudo and Sudo Caching
  capability_description: Third-party access monitoring
  capability_group: DE.CM
  capability_id: DE.CM-06.02
  comments: This diagnostic statement protects against Sudo and Sudo Caching through
    the use of privileged account management. Employing auditing, privileged access
    management, and just-in-time access protects against adversaries trying to obtain
    illicit access to critical systems.
  mapping_type: mitigates
  references: []
- attack_object_id: T1548.006
  attack_object_name: TCC Manipulation
  capability_description: Third-party access monitoring
  capability_group: DE.CM
  capability_id: DE.CM-06.02
  comments: This diagnostic statement protects against TCC Manipulation through the
    use of privileged account management. Employing auditing, privileged access
    management, and just-in-time access protects against adversaries trying to obtain
    illicit access to critical systems.
  mapping_type: mitigates
  references: []
- attack_object_id: T1134
  attack_object_name: Access Token Manipulation
  capability_description: Third-party access monitoring
  capability_group: DE.CM
  capability_id: DE.CM-06.02
  comments: This diagnostic statement protects against Access Token Manipulation through
    the use of privileged account management. Employing auditing, privileged access
    management, and just-in-time access protects against adversaries trying to obtain
    illicit access to critical systems.
  mapping_type: mitigates
  references: []
- attack_object_id: T1134.001
  attack_object_name: Token Impersonation/Theft
  capability_description: Third-party access monitoring
  capability_group: DE.CM
  capability_id: DE.CM-06.02
  comments: This diagnostic statement protects against Token Impersonation/Theft through
    the use of privileged account management. Employing auditing, privileged access
    management, and just-in-time access protects against adversaries trying to obtain
    illicit access to critical systems.
  mapping_type: mitigates
  references: []
- attack_object_id: T1134.002
  attack_object_name: Create Process with Token
  capability_description: Third-party access monitoring
  capability_group: DE.CM
  capability_id: DE.CM-06.02
  comments: This diagnostic statement protects against Create Process with Token through
    the use of privileged account management. Employing auditing, privileged access
    management, and just-in-time access protects against adversaries trying to obtain
    illicit access to critical systems.
  mapping_type: mitigates
  references: []
- attack_object_id: T1134.003
  attack_object_name: Make and Impersonate Token
  capability_description: Third-party access monitoring
  capability_group: DE.CM
  capability_id: DE.CM-06.02
  comments: This diagnostic statement protects against Make and Impersonate Token
    through the use of privileged account management. Employing auditing, privileged
    access management, and just-in-time access protects against adversaries trying
    to obtain illicit access to critical systems.
  mapping_type: mitigates
  references: []
- attack_object_id: T1098
  attack_object_name: Account Manipulation
  capability_description: Third-party access monitoring
  capability_group: DE.CM
  capability_id: DE.CM-06.02
  comments: This diagnostic statement protects against Account Manipulation through
    the use of privileged account management. Employing auditing, privileged access
    management, and just-in-time access protects against adversaries trying to obtain
    illicit access to critical systems.
  mapping_type: mitigates
  references: []
- attack_object_id: T1098.001
  attack_object_name: Additional Cloud Credentials
  capability_description: Third-party access monitoring
  capability_group: DE.CM
  capability_id: DE.CM-06.02
  comments: This diagnostic statement protects against Additional Cloud Credentials
    through the use of privileged account management. Employing auditing, privileged
    access management, and just-in-time access protects against adversaries trying
    to obtain illicit access to critical systems.
  mapping_type: mitigates
  references: []
- attack_object_id: T1098.002
  attack_object_name: Additional Email Delegate Permissions
  capability_description: Third-party access monitoring
  capability_group: DE.CM
  capability_id: DE.CM-06.02
  comments: This diagnostic statement protects against Additional Email Delegate Permissions
    through the use of privileged account management. Employing auditing, privileged
    access management, and just-in-time access protects against adversaries trying
    to obtain illicit access to critical systems.
  mapping_type: mitigates
  references: []
- attack_object_id: T1098.003
  attack_object_name: Additional Cloud Roles
  capability_description: Third-party access monitoring
  capability_group: DE.CM
  capability_id: DE.CM-06.02
  comments: This diagnostic statement protects against Additional Cloud Roles through
    the use of privileged account management. Employing auditing, privileged access
    management, and just-in-time access protects against adversaries trying to obtain
    illicit access to critical systems.
  mapping_type: mitigates
  references: []
- attack_object_id: T1651
  attack_object_name: Cloud Administration Command
  capability_description: Third-party access monitoring
  capability_group: DE.CM
  capability_id: DE.CM-06.02
  comments: This diagnostic statement protects against Cloud Administration Command
    through the use of privileged account management. Employing auditing, privileged
    access management, and just-in-time access protects against adversaries trying
    to obtain illicit access to critical systems.
  mapping_type: mitigates
  references: []
- attack_object_id: T1059.001
  attack_object_name: PowerShell
  capability_description: Third-party access monitoring
  capability_group: DE.CM
  capability_id: DE.CM-06.02
  comments: This diagnostic statement protects against PowerShell through the use
    of privileged account management. Employing auditing, privileged access management,
    and just-in-time access protects against adversaries trying to obtain illicit
    access to critical systems.
  mapping_type: mitigates
  references: []
- attack_object_id: T1059.008
  attack_object_name: Network Device CLI
  capability_description: Third-party access monitoring
  capability_group: DE.CM
  capability_id: DE.CM-06.02
  comments: This diagnostic statement protects against Network Device CLI through
    the use of privileged account management. Employing auditing, privileged access
    management, and just-in-time access protects against adversaries trying to obtain
    illicit access to critical systems.
  mapping_type: mitigates
  references: []
- attack_object_id: T1059.009
  attack_object_name: Cloud API
  capability_description: Third-party access monitoring
  capability_group: DE.CM
  capability_id: DE.CM-06.02
  comments: This diagnostic statement protects against Cloud API through the use of
    privileged account management. Employing auditing, privileged access management,
    and just-in-time access protects against adversaries trying to obtain illicit
    access to critical systems.
  mapping_type: mitigates
  references: []
- attack_object_id: T1609
  attack_object_name: Container Administration Command
  capability_description: Third-party access monitoring
  capability_group: DE.CM
  capability_id: DE.CM-06.02
  comments: This diagnostic statement protects against Container Administration Command
    through the use of privileged account management. Employing auditing, privileged
    access management, and just-in-time access protects against adversaries trying
    to obtain illicit access to critical systems.
  mapping_type: mitigates
  references: []
- attack_object_id: T1136.001
  attack_object_name: Local Account
  capability_description: Third-party access monitoring
  capability_group: DE.CM
  capability_id: DE.CM-06.02
  comments: This diagnostic statement protects against Local Account through the use
    of privileged account management. Employing auditing, privileged access management,
    and just-in-time access protects against adversaries trying to obtain illicit
    access to critical systems.
  mapping_type: mitigates
  references: []
- attack_object_id: T1136.002
  attack_object_name: Domain Account
  capability_description: Third-party access monitoring
  capability_group: DE.CM
  capability_id: DE.CM-06.02
  comments: This diagnostic statement protects against Domain Account through the
    use of privileged account management. Employing auditing, privileged access
    management, and just-in-time access protects against adversaries trying to obtain
    illicit access to critical systems.
  mapping_type: mitigates
  references: []
- attack_object_id: T1136.003
  attack_object_name: Cloud Account
  capability_description: Third-party access monitoring
  capability_group: DE.CM
  capability_id: DE.CM-06.02
  comments: This diagnostic statement protects against Cloud Account through the use
    of privileged account management. Employing auditing, privileged access management,
    and just-in-time access protects against adversaries trying to obtain illicit
    access to critical systems.
  mapping_type: mitigates
  references: []
- attack_object_id: T1555
  attack_object_name: Credentials from Password Stores
  capability_description: Third-party access monitoring
  capability_group: DE.CM
  capability_id: DE.CM-06.02
  comments: This diagnostic statement protects against Credentials from Password Stores
    through the use of privileged account management. Employing auditing, privileged
    access management, and just-in-time access protects against adversaries trying
    to obtain illicit access to critical systems.
  mapping_type: mitigates
  references: []
- attack_object_id: T1555.006
  attack_object_name: Cloud Secrets Management Stores
  capability_description: Third-party access monitoring
  capability_group: DE.CM
  capability_id: DE.CM-06.02
  comments: This diagnostic statement protects against Cloud Secrets Management Stores
    through the use of privileged account management. Employing auditing, privileged
    access management, and just-in-time access protects against adversaries trying
    to obtain illicit access to critical systems.
  mapping_type: mitigates
  references: []
- attack_object_id: T1484
  attack_object_name: Domain or Tenant Policy Modification
  capability_description: Third-party access monitoring
  capability_group: DE.CM
  capability_id: DE.CM-06.02
  comments: This diagnostic statement protects against Domain or Tenant Policy Modification
    through the use of privileged account management. Employing auditing, privileged
    access management, and just-in-time access protects against adversaries trying
    to obtain illicit access to critical systems.
  mapping_type: mitigates
  references: []
- attack_object_id: T1484.002
  attack_object_name: Trust Modification
  capability_description: Third-party access monitoring
  capability_group: DE.CM
  capability_id: DE.CM-06.02
  comments: This diagnostic statement protects against Trust Modification through
    the use of privileged account management. Employing auditing, privileged access
    management, and just-in-time access protects against adversaries trying to obtain
    illicit access to critical systems.
  mapping_type: mitigates
  references: []
- attack_object_id: T1190
  attack_object_name: Exploit Public-Facing Application
  capability_description: Third-party access monitoring
  capability_group: DE.CM
  capability_id: DE.CM-06.02
  comments: This diagnostic statement protects against Exploit Public-Facing Application
    through the use of privileged account management. Employing auditing, privileged
    access management, and just-in-time access protects against adversaries trying
    to obtain illicit access to critical systems.
  mapping_type: mitigates
  references: []
- attack_object_id: T1210
  attack_object_name: Exploitation of Remote Services
  capability_description: Third-party access monitoring
  capability_group: DE.CM
  capability_id: DE.CM-06.02
  comments: This diagnostic statement protects against Exploitation of Remote Services
    through the use of privileged account management. Employing auditing, privileged
    access management, and just-in-time access protects against adversaries trying
    to obtain illicit access to critical systems.
  mapping_type: mitigates
  references: []
- attack_object_id: T1606
  attack_object_name: Forge Web Credentials
  capability_description: Third-party access monitoring
  capability_group: DE.CM
  capability_id: DE.CM-06.02
  comments: This diagnostic statement protects against Forge Web Credentials through
    the use of privileged account management. Employing auditing, privileged access
    management, and just-in-time access protects against adversaries trying to obtain
    illicit access to critical systems.
  mapping_type: mitigates
  references: []
- attack_object_id: T1606.002
  attack_object_name: SAML Tokens
  capability_description: Third-party access monitoring
  capability_group: DE.CM
  capability_id: DE.CM-06.02
  comments: This diagnostic statement protects against SAML Tokens through the use
    of privileged account management. Employing auditing, privileged access management,
    and just-in-time access protects against adversaries trying to obtain illicit
    access to critical systems.
  mapping_type: mitigates
  references: []
- attack_object_id: T1056.003
  attack_object_name: Web Portal Capture
  capability_description: Third-party access monitoring
  capability_group: DE.CM
  capability_id: DE.CM-06.02
  comments: This diagnostic statement protects against Web Portal Capture through
    the use of privileged account management. Employing auditing, privileged access
    management, and just-in-time access protects against adversaries trying to obtain
    illicit access to critical systems.
  mapping_type: mitigates
  references: []
- attack_object_id: T1556
  attack_object_name: Modify Authentication Process
  capability_description: Third-party access monitoring
  capability_group: DE.CM
  capability_id: DE.CM-06.02
  comments: This diagnostic statement protects against Modify Authentication Process
    through the use of privileged account management. Employing auditing, privileged
    access management, and just-in-time access protects against adversaries trying
    to obtain illicit access to critical systems.
  mapping_type: mitigates
  references: []
- attack_object_id: T1556.001
  attack_object_name: Domain Controller Authentication
  capability_description: Third-party access monitoring
  capability_group: DE.CM
  capability_id: DE.CM-06.02
  comments: This diagnostic statement protects against Domain Controller Authentication
    through the use of privileged account management. Employing auditing, privileged
    access management, and just-in-time access protects against adversaries trying
    to obtain illicit access to critical systems.
  mapping_type: mitigates
  references: []
- attack_object_id: T1556.003
  attack_object_name: Pluggable Authentication Modules
  capability_description: Third-party access monitoring
  capability_group: DE.CM
  capability_id: DE.CM-06.02
  comments: This diagnostic statement protects against Pluggable Authentication Modules
    through the use of privileged account management. Employing auditing, privileged
    access management, and just-in-time access protects against adversaries trying
    to obtain illicit access to critical systems.
  mapping_type: mitigates
  references: []
- attack_object_id: T1556.004
  attack_object_name: Network Device Authentication
  capability_description: Third-party access monitoring
  capability_group: DE.CM
  capability_id: DE.CM-06.02
  comments: This diagnostic statement protects against Network Device Authentication
    through the use of privileged account management. Employing auditing, privileged
    access management, and just-in-time access protects against adversaries trying
    to obtain illicit access to critical systems.
  mapping_type: mitigates
  references: []
- attack_object_id: T1556.007
  attack_object_name: Hybrid Identity
  capability_description: Third-party access monitoring
  capability_group: DE.CM
  capability_id: DE.CM-06.02
  comments: This diagnostic statement protects against Hybrid Identity through the
    use of privileged account management. Employing auditing, privileged access
    management, and just-in-time access protects against adversaries trying to obtain
    illicit access to critical systems.
  mapping_type: mitigates
  references: []
- attack_object_id: T1599
  attack_object_name: Network Boundary Bridging
  capability_description: Third-party access monitoring
  capability_group: DE.CM
  capability_id: DE.CM-06.02
  comments: This diagnostic statement protects against Network Boundary Bridging through
    the use of privileged account management. Employing auditing, privileged access
    management, and just-in-time access protects against adversaries trying to obtain
    illicit access to critical systems.
  mapping_type: mitigates
  references: []
- attack_object_id: T1599.001
  attack_object_name: Network Address Translation Traversal
  capability_description: Third-party access monitoring
  capability_group: DE.CM
  capability_id: DE.CM-06.02
  comments: This diagnostic statement protects against Network Address Translation
    Traversal through the use of privileged account management. Employing auditing,
    privileged access management, and just-in-time access protects against adversaries
    trying to obtain illicit access to critical systems.
  mapping_type: mitigates
  references: []
- attack_object_id: T1003
  attack_object_name: OS Credential Dumping
  capability_description: Third-party access monitoring
  capability_group: DE.CM
  capability_id: DE.CM-06.02
  comments: This diagnostic statement protects against OS Credential Dumping through
    the use of privileged account management. Employing auditing, privileged access
    management, and just-in-time access protects against adversaries trying to obtain
    illicit access to critical systems.
  mapping_type: mitigates
  references: []
- attack_object_id: T1003.001
  attack_object_name: LSASS Memory
  capability_description: Third-party access monitoring
  capability_group: DE.CM
  capability_id: DE.CM-06.02
  comments: This diagnostic statement protects against LSASS Memory through the use
    of privileged account management. Employing auditing, privileged access management,
    and just-in-time access protects against adversaries trying to obtain illicit
    access to critical systems.
  mapping_type: mitigates
  references: []
- attack_object_id: T1003.002
  attack_object_name: Security Account Manager
  capability_description: Third-party access monitoring
  capability_group: DE.CM
  capability_id: DE.CM-06.02
  comments: This diagnostic statement protects against Security Account Manager through
    the use of privileged account management. Employing auditing, privileged access
    management, and just-in-time access protects against adversaries trying to obtain
    illicit access to critical systems.
  mapping_type: mitigates
  references: []
- attack_object_id: T1003.003
  attack_object_name: NTDS
  capability_description: Third-party access monitoring
  capability_group: DE.CM
  capability_id: DE.CM-06.02
  comments: This diagnostic statement protects against NTDS through the use of privileged
    account management. Employing auditing, privileged access management, and just-in-time
    access protects against adversaries trying to obtain illicit access to
    critical systems.
  mapping_type: mitigates
  references: []
- attack_object_id: T1003.004
  attack_object_name: LSA Secrets
  capability_description: Third-party access monitoring
  capability_group: DE.CM
  capability_id: DE.CM-06.02
  comments: This diagnostic statement protects against LSA Secrets through the use
    of privileged account management. Employing auditing, privileged access management,
    and just-in-time access protects against adversaries trying to obtain illicit
    access to critical systems.
  mapping_type: mitigates
  references: []
- attack_object_id: T1003.005
  attack_object_name: Cached Domain Credentials
  capability_description: Third-party access monitoring
  capability_group: DE.CM
  capability_id: DE.CM-06.02
  comments: This diagnostic statement protects against Cached Domain Credentials through
    the use of privileged account management. Employing auditing, privileged access
    management, and just-in-time access protects against adversaries trying to obtain
    illicit access to critical systems.
  mapping_type: mitigates
  references: []
- attack_object_id: T1003.006
  attack_object_name: DCSync
  capability_description: Third-party access monitoring
  capability_group: DE.CM
  capability_id: DE.CM-06.02
  comments: This diagnostic statement protects against DCSync through the use of privileged
    account management. Employing auditing, privileged access management, and just-in-time
    access protects against adversaries trying to obtain illicit access to
    critical systems.
  mapping_type: mitigates
  references: []
- attack_object_id: T1003.007
  attack_object_name: Proc Filesystem
  capability_description: Third-party access monitoring
  capability_group: DE.CM
  capability_id: DE.CM-06.02
  comments: This diagnostic statement protects against Proc Filesystem through the
    use of privileged account management. Employing auditing, privileged access management,
    and just-in-time access protects against adversaries trying to obtain illicit
    access to critical systems.
  mapping_type: mitigates
  references: []
- attack_object_id: T1003.008
  attack_object_name: /etc/passwd and /etc/shadow
  capability_description: Third-party access monitoring
  capability_group: DE.CM
  capability_id: DE.CM-06.02
  comments: This diagnostic statement protects against /etc/passwd and /etc/shadow
    through the use of privileged account management. Employing auditing, privileged
    access management, and just-in-time access protects against adversaries trying
    to obtain illicit access to critical systems.
  mapping_type: mitigates
  references: []
- attack_object_id: T1563
  attack_object_name: Remote Service Session Hijacking
  capability_description: Third-party access monitoring
  capability_group: DE.CM
  capability_id: DE.CM-06.02
  comments: This diagnostic statement protects against Remote Service Session Hijacking
    through the use of privileged account management. Employing auditing, privileged
    access management, and just-in-time access protects against adversaries trying
    to obtain illicit access to critical systems.
  mapping_type: mitigates
  references: []
- attack_object_id: T1563.001
  attack_object_name: SSH Hijacking
  capability_description: Third-party access monitoring
  capability_group: DE.CM
  capability_id: DE.CM-06.02
  comments: This diagnostic statement protects against SSH Hijacking through the use
    of privileged account management. Employing auditing, privileged access management,
    and just-in-time access protects against adversaries trying to obtain illicit
    access to critical systems.
  mapping_type: mitigates
  references: []
- attack_object_id: T1563.002
  attack_object_name: RDP Hijacking
  capability_description: Third-party access monitoring
  capability_group: DE.CM
  capability_id: DE.CM-06.02
  comments: This diagnostic statement protects against RDP Hijacking through the use
    of privileged account management. Employing auditing, privileged access management,
    and just-in-time access protects against adversaries trying to obtain illicit
    access to critical systems.
  mapping_type: mitigates
  references: []
- attack_object_id: T1021
  attack_object_name: Remote Services
  capability_description: Third-party access monitoring
  capability_group: DE.CM
  capability_id: DE.CM-06.02
  comments: This diagnostic statement protects against Remote Services through the
    use of privileged account management. Employing auditing, privileged access management,
    and just-in-time access protects against adversaries trying to obtain illicit
    access to critical systems.
  mapping_type: mitigates
  references: []
- attack_object_id: T1021.001
  attack_object_name: Remote Desktop Protocol
  capability_description: Third-party access monitoring
  capability_group: DE.CM
  capability_id: DE.CM-06.02
  comments: This diagnostic statement protects against Remote Desktop Protocol through
    the use of privileged account management. Employing auditing, privileged access
    management, and just-in-time access protects against adversaries trying to obtain
    illicit access to critical systems.
  mapping_type: mitigates
  references: []
- attack_object_id: T1021.002
  attack_object_name: SMB/Windows Admin Shares
  capability_description: Third-party access monitoring
  capability_group: DE.CM
  capability_id: DE.CM-06.02
  comments: This diagnostic statement protects against SMB/Windows Admin Shares through
    the use of privileged account management. Employing auditing, privileged access
    management, and just-in-time access protects against adversaries trying to obtain
    illicit access to critical systems.
  mapping_type: mitigates
  references: []
- attack_object_id: T1021.003
  attack_object_name: Distributed Component Object Model
  capability_description: Third-party access monitoring
  capability_group: DE.CM
  capability_id: DE.CM-06.02
  comments: This diagnostic statement protects against Distributed Component Object
    Model through the use of privileged account management. Employing auditing, privileged
    access management, and just-in-time access protects against adversaries trying
    to obtain illicit access to critical systems.
  mapping_type: mitigates
  references: []
- attack_object_id: T1021.006
  attack_object_name: Windows Remote Management
  capability_description: Third-party access monitoring
  capability_group: DE.CM
  capability_id: DE.CM-06.02
  comments: This diagnostic statement protects against Windows Remote Management through
    the use of privileged account management. Employing auditing, privileged access
    management, and just-in-time access protects against adversaries trying to obtain
    illicit access to critical systems.
  mapping_type: mitigates
  references: []
- attack_object_id: T1021.007
  attack_object_name: Cloud Services
  capability_description: Third-party access monitoring
  capability_group: DE.CM
  capability_id: DE.CM-06.02
  comments: This diagnostic statement protects against Cloud Services through the
    use of privileged account management. Employing auditing, privileged access management,
    and just-in-time access protects against adversaries trying to obtain illicit
    access to critical systems.
  mapping_type: mitigates
  references: []
- attack_object_id: T1505
  attack_object_name: Server Software Component
  capability_description: Third-party access monitoring
  capability_group: DE.CM
  capability_id: DE.CM-06.02
  comments: This diagnostic statement protects against Server Software Component through
    the use of privileged account management. Employing auditing, privileged access
    management, and just-in-time access protects against adversaries trying to obtain
    illicit access to critical systems.
  mapping_type: mitigates
  references: []
- attack_object_id: T1072
  attack_object_name: Software Deployment Tools
  capability_description: Third-party access monitoring
  capability_group: DE.CM
  capability_id: DE.CM-06.02
  comments: This diagnostic statement protects against Software Deployment Tools through
    the use of privileged account management. Employing auditing, privileged access
    management, and just-in-time access protects against adversaries trying to obtain
    illicit access to critical systems.
  mapping_type: mitigates
  references: []
- attack_object_id: T1558
  attack_object_name: Steal or Forge Kerberos Tickets
  capability_description: Third-party access monitoring
  capability_group: DE.CM
  capability_id: DE.CM-06.02
  comments: This diagnostic statement protects against Steal or Forge Kerberos Tickets
    through the use of privileged account management. Employing auditing, privileged
    access management, and just-in-time access protects against adversaries trying
    to obtain illicit access to critical systems.
  mapping_type: mitigates
  references: []
- attack_object_id: T1558.001
  attack_object_name: Golden Ticket
  capability_description: Third-party access monitoring
  capability_group: DE.CM
  capability_id: DE.CM-06.02
  comments: This diagnostic statement protects against Golden Ticket through the use
    of privileged account management. Employing auditing, privileged access management,
    and just-in-time access protects against adversaries trying to obtain illicit
    access to critical systems.
  mapping_type: mitigates
  references: []
- attack_object_id: T1558.002
  attack_object_name: Silver Ticket
  capability_description: Third-party access monitoring
  capability_group: DE.CM
  capability_id: DE.CM-06.02
  comments: This diagnostic statement protects against Silver Ticket through the use
    of privileged account management. Employing auditing, privileged access management,
    and just-in-time access protects against adversaries trying to obtain illicit
    access to critical systems.
  mapping_type: mitigates
  references: []
- attack_object_id: T1558.003
  attack_object_name: Kerberoasting
  capability_description: Third-party access monitoring
  capability_group: DE.CM
  capability_id: DE.CM-06.02
  comments: This diagnostic statement protects against Kerberoasting through the use
    of privileged account management. Employing auditing, privileged access management,
    and just-in-time access protects against adversaries trying to obtain illicit
    access to critical systems.
  mapping_type: mitigates
  references: []
- attack_object_id: T1218
  attack_object_name: System Binary Proxy Execution
  capability_description: Third-party access monitoring
  capability_group: DE.CM
  capability_id: DE.CM-06.02
  comments: This diagnostic statement protects against System Binary Proxy Execution
    through the use of privileged account management. Employing auditing, privileged
    access management, and just-in-time access protects against adversaries trying
    to obtain illicit access to critical systems.
  mapping_type: mitigates
  references: []
- attack_object_id: T1569
  attack_object_name: System Services
  capability_description: Third-party access monitoring
  capability_group: DE.CM
  capability_id: DE.CM-06.02
  comments: This diagnostic statement protects against System Services through the
    use of privileged account management. Employing auditing, privileged access management,
    and just-in-time access protects against adversaries trying to obtain illicit
    access to critical systems.
  mapping_type: mitigates
  references: []
- attack_object_id: T1552
  attack_object_name: Unsecured Credentials
  capability_description: Third-party access monitoring
  capability_group: DE.CM
  capability_id: DE.CM-06.02
  comments: This diagnostic statement protects against Unsecured Credentials through
    the use of privileged account management. Employing auditing, privileged access
    management, and just-in-time access protects against adversaries trying to obtain
    illicit access to critical systems.
  mapping_type: mitigates
  references: []
- attack_object_id: T1552.002
  attack_object_name: Credentials in Registry
  capability_description: Third-party access monitoring
  capability_group: DE.CM
  capability_id: DE.CM-06.02
  comments: This diagnostic statement protects against Credentials in Registry through
    the use of privileged account management. Employing auditing, privileged access
    management, and just-in-time access protects against adversaries trying to obtain
    illicit access to critical systems.
  mapping_type: mitigates
  references: []
- attack_object_id: T1552.007
  attack_object_name: Container API
  capability_description: Third-party access monitoring
  capability_group: DE.CM
  capability_id: DE.CM-06.02
  comments: This diagnostic statement protects against Container API through the use
    of privileged account management. Employing auditing, privileged access management,
    and just-in-time access protects against adversaries trying to obtain illicit
    access to critical systems.
  mapping_type: mitigates
  references: []
- attack_object_id: T1550
  attack_object_name: Use Alternate Authentication Material
  capability_description: Third-party access monitoring
  capability_group: DE.CM
  capability_id: DE.CM-06.02
  comments: This diagnostic statement protects against Use Alternate Authentication
    Material through the use of privileged account management. Employing auditing,
    privileged access management, and just-in-time access protects against adversaries
    trying to obtain illicit access to critical systems.
  mapping_type: mitigates
  references: []
- attack_object_id: T1550.002
  attack_object_name: Pass the Hash
  capability_description: Third-party access monitoring
  capability_group: DE.CM
  capability_id: DE.CM-06.02
  comments: This diagnostic statement protects against Pass the Hash through the use
    of privileged account management. Employing auditing, privileged access management,
    and just-in-time access protects against adversaries trying to obtain illicit
    access to critical systems.
  mapping_type: mitigates
  references: []
- attack_object_id: T1550.003
  attack_object_name: Pass the Ticket
  capability_description: Third-party access monitoring
  capability_group: DE.CM
  capability_id: DE.CM-06.02
  comments: This diagnostic statement protects against Pass the Ticket through the
    use of privileged account management. Employing auditing, privileged access management,
    and just-in-time access protects against adversaries trying to obtain illicit
    access to critical systems.
  mapping_type: mitigates
  references: []
- attack_object_id: T1078
  attack_object_name: Valid Accounts
  capability_description: Third-party access monitoring
  capability_group: DE.CM
  capability_id: DE.CM-06.02
  comments: This diagnostic statement protects against Valid Accounts through the
    use of privileged account management. Employing auditing, privileged access management,
    and just-in-time access protects against adversaries trying to obtain illicit
    access to critical systems.
  mapping_type: mitigates
  references: []
- attack_object_id: T1078.002
  attack_object_name: Domain Accounts
  capability_description: Third-party access monitoring
  capability_group: DE.CM
  capability_id: DE.CM-06.02
  comments: This diagnostic statement protects against Domain Accounts through the
    use of privileged account management. Employing auditing, privileged access management,
    and just-in-time access protects against adversaries trying to obtain illicit
    access to critical systems.
  mapping_type: mitigates
  references: []
- attack_object_id: T1078.003
  attack_object_name: Local Accounts
  capability_description: Third-party access monitoring
  capability_group: DE.CM
  capability_id: DE.CM-06.02
  comments: This diagnostic statement protects against Local Accounts through the
    use of privileged account management. Employing auditing, privileged access management,
    and just-in-time access protects against adversaries trying to obtain illicit
    access to critical systems.
  mapping_type: mitigates
  references: []
- attack_object_id: T1078.004
  attack_object_name: Cloud Accounts
  capability_description: Third-party access monitoring
  capability_group: DE.CM
  capability_id: DE.CM-06.02
  comments: This diagnostic statement protects against Cloud Accounts through the
    use of privileged account management. Employing auditing, privileged access management,
    and just-in-time access protects against adversaries trying to obtain illicit
    access to critical systems.
  mapping_type: mitigates
  references: []
- attack_object_id: T1047
  attack_object_name: Windows Management Instrumentation
  capability_description: Third-party access monitoring
  capability_group: DE.CM
  capability_id: DE.CM-06.02
  comments: This diagnostic statement protects against Windows Management Instrumentation
    through the use of privileged account management. Employing auditing, privileged
    access management, and just-in-time access protects against adversaries trying
    to obtain illicit access to critical systems.
  mapping_type: mitigates
  references: []
- attack_object_id: T1505
  attack_object_name: Server Software Component
  capability_description: Testing and validation strategy
  capability_group: PR.PS
  capability_id: PR.PS-06.05
  comments: This particular diagnostic statement highlights the use of software security
    testing, code integrity verifications, and vulnerability scanning to mitigate
    security weaknesses and vulnerabilities in developed code or applications that
    an adversary may be able to take advantage of.
  mapping_type: mitigates
  references: []
- attack_object_id: T1036.001
  attack_object_name: Invalid Code Signature
  capability_description: Testing and validation strategy
  capability_group: PR.PS
  capability_id: PR.PS-06.05
  comments: This particular diagnostic statement highlights the use of software security
    testing, code integrity verifications, and vulnerability scanning to mitigate
    security weaknesses and vulnerabilities in developed code or applications that
    an adversary may be able to take advantage of.
  mapping_type: mitigates
  references: []
- attack_object_id: T1554
  attack_object_name: Compromise Host Software Binary
  capability_description: Testing and validation strategy
  capability_group: PR.PS
  capability_id: PR.PS-06.05
  comments: This particular diagnostic statement highlights the use of software security
    testing, code integrity verifications, and vulnerability scanning to mitigate
    security weaknesses and vulnerabilities in developed code or applications that
    an adversary may be able to take advantage of.
  mapping_type: mitigates
  references: []
- attack_object_id: T1211
  attack_object_name: Exploitation for Defense Evasion
  capability_description: Testing and validation strategy
  capability_group: PR.PS
  capability_id: PR.PS-06.05
  comments: This particular diagnostic statement highlights the use of software security
    testing, code integrity verifications, and vulnerability scanning to mitigate
    security weaknesses and vulnerabilities in developed code or applications that
    an adversary may be able to take advantage of.
  mapping_type: mitigates
  references: []
- attack_object_id: T1068
  attack_object_name: Exploitation for Privilege Escalation
  capability_description: Testing and validation strategy
  capability_group: PR.PS
  capability_id: PR.PS-06.05
  comments: This particular diagnostic statement highlights the use of software security
    testing, code integrity verifications, and vulnerability scanning to mitigate
    security weaknesses and vulnerabilities in developed code or applications that
    an adversary may be able to take advantage of.
  mapping_type: mitigates
  references: []
- attack_object_id: T1203
  attack_object_name: Exploitation for Client Execution
  capability_description: Testing and validation strategy
  capability_group: PR.PS
  capability_id: PR.PS-06.05
  comments: This particular diagnostic statement highlights the use of software security
    testing, code integrity verifications, and vulnerability scanning to mitigate
    security weaknesses and vulnerabilities in developed code or applications that
    an adversary may be able to take advantage of.
  mapping_type: mitigates
  references: []
- attack_object_id: T1210
  attack_object_name: Exploitation of Remote Services
  capability_description: Testing and validation strategy
  capability_group: PR.PS
  capability_id: PR.PS-06.05
  comments: This particular diagnostic statement highlights the use of software security
    testing, code integrity verifications, and vulnerability scanning to mitigate
    security weaknesses and vulnerabilities in developed code or applications that
    an adversary may be able to take advantage of.
  mapping_type: mitigates
  references: []
- attack_object_id: T1212
  attack_object_name: Exploitation for Credential Access
  capability_description: Testing and validation strategy
  capability_group: PR.PS
  capability_id: PR.PS-06.05
  comments: This particular diagnostic statement highlights the use of software security
    testing, code integrity verifications, and vulnerability scanning to mitigate
    security weaknesses and vulnerabilities in developed code or applications that
    an adversary may be able to take advantage of.
  mapping_type: mitigates
  references: []
- attack_object_id: T1190
  attack_object_name: Exploit Public-Facing Application
  capability_description: Testing and validation strategy
  capability_group: PR.PS
  capability_id: PR.PS-06.05
  comments: This particular diagnostic statement highlights the use of software security
    testing, code integrity verifications, and vulnerability scanning to mitigate
    security weaknesses and vulnerabilities in developed code or applications that
    an adversary may be able to take advantage of.
  mapping_type: mitigates
  references: []
- attack_object_id: T1127
  attack_object_name: Trusted Developer Utilities Proxy Execution
  capability_description: Testing and validation strategy
  capability_group: PR.PS
  capability_id: PR.PS-06.05
  comments: This particular diagnostic statement highlights the use of software security
    testing, code integrity verifications, and vulnerability scanning to mitigate
    security weaknesses and vulnerabilities in developed code or applications that
    an adversary may be able to take advantage of.
  mapping_type: mitigates
  references: []
- attack_object_id: T1021.007
  attack_object_name: Cloud Services
  capability_description: Authentication of identity
  capability_group: PR.AA
  capability_id: PR.AA-02.01
  comments: This diagnostic statement provides protection from Remote Services through
    the implementation of authentication and identity management controls to limit
    lateral movement. Employing limitations to specific accounts, access control
    mechanisms, and auditing the attribution logs provides protection against adversaries
    attempting to move laterally in the cloud environment.
  mapping_type: mitigates
  references: []
- attack_object_id: T1021.004
  attack_object_name: SSH
  capability_description: Authentication of identity
  capability_group: PR.AA
  capability_id: PR.AA-02.01
  comments: This diagnostic statement provides protection from Remote Services through
    the implementation of authentication and identity management controls to limit
    lateral movement. Employing limitations to specific accounts, access control mechanisms,
    and auditing the attribution logs provides protection against adversaries attempting
    to move laterally.
  mapping_type: mitigates
  references: []
- attack_object_id: T1021.001
  attack_object_name: Remote Desktop Protocol
  capability_description: Authentication of identity
  capability_group: PR.AA
  capability_id: PR.AA-02.01
  comments: This diagnostic statement provides protection from Remote Services through
    the implementation of authentication and identity management controls to limit
    lateral movement. Employing limitations to specific accounts, access control mechanisms,
    and auditing the attribution logs provides protection against adversaries attempting
    to move laterally.
  mapping_type: mitigates
  references: []
- attack_object_id: T1021
  attack_object_name: Remote Services
  capability_description: Authentication of identity
  capability_group: PR.AA
  capability_id: PR.AA-02.01
  comments: This diagnostic statement provides protection from Remote Services through
    the implementation of authentication and identity management controls to limit
    lateral movement. Employing limitations to specific accounts, access control mechanisms,
    and auditing the attribution logs provides protection against adversaries attempting
    to move laterally.
  mapping_type: mitigates
  references: []
- attack_object_id: T1556.001
  attack_object_name: Domain Controller Authentication
  capability_description: Authentication of identity
  capability_group: PR.AA
  capability_id: PR.AA-02.01
  comments: This diagnostic statement provides protection from Modify Authentication
    Process through the implementation of privileged account management controls to
    limit credential access. Employing limitations to specific accounts, access control
    mechanisms, and auditing the attribution logs provides protection against adversaries
    attempting to modify credentials.
  mapping_type: mitigates
  references: []
- attack_object_id: T1556
  attack_object_name: Modify Authentication Process
  capability_description: Authentication of identity
  capability_group: PR.AA
  capability_id: PR.AA-02.01
  comments: This diagnostic statement provides protection from Modify Authentication
    Process through the implementation of privileged account management controls to
    limit credential access. Employing limitations to specific accounts, access control
    mechanisms, and auditing the attribution logs provides protection against adversaries
    attempting to modify credentials.
  mapping_type: mitigates
  references: []
- attack_object_id: T1110.004
  attack_object_name: Credential Stuffing
  capability_description: Authentication of identity
  capability_group: PR.AA
  capability_id: PR.AA-02.01
  comments: This diagnostic statement provides protection from Brute Force through
    the implementation of authentication controls and privileged account management
    controls to limit credential access. Employing limitations to specific accounts,
    access control mechanisms, and auditing the attribution logs provides protection
    against adversaries attempting to brute force credentials.
  mapping_type: mitigates
  references: []
- attack_object_id: T1110.003
  attack_object_name: Password Spraying
  capability_description: Authentication of identity
  capability_group: PR.AA
  capability_id: PR.AA-02.01
  comments: This diagnostic statement provides protection from Brute Force through
    the implementation of authentication controls and privileged account management
    controls to limit credential access. Employing limitations to specific accounts,
    access control mechanisms, and auditing the attribution logs provides protection
    against adversaries attempting to brute force credentials.
  mapping_type: mitigates
  references: []
- attack_object_id: T1110.001
  attack_object_name: Password Guessing
  capability_description: Authentication of identity
  capability_group: PR.AA
  capability_id: PR.AA-02.01
  comments: This diagnostic statement provides protection from Brute Force through
    the implementation of authentication controls and privileged account management
    controls to limit credential access. Employing limitations to specific accounts,
    access control mechanisms, and auditing the attribution logs provides protection
    against adversaries attempting to brute force credentials.
  mapping_type: mitigates
  references: []
- attack_object_id: T1110
  attack_object_name: Brute Force
  capability_description: Authentication of identity
  capability_group: PR.AA
  capability_id: PR.AA-02.01
  comments: This diagnostic statement provides protection from Brute Force through
    the implementation of authentication controls and privileged account management
    controls to limit credential access. Employing limitations to specific accounts,
    access control mechanisms, and auditing the attribution logs provides protection
    against adversaries attempting to brute force credentials.
  mapping_type: mitigates
  references: []
- attack_object_id: T1136.003
  attack_object_name: Cloud Account
  capability_description: Authentication of identity
  capability_group: PR.AA
  capability_id: PR.AA-02.01
  comments: This diagnostic statement provides protection from Create Account through
    the implementation of privileged account management controls to limit credential
    access. Employing limitations to specific accounts, access control mechanisms,
    and auditing the attribution logs provides protection against adversaries attempting
    to create accounts.
  mapping_type: mitigates
  references: []
- attack_object_id: T1136.002
  attack_object_name: Domain Account
  capability_description: Authentication of identity
  capability_group: PR.AA
  capability_id: PR.AA-02.01
  comments: This diagnostic statement provides protection from Create Account through
    the implementation of privileged account management controls to limit credential
    access. Employing limitations to specific accounts, access control mechanisms,
    and auditing the attribution logs provides protection against adversaries attempting
    to create accounts.
  mapping_type: mitigates
  references: []
- attack_object_id: T1136.001
  attack_object_name: Local Account
  capability_description: Authentication of identity
  capability_group: PR.AA
  capability_id: PR.AA-02.01
  comments: This diagnostic statement provides protection from Create Account through
    the implementation of privileged account management controls to limit credential
    access. Employing limitations to specific accounts, access control mechanisms,
    and auditing the attribution logs provides protection against adversaries attempting
    to create accounts.
  mapping_type: mitigates
  references: []
- attack_object_id: T1098.006
  attack_object_name: Additional Container Cluster Roles
  capability_description: Authentication of identity
  capability_group: PR.AA
  capability_id: PR.AA-02.01
  comments: This diagnostic statement provides protection from Account Manipulation
    through the implementation of privileged account management controls to limit
    credential access. Employing limitations to specific accounts, access control
    mechanisms, and auditing the attribution logs provides protection against adversaries
    attempting to modify accounts.
  mapping_type: mitigates
  references: []
- attack_object_id: T1098.005
  attack_object_name: Device Registration
  capability_description: Authentication of identity
  capability_group: PR.AA
  capability_id: PR.AA-02.01
  comments: This diagnostic statement provides protection from Account Manipulation
    through the implementation of privileged account management controls to limit
    credential access. Employing limitations to specific accounts, access control
    mechanisms, and auditing the attribution logs provides protection against adversaries
    attempting to modify accounts.
  mapping_type: mitigates
  references: []
- attack_object_id: T1098.003
  attack_object_name: Additional Cloud Roles
  capability_description: Authentication of identity
  capability_group: PR.AA
  capability_id: PR.AA-02.01
  comments: This diagnostic statement provides protection from Account Manipulation
    through the implementation of privileged account management controls to limit
    credential access. Employing limitations to specific accounts, access control
    mechanisms, and auditing the attribution logs provides protection against adversaries
    attempting to modify accounts.
  mapping_type: mitigates
  references: []
- attack_object_id: T1098.001
  attack_object_name: Additional Cloud Credentials
  capability_description: Authentication of identity
  capability_group: PR.AA
  capability_id: PR.AA-02.01
  comments: This diagnostic statement provides protection from Account Manipulation
    through the implementation of privileged account management controls to limit
    credential access. Employing limitations to specific accounts, access control
    mechanisms, and auditing the attribution logs provides protection against adversaries
    attempting to modify accounts.
  mapping_type: mitigates
  references: []
- attack_object_id: T1586.003
  attack_object_name: Cloud Accounts
  capability_description: Authentication of identity
  capability_group: PR.AA
  capability_id: PR.AA-02.01
  comments: This diagnostic statement provides protection from Compromise Accounts
    through the implementation of privileged account management controls to limit
    credential access. Employing limitations to specific accounts, access control
    mechanisms, and auditing the attribution logs provides protection against adversaries
    attempting to compromise accounts.
  mapping_type: mitigates
  references: []
- attack_object_id: T1087.001
  attack_object_name: Local Account
  capability_description: Authentication of identity
  capability_group: PR.AA
  capability_id: PR.AA-02.01
  comments: This diagnostic statement provides protection from Account Discovery through
    the implementation of privileged account management controls to limit account
    access. Employing limitations to specific accounts, access control mechanisms,
    and auditing the attribution logs provides protection against adversaries attempting
    to discover local accounts.
  mapping_type: mitigates
  references: []
- attack_object_id: T1087.002
  attack_object_name: Domain Account
  capability_description: Authentication of identity
  capability_group: PR.AA
  capability_id: PR.AA-02.01
  comments: This diagnostic statement provides protection from Account Discovery through
    the implementation of privileged account management controls to limit account
    access. Employing limitations to specific accounts, access control mechanisms,
    and auditing the attribution logs provides protection against adversaries attempting
    to discover domain accounts.
  mapping_type: mitigates
  references: []
- attack_object_id: T1078.001
  attack_object_name: Default Accounts
  capability_description: Authentication of identity
  capability_group: PR.AA
  capability_id: PR.AA-02.01
  comments: This diagnostic statement provides protection from Valid Accounts through
    the implementation of privileged account management controls to limit account
    access. Employing limitations to specific accounts, provisioning accounts, access
    control mechanisms, and auditing the attribution logs provides protection against
    adversaries attempting to use default accounts.
  mapping_type: mitigates
  references: []
- attack_object_id: T1136
  attack_object_name: Create Account
  capability_description: Authentication of identity
  capability_group: PR.AA
  capability_id: PR.AA-02.01
  comments: This diagnostic statement provides protection from Create Account through
    the implementation of privileged account management controls to limit credential
    access. Employing limitations to specific accounts, access control mechanisms,
    and auditing the attribution logs provides protection against adversaries attempting
    to create accounts.
  mapping_type: mitigates
  references: []
- attack_object_id: T1098
  attack_object_name: Account Manipulation
  capability_description: Authentication of identity
  capability_group: PR.AA
  capability_id: PR.AA-02.01
  comments: This diagnostic statement provides protection from Account Manipulation
    through the implementation of privileged account management controls to limit
    credential access. Employing limitations to specific accounts, access control
    mechanisms, and auditing the attribution logs provides protection against adversaries
    attempting to modify accounts.
  mapping_type: mitigates
  references: []
- attack_object_id: T1078
  attack_object_name: Valid Accounts
  capability_description: Authentication of identity
  capability_group: PR.AA
  capability_id: PR.AA-02.01
  comments: This diagnostic statement provides protection from Valid Accounts through
    the implementation of privileged account management controls to limit account
    access. Employing limitations to specific accounts, provisioning accounts, access
    control mechanisms, and auditing the attribution logs provides protection against
    adversaries attempting to use existing accounts.
  mapping_type: mitigates
  references: []
- attack_object_id: T1548
  attack_object_name: Abuse Elevation Control Mechanism
  capability_description: Access control within and across security perimeters
  capability_group: PR.AA
  capability_id: PR.AA-04.01
  comments: This diagnostic statement provides protection from Abuse Elevation Control
    Mechanism through the implementation of privileged account management controls
    to limit credential access. Employing limitations to specific accounts such as
    removing accounts from the Administrators group, access control mechanisms, and
    auditing the attribution logs provides some protection against adversaries attempting
    to abuse the elevation control mechanism.
  mapping_type: mitigates
  references: []
- attack_object_id: T1565
  attack_object_name: Data Manipulation
  capability_description: Access control within and across security perimeters
  capability_group: PR.AA
  capability_id: PR.AA-04.01
  comments: This diagnostic statement provides protection from Data Manipulation through
    the implementation of privileged account management controls to limit credential
    access. Employing limitations to specific accounts, access control mechanisms,
    and auditing the attribution logs provides protection against adversaries attempting
    to modify data without being observed.
  mapping_type: mitigates
  references: []
- attack_object_id: T1213
  attack_object_name: Data from Information Repositories
  capability_description: Access control within and across security perimeters
  capability_group: PR.AA
  capability_id: PR.AA-04.01
  comments: This diagnostic statement provides protection from Data from Information
    Repositories through the implementation of privileged account management controls
    to limit credential access. Employing limitations to specific accounts, access
    control mechanisms, and auditing the attribution logs provides protection against
    adversaries attempting to access sensitive data in information repositories.
  mapping_type: mitigates
  references: []
- attack_object_id: T1098
  attack_object_name: Account Manipulation
  capability_description: Access control within and across security perimeters
  capability_group: PR.AA
  capability_id: PR.AA-04.01
  comments: This diagnostic statement provides protection from Account Manipulation
    through the implementation of privileged account management controls to limit
    credential access. Employing limitations to specific accounts, access control
    mechanisms, and auditing the attribution logs provides protection against adversaries
    attempting to modify accounts.
  mapping_type: mitigates
  references: []
- attack_object_id: T1087.004
  attack_object_name: Cloud Account
  capability_description: Access control within and across security perimeters
  capability_group: PR.AA
  capability_id: PR.AA-04.01
  comments: This diagnostic statement provides protection from Account Discovery (Cloud
    Account) through the implementation of privileged account management controls to
    limit credential access. Employing limitations to specific accounts, access control
    mechanisms, and auditing the attribution logs provides protection against adversaries
    attempting to discover cloud accounts.
  mapping_type: mitigates
  references: []
- attack_object_id: T1562.001
  attack_object_name: Disable or Modify Tools
  capability_description: Hardware integrity checking
  capability_group: DE.CM
  capability_id: DE.CM-09.02
  comments: This diagnostic statement provides protection from Disable or Modify Tools
    through the implementation of integrity checking mechanisms. For example, integrity
    checking mechanisms to verify the operating system, software, firmware, and information
    integrity before loading it prevents abuse by a threat actor.
  mapping_type: mitigates
  references: []
- attack_object_id: T1091
  attack_object_name: Replication Through Removable Media
  capability_description: Hardware integrity checking
  capability_group: DE.CM
  capability_id: DE.CM-09.02
  comments: This diagnostic statement provides protection from Replication Through
    Removable Media through the implementation of integrity checking mechanisms. For
    example, integrity checking mechanisms to verify the operating system, software,
    firmware, and information integrity before loading it prevents abuse by a threat
    actor.
  mapping_type: mitigates
  references: []
- attack_object_id: T1542
  attack_object_name: Pre-OS Boot
  capability_description: Hardware integrity checking
  capability_group: DE.CM
  capability_id: DE.CM-09.02
  comments: This diagnostic statement provides protection from Pre-OS Boot through
    the implementation of integrity checking mechanisms. For example, integrity checking
    mechanisms to verify the operating system, software, firmware, and information
    integrity before loading it prevents abuse by a threat actor.
  mapping_type: mitigates
  references: []
- attack_object_id: T1542.002
  attack_object_name: Component Firmware
  capability_description: Hardware integrity checking
  capability_group: DE.CM
  capability_id: DE.CM-09.02
  comments: This diagnostic statement provides protection from Component Firmware
    through the implementation of integrity checking mechanisms. For example, integrity
    checking mechanisms to verify the operating system, software, firmware, and information
    integrity before loading it prevents abuse by a threat actor.
  mapping_type: mitigates
  references: []
- attack_object_id: T1600.002
  attack_object_name: Disable Crypto Hardware
  capability_description: Hardware integrity checking
  capability_group: DE.CM
  capability_id: DE.CM-09.02
  comments: This diagnostic statement provides protection from Disable Crypto Hardware
    through the implementation of integrity checking mechanisms. For example, integrity
    checking mechanisms to verify the operating system, software, firmware, and information
    integrity before loading it prevents abuse by a threat actor.
  mapping_type: mitigates
  references: []
- attack_object_id: T1495
  attack_object_name: Firmware Corruption
  capability_description: Hardware integrity checking
  capability_group: DE.CM
  capability_id: DE.CM-09.02
  comments: This diagnostic statement provides protection from Firmware Corruption
    through the implementation of integrity checking mechanisms. For example, integrity
    checking mechanisms to verify the operating system, software, firmware, and information
    integrity before loading it prevents abuse by a threat actor.
  mapping_type: mitigates
  references: []
- attack_object_id: T1542.001
  attack_object_name: System Firmware
  capability_description: Hardware integrity checking
  capability_group: DE.CM
  capability_id: DE.CM-09.02
  comments: This diagnostic statement provides protection from System Firmware through
    the implementation of integrity checking mechanisms. For example, integrity checking
    mechanisms to verify the operating system, software, firmware, and information
    integrity before loading it prevents abuse by a threat actor.
  mapping_type: mitigates
  references: []
- attack_object_id: T1195.003
  attack_object_name: Compromise Hardware Supply Chain
  capability_description: Hardware integrity checking
  capability_group: DE.CM
  capability_id: DE.CM-09.02
  comments: This diagnostic statement provides protection from Compromise Hardware
    Supply Chain through the implementation of integrity checking mechanisms. For
    example, integrity checking mechanisms to verify the operating system, software,
    firmware, and information integrity before loading it prevents abuse by a threat
    actor.
  mapping_type: mitigates
  references: []
- attack_object_id: T1200
  attack_object_name: Hardware Additions
  capability_description: Unauthorized device connection
  capability_group: DE.CM
  capability_id: DE.CM-01.04
  comments: This diagnostic statement provides protection from hardware additions
    through the use of tools to detect and block the use of unauthorized or unknown
    devices and accessories by endpoint security configuration and monitoring.
  mapping_type: mitigates
  references: []
- attack_object_id: T1052
  attack_object_name: Exfiltration Over Physical Medium
  capability_description: Unauthorized device connection
  capability_group: DE.CM
  capability_id: DE.CM-01.04
  comments: This diagnostic statement provides protection from exfiltration of data
    via a physical medium, such as a removable drive, by using tools to detect and
    block the use of unauthorized devices.
  mapping_type: mitigates
  references: []
- attack_object_id: T1052.001
  attack_object_name: Exfiltration over USB
  capability_description: Unauthorized device connection
  capability_group: DE.CM
  capability_id: DE.CM-01.04
  comments: This diagnostic statement provides protection from exfiltration of data
    via a physical medium, such as a removable drive, by using tools to detect and
    block the use of unauthorized devices.
  mapping_type: mitigates
  references: []
- attack_object_id: T1102
  attack_object_name: Web Service
  capability_description: Unauthorized network connections and data transfers
  capability_group: DE.CM
  capability_id: DE.CM-01.03
  comments: This diagnostic statement provides protection from Web Service by using
    tools to detect and block the use of unauthorized devices and connections to prevent
    abuse by adversaries.
  mapping_type: mitigates
  references: []
- attack_object_id: T1572
  attack_object_name: Protocol Tunneling
  capability_description: Unauthorized network connections and data transfers
  capability_group: DE.CM
  capability_id: DE.CM-01.03
  comments: This diagnostic statement provides protection from Protocol Tunneling
    by using tools to detect and block the use of unauthorized devices and connections
    to prevent abuse by adversaries.
  mapping_type: mitigates
  references: []
- attack_object_id: T1571
  attack_object_name: Non-Standard Port
  capability_description: Unauthorized network connections and data transfers
  capability_group: DE.CM
  capability_id: DE.CM-01.03
  comments: This diagnostic statement provides protection from Non-Standard Port by
    using tools to detect and block the use of unauthorized devices and connections
    to prevent abuse by adversaries.
  mapping_type: mitigates
  references: []
- attack_object_id: T1104
  attack_object_name: Multi-Stage Channels
  capability_description: Unauthorized network connections and data transfers
  capability_group: DE.CM
  capability_id: DE.CM-01.03
  comments: This diagnostic statement provides protection from Multi-Stage Channels
    by using tools to detect and block the use of unauthorized devices and connections
    to prevent abuse by adversaries.
  mapping_type: mitigates
  references: []
- attack_object_id: T1008
  attack_object_name: Fallback Channels
  capability_description: Unauthorized network connections and data transfers
  capability_group: DE.CM
  capability_id: DE.CM-01.03
  comments: This diagnostic statement provides protection from Fallback Channels by
    using tools to detect and block the use of unauthorized devices and connections
    to prevent abuse by adversaries.
  mapping_type: mitigates
  references: []
- attack_object_id: T1041
  attack_object_name: Exfiltration Over C2 Channel
  capability_description: Unauthorized network connections and data transfers
  capability_group: DE.CM
  capability_id: DE.CM-01.03
  comments: This diagnostic statement provides protection from Exfiltration Over C2
    Channel by using tools to detect and block the use of unauthorized devices and
    connections to prevent abuse by adversaries.
  mapping_type: mitigates
  references: []
- attack_object_id: T1090
  attack_object_name: Proxy
  capability_description: Unauthorized network connections and data transfers
  capability_group: DE.CM
  capability_id: DE.CM-01.03
  comments: This diagnostic statement provides protection from Proxy by using tools
    to detect and block the use of unauthorized devices and connections to prevent
    abuse by adversaries.
  mapping_type: mitigates
  references: []
- attack_object_id: T1030
  attack_object_name: Data Transfer Size Limits
  capability_description: Unauthorized network connections and data transfers
  capability_group: DE.CM
  capability_id: DE.CM-01.03
  comments: This diagnostic statement provides protection from Data Transfer Size
    Limits by using tools to detect and block the use of unauthorized devices and
    connections to prevent abuse by adversaries.
  mapping_type: mitigates
  references: []
- attack_object_id: T1095
  attack_object_name: Non-Application Layer Protocol
  capability_description: Unauthorized network connections and data transfers
  capability_group: DE.CM
  capability_id: DE.CM-01.03
  comments: This diagnostic statement provides protection from Non-Application Layer
    Protocol by using tools to detect and block the use of unauthorized devices and
    connections to prevent abuse by adversaries.
  mapping_type: mitigates
  references: []
- attack_object_id: T1599
  attack_object_name: Network Boundary Bridging
  capability_description: Unauthorized network connections and data transfers
  capability_group: DE.CM
  capability_id: DE.CM-01.03
  comments: This diagnostic statement provides protection from Network Boundary Bridging
    by using tools to detect and block the use of unauthorized devices and connections
    to prevent abuse by adversaries.
  mapping_type: mitigates
  references: []
- attack_object_id: T1048.003
  attack_object_name: Exfiltration Over Unencrypted Non-C2 Protocol
  capability_description: Unauthorized network connections and data transfers
  capability_group: DE.CM
  capability_id: DE.CM-01.03
  comments: This diagnostic statement provides protection from Exfiltration Over Unencrypted
    Non-C2 Protocol by using tools to detect and block the use of unauthorized devices
    and connections to prevent abuse by adversaries.
  mapping_type: mitigates
  references: []
- attack_object_id: T1048.002
  attack_object_name: Exfiltration Over Asymmetric Encrypted Non-C2 Protocol
  capability_description: Unauthorized network connections and data transfers
  capability_group: DE.CM
  capability_id: DE.CM-01.03
  comments: This diagnostic statement provides protection from Exfiltration Over Asymmetric
    Encrypted Non-C2 Protocol by using tools to detect and block the use of unauthorized
    devices and connections to prevent abuse by adversaries.
  mapping_type: mitigates
  references: []
- attack_object_id: T1048.001
  attack_object_name: Exfiltration Over Symmetric Encrypted Non-C2 Protocol
  capability_description: Unauthorized network connections and data transfers
  capability_group: DE.CM
  capability_id: DE.CM-01.03
  comments: This diagnostic statement provides protection from Exfiltration Over Symmetric
    Encrypted Non-C2 Protocol by using tools to detect and block the use of unauthorized
    devices and connections to prevent abuse by adversaries.
  mapping_type: mitigates
  references: []
- attack_object_id: T1048
  attack_object_name: Exfiltration Over Alternative Protocol
  capability_description: Unauthorized network connections and data transfers
  capability_group: DE.CM
  capability_id: DE.CM-01.03
  comments: This diagnostic statement provides protection from Exfiltration Over Alternative
    Protocol by using tools to detect and block the use of unauthorized devices and
    connections to prevent abuse by adversaries.
  mapping_type: mitigates
  references: []
- attack_object_id: T1040
  attack_object_name: Network Sniffing
  capability_description: Data-in-transit protection
  capability_group: PR.DS
  capability_id: PR.DS-02.01
  comments: This diagnostic statement protects against adversaries being able to access
    data in transit over networks. Encrypting information and files and utilizing authentication
    protocols, such as Kerberos, can help ensure web traffic that may contain credentials
    is protected by SSL/TLS.
  mapping_type: mitigates
  references: []
- attack_object_id: T1565.002
  attack_object_name: Transmitted Data Manipulation
  capability_description: Data-in-transit protection
  capability_group: PR.DS
  capability_id: PR.DS-02.01
  comments: This diagnostic statement provides another layer of protection from adversaries
    trying to gain access to data that is en route to storage or other systems.
  mapping_type: mitigates
  references: []
- attack_object_id: T1550.003
  attack_object_name: Pass the Ticket
  capability_description: Data-in-transit protection
  capability_group: PR.DS
  capability_id: PR.DS-02.01
  comments: This diagnostic statement provides protection from adversaries that may
    use stolen Kerberos tickets. Various methods should be used to protect data-in-transit,
    including encryption, password hashing, and tokenization.
  mapping_type: mitigates
  references: []
- attack_object_id: T1550.002
  attack_object_name: Pass the Hash
  capability_description: Data-in-transit protection
  capability_group: PR.DS
  capability_id: PR.DS-02.01
  comments: This diagnostic statement provides protection from adversaries that may
    utilize stolen password hashes. Various methods should be used to protect data-in-transit,
    including encryption, password hashing, and tokenization.
  mapping_type: mitigates
  references: []
- attack_object_id: T1550.001
  attack_object_name: Application Access Token
  capability_description: Data-in-transit protection
  capability_group: PR.DS
  capability_id: PR.DS-02.01
  comments: This diagnostic statement provides protection from adversaries that may
    bypass the authentication process and use stolen tokens. Various methods should
    be used to protect data-in-transit, including encryption, password hashing, and
    tokenization.
  mapping_type: mitigates
  references: []
- attack_object_id: T1550
  attack_object_name: Use Alternate Authentication Material
  capability_description: Data-in-transit protection
  capability_group: PR.DS
  capability_id: PR.DS-02.01
  comments: This diagnostic statement provides protection from adversaries that may
    attack via alternate authentication methods. Various methods should be used to
    protect data-in-transit, including encryption, password hashing, and tokenization.
  mapping_type: mitigates
  references: []
- attack_object_id: T1048.003
  attack_object_name: Exfiltration Over Unencrypted Non-C2 Protocol
  capability_description: Data-at-rest protection
  capability_group: PR.DS
  capability_id: PR.DS-01.01
  comments: This diagnostic statement focuses on protecting data-at-rest by implementing
    encryption and other security measures such as sandboxing, authentication, segregation,
    masking, tokenization, and file integrity monitoring.
  mapping_type: mitigates
  references: []
- attack_object_id: T1041
  attack_object_name: Exfiltration Over C2 Channel
  capability_description: Data-at-rest protection
  capability_group: PR.DS
  capability_id: PR.DS-01.01
  comments: This diagnostic statement focuses on protecting data-at-rest by implementing
    encryption and other security measures such as sandboxing, authentication, segregation,
    masking, tokenization, and file integrity monitoring.
  mapping_type: mitigates
  references: []
- attack_object_id: T1005
  attack_object_name: Data from Local System
  capability_description: Data-at-rest protection
  capability_group: PR.DS
  capability_id: PR.DS-01.01
  comments: This diagnostic statement focuses on protecting data-at-rest by implementing
    encryption and other security measures such as sandboxing, authentication, segregation,
    masking, tokenization, and file integrity monitoring.
  mapping_type: mitigates
  references: []
- attack_object_id: T1550.001
  attack_object_name: Application Access Token
  capability_description: Data-at-rest protection
  capability_group: PR.DS
  capability_id: PR.DS-01.01
  comments: This diagnostic statement focuses on protecting data-at-rest by implementing
    encryption and other security measures such as sandboxing, authentication, segregation,
    masking, tokenization, and file integrity monitoring.
  mapping_type: mitigates
  references: []
- attack_object_id: T1003.003
  attack_object_name: NTDS
  capability_description: Data-at-rest protection
  capability_group: PR.DS
  capability_id: PR.DS-01.01
  comments: This diagnostic statement focuses on protecting data-at-rest by implementing
    encryption and other security measures such as sandboxing, authentication, segregation,
    masking, tokenization, and file integrity monitoring.
  mapping_type: mitigates
  references: []
- attack_object_id: T1040
  attack_object_name: Network Sniffing
  capability_description: Data-at-rest protection
  capability_group: PR.DS
  capability_id: PR.DS-01.01
  comments: This diagnostic statement focuses on protecting data-at-rest by implementing
    encryption and other security measures such as sandboxing, authentication, segregation,
    masking, tokenization, and file integrity monitoring.
  mapping_type: mitigates
  references: []
- attack_object_id: T1565.002
  attack_object_name: Transmitted Data Manipulation
  capability_description: Data-at-rest protection
  capability_group: PR.DS
  capability_id: PR.DS-01.01
  comments: This diagnostic statement focuses on protecting data-at-rest by implementing
    encryption and other security measures such as sandboxing, authentication, segregation,
    masking, tokenization, and file integrity monitoring.
  mapping_type: mitigates
  references: []
- attack_object_id: T1565.001
  attack_object_name: Stored Data Manipulation
  capability_description: Data-at-rest protection
  capability_group: PR.DS
  capability_id: PR.DS-01.01
  comments: This diagnostic statement focuses on protecting data-at-rest by implementing
    encryption and other security measures such as sandboxing, authentication, segregation,
    masking, tokenization, and file integrity monitoring.
  mapping_type: mitigates
  references: []
- attack_object_id: T1530
  attack_object_name: Data from Cloud Storage
  capability_description: Data-at-rest protection
  capability_group: PR.DS
  capability_id: PR.DS-01.01
  comments: This diagnostic statement focuses on protecting data-at-rest by implementing
    encryption and other security measures such as sandboxing, authentication, segregation,
    masking, tokenization, and file integrity monitoring.
  mapping_type: mitigates
  references: []
- attack_object_id: T1213
  attack_object_name: Data from Information Repositories
  capability_description: Data-at-rest protection
  capability_group: PR.DS
  capability_id: PR.DS-01.01
  comments: This diagnostic statement focuses on protecting data-at-rest by implementing
    encryption and other security measures such as sandboxing, authentication, segregation,
    masking, tokenization, and file integrity monitoring.
  mapping_type: mitigates
  references: []
- attack_object_id: T1557.002
  attack_object_name: ARP Cache Poisoning
  capability_description: Data-at-rest protection
  capability_group: PR.DS
  capability_id: PR.DS-01.01
  comments: This diagnostic statement focuses on protecting data-at-rest by implementing
    encryption and other security measures such as sandboxing, authentication, segregation,
    masking, tokenization, and file integrity monitoring.
  mapping_type: mitigates
  references: []
- attack_object_id: T1557
  attack_object_name: Adversary-in-the-Middle
  capability_description: Data-at-rest protection
  capability_group: PR.DS
  capability_id: PR.DS-01.01
  comments: This diagnostic statement focuses on protecting data-at-rest by implementing
    encryption and other security measures such as sandboxing, authentication, segregation,
    masking, tokenization, and file integrity monitoring. Note that adversary-in-the-middle
    positioning targets traffic in transit, so data-at-rest protection is only a secondary
    control here, limiting what an adversary can do with intercepted credentials or file
    access; encrypting and authenticating traffic in transit remains the primary mitigation.
  mapping_type: mitigates
  references: []
- attack_object_id: T1030
  attack_object_name: Data Transfer Size Limits
  capability_description: Removable media protection
  capability_group: PR.DS
  capability_id: PR.DS-01.03
  comments: This diagnostic statement focuses on restricting the use of removable
    media devices (e.g., USB drives, CDs, DVDs) to prevent unauthorized access, data
    leakage, or malicious activity.
  mapping_type: mitigates
  references: []
- attack_object_id: T1200
  attack_object_name: Hardware Additions
  capability_description: Removable media protection
  capability_group: PR.DS
  capability_id: PR.DS-01.03
  comments: This diagnostic statement focuses on restricting the use of removable
    media devices (e.g., USB drives, CDs, DVDs) to prevent unauthorized access, data
    leakage, or malicious activity.
  mapping_type: mitigates
  references: []
- attack_object_id: T1092
  attack_object_name: Communication Through Removable Media
  capability_description: Removable media protection
  capability_group: PR.DS
  capability_id: PR.DS-01.03
  comments: This diagnostic statement focuses on restricting the use of removable
    media devices (e.g., USB drives, CDs, DVDs) to prevent unauthorized access, data
    leakage, or malicious activity.
  mapping_type: mitigates
  references: []
- attack_object_id: T1025
  attack_object_name: Data from Removable Media
  capability_description: Removable media protection
  capability_group: PR.DS
  capability_id: PR.DS-01.03
  comments: This diagnostic statement focuses on restricting the use of removable
    media devices (e.g., USB drives, CDs, DVDs) to prevent unauthorized access, data
    leakage, or malicious activity.
  mapping_type: mitigates
  references: []
- attack_object_id: T1537
  attack_object_name: Transfer Data to Cloud Account
  capability_description: Data loss prevention
  capability_group: PR.DS
  capability_id: PR.DS-01.02
  comments: The use of data loss prevention controls may mitigate the techniques related
    to data leakage and loss from local systems, automated exfiltration, and exfiltration
    over non-approved services.
  mapping_type: mitigates
  references: []
- attack_object_id: T1567.004
  attack_object_name: Exfiltration Over Webhook
  capability_description: Data loss prevention
  capability_group: PR.DS
  capability_id: PR.DS-01.02
  comments: The use of data loss prevention controls may mitigate the techniques related
    to data leakage and loss from local systems, automated exfiltration, and exfiltration
    over non-approved services.
  mapping_type: mitigates
  references: []
- attack_object_id: T1052.001
  attack_object_name: Exfiltration over USB
  capability_description: Data loss prevention
  capability_group: PR.DS
  capability_id: PR.DS-01.02
  comments: The use of data loss prevention controls may mitigate the techniques related
    to data leakage and loss from local systems, automated exfiltration, and exfiltration
    over non-approved services.
  mapping_type: mitigates
  references: []
- attack_object_id: T1052
  attack_object_name: Exfiltration Over Physical Medium
  capability_description: Data loss prevention
  capability_group: PR.DS
  capability_id: PR.DS-01.02
  comments: The use of data loss prevention controls may mitigate the techniques related
    to data leakage and loss from local systems, automated exfiltration, and exfiltration
    over non-approved services.
  mapping_type: mitigates
  references: []
- attack_object_id: T1041
  attack_object_name: Exfiltration Over C2 Channel
  capability_description: Data loss prevention
  capability_group: PR.DS
  capability_id: PR.DS-01.02
  comments: The use of data loss prevention controls may mitigate the techniques related
    to data leakage and loss from local systems, automated exfiltration, and exfiltration
    over non-approved services.
  mapping_type: mitigates
  references: []
- attack_object_id: T1048.003
  attack_object_name: Exfiltration Over Unencrypted Non-C2 Protocol
  capability_description: Data loss prevention
  capability_group: PR.DS
  capability_id: PR.DS-01.02
  comments: The use of data loss prevention controls may mitigate the techniques related
    to data leakage and loss from local systems, automated exfiltration, and exfiltration
    over non-approved services.
  mapping_type: mitigates
  references: []
- attack_object_id: T1048.002
  attack_object_name: Exfiltration Over Asymmetric Encrypted Non-C2 Protocol
  capability_description: Data loss prevention
  capability_group: PR.DS
  capability_id: PR.DS-01.02
  comments: The use of data loss prevention controls may mitigate the techniques related
    to data leakage and loss from local systems, automated exfiltration, and exfiltration
    over non-approved services. Because content sent over an asymmetrically encrypted
    protocol is not visible to network-based DLP without TLS interception, this mapping
    relies mainly on endpoint DLP and on restricting unapproved egress protocols and
    destinations.
  mapping_type: mitigates
  references: []
- attack_object_id: T1048
  attack_object_name: Exfiltration Over Alternative Protocol
  capability_description: Data loss prevention
  capability_group: PR.DS
  capability_id: PR.DS-01.02
  comments: The use of data loss prevention controls may mitigate the techniques related
    to data leakage and loss from local systems, automated exfiltration, and exfiltration
    over non-approved services.
  mapping_type: mitigates
  references: []
- attack_object_id: T1025
  attack_object_name: Data from Removable Media
  capability_description: Data loss prevention
  capability_group: PR.DS
  capability_id: PR.DS-01.02
  comments: The use of data loss prevention controls may mitigate the techniques related
    to data leakage and loss from local systems, automated exfiltration, and exfiltration
    over non-approved services.
  mapping_type: mitigates
  references: []
- attack_object_id: T1005
  attack_object_name: Data from Local System
  capability_description: Data loss prevention
  capability_group: PR.DS
  capability_id: PR.DS-01.02
  comments: The use of data loss prevention controls may mitigate the techniques related
    to data leakage and loss from local systems, automated exfiltration, and exfiltration
    over non-approved services.
  mapping_type: mitigates
  references: []
- attack_object_id: T1020.001
  attack_object_name: Traffic Duplication
  capability_description: Data loss prevention
  capability_group: PR.DS
  capability_id: PR.DS-01.02
  comments: The use of data loss prevention controls may mitigate the techniques related
    to data leakage and loss from local systems, automated exfiltration, and exfiltration
    over non-approved services.
  mapping_type: mitigates
  references: []
- attack_object_id: T1114.003
  attack_object_name: Email Forwarding Rule
  capability_description: Email verification mechanisms
  capability_group: PR.AA
  capability_id: PR.AA-03.03
  comments: This diagnostic statement provides protection from adversaries that try
    to gain sensitive information and data from users via email. Utilizing methods
    such as encryption is recommended to minimize the risk of adversaries using email
    forwarding rules to collect credentials and other sensitive information. Encryption
    limits what a forwarded message exposes; auditing and alerting on newly created
    forwarding rules is still needed to detect the rule itself.
  mapping_type: mitigates
  references: []
- attack_object_id: T1114.002
  attack_object_name: Remote Email Collection
  capability_description: Email verification mechanisms
  capability_group: PR.AA
  capability_id: PR.AA-03.03
  comments: This diagnostic statement provides protection from adversaries that try
    to gain sensitive information and data from users via email. Utilizing methods
    such as encryption and MFA is recommended to minimize the risk of adversaries using
    compromised credentials to collect email from Exchange or other mail servers from
    within a network.
  mapping_type: mitigates
  references: []
- attack_object_id: T1114.001
  attack_object_name: Local Email Collection
  capability_description: Email verification mechanisms
  capability_group: PR.AA
  capability_id: PR.AA-03.03
  comments: This diagnostic statement provides protection from adversaries that try
    to gain sensitive information and data from users via email. Utilizing methods
    such as encryption, including public-key encryption of email content, is recommended
    to minimize the risk of adversaries collecting information from email data files
    and caches stored on local systems.
  mapping_type: mitigates
  references: []
- attack_object_id: T1114
  attack_object_name: Email Collection
  capability_description: Email verification mechanisms
  capability_group: PR.AA
  capability_id: PR.AA-03.03
  comments: This diagnostic statement provides protection from adversaries that try
    to gain sensitive information and data from users via email. Utilizing methods
    such as MFA is recommended to minimize the risk of adversaries using compromised
    usernames and passwords to access and collect email.
  mapping_type: mitigates
  references: []
- attack_object_id: T1598
  attack_object_name: Phishing for Information
  capability_description: Email verification mechanisms
  capability_group: PR.AA
  capability_id: PR.AA-03.03
  comments: This diagnostic statement provides protection from phishing attacks through
    the implementation of software configuration methods, such as anti-spoofing and
    email authentication. Enabling sender-authentication mechanisms such as SPF, DKIM,
    and DMARC adds protection against adversaries that send spoofed phishing emails to
    elicit sensitive information. These mechanisms apply only to email and only to
    messages that spoof a protected domain; phishing delivered over instant messaging
    or sent from attacker-registered or compromised domains requires additional controls
    such as content filtering and user awareness training.
  mapping_type: mitigates
  references: []
- attack_object_id: T1598.002
  attack_object_name: Spearphishing Attachment
  capability_description: Email verification mechanisms
  capability_group: PR.AA
  capability_id: PR.AA-03.03
  comments: This diagnostic statement provides protection from phishing attacks through
    the implementation of software configuration methods, such as anti-spoofing and
    email authentication. Enabling mechanisms such as SPF, DKIM, and DMARC adds protection
    against adversaries that send spoofed spearphishing emails with a malicious attachment
    to elicit sensitive information.
  mapping_type: mitigates
  references: []
- attack_object_id: T1598.003
  attack_object_name: Spearphishing Link
  capability_description: Email verification mechanisms
  capability_group: PR.AA
  capability_id: PR.AA-03.03
  comments: 'This diagnostic statement provides protection from phishing attacks through
    the implementation of software configuration methods, such as anti-spoofing and
    email authentication. Enabling mechanisms such as SPF, DKIM, and DMARC adds protection
    against adversaries that send spoofed spearphishing emails with a malicious link
    to elicit sensitive information.'
  mapping_type: mitigates
  references: []
- attack_object_id: T1566.002
  attack_object_name: Spearphishing Link
  capability_description: Email verification mechanisms
  capability_group: PR.AA
  capability_id: PR.AA-03.03
  comments: 'This diagnostic statement provides protection from phishing attacks through
    the implementation of software configuration methods, such as anti-spoofing and
    email authentication. Enabling mechanisms such as SPF, DKIM, and DMARC adds protection
    against adversaries that send spoofed spearphishing emails with a malicious link.'
  mapping_type: mitigates
  references: []
- attack_object_id: T1566.001
  attack_object_name: Spearphishing Attachment
  capability_description: Email verification mechanisms
  capability_group: PR.AA
  capability_id: PR.AA-03.03
  comments: 'This diagnostic statement provides protection from phishing attacks through
    the implementation of software configuration methods, such as anti-spoofing and
    email authentication. Enabling mechanisms such as SPF, DKIM, and DMARC adds protection
    against adversaries that send spoofed spearphishing emails with a malicious attachment.'
  mapping_type: mitigates
  references: []
- attack_object_id: T1566
  attack_object_name: Phishing
  capability_description: Email verification mechanisms
  capability_group: PR.AA
  capability_id: PR.AA-03.03
  comments: This diagnostic statement provides protection from phishing attacks through
    the implementation of software configuration methods, such as anti-spoofing and
    email authentication (SPF, DKIM, and DMARC). Note that sender authentication only
    counters messages that spoof a protected domain; phishing sent from attacker-registered
    domains or compromised legitimate accounts passes these checks and must be addressed
    with additional controls such as attachment and link filtering and user awareness
    training.
  mapping_type: mitigates
  references: []
- attack_object_id: T1072
  attack_object_name: Software Deployment Tools
  capability_description: Vulnerability management
  capability_group: ID.RA
  capability_id: ID.RA-01.03
  comments: This diagnostic statement provides protection from vulnerabilities in
    exposed applications from across the organization through the use of tools that
    scan for and review vulnerabilities along with patch management and remediation
    of those vulnerabilities.
  mapping_type: mitigates
  references: []
- attack_object_id: T1574
  attack_object_name: Hijack Execution Flow
  capability_description: Vulnerability management
  capability_group: ID.RA
  capability_id: ID.RA-01.03
  comments: This diagnostic statement provides protection from vulnerabilities in
    exposed applications from across the organization through the use of tools that
    scan for and review vulnerabilities along with patch management and remediation
    of those vulnerabilities.
  mapping_type: mitigates
  references: []
- attack_object_id: T1495
  attack_object_name: Firmware Corruption
  capability_description: Vulnerability management
  capability_group: ID.RA
  capability_id: ID.RA-01.03
  comments: This diagnostic statement provides protection from vulnerabilities in
    exposed applications from across the organization through the use of tools that
    scan for and review vulnerabilities along with patch management and remediation
    of those vulnerabilities.
  mapping_type: mitigates
  references: []
- attack_object_id: T1211
  attack_object_name: Exploitation for Defense Evasion
  capability_description: Vulnerability management
  capability_group: ID.RA
  capability_id: ID.RA-01.03
  comments: This diagnostic statement provides protection from vulnerabilities in
    exposed applications from across the organization through the use of tools that
    scan for and review vulnerabilities along with patch management and remediation
    of those vulnerabilities.
  mapping_type: mitigates
  references: []
- attack_object_id: T1212
  attack_object_name: Exploitation for Credential Access
  capability_description: Vulnerability management
  capability_group: ID.RA
  capability_id: ID.RA-01.03
  comments: This diagnostic statement provides protection from vulnerabilities in
    exposed applications from across the organization through the use of tools that
    scan for and review vulnerabilities along with patch management and remediation
    of those vulnerabilities.
  mapping_type: mitigates
  references: []
- attack_object_id: T1203
  attack_object_name: Exploitation for Client Execution
  capability_description: Vulnerability management
  capability_group: ID.RA
  capability_id: ID.RA-01.03
  comments: This diagnostic statement provides protection from vulnerabilities in
    exposed applications from across the organization through the use of tools that
    scan for and review vulnerabilities along with patch management and remediation
    of those vulnerabilities.
  mapping_type: mitigates
  references: []
- attack_object_id: T1195
  attack_object_name: Supply Chain Compromise
  capability_description: Vulnerability management
  capability_group: ID.RA
  capability_id: ID.RA-01.03
  comments: This diagnostic statement provides protection from vulnerabilities in
    exposed applications from across the organization through the use of tools that
    scan for and review vulnerabilities along with patch management and remediation
    of those vulnerabilities. Scanning and addressing vulnerabilities in software
    dependencies can help reduce the attack surface for the organization and protect
    against adversaries looking for ways to access its systems. Note that vulnerability
    scanning identifies known, published vulnerabilities; it does not detect deliberately
    inserted malicious code or tampered components, which require complementary controls
    such as verifying the signatures and provenance of packages and artifacts.
  mapping_type: mitigates
  references: []
- attack_object_id: T1195.001
  attack_object_name: Compromise Software Dependencies and Development Tools
  capability_description: Vulnerability management
  capability_group: ID.RA
  capability_id: ID.RA-01.03
  comments: This diagnostic statement provides protection from vulnerabilities in
    exposed applications from across the organization through the use of tools that
    scan for and review vulnerabilities along with patch management and remediation
    of those vulnerabilities. Scanning and addressing vulnerabilities in software
    dependencies can help reduce the attack surface for the organization and protect
    against adversaries looking for ways to access its systems. Note that dependency
    scanning identifies known, published vulnerabilities; it does not detect a dependency
    or development tool that has been deliberately backdoored, which requires
    complementary controls such as verifying package signatures and provenance and
    pinning dependency versions.
  mapping_type: mitigates
  references: []
- attack_object_id: T1195.002
  attack_object_name: Compromise Software Supply Chain
  capability_description: Vulnerability management
  capability_group: ID.RA
  capability_id: ID.RA-01.03
  comments: This diagnostic statement provides protection from vulnerabilities in
    exposed applications from across the organization through the use of tools that
    scan for and review vulnerabilities along with patch management and remediation
    of those vulnerabilities. Scanning and addressing vulnerabilities in software
    dependencies and development tools can help reduce the attack surface for the
    organization and protect against adversaries looking for ways to access its systems.
    Note that vulnerability scanning identifies known, published vulnerabilities; it
    does not detect software whose build or distribution has been tampered with, which
    requires complementary controls such as verifying the signatures and provenance of
    delivered artifacts before installation.
  mapping_type: mitigates
  references: []
- attack_object_id: T1210
  attack_object_name: Exploitation of Remote Services
  capability_description: Vulnerability management
  capability_group: ID.RA
  capability_id: ID.RA-01.03
  comments: This diagnostic statement provides protection from vulnerabilities in
    exposed applications from across the organization through the use of tools that
    scan for and review vulnerabilities along with patch management and remediation
    of those vulnerabilities.
  mapping_type: mitigates
  references: []
- attack_object_id: T1190
  attack_object_name: Exploit Public-Facing Application
  capability_description: Vulnerability management
  capability_group: ID.RA
  capability_id: ID.RA-01.03
  comments: This diagnostic statement provides protection from vulnerabilities in
    exposed applications from across the organization through the use of tools that
    scan for and review vulnerabilities along with patch management and remediation
    of those vulnerabilities.
  mapping_type: mitigates
  references: []
- attack_object_id: T1543
  attack_object_name: Create or Modify System Process
  capability_description: Unauthorized software, hardware, or configuration changes
  capability_group: DE.CM
  capability_id: DE.CM-09.03
  comments: This Diagnostic Statement addresses measures for managing configuration
    integrity and unauthorized changes that can mitigate risks associated with adversary
    techniques attempting to make changes to how the hardware, software, and firmware
    operates.
  mapping_type: mitigates
  references: []
- attack_object_id: T1601
  attack_object_name: Modify System Image
  capability_description: Unauthorized software, hardware, or configuration changes
  capability_group: DE.CM
  capability_id: DE.CM-09.03
  comments: This Diagnostic Statement addresses measures for managing configuration
    integrity and unauthorized changes that can mitigate risks associated with adversary
    techniques attempting to make changes to how the hardware, software, and firmware
    operates.
  mapping_type: mitigates
  references: []
- attack_object_id: T1556
  attack_object_name: Modify Authentication Process
  capability_description: Unauthorized software, hardware, or configuration changes
  capability_group: DE.CM
  capability_id: DE.CM-09.03
  comments: This Diagnostic Statement addresses measures for managing configuration
    integrity and unauthorized changes that can mitigate risks associated with adversary
    techniques attempting to make changes to how the hardware, software, and firmware
    operates.
  mapping_type: mitigates
  references: []
- attack_object_id: T1542.002
  attack_object_name: Component Firmware
  capability_description: Unauthorized software, hardware, or configuration changes
  capability_group: DE.CM
  capability_id: DE.CM-09.03
  comments: This Diagnostic Statement addresses measures for managing configuration
    integrity and unauthorized changes that can mitigate risks associated with adversary
    techniques attempting to make changes to how the hardware, software, and firmware
    operates.
  mapping_type: mitigates
  references: []
- attack_object_id: T1542.001
  attack_object_name: System Firmware
  capability_description: Unauthorized software, hardware, or configuration changes
  capability_group: DE.CM
  capability_id: DE.CM-09.03
  comments: This Diagnostic Statement addresses measures for managing configuration
    integrity and unauthorized changes that can mitigate risks associated with adversary
    techniques attempting to make changes to how the hardware, software, and firmware
    operates.
  mapping_type: mitigates
  references: []
- attack_object_id: T1495
  attack_object_name: Firmware Corruption
  capability_description: Unauthorized software, hardware, or configuration changes
  capability_group: DE.CM
  capability_id: DE.CM-09.03
  comments: This Diagnostic Statement addresses measures for managing configuration
    integrity and unauthorized changes that can mitigate risks associated with adversary
    techniques attempting to make changes to how the hardware, software, and firmware
    operates.
  mapping_type: mitigates
  references: []
- attack_object_id: T1562
  attack_object_name: Impair Defenses
  capability_description: Unauthorized software, hardware, or configuration changes
  capability_group: DE.CM
  capability_id: DE.CM-09.03
  comments: This Diagnostic Statement addresses measures for managing configuration
    integrity and unauthorized changes that can mitigate risks associated with adversary
    techniques attempting to make changes to how the hardware, software, and firmware
    operates.
  mapping_type: mitigates
  references: []
- attack_object_id: T1080
  attack_object_name: Taint Shared Content
  capability_description: Malware prevention
  capability_group: PR.PS
  capability_id: PR.PS-05.01
  comments: Antivirus/Antimalware software can be utilized to detect and quarantine
    suspicious files.
  mapping_type: mitigates
  references: []
- attack_object_id: T1566.003
  attack_object_name: Spearphishing via Service
  capability_description: Malware prevention
  capability_group: PR.PS
  capability_id: PR.PS-05.01
  comments: Antivirus/Antimalware software can be utilized to detect and quarantine
    suspicious files and links, protecting against harmful files, websites, and downloads.
  mapping_type: mitigates
  references: []
- attack_object_id: T1566.001
  attack_object_name: Spearphishing Attachment
  capability_description: Malware prevention
  capability_group: PR.PS
  capability_id: PR.PS-05.01
  comments: Antivirus/Antimalware software can be utilized to detect and quarantine
    suspicious files and links, protecting against harmful files, websites, and downloads.
  mapping_type: mitigates
  references: []
- attack_object_id: T1566
  attack_object_name: Phishing
  capability_description: Malware prevention
  capability_group: PR.PS
  capability_id: PR.PS-05.01
  comments: Antivirus/Antimalware software can be utilized to detect and quarantine
    suspicious files and links, protecting against harmful files, websites, and downloads.
  mapping_type: mitigates
  references: []
- attack_object_id: T1027.014
  attack_object_name: Polymorphic Code
  capability_description: Malware prevention
  capability_group: PR.PS
  capability_id: PR.PS-05.01
  comments: Antivirus/Antimalware software can be utilized to detect and quarantine
    suspicious files that adversaries have made difficult to discover by encrypting,
    encoding or obfuscating.
  mapping_type: mitigates
  references: []
- attack_object_id: T1027.013
  attack_object_name: Encrypted/Encoded File
  capability_description: Malware prevention
  capability_group: PR.PS
  capability_id: PR.PS-05.01
  comments: Antivirus/Antimalware software can be utilized to detect and quarantine
    suspicious files that adversaries have made difficult to discover by encrypting,
    encoding or obfuscating.
  mapping_type: mitigates
  references: []
- attack_object_id: T1027.010
  attack_object_name: Command Obfuscation
  capability_description: Malware prevention
  capability_group: PR.PS
  capability_id: PR.PS-05.01
  comments: Antivirus/Antimalware software can be utilized to detect and quarantine
    suspicious commands and scripts that adversaries have made difficult to discover
    by encrypting, encoding, or obfuscating. On Windows 10+, the Antimalware Scan
    Interface (AMSI) lets antimalware products inspect script content after the
    interpreter has decoded it, which is more effective than scanning the obfuscated
    file alone.
  mapping_type: mitigates
  references: []
- attack_object_id: T1027.009
  attack_object_name: Embedded Payloads
  capability_description: Malware prevention
  capability_group: PR.PS
  capability_id: PR.PS-05.01
  comments: Antivirus/Antimalware software can be utilized to detect and quarantine
    suspicious files that adversaries have made difficult to discover by encrypting,
    encoding, or obfuscating.
  mapping_type: mitigates
  references: []
- attack_object_id: T1027.002
  attack_object_name: Software Packing
  capability_description: Malware prevention
  capability_group: PR.PS
  capability_id: PR.PS-05.01
  comments: Heuristic-based malware detection and signatures for observed malware
    can be used to identify known software packers or artifacts of packing techniques
    that conceal malicious content.
  mapping_type: mitigates
  references: []
- attack_object_id: T1547.006
  attack_object_name: Kernel Modules and Extensions
  capability_description: Malware prevention
  capability_group: PR.PS
  capability_id: PR.PS-05.01
  comments: Antivirus/Antimalware software should be utilized to detect and quarantine
    suspicious files that adversaries have made difficult to discover by encrypting,
    encoding or obfuscating its contents on the system.
  mapping_type: mitigates
  references: []
- attack_object_id: T1036.008
  attack_object_name: Masquerade File Type
  capability_description: Malware prevention
  capability_group: PR.PS
  capability_id: PR.PS-05.01
  comments: Antivirus/Antimalware software can be utilized to detect and quarantine
    suspicious files that adversaries have manipulated to appear legitimate or benign.
  mapping_type: mitigates
  references: []
- attack_object_id: T1036
  attack_object_name: Masquerading
  capability_description: Malware prevention
  capability_group: PR.PS
  capability_id: PR.PS-05.01
  comments: Antivirus/Antimalware software can be utilized to detect and quarantine
    suspicious files that adversaries have manipulated to appear legitimate or benign.
  mapping_type: mitigates
  references: []
- attack_object_id: T1059.006
  attack_object_name: Python
  capability_description: Malware prevention
  capability_group: PR.PS
  capability_id: PR.PS-05.01
  comments: Antivirus/Antimalware software can be utilized to detect and quarantine
    files that have been embedded with malicious commands or scripts.
  mapping_type: mitigates
  references: []
- attack_object_id: T1059.005
  attack_object_name: Visual Basic
  capability_description: Malware prevention
  capability_group: PR.PS
  capability_id: PR.PS-05.01
  comments: Antivirus/Antimalware software can be utilized to detect and quarantine
    files that have been embedded with malicious commands or scripts.
  mapping_type: mitigates
  references: []
- attack_object_id: T1059.001
  attack_object_name: PowerShell
  capability_description: Malware prevention
  capability_group: PR.PS
  capability_id: PR.PS-05.01
  comments: Antivirus/Antimalware software can be utilized to detect and quarantine
    files that have been embedded with malicious commands or scripts.
  mapping_type: mitigates
  references: []
- attack_object_id: T1059
  attack_object_name: Command and Scripting Interpreter
  capability_description: Malware prevention
  capability_group: PR.PS
  capability_id: PR.PS-05.01
  comments: Antivirus/Antimalware software can be utilized to detect and quarantine
    files that have been embedded with malicious commands or scripts.
  mapping_type: mitigates
  references: []
- attack_object_id: T1565.001
  attack_object_name: Stored Data Manipulation
  capability_description: Data backup and replication
  capability_group: PR.DS
  capability_id: PR.DS-11.01
  comments: This diagnostic statement provides protection from adversaries that try
    to manipulate and/or modify data at rest, which harms the integrity of data. Implementing
    a data backup or disaster recovery plan can be used to restore organizational data
    that adversaries may have attempted to overwrite. Ensure backups are stored off
    system and are protected from common methods adversaries may use to gain access
    and manipulate backups; because integrity manipulation may go unnoticed for some
    time, retain enough backup history to restore from a point before the manipulation
    occurred.
  mapping_type: mitigates
  references: []
- attack_object_id: T1565
  attack_object_name: Data Manipulation
  capability_description: Data backup and replication
  capability_group: PR.DS
  capability_id: PR.DS-11.01
  comments: This diagnostic statement provides protection from adversaries that try
    to manipulate, modify and/or harm the integrity of data. Implementing a data backup
    or disaster recovery plan can be used to restore organizational data that adversaries
    may have attempted to overwrite. Ensure backups are stored off system and are protected
    from common methods adversaries may use to gain access and manipulate backups.
  mapping_type: mitigates
  references: []
- attack_object_id: T1561.002
  attack_object_name: Disk Structure Wipe
  capability_description: Data backup and replication
  capability_group: PR.DS
  capability_id: PR.DS-11.01
  comments: This diagnostic statement protects against adversaries that wipe or corrupt
    disk data structures on a hard drive. Implementing a data backup or disaster recovery
    plan can be used to restore organizational data that adversaries may have attempted
    to overwrite while targeting critical systems.
  mapping_type: mitigates
  references: []
- attack_object_id: T1561.001
  attack_object_name: Disk Content Wipe
  capability_description: Data backup and replication
  capability_group: PR.DS
  capability_id: PR.DS-11.01
  comments: This diagnostic statement protects against adversaries that wipe or corrupt
    the contents of storage devices. Implementing a data backup or disaster recovery plan
    can be used to restore organizational data that adversaries may have attempted to
    overwrite.
  mapping_type: mitigates
  references: []
- attack_object_id: T1561
  attack_object_name: Disk Wipe
  capability_description: Data backup and replication
  capability_group: PR.DS
  capability_id: PR.DS-11.01
  comments: This diagnostic statement protects against adversaries that wipe or corrupt
    raw disk data on systems. Implementing a data backup or disaster recovery plan can be
    used to restore organizational data that adversaries may have attempted to overwrite.
  mapping_type: mitigates
  references: []
- attack_object_id: T1490
  attack_object_name: Inhibit System Recovery
  capability_description: Data backup and replication
  capability_group: PR.DS
  capability_id: PR.DS-11.01
  comments: This diagnostic statement provides protection from adversaries that try
    to remove built-in data and/or turn off services that are used to help with the
    recovery of corrupted systems. Ensuring backups are stored off system and are protected
    from common methods adversaries may use to gain access and destroy them is a way to
    deny adversaries the ability to remove available backup and recovery options.
    Restoration from those backups should be tested regularly so that recovery does not
    depend on the on-system mechanisms this technique disables.
  mapping_type: mitigates
  references: []
- attack_object_id: T1486
  attack_object_name: Data Encrypted for Impact
  capability_description: Data backup and replication
  capability_group: PR.DS
  capability_id: PR.DS-11.01
  comments: This diagnostic statement provides protection from adversaries that may
    encrypt data on target systems in a network to interrupt the availability of system
    and network resources. They can attempt to render stored data inaccessible by
    encrypting files or data on local and remote drives and withholding access to
    a decryption key. Implementing a data backup or disaster recovery plan can be used
    to restore organizational data. Ensure backups are stored off-system and are protected
    from common methods adversaries may use to gain access and destroy the backups
    to prevent recovery.
  mapping_type: mitigates
  references: []
- attack_object_id: T1485.001
  attack_object_name: Lifecycle-Triggered Deletion
  capability_description: Data backup and replication
  capability_group: PR.DS
  capability_id: PR.DS-11.01
  comments: This diagnostic statement provides protection from adversaries that may
    modify the lifecycle policies of a cloud storage bucket to destroy all objects stored
    within it. Implementing a data backup or disaster recovery plan can be used to restore
    organizational data.
  mapping_type: mitigates
  references: []
- attack_object_id: T1485
  attack_object_name: Data Destruction
  capability_description: Data backup and replication
  capability_group: PR.DS
  capability_id: PR.DS-11.01
  comments: This diagnostic statement provides protection from adversaries that may
    try to destroy data and files on systems or on a network/network resource. Implementing
    a data backup or disaster recovery plan can be used to restore organizational data.
  mapping_type: mitigates
  references: []
- attack_object_id: T1537
  attack_object_name: Transfer Data to Cloud Account
  capability_description: Data-in-use protection
  capability_group: PR.DS
  capability_id: PR.DS-10.01
  comments: This Diagnostic Statement describes mitigations related to protecting
    data-in-use, mentioning encryption, access control methods and authentication.
    Using encryption for data-in-use, alongside other safeguards such as those for
    restricting exfiltration of sensitive data, aids in mitigating collection and
    exfiltration threats.
  mapping_type: mitigates
  references: []
- attack_object_id: T1567
  attack_object_name: Exfiltration Over Web Service
  capability_description: Data-in-use protection
  capability_group: PR.DS
  capability_id: PR.DS-10.01
  comments: This Diagnostic Statement describes mitigations related to protecting
    data-in-use, mentioning encryption, access control methods and authentication.
    Using encryption for data-in-use, alongside other safeguards such as those for
    restricting exfiltration of sensitive data, aids in mitigating collection and
    exfiltration threats.
  mapping_type: mitigates
  references: []
- attack_object_id: T1052
  attack_object_name: Exfiltration Over Physical Medium
  capability_description: Data-in-use protection
  capability_group: PR.DS
  capability_id: PR.DS-10.01
  comments: This Diagnostic Statement describes mitigations related to protecting
    data-in-use, mentioning encryption, access control methods and authentication.
    Using encryption for data-in-use, alongside other safeguards such as those for
    restricting exfiltration of sensitive data, aids in mitigating collection and
    exfiltration threats.
  mapping_type: mitigates
  references: []
- attack_object_id: T1052.001
  attack_object_name: Exfiltration over USB
  capability_description: Data-in-use protection
  capability_group: PR.DS
  capability_id: PR.DS-10.01
  comments: This Diagnostic Statement describes mitigations related to protecting
    data-in-use, mentioning encryption, access control methods and authentication.
    Using encryption for data-in-use, alongside other safeguards such as those for
    restricting exfiltration of sensitive data, aids in mitigating collection and
    exfiltration threats.
  mapping_type: mitigates
  references: []
- attack_object_id: T1025
  attack_object_name: Data from Removable Media
  capability_description: Data-in-use protection
  capability_group: PR.DS
  capability_id: PR.DS-10.01
  comments: This Diagnostic Statement describes mitigations related to protecting
    data-in-use, mentioning encryption, access control methods and authentication.
    Using encryption for data-in-use, alongside other safeguards such as those for
    restricting exfiltration of sensitive data, aids in mitigating collection and
    exfiltration threats.
  mapping_type: mitigates
  references: []
- attack_object_id: T1041
  attack_object_name: Exfiltration Over C2 Channel
  capability_description: Data-in-use protection
  capability_group: PR.DS
  capability_id: PR.DS-10.01
  comments: This Diagnostic Statement describes mitigations related to protecting
    data-in-use, mentioning encryption, access control methods and authentication.
    Using encryption for data-in-use, alongside other safeguards such as those for
    restricting exfiltration of sensitive data, aids in mitigating collection and
    exfiltration threats.
  mapping_type: mitigates
  references: []
- attack_object_id: T1048
  attack_object_name: Exfiltration Over Alternative Protocol
  capability_description: Data-in-use protection
  capability_group: PR.DS
  capability_id: PR.DS-10.01
  comments: This Diagnostic Statement describes mitigations related to protecting
    data-in-use, mentioning encryption, access control methods and authentication.
    Using encryption for data-in-use, alongside other safeguards such as those for
    restricting exfiltration of sensitive data, aids in mitigating collection and
    exfiltration threats.
  mapping_type: mitigates
  references: []
- attack_object_id: T1005
  attack_object_name: Data from Local System
  capability_description: Data-in-use protection
  capability_group: PR.DS
  capability_id: PR.DS-10.01
  comments: This Diagnostic Statement describes mitigations related to protecting
    data-in-use, mentioning encryption, access control methods and authentication.
    Using encryption for data-in-use, alongside other safeguards such as those for
    restricting exfiltration of sensitive data, aids in mitigating collection and
    exfiltration threats.
  mapping_type: mitigates
  references: []
- attack_object_id: T1040
  attack_object_name: Network Sniffing
  capability_description: Data-in-use protection
  capability_group: PR.DS
  capability_id: PR.DS-10.01
  comments: This Diagnostic Statement describes mitigations related to protecting
    data-in-use, mentioning encryption, access control methods and authentication.
    Using encryption for data-in-use, alongside other safeguards such as those for
    restricting exfiltration of sensitive data, aids in mitigating collection and
    exfiltration threats.
  mapping_type: mitigates
  references: []
- attack_object_id: T1070
  attack_object_name: Indicator Removal
  capability_description: Data-in-use protection
  capability_group: PR.DS
  capability_id: PR.DS-10.01
  comments: This Diagnostic Statement describes mitigations related to protecting
    data-in-use, mentioning encryption, access control methods and authentication.
    Using encryption for data-in-use, alongside other safeguards such as those for
    restricting exfiltration of sensitive data, aids in mitigating collection and
    exfiltration threats.
  mapping_type: mitigates
  references: []
- attack_object_id: T1565.001
  attack_object_name: Stored Data Manipulation
  capability_description: Data-in-use protection
  capability_group: PR.DS
  capability_id: PR.DS-10.01
  comments: This Diagnostic Statement describes mitigations related to protecting
    data-in-use, mentioning encryption, access control methods and authentication.
    Using encryption for data-in-use, alongside other safeguards such as those for
    restricting exfiltration of sensitive data, aids in mitigating collection and
    exfiltration threats.
  mapping_type: mitigates
  references: []
- attack_object_id: T1565
  attack_object_name: Data Manipulation
  capability_description: Data-in-use protection
  capability_group: PR.DS
  capability_id: PR.DS-10.01
  comments: This Diagnostic Statement describes mitigations related to protecting
    data-in-use, mentioning encryption, access control methods and authentication.
    Using encryption for data-in-use, alongside other safeguards such as those for
    restricting exfiltration of sensitive data, aids in mitigating collection and
    exfiltration threats.
  mapping_type: mitigates
  references: []
- attack_object_id: T1213
  attack_object_name: Data from Information Repositories
  capability_description: Data-in-use protection
  capability_group: PR.DS
  capability_id: PR.DS-10.01
  comments: This Diagnostic Statement describes mitigations related to protecting
    data-in-use, mentioning encryption, access control methods and authentication.
    Using encryption for data-in-use, alongside other safeguards such as those for
    restricting exfiltration of sensitive data, aids in mitigating collection and
    exfiltration threats.
  mapping_type: mitigates
  references: []
- attack_object_id: T1602
  attack_object_name: Data from Configuration Repository
  capability_description: Data-in-use protection
  capability_group: PR.DS
  capability_id: PR.DS-10.01
  comments: This Diagnostic Statement describes mitigations related to protecting
    data-in-use, mentioning encryption, access control methods and authentication.
    Using encryption for data-in-use, alongside other safeguards such as those for
    restricting exfiltration of sensitive data, aids in mitigating collection and
    exfiltration threats.
  mapping_type: mitigates
  references: []
- attack_object_id: T1530
  attack_object_name: Data from Cloud Storage
  capability_description: Data-in-use protection
  capability_group: PR.DS
  capability_id: PR.DS-10.01
  comments: This Diagnostic Statement describes mitigations related to protecting
    data-in-use, mentioning encryption, access control methods and authentication.
    Using encryption for data-in-use, alongside other safeguards such as those for
    restricting exfiltration of sensitive data, aids in mitigating collection and
    exfiltration threats.
  mapping_type: mitigates
  references: []
- attack_object_id: T1020
  attack_object_name: Automated Exfiltration
  capability_description: Data-in-use protection
  capability_group: PR.DS
  capability_id: PR.DS-10.01
  comments: This Diagnostic Statement describes mitigations related to protecting
    data-in-use, mentioning encryption, access control methods and authentication.
    Using encryption for data-in-use, alongside other safeguards such as those for
    restricting exfiltration of sensitive data, aids in mitigating collection and
    exfiltration threats.
  mapping_type: mitigates
  references: []
- attack_object_id: T1119
  attack_object_name: Automated Collection
  capability_description: Data-in-use protection
  capability_group: PR.DS
  capability_id: PR.DS-10.01
  comments: This Diagnostic Statement describes mitigations related to protecting
    data-in-use, mentioning encryption, access control methods and authentication.
    Using encryption for data-in-use, alongside other safeguards such as those for
    restricting exfiltration of sensitive data, aids in mitigating collection and
    exfiltration threats.
  mapping_type: mitigates
  references: []
- attack_object_id: T1552.007
  attack_object_name: Container API
  capability_description: Access privilege limitation
  capability_group: PR.AA
  capability_id: PR.AA-05.01
  comments: This diagnostic statement describes the implementation of the least privilege
    principle, which can be applied to limiting permissions through role-based access
    controls, file and directory permissions, and the execution of systems and services.
    An adversary must already have high-level, admin or root level access on a local
    system to make full use of these ATT&CK techniques. Restricting users and accounts
    to the least privileges they require can help mitigate these techniques.
  mapping_type: mitigates
  references: []
- attack_object_id: T1505
  attack_object_name: Server Software Component
  capability_description: Access privilege limitation
  capability_group: PR.AA
  capability_id: PR.AA-05.01
  comments: This diagnostic statement describes the implementation of the least privilege
    principle, which can be applied to limiting permissions through role-based access
    controls, file and directory permissions, and the execution of systems and services.
    An adversary must already have high-level, admin or root level access on a local
    system to make full use of these ATT&CK techniques. Restricting users and accounts
    to the least privileges they require can help mitigate these techniques.
  mapping_type: mitigates
  references: []
- attack_object_id: T1578
  attack_object_name: Modify Cloud Compute Infrastructure
  capability_description: Access privilege limitation
  capability_group: PR.AA
  capability_id: PR.AA-05.01
  comments: This diagnostic statement describes the implementation of the least privilege
    principle, which can be applied to limiting permissions through role-based access
    controls, file and directory permissions, and the execution of systems and services.
    An adversary must already have high-level, admin or root level access on a local
    system to make full use of these ATT&CK techniques. Restricting users and accounts
    to the least privileges they require can help mitigate these techniques.
  mapping_type: mitigates
  references: []
- attack_object_id: T1562.012
  attack_object_name: Disable or Modify Linux Audit System
  capability_description: Access privilege limitation
  capability_group: PR.AA
  capability_id: PR.AA-05.01
  comments: This diagnostic statement describes the implementation of the least privilege
    principle, which can be applied to limiting permissions through role-based access
    controls, file and directory permissions, and the execution of systems and services.
    An adversary must already have high-level, admin or root level access on a local
    system to make full use of these ATT&CK techniques. Restricting users and accounts
    to the least privileges they require can help mitigate these techniques.
  mapping_type: mitigates
  references: []
- attack_object_id: T1610
  attack_object_name: Deploy Container
  capability_description: Access privilege limitation
  capability_group: PR.AA
  capability_id: PR.AA-05.01
  comments: This diagnostic statement describes the implementation of the least privilege
    principle, which can be applied to limiting permissions through role-based access
    controls, file and directory permissions, and the execution of systems and services.
    An adversary must already have high-level, admin or root level access on a local
    system to make full use of these ATT&CK techniques. Restricting users and accounts
    to the least privileges they require can help mitigate these techniques.
  mapping_type: mitigates
  references: []
- attack_object_id: T1613
  attack_object_name: Container and Resource Discovery
  capability_description: Access privilege limitation
  capability_group: PR.AA
  capability_id: PR.AA-05.01
  comments: This diagnostic statement describes the implementation of the least privilege
    principle, which can be applied to limiting permissions through role-based access
    controls, file and directory permissions, and the execution of systems and services.
    An adversary must already have high-level, admin or root level access on a local
    system to make full use of these ATT&CK techniques. Restricting users and accounts
    to the least privileges they require can help mitigate these techniques.
  mapping_type: mitigates
  references: []
- attack_object_id: T1609
  attack_object_name: Container Administration Command
  capability_description: Access privilege limitation
  capability_group: PR.AA
  capability_id: PR.AA-05.01
  comments: This diagnostic statement describes the implementation of the least privilege
    principle, which can be applied to limiting permissions through role-based access
    controls, file and directory permissions, and the execution of systems and services.
    An adversary must already have high-level, admin or root level access on a local
    system to make full use of these ATT&CK techniques. Restricting users and accounts
    to the least privileges they require can help mitigate these techniques.
  mapping_type: mitigates
  references: []
- attack_object_id: T1580
  attack_object_name: Cloud Infrastructure Discovery
  capability_description: Access privilege limitation
  capability_group: PR.AA
  capability_id: PR.AA-05.01
  comments: This diagnostic statement describes the implementation of the least privilege
    principle, which can be applied to limiting permissions through role-based access
    controls, file and directory permissions, and the execution of systems and services.
    An adversary must already have high-level, admin or root level access on a local
    system to make full use of these ATT&CK techniques. Restricting users and accounts
    to the least privileges they require can help mitigate these techniques.
  mapping_type: mitigates
  references: []
- attack_object_id: T1547.009
  attack_object_name: Shortcut Modification
  capability_description: Access privilege limitation
  capability_group: PR.AA
  capability_id: PR.AA-05.01
  comments: This diagnostic statement describes the implementation of the least privilege
    principle, which can be applied to limiting permissions through role-based access
    controls, file and directory permissions, and the execution of systems and services.
    An adversary must already have high-level, admin or root level access on a local
    system to make full use of these ATT&CK techniques. Restricting users and accounts
    to the least privileges they require can help mitigate these techniques.
  mapping_type: mitigates
  references: []
- attack_object_id: T1087.004
  attack_object_name: Cloud Account
  capability_description: Access privilege limitation
  capability_group: PR.AA
  capability_id: PR.AA-05.01
  comments: This diagnostic statement describes the implementation of the least privilege
    principle, which can be applied to limiting permissions through role-based access
    controls, file and directory permissions, and the execution of systems and services.
    An adversary must already have high-level, admin or root level access on a local
    system to make full use of these ATT&CK techniques. Restricting users and accounts
    to the least privileges they require can help mitigate these techniques.
  mapping_type: mitigates
  references: []
- attack_object_id: T1134.003
  attack_object_name: Make and Impersonate Token
  capability_description: Access privilege limitation
  capability_group: PR.AA
  capability_id: PR.AA-05.01
  comments: This diagnostic statement describes the implementation of the least privilege
    principle, which can be applied to limiting permissions through role-based access
    controls, file and directory permissions, and the execution of systems and services.
    An adversary must already have high-level, admin or root level access on a local
    system to make full use of these ATT&CK techniques. Restricting users and accounts
    to the least privileges they require can help mitigate these techniques.
  mapping_type: mitigates
  references: []
- attack_object_id: T1134.002
  attack_object_name: Create Process with Token
  capability_description: Access privilege limitation
  capability_group: PR.AA
  capability_id: PR.AA-05.01
  comments: This diagnostic statement describes the implementation of the least privilege
    principle, which can be applied to limiting permissions through role-based access
    controls, file and directory permissions, and the execution of systems and services.
    An adversary must already have high-level, admin or root level access on a local
    system to make full use of these ATT&CK techniques. Restricting users and accounts
    to the least privileges they require can help mitigate these techniques.
  mapping_type: mitigates
  references: []
- attack_object_id: T1134.001
  attack_object_name: Token Impersonation/Theft
  capability_description: Access privilege limitation
  capability_group: PR.AA
  capability_id: PR.AA-05.01
  comments: This diagnostic statement describes the implementation of the least privilege
    principle, which can be applied to limiting permissions through role-based access
    controls, file and directory permissions, and the execution of systems and services.
    An adversary must already have high-level, admin or root level access on a local
    system to make full use of these ATT&CK techniques. Restricting users and accounts
    to the least privileges they require can help mitigate these techniques.
  mapping_type: mitigates
  references: []
- attack_object_id: T1098
  attack_object_name: Account Manipulation
  capability_description: Access privilege limitation
  capability_group: PR.AA
  capability_id: PR.AA-05.01
  comments: This diagnostic statement describes the implementation of the least privilege
    principle, which can be applied to limiting permissions through role-based access
    controls, file and directory permissions, and the execution of systems and services.
    An adversary must already have high-level, admin or root level access on a local
    system to make full use of these ATT&CK techniques. Restricting users and accounts
    to the least privileges they require can help mitigate these techniques.
  mapping_type: mitigates
  references: []
- attack_object_id: T1134
  attack_object_name: Access Token Manipulation
  capability_description: Access privilege limitation
  capability_group: PR.AA
  capability_id: PR.AA-05.01
  comments: This diagnostic statement describes the implementation of the least privilege
    principle, which can be applied to limiting permissions through role-based access
    controls, file and directory permissions, and the execution of systems and services.
    An adversary must already have high-level, admin or root level access on a local
    system to make full use of these ATT&CK techniques. Restricting users and accounts
    to the least privileges they require can help mitigate these techniques.
  mapping_type: mitigates
  references: []
- attack_object_id: T1574.012
  attack_object_name: COR_PROFILER
  capability_description: Access privilege limitation
  capability_group: PR.AA
  capability_id: PR.AA-05.01
  comments: This diagnostic statement describes the implementation of least privilege
    principle, which can be applied to limiting permissions through role-based access
    controls, file and directory permissions, and the execution of systems and services.
    Ensure proper permissions are set for Registry hives to prevent users from modifying
    keys associated with COR_PROFILER.
  mapping_type: mitigates
  references: []
- attack_object_id: T1574.011
  attack_object_name: Services Registry Permissions Weakness
  capability_description: Access privilege limitation
  capability_group: PR.AA
  capability_id: PR.AA-05.01
  comments: This diagnostic statement describes the implementation of least privilege
    principle, which can be applied to limiting permissions through role-based access
    controls, file and directory permissions, and the execution of systems and services.
    Ensure proper permissions are set for Registry hives to prevent users from modifying
    keys for logon scripts that may lead to persistence.
  mapping_type: mitigates
  references: []
- attack_object_id: T1574
  attack_object_name: Hijack Execution Flow
  capability_description: Access privilege limitation
  capability_group: PR.AA
  capability_id: PR.AA-05.01
  comments: This diagnostic statement describes the implementation of least privilege
    principle, which can be applied to limiting permissions through role-based access
    controls, file and directory permissions, and the execution of systems and services.
    Ensure proper permissions are set for Registry hives to prevent users from modifying
    keys for logon scripts that may lead to persistence.
  mapping_type: mitigates
  references: []
- attack_object_id: T1037.001
  attack_object_name: Logon Script (Windows)
  capability_description: Access privilege limitation
  capability_group: PR.AA
  capability_id: PR.AA-05.01
  comments: This diagnostic statement describes the implementation of least privilege
    principle, which can be applied to limiting permissions through role-based access
    controls, file and directory permissions, and the execution of systems and services.
    Ensure proper permissions are set for Registry hives to prevent users from modifying
    keys for logon scripts that may lead to persistence.
  mapping_type: mitigates
  references: []
- attack_object_id: T1037
  attack_object_name: Boot or Logon Initialization Scripts
  capability_description: Access privilege limitation
  capability_group: PR.AA
  capability_id: PR.AA-05.01
  comments: This diagnostic statement describes the implementation of least privilege
    principle, which can be applied to limiting permissions through role-based access
    controls, file and directory permissions, and the execution of systems and services.
    Ensure proper permissions are set for Registry hives to prevent users from modifying
    keys for logon scripts that may lead to persistence.
  mapping_type: mitigates
  references: []
- attack_object_id: T1565
  attack_object_name: Data Manipulation
  capability_description: Access privilege limitation
  capability_group: PR.AA
  capability_id: PR.AA-05.01
  comments: This diagnostic statement describes the implementation of least privilege
    principle, which can be applied to limiting permissions through role-based access
    controls, file and directory permissions, and the execution of systems and services.
    Ensure least privilege principles are applied to important information resources
    to reduce exposure to data manipulation risk.
  mapping_type: mitigates
  references: []
- attack_object_id: T1601
  attack_object_name: Modify System Image
  capability_description: Access privilege limitation
  capability_group: PR.AA
  capability_id: PR.AA-05.01
  comments: This diagnostic statement describes the implementation of the least privilege
    principle, which can be applied to limiting permissions through role-based access
    controls, file and directory permissions, and the execution of systems and services.
    Limit permissions associated with creating and modifying platform images or containers
    based on the principle of least privilege.
  mapping_type: mitigates
  references: []
- attack_object_id: T1525
  attack_object_name: Implant Internal Image
  capability_description: Access privilege limitation
  capability_group: PR.AA
  capability_id: PR.AA-05.01
  comments: This diagnostic statement describes the implementation of the least privilege
    principle, which can be applied to limiting permissions through role-based access
    controls, file and directory permissions, and the execution of systems and services.
    Limit permissions associated with creating and modifying platform images or containers
    based on the principle of least privilege.
  mapping_type: mitigates
  references: []
- attack_object_id: T1562.009
  attack_object_name: Safe Mode Boot
  capability_description: Access privilege limitation
  capability_group: PR.AA
  capability_id: PR.AA-05.01
  comments: This diagnostic statement describes the implementation of the least privilege
    principle, which can be applied to limiting permissions through role-based access
    controls, file and directory permissions, and the execution of systems and services.
    Restrict administrator accounts, which may be abused to remotely boot a machine in
    safe mode, to as few individuals as possible, following least privilege principles.
  mapping_type: mitigates
  references: []
- attack_object_id: T1484.002
  attack_object_name: Trust Modification
  capability_description: Access privilege limitation
  capability_group: PR.AA
  capability_id: PR.AA-05.01
  comments: This diagnostic statement describes the implementation of the least privilege
    principle, which can be applied to limiting permissions through role-based access
    controls, file and directory permissions, and the execution of systems and services.
    Use the principle of least privilege and protect administrative access to domain
    trusts and identity tenants.
  mapping_type: mitigates
  references: []
- attack_object_id: T1484
  attack_object_name: Domain or Tenant Policy Modification
  capability_description: Access privilege limitation
  capability_group: PR.AA
  capability_id: PR.AA-05.01
  comments: This diagnostic statement describes the implementation of least privilege
    principle, which can be applied to limiting permissions through role-based access
    controls, file and directory permissions, and the execution of systems and services.
    Use least privilege and protect administrative access to the Domain Controller
    and Active Directory Federation Services (AD FS) server.
  mapping_type: mitigates
  references: []
- attack_object_id: T1021
  attack_object_name: Remote Services
  capability_description: Access privilege limitation
  capability_group: PR.AA
  capability_id: PR.AA-05.01
  comments: This diagnostic statement describes the implementation of the least privilege
    principle, which can be applied to limiting permissions through role-based access
    controls, file and directory permissions, and the execution of systems and services.
    Limiting users' access to resources over the network can help mitigate these techniques,
    including limiting access to file shares, remote access to systems, and unnecessary
    services.
  mapping_type: mitigates
  references: []
- attack_object_id: T1200
  attack_object_name: Hardware Additions
  capability_description: Access privilege limitation
  capability_group: PR.AA
  capability_id: PR.AA-05.01
  comments: This diagnostic statement describes the implementation of the least privilege
    principle, which can be applied to limiting permissions through role-based access
    controls, file and directory permissions, and the execution of systems and services.
    Limiting users' access to resources over the network can help mitigate these techniques.
    Establish network access control policies, such as using device certificates and
    the 802.1x standard. Restrict use of DHCP to registered devices to prevent unregistered
    devices from communicating with trusted systems.
  mapping_type: mitigates
  references: []
- attack_object_id: T1133
  attack_object_name: External Remote Services
  capability_description: Access privilege limitation
  capability_group: PR.AA
  capability_id: PR.AA-05.01
  comments: This diagnostic statement describes the implementation of the least privilege
    principle, which can be applied to limiting permissions through role-based access
    controls, file and directory permissions, and the execution of systems and services.
    Limiting users' access to resources over the network can help mitigate these techniques.
    Limit access to remote services through centrally managed concentrators such as
    VPNs and other managed remote access systems.
  mapping_type: mitigates
  references: []
- attack_object_id: T1557
  attack_object_name: Adversary-in-the-Middle
  capability_description: Access privilege limitation
  capability_group: PR.AA
  capability_id: PR.AA-05.01
  comments: This diagnostic statement describes the implementation of the least privilege
    principle, which can be applied to limiting permissions through role-based access
    controls, file and directory permissions, and the execution of systems and services.
    Limiting users' access to resources over the network can help mitigate these techniques.
    Limit access to network infrastructure and resources that can be used to reshape
    traffic or otherwise produce AiTM conditions.
  mapping_type: mitigates
  references: []
- attack_object_id: T1562
  attack_object_name: Impair Defenses
  capability_description: Access privilege limitation
  capability_group: PR.AA
  capability_id: PR.AA-05.01
  comments: This diagnostic statement describes the implementation of least privilege
    principle, which can be applied to limiting permissions through role-based access
    controls, file and directory permissions, and the execution of systems and services.
    Ensure proper Registry permissions are in place to prevent unnecessary users and
    adversaries from disabling or interfering with security/logging services.
  mapping_type: mitigates
  references: []
- attack_object_id: T1572
  attack_object_name: Protocol Tunneling
  capability_description: Intrusion detection and prevention
  capability_group: DE.CM
  capability_id: DE.CM-01.01
  comments: This diagnostic statement protects against adversaries using tunneling to
    encapsulate a protocol within another protocol. Network intrusion detection and
    prevention systems that use network signatures to identify traffic for specific
    adversary malware can be used to mitigate activity at the network level.
  mapping_type: mitigates
  references: []
- attack_object_id: T1090.002
  attack_object_name: External Proxy
  capability_description: Intrusion detection and prevention
  capability_group: DE.CM
  capability_id: DE.CM-01.01
  comments: This diagnostic statement protects against adversaries infiltrating external
    proxies and taking control of traffic between systems. Network intrusion
    detection and prevention systems that use network signatures to identify traffic
    for specific adversary malware can be used to mitigate activity at the network
    level.
  mapping_type: mitigates
  references: []
- attack_object_id: T1090.001
  attack_object_name: Internal Proxy
  capability_description: Intrusion detection and prevention
  capability_group: DE.CM
  capability_id: DE.CM-01.01
  comments: This diagnostic statement protects against adversaries infiltrating internal
    proxies and taking control of traffic between systems. Network intrusion
    detection and prevention systems that use network signatures to identify traffic
    for specific adversary malware can be used to mitigate activity at the network
    level.
  mapping_type: mitigates
  references: []
- attack_object_id: T1090
  attack_object_name: Proxy
  capability_description: Intrusion detection and prevention
  capability_group: DE.CM
  capability_id: DE.CM-01.01
  comments: This diagnostic statement protects against adversaries redirecting network
    traffic between systems by infiltrating connection proxies. Traffic to known anonymity
    networks and C2 infrastructure can be blocked through the use of network allow
    and block lists.
  mapping_type: mitigates
  references: []
- attack_object_id: T1102.003
  attack_object_name: One-Way Communication
  capability_description: Intrusion detection and prevention
  capability_group: DE.CM
  capability_id: DE.CM-01.01
  comments: Network intrusion detection and prevention systems that use network signatures
    to identify traffic for specific adversary malware can be used to mitigate malicious
    activity and identify adversaries that use web services to obfuscate domains or
    IP addresses over a web service channel.
  mapping_type: mitigates
  references: []
- attack_object_id: T1102.002
  attack_object_name: Bidirectional Communication
  capability_description: Intrusion detection and prevention
  capability_group: DE.CM
  capability_id: DE.CM-01.01
  comments: Network intrusion detection and prevention systems that use network signatures
    to identify traffic for specific adversary malware can be used to mitigate malicious
    activity and identify adversaries that use web services to obfuscate domains or
    IP addresses over a web service channel.
  mapping_type: mitigates
  references: []
- attack_object_id: T1102.001
  attack_object_name: Dead Drop Resolver
  capability_description: Intrusion detection and prevention
  capability_group: DE.CM
  capability_id: DE.CM-01.01
  comments: Network intrusion detection and prevention systems that use network signatures
    to identify traffic for specific adversary malware can be used to mitigate malicious
    activity and identify adversaries that use web services to obfuscate domains or
    IP addresses.
  mapping_type: mitigates
  references: []
- attack_object_id: T1102
  attack_object_name: Web Service
  capability_description: Intrusion detection and prevention
  capability_group: DE.CM
  capability_id: DE.CM-01.01
  comments: Network intrusion detection and prevention systems that use network signatures
    to identify traffic for specific adversary malware can be used to mitigate malicious
    activity and identify adversaries that relay data from compromised systems
    through websites, cloud services, or social media.
  mapping_type: mitigates
  references: []
- attack_object_id: T1204.003
  attack_object_name: Malicious Image
  capability_description: Intrusion detection and prevention
  capability_group: DE.CM
  capability_id: DE.CM-01.01
  comments: In order to protect users from being victims of social engineering attacks,
    network intrusion prevention techniques can be used to scan and block malicious
    images so those images can't lead to malicious code being executed.
  mapping_type: mitigates
  references: []
- attack_object_id: T1204.001
  attack_object_name: Malicious Link
  capability_description: Intrusion detection and prevention
  capability_group: DE.CM
  capability_id: DE.CM-01.01
  comments: In order to protect users from being victims of social engineering attacks,
    network intrusion prevention techniques can be used to scan and block malicious
    downloads and malicious activity.
  mapping_type: mitigates
  references: []
- attack_object_id: T1204
  attack_object_name: User Execution
  capability_description: Intrusion detection and prevention
  capability_group: DE.CM
  capability_id: DE.CM-01.01
  comments: In order to protect users from being victims of social engineering attacks,
    network intrusion prevention techniques can be used to scan and block malicious
    code from malicious downloads and malicious activity.
  mapping_type: mitigates
  references: []
- attack_object_id: T1566.001
  attack_object_name: Spearphishing Attachment
  capability_description: Intrusion detection and prevention
  capability_group: DE.CM
  capability_id: DE.CM-01.01
  comments: This diagnostic statement utilizes tools such as network intrusion
    prevention systems to identify, scan, and block malicious email attachments that
    users might click on in their emails. Also, anti-virus can be used to quarantine
    suspicious files.
  mapping_type: mitigates
  references: []
- attack_object_id: T1221
  attack_object_name: Template Injection
  capability_description: Intrusion detection and prevention
  capability_group: DE.CM
  capability_id: DE.CM-01.01
  comments: Network/host intrusion prevention systems, antivirus, and detonation chambers
    can be employed to prevent documents from fetching and/or executing malicious
    payloads that adversaries inject via document templates.
  mapping_type: mitigates
  references: []
- attack_object_id: T1566
  attack_object_name: Phishing
  capability_description: Intrusion detection and prevention
  capability_group: DE.CM
  capability_id: DE.CM-01.01
  comments: This diagnostic statement utilizes tools such as network intrusion
    prevention systems to identify, scan, and block malicious emails or links that
    users might click on in their emails. Also, anti-virus can be used to quarantine
    suspicious files.
  mapping_type: mitigates
  references: []
- attack_object_id: T1048
  attack_object_name: Exfiltration Over Alternative Protocol
  capability_description: Intrusion detection and prevention
  capability_group: DE.CM
  capability_id: DE.CM-01.01
  comments: Network intrusion detection and prevention systems that use network signatures
    to identify traffic for specific adversary malware can be used to mitigate some
    activity at the network level, specifically adversaries known to steal data and/or
    encrypt or obfuscate alternate channels.
  mapping_type: mitigates
  references: []
- attack_object_id: T1573.002
  attack_object_name: Asymmetric Cryptography
  capability_description: Intrusion detection and prevention
  capability_group: DE.CM
  capability_id: DE.CM-01.01
  comments: Network intrusion detection and prevention systems that use network signatures
    to identify traffic for specific adversary malware can be used to mitigate some
    activity at the network level, specifically adversaries known to conceal C2 traffic
    with asymmetric encryption algorithms.
  mapping_type: mitigates
  references: []
- attack_object_id: T1573.001
  attack_object_name: Symmetric Cryptography
  capability_description: Intrusion detection and prevention
  capability_group: DE.CM
  capability_id: DE.CM-01.01
  comments: Network intrusion detection and prevention systems that use network signatures
    to identify traffic for specific adversary malware can be used to mitigate some
    activity at the network level, specifically adversaries known to conceal C2 traffic
    with symmetric encryption algorithms.
  mapping_type: mitigates
  references: []
- attack_object_id: T1573
  attack_object_name: Encrypted Channel
  capability_description: Intrusion detection and prevention
  capability_group: DE.CM
  capability_id: DE.CM-01.01
  comments: Network intrusion detection and prevention systems that use network signatures
    to identify traffic for specific adversary malware can be used to mitigate some
    obfuscation (command and control traffic) activity at the network level.
  mapping_type: mitigates
  references: []
- attack_object_id: T1568.002
  attack_object_name: Domain Generation Algorithms
  capability_description: Intrusion detection and prevention
  capability_group: DE.CM
  capability_id: DE.CM-01.01
  comments: Network intrusion detection and prevention systems that use network signatures
    to identify traffic for specific adversary malware can be used to mitigate some
    obfuscation (command and control) activity at the network level.
  mapping_type: mitigates
  references: []
- attack_object_id: T1568
  attack_object_name: Dynamic Resolution
  capability_description: Intrusion detection and prevention
  capability_group: DE.CM
  capability_id: DE.CM-01.01
  comments: Network intrusion detection and prevention systems that use network signatures
    to identify traffic for specific adversary malware can be used to mitigate some
    obfuscation (command and control) activity at the network level.
  mapping_type: mitigates
  references: []
- attack_object_id: T1030
  attack_object_name: Data Transfer Size Limits
  capability_description: Intrusion detection and prevention
  capability_group: DE.CM
  capability_id: DE.CM-01.01
  comments: Network intrusion detection and prevention systems that use network signatures
    to identify traffic for specific adversary malware can be used to mitigate some
    obfuscation activity at the network level.
  mapping_type: mitigates
  references: []
- attack_object_id: T1001.003
  attack_object_name: Protocol or Service Impersonation
  capability_description: Intrusion detection and prevention
  capability_group: DE.CM
  capability_id: DE.CM-01.01
  comments: Network intrusion detection and prevention systems that use network signatures
    to identify traffic for specific adversary malware can be used to mitigate some
    obfuscation activity at the network level.
  mapping_type: mitigates
  references: []
- attack_object_id: T1001.002
  attack_object_name: Steganography
  capability_description: Intrusion detection and prevention
  capability_group: DE.CM
  capability_id: DE.CM-01.01
  comments: Network intrusion detection and prevention systems that use network signatures
    to identify traffic for specific adversary malware can be used to mitigate some
    obfuscation activity at the network level.
  mapping_type: mitigates
  references: []
- attack_object_id: T1001.001
  attack_object_name: Junk Data
  capability_description: Intrusion detection and prevention
  capability_group: DE.CM
  capability_id: DE.CM-01.01
  comments: Network intrusion detection and prevention systems that use network signatures
    to identify traffic for specific adversary malware can be used to mitigate some
    obfuscation activity at the network level.
  mapping_type: mitigates
  references: []
- attack_object_id: T1001
  attack_object_name: Data Obfuscation
  capability_description: Intrusion detection and prevention
  capability_group: DE.CM
  capability_id: DE.CM-01.01
  comments: Network intrusion detection and prevention systems that use network signatures
    to identify traffic for specific adversary malware can be used to mitigate some
    obfuscation (command and control) activity at the network level.
  mapping_type: mitigates
  references: []
- attack_object_id: T1132.002
  attack_object_name: Non-Standard Encoding
  capability_description: Intrusion detection and prevention
  capability_group: DE.CM
  capability_id: DE.CM-01.01
  comments: Network intrusion detection and prevention systems that use network signatures
    to identify traffic for specific adversary malware can be used to mitigate activity
    at the network level.
  mapping_type: mitigates
  references: []
- attack_object_id: T1132.001
  attack_object_name: Standard Encoding
  capability_description: Intrusion detection and prevention
  capability_group: DE.CM
  capability_id: DE.CM-01.01
  comments: Network intrusion detection and prevention systems that use network signatures
    to identify traffic for specific adversary malware can be used to mitigate activity
    at the network level.
  mapping_type: mitigates
  references: []
- attack_object_id: T1132
  attack_object_name: Data Encoding
  capability_description: Intrusion detection and prevention
  capability_group: DE.CM
  capability_id: DE.CM-01.01
  comments: Network intrusion detection and prevention systems that use network signatures
    to identify traffic for specific adversary malware can be used to mitigate activity
    at the network level.
  mapping_type: mitigates
  references: []
- attack_object_id: T1071.005
  attack_object_name: Publish/Subscribe Protocols
  capability_description: Intrusion detection and prevention
  capability_group: DE.CM
  capability_id: DE.CM-01.01
  comments: This diagnostic statement protects against adversaries that may try to
    utilize different protocols to abuse packets produced from these protocols. Network
    intrusion detection and prevention systems that use network signatures to identify
    traffic for specific adversary malware can be used to mitigate activity at the
    network level.
  mapping_type: mitigates
  references: []
- attack_object_id: T1071.004
  attack_object_name: DNS
  capability_description: Intrusion detection and prevention
  capability_group: DE.CM
  capability_id: DE.CM-01.01
  comments: This diagnostic statement protects against adversaries that may try to
    utilize the DNS protocol to abuse packets produced by that protocol. Network intrusion
    detection and prevention systems that use network signatures to identify traffic
    for specific adversary malware can be used to mitigate activity at the network
    level.
  mapping_type: mitigates
  references: []
- attack_object_id: T1071.003
  attack_object_name: Mail Protocols
  capability_description: Intrusion detection and prevention
  capability_group: DE.CM
  capability_id: DE.CM-01.01
  comments: This diagnostic statement protects against adversaries that may try to
    utilize different protocols, such as SMTP/S, POP3/S, and IMAP, to abuse packets
    produced by these protocols. Network intrusion detection and prevention systems
    that use network signatures to identify traffic for specific adversary malware
    can be used to mitigate activity at the network level.
  mapping_type: mitigates
  references: []
- attack_object_id: T1071.002
  attack_object_name: File Transfer Protocols
  capability_description: Intrusion detection and prevention
  capability_group: DE.CM
  capability_id: DE.CM-01.01
  comments: This diagnostic statement protects against adversaries that may try to
    utilize different protocols, such as SMB, FTP, FTPS, and TFTP, to abuse packets
    produced by these protocols. Network intrusion detection and prevention systems
    that use network signatures to identify traffic for specific adversary malware
    can be used to mitigate activity at the network level.
  mapping_type: mitigates
  references: []
- attack_object_id: T1071.001
  attack_object_name: Web Protocols
  capability_description: Intrusion detection and prevention
  capability_group: DE.CM
  capability_id: DE.CM-01.01
  comments: This diagnostic statement protects against adversaries that may try to
    utilize different protocols, such as HTTPS and WebSocket, to blend in with existing
    traffic. Network intrusion detection and prevention systems that use network signatures
    to identify traffic for specific adversary malware can be used to mitigate activity
    at the network level.
  mapping_type: mitigates
  references: []
- attack_object_id: T1071
  attack_object_name: Application Layer Protocol
  capability_description: Intrusion detection and prevention
  capability_group: DE.CM
  capability_id: DE.CM-01.01
  comments: This diagnostic statement protects against adversaries that may try to
    utilize different application protocols, such as those for web browsing, file
    transfer, and email, to attack at the application layer of the OSI model. Network
    intrusion detection and prevention systems that use network signatures to identify
    traffic for specific adversary malware can be used to mitigate activity at the
    network level.
  mapping_type: mitigates
  references: []
- attack_object_id: T1557.004
  attack_object_name: Evil Twin
  capability_description: Intrusion detection and prevention
  capability_group: DE.CM
  capability_id: DE.CM-01.01
  comments: Implementing methods similar to wireless intrusion prevention systems
    (WIPS) can identify and prevent adversary-in-the-middle activity.
  mapping_type: mitigates
  references: []
- attack_object_id: T1557.003
  attack_object_name: DHCP Spoofing
  capability_description: Intrusion detection and prevention
  capability_group: DE.CM
  capability_id: DE.CM-01.01
  comments: The use of network intrusion detection and prevention systems can identify
    and possibly block traffic patterns indicative of AiTM activity. If so, these
    patterns can be mitigated at the network level.
  mapping_type: mitigates
  references: []
- attack_object_id: T1557.002
  attack_object_name: ARP Cache Poisoning
  capability_description: Intrusion detection and prevention
  capability_group: DE.CM
  capability_id: DE.CM-01.01
  comments: The use of network intrusion detection and prevention systems can identify
    and possibly block traffic patterns indicative of AiTM activity. If so, these
    patterns can be mitigated at the network level, enabling defenders to block
    adversaries from poisoning ARP caches.
  mapping_type: mitigates
  references: []
- attack_object_id: T1557.001
  attack_object_name: LLMNR/NBT-NS Poisoning and SMB Relay
  capability_description: Intrusion detection and prevention
  capability_group: DE.CM
  capability_id: DE.CM-01.01
  comments: The use of network intrusion detection and prevention systems can identify
    and possibly block traffic patterns indicative of AiTM activity. If so, these
    patterns can be mitigated at the network level.
  mapping_type: mitigates
  references: []
- attack_object_id: T1557
  attack_object_name: Adversary-in-the-Middle
  capability_description: Intrusion detection and prevention
  capability_group: DE.CM
  capability_id: DE.CM-01.01
  comments: The use of network intrusion detection and prevention systems can identify
    and possibly block traffic patterns indicative of AiTM activity. If so, these
    patterns can be mitigated at the network level.
  mapping_type: mitigates
  references: []
- attack_object_id: T1036.008
  attack_object_name: Masquerade File Type
  capability_description: Intrusion detection and prevention
  capability_group: DE.CM
  capability_id: DE.CM-01.01
  comments: Implementing methods similar to host intrusion prevention systems (HIPS)
    can identify and prevent execution of malicious files whose metadata has been
    manipulated by adversaries.
  mapping_type: mitigates
  references: []
- attack_object_id: T1036
  attack_object_name: Masquerading
  capability_description: Intrusion detection and prevention
  capability_group: DE.CM
  capability_id: DE.CM-01.01
  comments: Implementing methods similar to host intrusion prevention systems (HIPS)
    can identify and prevent execution of malicious files whose metadata has been
    manipulated by adversaries.
  mapping_type: mitigates
  references: []
- attack_object_id: T1498.002
  attack_object_name: Reflection Amplification
  capability_description: Network traffic volume monitoring
  capability_group: DE.CM
  capability_id: DE.CM-01.02
  comments: This diagnostic statement may block Denial of Service (DoS) attacks from
    occurring by adversaries that induce a reflection attack by sending packets to
    reflectors with the spoofed address of the victim. Filtering boundary traffic
    can be used to intercept incoming traffic and filter out the attack traffic
    from the legitimate traffic.
  mapping_type: mitigates
  references: []
- attack_object_id: T1498.001
  attack_object_name: Direct Network Flood
  capability_description: Network traffic volume monitoring
  capability_group: DE.CM
  capability_id: DE.CM-01.02
  comments: This diagnostic statement may block Denial of Service (DoS) attacks from
    occurring by adversaries that send a high volume of network traffic to a target.
    Filtering boundary traffic can be used to intercept incoming traffic and filter
    out the attack traffic from the legitimate traffic.
  mapping_type: mitigates
  references: []
- attack_object_id: T1498
  attack_object_name: Network Denial of Service
  capability_description: Network traffic volume monitoring
  capability_group: DE.CM
  capability_id: DE.CM-01.02
  comments: This diagnostic statement may block Network Denial of Service (DoS) attacks
    from occurring by adversaries that target the availability of resources to users
    via websites, email services, DNS, and web-based applications. Filtering boundary
    traffic can be used to intercept incoming traffic and filter out the attack traffic
    from the legitimate traffic.
  mapping_type: mitigates
  references: []
- attack_object_id: T1499.004
  attack_object_name: Application or System Exploitation
  capability_description: Network traffic volume monitoring
  capability_group: DE.CM
  capability_id: DE.CM-01.02
  comments: This diagnostic statement may block Denial of Service (DoS) attacks from
    occurring by adversaries that exploit software vulnerabilities that can crash a
    system or application. Filtering boundary traffic can be used to block source
    addresses and ports that are being targeted, as well as the protocols being used
    for transport.
  mapping_type: mitigates
  references: []
- attack_object_id: T1499.003
  attack_object_name: Application Exhaustion Flood
  capability_description: Network traffic volume monitoring
  capability_group: DE.CM
  capability_id: DE.CM-01.02
  comments: This diagnostic statement may block Denial of Service (DoS) attacks from
    occurring by adversaries that target application features. Filtering boundary
    traffic can be used to block source addresses and ports that are being targeted,
    as well as the protocols being used for transport.
  mapping_type: mitigates
  references: []
- attack_object_id: T1499.002
  attack_object_name: Service Exhaustion Flood
  capability_description: Network traffic volume monitoring
  capability_group: DE.CM
  capability_id: DE.CM-01.02
  comments: This diagnostic statement may block Endpoint Denial of Service (DoS) attacks
    from occurring by adversaries that target DNS and web services. Filtering boundary
    traffic can be used to block source addresses and ports that are being targeted,
    as well as the protocols being used for transport.
  mapping_type: mitigates
  references: []
- attack_object_id: T1499.001
  attack_object_name: OS Exhaustion Flood
  capability_description: Network traffic volume monitoring
  capability_group: DE.CM
  capability_id: DE.CM-01.02
  comments: This diagnostic statement may block Endpoint Denial of Service (DoS) attacks
    from occurring by adversaries that target an endpoint's operating system (OS). Filtering
    boundary traffic can be used to block source addresses and ports that are being
    targeted, as well as the protocols being used for transport.
  mapping_type: mitigates
  references: []
- attack_object_id: T1499
  attack_object_name: Endpoint Denial of Service
  capability_description: Network traffic volume monitoring
  capability_group: DE.CM
  capability_id: DE.CM-01.02
  comments: This diagnostic statement may block Endpoint Denial of Service (DoS)
    attacks from occurring via websites, email services, and web-based applications.
    Filtering boundary traffic can be used to block source addresses and ports that
    are being targeted, as well as the protocols being used for transport.
  mapping_type: mitigates
  references: []
- attack_object_id: T1550.002
  attack_object_name: Pass the Hash
  capability_description: Patch identification and application
  capability_group: PR.PS
  capability_id: PR.PS-02.01
  comments: This diagnostic statement is related to the implementation of a patch
    management program. Applying patches and upgrades for products and systems provided
    by vendors mitigates the risk of adversaries exploiting known vulnerabilities.
    An example of this for Pass the Hash is to update software by applying patch KB2871997
    to Windows 7 and higher systems, limiting the default access of accounts in the
    local administrator group.
  mapping_type: mitigates
  references: []
- attack_object_id: T1552.006
  attack_object_name: Group Policy Preferences
  capability_description: Patch identification and application
  capability_group: PR.PS
  capability_id: PR.PS-02.01
  comments: This diagnostic statement is related to the implementation of a patch
    management program. Applying patches and upgrades for products and systems provided
    by vendors mitigates the risk of adversaries exploiting known vulnerabilities.
    An example of this for Group Policy Preferences (GPPs) is to update software by applying
    patch KB2962486, which prevents credentials from being stored in group policy preferences.
  mapping_type: mitigates
  references: []
- attack_object_id: T1539
  attack_object_name: Steal Web Session Cookie
  capability_description: Patch identification and application
  capability_group: PR.PS
  capability_id: PR.PS-02.01
  comments: This diagnostic statement is related to the implementation of a patch
    management program. Applying patches and upgrades for products and systems provided
    by vendors mitigates the risk of adversaries exploiting known vulnerabilities.
    Regularly updating web browsers, password managers, and related software to the
    latest versions reduces the risk of vulnerabilities being exploited by attackers
    to extract stored credentials or steal web session cookies.
  mapping_type: mitigates
  references: []
- attack_object_id: T1072
  attack_object_name: Software Deployment Tools
  capability_description: Patch identification and application
  capability_group: PR.PS
  capability_id: PR.PS-02.01
  comments: This diagnostic statement is related to the implementation of a patch
    management program. Applying patches and upgrades for products and systems provided
    by vendors mitigates the risk of adversaries exploiting known vulnerabilities.
    Patching software deployment tools and systems regularly helps prevent potential
    remote access through Exploitation for Privilege Escalation.
  mapping_type: mitigates
  references: []
- attack_object_id: T1542.001
  attack_object_name: System Firmware
  capability_description: Patch identification and application
  capability_group: PR.PS
  capability_id: PR.PS-02.01
  comments: This diagnostic statement is related to the implementation of a patch
    management program. Applying patches and upgrades for products and systems provided
    by vendors mitigates the risk of adversaries exploiting known vulnerabilities.
    Patching the BIOS and EFI as necessary helps to prevent adversaries from modifying
    system firmware.
  mapping_type: mitigates
  references: []
- attack_object_id: T1542
  attack_object_name: Pre-OS Boot
  capability_description: Patch identification and application
  capability_group: PR.PS
  capability_id: PR.PS-02.01
  comments: This diagnostic statement is related to the implementation of a patch
    management program. Applying patches and upgrades for products and systems provided
    by vendors mitigates the risk of adversaries exploiting known vulnerabilities.
    Patching the BIOS and EFI as necessary helps prevent adversaries from abusing
    Pre-OS Boot mechanisms.
  mapping_type: mitigates
  references: []
- attack_object_id: T1137.005
  attack_object_name: Outlook Rules
  capability_description: Patch identification and application
  capability_group: PR.PS
  capability_id: PR.PS-02.01
  comments: This diagnostic statement is related to the implementation of a patch
    management program. Applying patches and upgrades for products and systems provided
    by vendors mitigates the risk of adversaries exploiting known vulnerabilities.
    An example of this is installing patches Microsoft has released to help to address
    abuse of Microsoft Outlook rules.
  mapping_type: mitigates
  references: []
- attack_object_id: T1137.004
  attack_object_name: Outlook Home Page
  capability_description: Patch identification and application
  capability_group: PR.PS
  capability_id: PR.PS-02.01
  comments: This diagnostic statement is related to the implementation of a patch
    management program. Applying patches and upgrades for products and systems provided
    by vendors mitigates the risk of adversaries exploiting known vulnerabilities.
    For example, exploitation via Outlook Home Page can be prevented by applying Microsoft
    KB4011162 to systems, which removes the legacy Home Page feature.
  mapping_type: mitigates
  references: []
- attack_object_id: T1137.003
  attack_object_name: Outlook Forms
  capability_description: Patch identification and application
  capability_group: PR.PS
  capability_id: PR.PS-02.01
  comments: This diagnostic statement is related to the implementation of a patch
    management program. Applying patches and upgrades for products and systems provided
    by vendors mitigates the risk of adversaries exploiting known vulnerabilities.
    For example, exploitation via Outlook Forms can be mitigated by applying Microsoft
    KB4011091 which disables custom forms by default.
  mapping_type: mitigates
  references: []
- attack_object_id: T1137
  attack_object_name: Office Application Startup
  capability_description: Patch identification and application
  capability_group: PR.PS
  capability_id: PR.PS-02.01
  comments: This diagnostic statement is related to the implementation of a patch
    management program. Applying patches and upgrades for products and systems provided
    by vendors mitigates the risk of adversaries exploiting known vulnerabilities.
    For example, Microsoft has released several patches to help address the abuse
    of Microsoft Office-based applications for persistence across startups.
  mapping_type: mitigates
  references: []
- attack_object_id: T1574.002
  attack_object_name: DLL Side-Loading
  capability_description: Patch identification and application
  capability_group: PR.PS
  capability_id: PR.PS-02.01
  comments: This diagnostic statement is related to the implementation of a patch
    management program. Applying patches and upgrades for products and systems provided
    by vendors mitigates the risk of adversaries exploiting known vulnerabilities.
    For example, applying patches that fix DLL side-loading vulnerabilities mitigates
    the execution of malicious payloads by side-loading DLLs.
  mapping_type: mitigates
  references: []
- attack_object_id: T1574
  attack_object_name: Hijack Execution Flow
  capability_description: Patch identification and application
  capability_group: PR.PS
  capability_id: PR.PS-02.01
  comments: This diagnostic statement is related to the implementation of a patch
    management program. Applying patches and upgrades for products and systems provided
    by vendors mitigates the risk of adversaries exploiting known vulnerabilities.
    For example, updating software regularly to include patches that fix DLL side-loading
    vulnerabilities can help mitigate execution of malicious payloads by hijacking
    execution flow.
  mapping_type: mitigates
  references: []
- attack_object_id: T1495
  attack_object_name: Firmware Corruption
  capability_description: Patch identification and application
  capability_group: PR.PS
  capability_id: PR.PS-02.01
  comments: This diagnostic statement is related to the implementation of a patch
    management program. Applying patches and upgrades for products and systems provided
    by vendors mitigates the risk of adversaries exploiting known vulnerabilities.
    For example, patching the BIOS and other firmware can help prevent adversaries
    from overwriting or corrupting firmware.
  mapping_type: mitigates
  references: []
- attack_object_id: T1546.011
  attack_object_name: Application Shimming
  capability_description: Patch identification and application
  capability_group: PR.PS
  capability_id: PR.PS-02.01
  comments: This diagnostic statement is related to the implementation of a patch
    management program. Applying patches and upgrades for products and systems provided
    by vendors mitigates the risk of adversaries exploiting known vulnerabilities.
    For example, to prevent the use of application shimming to bypass UAC, Microsoft
    released patch KB3045645, which removes the "auto-elevate" flag from sdbinst.exe.
  mapping_type: mitigates
  references: []
- attack_object_id: T1546.010
  attack_object_name: AppInit DLLs
  capability_description: Patch identification and application
  capability_group: PR.PS
  capability_id: PR.PS-02.01
  comments: This diagnostic statement is related to the implementation of a patch
    management program. Applying patches and upgrades for products and systems provided
    by vendors mitigates the risk of adversaries exploiting known vulnerabilities.
    For example, upgrading to Windows 8 or later and enabling secure boot can help
    prevent execution of malicious content via AppInit DLLs.
  mapping_type: mitigates
  references: []
- attack_object_id: T1546
  attack_object_name: Event Triggered Execution
  capability_description: Patch identification and application
  capability_group: PR.PS
  capability_id: PR.PS-02.01
  comments: This diagnostic statement is related to the implementation of a patch
    management program. Applying patches and upgrades for products and systems provided
    by vendors mitigates the risk of adversaries exploiting known vulnerabilities.
    For example, performing regular software updates can mitigate the risk of exploitation
    via event-triggered execution.
  mapping_type: mitigates
  references: []
- attack_object_id: T1189
  attack_object_name: Drive-by Compromise
  capability_description: Patch identification and application
  capability_group: PR.PS
  capability_id: PR.PS-02.01
  comments: This diagnostic statement is related to the implementation of a patch
    management program. Applying patches and upgrades for products and systems provided
    by vendors mitigates the risk of adversaries exploiting known vulnerabilities.
    For example, ensure all browsers and plugins are kept updated to help prevent
    the exploit phase of Drive-by Compromise.
  mapping_type: mitigates
  references: []
- attack_object_id: T1602.002
  attack_object_name: Network Device Configuration Dump
  capability_description: Patch identification and application
  capability_group: PR.PS
  capability_id: PR.PS-02.01
  comments: This diagnostic statement is related to the implementation of a patch
    management program. Applying patches and upgrades for products and systems provided
    by vendors mitigates the risk of adversaries exploiting known vulnerabilities.
    For example, keeping system images and software updated and migrating to SNMPv3
    can help prevent adversary access to network configuration files.
  mapping_type: mitigates
  references: []
- attack_object_id: T1602.001
  attack_object_name: SNMP (MIB Dump)
  capability_description: Patch identification and application
  capability_group: PR.PS
  capability_id: PR.PS-02.01
  comments: This diagnostic statement is related to the implementation of a patch
    management program. Applying patches and upgrades for products and systems provided
    by vendors mitigates the risk of adversaries exploiting known vulnerabilities.
    For example, keeping system images and software updated and migrating to SNMPv3
    can help prevent adversaries from collecting MIB content directly from SNMP-managed
    devices.
  mapping_type: mitigates
  references: []
- attack_object_id: T1602
  attack_object_name: Data from Configuration Repository
  capability_description: Patch identification and application
  capability_group: PR.PS
  capability_id: PR.PS-02.01
  comments: This diagnostic statement is related to the implementation of a patch
    management program. Applying patches and upgrades for products and systems provided
    by vendors mitigates the risk of adversaries exploiting known vulnerabilities.
    For example, keeping system images and software updated can help prevent adversaries
    from collecting data related to managed devices from configuration repositories.
  mapping_type: mitigates
  references: []
- attack_object_id: T1555.005
  attack_object_name: Password Managers
  capability_description: Patch identification and application
  capability_group: PR.PS
  capability_id: PR.PS-02.01
  comments: This diagnostic statement is related to the implementation of a patch
    management program. Applying patches and upgrades for products and systems provided
    by vendors mitigates the risk of adversaries exploiting known vulnerabilities.
    For example, regularly updating web browsers, password managers, and related software
    reduces the risk of vulnerabilities being exploited by attackers to extract stored
    credentials or session cookies.
  mapping_type: mitigates
  references: []
- attack_object_id: T1555.003
  attack_object_name: Credentials from Web Browsers
  capability_description: Patch identification and application
  capability_group: PR.PS
  capability_id: PR.PS-02.01
  comments: This diagnostic statement is related to the implementation of a patch
    management program. Applying patches and upgrades for products and systems provided
    by vendors mitigates the risk of adversaries exploiting known vulnerabilities.
    For example, regularly updating web browsers, password managers, and related software
    reduces the risk of vulnerabilities being exploited by attackers to extract stored
    credentials or session cookies.
  mapping_type: mitigates
  references: []
- attack_object_id: T1555
  attack_object_name: Credentials from Password Stores
  capability_description: Patch identification and application
  capability_group: PR.PS
  capability_id: PR.PS-02.01
  comments: This diagnostic statement is related to the implementation of a patch
    management program. Applying patches and upgrades for products and systems provided
    by vendors mitigates the risk of adversaries exploiting known vulnerabilities.
    For example, performing regular software updates mitigates adversary exploitation
    of password storage locations to obtain user credentials.
  mapping_type: mitigates
  references: []
- attack_object_id: T1176
  attack_object_name: Browser Extensions
  capability_description: Patch identification and application
  capability_group: PR.PS
  capability_id: PR.PS-02.01
  comments: This diagnostic statement is related to the implementation of a patch
    management program. Applying patches and upgrades for products and systems provided
    by vendors mitigates the risk of adversaries exploiting known vulnerabilities.
    For example, ensuring operating systems and browsers are using the most current
    version helps prevent adversaries from abusing Internet browser extensions or
    plugins.
  mapping_type: mitigates
  references: []
- attack_object_id: T1548.002
  attack_object_name: Bypass User Account Control
  capability_description: Patch identification and application
  capability_group: PR.PS
  capability_id: PR.PS-02.01
  comments: This diagnostic statement is related to the implementation of a patch
    management program. Applying patches and upgrades for products and systems provided
    by vendors mitigates the risk of adversaries exploiting known vulnerabilities.
    For example, updating Windows to the latest version and patch level provides the
    latest protective measures against UAC bypass.
  mapping_type: mitigates
  references: []
- attack_object_id: T1548
  attack_object_name: Abuse Elevation Control Mechanism
  capability_description: Patch identification and application
  capability_group: PR.PS
  capability_id: PR.PS-02.01
  comments: This diagnostic statement is related to the implementation of a patch
    management program. Applying patches and upgrades for products and systems provided
    by vendors mitigates the risk of adversaries exploiting known vulnerabilities.
    For example, performing regular software updates is recommended to help mitigate
    exploitation risk via abuse of elevation control mechanisms.
  mapping_type: mitigates
  references: []
- attack_object_id: T1195.002
  attack_object_name: Compromise Software Supply Chain
  capability_description: Patch identification and application
  capability_group: PR.PS
  capability_id: PR.PS-02.01
  comments: This diagnostic statement is related to the implementation of a patch
    management program. Applying patches and upgrades for products and systems provided
    by vendors mitigates the risk of adversaries exploiting known vulnerabilities.
    A patch management process can help prevent supply chain compromise by checking
    for unused dependencies; unmaintained and/or previously vulnerable dependencies;
    and unnecessary features, components, files, and documentation.
  mapping_type: mitigates
  references: []
- attack_object_id: T1195.001
  attack_object_name: Compromise Software Dependencies and Development Tools
  capability_description: Patch identification and application
  capability_group: PR.PS
  capability_id: PR.PS-02.01
  comments: This diagnostic statement is related to the implementation of a patch
    management program. Applying patches and upgrades for products and systems provided
    by vendors mitigates the risk of adversaries exploiting known vulnerabilities.
    A patch management process can help prevent supply chain compromise by checking
    for unused dependencies; unmaintained and/or previously vulnerable dependencies;
    and unnecessary features, components, files, and documentation.
  mapping_type: mitigates
  references: []
- attack_object_id: T1195
  attack_object_name: Supply Chain Compromise
  capability_description: Patch identification and application
  capability_group: PR.PS
  capability_id: PR.PS-02.01
  comments: This diagnostic statement is related to the implementation of a patch
    management program. Applying patches and upgrades for products and systems provided
    by vendors mitigates the risk of adversaries exploiting known vulnerabilities.
    A patch management process can help prevent supply chain compromise by checking
    for unused dependencies; unmaintained and/or previously vulnerable dependencies;
    and unnecessary features, components, files, and documentation.
  mapping_type: mitigates
  references: []
- attack_object_id: T1210
  attack_object_name: Exploitation of Remote Services
  capability_description: Patch identification and application
  capability_group: PR.PS
  capability_id: PR.PS-02.01
  comments: This diagnostic statement is related to the implementation of a patch
    management program. Applying patches and upgrades for products and systems provided
    by vendors mitigates the risk of adversaries exploiting known vulnerabilities.
    For example, updating software regularly by employing patch management for internal
    enterprise endpoints and servers can mitigate exploitation of remote services.
  mapping_type: mitigates
  references: []
- attack_object_id: T1211
  attack_object_name: Exploitation for Defense Evasion
  capability_description: Patch identification and application
  capability_group: PR.PS
  capability_id: PR.PS-02.01
  comments: This diagnostic statement is related to the implementation of a patch
    management program. Applying patches and upgrades for products and systems provided
    by vendors mitigates the risk of adversaries exploiting known vulnerabilities.
    For example, updating software regularly by employing patch management for internal
    enterprise endpoints and servers can help prevent adversary exploitation of a
    system or application vulnerability to bypass security features.
  mapping_type: mitigates
  references: []
- attack_object_id: T1190
  attack_object_name: Exploit Public-Facing Application
  capability_description: Patch identification and application
  capability_group: PR.PS
  capability_id: PR.PS-02.01
  comments: This diagnostic statement is related to the implementation of a patch
    management program. Applying patches and upgrades for products and systems provided
    by vendors mitigates the risk of adversaries exploiting known vulnerabilities.
    For example, updating software regularly by employing patch management for internal
    enterprise endpoints and servers can help prevent adversary exploitation of a
    weakness in an Internet-facing host or system to initially access a network.
  mapping_type: mitigates
  references: []
- attack_object_id: T1068
  attack_object_name: Exploitation for Privilege Escalation
  capability_description: Patch identification and application
  capability_group: PR.PS
  capability_id: PR.PS-02.01
  comments: This diagnostic statement is related to the implementation of a patch
    management program. Applying patches and upgrades for products and systems provided
    by vendors mitigates the risk of adversaries exploiting known vulnerabilities.
    For example, updating software regularly by employing patch management for internal
    enterprise endpoints and servers can help prevent adversary exploitation of software
    vulnerabilities to elevate privileges.
  mapping_type: mitigates
  references: []
- attack_object_id: T1212
  attack_object_name: Exploitation for Credential Access
  capability_description: Patch identification and application
  capability_group: PR.PS
  capability_id: PR.PS-02.01
  comments: This diagnostic statement is related to the implementation of a patch
    management program. Applying patches and upgrades for products and systems provided
    by vendors mitigates the risk of adversaries exploiting known vulnerabilities.
    For example, updating software regularly by employing patch management for internal
    enterprise endpoints and servers can help prevent adversary exploitation of software
    vulnerabilities to collect credentials.
  mapping_type: mitigates
  references: []
- attack_object_id: T1098.004
  attack_object_name: SSH Authorized Keys
  capability_description: Encryption management practices
  capability_group: PR.PS
  capability_id: PR.PS-01.06
  comments: This diagnostic statement is associated with employing encryption methods
    to mitigate unauthorized access or theft of data that protect the confidentiality
    and integrity of data-at-rest, data-in-use, and data-in-transit. When it comes
    to cryptography and key management standards, for the SSH Authorized Keys technique,
    restricting user and application access to the authorized_keys file can help mitigate
    adversaries attempting to modify the SSH authorized_keys file to maintain
    persistence on a victim host. Linux distributions and macOS commonly use key-based
    authentication to secure the authentication process of SSH sessions for remote
    management.
  mapping_type: mitigates
  references: []
- attack_object_id: T1552
  attack_object_name: Unsecured Credentials
  capability_description: Encryption management practices
  capability_group: PR.PS
  capability_id: PR.PS-01.06
  comments: This diagnostic statement is associated with employing encryption methods
    to mitigate unauthorized access or theft of data that protect the confidentiality
    and integrity of data-at-rest, data-in-use, and data-in-transit. When it comes
    to cryptography and key management standards, for the Unsecured Credentials technique,
    best practice dictates that, when possible, keys be stored on separate cryptographic
    hardware instead of on the local system to mitigate theft of credentials stored
    in insecure locations.
  mapping_type: mitigates
  references: []
- attack_object_id: T1563.001
  attack_object_name: SSH Hijacking
  capability_description: Encryption management practices
  capability_group: PR.PS
  capability_id: PR.PS-01.06
  comments: This diagnostic statement is associated with employing encryption methods
    to mitigate unauthorized access or theft of data that protect the confidentiality
    and integrity of data-at-rest, data-in-use, and data-in-transit. When it comes
    to cryptography and key management standards, for the SSH Hijacking technique,
    ensure that SSH key pairs are protected with strong passphrases, and refrain from
    using key-store technologies such as ssh-agent unless they are properly protected.
  mapping_type: mitigates
  references: []
- attack_object_id: T1552.004
  attack_object_name: Private Keys
  capability_description: Encryption management practices
  capability_group: PR.PS
  capability_id: PR.PS-01.06
  comments: This diagnostic statement is associated with employing encryption methods
    to mitigate unauthorized access or theft of data that protect the confidentiality
    and integrity of data-at-rest, data-in-use, and data-in-transit. When it comes
    to cryptography and key management standards as they apply to the Private Keys
    technique, when possible, consider storing keys on separate cryptographic hardware
    instead of on the local system. For example, on Windows systems use a TPM to secure
    keys and other sensitive credential material.
  mapping_type: mitigates
  references: []
- attack_object_id: T1558.004
  attack_object_name: AS-REP Roasting
  capability_description: Encryption management practices
  capability_group: PR.PS
  capability_id: PR.PS-01.06
  comments: This diagnostic statement is associated with employing encryption methods
    to mitigate unauthorized access or theft of data that protect the confidentiality
    and integrity of data-at-rest, data-in-use, and data-in-transit. To address the
    threat of theft or forgery of Kerberos tickets through AS-REP Roasting, enable AES
    Kerberos encryption (or another stronger encryption algorithm), rather than RC4,
    where possible.
  mapping_type: mitigates
  references: []
- attack_object_id: T1558.003
  attack_object_name: Kerberoasting
  capability_description: Encryption management practices
  capability_group: PR.PS
  capability_id: PR.PS-01.06
  comments: This diagnostic statement is associated with employing encryption methods
    to mitigate unauthorized access or theft of data that protect the confidentiality
    and integrity of data-at-rest, data-in-use, and data-in-transit. To address the
    threat of theft or forgery of Kerberos tickets through Kerberoasting, enable AES
    Kerberos encryption (or another stronger encryption algorithm), rather than RC4,
    where possible.
  mapping_type: mitigates
  references: []
- attack_object_id: T1558.002
  attack_object_name: Silver Ticket
  capability_description: Encryption management practices
  capability_group: PR.PS
  capability_id: PR.PS-01.06
  comments: This diagnostic statement is associated with employing encryption methods
    to mitigate unauthorized access or theft of data that protect the confidentiality
    and integrity of data-at-rest, data-in-use, and data-in-transit. To address the
    threat of theft or forgery of Kerberos tickets via Silver Tickets, enable AES
    Kerberos encryption (or another stronger encryption algorithm), rather than RC4,
    where possible.
  mapping_type: mitigates
  references: []
- attack_object_id: T1649
  attack_object_name: Steal or Forge Authentication Certificates
  capability_description: Encryption management practices
  capability_group: PR.PS
  capability_id: PR.PS-01.06
  comments: This diagnostic statement is associated with employing encryption methods
    to mitigate unauthorized access or theft of data that protect the confidentiality
    and integrity of data-at-rest, data-in-use, and data-in-transit. To address the
    threat of theft or forgery of authentication certificates, ensure certificates as
    well as their associated private keys are appropriately secured.
  mapping_type: mitigates
  references: []
- attack_object_id: T1558
  attack_object_name: Steal or Forge Kerberos Tickets
  capability_description: Encryption management practices
  capability_group: PR.PS
  capability_id: PR.PS-01.06
  comments: This diagnostic statement is associated with employing encryption methods
    to mitigate unauthorized access or theft of data that protect the confidentiality
    and integrity of data-at-rest, data-in-use, and data-in-transit. To address the
    threat of theft or forgery of Kerberos tickets, enable AES Kerberos encryption (or
    another stronger encryption algorithm), rather than RC4, where possible.
  mapping_type: mitigates
  references: []
- attack_object_id: T1040
  attack_object_name: Network Sniffing
  capability_description: Encryption management practices
  capability_group: PR.PS
  capability_id: PR.PS-01.06
  comments: This diagnostic statement is associated with employing encryption methods
    to mitigate unauthorized access or theft of data that protect the confidentiality
    and integrity of data-at-rest, data-in-use, and data-in-transit. To address threats
    of network sniffing, ensure that all wired and/or wireless traffic is encrypted
    appropriately. Use best practices for authentication protocols, such as Kerberos,
    and ensure web traffic that may contain credentials is protected by SSL/TLS.
  mapping_type: mitigates
  references: []
- attack_object_id: T1070.002
  attack_object_name: Clear Linux or Mac System Logs
  capability_description: Encryption management practices
  capability_group: PR.PS
  capability_id: PR.PS-01.06
  comments: This diagnostic statement is associated with employing encryption methods
    to mitigate unauthorized access or theft of data that protect the confidentiality
    and integrity of data-at-rest, data-in-use, and data-in-transit. To address the
    threat of Linux or Mac system log removal, obfuscate/encrypt event files locally
    and in transit to avoid giving feedback to an adversary.
  mapping_type: mitigates
  references: []
- attack_object_id: T1070.001
  attack_object_name: Clear Windows Event Logs
  capability_description: Encryption management practices
  capability_group: PR.PS
  capability_id: PR.PS-01.06
  comments: This diagnostic statement is associated with employing encryption methods
    to mitigate unauthorized access or theft of data that protect the confidentiality
    and integrity of data-at-rest, data-in-use, and data-in-transit. To address the
    threat of Windows Event Log removal techniques, obfuscate/encrypt event files locally
    and in transit to avoid giving feedback to an adversary.
  mapping_type: mitigates
  references: []
- attack_object_id: T1070
  attack_object_name: Indicator Removal
  capability_description: Encryption management practices
  capability_group: PR.PS
  capability_id: PR.PS-01.06
  comments: This diagnostic statement is associated with employing encryption methods
    to mitigate unauthorized access or theft of data that protect the confidentiality
    and integrity of data-at-rest, data-in-use, and data-in-transit. To address the
    threat of indicator removal techniques, obfuscate/encrypt event files locally and in
    transit to avoid giving feedback to an adversary.
  mapping_type: mitigates
  references: []
- attack_object_id: T1114.001
  attack_object_name: Local Email Collection
  capability_description: Encryption management practices
  capability_group: PR.PS
  capability_id: PR.PS-01.06
  comments: This diagnostic statement is associated with employing encryption methods
    to mitigate unauthorized access or theft of data that protect the confidentiality
    and integrity of data-at-rest, data-in-use, and data-in-transit. To address threats
    to email collection, the use of encryption provides an added layer of security
    to sensitive information sent over email. Encryption using public key cryptography
    requires the adversary to obtain the private certificate along with an encryption
    key to decrypt messages. File encryption should be enforced across email communications
    containing sensitive information that may be obtained through access to email
    services.
  mapping_type: mitigates
  references: []
- attack_object_id: T1114.002
  attack_object_name: Remote Email Collection
  capability_description: Encryption management practices
  capability_group: PR.PS
  capability_id: PR.PS-01.06
  comments: This diagnostic statement is associated with employing encryption methods
    to mitigate unauthorized access or theft of data that protect the confidentiality
    and integrity of data-at-rest, data-in-use, and data-in-transit. To address threats
    to email collection, the use of encryption provides an added layer of security
    to sensitive information sent over email. Encryption using public key cryptography
    requires the adversary to obtain the private certificate along with an encryption
    key to decrypt messages. File encryption should be enforced across email communications
    containing sensitive information that may be obtained through access to email
    services.
  mapping_type: mitigates
  references: []
- attack_object_id: T1114
  attack_object_name: Email Collection
  capability_description: Encryption management practices
  capability_group: PR.PS
  capability_id: PR.PS-01.06
  comments: This diagnostic statement is associated with employing encryption methods
    to mitigate unauthorized access or theft of data that protect the confidentiality
    and integrity of data-at-rest, data-in-use, and data-in-transit. To address threats
    to email collection, the use of encryption provides an added layer of security
    to sensitive information sent over email. Encryption using public key cryptography
    requires the adversary to obtain the private certificate along with an encryption
    key to decrypt messages.
  mapping_type: mitigates
  references: []
- attack_object_id: T1565.002
  attack_object_name: Transmitted Data Manipulation
  capability_description: Encryption management practices
  capability_group: PR.PS
  capability_id: PR.PS-01.06
  comments: This diagnostic statement is associated with employing encryption methods
    to mitigate unauthorized access or theft of data that protect the confidentiality
    and integrity of data-at-rest, data-in-use, and data-in-transit. To address threats
    to transmitted data manipulation, encrypt all important data flows to reduce the
    impact of tailored modifications on data in transit.
  mapping_type: mitigates
  references: []
- attack_object_id: T1565.001
  attack_object_name: Stored Data Manipulation
  capability_description: Encryption management practices
  capability_group: PR.PS
  capability_id: PR.PS-01.06
  comments: "This diagnostic statement is associated with employing encryption methods\
    \ to mitigate unauthorized access or theft of data that protect the confidentiality\
    \ and integrity of data-at-rest, data-in-use, and data-in-transit. To address\
    \ threats to stored data manipulation, consider encrypting important information\
    \ to reduce an adversary\u2019s ability to perform tailored data modifications."
  mapping_type: mitigates
  references: []
- attack_object_id: T1565
  attack_object_name: Data Manipulation
  capability_description: Encryption management practices
  capability_group: PR.PS
  capability_id: PR.PS-01.06
  comments: "This diagnostic statement is associated with employing encryption methods\
    \ to mitigate unauthorized access or theft of data that protect the confidentiality\
    \ and integrity of data-at-rest, data-in-use, and data-in-transit. To address\
    \ threats to data manipulation, consider encrypting important information to reduce\
    \ an adversary\u2019s ability to perform tailored data modifications."
  mapping_type: mitigates
  references: []
- attack_object_id: T1213
  attack_object_name: Data from Information Repositories
  capability_description: Encryption management practices
  capability_group: PR.PS
  capability_id: PR.PS-01.06
  comments: This diagnostic statement is associated with employing encryption methods
    to mitigate unauthorized access or theft of data that protect the confidentiality
    and integrity of data-at-rest, data-in-use, and data-in-transit. To address threats
    to data from information repositories, encrypt data stored at rest in databases.
  mapping_type: mitigates
  references: []
- attack_object_id: T1602.002
  attack_object_name: Network Device Configuration Dump
  capability_description: Encryption management practices
  capability_group: PR.PS
  capability_id: PR.PS-01.06
  comments: This diagnostic statement is associated with employing encryption methods
    to mitigate unauthorized access or theft of data that protect the confidentiality
    and integrity of data-at-rest, data-in-use, and data-in-transit. To address threats
    of Network Device Configuration Dump, configure SNMPv3 to use the highest level
    of security (authPriv) available.
  mapping_type: mitigates
  references: []
- attack_object_id: T1602.001
  attack_object_name: SNMP (MIB Dump)
  capability_description: Encryption management practices
  capability_group: PR.PS
  capability_id: PR.PS-01.06
  comments: This diagnostic statement is associated with employing encryption methods
    to mitigate unauthorized access or theft of data that protect the confidentiality
    and integrity of data-at-rest, data-in-use, and data-in-transit. To address threats
    of SNMP (MIB Dump), configure SNMPv3 to use the highest level of security (authPriv)
    available.
  mapping_type: mitigates
  references: []
- attack_object_id: T1602
  attack_object_name: Data from Configuration Repository
  capability_description: Encryption management practices
  capability_group: PR.PS
  capability_id: PR.PS-01.06
  comments: This diagnostic statement is associated with employing encryption methods
    to mitigate unauthorized access or theft of data that protect the confidentiality
    and integrity of data-at-rest, data-in-use, and data-in-transit. To address threats
    of data collection from a configuration repository, configure SNMPv3 to use the
    highest level of security (authPriv) available.
  mapping_type: mitigates
  references: []
- attack_object_id: T1530
  attack_object_name: Data from Cloud Storage
  capability_description: Encryption management practices
  capability_group: PR.PS
  capability_id: PR.PS-01.06
  comments: This diagnostic statement is associated with employing encryption methods
    to mitigate unauthorized access or theft of data that protect the confidentiality
    and integrity of data-at-rest, data-in-use, and data-in-transit. To address data
    collection from cloud storage, encrypt data stored at rest in cloud storage. Managed
    encryption keys can be rotated by most providers. At a minimum, ensure the incident
    response plan for a storage breach includes rotating the keys and testing for impact
    on client applications.
  mapping_type: mitigates
  references: []
- attack_object_id: T1659
  attack_object_name: Content Injection
  capability_description: Encryption management practices
  capability_group: PR.PS
  capability_id: PR.PS-01.06
  comments: This diagnostic statement is associated with employing encryption methods
    to mitigate unauthorized access or theft of data that protect the confidentiality
    and integrity of data-at-rest, data-in-use, and data-in-transit. To address Content
    Injection threats, ensure that all wired and wireless traffic is encrypted appropriately,
    employs best practices for authentication protocols such as Kerberos, and protects
    web traffic containing credentials using SSL/TLS.
  mapping_type: mitigates
  references: []
- attack_object_id: T1020.001
  attack_object_name: Traffic Duplication
  capability_description: Encryption management practices
  capability_group: PR.PS
  capability_id: PR.PS-01.06
  comments: 'This diagnostic statement is associated with employing encryption methods
    to mitigate unauthorized access or theft of data that protect the confidentiality
    and integrity of data-at-rest, data-in-use, and data-in-transit. To address Automated
    Exfiltration: Traffic Duplication threats, ensure that all wired and wireless
    traffic is encrypted appropriately, employs best practices for authentication
    protocols such as Kerberos, and protects web traffic containing credentials using
    SSL/TLS.'
  mapping_type: mitigates
  references: []
- attack_object_id: T1557.002
  attack_object_name: ARP Cache Poisoning
  capability_description: Encryption management practices
  capability_group: PR.PS
  capability_id: PR.PS-01.06
  comments: This diagnostic statement is associated with employing encryption methods
    to mitigate unauthorized access or theft of data that protect the confidentiality
    and integrity of data-at-rest, data-in-use, and data-in-transit. To address ARP
    Cache Poisoning, ensure that all wired and wireless traffic is encrypted appropriately,
    employs best practices for authentication protocols such as Kerberos, and protects
    web traffic containing credentials using SSL/TLS.
  mapping_type: mitigates
  references: []
- attack_object_id: T1557
  attack_object_name: Adversary-in-the-Middle
  capability_description: Encryption management practices
  capability_group: PR.PS
  capability_id: PR.PS-01.06
  comments: This diagnostic statement is associated with employing encryption methods
    to mitigate unauthorized access or theft of data that protect the confidentiality
    and integrity of data-at-rest, data-in-use, and data-in-transit. To address adversary-in-the-middle
    threats, the organization ensures that all wired and wireless traffic is encrypted
    appropriately, employs best practices for authentication protocols such as Kerberos,
    and protects web traffic containing credentials using SSL/TLS.
  mapping_type: mitigates
  references: []
- attack_object_id: T1195
  attack_object_name: Supply Chain Compromise
  capability_description: Configuration deviation
  capability_group: PR.PS
  capability_id: PR.PS-01.03
  comments: This diagnostic statement provides protection from Supply Chain Compromise
    through the implementation of security configuration baselines for OS, software,
    file integrity monitoring and imaging. Ensuring software management security standards
    can help protect against adversaries attempting to compromise the supply chain.
  mapping_type: mitigates
  references: []
- attack_object_id: T1553
  attack_object_name: Subvert Trust Controls
  capability_description: Configuration deviation
  capability_group: PR.PS
  capability_id: PR.PS-01.03
  comments: This diagnostic statement provides protection from Subvert Trust Controls
    through the implementation of security configuration baselines for OS, software,
    file integrity monitoring and imaging. Security baselining and integrity checking
    can help protect against adversaries attempting to subvert trust controls.
  mapping_type: mitigates
  references: []
- attack_object_id: T1553.006
  attack_object_name: Code Signing Policy Modification
  capability_description: Configuration deviation
  capability_group: PR.PS
  capability_id: PR.PS-01.03
  comments: This diagnostic statement provides protection from Code Signing Policy
    Modification through the implementation of security configuration baselines for
    OS, software, file integrity monitoring and imaging. Security baselining and integrity
    checking can help protect against adversaries attempting to compromise and modify
    software and its configurations.
  mapping_type: mitigates
  references: []
- attack_object_id: T1542
  attack_object_name: Pre-OS Boot
  capability_description: Configuration deviation
  capability_group: PR.PS
  capability_id: PR.PS-01.03
  comments: This diagnostic statement provides protection from Pre-OS Boot through
    the implementation of security configuration baselines for OS, software, file
    integrity monitoring and imaging. Security baselining and integrity checking can
    help protect against adversaries attempting to compromise and modify software/firmware
    and its configurations.
  mapping_type: mitigates
  references: []
- attack_object_id: T1542.001
  attack_object_name: System Firmware
  capability_description: Configuration deviation
  capability_group: PR.PS
  capability_id: PR.PS-01.03
  comments: This diagnostic statement provides protection from System Firmware through
    the implementation of security configuration baselines for OS, software, file
    integrity monitoring and imaging. Security baselining and integrity checking can
    help protect against adversaries attempting to compromise and modify firmware
    and its configurations.
  mapping_type: mitigates
  references: []
- attack_object_id: T1542.003
  attack_object_name: Bootkit
  capability_description: Configuration deviation
  capability_group: PR.PS
  capability_id: PR.PS-01.03
  comments: This diagnostic statement provides protection from Bootkit through the
    implementation of security configuration baselines for OS, software, file integrity
    monitoring and imaging. Security baselining and integrity checking can help protect
    against adversaries attempting to compromise and modify software and its configurations.
  mapping_type: mitigates
  references: []
- attack_object_id: T1542.004
  attack_object_name: ROMMONkit
  capability_description: Configuration deviation
  capability_group: PR.PS
  capability_id: PR.PS-01.03
  comments: This diagnostic statement provides protection from ROMMONkit through the
    implementation of security configuration baselines for OS, software, file integrity
    monitoring and imaging. Security baselining and integrity checking can help protect
    against adversaries attempting to compromise and modify software and its configurations.
  mapping_type: mitigates
  references: []
- attack_object_id: T1542.005
  attack_object_name: TFTP Boot
  capability_description: Configuration deviation
  capability_group: PR.PS
  capability_id: PR.PS-01.03
  comments: This diagnostic statement provides protection from TFTP Boot through the
    implementation of security configuration baselines for OS, software, file integrity
    monitoring and imaging. Security baselining and integrity checking can help protect
    against adversaries attempting to compromise and modify software and its configurations.
  mapping_type: mitigates
  references: []
- attack_object_id: T1601
  attack_object_name: Modify System Image
  capability_description: Configuration deviation
  capability_group: PR.PS
  capability_id: PR.PS-01.03
  comments: This diagnostic statement provides protection from Modify System Image
    through the implementation of security configuration baselines for OS, software,
    file integrity monitoring and imaging. Security baselining and integrity checking
    can help protect against adversaries attempting to compromise and modify the system
    image.
  mapping_type: mitigates
  references: []
- attack_object_id: T1601.001
  attack_object_name: Patch System Image
  capability_description: Configuration deviation
  capability_group: PR.PS
  capability_id: PR.PS-01.03
  comments: This diagnostic statement provides protection from Patch System Image
    through the implementation of security configuration baselines for OS, software,
    file integrity monitoring and imaging. Security baselining and integrity checking
    can help protect against adversaries attempting to compromise and modify the system
    image.
  mapping_type: mitigates
  references: []
- attack_object_id: T1601.002
  attack_object_name: Downgrade System Image
  capability_description: Configuration deviation
  capability_group: PR.PS
  capability_id: PR.PS-01.03
  comments: This diagnostic statement provides protection from Downgrade System Image
    through the implementation of security configuration baselines for OS, software,
    file integrity monitoring and imaging. Security baselining and integrity checking
    can help protect against adversaries attempting to compromise and modify the system
    image.
  mapping_type: mitigates
  references: []
- attack_object_id: T1495
  attack_object_name: Firmware Corruption
  capability_description: Configuration deviation
  capability_group: PR.PS
  capability_id: PR.PS-01.03
  comments: This diagnostic statement provides protection from Firmware Corruption
    through the implementation of security configuration baselines for OS, software,
    file integrity monitoring and imaging. Security baselining and integrity checking
    can help protect against adversaries attempting to compromise and modify firmware
    and its configurations.
  mapping_type: mitigates
  references: []
- attack_object_id: T1204
  attack_object_name: User Execution
  capability_description: Configuration deviation
  capability_group: PR.PS
  capability_id: PR.PS-01.03
  comments: This diagnostic statement provides protection from User Execution through
    the implementation of security configuration baselines for OS, software, file
    integrity monitoring and imaging. Security baselining and integrity checking can
    help protect against adversaries attempting to execute malicious unsigned code.
  mapping_type: mitigates
  references: []
- attack_object_id: T1204.003
  attack_object_name: Malicious Image
  capability_description: Configuration deviation
  capability_group: PR.PS
  capability_id: PR.PS-01.03
  comments: This diagnostic statement provides protection from User Execution through
    the implementation of security configuration baselines for OS, software, file
    integrity monitoring and imaging. Security baselining and integrity checking can
    help protect against adversaries attempting to execute malicious unsigned code.
  mapping_type: mitigates
  references: []
- attack_object_id: T1127
  attack_object_name: Trusted Developer Utilities Proxy Execution
  capability_description: Configuration deviation
  capability_group: PR.PS
  capability_id: PR.PS-01.03
  comments: This diagnostic statement provides protection from Trusted Developer Utilities
    Proxy Execution through the implementation of security configuration baselines
    for OS, software, file integrity monitoring and imaging. Security baselining and
    integrity checking can help protect against adversaries attempting to compromise
    and modify software and its configurations.
  mapping_type: mitigates
  references: []
- attack_object_id: T1127.002
  attack_object_name: ClickOnce
  capability_description: Configuration deviation
  capability_group: PR.PS
  capability_id: PR.PS-01.03
  comments: 'This diagnostic statement provides protection from Trusted Developer
    Utilities Proxy Execution: ClickOnce through the implementation of security configuration
    baselines for OS, software, file integrity monitoring and imaging. Security baselining
    and integrity checking can help protect against adversaries attempting to compromise
    and modify software and its configurations.'
  mapping_type: mitigates
  references: []
- attack_object_id: T1505
  attack_object_name: Server Software Component
  capability_description: Configuration deviation
  capability_group: PR.PS
  capability_id: PR.PS-01.03
  comments: This diagnostic statement provides protection from Server Software Component
    through the implementation of security configuration baselines for OS, software,
    file integrity monitoring and imaging. Security baselining and integrity checking
    can help protect against adversaries attempting to compromise and modify software
    and its configurations.
  mapping_type: mitigates
  references: []
- attack_object_id: T1505.001
  attack_object_name: SQL Stored Procedures
  capability_description: Configuration deviation
  capability_group: PR.PS
  capability_id: PR.PS-01.03
  comments: This diagnostic statement provides protection from SQL Stored Procedures
    through the implementation of security configuration baselines for OS, software,
    file integrity monitoring and imaging. Security baselining and integrity checking
    can help protect against adversaries attempting to compromise and modify software
    and its configurations.
  mapping_type: mitigates
  references: []
- attack_object_id: T1505.002
  attack_object_name: Transport Agent
  capability_description: Configuration deviation
  capability_group: PR.PS
  capability_id: PR.PS-01.03
  comments: This diagnostic statement provides protection from Transport Agent through
    the implementation of security configuration baselines for OS, software, file
    integrity monitoring and imaging. Security baselining and integrity checking can
    help protect against adversaries attempting to compromise and modify software
    and its configurations.
  mapping_type: mitigates
  references: []
- attack_object_id: T1505.004
  attack_object_name: IIS Components
  capability_description: Configuration deviation
  capability_group: PR.PS
  capability_id: PR.PS-01.03
  comments: This diagnostic statement provides protection from IIS Components through
    the implementation of security configuration baselines for OS, software, file
    integrity monitoring and imaging. Security baselining and integrity checking can
    help protect against adversaries attempting to compromise and modify software
    and its configurations.
  mapping_type: mitigates
  references: []
- attack_object_id: T1036
  attack_object_name: Masquerading
  capability_description: Configuration deviation
  capability_group: PR.PS
  capability_id: PR.PS-01.03
  comments: This diagnostic statement provides protection from Masquerading through
    the implementation of security configuration baselines for OS, software, file
    integrity monitoring and imaging. Security baselining and integrity checking can
    help protect against adversaries attempting to compromise and modify software
    and its configurations.
  mapping_type: mitigates
  references: []
- attack_object_id: T1036.001
  attack_object_name: Invalid Code Signature
  capability_description: Configuration deviation
  capability_group: PR.PS
  capability_id: PR.PS-01.03
  comments: 'This diagnostic statement provides protection from Masquerading: Invalid
    Code Signature through the implementation of security configuration baselines
    for OS, software, file integrity monitoring and imaging. Security baselining and
    integrity checking can help protect against adversaries attempting to compromise
    and modify software and its configurations.'
  mapping_type: mitigates
  references: []
- attack_object_id: T1036.005
  attack_object_name: Match Legitimate Name or Location
  capability_description: Configuration deviation
  capability_group: PR.PS
  capability_id: PR.PS-01.03
  comments: 'This diagnostic statement provides protection from Masquerading: Match
    Legitimate Name or Location through the implementation of security configuration
    baselines for OS, software, file integrity monitoring and imaging. Security baselining
    and integrity checking can help protect against adversaries attempting to compromise
    and modify software and its configurations.'
  mapping_type: mitigates
  references: []
- attack_object_id: T1525
  attack_object_name: Implant Internal Image
  capability_description: Configuration deviation
  capability_group: PR.PS
  capability_id: PR.PS-01.03
  comments: This diagnostic statement provides protection from Implant Internal Image
    through the implementation of security configuration baselines for OS, software,
    file integrity monitoring and imaging. Security baselining and integrity checking
    can help protect against adversaries attempting to compromise and modify software
    and its configurations.
  mapping_type: mitigates
  references: []
- attack_object_id: T1546
  attack_object_name: Event Triggered Execution
  capability_description: Configuration deviation
  capability_group: PR.PS
  capability_id: PR.PS-01.03
  comments: This diagnostic statement provides protection from Event Triggered Execution
    through the implementation of security configuration baselines for OS, software,
    file integrity monitoring and imaging. Security baselining and integrity checking
    can help protect against adversaries attempting to compromise and modify software
    and its configurations.
  mapping_type: mitigates
  references: []
- attack_object_id: T1546.006
  attack_object_name: LC_LOAD_DYLIB Addition
  capability_description: Configuration deviation
  capability_group: PR.PS
  capability_id: PR.PS-01.03
  comments: 'This diagnostic statement provides protection from Event Triggered Execution:
    LC_LOAD_DYLIB Addition through the implementation of security configuration baselines
    for OS, software, file integrity monitoring and imaging. Security baselining and
    integrity checking can help protect against adversaries attempting to compromise
    and modify software and its configurations.'
  mapping_type: mitigates
  references: []
- attack_object_id: T1546.013
  attack_object_name: PowerShell Profile
  capability_description: Configuration deviation
  capability_group: PR.PS
  capability_id: PR.PS-01.03
  comments: This diagnostic statement provides protection from PowerShell Profile
    through the implementation of security configuration baselines for OS, software,
    file integrity monitoring and imaging. Security baselining and integrity checking
    can help protect against adversaries attempting to compromise and modify software
    and its configurations.
  mapping_type: mitigates
  references: []
- attack_object_id: T1543
  attack_object_name: Create or Modify System Process
  capability_description: Configuration deviation
  capability_group: PR.PS
  capability_id: PR.PS-01.03
  comments: This diagnostic statement provides protection from Create or Modify System
    Process through the implementation of security configuration baselines for OS,
    software, file integrity monitoring and imaging. Security baselining and integrity
    checking can help protect against adversaries attempting to compromise and modify
    software and its configurations.
  mapping_type: mitigates
  references: []
- attack_object_id: T1543.003
  attack_object_name: Windows Service
  capability_description: Configuration deviation
  capability_group: PR.PS
  capability_id: PR.PS-01.03
  comments: 'This diagnostic statement provides protection from Create or Modify System
    Process: Windows Service through the implementation of security configuration
    baselines for OS, software, file integrity monitoring and imaging. Security baselining
    and integrity checking can help protect against adversaries attempting to compromise
    and modify software and its configurations.'
  mapping_type: mitigates
  references: []
- attack_object_id: T1554
  attack_object_name: Compromise Host Software Binary
  capability_description: Configuration deviation
  capability_group: PR.PS
  capability_id: PR.PS-01.03
  comments: This diagnostic statement provides protection from Compromise Host Software
    Binary through the implementation of security configuration baselines for OS, software,
    file integrity monitoring and imaging. Security baselining and integrity checking
    can help protect against adversaries attempting to compromise and modify software
    and its configurations.
  mapping_type: mitigates
  references: []
- attack_object_id: T1059
  attack_object_name: Command and Scripting Interpreter
  capability_description: Configuration deviation
  capability_group: PR.PS
  capability_id: PR.PS-01.03
  comments: This diagnostic statement provides protection from Command and Scripting
    Interpreter through the implementation of security configuration baselines for
    OS, software, file integrity monitoring and imaging. Security baselining along
    with disallowing scripts and integrity checking can help protect against adversaries
    that may abuse command and script interpreters.
  mapping_type: mitigates
  references: []
- attack_object_id: T1059.001
  attack_object_name: PowerShell
  capability_description: Configuration deviation
  capability_group: PR.PS
  capability_id: PR.PS-01.03
  comments: This diagnostic statement provides protection from Command and Scripting
    Interpreter through the implementation of security configuration baselines for
    OS, software, file integrity monitoring and imaging. Security baselining along
    with disallowing scripts and integrity checking can help protect against adversaries
    that may abuse command and script interpreters.
  mapping_type: mitigates
  references: []
- attack_object_id: T1059.002
  attack_object_name: AppleScript
  capability_description: Configuration deviation
  capability_group: PR.PS
  capability_id: PR.PS-01.03
  comments: This diagnostic statement provides protection from Command and Scripting
    Interpreter through the implementation of security configuration baselines for
    OS, software, file integrity monitoring and imaging. Security baselining along
    with disallowing scripts and integrity checking can help protect against adversaries
    that may abuse command and script interpreters.
  mapping_type: mitigates
  references: []
- attack_object_id: T1550.004
  attack_object_name: Web Session Cookie
  capability_description: Configuration deviation
  capability_group: PR.PS
  capability_id: PR.PS-01.03
  comments: This diagnostic statement provides protection from Web Session Cookie
    through the implementation of security configuration baselines for OS, software,
    file integrity monitoring and imaging. Baseline security configuration including
    the automated deletion of cookies can help protect against adversaries attempting
    to compromise and modify software and its configurations.
  mapping_type: mitigates
  references: []
- attack_object_id: T1535
  attack_object_name: Unused/Unsupported Cloud Regions
  capability_description: Configuration deviation
  capability_group: PR.PS
  capability_id: PR.PS-01.03
  comments: This diagnostic statement provides protection from Unused/Unsupported
    Cloud Regions through the implementation of security configuration baselines for
    OS, software, file integrity monitoring and imaging. Security baselining and integrity
    checking can help protect against adversaries attempting to compromise and modify
    software and its configurations.
  mapping_type: mitigates
  references: []
- attack_object_id: T1537
  attack_object_name: Transfer Data to Cloud Account
  capability_description: Configuration deviation
  capability_group: PR.PS
  capability_id: PR.PS-01.03
  comments: This diagnostic statement provides protection from Transfer Data to Cloud Account
    through the implementation of security configuration baselines for OS, software,
    file integrity monitoring and imaging. Security baseline configurations that enforce
    data sharing restrictions to the cloud and integrity checking can help protect
    against adversaries attempting to transfer data to a cloud account.
  mapping_type: mitigates
  references: []
- attack_object_id: T1553.004
  attack_object_name: Install Root Certificate
  capability_description: Configuration deviation
  capability_group: PR.PS
  capability_id: PR.PS-01.03
  comments: 'This diagnostic statement provides protection from Subvert Trust Controls:
    Install Root Certificate through the implementation of security configuration
    baselines for OS, software, file integrity monitoring and imaging. Security baseline
    configuration including Windows Group Policy or Key Pinning and integrity checking
    can help protect against adversaries attempting to compromise and modify certificate
    configurations.'
  mapping_type: mitigates
  references: []
- attack_object_id: T1539
  attack_object_name: Steal Web Session Cookie
  capability_description: Configuration deviation
  capability_group: PR.PS
  capability_id: PR.PS-01.03
  comments: This diagnostic statement provides protection from Steal Web Session Cookie
    through the implementation of security configuration baselines for OS, software,
    file integrity monitoring and imaging. Baseline security configuration including
    the automated deletion of cookies can help protect against adversaries attempting
    to compromise and modify software and its configurations.
  mapping_type: mitigates
  references: []
- attack_object_id: T1598
  attack_object_name: Phishing for Information
  capability_description: Configuration deviation
  capability_group: PR.PS
  capability_id: PR.PS-01.03
  comments: This diagnostic statement provides protection from Phishing for Information
    through the implementation of security configuration baselines for OS, software,
    file integrity monitoring and imaging. Security baseline configuration that uses
    anti-spoofing, email authentication mechanisms, encryption of credential data,
    and integrity checking can help protect against adversaries attempting to gather
    information.
  mapping_type: mitigates
  references: []
- attack_object_id: T1598.002
  attack_object_name: Spearphishing Attachment
  capability_description: Configuration deviation
  capability_group: PR.PS
  capability_id: PR.PS-01.03
  comments: 'This diagnostic statement provides protection from Phishing for Information:
    Spearphishing Attachment through the implementation of security configuration
    baselines for OS, software, file integrity monitoring and imaging. Security baseline
    configuration that uses anti-spoofing, email authentication mechanisms, external
    email tracking, encryption of credential data, and integrity checking can help
    protect against adversaries attempting to gather information.'
  mapping_type: mitigates
  references: []
- attack_object_id: T1598.003
  attack_object_name: Spearphishing Link
  capability_description: Configuration deviation
  capability_group: PR.PS
  capability_id: PR.PS-01.03
  comments: 'This diagnostic statement provides protection from Phishing for Information:
    Spearphishing Link through the implementation of security configuration baselines
    for OS, software, file integrity monitoring and imaging. Security baseline configuration
    that uses anti-spoofing, email authentication mechanisms, web filtering, encryption
    of credential data, and integrity checking can help protect against adversaries
    attempting to gather information.'
  mapping_type: mitigates
  references: []
- attack_object_id: T1566
  attack_object_name: Phishing
  capability_description: Configuration deviation
  capability_group: PR.PS
  capability_id: PR.PS-01.03
  comments: This diagnostic statement provides protection from Phishing through the
    implementation of security configuration baselines for OS, software, file integrity
    monitoring and imaging. Security baseline configuration that uses anti-spoofing,
    email authentication mechanisms, blocking of non-essential sites or attachment
    types, encryption of credential data, and integrity checking can help protect
    against adversaries attempting to access systems.
  mapping_type: mitigates
  references: []
- attack_object_id: T1566.002
  attack_object_name: Spearphishing Link
  capability_description: Configuration deviation
  capability_group: PR.PS
  capability_id: PR.PS-01.03
  comments: This diagnostic statement provides protection from Phishing through the
    implementation of security configuration baselines for OS, software, file integrity
    monitoring and imaging. Security baseline configuration that uses anti-spoofing,
    email authentication mechanisms, blocking of non-essential sites or attachment
    types, encryption of credential data, and integrity checking can help protect
    against adversaries attempting to access systems.
  mapping_type: mitigates
  references: []
- attack_object_id: T1137
  attack_object_name: Office Application Startup
  capability_description: Configuration deviation
  capability_group: PR.PS
  capability_id: PR.PS-01.03
  comments: This diagnostic statement provides protection from Office Application
    Startup through the implementation of security configuration baselines for OS,
    software, file integrity monitoring and imaging. Security baseline configuration
    of Office software and integrity checking can help protect against adversaries
    attempting to compromise and modify software and its configurations.
  mapping_type: mitigates
  references: []
- attack_object_id: T1137.002
  attack_object_name: Office Test
  capability_description: Configuration deviation
  capability_group: PR.PS
  capability_id: PR.PS-01.03
  comments: This diagnostic statement provides protection from Office Test through
    the implementation of security configuration baselines for OS, software, file
    integrity monitoring and imaging. Security baselining and integrity checking can
    help protect against adversaries attempting to compromise and modify software
    and its configurations.
  mapping_type: mitigates
  references: []
- attack_object_id: T1666
  attack_object_name: Modify Cloud Resource Hierarchy
  capability_description: Configuration deviation
  capability_group: PR.PS
  capability_id: PR.PS-01.03
  comments: This diagnostic statement provides protection from Modify Cloud Resource
    Hierarchy through the implementation of security configuration baselines for OS,
    software, file integrity monitoring and imaging. Security baseline configurations
    for Cloud platforms and integrity checking can help protect against adversaries
    attempting to compromise and modify cloud configurations.
  mapping_type: mitigates
  references: []
- attack_object_id: T1559
  attack_object_name: Inter-Process Communication
  capability_description: Configuration deviation
  capability_group: PR.PS
  capability_id: PR.PS-01.03
  comments: This diagnostic statement provides protection from Inter-Process Communication
    through the implementation of security configuration baselines for OS, software,
    file integrity monitoring and imaging. Security baselining and integrity checking
    can help protect against adversaries attempting to compromise and modify software
    and its configurations.
  mapping_type: mitigates
  references: []
- attack_object_id: T1559.002
  attack_object_name: Dynamic Data Exchange
  capability_description: Configuration deviation
  capability_group: PR.PS
  capability_id: PR.PS-01.03
  comments: 'This diagnostic statement provides protection from Inter-Process Communication:
    Dynamic Data Exchange through the implementation of security configuration baselines
    for OS, software, file integrity monitoring and imaging. Security baselining and
    integrity checking can help protect against adversaries attempting to compromise
    and modify software and its configurations.'
  mapping_type: mitigates
  references: []
- attack_object_id: T1562
  attack_object_name: Impair Defenses
  capability_description: Configuration deviation
  capability_group: PR.PS
  capability_id: PR.PS-01.03
  comments: This diagnostic statement provides protection from Impair Defenses through
    the implementation of security configuration baselines for OS, software, file
    integrity monitoring and imaging. Security baselining and integrity checking can
    help protect against adversaries attempting to compromise and modify software
    and its configurations.
  mapping_type: mitigates
  references: []
- attack_object_id: T1562.006
  attack_object_name: Indicator Blocking
  capability_description: Configuration deviation
  capability_group: PR.PS
  capability_id: PR.PS-01.03
  comments: 'This diagnostic statement provides protection from Impair Defenses: Indicator
    Blocking through the implementation of security configuration baselines for OS,
    software, file integrity monitoring and imaging. Security baselining and integrity
    checking can help protect against adversaries attempting to compromise and modify
    software and its configurations.'
  mapping_type: mitigates
  references: []
- attack_object_id: T1562.009
  attack_object_name: Safe Mode Boot
  capability_description: Configuration deviation
  capability_group: PR.PS
  capability_id: PR.PS-01.03
  comments: 'This diagnostic statement provides protection from Impair Defenses: Safe
    Mode Boot through the implementation of security configuration baselines for OS,
    software, file integrity monitoring and imaging. Security baselining and integrity
    checking can help protect against adversaries attempting to compromise and modify
    software and its configurations.'
  mapping_type: mitigates
  references: []
- attack_object_id: T1562.010
  attack_object_name: Downgrade Attack
  capability_description: Configuration deviation
  capability_group: PR.PS
  capability_id: PR.PS-01.03
  comments: 'This diagnostic statement provides protection from Impair Defenses: Downgrade
    Attack through the implementation of security configuration baselines for OS,
    software, file integrity monitoring and imaging. Security baselining and integrity
    checking can help protect against adversaries attempting to compromise and modify
    software and its configurations.'
  mapping_type: mitigates
  references: []
- attack_object_id: T1590.002
  attack_object_name: DNS
  capability_description: Configuration deviation
  capability_group: PR.PS
  capability_id: PR.PS-01.03
  comments: 'This diagnostic statement provides protection from Gather Victim Information:
    DNS through the implementation of security configuration baselines for OS, software,
    file integrity monitoring and imaging. Security baseline configuration, including
    secure policies for DNS servers such as Zone Transfer Policies, and integrity
    checking can help protect against adversaries attempting to compromise and modify
    software and its configurations.'
  mapping_type: mitigates
  references: []
- attack_object_id: T1606
  attack_object_name: Forge Web Credentials
  capability_description: Configuration deviation
  capability_group: PR.PS
  capability_id: PR.PS-01.03
  comments: This diagnostic statement provides protection from Forge Web Credentials
    through the implementation of security configuration baselines for OS, software,
    file integrity monitoring and imaging. Security baselining and integrity checking
    can help protect against adversaries attempting to compromise and modify software
    and its configurations.
  mapping_type: mitigates
  references: []
- attack_object_id: T1606.001
  attack_object_name: Web Cookies
  capability_description: Configuration deviation
  capability_group: PR.PS
  capability_id: PR.PS-01.03
  comments: This diagnostic statement provides protection from Web Cookies through
    the implementation of security configuration baselines for OS, software, file
    integrity monitoring and imaging. Baseline security configuration including the
    automated deletion of cookies can help protect against adversaries attempting
    to compromise and modify software and its configurations.
  mapping_type: mitigates
  references: []
- attack_object_id: T1213
  attack_object_name: Data from Information Repositories
  capability_description: Configuration deviation
  capability_group: PR.PS
  capability_id: PR.PS-01.03
  comments: This diagnostic statement provides protection from Data from Information
    Repositories through the implementation of security configuration baselines for
    OS, software, file integrity monitoring and imaging. Security baseline configurations
    that include data retention policies to periodically archive and/or delete data
    and integrity checking can help protect against adversaries attempting to leverage
    information repositories.
  mapping_type: mitigates
  references: []
- attack_object_id: T1213.004
  attack_object_name: Customer Relationship Management Software
  capability_description: Configuration deviation
  capability_group: PR.PS
  capability_id: PR.PS-01.03
  comments: 'This diagnostic statement provides protection from Data from Information
    Repositories: Customer Relationship Management Software through the implementation
    of security configuration baselines for OS, software, file integrity monitoring
    and imaging. Security baseline configurations that include data retention policies
    to periodically archive and/or delete data and integrity checking can help protect
    against adversaries attempting to leverage information repositories.'
  mapping_type: mitigates
  references: []
- attack_object_id: T1602
  attack_object_name: Data from Configuration Repository
  capability_description: Configuration deviation
  capability_group: PR.PS
  capability_id: PR.PS-01.03
  comments: 'This diagnostic statement provides protection from Data from Information
    Repositories: Data from Configuration Repository through the implementation of
    security configuration baselines for OS, software, file integrity monitoring and
    imaging. Security baseline configurations that include data retention policies
    to periodically archive and/or delete data and integrity checking can help protect
    against adversaries attempting to leverage information repositories.'
  mapping_type: mitigates
  references: []
- attack_object_id: T1602.001
  attack_object_name: SNMP (MIB Dump)
  capability_description: Configuration deviation
  capability_group: PR.PS
  capability_id: PR.PS-01.03
  comments: 'This diagnostic statement provides protection from Data from Configuration
    Repository: SNMP (MIB Dump) through the implementation of security configuration
    baselines for OS, software, file integrity monitoring and imaging. Security baseline
    configurations that allowlist MIB objects and implement SNMP Views can
    help protect against adversaries attempting to leverage information repositories.'
  mapping_type: mitigates
  references: []
- attack_object_id: T1602.002
  attack_object_name: Network Device Configuration Dump
  capability_description: Configuration deviation
  capability_group: PR.PS
  capability_id: PR.PS-01.03
  comments: 'This diagnostic statement provides protection from Data from Configuration
    Repository: Network Device Configuration Dump through the implementation of security
    configuration baselines for OS, software, file integrity monitoring and imaging.
    Security baseline configurations that allowlist MIB objects, implement SNMP Views,
    and keep system images and software up to date can help protect
    against adversaries attempting to leverage information repositories.'
  mapping_type: mitigates
  references: []
- attack_object_id: T1555.005
  attack_object_name: Password Managers
  capability_description: Configuration deviation
  capability_group: PR.PS
  capability_id: PR.PS-01.03
  comments: 'This diagnostic statement provides protection from Credentials from Password
    Stores: Password Managers through the implementation of security configuration
    baselines for OS, software, file integrity monitoring and imaging. Security baseline
    configurations that include secure password storage policies and keep system
    images and software up to date can help protect against adversaries attempting
    to leverage information repositories.'
  mapping_type: mitigates
  references: []
- attack_object_id: T1543.005
  attack_object_name: Container Service
  capability_description: Configuration deviation
  capability_group: PR.PS
  capability_id: PR.PS-01.03
  comments: 'This diagnostic statement provides protection from Create or Modify System
    Process: Container Service through the implementation of security configuration
    baselines for OS, software, file integrity monitoring and imaging. Security baselining
    and integrity checking can help protect against adversaries attempting to compromise
    and modify software and its configurations.'
  mapping_type: mitigates
  references: []
- attack_object_id: T1548
  attack_object_name: Abuse Elevation Control Mechanism
  capability_description: Configuration deviation
  capability_group: PR.PS
  capability_id: PR.PS-01.03
  comments: This diagnostic statement provides protection from Abuse Elevation Control
    Mechanism through the implementation of security configuration baselines for OS,
    software, file integrity monitoring and imaging. Security baselining and integrity
    checking can help protect against adversaries attempting to compromise and modify
    software and its configurations.
  mapping_type: mitigates
  references: []
- attack_object_id: T1548.003
  attack_object_name: Sudo and Sudo Caching
  capability_description: Configuration deviation
  capability_group: PR.PS
  capability_id: PR.PS-01.03
  comments: 'This diagnostic statement provides protection from Abuse Elevation Control
    Mechanism: Sudo and Sudo Caching through the implementation of security configuration
    baselines for OS, software, file integrity monitoring and imaging. Security baseline
    configuration of the Operating System and integrity checking can help protect
    against adversaries attempting to compromise and elevate privileges.'
  mapping_type: mitigates
  references: []
- attack_object_id: T1548.002
  attack_object_name: Bypass User Account Control
  capability_description: Configuration deviation
  capability_group: PR.PS
  capability_id: PR.PS-01.03
  comments: 'This diagnostic statement provides protection from Abuse Elevation Control
    Mechanism: Bypass User Account Control through the implementation of security
    configuration baselines for OS, software, file integrity monitoring and imaging.
    Security baseline configuration of the Operating System and integrity checking
    can help protect against adversaries attempting to compromise and elevate privileges.'
  mapping_type: mitigates
  references: []
- attack_object_id: T1548.001
  attack_object_name: Setuid and Setgid
  capability_description: Configuration deviation
  capability_group: PR.PS
  capability_id: PR.PS-01.03
  comments: 'This diagnostic statement provides protection from Abuse Elevation Control
    Mechanism: Setuid and Setgid through the implementation of security configuration
    baselines for OS, software, file integrity monitoring and imaging. Security baseline
    configuration of the Operating System and integrity checking can help protect
    against adversaries attempting to compromise and elevate privileges.'
  mapping_type: mitigates
  references: []
- attack_object_id: T1087
  attack_object_name: Account Discovery
  capability_description: Configuration deviation
  capability_group: PR.PS
  capability_id: PR.PS-01.03
  comments: This diagnostic statement provides protection from Account Discovery through
    the implementation of security configuration baselines for OS, software, file
    integrity monitoring and imaging. Security baseline configuration of the Operating
    System and integrity checking can help protect against adversaries attempting
    to compromise and elevate privileges.
  mapping_type: mitigates
  references: []
- attack_object_id: T1087.001
  attack_object_name: Local Account
  capability_description: Configuration deviation
  capability_group: PR.PS
  capability_id: PR.PS-01.03
  comments: 'This diagnostic statement provides protection from Account Discovery:
    Local Account through the implementation of security configuration baselines for
    OS, software, file integrity monitoring and imaging. Security baseline configuration
    of the Operating System and integrity checking can help protect against adversaries
    attempting to compromise and elevate privileges.'
  mapping_type: mitigates
  references: []
- attack_object_id: T1087.002
  attack_object_name: Domain Account
  capability_description: Configuration deviation
  capability_group: PR.PS
  capability_id: PR.PS-01.03
  comments: 'This diagnostic statement provides protection from Account Discovery:
    Domain Account through the implementation of security configuration baselines
    for OS, software, file integrity monitoring and imaging. Security baseline configuration
    of the Operating System and integrity checking can help protect against adversaries
    attempting to compromise and elevate privileges.'
  mapping_type: mitigates
  references: []
- attack_object_id: T1098
  attack_object_name: Account Manipulation
  capability_description: Configuration deviation
  capability_group: PR.PS
  capability_id: PR.PS-01.03
  comments: This diagnostic statement provides protection from Account Manipulation
    through the implementation of security configuration baselines for OS, software,
    file integrity monitoring and imaging. Security baseline configuration of the
    Operating System and integrity checking can help protect against adversaries attempting
    to compromise and modify software and its configurations.
  mapping_type: mitigates
  references: []
- attack_object_id: T1197
  attack_object_name: BITS Jobs
  capability_description: Configuration deviation
  capability_group: PR.PS
  capability_id: PR.PS-01.03
  comments: This diagnostic statement provides protection from BITS Jobs through the
    implementation of security configuration baselines for OS, software, file integrity
    monitoring and imaging. Security baseline configuration of the Operating System
    and integrity checking can help protect against adversaries attempting to compromise
    and elevate privileges.
  mapping_type: mitigates
  references: []
- attack_object_id: T1092
  attack_object_name: Communication Through Removable Media
  capability_description: Configuration deviation
  capability_group: PR.PS
  capability_id: PR.PS-01.03
  comments: This diagnostic statement provides protection from Communication Through
    Removable Media through the implementation of security configuration baselines
    for OS, software, file integrity monitoring and imaging. Security baseline configuration
    of the Operating System and integrity checking can help protect against adversaries
    attempting to compromise and elevate privileges.
  mapping_type: mitigates
  references: []
- attack_object_id: T1136
  attack_object_name: Create Account
  capability_description: Configuration deviation
  capability_group: PR.PS
  capability_id: PR.PS-01.03
  comments: This diagnostic statement provides protection from Create Account through
    the implementation of security configuration baselines for OS, software, file
    integrity monitoring and imaging. Security baseline configuration of the Operating
    System and integrity checking can help protect against adversaries attempting
    to compromise and elevate privileges.
  mapping_type: mitigates
  references: []
- attack_object_id: T1136.002
  attack_object_name: Domain Account
  capability_description: Configuration deviation
  capability_group: PR.PS
  capability_id: PR.PS-01.03
  comments: 'This diagnostic statement provides protection from Create Account: Domain
    Account through the implementation of security configuration baselines for OS,
    software, file integrity monitoring and imaging. Security baseline configuration
    of the Operating System and integrity checking can help protect against adversaries
    attempting to compromise and elevate privileges.'
  mapping_type: mitigates
  references: []
- attack_object_id: T1546.008
  attack_object_name: Accessibility Features
  capability_description: Configuration deviation
  capability_group: PR.PS
  capability_id: PR.PS-01.03
  comments: This diagnostic statement provides protection from Accessibility Features
    through the implementation of security configuration baselines for OS, software,
    file integrity monitoring and imaging. Security baseline configuration of the
    Operating System and integrity checking can help protect against adversaries attempting
    to compromise and elevate privileges.
  mapping_type: mitigates
  references: []
- attack_object_id: T1011
  attack_object_name: Exfiltration Over Other Network Medium
  capability_description: Configuration deviation
  capability_group: PR.PS
  capability_id: PR.PS-01.03
  comments: This diagnostic statement provides protection from Exfiltration Over Other
    Network Medium through the implementation of security configuration baselines
    for OS, software, file integrity monitoring and imaging. Security baseline configuration
    of the Operating System and integrity checking can help protect against adversaries
    attempting to compromise and modify software and its configurations.
  mapping_type: mitigates
  references: []
- attack_object_id: T1011.001
  attack_object_name: Exfiltration Over Bluetooth
  capability_description: Configuration deviation
  capability_group: PR.PS
  capability_id: PR.PS-01.03
  comments: 'This diagnostic statement provides protection from Exfiltration Over
    Other Network Medium: Exfiltration Over Bluetooth through the implementation of
    security configuration baselines for OS, software, file integrity monitoring and
    imaging. Security baseline configuration of the Operating System and integrity
    checking can help protect against adversaries attempting to compromise and modify
    software and its configurations.'
  mapping_type: mitigates
  references: []
- attack_object_id: T1564
  attack_object_name: Hide Artifacts
  capability_description: Configuration deviation
  capability_group: PR.PS
  capability_id: PR.PS-01.03
  comments: This diagnostic statement provides protection from Hide Artifacts through
    the implementation of security configuration baselines for OS, software, file
    integrity monitoring and imaging. Security baseline configuration of the Operating
    System and integrity checking can help protect against adversaries attempting
    to compromise and modify software and its configurations.
  mapping_type: mitigates
  references: []
- attack_object_id: T1564.002
  attack_object_name: Hidden Users
  capability_description: Configuration deviation
  capability_group: PR.PS
  capability_id: PR.PS-01.03
  comments: 'This diagnostic statement provides protection from Hide Artifacts: Hidden
    Users through the implementation of security configuration baselines for OS, software,
    file integrity monitoring and imaging. Security baseline configuration of the
    Operating System and integrity checking can help protect against adversaries attempting
    to compromise and modify software and its configurations.'
  mapping_type: mitigates
  references: []
- attack_object_id: T1574
  attack_object_name: Hijack Execution Flow
  capability_description: Configuration deviation
  capability_group: PR.PS
  capability_id: PR.PS-01.03
  comments: This diagnostic statement provides protection from Hijack Execution Flow
    through the implementation of security configuration baselines for OS, software,
    file integrity monitoring and imaging. Security baseline configuration of the
    Operating System and integrity checking can help protect against adversaries attempting
    to compromise and modify software and its configurations.
  mapping_type: mitigates
  references: []
- attack_object_id: T1574.006
  attack_object_name: Dynamic Linker Hijacking
  capability_description: Configuration deviation
  capability_group: PR.PS
  capability_id: PR.PS-01.03
  comments: 'This diagnostic statement provides protection from Hijack Execution Flow:
    Dynamic Linker Hijacking through the implementation of security configuration
    baselines for OS, software, file integrity monitoring and imaging. Security baseline
    configuration of the Operating System and integrity checking can help protect
    against adversaries attempting to compromise and modify software and its configurations.'
  mapping_type: mitigates
  references: []
- attack_object_id: T1562.003
  attack_object_name: Impair Command History Logging
  capability_description: Configuration deviation
  capability_group: PR.PS
  capability_id: PR.PS-01.03
  comments: 'This diagnostic statement provides protection from Impair Defenses: Impair
    Command History Logging through the implementation of security configuration baselines
    for OS, software, file integrity monitoring and imaging. Security baseline configuration
    of the Operating System and integrity checking can help protect against adversaries
    attempting to compromise and modify software and its configurations.'
  mapping_type: mitigates
  references: []
- attack_object_id: T1490
  attack_object_name: Inhibit System Recovery
  capability_description: Configuration deviation
  capability_group: PR.PS
  capability_id: PR.PS-01.03
  comments: This diagnostic statement provides protection from Inhibit System Recovery
    through the implementation of security configuration baselines for OS, software,
    file integrity monitoring and imaging. Security baseline configuration of the
    Operating System and integrity checking can help protect against adversaries attempting
    to compromise and modify software and its configurations.
  mapping_type: mitigates
  references: []
- attack_object_id: T1036.007
  attack_object_name: Double File Extension
  capability_description: Configuration deviation
  capability_group: PR.PS
  capability_id: PR.PS-01.03
  comments: 'This diagnostic statement provides protection from Masquerading: Double
    File Extension through the implementation of security configuration baselines
    for OS, software, file integrity monitoring and imaging. Security baseline configuration
    of the Operating System and integrity checking can help protect against adversaries
    attempting to compromise and modify software and its configurations.'
  mapping_type: mitigates
  references: []
- attack_object_id: T1556
  attack_object_name: Modify Authentication Process
  capability_description: Configuration deviation
  capability_group: PR.PS
  capability_id: PR.PS-01.03
  comments: This diagnostic statement provides protection from Modify Authentication
    Process through the implementation of security configuration baselines for OS,
    software, file integrity monitoring and imaging. Security baseline configuration
    of the Operating System (including allowing only valid DLLs and enforcing secure policies)
    and integrity checking can help protect against adversaries attempting to compromise
    and modify software and its configurations.
  mapping_type: mitigates
  references: []
- attack_object_id: T1556.002
  attack_object_name: Password Filter DLL
  capability_description: Configuration deviation
  capability_group: PR.PS
  capability_id: PR.PS-01.03
  comments: 'This diagnostic statement provides protection from Modify Authentication
    Process: Password Filter DLL through the implementation of security configuration
    baselines for OS, software, file integrity monitoring and imaging. Security baseline
    configuration of the Operating System (including allowing only valid DLLs and
    enforcing secure policies) and integrity checking can help protect against
    adversaries attempting
    to compromise and modify software and its configurations.'
  mapping_type: mitigates
  references: []
- attack_object_id: T1556.008
  attack_object_name: Network Provider DLL
  capability_description: Configuration deviation
  capability_group: PR.PS
  capability_id: PR.PS-01.03
  comments: 'This diagnostic statement provides protection from Modify Authentication
    Process: Network Provider DLL through the implementation of security configuration
    baselines for OS, software, file integrity monitoring and imaging. Security baseline
    configuration of the Operating System (including allowing only valid DLLs and
    enforcing secure policies) and integrity checking can help protect against
    adversaries attempting
    to compromise and modify software and its configurations.'
  mapping_type: mitigates
  references: []
- attack_object_id: T1135
  attack_object_name: Network Share Discovery
  capability_description: Configuration deviation
  capability_group: PR.PS
  capability_id: PR.PS-01.03
  comments: This diagnostic statement provides protection from Network Share Discovery
    through the implementation of security configuration baselines for OS, software,
    file integrity monitoring and imaging. Security baseline configuration of the
    Operating System and integrity checking can help protect against adversaries attempting
    to compromise and modify software and its configurations.
  mapping_type: mitigates
  references: []
- attack_object_id: T1003
  attack_object_name: OS Credential Dumping
  capability_description: Configuration deviation
  capability_group: PR.PS
  capability_id: PR.PS-01.03
  comments: This diagnostic statement provides protection from OS Credential Dumping
    through the implementation of security configuration baselines for OS, software,
    file integrity monitoring and imaging. Security baseline configuration of the
    Operating System and integrity checking can help protect against adversaries attempting
    to compromise and elevate privileges.
  mapping_type: mitigates
  references: []
- attack_object_id: T1003.001
  attack_object_name: LSASS Memory
  capability_description: Configuration deviation
  capability_group: PR.PS
  capability_id: PR.PS-01.03
  comments: 'This diagnostic statement provides protection from OS Credential Dumping:
    LSASS Memory through the implementation of security configuration baselines for
    OS, software, file integrity monitoring and imaging. Security baseline configuration
    of the Operating System and integrity checking can help protect against adversaries
    attempting to compromise and elevate privileges.'
  mapping_type: mitigates
  references: []
- attack_object_id: T1003.002
  attack_object_name: Security Account Manager
  capability_description: Configuration deviation
  capability_group: PR.PS
  capability_id: PR.PS-01.03
  comments: 'This diagnostic statement provides protection from OS Credential Dumping:
    Security Account Manager through the implementation of security configuration
    baselines for OS, software, file integrity monitoring and imaging. Security baseline
    configuration of the Operating System and integrity checking can help protect
    against adversaries attempting to compromise and elevate privileges.'
  mapping_type: mitigates
  references: []
- attack_object_id: T1003.005
  attack_object_name: Cached Domain Credentials
  capability_description: Configuration deviation
  capability_group: PR.PS
  capability_id: PR.PS-01.03
  comments: 'This diagnostic statement provides protection from OS Credential Dumping:
    Cached Domain Credentials through the implementation of security configuration
    baselines for OS, software, file integrity monitoring and imaging. Security baseline
    configuration of the Operating System and integrity checking can help protect
    against adversaries attempting to compromise and elevate privileges.'
  mapping_type: mitigates
  references: []
- attack_object_id: T1563
  attack_object_name: Remote Service Session Hijacking
  capability_description: Configuration deviation
  capability_group: PR.PS
  capability_id: PR.PS-01.03
  comments: This diagnostic statement provides protection from Remote Service Session
    Hijacking through the implementation of security configuration baselines for OS,
    software, file integrity monitoring and imaging. Security baseline configuration
    of the Operating System and integrity checking can help protect against adversaries
    attempting to compromise and modify software and its configurations.
  mapping_type: mitigates
  references: []
- attack_object_id: T1563.002
  attack_object_name: RDP Hijacking
  capability_description: Configuration deviation
  capability_group: PR.PS
  capability_id: PR.PS-01.03
  comments: 'This diagnostic statement provides protection from Remote Service Session
    Hijacking: RDP Hijacking through the implementation of security configuration
    baselines for OS, software, file integrity monitoring and imaging. Security baseline
    configuration of the Operating System and integrity checking can help protect
    against adversaries attempting to compromise and modify software and its configurations.'
  mapping_type: mitigates
  references: []
- attack_object_id: T1021
  attack_object_name: Remote Services
  capability_description: Configuration deviation
  capability_group: PR.PS
  capability_id: PR.PS-01.03
  comments: This diagnostic statement provides protection from Remote Services through
    the implementation of security configuration baselines for OS, software, file
    integrity monitoring and imaging. Security baseline configuration of the Operating
    System and integrity checking can help protect against adversaries attempting
    to compromise and modify software and its configurations.
  mapping_type: mitigates
  references: []
- attack_object_id: T1021.001
  attack_object_name: Remote Desktop Protocol
  capability_description: Configuration deviation
  capability_group: PR.PS
  capability_id: PR.PS-01.03
  comments: This diagnostic statement provides protection from Remote Desktop Protocol
    through the implementation of security configuration baselines for OS, software,
    file integrity monitoring and imaging. Security baseline configuration of the
    Operating System and integrity checking can help protect against adversaries attempting
    to compromise and modify software and its configurations.
  mapping_type: mitigates
  references: []
- attack_object_id: T1053
  attack_object_name: Scheduled Task/Job
  capability_description: Configuration deviation
  capability_group: PR.PS
  capability_id: PR.PS-01.03
  comments: This diagnostic statement provides protection from Scheduled Task/Job
    through the implementation of security configuration baselines for OS, software,
    file integrity monitoring and imaging. Security baseline configuration of the
    Operating System, including running scheduled tasks as an authenticated user instead
    of SYSTEM, and integrity checking can help protect against adversaries attempting
    to compromise and modify software and its configurations.
  mapping_type: mitigates
  references: []
- attack_object_id: T1053.002
  attack_object_name: At
  capability_description: Configuration deviation
  capability_group: PR.PS
  capability_id: PR.PS-01.03
  comments: 'This diagnostic statement provides protection from Scheduled Task/Job:
    At through the implementation of security configuration baselines for OS, software,
    file integrity monitoring and imaging. Security baseline configuration of the
    Operating System, including running scheduled tasks as an authenticated user instead
    of SYSTEM, and integrity checking can help protect against adversaries attempting
    to compromise and modify software and its configurations.'
  mapping_type: mitigates
  references: []
- attack_object_id: T1053.005
  attack_object_name: Scheduled Task
  capability_description: Configuration deviation
  capability_group: PR.PS
  capability_id: PR.PS-01.03
  comments: 'This diagnostic statement provides protection from Scheduled Task/Job:
    Scheduled Task through the implementation of security configuration baselines
    for OS, software, file integrity monitoring and imaging. Security baseline configuration
    of the Operating System, including running scheduled tasks as an authenticated
    user instead of SYSTEM, and integrity checking can help protect against adversaries
    attempting to compromise and modify software and its configurations.'
  mapping_type: mitigates
  references: []
- attack_object_id: T1552
  attack_object_name: Unsecured Credentials
  capability_description: Configuration deviation
  capability_group: PR.PS
  capability_id: PR.PS-01.03
  comments: This diagnostic statement provides protection from Unsecured Credentials
    through the implementation of security configuration baselines for OS, software,
    file integrity monitoring and imaging. Security baseline configuration of the
    Operating System and integrity checking can help protect against adversaries attempting
    to compromise and elevate privileges.
  mapping_type: mitigates
  references: []
- attack_object_id: T1552.003
  attack_object_name: Bash History
  capability_description: Configuration deviation
  capability_group: PR.PS
  capability_id: PR.PS-01.03
  comments: 'This diagnostic statement provides protection from Unsecured Credentials:
    Bash History through the implementation of security configuration baselines for
    OS, software, file integrity monitoring and imaging. Security baseline configuration
    of the Operating System and integrity checking can help protect against adversaries
    attempting to compromise and elevate privileges.'
  mapping_type: mitigates
  references: []
- attack_object_id: T1566.002
  attack_object_name: Spearphishing Link
  capability_description: Email and message service protection
  capability_group: PR.PS
  capability_id: PR.PS-05.03
  comments: Use anti-spoofing and email authentication mechanisms to filter messages
    based on validity checks of the sender domain (using SPF) and integrity of messages
    (using DKIM). Enabling these mechanisms within an organization (through policies
    such as DMARC) may enable recipients (intra-org and cross domain) to perform similar
    message filtering and validation.
  mapping_type: mitigates
  references: []
- attack_object_id: T1566.004
  attack_object_name: Spearphishing Voice
  capability_description: Email and message service protection
  capability_group: PR.PS
  capability_id: PR.PS-05.03
  comments: Anti-virus can also automatically quarantine suspicious files sent through
    messages via services, social media, personal webmail, etc.
  mapping_type: mitigates
  references: []
- attack_object_id: T1566.003
  attack_object_name: Spearphishing via Service
  capability_description: Email and message service protection
  capability_group: PR.PS
  capability_id: PR.PS-05.03
  comments: Anti-virus can also automatically quarantine suspicious files sent through
    messages via services, social media, personal webmail, etc.
  mapping_type: mitigates
  references: []
- attack_object_id: T1071.003
  attack_object_name: Mail Protocols
  capability_description: Email and message service protection
  capability_group: PR.PS
  capability_id: PR.PS-05.03
  comments: Network intrusion prevention techniques can be utilized to detect traffic
    for specific adversary malware so that it can be mitigated at the network level.
  mapping_type: mitigates
  references: []
- attack_object_id: T1598.003
  attack_object_name: Spearphishing Link
  capability_description: Email and message service protection
  capability_group: PR.PS
  capability_id: PR.PS-05.03
  comments: 'Certain software configuration techniques can be utilized to detect and
    isolate spearphishing messages found with malicious attachments. Email authentication
    mechanisms allow malicious links to be filtered, detected and blocked, so that
    users are not exposed to them.'
  mapping_type: mitigates
  references: []
- attack_object_id: T1598
  attack_object_name: Phishing for Information
  capability_description: Email and message service protection
  capability_group: PR.PS
  capability_id: PR.PS-05.03
  comments: Certain software configuration techniques can be utilized to detect and
    isolate spearphishing messages found with malicious attachments.
  mapping_type: mitigates
  references: []
- attack_object_id: T1566
  attack_object_name: Phishing
  capability_description: Email and message service protection
  capability_group: PR.PS
  capability_id: PR.PS-05.03
  comments: Network intrusion prevention techniques can be utilized to remove malicious
    email attachments or links, preventing or blocking activity in which phishing
    messages are sent to users.
  mapping_type: mitigates
  references: []
- attack_object_id: T1566.001
  attack_object_name: Spearphishing Attachment
  capability_description: Email and message service protection
  capability_group: PR.PS
  capability_id: PR.PS-05.03
  comments: Network intrusion prevention techniques can be utilized to remove malicious
    email attachments or links, preventing or blocking activity in which phishing
    messages are sent to users.
  mapping_type: mitigates
  references: []
- attack_object_id: T1204.002
  attack_object_name: Malicious File
  capability_description: Email and message service protection
  capability_group: PR.PS
  capability_id: PR.PS-05.03
  comments: Tools that detect, block, and remove malware provide protection from
    users being deceived into opening malicious attachments or files that can be found
    in emails (spearphishing).
  mapping_type: mitigates
  references: []
- attack_object_id: T1204.001
  attack_object_name: Malicious Link
  capability_description: Email and message service protection
  capability_group: PR.PS
  capability_id: PR.PS-05.03
  comments: Tools that detect, block, and remove malware provide protection from
    users being deceived into opening malicious documents, clicking on phishing links,
    or executing downloaded malware.
  mapping_type: mitigates
  references: []
- attack_object_id: T1176
  attack_object_name: Browser Extensions
  capability_description: Vulnerability remediation
  capability_group: PR.PS
  capability_id: PR.PS-06.06
  comments: This diagnostic statement provides for identifying and remediating vulnerabilities
    as part of the SDLC. Ensuring operating systems and software are using the most
    current version can mitigate risks of exploitation and/or abuse.
  mapping_type: mitigates
  references: []
- attack_object_id: T1542
  attack_object_name: Pre-OS Boot
  capability_description: Vulnerability remediation
  capability_group: PR.PS
  capability_id: PR.PS-06.06
  comments: This diagnostic statement provides for identifying and remediating vulnerabilities
    as part of the SDLC. Checking the integrity of the existing BIOS or EFI to determine
    if it is vulnerable to modification and updating firmware can mitigate risks of
    exploitation and/or abuse.
  mapping_type: mitigates
  references: []
- attack_object_id: T1137.004
  attack_object_name: Outlook Home Page
  capability_description: Vulnerability remediation
  capability_group: PR.PS
  capability_id: PR.PS-06.06
  comments: 'This diagnostic statement provides for identifying and remediating vulnerabilities
    as part of the SDLC. Apply vendor security updates to mitigate risks of exploitation
    and/or abuse of Office mechanisms that can be used for persistence when an Office-based
    application is started.'
  mapping_type: mitigates
  references: []
- attack_object_id: T1212
  attack_object_name: Exploitation for Credential Access
  capability_description: Vulnerability remediation
  capability_group: PR.PS
  capability_id: PR.PS-06.06
  comments: This diagnostic statement provides for identifying and remediating vulnerabilities
    as part of the SDLC. Ensuring software is up-to-date with the latest security
    patches helps prevent adversaries from exploiting known vulnerabilities, reducing
    the risk of successful attacks.
  mapping_type: mitigates
  references: []
- attack_object_id: T1195
  attack_object_name: Supply Chain Compromise
  capability_description: Vulnerability remediation
  capability_group: PR.PS
  capability_id: PR.PS-06.06
  comments: This diagnostic statement provides for identifying and remediating vulnerabilities
    as part of the SDLC. Continuous monitoring of vulnerability sources and the use
    of automatic and manual code review tools can mitigate Supply Chain Compromise.
  mapping_type: mitigates
  references: []
- attack_object_id: T1195.001
  attack_object_name: Compromise Software Dependencies and Development Tools
  capability_description: Vulnerability remediation
  capability_group: PR.PS
  capability_id: PR.PS-06.06
  comments: This diagnostic statement provides for identifying and remediating vulnerabilities
    as part of the SDLC. Continuous monitoring of vulnerability sources and the use
    of automatic and manual code review tools can mitigate Supply Chain Compromise.
  mapping_type: mitigates
  references: []
- attack_object_id: T1190
  attack_object_name: Exploit Public-Facing Application
  capability_description: Vulnerability remediation
  capability_group: PR.PS
  capability_id: PR.PS-06.06
  comments: This diagnostic statement provides for identifying and remediating vulnerabilities
    as part of the SDLC. Ensuring software is up-to-date with the latest security
    patches helps prevent adversaries from exploiting known vulnerabilities, reducing
    the risk of successful attacks.
  mapping_type: mitigates
  references: []
- attack_object_id: T1210
  attack_object_name: Exploitation of Remote Services
  capability_description: Vulnerability remediation
  capability_group: PR.PS
  capability_id: PR.PS-06.06
  comments: This diagnostic statement provides for identifying and remediating vulnerabilities
    as part of the SDLC. Ensuring software is up-to-date with the latest security
    patches helps prevent adversaries from exploiting known vulnerabilities, reducing
    the risk of successful attacks.
  mapping_type: mitigates
  references: []
- attack_object_id: T1195.002
  attack_object_name: Compromise Software Supply Chain
  capability_description: Vulnerability remediation
  capability_group: PR.PS
  capability_id: PR.PS-06.06
  comments: This diagnostic statement provides for identifying and remediating vulnerabilities
    as part of the SDLC. Continuous monitoring of vulnerability sources and the use
    of automatic and manual code review tools can mitigate Supply Chain Compromise.
  mapping_type: mitigates
  references: []
- attack_object_id: T1189
  attack_object_name: Drive-by Compromise
  capability_description: Mobile code prevention
  capability_group: PR.PS
  capability_id: PR.PS-05.02
  comments: Mobile code procedures address specific actions taken to prevent the development,
    acquisition, and introduction of unacceptable mobile code within organizational
    systems, including requiring mobile code to be digitally signed by a trusted source.
  mapping_type: mitigates
  references: []
- attack_object_id: T1190
  attack_object_name: Exploit Public-Facing Application
  capability_description: Mobile code prevention
  capability_group: PR.PS
  capability_id: PR.PS-05.02
  comments: Mobile code procedures address specific actions taken to prevent the development,
    acquisition, and introduction of unacceptable mobile code within organizational
    systems, including requiring mobile code to be digitally signed by a trusted source.
  mapping_type: mitigates
  references: []
- attack_object_id: T1203
  attack_object_name: Exploitation for Client Execution
  capability_description: Mobile code prevention
  capability_group: PR.PS
  capability_id: PR.PS-05.02
  comments: Mobile code procedures address specific actions taken to prevent the development,
    acquisition, and introduction of unacceptable mobile code within organizational
    systems, including requiring mobile code to be digitally signed by a trusted source.
  mapping_type: mitigates
  references: []
- attack_object_id: T1212
  attack_object_name: Exploitation for Credential Access
  capability_description: Mobile code prevention
  capability_group: PR.PS
  capability_id: PR.PS-05.02
  comments: Mobile code procedures address specific actions taken to prevent the development,
    acquisition, and introduction of unacceptable mobile code within organizational
    systems, including requiring mobile code to be digitally signed by a trusted source.
  mapping_type: mitigates
  references: []
- attack_object_id: T1211
  attack_object_name: Exploitation for Defense Evasion
  capability_description: Mobile code prevention
  capability_group: PR.PS
  capability_id: PR.PS-05.02
  comments: Mobile code procedures address specific actions taken to prevent the development,
    acquisition, and introduction of unacceptable mobile code within organizational
    systems, including requiring mobile code to be digitally signed by a trusted source.
  mapping_type: mitigates
  references: []
- attack_object_id: T1210
  attack_object_name: Exploitation of Remote Services
  capability_description: Mobile code prevention
  capability_group: PR.PS
  capability_id: PR.PS-05.02
  comments: Mobile code procedures address specific actions taken to prevent the development,
    acquisition, and introduction of unacceptable mobile code within organizational
    systems, including requiring mobile code to be digitally signed by a trusted source.
  mapping_type: mitigates
  references: []
- attack_object_id: T1559
  attack_object_name: Inter-Process Communication
  capability_description: Mobile code prevention
  capability_group: PR.PS
  capability_id: PR.PS-05.02
  comments: Mobile code procedures address specific actions taken to prevent the development,
    acquisition, and introduction of unacceptable mobile code within organizational
    systems, including requiring mobile code to be digitally signed by a trusted source.
  mapping_type: mitigates
  references: []
- attack_object_id: T1559.001
  attack_object_name: Component Object Model
  capability_description: Mobile code prevention
  capability_group: PR.PS
  capability_id: PR.PS-05.02
  comments: Mobile code procedures address specific actions taken to prevent the development,
    acquisition, and introduction of unacceptable mobile code within organizational
    systems, including requiring mobile code to be digitally signed by a trusted source.
  mapping_type: mitigates
  references: []
- attack_object_id: T1559.002
  attack_object_name: Dynamic Data Exchange
  capability_description: Mobile code prevention
  capability_group: PR.PS
  capability_id: PR.PS-05.02
  comments: Mobile code procedures address specific actions taken to prevent the development,
    acquisition, and introduction of unacceptable mobile code within organizational
    systems, including requiring mobile code to be digitally signed by a trusted source.
  mapping_type: mitigates
  references: []
- attack_object_id: T1055.011
  attack_object_name: Extra Window Memory Injection
  capability_description: Mobile code prevention
  capability_group: PR.PS
  capability_id: PR.PS-05.02
  comments: Mobile code procedures address specific actions taken to prevent the development,
    acquisition, and introduction of unacceptable mobile code within organizational
    systems, including requiring mobile code to be digitally signed by a trusted source.
  mapping_type: mitigates
  references: []
- attack_object_id: T1021
  attack_object_name: Remote Services
  capability_description: Mobile code prevention
  capability_group: PR.PS
  capability_id: PR.PS-05.02
  comments: Mobile code procedures address specific actions taken to prevent the development,
    acquisition, and introduction of unacceptable mobile code within organizational
    systems, including requiring mobile code to be digitally signed by a trusted source.
  mapping_type: mitigates
  references: []
- attack_object_id: T1021.003
  attack_object_name: Distributed Component Object Model
  capability_description: Mobile code prevention
  capability_group: PR.PS
  capability_id: PR.PS-05.02
  comments: Mobile code procedures address specific actions taken to prevent the development,
    acquisition, and introduction of unacceptable mobile code within organizational
    systems, including requiring mobile code to be digitally signed by a trusted source.
  mapping_type: mitigates
  references: []
- attack_object_id: T1548
  attack_object_name: Abuse Elevation Control Mechanism
  capability_description: Mobile code prevention
  capability_group: PR.PS
  capability_id: PR.PS-05.02
  comments: Mobile code procedures address specific actions taken to prevent the development,
    acquisition, and introduction of unacceptable mobile code within organizational
    systems, including requiring mobile code to be digitally signed by a trusted source.
  mapping_type: mitigates
  references: []
- attack_object_id: T1548.004
  attack_object_name: Elevated Execution with Prompt
  capability_description: Mobile code prevention
  capability_group: PR.PS
  capability_id: PR.PS-05.02
  comments: Mobile code procedures address specific actions taken to prevent the development,
    acquisition, and introduction of unacceptable mobile code within organizational
    systems, including requiring mobile code to be digitally signed by a trusted source.
  mapping_type: mitigates
  references: []
- attack_object_id: T1059
  attack_object_name: Command and Scripting Interpreter
  capability_description: Mobile code prevention
  capability_group: PR.PS
  capability_id: PR.PS-05.02
  comments: Mobile code procedures address specific actions taken to prevent the development,
    acquisition, and introduction of unacceptable mobile code within organizational
    systems, including requiring mobile code to be digitally signed by a trusted source.
  mapping_type: mitigates
  references: []
- attack_object_id: T1059.001
  attack_object_name: PowerShell
  capability_description: Mobile code prevention
  capability_group: PR.PS
  capability_id: PR.PS-05.02
  comments: Mobile code procedures address specific actions taken to prevent the development,
    acquisition, and introduction of unacceptable mobile code within organizational
    systems, including requiring mobile code to be digitally signed by a trusted source.
  mapping_type: mitigates
  references: []
- attack_object_id: T1059.002
  attack_object_name: AppleScript
  capability_description: Mobile code prevention
  capability_group: PR.PS
  capability_id: PR.PS-05.02
  comments: Mobile code procedures address specific actions taken to prevent the development,
    acquisition, and introduction of unacceptable mobile code within organizational
    systems, including requiring mobile code to be digitally signed by a trusted source.
  mapping_type: mitigates
  references: []
- attack_object_id: T1059.005
  attack_object_name: Visual Basic
  capability_description: Mobile code prevention
  capability_group: PR.PS
  capability_id: PR.PS-05.02
  comments: Mobile code procedures address specific actions taken to prevent the development,
    acquisition, and introduction of unacceptable mobile code within organizational
    systems, including requiring mobile code to be digitally signed by a trusted source.
  mapping_type: mitigates
  references: []
- attack_object_id: T1059.006
  attack_object_name: Python
  capability_description: Mobile code prevention
  capability_group: PR.PS
  capability_id: PR.PS-05.02
  comments: Mobile code procedures address specific actions taken to prevent the development,
    acquisition, and introduction of unacceptable mobile code within organizational
    systems, including requiring mobile code to be digitally signed by a trusted source.
  mapping_type: mitigates
  references: []
- attack_object_id: T1059.007
  attack_object_name: JavaScript
  capability_description: Mobile code prevention
  capability_group: PR.PS
  capability_id: PR.PS-05.02
  comments: Mobile code procedures address specific actions taken to prevent the development,
    acquisition, and introduction of unacceptable mobile code within organizational
    systems, including requiring mobile code to be digitally signed by a trusted source.
  mapping_type: mitigates
  references: []
- attack_object_id: T1036
  attack_object_name: Masquerading
  capability_description: Mobile code prevention
  capability_group: PR.PS
  capability_id: PR.PS-05.02
  comments: Mobile code procedures address specific actions taken to prevent the development,
    acquisition, and introduction of unacceptable mobile code within organizational
    systems, including requiring mobile code to be digitally signed by a trusted source.
  mapping_type: mitigates
  references: []
- attack_object_id: T1036.005
  attack_object_name: Match Legitimate Name or Location
  capability_description: Mobile code prevention
  capability_group: PR.PS
  capability_id: PR.PS-05.02
  comments: Mobile code procedures address specific actions taken to prevent the development,
    acquisition, and introduction of unacceptable mobile code within organizational
    systems, including requiring mobile code to be digitally signed by a trusted source.
  mapping_type: mitigates
  references: []
- attack_object_id: T1036.008
  attack_object_name: Masquerade File Type
  capability_description: Mobile code prevention
  capability_group: PR.PS
  capability_id: PR.PS-05.02
  comments: Mobile code procedures address specific actions taken to prevent the development,
    acquisition, and introduction of unacceptable mobile code within organizational
    systems, including requiring mobile code to be digitally signed by a trusted source.
  mapping_type: mitigates
  references: []
- attack_object_id: T1137
  attack_object_name: Office Application Startup
  capability_description: Mobile code prevention
  capability_group: PR.PS
  capability_id: PR.PS-05.02
  comments: Mobile code procedures address specific actions taken to prevent the development,
    acquisition, and introduction of unacceptable mobile code within organizational
    systems, including requiring mobile code to be digitally signed by a trusted source.
  mapping_type: mitigates
  references: []
- attack_object_id: T1218.001
  attack_object_name: Compiled HTML File
  capability_description: Mobile code prevention
  capability_group: PR.PS
  capability_id: PR.PS-05.02
  comments: Mobile code procedures address specific actions taken to prevent the development,
    acquisition, and introduction of unacceptable mobile code within organizational
    systems, including requiring mobile code to be digitally signed by a trusted source.
  mapping_type: mitigates
  references: []
- attack_object_id: T1218.002
  attack_object_name: Control Panel
  capability_description: Mobile code prevention
  capability_group: PR.PS
  capability_id: PR.PS-05.02
  comments: Mobile code procedures address specific actions taken to prevent the development,
    acquisition, and introduction of unacceptable mobile code within organizational
    systems, including requiring mobile code to be digitally signed by a trusted source.
  mapping_type: mitigates
  references: []
- attack_object_id: T1218.003
  attack_object_name: CMSTP
  capability_description: Mobile code prevention
  capability_group: PR.PS
  capability_id: PR.PS-05.02
  comments: Mobile code procedures address specific actions taken to prevent the development,
    acquisition, and introduction of unacceptable mobile code within organizational
    systems, including requiring mobile code to be digitally signed by a trusted source.
  mapping_type: mitigates
  references: []
- attack_object_id: T1218.004
  attack_object_name: InstallUtil
  capability_description: Mobile code prevention
  capability_group: PR.PS
  capability_id: PR.PS-05.02
  comments: Mobile code procedures address specific actions taken to prevent the development,
    acquisition, and introduction of unacceptable mobile code within organizational
    systems, including requiring mobile code to be digitally signed by a trusted source.
  mapping_type: mitigates
  references: []
- attack_object_id: T1218.005
  attack_object_name: Mshta
  capability_description: Mobile code prevention
  capability_group: PR.PS
  capability_id: PR.PS-05.02
  comments: Mobile code procedures address specific actions taken to prevent the development,
    acquisition, and introduction of unacceptable mobile code within organizational
    systems, including requiring mobile code to be digitally signed by a trusted source.
  mapping_type: mitigates
  references: []
- attack_object_id: T1218.008
  attack_object_name: Odbcconf
  capability_description: Mobile code prevention
  capability_group: PR.PS
  capability_id: PR.PS-05.02
  comments: Mobile code procedures address specific actions taken to prevent the development,
    acquisition, and introduction of unacceptable mobile code within organizational
    systems, including requiring mobile code to be digitally signed by a trusted source.
  mapping_type: mitigates
  references: []
- attack_object_id: T1218.009
  attack_object_name: Regsvcs/Regasm
  capability_description: Mobile code prevention
  capability_group: PR.PS
  capability_id: PR.PS-05.02
  comments: Mobile code procedures address specific actions taken to prevent the development,
    acquisition, and introduction of unacceptable mobile code within organizational
    systems, including requiring mobile code to be digitally signed by a trusted source.
  mapping_type: mitigates
  references: []
- attack_object_id: T1218.012
  attack_object_name: Verclsid
  capability_description: Mobile code prevention
  capability_group: PR.PS
  capability_id: PR.PS-05.02
  comments: Mobile code procedures address specific actions taken to prevent the development,
    acquisition, and introduction of unacceptable mobile code within organizational
    systems, including requiring mobile code to be digitally signed by a trusted source.
  mapping_type: mitigates
  references: []
- attack_object_id: T1218.013
  attack_object_name: Mavinject
  capability_description: Mobile code prevention
  capability_group: PR.PS
  capability_id: PR.PS-05.02
  comments: Mobile code procedures address specific actions taken to prevent the development,
    acquisition, and introduction of unacceptable mobile code within organizational
    systems, including requiring mobile code to be digitally signed by a trusted source.
  mapping_type: mitigates
  references: []
- attack_object_id: T1218.014
  attack_object_name: MMC
  capability_description: Mobile code prevention
  capability_group: PR.PS
  capability_id: PR.PS-05.02
  comments: Mobile code procedures address specific actions taken to prevent the development,
    acquisition, and introduction of unacceptable mobile code within organizational
    systems, including requiring mobile code to be digitally signed by a trusted source.
  mapping_type: mitigates
  references: []
- attack_object_id: T1218.015
  attack_object_name: Electron Applications
  capability_description: Mobile code prevention
  capability_group: PR.PS
  capability_id: PR.PS-05.02
  comments: Mobile code procedures address specific actions taken to prevent the development,
    acquisition, and introduction of unacceptable mobile code within organizational
    systems, including requiring mobile code to be digitally signed by a trusted source.
  mapping_type: mitigates
  references: []
- attack_object_id: T1047
  attack_object_name: Windows Management Instrumentation
  capability_description: Mobile code prevention
  capability_group: PR.PS
  capability_id: PR.PS-05.02
  comments: Mobile code procedures address specific actions taken to prevent the development,
    acquisition, and introduction of unacceptable mobile code within organizational
    systems, including requiring mobile code to be digitally signed by a trusted source.
  mapping_type: mitigates
  references: []
- attack_object_id: T1127.002
  attack_object_name: ClickOnce
  capability_description: Mobile code prevention
  capability_group: PR.PS
  capability_id: PR.PS-05.02
  comments: Mobile code procedures address specific actions taken to prevent the development,
    acquisition, and introduction of unacceptable mobile code within organizational
    systems, including requiring mobile code to be digitally signed by a trusted source.
  mapping_type: mitigates
  references: []
- attack_object_id: T1036.001
  attack_object_name: Invalid Code Signature
  capability_description: Mobile code prevention
  capability_group: PR.PS
  capability_id: PR.PS-05.02
  comments: Mobile code procedures address specific actions taken to prevent the development,
    acquisition, and introduction of unacceptable mobile code within organizational
    systems, including requiring mobile code to be digitally signed by a trusted source.
  mapping_type: mitigates
  references: []
- attack_object_id: T1098.006
  attack_object_name: Additional Container Cluster Roles
  capability_description: Cryptographic keys and certificates
  capability_group: PR.PS
  capability_id: PR.PS-01.07
  comments: This diagnostic statement protects against Account Manipulation through
    key revocation and key management. Applying restrictions to specific accounts
    along with access control mechanisms provides protection against adversaries
    attempting to manipulate accounts.
  mapping_type: mitigates
  references: []
- attack_object_id: T1098.005
  attack_object_name: Device Registration
  capability_description: Cryptographic keys and certificates
  capability_group: PR.PS
  capability_id: PR.PS-01.07
  comments: This diagnostic statement protects against Account Manipulation through
    key revocation and key management. Applying restrictions to specific accounts
    along with access control mechanisms provides protection against adversaries
    attempting to register devices.
  mapping_type: mitigates
  references: []
- attack_object_id: T1098.003
  attack_object_name: Additional Cloud Roles
  capability_description: Cryptographic keys and certificates
  capability_group: PR.PS
  capability_id: PR.PS-01.07
  comments: This diagnostic statement protects against Account Manipulation through
    the use of revocation of keys and key management. Employing limitations to specific
    accounts along with access control mechanisms provides protection against adversaries
    attempting to add cloud roles to accounts.
  mapping_type: mitigates
  references: []
- attack_object_id: T1098.002
  attack_object_name: Additional Email Delegate Permissions
  capability_description: Cryptographic keys and certificates
  capability_group: PR.PS
  capability_id: PR.PS-01.07
  comments: This diagnostic statement protects against Account Manipulation through
    the use of revocation of keys and key management. Employing limitations to specific
    accounts along with access control mechanisms provides protection against adversaries
    attempting to add permissions to accounts.
  mapping_type: mitigates
  references: []
- attack_object_id: T1098.001
  attack_object_name: Additional Cloud Credentials
  capability_description: Cryptographic keys and certificates
  capability_group: PR.PS
  capability_id: PR.PS-01.07
  comments: This diagnostic statement protects against Account Manipulation through
    the use of revocation of keys and key management. Employing limitations to specific
    accounts along with access control mechanisms provides protection against adversaries
    attempting to add credentials to cloud accounts.
  mapping_type: mitigates
  references: []
- attack_object_id: T1098
  attack_object_name: Account Manipulation
  capability_description: Cryptographic keys and certificates
  capability_group: PR.PS
  capability_id: PR.PS-01.07
  comments: This diagnostic statement protects against Account Manipulation through
    the use of revocation of keys and key management. Employing limitations to specific
    accounts along with access control mechanisms provides protection against adversaries
    attempting to manipulate accounts.
  mapping_type: mitigates
  references: []
- attack_object_id: T1110.004
  attack_object_name: Credential Stuffing
  capability_description: Cryptographic keys and certificates
  capability_group: PR.PS
  capability_id: PR.PS-01.07
  comments: This diagnostic statement protects against Brute Force through the use
    of revocation of keys and key management. Employing limitations to specific accounts
    along with access control mechanisms provides protection against adversaries attempting
    to brute force credentials.
  mapping_type: mitigates
  references: []
- attack_object_id: T1110.003
  attack_object_name: Password Spraying
  capability_description: Cryptographic keys and certificates
  capability_group: PR.PS
  capability_id: PR.PS-01.07
  comments: This diagnostic statement protects against Brute Force through the use
    of revocation of keys and key management. Employing limitations to specific accounts
    along with access control mechanisms provides protection against adversaries attempting
    to brute force credentials.
  mapping_type: mitigates
  references: []
- attack_object_id: T1110.002
  attack_object_name: Password Cracking
  capability_description: Cryptographic keys and certificates
  capability_group: PR.PS
  capability_id: PR.PS-01.07
  comments: This diagnostic statement protects against Brute Force through the use
    of revocation of keys and key management. Employing limitations to specific accounts
    along with access control mechanisms provides protection against adversaries attempting
    to brute force credentials.
  mapping_type: mitigates
  references: []
- attack_object_id: T1110.001
  attack_object_name: Password Guessing
  capability_description: Cryptographic keys and certificates
  capability_group: PR.PS
  capability_id: PR.PS-01.07
  comments: This diagnostic statement protects against Brute Force through the use
    of revocation of keys and key management. Employing key- or certificate-based
    authentication in place of guessable passwords, along with limitations to specific
    accounts and access control mechanisms, provides protection against adversaries
    attempting to guess credentials.
  mapping_type: mitigates
  references: []
- attack_object_id: T1110
  attack_object_name: Brute Force
  capability_description: Cryptographic keys and certificates
  capability_group: PR.PS
  capability_id: PR.PS-01.07
  comments: This diagnostic statement protects against Brute Force through the use
    of revocation of keys and key management. Employing key- or certificate-based
    authentication in place of password-only authentication, revoking keys suspected
    of compromise, and employing limitations to specific accounts along with access
    control mechanisms provides protection against adversaries attempting to brute
    force credentials.
  mapping_type: mitigates
  references: []
- attack_object_id: T1136.003
  attack_object_name: Cloud Account
  capability_description: Cryptographic keys and certificates
  capability_group: PR.PS
  capability_id: PR.PS-01.07
  comments: This diagnostic statement protects against Create Account through the
    use of revocation of keys and key management. Employing limitations to specific
    accounts along with access control mechanisms provides protection against adversaries
    attempting to create accounts.
  mapping_type: mitigates
  references: []
- attack_object_id: T1136.002
  attack_object_name: Domain Account
  capability_description: Cryptographic keys and certificates
  capability_group: PR.PS
  capability_id: PR.PS-01.07
  comments: This diagnostic statement protects against Create Account through the
    use of revocation of keys and key management. Employing limitations to specific
    accounts along with access control mechanisms provides protection against adversaries
    attempting to create accounts.
  mapping_type: mitigates
  references: []
- attack_object_id: T1136.001
  attack_object_name: Local Account
  capability_description: Cryptographic keys and certificates
  capability_group: PR.PS
  capability_id: PR.PS-01.07
  comments: This diagnostic statement protects against Create Account through the
    use of revocation of keys and key management. Employing limitations to specific
    accounts along with access control mechanisms provides protection against adversaries
    attempting to create accounts.
  mapping_type: mitigates
  references: []
- attack_object_id: T1136
  attack_object_name: Create Account
  capability_description: Cryptographic keys and certificates
  capability_group: PR.PS
  capability_id: PR.PS-01.07
  comments: This diagnostic statement protects against Create Account through the
    use of revocation of keys and key management. Employing limitations to specific
    accounts along with access control mechanisms provides protection against adversaries
    attempting to create accounts.
  mapping_type: mitigates
  references: []
- attack_object_id: T1485
  attack_object_name: Data Destruction
  capability_description: Cryptographic keys and certificates
  capability_group: PR.PS
  capability_id: PR.PS-01.07
  comments: This diagnostic statement protects against Data Destruction through the
    use of revocation of keys and key management used in multi-factor authentication.
    Employing key protection strategies, limitations to specific accounts along with
    access control mechanisms provides protection against adversaries attempting to
    destroy data.
  mapping_type: mitigates
  references: []
- attack_object_id: T1530
  attack_object_name: Data from Cloud Storage
  capability_description: Cryptographic keys and certificates
  capability_group: PR.PS
  capability_id: PR.PS-01.07
  comments: This diagnostic statement protects against Data from Cloud Storage through
    the use of revocation of keys and key management used in multi-factor authentication.
    Employing key protection strategies, limitations to specific accounts along with
    access control mechanisms provides protection against adversaries attempting to
    access data from cloud storage.
  mapping_type: mitigates
  references: []
- attack_object_id: T1213.003
  attack_object_name: Code Repositories
  capability_description: Cryptographic keys and certificates
  capability_group: PR.PS
  capability_id: PR.PS-01.07
  comments: This diagnostic statement protects against Code Repositories through the
    use of revocation of keys and key management. Employing key protection strategies
    such as removing keys from code repositories, limitations to specific accounts
    along with access control mechanisms provides protection against adversaries attempting
    to glean credentials from code repositories.
  mapping_type: mitigates
  references: []
- attack_object_id: T1213
  attack_object_name: Data from Information Repositories
  capability_description: Cryptographic keys and certificates
  capability_group: PR.PS
  capability_id: PR.PS-01.07
  comments: This diagnostic statement protects against Data from Information Repositories
    through the use of revocation of keys and key management. Employing key protection
    strategies such as removing keys and other credentials from information repositories,
    limitations to specific accounts along with access control mechanisms provides
    protection against adversaries attempting to glean credentials from information
    repositories.
  mapping_type: mitigates
  references: []
- attack_object_id: T1114.002
  attack_object_name: Remote Email Collection
  capability_description: Cryptographic keys and certificates
  capability_group: PR.PS
  capability_id: PR.PS-01.07
  comments: This diagnostic statement protects against Email Collection through the
    use of revocation of keys and key management. Employing key protection strategies
    such as ensuring proper encryption methods and key management for those used in
    email along with policies for sending cryptographic material over email, limitations
    to specific accounts along with access control mechanisms provides protection
    against adversaries attempting to glean credentials from emails.
  mapping_type: mitigates
  references: []
- attack_object_id: T1114
  attack_object_name: Email Collection
  capability_description: Cryptographic keys and certificates
  capability_group: PR.PS
  capability_id: PR.PS-01.07
  comments: This diagnostic statement protects against Email Collection through the
    use of revocation of keys and key management. Employing key protection strategies
    such as ensuring proper encryption methods and key management for those used in
    email along with policies for sending cryptographic material over email, limitations
    to specific accounts along with access control mechanisms provides protection
    against adversaries attempting to glean credentials from emails.
  mapping_type: mitigates
  references: []
- attack_object_id: T1133
  attack_object_name: External Remote Services
  capability_description: Cryptographic keys and certificates
  capability_group: PR.PS
  capability_id: PR.PS-01.07
  comments: This diagnostic statement protects against External Remote Services through
    the use of revocation of keys and key management. Employing key protection strategies
    and key management for those used in external remote services, limitations to
    specific accounts along with access control mechanisms provides protection against
    adversaries attempting to access external remote services.
  mapping_type: mitigates
  references: []
- attack_object_id: T1556.007
  attack_object_name: Hybrid Identity
  capability_description: Cryptographic keys and certificates
  capability_group: PR.PS
  capability_id: PR.PS-01.07
  comments: This diagnostic statement protects against Modify Authentication Process
    through the use of revocation of keys and key management. Employing key protection
    strategies and key management for key material used in identity management and
    authentication processes, limitations to specific accounts along with access control
    mechanisms provides protection against adversaries attempting to use hybrid identities.
  mapping_type: mitigates
  references: []
- attack_object_id: T1556.006
  attack_object_name: Multi-Factor Authentication
  capability_description: Cryptographic keys and certificates
  capability_group: PR.PS
  capability_id: PR.PS-01.07
  comments: This diagnostic statement protects against Modify Authentication Process
    through the use of revocation of keys and key management. Employing key protection
    strategies and key management for key material used in identity management and
    authentication processes (including multi-factor authentication or MFA), limitations
    to specific accounts along with access control mechanisms provides protection
    against adversaries attempting to bypass or generate MFA requests.
  mapping_type: mitigates
  references: []
- attack_object_id: T1556.004
  attack_object_name: Network Device Authentication
  capability_description: Cryptographic keys and certificates
  capability_group: PR.PS
  capability_id: PR.PS-01.07
  comments: This diagnostic statement protects against Modify Authentication Process
    through the use of revocation of keys and key management. Employing key protection
    strategies and key management for key material used in managing and signing images,
    limitations to specific accounts along with access control mechanisms provides
    protection against adversaries attempting to modify or patch network device authentication
    processes in those system images.
  mapping_type: mitigates
  references: []
- attack_object_id: T1556.003
  attack_object_name: Pluggable Authentication Modules
  capability_description: Cryptographic keys and certificates
  capability_group: PR.PS
  capability_id: PR.PS-01.07
  comments: This diagnostic statement protects against Modify Authentication Process
    through the use of revocation of keys and key management. Employing key protection
    strategies and key management for key material used in PAM modules and its authentication
    process, limitations to specific accounts along with access control mechanisms
    provides protection against adversaries attempting to modify the PAM processes.
  mapping_type: mitigates
  references: []
- attack_object_id: T1556.001
  attack_object_name: Domain Controller Authentication
  capability_description: Cryptographic keys and certificates
  capability_group: PR.PS
  capability_id: PR.PS-01.07
  comments: This diagnostic statement protects against Modify Authentication Process
    through the use of revocation of keys and key management. Employing key protection
    strategies and key management for key material used in identity management and
    authentication processes, limitations to specific accounts along with access control
    mechanisms provides protection against adversaries attempting to modify domain
    controller authentication mechanisms.
  mapping_type: mitigates
  references: []
- attack_object_id: T1556
  attack_object_name: Modify Authentication Process
  capability_description: Cryptographic keys and certificates
  capability_group: PR.PS
  capability_id: PR.PS-01.07
  comments: This diagnostic statement protects against Modify Authentication Process
    through the use of revocation of keys and key management. Employing key protection
    strategies and key management for key material used in identity management and
    authentication processes, limitations to specific accounts along with access control
    mechanisms provides protection against adversaries attempting to modify authentication
    processes.
  mapping_type: mitigates
  references: []
- attack_object_id: T1601.002
  attack_object_name: Downgrade System Image
  capability_description: Cryptographic keys and certificates
  capability_group: PR.PS
  capability_id: PR.PS-01.07
  comments: This diagnostic statement protects against Downgrade System Image through
    the use of revocation of keys and key management. Employing key protection strategies
    and key management for key material used in managing and signing images, limitations
    to specific accounts along with access control mechanisms provides protection
    against adversaries attempting to modify or patch system images.
  mapping_type: mitigates
  references: []
- attack_object_id: T1601.001
  attack_object_name: Patch System Image
  capability_description: Cryptographic keys and certificates
  capability_group: PR.PS
  capability_id: PR.PS-01.07
  comments: This diagnostic statement protects against Patch System Image through
    the use of revocation of keys and key management. Employing key protection strategies
    and key management for key material used in managing and signing images, limitations
    to specific accounts along with access control mechanisms provides protection
    against adversaries attempting to modify or patch system images.
  mapping_type: mitigates
  references: []
- attack_object_id: T1601
  attack_object_name: Modify System Image
  capability_description: Cryptographic keys and certificates
  capability_group: PR.PS
  capability_id: PR.PS-01.07
  comments: This diagnostic statement protects against Modify System Image through
    the use of revocation of keys and key management. Employing key protection strategies
    and key management for key material used in managing and signing images, limitations
    to specific accounts along with access control mechanisms provides protection
    against adversaries attempting to modify or patch system images.
  mapping_type: mitigates
  references: []
- attack_object_id: T1621
  attack_object_name: Multi-Factor Authentication Request Generation
  capability_description: Cryptographic keys and certificates
  capability_group: PR.PS
  capability_id: PR.PS-01.07
  comments: This diagnostic statement protects against Multi-Factor Authentication
    Request Generation through the use of revocation of keys and key management. Employing
    key protection strategies and key management for key material used in identity
    management and authentication processes (including multi-factor authentication
    or MFA), limitations to specific accounts along with access control mechanisms
    provides protection against adversaries attempting to bypass or generate MFA requests.
  mapping_type: mitigates
  references: []
- attack_object_id: T1599.001
  attack_object_name: Network Address Translation Traversal
  capability_description: Cryptographic keys and certificates
  capability_group: PR.PS
  capability_id: PR.PS-01.07
  comments: This diagnostic statement protects against Network Address Translation
    Traversal through the use of revocation of keys and key management. Employing
    key protection strategies and key management for key material used in identity
    management and authentication processes (including multi-factor authentication
    or MFA for network devices using TACACS+/RADIUS), limitations to specific accounts
    along with access control mechanisms provides protection against adversaries attempting
    to perform Network Address Translation Traversal.
  mapping_type: mitigates
  references: []
- attack_object_id: T1599
  attack_object_name: Network Boundary Bridging
  capability_description: Cryptographic keys and certificates
  capability_group: PR.PS
  capability_id: PR.PS-01.07
  comments: This diagnostic statement protects against Network Boundary Bridging through
    the use of revocation of keys and key management. Employing key protection strategies
    and key management for key material used in identity management and authentication
    processes (including multi-factor authentication or MFA for network devices using
    TACACS+/RADIUS), limitations to specific accounts along with access control mechanisms
    provides protection against adversaries attempting to perform Network Boundary
    Bridging.
  mapping_type: mitigates
  references: []
- attack_object_id: T1040
  attack_object_name: Network Sniffing
  capability_description: Cryptographic keys and certificates
  capability_group: PR.PS
  capability_id: PR.PS-01.07
  comments: This diagnostic statement protects against Network Sniffing through the
    use of revocation of keys and key management. Employing key protection strategies
    for key material used in identity management and authentication processes transmitted
    over networks, limitations to specific accounts along with access control mechanisms
    provides protection against adversaries attempting to use network sniffing.
  mapping_type: mitigates
  references: []
- attack_object_id: T1021.007
  attack_object_name: Cloud Services
  capability_description: Cryptographic keys and certificates
  capability_group: PR.PS
  capability_id: PR.PS-01.07
  comments: 'This diagnostic statement protects against Remote Services: Cloud Services
    through the use of revocation of keys and key management. Employing key protection
    strategies for key material used in identity management and authentication processes
    in cloud services, limitations to specific accounts along with access control
    mechanisms provides protection against adversaries attempting to use valid accounts
    to access cloud services.'
  mapping_type: mitigates
  references: []
- attack_object_id: T1021.004
  attack_object_name: SSH
  capability_description: Cryptographic keys and certificates
  capability_group: PR.PS
  capability_id: PR.PS-01.07
  comments: 'This diagnostic statement protects against Remote Services: SSH through
    the use of revocation of keys and key management. Employing key protection strategies
    for key material used in SSH, limitations to specific accounts along with access
    control mechanisms limits adversaries attempting to use valid accounts on SSH.'
  mapping_type: mitigates
  references: []
- attack_object_id: T1021.001
  attack_object_name: Remote Desktop Protocol
  capability_description: Cryptographic keys and certificates
  capability_group: PR.PS
  capability_id: PR.PS-01.07
  comments: 'This diagnostic statement protects against Remote Services: Remote Desktop
    Protocol (RDP) through the use of revocation of keys and key management. Employing
    key protection strategies such as multi-factor authentication for key material
    used in authentication for RDP, limitations to specific accounts along with access
    control mechanisms provides protection against adversaries attempting to use valid
    accounts over RDP.'
  mapping_type: mitigates
  references: []
- attack_object_id: T1021
  attack_object_name: Remote Services
  capability_description: Cryptographic keys and certificates
  capability_group: PR.PS
  capability_id: PR.PS-01.07
  comments: This diagnostic statement protects against Remote Services through the
    use of revocation of keys and key management. Employing key protection strategies
    for key material used in identity management and authentication processes transmitted
    over networks, limitations to specific accounts along with access control mechanisms
    provides protection against adversaries attempting to misuse remote services.
  mapping_type: mitigates
  references: []
- attack_object_id: T1072
  attack_object_name: Software Deployment Tools
  capability_description: Cryptographic keys and certificates
  capability_group: PR.PS
  capability_id: PR.PS-01.07
  comments: This diagnostic statement protects against Software Deployment Tools through
    the use of revocation of keys and key management. Employing key protection strategies
    for key material used in software deployment tools including signing, limitations
    to specific accounts along with access control mechanisms provides protection
    against adversaries attempting to misuse software deployment tools.
  mapping_type: mitigates
  references: []
- attack_object_id: T1539
  attack_object_name: Steal Web Session Cookie
  capability_description: Cryptographic keys and certificates
  capability_group: PR.PS
  capability_id: PR.PS-01.07
  comments: This diagnostic statement protects against Steal Web Session Cookie through
    the use of revocation of keys and key management. Employing key protection strategies
    for key material used as part of multifactor authentication in authentication
    processes for web applications using cookies, limitations to specific accounts
    along with access control mechanisms provides protection against adversaries attempting
    to steal session cookies.
  mapping_type: mitigates
  references: []
- attack_object_id: T1199
  attack_object_name: Trusted Relationship
  capability_description: Cryptographic keys and certificates
  capability_group: PR.PS
  capability_id: PR.PS-01.07
  comments: This diagnostic statement protects against Trusted Relationship through
    the use of revocation of keys and key management. Employing key protection strategies
    for key material used in identity management and authentication processes for
    trusted entities, limitations to specific accounts along with access control mechanisms
    provides protection against adversaries attempting to abuse trusted relationships.
  mapping_type: mitigates
  references: []
- attack_object_id: T1078.004
  attack_object_name: Cloud Accounts
  capability_description: Cryptographic keys and certificates
  capability_group: PR.PS
  capability_id: PR.PS-01.07
  comments: 'This diagnostic statement protects against Valid Accounts: Cloud Accounts
    through the use of revocation of keys and key management. Employing key protection
    strategies for key material used as part of multi-factor authentication for valid
    accounts, limitations to specific accounts along with access control mechanisms
    provides protection against adversaries attempting to use valid accounts.'
  mapping_type: mitigates
  references: []
- attack_object_id: T1078.003
  attack_object_name: Local Accounts
  capability_description: Cryptographic keys and certificates
  capability_group: PR.PS
  capability_id: PR.PS-01.07
  comments: 'This diagnostic statement protects against Valid Accounts: Local Accounts
    through the use of revocation of keys and key management. Employing key protection
    strategies for key material used as part of multi-factor authentication for valid
    accounts, limitations to specific accounts along with access control mechanisms
    provides protection against adversaries attempting to use valid accounts.'
  mapping_type: mitigates
  references: []
- attack_object_id: T1078.002
  attack_object_name: Domain Accounts
  capability_description: Cryptographic keys and certificates
  capability_group: PR.PS
  capability_id: PR.PS-01.07
  comments: 'This diagnostic statement protects against Valid Accounts: Domain Accounts
    through the use of revocation of keys and key management. Employing key protection
    strategies for key material used as part of multi-factor authentication for valid
    accounts, limitations to specific accounts along with access control mechanisms
    provides protection against adversaries attempting to use valid accounts.'
  mapping_type: mitigates
  references: []
- attack_object_id: T1078
  attack_object_name: Valid Accounts
  capability_description: Cryptographic keys and certificates
  capability_group: PR.PS
  capability_id: PR.PS-01.07
  comments: This diagnostic statement protects against Valid Accounts through the
    use of revocation of keys and key management. Employing key protection strategies
    for key material used as part of multi-factor authentication for valid accounts,
    limitations to specific accounts along with access control mechanisms provides
    protection against adversaries attempting to use valid accounts.
  mapping_type: mitigates
  references: []
- attack_object_id: T1557.002
  attack_object_name: ARP Cache Poisoning
  capability_description: Cryptographic keys and certificates
  capability_group: PR.PS
  capability_id: PR.PS-01.07
  comments: 'This diagnostic statement protects against Adversary-in-the-middle: ARP
    Cache Poisoning through the use of revocation of keys and key management. Employing
    key protection strategies for key material used in identity management and authentication
    processes over networks, limitations to specific accounts along with access control
    mechanisms provides protection against adversary-in-the-middle.'
  mapping_type: mitigates
  references: []
- attack_object_id: T1557
  attack_object_name: Adversary-in-the-Middle
  capability_description: Cryptographic keys and certificates
  capability_group: PR.PS
  capability_id: PR.PS-01.07
  comments: This diagnostic statement protects against Adversary-in-the-middle through
    the use of revocation of keys and key management. Employing key protection strategies
    for key material used in identity management and authentication processes over
    networks, limitations to specific accounts along with access control mechanisms
    provides protection against adversary-in-the-middle.
  mapping_type: mitigates
  references: []
- attack_object_id: T1119
  attack_object_name: Automated Collection
  capability_description: Cryptographic keys and certificates
  capability_group: PR.PS
  capability_id: PR.PS-01.07
  comments: This diagnostic statement protects against Automated Collection through
    the use of revocation of keys and key management. Employing key protection strategies
    for key material used in identity management and authentication processes over
    networks, limitations to specific accounts along with access control mechanisms
    provides protection against adversaries attempting to automate the collection of data.
  mapping_type: mitigates
  references: []
- attack_object_id: T1020.001
  attack_object_name: Traffic Duplication
  capability_description: Cryptographic keys and certificates
  capability_group: PR.PS
  capability_id: PR.PS-01.07
  comments: 'This diagnostic statement protects against Automated Exfiltration: Traffic
    Duplication through the use of revocation of keys and key management. Employing
    key protection strategies for key material used in identity management and authentication
    processes over networks, limitations to specific accounts along with access control
    mechanisms provides protection against traffic duplication.'
  mapping_type: mitigates
  references: []
- attack_object_id: T1020
  attack_object_name: Automated Exfiltration
  capability_description: Cryptographic keys and certificates
  capability_group: PR.PS
  capability_id: PR.PS-01.07
  comments: This diagnostic statement protects against Automated Exfiltration through
    the use of revocation of keys and key management. Employing key protection strategies
    for key material used in identity management and authentication processes over
    networks, limitations to specific accounts along with access control mechanisms
    provides protection against automated exfiltration.
  mapping_type: mitigates
  references: []
- attack_object_id: T1659
  attack_object_name: Content Injection
  capability_description: Cryptographic keys and certificates
  capability_group: PR.PS
  capability_id: PR.PS-01.07
  comments: This diagnostic statement protects against Content Injection through the
    use of revocation of keys and key management. Employing key protection strategies
    for key material used in virtual private networks, identity management, and authentication
    processes over networks, limitations to specific accounts along with access control
    mechanisms provides protection against content injection.
  mapping_type: mitigates
  references: []
- attack_object_id: T1602.002
  attack_object_name: Network Device Configuration Dump
  capability_description: Cryptographic keys and certificates
  capability_group: PR.PS
  capability_id: PR.PS-01.07
  comments: 'This diagnostic statement protects against Data from Configuration Repository:
    Network Device Configuration Dump through the use of revocation of keys and key
    management. Employing key protection strategies for key material used in identity
    management and authentication processes over networks, limitations to specific
    accounts along with access control mechanisms provides protection against network
    device configuration dump.'
  mapping_type: mitigates
  references: []
- attack_object_id: T1602.001
  attack_object_name: SNMP (MIB Dump)
  capability_description: Cryptographic keys and certificates
  capability_group: PR.PS
  capability_id: PR.PS-01.07
  comments: 'This diagnostic statement protects against Data from Configuration Repository:
    SNMP (MIB Dump) through the use of revocation of keys and key management. Employing
    key protection strategies for key material used in identity management and authentication
    processes over networks, limitations to specific accounts along with access control
    mechanisms provides protection against MIB Dump.'
  mapping_type: mitigates
  references: []
- attack_object_id: T1602
  attack_object_name: Data from Configuration Repository
  capability_description: Cryptographic keys and certificates
  capability_group: PR.PS
  capability_id: PR.PS-01.07
  comments: This diagnostic statement protects against Data from Configuration Repository
    through the use of revocation of keys and key management. Employing key protection
    strategies for key material used in identity management and authentication processes
    over networks, limitations to specific accounts along with access control mechanisms
    provides protection against data from configuration repository.
  mapping_type: mitigates
  references: []
- attack_object_id: T1565.002
  attack_object_name: Transmitted Data Manipulation
  capability_description: Cryptographic keys and certificates
  capability_group: PR.PS
  capability_id: PR.PS-01.07
  comments: This diagnostic statement protects against Transmitted Data Manipulation
    through the use of revocation of keys and key management. Employing key protection
    strategies for key material used in sensitive information transmitted over networks,
    limitations to specific accounts along with access control mechanisms provides
    protection against transmitted data manipulation by adversaries.
  mapping_type: mitigates
  references: []
- attack_object_id: T1565.001
  attack_object_name: Stored Data Manipulation
  capability_description: Cryptographic keys and certificates
  capability_group: PR.PS
  capability_id: PR.PS-01.07
  comments: This diagnostic statement protects against Stored Data Manipulation through
    the use of revocation of keys and key management. Employing key protection strategies
    for key material used for storage of sensitive information, limitations to specific
    accounts along with access control mechanisms provides protection against stored
    data manipulation by adversaries.
  mapping_type: mitigates
  references: []
- attack_object_id: T1565
  attack_object_name: Data Manipulation
  capability_description: Cryptographic keys and certificates
  capability_group: PR.PS
  capability_id: PR.PS-01.07
  comments: This diagnostic statement protects against Data Manipulation through the
    use of revocation of keys and key management. Employing key protection strategies
    for key material used for storage and transmission of sensitive information over
    networks, limitations to specific accounts along with access control mechanisms
    provides protection against data manipulation by adversaries.
  mapping_type: mitigates
  references: []
- attack_object_id: T1114.003
  attack_object_name: Email Forwarding Rule
  capability_description: Cryptographic keys and certificates
  capability_group: PR.PS
  capability_id: PR.PS-01.07
  comments: This diagnostic statement protects against Email Forwarding Rule through
    the use of key management. Employing key protection strategies for key material
    used in protection of emails, limitations to specific accounts along with access
    control mechanisms provides protection against adversaries abusing email forwarding
    rule.
  mapping_type: mitigates
  references: []
- attack_object_id: T1114.001
  attack_object_name: Local Email Collection
  capability_description: Cryptographic keys and certificates
  capability_group: PR.PS
  capability_id: PR.PS-01.07
  comments: This diagnostic statement protects against Local Email Collection through
    the use of key management. Employing key protection strategies for key material
    used in protection of emails, limitations to specific accounts along with access
    control mechanisms provides protection against adversaries abusing local email
    collection.
  mapping_type: mitigates
  references: []
- attack_object_id: T1070.002
  attack_object_name: Clear Linux or Mac System Logs
  capability_description: Cryptographic keys and certificates
  capability_group: PR.PS
  capability_id: PR.PS-01.07
  comments: This diagnostic statement protects against Clear Linux or Mac System Logs
    through the use of key management. Employing key protection strategies for key
    material used in protection of event logs, limitations to specific accounts along
    with access control mechanisms provides protection against adversaries trying
    to clear system logs.
  mapping_type: mitigates
  references: []
- attack_object_id: T1070.001
  attack_object_name: Clear Windows Event Logs
  capability_description: Cryptographic keys and certificates
  capability_group: PR.PS
  capability_id: PR.PS-01.07
  comments: This diagnostic statement protects against Clear Windows Event Logs through
    the use of key management. Employing key protection strategies for key material
    used in protection of event logs, limitations to specific accounts along with
    access control mechanisms provides protection against adversaries trying to clear
    system logs.
  mapping_type: mitigates
  references: []
- attack_object_id: T1070
  attack_object_name: Indicator Removal
  capability_description: Cryptographic keys and certificates
  capability_group: PR.PS
  capability_id: PR.PS-01.07
  comments: This diagnostic statement protects against Indicator Removal through the
    use of key management. Employing key protection strategies for key material used
    to sign or encrypt logs and other forensic artifacts, limitations to specific accounts
    along with access control mechanisms provides protection against adversaries trying
    to remove indicators of compromise. Note that key management makes tampering detectable
    rather than impossible; a privileged adversary can still delete local copies, so signed
    logs should also be forwarded to a store that the compromised host cannot modify.
  mapping_type: mitigates
  references: []
- attack_object_id: T1003.003
  attack_object_name: NTDS
  capability_description: Cryptographic keys and certificates
  capability_group: PR.PS
  capability_id: PR.PS-01.07
  comments: 'This diagnostic statement protects against OS Credential Dumping: NTDS
    through the use of revocation of keys and key management. Employing key protection
    strategies for key material used in protection of domain controller backups, limitations
    to specific accounts along with access control mechanisms provides protection
    against adversaries trying to obtain credentials from NTDS backups.'
  mapping_type: mitigates
  references: []
- attack_object_id: T1003
  attack_object_name: OS Credential Dumping
  capability_description: Cryptographic keys and certificates
  capability_group: PR.PS
  capability_id: PR.PS-01.07
  comments: This diagnostic statement protects against OS Credential Dumping through
    the use of revocation of keys and key management. Employing key protection strategies
    for key material used in protection of OS credential backups, limitations to specific
    accounts along with access control mechanisms provides protection against adversaries
    trying to obtain credentials from OS credential backups.
  mapping_type: mitigates
  references: []
- attack_object_id: T1649
  attack_object_name: Steal or Forge Authentication Certificates
  capability_description: Cryptographic keys and certificates
  capability_group: PR.PS
  capability_id: PR.PS-01.07
  comments: This diagnostic statement protects against Steal or Forge Authentication
    Certificates through the use of revocation of keys and key management. Employing
    certificate protection strategies such as storing private keys in hardware-backed
    key storage (a Hardware Security Module or a TPM) and checking certificate validity,
    including revocation status, for those used in identity management and authentication
    processes, limitations to specific accounts along with access control mechanisms
    provides protection against adversaries trying to steal or forge authentication
    certificates.
  mapping_type: mitigates
  references: []
- attack_object_id: T1558.004
  attack_object_name: AS-REP Roasting
  capability_description: Cryptographic keys and certificates
  capability_group: PR.PS
  capability_id: PR.PS-01.07
  comments: 'This diagnostic statement protects against Steal or Forge Kerberos Tickets:
    AS-REP Roasting through the use of revocation of keys and key management. Employing
    key protection strategies for key material used in identity management and authentication
    processes, limitations to specific accounts along with access control mechanisms
    provides protection against adversaries trying to perform AS-REP Roasting. Note that
    AS-REP Roasting targets accounts with Kerberos pre-authentication disabled, so key
    protection should be paired with identifying such accounts and re-enabling pre-authentication
    wherever possible.'
  mapping_type: mitigates
  references: []
- attack_object_id: T1558.003
  attack_object_name: Kerberoasting
  capability_description: Cryptographic keys and certificates
  capability_group: PR.PS
  capability_id: PR.PS-01.07
  comments: 'This diagnostic statement protects against Steal or Forge Kerberos Tickets:
    Kerberoasting through the use of revocation of keys and key management. Employing
    key protection strategies for key material used in identity management and authentication
    processes, limitations to specific accounts along with access control mechanisms
    provides protection against adversaries trying to perform Kerbeoasting.'
  mapping_type: mitigates
  references: []
- attack_object_id: T1558.002
  attack_object_name: Silver Ticket
  capability_description: Cryptographic keys and certificates
  capability_group: PR.PS
  capability_id: PR.PS-01.07
  comments: 'This diagnostic statement protects against Steal or Forge Kerberos Tickets:
    Silver Ticket through the use of revocation of keys and key management. Employing
    key protection strategies for key material used in identity management and authentication
    processes, especially for known services such as MSSQL etc., limitations to specific
    accounts along with access control mechanisms provides protection against adversaries
    trying to steal or forge kerberos tickets.'
  mapping_type: mitigates
  references: []
- attack_object_id: T1558
  attack_object_name: Steal or Forge Kerberos Tickets
  capability_description: Cryptographic keys and certificates
  capability_group: PR.PS
  capability_id: PR.PS-01.07
  comments: This diagnostic statement protects against Steal or Forge Kerberos Tickets
    through the use of revocation of keys and key management. Employing key protection
    strategies for key material used in identity management and authentication processes,
    especially for Kerberos authentication process, limitations to specific accounts
    along with access control mechanisms provides protection against adversaries trying
    to steal or forge kerberos tickets.
  mapping_type: mitigates
  references: []
- attack_object_id: T1552.004
  attack_object_name: Private Keys
  capability_description: Cryptographic keys and certificates
  capability_group: PR.PS
  capability_id: PR.PS-01.07
  comments: 'This diagnostic statement protects against Unsecured Credentials: Private
    Keys through the use of revocation of keys and key management. Employing key protection
    strategies for key material such as private keys used in protecting credentials,
    limitations to specific accounts along with access control mechanisms provides
    protection against adversaries trying to compromise credentials.'
  mapping_type: mitigates
  references: []
- attack_object_id: T1552
  attack_object_name: Unsecured Credentials
  capability_description: Cryptographic keys and certificates
  capability_group: PR.PS
  capability_id: PR.PS-01.07
  comments: This diagnostic statement protects against Unsecured Credentials through
    the use of revocation of keys and key management. Employing key protection strategies
    for key material such as private keys, limitations to specific accounts along
    with access control mechanisms provides protection against adversaries trying
    to compromise credentials.
  mapping_type: mitigates
  references: []
- attack_object_id: T1550.001
  attack_object_name: Application Access Token
  capability_description: Cryptographic keys and certificates
  capability_group: PR.PS
  capability_id: PR.PS-01.07
  comments: This diagnostic statement protects against Application Access Token through
    the use of revocation of keys and key management. Employing key protection strategies
    for key material such as those used in generation or protection of application
    access tokens, limitations to specific accounts along with access control mechanisms
    provides protection against adversaries trying to compromise application access
    tokens.
  mapping_type: mitigates
  references: []
- attack_object_id: T1550
  attack_object_name: Use Alternate Authentication Material
  capability_description: Cryptographic keys and certificates
  capability_group: PR.PS
  capability_id: PR.PS-01.07
  comments: This diagnostic statement protects against Use Alternate Authentication
    Material through the use of revocation of keys and key management. Employing key
    protection strategies for key material used for identity management and authentication
    processes, limitations to specific accounts along with access control mechanisms
    provides protection against adversaries trying to use alternate authentication
    material.
  mapping_type: mitigates
  references: []
- attack_object_id: T1547
  attack_object_name: Boot or Logon Autostart Execution
  capability_description: Cryptographic keys and certificates
  capability_group: PR.PS
  capability_id: PR.PS-01.07
  comments: This diagnostic statement protects against Boot or Logon Autostart Execution
    through the use of revocation of keys and key management. Employing key protection
    strategies for key material used for protecting the integrity of boot firmware and
    system images, and using hardware-backed key storage such as a TPM or Hardware
    Security Module to hold those keys, limitations to specific accounts along with
    access control mechanisms provides protection against adversaries trying to compromise
    boot or logon autostart execution.
  mapping_type: mitigates
  references: []
- attack_object_id: T1547.008
  attack_object_name: LSASS Driver
  capability_description: Cryptographic keys and certificates
  capability_group: PR.PS
  capability_id: PR.PS-01.07
  comments: 'This diagnostic statement protects against Boot or Logon Autostart Execution:
    LSASS Driver through the use of revocation of keys and key management. Employing
    key protection strategies for key material used for protecting integrity of boot
    firmware, system images, and using Hardware Security Modules such as TPMs to store
    those keys, along with use of Credential Guard provides protection against adversaries
    trying to compromise boot or logon autostart execution.'
  mapping_type: mitigates
  references: []
- attack_object_id: T1003.001
  attack_object_name: LSASS Memory
  capability_description: Cryptographic keys and certificates
  capability_group: PR.PS
  capability_id: PR.PS-01.07
  comments: 'This diagnostic statement protects against OS Credential Dumping: LSASS
    Memory through the use of revocation of keys and key management. Employing key
    protection strategies for key material used for protecting integrity of boot firmware,
    system images, and using Hardware Security Modules such as TPMs to store those
    keys, along with use of Credential Guard provides protection against adversaries
    trying to perform OS Credential dumping of LSASS memory.'
  mapping_type: mitigates
  references: []
- attack_object_id: T1558.005
  attack_object_name: Ccache Files
  capability_description: Cryptographic keys and certificates
  capability_group: PR.PS
  capability_id: PR.PS-01.07
  comments: 'This diagnostic statement protects against Steal or Forge Kerberos Tickets:
    Ccache Files through the use of revocation of keys and key management. Employing
    key protection strategies for key material used in identity management and authentication
    processes, limitations to specific accounts along with access control mechanisms
    provides protection against adversaries trying to steal or forge kerberos tickets.'
  mapping_type: mitigates
  references: []
- attack_object_id: T1021.002
  attack_object_name: SMB/Windows Admin Shares
  capability_description: Virtualized end point protection
  capability_group: PR.PS
  capability_id: PR.PS-01.09
  comments: The diagnostic statement highlights several mechanisms that organizations
    can implement to protect endpoint systems using virtualization technologies, essentially
    hypervisor hardening. With this technique, adversaries may transfer tools, payloads,
    or other malware between systems in a compromised environment, such as between
    a VM and host system. Hypervisor hardening may help in monitoring and restricting
    unexpected network share access, such as files transferred between shares within
    a network using protocols such as SMB by virtualized technologies.
  mapping_type: mitigates
  references: []
- attack_object_id: T1570
  attack_object_name: Lateral Tool Transfer
  capability_description: Virtualized end point protection
  capability_group: PR.PS
  capability_id: PR.PS-01.09
  comments: The diagnostic statement highlights several mechanisms that organizations
    can implement to protect endpoint systems using virtualization technologies, essentially
    hypervisor hardening. With this technique, adversaries may transfer tools, payloads,
    or other malware between systems in a compromised environment, such as between
    a VM and host system. Hypervisor hardening may help in monitoring and restricting
    unexpected network share access, such as files transferred between shares within
    a network using protocols such as SMB by virtualized technologies.
  mapping_type: mitigates
  references: []
- attack_object_id: T1213
  attack_object_name: Data from Information Repositories
  capability_description: Virtualized end point protection
  capability_group: PR.PS
  capability_id: PR.PS-01.09
  comments: The diagnostic statement outlines several mechanisms that organizations
    can use to protect endpoint systems with virtualization technologies, focusing
    primarily on hypervisor hardening. By implementing hypervisor hardening measures,
    such as requiring multi-factor authentication to restrict access to resources
    and information stored in the cloud from virtual machines, organizations may
    help prevent data leakage caused by adversaries exploiting VM instances.
  mapping_type: mitigates
  references: []
- attack_object_id: T1098
  attack_object_name: Account Manipulation
  capability_description: Virtualized end point protection
  capability_group: PR.PS
  capability_id: PR.PS-01.09
  comments: The diagnostic statement highlights several mechanisms that organizations
    can implement to protect endpoint systems using virtualization technologies, essentially
    hypervisor hardening. Use multi-factor authentication for user and privileged
    accounts running virtual machines.
  mapping_type: mitigates
  references: []
- attack_object_id: T1129
  attack_object_name: Shared Modules
  capability_description: Virtualized end point protection
  capability_group: PR.PS
  capability_id: PR.PS-01.09
  comments: The diagnostic statement highlights several mechanisms that organizations
    can implement to protect endpoint systems using virtualization technologies, essentially
    hypervisor hardening. With this technique, adversaries may execute malicious payloads
    by loading shared modules (such as DLLs or shared libraries) into a running process
    within a VM. The use of hypervisor application control may detect and block this
    type of behavior from occurring.
  mapping_type: mitigates
  references: []
- attack_object_id: T1567
  attack_object_name: Exfiltration Over Web Service
  capability_description: Virtualized end point protection
  capability_group: PR.PS
  capability_id: PR.PS-01.09
  comments: The diagnostic statement highlights several mechanisms that organizations
    can implement to protect endpoint systems using virtualization technologies, essentially
    hypervisor hardening. With this technique, adversaries may use an existing
    VM leveraging a legitimate external Web service to exfiltrate data rather than
    their primary command and control channel. The use of hypervisor application control
    may detect and block this type of behavior from occurring.
  mapping_type: mitigates
  references: []
- attack_object_id: T1080
  attack_object_name: Taint Shared Content
  capability_description: Virtualized end point protection
  capability_group: PR.PS
  capability_id: PR.PS-01.09
  comments: The diagnostic statement highlights several mechanisms that organizations
    can implement to protect endpoint systems using virtualization technologies, essentially
    hypervisor hardening. With this technique, adversaries may deliver payloads to
    host systems by adding content to shared storage and file locations, such as a
    shared directory between the host and virtual machine. Hypervisor hardening can
    restrict or limit the ability of the virtualized machine to taint shared content,
    making it harder for attackers to manipulate shared content.
  mapping_type: mitigates
  references: []
- attack_object_id: T1552.001
  attack_object_name: Credentials In Files
  capability_description: Virtualized end point protection
  capability_group: PR.PS
  capability_id: PR.PS-01.09
  comments: The diagnostic statement highlights several mechanisms that organizations
    can implement to protect endpoint systems using virtualization technologies, essentially
    hypervisor hardening. With this technique, adversaries may search host shared
    directories/files between a VM and host device to find files of interest, specifically
    credentials in files. Hypervisor hardening can restrict or limit the ability to
    access files containing insecurely stored credentials between the virtualized
    machine and host system, making it harder for attackers to collect data from host
    shared files.
  mapping_type: mitigates
  references: []
- attack_object_id: T1039
  attack_object_name: Data from Network Shared Drive
  capability_description: Virtualized end point protection
  capability_group: PR.PS
  capability_id: PR.PS-01.09
  comments: The diagnostic statement highlights several mechanisms that organizations
    can implement to protect endpoint systems using virtualization technologies, essentially
    hypervisor hardening. With this technique, adversaries may search host shared
    directories between a VM and host device to find files of interest. Hypervisor
    hardening can restrict or limit the ability to share files between the virtualized
    machine and host system, making it harder for attackers to collect data from host
    shared directories.
  mapping_type: mitigates
  references: []
- attack_object_id: T1562
  attack_object_name: Impair Defenses
  capability_description: Virtualized end point protection
  capability_group: PR.PS
  capability_id: PR.PS-01.09
  comments: The diagnostic statement highlights several mechanisms that organizations
    can implement to protect endpoint systems using virtualization technologies, essentially
    hypervisor hardening. Hypervisor hardening can limit the ability of virtual machines
    to disable or modify security tools or configurations within the host system,
    making it harder for attackers to evade detection.
  mapping_type: mitigates
  references: []
- attack_object_id: T1484.002
  attack_object_name: Trust Modification
  capability_description: Service accounts
  capability_group: PR.AA
  capability_id: PR.AA-05.03
  comments: This diagnostic statement is for the implementation of security controls
    for service accounts (i.e., accounts used by systems to access other systems).
    Protect administrative access to domain trusts and identity tenants to mitigate
    this technique.
  mapping_type: mitigates
  references: []
- attack_object_id: T1021.003
  attack_object_name: Distributed Component Object Model
  capability_description: Service accounts
  capability_group: PR.AA
  capability_id: PR.AA-05.03
  comments: This diagnostic statement is for the implementation of security controls
    for service accounts (i.e., accounts used by systems to access other systems).
    Minimize service account permissions and access for the service to mitigate exploitation
    via Distributed Component Object Model (DCOM).
  mapping_type: mitigates
  references: []
- attack_object_id: T1558.003
  attack_object_name: Kerberoasting
  capability_description: Service accounts
  capability_group: PR.AA
  capability_id: PR.AA-05.03
  comments: This diagnostic statement describes security controls implemented for
    service accounts (i.e., accounts used by systems to access other systems). Limit
    service accounts to minimal required privileges to mitigate attempts to steal
    or forge Kerberos tickets. Note that least privilege limits the impact of a cracked
    service account credential but does not stop the service ticket request itself;
    pair it with long, regularly rotated service account passwords (for example, group
    Managed Service Accounts) so that Kerberoasted tickets are not feasibly crackable offline.
  mapping_type: mitigates
  references: []
- attack_object_id: T1558.002
  attack_object_name: Silver Ticket
  capability_description: Service accounts
  capability_group: PR.AA
  capability_id: PR.AA-05.03
  comments: This diagnostic statement describes security controls implemented for
    service accounts (i.e., accounts used by systems to access other systems). Limit
    service accounts to minimal required privileges to mitigate attempts to steal
    or forge Kerberos tickets.
  mapping_type: mitigates
  references: []
- attack_object_id: T1563.001
  attack_object_name: SSH Hijacking
  capability_description: Service accounts
  capability_group: PR.AA
  capability_id: PR.AA-05.03
  comments: This diagnostic statement is for the implementation of security controls
    for service accounts (i.e., accounts used by systems to access other systems),
    such as granting service accounts only the minimum necessary permissions.
  mapping_type: mitigates
  references: []
- attack_object_id: T1078.002
  attack_object_name: Domain Accounts
  capability_description: Service accounts
  capability_group: PR.AA
  capability_id: PR.AA-05.03
  comments: This diagnostic statement describes how the organization establishes
    security standards based on industry guidelines to institute strict controls over
    service accounts (i.e., accounts used by systems to access other systems).
  mapping_type: mitigates
  references: []
- attack_object_id: T1558
  attack_object_name: Steal or Forge Kerberos Tickets
  capability_description: Service accounts
  capability_group: PR.AA
  capability_id: PR.AA-05.03
  comments: This diagnostic statement describes security controls implemented for
    service accounts (i.e., accounts used by systems to access other systems). Limit
    service accounts to minimal required privileges to mitigate attempts to steal
    or forge Kerberos tickets.
  mapping_type: mitigates
  references: []
- attack_object_id: T1548
  attack_object_name: Abuse Elevation Control Mechanism
  capability_description: Service accounts
  capability_group: PR.AA
  capability_id: PR.AA-05.03
  comments: This diagnostic statement describes how the organization establishes security
    standards based on industry guidelines to institute strict controls over service
    accounts (i.e., accounts used by systems to access other systems). Minimize permissions
    and access for service accounts to mitigate this technique.
  mapping_type: mitigates
  references: []
- attack_object_id: T1559.001
  attack_object_name: Component Object Model
  capability_description: Service accounts
  capability_group: PR.AA
  capability_id: PR.AA-05.03
  comments: This diagnostic statement is for the implementation of security controls
    for service accounts (i.e., accounts used by systems to access other systems).
    Set service account access restrictions to grant only the minimum necessary permissions
    to mitigate abuse of inter-process communication (IPC) mechanisms.
  mapping_type: mitigates
  references: []
- attack_object_id: T1078
  attack_object_name: Valid Accounts
  capability_description: Service accounts
  capability_group: PR.AA
  capability_id: PR.AA-05.03
  comments: This diagnostic statement describes how the organization establishes
    security standards based on industry guidelines to institute strict controls over
    service accounts (i.e., accounts used by systems to access other systems).
  mapping_type: mitigates
  references: []
- attack_object_id: T1210
  attack_object_name: Exploitation of Remote Services
  capability_description: Service accounts
  capability_group: PR.AA
  capability_id: PR.AA-05.03
  comments: This diagnostic statement is for the implementation of security controls
    for service accounts (i.e., accounts used by systems to access other systems).
    Minimize permissions and access for service accounts to limit impact of exploitation.
  mapping_type: mitigates
  references: []
- attack_object_id: T1098
  attack_object_name: Account Manipulation
  capability_description: Service accounts
  capability_group: PR.AA
  capability_id: PR.AA-05.03
  comments: This diagnostic statement describes how the organization establishes
    security standards based on industry guidelines to institute strict controls over
    service accounts (i.e., accounts used by systems to access other systems).
  mapping_type: mitigates
  references: []
- attack_object_id: T1102.003
  attack_object_name: One-Way Communication
  capability_description: Website and service blocking
  capability_group: DE.CM
  capability_id: DE.CM-01.05
  comments: This diagnostic statement helps mitigate web service techniques through
    the implementation of tools and measures to detect and block access to unauthorized,
    inappropriate, or malicious websites and services.
  mapping_type: mitigates
  references: []
- attack_object_id: T1102.002
  attack_object_name: Bidirectional Communication
  capability_description: Website and service blocking
  capability_group: DE.CM
  capability_id: DE.CM-01.05
  comments: This diagnostic statement helps mitigate web service techniques through
    the implementation of tools and measures to detect and block access to unauthorized,
    inappropriate, or malicious websites and services.
  mapping_type: mitigates
  references: []
- attack_object_id: T1102.001
  attack_object_name: Dead Drop Resolver
  capability_description: Website and service blocking
  capability_group: DE.CM
  capability_id: DE.CM-01.05
  comments: This diagnostic statement helps mitigate web service techniques through
    the implementation of tools and measures to detect and block access to unauthorized,
    inappropriate, or malicious websites and services.
  mapping_type: mitigates
  references: []
- attack_object_id: T1102
  attack_object_name: Web Service
  capability_description: Website and service blocking
  capability_group: DE.CM
  capability_id: DE.CM-01.05
  comments: This diagnostic statement helps mitigate web service techniques through
    the implementation of tools and measures to detect and block access to unauthorized,
    inappropriate, or malicious websites and services.
  mapping_type: mitigates
  references: []
- attack_object_id: T1204.002
  attack_object_name: Malicious File
  capability_description: Website and service blocking
  capability_group: DE.CM
  capability_id: DE.CM-01.05
  comments: This diagnostic statement helps mitigate user execution techniques through
    the implementation of tools and measures to block unknown or unused files in transit.
  mapping_type: mitigates
  references: []
- attack_object_id: T1204
  attack_object_name: User Execution
  capability_description: Website and service blocking
  capability_group: DE.CM
  capability_id: DE.CM-01.05
  comments: This diagnostic statement helps mitigate user execution techniques through
    the implementation of tools and measures to block unknown or unused files in transit.
  mapping_type: mitigates
  references: []
- attack_object_id: T1550
  attack_object_name: Use Alternate Authentication Material
  capability_description: Website and service blocking
  capability_group: DE.CM
  capability_id: DE.CM-01.05
  comments: This diagnostic statement provides for implementing tools and measures,
    such as allowing or denying types of third-party applications, that can help
    prevent adversary use of alternate authentication material.
  mapping_type: mitigates
  references: []
- attack_object_id: T1218.001
  attack_object_name: Compiled HTML File
  capability_description: Website and service blocking
  capability_group: DE.CM
  capability_id: DE.CM-01.05
  comments: This diagnostic statement can help prevent adversaries from abusing HTML
    files by implementing tools and measures to block download/transfer of uncommon
    file types known to be used in adversary campaigns.
  mapping_type: mitigates
  references: []
- attack_object_id: T1218
  attack_object_name: System Binary Proxy Execution
  capability_description: Website and service blocking
  capability_group: DE.CM
  capability_id: DE.CM-01.05
  comments: This diagnostic statement can help prevent execution of malicious content
    with signed files or trusted binaries through tools and measures restricting or
    blocking certain websites, blocking downloads/attachments, and restricting browser
    extensions.
  mapping_type: mitigates
  references: []
- attack_object_id: T1539
  attack_object_name: Steal Web Session Cookie
  capability_description: Website and service blocking
  capability_group: DE.CM
  capability_id: DE.CM-01.05
  comments: This diagnostic statement provides for implementing tools and measures
    for web-based content and browser security settings that can help prevent session
    cookie theft.
  mapping_type: mitigates
  references: []
- attack_object_id: T1528
  attack_object_name: Steal Application Access Token
  capability_description: Website and service blocking
  capability_group: DE.CM
  capability_id: DE.CM-01.05
  comments: This diagnostic statement provides for implementing tools and measures
    such as disabling users from authorizing third-party apps and forcing administrative
    consent for all requests that can help prevent token theft.
  mapping_type: mitigates
  references: []
- attack_object_id: T1566.003
  attack_object_name: Spearphishing via Service
  capability_description: Website and service blocking
  capability_group: DE.CM
  capability_id: DE.CM-01.05
  comments: This diagnostic statement provides for implementing tools and measures
    such as filtering messages and restricting certain websites or attachment types,
    which can help block phishing attempts.
  mapping_type: mitigates
  references: []
- attack_object_id: T1566.002
  attack_object_name: Spearphishing Link
  capability_description: Website and service blocking
  capability_group: DE.CM
  capability_id: DE.CM-01.05
  comments: This diagnostic statement provides for implementing tools and measures
    such as filtering messages and restricting certain websites or attachment types,
    which can help block phishing attempts.
  mapping_type: mitigates
  references: []
- attack_object_id: T1566.001
  attack_object_name: Spearphishing Attachment
  capability_description: Website and service blocking
  capability_group: DE.CM
  capability_id: DE.CM-01.05
  comments: This diagnostic statement provides for implementing tools and measures
    such as filtering messages and restricting certain websites or attachment types,
    which can help block phishing attempts.
  mapping_type: mitigates
  references: []
- attack_object_id: T1566
  attack_object_name: Phishing
  capability_description: Website and service blocking
  capability_group: DE.CM
  capability_id: DE.CM-01.05
  comments: This diagnostic statement provides for implementing tools and measures
    such as filtering messages and restricting certain websites or attachment types,
    which can help block phishing attempts.
  mapping_type: mitigates
  references: []
- attack_object_id: T1189
  attack_object_name: Drive-by Compromise
  capability_description: Website and service blocking
  capability_group: DE.CM
  capability_id: DE.CM-01.05
  comments: This diagnostic statement helps mitigate drive-by compromise through the
    implementation of tools and measures such as adblockers to prevent and block malicious
    code execution and script blocking extensions to block execution of scripts.
  mapping_type: mitigates
  references: []
- attack_object_id: T1555.003
  attack_object_name: Credentials from Web Browsers
  capability_description: Website and service blocking
  capability_group: DE.CM
  capability_id: DE.CM-01.05
  comments: This diagnostic statement provides for implementing tools and measures
    for web-based content and browser security settings that can help prevent theft
    of credentials stored in web browsers.
  mapping_type: mitigates
  references: []
- attack_object_id: T1659
  attack_object_name: Content Injection
  capability_description: Website and service blocking
  capability_group: DE.CM
  capability_id: DE.CM-01.05
  comments: This diagnostic statement provides for implementing tools and measures
    such as blocking download/transfer and execution of uncommon file types which
    can help prevent content injection.
  mapping_type: mitigates
  references: []
- attack_object_id: T1059.007
  attack_object_name: JavaScript
  capability_description: Website and service blocking
  capability_group: DE.CM
  capability_id: DE.CM-01.05
  comments: This diagnostic statement helps prevent adversaries from abusing the various
    implementations of JavaScript for execution by blocking the execution of scripts
    and by using adblockers to block malicious code delivered through ads.
  mapping_type: mitigates
  references: []
- attack_object_id: T1059
  attack_object_name: Command and Scripting Interpreter
  capability_description: Website and service blocking
  capability_group: DE.CM
  capability_id: DE.CM-01.05
  comments: This diagnostic statement helps prevent adversaries from abusing commands,
    scripts, or binaries by blocking the execution of scripts and by using adblockers
    to block malicious code delivered through ads.
  mapping_type: mitigates
  references: []
- attack_object_id: T1047
  attack_object_name: Windows Management Instrumentation
  capability_description: Privileged account monitoring
  capability_group: DE.CM
  capability_id: DE.CM-03.03
  comments: This diagnostic statement implements mechanisms and tools to mitigate
    potential misuse of privileged users and accounts. Continuous monitoring of role
    and attribute assignments and activity is essential to prevent and detect unauthorized
    access or misuse.
  mapping_type: mitigates
  references: []
- attack_object_id: T1078.004
  attack_object_name: Cloud Accounts
  capability_description: Privileged account monitoring
  capability_group: DE.CM
  capability_id: DE.CM-03.03
  comments: This diagnostic statement implements mechanisms and tools to mitigate
    potential misuse of privileged users and accounts. Continuous monitoring of role
    and attribute assignments and activity is essential to prevent and detect unauthorized
    access or misuse.
  mapping_type: mitigates
  references: []
- attack_object_id: T1078.003
  attack_object_name: Local Accounts
  capability_description: Privileged account monitoring
  capability_group: DE.CM
  capability_id: DE.CM-03.03
  comments: This diagnostic statement implements mechanisms and tools to mitigate
    potential misuse of privileged users and accounts. Continuous monitoring of role
    and attribute assignments and activity is essential to prevent and detect unauthorized
    access or misuse.
  mapping_type: mitigates
  references: []
- attack_object_id: T1078.002
  attack_object_name: Domain Accounts
  capability_description: Privileged account monitoring
  capability_group: DE.CM
  capability_id: DE.CM-03.03
  comments: This diagnostic statement implements mechanisms and tools to mitigate
    potential misuse of privileged users and accounts. Continuous monitoring of role
    and attribute assignments and activity is essential to prevent and detect unauthorized
    access or misuse.
  mapping_type: mitigates
  references: []
- attack_object_id: T1078.001
  attack_object_name: Default Accounts
  capability_description: Privileged account monitoring
  capability_group: DE.CM
  capability_id: DE.CM-03.03
  comments: This diagnostic statement implements mechanisms and tools to mitigate
    potential misuse of privileged users and accounts. Continuous monitoring of role
    and attribute assignments and activity is essential to prevent and detect unauthorized
    access or misuse.
  mapping_type: mitigates
  references: []
- attack_object_id: T1072
  attack_object_name: Software Deployment Tools
  capability_description: Privileged account monitoring
  capability_group: DE.CM
  capability_id: DE.CM-03.03
  comments: This diagnostic statement implements mechanisms and tools to mitigate
    potential misuse of privileged users and accounts. Continuous monitoring of role
    and attribute assignments and activity is essential to prevent and detect unauthorized
    access or misuse.
  mapping_type: mitigates
  references: []
- attack_object_id: T1053.007
  attack_object_name: Container Orchestration Job
  capability_description: Privileged account monitoring
  capability_group: DE.CM
  capability_id: DE.CM-03.03
  comments: This diagnostic statement implements mechanisms and tools to mitigate
    potential misuse of privileged users and accounts. Continuous monitoring of role
    and attribute assignments and activity is essential to prevent and detect unauthorized
    access or misuse.
  mapping_type: mitigates
  references: []
- attack_object_id: T1053.006
  attack_object_name: Systemd Timers
  capability_description: Privileged account monitoring
  capability_group: DE.CM
  capability_id: DE.CM-03.03
  comments: This diagnostic statement implements mechanisms and tools to mitigate
    potential misuse of privileged users and accounts. Continuous monitoring of role
    and attribute assignments and activity is essential to prevent and detect unauthorized
    access or misuse.
  mapping_type: mitigates
  references: []
- attack_object_id: T1053.005
  attack_object_name: Scheduled Task
  capability_description: Privileged account monitoring
  capability_group: DE.CM
  capability_id: DE.CM-03.03
  comments: This diagnostic statement implements mechanisms and tools to mitigate
    potential misuse of privileged users and accounts. Continuous monitoring of role
    and attribute assignments and activity is essential to prevent and detect unauthorized
    access or misuse.
  mapping_type: mitigates
  references: []
- attack_object_id: T1053.002
  attack_object_name: At
  capability_description: Privileged account monitoring
  capability_group: DE.CM
  capability_id: DE.CM-03.03
  comments: This diagnostic statement implements mechanisms and tools to mitigate
    potential misuse of privileged users and accounts. Continuous monitoring of role
    and attribute assignments and activity is essential to prevent and detect unauthorized
    access or misuse.
  mapping_type: mitigates
  references: []
- attack_object_id: T1053
  attack_object_name: Scheduled Task/Job
  capability_description: Privileged account monitoring
  capability_group: DE.CM
  capability_id: DE.CM-03.03
  comments: This diagnostic statement implements mechanisms and tools to mitigate
    potential misuse of privileged users and accounts. Continuous monitoring of role
    and attribute assignments and activity is essential to prevent and detect unauthorized
    access or misuse.
  mapping_type: mitigates
  references: []
- attack_object_id: T1556.007
  attack_object_name: Hybrid Identity
  capability_description: Privileged account monitoring
  capability_group: DE.CM
  capability_id: DE.CM-03.03
  comments: This diagnostic statement implements mechanisms and tools to mitigate
    potential misuse of privileged users and accounts. Continuous monitoring of role
    and attribute assignments and activity is essential to prevent and detect unauthorized
    access or misuse.
  mapping_type: mitigates
  references: []
- attack_object_id: T1556.005
  attack_object_name: Reversible Encryption
  capability_description: Privileged account monitoring
  capability_group: DE.CM
  capability_id: DE.CM-03.03
  comments: This diagnostic statement implements mechanisms and tools to mitigate
    potential misuse of privileged users and accounts. Continuous monitoring of role
    and attribute assignments and activity is essential to prevent and detect unauthorized
    access or misuse.
  mapping_type: mitigates
  references: []
- attack_object_id: T1556.004
  attack_object_name: Network Device Authentication
  capability_description: Privileged account monitoring
  capability_group: DE.CM
  capability_id: DE.CM-03.03
  comments: This diagnostic statement implements mechanisms and tools to mitigate
    potential misuse of privileged users and accounts. Continuous monitoring of role
    and attribute assignments and activity is essential to prevent and detect unauthorized
    access or misuse.
  mapping_type: mitigates
  references: []
- attack_object_id: T1556.006
  attack_object_name: Multi-Factor Authentication
  capability_description: Privileged account monitoring
  capability_group: DE.CM
  capability_id: DE.CM-03.03
  comments: This diagnostic statement implements mechanisms and tools to mitigate
    potential misuse of privileged users and accounts. Continuous monitoring of role
    and attribute assignments and activity is essential to prevent and detect unauthorized
    access or misuse.
  mapping_type: mitigates
  references: []
- attack_object_id: T1556.001
  attack_object_name: Domain Controller Authentication
  capability_description: Privileged account monitoring
  capability_group: DE.CM
  capability_id: DE.CM-03.03
  comments: This diagnostic statement implements mechanisms and tools to mitigate
    potential misuse of privileged users and accounts. Continuous monitoring of role
    and attribute assignments and activity is essential to prevent and detect unauthorized
    access or misuse.
  mapping_type: mitigates
  references: []
- attack_object_id: T1556
  attack_object_name: Modify Authentication Process
  capability_description: Privileged account monitoring
  capability_group: DE.CM
  capability_id: DE.CM-03.03
  comments: This diagnostic statement implements mechanisms and tools to mitigate
    potential misuse of privileged users and accounts. Continuous monitoring of role
    and attribute assignments and activity is essential to prevent and detect unauthorized
    access or misuse.
  mapping_type: mitigates
  references: []
- attack_object_id: T1606.002
  attack_object_name: SAML Tokens
  capability_description: Privileged account monitoring
  capability_group: DE.CM
  capability_id: DE.CM-03.03
  comments: This diagnostic statement implements mechanisms and tools to mitigate
    potential misuse of privileged users and accounts. Continuous monitoring of role
    and attribute assignments and activity is essential to prevent and detect unauthorized
    access or misuse.
  mapping_type: mitigates
  references: []
- attack_object_id: T1606
  attack_object_name: Forge Web Credentials
  capability_description: Privileged account monitoring
  capability_group: DE.CM
  capability_id: DE.CM-03.03
  comments: This diagnostic statement implements mechanisms and tools to mitigate
    potential misuse of privileged users and accounts. Continuous monitoring of role
    and attribute assignments and activity is essential to prevent and detect unauthorized
    access or misuse.
  mapping_type: mitigates
  references: []
- attack_object_id: T1210
  attack_object_name: Exploitation of Remote Services
  capability_description: Privileged account monitoring
  capability_group: DE.CM
  capability_id: DE.CM-03.03
  comments: This diagnostic statement implements mechanisms and tools to mitigate
    potential misuse of privileged users and accounts. Continuous monitoring of role
    and attribute assignments and activity is essential to prevent and detect unauthorized
    access or misuse.
  mapping_type: mitigates
  references: []
- attack_object_id: T1190
  attack_object_name: Exploit Public-Facing Application
  capability_description: Privileged account monitoring
  capability_group: DE.CM
  capability_id: DE.CM-03.03
  comments: This diagnostic statement implements mechanisms and tools to mitigate
    potential misuse of privileged users and accounts. Continuous monitoring of role
    and attribute assignments and activity is essential to prevent and detect unauthorized
    access or misuse.
  mapping_type: mitigates
  references: []
- attack_object_id: T1543.005
  attack_object_name: Container Service
  capability_description: Privileged account monitoring
  capability_group: DE.CM
  capability_id: DE.CM-03.03
  comments: This diagnostic statement implements mechanisms and tools to mitigate
    potential misuse of privileged users and accounts. Continuous monitoring of role
    and attribute assignments and activity is essential to prevent and detect unauthorized
    access or misuse.
  mapping_type: mitigates
  references: []
- attack_object_id: T1543
  attack_object_name: Create or Modify System Process
  capability_description: Privileged account monitoring
  capability_group: DE.CM
  capability_id: DE.CM-03.03
  comments: This diagnostic statement implements mechanisms and tools to mitigate
    potential misuse of privileged users and accounts. Continuous monitoring of role
    and attribute assignments and activity is essential to prevent and detect unauthorized
    access or misuse.
  mapping_type: mitigates
  references: []
- attack_object_id: T1651
  attack_object_name: Cloud Administration Command
  capability_description: Privileged account monitoring
  capability_group: DE.CM
  capability_id: DE.CM-03.03
  comments: This diagnostic statement implements mechanisms and tools to mitigate
    potential misuse of privileged users and accounts. Continuous monitoring of role
    and attribute assignments and activity is essential to prevent and detect unauthorized
    access or misuse.
  mapping_type: mitigates
  references: []
- attack_object_id: T1098.003
  attack_object_name: Additional Cloud Roles
  capability_description: Privileged account monitoring
  capability_group: DE.CM
  capability_id: DE.CM-03.03
  comments: This diagnostic statement implements mechanisms and tools to mitigate
    potential misuse of privileged users and accounts. Continuous monitoring of role
    and attribute assignments and activity is essential to prevent and detect unauthorized
    access or misuse.
  mapping_type: mitigates
  references: []
- attack_object_id: T1098.002
  attack_object_name: Additional Email Delegate Permissions
  capability_description: Privileged account monitoring
  capability_group: DE.CM
  capability_id: DE.CM-03.03
  comments: This diagnostic statement implements mechanisms and tools to mitigate
    potential misuse of privileged users and accounts. Continuous monitoring of role
    and attribute assignments and activity is essential to prevent and detect unauthorized
    access or misuse.
  mapping_type: mitigates
  references: []
- attack_object_id: T1098.001
  attack_object_name: Additional Cloud Credentials
  capability_description: Privileged account monitoring
  capability_group: DE.CM
  capability_id: DE.CM-03.03
  comments: This diagnostic statement implements mechanisms and tools to mitigate
    potential misuse of privileged users and accounts. Continuous monitoring of role
    and attribute assignments and activity is essential to prevent and detect unauthorized
    access or misuse.
  mapping_type: mitigates
  references: []
- attack_object_id: T1098
  attack_object_name: Account Manipulation
  capability_description: Privileged account monitoring
  capability_group: DE.CM
  capability_id: DE.CM-03.03
  comments: This diagnostic statement implements mechanisms and tools to mitigate
    potential misuse of privileged users and accounts. Continuous monitoring of role
    and attribute assignments and activity is essential to prevent and detect unauthorized
    access or misuse.
  mapping_type: mitigates
  references: []
- attack_object_id: T1548.006
  attack_object_name: TCC Manipulation
  capability_description: Privileged account monitoring
  capability_group: DE.CM
  capability_id: DE.CM-03.03
  comments: This diagnostic statement implements mechanisms and tools to mitigate
    potential misuse of privileged users and accounts. Continuous monitoring of role
    and attribute assignments and activity is essential to prevent and detect unauthorized
    access or misuse.
  mapping_type: mitigates
  references: []
- attack_object_id: T1548.003
  attack_object_name: Sudo and Sudo Caching
  capability_description: Privileged account monitoring
  capability_group: DE.CM
  capability_id: DE.CM-03.03
  comments: This diagnostic statement implements mechanisms and tools to mitigate
    potential misuse of privileged users and accounts. Continuous monitoring of role
    and attribute assignments and activity is essential to prevent and detect unauthorized
    access or misuse.
  mapping_type: mitigates
  references: []
- attack_object_id: T1548.002
  attack_object_name: Bypass User Account Control
  capability_description: Privileged account monitoring
  capability_group: DE.CM
  capability_id: DE.CM-03.03
  comments: This diagnostic statement implements mechanisms and tools to mitigate
    potential misuse of privileged users and accounts. Continuous monitoring of role
    and attribute assignments and activity is essential to prevent and detect unauthorized
    access or misuse.
  mapping_type: mitigates
  references: []
- attack_object_id: T1548
  attack_object_name: Abuse Elevation Control Mechanism
  capability_description: Privileged account monitoring
  capability_group: DE.CM
  capability_id: DE.CM-03.03
  comments: This diagnostic statement implements mechanisms and tools to mitigate
    potential misuse of privileged users and accounts. Continuous monitoring of role
    and attribute assignments and activity is essential to prevent and detect unauthorized
    access or misuse.
  mapping_type: mitigates
  references: []
- attack_object_id: T1059.005
  attack_object_name: Visual Basic
  capability_description: Website and service blocking
  capability_group: DE.CM
  capability_id: DE.CM-01.05
  comments: This diagnostic statement helps prevent adversaries from abusing commands,
    scripts, or binaries by blocking the execution of scripts and by using adblockers
    to block malicious code delivered through ads.
  mapping_type: mitigates
  references: []
- attack_object_id: T1210
  attack_object_name: Exploitation of Remote Services
  capability_description: Third-party systems and software evaluation
  capability_group: EX.DD
  capability_id: EX.DD-04.01
  comments: This diagnostic statement describes the organization's formal process
    for evaluating externally-sourced applications, software, and firmware by assessing
    compatibility, security, integrity, and authenticity before deployment and after
    major changes. For example, requiring vulnerability scanning of third-party applications
    for common vulnerabilities like SQL injection or cross-site scripting (XSS), including
    regular scans after major changes to identify newly introduced vulnerabilities.
  mapping_type: mitigates
  references: []
- attack_object_id: T1190
  attack_object_name: Exploit Public-Facing Application
  capability_description: Third-party systems and software evaluation
  capability_group: EX.DD
  capability_id: EX.DD-04.01
  comments: This diagnostic statement describes the organization's formal process
    for evaluating externally-sourced applications, software, and firmware by assessing
    compatibility, security, integrity, and authenticity before deployment and after
    major changes. For example, requiring vulnerability scanning of third-party applications
    for common vulnerabilities like SQL injection or cross-site scripting (XSS), including
    regular scans after major changes to identify newly introduced vulnerabilities.
  mapping_type: mitigates
  references: []
- attack_object_id: T1195.002
  attack_object_name: Compromise Software Supply Chain
  capability_description: Third-party systems and software evaluation
  capability_group: EX.DD
  capability_id: EX.DD-04.01
  comments: This diagnostic statement describes the organization's formal process
    for evaluating externally-sourced applications, software, and firmware by assessing
    compatibility, security, integrity, and authenticity before deployment and after
    major changes. For example, requiring software from external vendors to be signed
    with valid certificates before deployment to aid in mitigating software supply
    chain attacks.
  mapping_type: mitigates
  references: []
- attack_object_id: T1554
  attack_object_name: Compromise Host Software Binary
  capability_description: Third-party systems and software evaluation
  capability_group: EX.DD
  capability_id: EX.DD-04.01
  comments: This diagnostic statement describes the organization's formal process
    for evaluating externally-sourced applications, software, and firmware by assessing
    compatibility, security, integrity, and authenticity before deployment and after
    major changes. For example, requiring software from external vendors to be signed
    with valid certificates before deployment to aid in mitigating software supply
    chain attacks.
  mapping_type: mitigates
  references: []
- attack_object_id: T1542.002
  attack_object_name: Component Firmware
  capability_description: Third-party systems and software evaluation
  capability_group: EX.DD
  capability_id: EX.DD-04.01
  comments: This diagnostic statement describes the organization's formal process
    for evaluating externally-sourced applications, software, and firmware by assessing
    compatibility, security, integrity, and authenticity before deployment and after
    major changes. For example, requiring software from external vendors to be signed
    with valid certificates before deployment to aid in mitigating software supply
    chain attacks.
  mapping_type: mitigates
  references: []
- attack_object_id: T1036.001
  attack_object_name: Invalid Code Signature
  capability_description: Third-party systems and software evaluation
  capability_group: EX.DD
  capability_id: EX.DD-04.01
  comments: This diagnostic statement describes the organization's formal process
    for evaluating externally-sourced applications, software, and firmware by assessing
    compatibility, security, integrity, and authenticity before deployment and after
    major changes. For example, requiring software from external vendors to be signed
    with valid certificates before deployment to aid in mitigating software supply
    chain attacks.
  mapping_type: mitigates
  references: []
- attack_object_id: T1036
  attack_object_name: Masquerading
  capability_description: Third-party systems and software evaluation
  capability_group: EX.DD
  capability_id: EX.DD-04.01
  comments: This diagnostic statement describes the organization's formal process
    for evaluating externally-sourced applications, software, and firmware by assessing
    compatibility, security, integrity, and authenticity before deployment and after
    major changes. For example, requiring software from external vendors to be signed
    with valid certificates before deployment to aid in mitigating software supply
    chain attacks.
  mapping_type: mitigates
  references: []
- attack_object_id: T1072
  attack_object_name: Software Deployment Tools
  capability_description: Third-party systems and software evaluation
  capability_group: EX.DD
  capability_id: EX.DD-04.01
  comments: This diagnostic statement describes the organization's formal process
    for evaluating externally-sourced applications, software, and firmware by assessing
    compatibility, security, integrity, and authenticity before deployment and after
    major changes. For example, requiring software from external vendors to be signed
    with valid certificates before deployment to aid in mitigating software supply
    chain attacks.
  mapping_type: mitigates
  references: []
- attack_object_id: T1195.001
  attack_object_name: Compromise Software Dependencies and Development Tools
  capability_description: Third-party systems and software evaluation
  capability_group: EX.DD
  capability_id: EX.DD-04.01
  comments: This diagnostic statement describes the organization's formal process
    for evaluating externally-sourced applications, software, and firmware by assessing
    compatibility, security, integrity, and authenticity before deployment and after
    major changes. For example, requiring software from external vendors to be signed
    with valid certificates before deployment to aid in mitigating software supply
    chain attacks.
  mapping_type: mitigates
  references: []
- attack_object_id: T1195
  attack_object_name: Supply Chain Compromise
  capability_description: Third-party systems and software evaluation
  capability_group: EX.DD
  capability_id: EX.DD-04.01
  comments: This diagnostic statement describes the organization's formal process
    for evaluating externally-sourced applications, software, and firmware by assessing
    compatibility, security, integrity, and authenticity before deployment and after
    major changes. For example, requiring software from external vendors to be signed
    with valid certificates before deployment to aid in mitigating software supply
    chain attacks.
  mapping_type: mitigates
  references: []
- attack_object_id: T1565.002
  attack_object_name: Transmitted Data Manipulation
  capability_description: Data governance and lifecycle management
  capability_group: ID.AM
  capability_id: ID.AM-08.03
  comments: This diagnostic statement prevents adversaries from manipulating data
    that is in transit. Encrypting and/or obfuscating data can be used to protect
    sensitive data from being accessed by adversaries. There may be some similarities
    to NIST 800-53 SI-12 Information Management and Retention. This may provide mitigation
    of data access/exfiltration techniques.
  mapping_type: mitigates
  references: []
- attack_object_id: T1565.001
  attack_object_name: Stored Data Manipulation
  capability_description: Data governance and lifecycle management
  capability_group: ID.AM
  capability_id: ID.AM-08.03
  comments: This diagnostic statement prevents adversaries from manipulating data
    at rest. Storing data remotely can be used to properly manage data. There may
    be some similarities to NIST 800-53 SI-12 Information Management and Retention.
    This may provide mitigation of data access/exfiltration techniques.
  mapping_type: mitigates
  references: []
- attack_object_id: T1114.001
  attack_object_name: Local Email Collection
  capability_description: Data governance and lifecycle management
  capability_group: ID.AM
  capability_id: ID.AM-08.03
  comments: This diagnostic statement prevents adversaries from accessing local email
    files and collecting sensitive data (PII) from users. There may be some similarities
    to NIST 800-53 SI-12 Information Management and Retention. This may provide mitigation
    of data access/exfiltration techniques.
  mapping_type: mitigates
  references: []
- attack_object_id: T1070.008
  attack_object_name: Clear Mailbox Data
  capability_description: Data governance and lifecycle management
  capability_group: ID.AM
  capability_id: ID.AM-08.03
  comments: Storing data remotely can be used to properly manage data so that adversaries
    won't be able to modify mail and mail application data. There may be some similarities
    to NIST 800-53 SI-12 Information Management and Retention. This may provide mitigation
    of data access/exfiltration techniques.
  mapping_type: mitigates
  references: []
- attack_object_id: T1070.002
  attack_object_name: Clear Linux or Mac System Logs
  capability_description: Data governance and lifecycle management
  capability_group: ID.AM
  capability_id: ID.AM-08.03
  comments: Utilizing methods that protect event log files locally and in transit
    (for example, encrypting them and forwarding them to remote log storage) can prevent
    adversaries from clearing or tampering with system logs to hide their activity.
    There may be some similarities to NIST 800-53 SI-12 Information Management and
    Retention. This may provide mitigation of data access/exfiltration techniques.
  mapping_type: mitigates
  references: []
- attack_object_id: T1070
  attack_object_name: Indicator Removal
  capability_description: Data governance and lifecycle management
  capability_group: ID.AM
  capability_id: ID.AM-08.03
  comments: Storing data remotely can be used to properly manage data so that adversaries
    won't be able to interfere with processes used to detect intrusion activities.
    There may be some similarities to NIST 800-53 SI-12 Information Management and
    Retention. This may provide mitigation of data access/exfiltration techniques.
  mapping_type: mitigates
  references: []
- attack_object_id: T1003.003
  attack_object_name: NTDS
  capability_description: Data governance and lifecycle management
  capability_group: ID.AM
  capability_id: ID.AM-08.03
  comments: This diagnostic statement protects credential data and sensitive PII from
    being stolen by adversaries from the Active Directory domain database (NTDS). There
    may be some similarities to NIST 800-53 SI-12 Information Management and Retention.
    This may provide mitigation of data access/exfiltration techniques.
  mapping_type: mitigates
  references: []
- attack_object_id: T1558.005
  attack_object_name: Ccache Files
  capability_description: Data governance and lifecycle management
  capability_group: ID.AM
  capability_id: ID.AM-08.03
  comments: This diagnostic statement prevents adversaries from stealing Kerberos
    tickets stored in credential cache (ccache) files on compromised hosts, which could
    be reused to gain unauthorized access. There may be some similarities to NIST 800-53
    SI-12 Information Management and Retention. This may provide mitigation of data
    access/exfiltration techniques.
  mapping_type: mitigates
  references: []
- attack_object_id: T1558
  attack_object_name: Steal or Forge Kerberos Tickets
  capability_description: Data governance and lifecycle management
  capability_group: ID.AM
  capability_id: ID.AM-08.03
  comments: This diagnostic statement prevents adversaries from stealing or forging
    Kerberos tickets in order to gain unauthorized access. There may be some similarities
    to NIST 800-53 SI-12 Information Management and Retention. This may provide mitigation
    of data access/exfiltration techniques.
  mapping_type: mitigates
  references: []
- attack_object_id: T1557.004
  attack_object_name: Evil Twin
  capability_description: Data governance and lifecycle management
  capability_group: ID.AM
  capability_id: ID.AM-08.03
  comments: This diagnostic statement prevents adversaries from being able to steal
    data in transit by setting up rogue Wi-Fi access points and enticing users to
    connect to malicious networks. There may be some similarities to NIST 800-53 SI-12
    Information Management and Retention. This may provide mitigation of data access/exfiltration
    techniques.
  mapping_type: mitigates
  references: []
- attack_object_id: T1557
  attack_object_name: Adversary-in-the-Middle
  capability_description: Data governance and lifecycle management
  capability_group: ID.AM
  capability_id: ID.AM-08.03
  comments: This diagnostic statement prevents adversaries from being able to steal
    data in transit between networks. There may be some similarities to NIST 800-53
    SI-12 Information Management and Retention. This may provide mitigation of data
    access/exfiltration techniques.
  mapping_type: mitigates
  references: []
- attack_object_id: T1552.004
  attack_object_name: Private Keys
  capability_description: Data governance and lifecycle management
  capability_group: ID.AM
  capability_id: ID.AM-08.03
  comments: This diagnostic statement protects credential data and sensitive PII from
    being stolen by adversaries via private key and certificate files. There may be
    some similarities to NIST 800-53 SI-12 Information Management and Retention. This
    may provide mitigation of data access/exfiltration techniques.
  mapping_type: mitigates
  references: []
- attack_object_id: T1552
  attack_object_name: Unsecured Credentials
  capability_description: Data governance and lifecycle management
  capability_group: ID.AM
  capability_id: ID.AM-08.03
  comments: This diagnostic statement protects credential data and sensitive PII from
    being stolen by adversaries. There may be some similarities to NIST 800-53 SI-12
    Information Management and Retention. This may provide mitigation of data access/exfiltration
    techniques.
  mapping_type: mitigates
  references: []
- attack_object_id: T1550.001
  attack_object_name: Application Access Token
  capability_description: Data governance and lifecycle management
  capability_group: ID.AM
  capability_id: ID.AM-08.03
  comments: This diagnostic statement prevents adversaries from using stolen application
    access tokens to bypass regular authentication methods and gain access to restricted
    accounts and resources. There may be some similarities to NIST 800-53 SI-12 Information
    Management and Retention. This may provide mitigation of data access/exfiltration
    techniques.
  mapping_type: mitigates
  references: []
- attack_object_id: T1548
  attack_object_name: Abuse Elevation Control Mechanism
  capability_description: Data governance and lifecycle management
  capability_group: ID.AM
  capability_id: ID.AM-08.03
  comments: This diagnostic statement prevents adversaries from being able to manipulate
    elevation control mechanisms in order to gain higher-level permissions and elevated
    privileges. There may be some similarities to NIST 800-53 SI-12 Information Management
    and Retention. This may provide mitigation of data access/exfiltration techniques.
  mapping_type: mitigates
  references: []
- attack_object_id: T1530
  attack_object_name: Data from Cloud Storage
  capability_description: Data governance and lifecycle management
  capability_group: ID.AM
  capability_id: ID.AM-08.03
  comments: This diagnostic statement prevents adversaries from collecting sensitive
    data from cloud storage solutions, such as Amazon S3, Azure Storage, and Google
    Cloud Storage. Permissions on cloud storage should be reviewed frequently, and encryption
    of sensitive data in the cloud should be managed properly. There may be some similarities
    to NIST 800-53 SI-12 Information Management and Retention. This may provide mitigation
    of data access/exfiltration techniques.
  mapping_type: mitigates
  references: []
- attack_object_id: T1213.004
  attack_object_name: Customer Relationship Management Software
  capability_description: Data governance and lifecycle management
  capability_group: ID.AM
  capability_id: ID.AM-08.03
  comments: This diagnostic statement prevents adversaries from collecting sensitive
    (PII) data from customer relationship management software, which could be used to
    send phishing emails or target an organization's customers for financial gain.
    There may be some similarities to NIST 800-53 SI-12 Information Management and
    Retention. This may provide mitigation of data access/exfiltration techniques.
  mapping_type: mitigates
  references: []
- attack_object_id: T1119
  attack_object_name: Automated Collection
  capability_description: Data governance and lifecycle management
  capability_group: ID.AM
  capability_id: ID.AM-08.03
  comments: This diagnostic statement prevents adversaries from using automated techniques
    for collecting internal data. There may be some similarities to NIST 800-53 SI-12
    Information Management and Retention. This may provide mitigation of data access/exfiltration
    techniques.
  mapping_type: mitigates
  references: []
- attack_object_id: T1114.003
  attack_object_name: Email Forwarding Rule
  capability_description: Data governance and lifecycle management
  capability_group: ID.AM
  capability_id: ID.AM-08.03
  comments: This diagnostic statement protects credential data and sensitive PII found
    in emails from being stolen by adversaries. It also prevents adversaries from abusing
    email forwarding rules to collect email. There may be some similarities to NIST 800-53
    SI-12 Information Management and Retention. This may provide mitigation of data
    access/exfiltration techniques.
  mapping_type: mitigates
  references: []
- attack_object_id: T1114.002
  attack_object_name: Remote Email Collection
  capability_description: Data governance and lifecycle management
  capability_group: ID.AM
  capability_id: ID.AM-08.03
  comments: This diagnostic statement protects credential data and sensitive PII found
    in emails from being stolen by adversaries. It also prevents adversaries from collecting
    email from an Exchange server, Office 365, or Google Workspace in order to gather
    sensitive information. There may be some similarities to NIST 800-53 SI-12 Information
    Management and Retention. This may provide mitigation of data access/exfiltration
    techniques.
  mapping_type: mitigates
  references: []
- attack_object_id: T1114
  attack_object_name: Email Collection
  capability_description: Data governance and lifecycle management
  capability_group: ID.AM
  capability_id: ID.AM-08.03
  comments: This diagnostic statement protects credential data and sensitive PII found
    in emails from being stolen by adversaries. There may be some similarities to
    NIST 800-53 SI-12 Information Management and Retention. This may provide mitigation
    of data access/exfiltration techniques.
  mapping_type: mitigates
  references: []
- attack_object_id: T1070.001
  attack_object_name: Clear Windows Event Logs
  capability_description: Data governance and lifecycle management
  capability_group: ID.AM
  capability_id: ID.AM-08.03
  comments: This diagnostic statement protects data from being manipulated by adversaries
    that try to clear Windows event logs to hide their activity. Protecting event log
    files locally and in transit (for example, by encrypting them and forwarding them
    to remote log storage) reduces an adversary's ability to destroy or alter this data.
    There may be some similarities to NIST 800-53 SI-12 Information Management and
    Retention. This may provide mitigation of data access/exfiltration techniques.
  mapping_type: mitigates
  references: []
- attack_object_id: T1040
  attack_object_name: Network Sniffing
  capability_description: Data governance and lifecycle management
  capability_group: ID.AM
  capability_id: ID.AM-08.03
  comments: This diagnostic statement protects data, including authentication material
    passed over networks, from being captured by adversaries through network sniffing.
    There may be some similarities to NIST 800-53 SI-12 Information Management and
    Retention. This may provide mitigation of data access/exfiltration techniques.
  mapping_type: mitigates
  references: []
- attack_object_id: T1020.001
  attack_object_name: Traffic Duplication
  capability_description: Data governance and lifecycle management
  capability_group: ID.AM
  capability_id: ID.AM-08.03
  comments: This diagnostic statement protects data from being exfiltrated by adversaries
    via traffic duplication or mirroring. There may be some similarities to NIST 800-53
    SI-12 Information Management and Retention. This may provide mitigation of data
    access/exfiltration techniques.
  mapping_type: mitigates
  references: []
- attack_object_id: T1003
  attack_object_name: OS Credential Dumping
  capability_description: Data governance and lifecycle management
  capability_group: ID.AM
  capability_id: ID.AM-08.03
  comments: This diagnostic statement protects credential data and sensitive PII from
    being stolen by adversaries. There may be some similarities to NIST 800-53 SI-12
    Information Management and Retention. This may provide mitigation of data access/exfiltration
    techniques.
  mapping_type: mitigates
  references: []
- attack_object_id: T1565.001
  attack_object_name: Stored Data Manipulation
  capability_description: Accurate data recovery
  capability_group: ID.IM
  capability_id: ID.IM-02.06
  comments: This diagnostic statement highlights the critical importance of implementing
    remote data storage solutions as a safeguard against potential adversarial attempts
    to manipulate or conceal stored data (i.e. file formats, databases, stored emails,
    and custom file formats), which could negatively impact business operations and
    organizational data integrity.
  mapping_type: mitigates
  references: []
- attack_object_id: T1565
  attack_object_name: Data Manipulation
  capability_description: Accurate data recovery
  capability_group: ID.IM
  capability_id: ID.IM-02.06
  comments: This diagnostic statement highlights the critical importance of implementing
    remote data storage solutions as a safeguard against potential adversarial attempts
    to manipulate or conceal data, which could negatively impact business operations
    and organizational data integrity.
  mapping_type: mitigates
  references: []
- attack_object_id: T1498.002
  attack_object_name: Reflection Amplification
  capability_description: Accurate data recovery
  capability_group: ID.IM
  capability_id: ID.IM-02.06
  comments: This diagnostic statement focuses on safeguarding the organization's IP
    addresses and services from reflection amplification attacks, in which adversaries
    send requests to third-party servers using the victim's spoofed address so that
    amplified responses flood the victim and cause a denial of service. Additionally,
    the integration of third-party services is recommended to support the development
    of a comprehensive business continuity plan, ensuring an effective response to such
    incidents.
  mapping_type: mitigates
  references: []
- attack_object_id: T1498.001
  attack_object_name: Direct Network Flood
  capability_description: Accurate data recovery
  capability_group: ID.IM
  capability_id: ID.IM-02.06
  comments: This diagnostic statement focuses on safeguarding IP addresses from potential
    attacks by adversaries, including Network Denial of Service (DoS) attacks targeting
    the availability and functionality of networks. Additionally, the integration
    of third-party services is recommended to support the development of a comprehensive
    business continuity plan, ensuring an effective response to such incidents.
  mapping_type: mitigates
  references: []
- attack_object_id: T1498
  attack_object_name: Network Denial of Service
  capability_description: Accurate data recovery
  capability_group: ID.IM
  capability_id: ID.IM-02.06
  comments: This diagnostic statement focuses on safeguarding IP addresses from potential
    attacks by adversaries, including Network Denial of Service (DoS) attacks targeting
    websites, email services, and web-based applications. Additionally, the integration
    of third-party services is recommended to support the development of a comprehensive
    business continuity plan, ensuring an effective response to such incidents.
  mapping_type: mitigates
  references: []
- attack_object_id: T1490
  attack_object_name: Inhibit System Recovery
  capability_description: Accurate data recovery
  capability_group: ID.IM
  capability_id: ID.IM-02.06
  comments: This diagnostic statement emphasizes the facilitation of data recovery
    through the implementation of robust data backup strategies, comprehensive disaster
    recovery plans, and effective business continuity frameworks, specifically designed
    to address scenarios in which adversaries may attempt to hinder the recovery of
    a compromised system.
  mapping_type: mitigates
  references: []
- attack_object_id: T1486
  attack_object_name: Data Encrypted for Impact
  capability_description: Accurate data recovery
  capability_group: ID.IM
  capability_id: ID.IM-02.06
  comments: This diagnostic statement emphasizes the facilitation of data recovery
    through the implementation of robust data backup strategies, comprehensive disaster
    recovery plans, and effective business continuity frameworks, specifically designed
    to address scenarios in which adversaries may attempt to encrypt data on systems
    using ransomware.
  mapping_type: mitigates
  references: []
- attack_object_id: T1485.001
  attack_object_name: Lifecycle-Triggered Deletion
  capability_description: Accurate data recovery
  capability_group: ID.IM
  capability_id: ID.IM-02.06
  comments: This diagnostic statement emphasizes the facilitation of data recovery
    through the implementation of robust data backup strategies, comprehensive disaster
    recovery plans, and effective business continuity frameworks, specifically designed
    to address scenarios in which adversaries may attempt to modify policies of cloud
    storage and data within it.
  mapping_type: mitigates
  references: []
- attack_object_id: T1485
  attack_object_name: Data Destruction
  capability_description: Accurate data recovery
  capability_group: ID.IM
  capability_id: ID.IM-02.06
  comments: This diagnostic statement emphasizes the facilitation of data recovery
    through the implementation of robust data backup strategies, comprehensive disaster
    recovery plans, and effective business continuity frameworks, specifically designed
    to address scenarios in which adversaries attempt to destroy data and/or files
    on systems found within a large network.
  mapping_type: mitigates
  references: []
- attack_object_id: T1561.002
  attack_object_name: Disk Structure Wipe
  capability_description: Accurate data recovery
  capability_group: ID.IM
  capability_id: ID.IM-02.06
  comments: This diagnostic statement emphasizes the facilitation of data recovery
    through the implementation of robust data backup strategies, comprehensive disaster
    recovery plans, and effective business continuity frameworks, specifically designed
    to address scenarios in which adversaries attempt to erase disk data structures
    on hard drives or within networks.
  mapping_type: mitigates
  references: []
- attack_object_id: T1561.001
  attack_object_name: Disk Content Wipe
  capability_description: Accurate data recovery
  capability_group: ID.IM
  capability_id: ID.IM-02.06
  comments: This diagnostic statement emphasizes the facilitation of data recovery
    through the implementation of robust data backup strategies, comprehensive disaster
    recovery plans, and effective business continuity frameworks, specifically designed
    to address scenarios in which adversaries attempt to erase content found on storage
    devices on systems or within networks.
  mapping_type: mitigates
  references: []
- attack_object_id: T1561
  attack_object_name: Disk Wipe
  capability_description: Accurate data recovery
  capability_group: ID.IM
  capability_id: ID.IM-02.06
  comments: This diagnostic statement emphasizes the facilitation of data recovery
    through the implementation of robust data backup strategies, comprehensive disaster
    recovery plans, and effective business continuity frameworks, specifically designed
    to address scenarios in which adversaries attempt to corrupt raw disk data on
    systems or within networks.
  mapping_type: mitigates
  references: []
- attack_object_id: T1491.002
  attack_object_name: External Defacement
  capability_description: Accurate data recovery
  capability_group: ID.IM
  capability_id: ID.IM-02.06
  comments: This diagnostic statement emphasizes the importance of facilitating data
    recovery through the implementation of robust data backup strategies, comprehensive
    disaster recovery plans, and effective business continuity frameworks, aimed at
    mitigating the risks posed by potential adversarial attempts to deface an organization's
    externally facing content and systems in order to deliver messages or propaganda
    to users.
  mapping_type: mitigates
  references: []
- attack_object_id: T1491.001
  attack_object_name: Internal Defacement
  capability_description: Accurate data recovery
  capability_group: ID.IM
  capability_id: ID.IM-02.06
  comments: This diagnostic statement emphasizes the importance of facilitating data
    recovery through the implementation of robust data backup strategies, comprehensive
    disaster recovery plans, and effective business continuity frameworks, aimed at
    mitigating the risks posed by potential adversarial attempts to compromise or
    manipulate content internally within an organization's network.
  mapping_type: mitigates
  references: []
- attack_object_id: T1491
  attack_object_name: Defacement
  capability_description: Accurate data recovery
  capability_group: ID.IM
  capability_id: ID.IM-02.06
  comments: This diagnostic statement emphasizes the importance of facilitating data
    recovery through the implementation of robust data backup strategies, comprehensive
    disaster recovery plans, and effective business continuity frameworks, aimed at
    mitigating the risks posed by potential adversarial attempts to compromise or
    manipulate content within an enterprise network.
  mapping_type: mitigates
  references: []
- attack_object_id: T1537
  attack_object_name: Transfer Data to Cloud Account
  capability_description: Physical and logical access
  capability_group: PR.AA
  capability_id: PR.AA-01.02
  comments: This diagnostic statement describes how the organization ensures users
    are identified and authenticated before accessing systems, applications, and hardware,
    with logical access controls permitting access only to authorized individuals
    with legitimate business needs. Logical access controls in relation to systems
    can refer to the use of MFA, user account management, and other role-based access
    control mechanisms to enforce policies for authentication and authorization of
    user accounts.
  mapping_type: mitigates
  references: []
- attack_object_id: T1078.004
  attack_object_name: Cloud Accounts
  capability_description: Physical and logical access
  capability_group: PR.AA
  capability_id: PR.AA-01.02
  comments: This diagnostic statement describes how the organization ensures users
    are identified and authenticated before accessing systems, applications, and hardware,
    with logical access controls permitting access only to authorized individuals
    with legitimate business needs. Logical access controls in relation to systems
    can refer to the use of MFA, user account management, and other role-based access
    control mechanisms to enforce policies for authentication and authorization of
    user accounts.
  mapping_type: mitigates
  references: []
- attack_object_id: T1078.003
  attack_object_name: Local Accounts
  capability_description: Physical and logical access
  capability_group: PR.AA
  capability_id: PR.AA-01.02
  comments: This diagnostic statement describes how the organization ensures users
    are identified and authenticated before accessing systems, applications, and hardware,
    with logical access controls permitting access only to authorized individuals
    with legitimate business needs. Logical access controls in relation to systems
    can refer to the use of MFA, user account management, and other role-based access
    control mechanisms to enforce policies for authentication and authorization of
    user accounts.
  mapping_type: mitigates
  references: []
- attack_object_id: T1078.002
  attack_object_name: Domain Accounts
  capability_description: Physical and logical access
  capability_group: PR.AA
  capability_id: PR.AA-01.02
  comments: This diagnostic statement describes how the organization ensures users
    are identified and authenticated before accessing systems, applications, and hardware,
    with logical access controls permitting access only to authorized individuals
    with legitimate business needs. Logical access controls in relation to systems
    can refer to the use of MFA, user account management, and other role-based access
    control mechanisms to enforce policies for authentication and authorization of
    user accounts.
  mapping_type: mitigates
  references: []
- attack_object_id: T1078.001
  attack_object_name: Default Accounts
  capability_description: Physical and logical access
  capability_group: PR.AA
  capability_id: PR.AA-01.02
  comments: This diagnostic statement describes how the organization ensures users
    are identified and authenticated before accessing systems, applications, and hardware,
    with logical access controls permitting access only to authorized individuals
    with legitimate business needs. Logical access controls in relation to systems
    can refer to the use of MFA, user account management, and other role-based access
    control mechanisms to enforce policies for authentication and authorization of
    user accounts.
  mapping_type: mitigates
  references: []
- attack_object_id: T1563
  attack_object_name: Remote Service Session Hijacking
  capability_description: Physical and logical access
  capability_group: PR.AA
  capability_id: PR.AA-01.02
  comments: This diagnostic statement describes how the organization ensures users
    are identified and authenticated before accessing systems, applications, and hardware,
    with logical access controls permitting access only to authorized individuals
    with legitimate business needs. Logical access controls in relation to systems
    can refer to the use of MFA, user account management, and other role-based access
    control mechanisms to enforce policies for authentication and authorization of
    user accounts.
  mapping_type: mitigates
  references: []
- attack_object_id: T1003
  attack_object_name: OS Credential Dumping
  capability_description: Physical and logical access
  capability_group: PR.AA
  capability_id: PR.AA-01.02
  comments: This diagnostic statement describes how the organization ensures users
    are identified and authenticated before accessing systems, applications, and hardware,
    with logical access controls permitting access only to authorized individuals
    with legitimate business needs. Logical access controls in relation to systems
    can refer to the use of MFA, user account management, and other role-based access
    control mechanisms to enforce policies for authentication and authorization of
    user accounts.
  mapping_type: mitigates
  references: []
- attack_object_id: T1558
  attack_object_name: Steal or Forge Kerberos Tickets
  capability_description: Physical and logical access
  capability_group: PR.AA
  capability_id: PR.AA-01.02
  comments: This diagnostic statement describes how the organization ensures users
    are identified and authenticated before accessing systems, applications, and hardware,
    with logical access controls permitting access only to authorized individuals
    with legitimate business needs. Logical access controls in relation to systems
    can refer to the use of MFA, user account management, and other role-based access
    control mechanisms to enforce policies for authentication and authorization of
    user accounts.
  mapping_type: mitigates
  references: []
- attack_object_id: T1047
  attack_object_name: Windows Management Instrumentation
  capability_description: Physical and logical access
  capability_group: PR.AA
  capability_id: PR.AA-01.02
  comments: This diagnostic statement describes how the organization ensures users
    are identified and authenticated before accessing systems, applications, and hardware,
    with logical access controls permitting access only to authorized individuals
    with legitimate business needs. Logical access controls in relation to systems
    can refer to the use of MFA, user account management, and other role-based access
    control mechanisms to enforce policies for authentication and authorization of
    user accounts.
  mapping_type: mitigates
  references: []
- attack_object_id: T1072
  attack_object_name: Software Deployment Tools
  capability_description: Physical and logical access
  capability_group: PR.AA
  capability_id: PR.AA-01.02
  comments: This diagnostic statement describes how the organization ensures users
    are identified and authenticated before accessing systems, applications, and hardware,
    with logical access controls permitting access only to authorized individuals
    with legitimate business needs. Logical access controls in relation to systems
    can refer to the use of MFA, user account management, and other role-based access
    control mechanisms to enforce policies for authentication and authorization of
    user accounts.
  mapping_type: mitigates
  references: []
- attack_object_id: T1021
  attack_object_name: Remote Services
  capability_description: Physical and logical access
  capability_group: PR.AA
  capability_id: PR.AA-01.02
  comments: This diagnostic statement describes how the organization ensures users
    are identified and authenticated before accessing systems, applications, and hardware,
    with logical access controls permitting access only to authorized individuals
    with legitimate business needs. Logical access controls in relation to systems
    can refer to the use of MFA, user account management, and other role-based access
    control mechanisms to enforce policies for authentication and authorization of
    user accounts.
  mapping_type: mitigates
  references: []
- attack_object_id: T1578.005
  attack_object_name: Modify Cloud Compute Configurations
  capability_description: Physical and logical access
  capability_group: PR.AA
  capability_id: PR.AA-01.02
  comments: This diagnostic statement describes how the organization ensures users
    are identified and authenticated before accessing systems, applications, and hardware,
    with logical access controls permitting access only to authorized individuals
    with legitimate business needs. Logical access controls in relation to systems
    can refer to the use of MFA, user account management, and other role-based access
    control mechanisms to enforce policies for authentication and authorization of
    user accounts.
  mapping_type: mitigates
  references: []
- attack_object_id: T1578
  attack_object_name: Modify Cloud Compute Infrastructure
  capability_description: Physical and logical access
  capability_group: PR.AA
  capability_id: PR.AA-01.02
  comments: This diagnostic statement describes how the organization ensures users
    are identified and authenticated before accessing systems, applications, and hardware,
    with logical access controls permitting access only to authorized individuals
    with legitimate business needs. Logical access controls in relation to systems
    can refer to the use of MFA, user account management, and role-based access
    control mechanisms to enforce policies for authentication and authorization of
    user accounts.
  mapping_type: mitigates
  references: []
- attack_object_id: T1556
  attack_object_name: Modify Authentication Process
  capability_description: Physical and logical access
  capability_group: PR.AA
  capability_id: PR.AA-01.02
  comments: This diagnostic statement describes how the organization ensures users
    are identified and authenticated before accessing systems, applications, and hardware,
    with logical access controls permitting access only to authorized individuals
    with legitimate business needs. Logical access controls in relation to systems
    can refer to the use of MFA, user account management, and role-based access
    control mechanisms to enforce policies for authentication and authorization of
    user accounts.
  mapping_type: mitigates
  references: []
- attack_object_id: T1562
  attack_object_name: Impair Defenses
  capability_description: Physical and logical access
  capability_group: PR.AA
  capability_id: PR.AA-01.02
  comments: This diagnostic statement describes how the organization ensures users
    are identified and authenticated before accessing systems, applications, and hardware,
    with logical access controls permitting access only to authorized individuals
    with legitimate business needs. Logical access controls in relation to systems
    can refer to the use of MFA, user account management, and role-based access
    control mechanisms to enforce policies for authentication and authorization of
    user accounts.
  mapping_type: mitigates
  references: []
- attack_object_id: T1657
  attack_object_name: Financial Theft
  capability_description: Physical and logical access
  capability_group: PR.AA
  capability_id: PR.AA-01.02
  comments: This diagnostic statement describes how the organization ensures users
    are identified and authenticated before accessing systems, applications, and hardware,
    with logical access controls permitting access only to authorized individuals
    with legitimate business needs. Logical access controls in relation to systems
    can refer to the use of MFA, user account management, and role-based access
    control mechanisms to enforce policies for authentication and authorization of
    user accounts.
  mapping_type: mitigates
  references: []
- attack_object_id: T1006
  attack_object_name: Direct Volume Access
  capability_description: Physical and logical access
  capability_group: PR.AA
  capability_id: PR.AA-01.02
  comments: This diagnostic statement describes how the organization ensures users
    are identified and authenticated before accessing systems, applications, and hardware,
    with logical access controls permitting access only to authorized individuals
    with legitimate business needs. Logical access controls in relation to systems
    can refer to the use of MFA, user account management, and role-based access
    control mechanisms to enforce policies for authentication and authorization of
    user accounts.
  mapping_type: mitigates
  references: []
- attack_object_id: T1213
  attack_object_name: Data from Information Repositories
  capability_description: Physical and logical access
  capability_group: PR.AA
  capability_id: PR.AA-01.02
  comments: This diagnostic statement describes how the organization ensures users
    are identified and authenticated before accessing systems, applications, and hardware,
    with logical access controls permitting access only to authorized individuals
    with legitimate business needs. Logical access controls in relation to systems
    can refer to the use of MFA, user account management, and role-based access
    control mechanisms to enforce policies for authentication and authorization of
    user accounts.
  mapping_type: mitigates
  references: []
- attack_object_id: T1530
  attack_object_name: Data from Cloud Storage
  capability_description: Physical and logical access
  capability_group: PR.AA
  capability_id: PR.AA-01.02
  comments: This diagnostic statement describes how the organization ensures users
    are identified and authenticated before accessing systems, applications, and hardware,
    with logical access controls permitting access only to authorized individuals
    with legitimate business needs. Logical access controls in relation to systems
    can refer to the use of MFA, user account management, and role-based access
    control mechanisms to enforce policies for authentication and authorization of
    user accounts.
  mapping_type: mitigates
  references: []
- attack_object_id: T1555.005
  attack_object_name: Password Managers
  capability_description: Physical and logical access
  capability_group: PR.AA
  capability_id: PR.AA-01.02
  comments: This diagnostic statement describes how the organization ensures users
    are identified and authenticated before accessing systems, applications, and hardware,
    with logical access controls permitting access only to authorized individuals
    with legitimate business needs. Logical access controls in relation to systems
    can refer to the use of MFA, user account management, and role-based access
    control mechanisms to enforce policies for authentication and authorization of
    user accounts.
  mapping_type: mitigates
  references: []
- attack_object_id: T1555.003
  attack_object_name: Credentials from Web Browsers
  capability_description: Physical and logical access
  capability_group: PR.AA
  capability_id: PR.AA-01.02
  comments: This diagnostic statement describes how the organization ensures users
    are identified and authenticated before accessing systems, applications, and hardware,
    with logical access controls permitting access only to authorized individuals
    with legitimate business needs. Logical access controls in relation to systems
    can refer to the use of MFA, user account management, and role-based access
    control mechanisms to enforce policies for authentication and authorization of
    user accounts.
  mapping_type: mitigates
  references: []
- attack_object_id: T1543.005
  attack_object_name: Container Service
  capability_description: Physical and logical access
  capability_group: PR.AA
  capability_id: PR.AA-01.02
  comments: This diagnostic statement describes how the organization ensures users
    are identified and authenticated before accessing systems, applications, and hardware,
    with logical access controls permitting access only to authorized individuals
    with legitimate business needs. Logical access controls in relation to systems
    can refer to the use of MFA, user account management, and role-based access
    control mechanisms to enforce policies for authentication and authorization of
    user accounts.
  mapping_type: mitigates
  references: []
- attack_object_id: T1543.002
  attack_object_name: Systemd Service
  capability_description: Physical and logical access
  capability_group: PR.AA
  capability_id: PR.AA-01.02
  comments: This diagnostic statement describes how the organization ensures users
    are identified and authenticated before accessing systems, applications, and hardware,
    with logical access controls permitting access only to authorized individuals
    with legitimate business needs. Logical access controls in relation to systems
    can refer to the use of MFA, user account management, and role-based access
    control mechanisms to enforce policies for authentication and authorization of
    user accounts.
  mapping_type: mitigates
  references: []
- attack_object_id: T1543
  attack_object_name: Create or Modify System Process
  capability_description: Physical and logical access
  capability_group: PR.AA
  capability_id: PR.AA-01.02
  comments: This diagnostic statement describes how the organization ensures users
    are identified and authenticated before accessing systems, applications, and hardware,
    with logical access controls permitting access only to authorized individuals
    with legitimate business needs. Logical access controls in relation to systems
    can refer to the use of MFA, user account management, and role-based access
    control mechanisms to enforce policies for authentication and authorization of
    user accounts.
  mapping_type: mitigates
  references: []
- attack_object_id: T1609
  attack_object_name: Container Administration Command
  capability_description: Physical and logical access
  capability_group: PR.AA
  capability_id: PR.AA-01.02
  comments: This diagnostic statement describes how the organization ensures users
    are identified and authenticated before accessing systems, applications, and hardware,
    with logical access controls permitting access only to authorized individuals
    with legitimate business needs. Logical access controls in relation to systems
    can refer to the use of MFA, user account management, and role-based access
    control mechanisms to enforce policies for authentication and authorization of
    user accounts.
  mapping_type: mitigates
  references: []
- attack_object_id: T1556.004
  attack_object_name: Network Device Authentication
  capability_description: Physical and logical access
  capability_group: PR.AA
  capability_id: PR.AA-01.02
  comments: This diagnostic statement describes how the organization ensures users
    are identified and authenticated before accessing systems, applications, and hardware,
    with logical access controls permitting access only to authorized individuals
    with legitimate business needs. Logical access controls in relation to systems
    can refer to the use of MFA, user account management, and role-based access
    control mechanisms to enforce policies for authentication and authorization of
    user accounts.
  mapping_type: mitigates
  references: []
- attack_object_id: T1059.008
  attack_object_name: Network Device CLI
  capability_description: Physical and logical access
  capability_group: PR.AA
  capability_id: PR.AA-01.02
  comments: This diagnostic statement describes how the organization ensures users
    are identified and authenticated before accessing systems, applications, and hardware,
    with logical access controls permitting access only to authorized individuals
    with legitimate business needs. Logical access controls in relation to systems
    can refer to the use of MFA, user account management, and role-based access
    control mechanisms to enforce policies for authentication and authorization of
    user accounts.
  mapping_type: mitigates
  references: []
- attack_object_id: T1619
  attack_object_name: Cloud Storage Object Discovery
  capability_description: Physical and logical access
  capability_group: PR.AA
  capability_id: PR.AA-01.02
  comments: This diagnostic statement describes how the organization ensures users
    are identified and authenticated before accessing systems, applications, and hardware,
    with logical access controls permitting access only to authorized individuals
    with legitimate business needs. Logical access controls in relation to systems
    can refer to the use of MFA, user account management, and role-based access
    control mechanisms to enforce policies for authentication and authorization of
    user accounts.
  mapping_type: mitigates
  references: []
- attack_object_id: T1538
  attack_object_name: Cloud Service Dashboard
  capability_description: Physical and logical access
  capability_group: PR.AA
  capability_id: PR.AA-01.02
  comments: This diagnostic statement describes how the organization ensures users
    are identified and authenticated before accessing systems, applications, and hardware,
    with logical access controls permitting access only to authorized individuals
    with legitimate business needs. Logical access controls in relation to systems
    can refer to the use of MFA, user account management, and role-based access
    control mechanisms to enforce policies for authentication and authorization of
    user accounts.
  mapping_type: mitigates
  references: []
- attack_object_id: T1580
  attack_object_name: Cloud Infrastructure Discovery
  capability_description: Physical and logical access
  capability_group: PR.AA
  capability_id: PR.AA-01.02
  comments: This diagnostic statement describes how the organization ensures users
    are identified and authenticated before accessing systems, applications, and hardware,
    with logical access controls permitting access only to authorized individuals
    with legitimate business needs. Logical access controls in relation to systems
    can refer to the use of MFA, user account management, and role-based access
    control mechanisms to enforce policies for authentication and authorization of
    user accounts.
  mapping_type: mitigates
  references: []
- attack_object_id: T1110
  attack_object_name: Brute Force
  capability_description: Physical and logical access
  capability_group: PR.AA
  capability_id: PR.AA-01.02
  comments: This diagnostic statement describes how the organization ensures users
    are identified and authenticated before accessing systems, applications, and hardware,
    with logical access controls permitting access only to authorized individuals
    with legitimate business needs. Logical access controls in relation to systems
    can refer to the use of MFA, user account management, and role-based access
    control mechanisms to enforce policies for authentication and authorization of
    user accounts.
  mapping_type: mitigates
  references: []
- attack_object_id: T1547.013
  attack_object_name: XDG Autostart Entries
  capability_description: Physical and logical access
  capability_group: PR.AA
  capability_id: PR.AA-01.02
  comments: This diagnostic statement describes how the organization ensures users
    are identified and authenticated before accessing systems, applications, and hardware,
    with logical access controls permitting access only to authorized individuals
    with legitimate business needs. Logical access controls in relation to systems
    can refer to the use of MFA, user account management, and role-based access
    control mechanisms to enforce policies for authentication and authorization of
    user accounts.
  mapping_type: mitigates
  references: []
- attack_object_id: T1547.012
  attack_object_name: Print Processors
  capability_description: Physical and logical access
  capability_group: PR.AA
  capability_id: PR.AA-01.02
  comments: This diagnostic statement describes how the organization ensures users
    are identified and authenticated before accessing systems, applications, and hardware,
    with logical access controls permitting access only to authorized individuals
    with legitimate business needs. Logical access controls in relation to systems
    can refer to the use of MFA, user account management, and role-based access
    control mechanisms to enforce policies for authentication and authorization of
    user accounts.
  mapping_type: mitigates
  references: []
- attack_object_id: T1547.009
  attack_object_name: Shortcut Modification
  capability_description: Physical and logical access
  capability_group: PR.AA
  capability_id: PR.AA-01.02
  comments: This diagnostic statement describes how the organization ensures users
    are identified and authenticated before accessing systems, applications, and hardware,
    with logical access controls permitting access only to authorized individuals
    with legitimate business needs. Logical access controls in relation to systems
    can refer to the use of MFA, user account management, and role-based access
    control mechanisms to enforce policies for authentication and authorization of
    user accounts.
  mapping_type: mitigates
  references: []
- attack_object_id: T1547.006
  attack_object_name: Kernel Modules and Extensions
  capability_description: Physical and logical access
  capability_group: PR.AA
  capability_id: PR.AA-01.02
  comments: This diagnostic statement describes how the organization ensures users
    are identified and authenticated before accessing systems, applications, and hardware,
    with logical access controls permitting access only to authorized individuals
    with legitimate business needs. Logical access controls in relation to systems
    can refer to the use of MFA, user account management, and role-based access
    control mechanisms to enforce policies for authentication and authorization of
    user accounts.
  mapping_type: mitigates
  references: []
- attack_object_id: T1547.004
  attack_object_name: Winlogon Helper DLL
  capability_description: Physical and logical access
  capability_group: PR.AA
  capability_id: PR.AA-01.02
  comments: This diagnostic statement describes how the organization ensures users
    are identified and authenticated before accessing systems, applications, and hardware,
    with logical access controls permitting access only to authorized individuals
    with legitimate business needs. Logical access controls in relation to systems
    can refer to the use of MFA, user account management, and role-based access
    control mechanisms to enforce policies for authentication and authorization of
    user accounts.
  mapping_type: mitigates
  references: []
- attack_object_id: T1197
  attack_object_name: BITS Jobs
  capability_description: Physical and logical access
  capability_group: PR.AA
  capability_id: PR.AA-01.02
  comments: This diagnostic statement describes how the organization ensures users
    are identified and authenticated before accessing systems, applications, and hardware,
    with logical access controls permitting access only to authorized individuals
    with legitimate business needs. Logical access controls in relation to systems
    can refer to the use of MFA, user account management, and role-based access
    control mechanisms to enforce policies for authentication and authorization of
    user accounts.
  mapping_type: mitigates
  references: []
- attack_object_id: T1020.001
  attack_object_name: Traffic Duplication
  capability_description: Physical and logical access
  capability_group: PR.AA
  capability_id: PR.AA-01.02
  comments: This diagnostic statement describes how the organization ensures users
    are identified and authenticated before accessing systems, applications, and hardware,
    with logical access controls permitting access only to authorized individuals
    with legitimate business needs. Logical access controls in relation to systems
    can refer to the use of MFA, user account management, and role-based access
    control mechanisms to enforce policies for authentication and authorization of
    user accounts.
  mapping_type: mitigates
  references: []
- attack_object_id: T1098.006
  attack_object_name: Additional Container Cluster Roles
  capability_description: Physical and logical access
  capability_group: PR.AA
  capability_id: PR.AA-01.02
  comments: This diagnostic statement describes how the organization ensures users
    are identified and authenticated before accessing systems, applications, and hardware,
    with logical access controls permitting access only to authorized individuals
    with legitimate business needs. Logical access controls in relation to systems
    can refer to the use of MFA, user account management, and role-based access
    control mechanisms to enforce policies for authentication and authorization of
    user accounts.
  mapping_type: mitigates
  references: []
- attack_object_id: T1098.004
  attack_object_name: SSH Authorized Keys
  capability_description: Physical and logical access
  capability_group: PR.AA
  capability_id: PR.AA-01.02
  comments: This diagnostic statement describes how the organization ensures users
    are identified and authenticated before accessing systems, applications, and hardware,
    with logical access controls permitting access only to authorized individuals
    with legitimate business needs. Logical access controls in relation to systems
    can refer to the use of MFA, user account management, and role-based access
    control mechanisms to enforce policies for authentication and authorization of
    user accounts.
  mapping_type: mitigates
  references: []
- attack_object_id: T1098.003
  attack_object_name: Additional Cloud Roles
  capability_description: Physical and logical access
  capability_group: PR.AA
  capability_id: PR.AA-01.02
  comments: This diagnostic statement describes how the organization ensures users
    are identified and authenticated before accessing systems, applications, and hardware,
    with logical access controls permitting access only to authorized individuals
    with legitimate business needs. Logical access controls in relation to systems
    can refer to the use of MFA, user account management, and role-based access
    control mechanisms to enforce policies for authentication and authorization of
    user accounts.
  mapping_type: mitigates
  references: []
- attack_object_id: T1098.001
  attack_object_name: Additional Cloud Credentials
  capability_description: Physical and logical access
  capability_group: PR.AA
  capability_id: PR.AA-01.02
  comments: This diagnostic statement describes how the organization ensures users
    are identified and authenticated before accessing systems, applications, and hardware,
    with logical access controls permitting access only to authorized individuals
    with legitimate business needs. Logical access controls in relation to systems
    can refer to the use of MFA, user account management, and role-based access
    control mechanisms to enforce policies for authentication and authorization of
    user accounts.
  mapping_type: mitigates
  references: []
- attack_object_id: T1098
  attack_object_name: Account Manipulation
  capability_description: Physical and logical access
  capability_group: PR.AA
  capability_id: PR.AA-01.02
  comments: This diagnostic statement describes how the organization ensures users
    are identified and authenticated before accessing systems, applications, and hardware,
    with logical access controls permitting access only to authorized individuals
    with legitimate business needs. Logical access controls in relation to systems
    can refer to the use of MFA, user account management, and role-based access
    control mechanisms to enforce policies for authentication and authorization of
    user accounts.
  mapping_type: mitigates
  references: []
- attack_object_id: T1087.004
  attack_object_name: Cloud Account
  capability_description: Physical and logical access
  capability_group: PR.AA
  capability_id: PR.AA-01.02
  comments: This diagnostic statement describes how the organization ensures users
    are identified and authenticated before accessing systems, applications, and hardware,
    with logical access controls permitting access only to authorized individuals
    with legitimate business needs. Logical access controls in relation to systems
    can refer to the use of MFA, user account management, and role-based access
    control mechanisms to enforce policies for authentication and authorization of
    user accounts.
  mapping_type: mitigates
  references: []
- attack_object_id: T1087
  attack_object_name: Account Discovery
  capability_description: Physical and logical access
  capability_group: PR.AA
  capability_id: PR.AA-01.02
  comments: This diagnostic statement describes how the organization ensures users
    are identified and authenticated before accessing systems, applications, and hardware,
    with logical access controls permitting access only to authorized individuals
    with legitimate business needs. Logical access controls in relation to systems
    can refer to the use of MFA, user account management, and role-based access
    control mechanisms to enforce policies for authentication and authorization of
    user accounts.
  mapping_type: mitigates
  references: []
- attack_object_id: T1134.003
  attack_object_name: Make and Impersonate Token
  capability_description: Physical and logical access
  capability_group: PR.AA
  capability_id: PR.AA-01.02
  comments: This diagnostic statement describes how the organization ensures users
    are identified and authenticated before accessing systems, applications, and hardware,
    with logical access controls permitting access only to authorized individuals
    with legitimate business needs. Logical access controls in relation to systems
    can refer to the use of MFA, user account management, and role-based access
    control mechanisms to enforce policies for authentication and authorization of
    user accounts.
  mapping_type: mitigates
  references: []
- attack_object_id: T1134.002
  attack_object_name: Create Process with Token
  capability_description: Physical and logical access
  capability_group: PR.AA
  capability_id: PR.AA-01.02
  comments: This diagnostic statement describes how the organization ensures users
    are identified and authenticated before accessing systems, applications, and hardware,
    with logical access controls permitting access only to authorized individuals
    with legitimate business needs. Logical access controls in relation to systems
    can refer to the use of MFA, user account management, and role-based access
    control mechanisms to enforce policies for authentication and authorization of
    user accounts.
  mapping_type: mitigates
  references: []
- attack_object_id: T1134.001
  attack_object_name: Token Impersonation/Theft
  capability_description: Physical and logical access
  capability_group: PR.AA
  capability_id: PR.AA-01.02
  comments: This diagnostic statement describes how the organization ensures users
    are identified and authenticated before accessing systems, applications, and hardware,
    with logical access controls permitting access only to authorized individuals
    with legitimate business needs. Logical access controls in relation to systems
    can refer to the use of MFA, user account management, and role-based access
    control mechanisms to enforce policies for authentication and authorization of
    user accounts.
  mapping_type: mitigates
  references: []
- attack_object_id: T1134
  attack_object_name: Access Token Manipulation
  capability_description: Physical and logical access
  capability_group: PR.AA
  capability_id: PR.AA-01.02
  comments: This diagnostic statement describes how the organization ensures users
    are identified and authenticated before accessing systems, applications, and hardware,
    with logical access controls permitting access only to authorized individuals
    with legitimate business needs. Logical access controls in relation to systems
    can refer to the use of MFA, user account management, and role-based access
    control mechanisms to enforce policies for authentication and authorization of
    user accounts.
  mapping_type: mitigates
  references: []
- attack_object_id: T1548.005
  attack_object_name: Temporary Elevated Cloud Access
  capability_description: Physical and logical access
  capability_group: PR.AA
  capability_id: PR.AA-01.02
  comments: This diagnostic statement describes how the organization ensures users
    are identified and authenticated before accessing systems, applications, and hardware,
    with logical access controls permitting access only to authorized individuals
    with legitimate business needs. Logical access controls in relation to systems
    can refer to the use of MFA, user account management, and role-based access
    control mechanisms to enforce policies for authentication and authorization of
    user accounts.
  mapping_type: mitigates
  references: []
- attack_object_id: T1548
  attack_object_name: Abuse Elevation Control Mechanism
  capability_description: Physical and logical access
  capability_group: PR.AA
  capability_id: PR.AA-01.02
  comments: This diagnostic statement describes how the organization ensures users
    are identified and authenticated before accessing systems, applications, and hardware,
    with logical access controls permitting access only to authorized individuals
    with legitimate business needs. Logical access controls in relation to systems
    can refer to the use of MFA, user account management, and role-based access
    control mechanisms to enforce policies for authentication and authorization of
    user accounts.
  mapping_type: mitigates
  references: []
- attack_object_id: T1078
  attack_object_name: Valid Accounts
  capability_description: Physical and logical access
  capability_group: PR.AA
  capability_id: PR.AA-01.02
  comments: This diagnostic statement describes how the organization ensures users
    are identified and authenticated before accessing systems, applications, and hardware,
    with logical access controls permitting access only to authorized individuals
    with legitimate business needs. Logical access controls in relation to systems
    can refer to the use of MFA, user account management, and role-based access
    control mechanisms to enforce policies for authentication and authorization of
    user accounts.
  mapping_type: mitigates
  references: []
- attack_object_id: T1609
  attack_object_name: Container Administration Command
  capability_description: Authentication requirements
  capability_group: PR.AA
  capability_id: PR.AA-03.01
  comments: This diagnostic statement describes how the organization implements appropriate
    authentication requirements, including selecting mechanisms based on risk, utilizing
    multi-factor authentication where necessary, and safeguarding the storage of authenticators
    like PINs and passwords to protect sensitive access credentials.
  mapping_type: mitigates
  references: []
- attack_object_id: T1059.008
  attack_object_name: Network Device CLI
  capability_description: Authentication requirements
  capability_group: PR.AA
  capability_id: PR.AA-03.01
  comments: This diagnostic statement describes how the organization implements appropriate
    authentication requirements, including selecting mechanisms based on risk, utilizing
    multi-factor authentication where necessary, and safeguarding the storage of authenticators
    like PINs and passwords to protect sensitive access credentials.
  mapping_type: mitigates
  references: []
- attack_object_id: T1555.005
  attack_object_name: Password Managers
  capability_description: Authentication requirements
  capability_group: PR.AA
  capability_id: PR.AA-03.01
  comments: This diagnostic statement describes how the organization implements appropriate
    authentication requirements, including selecting mechanisms based on risk, utilizing
    multi-factor authentication where necessary, and safeguarding the storage of authenticators
    like PINs and passwords to protect sensitive access credentials.
  mapping_type: mitigates
  references: []
- attack_object_id: T1651
  attack_object_name: Cloud Administration Command
  capability_description: Authentication requirements
  capability_group: PR.AA
  capability_id: PR.AA-03.01
  comments: This diagnostic statement describes how the organization implements appropriate
    authentication requirements, including selecting mechanisms based on risk, utilizing
    multi-factor authentication where necessary, and safeguarding the storage of authenticators
    like PINs and passwords to protect sensitive access credentials.
  mapping_type: mitigates
  references: []
- attack_object_id: T1552
  attack_object_name: Unsecured Credentials
  capability_description: Authentication requirements
  capability_group: PR.AA
  capability_id: PR.AA-03.01
  comments: This diagnostic statement describes how the organization implements appropriate
    authentication requirements, including selecting mechanisms based on risk, utilizing
    multi-factor authentication where necessary, and safeguarding the storage of authenticators
    like PINs and passwords to protect sensitive access credentials.
  mapping_type: mitigates
  references: []
- attack_object_id: T1555
  attack_object_name: Credentials from Password Stores
  capability_description: Authentication requirements
  capability_group: PR.AA
  capability_id: PR.AA-03.01
  comments: This diagnostic statement describes how the organization implements appropriate
    authentication requirements, including selecting mechanisms based on risk, utilizing
    multi-factor authentication where necessary, and safeguarding the storage of authenticators
    like PINs and passwords to protect sensitive access credentials.
  mapping_type: mitigates
  references: []
- attack_object_id: T1649
  attack_object_name: Steal or Forge Authentication Certificates
  capability_description: Authentication requirements
  capability_group: PR.AA
  capability_id: PR.AA-03.01
  comments: This diagnostic statement describes how the organization implements appropriate
    authentication requirements, including selecting mechanisms based on risk, utilizing
    multi-factor authentication where necessary, and safeguarding the storage of authenticators
    like PINs and passwords to protect sensitive access credentials.
  mapping_type: mitigates
  references: []
- attack_object_id: T1558
  attack_object_name: Steal or Forge Kerberos Tickets
  capability_description: Authentication requirements
  capability_group: PR.AA
  capability_id: PR.AA-03.01
  comments: This diagnostic statement describes how the organization implements appropriate
    authentication requirements, including selecting mechanisms based on risk, utilizing
    multi-factor authentication where necessary, and safeguarding the storage of authenticators
    like PINs and passwords to protect sensitive access credentials.
  mapping_type: mitigates
  references: []
- attack_object_id: T1003.001
  attack_object_name: LSASS Memory
  capability_description: Authentication requirements
  capability_group: PR.AA
  capability_id: PR.AA-03.01
  comments: This diagnostic statement describes how the organization implements appropriate
    authentication requirements, including selecting mechanisms based on risk, utilizing
    multi-factor authentication where necessary, and safeguarding the storage of authenticators
    like PINs and passwords to protect sensitive access credentials.
  mapping_type: mitigates
  references: []
- attack_object_id: T1003
  attack_object_name: OS Credential Dumping
  capability_description: Authentication requirements
  capability_group: PR.AA
  capability_id: PR.AA-03.01
  comments: This diagnostic statement describes how the organization implements appropriate
    authentication requirements, including selecting mechanisms based on risk, utilizing
    multi-factor authentication where necessary, and safeguarding the storage of authenticators
    like PINs and passwords to protect sensitive access credentials.
  mapping_type: mitigates
  references: []
- attack_object_id: T1550
  attack_object_name: Use Alternate Authentication Material
  capability_description: Authentication requirements
  capability_group: PR.AA
  capability_id: PR.AA-03.01
  comments: This diagnostic statement describes how the organization implements appropriate
    authentication requirements, including selecting mechanisms based on risk, utilizing
    multi-factor authentication where necessary, and safeguarding the storage of authenticators
    like PINs and passwords to protect sensitive access credentials.
  mapping_type: mitigates
  references: []
- attack_object_id: T1187
  attack_object_name: Forced Authentication
  capability_description: Authentication requirements
  capability_group: PR.AA
  capability_id: PR.AA-03.01
  comments: This diagnostic statement describes how the organization implements appropriate
    authentication requirements, including selecting mechanisms based on risk, utilizing
    multi-factor authentication where necessary, and safeguarding the storage of authenticators
    like PINs and passwords to protect sensitive access credentials.
  mapping_type: mitigates
  references: []
- attack_object_id: T1078.004
  attack_object_name: Cloud Accounts
  capability_description: Authentication requirements
  capability_group: PR.AA
  capability_id: PR.AA-03.01
  comments: This diagnostic statement describes how the organization implements appropriate
    authentication requirements, including selecting mechanisms based on risk, utilizing
    multi-factor authentication where necessary, and safeguarding the storage of authenticators
    like PINs and passwords to protect sensitive access credentials.
  mapping_type: mitigates
  references: []
- attack_object_id: T1078.003
  attack_object_name: Local Accounts
  capability_description: Authentication requirements
  capability_group: PR.AA
  capability_id: PR.AA-03.01
  comments: This diagnostic statement describes how the organization implements appropriate
    authentication requirements, including selecting mechanisms based on risk, utilizing
    multi-factor authentication where necessary, and safeguarding the storage of authenticators
    like PINs and passwords to protect sensitive access credentials.
  mapping_type: mitigates
  references: []
- attack_object_id: T1078.002
  attack_object_name: Domain Accounts
  capability_description: Authentication requirements
  capability_group: PR.AA
  capability_id: PR.AA-03.01
  comments: This diagnostic statement describes how the organization implements appropriate
    authentication requirements, including selecting mechanisms based on risk, utilizing
    multi-factor authentication where necessary, and safeguarding the storage of authenticators
    like PINs and passwords to protect sensitive access credentials.
  mapping_type: mitigates
  references: []
- attack_object_id: T1078.001
  attack_object_name: Default Accounts
  capability_description: Authentication requirements
  capability_group: PR.AA
  capability_id: PR.AA-03.01
  comments: This diagnostic statement describes how the organization implements appropriate
    authentication requirements, including selecting mechanisms based on risk, utilizing
    multi-factor authentication where necessary, and safeguarding the storage of authenticators
    like PINs and passwords to protect sensitive access credentials.
  mapping_type: mitigates
  references: []
- attack_object_id: T1078
  attack_object_name: Valid Accounts
  capability_description: Authentication requirements
  capability_group: PR.AA
  capability_id: PR.AA-03.01
  comments: This diagnostic statement describes how the organization implements appropriate
    authentication requirements, including selecting mechanisms based on risk, utilizing
    multi-factor authentication where necessary, and safeguarding the storage of authenticators
    like PINs and passwords to protect sensitive access credentials.
  mapping_type: mitigates
  references: []
- attack_object_id: T1539
  attack_object_name: Steal Web Session Cookie
  capability_description: Authentication requirements
  capability_group: PR.AA
  capability_id: PR.AA-03.01
  comments: This diagnostic statement describes how the organization implements appropriate
    authentication requirements, including selecting mechanisms based on risk, utilizing
    multi-factor authentication where necessary, and safeguarding the storage of authenticators
    like PINs and passwords to protect sensitive access credentials.
  mapping_type: mitigates
  references: []
- attack_object_id: T1072
  attack_object_name: Software Deployment Tools
  capability_description: Authentication requirements
  capability_group: PR.AA
  capability_id: PR.AA-03.01
  comments: This diagnostic statement describes how the organization implements appropriate
    authentication requirements, including selecting mechanisms based on risk, utilizing
    multi-factor authentication where necessary, and safeguarding the storage of authenticators
    like PINs and passwords to protect sensitive access credentials.
  mapping_type: mitigates
  references: []
- attack_object_id: T1021.007
  attack_object_name: Cloud Services
  capability_description: Authentication requirements
  capability_group: PR.AA
  capability_id: PR.AA-03.01
  comments: This diagnostic statement describes how the organization implements appropriate
    authentication requirements, including selecting mechanisms based on risk, utilizing
    multi-factor authentication where necessary, and safeguarding the storage of authenticators
    like PINs and passwords to protect sensitive access credentials.
  mapping_type: mitigates
  references: []
- attack_object_id: T1021.004
  attack_object_name: SSH
  capability_description: Authentication requirements
  capability_group: PR.AA
  capability_id: PR.AA-03.01
  comments: This diagnostic statement describes how the organization implements appropriate
    authentication requirements, including selecting mechanisms based on risk, utilizing
    multi-factor authentication where necessary, and safeguarding the storage of authenticators
    like PINs and passwords to protect sensitive access credentials.
  mapping_type: mitigates
  references: []
- attack_object_id: T1021.001
  attack_object_name: Remote Desktop Protocol
  capability_description: Authentication requirements
  capability_group: PR.AA
  capability_id: PR.AA-03.01
  comments: This diagnostic statement describes how the organization implements appropriate
    authentication requirements, including selecting mechanisms based on risk, utilizing
    multi-factor authentication where necessary, and safeguarding the storage of authenticators
    like PINs and passwords to protect sensitive access credentials.
  mapping_type: mitigates
  references: []
- attack_object_id: T1021
  attack_object_name: Remote Services
  capability_description: Authentication requirements
  capability_group: PR.AA
  capability_id: PR.AA-03.01
  comments: This diagnostic statement describes how the organization implements appropriate
    authentication requirements, including selecting mechanisms based on risk, utilizing
    multi-factor authentication where necessary, and safeguarding the storage of authenticators
    like PINs and passwords to protect sensitive access credentials.
  mapping_type: mitigates
  references: []
- attack_object_id: T1599.001
  attack_object_name: Network Address Translation Traversal
  capability_description: Authentication requirements
  capability_group: PR.AA
  capability_id: PR.AA-03.01
  comments: This diagnostic statement describes how the organization implements appropriate
    authentication requirements, including selecting mechanisms based on risk, utilizing
    multi-factor authentication where necessary, and safeguarding the storage of authenticators
    like PINs and passwords to protect sensitive access credentials.
  mapping_type: mitigates
  references: []
- attack_object_id: T1599
  attack_object_name: Network Boundary Bridging
  capability_description: Authentication requirements
  capability_group: PR.AA
  capability_id: PR.AA-03.01
  comments: This diagnostic statement describes how the organization implements appropriate
    authentication requirements, including selecting mechanisms based on risk, utilizing
    multi-factor authentication where necessary, and safeguarding the storage of authenticators
    like PINs and passwords to protect sensitive access credentials.
  mapping_type: mitigates
  references: []
- attack_object_id: T1601.002
  attack_object_name: Downgrade System Image
  capability_description: Authentication requirements
  capability_group: PR.AA
  capability_id: PR.AA-03.01
  comments: This diagnostic statement describes how the organization implements appropriate
    authentication requirements, including selecting mechanisms based on risk, utilizing
    multi-factor authentication where necessary, and safeguarding the storage of authenticators
    like PINs and passwords to protect sensitive access credentials.
  mapping_type: mitigates
  references: []
- attack_object_id: T1601.001
  attack_object_name: Patch System Image
  capability_description: Authentication requirements
  capability_group: PR.AA
  capability_id: PR.AA-03.01
  comments: This diagnostic statement describes how the organization implements appropriate
    authentication requirements, including selecting mechanisms based on risk, utilizing
    multi-factor authentication where necessary, and safeguarding the storage of authenticators
    like PINs and passwords to protect sensitive access credentials.
  mapping_type: mitigates
  references: []
- attack_object_id: T1601
  attack_object_name: Modify System Image
  capability_description: Authentication requirements
  capability_group: PR.AA
  capability_id: PR.AA-03.01
  comments: This diagnostic statement describes how the organization implements appropriate
    authentication requirements, including selecting mechanisms based on risk, utilizing
    multi-factor authentication where necessary, and safeguarding the storage of authenticators
    like PINs and passwords to protect sensitive access credentials.
  mapping_type: mitigates
  references: []
- attack_object_id: T1556.007
  attack_object_name: Hybrid Identity
  capability_description: Authentication requirements
  capability_group: PR.AA
  capability_id: PR.AA-03.01
  comments: This diagnostic statement describes how the organization implements appropriate
    authentication requirements, including selecting mechanisms based on risk, utilizing
    multi-factor authentication where necessary, and safeguarding the storage of authenticators
    like PINs and passwords to protect sensitive access credentials.
  mapping_type: mitigates
  references: []
- attack_object_id: T1556.006
  attack_object_name: Multi-Factor Authentication
  capability_description: Authentication requirements
  capability_group: PR.AA
  capability_id: PR.AA-03.01
  comments: This diagnostic statement describes how the organization implements appropriate
    authentication requirements, including selecting mechanisms based on risk, utilizing
    multi-factor authentication where necessary, and safeguarding the storage of authenticators
    like PINs and passwords to protect sensitive access credentials.
  mapping_type: mitigates
  references: []
- attack_object_id: T1556.004
  attack_object_name: Network Device Authentication
  capability_description: Authentication requirements
  capability_group: PR.AA
  capability_id: PR.AA-03.01
  comments: This diagnostic statement describes how the organization implements appropriate
    authentication requirements, including selecting mechanisms based on risk, utilizing
    multi-factor authentication where necessary, and safeguarding the storage of authenticators
    like PINs and passwords to protect sensitive access credentials.
  mapping_type: mitigates
  references: []
- attack_object_id: T1556.001
  attack_object_name: Domain Controller Authentication
  capability_description: Authentication requirements
  capability_group: PR.AA
  capability_id: PR.AA-03.01
  comments: This diagnostic statement describes how the organization implements appropriate
    authentication requirements, including selecting mechanisms based on risk, utilizing
    multi-factor authentication where necessary, and safeguarding the storage of authenticators
    like PINs and passwords to protect sensitive access credentials.
  mapping_type: mitigates
  references: []
- attack_object_id: T1556
  attack_object_name: Modify Authentication Process
  capability_description: Authentication requirements
  capability_group: PR.AA
  capability_id: PR.AA-03.01
  comments: This diagnostic statement describes how the organization implements appropriate
    authentication requirements, including selecting mechanisms based on risk, utilizing
    multi-factor authentication where necessary, and safeguarding the storage of authenticators
    like PINs and passwords to protect sensitive access credentials.
  mapping_type: mitigates
  references: []
- attack_object_id: T1133
  attack_object_name: External Remote Services
  capability_description: Authentication requirements
  capability_group: PR.AA
  capability_id: PR.AA-03.01
  comments: This diagnostic statement describes how the organization implements appropriate
    authentication requirements, including selecting mechanisms based on risk, utilizing
    multi-factor authentication where necessary, and safeguarding the storage of authenticators
    like PINs and passwords to protect sensitive access credentials.
  mapping_type: mitigates
  references: []
- attack_object_id: T1114
  attack_object_name: Email Collection
  capability_description: Authentication requirements
  capability_group: PR.AA
  capability_id: PR.AA-03.01
  comments: This diagnostic statement describes how the organization implements appropriate
    authentication requirements, including selecting mechanisms based on risk, utilizing
    multi-factor authentication where necessary, and safeguarding the storage of authenticators
    like PINs and passwords to protect sensitive access credentials.
  mapping_type: mitigates
  references: []
- attack_object_id: T1593.003
  attack_object_name: Code Repositories
  capability_description: Authentication requirements
  capability_group: PR.AA
  capability_id: PR.AA-03.01
  comments: This diagnostic statement describes how the organization implements appropriate
    authentication requirements, including selecting mechanisms based on risk, utilizing
    multi-factor authentication where necessary, and safeguarding the storage of authenticators
    like PINs and passwords to protect sensitive access credentials.
  mapping_type: mitigates
  references: []
- attack_object_id: T1213
  attack_object_name: Data from Information Repositories
  capability_description: Authentication requirements
  capability_group: PR.AA
  capability_id: PR.AA-03.01
  comments: This diagnostic statement describes how the organization implements appropriate
    authentication requirements, including selecting mechanisms based on risk, utilizing
    multi-factor authentication where necessary, and safeguarding the storage of authenticators
    like PINs and passwords to protect sensitive access credentials.
  mapping_type: mitigates
  references: []
- attack_object_id: T1530
  attack_object_name: Data from Cloud Storage
  capability_description: Authentication requirements
  capability_group: PR.AA
  capability_id: PR.AA-03.01
  comments: This diagnostic statement describes how the organization implements appropriate
    authentication requirements, including selecting mechanisms based on risk, utilizing
    multi-factor authentication where necessary, and safeguarding the storage of authenticators
    like PINs and passwords to protect sensitive access credentials.
  mapping_type: mitigates
  references: []
- attack_object_id: T1136.003
  attack_object_name: Cloud Account
  capability_description: Authentication requirements
  capability_group: PR.AA
  capability_id: PR.AA-03.01
  comments: This diagnostic statement describes how the organization implements appropriate
    authentication requirements, including selecting mechanisms based on risk, utilizing
    multi-factor authentication where necessary, and safeguarding the storage of authenticators
    like PINs and passwords to protect sensitive access credentials.
  mapping_type: mitigates
  references: []
- attack_object_id: T1136.002
  attack_object_name: Domain Account
  capability_description: Authentication requirements
  capability_group: PR.AA
  capability_id: PR.AA-03.01
  comments: This diagnostic statement describes how the organization implements appropriate
    authentication requirements, including selecting mechanisms based on risk, utilizing
    multi-factor authentication where necessary, and safeguarding the storage of authenticators
    like PINs and passwords to protect sensitive access credentials.
  mapping_type: mitigates
  references: []
- attack_object_id: T1136.001
  attack_object_name: Local Account
  capability_description: Authentication requirements
  capability_group: PR.AA
  capability_id: PR.AA-03.01
  comments: This diagnostic statement describes how the organization implements appropriate
    authentication requirements, including selecting mechanisms based on risk, utilizing
    multi-factor authentication where necessary, and safeguarding the storage of authenticators
    like PINs and passwords to protect sensitive access credentials.
  mapping_type: mitigates
  references: []
- attack_object_id: T1136
  attack_object_name: Create Account
  capability_description: Authentication requirements
  capability_group: PR.AA
  capability_id: PR.AA-03.01
  comments: This diagnostic statement describes how the organization implements appropriate
    authentication requirements, including selecting mechanisms based on risk, utilizing
    multi-factor authentication where necessary, and safeguarding the storage of authenticators
    like PINs and passwords to protect sensitive access credentials.
  mapping_type: mitigates
  references: []
- attack_object_id: T1110.002
  attack_object_name: Password Cracking
  capability_description: Authentication requirements
  capability_group: PR.AA
  capability_id: PR.AA-03.01
  comments: This diagnostic statement describes how the organization implements appropriate
    authentication requirements, including selecting mechanisms based on risk, utilizing
    multi-factor authentication where necessary, and safeguarding the storage of authenticators
    like PINs and passwords to protect sensitive access credentials.
  mapping_type: mitigates
  references: []
- attack_object_id: T1110.004
  attack_object_name: Credential Stuffing
  capability_description: Authentication requirements
  capability_group: PR.AA
  capability_id: PR.AA-03.01
  comments: This diagnostic statement describes how the organization implements appropriate
    authentication requirements, including selecting mechanisms based on risk, utilizing
    multi-factor authentication where necessary, and safeguarding the storage of authenticators
    like PINs and passwords to protect sensitive access credentials.
  mapping_type: mitigates
  references: []
- attack_object_id: T1110.003
  attack_object_name: Password Spraying
  capability_description: Authentication requirements
  capability_group: PR.AA
  capability_id: PR.AA-03.01
  comments: This diagnostic statement describes how the organization implements appropriate
    authentication requirements, including selecting mechanisms based on risk, utilizing
    multi-factor authentication where necessary, and safeguarding the storage of authenticators
    like PINs and passwords to protect sensitive access credentials.
  mapping_type: mitigates
  references: []
- attack_object_id: T1110.001
  attack_object_name: Password Guessing
  capability_description: Authentication requirements
  capability_group: PR.AA
  capability_id: PR.AA-03.01
  comments: This diagnostic statement describes how the organization implements appropriate
    authentication requirements, including selecting mechanisms based on risk, utilizing
    multi-factor authentication where necessary, and safeguarding the storage of authenticators
    like PINs and passwords to protect sensitive access credentials.
  mapping_type: mitigates
  references: []
- attack_object_id: T1110
  attack_object_name: Brute Force
  capability_description: Authentication requirements
  capability_group: PR.AA
  capability_id: PR.AA-03.01
  comments: This diagnostic statement describes how the organization implements appropriate
    authentication requirements, including selecting mechanisms based on risk, utilizing
    multi-factor authentication where necessary, and safeguarding the storage of authenticators
    like PINs and passwords to protect sensitive access credentials.
  mapping_type: mitigates
  references: []
- attack_object_id: T1098.006
  attack_object_name: Additional Container Cluster Roles
  capability_description: Authentication requirements
  capability_group: PR.AA
  capability_id: PR.AA-03.01
  comments: This diagnostic statement describes how the organization implements appropriate
    authentication requirements, including selecting mechanisms based on risk, utilizing
    multi-factor authentication where necessary, and safeguarding the storage of authenticators
    like PINs and passwords to protect sensitive access credentials.
  mapping_type: mitigates
  references: []
- attack_object_id: T1098.005
  attack_object_name: Device Registration
  capability_description: Authentication requirements
  capability_group: PR.AA
  capability_id: PR.AA-03.01
  comments: This diagnostic statement describes how the organization implements appropriate
    authentication requirements, including selecting mechanisms based on risk, utilizing
    multi-factor authentication where necessary, and safeguarding the storage of authenticators
    like PINs and passwords to protect sensitive access credentials.
  mapping_type: mitigates
  references: []
- attack_object_id: T1098.003
  attack_object_name: Additional Cloud Roles
  capability_description: Authentication requirements
  capability_group: PR.AA
  capability_id: PR.AA-03.01
  comments: This diagnostic statement describes how the organization implements appropriate
    authentication requirements, including selecting mechanisms based on risk, utilizing
    multi-factor authentication where necessary, and safeguarding the storage of authenticators
    like PINs and passwords to protect sensitive access credentials.
  mapping_type: mitigates
  references: []
- attack_object_id: T1098.001
  attack_object_name: Additional Cloud Credentials
  capability_description: Authentication requirements
  capability_group: PR.AA
  capability_id: PR.AA-03.01
  comments: This diagnostic statement describes how the organization implements appropriate
    authentication requirements, including selecting mechanisms based on risk, utilizing
    multi-factor authentication where necessary, and safeguarding the storage of authenticators
    like PINs and passwords to protect sensitive access credentials.
  mapping_type: mitigates
  references: []
- attack_object_id: T1098
  attack_object_name: Account Manipulation
  capability_description: Authentication requirements
  capability_group: PR.AA
  capability_id: PR.AA-03.01
  comments: This diagnostic statement describes how the organization implements appropriate
    authentication requirements, including selecting mechanisms based on risk, utilizing
    multi-factor authentication where necessary, and safeguarding the storage of authenticators
    like PINs and passwords to protect sensitive access credentials.
  mapping_type: mitigates
  references: []
- attack_object_id: T1078
  attack_object_name: Valid Accounts
  capability_description: Third-party access management
  capability_group: PR.AA
  capability_id: PR.AA-05.04
  comments: "This diagnostic statement includes implementation of controls for third-party\
    \ access to an organization\u2019s systems. Conditional access policies can be\
    \ used to block logins from non-compliant devices or from outside defined IP ranges."
  mapping_type: mitigates
  references: []
- attack_object_id: T1110
  attack_object_name: Brute Force
  capability_description: Third-party access management
  capability_group: PR.AA
  capability_id: PR.AA-05.04
  comments: "This diagnostic statement includes implementation of controls for third-party\
    \ access to an organization\u2019s systems. Enforcing third-party account use\
    \ policies to include account lockout policies after a certain number of failed\
    \ login attempts mitigates the risk of brute-force attacks."
  mapping_type: mitigates
  references: []
- attack_object_id: T1199
  attack_object_name: Trusted Relationship
  capability_description: Third-party access management
  capability_group: PR.AA
  capability_id: PR.AA-05.04
  comments: "This diagnostic statement includes implementation of controls for third-party\
    \ access to an organization\u2019s systems. Manage accounts and permissions used\
    \ by parties in trusted relationships to minimize potential abuse by the party\
    \ or if the party is compromised by an adversary."
  mapping_type: mitigates
  references: []
- attack_object_id: T1552
  attack_object_name: Unsecured Credentials
  capability_description: Network segmentation
  capability_group: PR.IR
  capability_id: PR.IR-01.01
  comments: This diagnostic statement is for the implementation of network segmentation
    which helps prevent access to critical systems and sensitive information. Employing
    network filtering, defense-in-depth, and access isolation principles provides
    protection against adversaries trying to obtain unsecured credentials.
  mapping_type: mitigates
  references: []
- attack_object_id: T1552.007
  attack_object_name: Container API
  capability_description: Network segmentation
  capability_group: PR.IR
  capability_id: PR.IR-01.01
  comments: This diagnostic statement is for the implementation of network segmentation
    which helps prevent access to critical systems and sensitive information. Employing
    secure network configuration, defense-in-depth, and access isolation principles
    provides protection against adversaries attempting to obtain credentials via APIs
    within a container environment.
  mapping_type: mitigates
  references: []
- attack_object_id: T1199
  attack_object_name: Trusted Relationship
  capability_description: Network segmentation
  capability_group: PR.IR
  capability_id: PR.IR-01.01
  comments: This diagnostic statement is for the implementation of network segmentation
    which helps prevent access to critical systems and sensitive information. Employing
    network segmentation to isolate infrastructure limits the access obtainable through
    trusted third-party relationships.
  mapping_type: mitigates
  references: []
- attack_object_id: T1072
  attack_object_name: Software Deployment Tools
  capability_description: Network segmentation
  capability_group: PR.IR
  capability_id: PR.IR-01.01
  comments: This diagnostic statement is for the implementation of network segmentation
    which helps prevent access to critical systems and sensitive information. The
    permissions required for execution of this technique vary by system configuration.
    Employing proper system isolation can protect critical network systems from potential
    exploitation.
  mapping_type: mitigates
  references: []
- attack_object_id: T1489
  attack_object_name: Service Stop
  capability_description: Network segmentation
  capability_group: PR.IR
  capability_id: PR.IR-01.01
  comments: This diagnostic statement is for the implementation of network segmentation
    which helps prevent access to critical systems and sensitive information. Employing
    defense-in-depth and access isolation provides protection against adversaries
    attempting to stop services.
  mapping_type: mitigates
  references: []
- attack_object_id: T1021.001
  attack_object_name: Remote Desktop Protocol
  capability_description: Network segmentation
  capability_group: PR.IR
  capability_id: PR.IR-01.01
  comments: This diagnostic statement is for the implementation of network segmentation
    which helps prevent access to critical systems and sensitive information. Employing
    measures such as blocking RDP traffic between network security zones provides
    protection against adversaries attempting to use RDP to expand access.
  mapping_type: mitigates
  references: []
- attack_object_id: T1021.003
  attack_object_name: Distributed Component Object Model
  capability_description: Network segmentation
  capability_group: PR.IR
  capability_id: PR.IR-01.01
  comments: This diagnostic statement is for the implementation of network segmentation
    which helps prevent access to critical systems and sensitive information. Employing
    host-based measures such as Windows Firewall rules that block inbound RPC/DCOM
    connections from hosts with no administrative need provides protection against
    adversaries attempting to use Distributed Component Object Model for lateral movement.
  mapping_type: mitigates
  references: []
- attack_object_id: T1021.006
  attack_object_name: Windows Remote Management
  capability_description: Network segmentation
  capability_group: PR.IR
  capability_id: PR.IR-01.01
  comments: This diagnostic statement is for the implementation of network segmentation
    which helps prevent access to critical systems and sensitive information. Employing
    measures such as blocking or restricting WinRM, so that its listeners are reachable
    only from designated management hosts, provides protection against adversaries
    attempting to use this service for lateral movement or remote execution.
  mapping_type: mitigates
  references: []
- attack_object_id: T1563
  attack_object_name: Remote Service Session Hijacking
  capability_description: Network segmentation
  capability_group: PR.IR
  capability_id: PR.IR-01.01
  comments: This diagnostic statement is for the implementation of network segmentation
    which helps prevent access to critical systems and sensitive information. Blocking
    network traffic that is not necessary can mitigate, or at least alleviate, use
    of remote services to move laterally in an environment.
  mapping_type: mitigates
  references: []
- attack_object_id: T1563.002
  attack_object_name: RDP Hijacking
  capability_description: Network segmentation
  capability_group: PR.IR
  capability_id: PR.IR-01.01
  comments: This diagnostic statement is for the implementation of network segmentation
    which helps prevent access to critical systems and sensitive information. Blocking
    network traffic that is not necessary can mitigate, or at least alleviate, use
    of remote desktop to move laterally in an environment.
  mapping_type: mitigates
  references: []
- attack_object_id: T1571
  attack_object_name: Non-Standard Port
  capability_description: Network segmentation
  capability_group: PR.IR
  capability_id: PR.IR-01.01
  comments: This diagnostic statement is for the implementation of network segmentation
    which helps prevent access to critical systems and sensitive information. Configuring
    firewalls and proxies to limit outgoing traffic to only the ports and destinations each
    system requires can mitigate use of this technique; because it relies on an unexpected
    port, egress rules need to be allowlists rather than blocklists of known-bad ports.
  mapping_type: mitigates
  references: []
- attack_object_id: T1095
  attack_object_name: Non-Application Layer Protocol
  capability_description: Network segmentation
  capability_group: PR.IR
  capability_id: PR.IR-01.01
  comments: This diagnostic statement is for the implementation of network segmentation
    which helps prevent access to critical systems and sensitive information. Configuring
    firewalls and proxies to limit outgoing traffic to only necessary ports and approved
    systems can mitigate use of this technique, in particular by blocking non-application
    layer protocols (such as ICMP or raw IP) outbound from hosts that have no need to send
    them.
  mapping_type: mitigates
  references: []
- attack_object_id: T1040
  attack_object_name: Network Sniffing
  capability_description: Network segmentation
  capability_group: PR.IR
  capability_id: PR.IR-01.01
  comments: This diagnostic statement is for the implementation of network segmentation
    which helps prevent access to critical systems and sensitive information. Segmenting
    the network into small broadcast domains and denying hosts direct access to broadcast
    and multicast traffic from other segments limits what an adversary positioned on one
    segment can capture. Segmentation narrows the scope of sniffing rather than preventing
    it within the compromised segment, so it should be paired with encryption of sensitive
    traffic in transit.
  mapping_type: mitigates
  references: []
- attack_object_id: T1046
  attack_object_name: Network Service Discovery
  capability_description: Network segmentation
  capability_group: PR.IR
  capability_id: PR.IR-01.01
  comments: This diagnostic statement is for the implementation of network segmentation
    which helps prevent access to critical systems and sensitive information. Employing
    proper network segmentation can protect critical servers and devices from discovery
    and potential exploitation.
  mapping_type: mitigates
  references: []
- attack_object_id: T1133
  attack_object_name: External Remote Services
  capability_description: Network segmentation
  capability_group: PR.IR
  capability_id: PR.IR-01.01
  comments: This diagnostic statement is for the implementation of network segmentation
    which helps prevent access to critical systems and sensitive information. Denying
    direct remote access to internal systems, and terminating external-facing remote
    services such as VPN gateways in a segmented zone with limited onward access, prevents
    adversaries from leveraging those services to access and/or persist within a network.
  mapping_type: mitigates
  references: []
- attack_object_id: T1210
  attack_object_name: Exploitation of Remote Services
  capability_description: Network segmentation
  capability_group: PR.IR
  capability_id: PR.IR-01.01
  comments: This diagnostic statement is for the implementation of network segmentation
    which helps prevent access to critical systems and sensitive information. Segmenting
    externally facing networks and systems appropriately, and restricting which internal
    hosts can reach a given service, limits the set of systems from which a vulnerable
    remote service can be exploited and the reach an adversary gains after doing so.
  mapping_type: mitigates
  references: []
- attack_object_id: T1190
  attack_object_name: Exploit Public-Facing Application
  capability_description: Network segmentation
  capability_group: PR.IR
  capability_id: PR.IR-01.01
  comments: This diagnostic statement is for the implementation of network segmentation
    which helps prevent access to critical systems and sensitive information. Segment
    externally facing servers and services (for example into a DMZ) so that compromise
    of a public-facing application does not give direct access to internal systems.
    Segmentation limits the impact of exploitation rather than preventing the exploit
    itself, so it complements, and does not replace, patching and application hardening.
  mapping_type: mitigates
  references: []
- attack_object_id: T1048
  attack_object_name: Exfiltration Over Alternative Protocol
  capability_description: Network segmentation
  capability_group: PR.IR
  capability_id: PR.IR-01.01
  comments: This diagnostic statement is for the implementation of network segmentation
    which helps prevent access to critical systems and sensitive information. Network
    firewall configurations that allow only necessary ports and traffic can mitigate
    exfiltration of data over alternate protocols. Egress rules should be default-deny,
    so that protocols an internal host has no business using toward the Internet are
    blocked outright rather than relying on a list of known-bad ports.
  mapping_type: mitigates
  references: []
- attack_object_id: T1048.001
  attack_object_name: Exfiltration Over Symmetric Encrypted Non-C2 Protocol
  capability_description: Network segmentation
  capability_group: PR.IR
  capability_id: PR.IR-01.01
  comments: This diagnostic statement is for the implementation of network segmentation
    which helps prevent access to critical systems and sensitive information. Network
    firewall configurations that allow only necessary ports and traffic can mitigate
    exfiltration of data over alternate protocols.
  mapping_type: mitigates
  references: []
- attack_object_id: T1048.002
  attack_object_name: Exfiltration Over Asymmetric Encrypted Non-C2 Protocol
  capability_description: Network segmentation
  capability_group: PR.IR
  capability_id: PR.IR-01.01
  comments: This diagnostic statement is for the implementation of network segmentation
    which helps prevent access to critical systems and sensitive information. Network
    firewall configurations that allow only necessary ports and traffic can mitigate
    exfiltration of data over alternate protocols.
  mapping_type: mitigates
  references: []
- attack_object_id: T1048.003
  attack_object_name: Exfiltration Over Unencrypted Non-C2 Protocol
  capability_description: Network segmentation
  capability_group: PR.IR
  capability_id: PR.IR-01.01
  comments: This diagnostic statement is for the implementation of network segmentation
    which helps prevent access to critical systems and sensitive information. Network
    firewall configurations that allow only necessary ports and traffic can mitigate
    exfiltration of data over alternate protocols.
  mapping_type: mitigates
  references: []
- attack_object_id: T1482
  attack_object_name: Domain Trust Discovery
  capability_description: Network segmentation
  capability_group: PR.IR
  capability_id: PR.IR-01.01
  comments: This diagnostic statement is for the implementation of network segmentation
    which helps prevent access to critical systems and sensitive information. Employing
    network segmentation for sensitive domains can help prevent adversary exploitation
    of domain trust relationships.
  mapping_type: mitigates
  references: []
- attack_object_id: T1610
  attack_object_name: Deploy Container
  capability_description: Network segmentation
  capability_group: PR.IR
  capability_id: PR.IR-01.01
  comments: This diagnostic statement is for the implementation of network segmentation
    which helps prevent access to critical systems and sensitive information. Employing
    network segmentation to deny direct remote access to internal systems externally
    provides protection against adversaries attempting to deploy containers. In particular,
    the container daemon and orchestrator APIs should not be reachable from outside the
    management segment, and should be exposed only over managed channels such as local
    sockets or SSH.
  mapping_type: mitigates
  references: []
- attack_object_id: T1565
  attack_object_name: Data Manipulation
  capability_description: Network segmentation
  capability_group: PR.IR
  capability_id: PR.IR-01.01
  comments: This diagnostic statement is for the implementation of network segmentation
    which helps prevent access to critical systems and sensitive information. Employ
    network segmentation to isolate and secure systems hosting critical business and
    system processes.
  mapping_type: mitigates
  references: []
- attack_object_id: T1565.003
  attack_object_name: Runtime Data Manipulation
  capability_description: Network segmentation
  capability_group: PR.IR
  capability_id: PR.IR-01.01
  comments: This diagnostic statement is for the implementation of network segmentation
    which helps prevent access to critical systems and sensitive information. Employ
    network segmentation to isolate and secure systems hosting critical business and
    system processes.
  mapping_type: mitigates
  references: []
- attack_object_id: T1602
  attack_object_name: Data from Configuration Repository
  capability_description: Network segmentation
  capability_group: PR.IR
  capability_id: PR.IR-01.01
  comments: This diagnostic statement is for the implementation of network segmentation
    which helps prevent access to critical systems and sensitive information. Employ
    network segmentation to segregate traffic to provide protection against adversaries
    attempting to obtain data from configuration repositories.
  mapping_type: mitigates
  references: []
- attack_object_id: T1602.001
  attack_object_name: SNMP (MIB Dump)
  capability_description: Network segmentation
  capability_group: PR.IR
  capability_id: PR.IR-01.01
  comments: This diagnostic statement is for the implementation of network segmentation
    which helps prevent access to critical systems and sensitive information. Employ
    network segmentation to confine SNMP to a dedicated management network so that the
    MIB of network devices can only be queried from authorized management hosts, not
    from user or server segments.
  mapping_type: mitigates
  references: []
- attack_object_id: T1602.002
  attack_object_name: Network Device Configuration Dump
  capability_description: Network segmentation
  capability_group: PR.IR
  capability_id: PR.IR-01.01
  comments: This diagnostic statement is for the implementation of network segmentation
    which helps prevent access to critical systems and sensitive information. Employ
    network segmentation to place network device management interfaces on an isolated
    management network so that configuration export and backup channels are reachable
    only from authorized management hosts.
  mapping_type: mitigates
  references: []
- attack_object_id: T1136
  attack_object_name: Create Account
  capability_description: Network segmentation
  capability_group: PR.IR
  capability_id: PR.IR-01.01
  comments: This diagnostic statement is for the implementation of network segmentation
    which helps prevent access to critical systems and sensitive information. Limit
    access to critical systems and domain controllers to provide protection against
    adversaries attempting to create accounts.
  mapping_type: mitigates
  references: []
- attack_object_id: T1136.002
  attack_object_name: Domain Account
  capability_description: Network segmentation
  capability_group: PR.IR
  capability_id: PR.IR-01.01
  comments: This diagnostic statement is for the implementation of network segmentation
    which helps prevent access to critical systems and sensitive information. Limit
    access to critical systems and domain controllers to provide protection against
    adversaries attempting to create accounts.
  mapping_type: mitigates
  references: []
- attack_object_id: T1136.003
  attack_object_name: Cloud Account
  capability_description: Network segmentation
  capability_group: PR.IR
  capability_id: PR.IR-01.01
  comments: This diagnostic statement is for the implementation of network segmentation
    which helps prevent access to critical systems and sensitive information. For cloud
    accounts the relevant chokepoint is the cloud provider identity and management
    interface rather than a domain controller; limit the network locations from which
    that interface can be reached, for example by restricting it to approved source
    address ranges, so that account creation can only originate from managed paths.
  mapping_type: mitigates
  references: []
- attack_object_id: T1613
  attack_object_name: Container and Resource Discovery
  capability_description: Network segmentation
  capability_group: PR.IR
  capability_id: PR.IR-01.01
  comments: This diagnostic statement is for the implementation of network segmentation
    which helps prevent access to critical systems and sensitive information. Employing
    network segmentation to deny direct remote access to internal systems externally
    provides protection against adversaries attempting to discover resources in container
    environments.
  mapping_type: mitigates
  references: []
- attack_object_id: T1612
  attack_object_name: Build Image on Host
  capability_description: Network segmentation
  capability_group: PR.IR
  capability_id: PR.IR-01.01
  comments: This diagnostic statement protects against Build Image on Host through
    the use of network segmentation, firewalls, secure network configuration, defense-in-depth
    and access isolation principles. Restricting network access to the container daemon
    build API so that only approved build or management hosts can submit build requests
    provides protection against adversaries attempting to build a malicious image directly
    on a host.
  mapping_type: mitigates
  references: []
- attack_object_id: T1557
  attack_object_name: Adversary-in-the-Middle
  capability_description: Network segmentation
  capability_group: PR.IR
  capability_id: PR.IR-01.01
  comments: This diagnostic statement is for the implementation of network segmentation
    which helps prevent access to critical systems and sensitive information. Isolating
    infrastructure components and blocking network traffic that is not necessary can
    mitigate, or at least alleviate, the scope of AiTM activity, since most of these
    techniques require the adversary to be on the same network segment as the victim.
  mapping_type: mitigates
  references: []
- attack_object_id: T1557.001
  attack_object_name: LLMNR/NBT-NS Poisoning and SMB Relay
  capability_description: Network segmentation
  capability_group: PR.IR
  capability_id: PR.IR-01.01
  comments: This diagnostic statement is for the implementation of network segmentation
    which helps prevent access to critical systems and sensitive information. Isolating
    infrastructure components and blocking network traffic that is not necessary can
    mitigate, or at least alleviate, the scope of AiTM activity. LLMNR and NBT-NS poisoning
    depends on broadcast name resolution, so smaller broadcast domains shrink the set of
    potential victims; segmentation does not stop poisoning within a segment, which
    requires disabling those protocols and requiring SMB signing.
  mapping_type: mitigates
  references: []
- attack_object_id: T1098
  attack_object_name: Account Manipulation
  capability_description: Network segmentation
  capability_group: PR.IR
  capability_id: PR.IR-01.01
  comments: This diagnostic statement is for the implementation of network segmentation
    which helps prevent access to critical systems and sensitive information. Employing
    proper network segmentation limits access to critical systems and domain controllers.
  mapping_type: mitigates
  references: []
- attack_object_id: T1098.001
  attack_object_name: Additional Cloud Credentials
  capability_description: Network segmentation
  capability_group: PR.IR
  capability_id: PR.IR-01.01
  comments: This diagnostic statement is for the implementation of network segmentation
    which helps prevent access to critical systems and sensitive information. For
    additional cloud credentials the relevant boundary is the cloud identity and management
    interface rather than a domain controller; limit the network locations from which
    credentials can be added to cloud identities, for example by restricting management
    interface access to approved source address ranges.
  mapping_type: mitigates
  references: []
- attack_object_id: T1552.005
  attack_object_name: Cloud Instance Metadata API
  capability_description: Network segmentation
  capability_group: PR.IR
  capability_id: PR.IR-01.01
  comments: This diagnostic statement is for the implementation of network segmentation
    which helps prevent access to critical systems and sensitive information. Employing
    network filtering, defense-in-depth, and access isolation principles provides
    protection against adversaries attempting to obtain credentials and other sensitive
    data. Because the metadata service is reached from inside the instance at a link-local
    address, perimeter segmentation does not help here; the filtering must be host-level
    (for example firewall rules that allow only the processes or containers that need
    metadata access), combined with metadata-service hardening such as requiring a
    session token.
  mapping_type: mitigates
  references: []
- attack_object_id: T1557.002
  attack_object_name: ARP Cache Poisoning
  capability_description: Network segmentation
  capability_group: PR.IR
  capability_id: PR.IR-01.01
  comments: This diagnostic statement is for the implementation of network segmentation
    which helps prevent access to critical systems and sensitive information. Isolating
    infrastructure components and blocking network traffic that is not necessary can
    mitigate, or at least alleviate, the scope of AiTM activity. ARP cache poisoning
    only works within a broadcast domain, so segmenting the network into small VLANs
    limits which hosts an adversary can impersonate; within a segment it must be
    complemented by switch-level controls such as dynamic ARP inspection.
  mapping_type: mitigates
  references: []
- attack_object_id: T1557.003
  attack_object_name: DHCP Spoofing
  capability_description: Network segmentation
  capability_group: PR.IR
  capability_id: PR.IR-01.01
  comments: This diagnostic statement is for the implementation of network segmentation
    which helps prevent access to critical systems and sensitive information. Isolating
    infrastructure components and blocking network traffic that is not necessary can
    mitigate, or at least alleviate, the scope of AiTM activity. Rogue DHCP responses
    only reach clients in the same broadcast domain, so segmentation limits the affected
    population; within a segment it must be complemented by switch-level controls such
    as DHCP snooping, which blocks DHCP server traffic on untrusted ports.
  mapping_type: mitigates
  references: []
- attack_object_id: T1102
  attack_object_name: Web Service
  capability_description: Utilization monitoring
  capability_group: PR.IR
  capability_id: PR.IR-04.01
  comments: 'This diagnostic statement describes how the organization establishes
    and manages baseline measures of network activity. Supported by network monitoring
    tools and other controls to detect events and identify incidents. Mitigating mechanisms
    may include: Data Loss Prevention (DLP); Filtering Network Traffic; Limit Network
    Traffic; Network Intrusion Prevention Systems (NIPS); and Network Segmentation
    for these types of network-based techniques.'
  mapping_type: mitigates
  references: []
- attack_object_id: T1104
  attack_object_name: Multi-Stage Channels
  capability_description: Utilization monitoring
  capability_group: PR.IR
  capability_id: PR.IR-04.01
  comments: 'This diagnostic statement describes how the organization establishes
    and manages baseline measures of network activity. Supported by network monitoring
    tools and other controls to detect events and identify incidents. Mitigating mechanisms
    may include: Data Loss Prevention (DLP); Filtering Network Traffic; Limit Network
    Traffic; Network Intrusion Prevention Systems (NIPS); and Network Segmentation
    for these types of network-based techniques.'
  mapping_type: mitigates
  references: []
- attack_object_id: T1008
  attack_object_name: Fallback Channels
  capability_description: Utilization monitoring
  capability_group: PR.IR
  capability_id: PR.IR-04.01
  comments: 'This diagnostic statement describes how the organization establishes
    and manages baseline measures of network activity. Supported by network monitoring
    tools and other controls to detect events and identify incidents. Mitigating mechanisms
    may include: Data Loss Prevention (DLP); Filtering Network Traffic; Limit Network
    Traffic; Network Intrusion Prevention Systems (NIPS); and Network Segmentation
    for these types of network-based techniques.'
  mapping_type: mitigates
  references: []
- attack_object_id: T1573
  attack_object_name: Encrypted Channel
  capability_description: Utilization monitoring
  capability_group: PR.IR
  capability_id: PR.IR-04.01
  comments: 'This diagnostic statement describes how the organization establishes
    and manages baseline measures of network activity. Supported by network monitoring
    tools and other controls to detect events and identify incidents. Mitigating mechanisms
    may include: Data Loss Prevention (DLP); Filtering Network Traffic; Limit Network
    Traffic; Network Intrusion Prevention Systems (NIPS); and Network Segmentation
    for these types of network-based techniques. Because the channel payload is encrypted,
    DLP and signature-based NIPS have little visibility into its content; baselining
    should rely on connection metadata (destinations, volumes, timing, certificate
    properties) and, where policy permits, TLS inspection at the egress point.'
  mapping_type: mitigates
  references: []
- attack_object_id: T1030
  attack_object_name: Data Transfer Size Limits
  capability_description: Utilization monitoring
  capability_group: PR.IR
  capability_id: PR.IR-04.01
  comments: 'This diagnostic statement describes how the organization establishes
    and manages baseline measures of network activity. Supported by network monitoring
    tools and other controls to detect events and identify incidents. Mitigating mechanisms
    may include: Data Loss Prevention (DLP); Filtering Network Traffic; Limit Network
    Traffic; Network Intrusion Prevention Systems (NIPS); and Network Segmentation
    for these types of network-based techniques. Because this technique deliberately keeps
    each transfer below fixed size thresholds, a per-transfer size alarm will not catch it;
    baselines should aggregate outbound volume per host and destination over time windows
    so that many small transfers become visible as an anomaly.'
  mapping_type: mitigates
  references: []
- attack_object_id: T1071.001
  attack_object_name: Web Protocols
  capability_description: Utilization monitoring
  capability_group: PR.IR
  capability_id: PR.IR-04.01
  comments: 'This diagnostic statement describes how the organization establishes
    and manages baseline measures of network activity. Supported by network monitoring
    tools and other controls to detect events and identify incidents. Mitigating mechanisms
    may include: Data Loss Prevention (DLP); Filtering Network Traffic; Limit Network
    Traffic; Network Intrusion Prevention Systems (NIPS); and Network Segmentation
    for these types of network-based techniques.'
  mapping_type: mitigates
  references: []
- attack_object_id: T1567
  attack_object_name: Exfiltration Over Web Service
  capability_description: Utilization monitoring
  capability_group: PR.IR
  capability_id: PR.IR-04.01
  comments: 'This diagnostic statement describes how the organization establishes
    and manages baseline measures of network activity. Supported by network monitoring
    tools and other controls to detect events and identify incidents. Mitigating mechanisms
    may include: Data Loss Prevention (DLP); Filtering Network Traffic; Limit Network
    Traffic; Network Intrusion Prevention Systems (NIPS); and Network Segmentation
    for these types of network-based techniques.'
  mapping_type: mitigates
  references: []
- attack_object_id: T1599
  attack_object_name: Network Boundary Bridging
  capability_description: Utilization monitoring
  capability_group: PR.IR
  capability_id: PR.IR-04.01
  comments: 'This diagnostic statement describes how the organization establishes
    and manages baseline measures of network activity. Supported by network monitoring
    tools and other controls to detect events and identify incidents. Mitigating mechanisms
    may include: Data Loss Prevention (DLP); Filtering Network Traffic; Limit Network
    Traffic; Network Intrusion Prevention Systems (NIPS); and Network Segmentation
    for these types of network-based techniques. Because this technique is carried out on
    the boundary device itself, traffic baselining should be complemented by monitoring
    of that device for configuration changes and by alerting on flows between segments
    that the segmentation policy should not allow.'
  mapping_type: mitigates
  references: []
- attack_object_id: T1499
  attack_object_name: Endpoint Denial of Service
  capability_description: Utilization monitoring
  capability_group: PR.IR
  capability_id: PR.IR-04.01
  comments: 'This diagnostic statement describes how the organization establishes
    and manages baseline measures of network activity. Supported by network monitoring
    tools and other controls to detect events and identify incidents. Mitigating mechanisms
    may include: Data Loss Prevention (DLP); Filtering Network Traffic; Limit Network
    Traffic; Network Intrusion Prevention Systems (NIPS); and Network Segmentation
    for these types of network-based techniques. For endpoint denial of service, DLP is
    not relevant; the utilization baseline is what makes a flood of requests to a host or
    service visible, and mitigation relies on filtering and rate limiting in front of the
    affected service.'
  mapping_type: mitigates
  references: []
- attack_object_id: T1498
  attack_object_name: Network Denial of Service
  capability_description: Utilization monitoring
  capability_group: PR.IR
  capability_id: PR.IR-04.01
  comments: 'This diagnostic statement describes how the organization establishes
    and manages baseline measures of network activity. Supported by network monitoring
    tools and other controls to detect events and identify incidents. Mitigating mechanisms
    may include: Data Loss Prevention (DLP); Filtering Network Traffic; Limit Network
    Traffic; Network Intrusion Prevention Systems (NIPS); and Network Segmentation
    for these types of network-based techniques. For network denial of service, DLP is
    not relevant; the utilization baseline is what makes a volumetric flood visible, and
    attacks that exceed local link capacity can only be mitigated upstream by the provider
    or a scrubbing service, so monitoring should feed a pre-arranged escalation path.'
  mapping_type: mitigates
  references: []
- attack_object_id: T1020
  attack_object_name: Automated Exfiltration
  capability_description: Utilization monitoring
  capability_group: PR.IR
  capability_id: PR.IR-04.01
  comments: 'This diagnostic statement describes how the organization establishes
    and manages baseline measures of network activity. Supported by network monitoring
    tools and other controls to detect events and identify incidents. Mitigating mechanisms
    may include: Data Loss Prevention (DLP); Filtering Network Traffic; Limit Network
    Traffic; Network Intrusion Prevention Systems (NIPS); and Network Segmentation
    for these types of network-based techniques.'
  mapping_type: mitigates
  references: []
- attack_object_id: T1133
  attack_object_name: External Remote Services
  capability_description: Utilization monitoring
  capability_group: PR.IR
  capability_id: PR.IR-04.01
  comments: 'This diagnostic statement describes how the organization establishes
    and manages baseline measures of network activity. Supported by network monitoring
    tools and other controls to detect events and identify incidents. Mitigating mechanisms
    may include: Data Loss Prevention (DLP); Filtering Network Traffic; Limit Network
    Traffic; Network Intrusion Prevention Systems (NIPS); and Network Segmentation
    for these types of network-based techniques.'
  mapping_type: mitigates
  references: []
- attack_object_id: T1046
  attack_object_name: Network Service Discovery
  capability_description: Utilization monitoring
  capability_group: PR.IR
  capability_id: PR.IR-04.01
  comments: 'This diagnostic statement describes how the organization establishes
    and manages baseline measures of network activity. Supported by network monitoring
    tools and other controls to detect events and identify incidents. Mitigating mechanisms
    may include: Data Loss Prevention (DLP); Filtering Network Traffic; Limit Network
    Traffic; Network Intrusion Prevention Systems (NIPS); and Network Segmentation
    for these types of network-based techniques.'
  mapping_type: mitigates
  references: []
- attack_object_id: T1571
  attack_object_name: Non-Standard Port
  capability_description: Utilization monitoring
  capability_group: PR.IR
  capability_id: PR.IR-04.01
  comments: 'This diagnostic statement describes how the organization establishes
    and manages baseline measures of network activity. Supported by network monitoring
    tools and other controls to detect events and identify incidents. Mitigating mechanisms
    may include: Data Loss Prevention (DLP); Filtering Network Traffic; Limit Network
    Traffic; Network Intrusion Prevention Systems (NIPS); and Network Segmentation
    for these types of network-based techniques.'
  mapping_type: mitigates
  references: []
- attack_object_id: T1552.007
  attack_object_name: Container API
  capability_description: Utilization monitoring
  capability_group: PR.IR
  capability_id: PR.IR-04.01
  comments: 'This diagnostic statement describes how the organization establishes
    and manages baseline measures of network activity. Supported by network monitoring
    tools and other controls to detect events and identify incidents. Mitigating mechanisms
    may include: Data Loss Prevention (DLP); Filtering Network Traffic; Limit Network
    Traffic; Network Intrusion Prevention Systems (NIPS); and Network Segmentation
    for these types of network-based techniques. Note that container API traffic is often
    local to the host (for example over a Unix socket) or confined within the cluster
    network, so perimeter network baselining may never observe it; API access should also
    be baselined and monitored at the host and orchestrator level.'
  mapping_type: mitigates
  references: []
- attack_object_id: T1552.005
  attack_object_name: Cloud Instance Metadata API
  capability_description: Utilization monitoring
  capability_group: PR.IR
  capability_id: PR.IR-04.01
  comments: 'This diagnostic statement describes how the organization establishes
    and manages baseline measures of network activity. Supported by network monitoring
    tools and other controls to detect events and identify incidents. Mitigating mechanisms
    may include: Data Loss Prevention (DLP); Filtering Network Traffic; Limit Network
    Traffic; Network Intrusion Prevention Systems (NIPS); and Network Segmentation
    for these types of network-based techniques. Note that instance metadata requests
    originate inside the instance toward a link-local address and never cross perimeter
    monitoring points; access to the metadata API must be baselined and monitored on the
    host or through cloud provider logging instead.'
  mapping_type: mitigates
  references: []
- attack_object_id: T1090.003
  attack_object_name: Multi-hop Proxy
  capability_description: Utilization monitoring
  capability_group: PR.IR
  capability_id: PR.IR-04.01
  comments: 'This diagnostic statement describes how the organization establishes
    and manages baseline measures of network activity. Supported by network monitoring
    tools and other controls to detect events and identify incidents. Mitigating mechanisms
    may include: Data Loss Prevention (DLP); Filtering Network Traffic; Limit Network
    Traffic; Network Intrusion Prevention Systems (NIPS); and Network Segmentation
    for these types of network-based techniques.'
  mapping_type: mitigates
  references: []
- attack_object_id: T1090
  attack_object_name: Proxy
  capability_description: Utilization monitoring
  capability_group: PR.IR
  capability_id: PR.IR-04.01
  comments: 'This diagnostic statement describes how the organization establishes
    and manages baseline measures of network activity. Supported by network monitoring
    tools and other controls to detect events and identify incidents. Mitigating mechanisms
    may include: Data Loss Prevention (DLP); Filtering Network Traffic; Limit Network
    Traffic; Network Intrusion Prevention Systems (NIPS); and Network Segmentation
    for these types of network-based techniques.'
  mapping_type: mitigates
  references: []
- attack_object_id: T1572
  attack_object_name: Protocol Tunneling
  capability_description: Utilization monitoring
  capability_group: PR.IR
  capability_id: PR.IR-04.01
  comments: 'This diagnostic statement describes how the organization establishes
    and manages baseline measures of network activity. Supported by network monitoring
    tools and other controls to detect events and identify incidents. Mitigating mechanisms
    may include: Data Loss Prevention (DLP); Filtering Network Traffic; Limit Network
    Traffic; Network Intrusion Prevention Systems (NIPS); and Network Segmentation
    for these types of network-based techniques.'
  mapping_type: mitigates
  references: []
- attack_object_id: T1095
  attack_object_name: Non-Application Layer Protocol
  capability_description: Utilization monitoring
  capability_group: PR.IR
  capability_id: PR.IR-04.01
  comments: 'This diagnostic statement describes how the organization establishes
    and manages baseline measures of network activity. Supported by network monitoring
    tools and other controls to detect events and identify incidents. Mitigating mechanisms
    may include: Data Loss Prevention (DLP); Filtering Network Traffic; Limit Network
    Traffic; Network Intrusion Prevention Systems (NIPS); and Network Segmentation
    for these types of network-based techniques.'
  mapping_type: mitigates
  references: []
- attack_object_id: T1021
  attack_object_name: Remote Services
  capability_description: Utilization monitoring
  capability_group: PR.IR
  capability_id: PR.IR-04.01
  comments: 'This diagnostic statement describes how the organization establishes
    and manages baseline measures of network activity. Supported by network monitoring
    tools and other controls to detect events and identify incidents. Mitigating mechanisms
    may include: Data Loss Prevention (DLP); Filtering Network Traffic; Limit Network
    Traffic; Network Intrusion Prevention Systems (NIPS); and Network Segmentation
    for these types of network-based techniques.'
  mapping_type: mitigates
  references: []
- attack_object_id: T1021.005
  attack_object_name: VNC
  capability_description: Utilization monitoring
  capability_group: PR.IR
  capability_id: PR.IR-04.01
  comments: 'This diagnostic statement describes how the organization establishes
    and manages baseline measures of network activity. Supported by network monitoring
    tools and other controls to detect events and identify incidents. Mitigating mechanisms
    may include: Data Loss Prevention (DLP); Filtering Network Traffic; Limit Network
    Traffic; Network Intrusion Prevention Systems (NIPS); and Network Segmentation
    for these types of network-based techniques.'
  mapping_type: mitigates
  references: []
- attack_object_id: T1021.002
  attack_object_name: SMB/Windows Admin Shares
  capability_description: Utilization monitoring
  capability_group: PR.IR
  capability_id: PR.IR-04.01
  comments: 'This diagnostic statement describes how the organization establishes
    and manages baseline measures of network activity. Supported by network monitoring
    tools and other controls to detect events and identify incidents. Mitigating mechanisms
    may include: Data Loss Prevention (DLP); Filtering Network Traffic; Limit Network
    Traffic; Network Intrusion Prevention Systems (NIPS); and Network Segmentation
    for these types of network-based techniques.'
  mapping_type: mitigates
  references: []
- attack_object_id: T1071.005
  attack_object_name: Publish/Subscribe Protocols
  capability_description: Utilization monitoring
  capability_group: PR.IR
  capability_id: PR.IR-04.01
  comments: 'This diagnostic statement describes how the organization establishes
    and manages baseline measures of network activity. Supported by network monitoring
    tools and other controls to detect events and identify incidents. Mitigating mechanisms
    may include: Data Loss Prevention (DLP); Filtering Network Traffic; Limit Network
    Traffic; Network Intrusion Prevention Systems (NIPS); and Network Segmentation
    for these types of network-based techniques.'
  mapping_type: mitigates
  references: []
- attack_object_id: T1071.004
  attack_object_name: DNS
  capability_description: Utilization monitoring
  capability_group: PR.IR
  capability_id: PR.IR-04.01
  comments: 'This diagnostic statement describes how the organization establishes
    and manages baseline measures of network activity. Supported by network monitoring
    tools and other controls to detect events and identify incidents. Mitigating mechanisms
    may include: Data Loss Prevention (DLP); Filtering Network Traffic; Limit Network
    Traffic; Network Intrusion Prevention Systems (NIPS); and Network Segmentation
    for these types of network-based techniques.'
  mapping_type: mitigates
  references: []
- attack_object_id: T1071
  attack_object_name: Application Layer Protocol
  capability_description: Utilization monitoring
  capability_group: PR.IR
  capability_id: PR.IR-04.01
  comments: 'This diagnostic statement describes how the organization establishes
    and manages baseline measures of network activity. Supported by network monitoring
    tools and other controls to detect events and identify incidents. Mitigating mechanisms
    may include: Data Loss Prevention (DLP); Filtering Network Traffic; Limit Network
    Traffic; Network Intrusion Prevention Systems (NIPS); and Network Segmentation
    for these types of network-based techniques.'
  mapping_type: mitigates
  references: []
- attack_object_id: T1602.002
  attack_object_name: Network Device Configuration Dump
  capability_description: Utilization monitoring
  capability_group: PR.IR
  capability_id: PR.IR-04.01
  comments: 'This diagnostic statement describes how the organization establishes
    and manages baseline measures of network activity. Supported by network monitoring
    tools and other controls to detect events and identify incidents. Mitigating mechanisms
    may include: Data Loss Prevention (DLP); Filtering Network Traffic; Limit Network
    Traffic; Network Intrusion Prevention Systems (NIPS); and Network Segmentation
    for these types of network-based techniques.'
  mapping_type: mitigates
  references: []
- attack_object_id: T1602
  attack_object_name: Data from Configuration Repository
  capability_description: Utilization monitoring
  capability_group: PR.IR
  capability_id: PR.IR-04.01
  comments: 'This diagnostic statement describes how the organization establishes
    and manages baseline measures of network activity. Supported by network monitoring
    tools and other controls to detect events and identify incidents. Mitigating mechanisms
    may include: Data Loss Prevention (DLP); Filtering Network Traffic; Limit Network
    Traffic; Network Intrusion Prevention Systems (NIPS); and Network Segmentation
    for these types of network-based techniques.'
  mapping_type: mitigates
  references: []
- attack_object_id: T1557.003
  attack_object_name: DHCP Spoofing
  capability_description: Utilization monitoring
  capability_group: PR.IR
  capability_id: PR.IR-04.01
  comments: 'This diagnostic statement describes how the organization establishes
    and manages baseline measures of network activity. Supported by network monitoring
    tools and other controls to detect events and identify incidents. Mitigating mechanisms
    may include: Data Loss Prevention (DLP); Filtering Network Traffic; Limit Network
    Traffic; Network Intrusion Prevention Systems (NIPS); and Network Segmentation
    for these types of network-based techniques.'
  mapping_type: mitigates
  references: []
- attack_object_id: T1557.002
  attack_object_name: ARP Cache Poisoning
  capability_description: Utilization monitoring
  capability_group: PR.IR
  capability_id: PR.IR-04.01
  comments: 'This diagnostic statement describes how the organization establishes
    and manages baseline measures of network activity. Supported by network monitoring
    tools and other controls to detect events and identify incidents. Mitigating mechanisms
    may include: Data Loss Prevention (DLP); Filtering Network Traffic; Limit Network
    Traffic; Network Intrusion Prevention Systems (NIPS); and Network Segmentation
    for these types of network-based techniques.'
  mapping_type: mitigates
  references: []
- attack_object_id: T1557.001
  attack_object_name: LLMNR/NBT-NS Poisoning and SMB Relay
  capability_description: Utilization monitoring
  capability_group: PR.IR
  capability_id: PR.IR-04.01
  comments: 'This diagnostic statement describes how the organization establishes
    and manages baseline measures of network activity. Supported by network monitoring
    tools and other controls to detect events and identify incidents. Mitigating mechanisms
    may include: Data Loss Prevention (DLP); Filtering Network Traffic; Limit Network
    Traffic; Network Intrusion Prevention Systems (NIPS); and Network Segmentation
    for these types of network-based techniques.'
  mapping_type: mitigates
  references: []
- attack_object_id: T1557
  attack_object_name: Adversary-in-the-Middle
  capability_description: Utilization monitoring
  capability_group: PR.IR
  capability_id: PR.IR-04.01
  comments: 'This diagnostic statement describes how the organization establishes
    and manages baseline measures of network activity. Supported by network monitoring
    tools and other controls to detect events and identify incidents. Mitigating mechanisms
    may include: Data Loss Prevention (DLP); Filtering Network Traffic; Limit Network
    Traffic; Network Intrusion Prevention Systems (NIPS); and Network Segmentation
    for these types of network-based techniques.'
  mapping_type: mitigates
  references: []
- attack_object_id: T1041
  attack_object_name: Exfiltration Over C2 Channel
  capability_description: Utilization monitoring
  capability_group: PR.IR
  capability_id: PR.IR-04.01
  comments: 'This diagnostic statement describes how the organization establishes
    and manages baseline measures of network activity. Supported by network monitoring
    tools and other controls to detect events and identify incidents. Mitigating mechanisms
    may include: Data Loss Prevention (DLP); Filtering Network Traffic; Limit Network
    Traffic; Network Intrusion Prevention Systems (NIPS); and Network Segmentation
    for these types of network-based techniques.'
  mapping_type: mitigates
  references: []
- attack_object_id: T1048.003
  attack_object_name: Exfiltration Over Unencrypted Non-C2 Protocol
  capability_description: Utilization monitoring
  capability_group: PR.IR
  capability_id: PR.IR-04.01
  comments: 'This diagnostic statement describes how the organization establishes
    and manages baseline measures of network activity. Supported by network monitoring
    tools and other controls to detect events and identify incidents. Mitigating mechanisms
    may include: Data Loss Prevention (DLP); Filtering Network Traffic; Limit Network
    Traffic; Network Intrusion Prevention Systems (NIPS); and Network Segmentation
    for these types of network-based techniques.'
  mapping_type: mitigates
  references: []
- attack_object_id: T1048.002
  attack_object_name: Exfiltration Over Asymmetric Encrypted Non-C2 Protocol
  capability_description: Utilization monitoring
  capability_group: PR.IR
  capability_id: PR.IR-04.01
  comments: 'This diagnostic statement describes how the organization establishes
    and manages baseline measures of network activity. Supported by network monitoring
    tools and other controls to detect events and identify incidents. Mitigating mechanisms
    may include: Data Loss Prevention (DLP); Filtering Network Traffic; Limit Network
    Traffic; Network Intrusion Prevention Systems (NIPS); and Network Segmentation
    for these types of network-based techniques.'
  mapping_type: mitigates
  references: []
- attack_object_id: T1048
  attack_object_name: Exfiltration Over Alternative Protocol
  capability_description: Utilization monitoring
  capability_group: PR.IR
  capability_id: PR.IR-04.01
  comments: 'This diagnostic statement describes how the organization establishes
    and manages baseline measures of network activity. Supported by network monitoring
    tools and other controls to detect events and identify incidents. Mitigating mechanisms
    may include: Data Loss Prevention (DLP); Filtering Network Traffic; Limit Network
    Traffic; Network Intrusion Prevention Systems (NIPS); and Network Segmentation
    for these types of network-based techniques.'
  mapping_type: mitigates
  references: []
- attack_object_id: T1498.001
  attack_object_name: Direct Network Flood
  capability_description: Availability and capacity management
  capability_group: PR.IR
  capability_id: PR.IR-04.02
  comments: This diagnostic approach safeguards systems and network resources from
    adversaries seeking to block availability of services to users by attempting to
    conduct DoS attacks. Implementing mitigation strategies, such as filtering network
    traffic and using ISP or third-party providers, enables blocking IP addresses
    and protocols used for transport.
  mapping_type: mitigates
  references: []
- attack_object_id: T1498.002
  attack_object_name: Reflection Amplification
  capability_description: Availability and capacity management
  capability_group: PR.IR
  capability_id: PR.IR-04.02
  comments: This diagnostic approach safeguards systems and network resources from
    adversaries seeking to block availability of services to users by attempting to
    conduct DoS attacks. Implementing mitigation strategies, such as filtering network
    traffic, enables blocking IP addresses and protocols used for transport.
  mapping_type: mitigates
  references: []
- attack_object_id: T1498
  attack_object_name: Network Denial of Service
  capability_description: Availability and capacity management
  capability_group: PR.IR
  capability_id: PR.IR-04.02
  comments: This diagnostic approach safeguards systems and network resources from
    adversaries seeking to block availability of services to users by attempting to
    conduct DoS attacks. Implementing mitigation strategies, such as filtering network
    traffic, enables blocking IP addresses and protocols used for transport.
  mapping_type: mitigates
  references: []
- attack_object_id: T1499.004
  attack_object_name: Application or System Exploitation
  capability_description: Availability and capacity management
  capability_group: PR.IR
  capability_id: PR.IR-04.02
  comments: This diagnostic approach safeguards systems and network resources from
    adversaries seeking to block availability of services to users by attempting to
    conduct DoS attacks. Implementing mitigation strategies, such as filtering network
    traffic, enables blocking IP addresses and protocols used for transport.
  mapping_type: mitigates
  references: []
- attack_object_id: T1499.003
  attack_object_name: Application Exhaustion Flood
  capability_description: Availability and capacity management
  capability_group: PR.IR
  capability_id: PR.IR-04.02
  comments: This diagnostic approach safeguards systems and network resources from
    adversaries seeking to block availability of services to users by attempting to
    exploit software vulnerabilities that can cause an application or system to crash.
    Implementing mitigation strategies, such as filtering network traffic, enables
    blocking IP addresses and protocols used for transport.
  mapping_type: mitigates
  references: []
- attack_object_id: T1499.002
  attack_object_name: Service Exhaustion Flood
  capability_description: Availability and capacity management
  capability_group: PR.IR
  capability_id: PR.IR-04.02
  comments: This diagnostic approach safeguards systems and network resources from
    adversaries seeking to block availability of services to users by attempting to
    conduct DoS attacks. Implementing mitigation strategies, such as filtering network
    traffic, enables blocking IP addresses and protocols used for transport.
  mapping_type: mitigates
  references: []
- attack_object_id: T1499
  attack_object_name: Endpoint Denial of Service
  capability_description: Availability and capacity management
  capability_group: PR.IR
  capability_id: PR.IR-04.02
  comments: This diagnostic approach safeguards systems and network resources from
    adversaries seeking to block availability of services to users by attempting to
    conduct DoS attacks. Implementing mitigation strategies, such as filtering network
    traffic, enables blocking IP addresses and protocols used for transport.
  mapping_type: mitigates
  references: []
- attack_object_id: T1561.002
  attack_object_name: Disk Structure Wipe
  capability_description: Availability and capacity management
  capability_group: PR.IR
  capability_id: PR.IR-04.02
  comments: This diagnostic approach safeguards systems and network resources from
    adversaries seeking to disrupt availability by attempting to corrupt or wipe the
    disk data structures on a hard drive. Implementing mitigation strategies, such
    as data backup, enables the restoration of organizational plans and critical information.
  mapping_type: mitigates
  references: []
- attack_object_id: T1561.001
  attack_object_name: Disk Content Wipe
  capability_description: Availability and capacity management
  capability_group: PR.IR
  capability_id: PR.IR-04.02
  comments: This diagnostic approach safeguards systems and network resources from
    adversaries seeking to disrupt availability by attempting to erase contents of
    storage devices on systems and networks. Implementing mitigation strategies, such
    as data backup, enables the restoration of organizational plans and critical information.
  mapping_type: mitigates
  references: []
- attack_object_id: T1561
  attack_object_name: Disk Wipe
  capability_description: Availability and capacity management
  capability_group: PR.IR
  capability_id: PR.IR-04.02
  comments: This diagnostic approach safeguards systems and network resources from
    adversaries seeking to disrupt availability by attempting to render stored data
    on local and remote drives inaccessible via encryption. Implementing mitigation strategies,
    such as data backup, enables the restoration of organizational plans and critical
    information.
  mapping_type: mitigates
  references: []
- attack_object_id: T1486
  attack_object_name: Data Encrypted for Impact
  capability_description: Availability and capacity management
  capability_group: PR.IR
  capability_id: PR.IR-04.02
  comments: This diagnostic approach safeguards systems and network resources from
    adversaries seeking to disrupt availability by attempting to wipe disk data
    on system and network resources. Implementing mitigation strategies, such as data
    backup, enables the restoration of organizational plans and critical information.
  mapping_type: mitigates
  references: []
- attack_object_id: T1485
  attack_object_name: Data Destruction
  capability_description: Availability and capacity management
  capability_group: PR.IR
  capability_id: PR.IR-04.02
  comments: This diagnostic approach safeguards systems and network resources from
    adversaries seeking to disrupt availability by destroying data files. Implementing
    mitigation strategies, such as data backup, enables the restoration of organizational
    plans and critical information. Additionally, the use of multi-factor authentication
    serves as an effective measure to restrict unauthorized access to credentials,
    thereby reducing the risk of data destruction.
  mapping_type: mitigates
  references: []
- attack_object_id: T1498.002
  attack_object_name: Reflection Amplification
  capability_description: Time services and synchronization
  capability_group: PR.PS
  capability_id: PR.PS-01.04
  comments: NTP amplification is a specialized form of distributed denial-of-service
    (DDoS) reflection amplification attacks that exploits the Network Time Protocol
    (NTP) to overwhelm victims with high volumes of traffic. This diagnostic statement
    describes practice guidance to secure and manage time synchronization infrastructure.
    To mitigate this technique under best practice guidance, consider patching NTP
    software to remove dangerous amplifying commands like monlist; enabling authentication
    for NTP changes to mitigate anonymous abuse; filtering inbound UDP port 123 to
    prevent reception of NTP traffic; and limiting access to NTP servers to just
    authorized hosts rather than global organizational access, to prevent potential
    widespread abuse in DDoS reflection attacks.
  mapping_type: mitigates
  references: []
- attack_object_id: T1070.006
  attack_object_name: Timestomp
  capability_description: Time services and synchronization
  capability_group: PR.PS
  capability_id: PR.PS-01.04
  comments: The ATT&CK technique T1070.006 involves adversaries modifying file timestamps
    to evade detection or forensic analysis. The diagnostic statement describes maintaining
    and securing accurate and synchronized time values across systems. Organizations
    can mitigate this technique through the use of secure and authenticated time synchronization
    protocols (e.g., NTP with authentication) to prevent adversaries from tampering
    with time values of files and artifacts.
  mapping_type: mitigates
  references: []
- attack_object_id: T1497.003
  attack_object_name: Time Based Evasion
  capability_description: Time services and synchronization
  capability_group: PR.PS
  capability_id: PR.PS-01.04
  comments: 'The diagnostic statement focuses on the importance of maintaining and
    securing the accurate and synchronized time values across systems. The ATT&CK
    technique T1497.003 Virtualization/Sandbox Evasion: Time Based Evasion involves
    adversaries using time-based evasion methods to detect or bypass virtualization
    or sandbox environments. Organizations can mitigate these methods by ensuring
    time integrity, accurate time synchronization, and hardening time services across
    virtualized and sandbox environments.'
  mapping_type: mitigates
  references: []
- attack_object_id: T1547.003
  attack_object_name: Time Providers
  capability_description: Time services and synchronization
  capability_group: PR.PS
  capability_id: PR.PS-01.04
  comments: 'The diagnostic statement focuses on the importance of maintaining accurate
    and resilient time synchronization across systems. By ensuring that time services
    are designed with security and reliability in mind, organizations reduce the risk
    of adversaries tampering with time provider components or disrupting time synchronization
    processes described in the Boot or Logon Autostart Execution: Time Providers technique.'
  mapping_type: mitigates
  references: []
- attack_object_id: T1525
  attack_object_name: Implant Internal Image
  capability_description: Virtualized end point protection
  capability_group: PR.PS
  capability_id: PR.PS-01.09
  comments: The diagnostic statement highlights several mitigating controls that organizations
    can implement to protect endpoint systems using virtualization technologies. Adversaries
    may implant cloud or container images with malicious code to establish persistence
    after gaining access to an environment. Periodically checking the integrity of
    images and containers used in virtualized deployments to ensure they have not
    been modified to include malicious software may aid in mitigating this type of
    adversary technique.
  mapping_type: mitigates
  references: []
- attack_object_id: T1612
  attack_object_name: Build Image on Host
  capability_description: Virtualized end point protection
  capability_group: PR.PS
  capability_id: PR.PS-01.09
  comments: The diagnostic statement highlights several mitigating controls that organizations
    can implement to protect endpoint systems using virtualization technologies. Adversaries
    may build a container image directly on a host to bypass defenses that monitor
    for the retrieval of malicious images from a public registry. Mitigating mechanisms
    such as network segmentation, limiting access to resources over the network, and
    privileged account management may aid in limiting malicious images with direct
    remote access to internal systems through the use of network proxies, gateways,
    privileged accounts, and firewalls.
  mapping_type: mitigates
  references: []
- attack_object_id: T1485
  attack_object_name: Data Destruction
  capability_description: Virtualized end point protection
  capability_group: PR.PS
  capability_id: PR.PS-01.09
  comments: The diagnostic statement highlights several mitigating controls that organizations
    can implement to protect endpoint systems using virtualization technologies. Adversaries
    may destroy data and files on specific systems or in large numbers on a network
    to interrupt availability to systems, services, and network resources. They may
    delete virtual machines from on-prem virtualized environments. For example, implementing
    multi-factor authentication (MFA) delete for cloud storage resources, such as
    AWS S3 buckets, can prevent unauthorized deletion of critical data and infrastructure.
  mapping_type: mitigates
  references: []
- attack_object_id: T1204.003
  attack_object_name: Malicious Image
  capability_description: Virtualized end point protection
  capability_group: PR.PS
  capability_id: PR.PS-01.09
  comments: The diagnostic statement highlights several mitigating controls that organizations
    can implement to protect endpoint systems using virtualization technologies. Adversaries
    may rely on a user running a malicious image to facilitate execution. This can
    lead to the execution of malicious code, such as code that executes cryptocurrency
    mining, in the virtualized instance or container. Mitigating controls such as
    execution prevention, NIPS, EDRs and behavior prevention on endpoints may provide
    mitigating mechanisms to prevent the running of executables coming from virtualized
    machines onto the host or network.
  mapping_type: mitigates
  references: []
- attack_object_id: T1204
  attack_object_name: User Execution
  capability_description: Virtualized end point protection
  capability_group: PR.PS
  capability_id: PR.PS-01.09
  comments: The diagnostic statement highlights several mitigating controls that organizations
    can implement to protect endpoint systems using virtualization technologies. Adversaries
    may rely on a user running a malicious image to facilitate execution. This can
    lead to the execution of malicious code, such as code that executes cryptocurrency
    mining, in the virtualized instance or container. Mitigating controls such as
    execution prevention, NIPS, EDRs and behavior prevention on endpoints may provide
    mitigating mechanisms to prevent the running of executables coming from virtualized
    machines onto the host or network.
  mapping_type: mitigates
  references: []
- attack_object_id: T1578.005
  attack_object_name: Modify Cloud Compute Configurations
  capability_description: Virtualized end point protection
  capability_group: PR.PS
  capability_id: PR.PS-01.09
  comments: The diagnostic statement highlights several mitigating controls that organizations
    can implement to protect endpoint systems using virtualization technologies. Adversaries
    may modify settings that directly affect the size, locations, and resources available
    to cloud compute infrastructure in order to evade defenses. A modification to
    the compute service infrastructure can include the creation, deletion, or modification
    of one or more components such as compute instances, virtual machines, and snapshots.
    To aid in mitigating this technique, consider limiting user permissions to ensure
    only the expected users have the capability to modify cloud compute infrastructure
    components.
  mapping_type: mitigates
  references: []
- attack_object_id: T1578.004
  attack_object_name: Revert Cloud Instance
  capability_description: Virtualized end point protection
  capability_group: PR.PS
  capability_id: PR.PS-01.09
  comments: The diagnostic statement highlights several mitigating controls that organizations
    can implement to protect endpoint systems using virtualization technologies. An
    adversary may attempt to modify a cloud account's compute service infrastructure
    to evade defenses. A modification to the compute service infrastructure can include
    the creation, deletion, or modification of one or more components such as compute
    instances, virtual machines, and snapshots. To aid in mitigating this technique,
    consider limiting user permissions to ensure only the expected users have the
    capability to modify cloud compute infrastructure components.
  mapping_type: mitigates
  references: []
- attack_object_id: T1578.003
  attack_object_name: Delete Cloud Instance
  capability_description: Virtualized end point protection
  capability_group: PR.PS
  capability_id: PR.PS-01.09
  comments: The diagnostic statement highlights several mitigating controls that organizations
    can implement to protect endpoint systems using virtualization technologies. An
    adversary may attempt to modify a cloud account's compute service infrastructure
    to evade defenses. A modification to the compute service infrastructure can include
    the creation, deletion, or modification of one or more components such as compute
    instances, virtual machines, and snapshots. To aid in mitigating this technique,
    consider limiting user permissions to ensure only the expected users have the
    capability to modify cloud compute infrastructure components.
  mapping_type: mitigates
  references: []
- attack_object_id: T1578.002
  attack_object_name: Create Cloud Instance
  capability_description: Virtualized end point protection
  capability_group: PR.PS
  capability_id: PR.PS-01.09
  comments: The diagnostic statement highlights several mitigating controls that organizations
    can implement to protect endpoint systems using virtualization technologies. An
    adversary may attempt to modify a cloud account's compute service infrastructure
    to evade defenses. A modification to the compute service infrastructure can include
    the creation, deletion, or modification of one or more components such as compute
    instances, virtual machines, and snapshots. To aid in mitigating this technique,
    consider limiting user permissions to ensure only the expected users have the
    capability to modify cloud compute infrastructure components.
  mapping_type: mitigates
  references: []
- attack_object_id: T1578.001
  attack_object_name: Create Snapshot
  capability_description: Virtualized end point protection
  capability_group: PR.PS
  capability_id: PR.PS-01.09
  comments: The diagnostic statement highlights several mitigating controls that organizations
    can implement to protect endpoint systems using virtualization technologies. An
    adversary may attempt to modify a cloud account's compute service infrastructure
    to evade defenses. A modification to the compute service infrastructure can include
    the creation, deletion, or modification of one or more components such as compute
    instances, virtual machines, and snapshots. To aid in mitigating this technique,
    consider limiting user permissions to ensure only the expected users have the
    capability to modify cloud compute infrastructure components.
  mapping_type: mitigates
  references: []
- attack_object_id: T1578
  attack_object_name: Modify Cloud Compute Infrastructure
  capability_description: Virtualized end point protection
  capability_group: PR.PS
  capability_id: PR.PS-01.09
  comments: The diagnostic statement highlights several mitigating controls that organizations
    can implement to protect endpoint systems using virtualization technologies. An
    adversary may attempt to modify a cloud account's compute service infrastructure
    to evade defenses. A modification to the compute service infrastructure can include
    the creation, deletion, or modification of one or more components such as compute
    instances, virtual machines, and snapshots. To aid in mitigating this technique,
    consider limiting user permissions to ensure only the expected users have the
    capability to modify cloud compute infrastructure components.
  mapping_type: mitigates
  references: []
- attack_object_id: T1564.006
  attack_object_name: Run Virtual Instance
  capability_description: Virtualized end point protection
  capability_group: PR.PS
  capability_id: PR.PS-01.09
  comments: The diagnostic statement highlights several mitigating controls that organizations
    can implement to protect endpoint systems using virtualization technologies. Adversaries
    may carry out malicious operations using a virtual instance to avoid detection.
    After running a virtual instance, adversaries may create a shared folder between
    the guest and host with permissions that enable the virtual instance to interact
    with the host file system. To aid in mitigating this technique, consider using
    application control mechanisms to mitigate installation and use of unapproved
    virtualization software, restricting shared folders that are not necessary within
    a given environment, and periodically auditing virtual machines for abnormalities.
  mapping_type: mitigates
  references: []
- attack_object_id: T1651
  attack_object_name: Cloud Administration Command
  capability_description: Virtualized end point protection
  capability_group: PR.PS
  capability_id: PR.PS-01.09
  comments: The diagnostic statement highlights several mitigating controls that organizations
    can implement to protect endpoint systems using virtualization technologies. Adversaries
    may abuse cloud management services to execute commands within virtual machines.
    Resources such as AWS Systems Manager, Azure RunCommand, and Runbooks allow users
    to remotely run scripts in virtual machines by leveraging installed virtual machine
    agents. To help mitigate this technique, consider limiting the number of
    cloud accounts with permissions to remotely execute commands on virtual machines,
    and ensure that these are not used for day-to-day operations.
  mapping_type: mitigates
  references: []
- attack_object_id: T1210
  attack_object_name: Exploitation of Remote Services
  capability_description: Virtualized end point protection
  capability_group: PR.PS
  capability_id: PR.PS-01.09
  comments: The diagnostic statement highlights several mechanisms that organizations
    can implement to protect endpoint systems using virtualization technologies. Virtualization
    technologies provide a layer of isolation and containment to isolate and contain
    the impact of potential compromises. When it comes to this exploitation technique,
    consider making it difficult for adversaries to advance their operation through
    exploitation of undiscovered or unpatched vulnerabilities by using sandboxing.
    Other types of virtualization and application microsegmentation may also mitigate
    the impact of some types of exploitation.
  mapping_type: mitigates
  references: []
- attack_object_id: T1068
  attack_object_name: Exploitation for Privilege Escalation
  capability_description: Virtualized end point protection
  capability_group: PR.PS
  capability_id: PR.PS-01.09
  comments: The diagnostic statement highlights several mechanisms that organizations
    can implement to protect endpoint systems using virtualization technologies. Virtualization
    technologies provide a layer of isolation and containment to isolate and contain
    the impact of potential compromises. When it comes to this exploitation technique,
    consider making it difficult for adversaries to advance their operation through
    exploitation of undiscovered or unpatched vulnerabilities by using sandboxing.
    Other types of virtualization and application microsegmentation may also mitigate
    the impact of some types of exploitation.
  mapping_type: mitigates
  references: []
- attack_object_id: T1211
  attack_object_name: Exploitation for Defense Evasion
  capability_description: Virtualized end point protection
  capability_group: PR.PS
  capability_id: PR.PS-01.09
  comments: The diagnostic statement highlights several mechanisms that organizations
    can implement to protect endpoint systems using virtualization technologies. Virtualization
    technologies provide a layer of isolation and containment to isolate and contain
    the impact of potential compromises. When it comes to this exploitation technique,
    consider making it difficult for adversaries to advance their operation through
    exploitation of undiscovered or unpatched vulnerabilities by using sandboxing.
    Other types of virtualization and application microsegmentation may also mitigate
    the impact of some types of exploitation.
  mapping_type: mitigates
  references: []
- attack_object_id: T1212
  attack_object_name: Exploitation for Credential Access
  capability_description: Virtualized end point protection
  capability_group: PR.PS
  capability_id: PR.PS-01.09
  comments: The diagnostic statement highlights several mechanisms that organizations
    can implement to protect endpoint systems using virtualization technologies. Virtualization
    technologies provide a layer of isolation and containment to isolate and contain
    the impact of potential compromises. When it comes to this exploitation technique,
    consider making it difficult for adversaries to advance their operation through
    exploitation of undiscovered or unpatched vulnerabilities by using sandboxing.
    Other types of virtualization and application microsegmentation may also mitigate
    the impact of some types of exploitation.
  mapping_type: mitigates
  references: []
- attack_object_id: T1203
  attack_object_name: Exploitation for Client Execution
  capability_description: Virtualized end point protection
  capability_group: PR.PS
  capability_id: PR.PS-01.09
  comments: The diagnostic statement highlights several mechanisms that organizations
    can implement to protect endpoint systems using virtualization technologies. Virtualization
    technologies provide a layer of isolation and containment to isolate and contain
    the impact of potential compromises. When it comes to this exploitation technique,
    consider making it difficult for adversaries to advance their operation through
    exploitation of undiscovered or unpatched vulnerabilities by using sandboxing.
    Other types of virtualization and application microsegmentation may also mitigate
    the impact of some types of exploitation.
  mapping_type: mitigates
  references: []
- attack_object_id: T1190
  attack_object_name: Exploit Public-Facing Application
  capability_description: Virtualized end point protection
  capability_group: PR.PS
  capability_id: PR.PS-01.09
  comments: The diagnostic statement highlights several mechanisms that organizations
    can implement to protect endpoint systems using virtualization technologies. Virtualization
    technologies provide a layer of isolation and containment to isolate and contain
    the impact of potential compromises. Application isolation will limit what other
    processes and system features the exploited target can access, thus aiding with
    mitigations related to exploiting public-facing applications.
  mapping_type: mitigates
  references: []
- attack_object_id: T1027.006
  attack_object_name: HTML Smuggling
  capability_description: Virtualized end point protection
  capability_group: PR.PS
  capability_id: PR.PS-01.09
  comments: The diagnostic statement highlights several mechanisms that organizations
    can implement to protect endpoint systems using virtualization technologies. Virtualization
    technologies provide a layer of isolation and containment to isolate and contain
    the impact of potential compromises. When it comes to this technique, browser sandboxes
    can be used to mitigate some of the impact of exploitation, but sandbox escapes
    may still exist.
  mapping_type: mitigates
  references: []
- attack_object_id: T1611
  attack_object_name: Escape to Host
  capability_description: Virtualized end point protection
  capability_group: PR.PS
  capability_id: PR.PS-01.09
  comments: The diagnostic statement highlights several mechanisms that organizations
    can implement to protect endpoint systems using virtualization technologies. Virtualization
    technologies provide a layer of isolation and containment to isolate and contain
    the impact of potential compromises. For the Escape to Host technique, consider
    utilizing solutions that restrict certain system calls such as mount from the
    virtualized machine to the host. In Kubernetes environments, consider defining
    Pod Security Standards that limit container access to host process namespaces,
    the host network, and the host file system.
  mapping_type: mitigates
  references: []
- attack_object_id: T1189
  attack_object_name: Drive-by Compromise
  capability_description: Virtualized end point protection
  capability_group: PR.PS
  capability_id: PR.PS-01.09
  comments: The diagnostic statement highlights several mechanisms that organizations
    can implement to protect endpoint systems using virtualization technologies. Virtualization
    technologies provide a layer of isolation and containment to isolate and contain
    the impact of potential compromises. When it comes to Drive-by Compromise,
    browser sandboxes can be used to mitigate some of the impact of exploitation,
    but sandbox escapes may still exist. Other types of virtualization and application
    micro-segmentation may also mitigate the impact of client-side exploitation from
    the virtualized machine.
  mapping_type: mitigates
  references: []
- attack_object_id: T1021
  attack_object_name: Remote Services
  capability_description: Network device configurations
  capability_group: PR.IR
  capability_id: PR.IR-01.02
  comments: This diagnostic statement provides protection through secure network device
    configurations (e.g., firewall rules, ports, protocols) aligned to security baselines.
    Using network appliances to block or filter network traffic that is not necessary
    within the environment can mitigate adversary use of remote services.
  mapping_type: mitigates
  references: []
- attack_object_id: T1021.001
  attack_object_name: Remote Desktop Protocol
  capability_description: Network device configurations
  capability_group: PR.IR
  capability_id: PR.IR-01.02
  comments: This diagnostic statement provides protection through secure network device
    configurations (e.g., firewall rules, ports, protocols) aligned to security baselines.
    Using network appliances to block or filter network traffic that is not necessary
    within the environment can mitigate adversary use of remote services.
  mapping_type: mitigates
  references: []
- attack_object_id: T1021.003
  attack_object_name: Distributed Component Object Model
  capability_description: Network device configurations
  capability_group: PR.IR
  capability_id: PR.IR-01.02
  comments: This diagnostic statement provides protection through secure network device
    configurations (e.g., firewall rules, ports, protocols) aligned to security baselines.
    Using network appliances to block or filter network traffic that is not necessary
    within the environment can mitigate adversary use of remote services.
  mapping_type: mitigates
  references: []
- attack_object_id: T1021.005
  attack_object_name: VNC
  capability_description: Network device configurations
  capability_group: PR.IR
  capability_id: PR.IR-01.02
  comments: This diagnostic statement provides protection through secure network device
    configurations (e.g., firewall rules, ports, protocols) aligned to security baselines.
    Using network appliances to block or filter network traffic that is not necessary
    within the environment can mitigate adversary use of remote services.
  mapping_type: mitigates
  references: []
- attack_object_id: T1021.006
  attack_object_name: Windows Remote Management
  capability_description: Network device configurations
  capability_group: PR.IR
  capability_id: PR.IR-01.02
  comments: This diagnostic statement provides protection through secure network device
    configurations (e.g., firewall rules, ports, protocols) aligned to security baselines.
    Using network appliances to block or filter network traffic that is not necessary
    within the environment can mitigate adversary use of remote services.
  mapping_type: mitigates
  references: []
- attack_object_id: T1048
  attack_object_name: Exfiltration Over Alternative Protocol
  capability_description: Network device configurations
  capability_group: PR.IR
  capability_id: PR.IR-01.02
  comments: This diagnostic statement provides protection through secure network device
    configurations (e.g., firewall rules, ports, protocols) aligned to security baselines.
    Using network appliances to block or filter network traffic that is not necessary
    within the environment can mitigate adversary use of alternate protocols to exfiltrate
    data.
  mapping_type: mitigates
  references: []
- attack_object_id: T1048.001
  attack_object_name: Exfiltration Over Symmetric Encrypted Non-C2 Protocol
  capability_description: Network device configurations
  capability_group: PR.IR
  capability_id: PR.IR-01.02
  comments: This diagnostic statement provides protection through secure network device
    configurations (e.g., firewall rules, ports, protocols) aligned to security baselines.
    Using network appliances to block or filter network traffic that is not necessary
    within the environment can mitigate adversary use of alternate protocols to exfiltrate
    data.
  mapping_type: mitigates
  references: []
- attack_object_id: T1048.002
  attack_object_name: Exfiltration Over Asymmetric Encrypted Non-C2 Protocol
  capability_description: Network device configurations
  capability_group: PR.IR
  capability_id: PR.IR-01.02
  comments: This diagnostic statement provides protection through secure network device
    configurations (e.g., firewall rules, ports, protocols) aligned to security baselines.
    Using network appliances to block or filter network traffic that is not necessary
    within the environment can mitigate adversary use of alternate protocols to exfiltrate
    data.
  mapping_type: mitigates
  references: []
- attack_object_id: T1048.003
  attack_object_name: Exfiltration Over Unencrypted Non-C2 Protocol
  capability_description: Network device configurations
  capability_group: PR.IR
  capability_id: PR.IR-01.02
  comments: This diagnostic statement provides protection through secure network device
    configurations (e.g., firewall rules, ports, protocols) aligned to security baselines.
    Using network appliances to block or filter network traffic that is not necessary
    within the environment can mitigate adversary use of alternate protocols to exfiltrate
    data.
  mapping_type: mitigates
  references: []
- attack_object_id: T1071
  attack_object_name: Application Layer Protocol
  capability_description: Network device configurations
  capability_group: PR.IR
  capability_id: PR.IR-01.02
  comments: This diagnostic statement provides protection through secure network device
    configurations (e.g., firewall rules, ports, protocols) aligned to security baselines.
    Using network appliances to block or filter network traffic that is not necessary
    within the environment can mitigate adversary use of application layer protocols.
  mapping_type: mitigates
  references: []
- attack_object_id: T1071.005
  attack_object_name: Publish/Subscribe Protocols
  capability_description: Network device configurations
  capability_group: PR.IR
  capability_id: PR.IR-01.02
  comments: This diagnostic statement provides protection through secure network device
    configurations (e.g., firewall rules, ports, protocols) aligned to security baselines.
    Using network appliances to block or filter network traffic that is not necessary
    within the environment can mitigate adversary use of application layer protocols.
  mapping_type: mitigates
  references: []
- attack_object_id: T1095
  attack_object_name: Non-Application Layer Protocol
  capability_description: Network device configurations
  capability_group: PR.IR
  capability_id: PR.IR-01.02
  comments: This diagnostic statement provides protection through secure network device
    configurations (e.g., firewall rules, ports, protocols) aligned to security baselines.
    Using network appliances to block or filter network traffic that is not necessary
    within the environment can mitigate adversary use of non-application layer protocols.
  mapping_type: mitigates
  references: []
- attack_object_id: T1133
  attack_object_name: External Remote Services
  capability_description: Network device configurations
  capability_group: PR.IR
  capability_id: PR.IR-01.02
  comments: This diagnostic statement provides protection through secure network device
    configurations (e.g., firewall rules, ports, protocols) aligned to security baselines.
    Using network appliances to block or filter network traffic that is not necessary
    within the environment can mitigate adversary use of externally-facing remote
    services to initially access and/or persist within a network.
  mapping_type: mitigates
  references: []
- attack_object_id: T1187
  attack_object_name: Forced Authentication
  capability_description: Network device configurations
  capability_group: PR.IR
  capability_id: PR.IR-01.02
  comments: This diagnostic statement provides protection through secure network device
    configurations (e.g., firewall rules, ports, protocols) aligned to security baselines.
    Using network appliances to block or filter network traffic that is not necessary
    within the environment can mitigate adversary attempts to obtain credentials through
    forced authentication.
  mapping_type: mitigates
  references: []
- attack_object_id: T1197
  attack_object_name: BITS Jobs
  capability_description: Network device configurations
  capability_group: PR.IR
  capability_id: PR.IR-01.02
  comments: This diagnostic statement provides protection through secure network device
    configurations (e.g., firewall rules, ports, protocols) aligned to security baselines.
    Using network appliances to allow only legitimate BITS traffic can mitigate
    adversary abuse of BITS Jobs.
  mapping_type: mitigates
  references: []
- attack_object_id: T1218.012
  attack_object_name: Verclsid
  capability_description: Network device configurations
  capability_group: PR.IR
  capability_id: PR.IR-01.02
  comments: This diagnostic statement provides protection through secure network device
    configurations (e.g., firewall rules, ports, and protocols) aligned to security
    baselines. Using network appliances to block or filter network traffic can help
    to mitigate this technique.
  mapping_type: mitigates
  references: []
- attack_object_id: T1219
  attack_object_name: Remote Access Software
  capability_description: Network device configurations
  capability_group: PR.IR
  capability_id: PR.IR-01.02
  comments: This diagnostic statement provides protection through secure network device
    configurations (e.g., firewall rules, ports, and protocols) aligned to security
    baselines. Using network appliances to block or filter network traffic can mitigate
    adversary abuse of remote access software.
  mapping_type: mitigates
  references: []
- attack_object_id: T1530
  attack_object_name: Data from Cloud Storage
  capability_description: Network device configurations
  capability_group: PR.IR
  capability_id: PR.IR-01.02
  comments: This diagnostic statement provides protection through secure network device
    configurations (e.g., firewall rules, ports, protocols) aligned to security baselines.
    Employing IP-based restrictions for accessing cloud resources can mitigate adversary
    access to data in cloud storage.
  mapping_type: mitigates
  references: []
- attack_object_id: T1537
  attack_object_name: Transfer Data to Cloud Account
  capability_description: Network device configurations
  capability_group: PR.IR
  capability_id: PR.IR-01.02
  comments: This diagnostic statement provides protection through secure network device
    configurations (e.g., firewall rules, ports, protocols) aligned to security baselines.
    Employing network-based filtering restrictions can mitigate data transfers to
    untrusted VPCs.
  mapping_type: mitigates
  references: []
- attack_object_id: T1542
  attack_object_name: Pre-OS Boot
  capability_description: Network device configurations
  capability_group: PR.IR
  capability_id: PR.IR-01.02
  comments: This diagnostic statement provides protection through secure network device
    configurations (e.g., firewall rules, ports, and protocols) aligned to security
    baselines. Using network appliances to limit access can mitigate adversary abuse
    of pre-OS boot mechanisms.
  mapping_type: mitigates
  references: []
- attack_object_id: T1542.005
  attack_object_name: TFTP Boot
  capability_description: Network device configurations
  capability_group: PR.IR
  capability_id: PR.IR-01.02
  comments: This diagnostic statement provides protection through secure network device
    configurations (e.g., firewall rules, ports, and protocols) aligned to security
    baselines. Employing restrictions on untrusted network sources can mitigate adversary
    abuse of TFTP boot (netbooting).
  mapping_type: mitigates
  references: []
- attack_object_id: T1552
  attack_object_name: Unsecured Credentials
  capability_description: Network device configurations
  capability_group: PR.IR
  capability_id: PR.IR-01.02
  comments: This diagnostic statement provides protection through secure network device
    configurations (e.g., firewall rules, ports, and protocols) aligned to security
    baselines. Employing restrictions that limit network access and communications
    with services can prevent adversaries from finding stored credentials.
  mapping_type: mitigates
  references: []
- attack_object_id: T1552.005
  attack_object_name: Cloud Instance Metadata API
  capability_description: Network device configurations
  capability_group: PR.IR
  capability_id: PR.IR-01.02
  comments: This diagnostic statement provides protection through secure network device
    configurations (e.g., firewall rules, ports, and protocols) aligned to security
    baselines. Employing restrictions that limit network access and communications
    with services can prevent adversaries from finding stored credentials.
  mapping_type: mitigates
  references: []
- attack_object_id: T1552.007
  attack_object_name: Container API
  capability_description: Network device configurations
  capability_group: PR.IR
  capability_id: PR.IR-01.02
  comments: This diagnostic statement provides protection through secure network device
    configurations (e.g., firewall rules, ports, and protocols) aligned to security
    baselines. Employing restrictions that limit network access and communications
    with services can prevent adversaries from finding stored credentials.
  mapping_type: mitigates
  references: []
- attack_object_id: T1557
  attack_object_name: Adversary-in-the-Middle
  capability_description: Network device configurations
  capability_group: PR.IR
  capability_id: PR.IR-01.02
  comments: This diagnostic statement provides protection through secure network device
    configurations (e.g., firewall rules, ports, and protocols) aligned to security
    baselines. Using network appliances to block or filter network traffic that is
    not necessary within the environment can prevent adversaries from establishing
    AiTM conditions.
  mapping_type: mitigates
  references: []
- attack_object_id: T1557.002
  attack_object_name: ARP Cache Poisoning
  capability_description: Network device configurations
  capability_group: PR.IR
  capability_id: PR.IR-01.02
  comments: This diagnostic statement provides protection through secure network device
    configurations (e.g., firewall rules, ports, and protocols) aligned to security
    baselines. Using network appliances to block or filter network traffic that is
    not necessary within the environment can prevent adversaries from establishing
    AiTM conditions.
  mapping_type: mitigates
  references: []
- attack_object_id: T1563.002
  attack_object_name: RDP Hijacking
  capability_description: Network device configurations
  capability_group: PR.IR
  capability_id: PR.IR-01.02
  comments: This diagnostic statement provides protection through secure network device
    configurations (e.g., firewall rules, ports, and protocols) aligned to security
    baselines. Using network appliances to limit access can prevent RDP hijacking.
  mapping_type: mitigates
  references: []
- attack_object_id: T1572
  attack_object_name: Protocol Tunneling
  capability_description: Network device configurations
  capability_group: PR.IR
  capability_id: PR.IR-01.02
  comments: This diagnostic statement provides protection through secure network device
    configurations (e.g., firewall rules, ports, and protocols) aligned to security
    baselines. Using network appliances to block or filter network traffic to untrusted
    or known bad domains and resources can prevent tunneling of network communications.
  mapping_type: mitigates
  references: []
- attack_object_id: T1602
  attack_object_name: Data from Configuration Repository
  capability_description: Network device configurations
  capability_group: PR.IR
  capability_id: PR.IR-01.02
  comments: This diagnostic statement provides protection through secure network device
    configurations (e.g., firewall rules, ports, protocols) aligned to security baselines.
    Employing extended ACLs to block unauthorized protocols can mitigate adversary
    access to data in configuration repositories.
  mapping_type: mitigates
  references: []
- attack_object_id: T1602.001
  attack_object_name: SNMP (MIB Dump)
  capability_description: Network device configurations
  capability_group: PR.IR
  capability_id: PR.IR-01.02
  comments: This diagnostic statement provides protection through secure network device
    configurations (e.g., firewall rules, ports, protocols) aligned to security baselines.
    Employing extended ACLs to block unauthorized protocols can mitigate adversary
    access to data in configuration repositories.
  mapping_type: mitigates
  references: []
- attack_object_id: T1602.002
  attack_object_name: Network Device Configuration Dump
  capability_description: Network device configurations
  capability_group: PR.IR
  capability_id: PR.IR-01.02
  comments: This diagnostic statement provides protection through secure network device
    configurations (e.g., firewall rules, ports, protocols) aligned to security baselines.
    Employing extended ACLs to block unauthorized protocols can mitigate adversary
    access to data in configuration repositories.
  mapping_type: mitigates
  references: []
- attack_object_id: T1609
  attack_object_name: Container Administration Command
  capability_description: Network device configurations
  capability_group: PR.IR
  capability_id: PR.IR-01.02
  comments: This diagnostic statement provides protection through secure network device
    configurations (e.g., firewall rules, ports, and protocols) aligned to security
    baselines. Using network appliances to limit communications with container services
    can prevent adversary abuse of container administration.
  mapping_type: mitigates
  references: []
- attack_object_id: T1612
  attack_object_name: Build Image on Host
  capability_description: Network device configurations
  capability_group: PR.IR
  capability_id: PR.IR-01.02
  comments: This diagnostic statement provides protection through secure network device
    configurations (e.g., firewall rules, ports, and protocols) aligned to security
    baselines. Using network appliances to limit communications with container services
    can prevent adversaries from building container images on hosts.
  mapping_type: mitigates
  references: []
- attack_object_id: T1613
  attack_object_name: Container and Resource Discovery
  capability_description: Network device configurations
  capability_group: PR.IR
  capability_id: PR.IR-01.02
  comments: This diagnostic statement provides protection through secure network device
    configurations (e.g., firewall rules, ports, and protocols) aligned to security
    baselines. Using network appliances to limit communications with container services
    can prevent adversaries from discovering resources in container environments.
  mapping_type: mitigates
  references: []
- attack_object_id: T1001
  attack_object_name: Data Obfuscation
  capability_description: Network communications integrity and availability
  capability_group: PR.IR
  capability_id: PR.IR-01.03
  comments: This diagnostic statement protects against Data Obfuscation through the
    use of secure network configurations, architecture, implementations of zero trust
    architecture, and segmentation.
  mapping_type: mitigates
  references: []
- attack_object_id: T1001.001
  attack_object_name: Junk Data
  capability_description: Network communications integrity and availability
  capability_group: PR.IR
  capability_id: PR.IR-01.03
  comments: This diagnostic statement protects against Junk Data through the use of
    secure network configurations, architecture, implementations of zero trust architecture,
    and segmentation.
  mapping_type: mitigates
  references: []
- attack_object_id: T1001.002
  attack_object_name: Steganography
  capability_description: Network communications integrity and availability
  capability_group: PR.IR
  capability_id: PR.IR-01.03
  comments: This diagnostic statement protects against Steganography through the use
    of secure network configurations, architecture, implementations of zero trust
    architecture, and segmentation.
  mapping_type: mitigates
  references: []
- attack_object_id: T1001.003
  attack_object_name: Protocol or Service Impersonation
  capability_description: Network communications integrity and availability
  capability_group: PR.IR
  capability_id: PR.IR-01.03
  comments: This diagnostic statement protects against Protocol or Service Impersonation
    through the use of secure network configurations, architecture, implementations
    of zero trust architecture, and segmentation.
  mapping_type: mitigates
  references: []
- attack_object_id: T1008
  attack_object_name: Fallback Channels
  capability_description: Network communications integrity and availability
  capability_group: PR.IR
  capability_id: PR.IR-01.03
  comments: This diagnostic statement protects against Fallback Channels through the
    use of secure network configurations, architecture, implementations of zero trust
    architecture, and segmentation.
  mapping_type: mitigates
  references: []
- attack_object_id: T1021
  attack_object_name: Remote Services
  capability_description: Network communications integrity and availability
  capability_group: PR.IR
  capability_id: PR.IR-01.03
  comments: This diagnostic statement protects against Remote Services through the
    use of secure network configurations, architecture, implementations of zero trust
    architecture, and segmentation.
  mapping_type: mitigates
  references: []
- attack_object_id: T1021.001
  attack_object_name: Remote Desktop Protocol
  capability_description: Network communications integrity and availability
  capability_group: PR.IR
  capability_id: PR.IR-01.03
  comments: This diagnostic statement protects against Remote Desktop Protocol through
    the use of secure network configurations, architecture, implementations of zero
    trust architecture, and segmentation.
  mapping_type: mitigates
  references: []
- attack_object_id: T1021.002
  attack_object_name: SMB/Windows Admin Shares
  capability_description: Network communications integrity and availability
  capability_group: PR.IR
  capability_id: PR.IR-01.03
  comments: This diagnostic statement protects against SMB/Windows Admin Shares through
    the use of secure network configurations, architecture, implementations of zero
    trust architecture, and segmentation.
  mapping_type: mitigates
  references: []
- attack_object_id: T1021.005
  attack_object_name: VNC
  capability_description: Network communications integrity and availability
  capability_group: PR.IR
  capability_id: PR.IR-01.03
  comments: This diagnostic statement protects against VNC through the use of secure
    network configurations, architecture, implementations of zero trust architecture,
    and segmentation.
  mapping_type: mitigates
  references: []
- attack_object_id: T1029
  attack_object_name: Scheduled Transfer
  capability_description: Network communications integrity and availability
  capability_group: PR.IR
  capability_id: PR.IR-01.03
  comments: This diagnostic statement protects against Scheduled Transfer through
    the use of secure network configurations, architecture, implementations of zero
    trust architecture, and segmentation.
  mapping_type: mitigates
  references: []
- attack_object_id: T1030
  attack_object_name: Data Transfer Size Limits
  capability_description: Network communications integrity and availability
  capability_group: PR.IR
  capability_id: PR.IR-01.03
  comments: This diagnostic statement protects against Data Transfer Size Limits through
    the use of secure network configurations, architecture, implementations of zero
    trust architecture, and segmentation.
  mapping_type: mitigates
  references: []
- attack_object_id: T1041
  attack_object_name: Exfiltration Over C2 Channel
  capability_description: Network communications integrity and availability
  capability_group: PR.IR
  capability_id: PR.IR-01.03
  comments: This diagnostic statement protects against Exfiltration Over C2 Channel
    through the use of secure network configurations, architecture, implementations
    of zero trust architecture, and segmentation.
  mapping_type: mitigates
  references: []
- attack_object_id: T1046
  attack_object_name: Network Service Discovery
  capability_description: Network communications integrity and availability
  capability_group: PR.IR
  capability_id: PR.IR-01.03
  comments: This diagnostic statement protects against Network Service Discovery through
    the use of secure network configurations, architecture, implementations of zero
    trust architecture, and segmentation.
  mapping_type: mitigates
  references: []
- attack_object_id: T1048
  attack_object_name: Exfiltration Over Alternative Protocol
  capability_description: Network communications integrity and availability
  capability_group: PR.IR
  capability_id: PR.IR-01.03
  comments: This diagnostic statement protects against Exfiltration Over Alternative
    Protocol through the use of secure network configurations, architecture, implementations
    of zero trust architecture, and segmentation.
  mapping_type: mitigates
  references: []
- attack_object_id: T1048.001
  attack_object_name: Exfiltration Over Symmetric Encrypted Non-C2 Protocol
  capability_description: Network communications integrity and availability
  capability_group: PR.IR
  capability_id: PR.IR-01.03
  comments: This diagnostic statement protects against Exfiltration Over Symmetric
    Encrypted Non-C2 Protocol through the use of secure network configurations, architecture,
    implementations of zero trust architecture, and segmentation.
  mapping_type: mitigates
  references: []
- attack_object_id: T1048.002
  attack_object_name: Exfiltration Over Asymmetric Encrypted Non-C2 Protocol
  capability_description: Network communications integrity and availability
  capability_group: PR.IR
  capability_id: PR.IR-01.03
  comments: This diagnostic statement protects against Exfiltration Over Asymmetric
    Encrypted Non-C2 Protocol through the use of secure network configurations, architecture,
    implementations of zero trust architecture, and segmentation.
  mapping_type: mitigates
  references: []
- attack_object_id: T1048.003
  attack_object_name: Exfiltration Over Unencrypted Non-C2 Protocol
  capability_description: Network communications integrity and availability
  capability_group: PR.IR
  capability_id: PR.IR-01.03
  comments: This diagnostic statement protects against Exfiltration Over Unencrypted
    Non-C2 Protocol through the use of secure network configurations, architecture,
    implementations of zero trust architecture, and segmentation.
  mapping_type: mitigates
  references: []
- attack_object_id: T1071
  attack_object_name: Application Layer Protocol
  capability_description: Network communications integrity and availability
  capability_group: PR.IR
  capability_id: PR.IR-01.03
  comments: This diagnostic statement protects against Application Layer Protocol
    through the use of secure network configurations, architecture, implementations
    of zero trust architecture, and segmentation.
  mapping_type: mitigates
  references: []
- attack_object_id: T1071.001
  attack_object_name: Web Protocols
  capability_description: Network communications integrity and availability
  capability_group: PR.IR
  capability_id: PR.IR-01.03
  comments: This diagnostic statement protects against Web Protocols through the use
    of secure network configurations, architecture, implementations of zero trust
    architecture, and segmentation.
  mapping_type: mitigates
  references: []
- attack_object_id: T1071.002
  attack_object_name: File Transfer Protocols
  capability_description: Network communications integrity and availability
  capability_group: PR.IR
  capability_id: PR.IR-01.03
  comments: This diagnostic statement protects against File Transfer Protocols through
    the use of secure network configurations, architecture, implementations of zero
    trust architecture, and segmentation.
  mapping_type: mitigates
  references: []
- attack_object_id: T1071.003
  attack_object_name: Mail Protocols
  capability_description: Network communications integrity and availability
  capability_group: PR.IR
  capability_id: PR.IR-01.03
  comments: This diagnostic statement protects against Mail Protocols through the
    use of secure network configurations, architecture, implementations of zero trust
    architecture, and segmentation.
  mapping_type: mitigates
  references: []
- attack_object_id: T1071.004
  attack_object_name: DNS
  capability_description: Network communications integrity and availability
  capability_group: PR.IR
  capability_id: PR.IR-01.03
  comments: This diagnostic statement protects against DNS through the use of secure
    network configurations, architecture, implementations of zero trust architecture,
    and segmentation.
  mapping_type: mitigates
  references: []
- attack_object_id: T1071.005
  attack_object_name: Publish/Subscribe Protocols
  capability_description: Network communications integrity and availability
  capability_group: PR.IR
  capability_id: PR.IR-01.03
  comments: This diagnostic statement protects against Publish/Subscribe Protocols
    through the use of secure network configurations, architecture, implementations
    of zero trust architecture, and segmentation.
  mapping_type: mitigates
  references: []
- attack_object_id: T1090
  attack_object_name: Proxy
  capability_description: Network communications integrity and availability
  capability_group: PR.IR
  capability_id: PR.IR-01.03
  comments: This diagnostic statement protects against Proxy through the use of secure
    network configurations, architecture, implementations of zero trust architecture,
    and segmentation.
  mapping_type: mitigates
  references: []
- attack_object_id: T1090.001
  attack_object_name: Internal Proxy
  capability_description: Network communications integrity and availability
  capability_group: PR.IR
  capability_id: PR.IR-01.03
  comments: This diagnostic statement protects against Internal Proxy through the
    use of secure network configurations, architecture, implementations of zero trust
    architecture, and segmentation.
  mapping_type: mitigates
  references: []
- attack_object_id: T1090.002
  attack_object_name: External Proxy
  capability_description: Network communications integrity and availability
  capability_group: PR.IR
  capability_id: PR.IR-01.03
  comments: This diagnostic statement protects against External Proxy through the
    use of secure network configurations, architecture, implementations of zero trust
    architecture, and segmentation.
  mapping_type: mitigates
  references: []
- attack_object_id: T1090.003
  attack_object_name: Multi-hop Proxy
  capability_description: Network communications integrity and availability
  capability_group: PR.IR
  capability_id: PR.IR-01.03
  comments: This diagnostic statement protects against Multi-hop Proxy through the
    use of secure network configurations, architecture, implementations of zero trust
    architecture, and segmentation.
  mapping_type: mitigates
  references: []
- attack_object_id: T1095
  attack_object_name: Non-Application Layer Protocol
  capability_description: Network communications integrity and availability
  capability_group: PR.IR
  capability_id: PR.IR-01.03
  comments: This diagnostic statement protects against Non-Application Layer Protocol
    through the use of secure network configurations, architecture, implementations
    of zero trust architecture, and segmentation.
  mapping_type: mitigates
  references: []
- attack_object_id: T1102
  attack_object_name: Web Service
  capability_description: Network communications integrity and availability
  capability_group: PR.IR
  capability_id: PR.IR-01.03
  comments: This diagnostic statement protects against Web Service through the use
    of secure network configurations, architecture, implementations of zero trust
    architecture, and segmentation.
  mapping_type: mitigates
  references: []
- attack_object_id: T1102.001
  attack_object_name: Dead Drop Resolver
  capability_description: Network communications integrity and availability
  capability_group: PR.IR
  capability_id: PR.IR-01.03
  comments: This diagnostic statement protects against Dead Drop Resolver through
    the use of secure network configurations, architecture, implementations of zero
    trust architecture, and segmentation.
  mapping_type: mitigates
  references: []
- attack_object_id: T1102.002
  attack_object_name: Bidirectional Communication
  capability_description: Network communications integrity and availability
  capability_group: PR.IR
  capability_id: PR.IR-01.03
  comments: This diagnostic statement protects against Bidirectional Communication
    through the use of secure network configurations, architecture, implementations
    of zero trust architecture, and segmentation.
  mapping_type: mitigates
  references: []
- attack_object_id: T1102.003
  attack_object_name: One-Way Communication
  capability_description: Network communications integrity and availability
  capability_group: PR.IR
  capability_id: PR.IR-01.03
  comments: This diagnostic statement protects against One-Way Communication through
    the use of secure network configurations, architecture, implementations of zero
    trust architecture, and segmentation.
  mapping_type: mitigates
  references: []
- attack_object_id: T1104
  attack_object_name: Multi-Stage Channels
  capability_description: Network communications integrity and availability
  capability_group: PR.IR
  capability_id: PR.IR-01.03
  comments: This diagnostic statement protects against Multi-Stage Channels through
    the use of secure network configurations, architecture, implementations of zero
    trust architecture, and segmentation.
  mapping_type: mitigates
  references: []
- attack_object_id: T1105
  attack_object_name: Ingress Tool Transfer
  capability_description: Network communications integrity and availability
  capability_group: PR.IR
  capability_id: PR.IR-01.03
  comments: This diagnostic statement protects against Ingress Tool Transfer through
    the use of secure network configurations, architecture, implementations of zero
    trust architecture, and segmentation.
  mapping_type: mitigates
  references: []
- attack_object_id: T1132
  attack_object_name: Data Encoding
  capability_description: Network communications integrity and availability
  capability_group: PR.IR
  capability_id: PR.IR-01.03
  comments: This diagnostic statement protects against Data Encoding through the use
    of secure network configurations, architecture, implementations of zero trust
    architecture, and segmentation.
  mapping_type: mitigates
  references: []
- attack_object_id: T1132.001
  attack_object_name: Standard Encoding
  capability_description: Network communications integrity and availability
  capability_group: PR.IR
  capability_id: PR.IR-01.03
  comments: This diagnostic statement protects against Standard Encoding through the
    use of secure network configurations, architecture, implementations of zero trust
    architecture, and segmentation.
  mapping_type: mitigates
  references: []
- attack_object_id: T1132.002
  attack_object_name: Non-Standard Encoding
  capability_description: Network communications integrity and availability
  capability_group: PR.IR
  capability_id: PR.IR-01.03
  comments: This diagnostic statement protects against Non-Standard Encoding through
    the use of secure network configurations, architecture, implementations of zero
    trust architecture, and segmentation.
  mapping_type: mitigates
  references: []
- attack_object_id: T1133
  attack_object_name: External Remote Services
  capability_description: Network communications integrity and availability
  capability_group: PR.IR
  capability_id: PR.IR-01.03
  comments: This diagnostic statement protects against External Remote Services through
    the use of secure network configurations, architecture, implementations of zero
    trust architecture, and segmentation.
  mapping_type: mitigates
  references: []
- attack_object_id: T1187
  attack_object_name: Forced Authentication
  capability_description: Network communications integrity and availability
  capability_group: PR.IR
  capability_id: PR.IR-01.03
  comments: This diagnostic statement protects against Forced Authentication through
    the use of secure network configurations, architecture, implementations of zero
    trust architecture, and segmentation.
  mapping_type: mitigates
  references: []
- attack_object_id: T1197
  attack_object_name: BITS Jobs
  capability_description: Network communications integrity and availability
  capability_group: PR.IR
  capability_id: PR.IR-01.03
  comments: This diagnostic statement protects against BITS Jobs through the use of
    secure network configurations, architecture, implementations of zero trust architecture,
    and segmentation.
  mapping_type: mitigates
  references: []
- attack_object_id: T1200
  attack_object_name: Hardware Additions
  capability_description: Network communications integrity and availability
  capability_group: PR.IR
  capability_id: PR.IR-01.03
  comments: This diagnostic statement protects against Hardware Additions through
    the use of secure network configurations, architecture, implementations of zero
    trust architecture, and segmentation.
  mapping_type: mitigates
  references: []
- attack_object_id: T1204
  attack_object_name: User Execution
  capability_description: Network communications integrity and availability
  capability_group: PR.IR
  capability_id: PR.IR-01.03
  comments: This diagnostic statement protects against User Execution through the
    use of secure network configurations, architecture, implementations of zero trust
    architecture, and segmentation.
  mapping_type: mitigates
  references: []
- attack_object_id: T1204.001
  attack_object_name: Malicious Link
  capability_description: Network communications integrity and availability
  capability_group: PR.IR
  capability_id: PR.IR-01.03
  comments: This diagnostic statement protects against Malicious Link through the
    use of secure network configurations, architecture, implementations of zero trust
    architecture, and segmentation.
  mapping_type: mitigates
  references: []
- attack_object_id: T1204.003
  attack_object_name: Malicious Image
  capability_description: Network communications integrity and availability
  capability_group: PR.IR
  capability_id: PR.IR-01.03
  comments: This diagnostic statement protects against Malicious Image through the
    use of secure network configurations, architecture, implementations of zero trust
    architecture, and segmentation.
  mapping_type: mitigates
  references: []
- attack_object_id: T1205
  attack_object_name: Traffic Signaling
  capability_description: Network communications integrity and availability
  capability_group: PR.IR
  capability_id: PR.IR-01.03
  comments: This diagnostic statement protects against Traffic Signaling through the
    use of secure network configurations, architecture, implementations of zero trust
    architecture, and segmentation.
  mapping_type: mitigates
  references: []
- attack_object_id: T1205.001
  attack_object_name: Port Knocking
  capability_description: Network communications integrity and availability
  capability_group: PR.IR
  capability_id: PR.IR-01.03
  comments: This diagnostic statement protects against Port Knocking through the use
    of secure network configurations, architecture, implementations of zero trust
    architecture, and segmentation.
  mapping_type: mitigates
  references: []
- attack_object_id: T1205.002
  attack_object_name: Socket Filters
  capability_description: Network communications integrity and availability
  capability_group: PR.IR
  capability_id: PR.IR-01.03
  comments: This diagnostic statement protects against Socket Filters through the
    use of secure network configurations, architecture, implementations of zero trust
    architecture, and segmentation.
  mapping_type: mitigates
  references: []
- attack_object_id: T1218
  attack_object_name: System Binary Proxy Execution
  capability_description: Network communications integrity and availability
  capability_group: PR.IR
  capability_id: PR.IR-01.03
  comments: This diagnostic statement protects against System Binary Proxy Execution
    through the use of secure network configurations, architecture, implementations
    of zero trust architecture, and segmentation.
  mapping_type: mitigates
  references: []
- attack_object_id: T1218.012
  attack_object_name: Verclsid
  capability_description: Network communications integrity and availability
  capability_group: PR.IR
  capability_id: PR.IR-01.03
  comments: This diagnostic statement protects against Verclsid through the use of
    secure network configurations, architecture, implementations of zero trust architecture,
    and segmentation.
  mapping_type: mitigates
  references: []
- attack_object_id: T1219
  attack_object_name: Remote Access Software
  capability_description: Network communications integrity and availability
  capability_group: PR.IR
  capability_id: PR.IR-01.03
  comments: This diagnostic statement protects against Remote Access Software through
    the use of secure network configurations, architecture, implementations of zero
    trust architecture, and segmentation.
  mapping_type: mitigates
  references: []
- attack_object_id: T1221
  attack_object_name: Template Injection
  capability_description: Network communications integrity and availability
  capability_group: PR.IR
  capability_id: PR.IR-01.03
  comments: This diagnostic statement protects against Template Injection through
    the use of secure network configurations, architecture, implementations of zero
    trust architecture, and segmentation.
  mapping_type: mitigates
  references: []
- attack_object_id: T1498
  attack_object_name: Network Denial of Service
  capability_description: Network communications integrity and availability
  capability_group: PR.IR
  capability_id: PR.IR-01.03
  comments: This diagnostic statement protects against Network Denial of Service through
    the use of secure network configurations, architecture, implementations of zero
    trust architecture, and segmentation.
  mapping_type: mitigates
  references: []
- attack_object_id: T1498.001
  attack_object_name: Direct Network Flood
  capability_description: Network communications integrity and availability
  capability_group: PR.IR
  capability_id: PR.IR-01.03
  comments: This diagnostic statement protects against Direct Network Flood through
    the use of secure network configurations, architecture, implementations of zero
    trust architecture, and segmentation.
  mapping_type: mitigates
  references: []
- attack_object_id: T1498.002
  attack_object_name: Reflection Amplification
  capability_description: Network communications integrity and availability
  capability_group: PR.IR
  capability_id: PR.IR-01.03
  comments: This diagnostic statement protects against Reflection Amplification through
    the use of secure network configurations, architecture, implementations of zero
    trust architecture, and segmentation.
  mapping_type: mitigates
  references: []
- attack_object_id: T1499
  attack_object_name: Endpoint Denial of Service
  capability_description: Network communications integrity and availability
  capability_group: PR.IR
  capability_id: PR.IR-01.03
  comments: This diagnostic statement protects against Endpoint Denial of Service
    through the use of secure network configurations, architecture, implementations
    of zero trust architecture, and segmentation.
  mapping_type: mitigates
  references: []
- attack_object_id: T1499.001
  attack_object_name: OS Exhaustion Flood
  capability_description: Network communications integrity and availability
  capability_group: PR.IR
  capability_id: PR.IR-01.03
  comments: This diagnostic statement protects against OS Exhaustion Flood through
    the use of secure network configurations, architecture, implementations of zero
    trust architecture, and segmentation.
  mapping_type: mitigates
  references: []
- attack_object_id: T1499.002
  attack_object_name: Service Exhaustion Flood
  capability_description: Network communications integrity and availability
  capability_group: PR.IR
  capability_id: PR.IR-01.03
  comments: This diagnostic statement protects against Service Exhaustion Flood through
    the use of secure network configurations, architecture, implementations of zero
    trust architecture, and segmentation.
  mapping_type: mitigates
  references: []
- attack_object_id: T1499.003
  attack_object_name: Application Exhaustion Flood
  capability_description: Network communications integrity and availability
  capability_group: PR.IR
  capability_id: PR.IR-01.03
  comments: This diagnostic statement protects against Application Exhaustion Flood
    through the use of secure network configurations, architecture, implementations
    of zero trust architecture, and segmentation.
  mapping_type: mitigates
  references: []
- attack_object_id: T1499.004
  attack_object_name: Application or System Exploitation
  capability_description: Network communications integrity and availability
  capability_group: PR.IR
  capability_id: PR.IR-01.03
  comments: This diagnostic statement protects against Application or System Exploitation
    through the use of secure network configurations, architecture, implementations
    of zero trust architecture, and segmentation.
  mapping_type: mitigates
  references: []
- attack_object_id: T1530
  attack_object_name: Data from Cloud Storage
  capability_description: Network communications integrity and availability
  capability_group: PR.IR
  capability_id: PR.IR-01.03
  comments: This diagnostic statement protects against Data from Cloud Storage through
    the use of secure network configurations, architecture, implementations of zero
    trust architecture, and segmentation.
  mapping_type: mitigates
  references: []
- attack_object_id: T1537
  attack_object_name: Transfer Data to Cloud Account
  capability_description: Network communications integrity and availability
  capability_group: PR.IR
  capability_id: PR.IR-01.03
  comments: This diagnostic statement protects against Transfer Data to Cloud Account
    through the use of secure network configurations, architecture, implementations
    of zero trust architecture, and segmentation.
  mapping_type: mitigates
  references: []
- attack_object_id: T1542
  attack_object_name: Pre-OS Boot
  capability_description: Network communications integrity and availability
  capability_group: PR.IR
  capability_id: PR.IR-01.03
  comments: This diagnostic statement protects against Pre-OS Boot through the use
    of secure network configurations, architecture, implementations of zero trust
    architecture, and segmentation.
  mapping_type: mitigates
  references: []
- attack_object_id: T1542.004
  attack_object_name: ROMMONkit
  capability_description: Network communications integrity and availability
  capability_group: PR.IR
  capability_id: PR.IR-01.03
  comments: This diagnostic statement protects against ROMMONkit through the use of
    secure network configurations, architecture, implementations of zero trust architecture,
    and segmentation.
  mapping_type: mitigates
  references: []
- attack_object_id: T1542.005
  attack_object_name: TFTP Boot
  capability_description: Network communications integrity and availability
  capability_group: PR.IR
  capability_id: PR.IR-01.03
  comments: This diagnostic statement protects against TFTP Boot through the use of
    secure network configurations, architecture, implementations of zero trust architecture,
    and segmentation.
  mapping_type: mitigates
  references: []
- attack_object_id: T1546
  attack_object_name: Event Triggered Execution
  capability_description: Network communications integrity and availability
  capability_group: PR.IR
  capability_id: PR.IR-01.03
  comments: This diagnostic statement protects against Event Triggered Execution through
    the use of secure network configurations, architecture, implementations of zero
    trust architecture, and segmentation.
  mapping_type: mitigates
  references: []
- attack_object_id: T1546.008
  attack_object_name: Accessibility Features
  capability_description: Network communications integrity and availability
  capability_group: PR.IR
  capability_id: PR.IR-01.03
  comments: This diagnostic statement protects against Accessibility Features through
    the use of secure network configurations, architecture, implementations of zero
    trust architecture, and segmentation.
  mapping_type: mitigates
  references: []
- attack_object_id: T1552
  attack_object_name: Unsecured Credentials
  capability_description: Network communications integrity and availability
  capability_group: PR.IR
  capability_id: PR.IR-01.03
  comments: This diagnostic statement protects against Unsecured Credentials through
    the use of secure network configurations, architecture, implementations of zero
    trust architecture, and segmentation.
  mapping_type: mitigates
  references: []
- attack_object_id: T1552.005
  attack_object_name: Cloud Instance Metadata API
  capability_description: Network communications integrity and availability
  capability_group: PR.IR
  capability_id: PR.IR-01.03
  comments: This diagnostic statement protects against Cloud Instance Metadata API
    through the use of secure network configurations, architecture, implementations
    of zero trust architecture, and segmentation.
  mapping_type: mitigates
  references: []
- attack_object_id: T1552.007
  attack_object_name: Container API
  capability_description: Network communications integrity and availability
  capability_group: PR.IR
  capability_id: PR.IR-01.03
  comments: This diagnostic statement protects against Container API through the use
    of secure network configurations, architecture, implementations of zero trust
    architecture, and segmentation.
  mapping_type: mitigates
  references: []
- attack_object_id: T1557
  attack_object_name: Adversary-in-the-Middle
  capability_description: Network communications integrity and availability
  capability_group: PR.IR
  capability_id: PR.IR-01.03
  comments: This diagnostic statement protects against Adversary-in-the-Middle through
    the use of secure network configurations, architecture, implementations of zero
    trust architecture, and segmentation.
  mapping_type: mitigates
  references: []
- attack_object_id: T1557.001
  attack_object_name: LLMNR/NBT-NS Poisoning and SMB Relay
  capability_description: Network communications integrity and availability
  capability_group: PR.IR
  capability_id: PR.IR-01.03
  comments: This diagnostic statement protects against LLMNR/NBT-NS Poisoning and
    SMB Relay through the use of secure network configurations, architecture, implementations
    of zero trust architecture, and segmentation.
  mapping_type: mitigates
  references: []
- attack_object_id: T1557.002
  attack_object_name: ARP Cache Poisoning
  capability_description: Network communications integrity and availability
  capability_group: PR.IR
  capability_id: PR.IR-01.03
  comments: This diagnostic statement protects against ARP Cache Poisoning through
    the use of secure network configurations, architecture, implementations of zero
    trust architecture, and segmentation.
  mapping_type: mitigates
  references: []
- attack_object_id: T1557.003
  attack_object_name: DHCP Spoofing
  capability_description: Network communications integrity and availability
  capability_group: PR.IR
  capability_id: PR.IR-01.03
  comments: This diagnostic statement protects against DHCP Spoofing through the use
    of secure network configurations, architecture, implementations of zero trust
    architecture, and segmentation.
  mapping_type: mitigates
  references: []
- attack_object_id: T1557.004
  attack_object_name: Evil Twin
  capability_description: Network communications integrity and availability
  capability_group: PR.IR
  capability_id: PR.IR-01.03
  comments: This diagnostic statement protects against Evil Twin through the use of
    secure network configurations, architecture, implementations of zero trust architecture,
    and segmentation.
  mapping_type: mitigates
  references: []
- attack_object_id: T1563
  attack_object_name: Remote Service Session Hijacking
  capability_description: Network communications integrity and availability
  capability_group: PR.IR
  capability_id: PR.IR-01.03
  comments: This diagnostic statement protects against Remote Service Session Hijacking
    through the use of secure network configurations, architecture, implementations
    of zero trust architecture, and segmentation.
  mapping_type: mitigates
  references: []
- attack_object_id: T1563.002
  attack_object_name: RDP Hijacking
  capability_description: Network communications integrity and availability
  capability_group: PR.IR
  capability_id: PR.IR-01.03
  comments: This diagnostic statement protects against RDP Hijacking through the use
    of secure network configurations, architecture, implementations of zero trust
    architecture, and segmentation.
  mapping_type: mitigates
  references: []
- attack_object_id: T1566
  attack_object_name: Phishing
  capability_description: Network communications integrity and availability
  capability_group: PR.IR
  capability_id: PR.IR-01.03
  comments: This diagnostic statement protects against Phishing through the use of
    secure network configurations, architecture, implementations of zero trust architecture,
    and segmentation.
  mapping_type: mitigates
  references: []
- attack_object_id: T1566.001
  attack_object_name: Spearphishing Attachment
  capability_description: Network communications integrity and availability
  capability_group: PR.IR
  capability_id: PR.IR-01.03
  comments: This diagnostic statement protects against Spearphishing Attachment through
    the use of secure network configurations, architecture, implementations of zero
    trust architecture, and segmentation.
  mapping_type: mitigates
  references: []
- attack_object_id: T1568
  attack_object_name: Dynamic Resolution
  capability_description: Network communications integrity and availability
  capability_group: PR.IR
  capability_id: PR.IR-01.03
  comments: This diagnostic statement protects against Dynamic Resolution through
    the use of secure network configurations, architecture, implementations of zero
    trust architecture, and segmentation.
  mapping_type: mitigates
  references: []
- attack_object_id: T1568.002
  attack_object_name: Domain Generation Algorithms
  capability_description: Network communications integrity and availability
  capability_group: PR.IR
  capability_id: PR.IR-01.03
  comments: This diagnostic statement protects against Domain Generation Algorithms
    through the use of secure network configurations, architecture, implementations
    of zero trust architecture, and segmentation.
  mapping_type: mitigates
  references: []
- attack_object_id: T1570
  attack_object_name: Lateral Tool Transfer
  capability_description: Network communications integrity and availability
  capability_group: PR.IR
  capability_id: PR.IR-01.03
  comments: This diagnostic statement protects against Lateral Tool Transfer through
    the use of secure network configurations, architecture, implementations of zero
    trust architecture, and segmentation.
  mapping_type: mitigates
  references: []
- attack_object_id: T1571
  attack_object_name: Non-Standard Port
  capability_description: Network communications integrity and availability
  capability_group: PR.IR
  capability_id: PR.IR-01.03
  comments: This diagnostic statement protects against Non-Standard Port through the
    use of secure network configurations, architecture, implementations of zero trust
    architecture, and segmentation.
  mapping_type: mitigates
  references: []
- attack_object_id: T1572
  attack_object_name: Protocol Tunneling
  capability_description: Network communications integrity and availability
  capability_group: PR.IR
  capability_id: PR.IR-01.03
  comments: This diagnostic statement protects against Protocol Tunneling through
    the use of secure network configurations, architecture, implementations of zero
    trust architecture, and segmentation.
  mapping_type: mitigates
  references: []
- attack_object_id: T1573
  attack_object_name: Encrypted Channel
  capability_description: Network communications integrity and availability
  capability_group: PR.IR
  capability_id: PR.IR-01.03
  comments: This diagnostic statement protects against Encrypted Channel through the
    use of secure network configurations, architecture, implementations of zero trust
    architecture, and segmentation.
  mapping_type: mitigates
  references: []
- attack_object_id: T1573.001
  attack_object_name: Symmetric Cryptography
  capability_description: Network communications integrity and availability
  capability_group: PR.IR
  capability_id: PR.IR-01.03
  comments: This diagnostic statement protects against Symmetric Cryptography through
    the use of secure network configurations, architecture, implementations of zero
    trust architecture, and segmentation.
  mapping_type: mitigates
  references: []
- attack_object_id: T1573.002
  attack_object_name: Asymmetric Cryptography
  capability_description: Network communications integrity and availability
  capability_group: PR.IR
  capability_id: PR.IR-01.03
  comments: This diagnostic statement protects against Asymmetric Cryptography through
    the use of secure network configurations, architecture, implementations of zero
    trust architecture, and segmentation.
  mapping_type: mitigates
  references: []
- attack_object_id: T1599
  attack_object_name: Network Boundary Bridging
  capability_description: Network communications integrity and availability
  capability_group: PR.IR
  capability_id: PR.IR-01.03
  comments: This diagnostic statement protects against Network Boundary Bridging through
    the use of secure network configurations, architecture, implementations of zero
    trust architecture, and segmentation.
  mapping_type: mitigates
  references: []
- attack_object_id: T1599.001
  attack_object_name: Network Address Translation Traversal
  capability_description: Network communications integrity and availability
  capability_group: PR.IR
  capability_id: PR.IR-01.03
  comments: This diagnostic statement protects against Network Address Translation
    Traversal through the use of secure network configurations, architecture, implementations
    of zero trust architecture, and segmentation.
  mapping_type: mitigates
  references: []
- attack_object_id: T1602
  attack_object_name: Data from Configuration Repository
  capability_description: Network communications integrity and availability
  capability_group: PR.IR
  capability_id: PR.IR-01.03
  comments: This diagnostic statement protects against Data from Configuration Repository
    through the use of secure network configurations, architecture, implementations
    of zero trust architecture, and segmentation.
  mapping_type: mitigates
  references: []
- attack_object_id: T1602.001
  attack_object_name: SNMP (MIB Dump)
  capability_description: Network communications integrity and availability
  capability_group: PR.IR
  capability_id: PR.IR-01.03
  comments: This diagnostic statement protects against SNMP (MIB Dump) through the
    use of secure network configurations, architecture, implementations of zero trust
    architecture, and segmentation.
  mapping_type: mitigates
  references: []
- attack_object_id: T1602.002
  attack_object_name: Network Device Configuration Dump
  capability_description: Network communications integrity and availability
  capability_group: PR.IR
  capability_id: PR.IR-01.03
  comments: This diagnostic statement protects against Network Device Configuration
    Dump through the use of secure network configurations, architecture, implementations
    of zero trust architecture, and segmentation.
  mapping_type: mitigates
  references: []
- attack_object_id: T1609
  attack_object_name: Container Administration Command
  capability_description: Network communications integrity and availability
  capability_group: PR.IR
  capability_id: PR.IR-01.03
  comments: This diagnostic statement protects against Container Administration Command
    through the use of secure network configurations, architecture, implementations
    of zero trust architecture, and segmentation.
  mapping_type: mitigates
  references: []
- attack_object_id: T1610
  attack_object_name: Deploy Container
  capability_description: Network communications integrity and availability
  capability_group: PR.IR
  capability_id: PR.IR-01.03
  comments: This diagnostic statement protects against Deploy Container through the
    use of secure network configurations, architecture, implementations of zero trust
    architecture, and segmentation.
  mapping_type: mitigates
  references: []
- attack_object_id: T1612
  attack_object_name: Build Image on Host
  capability_description: Network communications integrity and availability
  capability_group: PR.IR
  capability_id: PR.IR-01.03
  comments: This diagnostic statement protects against Build Image on Host through
    the use of secure network configurations, architecture, implementations of zero
    trust architecture, and segmentation.
  mapping_type: mitigates
  references: []
- attack_object_id: T1613
  attack_object_name: Container and Resource Discovery
  capability_description: Network communications integrity and availability
  capability_group: PR.IR
  capability_id: PR.IR-01.03
  comments: This diagnostic statement protects against Container and Resource Discovery
    through the use of secure network configurations, architecture, implementations
    of zero trust architecture, and segmentation.
  mapping_type: mitigates
  references: []
- attack_object_id: T1021
  attack_object_name: Remote Services
  capability_description: Wireless network protection
  capability_group: PR.IR
  capability_id: PR.IR-01.04
  comments: This diagnostic statement provides protections for wireless networks.
    Implementation of wireless network management measures such as network segmentation
    and access controls reduces the attack surface, restricts movement by adversaries,
    and protects data from compromise.
  mapping_type: mitigates
  references: []
- attack_object_id: T1021.001
  attack_object_name: Remote Desktop Protocol
  capability_description: Wireless network protection
  capability_group: PR.IR
  capability_id: PR.IR-01.04
  comments: This diagnostic statement provides protections for wireless networks.
    Implementation of wireless network management measures such as network segmentation
    and access controls reduces the attack surface, restricts movement by adversaries,
    and protects data from compromise.
  mapping_type: mitigates
  references: []
- attack_object_id: T1021.002
  attack_object_name: SMB/Windows Admin Shares
  capability_description: Wireless network protection
  capability_group: PR.IR
  capability_id: PR.IR-01.04
  comments: This diagnostic statement provides protections for wireless networks.
    Implementation of wireless network management measures such as network segmentation
    and access controls reduces the attack surface, restricts movement by adversaries,
    and protects data from compromise.
  mapping_type: mitigates
  references: []
- attack_object_id: T1021.003
  attack_object_name: Distributed Component Object Model
  capability_description: Wireless network protection
  capability_group: PR.IR
  capability_id: PR.IR-01.04
  comments: This diagnostic statement provides protections for wireless networks.
    Implementation of wireless network management measures such as network segmentation
    and access controls reduces the attack surface, restricts movement by adversaries,
    and protects data from compromise.
  mapping_type: mitigates
  references: []
- attack_object_id: T1040
  attack_object_name: Network Sniffing
  capability_description: Wireless network protection
  capability_group: PR.IR
  capability_id: PR.IR-01.04
  comments: This diagnostic statement provides protections for wireless networks.
    Implementation of wireless network management measures such as network segmentation
    and access controls reduces the attack surface, restricts movement by adversaries,
    and protects data from compromise.
  mapping_type: mitigates
  references: []
- attack_object_id: T1046
  attack_object_name: Network Service Discovery
  capability_description: Wireless network protection
  capability_group: PR.IR
  capability_id: PR.IR-01.04
  comments: This diagnostic statement provides protections for wireless networks.
    Implementation of wireless network management measures such as network segmentation
    and access controls reduces the attack surface, restricts movement by adversaries,
    and protects data from compromise.
  mapping_type: mitigates
  references: []
- attack_object_id: T1048
  attack_object_name: Exfiltration Over Alternative Protocol
  capability_description: Wireless network protection
  capability_group: PR.IR
  capability_id: PR.IR-01.04
  comments: This diagnostic statement provides protections for wireless networks.
    Implementation of wireless network management measures such as network segmentation
    and access controls reduces the attack surface, restricts movement by adversaries,
    and protects data from compromise.
  mapping_type: mitigates
  references: []
- attack_object_id: T1048.001
  attack_object_name: Exfiltration Over Symmetric Encrypted Non-C2 Protocol
  capability_description: Wireless network protection
  capability_group: PR.IR
  capability_id: PR.IR-01.04
  comments: This diagnostic statement provides protections for wireless networks.
    Implementation of wireless network management measures such as network segmentation
    and access controls reduces the attack surface, restricts movement by adversaries,
    and protects data from compromise.
  mapping_type: mitigates
  references: []
- attack_object_id: T1048.002
  attack_object_name: Exfiltration Over Asymmetric Encrypted Non-C2 Protocol
  capability_description: Wireless network protection
  capability_group: PR.IR
  capability_id: PR.IR-01.04
  comments: This diagnostic statement provides protections for wireless networks.
    Implementation of wireless network management measures such as network segmentation
    and access controls reduces the attack surface, restricts movement by adversaries,
    and protects data from compromise.
  mapping_type: mitigates
  references: []
- attack_object_id: T1048.003
  attack_object_name: Exfiltration Over Unencrypted Non-C2 Protocol
  capability_description: Wireless network protection
  capability_group: PR.IR
  capability_id: PR.IR-01.04
  comments: This diagnostic statement provides protections for wireless networks.
    Implementation of wireless network management measures such as network segmentation
    and access controls reduces the attack surface, restricts movement by adversaries,
    and protects data from compromise.
  mapping_type: mitigates
  references: []
- attack_object_id: T1095
  attack_object_name: Non-Application Layer Protocol
  capability_description: Wireless network protection
  capability_group: PR.IR
  capability_id: PR.IR-01.04
  comments: This diagnostic statement provides protections for wireless networks.
    Implementation of wireless network management measures such as network segmentation
    and access controls reduces the attack surface, restricts movement by adversaries,
    and protects data from compromise.
  mapping_type: mitigates
  references: []
- attack_object_id: T1200
  attack_object_name: Hardware Additions
  capability_description: Wireless network protection
  capability_group: PR.IR
  capability_id: PR.IR-01.04
  comments: This diagnostic statement provides protections for wireless networks.
    Implementation of wireless network management measures such as network segmentation
    and access controls reduces the attack surface, restricts movement by adversaries,
    and protects data from compromise.
  mapping_type: mitigates
  references: []
- attack_object_id: T1570
  attack_object_name: Lateral Tool Transfer
  capability_description: Wireless network protection
  capability_group: PR.IR
  capability_id: PR.IR-01.04
  comments: This diagnostic statement provides protections for wireless networks.
    Implementation of wireless network management measures such as network segmentation
    and access controls reduces the attack surface, restricts movement by adversaries,
    and protects data from compromise.
  mapping_type: mitigates
  references: []
- attack_object_id: T1571
  attack_object_name: Non-Standard Port
  capability_description: Wireless network protection
  capability_group: PR.IR
  capability_id: PR.IR-01.04
  comments: This diagnostic statement provides protections for wireless networks.
    Implementation of wireless network management measures such as network segmentation
    and access controls reduces the attack surface, restricts movement by adversaries,
    and protects data from compromise.
  mapping_type: mitigates
  references: []
- attack_object_id: T1572
  attack_object_name: Protocol Tunneling
  capability_description: Wireless network protection
  capability_group: PR.IR
  capability_id: PR.IR-01.04
  comments: This diagnostic statement provides protections for wireless networks.
    Implementation of wireless network management measures such as network segmentation
    and access controls reduces the attack surface, restricts movement by adversaries,
    and protects data from compromise.
  mapping_type: mitigates
  references: []
- attack_object_id: T1573
  attack_object_name: Encrypted Channel
  capability_description: Wireless network protection
  capability_group: PR.IR
  capability_id: PR.IR-01.04
  comments: This diagnostic statement provides protections for wireless networks.
    Implementation of wireless network management measures such as network segmentation
    and access controls reduces the attack surface, restricts movement by adversaries,
    and protects data from compromise.
  mapping_type: mitigates
  references: []
- attack_object_id: T1573.001
  attack_object_name: Symmetric Cryptography
  capability_description: Wireless network protection
  capability_group: PR.IR
  capability_id: PR.IR-01.04
  comments: This diagnostic statement provides protections for wireless networks.
    Implementation of wireless network management measures such as network segmentation
    and access controls reduces the attack surface, restricts movement by adversaries,
    and protects data from compromise.
  mapping_type: mitigates
  references: []
- attack_object_id: T1573.002
  attack_object_name: Asymmetric Cryptography
  capability_description: Wireless network protection
  capability_group: PR.IR
  capability_id: PR.IR-01.04
  comments: This diagnostic statement provides protections for wireless networks.
    Implementation of wireless network management measures such as network segmentation
    and access controls reduces the attack surface, restricts movement by adversaries,
    and protects data from compromise.
  mapping_type: mitigates
  references: []
- attack_object_id: T1542
  attack_object_name: Pre-OS Boot
  capability_description: Remote access protection
  capability_group: PR.IR
  capability_id: PR.IR-01.05
  comments: This diagnostic statement implements security controls and restrictions
    for remote user access to systems. Remote user access control involves managing
    and securing how users remotely access systems, such as through encrypted connections
    and account use policies, which help prevent adversary access.
  mapping_type: mitigates
  references: []
- attack_object_id: T1542.005
  attack_object_name: TFTP Boot
  capability_description: Remote access protection
  capability_group: PR.IR
  capability_id: PR.IR-01.05
  comments: This diagnostic statement implements security controls and restrictions
    for remote user access to systems. Remote user access control involves managing
    and securing how users remotely access systems, such as through encrypted connections
    and account use policies, which help prevent adversary access.
  mapping_type: mitigates
  references: []
- attack_object_id: T1546
  attack_object_name: Event Triggered Execution
  capability_description: Remote access protection
  capability_group: PR.IR
  capability_id: PR.IR-01.05
  comments: This diagnostic statement implements security controls and restrictions
    for remote user access to systems. Remote user access control involves managing
    and securing how users remotely access systems, such as through encrypted connections
    and account use policies, which help prevent adversary access.
  mapping_type: mitigates
  references: []
- attack_object_id: T1546.003
  attack_object_name: Windows Management Instrumentation Event Subscription
  capability_description: Remote access protection
  capability_group: PR.IR
  capability_id: PR.IR-01.05
  comments: This diagnostic statement implements security controls and restrictions
    for remote user access to systems. Remote user access control involves managing
    and securing how users remotely access systems, such as through encrypted connections
    and account use policies, which help prevent adversary access.
  mapping_type: mitigates
  references: []
- attack_object_id: T1552
  attack_object_name: Unsecured Credentials
  capability_description: Remote access protection
  capability_group: PR.IR
  capability_id: PR.IR-01.05
  comments: This diagnostic statement implements security controls and restrictions
    for remote user access to systems. Remote user access control involves managing
    and securing how users remotely access systems, such as through encrypted connections
    and account use policies, which help prevent adversary access.
  mapping_type: mitigates
  references: []
- attack_object_id: T1552.002
  attack_object_name: Credentials in Registry
  capability_description: Remote access protection
  capability_group: PR.IR
  capability_id: PR.IR-01.05
  comments: This diagnostic statement implements security controls and restrictions
    for remote user access to systems. Remote user access control involves managing
    and securing how users remotely access systems, such as through encrypted connections
    and account use policies, which help prevent adversary access.
  mapping_type: mitigates
  references: []
- attack_object_id: T1552.007
  attack_object_name: Container API
  capability_description: Remote access protection
  capability_group: PR.IR
  capability_id: PR.IR-01.05
  comments: This diagnostic statement implements security controls and restrictions
    for remote user access to systems. Remote user access control involves managing
    and securing how users remotely access systems, such as through encrypted connections
    and account use policies, which help prevent adversary access.
  mapping_type: mitigates
  references: []
- attack_object_id: T1556
  attack_object_name: Modify Authentication Process
  capability_description: Remote access protection
  capability_group: PR.IR
  capability_id: PR.IR-01.05
  comments: This diagnostic statement implements security controls and restrictions
    for remote user access to systems. Remote user access control involves managing
    and securing how users remotely access systems, such as through encrypted connections
    and account use policies, which help prevent adversary access.
  mapping_type: mitigates
  references: []
- attack_object_id: T1556.001
  attack_object_name: Domain Controller Authentication
  capability_description: Remote access protection
  capability_group: PR.IR
  capability_id: PR.IR-01.05
  comments: This diagnostic statement implements security controls and restrictions
    for remote user access to systems. Remote user access control involves managing
    and securing how users remotely access systems, such as through encrypted connections
    and account use policies, which help prevent adversary access.
  mapping_type: mitigates
  references: []
- attack_object_id: T1563
  attack_object_name: Remote Service Session Hijacking
  capability_description: Remote access protection
  capability_group: PR.IR
  capability_id: PR.IR-01.05
  comments: This diagnostic statement implements security controls and restrictions
    for remote user access to systems. Remote user access control involves managing
    and securing how users remotely access systems, such as through encrypted connections
    and account use policies, which help prevent adversary access.
  mapping_type: mitigates
  references: []
- attack_object_id: T1563.002
  attack_object_name: RDP Hijacking
  capability_description: Remote access protection
  capability_group: PR.IR
  capability_id: PR.IR-01.05
  comments: This diagnostic statement implements security controls and restrictions
    for remote user access to systems. Remote user access control involves managing
    and securing how users remotely access systems, such as through encrypted connections
    and account use policies, which help prevent adversary access.
  mapping_type: mitigates
  references: []
- attack_object_id: T1609
  attack_object_name: Container Administration Command
  capability_description: Remote access protection
  capability_group: PR.IR
  capability_id: PR.IR-01.05
  comments: This diagnostic statement implements security controls and restrictions
    for remote user access to systems. Remote user access control involves managing
    and securing how users remotely access systems, such as through encrypted connections
    and account use policies, which help prevent adversary access.
  mapping_type: mitigates
  references: []
- attack_object_id: T1611
  attack_object_name: Escape to Host
  capability_description: Remote access protection
  capability_group: PR.IR
  capability_id: PR.IR-01.05
  comments: This diagnostic statement implements security controls and restrictions
    for remote user access to systems. Remote user access control involves managing
    and securing how users remotely access systems, such as through encrypted connections
    and account use policies, which help prevent adversary access.
  mapping_type: mitigates
  references: []
- attack_object_id: T1612
  attack_object_name: Build Image on Host
  capability_description: Remote access protection
  capability_group: PR.IR
  capability_id: PR.IR-01.05
  comments: This diagnostic statement implements security controls and restrictions
    for remote user access to systems. Remote user access control involves managing
    and securing how users remotely access systems, such as through encrypted connections
    and account use policies, which help prevent adversary access.
  mapping_type: mitigates
  references: []
- attack_object_id: T1621
  attack_object_name: Multi-Factor Authentication Request Generation
  capability_description: Remote access protection
  capability_group: PR.IR
  capability_id: PR.IR-01.05
  comments: This diagnostic statement implements security controls and restrictions
    for remote user access to systems. Remote user access control involves managing
    and securing how users remotely access systems, such as through encrypted connections
    and account use policies, which help prevent adversary access.
  mapping_type: mitigates
  references: []
- attack_object_id: T1021
  attack_object_name: Remote Services
  capability_description: Production environment segregation
  capability_group: PR.IR
  capability_id: PR.IR-01.06
  comments: This diagnostic statement provides protections for production environments.
    Measures such as network segmentation and access control reduce the attack surface,
    restrict movement by adversaries, and protect critical assets and data from compromise.
  mapping_type: mitigates
  references: []
- attack_object_id: T1021.002
  attack_object_name: SMB/Windows Admin Shares
  capability_description: Production environment segregation
  capability_group: PR.IR
  capability_id: PR.IR-01.06
  comments: This diagnostic statement provides protections for production environments.
    Measures such as network segmentation and access control reduce the attack surface,
    restrict movement by adversaries, and protect critical assets and data from compromise.
  mapping_type: mitigates
  references: []
- attack_object_id: T1021.003
  attack_object_name: Distributed Component Object Model
  capability_description: Production environment segregation
  capability_group: PR.IR
  capability_id: PR.IR-01.06
  comments: This diagnostic statement provides protections for production environments.
    Measures such as network segmentation and access control reduce the attack surface,
    restrict movement by adversaries, and protect critical assets and data from compromise.
  mapping_type: mitigates
  references: []
- attack_object_id: T1021.006
  attack_object_name: Windows Remote Management
  capability_description: Production environment segregation
  capability_group: PR.IR
  capability_id: PR.IR-01.06
  comments: This diagnostic statement provides protections for production environments.
    Measures such as network segmentation and access control reduce the attack surface,
    restrict movement by adversaries, and protect critical assets and data from compromise.
  mapping_type: mitigates
  references: []
- attack_object_id: T1021.007
  attack_object_name: Cloud Services
  capability_description: Production environment segregation
  capability_group: PR.IR
  capability_id: PR.IR-01.06
  comments: This diagnostic statement provides protections for production environments.
    Measures such as network segmentation and access control reduce the attack surface,
    restrict movement by adversaries, and protect critical assets and data from compromise.
  mapping_type: mitigates
  references: []
- attack_object_id: T1046
  attack_object_name: Network Service Discovery
  capability_description: Production environment segregation
  capability_group: PR.IR
  capability_id: PR.IR-01.06
  comments: This diagnostic statement provides protections for production environments.
    Measures such as network segmentation and access control reduce the attack surface,
    restrict movement by adversaries, and protect critical assets and data from compromise.
  mapping_type: mitigates
  references: []
- attack_object_id: T1059
  attack_object_name: Command and Scripting Interpreter
  capability_description: Production environment segregation
  capability_group: PR.IR
  capability_id: PR.IR-01.06
  comments: This diagnostic statement provides protections for production environments.
    Measures such as network segmentation and access control reduce the attack surface,
    restrict movement by adversaries, and protect critical assets and data from compromise.
  mapping_type: mitigates
  references: []
- attack_object_id: T1059.001
  attack_object_name: PowerShell
  capability_description: Production environment segregation
  capability_group: PR.IR
  capability_id: PR.IR-01.06
  comments: This diagnostic statement provides protections for production environments.
    Measures such as network segmentation and access control reduce the attack surface,
    restrict movement by adversaries, and protect critical assets and data from compromise.
  mapping_type: mitigates
  references: []
- attack_object_id: T1059.008
  attack_object_name: Network Device CLI
  capability_description: Production environment segregation
  capability_group: PR.IR
  capability_id: PR.IR-01.06
  comments: This diagnostic statement provides protections for production environments.
    Measures such as network segmentation and access control reduce the attack surface,
    restrict movement by adversaries, and protect critical assets and data from compromise.
  mapping_type: mitigates
  references: []
- attack_object_id: T1059.009
  attack_object_name: Cloud API
  capability_description: Production environment segregation
  capability_group: PR.IR
  capability_id: PR.IR-01.06
  comments: This diagnostic statement provides protections for production environments.
    Measures such as network segmentation and access control reduce the attack surface,
    restrict movement by adversaries, and protect critical assets and data from compromise.
  mapping_type: mitigates
  references: []
- attack_object_id: T1072
  attack_object_name: Software Deployment Tools
  capability_description: Production environment segregation
  capability_group: PR.IR
  capability_id: PR.IR-01.06
  comments: This diagnostic statement provides protections for production environments.
    Measures such as network segmentation and access control reduce the attack surface,
    restrict movement by adversaries, and protect critical assets and data from compromise.
  mapping_type: mitigates
  references: []
- attack_object_id: T1095
  attack_object_name: Non-Application Layer Protocol
  capability_description: Production environment segregation
  capability_group: PR.IR
  capability_id: PR.IR-01.06
  comments: This diagnostic statement provides protections for production environments.
    Measures such as network segmentation and access control reduce the attack surface,
    restrict movement by adversaries, and protect critical assets and data from compromise.
  mapping_type: mitigates
  references: []
- attack_object_id: T1098
  attack_object_name: Account Manipulation
  capability_description: Production environment segregation
  capability_group: PR.IR
  capability_id: PR.IR-01.06
  comments: This diagnostic statement provides protections for production environments.
    Measures such as network segmentation and access control reduce the attack surface,
    restrict movement by adversaries, and protect critical assets and data from compromise.
  mapping_type: mitigates
  references: []
- attack_object_id: T1098.001
  attack_object_name: Additional Cloud Credentials
  capability_description: Production environment segregation
  capability_group: PR.IR
  capability_id: PR.IR-01.06
  comments: This diagnostic statement provides protections for production environments.
    Measures such as network segmentation and access control reduce the attack surface,
    restrict movement by adversaries, and protect critical assets and data from compromise.
  mapping_type: mitigates
  references: []
- attack_object_id: T1098.002
  attack_object_name: Additional Email Delegate Permissions
  capability_description: Production environment segregation
  capability_group: PR.IR
  capability_id: PR.IR-01.06
  comments: This diagnostic statement provides protections for production environments.
    Measures such as network segmentation and access control reduce the attack surface,
    restrict movement by adversaries, and protect critical assets and data from compromise.
  mapping_type: mitigates
  references: []
- attack_object_id: T1098.003
  attack_object_name: Additional Cloud Roles
  capability_description: Production environment segregation
  capability_group: PR.IR
  capability_id: PR.IR-01.06
  comments: This diagnostic statement provides protections for production environments.
    Measures such as network segmentation and access control reduce the attack surface,
    restrict movement by adversaries, and protect critical assets and data from compromise.
  mapping_type: mitigates
  references: []
- attack_object_id: T1134
  attack_object_name: Access Token Manipulation
  capability_description: Production environment segregation
  capability_group: PR.IR
  capability_id: PR.IR-01.06
  comments: This diagnostic statement provides protections for production environments.
    Measures such as network segmentation and access control reduce the attack surface,
    restrict movement by adversaries, and protect critical assets and data from compromise.
  mapping_type: mitigates
  references: []
- attack_object_id: T1136
  attack_object_name: Create Account
  capability_description: Production environment segregation
  capability_group: PR.IR
  capability_id: PR.IR-01.06
  comments: This diagnostic statement provides protections for production environments.
    Measures such as network segmentation and access control reduce the attack surface,
    restrict movement by adversaries, and protect critical assets and data from compromise.
  mapping_type: mitigates
  references: []
- attack_object_id: T1190
  attack_object_name: Exploit Public-Facing Application
  capability_description: Production environment segregation
  capability_group: PR.IR
  capability_id: PR.IR-01.06
  comments: This diagnostic statement provides protections for production environments.
    Measures such as network segmentation and access control reduce the attack surface,
    restrict movement by adversaries, and protect critical assets and data from compromise.
  mapping_type: mitigates
  references: []
- attack_object_id: T1199
  attack_object_name: Trusted Relationship
  capability_description: Production environment segregation
  capability_group: PR.IR
  capability_id: PR.IR-01.06
  comments: This diagnostic statement provides protections for production environments.
    Measures such as network segmentation and access control reduce the attack surface,
    restrict movement by adversaries, and protect critical assets and data from compromise.
  mapping_type: mitigates
  references: []
- attack_object_id: T1210
  attack_object_name: Exploitation of Remote Services
  capability_description: Production environment segregation
  capability_group: PR.IR
  capability_id: PR.IR-01.06
  comments: This diagnostic statement provides protections for production environments.
    Measures such as network segmentation and access control reduce the attack surface,
    restrict movement by adversaries, and protect critical assets and data from compromise.
  mapping_type: mitigates
  references: []
- attack_object_id: T1218
  attack_object_name: System Binary Proxy Execution
  capability_description: Production environment segregation
  capability_group: PR.IR
  capability_id: PR.IR-01.06
  comments: This diagnostic statement provides protections for production environments.
    Measures such as network segmentation and access control reduce the attack surface,
    restrict movement by adversaries, and protect critical assets and data from compromise.
  mapping_type: mitigates
  references: []
- attack_object_id: T1218.007
  attack_object_name: Msiexec
  capability_description: Production environment segregation
  capability_group: PR.IR
  capability_id: PR.IR-01.06
  comments: This diagnostic statement provides protections for production environments.
    Measures such as network segmentation and access control reduce the attack surface,
    restrict movement by adversaries, and protect critical assets and data from compromise.
  mapping_type: mitigates
  references: []
- attack_object_id: T1495
  attack_object_name: Firmware Corruption
  capability_description: Production environment segregation
  capability_group: PR.IR
  capability_id: PR.IR-01.06
  comments: This diagnostic statement provides protections for production environments.
    Measures such as network segmentation and access control reduce the attack surface,
    restrict movement by adversaries, and protect critical assets and data from compromise.
  mapping_type: mitigates
  references: []
- attack_object_id: T1505
  attack_object_name: Server Software Component
  capability_description: Production environment segregation
  capability_group: PR.IR
  capability_id: PR.IR-01.06
  comments: This diagnostic statement provides protections for production environments.
    Measures such as network segmentation and access control reduce the attack surface,
    restrict movement by adversaries, and protect critical assets and data from compromise.
  mapping_type: mitigates
  references: []
- attack_object_id: T1505.004
  attack_object_name: IIS Components
  capability_description: Production environment segregation
  capability_group: PR.IR
  capability_id: PR.IR-01.06
  comments: This diagnostic statement provides protections for production environments.
    Measures such as network segmentation and access control reduce the attack surface,
    restrict movement by adversaries, and protect critical assets and data from compromise.
  mapping_type: mitigates
  references: []
- attack_object_id: T1542
  attack_object_name: Pre-OS Boot
  capability_description: Production environment segregation
  capability_group: PR.IR
  capability_id: PR.IR-01.06
  comments: This diagnostic statement provides protections for production environments.
    Measures such as network segmentation and access control reduce the attack surface,
    restrict movement by adversaries, and protect critical assets and data from compromise.
  mapping_type: mitigates
  references: []
- attack_object_id: T1542.001
  attack_object_name: System Firmware
  capability_description: Production environment segregation
  capability_group: PR.IR
  capability_id: PR.IR-01.06
  comments: This diagnostic statement provides protections for production environments.
    Measures such as network segmentation and access control reduce the attack surface,
    restrict movement by adversaries, and protect critical assets and data from compromise.
  mapping_type: mitigates
  references: []
- attack_object_id: T1542.003
  attack_object_name: Bootkit
  capability_description: Production environment segregation
  capability_group: PR.IR
  capability_id: PR.IR-01.06
  comments: This diagnostic statement provides protections for production environments.
    Measures such as network segmentation and access control reduce the attack surface,
    restrict movement by adversaries, and protect critical assets and data from compromise.
  mapping_type: mitigates
  references: []
- attack_object_id: T1543
  attack_object_name: Create or Modify System Process
  capability_description: Production environment segregation
  capability_group: PR.IR
  capability_id: PR.IR-01.06
  comments: This diagnostic statement provides protections for production environments.
    Measures such as network segmentation and access control reduce the attack surface,
    restrict movement by adversaries, and protect critical assets and data from compromise.
  mapping_type: mitigates
  references: []
- attack_object_id: T1543.002
  attack_object_name: Systemd Service
  capability_description: Production environment segregation
  capability_group: PR.IR
  capability_id: PR.IR-01.06
  comments: This diagnostic statement provides protections for production environments.
    Measures such as network segmentation and access control reduce the attack surface,
    restrict movement by adversaries, and protect critical assets and data from compromise.
  mapping_type: mitigates
  references: []
- attack_object_id: T1546.008
  attack_object_name: Accessibility Features
  capability_description: Production environment segregation
  capability_group: PR.IR
  capability_id: PR.IR-01.06
  comments: This diagnostic statement provides protections for production environments.
    Measures such as network segmentation and access control reduce the attack surface,
    restrict movement by adversaries, and protect critical assets and data from compromise.
  mapping_type: mitigates
  references: []
- attack_object_id: T1546
  attack_object_name: Event Triggered Execution
  capability_description: Production environment segregation
  capability_group: PR.IR
  capability_id: PR.IR-01.06
  comments: This diagnostic statement provides protections for production environments.
    Measures such as network segmentation and access control reduce the attack surface,
    restrict movement by adversaries, and protect critical assets and data from compromise.
  mapping_type: mitigates
  references: []
- attack_object_id: T1547.006
  attack_object_name: Kernel Modules and Extensions
  capability_description: Production environment segregation
  capability_group: PR.IR
  capability_id: PR.IR-01.06
  comments: This diagnostic statement provides protections for production environments.
    Measures such as network segmentation and access control reduce the attack surface,
    restrict movement by adversaries, and protect critical assets and data from compromise.
  mapping_type: mitigates
  references: []
- attack_object_id: T1548
  attack_object_name: Abuse Elevation Control Mechanism
  capability_description: Production environment segregation
  capability_group: PR.IR
  capability_id: PR.IR-01.06
  comments: This diagnostic statement provides protections for production environments.
    Measures such as network segmentation and access control reduce the attack surface,
    restrict movement by adversaries, and protect critical assets and data from compromise.
  mapping_type: mitigates
  references: []
- attack_object_id: T1548.006
  attack_object_name: TCC Manipulation
  capability_description: Production environment segregation
  capability_group: PR.IR
  capability_id: PR.IR-01.06
  comments: This diagnostic statement provides protections for production environments.
    Measures such as network segmentation and access control reduce the attack surface,
    restrict movement by adversaries, and protect critical assets and data from compromise.
  mapping_type: mitigates
  references: []
- attack_object_id: T1550
  attack_object_name: Use Alternate Authentication Material
  capability_description: Production environment segregation
  capability_group: PR.IR
  capability_id: PR.IR-01.06
  comments: This diagnostic statement provides protections for production environments.
    Measures such as network segmentation and access control reduce the attack surface,
    restrict movement by adversaries, and protect critical assets and data from compromise.
  mapping_type: mitigates
  references: []
- attack_object_id: T1550.002
  attack_object_name: Pass the Hash
  capability_description: Production environment segregation
  capability_group: PR.IR
  capability_id: PR.IR-01.06
  comments: This diagnostic statement provides protections for production environments.
    Measures such as network segmentation and access control reduce the attack surface,
    restrict movement by adversaries, and protect critical assets and data from compromise.
  mapping_type: mitigates
  references: []
- attack_object_id: T1550.003
  attack_object_name: Pass the Ticket
  capability_description: Production environment segregation
  capability_group: PR.IR
  capability_id: PR.IR-01.06
  comments: This diagnostic statement provides protections for production environments.
    Measures such as network segmentation and access control reduce the attack surface,
    restrict movement by adversaries, and protect critical assets and data from compromise.
  mapping_type: mitigates
  references: []
- attack_object_id: T1552
  attack_object_name: Unsecured Credentials
  capability_description: Production environment segregation
  capability_group: PR.IR
  capability_id: PR.IR-01.06
  comments: This diagnostic statement provides protections for production environments.
    Measures such as network segmentation and access control reduce the attack surface,
    restrict movement by adversaries, and protect critical assets and data from compromise.
  mapping_type: mitigates
  references: []
- attack_object_id: T1552.005
  attack_object_name: Cloud Instance Metadata API
  capability_description: Production environment segregation
  capability_group: PR.IR
  capability_id: PR.IR-01.06
  comments: This diagnostic statement provides protections for production environments.
    Measures such as network segmentation and access control reduce the attack surface,
    restrict movement by adversaries, and protect critical assets and data from compromise.
  mapping_type: mitigates
  references: []
- attack_object_id: T1552.007
  attack_object_name: Container API
  capability_description: Production environment segregation
  capability_group: PR.IR
  capability_id: PR.IR-01.06
  comments: This diagnostic statement provides protections for production environments.
    Measures such as network segmentation and access control reduce the attack surface,
    restrict movement by adversaries, and protect critical assets and data from compromise.
  mapping_type: mitigates
  references: []
- attack_object_id: T1553
  attack_object_name: Subvert Trust Controls
  capability_description: Production environment segregation
  capability_group: PR.IR
  capability_id: PR.IR-01.06
  comments: This diagnostic statement provides protections for production environments.
    Measures such as network segmentation and access control reduce the attack surface,
    restrict movement by adversaries, and protect critical assets and data from compromise.
  mapping_type: mitigates
  references: []
- attack_object_id: T1553.006
  attack_object_name: Code Signing Policy Modification
  capability_description: Production environment segregation
  capability_group: PR.IR
  capability_id: PR.IR-01.06
  comments: This diagnostic statement provides protections for production environments.
    Measures such as network segmentation and access control reduce the attack surface,
    restrict movement by adversaries, and protect critical assets and data from compromise.
  mapping_type: mitigates
  references: []
- attack_object_id: T1555
  attack_object_name: Credentials from Password Stores
  capability_description: Production environment segregation
  capability_group: PR.IR
  capability_id: PR.IR-01.06
  comments: This diagnostic statement provides protections for production environments.
    Measures such as network segmentation and access control reduce the attack surface,
    restrict movement by adversaries, and protect critical assets and data from compromise.
  mapping_type: mitigates
  references: []
- attack_object_id: T1557
  attack_object_name: Adversary-in-the-Middle
  capability_description: Production environment segregation
  capability_group: PR.IR
  capability_id: PR.IR-01.06
  comments: This diagnostic statement provides protections for production environments.
    Measures such as network segmentation and access control reduce the attack surface,
    restrict movement by adversaries, and protect critical assets and data from compromise.
  mapping_type: mitigates
  references: []
- attack_object_id: T1557.001
  attack_object_name: LLMNR/NBT-NS Poisoning and SMB Relay
  capability_description: Production environment segregation
  capability_group: PR.IR
  capability_id: PR.IR-01.06
  comments: This diagnostic statement provides protections for production environments.
    Measures such as network segmentation and access control reduce the attack surface,
    restrict movement by adversaries, and protect critical assets and data from compromise.
  mapping_type: mitigates
  references: []
- attack_object_id: T1557.002
  attack_object_name: ARP Cache Poisoning
  capability_description: Production environment segregation
  capability_group: PR.IR
  capability_id: PR.IR-01.06
  comments: This diagnostic statement provides protections for production environments.
    Measures such as network segmentation and access control reduce the attack surface,
    restrict movement by adversaries, and protect critical assets and data from compromise.
  mapping_type: mitigates
  references: []
- attack_object_id: T1559
  attack_object_name: Inter-Process Communication
  capability_description: Production environment segregation
  capability_group: PR.IR
  capability_id: PR.IR-01.06
  comments: This diagnostic statement provides protections for production environments.
    Measures such as network segmentation and access control reduce the attack surface,
    restrict movement by adversaries, and protect critical assets and data from compromise.
  mapping_type: mitigates
  references: []
- attack_object_id: T1559.001
  attack_object_name: Component Object Model
  capability_description: Production environment segregation
  capability_group: PR.IR
  capability_id: PR.IR-01.06
  comments: This diagnostic statement provides protections for production environments.
    Measures such as network segmentation and access control reduce the attack surface,
    restrict movement by adversaries, and protect critical assets and data from compromise.
  mapping_type: mitigates
  references: []
- attack_object_id: T1563
  attack_object_name: Remote Service Session Hijacking
  capability_description: Production environment segregation
  capability_group: PR.IR
  capability_id: PR.IR-01.06
  comments: This diagnostic statement provides protections for production environments.
    Measures such as network segmentation and access control reduce the attack surface,
    restrict movement by adversaries, and protect critical assets and data from compromise.
  mapping_type: mitigates
  references: []
- attack_object_id: T1563.002
  attack_object_name: RDP Hijacking
  capability_description: Production environment segregation
  capability_group: PR.IR
  capability_id: PR.IR-01.06
  comments: This diagnostic statement provides protections for production environments.
    Measures such as network segmentation and access control reduce the attack surface,
    restrict movement by adversaries, and protect critical assets and data from compromise.
  mapping_type: mitigates
  references: []
- attack_object_id: T1602
  attack_object_name: Data from Configuration Repository
  capability_description: Production environment segregation
  capability_group: PR.IR
  capability_id: PR.IR-01.06
  comments: This diagnostic statement provides protections for production environments.
    Measures such as network segmentation and access control reduce the attack surface,
    restrict movement by adversaries, and protect critical assets and data from compromise.
  mapping_type: mitigates
  references: []
- attack_object_id: T1602.001
  attack_object_name: SNMP (MIB Dump)
  capability_description: Production environment segregation
  capability_group: PR.IR
  capability_id: PR.IR-01.06
  comments: This diagnostic statement provides protections for production environments.
    Measures such as network segmentation and access control reduce the attack surface,
    restrict movement by adversaries, and protect critical assets and data from compromise.
  mapping_type: mitigates
  references: []
- attack_object_id: T1602.002
  attack_object_name: Network Device Configuration Dump
  capability_description: Production environment segregation
  capability_group: PR.IR
  capability_id: PR.IR-01.06
  comments: This diagnostic statement provides protections for production environments.
    Measures such as network segmentation and access control reduce the attack surface,
    restrict movement by adversaries, and protect critical assets and data from compromise.
  mapping_type: mitigates
  references: []
- attack_object_id: T1606
  attack_object_name: Forge Web Credentials
  capability_description: Production environment segregation
  capability_group: PR.IR
  capability_id: PR.IR-01.06
  comments: This diagnostic statement provides protections for production environments.
    Measures such as network segmentation and access control reduce the attack surface,
    restrict movement by adversaries, and protect critical assets and data from compromise.
  mapping_type: mitigates
  references: []
- attack_object_id: T1606.002
  attack_object_name: SAML Tokens
  capability_description: Production environment segregation
  capability_group: PR.IR
  capability_id: PR.IR-01.06
  comments: This diagnostic statement provides protections for production environments.
    Measures such as network segmentation and access control reduce the attack surface,
    restrict movement by adversaries, and protect critical assets and data from compromise.
  mapping_type: mitigates
  references: []
- attack_object_id: T1609
  attack_object_name: Container Administration Command
  capability_description: Production environment segregation
  capability_group: PR.IR
  capability_id: PR.IR-01.06
  comments: This diagnostic statement provides protections for production environments.
    Measures such as network segmentation and access control reduce the attack surface,
    restrict movement by adversaries, and protect critical assets and data from compromise.
  mapping_type: mitigates
  references: []
- attack_object_id: T1611
  attack_object_name: Escape to Host
  capability_description: Production environment segregation
  capability_group: PR.IR
  capability_id: PR.IR-01.06
  comments: This diagnostic statement provides protections for production environments.
    Measures such as network segmentation and access control reduce the attack surface,
    restrict movement by adversaries, and protect critical assets and data from compromise.
  mapping_type: mitigates
  references: []
- attack_object_id: T1547.006
  attack_object_name: Kernel Modules and Extensions
  capability_description: End-user device access
  capability_group: PR.IR
  capability_id: PR.IR-01.08
  comments: "This diagnostic statement implements technical controls (e.g., VPN, antivirus\
    \ software) to address the risks of end-user personal computing devices accessing\
    \ the organization\u2019s network and resources."
  mapping_type: mitigates
  references: []
- attack_object_id: T1543
  attack_object_name: Create or Modify System Process
  capability_description: Least functionality
  capability_group: PR.PS
  capability_id: PR.PS-01.02
  comments: This diagnostic statement provides for limiting unnecessary software,
    services, ports, protocols, etc. Ensuring systems only have installed and enabled
    what is essential for their operation reduces the attack surface and minimizes
    vulnerabilities, which mitigates a wide range of techniques.
  mapping_type: mitigates
  references: []
- attack_object_id: T1199
  attack_object_name: Trusted Relationship
  capability_description: Third-party monitoring and management resources
  capability_group: EX.MM
  capability_id: EX.MM-01.01
  comments: This diagnostic statement provides for the implementation of procedures
    for management of third-party products. Managing accounts and permissions used
    by parties in trusted relationships helps minimize potential abuse by the party,
    or by an adversary if the party is compromised.
  mapping_type: mitigates
  references: []
- attack_object_id: T1525
  attack_object_name: Implant Internal Image
  capability_description: Third-party monitoring and management resources
  capability_group: EX.MM
  capability_id: EX.MM-01.01
  comments: This diagnostic statement provides for the implementation of procedures
    for management of third-party products, such as ensuring cloud service providers
    support content trust models that require container images to be signed by a
    trusted source.
  mapping_type: mitigates
  references: []
- attack_object_id: T1530
  attack_object_name: Data from Cloud Storage
  capability_description: Third-party monitoring and management resources
  capability_group: EX.MM
  capability_id: EX.MM-01.01
  comments: This diagnostic statement provides for the implementation of procedures
    for management of third-party products such as cloud storage solutions.
  mapping_type: mitigates
  references: []
- attack_object_id: T1195.003
  attack_object_name: Compromise Hardware Supply Chain
  capability_description: Third-party monitoring and management resources
  capability_group: EX.MM
  capability_id: EX.MM-01.01
  comments: This diagnostic statement protects against Supply Chain Compromise through
    the implementation of procedures for management of third-party products.
  mapping_type: mitigates
  references: []
- attack_object_id: T1601
  attack_object_name: Modify System Image
  capability_description: Third-party monitoring and management resources
  capability_group: EX.MM
  capability_id: EX.MM-01.01
  comments: This diagnostic statement provides for the implementation of procedures
    for management of third-party products, such as vendor-provided digitally signed
    operating system images to validate the integrity of the software used on their
    platform.
  mapping_type: mitigates
  references: []
- attack_object_id: T1601.001
  attack_object_name: Patch System Image
  capability_description: Third-party monitoring and management resources
  capability_group: EX.MM
  capability_id: EX.MM-01.01
  comments: This diagnostic statement provides for the implementation of procedures
    for management of third-party products, such as vendor-provided digitally signed
    operating system images to validate the integrity of the software used on their
    platform.
  mapping_type: mitigates
  references: []
- attack_object_id: T1601.002
  attack_object_name: Downgrade System Image
  capability_description: Third-party monitoring and management resources
  capability_group: EX.MM
  capability_id: EX.MM-01.01
  comments: This diagnostic statement provides for the implementation of procedures
    for management of third-party products, such as vendor-provided digitally signed
    operating system images to validate the integrity of the software used on their
    platform.
  mapping_type: mitigates
  references: []
- attack_object_id: T1554
  attack_object_name: Compromise Host Software Binary
  capability_description: Third-party monitoring and management resources
  capability_group: EX.MM
  capability_id: EX.MM-01.01
  comments: This diagnostic statement provides for the implementation of procedures
    for management of third-party products, such as ensuring the authenticity and
    integrity of software.
  mapping_type: mitigates
  references: []
- attack_object_id: T1195
  attack_object_name: Supply Chain Compromise
  capability_description: Third-party monitoring and management resources
  capability_group: EX.MM
  capability_id: EX.MM-01.01
  comments: This diagnostic statement protects against Supply Chain Compromise through
    the implementation of procedures for management of third-party products.
  mapping_type: mitigates
  references: []
- attack_object_id: T1195.002
  attack_object_name: Compromise Software Supply Chain
  capability_description: Third-party monitoring and management resources
  capability_group: EX.MM
  capability_id: EX.MM-01.01
  comments: This diagnostic statement protects against Supply Chain Compromise through
    the implementation of procedures for management of third-party products.
  mapping_type: mitigates
  references: []
- attack_object_id: T1195.001
  attack_object_name: Compromise Software Dependencies and Development Tools
  capability_description: Third-party monitoring and management resources
  capability_group: EX.MM
  capability_id: EX.MM-01.01
  comments: This diagnostic statement protects against Supply Chain Compromise through
    the implementation of procedures for management of third-party products.
  mapping_type: mitigates
  references: []
- attack_object_id: T1565.002
  attack_object_name: Transmitted Data Manipulation
  capability_description: Data destruction procedures
  capability_group: ID.AM
  capability_id: ID.AM-08.05
  comments: This diagnostic statement prevents adversaries from manipulating data
    that is in transit. Encrypting and/or obfuscating data can be used to protect
    sensitive data from being accessed by adversaries. There may be some similarities
    to NIST 800-53 SI-12 Information Management and Retention. This may provide mitigation
    of data access/exfiltration techniques.
  mapping_type: mitigates
  references: []
- attack_object_id: T1565.001
  attack_object_name: Stored Data Manipulation
  capability_description: Data destruction procedures
  capability_group: ID.AM
  capability_id: ID.AM-08.05
  comments: This diagnostic statement prevents adversaries from manipulating data
    at rest. Storing data remotely can be used to properly manage data. There may
    be some similarities to NIST 800-53 SI-12 Information Management and Retention.
    This may provide mitigation of data access/exfiltration techniques.
  mapping_type: mitigates
  references: []
- attack_object_id: T1114.001
  attack_object_name: Local Email Collection
  capability_description: Data destruction procedures
  capability_group: ID.AM
  capability_id: ID.AM-08.05
  comments: This diagnostic statement prevents adversaries from manipulating emails
    and from collecting sensitive data (PII) from users. There may be some similarities
    to NIST 800-53 SI-12 Information Management and Retention. This may provide mitigation
    of data access/exfiltration techniques.
  mapping_type: mitigates
  references: []
- attack_object_id: T1070.008
  attack_object_name: Clear Mailbox Data
  capability_description: Data destruction procedures
  capability_group: ID.AM
  capability_id: ID.AM-08.05
  comments: Storing data remotely can be used to properly manage data so that adversaries
    won't be able to modify mail and mail application data. There may be some similarities
    to NIST 800-53 SI-12 Information Management and Retention. This may provide mitigation
    of data access/exfiltration techniques.
  mapping_type: mitigates
  references: []
- attack_object_id: T1070.002
  attack_object_name: Clear Linux or Mac System Logs
  capability_description: Data destruction procedures
  capability_group: ID.AM
  capability_id: ID.AM-08.05
  comments: Utilizing methods that can obfuscate and/or encrypt event files locally
    and in transit can prevent adversaries from clearing system logs or reading their
    contents. Also, storing data remotely can be used to properly manage data.
    There may be some similarities to NIST 800-53 SI-12 Information Management and
    Retention. This may provide mitigation of data access/exfiltration techniques.
  mapping_type: mitigates
  references: []
- attack_object_id: T1070
  attack_object_name: Indicator Removal
  capability_description: Data destruction procedures
  capability_group: ID.AM
  capability_id: ID.AM-08.05
  comments: Storing data remotely can be used to properly manage data so that adversaries
    won't be able to interfere with processes used to detect intrusion activities.
    There may be some similarities to NIST 800-53 SI-12 Information Management and
    Retention. This may provide mitigation of data access/exfiltration techniques.
  mapping_type: mitigates
  references: []
- attack_object_id: T1003.003
  attack_object_name: NTDS
  capability_description: Data destruction procedures
  capability_group: ID.AM
  capability_id: ID.AM-08.05
  comments: This diagnostic statement protects credential data and sensitive PII from
    being stolen by adversaries via Active Directory domain databases. There may
    be some similarities to NIST 800-53 SI-12 Information Management and Retention.
    This may provide mitigation of data access/exfiltration techniques.
  mapping_type: mitigates
  references: []
- attack_object_id: T1558.005
  attack_object_name: Ccache Files
  capability_description: Data destruction procedures
  capability_group: ID.AM
  capability_id: ID.AM-08.05
  comments: This diagnostic statement prevents adversaries from being able to steal
    data in transit between networks by accessing Wi-Fi access points and abusing
    Kerberos by stealing tickets in credential cache files. There may be some similarities
    to NIST 800-53 SI-12 Information Management and Retention. This may provide mitigation
    of data access/exfiltration techniques.
  mapping_type: mitigates
  references: []
- attack_object_id: T1558
  attack_object_name: Steal or Forge Kerberos Tickets
  capability_description: Data destruction procedures
  capability_group: ID.AM
  capability_id: ID.AM-08.05
  comments: This diagnostic statement prevents adversaries from being able to steal
    data in transit between networks by accessing Wi-Fi access points and abusing
    Kerberos by stealing tickets to obtain unauthorized access. There may be some
    similarities to NIST 800-53 SI-12 Information Management and Retention. This may
    provide mitigation of data access/exfiltration techniques.
  mapping_type: mitigates
  references: []
- attack_object_id: T1557.004
  attack_object_name: Evil Twin
  capability_description: Data destruction procedures
  capability_group: ID.AM
  capability_id: ID.AM-08.05
  comments: This diagnostic statement prevents adversaries from being able to steal
    data in transit between networks by accessing Wi-Fi access points and enticing
    users to connect to malicious networks. There may be some similarities to NIST
    800-53 SI-12 Information Management and Retention. This may provide mitigation
    of data access/exfiltration techniques.
  mapping_type: mitigates
  references: []
- attack_object_id: T1557
  attack_object_name: Adversary-in-the-Middle
  capability_description: Data destruction procedures
  capability_group: ID.AM
  capability_id: ID.AM-08.05
  comments: This diagnostic statement prevents adversaries from being able to steal
    data in transit between networks. There may be some similarities to NIST 800-53
    SI-12 Information Management and Retention. This may provide mitigation of data
    access/exfiltration techniques.
  mapping_type: mitigates
  references: []
- attack_object_id: T1552.004
  attack_object_name: Private Keys
  capability_description: Data destruction procedures
  capability_group: ID.AM
  capability_id: ID.AM-08.05
  comments: This diagnostic statement protects credential data and sensitive PII from
    being stolen by adversaries via private key certificate files. There may be
    some similarities to NIST 800-53 SI-12 Information Management and Retention. This
    may provide mitigation of data access/exfiltration techniques.
  mapping_type: mitigates
  references: []
- attack_object_id: T1552
  attack_object_name: Unsecured Credentials
  capability_description: Data destruction procedures
  capability_group: ID.AM
  capability_id: ID.AM-08.05
  comments: This diagnostic statement protects credential data and sensitive PII from
    being stolen by adversaries. There may be some similarities to NIST 800-53 SI-12
    Information Management and Retention. This may provide mitigation of data access/exfiltration
    techniques.
  mapping_type: mitigates
  references: []
- attack_object_id: T1550.001
  attack_object_name: Application Access Token
  capability_description: Data destruction procedures
  capability_group: ID.AM
  capability_id: ID.AM-08.05
  comments: This diagnostic statement prevents adversaries from being able to steal
    application access tokens by bypassing regular authentication methods and accessing
    restricted accounts and user credentials. There may be some similarities to
    NIST 800-53 SI-12 Information Management and Retention. This may provide mitigation
    of data access/exfiltration techniques.
  mapping_type: mitigates
  references: []
- attack_object_id: T1548
  attack_object_name: Abuse Elevation Control Mechanism
  capability_description: Data destruction procedures
  capability_group: ID.AM
  capability_id: ID.AM-08.05
  comments: This diagnostic statement prevents adversaries from being able to manipulate
    mechanisms to gain access to user's higher-level permissions and control elevated
    privileges. There may be some similarities to NIST 800-53 SI-12 Information Management
    and Retention. This may provide mitigation of data access/exfiltration techniques.
  mapping_type: mitigates
  references: []
- attack_object_id: T1530
  attack_object_name: Data from Cloud Storage
  capability_description: Data destruction procedures
  capability_group: ID.AM
  capability_id: ID.AM-08.05
  comments: This diagnostic statement prevents adversaries from collecting sensitive
    data from cloud storage solutions, such as Amazon S3, Azure Storage, and Google
    Cloud. Permissions on cloud storage should be frequently checked and encrypting
    sensitive data in the cloud should be managed properly. There may be some similarities
    to NIST 800-53 SI-12 Information Management and Retention. This may provide mitigation
    of data access/exfiltration techniques.
  mapping_type: mitigates
  references: []
- attack_object_id: T1213.004
  attack_object_name: Customer Relationship Management Software
  capability_description: Data destruction procedures
  capability_group: ID.AM
  capability_id: ID.AM-08.05
  comments: This diagnostic statement prevents adversaries from leveraging sensitive
    (PII) data from customer relationship management software by sending phishing
    emails or targeting an organization's customers in ways that enable financial gain.
    There may be some similarities to NIST 800-53 SI-12 Information Management and
    Retention. This may provide mitigation of data access/exfiltration techniques.
  mapping_type: mitigates
  references: []
- attack_object_id: T1119
  attack_object_name: Automated Collection
  capability_description: Data destruction procedures
  capability_group: ID.AM
  capability_id: ID.AM-08.05
  comments: This diagnostic statement prevents adversaries from using automated techniques
    for collecting internal data. There may be some similarities to NIST 800-53 SI-12
    Information Management and Retention. This may provide mitigation of data access/exfiltration
    techniques.
  mapping_type: mitigates
  references: []
- attack_object_id: T1114.003
  attack_object_name: Email Forwarding Rule
  capability_description: Data destruction procedures
  capability_group: ID.AM
  capability_id: ID.AM-08.05
  comments: This diagnostic statement protects credential data and sensitive PII found
    in emails from being stolen by adversaries. It also prevents adversaries from
    abusing email forwarding rules. There may be some similarities to NIST 800-53
    SI-12 Information Management and Retention. This may provide mitigation of data
    access/exfiltration techniques.
  mapping_type: mitigates
  references: []
- attack_object_id: T1114.002
  attack_object_name: Remote Email Collection
  capability_description: Data destruction procedures
  capability_group: ID.AM
  capability_id: ID.AM-08.05
  comments: This diagnostic statement protects credential data and sensitive PII found
    in emails from being stolen by adversaries. It also prevents adversaries from
    collecting sensitive information by manipulating data via Exchange Server, Office
    365, or Google Workspace. There may be some similarities to NIST 800-53
    SI-12 Information Management and Retention. This may provide mitigation of data
    access/exfiltration techniques.
  mapping_type: mitigates
  references: []
- attack_object_id: T1114
  attack_object_name: Email Collection
  capability_description: Data destruction procedures
  capability_group: ID.AM
  capability_id: ID.AM-08.05
  comments: This diagnostic statement protects credential data and sensitive PII found
    in emails from being stolen by adversaries. There may be some similarities to
    NIST 800-53 SI-12 Information Management and Retention. This may provide mitigation
    of data access/exfiltration techniques.
  mapping_type: mitigates
  references: []
- attack_object_id: T1070.001
  attack_object_name: Clear Windows Event Logs
  capability_description: Data destruction procedures
  capability_group: ID.AM
  capability_id: ID.AM-08.05
  comments: This diagnostic statement protects data from being easily manipulated
    by adversaries that try to clear Windows event logs to hide intrusion activities.
    Encrypting files locally and in transit helps avoid exposing data to an adversary.
    There may be some similarities to NIST 800-53 SI-12 Information Management and
    Retention. This may provide mitigation of data access/exfiltration techniques.
  mapping_type: mitigates
  references: []
- attack_object_id: T1040
  attack_object_name: Network Sniffing
  capability_description: Data destruction procedures
  capability_group: ID.AM
  capability_id: ID.AM-08.05
  comments: This diagnostic statement protects data from being easily manipulated
    by adversaries due to network sniffing while authentication material is being
    passed over networks. There may be some similarities to NIST 800-53 SI-12 Information
    Management and Retention. This may provide mitigation of data access/exfiltration
    techniques.
  mapping_type: mitigates
  references: []
- attack_object_id: T1020.001
  attack_object_name: Traffic Duplication
  capability_description: Data destruction procedures
  capability_group: ID.AM
  capability_id: ID.AM-08.05
  comments: This diagnostic statement protects data from being exfiltrated by adversaries
    via traffic monitoring. There may be some similarities to NIST 800-53 SI-12 Information
    Management and Retention. This may provide mitigation of data access/exfiltration
    techniques.
  mapping_type: mitigates
  references: []
- attack_object_id: T1003
  attack_object_name: OS Credential Dumping
  capability_description: Data destruction procedures
  capability_group: ID.AM
  capability_id: ID.AM-08.05
  comments: This diagnostic statement protects credential data and sensitive PII from
    being stolen by adversaries. There may be some similarities to NIST 800-53 SI-12
    Information Management and Retention. This may provide mitigation of data access/exfiltration
    techniques.
  mapping_type: mitigates
  references: []
- attack_object_id: T1003
  attack_object_name: OS Credential Dumping
  capability_description: Identity and credential management
  capability_group: PR.AA
  capability_id: PR.AA-01.01
  comments: This diagnostic statement protects against OS Credential Dumping through
    the use of hardened access control policies, secure defaults, password complexity
    requirements, multifactor authentication requirements, and removal of terminated
    accounts.
  mapping_type: mitigates
  references: []
- attack_object_id: T1003.001
  attack_object_name: LSASS Memory
  capability_description: Identity and credential management
  capability_group: PR.AA
  capability_id: PR.AA-01.01
  comments: This diagnostic statement protects against LSASS Memory through the use
    of hardened access control policies, secure defaults, password complexity requirements,
    multifactor authentication requirements, and removal of terminated accounts.
  mapping_type: mitigates
  references: []
- attack_object_id: T1003.002
  attack_object_name: Security Account Manager
  capability_description: Identity and credential management
  capability_group: PR.AA
  capability_id: PR.AA-01.01
  comments: This diagnostic statement protects against Security Account Manager through
    the use of hardened access control policies, secure defaults, password complexity
    requirements, multifactor authentication requirements, and removal of terminated
    accounts.
  mapping_type: mitigates
  references: []
- attack_object_id: T1003.003
  attack_object_name: NTDS
  capability_description: Identity and credential management
  capability_group: PR.AA
  capability_id: PR.AA-01.01
  comments: This diagnostic statement protects against NTDS through the use of hardened
    access control policies, secure defaults, password complexity requirements, multifactor
    authentication requirements, and removal of terminated accounts.
  mapping_type: mitigates
  references: []
- attack_object_id: T1003.004
  attack_object_name: LSA Secrets
  capability_description: Identity and credential management
  capability_group: PR.AA
  capability_id: PR.AA-01.01
  comments: This diagnostic statement protects against LSA Secrets through the use
    of hardened access control policies, secure defaults, password complexity requirements,
    multifactor authentication requirements, and removal of terminated accounts.
  mapping_type: mitigates
  references: []
- attack_object_id: T1003.005
  attack_object_name: Cached Domain Credentials
  capability_description: Identity and credential management
  capability_group: PR.AA
  capability_id: PR.AA-01.01
  comments: This diagnostic statement protects against Cached Domain Credentials through
    the use of hardened access control policies, secure defaults, password complexity
    requirements, multifactor authentication requirements, and removal of terminated
    accounts.
  mapping_type: mitigates
  references: []
- attack_object_id: T1003.006
  attack_object_name: DCSync
  capability_description: Identity and credential management
  capability_group: PR.AA
  capability_id: PR.AA-01.01
  comments: This diagnostic statement protects against DCSync through the use of hardened
    access control policies, secure defaults, password complexity requirements, multifactor
    authentication requirements, and removal of terminated accounts.
  mapping_type: mitigates
  references: []
- attack_object_id: T1003.007
  attack_object_name: Proc Filesystem
  capability_description: Identity and credential management
  capability_group: PR.AA
  capability_id: PR.AA-01.01
  comments: This diagnostic statement protects against Proc Filesystem through the
    use of hardened access control policies, secure defaults, password complexity
    requirements, multifactor authentication requirements, and removal of terminated
    accounts.
  mapping_type: mitigates
  references: []
- attack_object_id: T1003.008
  attack_object_name: /etc/passwd and /etc/shadow
  capability_description: Identity and credential management
  capability_group: PR.AA
  capability_id: PR.AA-01.01
  comments: This diagnostic statement protects against /etc/passwd and /etc/shadow
    through the use of hardened access control policies, secure defaults, password
    complexity requirements, multifactor authentication requirements, and removal
    of terminated accounts.
  mapping_type: mitigates
  references: []
- attack_object_id: T1006
  attack_object_name: Direct Volume Access
  capability_description: Identity and credential management
  capability_group: PR.AA
  capability_id: PR.AA-01.01
  comments: This diagnostic statement protects against Direct Volume Access through
    the use of hardened access control policies, secure defaults, password complexity
    requirements, multifactor authentication requirements, and removal of terminated
    accounts.
  mapping_type: mitigates
  references: []
- attack_object_id: T1020.001
  attack_object_name: Traffic Duplication
  capability_description: Identity and credential management
  capability_group: PR.AA
  capability_id: PR.AA-01.01
  comments: This diagnostic statement protects against Traffic Duplication through
    the use of hardened access control policies, secure defaults, password complexity
    requirements, multifactor authentication requirements, and removal of terminated
    accounts.
  mapping_type: mitigates
  references: []
- attack_object_id: T1021
  attack_object_name: Remote Services
  capability_description: Identity and credential management
  capability_group: PR.AA
  capability_id: PR.AA-01.01
  comments: This diagnostic statement protects against Remote Services through the
    use of hardened access control policies, secure defaults, password complexity
    requirements, multifactor authentication requirements, and removal of terminated
    accounts.
  mapping_type: mitigates
  references: []
- attack_object_id: T1021.001
  attack_object_name: Remote Desktop Protocol
  capability_description: Identity and credential management
  capability_group: PR.AA
  capability_id: PR.AA-01.01
  comments: This diagnostic statement protects against Remote Desktop Protocol through
    the use of hardened access control policies, secure defaults, password complexity
    requirements, multifactor authentication requirements, and removal of terminated
    accounts.
  mapping_type: mitigates
  references: []
- attack_object_id: T1021.002
  attack_object_name: SMB/Windows Admin Shares
  capability_description: Identity and credential management
  capability_group: PR.AA
  capability_id: PR.AA-01.01
  comments: This diagnostic statement protects against SMB/Windows Admin Shares through
    the use of hardened access control policies, secure defaults, password complexity
    requirements, multifactor authentication requirements, and removal of terminated
    accounts.
  mapping_type: mitigates
  references: []
- attack_object_id: T1021.004
  attack_object_name: SSH
  capability_description: Identity and credential management
  capability_group: PR.AA
  capability_id: PR.AA-01.01
  comments: This diagnostic statement protects against SSH through the use of hardened
    access control policies, secure defaults, password complexity requirements, multifactor
    authentication requirements, and removal of terminated accounts.
  mapping_type: mitigates
  references: []
- attack_object_id: T1021.007
  attack_object_name: Cloud Services
  capability_description: Identity and credential management
  capability_group: PR.AA
  capability_id: PR.AA-01.01
  comments: This diagnostic statement protects against Cloud Services through the
    use of hardened access control policies, secure defaults, password complexity
    requirements, multifactor authentication requirements, and removal of terminated
    accounts.
  mapping_type: mitigates
  references: []
- attack_object_id: T1021.008
  attack_object_name: Direct Cloud VM Connections
  capability_description: Identity and credential management
  capability_group: PR.AA
  capability_id: PR.AA-01.01
  comments: This diagnostic statement protects against Direct Cloud VM Connections
    through the use of hardened access control policies, secure defaults, password
    complexity requirements, multifactor authentication requirements, and removal
    of terminated accounts.
  mapping_type: mitigates
  references: []
- attack_object_id: T1036
  attack_object_name: Masquerading
  capability_description: Identity and credential management
  capability_group: PR.AA
  capability_id: PR.AA-01.01
  comments: This diagnostic statement protects against Masquerading through the use
    of hardened access control policies, secure defaults, password complexity requirements,
    multifactor authentication requirements, and removal of terminated accounts.
  mapping_type: mitigates
  references: []
- attack_object_id: T1036.010
  attack_object_name: Masquerade Account Name
  capability_description: Identity and credential management
  capability_group: PR.AA
  capability_id: PR.AA-01.01
  comments: This diagnostic statement protects against Masquerade Account Name through
    the use of hardened access control policies, secure defaults, password complexity
    requirements, multifactor authentication requirements, and removal of terminated
    accounts.
  mapping_type: mitigates
  references: []
- attack_object_id: T1040
  attack_object_name: Network Sniffing
  capability_description: Identity and credential management
  capability_group: PR.AA
  capability_id: PR.AA-01.01
  comments: This diagnostic statement protects against Network Sniffing through the
    use of hardened access control policies, secure defaults, password complexity
    requirements, multifactor authentication requirements, and removal of terminated
    accounts.
  mapping_type: mitigates
  references: []
- attack_object_id: T1047
  attack_object_name: Windows Management Instrumentation
  capability_description: Identity and credential management
  capability_group: PR.AA
  capability_id: PR.AA-01.01
  comments: This diagnostic statement protects against Windows Management Instrumentation
    through the use of hardened access control policies, secure defaults, password
    complexity requirements, multifactor authentication requirements, and removal
    of terminated accounts.
  mapping_type: mitigates
  references: []
- attack_object_id: T1048
  attack_object_name: Exfiltration Over Alternative Protocol
  capability_description: Identity and credential management
  capability_group: PR.AA
  capability_id: PR.AA-01.01
  comments: This diagnostic statement protects against Exfiltration Over Alternative
    Protocol through the use of hardened access control policies, secure defaults,
    password complexity requirements, multifactor authentication requirements, and
    removal of terminated accounts.
  mapping_type: mitigates
  references: []
- attack_object_id: T1053
  attack_object_name: Scheduled Task/Job
  capability_description: Identity and credential management
  capability_group: PR.AA
  capability_id: PR.AA-01.01
  comments: This diagnostic statement protects against Scheduled Task/Job through
    the use of hardened access control policies, secure defaults, password complexity
    requirements, multifactor authentication requirements, and removal of terminated
    accounts.
  mapping_type: mitigates
  references: []
- attack_object_id: T1053.002
  attack_object_name: At
  capability_description: Identity and credential management
  capability_group: PR.AA
  capability_id: PR.AA-01.01
  comments: This diagnostic statement protects against At through the use of hardened
    access control policies, secure defaults, password complexity requirements, multifactor
    authentication requirements, and removal of terminated accounts.
  mapping_type: mitigates
  references: []
- attack_object_id: T1053.003
  attack_object_name: Cron
  capability_description: Identity and credential management
  capability_group: PR.AA
  capability_id: PR.AA-01.01
  comments: This diagnostic statement protects against Cron through the use of hardened
    access control policies, secure defaults, password complexity requirements, multifactor
    authentication requirements, and removal of terminated accounts.
  mapping_type: mitigates
  references: []
- attack_object_id: T1053.005
  attack_object_name: Scheduled Task
  capability_description: Identity and credential management
  capability_group: PR.AA
  capability_id: PR.AA-01.01
  comments: This diagnostic statement protects against Scheduled Task through the
    use of hardened access control policies, secure defaults, password complexity
    requirements, multifactor authentication requirements, and removal of terminated
    accounts.
  mapping_type: mitigates
  references: []
- attack_object_id: T1053.006
  attack_object_name: Systemd Timers
  capability_description: Identity and credential management
  capability_group: PR.AA
  capability_id: PR.AA-01.01
  comments: This diagnostic statement protects against Systemd Timers through the
    use of hardened access control policies, secure defaults, password complexity
    requirements, multifactor authentication requirements, and removal of terminated
    accounts.
  mapping_type: mitigates
  references: []
- attack_object_id: T1053.007
  attack_object_name: Container Orchestration Job
  capability_description: Identity and credential management
  capability_group: PR.AA
  capability_id: PR.AA-01.01
  comments: This diagnostic statement protects against Container Orchestration Job
    through the use of hardened access control policies, secure defaults, password
    complexity requirements, multifactor authentication requirements, and removal
    of terminated accounts.
  mapping_type: mitigates
  references: []
- attack_object_id: T1059
  attack_object_name: Command and Scripting Interpreter
  capability_description: Identity and credential management
  capability_group: PR.AA
  capability_id: PR.AA-01.01
  comments: This diagnostic statement protects against Command and Scripting Interpreter
    through the use of hardened access control policies, secure defaults, password
    complexity requirements, multifactor authentication requirements, and removal
    of terminated accounts.
  mapping_type: mitigates
  references: []
- attack_object_id: T1059.008
  attack_object_name: Network Device CLI
  capability_description: Identity and credential management
  capability_group: PR.AA
  capability_id: PR.AA-01.01
  comments: This diagnostic statement protects against Network Device CLI through
    the use of hardened access control policies, secure defaults, password complexity
    requirements, multifactor authentication requirements, and removal of terminated
    accounts.
  mapping_type: mitigates
  references: []
- attack_object_id: T1072
  attack_object_name: Software Deployment Tools
  capability_description: Identity and credential management
  capability_group: PR.AA
  capability_id: PR.AA-01.01
  comments: This diagnostic statement protects against Software Deployment Tools through
    the use of hardened access control policies, secure defaults, password complexity
    requirements, multifactor authentication requirements, and removal of terminated
    accounts.
  mapping_type: mitigates
  references: []
- attack_object_id: T1078
  attack_object_name: Valid Accounts
  capability_description: Identity and credential management
  capability_group: PR.AA
  capability_id: PR.AA-01.01
  comments: This diagnostic statement protects against Valid Accounts through the
    use of hardened access control policies, secure defaults, password complexity
    requirements, multifactor authentication requirements, and removal of terminated
    accounts.
  mapping_type: mitigates
  references: []
- attack_object_id: T1078.001
  attack_object_name: Default Accounts
  capability_description: Identity and credential management
  capability_group: PR.AA
  capability_id: PR.AA-01.01
  comments: This diagnostic statement protects against Default Accounts through the
    use of hardened access control policies, secure defaults, password complexity
    requirements, multifactor authentication requirements, and removal of terminated
    accounts.
  mapping_type: mitigates
  references: []
- attack_object_id: T1078.002
  attack_object_name: Domain Accounts
  capability_description: Identity and credential management
  capability_group: PR.AA
  capability_id: PR.AA-01.01
  comments: This diagnostic statement protects against Domain Accounts through the
    use of hardened access control policies, secure defaults, password complexity
    requirements, multifactor authentication requirements, and removal of terminated
    accounts.
  mapping_type: mitigates
  references: []
- attack_object_id: T1078.003
  attack_object_name: Local Accounts
  capability_description: Identity and credential management
  capability_group: PR.AA
  capability_id: PR.AA-01.01
  comments: This diagnostic statement protects against Local Accounts through the
    use of hardened access control policies, secure defaults, password complexity
    requirements, multifactor authentication requirements, and removal of terminated
    accounts.
  mapping_type: mitigates
  references: []
- attack_object_id: T1078.004
  attack_object_name: Cloud Accounts
  capability_description: Identity and credential management
  capability_group: PR.AA
  capability_id: PR.AA-01.01
  comments: This diagnostic statement protects against Cloud Accounts through the
    use of hardened access control policies, secure defaults, password complexity
    requirements, multifactor authentication requirements, and removal of terminated
    accounts.
  mapping_type: mitigates
  references: []
- attack_object_id: T1087
  attack_object_name: Account Discovery
  capability_description: Identity and credential management
  capability_group: PR.AA
  capability_id: PR.AA-01.01
  comments: This diagnostic statement protects against Account Discovery through the
    use of hardened access control policies, secure defaults, password complexity
    requirements, multifactor authentication requirements, and removal of terminated
    accounts.
  mapping_type: mitigates
  references: []
- attack_object_id: T1087.004
  attack_object_name: Cloud Account
  capability_description: Identity and credential management
  capability_group: PR.AA
  capability_id: PR.AA-01.01
  comments: This diagnostic statement protects against Cloud Account through the use
    of hardened access control policies, secure defaults, password complexity requirements,
    multifactor authentication requirements, and removal of terminated accounts.
  mapping_type: mitigates
  references: []
- attack_object_id: T1098
  attack_object_name: Account Manipulation
  capability_description: Identity and credential management
  capability_group: PR.AA
  capability_id: PR.AA-01.01
  comments: This diagnostic statement protects against Account Manipulation through
    the use of hardened access control policies, secure defaults, password complexity
    requirements, multifactor authentication requirements, and removal of terminated
    accounts.
  mapping_type: mitigates
  references: []
- attack_object_id: T1098.001
  attack_object_name: Additional Cloud Credentials
  capability_description: Identity and credential management
  capability_group: PR.AA
  capability_id: PR.AA-01.01
  comments: This diagnostic statement protects against Additional Cloud Credentials
    through the use of hardened access control policies, secure defaults, password
    complexity requirements, multifactor authentication requirements, and removal
    of terminated accounts.
  mapping_type: mitigates
  references: []
- attack_object_id: T1098.002
  attack_object_name: Additional Email Delegate Permissions
  capability_description: Identity and credential management
  capability_group: PR.AA
  capability_id: PR.AA-01.01
  comments: This diagnostic statement protects against Additional Email Delegate Permissions
    through the use of hardened access control policies, secure defaults, password
    complexity requirements, multifactor authentication requirements, and removal
    of terminated accounts.
  mapping_type: mitigates
  references: []
- attack_object_id: T1098.003
  attack_object_name: Additional Cloud Roles
  capability_description: Identity and credential management
  capability_group: PR.AA
  capability_id: PR.AA-01.01
  comments: This diagnostic statement protects against Additional Cloud Roles through
    the use of hardened access control policies, secure defaults, password complexity
    requirements, multifactor authentication requirements, and removal of terminated
    accounts.
  mapping_type: mitigates
  references: []
- attack_object_id: T1098.004
  attack_object_name: SSH Authorized Keys
  capability_description: Identity and credential management
  capability_group: PR.AA
  capability_id: PR.AA-01.01
  comments: This diagnostic statement protects against SSH Authorized Keys through
    the use of hardened access control policies, secure defaults, password complexity
    requirements, multifactor authentication requirements, and removal of terminated
    accounts.
  mapping_type: mitigates
  references: []
- attack_object_id: T1098.005
  attack_object_name: Device Registration
  capability_description: Identity and credential management
  capability_group: PR.AA
  capability_id: PR.AA-01.01
  comments: This diagnostic statement protects against Device Registration through
    the use of hardened access control policies, secure defaults, password complexity
    requirements, multifactor authentication requirements, and removal of terminated
    accounts.
  mapping_type: mitigates
  references: []
- attack_object_id: T1098.006
  attack_object_name: Additional Container Cluster Roles
  capability_description: Identity and credential management
  capability_group: PR.AA
  capability_id: PR.AA-01.01
  comments: This diagnostic statement protects against Additional Container Cluster
    Roles through the use of hardened access control policies, secure defaults, password
    complexity requirements, multifactor authentication requirements, and removal
    of terminated accounts.
  mapping_type: mitigates
  references: []
- attack_object_id: T1110
  attack_object_name: Brute Force
  capability_description: Identity and credential management
  capability_group: PR.AA
  capability_id: PR.AA-01.01
  comments: This diagnostic statement protects against Brute Force through the use
    of hardened access control policies, secure defaults, password complexity requirements,
    multifactor authentication requirements, and removal of terminated accounts.
  mapping_type: mitigates
  references: []
- attack_object_id: T1110.001
  attack_object_name: Password Guessing
  capability_description: Identity and credential management
  capability_group: PR.AA
  capability_id: PR.AA-01.01
  comments: This diagnostic statement protects against Password Guessing through the
    use of hardened access control policies, secure defaults, password complexity
    requirements, multifactor authentication requirements, and removal of terminated
    accounts.
  mapping_type: mitigates
  references: []
- attack_object_id: T1110.002
  attack_object_name: Password Cracking
  capability_description: Identity and credential management
  capability_group: PR.AA
  capability_id: PR.AA-01.01
  comments: This diagnostic statement protects against Password Cracking through the
    use of hardened access control policies, secure defaults, password complexity
    requirements, multifactor authentication requirements, and removal of terminated
    accounts.
  mapping_type: mitigates
  references: []
- attack_object_id: T1110.003
  attack_object_name: Password Spraying
  capability_description: Identity and credential management
  capability_group: PR.AA
  capability_id: PR.AA-01.01
  comments: This diagnostic statement protects against Password Spraying through the
    use of hardened access control policies, secure defaults, password complexity
    requirements, multifactor authentication requirements, and removal of terminated
    accounts.
  mapping_type: mitigates
  references: []
- attack_object_id: T1110.004
  attack_object_name: Credential Stuffing
  capability_description: Identity and credential management
  capability_group: PR.AA
  capability_id: PR.AA-01.01
  comments: This diagnostic statement protects against Credential Stuffing through
    the use of hardened access control policies, secure defaults, password complexity
    requirements, multifactor authentication requirements, and removal of terminated
    accounts.
  mapping_type: mitigates
  references: []
- attack_object_id: T1114
  attack_object_name: Email Collection
  capability_description: Identity and credential management
  capability_group: PR.AA
  capability_id: PR.AA-01.01
  comments: This diagnostic statement protects against Email Collection through the
    use of hardened access control policies, secure defaults, password complexity
    requirements, multifactor authentication requirements, and removal of terminated
    accounts.
  mapping_type: mitigates
  references: []
- attack_object_id: T1114.002
  attack_object_name: Remote Email Collection
  capability_description: Identity and credential management
  capability_group: PR.AA
  capability_id: PR.AA-01.01
  comments: This diagnostic statement protects against Remote Email Collection through
    the use of hardened access control policies, secure defaults, password complexity
    requirements, multifactor authentication requirements, and removal of terminated
    accounts.
  mapping_type: mitigates
  references: []
- attack_object_id: T1133
  attack_object_name: External Remote Services
  capability_description: Identity and credential management
  capability_group: PR.AA
  capability_id: PR.AA-01.01
  comments: This diagnostic statement protects against External Remote Services through
    the use of hardened access control policies, secure defaults, password complexity
    requirements, multifactor authentication requirements, and removal of terminated
    accounts.
  mapping_type: mitigates
  references: []
- attack_object_id: T1134
  attack_object_name: Access Token Manipulation
  capability_description: Identity and credential management
  capability_group: PR.AA
  capability_id: PR.AA-01.01
  comments: This diagnostic statement protects against Access Token Manipulation through
    the use of hardened access control policies, secure defaults, password complexity
    requirements, multifactor authentication requirements, and removal of terminated
    accounts.
  mapping_type: mitigates
  references: []
- attack_object_id: T1134.001
  attack_object_name: Token Impersonation/Theft
  capability_description: Identity and credential management
  capability_group: PR.AA
  capability_id: PR.AA-01.01
  comments: This diagnostic statement protects against Token Impersonation/Theft through
    the use of hardened access control policies, secure defaults, password complexity
    requirements, multifactor authentication requirements, and removal of terminated
    accounts.
  mapping_type: mitigates
  references: []
- attack_object_id: T1134.002
  attack_object_name: Create Process with Token
  capability_description: Identity and credential management
  capability_group: PR.AA
  capability_id: PR.AA-01.01
  comments: This diagnostic statement protects against Create Process with Token through
    the use of hardened access control policies, secure defaults, password complexity
    requirements, multifactor authentication requirements, and removal of terminated
    accounts.
  mapping_type: mitigates
  references: []
- attack_object_id: T1134.003
  attack_object_name: Make and Impersonate Token
  capability_description: Identity and credential management
  capability_group: PR.AA
  capability_id: PR.AA-01.01
  comments: This diagnostic statement protects against Make and Impersonate Token
    through the use of hardened access control policies, secure defaults, password
    complexity requirements, multifactor authentication requirements, and removal
    of terminated accounts.
  mapping_type: mitigates
  references: []
- attack_object_id: T1134.005
  attack_object_name: SID-History Injection
  capability_description: Identity and credential management
  capability_group: PR.AA
  capability_id: PR.AA-01.01
  comments: This diagnostic statement protects against SID-History Injection through
    the use of hardened access control policies, secure defaults, password complexity
    requirements, multifactor authentication requirements, and removal of terminated
    accounts.
  mapping_type: mitigates
  references: []
- attack_object_id: T1136
  attack_object_name: Create Account
  capability_description: Identity and credential management
  capability_group: PR.AA
  capability_id: PR.AA-01.01
  comments: This diagnostic statement protects against Create Account through the
    use of hardened access control policies, secure defaults, password complexity
    requirements, multifactor authentication requirements, and removal of terminated
    accounts.
  mapping_type: mitigates
  references: []
- attack_object_id: T1136.001
  attack_object_name: Local Account
  capability_description: Identity and credential management
  capability_group: PR.AA
  capability_id: PR.AA-01.01
  comments: This diagnostic statement protects against Local Account through the use
    of hardened access control policies, secure defaults, password complexity requirements,
    multifactor authentication requirements, and removal of terminated accounts.
  mapping_type: mitigates
  references: []
- attack_object_id: T1136.002
  attack_object_name: Domain Account
  capability_description: Identity and credential management
  capability_group: PR.AA
  capability_id: PR.AA-01.01
  comments: This diagnostic statement protects against Domain Account through the
    use of hardened access control policies, secure defaults, password complexity
    requirements, multifactor authentication requirements, and removal of terminated
    accounts.
  mapping_type: mitigates
  references: []
- attack_object_id: T1136.003
  attack_object_name: Cloud Account
  capability_description: Identity and credential management
  capability_group: PR.AA
  capability_id: PR.AA-01.01
  comments: This diagnostic statement protects against Cloud Account through the use
    of hardened access control policies, secure defaults, password complexity requirements,
    multifactor authentication requirements, and removal of terminated accounts.
  mapping_type: mitigates
  references: []
- attack_object_id: T1185
  attack_object_name: Browser Session Hijacking
  capability_description: Identity and credential management
  capability_group: PR.AA
  capability_id: PR.AA-01.01
  comments: This diagnostic statement protects against Browser Session Hijacking through
    the use of hardened access control policies, secure defaults, password complexity
    requirements, multifactor authentication requirements, and removal of terminated
    accounts.
  mapping_type: mitigates
  references: []
- attack_object_id: T1187
  attack_object_name: Forced Authentication
  capability_description: Identity and credential management
  capability_group: PR.AA
  capability_id: PR.AA-01.01
  comments: This diagnostic statement protects against Forced Authentication through
    the use of hardened access control policies, secure defaults, password complexity
    requirements, multifactor authentication requirements, and removal of terminated
    accounts.
  mapping_type: mitigates
  references: []
- attack_object_id: T1195
  attack_object_name: Supply Chain Compromise
  capability_description: Identity and credential management
  capability_group: PR.AA
  capability_id: PR.AA-01.01
  comments: This diagnostic statement protects against Supply Chain Compromise through
    the use of hardened access control policies, secure defaults, password complexity
    requirements, multifactor authentication requirements, and removal of terminated
    accounts.
  mapping_type: mitigates
  references: []
- attack_object_id: T1197
  attack_object_name: BITS Jobs
  capability_description: Identity and credential management
  capability_group: PR.AA
  capability_id: PR.AA-01.01
  comments: This diagnostic statement protects against BITS Jobs through the use of
    hardened access control policies, secure defaults, password complexity requirements,
    multifactor authentication requirements, and removal of terminated accounts.
  mapping_type: mitigates
  references: []
- attack_object_id: T1199
  attack_object_name: Trusted Relationship
  capability_description: Identity and credential management
  capability_group: PR.AA
  capability_id: PR.AA-01.01
  comments: This diagnostic statement protects against Trusted Relationship through
    the use of hardened access control policies, secure defaults, password complexity
    requirements, multifactor authentication requirements, and removal of terminated
    accounts.
  mapping_type: mitigates
  references: []
- attack_object_id: T1201
  attack_object_name: Password Policy Discovery
  capability_description: Identity and credential management
  capability_group: PR.AA
  capability_id: PR.AA-01.01
  comments: This diagnostic statement protects against Password Policy Discovery through
    the use of hardened access control policies, secure defaults, password complexity
    requirements, multifactor authentication requirements, and removal of terminated
    accounts.
  mapping_type: mitigates
  references: []
- attack_object_id: T1213
  attack_object_name: Data from Information Repositories
  capability_description: Identity and credential management
  capability_group: PR.AA
  capability_id: PR.AA-01.01
  comments: This diagnostic statement protects against Data from Information Repositories
    through the use of hardened access control policies, secure defaults, password
    complexity requirements, multifactor authentication requirements, and removal
    of terminated accounts.
  mapping_type: mitigates
  references: []
- attack_object_id: T1213.001
  attack_object_name: Confluence
  capability_description: Identity and credential management
  capability_group: PR.AA
  capability_id: PR.AA-01.01
  comments: This diagnostic statement protects against Confluence through the use
    of hardened access control policies, secure defaults, password complexity requirements,
    multifactor authentication requirements, and removal of terminated accounts.
  mapping_type: mitigates
  references: []
- attack_object_id: T1213.002
  attack_object_name: Sharepoint
  capability_description: Identity and credential management
  capability_group: PR.AA
  capability_id: PR.AA-01.01
  comments: This diagnostic statement protects against Sharepoint through the use
    of hardened access control policies, secure defaults, password complexity requirements,
    multifactor authentication requirements, and removal of terminated accounts.
  mapping_type: mitigates
  references: []
- attack_object_id: T1213.003
  attack_object_name: Code Repositories
  capability_description: Identity and credential management
  capability_group: PR.AA
  capability_id: PR.AA-01.01
  comments: This diagnostic statement protects against Code Repositories through the
    use of hardened access control policies, secure defaults, password complexity
    requirements, multifactor authentication requirements, and removal of terminated
    accounts.
  mapping_type: mitigates
  references: []
- attack_object_id: T1213.004
  attack_object_name: Customer Relationship Management Software
  capability_description: Identity and credential management
  capability_group: PR.AA
  capability_id: PR.AA-01.01
  comments: This diagnostic statement protects against Customer Relationship Management
    Software through the use of hardened access control policies, secure defaults,
    password complexity requirements, multifactor authentication requirements, and
    removal of terminated accounts.
  mapping_type: mitigates
  references: []
- attack_object_id: T1484
  attack_object_name: Domain or Tenant Policy Modification
  capability_description: Identity and credential management
  capability_group: PR.AA
  capability_id: PR.AA-01.01
  comments: This diagnostic statement protects against Domain or Tenant Policy Modification
    through the use of hardened access control policies, secure defaults, password
    complexity requirements, multifactor authentication requirements, and removal
    of terminated accounts.
  mapping_type: mitigates
  references: []
- attack_object_id: T1484.001
  attack_object_name: Group Policy Modification
  capability_description: Identity and credential management
  capability_group: PR.AA
  capability_id: PR.AA-01.01
  comments: This diagnostic statement protects against Group Policy Modification through
    the use of hardened access control policies, secure defaults, password complexity
    requirements, multifactor authentication requirements, and removal of terminated
    accounts.
  mapping_type: mitigates
  references: []
- attack_object_id: T1484.002
  attack_object_name: Trust Modification
  capability_description: Identity and credential management
  capability_group: PR.AA
  capability_id: PR.AA-01.01
  comments: This diagnostic statement protects against Trust Modification through
    the use of hardened access control policies, secure defaults, password complexity
    requirements, multifactor authentication requirements, and removal of terminated
    accounts.
  mapping_type: mitigates
  references: []
- attack_object_id: T1485
  attack_object_name: Data Destruction
  capability_description: Identity and credential management
  capability_group: PR.AA
  capability_id: PR.AA-01.01
  comments: This diagnostic statement protects against Data Destruction through the
    use of hardened access control policies, secure defaults, password complexity
    requirements, multifactor authentication requirements, and removal of terminated
    accounts.
  mapping_type: mitigates
  references: []
- attack_object_id: T1485.001
  attack_object_name: Lifecycle-Triggered Deletion
  capability_description: Identity and credential management
  capability_group: PR.AA
  capability_id: PR.AA-01.01
  comments: This diagnostic statement protects against Lifecycle-Triggered Deletion
    through the use of hardened access control policies, secure defaults, password
    complexity requirements, multifactor authentication requirements, and removal
    of terminated accounts.
  mapping_type: mitigates
  references: []
- attack_object_id: T1489
  attack_object_name: Service Stop
  capability_description: Identity and credential management
  capability_group: PR.AA
  capability_id: PR.AA-01.01
  comments: This diagnostic statement protects against Service Stop through the use
    of hardened access control policies, secure defaults, password complexity requirements,
    multifactor authentication requirements, and removal of terminated accounts.
  mapping_type: mitigates
  references: []
- attack_object_id: T1490
  attack_object_name: Inhibit System Recovery
  capability_description: Identity and credential management
  capability_group: PR.AA
  capability_id: PR.AA-01.01
  comments: This diagnostic statement protects against Inhibit System Recovery through
    the use of hardened access control policies, secure defaults, password complexity
    requirements, multifactor authentication requirements, and removal of terminated
    accounts.
  mapping_type: mitigates
  references: []
- attack_object_id: T1505
  attack_object_name: Server Software Component
  capability_description: Identity and credential management
  capability_group: PR.AA
  capability_id: PR.AA-01.01
  comments: This diagnostic statement protects against Server Software Component through
    the use of hardened access control policies, secure defaults, password complexity
    requirements, multifactor authentication requirements, and removal of terminated
    accounts.
  mapping_type: mitigates
  references: []
- attack_object_id: T1505.003
  attack_object_name: Web Shell
  capability_description: Identity and credential management
  capability_group: PR.AA
  capability_id: PR.AA-01.01
  comments: This diagnostic statement protects against Web Shell through the use of
    hardened access control policies, secure defaults, password complexity requirements,
    multifactor authentication requirements, and removal of terminated accounts.
  mapping_type: mitigates
  references: []
- attack_object_id: T1528
  attack_object_name: Steal Application Access Token
  capability_description: Identity and credential management
  capability_group: PR.AA
  capability_id: PR.AA-01.01
  comments: This diagnostic statement protects against Steal Application Access Token
    through the use of hardened access control policies, secure defaults, password
    complexity requirements, multifactor authentication requirements, and removal
    of terminated accounts.
  mapping_type: mitigates
  references: []
- attack_object_id: T1530
  attack_object_name: Data from Cloud Storage
  capability_description: Identity and credential management
  capability_group: PR.AA
  capability_id: PR.AA-01.01
  comments: This diagnostic statement protects against Data from Cloud Storage through
    the use of hardened access control policies, secure defaults, password complexity
    requirements, multifactor authentication requirements, and removal of terminated
    accounts.
  mapping_type: mitigates
  references: []
- attack_object_id: T1537
  attack_object_name: Transfer Data to Cloud Account
  capability_description: Identity and credential management
  capability_group: PR.AA
  capability_id: PR.AA-01.01
  comments: This diagnostic statement protects against Transfer Data to Cloud Account
    through the use of hardened access control policies, secure defaults, password
    complexity requirements, multifactor authentication requirements, and removal
    of terminated accounts.
  mapping_type: mitigates
  references: []
- attack_object_id: T1538
  attack_object_name: Cloud Service Dashboard
  capability_description: Identity and credential management
  capability_group: PR.AA
  capability_id: PR.AA-01.01
  comments: This diagnostic statement protects against Cloud Service Dashboard through
    the use of hardened access control policies, secure defaults, password complexity
    requirements, multifactor authentication requirements, and removal of terminated
    accounts.
  mapping_type: mitigates
  references: []
- attack_object_id: T1539
  attack_object_name: Steal Web Session Cookie
  capability_description: Identity and credential management
  capability_group: PR.AA
  capability_id: PR.AA-01.01
  comments: This diagnostic statement protects against Steal Web Session Cookie through
    the use of hardened access control policies, secure defaults, password complexity
    requirements, multifactor authentication requirements, and removal of terminated
    accounts.
  mapping_type: mitigates
  references: []
- attack_object_id: T1543
  attack_object_name: Create or Modify System Process
  capability_description: Identity and credential management
  capability_group: PR.AA
  capability_id: PR.AA-01.01
  comments: This diagnostic statement protects against Create or Modify System Process
    through the use of hardened access control policies, secure defaults, password
    complexity requirements, multifactor authentication requirements, and removal
    of terminated accounts.
  mapping_type: mitigates
  references: []
- attack_object_id: T1543.002
  attack_object_name: Systemd Service
  capability_description: Identity and credential management
  capability_group: PR.AA
  capability_id: PR.AA-01.01
  comments: This diagnostic statement protects against Systemd Service through the
    use of hardened access control policies, secure defaults, password complexity
    requirements, multifactor authentication requirements, and removal of terminated
    accounts.
  mapping_type: mitigates
  references: []
- attack_object_id: T1543.003
  attack_object_name: Windows Service
  capability_description: Identity and credential management
  capability_group: PR.AA
  capability_id: PR.AA-01.01
  comments: This diagnostic statement protects against Windows Service through the
    use of hardened access control policies, secure defaults, password complexity
    requirements, multifactor authentication requirements, and removal of terminated
    accounts.
  mapping_type: mitigates
  references: []
- attack_object_id: T1543.004
  attack_object_name: Launch Daemon
  capability_description: Identity and credential management
  capability_group: PR.AA
  capability_id: PR.AA-01.01
  comments: This diagnostic statement protects against Launch Daemon through the use
    of hardened access control policies, secure defaults, password complexity requirements,
    multifactor authentication requirements, and removal of terminated accounts.
  mapping_type: mitigates
  references: []
- attack_object_id: T1543.005
  attack_object_name: Container Service
  capability_description: Identity and credential management
  capability_group: PR.AA
  capability_id: PR.AA-01.01
  comments: This diagnostic statement protects against Container Service through the
    use of hardened access control policies, secure defaults, password complexity
    requirements, multifactor authentication requirements, and removal of terminated
    accounts.
  mapping_type: mitigates
  references: []
- attack_object_id: T1546
  attack_object_name: Event Triggered Execution
  capability_description: Identity and credential management
  capability_group: PR.AA
  capability_id: PR.AA-01.01
  comments: This diagnostic statement protects against Event Triggered Execution through
    the use of hardened access control policies, secure defaults, password complexity
    requirements, multifactor authentication requirements, and removal of terminated
    accounts.
  mapping_type: mitigates
  references: []
- attack_object_id: T1546.003
  attack_object_name: Windows Management Instrumentation Event Subscription
  capability_description: Identity and credential management
  capability_group: PR.AA
  capability_id: PR.AA-01.01
  comments: This diagnostic statement protects against Windows Management Instrumentation
    Event Subscription through the use of hardened access control policies, secure
    defaults, password complexity requirements, multifactor authentication requirements,
    and removal of terminated accounts.
  mapping_type: mitigates
  references: []
- attack_object_id: T1546.011
  attack_object_name: Application Shimming
  capability_description: Identity and credential management
  capability_group: PR.AA
  capability_id: PR.AA-01.01
  comments: This diagnostic statement protects against Application Shimming through
    the use of hardened access control policies, secure defaults, password complexity
    requirements, multifactor authentication requirements, and removal of terminated
    accounts.
  mapping_type: mitigates
  references: []
- attack_object_id: T1547
  attack_object_name: Boot or Logon Autostart Execution
  capability_description: Identity and credential management
  capability_group: PR.AA
  capability_id: PR.AA-01.01
  comments: This diagnostic statement protects against Boot or Logon Autostart Execution
    through the use of hardened access control policies, secure defaults, password
    complexity requirements, multifactor authentication requirements, and removal
    of terminated accounts.
  mapping_type: mitigates
  references: []
- attack_object_id: T1547.004
  attack_object_name: Winlogon Helper DLL
  capability_description: Identity and credential management
  capability_group: PR.AA
  capability_id: PR.AA-01.01
  comments: This diagnostic statement protects against Winlogon Helper DLL through
    the use of hardened access control policies, secure defaults, password complexity
    requirements, multifactor authentication requirements, and removal of terminated
    accounts.
  mapping_type: mitigates
  references: []
- attack_object_id: T1547.006
  attack_object_name: Kernel Modules and Extensions
  capability_description: Identity and credential management
  capability_group: PR.AA
  capability_id: PR.AA-01.01
  comments: This diagnostic statement protects against Kernel Modules and Extensions
    through the use of hardened access control policies, secure defaults, password
    complexity requirements, multifactor authentication requirements, and removal
    of terminated accounts.
  mapping_type: mitigates
  references: []
- attack_object_id: T1547.009
  attack_object_name: Shortcut Modification
  capability_description: Identity and credential management
  capability_group: PR.AA
  capability_id: PR.AA-01.01
  comments: This diagnostic statement protects against Shortcut Modification through
    the use of hardened access control policies, secure defaults, password complexity
    requirements, multifactor authentication requirements, and removal of terminated
    accounts.
  mapping_type: mitigates
  references: []
- attack_object_id: T1547.012
  attack_object_name: Print Processors
  capability_description: Identity and credential management
  capability_group: PR.AA
  capability_id: PR.AA-01.01
  comments: This diagnostic statement protects against Print Processors through the
    use of hardened access control policies, secure defaults, password complexity
    requirements, multifactor authentication requirements, and removal of terminated
    accounts.
  mapping_type: mitigates
  references: []
- attack_object_id: T1547.013
  attack_object_name: XDG Autostart Entries
  capability_description: Identity and credential management
  capability_group: PR.AA
  capability_id: PR.AA-01.01
  comments: This diagnostic statement protects against XDG Autostart Entries through
    the use of hardened access control policies, secure defaults, password complexity
    requirements, multifactor authentication requirements, and removal of terminated
    accounts.
  mapping_type: mitigates
  references: []
- attack_object_id: T1548
  attack_object_name: Abuse Elevation Control Mechanism
  capability_description: Identity and credential management
  capability_group: PR.AA
  capability_id: PR.AA-01.01
  comments: This diagnostic statement protects against Abuse Elevation Control Mechanism
    through the use of hardened access control policies, secure defaults, password
    complexity requirements, multifactor authentication requirements, and removal
    of terminated accounts.
  mapping_type: mitigates
  references: []
- attack_object_id: T1548.002
  attack_object_name: Bypass User Account Control
  capability_description: Identity and credential management
  capability_group: PR.AA
  capability_id: PR.AA-01.01
  comments: This diagnostic statement protects against Bypass User Account Control
    through the use of hardened access control policies, secure defaults, password
    complexity requirements, multifactor authentication requirements, and removal
    of terminated accounts.
  mapping_type: mitigates
  references: []
- attack_object_id: T1548.005
  attack_object_name: Temporary Elevated Cloud Access
  capability_description: Identity and credential management
  capability_group: PR.AA
  capability_id: PR.AA-01.01
  comments: This diagnostic statement protects against Temporary Elevated Cloud Access
    through the use of hardened access control policies, secure defaults, password
    complexity requirements, multifactor authentication requirements, and removal
    of terminated accounts.
  mapping_type: mitigates
  references: []
- attack_object_id: T1550
  attack_object_name: Use Alternate Authentication Material
  capability_description: Identity and credential management
  capability_group: PR.AA
  capability_id: PR.AA-01.01
  comments: This diagnostic statement protects against Use Alternate Authentication
    Material through the use of hardened access control policies, secure defaults,
    password complexity requirements, multifactor authentication requirements, and
    removal of terminated accounts.
  mapping_type: mitigates
  references: []
- attack_object_id: T1550.001
  attack_object_name: Application Access Token
  capability_description: Identity and credential management
  capability_group: PR.AA
  capability_id: PR.AA-01.01
  comments: This diagnostic statement protects against Application Access Token through
    the use of hardened access control policies, secure defaults, password complexity
    requirements, multifactor authentication requirements, and removal of terminated
    accounts.
  mapping_type: mitigates
  references: []
- attack_object_id: T1550.002
  attack_object_name: Pass the Hash
  capability_description: Identity and credential management
  capability_group: PR.AA
  capability_id: PR.AA-01.01
  comments: This diagnostic statement protects against Pass the Hash through the use
    of hardened access control policies, secure defaults, password complexity requirements,
    multifactor authentication requirements, and removal of terminated accounts.
  mapping_type: mitigates
  references: []
- attack_object_id: T1550.003
  attack_object_name: Pass the Ticket
  capability_description: Identity and credential management
  capability_group: PR.AA
  capability_id: PR.AA-01.01
  comments: This diagnostic statement protects against Pass the Ticket through the
    use of hardened access control policies, secure defaults, password complexity
    requirements, multifactor authentication requirements, and removal of terminated
    accounts.
  mapping_type: mitigates
  references: []
- attack_object_id: T1552
  attack_object_name: Unsecured Credentials
  capability_description: Identity and credential management
  capability_group: PR.AA
  capability_id: PR.AA-01.01
  comments: This diagnostic statement protects against Unsecured Credentials through
    the use of hardened access control policies, secure defaults, password complexity
    requirements, multifactor authentication requirements, and removal of terminated
    accounts.
  mapping_type: mitigates
  references: []
- attack_object_id: T1552.001
  attack_object_name: Credentials In Files
  capability_description: Identity and credential management
  capability_group: PR.AA
  capability_id: PR.AA-01.01
  comments: This diagnostic statement protects against Credentials In Files through
    the use of hardened access control policies, secure defaults, password complexity
    requirements, multifactor authentication requirements, and removal of terminated
    accounts.
  mapping_type: mitigates
  references: []
- attack_object_id: T1552.002
  attack_object_name: Credentials in Registry
  capability_description: Identity and credential management
  capability_group: PR.AA
  capability_id: PR.AA-01.01
  comments: This diagnostic statement protects against Credentials in Registry through
    the use of hardened access control policies, secure defaults, password complexity
    requirements, multifactor authentication requirements, and removal of terminated
    accounts.
  mapping_type: mitigates
  references: []
- attack_object_id: T1552.004
  attack_object_name: Private Keys
  capability_description: Identity and credential management
  capability_group: PR.AA
  capability_id: PR.AA-01.01
  comments: This diagnostic statement protects against the Private Keys sub-technique
    (T1552.004) through the use of hardened access control policies, secure defaults,
    password complexity requirements, multifactor authentication requirements, and
    removal of terminated accounts.
  mapping_type: mitigates
  references: []
- attack_object_id: T1552.006
  attack_object_name: Group Policy Preferences
  capability_description: Identity and credential management
  capability_group: PR.AA
  capability_id: PR.AA-01.01
  comments: This diagnostic statement protects against Group Policy Preferences through
    the use of hardened access control policies, secure defaults, password complexity
    requirements, multifactor authentication requirements, and removal of terminated
    accounts.
  mapping_type: mitigates
  references: []
- attack_object_id: T1552.007
  attack_object_name: Container API
  capability_description: Identity and credential management
  capability_group: PR.AA
  capability_id: PR.AA-01.01
  comments: This diagnostic statement protects against Container API through the use
    of hardened access control policies, secure defaults, password complexity requirements,
    multifactor authentication requirements, and removal of terminated accounts.
  mapping_type: mitigates
  references: []
- attack_object_id: T1555
  attack_object_name: Credentials from Password Stores
  capability_description: Identity and credential management
  capability_group: PR.AA
  capability_id: PR.AA-01.01
  comments: This diagnostic statement protects against Credentials from Password Stores
    through the use of hardened access control policies, secure defaults, password
    complexity requirements, multifactor authentication requirements, and removal
    of terminated accounts.
  mapping_type: mitigates
  references: []
- attack_object_id: T1555.001
  attack_object_name: Keychain
  capability_description: Identity and credential management
  capability_group: PR.AA
  capability_id: PR.AA-01.01
  comments: This diagnostic statement protects against Keychain through the use of
    hardened access control policies, secure defaults, password complexity requirements,
    multifactor authentication requirements, and removal of terminated accounts.
  mapping_type: mitigates
  references: []
- attack_object_id: T1555.003
  attack_object_name: Credentials from Web Browsers
  capability_description: Identity and credential management
  capability_group: PR.AA
  capability_id: PR.AA-01.01
  comments: This diagnostic statement protects against Credentials from Web Browsers
    through the use of hardened access control policies, secure defaults, password
    complexity requirements, multifactor authentication requirements, and removal
    of terminated accounts.
  mapping_type: mitigates
  references: []
- attack_object_id: T1555.005
  attack_object_name: Password Managers
  capability_description: Identity and credential management
  capability_group: PR.AA
  capability_id: PR.AA-01.01
  comments: This diagnostic statement protects against Password Managers through the
    use of hardened access control policies, secure defaults, password complexity
    requirements, multifactor authentication requirements, and removal of terminated
    accounts.
  mapping_type: mitigates
  references: []
- attack_object_id: T1556
  attack_object_name: Modify Authentication Process
  capability_description: Identity and credential management
  capability_group: PR.AA
  capability_id: PR.AA-01.01
  comments: This diagnostic statement protects against Modify Authentication Process
    through the use of hardened access control policies, secure defaults, password
    complexity requirements, multifactor authentication requirements, and removal
    of terminated accounts.
  mapping_type: mitigates
  references: []
- attack_object_id: T1556.001
  attack_object_name: Domain Controller Authentication
  capability_description: Identity and credential management
  capability_group: PR.AA
  capability_id: PR.AA-01.01
  comments: This diagnostic statement protects against the Domain Controller Authentication
    sub-technique (T1556.001) through the use of hardened access control policies, secure
    defaults, password complexity requirements, multifactor authentication requirements,
    and removal of terminated accounts.
  mapping_type: mitigates
  references: []
- attack_object_id: T1556.003
  attack_object_name: Pluggable Authentication Modules
  capability_description: Identity and credential management
  capability_group: PR.AA
  capability_id: PR.AA-01.01
  comments: This diagnostic statement protects against the Pluggable Authentication Modules
    sub-technique (T1556.003) through the use of hardened access control policies, secure
    defaults, password complexity requirements, multifactor authentication requirements,
    and removal of terminated accounts.
  mapping_type: mitigates
  references: []
- attack_object_id: T1556.004
  attack_object_name: Network Device Authentication
  capability_description: Identity and credential management
  capability_group: PR.AA
  capability_id: PR.AA-01.01
  comments: This diagnostic statement protects against the Network Device Authentication
    sub-technique (T1556.004) through the use of hardened access control policies, secure
    defaults, password complexity requirements, multifactor authentication requirements,
    and removal of terminated accounts.
  mapping_type: mitigates
  references: []
- attack_object_id: T1556.005
  attack_object_name: Reversible Encryption
  capability_description: Identity and credential management
  capability_group: PR.AA
  capability_id: PR.AA-01.01
  comments: This diagnostic statement protects against the Reversible Encryption
    sub-technique (T1556.005) through the use of hardened access control policies, secure
    defaults, password complexity requirements, multifactor authentication requirements,
    and removal of terminated accounts.
  mapping_type: mitigates
  references: []
- attack_object_id: T1556.006
  attack_object_name: Multi-Factor Authentication
  capability_description: Identity and credential management
  capability_group: PR.AA
  capability_id: PR.AA-01.01
  comments: This diagnostic statement protects against the Multi-Factor Authentication
    sub-technique (T1556.006) through the use of hardened access control policies, secure
    defaults, password complexity requirements, multifactor authentication requirements,
    and removal of terminated accounts.
  mapping_type: mitigates
  references: []
- attack_object_id: T1556.007
  attack_object_name: Hybrid Identity
  capability_description: Identity and credential management
  capability_group: PR.AA
  capability_id: PR.AA-01.01
  comments: This diagnostic statement protects against the Hybrid Identity sub-technique
    (T1556.007) through the use of hardened access control policies, secure defaults,
    password complexity requirements, multifactor authentication requirements, and
    removal of terminated accounts.
  mapping_type: mitigates
  references: []
- attack_object_id: T1556.009
  attack_object_name: Conditional Access Policies
  capability_description: Identity and credential management
  capability_group: PR.AA
  capability_id: PR.AA-01.01
  comments: This diagnostic statement protects against the Conditional Access Policies
    sub-technique (T1556.009) through the use of hardened access control policies, secure
    defaults, password complexity requirements, multifactor authentication requirements,
    and removal of terminated accounts.
  mapping_type: mitigates
  references: []
- attack_object_id: T1558
  attack_object_name: Steal or Forge Kerberos Tickets
  capability_description: Identity and credential management
  capability_group: PR.AA
  capability_id: PR.AA-01.01
  comments: This diagnostic statement protects against Steal or Forge Kerberos Tickets
    through the use of hardened access control policies, secure defaults, password
    complexity requirements, multifactor authentication requirements, and removal
    of terminated accounts.
  mapping_type: mitigates
  references: []
- attack_object_id: T1558.001
  attack_object_name: Golden Ticket
  capability_description: Identity and credential management
  capability_group: PR.AA
  capability_id: PR.AA-01.01
  comments: This diagnostic statement protects against Golden Ticket through the use
    of hardened access control policies, secure defaults, password complexity requirements,
    multifactor authentication requirements, and removal of terminated accounts.
  mapping_type: mitigates
  references: []
- attack_object_id: T1558.002
  attack_object_name: Silver Ticket
  capability_description: Identity and credential management
  capability_group: PR.AA
  capability_id: PR.AA-01.01
  comments: This diagnostic statement protects against Silver Ticket through the use
    of hardened access control policies, secure defaults, password complexity requirements,
    multifactor authentication requirements, and removal of terminated accounts.
  mapping_type: mitigates
  references: []
- attack_object_id: T1558.003
  attack_object_name: Kerberoasting
  capability_description: Identity and credential management
  capability_group: PR.AA
  capability_id: PR.AA-01.01
  comments: This diagnostic statement protects against Kerberoasting through the use
    of hardened access control policies, secure defaults, password complexity requirements,
    multifactor authentication requirements, and removal of terminated accounts.
  mapping_type: mitigates
  references: []
- attack_object_id: T1558.004
  attack_object_name: AS-REP Roasting
  capability_description: Identity and credential management
  capability_group: PR.AA
  capability_id: PR.AA-01.01
  comments: This diagnostic statement protects against AS-REP Roasting through the
    use of hardened access control policies, secure defaults, password complexity
    requirements, multifactor authentication requirements, and removal of terminated
    accounts.
  mapping_type: mitigates
  references: []
- attack_object_id: T1562
  attack_object_name: Impair Defenses
  capability_description: Identity and credential management
  capability_group: PR.AA
  capability_id: PR.AA-01.01
  comments: This diagnostic statement protects against Impair Defenses through the
    use of hardened access control policies, secure defaults, password complexity
    requirements, multifactor authentication requirements, and removal of terminated
    accounts.
  mapping_type: mitigates
  references: []
- attack_object_id: T1562.001
  attack_object_name: Disable or Modify Tools
  capability_description: Identity and credential management
  capability_group: PR.AA
  capability_id: PR.AA-01.01
  comments: This diagnostic statement protects against Disable or Modify Tools through
    the use of hardened access control policies, secure defaults, password complexity
    requirements, multifactor authentication requirements, and removal of terminated
    accounts.
  mapping_type: mitigates
  references: []
- attack_object_id: T1562.002
  attack_object_name: Disable Windows Event Logging
  capability_description: Identity and credential management
  capability_group: PR.AA
  capability_id: PR.AA-01.01
  comments: This diagnostic statement protects against Disable Windows Event Logging
    through the use of hardened access control policies, secure defaults, password
    complexity requirements, multifactor authentication requirements, and removal
    of terminated accounts.
  mapping_type: mitigates
  references: []
- attack_object_id: T1562.004
  attack_object_name: Disable or Modify System Firewall
  capability_description: Identity and credential management
  capability_group: PR.AA
  capability_id: PR.AA-01.01
  comments: This diagnostic statement protects against Disable or Modify System Firewall
    through the use of hardened access control policies, secure defaults, password
    complexity requirements, multifactor authentication requirements, and removal
    of terminated accounts.
  mapping_type: mitigates
  references: []
- attack_object_id: T1562.006
  attack_object_name: Indicator Blocking
  capability_description: Identity and credential management
  capability_group: PR.AA
  capability_id: PR.AA-01.01
  comments: This diagnostic statement protects against Indicator Blocking through
    the use of hardened access control policies, secure defaults, password complexity
    requirements, multifactor authentication requirements, and removal of terminated
    accounts.
  mapping_type: mitigates
  references: []
- attack_object_id: T1562.007
  attack_object_name: Disable or Modify Cloud Firewall
  capability_description: Identity and credential management
  capability_group: PR.AA
  capability_id: PR.AA-01.01
  comments: This diagnostic statement protects against Disable or Modify Cloud Firewall
    through the use of hardened access control policies, secure defaults, password
    complexity requirements, multifactor authentication requirements, and removal
    of terminated accounts.
  mapping_type: mitigates
  references: []
- attack_object_id: T1562.008
  attack_object_name: Disable or Modify Cloud Logs
  capability_description: Identity and credential management
  capability_group: PR.AA
  capability_id: PR.AA-01.01
  comments: This diagnostic statement protects against Disable or Modify Cloud Logs
    through the use of hardened access control policies, secure defaults, password
    complexity requirements, multifactor authentication requirements, and removal
    of terminated accounts.
  mapping_type: mitigates
  references: []
- attack_object_id: T1562.012
  attack_object_name: Disable or Modify Linux Audit System
  capability_description: Identity and credential management
  capability_group: PR.AA
  capability_id: PR.AA-01.01
  comments: This diagnostic statement protects against Disable or Modify Linux Audit
    System through the use of hardened access control policies, secure defaults, password
    complexity requirements, multifactor authentication requirements, and removal
    of terminated accounts.
  mapping_type: mitigates
  references: []
- attack_object_id: T1563
  attack_object_name: Remote Service Session Hijacking
  capability_description: Identity and credential management
  capability_group: PR.AA
  capability_id: PR.AA-01.01
  comments: This diagnostic statement protects against Remote Service Session Hijacking
    through the use of hardened access control policies, secure defaults, password
    complexity requirements, multifactor authentication requirements, and removal
    of terminated accounts.
  mapping_type: mitigates
  references: []
- attack_object_id: T1563.001
  attack_object_name: SSH Hijacking
  capability_description: Identity and credential management
  capability_group: PR.AA
  capability_id: PR.AA-01.01
  comments: This diagnostic statement protects against SSH Hijacking through the use
    of hardened access control policies, secure defaults, password complexity requirements,
    multifactor authentication requirements, and removal of terminated accounts.
  mapping_type: mitigates
  references: []
- attack_object_id: T1563.002
  attack_object_name: RDP Hijacking
  capability_description: Identity and credential management
  capability_group: PR.AA
  capability_id: PR.AA-01.01
  comments: This diagnostic statement protects against RDP Hijacking through the use
    of hardened access control policies, secure defaults, password complexity requirements,
    multifactor authentication requirements, and removal of terminated accounts.
  mapping_type: mitigates
  references: []
- attack_object_id: T1566
  attack_object_name: Phishing
  capability_description: Identity and credential management
  capability_group: PR.AA
  capability_id: PR.AA-01.01
  comments: This diagnostic statement protects against Phishing through the use of
    hardened access control policies, secure defaults, password complexity requirements,
    multifactor authentication requirements, and removal of terminated accounts.
  mapping_type: mitigates
  references: []
- attack_object_id: T1566.001
  attack_object_name: Spearphishing Attachment
  capability_description: Identity and credential management
  capability_group: PR.AA
  capability_id: PR.AA-01.01
  comments: This diagnostic statement protects against Spearphishing Attachment through
    the use of hardened access control policies, secure defaults, password complexity
    requirements, multifactor authentication requirements, and removal of terminated
    accounts.
  mapping_type: mitigates
  references: []
- attack_object_id: T1566.002
  attack_object_name: Spearphishing Link
  capability_description: Identity and credential management
  capability_group: PR.AA
  capability_id: PR.AA-01.01
  comments: This diagnostic statement protects against Spearphishing Link through
    the use of hardened access control policies, secure defaults, password complexity
    requirements, multifactor authentication requirements, and removal of terminated
    accounts.
  mapping_type: mitigates
  references: []
- attack_object_id: T1566.003
  attack_object_name: Spearphishing via Service
  capability_description: Identity and credential management
  capability_group: PR.AA
  capability_id: PR.AA-01.01
  comments: This diagnostic statement protects against Spearphishing via Service through
    the use of hardened access control policies, secure defaults, password complexity
    requirements, multifactor authentication requirements, and removal of terminated
    accounts.
  mapping_type: mitigates
  references: []
- attack_object_id: T1569
  attack_object_name: System Services
  capability_description: Identity and credential management
  capability_group: PR.AA
  capability_id: PR.AA-01.01
  comments: This diagnostic statement protects against System Services through the
    use of hardened access control policies, secure defaults, password complexity
    requirements, multifactor authentication requirements, and removal of terminated
    accounts.
  mapping_type: mitigates
  references: []
- attack_object_id: T1569.001
  attack_object_name: Launchctl
  capability_description: Identity and credential management
  capability_group: PR.AA
  capability_id: PR.AA-01.01
  comments: This diagnostic statement protects against Launchctl through the use of
    hardened access control policies, secure defaults, password complexity requirements,
    multifactor authentication requirements, and removal of terminated accounts.
  mapping_type: mitigates
  references: []
- attack_object_id: T1574
  attack_object_name: Hijack Execution Flow
  capability_description: Identity and credential management
  capability_group: PR.AA
  capability_id: PR.AA-01.01
  comments: This diagnostic statement protects against Hijack Execution Flow through
    the use of hardened access control policies, secure defaults, password complexity
    requirements, multifactor authentication requirements, and removal of terminated
    accounts.
  mapping_type: mitigates
  references: []
- attack_object_id: T1574.005
  attack_object_name: Executable Installer File Permissions Weakness
  capability_description: Identity and credential management
  capability_group: PR.AA
  capability_id: PR.AA-01.01
  comments: This diagnostic statement protects against Executable Installer File Permissions
    Weakness through the use of hardened access control policies, secure defaults,
    password complexity requirements, multifactor authentication requirements, and
    removal of terminated accounts.
  mapping_type: mitigates
  references: []
- attack_object_id: T1574.010
  attack_object_name: Services File Permissions Weakness
  capability_description: Identity and credential management
  capability_group: PR.AA
  capability_id: PR.AA-01.01
  comments: This diagnostic statement protects against Services File Permissions Weakness
    through the use of hardened access control policies, secure defaults, password
    complexity requirements, multifactor authentication requirements, and removal
    of terminated accounts.
  mapping_type: mitigates
  references: []
- attack_object_id: T1574.012
  attack_object_name: COR_PROFILER
  capability_description: Identity and credential management
  capability_group: PR.AA
  capability_id: PR.AA-01.01
  comments: This diagnostic statement protects against COR_PROFILER through the use
    of hardened access control policies, secure defaults, password complexity requirements,
    multifactor authentication requirements, and removal of terminated accounts.
  mapping_type: mitigates
  references: []
- attack_object_id: T1578
  attack_object_name: Modify Cloud Compute Infrastructure
  capability_description: Identity and credential management
  capability_group: PR.AA
  capability_id: PR.AA-01.01
  comments: This diagnostic statement protects against Modify Cloud Compute Infrastructure
    through the use of hardened access control policies, secure defaults, password
    complexity requirements, multifactor authentication requirements, and removal
    of terminated accounts.
  mapping_type: mitigates
  references: []
- attack_object_id: T1578.001
  attack_object_name: Create Snapshot
  capability_description: Identity and credential management
  capability_group: PR.AA
  capability_id: PR.AA-01.01
  comments: This diagnostic statement protects against Create Snapshot through the
    use of hardened access control policies, secure defaults, password complexity
    requirements, multifactor authentication requirements, and removal of terminated
    accounts.
  mapping_type: mitigates
  references: []
- attack_object_id: T1578.002
  attack_object_name: Create Cloud Instance
  capability_description: Identity and credential management
  capability_group: PR.AA
  capability_id: PR.AA-01.01
  comments: This diagnostic statement protects against Create Cloud Instance through
    the use of hardened access control policies, secure defaults, password complexity
    requirements, multifactor authentication requirements, and removal of terminated
    accounts.
  mapping_type: mitigates
  references: []
- attack_object_id: T1578.003
  attack_object_name: Delete Cloud Instance
  capability_description: Identity and credential management
  capability_group: PR.AA
  capability_id: PR.AA-01.01
  comments: This diagnostic statement protects against Delete Cloud Instance through
    the use of hardened access control policies, secure defaults, password complexity
    requirements, multifactor authentication requirements, and removal of terminated
    accounts.
  mapping_type: mitigates
  references: []
- attack_object_id: T1578.005
  attack_object_name: Modify Cloud Compute Configurations
  capability_description: Identity and credential management
  capability_group: PR.AA
  capability_id: PR.AA-01.01
  comments: This diagnostic statement protects against Modify Cloud Compute Configurations
    through the use of hardened access control policies, secure defaults, password
    complexity requirements, multifactor authentication requirements, and removal
    of terminated accounts.
  mapping_type: mitigates
  references: []
- attack_object_id: T1580
  attack_object_name: Cloud Infrastructure Discovery
  capability_description: Identity and credential management
  capability_group: PR.AA
  capability_id: PR.AA-01.01
  comments: This diagnostic statement protects against Cloud Infrastructure Discovery
    through the use of hardened access control policies, secure defaults, password
    complexity requirements, multifactor authentication requirements, and removal
    of terminated accounts.
  mapping_type: mitigates
  references: []
- attack_object_id: T1599
  attack_object_name: Network Boundary Bridging
  capability_description: Identity and credential management
  capability_group: PR.AA
  capability_id: PR.AA-01.01
  comments: This diagnostic statement protects against Network Boundary Bridging through
    the use of hardened access control policies, secure defaults, password complexity
    requirements, multifactor authentication requirements, and removal of terminated
    accounts.
  mapping_type: mitigates
  references: []
- attack_object_id: T1599.001
  attack_object_name: Network Address Translation Traversal
  capability_description: Identity and credential management
  capability_group: PR.AA
  capability_id: PR.AA-01.01
  comments: This diagnostic statement protects against Network Address Translation
    Traversal through the use of hardened access control policies, secure defaults,
    password complexity requirements, multifactor authentication requirements, and
    removal of terminated accounts.
  mapping_type: mitigates
  references: []
- attack_object_id: T1601
  attack_object_name: Modify System Image
  capability_description: Identity and credential management
  capability_group: PR.AA
  capability_id: PR.AA-01.01
  comments: This diagnostic statement protects against Modify System Image through
    the use of hardened access control policies, secure defaults, password complexity
    requirements, multifactor authentication requirements, and removal of terminated
    accounts.
  mapping_type: mitigates
  references: []
- attack_object_id: T1601.001
  attack_object_name: Patch System Image
  capability_description: Identity and credential management
  capability_group: PR.AA
  capability_id: PR.AA-01.01
  comments: This diagnostic statement protects against Patch System Image through
    the use of hardened access control policies, secure defaults, password complexity
    requirements, multifactor authentication requirements, and removal of terminated
    accounts.
  mapping_type: mitigates
  references: []
- attack_object_id: T1601.002
  attack_object_name: Downgrade System Image
  capability_description: Identity and credential management
  capability_group: PR.AA
  capability_id: PR.AA-01.01
  comments: This diagnostic statement protects against Downgrade System Image through
    the use of hardened access control policies, secure defaults, password complexity
    requirements, multifactor authentication requirements, and removal of terminated
    accounts.
  mapping_type: mitigates
  references: []
- attack_object_id: T1606
  attack_object_name: Forge Web Credentials
  capability_description: Identity and credential management
  capability_group: PR.AA
  capability_id: PR.AA-01.01
  comments: This diagnostic statement protects against Forge Web Credentials through
    the use of hardened access control policies, secure defaults, password complexity
    requirements, multifactor authentication requirements, and removal of terminated
    accounts.
  mapping_type: mitigates
  references: []
- attack_object_id: T1606.002
  attack_object_name: SAML Tokens
  capability_description: Identity and credential management
  capability_group: PR.AA
  capability_id: PR.AA-01.01
  comments: This diagnostic statement protects against the SAML Tokens sub-technique
    (T1606.002) through the use of hardened access control policies, secure defaults,
    password complexity requirements, multifactor authentication requirements, and
    removal of terminated accounts.
  mapping_type: mitigates
  references: []
- attack_object_id: T1609
  attack_object_name: Container Administration Command
  capability_description: Identity and credential management
  capability_group: PR.AA
  capability_id: PR.AA-01.01
  comments: This diagnostic statement protects against Container Administration Command
    through the use of hardened access control policies, secure defaults, password
    complexity requirements, multifactor authentication requirements, and removal
    of terminated accounts.
  mapping_type: mitigates
  references: []
- attack_object_id: T1610
  attack_object_name: Deploy Container
  capability_description: Identity and credential management
  capability_group: PR.AA
  capability_id: PR.AA-01.01
  comments: This diagnostic statement protects against Deploy Container through the
    use of hardened access control policies, secure defaults, password complexity
    requirements, multifactor authentication requirements, and removal of terminated
    accounts.
  mapping_type: mitigates
  references: []
- attack_object_id: T1613
  attack_object_name: Container and Resource Discovery
  capability_description: Identity and credential management
  capability_group: PR.AA
  capability_id: PR.AA-01.01
  comments: This diagnostic statement protects against Container and Resource Discovery
    through the use of hardened access control policies, secure defaults, password
    complexity requirements, multifactor authentication requirements, and removal
    of terminated accounts.
  mapping_type: mitigates
  references: []
- attack_object_id: T1619
  attack_object_name: Cloud Storage Object Discovery
  capability_description: Identity and credential management
  capability_group: PR.AA
  capability_id: PR.AA-01.01
  comments: This diagnostic statement protects against Cloud Storage Object Discovery
    through the use of hardened access control policies, secure defaults, password
    complexity requirements, multifactor authentication requirements, and removal
    of terminated accounts.
  mapping_type: mitigates
  references: []
- attack_object_id: T1621
  attack_object_name: Multi-Factor Authentication Request Generation
  capability_description: Identity and credential management
  capability_group: PR.AA
  capability_id: PR.AA-01.01
  comments: This diagnostic statement protects against Multi-Factor Authentication
    Request Generation through the use of hardened access control policies, secure
    defaults, password complexity requirements, multifactor authentication requirements,
    and removal of terminated accounts.
  mapping_type: mitigates
  references: []
- attack_object_id: T1648
  attack_object_name: Serverless Execution
  capability_description: Identity and credential management
  capability_group: PR.AA
  capability_id: PR.AA-01.01
  comments: This diagnostic statement protects against Serverless Execution through
    the use of hardened access control policies, secure defaults, password complexity
    requirements, multifactor authentication requirements, and removal of terminated
    accounts.
  mapping_type: mitigates
  references: []
- attack_object_id: T1649
  attack_object_name: Steal or Forge Authentication Certificates
  capability_description: Identity and credential management
  capability_group: PR.AA
  capability_id: PR.AA-01.01
  comments: This diagnostic statement protects against Steal or Forge Authentication
    Certificates through the use of hardened access control policies, secure defaults,
    password complexity requirements, multifactor authentication requirements, and
    removal of terminated accounts.
  mapping_type: mitigates
  references: []
- attack_object_id: T1654
  attack_object_name: Log Enumeration
  capability_description: Identity and credential management
  capability_group: PR.AA
  capability_id: PR.AA-01.01
  comments: This diagnostic statement protects against Log Enumeration through the
    use of hardened access control policies, secure defaults, password complexity
    requirements, multifactor authentication requirements, and removal of terminated
    accounts.
  mapping_type: mitigates
  references: []
- attack_object_id: T1657
  attack_object_name: Financial Theft
  capability_description: Identity and credential management
  capability_group: PR.AA
  capability_id: PR.AA-01.01
  comments: This diagnostic statement protects against Financial Theft through the
    use of hardened access control policies, secure defaults, password complexity
    requirements, multifactor authentication requirements, and removal of terminated
    accounts.
  mapping_type: mitigates
  references: []
- attack_object_id: T1666
  attack_object_name: Modify Cloud Resource Hierarchy
  capability_description: Identity and credential management
  capability_group: PR.AA
  capability_id: PR.AA-01.01
  comments: This diagnostic statement protects against Modify Cloud Resource Hierarchy
    through the use of hardened access control policies, secure defaults, password
    complexity requirements, multifactor authentication requirements, and removal
    of terminated accounts.
  mapping_type: mitigates
  references: []
- attack_object_id: T1098.004
  attack_object_name: SSH Authorized Keys
  capability_description: Encryption standards
  capability_group: PR.PS
  capability_id: PR.PS-01.05
  comments: 'This diagnostic statement is associated with employing strong encryption
    methods to mitigate unauthorized access or theft of data that protect the confidentiality
    and integrity of data-at-rest, data-in-use, and data-in-transit. When it comes
    to cryptography and key management standards, for the SSH Authorized Keys technique,
    restricting user and application access to the authorized_keys file can be a mitigating
    factor for adversaries attempting to modify the SSH authorized_keys file to maintain
    persistence on a victim host. Linux distributions and macOS commonly use key-based
    authentication to secure the authentication process of SSH sessions for remote
    management. '
  mapping_type: mitigates
  references: []
- attack_object_id: T1552
  attack_object_name: Unsecured Credentials
  capability_description: Encryption standards
  capability_group: PR.PS
  capability_id: PR.PS-01.05
  comments: 'This diagnostic statement is associated with employing strong encryption
    methods to mitigate unauthorized access or theft of data that protect the confidentiality
    and integrity of data-at-rest, data-in-use, and data-in-transit. When it comes
    to cryptography and key management standards, for the Unsecured Credentials technique,
    best practice dictates that, when possible, keys be stored on separate cryptographic
    hardware instead of on the local system to mitigate theft of credentials stored
    in unsecure locations. '
  mapping_type: mitigates
  references: []
- attack_object_id: T1563.001
  attack_object_name: SSH Hijacking
  capability_description: Encryption standards
  capability_group: PR.PS
  capability_id: PR.PS-01.05
  comments: 'This diagnostic statement is associated with employing strong encryption
    methods to mitigate unauthorized access or theft of data that protect the confidentiality
    and integrity of data-at-rest, data-in-use, and data-in-transit. When it comes
    to cryptography and key management standards, for the SSH Hijacking technique,
    ensure that SSH key pairs have strong passwords and refrain from using key-store
    technologies such as ssh-agent unless they are properly protected. '
  mapping_type: mitigates
  references: []
- attack_object_id: T1552.004
  attack_object_name: Private Keys
  capability_description: Encryption standards
  capability_group: PR.PS
  capability_id: PR.PS-01.05
  comments: This diagnostic statement is associated with employing strong encryption
    methods to mitigate unauthorized access or theft of data that protect the confidentiality
    and integrity of data-at-rest, data-in-use, and data-in-transit. When it comes
    to cryptography and key management standard as it applies to the Private Keys
    technique, when possible, consider storing keys on separate cryptographic hardware
    instead of on the local system. For example, on Windows systems use a TPM to secure
    keys and other sensitive credential material.
  mapping_type: mitigates
  references: []
- attack_object_id: T1558.004
  attack_object_name: AS-REP Roasting
  capability_description: Encryption standards
  capability_group: PR.PS
  capability_id: PR.PS-01.05
  comments: This diagnostic statement is associated with employing strong encryption
    methods to mitigate unauthorized access or theft of data that protect the confidentiality
    and integrity of data-at-rest, data-in-use, and data-in-transit. To address threats
    to the theft or forgery of Kerberos tickets through AS-REP Roasting, enable AES
    Kerberos encryption (or another stronger encryption algorithm), rather than RC4,
    where possible.
  mapping_type: mitigates
  references: []
- attack_object_id: T1558.003
  attack_object_name: Kerberoasting
  capability_description: Encryption standards
  capability_group: PR.PS
  capability_id: PR.PS-01.05
  comments: This diagnostic statement is associated with employing strong encryption
    methods to mitigate unauthorized access or theft of data that protect the confidentiality
    and integrity of data-at-rest, data-in-use, and data-in-transit. To address threats
    to the theft or forgery of Kerberos tickets with Kerberoasting, enable AES Kerberos
    encryption (or another stronger encryption algorithm), rather than RC4, where
    possible.
  mapping_type: mitigates
  references: []
- attack_object_id: T1558.002
  attack_object_name: Silver Ticket
  capability_description: Encryption standards
  capability_group: PR.PS
  capability_id: PR.PS-01.05
  comments: This diagnostic statement is associated with employing strong encryption
    methods to mitigate unauthorized access or theft of data that protect the confidentiality
    and integrity of data-at-rest, data-in-use, and data-in-transit. To address threats
    to the theft or forgery of Kerberos tickets with silver tickets, enable AES Kerberos
    encryption (or another stronger encryption algorithm), rather than RC4, where
    possible.
  mapping_type: mitigates
  references: []
- attack_object_id: T1649
  attack_object_name: Steal or Forge Authentication Certificates
  capability_description: Encryption standards
  capability_group: PR.PS
  capability_id: PR.PS-01.05
  comments: 'This diagnostic statement is associated with employing strong encryption
    methods to mitigate unauthorized access or theft of data that protect the confidentiality
    and integrity of data-at-rest, data-in-use, and data-in-transit. To address threats
    to the theft or forgery of authentication certificates, ensure certificates as
    well as associated private keys are appropriately secured. '
  mapping_type: mitigates
  references: []
- attack_object_id: T1558
  attack_object_name: Steal or Forge Kerberos Tickets
  capability_description: Encryption standards
  capability_group: PR.PS
  capability_id: PR.PS-01.05
  comments: This diagnostic statement is associated with employing strong encryption
    methods to mitigate unauthorized access or theft of data that protect the confidentiality
    and integrity of data-at-rest, data-in-use, and data-in-transit. To address threats
    to the theft or forgery of Kerberos tickets, enable AES Kerberos encryption (or
    another stronger encryption algorithm), rather than RC4, where possible.
  mapping_type: mitigates
  references: []
- attack_object_id: T1040
  attack_object_name: Network Sniffing
  capability_description: Encryption standards
  capability_group: PR.PS
  capability_id: PR.PS-01.05
  comments: This diagnostic statement is associated with employing strong encryption
    methods to mitigate unauthorized access or theft of data that protect the confidentiality
    and integrity of data-at-rest, data-in-use, and data-in-transit. To address threats
    of network sniffing, ensure that all wired and/or wireless traffic is encrypted
    appropriately. Use best practices for authentication protocols, such as Kerberos,
    and ensure web traffic that may contain credentials is protected by SSL/TLS.
  mapping_type: mitigates
  references: []
- attack_object_id: T1070.002
  attack_object_name: Clear Linux or Mac System Logs
  capability_description: Encryption standards
  capability_group: PR.PS
  capability_id: PR.PS-01.05
  comments: This diagnostic statement is associated with employing strong encryption
    methods to mitigate unauthorized access or theft of data that protect the confidentiality
    and integrity of data-at-rest, data-in-use, and data-in-transit. To address threats
    involving the removal of Linux or Mac System Logs, obfuscate/encrypt event files locally
    and in transit to avoid giving feedback to an adversary.
  mapping_type: mitigates
  references: []
- attack_object_id: T1070.001
  attack_object_name: Clear Windows Event Logs
  capability_description: Encryption standards
  capability_group: PR.PS
  capability_id: PR.PS-01.05
  comments: This diagnostic statement is associated with employing strong encryption
    methods to mitigate unauthorized access or theft of data that protect the confidentiality
    and integrity of data-at-rest, data-in-use, and data-in-transit. To address threats
    involving Windows event log removal techniques, obfuscate/encrypt event files locally
    and in transit to avoid giving feedback to an adversary.
  mapping_type: mitigates
  references: []
- attack_object_id: T1070
  attack_object_name: Indicator Removal
  capability_description: Encryption standards
  capability_group: PR.PS
  capability_id: PR.PS-01.05
  comments: This diagnostic statement is associated with employing strong encryption
    methods to mitigate unauthorized access or theft of data that protect the confidentiality
    and integrity of data-at-rest, data-in-use, and data-in-transit. To address threats
    involving indicator removal techniques, obfuscate/encrypt event files locally and in
    transit to avoid giving feedback to an adversary.
  mapping_type: mitigates
  references: []
- attack_object_id: T1114.001
  attack_object_name: Local Email Collection
  capability_description: Encryption standards
  capability_group: PR.PS
  capability_id: PR.PS-01.05
  comments: This diagnostic statement is associated with employing strong encryption
    methods to mitigate unauthorized access or theft of data that protect the confidentiality
    and integrity of data-at-rest, data-in-use, and data-in-transit. To address threats
    to email collection, the use of encryption provides an added layer of security
    to sensitive information sent over email. Encryption using public key cryptography
    requires the adversary to obtain the private certificate along with an encryption
    key to decrypt messages. File encryption should be enforced across email communications
    containing sensitive information that may be obtained through access to email
    services.
  mapping_type: mitigates
  references: []
- attack_object_id: T1114.002
  attack_object_name: Remote Email Collection
  capability_description: Encryption standards
  capability_group: PR.PS
  capability_id: PR.PS-01.05
  comments: This diagnostic statement is associated with employing strong encryption
    methods to mitigate unauthorized access or theft of data that protect the confidentiality
    and integrity of data-at-rest, data-in-use, and data-in-transit. To address threats
    to email collection, the use of encryption provides an added layer of security
    to sensitive information sent over email. Encryption using public key cryptography
    requires the adversary to obtain the private certificate along with an encryption
    key to decrypt messages. File encryption should be enforced across email communications
    containing sensitive information that may be obtained through access to email
    services.
  mapping_type: mitigates
  references: []
- attack_object_id: T1114
  attack_object_name: Email Collection
  capability_description: Encryption standards
  capability_group: PR.PS
  capability_id: PR.PS-01.05
  comments: This diagnostic statement is associated with employing strong encryption
    methods to mitigate unauthorized access or theft of data that protect the confidentiality
    and integrity of data-at-rest, data-in-use, and data-in-transit. To address threats
    to email collection, the use of encryption provides an added layer of security
    to sensitive information sent over email. Encryption using public key cryptography
    requires the adversary to obtain the private certificate along with an encryption
    key to decrypt messages.
  mapping_type: mitigates
  references: []
- attack_object_id: T1565.002
  attack_object_name: Transmitted Data Manipulation
  capability_description: Encryption standards
  capability_group: PR.PS
  capability_id: PR.PS-01.05
  comments: 'This diagnostic statement is associated with employing strong encryption
    methods to mitigate unauthorized access or theft of data that protect the confidentiality
    and integrity of data-at-rest, data-in-use, and data-in-transit. To address threats
    to transmitted data manipulation, encrypt all important data flows to reduce the
    impact of tailored modifications on data in transit. '
  mapping_type: mitigates
  references: []
- attack_object_id: T1565.001
  attack_object_name: Stored Data Manipulation
  capability_description: Encryption standards
  capability_group: PR.PS
  capability_id: PR.PS-01.05
  comments: "This diagnostic statement is associated with employing strong encryption\
    \ methods to mitigate unauthorized access or theft of data that protect the confidentiality\
    \ and integrity of data-at-rest, data-in-use, and data-in-transit. To address\
    \ threats to stored data manipulation, consider encrypting important information\
    \ to reduce an adversary\u2019s ability to perform tailored data modifications."
  mapping_type: mitigates
  references: []
- attack_object_id: T1565
  attack_object_name: Data Manipulation
  capability_description: Encryption standards
  capability_group: PR.PS
  capability_id: PR.PS-01.05
  comments: "This diagnostic statement is associated with employing strong encryption\
    \ methods to mitigate unauthorized access or theft of data that protect the confidentiality\
    \ and integrity of data-at-rest, data-in-use, and data-in-transit. To address\
    \ threats to data manipulation, consider encrypting important information to reduce\
    \ an adversary\u2019s ability to perform tailored data modifications."
  mapping_type: mitigates
  references: []
- attack_object_id: T1213
  attack_object_name: Data from Information Repositories
  capability_description: Encryption standards
  capability_group: PR.PS
  capability_id: PR.PS-01.05
  comments: This diagnostic statement is associated with employing strong encryption
    methods to mitigate unauthorized access or theft of data that protect the confidentiality
    and integrity of data-at-rest, data-in-use, and data-in-transit. To address threats
    to data from information repositories, encrypt data stored at rest in databases.
  mapping_type: mitigates
  references: []
- attack_object_id: T1602.002
  attack_object_name: Network Device Configuration Dump
  capability_description: Encryption standards
  capability_group: PR.PS
  capability_id: PR.PS-01.05
  comments: 'This diagnostic statement is associated with employing strong encryption
    methods to mitigate unauthorized access or theft of data that protect the confidentiality
    and integrity of data-at-rest, data-in-use, and data-in-transit. To address threats
    of Network Device Configuration Dump, configure SNMPv3 to use the highest level
    of security (authPriv) available. '
  mapping_type: mitigates
  references: []
- attack_object_id: T1602.001
  attack_object_name: SNMP (MIB Dump)
  capability_description: Encryption standards
  capability_group: PR.PS
  capability_id: PR.PS-01.05
  comments: 'This diagnostic statement is associated with employing strong encryption
    methods to mitigate unauthorized access or theft of data that protect the confidentiality
    and integrity of data-at-rest, data-in-use, and data-in-transit. To address threats
    of SNMP (MIB Dump), configure SNMPv3 to use the highest level of security (authPriv)
    available. '
  mapping_type: mitigates
  references: []
- attack_object_id: T1602
  attack_object_name: Data from Configuration Repository
  capability_description: Encryption standards
  capability_group: PR.PS
  capability_id: PR.PS-01.05
  comments: 'This diagnostic statement is associated with employing strong encryption
    methods to mitigate unauthorized access or theft of data that protect the confidentiality
    and integrity of data-at-rest, data-in-use, and data-in-transit. To address threats
    of data collection from configuration repository, configure SNMPv3 to use the
    highest level of security (authPriv) available. '
  mapping_type: mitigates
  references: []
- attack_object_id: T1530
  attack_object_name: Data from Cloud Storage
  capability_description: Encryption standards
  capability_group: PR.PS
  capability_id: PR.PS-01.05
  comments: This diagnostic statement is associated with employing strong encryption
    methods to mitigate unauthorized access or theft of data that protect the confidentiality
    and integrity of data-at-rest, data-in-use, and data-in-transit. To address data
    collection from cloud storage, encrypt data stored at rest in cloud storage. Managed
    encryption keys can be rotated by most providers. At a minimum, ensure that the incident
    response plan for a storage breach includes rotating the keys and testing for impact
    on client applications.
  mapping_type: mitigates
  references: []
- attack_object_id: T1659
  attack_object_name: Content Injection
  capability_description: Encryption standards
  capability_group: PR.PS
  capability_id: PR.PS-01.05
  comments: This diagnostic statement is associated with employing strong encryption
    methods to mitigate unauthorized access or theft of data that protect the confidentiality
    and integrity of data-at-rest, data-in-use, and data-in-transit. To address Content
    Injection threats, ensure that all wired and wireless traffic is encrypted appropriately,
    employs best practices for authentication protocols such as Kerberos, and protects
    web traffic containing credentials using SSL/TLS.
  mapping_type: mitigates
  references: []
- attack_object_id: T1020.001
  attack_object_name: Traffic Duplication
  capability_description: Encryption standards
  capability_group: PR.PS
  capability_id: PR.PS-01.05
  comments: 'This diagnostic statement is associated with employing strong encryption
    methods to mitigate unauthorized access or theft of data that protect the confidentiality
    and integrity of data-at-rest, data-in-use, and data-in-transit. To address Automated
    Exfiltration: Traffic Duplication threats, ensure that all wired and wireless
    traffic is encrypted appropriately, employs best practices for authentication
    protocols such as Kerberos, and protects web traffic containing credentials using
    SSL/TLS.'
  mapping_type: mitigates
  references: []
- attack_object_id: T1557.002
  attack_object_name: ARP Cache Poisoning
  capability_description: Encryption standards
  capability_group: PR.PS
  capability_id: PR.PS-01.05
  comments: This diagnostic statement is associated with employing strong encryption
    methods to mitigate unauthorized access or theft of data that protect the confidentiality
    and integrity of data-at-rest, data-in-use, and data-in-transit. To address ARP
    Cache Poisoning, ensure that all wired and wireless traffic is encrypted appropriately,
    employs best practices for authentication protocols such as Kerberos, and protects
    web traffic containing credentials using SSL/TLS.
  mapping_type: mitigates
  references: []
- attack_object_id: T1557
  attack_object_name: Adversary-in-the-Middle
  capability_description: Encryption standards
  capability_group: PR.PS
  capability_id: PR.PS-01.05
  comments: This diagnostic statement is associated with employing strong encryption
    methods to mitigate unauthorized access or theft of data that protect the confidentiality
    and integrity of data-at-rest, data-in-use, and data-in-transit. To address adversary-in-the-middle
    threats, the organization ensures that all wired and wireless traffic is encrypted
    appropriately, employs best practices for authentication protocols such as Kerberos,
    and protects web traffic containing credentials using SSL/TLS.
  mapping_type: mitigates
  references: []
- attack_object_id: T1021
  attack_object_name: Remote Services
  capability_description: End-user device protection
  capability_group: PR.PS
  capability_id: PR.PS-01.08
  comments: This diagnostic statement protects against Remote Services through the
    use of limiting access to resources to only authorized devices, management of
    personal computing devices, network intrusion prevention, and the use of antimalware.
  mapping_type: mitigates
  references: []
- attack_object_id: T1021.001
  attack_object_name: Remote Desktop Protocol
  capability_description: End-user device protection
  capability_group: PR.PS
  capability_id: PR.PS-01.08
  comments: This diagnostic statement protects against Remote Desktop Protocol through
    the use of limiting access to resources to only authorized devices, management
    of personal computing devices, network intrusion prevention, and the use of antimalware.
  mapping_type: mitigates
  references: []
- attack_object_id: T1021.002
  attack_object_name: SMB/Windows Admin Shares
  capability_description: End-user device protection
  capability_group: PR.PS
  capability_id: PR.PS-01.08
  comments: This diagnostic statement protects against SMB/Windows Admin Shares through
    the use of limiting access to resources to only authorized devices, management
    of personal computing devices, network intrusion prevention, and the use of antimalware.
  mapping_type: mitigates
  references: []
- attack_object_id: T1021.005
  attack_object_name: VNC
  capability_description: End-user device protection
  capability_group: PR.PS
  capability_id: PR.PS-01.08
  comments: This diagnostic statement protects against VNC through the use of limiting
    access to resources to only authorized devices, management of personal computing
    devices, network intrusion prevention, and the use of antimalware.
  mapping_type: mitigates
  references: []
- attack_object_id: T1027
  attack_object_name: Obfuscated Files or Information
  capability_description: End-user device protection
  capability_group: PR.PS
  capability_id: PR.PS-01.08
  comments: This diagnostic statement protects against Obfuscated Files or Information
    through the use of limiting access to resources to only authorized devices, management
    of personal computing devices, network intrusion prevention, and the use of antimalware.
  mapping_type: mitigates
  references: []
- attack_object_id: T1027.002
  attack_object_name: Software Packing
  capability_description: End-user device protection
  capability_group: PR.PS
  capability_id: PR.PS-01.08
  comments: This diagnostic statement protects against Software Packing through the
    use of limiting access to resources to only authorized devices, management of
    personal computing devices, network intrusion prevention, and the use of antimalware.
  mapping_type: mitigates
  references: []
- attack_object_id: T1027.009
  attack_object_name: Embedded Payloads
  capability_description: End-user device protection
  capability_group: PR.PS
  capability_id: PR.PS-01.08
  comments: This diagnostic statement protects against Embedded Payloads through the
    use of limiting access to resources to only authorized devices, management of
    personal computing devices, network intrusion prevention, and the use of antimalware.
  mapping_type: mitigates
  references: []
- attack_object_id: T1027.010
  attack_object_name: Command Obfuscation
  capability_description: End-user device protection
  capability_group: PR.PS
  capability_id: PR.PS-01.08
  comments: This diagnostic statement protects against Command Obfuscation through
    the use of limiting access to resources to only authorized devices, management
    of personal computing devices, network intrusion prevention, and the use of antimalware.
  mapping_type: mitigates
  references: []
- attack_object_id: T1027.012
  attack_object_name: LNK Icon Smuggling
  capability_description: End-user device protection
  capability_group: PR.PS
  capability_id: PR.PS-01.08
  comments: This diagnostic statement protects against LNK Icon Smuggling through
    the use of limiting access to resources to only authorized devices, management
    of personal computing devices, network intrusion prevention, and the use of antimalware.
  mapping_type: mitigates
  references: []
- attack_object_id: T1027.013
  attack_object_name: Encrypted/Encoded File
  capability_description: End-user device protection
  capability_group: PR.PS
  capability_id: PR.PS-01.08
  comments: This diagnostic statement protects against Encrypted/Encoded File through
    the use of limiting access to resources to only authorized devices, management
    of personal computing devices, network intrusion prevention, and the use of antimalware.
  mapping_type: mitigates
  references: []
- attack_object_id: T1027.014
  attack_object_name: Polymorphic Code
  capability_description: End-user device protection
  capability_group: PR.PS
  capability_id: PR.PS-01.08
  comments: This diagnostic statement protects against Polymorphic Code through the
    use of limiting access to resources to only authorized devices, management of
    personal computing devices, network intrusion prevention, and the use of antimalware.
  mapping_type: mitigates
  references: []
- attack_object_id: T1036
  attack_object_name: Masquerading
  capability_description: End-user device protection
  capability_group: PR.PS
  capability_id: PR.PS-01.08
  comments: This diagnostic statement protects against Masquerading through the use
    of limiting access to resources to only authorized devices, management of personal
    computing devices, network intrusion prevention, and the use of antimalware.
  mapping_type: mitigates
  references: []
- attack_object_id: T1036.008
  attack_object_name: Masquerade File Type
  capability_description: End-user device protection
  capability_group: PR.PS
  capability_id: PR.PS-01.08
  comments: This diagnostic statement protects against Masquerade File Type through
    the use of limiting access to resources to only authorized devices, management
    of personal computing devices, network intrusion prevention, and the use of antimalware.
  mapping_type: mitigates
  references: []
- attack_object_id: T1048
  attack_object_name: Exfiltration Over Alternative Protocol
  capability_description: End-user device protection
  capability_group: PR.PS
  capability_id: PR.PS-01.08
  comments: This diagnostic statement protects against Exfiltration Over Alternative
    Protocol through the use of limiting access to resources to only authorized devices,
    management of personal computing devices, network intrusion prevention, and the
    use of antimalware.
  mapping_type: mitigates
  references: []
- attack_object_id: T1048.001
  attack_object_name: Exfiltration Over Symmetric Encrypted Non-C2 Protocol
  capability_description: End-user device protection
  capability_group: PR.PS
  capability_id: PR.PS-01.08
  comments: This diagnostic statement protects against Exfiltration Over Symmetric
    Encrypted Non-C2 Protocol through the use of limiting access to resources to only
    authorized devices, management of personal computing devices, network intrusion
    prevention, and the use of antimalware.
  mapping_type: mitigates
  references: []
- attack_object_id: T1048.002
  attack_object_name: Exfiltration Over Asymmetric Encrypted Non-C2 Protocol
  capability_description: End-user device protection
  capability_group: PR.PS
  capability_id: PR.PS-01.08
  comments: This diagnostic statement protects against Exfiltration Over Asymmetric
    Encrypted Non-C2 Protocol through the use of limiting access to resources to only
    authorized devices, management of personal computing devices, network intrusion
    prevention, and the use of antimalware.
  mapping_type: mitigates
  references: []
- attack_object_id: T1048.003
  attack_object_name: Exfiltration Over Unencrypted Non-C2 Protocol
  capability_description: End-user device protection
  capability_group: PR.PS
  capability_id: PR.PS-01.08
  comments: This diagnostic statement protects against Exfiltration Over Unencrypted
    Non-C2 Protocol through the use of limiting access to resources to only authorized
    devices, management of personal computing devices, network intrusion prevention,
    and the use of antimalware.
  mapping_type: mitigates
  references: []
- attack_object_id: T1052
  attack_object_name: Exfiltration Over Physical Medium
  capability_description: End-user device protection
  capability_group: PR.PS
  capability_id: PR.PS-01.08
  comments: This diagnostic statement protects against Exfiltration Over Physical
    Medium through the use of limiting access to resources to only authorized devices,
    management of personal computing devices, network intrusion prevention, and the
    use of antimalware.
  mapping_type: mitigates
  references: []
- attack_object_id: T1052.001
  attack_object_name: Exfiltration over USB
  capability_description: End-user device protection
  capability_group: PR.PS
  capability_id: PR.PS-01.08
  comments: This diagnostic statement protects against Exfiltration over USB by restricting
    resource access to authorized devices, managing personal computing devices,
    applying network intrusion prevention, and using antimalware.
  mapping_type: mitigates
  references: []
- attack_object_id: T1059
  attack_object_name: Command and Scripting Interpreter
  capability_description: End-user device protection
  capability_group: PR.PS
  capability_id: PR.PS-01.08
  comments: This diagnostic statement protects against Command and Scripting Interpreter
    by restricting resource access to authorized devices, managing personal computing
    devices, applying network intrusion prevention, and using antimalware.
  mapping_type: mitigates
  references: []
- attack_object_id: T1059.001
  attack_object_name: PowerShell
  capability_description: End-user device protection
  capability_group: PR.PS
  capability_id: PR.PS-01.08
  comments: This diagnostic statement protects against PowerShell by restricting
    resource access to authorized devices, managing personal computing devices,
    applying network intrusion prevention, and using antimalware.
  mapping_type: mitigates
  references: []
- attack_object_id: T1059.005
  attack_object_name: Visual Basic
  capability_description: End-user device protection
  capability_group: PR.PS
  capability_id: PR.PS-01.08
  comments: This diagnostic statement protects against Visual Basic by restricting
    resource access to authorized devices, managing personal computing devices,
    applying network intrusion prevention, and using antimalware.
  mapping_type: mitigates
  references: []
- attack_object_id: T1059.006
  attack_object_name: Python
  capability_description: End-user device protection
  capability_group: PR.PS
  capability_id: PR.PS-01.08
  comments: This diagnostic statement protects against Python by restricting
    resource access to authorized devices, managing personal computing devices,
    applying network intrusion prevention, and using antimalware.
  mapping_type: mitigates
  references: []
- attack_object_id: T1071
  attack_object_name: Application Layer Protocol
  capability_description: End-user device protection
  capability_group: PR.PS
  capability_id: PR.PS-01.08
  comments: This diagnostic statement protects against Application Layer Protocol
    by restricting resource access to authorized devices, managing personal computing
    devices, applying network intrusion prevention, and using antimalware.
  mapping_type: mitigates
  references: []
- attack_object_id: T1071.004
  attack_object_name: DNS
  capability_description: End-user device protection
  capability_group: PR.PS
  capability_id: PR.PS-01.08
  comments: This diagnostic statement protects against DNS by restricting
    resource access to authorized devices, managing personal computing devices,
    applying network intrusion prevention, and using antimalware.
  mapping_type: mitigates
  references: []
- attack_object_id: T1071.005
  attack_object_name: Publish/Subscribe Protocols
  capability_description: End-user device protection
  capability_group: PR.PS
  capability_id: PR.PS-01.08
  comments: This diagnostic statement protects against Publish/Subscribe Protocols
    by restricting resource access to authorized devices, managing personal computing
    devices, applying network intrusion prevention, and using antimalware.
  mapping_type: mitigates
  references: []
- attack_object_id: T1080
  attack_object_name: Taint Shared Content
  capability_description: End-user device protection
  capability_group: PR.PS
  capability_id: PR.PS-01.08
  comments: This diagnostic statement protects against Taint Shared Content by restricting
    resource access to authorized devices, managing personal computing devices,
    applying network intrusion prevention, and using antimalware.
  mapping_type: mitigates
  references: []
- attack_object_id: T1090
  attack_object_name: Proxy
  capability_description: End-user device protection
  capability_group: PR.PS
  capability_id: PR.PS-01.08
  comments: This diagnostic statement protects against Proxy by restricting
    resource access to authorized devices, managing personal computing devices,
    applying network intrusion prevention, and using antimalware.
  mapping_type: mitigates
  references: []
- attack_object_id: T1090.003
  attack_object_name: Multi-hop Proxy
  capability_description: End-user device protection
  capability_group: PR.PS
  capability_id: PR.PS-01.08
  comments: This diagnostic statement protects against Multi-hop Proxy by restricting
    resource access to authorized devices, managing personal computing devices,
    applying network intrusion prevention, and using antimalware.
  mapping_type: mitigates
  references: []
- attack_object_id: T1091
  attack_object_name: Replication Through Removable Media
  capability_description: End-user device protection
  capability_group: PR.PS
  capability_id: PR.PS-01.08
  comments: This diagnostic statement protects against Replication Through Removable Media
    by restricting resource access to authorized devices, managing personal computing
    devices, applying network intrusion prevention, and using antimalware.
  mapping_type: mitigates
  references: []
- attack_object_id: T1095
  attack_object_name: Non-Application Layer Protocol
  capability_description: End-user device protection
  capability_group: PR.PS
  capability_id: PR.PS-01.08
  comments: This diagnostic statement protects against Non-Application Layer Protocol
    by restricting resource access to authorized devices, managing personal computing
    devices, applying network intrusion prevention, and using antimalware.
  mapping_type: mitigates
  references: []
- attack_object_id: T1133
  attack_object_name: External Remote Services
  capability_description: End-user device protection
  capability_group: PR.PS
  capability_id: PR.PS-01.08
  comments: This diagnostic statement protects against External Remote Services
    by restricting resource access to authorized devices, managing personal computing
    devices, applying network intrusion prevention, and using antimalware.
  mapping_type: mitigates
  references: []
- attack_object_id: T1187
  attack_object_name: Forced Authentication
  capability_description: End-user device protection
  capability_group: PR.PS
  capability_id: PR.PS-01.08
  comments: This diagnostic statement protects against Forced Authentication by restricting
    resource access to authorized devices, managing personal computing devices,
    applying network intrusion prevention, and using antimalware.
  mapping_type: mitigates
  references: []
- attack_object_id: T1190
  attack_object_name: Exploit Public-Facing Application
  capability_description: End-user device protection
  capability_group: PR.PS
  capability_id: PR.PS-01.08
  comments: This diagnostic statement protects against Exploit Public-Facing Application
    by restricting resource access to authorized devices, managing personal computing
    devices, applying network intrusion prevention, and using antimalware.
  mapping_type: mitigates
  references: []
- attack_object_id: T1197
  attack_object_name: BITS Jobs
  capability_description: End-user device protection
  capability_group: PR.PS
  capability_id: PR.PS-01.08
  comments: This diagnostic statement protects against BITS Jobs by restricting
    resource access to authorized devices, managing personal computing devices,
    applying network intrusion prevention, and using antimalware.
  mapping_type: mitigates
  references: []
- attack_object_id: T1200
  attack_object_name: Hardware Additions
  capability_description: End-user device protection
  capability_group: PR.PS
  capability_id: PR.PS-01.08
  comments: This diagnostic statement protects against Hardware Additions by restricting
    resource access to authorized devices, managing personal computing devices,
    applying network intrusion prevention, and using antimalware.
  mapping_type: mitigates
  references: []
- attack_object_id: T1205
  attack_object_name: Traffic Signaling
  capability_description: End-user device protection
  capability_group: PR.PS
  capability_id: PR.PS-01.08
  comments: This diagnostic statement protects against Traffic Signaling by restricting
    resource access to authorized devices, managing personal computing devices,
    applying network intrusion prevention, and using antimalware.
  mapping_type: mitigates
  references: []
- attack_object_id: T1205.001
  attack_object_name: Port Knocking
  capability_description: End-user device protection
  capability_group: PR.PS
  capability_id: PR.PS-01.08
  comments: This diagnostic statement protects against Port Knocking by restricting
    resource access to authorized devices, managing personal computing devices,
    applying network intrusion prevention, and using antimalware.
  mapping_type: mitigates
  references: []
- attack_object_id: T1205.002
  attack_object_name: Socket Filters
  capability_description: End-user device protection
  capability_group: PR.PS
  capability_id: PR.PS-01.08
  comments: This diagnostic statement protects against Socket Filters by restricting
    resource access to authorized devices, managing personal computing devices,
    applying network intrusion prevention, and using antimalware.
  mapping_type: mitigates
  references: []
- attack_object_id: T1218
  attack_object_name: System Binary Proxy Execution
  capability_description: End-user device protection
  capability_group: PR.PS
  capability_id: PR.PS-01.08
  comments: This diagnostic statement protects against System Binary Proxy Execution
    by restricting resource access to authorized devices, managing personal computing
    devices, applying network intrusion prevention, and using antimalware.
  mapping_type: mitigates
  references: []
- attack_object_id: T1218.012
  attack_object_name: Verclsid
  capability_description: End-user device protection
  capability_group: PR.PS
  capability_id: PR.PS-01.08
  comments: This diagnostic statement protects against Verclsid by restricting
    resource access to authorized devices, managing personal computing devices,
    applying network intrusion prevention, and using antimalware.
  mapping_type: mitigates
  references: []
- attack_object_id: T1219
  attack_object_name: Remote Access Software
  capability_description: End-user device protection
  capability_group: PR.PS
  capability_id: PR.PS-01.08
  comments: This diagnostic statement protects against Remote Access Software by restricting
    resource access to authorized devices, managing personal computing devices,
    applying network intrusion prevention, and using antimalware.
  mapping_type: mitigates
  references: []
- attack_object_id: T1221
  attack_object_name: Template Injection
  capability_description: End-user device protection
  capability_group: PR.PS
  capability_id: PR.PS-01.08
  comments: This diagnostic statement protects against Template Injection by restricting
    resource access to authorized devices, managing personal computing devices,
    applying network intrusion prevention, and using antimalware.
  mapping_type: mitigates
  references: []
- attack_object_id: T1498
  attack_object_name: Network Denial of Service
  capability_description: End-user device protection
  capability_group: PR.PS
  capability_id: PR.PS-01.08
  comments: This diagnostic statement protects against Network Denial of Service
    by restricting resource access to authorized devices, managing personal computing
    devices, applying network intrusion prevention, and using antimalware.
  mapping_type: mitigates
  references: []
- attack_object_id: T1498.001
  attack_object_name: Direct Network Flood
  capability_description: End-user device protection
  capability_group: PR.PS
  capability_id: PR.PS-01.08
  comments: This diagnostic statement protects against Direct Network Flood by restricting
    resource access to authorized devices, managing personal computing devices,
    applying network intrusion prevention, and using antimalware.
  mapping_type: mitigates
  references: []
- attack_object_id: T1498.002
  attack_object_name: Reflection Amplification
  capability_description: End-user device protection
  capability_group: PR.PS
  capability_id: PR.PS-01.08
  comments: This diagnostic statement protects against Reflection Amplification
    by restricting resource access to authorized devices, managing personal computing
    devices, applying network intrusion prevention, and using antimalware.
  mapping_type: mitigates
  references: []
- attack_object_id: T1499
  attack_object_name: Endpoint Denial of Service
  capability_description: End-user device protection
  capability_group: PR.PS
  capability_id: PR.PS-01.08
  comments: This diagnostic statement protects against Endpoint Denial of Service
    by restricting resource access to authorized devices, managing personal computing
    devices, applying network intrusion prevention, and using antimalware.
  mapping_type: mitigates
  references: []
- attack_object_id: T1499.001
  attack_object_name: OS Exhaustion Flood
  capability_description: End-user device protection
  capability_group: PR.PS
  capability_id: PR.PS-01.08
  comments: This diagnostic statement protects against OS Exhaustion Flood by restricting
    resource access to authorized devices, managing personal computing devices,
    applying network intrusion prevention, and using antimalware.
  mapping_type: mitigates
  references: []
- attack_object_id: T1499.002
  attack_object_name: Service Exhaustion Flood
  capability_description: End-user device protection
  capability_group: PR.PS
  capability_id: PR.PS-01.08
  comments: This diagnostic statement protects against Service Exhaustion Flood
    by restricting resource access to authorized devices, managing personal computing
    devices, applying network intrusion prevention, and using antimalware.
  mapping_type: mitigates
  references: []
- attack_object_id: T1499.003
  attack_object_name: Application Exhaustion Flood
  capability_description: End-user device protection
  capability_group: PR.PS
  capability_id: PR.PS-01.08
  comments: This diagnostic statement protects against Application Exhaustion Flood
    by restricting resource access to authorized devices, managing personal computing
    devices, applying network intrusion prevention, and using antimalware.
  mapping_type: mitigates
  references: []
- attack_object_id: T1499.004
  attack_object_name: Application or System Exploitation
  capability_description: End-user device protection
  capability_group: PR.PS
  capability_id: PR.PS-01.08
  comments: This diagnostic statement protects against Application or System Exploitation
    by restricting resource access to authorized devices, managing personal computing
    devices, applying network intrusion prevention, and using antimalware.
  mapping_type: mitigates
  references: []
- attack_object_id: T1530
  attack_object_name: Data from Cloud Storage
  capability_description: End-user device protection
  capability_group: PR.PS
  capability_id: PR.PS-01.08
  comments: This diagnostic statement protects against Data from Cloud Storage
    by restricting resource access to authorized devices, managing personal computing
    devices, applying network intrusion prevention, and using antimalware.
  mapping_type: mitigates
  references: []
- attack_object_id: T1537
  attack_object_name: Transfer Data to Cloud Account
  capability_description: End-user device protection
  capability_group: PR.PS
  capability_id: PR.PS-01.08
  comments: This diagnostic statement protects against Transfer Data to Cloud Account
    by restricting resource access to authorized devices, managing personal computing
    devices, applying network intrusion prevention, and using antimalware.
  mapping_type: mitigates
  references: []
- attack_object_id: T1542
  attack_object_name: Pre-OS Boot
  capability_description: End-user device protection
  capability_group: PR.PS
  capability_id: PR.PS-01.08
  comments: This diagnostic statement protects against Pre-OS Boot by restricting
    resource access to authorized devices, managing personal computing devices,
    applying network intrusion prevention, and using antimalware.
  mapping_type: mitigates
  references: []
- attack_object_id: T1542.005
  attack_object_name: TFTP Boot
  capability_description: End-user device protection
  capability_group: PR.PS
  capability_id: PR.PS-01.08
  comments: This diagnostic statement protects against TFTP Boot by restricting
    resource access to authorized devices, managing personal computing devices,
    applying network intrusion prevention, and using antimalware.
  mapping_type: mitigates
  references: []
- attack_object_id: T1546
  attack_object_name: Event Triggered Execution
  capability_description: End-user device protection
  capability_group: PR.PS
  capability_id: PR.PS-01.08
  comments: This diagnostic statement protects against Event Triggered Execution
    by restricting resource access to authorized devices, managing personal computing
    devices, applying network intrusion prevention, and using antimalware.
  mapping_type: mitigates
  references: []
- attack_object_id: T1546.008
  attack_object_name: Accessibility Features
  capability_description: End-user device protection
  capability_group: PR.PS
  capability_id: PR.PS-01.08
  comments: This diagnostic statement protects against Accessibility Features by restricting
    resource access to authorized devices, managing personal computing devices,
    applying network intrusion prevention, and using antimalware.
  mapping_type: mitigates
  references: []
- attack_object_id: T1547
  attack_object_name: Boot or Logon Autostart Execution
  capability_description: End-user device protection
  capability_group: PR.PS
  capability_id: PR.PS-01.08
  comments: This diagnostic statement protects against Boot or Logon Autostart Execution
    by restricting resource access to authorized devices, managing personal computing
    devices, applying network intrusion prevention, and using antimalware.
  mapping_type: mitigates
  references: []
- attack_object_id: T1547.006
  attack_object_name: Kernel Modules and Extensions
  capability_description: End-user device protection
  capability_group: PR.PS
  capability_id: PR.PS-01.08
  comments: This diagnostic statement protects against Kernel Modules and Extensions
    by restricting resource access to authorized devices, managing personal computing
    devices, applying network intrusion prevention, and using antimalware.
  mapping_type: mitigates
  references: []
- attack_object_id: T1552
  attack_object_name: Unsecured Credentials
  capability_description: End-user device protection
  capability_group: PR.PS
  capability_id: PR.PS-01.08
  comments: This diagnostic statement protects against Unsecured Credentials by restricting
    resource access to authorized devices, managing personal computing devices,
    applying network intrusion prevention, and using antimalware.
  mapping_type: mitigates
  references: []
- attack_object_id: T1552.005
  attack_object_name: Cloud Instance Metadata API
  capability_description: End-user device protection
  capability_group: PR.PS
  capability_id: PR.PS-01.08
  comments: This diagnostic statement protects against Cloud Instance Metadata API
    by restricting resource access to authorized devices, managing personal computing
    devices, applying network intrusion prevention, and using antimalware.
  mapping_type: mitigates
  references: []
- attack_object_id: T1552.007
  attack_object_name: Container API
  capability_description: End-user device protection
  capability_group: PR.PS
  capability_id: PR.PS-01.08
  comments: This diagnostic statement protects against Container API by restricting
    resource access to authorized devices, managing personal computing devices,
    applying network intrusion prevention, and using antimalware.
  mapping_type: mitigates
  references: []
- attack_object_id: T1557
  attack_object_name: Adversary-in-the-Middle
  capability_description: End-user device protection
  capability_group: PR.PS
  capability_id: PR.PS-01.08
  comments: This diagnostic statement protects against Adversary-in-the-Middle
    by restricting resource access to authorized devices, managing personal computing
    devices, applying network intrusion prevention, and using antimalware.
  mapping_type: mitigates
  references: []
- attack_object_id: T1557.001
  attack_object_name: LLMNR/NBT-NS Poisoning and SMB Relay
  capability_description: End-user device protection
  capability_group: PR.PS
  capability_id: PR.PS-01.08
  comments: This diagnostic statement protects against LLMNR/NBT-NS Poisoning and SMB Relay
    by restricting resource access to authorized devices, managing personal computing
    devices, applying network intrusion prevention, and using antimalware.
  mapping_type: mitigates
  references: []
- attack_object_id: T1557.002
  attack_object_name: ARP Cache Poisoning
  capability_description: End-user device protection
  capability_group: PR.PS
  capability_id: PR.PS-01.08
  comments: This diagnostic statement protects against ARP Cache Poisoning by restricting
    resource access to authorized devices, managing personal computing devices,
    applying network intrusion prevention, and using antimalware.
  mapping_type: mitigates
  references: []
- attack_object_id: T1557.003
  attack_object_name: DHCP Spoofing
  capability_description: End-user device protection
  capability_group: PR.PS
  capability_id: PR.PS-01.08
  comments: This diagnostic statement protects against DHCP Spoofing by restricting
    resource access to authorized devices, managing personal computing devices,
    applying network intrusion prevention, and using antimalware.
  mapping_type: mitigates
  references: []
- attack_object_id: T1563
  attack_object_name: Remote Service Session Hijacking
  capability_description: End-user device protection
  capability_group: PR.PS
  capability_id: PR.PS-01.08
  comments: This diagnostic statement protects against Remote Service Session Hijacking
    by restricting resource access to authorized devices, managing personal computing
    devices, applying network intrusion prevention, and using antimalware.
  mapping_type: mitigates
  references: []
- attack_object_id: T1563.002
  attack_object_name: RDP Hijacking
  capability_description: End-user device protection
  capability_group: PR.PS
  capability_id: PR.PS-01.08
  comments: This diagnostic statement protects against RDP Hijacking by restricting
    resource access to authorized devices, managing personal computing devices,
    applying network intrusion prevention, and using antimalware.
  mapping_type: mitigates
  references: []
- attack_object_id: T1564
  attack_object_name: Hide Artifacts
  capability_description: End-user device protection
  capability_group: PR.PS
  capability_id: PR.PS-01.08
  comments: This diagnostic statement protects against Hide Artifacts by restricting
    resource access to authorized devices, managing personal computing devices,
    applying network intrusion prevention, and using antimalware.
  mapping_type: mitigates
  references: []
- attack_object_id: T1564.012
  attack_object_name: File/Path Exclusions
  capability_description: End-user device protection
  capability_group: PR.PS
  capability_id: PR.PS-01.08
  comments: This diagnostic statement protects against File/Path Exclusions by restricting
    resource access to authorized devices, managing personal computing devices,
    applying network intrusion prevention, and using antimalware.
  mapping_type: mitigates
  references: []
- attack_object_id: T1566.001
  attack_object_name: Spearphishing Attachment
  capability_description: End-user device protection
  capability_group: PR.PS
  capability_id: PR.PS-01.08
  comments: This diagnostic statement protects against Spearphishing Attachment
    by restricting resource access to authorized devices, managing personal computing
    devices, applying network intrusion prevention, and using antimalware.
  mapping_type: mitigates
  references: []
- attack_object_id: T1566.003
  attack_object_name: Spearphishing via Service
  capability_description: End-user device protection
  capability_group: PR.PS
  capability_id: PR.PS-01.08
  comments: This diagnostic statement protects against Spearphishing via Service
    by restricting resource access to authorized devices, managing personal computing
    devices, applying network intrusion prevention, and using antimalware.
  mapping_type: mitigates
  references: []
- attack_object_id: T1570
  attack_object_name: Lateral Tool Transfer
  capability_description: End-user device protection
  capability_group: PR.PS
  capability_id: PR.PS-01.08
  comments: This diagnostic statement protects against Lateral Tool Transfer by restricting
    resource access to authorized devices, managing personal computing devices,
    applying network intrusion prevention, and using antimalware.
  mapping_type: mitigates
  references: []
- attack_object_id: T1572
  attack_object_name: Protocol Tunneling
  capability_description: End-user device protection
  capability_group: PR.PS
  capability_id: PR.PS-01.08
  comments: This diagnostic statement protects against Protocol Tunneling by restricting
    resource access to authorized devices, managing personal computing devices,
    applying network intrusion prevention, and using antimalware.
  mapping_type: mitigates
  references: []
- attack_object_id: T1599
  attack_object_name: Network Boundary Bridging
  capability_description: End-user device protection
  capability_group: PR.PS
  capability_id: PR.PS-01.08
  comments: This diagnostic statement protects against Network Boundary Bridging
    by restricting resource access to authorized devices, managing personal computing
    devices, applying network intrusion prevention, and using antimalware.
  mapping_type: mitigates
  references: []
- attack_object_id: T1599.001
  attack_object_name: Network Address Translation Traversal
  capability_description: End-user device protection
  capability_group: PR.PS
  capability_id: PR.PS-01.08
  comments: This diagnostic statement protects against Network Address Translation
    Traversal by restricting resource access to authorized devices, managing personal
    computing devices, applying network intrusion prevention, and using antimalware.
  mapping_type: mitigates
  references: []
- attack_object_id: T1602
  attack_object_name: Data from Configuration Repository
  capability_description: End-user device protection
  capability_group: PR.PS
  capability_id: PR.PS-01.08
  comments: This diagnostic statement protects against Data from Configuration Repository
    by restricting resource access to authorized devices, managing personal computing
    devices, applying network intrusion prevention, and using antimalware.
  mapping_type: mitigates
  references: []
- attack_object_id: T1602.001
  attack_object_name: SNMP (MIB Dump)
  capability_description: End-user device protection
  capability_group: PR.PS
  capability_id: PR.PS-01.08
  comments: This diagnostic statement protects against SNMP (MIB Dump) by restricting
    resource access to authorized devices, managing personal computing devices,
    applying network intrusion prevention, and using antimalware.
  mapping_type: mitigates
  references: []
- attack_object_id: T1602.002
  attack_object_name: Network Device Configuration Dump
  capability_description: End-user device protection
  capability_group: PR.PS
  capability_id: PR.PS-01.08
  comments: This diagnostic statement protects against Network Device Configuration Dump
    by restricting resource access to authorized devices, managing personal computing
    devices, applying network intrusion prevention, and using antimalware.
  mapping_type: mitigates
  references: []
- attack_object_id: T1609
  attack_object_name: Container Administration Command
  capability_description: End-user device protection
  capability_group: PR.PS
  capability_id: PR.PS-01.08
  comments: This diagnostic statement protects against Container Administration Command
    by restricting resource access to authorized devices, managing personal computing
    devices, applying network intrusion prevention, and using antimalware.
  mapping_type: mitigates
  references: []
- attack_object_id: T1610
  attack_object_name: Deploy Container
  capability_description: End-user device protection
  capability_group: PR.PS
  capability_id: PR.PS-01.08
  comments: This diagnostic statement protects against Deploy Container by restricting
    resource access to authorized devices, managing personal computing devices,
    applying network intrusion prevention, and using antimalware.
  mapping_type: mitigates
  references: []
- attack_object_id: T1612
  attack_object_name: Build Image on Host
  capability_description: End-user device protection
  capability_group: PR.PS
  capability_id: PR.PS-01.08
  comments: This diagnostic statement protects against Build Image on Host by restricting
    resource access to authorized devices, managing personal computing devices,
    applying network intrusion prevention, and using antimalware.
  mapping_type: mitigates
  references: []
- attack_object_id: T1613
  attack_object_name: Container and Resource Discovery
  capability_description: End-user device protection
  capability_group: PR.PS
  capability_id: PR.PS-01.08
  comments: This diagnostic statement protects against Container and Resource Discovery
    by restricting resource access to authorized devices, managing personal computing
    devices, applying network intrusion prevention, and using antimalware.
  mapping_type: mitigates
  references: []
# NOTE(review): every PR.PS-06.07 entry below carries the same generic DevSecOps
# rationale and references: []. For techniques whose link to secure development is
# indirect (e.g. T1593 Search Open Websites/Domains, T1078 Valid Accounts), confirm the
# mapping is deliberate rather than a bulk assignment, and state the specific practice
# relied on (e.g. keeping secrets out of public repositories for T1593.003) in comments.
- attack_object_id: T1212
  attack_object_name: Exploitation for Credential Access
  capability_description: Development and operational process alignment
  capability_group: PR.PS
  capability_id: PR.PS-06.07
  comments: This diagnostic statement protects against Exploitation for Credential
    Access through the use of DevSecOps, secure development lifecycle, and application
    developer guidance. Exploitable weaknesses can be mitigated through secure code,
    reduced vulnerabilities, and secure design principles.
  mapping_type: mitigates
  references: []
- attack_object_id: T1564
  attack_object_name: Hide Artifacts
  capability_description: Development and operational process alignment
  capability_group: PR.PS
  capability_id: PR.PS-06.07
  comments: This diagnostic statement protects against Hide Artifacts through the
    use of DevSecOps, secure development lifecycle, and application developer guidance.
    Exploitable weaknesses can be mitigated through secure code, reduced vulnerabilities,
    and secure design principles.
  mapping_type: mitigates
  references: []
- attack_object_id: T1564.009
  attack_object_name: Resource Forking
  capability_description: Development and operational process alignment
  capability_group: PR.PS
  capability_id: PR.PS-06.07
  comments: This diagnostic statement protects against Resource Forking through the
    use of DevSecOps, secure development lifecycle, and application developer guidance.
    Exploitable weaknesses can be mitigated through secure code, reduced vulnerabilities,
    and secure design principles.
  mapping_type: mitigates
  references: []
- attack_object_id: T1564.012
  attack_object_name: File/Path Exclusions
  capability_description: Development and operational process alignment
  capability_group: PR.PS
  capability_id: PR.PS-06.07
  comments: This diagnostic statement protects against File/Path Exclusions through
    the use of DevSecOps, secure development lifecycle, and application developer
    guidance. Exploitable weaknesses can be mitigated through secure code, reduced
    vulnerabilities, and secure design principles.
  mapping_type: mitigates
  references: []
- attack_object_id: T1574
  attack_object_name: Hijack Execution Flow
  capability_description: Development and operational process alignment
  capability_group: PR.PS
  capability_id: PR.PS-06.07
  comments: This diagnostic statement protects against Hijack Execution Flow through
    the use of DevSecOps, secure development lifecycle, and application developer
    guidance. Exploitable weaknesses can be mitigated through secure code, reduced
    vulnerabilities, and secure design principles.
  mapping_type: mitigates
  references: []
- attack_object_id: T1574.001
  attack_object_name: DLL Search Order Hijacking
  capability_description: Development and operational process alignment
  capability_group: PR.PS
  capability_id: PR.PS-06.07
  comments: This diagnostic statement protects against DLL Search Order Hijacking
    through the use of DevSecOps, secure development lifecycle, and application developer
    guidance. Exploitable weaknesses can be mitigated through secure code, reduced
    vulnerabilities, and secure design principles.
  mapping_type: mitigates
  references: []
- attack_object_id: T1559
  attack_object_name: Inter-Process Communication
  capability_description: Development and operational process alignment
  capability_group: PR.PS
  capability_id: PR.PS-06.07
  comments: This diagnostic statement protects against Inter-Process Communication
    through the use of DevSecOps, secure development lifecycle, and application developer
    guidance. Exploitable weaknesses can be mitigated through secure code, reduced
    vulnerabilities, and secure design principles.
  mapping_type: mitigates
  references: []
- attack_object_id: T1559.003
  attack_object_name: XPC Services
  capability_description: Development and operational process alignment
  capability_group: PR.PS
  capability_id: PR.PS-06.07
  comments: This diagnostic statement protects against XPC Services through the use
    of DevSecOps, secure development lifecycle, and application developer guidance.
    Exploitable weaknesses can be mitigated through secure code, reduced vulnerabilities,
    and secure design principles.
  mapping_type: mitigates
  references: []
- attack_object_id: T1647
  attack_object_name: Plist File Modification
  capability_description: Development and operational process alignment
  capability_group: PR.PS
  capability_id: PR.PS-06.07
  comments: This diagnostic statement protects against Plist File Modification through
    the use of DevSecOps, secure development lifecycle, and application developer
    guidance. Exploitable weaknesses can be mitigated through secure code, reduced
    vulnerabilities, and secure design principles.
  mapping_type: mitigates
  references: []
- attack_object_id: T1496
  attack_object_name: Resource Hijacking
  capability_description: Development and operational process alignment
  capability_group: PR.PS
  capability_id: PR.PS-06.07
  comments: This diagnostic statement protects against Resource Hijacking through
    the use of DevSecOps, secure development lifecycle, and application developer
    guidance. Exploitable weaknesses can be mitigated through secure code, reduced
    vulnerabilities, and secure design principles.
  mapping_type: mitigates
  references: []
- attack_object_id: T1496.003
  attack_object_name: SMS Pumping
  capability_description: Development and operational process alignment
  capability_group: PR.PS
  capability_id: PR.PS-06.07
  comments: This diagnostic statement protects against SMS Pumping through the use
    of DevSecOps, secure development lifecycle, and application developer guidance.
    Exploitable weaknesses can be mitigated through secure code, reduced vulnerabilities,
    and secure design principles.
  mapping_type: mitigates
  references: []
- attack_object_id: T1593
  attack_object_name: Search Open Websites/Domains
  capability_description: Development and operational process alignment
  capability_group: PR.PS
  capability_id: PR.PS-06.07
  comments: This diagnostic statement protects against Search Open Websites/Domains
    through the use of DevSecOps, secure development lifecycle, and application developer
    guidance. Exploitable weaknesses can be mitigated through secure code, reduced
    vulnerabilities, and secure design principles.
  mapping_type: mitigates
  references: []
- attack_object_id: T1593.003
  attack_object_name: Code Repositories
  capability_description: Development and operational process alignment
  capability_group: PR.PS
  capability_id: PR.PS-06.07
  comments: This diagnostic statement protects against Code Repositories through the
    use of DevSecOps, secure development lifecycle, and application developer guidance.
    Exploitable weaknesses can be mitigated through secure code, reduced vulnerabilities,
    and secure design principles.
  mapping_type: mitigates
  references: []
- attack_object_id: T1195
  attack_object_name: Supply Chain Compromise
  capability_description: Development and operational process alignment
  capability_group: PR.PS
  capability_id: PR.PS-06.07
  comments: This diagnostic statement protects against Supply Chain Compromise through
    the use of DevSecOps, secure development lifecycle, and application developer
    guidance. Exploitable weaknesses can be mitigated through secure code, reduced
    vulnerabilities, and secure design principles.
  mapping_type: mitigates
  references: []
- attack_object_id: T1195.001
  attack_object_name: Compromise Software Dependencies and Development Tools
  capability_description: Development and operational process alignment
  capability_group: PR.PS
  capability_id: PR.PS-06.07
  comments: This diagnostic statement protects against Compromise Software Dependencies
    and Development Tools through the use of DevSecOps, secure development lifecycle,
    and application developer guidance. Exploitable weaknesses can be mitigated through
    secure code, reduced vulnerabilities, and secure design principles.
  mapping_type: mitigates
  references: []
- attack_object_id: T1550
  attack_object_name: Use Alternate Authentication Material
  capability_description: Development and operational process alignment
  capability_group: PR.PS
  capability_id: PR.PS-06.07
  comments: This diagnostic statement protects against Use Alternate Authentication
    Material through the use of DevSecOps, secure development lifecycle, and application
    developer guidance. Exploitable weaknesses can be mitigated through secure code,
    reduced vulnerabilities, and secure design principles.
  mapping_type: mitigates
  references: []
- attack_object_id: T1550.001
  attack_object_name: Application Access Token
  capability_description: Development and operational process alignment
  capability_group: PR.PS
  capability_id: PR.PS-06.07
  comments: This diagnostic statement protects against Application Access Token through
    the use of DevSecOps, secure development lifecycle, and application developer
    guidance. Exploitable weaknesses can be mitigated through secure code, reduced
    vulnerabilities, and secure design principles.
  mapping_type: mitigates
  references: []
- attack_object_id: T1078
  attack_object_name: Valid Accounts
  capability_description: Development and operational process alignment
  capability_group: PR.PS
  capability_id: PR.PS-06.07
  comments: This diagnostic statement protects against Valid Accounts through the
    use of DevSecOps, secure development lifecycle, and application developer guidance.
    Exploitable weaknesses can be mitigated through secure code, reduced vulnerabilities,
    and secure design principles.
  mapping_type: mitigates
  references: []
metadata:
  # Quoted on purpose: an unquoted 16.1 loads as a float, which cannot distinguish
  # e.g. "16.1" from "16.10". Keep version fields as strings.
  attack_version: '16.1'
  # Provenance is empty (author, contact, organization are all null), so a consumer
  # cannot tell who produced or maintains these mappings. NOTE(review): populate
  # before publishing, if the schema allows.
  author: null
  # Short names for the capability_group values used in mapping_objects.
  capability_groups:
    DE.AE: 'Detect: Adverse Event Analysis'
    DE.CM: 'Detect: Continuous Monitoring'
    EX.DD: 'Extend: Procurement Planning and Due Diligence'
    EX.MM: 'Extend: Monitoring and Managing Suppliers'
    ID.AM: 'Identify: Asset Management'
    ID.IM: 'Identify: Improvement'
    ID.RA: 'Identify: Risk Assessment'
    PR.AA: 'Protect: Identity Management, Authentication, Access Control'
    PR.DS: 'Protect: Data Security'
    PR.IR: 'Protect: Technology Infrastructure Resilience'
    PR.PS: 'Protect: Platform Security'
  contact: null
  # Dates use a locale-dependent MM/DD/YYYY form; 07/11/2025 reads as either July 11
  # or 7 November. Slash-separated dates load as plain strings, so they are safe as
  # written, but if ever converted to ISO 8601 they must be quoted or a YAML parser
  # will turn them into date objects.
  creation_date: 02/24/2025
  last_update: 07/11/2025
  mapping_framework: cri_profile
  mapping_framework_version: v2.1
  # Both mapping types have an empty description; nothing here explains what
  # "mitigates" asserts, so the rationale lives only in per-entry comments.
  mapping_types:
    mitigates:
      description: ''
      name: Mitigates
    non_mappable:
      description: ''
      name: Non-Mappable
  # Empty: last_update is the only signal that distinguishes revisions of this file.
  mapping_version: ''
  organization: null
  technology_domain: enterprise
