{"name": "cri_profile overview", "versions": {"navigator": "4.8.0", "layer": "4.4", "attack": "16.1"}, "sorting": 3, "description": "cri_profile heatmap overview of cri_profile mappings, scores are the number of associated entries", "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1102.001", "score": 4, "comment": " Related to: \n \u2022DE.AE-02.01\n\u2022DE.CM-01.05\n\u2022DE.CM-01.01\n\u2022PR.IR-01.03", "metadata": [{"divider": true}, {"name": "control", "value": "DE.AE-02.01"}, {"name": "comment", "value": "This diagnostic statement provides for implementation of methods to block similar future attacks via security tools such as antivirus and IDS/IPS to provide protection against threats and exploitation attempts.\r\n"}, {"divider": true}, {"name": "control", "value": "DE.CM-01.01"}, {"name": "comment", "value": "Network intrusion detection and prevention systems that use network signatures to identify traffic for specific adversary malware can be used to mitigate malicious activity and identify adversaries that use web services to obfuscate domains or IP addresses."}, {"divider": true}, {"name": "control", "value": "DE.CM-01.05"}, {"name": "comment", "value": "This diagnostic statement helps mitigate web service techniques through the implementation of tools and measures to detect and block access to unauthorized, inappropriate, or malicious websites and services."}, {"divider": true}, {"name": "control", "value": "PR.IR-01.03"}, {"name": "comment", "value": "This diagnostic statement protects against Dead Drop Resolver through the use of secure network configurations, architecture, implementations of zero trust architecture, and segmentation."}]}, {"techniqueID": "T1102.002", "score": 4, "comment": " Related to: \n \u2022DE.AE-02.01\n\u2022DE.CM-01.05\n\u2022DE.CM-01.01\n\u2022PR.IR-01.03", "metadata": [{"divider": true}, {"name": "control", "value": "DE.AE-02.01"}, {"name": "comment", "value": "This diagnostic statement provides for 
implementation of methods to block similar future attacks via security tools such as antivirus and IDS/IPS to provide protection against threats and exploitation attempts.\r\n"}, {"divider": true}, {"name": "control", "value": "DE.CM-01.01"}, {"name": "comment", "value": "Network intrusion detection and prevention systems that use network signatures to identify traffic for specific adversary malware can be used to mitigate malicious activity and identify adversaries that use web services to obfuscate domains or IP addresses over a web service channel."}, {"divider": true}, {"name": "control", "value": "DE.CM-01.05"}, {"name": "comment", "value": "This diagnostic statement helps mitigate web service techniques through the implementation of tools and measures to detect and block access to unauthorized, inappropriate, or malicious websites and services."}, {"divider": true}, {"name": "control", "value": "PR.IR-01.03"}, {"name": "comment", "value": "This diagnostic statement protects against Bidirectional Communication through the use of secure network configurations, architecture, implementations of zero trust architecture, and segmentation."}]}, {"techniqueID": "T1102.003", "score": 4, "comment": " Related to: \n \u2022DE.AE-02.01\n\u2022DE.CM-01.05\n\u2022DE.CM-01.01\n\u2022PR.IR-01.03", "metadata": [{"divider": true}, {"name": "control", "value": "DE.AE-02.01"}, {"name": "comment", "value": "This diagnostic statement provides for implementation of methods to block similar future attacks via security tools such as antivirus and IDS/IPS to provide protection against threats and exploitation attempts.\r\n"}, {"divider": true}, {"name": "control", "value": "DE.CM-01.01"}, {"name": "comment", "value": "Network intrusion detection and prevention systems that use network signatures to identify traffic for specific adversary malware can be used to mitigate malicious activity and identify adversaries that use web services to obfuscate domains or IP addresses over a 
web service channel."}, {"divider": true}, {"name": "control", "value": "DE.CM-01.05"}, {"name": "comment", "value": "This diagnostic statement helps mitigate web service techniques through the implementation of tools and measures to detect and block access to unauthorized, inappropriate, or malicious websites and services."}, {"divider": true}, {"name": "control", "value": "PR.IR-01.03"}, {"name": "comment", "value": "This diagnostic statement protects against One-Way Communication through the use of secure network configurations, architecture, implementations of zero trust architecture, and segmentation."}]}, {"techniqueID": "T1102", "score": 6, "comment": " Related to: \n \u2022PR.IR-04.01\n\u2022DE.CM-01.03\n\u2022PR.IR-01.03\n\u2022DE.AE-02.01\n\u2022DE.CM-01.01\n\u2022DE.CM-01.05", "metadata": [{"divider": true}, {"name": "control", "value": "DE.AE-02.01"}, {"name": "comment", "value": "This diagnostic statement provides for implementation of methods to block similar future attacks via security tools such as antivirus and IDS/IPS to provide protection against threats and exploitation attempts.\r\n"}, {"divider": true}, {"name": "control", "value": "DE.CM-01.03"}, {"name": "comment", "value": "This diagnostic statement provides protection from Web Service by using tools to detect and block the use of unauthorized devices and connections to prevent abuse by adversaries."}, {"divider": true}, {"name": "control", "value": "DE.CM-01.01"}, {"name": "comment", "value": "Network intrusion detection and prevention systems that use network signatures to identify traffic for specific adversary malware can be used to mitigate malicious activity and identify adversaries that can relay data from compromised systems through websites, cloud services, or social media."}, {"divider": true}, {"name": "control", "value": "DE.CM-01.05"}, {"name": "comment", "value": "This diagnostic statement helps mitigate web service techniques through the implementation of tools and measures 
to detect and block access to unauthorized, inappropriate, or malicious websites and services."}, {"divider": true}, {"name": "control", "value": "PR.IR-04.01"}, {"name": "comment", "value": "This diagnostic statement describes how the organization establishes and manages baseline measures of network activity. Supported by network monitoring tools and other controls to detect events and identify incidents. Mitigating mechanisms may include: Data Loss Prevention (DLP); Filtering Network Traffic; Limit Network Traffic; Network Intrusion Prevention Systems (NIPS); and Network Segmentation for these types of network-based techniques."}, {"divider": true}, {"name": "control", "value": "PR.IR-01.03"}, {"name": "comment", "value": "This diagnostic statement protects against Web Service through the use of secure network configurations, architecture, implementations of zero trust architecture, and segmentation."}]}, {"techniqueID": "T1204.001", "score": 5, "comment": " Related to: \n \u2022PR.IR-01.03\n\u2022DE.CM-01.05\n\u2022DE.AE-02.01\n\u2022PR.PS-05.03\n\u2022DE.CM-01.01", "metadata": [{"divider": true}, {"name": "control", "value": "DE.AE-02.01"}, {"name": "comment", "value": "This diagnostic statement provides for implementation of methods to block similar future attacks via security tools such as antivirus and IDS/IPS to provide protection against threats and exploitation attempts.\r\n"}, {"divider": true}, {"name": "control", "value": "DE.CM-01.05"}, {"name": "comment", "value": "This diagnostic statement protects user execution through the implementation of tools and measures to block unknown or unused files in transit."}, {"divider": true}, {"name": "control", "value": "DE.CM-01.01"}, {"name": "comment", "value": "In order to protect users from being victims of social engineering attacks, network intrusion prevention techniques can be used to scan and block malicious downloads and malicious activity."}, {"divider": true}, {"name": "control", "value": 
"PR.PS-05.03"}, {"name": "comment", "value": "Tools that detect, block, and remove malware provide protection from users deceived into opening malicious documents, clicking on phishing links, or executing downloaded malware."}, {"divider": true}, {"name": "control", "value": "PR.IR-01.03"}, {"name": "comment", "value": "This diagnostic statement protects against Malicious Link through the use of secure network configurations, architecture, implementations of zero trust architecture, and segmentation."}]}, {"techniqueID": "T1204.002", "score": 3, "comment": " Related to: \n \u2022DE.AE-02.01\n\u2022PR.PS-05.03\n\u2022DE.CM-01.05", "metadata": [{"divider": true}, {"name": "control", "value": "DE.AE-02.01"}, {"name": "comment", "value": "This diagnostic statement provides for implementation of methods to block similar future attacks via security tools such as antivirus and IDS/IPS to provide protection against threats and exploitation attempts.\r\n"}, {"divider": true}, {"name": "control", "value": "PR.PS-05.03"}, {"name": "comment", "value": "Tools that detect, block, and remove malware provide protection from users deceived into opening malicious attachments or files that can be found in emails (spearphishing)."}, {"divider": true}, {"name": "control", "value": "DE.CM-01.05"}, {"name": "comment", "value": "This diagnostic statement protects user execution through the implementation of tools and measures to block unknown or unused files in transit."}]}, {"techniqueID": "T1204.003", "score": 6, "comment": " Related to: \n \u2022PR.PS-01.09\n\u2022DE.CM-09.01\n\u2022PR.IR-01.03\n\u2022DE.AE-02.01\n\u2022PR.PS-01.03\n\u2022DE.CM-01.01", "metadata": [{"divider": true}, {"name": "control", "value": "DE.AE-02.01"}, {"name": "comment", "value": "This diagnostic statement provides for implementation of methods to block similar future attacks via security tools such as antivirus and IDS/IPS to provide protection against threats and exploitation attempts.\r\n"}, 
{"divider": true}, {"name": "control", "value": "DE.CM-09.01"}, {"name": "comment", "value": "This diagnostic statement protects against Malicious Image through the use of verifying integrity of software/firmware, loading software that is trusted, ensuring privileged process integrity and checking software signatures."}, {"divider": true}, {"name": "control", "value": "DE.CM-01.01"}, {"name": "comment", "value": "In order to protect users from being victims of social engineering attacks, network intrusion prevention techniques can be used to scan and block malicious images so those images can't lead to malicious code being executed."}, {"divider": true}, {"name": "control", "value": "PR.PS-01.03"}, {"name": "comment", "value": "This diagnostic statement provides protection from User Execution through the implementation of security configuration baselines for OS, software, file integrity monitoring and imaging. Security baselining and integrity checking can help protect against adversaries attempting to execute malicious unsigned code."}, {"divider": true}, {"name": "control", "value": "PR.PS-01.09"}, {"name": "comment", "value": "The diagnostic statement highlights several mitigating controls that organizations can implement to protect endpoint systems using virtualization technologies. Adversaries may rely on a user running a malicious image to facilitate execution. This can lead to the execution of malicious code, such as code that executes cryptocurrency mining, in the virtualized instance or container. 
Mitigating controls such as execution prevention, NIPS, EDRs and behavior prevention on endpoints may provide mitigating mechanisms to prevent the running of executables coming from virtualized machines onto the host or network."}, {"divider": true}, {"name": "control", "value": "PR.IR-01.03"}, {"name": "comment", "value": "This diagnostic statement protects against Malicious Image through the use of secure network configurations, architecture, implementations of zero trust architecture, and segmentation."}]}, {"techniqueID": "T1204", "score": 6, "comment": " Related to: \n \u2022DE.CM-01.01\n\u2022PR.PS-01.09\n\u2022PR.IR-01.03\n\u2022DE.AE-02.01\n\u2022PR.PS-01.03\n\u2022DE.CM-01.05", "metadata": [{"divider": true}, {"name": "control", "value": "DE.AE-02.01"}, {"name": "comment", "value": "This diagnostic statement provides for implementation of methods to block similar future attacks via security tools such as antivirus and IDS/IPS to provide protection against threats and exploitation attempts.\r\n"}, {"divider": true}, {"name": "control", "value": "DE.CM-01.01"}, {"name": "comment", "value": "In order to protect users from being victims of social engineering attacks, network intrusion prevention techniques can be used to scan and block malicious code from malicious downloads and malicious activity."}, {"divider": true}, {"name": "control", "value": "PR.PS-01.03"}, {"name": "comment", "value": "This diagnostic statement provides protection from User Execution through the implementation of security configuration baselines for OS, software, file integrity monitoring and imaging. 
Security baselining and integrity checking can help protect against adversaries attempting to execute malicious unsigned code."}, {"divider": true}, {"name": "control", "value": "DE.CM-01.05"}, {"name": "comment", "value": "This diagnostic statement protects user execution through the implementation of tools and measures to block unknown or unused files in transit."}, {"divider": true}, {"name": "control", "value": "PR.PS-01.09"}, {"name": "comment", "value": "The diagnostic statement highlights several mitigating controls that organizations can implement to protect endpoint systems using virtualization technologies. Adversaries may rely on a user running a malicious image to facilitate execution. This can lead to the execution of malicious code, such as code that executes cryptocurrency mining, in the virtualized instance or container. Mitigating controls such as execution prevention, NIPS, EDRs and behavior prevention on endpoints may provide mitigating mechanisms to prevent the running of executables coming from virtualized machines onto the host or network."}, {"divider": true}, {"name": "control", "value": "PR.IR-01.03"}, {"name": "comment", "value": "This diagnostic statement protects against User Execution through the use of secure network configurations, architecture, implementations of zero trust architecture, and segmentation."}]}, {"techniqueID": "T1029", "score": 2, "comment": " Related to: \n \u2022DE.AE-02.01\n\u2022PR.IR-01.03", "metadata": [{"divider": true}, {"name": "control", "value": "DE.AE-02.01"}, {"name": "comment", "value": "This diagnostic statement provides for implementation of methods to block similar future attacks via security tools such as antivirus and IDS/IPS to provide protection against threats and exploitation attempts.\r\n"}, {"divider": true}, {"name": "control", "value": "PR.IR-01.03"}, {"name": "comment", "value": "This diagnostic statement protects against Scheduled Transfer through the use of secure network configurations, 
architecture, implementations of zero trust architecture, and segmentation."}]}, {"techniqueID": "T1090.001", "score": 3, "comment": " Related to: \n \u2022DE.AE-02.01\n\u2022DE.CM-01.01\n\u2022PR.IR-01.03", "metadata": [{"divider": true}, {"name": "control", "value": "DE.AE-02.01"}, {"name": "comment", "value": "This diagnostic statement provides for implementation of methods to block similar future attacks via security tools such as antivirus and IDS/IPS to provide protection against threats and exploitation attempts.\r\n"}, {"divider": true}, {"name": "control", "value": "DE.CM-01.01"}, {"name": "comment", "value": "This diagnostic statement protects against adversaries infiltrating internal proxies and taking over control of traffic between systems. Network intrusion detection and prevention systems that use network signatures to identify traffic for specific adversary malware can be used to mitigate activity at the network level."}, {"divider": true}, {"name": "control", "value": "PR.IR-01.03"}, {"name": "comment", "value": "This diagnostic statement protects against Internal Proxy through the use of secure network configurations, architecture, implementations of zero trust architecture, and segmentation."}]}, {"techniqueID": "T1090.002", "score": 3, "comment": " Related to: \n \u2022DE.AE-02.01\n\u2022DE.CM-01.01\n\u2022PR.IR-01.03", "metadata": [{"divider": true}, {"name": "control", "value": "DE.AE-02.01"}, {"name": "comment", "value": "This diagnostic statement provides for implementation of methods to block similar future attacks via security tools such as antivirus and IDS/IPS to provide protection against threats and exploitation attempts.\r\n"}, {"divider": true}, {"name": "control", "value": "DE.CM-01.01"}, {"name": "comment", "value": "This diagnostic statement protects against adversaries infiltrating external proxies and taking over control of traffic between systems. 
Network intrusion detection and prevention systems that use network signatures to identify traffic for specific adversary malware can be used to mitigate activity at the network level."}, {"divider": true}, {"name": "control", "value": "PR.IR-01.03"}, {"name": "comment", "value": "This diagnostic statement protects against External Proxy through the use of secure network configurations, architecture, implementations of zero trust architecture, and segmentation."}]}, {"techniqueID": "T1090", "score": 6, "comment": " Related to: \n \u2022PR.IR-04.01\n\u2022DE.CM-01.03\n\u2022PR.IR-01.03\n\u2022DE.AE-02.01\n\u2022DE.CM-01.01\n\u2022PR.PS-01.08", "metadata": [{"divider": true}, {"name": "control", "value": "DE.AE-02.01"}, {"name": "comment", "value": "This diagnostic statement provides for implementation of methods to block similar future attacks via security tools such as antivirus and IDS/IPS to provide protection against threats and exploitation attempts.\r\n"}, {"divider": true}, {"name": "control", "value": "DE.CM-01.03"}, {"name": "comment", "value": "This diagnostic statement provides protection from Proxy by using tools to detect and block the use of unauthorized devices and connections to prevent abuse by adversaries."}, {"divider": true}, {"name": "control", "value": "DE.CM-01.01"}, {"name": "comment", "value": "This diagnostic statement protects against adversaries redirecting network traffic between systems by infiltrating connection proxies. Traffic to known anonymity networks and C2 infrastructure can be blocked through the use of network allow and block lists."}, {"divider": true}, {"name": "control", "value": "PR.IR-04.01"}, {"name": "comment", "value": "This diagnostic statement describes how the organization establishes and manages baseline measures of network activity. Supported by network monitoring tools and other controls to detect events and identify incidents. 
Mitigating mechanisms may include: Data Loss Prevention (DLP); Filtering Network Traffic; Limit Network Traffic; Network Intrusion Prevention Systems (NIPS); and Network Segmentation for these types of network-based techniques."}, {"divider": true}, {"name": "control", "value": "PR.IR-01.03"}, {"name": "comment", "value": "This diagnostic statement protects against Proxy through the use of secure network configurations, architecture, implementations of zero trust architecture, and segmentation."}, {"divider": true}, {"name": "control", "value": "PR.PS-01.08"}, {"name": "comment", "value": "This diagnostic statement protects against Proxy through the use of limiting access to resources to only authorized devices, management of personal computing devices, network intrusion prevention, and the use of antimalware."}]}, {"techniqueID": "T1572", "score": 8, "comment": " Related to: \n \u2022PR.IR-04.01\n\u2022PR.IR-01.04\n\u2022DE.CM-01.03\n\u2022PR.IR-01.03\n\u2022PR.IR-01.02\n\u2022DE.AE-02.01\n\u2022DE.CM-01.01\n\u2022PR.PS-01.08", "metadata": [{"divider": true}, {"name": "control", "value": "DE.AE-02.01"}, {"name": "comment", "value": "This diagnostic statement provides for implementation of methods to block similar future attacks via security tools such as antivirus and IDS/IPS to provide protection against threats and exploitation attempts.\r\n"}, {"divider": true}, {"name": "control", "value": "DE.CM-01.03"}, {"name": "comment", "value": "This diagnostic statement provides protection from Protocol Tunneling by using tools to detect and block the use of unauthorized devices and connections to prevent abuse by adversaries."}, {"divider": true}, {"name": "control", "value": "DE.CM-01.01"}, {"name": "comment", "value": "This diagnostic statement protects against adversaries using tunneling to encapsulate a protocol within another protocol. 
Network intrusion detection and prevention systems that use network signatures to identify traffic for specific adversary malware can be used to mitigate activity at the network level."}, {"divider": true}, {"name": "control", "value": "PR.IR-04.01"}, {"name": "comment", "value": "This diagnostic statement describes how the organization establishes and manages baseline measures of network activity. Supported by network monitoring tools and other controls to detect events and identify incidents. Mitigating mechanisms may include: Data Loss Prevention (DLP); Filtering Network Traffic; Limit Network Traffic; Network Intrusion Prevention Systems (NIPS); and Network Segmentation for these types of network-based techniques."}, {"divider": true}, {"name": "control", "value": "PR.IR-01.02"}, {"name": "comment", "value": "This diagnostic statement provides protection through secure network device configurations (e.g., firewall rules, ports, and protocols) aligned to security baselines. Using network appliances to block or filter network traffic to untrusted or known bad domains and resources can prevent tunnelling of network communications."}, {"divider": true}, {"name": "control", "value": "PR.IR-01.03"}, {"name": "comment", "value": "This diagnostic statement protects against Protocol Tunneling through the use of secure network configurations, architecture, implementations of zero trust architecture, and segmentation."}, {"divider": true}, {"name": "control", "value": "PR.IR-01.04"}, {"name": "comment", "value": "This diagnostic statement provides protections for wireless networks. 
Implementation of wireless network management measures such as network segmentation and access controls reduces the attack surface, restricts movement by adversaries, and protects data from compromise."}, {"divider": true}, {"name": "control", "value": "PR.PS-01.08"}, {"name": "comment", "value": "This diagnostic statement protects against Protocol Tunneling through the use of limiting access to resources to only authorized devices, management of personal computing devices, network intrusion prevention, and the use of antimalware."}]}, {"techniqueID": "T1542.005", "score": 11, "comment": " Related to: \n \u2022PR.PS-01.01\n\u2022PR.IR-01.06\n\u2022DE.CM-09.01\n\u2022PR.IR-01.03\n\u2022PR.IR-01.05\n\u2022PR.IR-01.02\n\u2022PR.PS-01.02\n\u2022DE.AE-02.01\n\u2022PR.PS-01.03\n\u2022PR.AA-05.02\n\u2022PR.PS-01.08", "metadata": [{"divider": true}, {"name": "control", "value": "DE.AE-02.01"}, {"name": "comment", "value": "This diagnostic statement provides for implementation of methods to block similar future attacks via security tools such as antivirus and IDS/IPS to provide protection against threats and exploitation attempts.\r\n"}, {"divider": true}, {"name": "control", "value": "PR.IR-01.06"}, {"name": "comment", "value": "This diagnostic statement provides protections for production environments. Measures such as network segmentation and access control reduce the attack surface, restrict movement by adversaries, and protect critical assets and data from compromise."}, {"divider": true}, {"name": "control", "value": "PR.PS-01.01"}, {"name": "comment", "value": "This diagnostic statement provides for securely configuring production systems. 
This includes hardening default configurations and making security-focused setting adjustments to reduce the attack surface, enforce best practices, and protect sensitive data thereby mitigating adversary exploitation."}, {"divider": true}, {"name": "control", "value": "PR.PS-01.02"}, {"name": "comment", "value": "This diagnostic statement provides for limiting unnecessary software, services, ports, protocols, etc. Ensuring systems only have installed and enabled what is essential for their operation reduces the attack surface and minimizes vulnerabilities, which mitigates a wide range of techniques."}, {"divider": true}, {"name": "control", "value": "PR.AA-05.02"}, {"name": "comment", "value": "This diagnostic statement protects against TFTP Boot through the use of privileged account management and the use of multi-factor authentication."}, {"divider": true}, {"name": "control", "value": "DE.CM-09.01"}, {"name": "comment", "value": "This diagnostic statement protects against TFTP Boot through the use of verifying integrity of software/firmware, loading software that is trusted, ensuring privileged process integrity and checking software signatures."}, {"divider": true}, {"name": "control", "value": "PR.PS-01.03"}, {"name": "comment", "value": "This diagnostic statement provides protection from TFTP Boot through the implementation of security configuration baselines for OS, software, file integrity monitoring and imaging. Security baselining and integrity checking can help protect against adversaries attempting to compromise and modify software and its configurations."}, {"divider": true}, {"name": "control", "value": "PR.IR-01.02"}, {"name": "comment", "value": "This diagnostic statement provides protection through secure network device configurations (e.g., firewall rules, ports, and protocols) aligned to security baselines. 
Employing restrictions on untrusted network sources can mitigate adversary abuse of TFTP boot (netbooting)."}, {"divider": true}, {"name": "control", "value": "PR.IR-01.03"}, {"name": "comment", "value": "This diagnostic statement protects against TFTP Boot through the use of secure network configurations, architecture, implementations of zero trust architecture, and segmentation."}, {"divider": true}, {"name": "control", "value": "PR.IR-01.05"}, {"name": "comment", "value": "This diagnostic statement implements security controls and restrictions for remote user access to systems. Remote user access control involves managing and securing how users remotely access systems, such as through encrypted connections and account use policies, which help prevent adversary access."}, {"divider": true}, {"name": "control", "value": "PR.PS-01.08"}, {"name": "comment", "value": "This diagnostic statement protects against TFTP Boot through the use of limiting access to resources to only authorized devices, management of personal computing devices, network intrusion prevention, and the use of antimalware."}]}, {"techniqueID": "T1542.004", "score": 4, "comment": " Related to: \n \u2022DE.AE-02.01\n\u2022PR.PS-01.03\n\u2022DE.CM-09.01\n\u2022PR.IR-01.03", "metadata": [{"divider": true}, {"name": "control", "value": "DE.AE-02.01"}, {"name": "comment", "value": "This diagnostic statement provides for implementation of methods to block similar future attacks via security tools such as antivirus and IDS/IPS to provide protection against threats and exploitation attempts.\r\n"}, {"divider": true}, {"name": "control", "value": "DE.CM-09.01"}, {"name": "comment", "value": "This diagnostic statement protects against ROMMONkit through the use of verifying integrity of software/firmware, loading software that is trusted, ensuring privileged process integrity and checking software signatures."}, {"divider": true}, {"name": "control", "value": "PR.PS-01.03"}, {"name": "comment", "value": "This 
diagnostic statement provides protection from ROMMONkit through the implementation of security configuration baselines for OS, software, file integrity monitoring and imaging. Security baselining and integrity checking can help protect against adversaries attempting to compromise and modify software and its configurations."}, {"divider": true}, {"name": "control", "value": "PR.IR-01.03"}, {"name": "comment", "value": "This diagnostic statement protects against ROMMONkit through the use of secure network configurations, architecture, implementations of zero trust architecture, and segmentation."}]}, {"techniqueID": "T1571", "score": 6, "comment": " Related to: \n \u2022PR.IR-04.01\n\u2022PR.IR-01.04\n\u2022DE.CM-01.03\n\u2022PR.IR-01.03\n\u2022PR.IR-01.01\n\u2022DE.AE-02.01", "metadata": [{"divider": true}, {"name": "control", "value": "DE.AE-02.01"}, {"name": "comment", "value": "This diagnostic statement provides for implementation of methods to block similar future attacks via security tools such as antivirus and IDS/IPS to provide protection against threats and exploitation attempts.\r\n"}, {"divider": true}, {"name": "control", "value": "DE.CM-01.03"}, {"name": "comment", "value": "This diagnostic statement provides protection from Non-Standard Port by using tools to detect and block the use of unauthorized devices and connections to prevent abuse by adversaries."}, {"divider": true}, {"name": "control", "value": "PR.IR-01.01"}, {"name": "comment", "value": "This diagnostic statement is for the implementation of network segmentation which helps prevent access to critical systems and sensitive information. Configuring firewalls and proxies to limit outgoing traffic to only necessary ports and proper systems can mitigate use of this technique."}, {"divider": true}, {"name": "control", "value": "PR.IR-04.01"}, {"name": "comment", "value": "This diagnostic statement describes how the organization establishes and manages baseline measures of network activity. 
Supported by network monitoring tools and other controls to detect events and identify incidents. Mitigating mechanisms may include: Data Loss Prevention (DLP); Filtering Network Traffic; Limit Network Traffic; Network Intrusion Prevention Systems (NIPS); and Network Segmentation for these types of network-based techniques."}, {"divider": true}, {"name": "control", "value": "PR.IR-01.03"}, {"name": "comment", "value": "This diagnostic statement protects against Non-Standard Port through the use of secure network configurations, architecture, implementations of zero trust architecture, and segmentation."}, {"divider": true}, {"name": "control", "value": "PR.IR-01.04"}, {"name": "comment", "value": "This diagnostic statement provides protections for wireless networks. Implementation of wireless network management measures such as network segmentation and access controls reduces the attack surface, restricts movement by adversaries, and protects data from compromise."}]}, {"techniqueID": "T1095", "score": 9, "comment": " Related to: \n \u2022PR.IR-04.01\n\u2022PR.IR-01.04\n\u2022DE.CM-01.03\n\u2022PR.IR-01.06\n\u2022PR.IR-01.01\n\u2022PR.IR-01.03\n\u2022PR.IR-01.02\n\u2022DE.AE-02.01\n\u2022PR.PS-01.08", "metadata": [{"divider": true}, {"name": "control", "value": "DE.AE-02.01"}, {"name": "comment", "value": "This diagnostic statement provides for implementation of methods to block similar future attacks via security tools such as antivirus and IDS/IPS to provide protection against threats and exploitation attempts.\r\n"}, {"divider": true}, {"name": "control", "value": "DE.CM-01.03"}, {"name": "comment", "value": "This diagnostic statement provides protection from Non-Application Layer Protocol by using tools to detect and block the use of unauthorized devices and connections to prevent abuse by adversaries."}, {"divider": true}, {"name": "control", "value": "PR.IR-01.01"}, {"name": "comment", "value": "This diagnostic statement is for the implementation of network 
segmentation which helps prevent access to critical systems and sensitive information. Configuring firewalls and proxies to limit outgoing traffic to only necessary ports and proper systems can mitigate use of this technique."}, {"divider": true}, {"name": "control", "value": "PR.IR-04.01"}, {"name": "comment", "value": "This diagnostic statement describes how the organization establishes and manages baseline measures of network activity. Supported by network monitoring tools and other controls to detect events and identify incidents. Mitigating mechanisms may include: Data Loss Prevention (DLP); Filtering Network Traffic; Limit Network Traffic; Network Intrusion Prevention Systems (NIPS); and Network Segmentation for these types of network-based techniques."}, {"divider": true}, {"name": "control", "value": "PR.IR-01.02"}, {"name": "comment", "value": "This diagnostic statement provides protection through secure network device configurations (e.g., firewall rules, ports, protocols) aligned to security baselines. Using network appliances to block or filter network traffic that is not necessary within the environment can mitigate adversary use of non-application layer protocols."}, {"divider": true}, {"name": "control", "value": "PR.IR-01.03"}, {"name": "comment", "value": "This diagnostic statement protects against Non-Application Layer Protocol through the use of secure network configurations, architecture, implementations of zero trust architecture, and segmentation."}, {"divider": true}, {"name": "control", "value": "PR.IR-01.04"}, {"name": "comment", "value": "This diagnostic statement provides protections for wireless networks. 
Implementation of wireless network management measures such as network segmentation and access controls reduces the attack surface, restricts movement by adversaries, and protects data from compromise."}, {"divider": true}, {"name": "control", "value": "PR.IR-01.06"}, {"name": "comment", "value": "This diagnostic statement provides protections for production environments. Measures such as network segmentation and access control reduce the attack surface, restrict movement by adversaries, and protect critical assets and data from compromise."}, {"divider": true}, {"name": "control", "value": "PR.PS-01.08"}, {"name": "comment", "value": "This diagnostic statement protects against Non-Application Layer Protocol through the use of limiting access to resources to only authorized devices, management of personal computing devices, network intrusion prevention, and the use of antimalware."}]}, {"techniqueID": "T1104", "score": 4, "comment": " Related to: \n \u2022DE.AE-02.01\n\u2022DE.CM-01.03\n\u2022PR.IR-04.01\n\u2022PR.IR-01.03", "metadata": [{"divider": true}, {"name": "control", "value": "DE.AE-02.01"}, {"name": "comment", "value": "This diagnostic statement provides for implementation of methods to block similar future attacks via security tools such as antivirus and IDS/IPS to provide protection against threats and exploitation attempts.\r\n"}, {"divider": true}, {"name": "control", "value": "DE.CM-01.03"}, {"name": "comment", "value": "This diagnostic statement provides protection from Multi-Stage Channels by using tools to detect and block the use of unauthorized devices and connections to prevent abuse by adversaries."}, {"divider": true}, {"name": "control", "value": "PR.IR-04.01"}, {"name": "comment", "value": "This diagnostic statement describes how the organization establishes and manages baseline measures of network activity. Supported by network monitoring tools and other controls to detect events and identify incidents. 
Mitigating mechanisms may include: Data Loss Prevention (DLP); Filtering Network Traffic; Limit Network Traffic; Network Intrusion Prevention Systems (NIPS); and Network Segmentation for these type of network-based techniques."}, {"divider": true}, {"name": "control", "value": "PR.IR-01.03"}, {"name": "comment", "value": "This diagnostic statement protects against Multi-Stage Channels through the use of secure network configurations, architecture, implementations of zero trust architecture, and segmentation."}]}, {"techniqueID": "T1570", "score": 5, "comment": " Related to: \n \u2022PR.IR-01.04\n\u2022PR.PS-01.09\n\u2022PR.IR-01.03\n\u2022DE.AE-02.01\n\u2022PR.PS-01.08", "metadata": [{"divider": true}, {"name": "control", "value": "DE.AE-02.01"}, {"name": "comment", "value": "This diagnostic statement provides for implementation of methods to block similar future attacks via security tools such as antivirus and IDS/IPS to provide protection against threats and exploitation attempts.\r\n"}, {"divider": true}, {"name": "control", "value": "PR.PS-01.09"}, {"name": "comment", "value": "The diagnostic statement highlights several mechanisms that organizations can implement to protect endpoint systems using virtualization technologies, essentially hypervisor hardening. With this technique, adversaries may transfer tools, payloads, or other malware between systems in a compromised environment, such as between a VM and host system. 
Hypervisor hardening may help in monitoring and restricting unexpected network share access, such as files transferred between shares within a network using protocols such as SMB by virtualized technologies."}, {"divider": true}, {"name": "control", "value": "PR.IR-01.03"}, {"name": "comment", "value": "This diagnostic statement protects against Lateral Tool Transfer through the use of secure network configurations, architecture, implementations of zero trust architecture, and segmentation."}, {"divider": true}, {"name": "control", "value": "PR.IR-01.04"}, {"name": "comment", "value": "This diagnostic statement provides protections for wireless networks. Implementation of wireless network management measures such as network segmentation and access controls reduces the attack surface, restricts movement by adversaries, and protects data from compromise."}, {"divider": true}, {"name": "control", "value": "PR.PS-01.08"}, {"name": "comment", "value": "This diagnostic statement protects against Lateral Tool Transfer through the use of limiting access to resources to only authorized devices, management of personal computing devices, network intrusion prevention, and the use of antimalware."}]}, {"techniqueID": "T1105", "score": 2, "comment": " Related to: \n \u2022DE.AE-02.01\n\u2022PR.IR-01.03", "metadata": [{"divider": true}, {"name": "control", "value": "DE.AE-02.01"}, {"name": "comment", "value": "This diagnostic statement provides for implementation of methods to block similar future attacks via security tools such as antivirus and IDS/IPS to provide protection against threats and exploitation attempts.\r\n"}, {"divider": true}, {"name": "control", "value": "PR.IR-01.03"}, {"name": "comment", "value": "This diagnostic statement protects against Ingress Tool Transfer through the use of secure network configurations, architecture, implementations of zero trust architecture, and segmentation."}]}, {"techniqueID": "T1008", "score": 4, "comment": " Related to: \n 
\u2022DE.AE-02.01\n\u2022DE.CM-01.03\n\u2022PR.IR-04.01\n\u2022PR.IR-01.03", "metadata": [{"divider": true}, {"name": "control", "value": "DE.AE-02.01"}, {"name": "comment", "value": "This diagnostic statement provides for implementation of methods to block similar future attacks via security tools such as antivirus and IDS/IPS to provide protection against threats and exploitation attempts.\r\n"}, {"divider": true}, {"name": "control", "value": "DE.CM-01.03"}, {"name": "comment", "value": "This diagnostic statement provides protection from Fallback Channels by using tools to detect and block the use of unauthorized devices and connections to prevent abuse by adversaries."}, {"divider": true}, {"name": "control", "value": "PR.IR-04.01"}, {"name": "comment", "value": "This diagnostic statement describes how the organization establishes and manages baseline measures of network activity. Supported by network monitoring tools and other controls to detect events and identify incidents. Mitigating mechanisms may include: Data Loss Prevention (DLP); Filtering Network Traffic; Limit Network Traffic; Network Intrusion Prevention Systems (NIPS); and Network Segmentation for these type of network-based techniques."}, {"divider": true}, {"name": "control", "value": "PR.IR-01.03"}, {"name": "comment", "value": "This diagnostic statement protects against Fallback Channels through the use of secure network configurations, architecture, implementations of zero trust architecture, and segmentation."}]}, {"techniqueID": "T1573.001", "score": 4, "comment": " Related to: \n \u2022DE.AE-02.01\n\u2022PR.IR-01.04\n\u2022DE.CM-01.01\n\u2022PR.IR-01.03", "metadata": [{"divider": true}, {"name": "control", "value": "DE.AE-02.01"}, {"name": "comment", "value": "This diagnostic statement provides for implementation of methods to block similar future attacks via security tools such as antivirus and IDS/IPS to provide protection against threats and exploitation attempts.\r\n"}, {"divider": 
true}, {"name": "control", "value": "DE.CM-01.01"}, {"name": "comment", "value": "Network intrusion detection and prevention systems that use network signatures to identify traffic for specific adversary malware can be used to mitigate some activity at the network level, specifically adversaries known to conceal C2 traffic with symmetric encryption algorithms."}, {"divider": true}, {"name": "control", "value": "PR.IR-01.03"}, {"name": "comment", "value": "This diagnostic statement protects against Symmetric Cryptography through the use of secure network configurations, architecture, implementations of zero trust architecture, and segmentation."}, {"divider": true}, {"name": "control", "value": "PR.IR-01.04"}, {"name": "comment", "value": "This diagnostic statement provides protections for wireless networks. Implementation of wireless network management measures such as network segmentation and access controls reduces the attack surface, restricts movement by adversaries, and protects data from compromise."}]}, {"techniqueID": "T1573", "score": 5, "comment": " Related to: \n \u2022PR.IR-01.04\n\u2022PR.IR-04.01\n\u2022PR.IR-01.03\n\u2022DE.AE-02.01\n\u2022DE.CM-01.01", "metadata": [{"divider": true}, {"name": "control", "value": "DE.AE-02.01"}, {"name": "comment", "value": "This diagnostic statement provides for implementation of methods to block similar future attacks via security tools such as antivirus and IDS/IPS to provide protection against threats and exploitation attempts.\r\n"}, {"divider": true}, {"name": "control", "value": "DE.CM-01.01"}, {"name": "comment", "value": "Network intrusion detection and prevention systems that use network signatures to identify traffic for specific adversary malware can be used to mitigate some obfuscation (command and control traffic) activity at the network level."}, {"divider": true}, {"name": "control", "value": "PR.IR-04.01"}, {"name": "comment", "value": "This diagnostic statement describes how the organization 
establishes and manages baseline measures of network activity. Supported by network monitoring tools and other controls to detect events and identify incidents. Mitigating mechanisms may include: Data Loss Prevention (DLP); Filtering Network Traffic; Limit Network Traffic; Network Intrusion Prevention Systems (NIPS); and Network Segmentation for these type of network-based techniques."}, {"divider": true}, {"name": "control", "value": "PR.IR-01.03"}, {"name": "comment", "value": "This diagnostic statement protects against Encrypted Channel through the use of secure network configurations, architecture, implementations of zero trust architecture, and segmentation."}, {"divider": true}, {"name": "control", "value": "PR.IR-01.04"}, {"name": "comment", "value": "This diagnostic statement provides protections for wireless networks. Implementation of wireless network management measures such as network segmentation and access controls reduces the attack surface, restricts movement by adversaries, and protects data from compromise."}]}, {"techniqueID": "T1573.002", "score": 4, "comment": " Related to: \n \u2022DE.AE-02.01\n\u2022PR.IR-01.04\n\u2022DE.CM-01.01\n\u2022PR.IR-01.03", "metadata": [{"divider": true}, {"name": "control", "value": "DE.AE-02.01"}, {"name": "comment", "value": "This diagnostic statement provides for implementation of methods to block similar future attacks via security tools such as antivirus and IDS/IPS to provide protection against threats and exploitation attempts.\r\n"}, {"divider": true}, {"name": "control", "value": "DE.CM-01.01"}, {"name": "comment", "value": "Network intrusion detection and prevention systems that use network signatures to identify traffic for specific adversary malware can be used to mitigate some activity at the network level, specifically adversaries known to conceal C2 traffic with asymmetric encryption algorithms."}, {"divider": true}, {"name": "control", "value": "PR.IR-01.03"}, {"name": "comment", "value": "This 
diagnostic statement protects against Asymmetric Cryptography through the use of secure network configurations, architecture, implementations of zero trust architecture, and segmentation."}, {"divider": true}, {"name": "control", "value": "PR.IR-01.04"}, {"name": "comment", "value": "This diagnostic statement provides protections for wireless networks. Implementation of wireless network management measures such as network segmentation and access controls reduces the attack surface, restricts movement by adversaries, and protects data from compromise."}]}, {"techniqueID": "T1568.002", "score": 3, "comment": " Related to: \n \u2022DE.AE-02.01\n\u2022DE.CM-01.01\n\u2022PR.IR-01.03", "metadata": [{"divider": true}, {"name": "control", "value": "DE.AE-02.01"}, {"name": "comment", "value": "This diagnostic statement provides for implementation of methods to block similar future attacks via security tools such as antivirus and IDS/IPS to provide protection against threats and exploitation attempts.\r\n"}, {"divider": true}, {"name": "control", "value": "DE.CM-01.01"}, {"name": "comment", "value": "Network intrusion detection and prevention systems that use network signatures to identify traffic for specific adversary malware can be used to mitigate some obfuscation (command and control) activity at the network level.\r\n"}, {"divider": true}, {"name": "control", "value": "PR.IR-01.03"}, {"name": "comment", "value": "This diagnostic statement protects against Domain Generation Algorithms through the use of secure network configurations, architecture, implementations of zero trust architecture, and segmentation."}]}, {"techniqueID": "T1568", "score": 3, "comment": " Related to: \n \u2022DE.AE-02.01\n\u2022DE.CM-01.01\n\u2022PR.IR-01.03", "metadata": [{"divider": true}, {"name": "control", "value": "DE.AE-02.01"}, {"name": "comment", "value": "This diagnostic statement provides for implementation of methods to block similar future attacks via security tools such as antivirus 
and IDS/IPS to provide protection against threats and exploitation attempts.\r\n"}, {"divider": true}, {"name": "control", "value": "DE.CM-01.01"}, {"name": "comment", "value": "Network intrusion detection and prevention systems that use network signatures to identify traffic for specific adversary malware can be used to mitigate some obfuscation (command and control) activity at the network level.\r\n"}, {"divider": true}, {"name": "control", "value": "PR.IR-01.03"}, {"name": "comment", "value": "This diagnostic statement protects against Dynamic Resolution through the use of secure network configurations, architecture, implementations of zero trust architecture, and segmentation."}]}, {"techniqueID": "T1030", "score": 6, "comment": " Related to: \n \u2022PR.IR-04.01\n\u2022PR.DS-01.03\n\u2022DE.CM-01.03\n\u2022PR.IR-01.03\n\u2022DE.AE-02.01\n\u2022DE.CM-01.01", "metadata": [{"divider": true}, {"name": "control", "value": "DE.AE-02.01"}, {"name": "comment", "value": "This diagnostic statement provides for implementation of methods to block similar future attacks via security tools such as antivirus and IDS/IPS to provide protection against threats and exploitation attempts.\r\n"}, {"divider": true}, {"name": "control", "value": "DE.CM-01.03"}, {"name": "comment", "value": "This diagnostic statement provides protection from Data Transfer Size Limits by using tools to detect and block the use of unauthorized devices and connections to prevent abuse by adversaries."}, {"divider": true}, {"name": "control", "value": "PR.DS-01.03"}, {"name": "comment", "value": "This diagnostic statement focuses on restricting the use of removable media devices (e.g., USB drives, CDs, DVDs) to prevent unauthorized access, data leakage, or malicious activity."}, {"divider": true}, {"name": "control", "value": "DE.CM-01.01"}, {"name": "comment", "value": "Network intrusion detection and prevention systems that use network signatures to identify traffic for specific adversary malware can 
be used to mitigate some obfuscation activity at the network level.\r\n"}, {"divider": true}, {"name": "control", "value": "PR.IR-04.01"}, {"name": "comment", "value": "This diagnostic statement describes how the organization establishes and manages baseline measures of network activity. Supported by network monitoring tools and other controls to detect events and identify incidents. Mitigating mechanisms may include: Data Loss Prevention (DLP); Filtering Network Traffic; Limit Network Traffic; Network Intrusion Prevention Systems (NIPS); and Network Segmentation for these type of network-based techniques."}, {"divider": true}, {"name": "control", "value": "PR.IR-01.03"}, {"name": "comment", "value": "This diagnostic statement protects against Data Transfer Size Limits through the use of secure network configurations, architecture, implementations of zero trust architecture, and segmentation."}]}, {"techniqueID": "T1602.001", "score": 13, "comment": " Related to: \n \u2022PR.PS-01.07\n\u2022PR.PS-01.01\n\u2022PR.PS-01.05\n\u2022PR.PS-02.01\n\u2022PR.IR-01.06\n\u2022PR.IR-01.01\n\u2022PR.IR-01.03\n\u2022PR.PS-01.06\n\u2022PR.IR-01.02\n\u2022PR.PS-01.02\n\u2022DE.AE-02.01\n\u2022PR.PS-01.03\n\u2022PR.PS-01.08", "metadata": [{"divider": true}, {"name": "control", "value": "DE.AE-02.01"}, {"name": "comment", "value": "This diagnostic statement provides for implementation of methods to block similar future attacks via security tools such as antivirus and IDS/IPS to provide protection against threats and exploitation attempts.\r\n"}, {"divider": true}, {"name": "control", "value": "PR.PS-01.01"}, {"name": "comment", "value": "This diagnostic statement provides for securely configuring production systems. 
This includes hardening default configurations and making security-focused setting adjustments to reduce the attack surface, enforce best practices, and protect sensitive data thereby mitigating adversary exploitation."}, {"divider": true}, {"name": "control", "value": "PR.PS-01.02"}, {"name": "comment", "value": "This diagnostic statement provides for limiting unnecessary software, services, ports, protocols, etc. Ensuring systems only have installed and enabled what is essential for their operation reduces the attack surface and minimizes vulnerabilities, which mitigates a wide range of techniques."}, {"divider": true}, {"name": "control", "value": "PR.PS-02.01"}, {"name": "comment", "value": "This diagnostic statement is related to the implementation of a patch management program. Applying patches and upgrades for products and systems provided by vendors mitigates the risk of adversaries exploiting known vulnerabilities. For example, keeping system images and software updated and migrating to SNMPv3 can help prevent adversaries from collecting MIB content directly from SNMP-managed devices."}, {"divider": true}, {"name": "control", "value": "PR.PS-01.06"}, {"name": "comment", "value": "This diagnostic statement is associated with employing encryption methods to mitigate unauthorized access or theft of data that protect the confidentiality and integrity of data-at-rest, data-in-use, and data-in-transit. To address threats of SNMP (MIB Dump), configure SNMPv3 to use the highest level of security (authPriv) available."}, {"divider": true}, {"name": "control", "value": "PR.PS-01.03"}, {"name": "comment", "value": "This diagnostic statement provides protection from Data from Configuration Repository: SNMP (MIB Dump) through the implementation of security configuration baselines for OS, software, file integrity monitoring and imaging. 
Security baseline configurations that include allowlist MIB objects and implement SNMP Views can help protect against adversaries attempting to leverage information repositories."}, {"divider": true}, {"name": "control", "value": "PR.PS-01.07"}, {"name": "comment", "value": "This diagnostic statement protects against Data from Configuration Repository: SNMP (MIB Dump) through the use of revocation of keys and key management. Employing key protection strategies for key material used in identity management and authentication processes over networks, limitations to specific accounts along with access control mechanisms provides protection against MIB Dump."}, {"divider": true}, {"name": "control", "value": "PR.IR-01.01"}, {"name": "comment", "value": "This diagnostic statement is for the implementation of network segmentation which helps prevent access to critical systems and sensitive information. Employ network segmentation to segregate traffic to provide protection against adversaries attempting to obtain data from configuration repositories."}, {"divider": true}, {"name": "control", "value": "PR.IR-01.02"}, {"name": "comment", "value": "This diagnostic statement provides protection through secure network device configurations (e.g., firewall rules, ports, protocols) aligned to security baselines. Employing extended ACLs to block unauthorized protocols can mitigate adversary access to data in configuration repositories."}, {"divider": true}, {"name": "control", "value": "PR.IR-01.03"}, {"name": "comment", "value": "This diagnostic statement protects against SNMP (MIB Dump) through the use of secure network configurations, architecture, implementations of zero trust architecture, and segmentation."}, {"divider": true}, {"name": "control", "value": "PR.IR-01.06"}, {"name": "comment", "value": "This diagnostic statement provides protections for production environments. 
Measures such as network segmentation and access control reduce the attack surface, restrict movement by adversaries, and protect critical assets and data from compromise."}, {"divider": true}, {"name": "control", "value": "PR.PS-01.05"}, {"name": "comment", "value": "This diagnostic statement is associated with employing strong encryption methods to mitigate unauthorized access or theft of data that protect the confidentiality and integrity of data-at-rest, data-in-use, and data-in-transit. To address threats of SNMP (MIB Dump), configure SNMPv3 to use the highest level of security (authPriv) available. "}, {"divider": true}, {"name": "control", "value": "PR.PS-01.08"}, {"name": "comment", "value": "This diagnostic statement protects against SNMP (MIB Dump) through the use of limiting access to resources to only authorized devices, management of personal computing devices, network intrusion prevention, and the use of antimalware."}]}, {"techniqueID": "T1602.002", "score": 14, "comment": " Related to: \n \u2022PR.PS-01.07\n\u2022PR.IR-04.01\n\u2022PR.PS-01.01\n\u2022PR.PS-01.05\n\u2022PR.PS-02.01\n\u2022PR.IR-01.06\n\u2022PR.IR-01.01\n\u2022PR.IR-01.03\n\u2022PR.PS-01.06\n\u2022PR.IR-01.02\n\u2022PR.PS-01.02\n\u2022DE.AE-02.01\n\u2022PR.PS-01.03\n\u2022PR.PS-01.08", "metadata": [{"divider": true}, {"name": "control", "value": "DE.AE-02.01"}, {"name": "comment", "value": "This diagnostic statement provides for implementation of methods to block similar future attacks via security tools such as antivirus and IDS/IPS to provide protection against threats and exploitation attempts.\r\n"}, {"divider": true}, {"name": "control", "value": "PR.PS-01.01"}, {"name": "comment", "value": "This diagnostic statement provides for securely configuring production systems. 
This includes hardening default configurations and making security-focused setting adjustments to reduce the attack surface, enforce best practices, and protect sensitive data thereby mitigating adversary exploitation."}, {"divider": true}, {"name": "control", "value": "PR.PS-01.02"}, {"name": "comment", "value": "This diagnostic statement provides for limiting unnecessary software, services, ports, protocols, etc. Ensuring systems only have installed and enabled what is essential for their operation reduces the attack surface and minimizes vulnerabilities, which mitigates a wide range of techniques."}, {"divider": true}, {"name": "control", "value": "PR.PS-02.01"}, {"name": "comment", "value": "This diagnostic statement is related to the implementation of a patch management program. Applying patches and upgrades for products and systems provided by vendors mitigates the risk of adversaries exploiting known vulnerabilities. For example, keeping system images and software updated and migrating to SNMPv3 can help prevent adversary access of network configuration files."}, {"divider": true}, {"name": "control", "value": "PR.PS-01.06"}, {"name": "comment", "value": "This diagnostic statement is associated with employing encryption methods to mitigate unauthorized access or theft of data that protect the confidentiality and integrity of data-at-rest, data-in-use, and data-in-transit. To address threats of Network Device Configuration Dump, configure SNMPv3 to use the highest level of security (authPriv) available."}, {"divider": true}, {"name": "control", "value": "PR.PS-01.03"}, {"name": "comment", "value": "This diagnostic statement provides protection from Data from Configuration Repository: Network Device Configuration Dump through the implementation of security configuration baselines for OS, software, file integrity monitoring and imaging. 
Security baseline configurations that include allowlist MIB objects and implement SNMP Views, and keeping system images and software up to date can help protect against adversaries attempting to leverage information repositories."}, {"divider": true}, {"name": "control", "value": "PR.PS-01.07"}, {"name": "comment", "value": "This diagnostic statement protects against Data from Configuration Repository: Network Device Configuration Dump through the use of revocation of keys and key management. Employing key protection strategies for key material used in identity management and authentication processes over networks, limitations to specific accounts along with access control mechanisms provides protection against network device configuration dump."}, {"divider": true}, {"name": "control", "value": "PR.IR-01.01"}, {"name": "comment", "value": "This diagnostic statement is for the implementation of network segmentation which helps prevent access to critical systems and sensitive information. Employ network segmentation to segregate traffic to provide protection against adversaries attempting to obtain data from configuration repositories."}, {"divider": true}, {"name": "control", "value": "PR.IR-04.01"}, {"name": "comment", "value": "This diagnostic statement describes how the organization establishes and manages baseline measures of network activity. Supported by network monitoring tools and other controls to detect events and identify incidents. Mitigating mechanisms may include: Data Loss Prevention (DLP); Filtering Network Traffic; Limit Network Traffic; Network Intrusion Prevention Systems (NIPS); and Network Segmentation for these type of network-based techniques."}, {"divider": true}, {"name": "control", "value": "PR.IR-01.02"}, {"name": "comment", "value": "This diagnostic statement provides protection through secure network device configurations (e.g., firewall rules, ports, protocols) aligned to security baselines. 
Employing extended ACLs to block unauthorized protocols can mitigate adversary access to data in configuration repositories."}, {"divider": true}, {"name": "control", "value": "PR.IR-01.03"}, {"name": "comment", "value": "This diagnostic statement protects against Network Device Configuration Dump through the use of secure network configurations, architecture, implementations of zero trust architecture, and segmentation."}, {"divider": true}, {"name": "control", "value": "PR.IR-01.06"}, {"name": "comment", "value": "This diagnostic statement provides protections for production environments. Measures such as network segmentation and access control reduce the attack surface, restrict movement by adversaries, and protect critical assets and data from compromise."}, {"divider": true}, {"name": "control", "value": "PR.PS-01.05"}, {"name": "comment", "value": "This diagnostic statement is associated with employing strong encryption methods to mitigate unauthorized access or theft of data that protect the confidentiality and integrity of data-at-rest, data-in-use, and data-in-transit. To address threats of Network Device Configuration Dump, configure SNMPv3 to use the highest level of security (authPriv) available. 
"}, {"divider": true}, {"name": "control", "value": "PR.PS-01.08"}, {"name": "comment", "value": "This diagnostic statement protects against Network Device Configuration Dump through the use of limiting access to resources to only authorized devices, management of personal computing devices, network intrusion prevention, and the use of antimalware."}]}, {"techniqueID": "T1602", "score": 15, "comment": " Related to: \n \u2022PR.PS-01.07\n\u2022PR.IR-04.01\n\u2022PR.PS-01.01\n\u2022PR.PS-01.05\n\u2022PR.PS-02.01\n\u2022PR.IR-01.06\n\u2022PR.IR-01.01\n\u2022PR.IR-01.03\n\u2022PR.PS-01.06\n\u2022PR.IR-01.02\n\u2022PR.PS-01.02\n\u2022DE.AE-02.01\n\u2022PR.PS-01.03\n\u2022PR.DS-10.01\n\u2022PR.PS-01.08", "metadata": [{"divider": true}, {"name": "control", "value": "DE.AE-02.01"}, {"name": "comment", "value": "This diagnostic statement provides for implementation of methods to block similar future attacks via security tools such as antivirus and IDS/IPS to provide protection against threats and exploitation attempts.\r\n"}, {"divider": true}, {"name": "control", "value": "PR.PS-01.01"}, {"name": "comment", "value": "This diagnostic statement provides for securely configuring production systems. This includes hardening default configurations and making security-focused setting adjustments to reduce the attack surface, enforce best practices, and protect sensitive data thereby mitigating adversary exploitation."}, {"divider": true}, {"name": "control", "value": "PR.PS-01.02"}, {"name": "comment", "value": "This diagnostic statement provides for limiting unnecessary software, services, ports, protocols, etc. 
Ensuring systems only have installed and enabled what is essential for their operation reduces the attack surface and minimizes vulnerabilities, which mitigates a wide range of techniques."}, {"divider": true}, {"name": "control", "value": "PR.DS-10.01"}, {"name": "comment", "value": "This Diagnostic Statement describes mitigations related to protecting data-in-use, mentioning encryption, access control methods and authentication. Using encryption for data-in-use, alongside other safeguards such for restricting exfiltration of sensitive data aid with mitigating collection and exfiltration threats."}, {"divider": true}, {"name": "control", "value": "PR.PS-02.01"}, {"name": "comment", "value": "This diagnostic statement is related to the implementation of a patch management program. Applying patches and upgrades for products and systems provided by vendors mitigates the risk of adversaries exploiting known vulnerabilities. For example, keeping system images and software updated can help prevent adversaries from collecting data related to managed devices from configuration repositories."}, {"divider": true}, {"name": "control", "value": "PR.PS-01.06"}, {"name": "comment", "value": "This diagnostic statement is associated with employing encryption methods to mitigate unauthorized access or theft of data that protect the confidentiality and integrity of data-at-rest, data-in-use, and data-in-transit. To address threats of data collection from configuration repository, configure SNMPv3 to use the highest level of security (authPriv) available."}, {"divider": true}, {"name": "control", "value": "PR.PS-01.03"}, {"name": "comment", "value": "This diagnostic statement provides protection from Data from Information Repositories: Data from Configuration Repository through the implementation of security configuration baselines for OS, software, file integrity monitoring and imaging. 
Security baseline configurations that include data retention policies to periodically archive and/or delete data and integrity checking can help protect against adversaries attempting to leverage information repositories."}, {"divider": true}, {"name": "control", "value": "PR.PS-01.07"}, {"name": "comment", "value": "This diagnostic statement protects against Data from Configuration Repository through the use of revocation of keys and key management. Employing key protection strategies for key material used in identity management and authentication processes over networks, limitations to specific accounts along with access control mechanisms provides protection against data from configuration repository."}, {"divider": true}, {"name": "control", "value": "PR.IR-01.01"}, {"name": "comment", "value": "This diagnostic statement is for the implementation of network segmentation which helps prevent access to critical systems and sensitive information. Employ network segmentation to segregate traffic to provide protection against adversaries attempting to obtain data from configuration repositories."}, {"divider": true}, {"name": "control", "value": "PR.IR-04.01"}, {"name": "comment", "value": "This diagnostic statement describes how the organization establishes and manages baseline measures of network activity. Supported by network monitoring tools and other controls to detect events and identify incidents. Mitigating mechanisms may include: Data Loss Prevention (DLP); Filtering Network Traffic; Limit Network Traffic; Network Intrusion Prevention Systems (NIPS); and Network Segmentation for these type of network-based techniques."}, {"divider": true}, {"name": "control", "value": "PR.IR-01.02"}, {"name": "comment", "value": "This diagnostic statement provides protection through secure network device configurations (e.g., firewall rules, ports, protocols) aligned to security baselines. 
Employing extended ACLs to block unauthorized protocols can mitigate adversary access to data in configuration repositories."}, {"divider": true}, {"name": "control", "value": "PR.IR-01.03"}, {"name": "comment", "value": "This diagnostic statement protects against Data from Configuration Repository through the use of secure network configurations, architecture, implementations of zero trust architecture, and segmentation."}, {"divider": true}, {"name": "control", "value": "PR.IR-01.06"}, {"name": "comment", "value": "This diagnostic statement provides protections for production environments. Measures such as network segmentation and access control reduce the attack surface, restrict movement by adversaries, and protect critical assets and data from compromise."}, {"divider": true}, {"name": "control", "value": "PR.PS-01.05"}, {"name": "comment", "value": "This diagnostic statement is associated with employing strong encryption methods to mitigate unauthorized access or theft of data that protect the confidentiality and integrity of data-at-rest, data-in-use, and data-in-transit. To address threats of data collection from configuration repository, configure SNMPv3 to use the highest level of security (authPriv) available. 
"}, {"divider": true}, {"name": "control", "value": "PR.PS-01.08"}, {"name": "comment", "value": "This diagnostic statement protects against Data from Configuration Repository through the use of limiting access to resources to only authorized devices, management of personal computing devices, network intrusion prevention, and the use of antimalware."}]}, {"techniqueID": "T1041", "score": 8, "comment": " Related to: \n \u2022PR.IR-03.01\n\u2022PR.IR-04.01\n\u2022DE.CM-01.03\n\u2022PR.IR-01.03\n\u2022PR.DS-01.02\n\u2022PR.DS-01.01\n\u2022DE.AE-02.01\n\u2022PR.DS-10.01", "metadata": [{"divider": true}, {"name": "control", "value": "DE.AE-02.01"}, {"name": "comment", "value": "This diagnostic statement provides for implementation of methods to block similar future attacks via security tools such as antivirus and IDS/IPS to provide protection against threats and exploitation attempts.\r\n"}, {"divider": true}, {"name": "control", "value": "PR.IR-03.01"}, {"name": "comment", "value": "This diagnostic statement protects against Exfiltration Over C2 Channel through the use of failsafes, backup facilities, disaster recovery, and resilience strategies including resumption of critical services."}, {"divider": true}, {"name": "control", "value": "DE.CM-01.03"}, {"name": "comment", "value": "This diagnostic statement provides protection from Exfiltration Over C2 Channel by using tools to detect and block the use of unauthorized devices and connections to prevent abuse by adversaries."}, {"divider": true}, {"name": "control", "value": "PR.DS-01.01"}, {"name": "comment", "value": "This diagnostic statement focuses on protecting data-at-rest by implementing encryption and other security measures such as sandboxing, authentication, segregation, masking, tokenization, and file integrity monitoring."}, {"divider": true}, {"name": "control", "value": "PR.DS-01.02"}, {"name": "comment", "value": "The use of data loss prevention controls may mitigate the techniques related to data 
leakage and loss from local systems, automated exfiltration, and exfiltration over non-approved services."}, {"divider": true}, {"name": "control", "value": "PR.DS-10.01"}, {"name": "comment", "value": "This Diagnostic Statement describes mitigations related to protecting data-in-use, mentioning encryption, access control methods and authentication. Using encryption for data-in-use, alongside other safeguards such for restricting exfiltration of sensitive data aid with mitigating collection and exfiltration threats."}, {"divider": true}, {"name": "control", "value": "PR.IR-04.01"}, {"name": "comment", "value": "This diagnostic statement describes how the organization establishes and manages baseline measures of network activity. Supported by network monitoring tools and other controls to detect events and identify incidents. Mitigating mechanisms may include: Data Loss Prevention (DLP); Filtering Network Traffic; Limit Network Traffic; Network Intrusion Prevention Systems (NIPS); and Network Segmentation for these type of network-based techniques."}, {"divider": true}, {"name": "control", "value": "PR.IR-01.03"}, {"name": "comment", "value": "This diagnostic statement protects against Exfiltration Over C2 Channel through the use of secure network configurations, architecture, implementations of zero trust architecture, and segmentation."}]}, {"techniqueID": "T1048", "score": 13, "comment": " Related to: \n \u2022PR.IR-03.01\n\u2022PR.IR-04.01\n\u2022PR.IR-01.04\n\u2022DE.CM-01.03\n\u2022PR.AA-01.01\n\u2022PR.IR-01.01\n\u2022PR.DS-01.02\n\u2022PR.IR-01.03\n\u2022PR.IR-01.02\n\u2022DE.AE-02.01\n\u2022DE.CM-01.01\n\u2022PR.DS-10.01\n\u2022PR.PS-01.08", "metadata": [{"divider": true}, {"name": "control", "value": "DE.AE-02.01"}, {"name": "comment", "value": "This diagnostic statement provides for implementation of methods to block similar future attacks via security tools such as antivirus and IDS/IPS to provide protection against threats and exploitation 
attempts.\r\n"}, {"divider": true}, {"name": "control", "value": "PR.IR-03.01"}, {"name": "comment", "value": "This diagnostic statement protects against Exfiltration Over Alternative Protocol through the use of failsafes, backup facilities, disaster recovery, and resilience strategies including resumption of critical services."}, {"divider": true}, {"name": "control", "value": "DE.CM-01.03"}, {"name": "comment", "value": "This diagnostic statement provides protection from Exfiltration Over Alternative Protocol by using tools to detect and block the use of unauthorized devices and connections to prevent abuse by adversaries."}, {"divider": true}, {"name": "control", "value": "PR.DS-01.02"}, {"name": "comment", "value": "The use of data loss prevention controls may mitigate the techniques related to data leakage and loss from local systems, automated exfiltration, and exfiltration over non-approved services."}, {"divider": true}, {"name": "control", "value": "PR.DS-10.01"}, {"name": "comment", "value": "This Diagnostic Statement describes mitigations related to protecting data-in-use, mentioning encryption, access control methods and authentication. Using encryption for data-in-use, alongside other safeguards such for restricting exfiltration of sensitive data aid with mitigating collection and exfiltration threats."}, {"divider": true}, {"name": "control", "value": "DE.CM-01.01"}, {"name": "comment", "value": "Network intrusion detection and prevention systems that use network signatures to identify traffic for specific adversary malware can be used to mitigate some activity at the network level, specifically adversaries known to steal data and/or encrypt or obfuscate alternate channels."}, {"divider": true}, {"name": "control", "value": "PR.IR-01.01"}, {"name": "comment", "value": "This diagnostic statement is for the implementation of network segmentation which helps prevent access to critical systems and sensitive information. 
Network firewall configurations that allow only necessary ports and traffic can mitigate exfiltration of data over alternate protocols."}, {"divider": true}, {"name": "control", "value": "PR.IR-04.01"}, {"name": "comment", "value": "This diagnostic statement describes how the organization establishes and manages baseline measures of network activity. Supported by network monitoring tools and other controls to detect events and identify incidents. Mitigating mechanisms may include: Data Loss Prevention (DLP); Filtering Network Traffic; Limit Network Traffic; Network Intrusion Prevention Systems (NIPS); and Network Segmentation for these type of network-based techniques."}, {"divider": true}, {"name": "control", "value": "PR.IR-01.02"}, {"name": "comment", "value": "This diagnostic statement provides protection through secure network device configurations (e.g., firewall rules, ports, protocols) aligned to security baselines. Using network appliances to block or filter network traffic that is not necessary within the environment can mitigate adversary use of alternate protocols to exfiltrate data."}, {"divider": true}, {"name": "control", "value": "PR.IR-01.03"}, {"name": "comment", "value": "This diagnostic statement protects against Exfiltration Over Alternative Protocol through the use of secure network configurations, architecture, implementations of zero trust architecture, and segmentation."}, {"divider": true}, {"name": "control", "value": "PR.IR-01.04"}, {"name": "comment", "value": "This diagnostic statement provides protections for wireless networks. 
Implementation of wireless network management measures such as network segmentation and access controls reduces the attack surface, restricts movement by adversaries, and protects data from compromise."}, {"divider": true}, {"name": "control", "value": "PR.AA-01.01"}, {"name": "comment", "value": "This diagnostic statement protects against Exfiltration Over Alternative Protocol through the use of hardened access control policies, secure defaults, password complexity requirements, multifactor authentication requirements, and removal of terminated accounts."}, {"divider": true}, {"name": "control", "value": "PR.PS-01.08"}, {"name": "comment", "value": "This diagnostic statement protects against Exfiltration Over Alternative Protocol through the use of limiting access to resources to only authorized devices, management of personal computing devices, network intrusion prevention, and the use of antimalware."}]}, {"techniqueID": "T1048.001", "score": 7, "comment": " Related to: \n \u2022PR.IR-01.04\n\u2022DE.CM-01.03\n\u2022PR.IR-01.03\n\u2022PR.IR-01.01\n\u2022PR.IR-01.02\n\u2022DE.AE-02.01\n\u2022PR.PS-01.08", "metadata": [{"divider": true}, {"name": "control", "value": "DE.AE-02.01"}, {"name": "comment", "value": "This diagnostic statement provides for implementation of methods to block similar future attacks via security tools such as antivirus and IDS/IPS to provide protection against threats and exploitation attempts.\r\n"}, {"divider": true}, {"name": "control", "value": "DE.CM-01.03"}, {"name": "comment", "value": "This diagnostic statement provides protection from Exfiltration Over Symmetric Encrypted Non-C2 Protocol by using tools to detect and block the use of unauthorized devices and connections to prevent abuse by adversaries."}, {"divider": true}, {"name": "control", "value": "PR.IR-01.01"}, {"name": "comment", "value": "This diagnostic statement is for the implementation of network segmentation which helps prevent access to critical systems and sensitive 
information. Network firewall configurations that allow only necessary ports and traffic can mitigate exfiltration of data over alternate protocols."}, {"divider": true}, {"name": "control", "value": "PR.IR-01.02"}, {"name": "comment", "value": "This diagnostic statement provides protection through secure network device configurations (e.g., firewall rules, ports, protocols) aligned to security baselines. Using network appliances to block or filter network traffic that is not necessary within the environment can mitigate adversary use of alternate protocols to exfiltrate data."}, {"divider": true}, {"name": "control", "value": "PR.IR-01.03"}, {"name": "comment", "value": "This diagnostic statement protects against Exfiltration Over Symmetric Encrypted Non-C2 Protocol through the use of secure network configurations, architecture, implementations of zero trust architecture, and segmentation."}, {"divider": true}, {"name": "control", "value": "PR.IR-01.04"}, {"name": "comment", "value": "This diagnostic statement provides protections for wireless networks. 
Implementation of wireless network management measures such as network segmentation and access controls reduces the attack surface, restricts movement by adversaries, and protects data from compromise."}, {"divider": true}, {"name": "control", "value": "PR.PS-01.08"}, {"name": "comment", "value": "This diagnostic statement protects against Exfiltration Over Symmetric Encrypted Non-C2 Protocol through the use of limiting access to resources to only authorized devices, management of personal computing devices, network intrusion prevention, and the use of antimalware."}]}, {"techniqueID": "T1048.002", "score": 10, "comment": " Related to: \n \u2022PR.IR-03.01\n\u2022PR.IR-04.01\n\u2022PR.IR-01.04\n\u2022DE.CM-01.03\n\u2022PR.IR-01.01\n\u2022PR.DS-01.02\n\u2022PR.IR-01.03\n\u2022PR.IR-01.02\n\u2022DE.AE-02.01\n\u2022PR.PS-01.08", "metadata": [{"divider": true}, {"name": "control", "value": "DE.AE-02.01"}, {"name": "comment", "value": "This diagnostic statement provides for implementation of methods to block similar future attacks via security tools such as antivirus and IDS/IPS to provide protection against threats and exploitation attempts.\r\n"}, {"divider": true}, {"name": "control", "value": "PR.IR-03.01"}, {"name": "comment", "value": "This diagnostic statement protects against Exfiltration Over Asymmetric Encrypted Non-C2 Protocol through the use of failsafes, backup facilities, disaster recovery, and resilience strategies including resumption of critical services."}, {"divider": true}, {"name": "control", "value": "DE.CM-01.03"}, {"name": "comment", "value": "This diagnostic statement provides protection from Exfiltration Over Asymmetric Encrypted Non-C2 Protocol by using tools to detect and block the use of unauthorized devices and connections to prevent abuse by adversaries."}, {"divider": true}, {"name": "control", "value": "PR.DS-01.02"}, {"name": "comment", "value": "The use of data loss prevention controls may mitigate the techniques related to data 
leakage and loss from local systems, automated exfiltration, and exfiltration over non-approved services."}, {"divider": true}, {"name": "control", "value": "PR.IR-01.01"}, {"name": "comment", "value": "This diagnostic statement is for the implementation of network segmentation which helps prevent access to critical systems and sensitive information. Network firewall configurations that allow only necessary ports and traffic can mitigate exfiltration of data over alternate protocols."}, {"divider": true}, {"name": "control", "value": "PR.IR-04.01"}, {"name": "comment", "value": "This diagnostic statement describes how the organization establishes and manages baseline measures of network activity. Supported by network monitoring tools and other controls to detect events and identify incidents. Mitigating mechanisms may include: Data Loss Prevention (DLP); Filtering Network Traffic; Limit Network Traffic; Network Intrusion Prevention Systems (NIPS); and Network Segmentation for these type of network-based techniques."}, {"divider": true}, {"name": "control", "value": "PR.IR-01.02"}, {"name": "comment", "value": "This diagnostic statement provides protection through secure network device configurations (e.g., firewall rules, ports, protocols) aligned to security baselines. Using network appliances to block or filter network traffic that is not necessary within the environment can mitigate adversary use of alternate protocols to exfiltrate data."}, {"divider": true}, {"name": "control", "value": "PR.IR-01.03"}, {"name": "comment", "value": "This diagnostic statement protects against Exfiltration Over Asymmetric Encrypted Non-C2 Protocol through the use of secure network configurations, architecture, implementations of zero trust architecture, and segmentation."}, {"divider": true}, {"name": "control", "value": "PR.IR-01.04"}, {"name": "comment", "value": "This diagnostic statement provides protections for wireless networks. 
Implementation of wireless network management measures such as network segmentation and access controls reduces the attack surface, restricts movement by adversaries, and protects data from compromise."}, {"divider": true}, {"name": "control", "value": "PR.PS-01.08"}, {"name": "comment", "value": "This diagnostic statement protects against Exfiltration Over Asymmetric Encrypted Non-C2 Protocol through the use of limiting access to resources to only authorized devices, management of personal computing devices, network intrusion prevention, and the use of antimalware."}]}, {"techniqueID": "T1048.003", "score": 11, "comment": " Related to: \n \u2022PR.IR-03.01\n\u2022PR.IR-04.01\n\u2022PR.IR-01.04\n\u2022DE.CM-01.03\n\u2022PR.IR-01.01\n\u2022PR.DS-01.02\n\u2022PR.IR-01.03\n\u2022PR.DS-01.01\n\u2022PR.IR-01.02\n\u2022DE.AE-02.01\n\u2022PR.PS-01.08", "metadata": [{"divider": true}, {"name": "control", "value": "DE.AE-02.01"}, {"name": "comment", "value": "This diagnostic statement provides for implementation of methods to block similar future attacks via security tools such as antivirus and IDS/IPS to provide protection against threats and exploitation attempts.\r\n"}, {"divider": true}, {"name": "control", "value": "PR.IR-03.01"}, {"name": "comment", "value": "This diagnostic statement protects against Exfiltration Over Unencrypted Non-C2 Protocol through the use of failsafes, backup facilities, disaster recovery, and resilience strategies including resumption of critical services."}, {"divider": true}, {"name": "control", "value": "DE.CM-01.03"}, {"name": "comment", "value": "This diagnostic statement provides protection from Exfiltration Over Unencrypted Non-C2 Protocol by using tools to detect and block the use of unauthorized devices and connections to prevent abuse by adversaries."}, {"divider": true}, {"name": "control", "value": "PR.DS-01.01"}, {"name": "comment", "value": "This diagnostic statement focuses on protecting data-at-rest by implementing encryption 
and other security measures such as sandboxing, authentication, segregation, masking, tokenization, and file integrity monitoring."}, {"divider": true}, {"name": "control", "value": "PR.DS-01.02"}, {"name": "comment", "value": "The use of data loss prevention controls may mitigate the techniques related to data leakage and loss from local systems, automated exfiltration, and exfiltration over non-approved services."}, {"divider": true}, {"name": "control", "value": "PR.IR-01.01"}, {"name": "comment", "value": "This diagnostic statement is for the implementation of network segmentation which helps prevent access to critical systems and sensitive information. Network firewall configurations that allow only necessary ports and traffic can mitigate exfiltration of data over alternate protocols."}, {"divider": true}, {"name": "control", "value": "PR.IR-04.01"}, {"name": "comment", "value": "This diagnostic statement describes how the organization establishes and manages baseline measures of network activity. Supported by network monitoring tools and other controls to detect events and identify incidents. Mitigating mechanisms may include: Data Loss Prevention (DLP); Filtering Network Traffic; Limit Network Traffic; Network Intrusion Prevention Systems (NIPS); and Network Segmentation for these type of network-based techniques."}, {"divider": true}, {"name": "control", "value": "PR.IR-01.02"}, {"name": "comment", "value": "This diagnostic statement provides protection through secure network device configurations (e.g., firewall rules, ports, protocols) aligned to security baselines. 
Using network appliances to block or filter network traffic that is not necessary within the environment can mitigate adversary use of alternate protocols to exfiltrate data."}, {"divider": true}, {"name": "control", "value": "PR.IR-01.03"}, {"name": "comment", "value": "This diagnostic statement protects against Exfiltration Over Unencrypted Non-C2 Protocol through the use of secure network configurations, architecture, implementations of zero trust architecture, and segmentation."}, {"divider": true}, {"name": "control", "value": "PR.IR-01.04"}, {"name": "comment", "value": "This diagnostic statement provides protections for wireless networks. Implementation of wireless network management measures such as network segmentation and access controls reduces the attack surface, restricts movement by adversaries, and protects data from compromise."}, {"divider": true}, {"name": "control", "value": "PR.PS-01.08"}, {"name": "comment", "value": "This diagnostic statement protects against Exfiltration Over Unencrypted Non-C2 Protocol through the use of limiting access to resources to only authorized devices, management of personal computing devices, network intrusion prevention, and the use of antimalware."}]}, {"techniqueID": "T1132.002", "score": 3, "comment": " Related to: \n \u2022DE.AE-02.01\n\u2022DE.CM-01.01\n\u2022PR.IR-01.03", "metadata": [{"divider": true}, {"name": "control", "value": "DE.AE-02.01"}, {"name": "comment", "value": "This diagnostic statement provides for implementation of methods to block similar future attacks via security tools such as antivirus and IDS/IPS to provide protection against threats and exploitation attempts.\r\n"}, {"divider": true}, {"name": "control", "value": "DE.CM-01.01"}, {"name": "comment", "value": "Network intrusion detection and prevention systems that use network signatures to identify traffic for specific adversary malware can be used to mitigate activity at the network level."}, {"divider": true}, {"name": "control", 
"value": "PR.IR-01.03"}, {"name": "comment", "value": "This diagnostic statement protects against Non-Standard Encoding through the use of secure network configurations, architecture, implementations of zero trust architecture, and segmentation."}]}, {"techniqueID": "T1132.001", "score": 3, "comment": " Related to: \n \u2022DE.AE-02.01\n\u2022DE.CM-01.01\n\u2022PR.IR-01.03", "metadata": [{"divider": true}, {"name": "control", "value": "DE.AE-02.01"}, {"name": "comment", "value": "This diagnostic statement provides for implementation of methods to block similar future attacks via security tools such as antivirus and IDS/IPS to provide protection against threats and exploitation attempts.\r\n"}, {"divider": true}, {"name": "control", "value": "DE.CM-01.01"}, {"name": "comment", "value": "Network intrusion detection and prevention systems that use network signatures to identify traffic for specific adversary malware can be used to mitigate activity at the network level."}, {"divider": true}, {"name": "control", "value": "PR.IR-01.03"}, {"name": "comment", "value": "This diagnostic statement protects against Standard Encoding through the use of secure network configurations, architecture, implementations of zero trust architecture, and segmentation."}]}, {"techniqueID": "T1132", "score": 3, "comment": " Related to: \n \u2022DE.AE-02.01\n\u2022DE.CM-01.01\n\u2022PR.IR-01.03", "metadata": [{"divider": true}, {"name": "control", "value": "DE.AE-02.01"}, {"name": "comment", "value": "This diagnostic statement provides for implementation of methods to block similar future attacks via security tools such as antivirus and IDS/IPS to provide protection against threats and exploitation attempts.\r\n"}, {"divider": true}, {"name": "control", "value": "DE.CM-01.01"}, {"name": "comment", "value": "Network intrusion detection and prevention systems that use network signatures to identify traffic for specific adversary malware can be used to mitigate activity at the network 
level."}, {"divider": true}, {"name": "control", "value": "PR.IR-01.03"}, {"name": "comment", "value": "This diagnostic statement protects against Data Encoding through the use of secure network configurations, architecture, implementations of zero trust architecture, and segmentation."}]}, {"techniqueID": "T1071.005", "score": 6, "comment": " Related to: \n \u2022PR.IR-04.01\n\u2022PR.IR-01.03\n\u2022PR.IR-01.02\n\u2022DE.AE-02.01\n\u2022DE.CM-01.01\n\u2022PR.PS-01.08", "metadata": [{"divider": true}, {"name": "control", "value": "DE.AE-02.01"}, {"name": "comment", "value": "This diagnostic statement provides for implementation of methods to block similar future attacks via security tools such as antivirus and IDS/IPS to provide protection against threats and exploitation attempts.\r\n"}, {"divider": true}, {"name": "control", "value": "DE.CM-01.01"}, {"name": "comment", "value": "This diagnostic statement protects against adversaries that may try to utilize different protocols to abuse packets produced from these protocols. Network intrusion detection and prevention systems that use network signatures to identify traffic for specific adversary malware can be used to mitigate activity at the network level."}, {"divider": true}, {"name": "control", "value": "PR.IR-04.01"}, {"name": "comment", "value": "This diagnostic statement describes how the organization establishes and manages baseline measures of network activity. Supported by network monitoring tools and other controls to detect events and identify incidents. 
Mitigating mechanisms may include: Data Loss Prevention (DLP); Filtering Network Traffic; Limit Network Traffic; Network Intrusion Prevention Systems (NIPS); and Network Segmentation for these type of network-based techniques."}, {"divider": true}, {"name": "control", "value": "PR.IR-01.02"}, {"name": "comment", "value": "This diagnostic statement provides protection through secure network device configurations (e.g., firewall rules, ports, protocols) aligned to security baselines. Using network appliances to block or filter network traffic that is not necessary within the environment can mitigate adversary use of application layer protocols."}, {"divider": true}, {"name": "control", "value": "PR.IR-01.03"}, {"name": "comment", "value": "This diagnostic statement protects against Publish/Subscribe Protocols through the use of secure network configurations, architecture, implementations of zero trust architecture, and segmentation."}, {"divider": true}, {"name": "control", "value": "PR.PS-01.08"}, {"name": "comment", "value": "This diagnostic statement protects against Publish/Subscribe Protocols through the use of limiting access to resources to only authorized devices, management of personal computing devices, network intrusion prevention, and the use of antimalware."}]}, {"techniqueID": "T1071.001", "score": 4, "comment": " Related to: \n \u2022DE.AE-02.01\n\u2022PR.IR-04.01\n\u2022DE.CM-01.01\n\u2022PR.IR-01.03", "metadata": [{"divider": true}, {"name": "control", "value": "DE.AE-02.01"}, {"name": "comment", "value": "This diagnostic statement provides for implementation of methods to block similar future attacks via security tools such as antivirus and IDS/IPS to provide protection against threats and exploitation attempts.\r\n"}, {"divider": true}, {"name": "control", "value": "DE.CM-01.01"}, {"name": "comment", "value": "This diagnostic statement protects against adversaries that may try to utilize different protocols, such as HTTPS and web socket, to blend 
in with existing traffic. Network intrusion detection and prevention systems that use network signatures to identify traffic for specific adversary malware can be used to mitigate activity at the network level."}, {"divider": true}, {"name": "control", "value": "PR.IR-04.01"}, {"name": "comment", "value": "This diagnostic statement describes how the organization establishes and manages baseline measures of network activity. Supported by network monitoring tools and other controls to detect events and identify incidents. Mitigating mechanisms may include: Data Loss Prevention (DLP); Filtering Network Traffic; Limit Network Traffic; Network Intrusion Prevention Systems (NIPS); and Network Segmentation for these types of network-based techniques."}, {"divider": true}, {"name": "control", "value": "PR.IR-01.03"}, {"name": "comment", "value": "This diagnostic statement protects against Web Protocols through the use of secure network configurations, architecture, implementations of zero trust architecture, and segmentation."}]}, {"techniqueID": "T1071.002", "score": 3, "comment": " Related to: \n \u2022DE.AE-02.01\n\u2022DE.CM-01.01\n\u2022PR.IR-01.03", "metadata": [{"divider": true}, {"name": "control", "value": "DE.AE-02.01"}, {"name": "comment", "value": "This diagnostic statement provides for implementation of methods to block similar future attacks via security tools such as antivirus and IDS/IPS to provide protection against threats and exploitation attempts.\r\n"}, {"divider": true}, {"name": "control", "value": "DE.CM-01.01"}, {"name": "comment", "value": "This diagnostic statement protects against adversaries that may try to utilize different protocols, such as SMB, FTP, FTPS, and TFTP, to abuse packets produced from these protocols. 
Network intrusion detection and prevention systems that use network signatures to identify traffic for specific adversary malware can be used to mitigate activity at the network level."}, {"divider": true}, {"name": "control", "value": "PR.IR-01.03"}, {"name": "comment", "value": "This diagnostic statement protects against File Transfer Protocols through the use of secure network configurations, architecture, implementations of zero trust architecture, and segmentation."}]}, {"techniqueID": "T1071.003", "score": 4, "comment": " Related to: \n \u2022DE.AE-02.01\n\u2022PR.PS-05.03\n\u2022DE.CM-01.01\n\u2022PR.IR-01.03", "metadata": [{"divider": true}, {"name": "control", "value": "DE.AE-02.01"}, {"name": "comment", "value": "This diagnostic statement provides for implementation of methods to block similar future attacks via security tools such as antivirus and IDS/IPS to provide protection against threats and exploitation attempts.\r\n"}, {"divider": true}, {"name": "control", "value": "DE.CM-01.01"}, {"name": "comment", "value": "This diagnostic statement protects against adversaries that may try to utilize different protocols, such as SMTP/S, POP3/S and IMAP, to abuse packets produced from these protocols. 
Network intrusion detection and prevention systems that use network signatures to identify traffic for specific adversary malware can be used to mitigate activity at the network level."}, {"divider": true}, {"name": "control", "value": "PR.PS-05.03"}, {"name": "comment", "value": "Network intrusion prevention techniques can be utilized to detect traffic for specific adversary malware, in hopes of being mitigated at the network level."}, {"divider": true}, {"name": "control", "value": "PR.IR-01.03"}, {"name": "comment", "value": "This diagnostic statement protects against Mail Protocols through the use of secure network configurations, architecture, implementations of zero trust architecture, and segmentation."}]}, {"techniqueID": "T1071.004", "score": 6, "comment": " Related to: \n \u2022PR.IR-04.01\n\u2022PR.IR-01.03\n\u2022PR.IR-01.02\n\u2022DE.AE-02.01\n\u2022DE.CM-01.01\n\u2022PR.PS-01.08", "metadata": [{"divider": true}, {"name": "control", "value": "DE.AE-02.01"}, {"name": "comment", "value": "This diagnostic statement provides for implementation of methods to block similar future attacks via security tools such as antivirus and IDS/IPS to provide protection against threats and exploitation attempts.\r\n"}, {"divider": true}, {"name": "control", "value": "PR.IR-01.02"}, {"name": "comment", "value": "This diagnostic statement provides protection through secure network device configurations (e.g., firewall rules, ports, protocols) aligned to security baselines. Using network appliances to block or filter network traffic that is not necessary within the environment can mitigate adversary use of application layer protocols."}, {"divider": true}, {"name": "control", "value": "DE.CM-01.01"}, {"name": "comment", "value": "This diagnostic statement protects against adversaries that may try to utilize DNS protocol to abuse packets produced from these protocols. 
Network intrusion detection and prevention systems that use network signatures to identify traffic for specific adversary malware can be used to mitigate activity at the network level."}, {"divider": true}, {"name": "control", "value": "PR.IR-04.01"}, {"name": "comment", "value": "This diagnostic statement describes how the organization establishes and manages baseline measures of network activity. Supported by network monitoring tools and other controls to detect events and identify incidents. Mitigating mechanisms may include: Data Loss Prevention (DLP); Filtering Network Traffic; Limit Network Traffic; Network Intrusion Prevention Systems (NIPS); and Network Segmentation for these type of network-based techniques."}, {"divider": true}, {"name": "control", "value": "PR.IR-01.03"}, {"name": "comment", "value": "This diagnostic statement protects against DNS through the use of secure network configurations, architecture, implementations of zero trust architecture, and segmentation."}, {"divider": true}, {"name": "control", "value": "PR.PS-01.08"}, {"name": "comment", "value": "This diagnostic statement protects against DNS through the use of limiting access to resources to only authorized devices, management of personal computing devices, network intrusion prevention, and the use of antimalware."}]}, {"techniqueID": "T1071", "score": 6, "comment": " Related to: \n \u2022PR.IR-04.01\n\u2022PR.IR-01.03\n\u2022PR.IR-01.02\n\u2022DE.AE-02.01\n\u2022DE.CM-01.01\n\u2022PR.PS-01.08", "metadata": [{"divider": true}, {"name": "control", "value": "DE.AE-02.01"}, {"name": "comment", "value": "This diagnostic statement provides for implementation of methods to block similar future attacks via security tools such as antivirus and IDS/IPS to provide protection against threats and exploitation attempts.\r\n"}, {"divider": true}, {"name": "control", "value": "DE.CM-01.01"}, {"name": "comment", "value": "This diagnostic statement protects against adversaries that may try to utilize 
different protocols, such as web browsing, file transfer, and email, at the application layer of the OSI model. Network intrusion detection and prevention systems that use network signatures to identify traffic for specific adversary malware can be used to mitigate activity at the network level."}, {"divider": true}, {"name": "control", "value": "PR.IR-04.01"}, {"name": "comment", "value": "This diagnostic statement describes how the organization establishes and manages baseline measures of network activity. It is supported by network monitoring tools and other controls to detect events and identify incidents. Mitigating mechanisms may include: Data Loss Prevention (DLP); Filtering Network Traffic; Limit Network Traffic; Network Intrusion Prevention Systems (NIPS); and Network Segmentation for these types of network-based techniques."}, {"divider": true}, {"name": "control", "value": "PR.IR-01.02"}, {"name": "comment", "value": "This diagnostic statement provides protection through secure network device configurations (e.g., firewall rules, ports, protocols) aligned to security baselines. 
Using network appliances to block or filter network traffic that is not necessary within the environment can mitigate adversary use of application layer protocols."}, {"divider": true}, {"name": "control", "value": "PR.IR-01.03"}, {"name": "comment", "value": "This diagnostic statement protects against Application Layer Protocol through the use of secure network configurations, architecture, implementations of zero trust architecture, and segmentation."}, {"divider": true}, {"name": "control", "value": "PR.PS-01.08"}, {"name": "comment", "value": "This diagnostic statement protects against Application Layer Protocol through the use of limiting access to resources to only authorized devices, management of personal computing devices, network intrusion prevention, and the use of antimalware."}]}, {"techniqueID": "T1557.004", "score": 5, "comment": " Related to: \n \u2022ID.AM-08.05\n\u2022ID.AM-08.03\n\u2022PR.IR-01.03\n\u2022DE.AE-02.01\n\u2022DE.CM-01.01", "metadata": [{"divider": true}, {"name": "control", "value": "DE.AE-02.01"}, {"name": "comment", "value": "This diagnostic statement provides for implementation of methods to block similar future attacks via security tools such as antivirus and IDS/IPS to provide protection against threats and exploitation attempts.\r\n"}, {"divider": true}, {"name": "control", "value": "DE.CM-01.01"}, {"name": "comment", "value": "Implementing methods similar to Wireless Intrusion Prevention Systems (WIPS) can identify and prevent adversary-in-the-middle activity."}, {"divider": true}, {"name": "control", "value": "ID.AM-08.03"}, {"name": "comment", "value": "This diagnostic statement prevents adversaries from being able to steal data in transit between networks by accessing Wi-Fi access points and enticing users to connect to malicious networks. There may be some similarities to NIST 800-53 SI-12 Information Management and Retention. 
This may provide mitigation of data access/exfiltration techniques."}, {"divider": true}, {"name": "control", "value": "PR.IR-01.03"}, {"name": "comment", "value": "This diagnostic statement protects against Evil Twin through the use of secure network configurations, architecture, implementations of zero trust architecture, and segmentation."}, {"divider": true}, {"name": "control", "value": "ID.AM-08.05"}, {"name": "comment", "value": "This diagnostic statement prevents adversaries from being able to steal data in transit between networks by accessing Wi-Fi access points and enticing users to connect to malicious networks. There may be some similarities to NIST 800-53 SI-12 Information Management and Retention. This may provide mitigation of data access/exfiltration techniques."}]}, {"techniqueID": "T1557.001", "score": 8, "comment": " Related to: \n \u2022PR.IR-04.01\n\u2022PR.IR-01.06\n\u2022PR.IR-01.01\n\u2022PR.IR-01.03\n\u2022PR.IR-01.02\n\u2022DE.AE-02.01\n\u2022DE.CM-01.01\n\u2022PR.PS-01.08", "metadata": [{"divider": true}, {"name": "control", "value": "DE.AE-02.01"}, {"name": "comment", "value": "This diagnostic statement provides for implementation of methods to block similar future attacks via security tools such as antivirus and IDS/IPS to provide protection against threats and exploitation attempts.\r\n"}, {"divider": true}, {"name": "control", "value": "PR.IR-01.02"}, {"name": "comment", "value": "This diagnostic statement provides protection through secure network device configurations (e.g., firewall rules, ports, and protocols) aligned to security baselines. Using network appliances to block or filter network traffic that is not necessary within the environment can prevent leveraging for AiTM conditions."}, {"divider": true}, {"name": "control", "value": "DE.CM-01.01"}, {"name": "comment", "value": "The use of network intrusion detection and prevention systems can identify and possibly block traffic patterns indicative of AiTM activity. 
If so, these patterns can be mitigated at the network level."}, {"divider": true}, {"name": "control", "value": "PR.IR-01.01"}, {"name": "comment", "value": "This diagnostic statement is for the implementation of network segmentation which helps prevent access to critical systems and sensitive information. Isolating infrastructure components and blocking network traffic that is not necessary can mitigate, or at least alleviate, the scope of AiTM activity."}, {"divider": true}, {"name": "control", "value": "PR.IR-04.01"}, {"name": "comment", "value": "This diagnostic statement describes how the organization establishes and manages baseline measures of network activity. It is supported by network monitoring tools and other controls to detect events and identify incidents. Mitigating mechanisms may include: Data Loss Prevention (DLP); Filtering Network Traffic; Limit Network Traffic; Network Intrusion Prevention Systems (NIPS); and Network Segmentation for these types of network-based techniques."}, {"divider": true}, {"name": "control", "value": "PR.IR-01.03"}, {"name": "comment", "value": "This diagnostic statement protects against LLMNR/NBT-NS Poisoning and SMB Relay through the use of secure network configurations, architecture, implementations of zero trust architecture, and segmentation."}, {"divider": true}, {"name": "control", "value": "PR.IR-01.06"}, {"name": "comment", "value": "This diagnostic statement provides protections for production environments. 
Measures such as network segmentation and access control reduce the attack surface, restrict movement by adversaries, and protect critical assets and data from compromise."}, {"divider": true}, {"name": "control", "value": "PR.PS-01.08"}, {"name": "comment", "value": "This diagnostic statement protects against LLMNR/NBT-NS Poisoning and SMB Relay through the use of limiting access to resources to only authorized devices, management of personal computing devices, network intrusion prevention, and the use of antimalware."}]}, {"techniqueID": "T1557.003", "score": 7, "comment": " Related to: \n \u2022PR.IR-04.01\n\u2022PR.IR-01.01\n\u2022PR.IR-01.03\n\u2022PR.IR-01.02\n\u2022DE.AE-02.01\n\u2022DE.CM-01.01\n\u2022PR.PS-01.08", "metadata": [{"divider": true}, {"name": "control", "value": "DE.AE-02.01"}, {"name": "comment", "value": "This diagnostic statement provides for implementation of methods to block similar future attacks via security tools such as antivirus and IDS/IPS to provide protection against threats and exploitation attempts.\r\n"}, {"divider": true}, {"name": "control", "value": "PR.IR-01.02"}, {"name": "comment", "value": "This diagnostic statement provides protection through secure network device configurations (e.g., firewall rules, ports, and protocols) aligned to security baselines. Using network appliances to block or filter network traffic that is not necessary within the environment can prevent leveraging for AiTM conditions."}, {"divider": true}, {"name": "control", "value": "DE.CM-01.01"}, {"name": "comment", "value": "The use of network intrusion detection and prevention systems can identify and possibly block traffic patterns indicative of AiTM activity. 
If so, these patterns can be mitigated at the network level."}, {"divider": true}, {"name": "control", "value": "PR.IR-01.01"}, {"name": "comment", "value": "This diagnostic statement is for the implementation of network segmentation which helps prevent access to critical systems and sensitive information. Isolating infrastructure components and blocking network traffic that is not necessary can mitigate, or at least alleviate, the scope of AiTM activity."}, {"divider": true}, {"name": "control", "value": "PR.IR-04.01"}, {"name": "comment", "value": "This diagnostic statement describes how the organization establishes and manages baseline measures of network activity. It is supported by network monitoring tools and other controls to detect events and identify incidents. Mitigating mechanisms may include: Data Loss Prevention (DLP); Filtering Network Traffic; Limit Network Traffic; Network Intrusion Prevention Systems (NIPS); and Network Segmentation for these types of network-based techniques."}, {"divider": true}, {"name": "control", "value": "PR.IR-01.03"}, {"name": "comment", "value": "This diagnostic statement protects against DHCP Spoofing through the use of secure network configurations, architecture, implementations of zero trust architecture, and segmentation."}, {"divider": true}, {"name": "control", "value": "PR.PS-01.08"}, {"name": "comment", "value": "This diagnostic statement protects against DHCP Spoofing through the use of limiting access to resources to only authorized devices, management of personal computing devices, network intrusion prevention, and the use of antimalware."}]}, {"techniqueID": "T1557", "score": 15, "comment": " Related to: \n \u2022ID.AM-08.05\n\u2022PR.PS-01.07\n\u2022PR.IR-04.01\n\u2022ID.AM-08.03\n\u2022PR.PS-01.05\n\u2022PR.IR-01.06\n\u2022PR.IR-01.01\n\u2022PR.IR-01.03\n\u2022PR.AA-05.01\n\u2022PR.DS-01.01\n\u2022PR.PS-01.06\n\u2022PR.IR-01.02\n\u2022DE.AE-02.01\n\u2022DE.CM-01.01\n\u2022PR.PS-01.08", "metadata": [{"divider": true}, 
{"name": "control", "value": "DE.AE-02.01"}, {"name": "comment", "value": "This diagnostic statement provides for implementation of methods to block similar future attacks via security tools such as antivirus and IDS/IPS to provide protection against threats and exploitation attempts.\r\n"}, {"divider": true}, {"name": "control", "value": "PR.DS-01.01"}, {"name": "comment", "value": "This diagnostic statement focuses on protecting data-at-rest by implementing encryption and other security measures such as sandboxing, authentication, segregation, masking, tokenization, and file integrity monitoring."}, {"divider": true}, {"name": "control", "value": "PR.AA-05.01"}, {"name": "comment", "value": "This diagnostic statement describes the implementation of the least privilege principle, which can be applied to limiting permissions through role-based access controls, file and directory permissions, and the execution of systems and services. Limiting users' access to resources over the network can help mitigate these techniques. Limit access to network infrastructure and resources that can be used to reshape traffic or otherwise produce AiTM conditions."}, {"divider": true}, {"name": "control", "value": "DE.CM-01.01"}, {"name": "comment", "value": "The use of network intrusion detection and prevention systems can identify and possibly block traffic patterns indicative of AiTM activity. If so, these patterns can be mitigated at the network level."}, {"divider": true}, {"name": "control", "value": "PR.PS-01.06"}, {"name": "comment", "value": "This diagnostic statement is associated with employing encryption methods to mitigate unauthorized access or theft of data that protect the confidentiality and integrity of data-at-rest, data-in-use, and data-in-transit. 
To address adversary-in-the-middle threats, the organization ensures that all wired and wireless traffic is encrypted appropriately, employs best practices for authentication protocols such as Kerberos, and protects web traffic containing credentials using SSL/TLS."}, {"divider": true}, {"name": "control", "value": "PR.PS-01.07"}, {"name": "comment", "value": "This diagnostic statement protects against Adversary-in-the-Middle through the use of revocation of keys and key management. Employing key protection strategies for key material used in identity management and authentication processes over networks, limitations to specific accounts along with access control mechanisms provides protection against adversary-in-the-middle."}, {"divider": true}, {"name": "control", "value": "ID.AM-08.03"}, {"name": "comment", "value": "This diagnostic statement prevents adversaries from being able to steal data in transit between networks. There may be some similarities to NIST 800-53 SI-12 Information Management and Retention. This may provide mitigation of data access/exfiltration techniques."}, {"divider": true}, {"name": "control", "value": "PR.IR-01.01"}, {"name": "comment", "value": "This diagnostic statement is for the implementation of network segmentation which helps prevent access to critical systems and sensitive information. Isolating infrastructure components and blocking network traffic that is not necessary can mitigate, or at least alleviate, the scope of AiTM activity."}, {"divider": true}, {"name": "control", "value": "PR.IR-04.01"}, {"name": "comment", "value": "This diagnostic statement describes how the organization establishes and manages baseline measures of network activity. It is supported by network monitoring tools and other controls to detect events and identify incidents. 
Mitigating mechanisms may include: Data Loss Prevention (DLP); Filtering Network Traffic; Limit Network Traffic; Network Intrusion Prevention Systems (NIPS); and Network Segmentation for these types of network-based techniques."}, {"divider": true}, {"name": "control", "value": "PR.IR-01.02"}, {"name": "comment", "value": "This diagnostic statement provides protection through secure network device configurations (e.g., firewall rules, ports, and protocols) aligned to security baselines. Using network appliances to block or filter network traffic that is not necessary within the environment can prevent leveraging for AiTM conditions."}, {"divider": true}, {"name": "control", "value": "PR.IR-01.03"}, {"name": "comment", "value": "This diagnostic statement protects against Adversary-in-the-Middle through the use of secure network configurations, architecture, implementations of zero trust architecture, and segmentation."}, {"divider": true}, {"name": "control", "value": "PR.IR-01.06"}, {"name": "comment", "value": "This diagnostic statement provides protections for production environments. Measures such as network segmentation and access control reduce the attack surface, restrict movement by adversaries, and protect critical assets and data from compromise."}, {"divider": true}, {"name": "control", "value": "ID.AM-08.05"}, {"name": "comment", "value": "This diagnostic statement prevents adversaries from being able to steal data in transit between networks. There may be some similarities to NIST 800-53 SI-12 Information Management and Retention. This may provide mitigation of data access/exfiltration techniques."}, {"divider": true}, {"name": "control", "value": "PR.PS-01.05"}, {"name": "comment", "value": "This diagnostic statement is associated with employing strong encryption methods to mitigate unauthorized access or theft of data that protect the confidentiality and integrity of data-at-rest, data-in-use, and data-in-transit. 
To address adversary-in-the-middle threats, the organization ensures that all wired and wireless traffic is encrypted appropriately, employs best practices for authentication protocols such as Kerberos, and protects web traffic containing credentials using SSL/TLS."}, {"divider": true}, {"name": "control", "value": "PR.PS-01.08"}, {"name": "comment", "value": "This diagnostic statement protects against Adversary-in-the-Middle through the use of limiting access to resources to only authorized devices, management of personal computing devices, network intrusion prevention, and the use of antimalware."}]}, {"techniqueID": "T1557.002", "score": 12, "comment": " Related to: \n \u2022PR.PS-01.07\n\u2022PR.IR-04.01\n\u2022PR.PS-01.05\n\u2022PR.IR-01.06\n\u2022PR.IR-01.01\n\u2022PR.IR-01.03\n\u2022PR.DS-01.01\n\u2022PR.PS-01.06\n\u2022PR.IR-01.02\n\u2022DE.AE-02.01\n\u2022DE.CM-01.01\n\u2022PR.PS-01.08", "metadata": [{"divider": true}, {"name": "control", "value": "DE.AE-02.01"}, {"name": "comment", "value": "This diagnostic statement provides for implementation of methods to block similar future attacks via security tools such as antivirus and IDS/IPS to provide protection against threats and exploitation attempts.\r\n"}, {"divider": true}, {"name": "control", "value": "PR.DS-01.01"}, {"name": "comment", "value": "This diagnostic statement focuses on protecting data-at-rest by implementing encryption and other security measures such as sandboxing, authentication, segregation, masking, tokenization, and file integrity monitoring."}, {"divider": true}, {"name": "control", "value": "DE.CM-01.01"}, {"name": "comment", "value": "The use of network intrusion detection and prevention systems can identify and possibly block traffic patterns indicative of AiTM activity. If so, these patterns can be mitigated at the network level, which helps block adversaries from poisoning ARP caches.
"}, {"divider": true}, {"name": "control", "value": "PR.PS-01.06"}, {"name": "comment", "value": "This diagnostic statement is associated with employing encryption methods to mitigate unauthorized access or theft of data that protect the confidentiality and integrity of data-at-rest, data-in-use, and data-in-transit. To address ARP Cache Poisoning, ensure that all wired and wireless traffic is encrypted appropriately, employ best practices for authentication protocols such as Kerberos, and protect web traffic containing credentials using SSL/TLS."}, {"divider": true}, {"name": "control", "value": "PR.PS-01.07"}, {"name": "comment", "value": "This diagnostic statement protects against Adversary-in-the-Middle: ARP Cache Poisoning through the use of revocation of keys and key management. Employing key protection strategies for key material used in identity management and authentication processes over networks, limitations to specific accounts along with access control mechanisms provides protection against adversary-in-the-middle."}, {"divider": true}, {"name": "control", "value": "PR.IR-01.01"}, {"name": "comment", "value": "This diagnostic statement is for the implementation of network segmentation which helps prevent access to critical systems and sensitive information. Isolating infrastructure components and blocking network traffic that is not necessary can mitigate, or at least alleviate, the scope of AiTM activity."}, {"divider": true}, {"name": "control", "value": "PR.IR-04.01"}, {"name": "comment", "value": "This diagnostic statement describes how the organization establishes and manages baseline measures of network activity. It is supported by network monitoring tools and other controls to detect events and identify incidents. 
Mitigating mechanisms may include: Data Loss Prevention (DLP); Filtering Network Traffic; Limit Network Traffic; Network Intrusion Prevention Systems (NIPS); and Network Segmentation for these types of network-based techniques."}, {"divider": true}, {"name": "control", "value": "PR.IR-01.02"}, {"name": "comment", "value": "This diagnostic statement provides protection through secure network device configurations (e.g., firewall rules, ports, and protocols) aligned to security baselines. Using network appliances to block or filter network traffic that is not necessary within the environment can prevent leveraging for AiTM conditions."}, {"divider": true}, {"name": "control", "value": "PR.IR-01.03"}, {"name": "comment", "value": "This diagnostic statement protects against ARP Cache Poisoning through the use of secure network configurations, architecture, implementations of zero trust architecture, and segmentation."}, {"divider": true}, {"name": "control", "value": "PR.IR-01.06"}, {"name": "comment", "value": "This diagnostic statement provides protections for production environments. Measures such as network segmentation and access control reduce the attack surface, restrict movement by adversaries, and protect critical assets and data from compromise."}, {"divider": true}, {"name": "control", "value": "PR.PS-01.05"}, {"name": "comment", "value": "This diagnostic statement is associated with employing strong encryption methods to mitigate unauthorized access or theft of data that protect the confidentiality and integrity of data-at-rest, data-in-use, and data-in-transit. 
To address ARP Cache Poisoning, ensure that all wired and wireless traffic is encrypted appropriately, employ best practices for authentication protocols such as Kerberos, and protect web traffic containing credentials using SSL/TLS."}, {"divider": true}, {"name": "control", "value": "PR.PS-01.08"}, {"name": "comment", "value": "This diagnostic statement protects against ARP Cache Poisoning through the use of limiting access to resources to only authorized devices, management of personal computing devices, network intrusion prevention, and the use of antimalware."}]}, {"techniqueID": "T1219", "score": 4, "comment": " Related to: \n \u2022DE.AE-02.01\n\u2022PR.IR-01.02\n\u2022PR.IR-01.03\n\u2022PR.PS-01.08", "metadata": [{"divider": true}, {"name": "control", "value": "DE.AE-02.01"}, {"name": "comment", "value": "This diagnostic statement provides for implementation of methods to block similar future attacks via security tools such as antivirus and IDS/IPS to provide protection against threats and exploitation attempts.\r\n"}, {"divider": true}, {"name": "control", "value": "PR.IR-01.02"}, {"name": "comment", "value": "This diagnostic statement provides protection through secure network device configurations (e.g., firewall rules, ports, and protocols) aligned to security baselines. 
Using network appliances to block or filter network traffic can mitigate adversary abuse of remote access software."}, {"divider": true}, {"name": "control", "value": "PR.IR-01.03"}, {"name": "comment", "value": "This diagnostic statement protects against Remote Access Software through the use of secure network configurations, architecture, implementations of zero trust architecture, and segmentation."}, {"divider": true}, {"name": "control", "value": "PR.PS-01.08"}, {"name": "comment", "value": "This diagnostic statement protects against Remote Access Software through the use of limiting access to resources to only authorized devices, management of personal computing devices, network intrusion prevention, and the use of antimalware."}]}, {"techniqueID": "T1218.015", "score": 2, "comment": " Related to: \n \u2022DE.AE-02.01\n\u2022PR.PS-05.02", "metadata": [{"divider": true}, {"name": "control", "value": "DE.AE-02.01"}, {"name": "comment", "value": "This diagnostic statement provides for implementation of methods to block similar future attacks via security tools such as antivirus and IDS/IPS to provide protection against threats and exploitation attempts.\r\n"}, {"divider": true}, {"name": "control", "value": "PR.PS-05.02"}, {"name": "comment", "value": "Mobile code procedures address specific actions taken to prevent the development, acquisition, and introduction of unacceptable mobile code within organizational systems, including requiring mobile code to be digitally signed by a trusted source."}]}, {"techniqueID": "T1218.010", "score": 1, "comment": " Related to: \n \u2022DE.AE-02.01", "metadata": [{"divider": true}, {"name": "control", "value": "DE.AE-02.01"}, {"name": "comment", "value": "This diagnostic statement provides for implementation of methods to block similar future attacks via security tools such as antivirus and IDS/IPS to provide protection against threats and exploitation attempts.\r\n"}]}, {"techniqueID": "T1218.011", "score": 1, "comment": " 
Related to: \n \u2022DE.AE-02.01", "metadata": [{"divider": true}, {"name": "control", "value": "DE.AE-02.01"}, {"name": "comment", "value": "This diagnostic statement provides for implementation of methods to block similar future attacks via security tools such as antivirus and IDS/IPS to provide protection against threats and exploitation attempts.\r\n"}]}, {"techniqueID": "T1218", "score": 8, "comment": " Related to: \n \u2022DE.CM-06.02\n\u2022PR.IR-01.06\n\u2022PR.IR-01.03\n\u2022PR.IR-01.02\n\u2022DE.AE-02.01\n\u2022DE.CM-01.05\n\u2022PR.AA-05.02\n\u2022PR.PS-01.08", "metadata": [{"divider": true}, {"name": "control", "value": "DE.AE-02.01"}, {"name": "comment", "value": "This diagnostic statement provides for implementation of methods to block similar future attacks via security tools such as antivirus and IDS/IPS to provide protection against threats and exploitation attempts.\r\n"}, {"divider": true}, {"name": "control", "value": "PR.IR-01.02"}, {"name": "comment", "value": "This diagnostic statement provides protection through secure network device configurations (e.g., firewall rules, ports, and protocols) aligned to security baselines. Using network appliances to block or filter network traffic can help to mitigate this technique."}, {"divider": true}, {"name": "control", "value": "PR.AA-05.02"}, {"name": "comment", "value": "This diagnostic statement protects against System Binary Proxy Execution through the use of privileged account management and the use of multi-factor authentication."}, {"divider": true}, {"name": "control", "value": "DE.CM-06.02"}, {"name": "comment", "value": "This diagnostic statement protects against System Binary Proxy Execution through the use of privileged account management. 
Employing auditing, privileged access management, and just-in-time access protects against adversaries trying to obtain illicit access to critical systems."}, {"divider": true}, {"name": "control", "value": "DE.CM-01.05"}, {"name": "comment", "value": "This diagnostic statement can help prevent execution of malicious content with signed files or trusted binaries through tools and measures restricting or blocking certain websites, blocking downloads/attachments, and restricting browser extensions."}, {"divider": true}, {"name": "control", "value": "PR.IR-01.03"}, {"name": "comment", "value": "This diagnostic statement protects against System Binary Proxy Execution through the use of secure network configurations, architecture, implementations of zero trust architecture, and segmentation."}, {"divider": true}, {"name": "control", "value": "PR.IR-01.06"}, {"name": "comment", "value": "This diagnostic statement provides protections for production environments. Measures such as network segmentation and access control reduce the attack surface, restrict movement by adversaries, and protect critical assets and data from compromise."}, {"divider": true}, {"name": "control", "value": "PR.PS-01.08"}, {"name": "comment", "value": "This diagnostic statement protects against System Binary Proxy Execution through the use of limiting access to resources to only authorized devices, management of personal computing devices, network intrusion prevention, and the use of antimalware."}]}, {"techniqueID": "T1210", "score": 14, "comment": " Related to: \n \u2022DE.CM-06.02\n\u2022PR.PS-06.05\n\u2022PR.PS-01.09\n\u2022PR.PS-05.02\n\u2022ID.RA-01.03\n\u2022PR.PS-02.01\n\u2022DE.CM-03.03\n\u2022PR.IR-01.06\n\u2022PR.IR-01.01\n\u2022PR.AA-05.03\n\u2022DE.AE-02.01\n\u2022EX.DD-04.01\n\u2022PR.AA-05.02\n\u2022PR.PS-06.06", "metadata": [{"divider": true}, {"name": "control", "value": "DE.AE-02.01"}, {"name": "comment", "value": "This diagnostic statement provides for implementation of methods 
to block similar future attacks via security tools such as antivirus and IDS/IPS to provide protection against threats and exploitation attempts.\r\n"}, {"divider": true}, {"name": "control", "value": "PR.AA-05.02"}, {"name": "comment", "value": "This diagnostic statement protects against Exploitation of Remote Services through the use of privileged account management and the use of multi-factor authentication."}, {"divider": true}, {"name": "control", "value": "DE.CM-06.02"}, {"name": "comment", "value": "This diagnostic statement protects against Exploitation of Remote Services through the use of privileged account management. Employing auditing, privileged access management, and just-in-time access protects against adversaries trying to obtain illicit access to critical systems."}, {"divider": true}, {"name": "control", "value": "PR.PS-06.05"}, {"name": "comment", "value": "This particular diagnostic statement highlights the use of software security testing, code integrity verifications, and vulnerability scanning to mitigate security weaknesses and vulnerabilities in developed code or applications that an adversary may be able to take advantage of."}, {"divider": true}, {"name": "control", "value": "ID.RA-01.03"}, {"name": "comment", "value": "This diagnostic statement provides protection from vulnerabilities in exposed applications from across the organization through the use of tools that scan for and review vulnerabilities along with patch management and remediation of those vulnerabilities."}, {"divider": true}, {"name": "control", "value": "PR.PS-02.01"}, {"name": "comment", "value": "This diagnostic statement is related to the implementation of a patch management program. Applying patches and upgrades for products and systems provided by vendors mitigates the risk of adversaries exploiting known vulnerabilities. 
For example, updating software regularly by employing patch management for internal enterprise endpoints and servers can mitigate exploitation of remote services."}, {"divider": true}, {"name": "control", "value": "PR.PS-06.06"}, {"name": "comment", "value": "This diagnostic statement provides for identifying and remediating vulnerabilities as part of the SDLC. Ensuring software is up-to-date with the latest security patches helps prevent adversaries from exploiting known vulnerabilities, reducing the risk of successful attacks."}, {"divider": true}, {"name": "control", "value": "PR.PS-05.02"}, {"name": "comment", "value": "Mobile code procedures address specific actions taken to prevent the development, acquisition, and introduction of unacceptable mobile code within organizational systems, including requiring mobile code to be digitally signed by a trusted source."}, {"divider": true}, {"name": "control", "value": "PR.AA-05.03"}, {"name": "comment", "value": "This diagnostic statement is for the implementation of security controls for service accounts (i.e., accounts used by systems to access other systems). Minimize permissions and access for service accounts to limit impact of exploitation."}, {"divider": true}, {"name": "control", "value": "DE.CM-03.03"}, {"name": "comment", "value": "This diagnostic statement implements mechanisms and tools to mitigate potential misuse of privileged users and accounts. Continuous monitoring of role and attribute assignments and activity is essential to prevent and detect unauthorized access or misuse."}, {"divider": true}, {"name": "control", "value": "EX.DD-04.01"}, {"name": "comment", "value": "This diagnostic statement describes the organization's formal process for evaluating externally-sourced applications, software, and firmware by assessing compatibility, security, integrity, and authenticity before deployment and after major changes. 
For example, requiring the use of vulnerability scanning of third-party application development to scan for common vulnerabilities like SQL injection or cross-site scripting (XSS), including the use of regular scans post major changes to identify newly introduced vulnerabilities."}, {"divider": true}, {"name": "control", "value": "PR.IR-01.01"}, {"name": "comment", "value": "This diagnostic statement is for the implementation of network segmentation which helps prevent access to critical systems and sensitive information. Segment externally facing networks and systems appropriately to mitigate exploitation of remote services."}, {"divider": true}, {"name": "control", "value": "PR.PS-01.09"}, {"name": "comment", "value": "The diagnostic statement highlights several mechanisms that organizations can implement to protect endpoint systems using virtualization technologies. Virtualization technologies provide a layer of isolation and containment to isolate and contain the impact of potential compromises. When it comes to this exploitation technique, consider making it difficult for adversaries to advance their operation through exploitation of undiscovered or unpatched vulnerabilities by using sandboxing. Other types of virtualization and application microsegmentation may also mitigate the impact of some types of exploitation."}, {"divider": true}, {"name": "control", "value": "PR.IR-01.06"}, {"name": "comment", "value": "This diagnostic statement provides protections for production environments. 
Measures such as network segmentation and access control reduce the attack surface, restrict movement by adversaries, and protect critical assets and data from compromise."}]}, {"techniqueID": "T1068", "score": 5, "comment": " Related to: \n \u2022PR.PS-06.05\n\u2022PR.PS-01.09\n\u2022PR.PS-02.01\n\u2022DE.AE-02.01\n\u2022PR.PS-06.06", "metadata": [{"divider": true}, {"name": "control", "value": "DE.AE-02.01"}, {"name": "comment", "value": "This diagnostic statement provides for implementation of methods to block similar future attacks via security tools such as antivirus and IDS/IPS to provide protection against threats and exploitation attempts.\r\n"}, {"divider": true}, {"name": "control", "value": "PR.PS-06.06"}, {"name": "comment", "value": "This diagnostic statement provides for identifying and remediating vulnerabilities as part of the SDLC. Ensuring software is up-to-date with the latest security patches helps prevent adversaries from exploiting known vulnerabilities, reducing the risk of successful attacks."}, {"divider": true}, {"name": "control", "value": "PR.PS-06.05"}, {"name": "comment", "value": "This particular diagnostic statement highlights the use of software security testing, code integrity verifications, and vulnerability scanning to mitigate security weaknesses and vulnerabilities in developed code or applications that an adversary may be able to take advantage of."}, {"divider": true}, {"name": "control", "value": "PR.PS-02.01"}, {"name": "comment", "value": "This diagnostic statement is related to the implementation of a patch management program. Applying patches and upgrades for products and systems provided by vendors mitigates the risk of adversaries exploiting known vulnerabilities. 
For example, updating software regularly by employing patch management for internal enterprise endpoints and servers can help prevent adversary exploitation of software vulnerabilities to elevate privileges."}, {"divider": true}, {"name": "control", "value": "PR.PS-01.09"}, {"name": "comment", "value": "The diagnostic statement highlights several mechanisms that organizations can implement to protect endpoint systems using virtualization technologies. Virtualization technologies provide a layer of isolation and containment to isolate and contain the impact of potential compromises. When it comes to this exploitation technique, consider making it difficult for adversaries to advance their operation through exploitation of undiscovered or unpatched vulnerabilities by using sandboxing. Other types of virtualization and application microsegmentation may also mitigate the impact of some types of exploitation."}]}, {"techniqueID": "T1211", "score": 7, "comment": " Related to: \n \u2022PR.PS-06.05\n\u2022PR.PS-01.09\n\u2022PR.PS-05.02\n\u2022ID.RA-01.03\n\u2022PR.PS-02.01\n\u2022DE.AE-02.01\n\u2022PR.PS-06.06", "metadata": [{"divider": true}, {"name": "control", "value": "DE.AE-02.01"}, {"name": "comment", "value": "This diagnostic statement provides for implementation of methods to block similar future attacks via security tools such as antivirus and IDS/IPS to provide protection against threats and exploitation attempts.\r\n"}, {"divider": true}, {"name": "control", "value": "PR.PS-06.06"}, {"name": "comment", "value": "This diagnostic statement provides for identifying and remediating vulnerabilities as part of the SDLC. 
Ensuring software is up-to-date with the latest security patches helps prevent adversaries from exploiting known vulnerabilities, reducing the risk of successful attacks."}, {"divider": true}, {"name": "control", "value": "PR.PS-06.05"}, {"name": "comment", "value": "This particular diagnostic statement highlights the use of software security testing, code integrity verifications, and vulnerability scanning to mitigate security weaknesses and vulnerabilities in developed code or applications that an adversary may be able to take advantage of."}, {"divider": true}, {"name": "control", "value": "ID.RA-01.03"}, {"name": "comment", "value": "This diagnostic statement provides protection from vulnerabilities in exposed applications from across the organization through the use of tools that scan for and review vulnerabilities along with patch management and remediation of those vulnerabilities."}, {"divider": true}, {"name": "control", "value": "PR.PS-02.01"}, {"name": "comment", "value": "This diagnostic statement is related to the implementation of a patch management program. Applying patches and upgrades for products and systems provided by vendors mitigates the risk of adversaries exploiting known vulnerabilities. 
For example, updating software regularly by employing patch management for internal enterprise endpoints and servers can help prevent adversary exploitation of a system or application vulnerability to bypass security features."}, {"divider": true}, {"name": "control", "value": "PR.PS-05.02"}, {"name": "comment", "value": "Mobile code procedures address specific actions taken to prevent the development, acquisition, and introduction of unacceptable mobile code within organizational systems, including requiring mobile code to be digitally signed by a trusted source."}, {"divider": true}, {"name": "control", "value": "PR.PS-01.09"}, {"name": "comment", "value": "The diagnostic statement highlights several mechanisms that organizations can implement to protect endpoint systems using virtualization technologies. Virtualization technologies provide a layer of isolation and containment to isolate and contain the impact of potential compromises. When it comes to this exploitation technique, consider making it difficult for adversaries to advance their operation through exploitation of undiscovered or unpatched vulnerabilities by using sandboxing. 
Other types of virtualization and application microsegmentation may also mitigate the impact of some types of exploitation."}]}, {"techniqueID": "T1212", "score": 9, "comment": " Related to: \n \u2022PR.PS-06.05\n\u2022PR.PS-01.09\n\u2022PR.PS-05.02\n\u2022ID.RA-01.03\n\u2022PR.PS-02.01\n\u2022PR.PS-06.07\n\u2022PR.PS-06.01\n\u2022DE.AE-02.01\n\u2022PR.PS-06.06", "metadata": [{"divider": true}, {"name": "control", "value": "DE.AE-02.01"}, {"name": "comment", "value": "This diagnostic statement provides for implementation of methods to block similar future attacks via security tools such as antivirus and IDS/IPS to provide protection against threats and exploitation attempts.\r\n"}, {"divider": true}, {"name": "control", "value": "PR.PS-06.01"}, {"name": "comment", "value": "This diagnostic statement protects against Exploitation for Credential Access through the implementation of measures in the application to validate authentication requests by enabling one-time passwords, providing timestamps or sequence numbers for messages sent, using digital signatures, and/or using random session keys."}, {"divider": true}, {"name": "control", "value": "PR.PS-06.05"}, {"name": "comment", "value": "This particular diagnostic statement highlights the use of software security testing, code integrity verifications, and vulnerability scanning to mitigate security weaknesses and vulnerabilities in developed code or applications that an adversary may be able to take advantage of."}, {"divider": true}, {"name": "control", "value": "ID.RA-01.03"}, {"name": "comment", "value": "This diagnostic statement provides protection from vulnerabilities in exposed applications from across the organization through the use of tools that scan for and review vulnerabilities along with patch management and remediation of those vulnerabilities."}, {"divider": true}, {"name": "control", "value": "PR.PS-02.01"}, {"name": "comment", "value": "This diagnostic statement is related to the implementation of 
a patch management program. Applying patches and upgrades for products and systems provided by vendors mitigates the risk of adversaries exploiting known vulnerabilities. For example, updating software regularly by employing patch management for internal enterprise endpoints and servers can help prevent adversary exploitation of software vulnerabilities to collect credentials."}, {"divider": true}, {"name": "control", "value": "PR.PS-06.06"}, {"name": "comment", "value": "This diagnostic statement provides for identifying and remediating vulnerabilities as part of the SDLC. Ensuring software is up-to-date with the latest security patches helps prevent adversaries from exploiting known vulnerabilities, reducing the risk of successful attacks."}, {"divider": true}, {"name": "control", "value": "PR.PS-05.02"}, {"name": "comment", "value": "Mobile code procedures address specific actions taken to prevent the development, acquisition, and introduction of unacceptable mobile code within organizational systems, including requiring mobile code to be digitally signed by a trusted source."}, {"divider": true}, {"name": "control", "value": "PR.PS-01.09"}, {"name": "comment", "value": "The diagnostic statement highlights several mechanisms that organizations can implement to protect endpoint systems using virtualization technologies. Virtualization technologies provide a layer of isolation and containment to isolate and contain the impact of potential compromises. When it comes to this exploitation technique, consider making it difficult for adversaries to advance their operation through exploitation of undiscovered or unpatched vulnerabilities by using sandboxing. 
Other types of virtualization and application microsegmentation may also mitigate the impact of some types of exploitation."}, {"divider": true}, {"name": "control", "value": "PR.PS-06.07"}, {"name": "comment", "value": "This diagnostic statement protects against Exploitation for Credential Access through the use of DevSecOps, secure development lifecycle, and application developer guidance. Exploitable weaknesses can be mitigated through secure code, reduced vulnerabilities, and secure design principles."}]}, {"techniqueID": "T1203", "score": 6, "comment": " Related to: \n \u2022PR.PS-06.05\n\u2022PR.PS-01.09\n\u2022PR.PS-05.02\n\u2022ID.RA-01.03\n\u2022DE.AE-02.01\n\u2022PR.PS-06.06", "metadata": [{"divider": true}, {"name": "control", "value": "DE.AE-02.01"}, {"name": "comment", "value": "This diagnostic statement provides for implementation of methods to block similar future attacks via security tools such as antivirus and IDS/IPS to provide protection against threats and exploitation attempts.\r\n"}, {"divider": true}, {"name": "control", "value": "PR.PS-06.06"}, {"name": "comment", "value": "This diagnostic statement provides for identifying and remediating vulnerabilities as part of the SDLC. 
Ensuring software is up-to-date with the latest security patches helps prevent adversaries from exploiting known vulnerabilities, reducing the risk of successful attacks."}, {"divider": true}, {"name": "control", "value": "PR.PS-06.05"}, {"name": "comment", "value": "This particular diagnostic statement highlights the use of software security testing, code integrity verifications, and vulnerability scanning to mitigate security weaknesses and vulnerabilities in developed code or applications that an adversary may be able to take advantage of."}, {"divider": true}, {"name": "control", "value": "ID.RA-01.03"}, {"name": "comment", "value": "This diagnostic statement provides protection from vulnerabilities in exposed applications from across the organization through the use of tools that scan for and review vulnerabilities along with patch management and remediation of those vulnerabilities."}, {"divider": true}, {"name": "control", "value": "PR.PS-05.02"}, {"name": "comment", "value": "Mobile code procedures address specific actions taken to prevent the development, acquisition, and introduction of unacceptable mobile code within organizational systems, including requiring mobile code to be digitally signed by a trusted source."}, {"divider": true}, {"name": "control", "value": "PR.PS-01.09"}, {"name": "comment", "value": "The diagnostic statement highlights several mechanisms that organizations can implement to protect endpoint systems using virtualization technologies. Virtualization technologies provide a layer of isolation and containment to isolate and contain the impact of potential compromises. When it comes to this exploitation technique, consider making it difficult for adversaries to advance their operation through exploitation of undiscovered or unpatched vulnerabilities by using sandboxing. 
Other types of virtualization and application microsegmentation may also mitigate the impact of some types of exploitation."}]}, {"techniqueID": "T1189", "score": 5, "comment": " Related to: \n \u2022PR.PS-01.09\n\u2022PR.PS-05.02\n\u2022PR.PS-02.01\n\u2022DE.AE-02.01\n\u2022DE.CM-01.05", "metadata": [{"divider": true}, {"name": "control", "value": "DE.AE-02.01"}, {"name": "comment", "value": "This diagnostic statement provides for implementation of methods to block similar future attacks via security tools such as antivirus and IDS/IPS to provide protection against threats and exploitation attempts.\r\n"}, {"divider": true}, {"name": "control", "value": "PR.PS-02.01"}, {"name": "comment", "value": "This diagnostic statement is related to the implementation of a patch management program. Applying patches and upgrades for products and systems provided by vendors mitigates the risk of adversaries exploiting known vulnerabilities. For example, ensure all browsers and plugins are kept updated to help prevent the exploit phase of Drive-by Compromise."}, {"divider": true}, {"name": "control", "value": "PR.PS-05.02"}, {"name": "comment", "value": "Mobile code procedures address specific actions taken to prevent the development, acquisition, and introduction of unacceptable mobile code within organizational systems, including requiring mobile code to be digitally signed by a trusted source."}, {"divider": true}, {"name": "control", "value": "DE.CM-01.05"}, {"name": "comment", "value": "This diagnostic statement helps mitigate drive-by compromise through the implementation of tools and measures such as adblockers to prevent and block malicious code execution and script blocking extensions to block execution of scripts."}, {"divider": true}, {"name": "control", "value": "PR.PS-01.09"}, {"name": "comment", "value": "The diagnostic statement highlights several mechanisms that organizations can implement to protect endpoint systems using virtualization technologies. 
Virtualization technologies provide a layer of isolation and containment to isolate and contain the impact of potential compromises. When it comes to the Drive-By-Compromise, browser sandboxes can be used to mitigate some of the impact of exploitation, but sandbox escapes may still exist. Other types of virtualization and application micro-segmentation may also mitigate the impact of client-side exploitation from the virtualized machine."}]}, {"techniqueID": "T1221", "score": 7, "comment": " Related to: \n \u2022PR.PS-01.08\n\u2022PR.PS-01.01\n\u2022PR.IR-01.03\n\u2022DE.AE-02.01\n\u2022PR.PS-05.01\n\u2022DE.CM-01.01\n\u2022PR.IR-01.08", "metadata": [{"divider": true}, {"name": "control", "value": "DE.AE-02.01"}, {"name": "comment", "value": "This diagnostic statement provides for implementation of methods to block similar future attacks via security tools such as antivirus and IDS/IPS to provide protection against threats and exploitation attempts.\r\n"}, {"divider": true}, {"name": "control", "value": "PR.IR-01.08"}, {"name": "comment", "value": "This diagnostic statement implements technical controls (e.g., VPN, antivirus software) to address the risks of end-user personal computing devices accessing the organization\u2019s network and resources."}, {"divider": true}, {"name": "control", "value": "PR.PS-05.01"}, {"name": "comment", "value": "Antivirus/Antimalware software can be utilized to prevent documents from fetching and/or executing malicious payloads."}, {"divider": true}, {"name": "control", "value": "PR.PS-01.01"}, {"name": "comment", "value": "This diagnostic statement provides for securely configuring production systems. 
This includes hardening default configurations and making security-focused setting adjustments to reduce the attack surface, enforce best practices, and protect sensitive data thereby mitigating adversary exploitation."}, {"divider": true}, {"name": "control", "value": "DE.CM-01.01"}, {"name": "comment", "value": "Network/Host intrusion prevention systems, antivirus, and detonation chambers can be employed to prevent documents from fetching and/or executing malicious payloads that adversaries can steal in document templates."}, {"divider": true}, {"name": "control", "value": "PR.IR-01.03"}, {"name": "comment", "value": "This diagnostic statement protects against Template Injection through the use of secure network configurations, architecture, implementations of zero trust architecture, and segmentation."}, {"divider": true}, {"name": "control", "value": "PR.PS-01.08"}, {"name": "comment", "value": "This diagnostic statement protects against Template Injection through the use of limiting access to resources to only authorized devices, management of personal computing devices, network intrusion prevention, and the use of antimalware."}]}, {"techniqueID": "T1080", "score": 5, "comment": " Related to: \n \u2022PR.IR-01.08\n\u2022PR.PS-01.09\n\u2022DE.AE-02.01\n\u2022PR.PS-05.01\n\u2022PR.PS-01.08", "metadata": [{"divider": true}, {"name": "control", "value": "DE.AE-02.01"}, {"name": "comment", "value": "This diagnostic statement provides for implementation of methods to block similar future attacks via security tools such as antivirus and IDS/IPS to provide protection against threats and exploitation attempts.\r\n"}, {"divider": true}, {"name": "control", "value": "PR.IR-01.08"}, {"name": "comment", "value": "This diagnostic statement implements technical controls (e.g., VPN, antivirus software) to address the risks of end-user personal computing devices accessing the organization\u2019s network and resources."}, {"divider": true}, {"name": "control", "value": 
"PR.PS-05.01"}, {"name": "comment", "value": "Antivirus/Antimalware software can be utilized to detect and quarantine suspicious files."}, {"divider": true}, {"name": "control", "value": "PR.PS-01.09"}, {"name": "comment", "value": "The diagnostic statement highlights several mechanisms that organizations can implement to protect endpoint systems using virtualization technologies, essentially hypervisor hardening. With this technique, adversaries may deliver payloads to host systems by adding content to shared storage and file locations, such as a shared directory between the host and virtual machine. Hypervisor hardening can restrict or limit the ability of the virtualized machine to taint shared content, making it harder for attackers to manipulate shared content."}, {"divider": true}, {"name": "control", "value": "PR.PS-01.08"}, {"name": "comment", "value": "This diagnostic statement protects against Taint Shared Content through the use of limiting access to resources to only authorized devices, management of personal computing devices, network intrusion prevention, and the use of antimalware."}]}, {"techniqueID": "T1027.002", "score": 5, "comment": " Related to: \n \u2022PR.IR-01.08\n\u2022PR.PS-01.01\n\u2022DE.AE-02.01\n\u2022PR.PS-05.01\n\u2022PR.PS-01.08", "metadata": [{"divider": true}, {"name": "control", "value": "DE.AE-02.01"}, {"name": "comment", "value": "This diagnostic statement provides for implementation of methods to block similar future attacks via security tools such as antivirus and IDS/IPS to provide protection against threats and exploitation attempts.\r\n"}, {"divider": true}, {"name": "control", "value": "PR.IR-01.08"}, {"name": "comment", "value": "This diagnostic statement implements technical controls (e.g., VPN, antivirus software) to address the risks of end-user personal computing devices accessing the organization\u2019s network and resources."}, {"divider": true}, {"name": "control", "value": "PR.PS-01.01"}, {"name": "comment", 
"value": "This diagnostic statement provides for securely configuring production systems. This includes hardening default configurations and making security-focused setting adjustments to reduce the attack surface, enforce best practices, and protect sensitive data thereby mitigating adversary exploitation."}, {"divider": true}, {"name": "control", "value": "PR.PS-05.01"}, {"name": "comment", "value": "Heuristic-based malware detection and signatures for observed malware can be used to identify known software packers or artifacts of packing techniques that conceal malicious content."}, {"divider": true}, {"name": "control", "value": "PR.PS-01.08"}, {"name": "comment", "value": "This diagnostic statement protects against Software Packing through the use of limiting access to resources to only authorized devices, management of personal computing devices, network intrusion prevention, and the use of antimalware."}]}, {"techniqueID": "T1027.013", "score": 5, "comment": " Related to: \n \u2022PR.IR-01.08\n\u2022PR.PS-01.01\n\u2022DE.AE-02.01\n\u2022PR.PS-05.01\n\u2022PR.PS-01.08", "metadata": [{"divider": true}, {"name": "control", "value": "DE.AE-02.01"}, {"name": "comment", "value": "This diagnostic statement provides for implementation of methods to block similar future attacks via security tools such as antivirus and IDS/IPS to provide protection against threats and exploitation attempts.\r\n"}, {"divider": true}, {"name": "control", "value": "PR.IR-01.08"}, {"name": "comment", "value": "This diagnostic statement implements technical controls (e.g., VPN, antivirus software) to address the risks of end-user personal computing devices accessing the organization\u2019s network and resources."}, {"divider": true}, {"name": "control", "value": "PR.PS-01.01"}, {"name": "comment", "value": "This diagnostic statement provides for securely configuring production systems. 
This includes hardening default configurations and making security-focused setting adjustments to reduce the attack surface, enforce best practices, and protect sensitive data thereby mitigating adversary exploitation."}, {"divider": true}, {"name": "control", "value": "PR.PS-05.01"}, {"name": "comment", "value": "Antivirus/Antimalware software can be utilized to detect and quarantine suspicious files that adversaries have made difficult to discover by encrypting, encoding or obfuscating."}, {"divider": true}, {"name": "control", "value": "PR.PS-01.08"}, {"name": "comment", "value": "This diagnostic statement protects against Encrypted/Encoded File through the use of limiting access to resources to only authorized devices, management of personal computing devices, network intrusion prevention, and the use of antimalware."}]}, {"techniqueID": "T1027.014", "score": 5, "comment": " Related to: \n \u2022PR.IR-01.08\n\u2022PR.PS-01.01\n\u2022DE.AE-02.01\n\u2022PR.PS-05.01\n\u2022PR.PS-01.08", "metadata": [{"divider": true}, {"name": "control", "value": "DE.AE-02.01"}, {"name": "comment", "value": "This diagnostic statement provides for implementation of methods to block similar future attacks via security tools such as antivirus and IDS/IPS to provide protection against threats and exploitation attempts.\r\n"}, {"divider": true}, {"name": "control", "value": "PR.IR-01.08"}, {"name": "comment", "value": "This diagnostic statement implements technical controls (e.g., VPN, antivirus software) to address the risks of end-user personal computing devices accessing the organization\u2019s network and resources."}, {"divider": true}, {"name": "control", "value": "PR.PS-01.01"}, {"name": "comment", "value": "This diagnostic statement provides for securely configuring production systems. 
This includes hardening default configurations and making security-focused setting adjustments to reduce the attack surface, enforce best practices, and protect sensitive data thereby mitigating adversary exploitation."}, {"divider": true}, {"name": "control", "value": "PR.PS-05.01"}, {"name": "comment", "value": "Antivirus/Antimalware software can be utilized to detect and quarantine suspicious files that adversaries have made difficult to discover by encrypting, encoding or obfuscating."}, {"divider": true}, {"name": "control", "value": "PR.PS-01.08"}, {"name": "comment", "value": "This diagnostic statement protects against Polymorphic Code through the use of limiting access to resources to only authorized devices, management of personal computing devices, network intrusion prevention, and the use of antimalware."}]}, {"techniqueID": "T1566", "score": 11, "comment": " Related to: \n \u2022PR.PS-01.01\n\u2022PR.AA-03.03\n\u2022PR.AA-01.01\n\u2022PR.PS-05.03\n\u2022PR.IR-01.03\n\u2022DE.CM-01.05\n\u2022PR.PS-01.02\n\u2022DE.AE-02.01\n\u2022PR.PS-05.01\n\u2022PR.PS-01.03\n\u2022DE.CM-01.01", "metadata": [{"divider": true}, {"name": "control", "value": "DE.AE-02.01"}, {"name": "comment", "value": "This diagnostic statement provides for implementation of methods to block similar future attacks via security tools such as antivirus and IDS/IPS to provide protection against threats and exploitation attempts.\r\n"}, {"divider": true}, {"name": "control", "value": "PR.PS-01.01"}, {"name": "comment", "value": "This diagnostic statement provides for securely configuring production systems. 
This includes hardening default configurations and making security-focused setting adjustments to reduce the attack surface, enforce best practices, and protect sensitive data thereby mitigating adversary exploitation."}, {"divider": true}, {"name": "control", "value": "PR.PS-01.02"}, {"name": "comment", "value": "This diagnostic statement provides for limiting unnecessary software, services, ports, protocols, etc. Ensuring systems only have installed and enabled what is essential for their operation reduces the attack surface and minimizes vulnerabilities, which mitigates a wide range of techniques."}, {"divider": true}, {"name": "control", "value": "PR.AA-03.03"}, {"name": "comment", "value": "This diagnostic statement provides protection from phishing attacks through the implementation of software configuration methods, such as anti-spoofing and email authentication."}, {"divider": true}, {"name": "control", "value": "PR.PS-05.01"}, {"name": "comment", "value": "Antivirus/Antimalware software can be utilized to detect and quarantine suspicious files and links, protecting against harmful files, websites, and downloads."}, {"divider": true}, {"name": "control", "value": "DE.CM-01.01"}, {"name": "comment", "value": "This diagnostic statement utilizes tools such as network intrusion prevention systems to identify, scan and block malicious email or links that can be clicked on by users in their emails. Also, anti-virus can be used to quarantine suspicious files."}, {"divider": true}, {"name": "control", "value": "PR.PS-01.03"}, {"name": "comment", "value": "This diagnostic statement provides protection from Phishing through the implementation of security configuration baselines for OS, software, file integrity monitoring and imaging. 
Security baseline configuration that uses anti-spoofing, email authentication mechanisms, blocking of non-essential sites or attachment types, encryption of credential data, and integrity checking can help protect against adversaries attempting to access systems."}, {"divider": true}, {"name": "control", "value": "PR.PS-05.03"}, {"name": "comment", "value": "Network intrusion prevention techniques can be utilized to remove malicious email attachment or link to prevent/block activity where phishing messages can be sent to users."}, {"divider": true}, {"name": "control", "value": "DE.CM-01.05"}, {"name": "comment", "value": "This diagnostic statement provides for implementing tools and measures such as filtering messages and restricting certain websites or attachment types, which can help block phishing attempts."}, {"divider": true}, {"name": "control", "value": "PR.IR-01.03"}, {"name": "comment", "value": "This diagnostic statement protects against Phishing through the use of secure network configurations, architecture, implementations of zero trust architecture, and segmentation."}, {"divider": true}, {"name": "control", "value": "PR.AA-01.01"}, {"name": "comment", "value": "This diagnostic statement protects against Phishing through the use of hardened access control policies, secure defaults, password complexity requirements, multifactor authentication requirements, and removal of terminated accounts."}]}, {"techniqueID": "T1566.001", "score": 11, "comment": " Related to: \n \u2022PR.PS-01.01\n\u2022PR.AA-03.03\n\u2022PR.AA-01.01\n\u2022PR.PS-05.03\n\u2022PR.IR-01.03\n\u2022DE.CM-01.05\n\u2022PR.PS-01.02\n\u2022DE.AE-02.01\n\u2022PR.PS-05.01\n\u2022DE.CM-01.01\n\u2022PR.PS-01.08", "metadata": [{"divider": true}, {"name": "control", "value": "DE.AE-02.01"}, {"name": "comment", "value": "This diagnostic statement provides for implementation of methods to block similar future attacks via security tools such as antivirus and IDS/IPS to provide protection against 
threats and exploitation attempts.\r\n"}, {"divider": true}, {"name": "control", "value": "PR.PS-01.01"}, {"name": "comment", "value": "This diagnostic statement provides for securely configuring production systems. This includes hardening default configurations and making security-focused setting adjustments to reduce the attack surface, enforce best practices, and protect sensitive data thereby mitigating adversary exploitation."}, {"divider": true}, {"name": "control", "value": "PR.PS-01.02"}, {"name": "comment", "value": "This diagnostic statement provides for limiting unnecessary software, services, ports, protocols, etc. Ensuring systems only have installed and enabled what is essential for their operation reduces the attack surface and minimizes vulnerabilities, which mitigates a wide range of techniques."}, {"divider": true}, {"name": "control", "value": "PR.AA-03.03"}, {"name": "comment", "value": "This diagnostic statement provides protection from phishing attacks through the implementation of software configuration methods, such as anti-spoofing and email authentication. Enabling mechanisms like SPF and DKIM adds protection against adversaries that may send spearphishing emails with a malicious attachment."}, {"divider": true}, {"name": "control", "value": "PR.PS-05.01"}, {"name": "comment", "value": "Antivirus/Antimalware software can be utilized to detect and quarantine suspicious files and links, protecting against harmful files, websites, and downloads."}, {"divider": true}, {"name": "control", "value": "DE.CM-01.01"}, {"name": "comment", "value": "This diagnostic statement utilizes tools such as network intrusion prevention systems to identify, scan and block malicious email attachments that can be clicked on by users in their emails. 
Also, anti-virus can be used to quarantine suspicious files."}, {"divider": true}, {"name": "control", "value": "PR.PS-05.03"}, {"name": "comment", "value": "Network intrusion prevention techniques can be utilized to remove malicious email attachment or link to prevent/block activity where phishing messages can be sent to users."}, {"divider": true}, {"name": "control", "value": "DE.CM-01.05"}, {"name": "comment", "value": "This diagnostic statement provides for implementing tools and measures such as filtering messages and restricting certain websites or attachment types, which can help block phishing attempts."}, {"divider": true}, {"name": "control", "value": "PR.IR-01.03"}, {"name": "comment", "value": "This diagnostic statement protects against Spearphishing Attachment through the use of secure network configurations, architecture, implementations of zero trust architecture, and segmentation."}, {"divider": true}, {"name": "control", "value": "PR.AA-01.01"}, {"name": "comment", "value": "This diagnostic statement protects against Spearphishing Attachment through the use of hardened access control policies, secure defaults, password complexity requirements, multifactor authentication requirements, and removal of terminated accounts."}, {"divider": true}, {"name": "control", "value": "PR.PS-01.08"}, {"name": "comment", "value": "This diagnostic statement protects against Spearphishing Attachment through the use of limiting access to resources to only authorized devices, management of personal computing devices, network intrusion prevention, and the use of antimalware."}]}, {"techniqueID": "T1566.003", "score": 7, "comment": " Related to: \n \u2022PR.PS-01.01\n\u2022PR.AA-01.01\n\u2022PR.PS-05.03\n\u2022DE.AE-02.01\n\u2022PR.PS-05.01\n\u2022DE.CM-01.05\n\u2022PR.PS-01.08", "metadata": [{"divider": true}, {"name": "control", "value": "DE.AE-02.01"}, {"name": "comment", "value": "This diagnostic statement provides for implementation of methods to block similar 
future attacks via security tools such as antivirus and IDS/IPS to provide protection against threats and exploitation attempts.\r\n"}, {"divider": true}, {"name": "control", "value": "PR.PS-01.01"}, {"name": "comment", "value": "This diagnostic statement provides for securely configuring production systems. This includes hardening default configurations and making security-focused setting adjustments to reduce the attack surface, enforce best practices, and protect sensitive data thereby mitigating adversary exploitation."}, {"divider": true}, {"name": "control", "value": "PR.PS-05.01"}, {"name": "comment", "value": "Antivirus/Antimalware software can be utilized to detect and quarantine suspicious files and links, protecting against harmful files, websites, and downloads."}, {"divider": true}, {"name": "control", "value": "PR.PS-05.03"}, {"name": "comment", "value": "Anti-virus can also automatically quarantine suspicious files sent through messages via services, social media, personal webmail, etc."}, {"divider": true}, {"name": "control", "value": "DE.CM-01.05"}, {"name": "comment", "value": "This diagnostic statement provides for implementing tools and measures such as filtering messages and restricting certain websites or attachment types, which can help block phishing attempts."}, {"divider": true}, {"name": "control", "value": "PR.AA-01.01"}, {"name": "comment", "value": "This diagnostic statement protects against Spearphishing via Service through the use of hardened access control policies, secure defaults, password complexity requirements, multifactor authentication requirements, and removal of terminated accounts."}, {"divider": true}, {"name": "control", "value": "PR.PS-01.08"}, {"name": "comment", "value": "This diagnostic statement protects against Spearphishing via Service through the use of limiting access to resources to only authorized devices, management of personal computing devices, network intrusion prevention, and the use of 
antimalware."}]}, {"techniqueID": "T1027", "score": 5, "comment": " Related to: \n \u2022PR.IR-01.08\n\u2022PR.PS-01.01\n\u2022DE.AE-02.01\n\u2022PR.PS-05.01\n\u2022PR.PS-01.08", "metadata": [{"divider": true}, {"name": "control", "value": "DE.AE-02.01"}, {"name": "comment", "value": "This diagnostic statement provides for implementation of methods to block similar future attacks via security tools such as antivirus and IDS/IPS to provide protection against threats and exploitation attempts.\r\n"}, {"divider": true}, {"name": "control", "value": "PR.IR-01.08"}, {"name": "comment", "value": "This diagnostic statement implements technical controls (e.g., VPN, antivirus software) to address the risks of end-user personal computing devices accessing the organization\u2019s network and resources."}, {"divider": true}, {"name": "control", "value": "PR.PS-05.01"}, {"name": "comment", "value": "Antivirus/Antimalware software can be utilized to detect and quarantine suspicious files that adversaries have made difficult to discover by encrypting, encoding, or obfuscating."}, {"divider": true}, {"name": "control", "value": "PR.PS-01.01"}, {"name": "comment", "value": "This diagnostic statement provides for securely configuring production systems. 
This includes hardening default configurations and making security-focused setting adjustments to reduce the attack surface, enforce best practices, and protect sensitive data thereby mitigating adversary exploitation."}, {"divider": true}, {"name": "control", "value": "PR.PS-01.08"}, {"name": "comment", "value": "This diagnostic statement protects against Obfuscated Files or Information through the use of limiting access to resources to only authorized devices, management of personal computing devices, network intrusion prevention, and the use of antimalware."}]}, {"techniqueID": "T1027.012", "score": 4, "comment": " Related to: \n \u2022DE.AE-02.01\n\u2022PR.PS-01.08\n\u2022PR.PS-01.01\n\u2022PR.IR-01.08", "metadata": [{"divider": true}, {"name": "control", "value": "DE.AE-02.01"}, {"name": "comment", "value": "This diagnostic statement provides for implementation of methods to block similar future attacks via security tools such as antivirus and IDS/IPS to provide protection against threats and exploitation attempts.\r\n"}, {"divider": true}, {"name": "control", "value": "PR.IR-01.08"}, {"name": "comment", "value": "This diagnostic statement implements technical controls (e.g., VPN, antivirus software) to address the risks of end-user personal computing devices accessing the organization\u2019s network and resources."}, {"divider": true}, {"name": "control", "value": "PR.PS-01.01"}, {"name": "comment", "value": "This diagnostic statement provides for securely configuring production systems. 
This includes hardening default configurations and making security-focused setting adjustments to reduce the attack surface, enforce best practices, and protect sensitive data thereby mitigating adversary exploitation."}, {"divider": true}, {"name": "control", "value": "PR.PS-01.08"}, {"name": "comment", "value": "This diagnostic statement protects against LNK Icon Smuggling through the use of limiting access to resources to only authorized devices, management of personal computing devices, network intrusion prevention, and the use of antimalware."}]}, {"techniqueID": "T1027.009", "score": 5, "comment": " Related to: \n \u2022PR.IR-01.08\n\u2022PR.PS-01.01\n\u2022DE.AE-02.01\n\u2022PR.PS-05.01\n\u2022PR.PS-01.08", "metadata": [{"divider": true}, {"name": "control", "value": "DE.AE-02.01"}, {"name": "comment", "value": "This diagnostic statement provides for implementation of methods to block similar future attacks via security tools such as antivirus and IDS/IPS to provide protection against threats and exploitation attempts.\r\n"}, {"divider": true}, {"name": "control", "value": "PR.IR-01.08"}, {"name": "comment", "value": "This diagnostic statement implements technical controls (e.g., VPN, antivirus software) to address the risks of end-user personal computing devices accessing the organization\u2019s network and resources."}, {"divider": true}, {"name": "control", "value": "PR.PS-01.01"}, {"name": "comment", "value": "This diagnostic statement provides for securely configuring production systems. 
This includes hardening default configurations and making security-focused setting adjustments to reduce the attack surface, enforce best practices, and protect sensitive data thereby mitigating adversary exploitation."}, {"divider": true}, {"name": "control", "value": "PR.PS-05.01"}, {"name": "comment", "value": "Antivirus/Antimalware software can be utilized to detect and quarantine suspicious files that adversaries have made difficult to discover by encrypting, encoding, or obfuscating."}, {"divider": true}, {"name": "control", "value": "PR.PS-01.08"}, {"name": "comment", "value": "This diagnostic statement protects against Embedded Payloads through the use of limiting access to resources to only authorized devices, management of personal computing devices, network intrusion prevention, and the use of antimalware."}]}, {"techniqueID": "T1036", "score": 11, "comment": " Related to: \n \u2022PR.PS-01.08\n\u2022PR.PS-05.02\n\u2022PR.PS-01.01\n\u2022EX.DD-04.01\n\u2022DE.CM-09.01\n\u2022PR.AA-01.01\n\u2022DE.AE-02.01\n\u2022PR.PS-05.01\n\u2022PR.PS-01.03\n\u2022DE.CM-01.01\n\u2022PR.IR-01.08", "metadata": [{"divider": true}, {"name": "control", "value": "DE.AE-02.01"}, {"name": "comment", "value": "This diagnostic statement provides for implementation of methods to block similar future attacks via security tools such as antivirus and IDS/IPS to provide protection against threats and exploitation attempts.\r\n"}, {"divider": true}, {"name": "control", "value": "PR.IR-01.08"}, {"name": "comment", "value": "This diagnostic statement implements technical controls (e.g., VPN, antivirus software) to address the risks of end-user personal computing devices accessing the organization\u2019s network and resources."}, {"divider": true}, {"name": "control", "value": "PR.PS-01.01"}, {"name": "comment", "value": "This diagnostic statement provides for securely configuring production systems. 
This includes hardening default configurations and making security-focused setting adjustments to reduce the attack surface, enforce best practices, and protect sensitive data thereby mitigating adversary exploitation."}, {"divider": true}, {"name": "control", "value": "DE.CM-09.01"}, {"name": "comment", "value": "This diagnostic statement protects against Masquerading through the use of verifying integrity of software/firmware, loading software that is trusted, ensuring privileged process integrity and checking software signatures."}, {"divider": true}, {"name": "control", "value": "PR.PS-05.01"}, {"name": "comment", "value": "Antivirus/Antimalware software can be utilized to detect and quarantine suspicious files that adversaries have manipulated to appear legitimate or benign."}, {"divider": true}, {"name": "control", "value": "DE.CM-01.01"}, {"name": "comment", "value": "Implementing methods similar to Host Intrusion Prevention (HIPS) can identify and prevent execution of malicious files and their metadata manipulated by adversaries."}, {"divider": true}, {"name": "control", "value": "PR.PS-01.03"}, {"name": "comment", "value": "This diagnostic statement provides protection from Masquerading through the implementation of security configuration baselines for OS, software, file integrity monitoring and imaging. 
Security baselining and integrity checking can help protect against adversaries attempting to compromise and modify software and its configurations."}, {"divider": true}, {"name": "control", "value": "PR.PS-05.02"}, {"name": "comment", "value": "Mobile code procedures address specific actions taken to prevent the development, acquisition, and introduction of unacceptable mobile code within organizational systems, including requiring mobile code to be digitally signed by a trusted source."}, {"divider": true}, {"name": "control", "value": "EX.DD-04.01"}, {"name": "comment", "value": "This diagnostic statement describes the organization's formal process for evaluating externally-sourced applications, software, and firmware by assessing compatibility, security, integrity, and authenticity before deployment and after major changes. For example, requiring software from external vendors to be signed with valid certificates before deployment to aid in mitigating software supply chain attacks."}, {"divider": true}, {"name": "control", "value": "PR.AA-01.01"}, {"name": "comment", "value": "This diagnostic statement protects against Masquerading through the use of hardened access control policies, secure defaults, password complexity requirements, multifactor authentication requirements, and removal of terminated accounts."}, {"divider": true}, {"name": "control", "value": "PR.PS-01.08"}, {"name": "comment", "value": "This diagnostic statement protects against Masquerading through the use of limiting access to resources to only authorized devices, management of personal computing devices, network intrusion prevention, and the use of antimalware."}]}, {"techniqueID": "T1036.008", "score": 7, "comment": " Related to: \n \u2022PR.PS-01.08\n\u2022PR.PS-05.02\n\u2022PR.PS-01.01\n\u2022DE.AE-02.01\n\u2022PR.PS-05.01\n\u2022DE.CM-01.01\n\u2022PR.IR-01.08", "metadata": [{"divider": true}, {"name": "control", "value": "DE.AE-02.01"}, {"name": "comment", "value": "This diagnostic 
statement provides for implementation of methods to block similar future attacks via security tools such as antivirus and IDS/IPS to provide protection against threats and exploitation attempts.\r\n"}, {"divider": true}, {"name": "control", "value": "PR.IR-01.08"}, {"name": "comment", "value": "This diagnostic statement implements technical controls (e.g., VPN, antivirus software) to address the risks of end-user personal computing devices accessing the organization\u2019s network and resources."}, {"divider": true}, {"name": "control", "value": "PR.PS-01.01"}, {"name": "comment", "value": "This diagnostic statement provides for securely configuring production systems. This includes hardening default configurations and making security-focused setting adjustments to reduce the attack surface, enforce best practices, and protect sensitive data thereby mitigating adversary exploitation."}, {"divider": true}, {"name": "control", "value": "PR.PS-05.01"}, {"name": "comment", "value": "Antivirus/Antimalware software can be utilized to detect and quarantine suspicious files that adversaries have manipulated to appear legitimate or benign."}, {"divider": true}, {"name": "control", "value": "DE.CM-01.01"}, {"name": "comment", "value": "Implementing methods similar to Host Intrusion Prevention (HIPS) can identify and prevent execution of malicious files and their metadata manipulated by adversaries."}, {"divider": true}, {"name": "control", "value": "PR.PS-05.02"}, {"name": "comment", "value": "Mobile code procedures address specific actions taken to prevent the development, acquisition, and introduction of unacceptable mobile code within organizational systems, including requiring mobile code to be digitally signed by a trusted source."}, {"divider": true}, {"name": "control", "value": "PR.PS-01.08"}, {"name": "comment", "value": "This diagnostic statement protects against Masquerade File Type through the use of limiting access to resources to only authorized devices, 
management of personal computing devices, network intrusion prevention, and the use of antimalware."}]}, {"techniqueID": "T1059.001", "score": 11, "comment": " Related to: \n \u2022DE.CM-06.02\n\u2022PR.PS-01.08\n\u2022PR.PS-05.02\n\u2022PR.PS-01.01\n\u2022PR.IR-01.06\n\u2022DE.CM-09.01\n\u2022DE.AE-02.01\n\u2022PR.PS-05.01\n\u2022PR.PS-01.03\n\u2022PR.AA-05.02\n\u2022PR.IR-01.08", "metadata": [{"divider": true}, {"name": "control", "value": "DE.AE-02.01"}, {"name": "comment", "value": "This diagnostic statement provides for implementation of methods to block similar future attacks via security tools such as antivirus and IDS/IPS to provide protection against threats and exploitation attempts.\r\n"}, {"divider": true}, {"name": "control", "value": "PR.IR-01.08"}, {"name": "comment", "value": "This diagnostic statement implements technical controls (e.g., VPN, antivirus software) to address the risks of end-user personal computing devices accessing the organization\u2019s network and resources."}, {"divider": true}, {"name": "control", "value": "PR.PS-01.01"}, {"name": "comment", "value": "This diagnostic statement provides for securely configuring production systems. 
This includes hardening default configurations and making security-focused setting adjustments to reduce the attack surface, enforce best practices, and protect sensitive data thereby mitigating adversary exploitation."}, {"divider": true}, {"name": "control", "value": "PR.AA-05.02"}, {"name": "comment", "value": "This diagnostic statement protects against PowerShell through the use of privileged account management and the use of multi-factor authentication."}, {"divider": true}, {"name": "control", "value": "DE.CM-09.01"}, {"name": "comment", "value": "This diagnostic statement protects against PowerShell through the use of verifying integrity of software/firmware, loading software that is trusted, ensuring privileged process integrity and checking software signatures."}, {"divider": true}, {"name": "control", "value": "DE.CM-06.02"}, {"name": "comment", "value": "This diagnostic statement protects against PowerShell through the use of privileged account management. Employing auditing, privilege access management, and just in time access protects against adversaries trying to obtain illicit access to critical systems."}, {"divider": true}, {"name": "control", "value": "PR.PS-05.01"}, {"name": "comment", "value": "Antivirus/Antimalware software can be utilized to detect and quarantine files that have been embedded with malicious commands or scripts."}, {"divider": true}, {"name": "control", "value": "PR.PS-01.03"}, {"name": "comment", "value": "This diagnostic statement provides protection from Command and Scripting Interpreter through the implementation of security configuration baselines for OS, software, file integrity monitoring and imaging. 
Security baselining along with disallowing scripts and integrity checking can help protect against adversaries that may abuse command and script interpreters."}, {"divider": true}, {"name": "control", "value": "PR.PS-05.02"}, {"name": "comment", "value": "Mobile code procedures address specific actions taken to prevent the development, acquisition, and introduction of unacceptable mobile code within organizational systems, including requiring mobile code to be digitally signed by a trusted source."}, {"divider": true}, {"name": "control", "value": "PR.IR-01.06"}, {"name": "comment", "value": "This diagnostic statement provides protections for production environments. Measures such as network segmentation and access control reduce the attack surface, restrict movement by adversaries, and protect critical assets and data from compromise."}, {"divider": true}, {"name": "control", "value": "PR.PS-01.08"}, {"name": "comment", "value": "This diagnostic statement protects against PowerShell through the use of limiting access to resources to only authorized devices, management of personal computing devices, network intrusion prevention, and the use of antimalware."}]}, {"techniqueID": "T1059.005", "score": 7, "comment": " Related to: \n \u2022PR.PS-01.08\n\u2022PR.PS-05.02\n\u2022PR.PS-01.01\n\u2022DE.AE-02.01\n\u2022PR.PS-05.01\n\u2022DE.CM-01.05\n\u2022PR.IR-01.08", "metadata": [{"divider": true}, {"name": "control", "value": "DE.AE-02.01"}, {"name": "comment", "value": "This diagnostic statement provides for implementation of methods to block similar future attacks via security tools such as antivirus and IDS/IPS to provide protection against threats and exploitation attempts.\r\n"}, {"divider": true}, {"name": "control", "value": "PR.IR-01.08"}, {"name": "comment", "value": "This diagnostic statement implements technical controls (e.g., VPN, antivirus software) to address the risks of end-user personal computing devices accessing the organization\u2019s network and 
resources."}, {"divider": true}, {"name": "control", "value": "PR.PS-01.01"}, {"name": "comment", "value": "This diagnostic statement provides for securely configuring production systems. This includes hardening default configurations and making security-focused setting adjustments to reduce the attack surface, enforce best practices, and protect sensitive data thereby mitigating adversary exploitation."}, {"divider": true}, {"name": "control", "value": "PR.PS-05.01"}, {"name": "comment", "value": "Antivirus/Antimalware software can be utilized to detect and quarantine files that have been embedded with malicious commands or scripts."}, {"divider": true}, {"name": "control", "value": "PR.PS-05.02"}, {"name": "comment", "value": "Mobile code procedures address specific actions taken to prevent the development, acquisition, and introduction of unacceptable mobile code within organizational systems, including requiring mobile code to be digitally signed by a trusted source."}, {"divider": true}, {"name": "control", "value": "DE.CM-01.05"}, {"name": "comment", "value": "This diagnostic statement prevents adversaries from abusing commands, scripts, or binaries by blocking the execution of scripts and malicious code that pop up via adblockers and ads."}, {"divider": true}, {"name": "control", "value": "PR.PS-01.08"}, {"name": "comment", "value": "This diagnostic statement protects against Visual Basic through the use of limiting access to resources to only authorized devices, management of personal computing devices, network intrusion prevention, and the use of antimalware."}]}, {"techniqueID": "T1059.006", "score": 6, "comment": " Related to: \n \u2022PR.PS-01.08\n\u2022PR.PS-05.02\n\u2022PR.PS-01.01\n\u2022DE.AE-02.01\n\u2022PR.PS-05.01\n\u2022PR.IR-01.08", "metadata": [{"divider": true}, {"name": "control", "value": "DE.AE-02.01"}, {"name": "comment", "value": "This diagnostic statement provides for implementation of methods to block similar future attacks via 
security tools such as antivirus and IDS/IPS to provide protection against threats and exploitation attempts.\r\n"}, {"divider": true}, {"name": "control", "value": "PR.IR-01.08"}, {"name": "comment", "value": "This diagnostic statement implements technical controls (e.g., VPN, antivirus software) to address the risks of end-user personal computing devices accessing the organization\u2019s network and resources."}, {"divider": true}, {"name": "control", "value": "PR.PS-01.01"}, {"name": "comment", "value": "This diagnostic statement provides for securely configuring production systems. This includes hardening default configurations and making security-focused setting adjustments to reduce the attack surface, enforce best practices, and protect sensitive data thereby mitigating adversary exploitation."}, {"divider": true}, {"name": "control", "value": "PR.PS-05.01"}, {"name": "comment", "value": "Antivirus/Antimalware software can be utilized to detect and quarantine files that have been embedded with malicious commands or scripts."}, {"divider": true}, {"name": "control", "value": "PR.PS-05.02"}, {"name": "comment", "value": "Mobile code procedures address specific actions taken to prevent the development, acquisition, and introduction of unacceptable mobile code within organizational systems, including requiring mobile code to be digitally signed by a trusted source."}, {"divider": true}, {"name": "control", "value": "PR.PS-01.08"}, {"name": "comment", "value": "This diagnostic statement protects against Python through the use of limiting access to resources to only authorized devices, management of personal computing devices, network intrusion prevention, and the use of antimalware."}]}, {"techniqueID": "T1059", "score": 12, "comment": " Related to: \n 
\u2022PR.PS-01.08\n\u2022PR.PS-05.02\n\u2022PR.PS-01.01\n\u2022PR.IR-01.06\n\u2022DE.CM-09.01\n\u2022PR.AA-01.01\n\u2022DE.AE-02.01\n\u2022PR.PS-05.01\n\u2022PR.PS-01.03\n\u2022DE.CM-01.05\n\u2022PR.AA-05.02\n\u2022PR.IR-01.08", "metadata": [{"divider": true}, {"name": "control", "value": "DE.AE-02.01"}, {"name": "comment", "value": "This diagnostic statement provides for implementation of methods to block similar future attacks via security tools such as antivirus and IDS/IPS to provide protection against threats and exploitation attempts.\r\n"}, {"divider": true}, {"name": "control", "value": "PR.IR-01.08"}, {"name": "comment", "value": "This diagnostic statement implements technical controls (e.g., VPN, antivirus software) to address the risks of end-user personal computing devices accessing the organization\u2019s network and resources."}, {"divider": true}, {"name": "control", "value": "PR.PS-01.01"}, {"name": "comment", "value": "This diagnostic statement provides for securely configuring production systems. 
This includes hardening default configurations and making security-focused setting adjustments to reduce the attack surface, enforce best practices, and protect sensitive data thereby mitigating adversary exploitation."}, {"divider": true}, {"name": "control", "value": "PR.AA-05.02"}, {"name": "comment", "value": "This diagnostic statement protects against Command and Scripting Interpreter through the use of privileged account management and the use of multi-factor authentication."}, {"divider": true}, {"name": "control", "value": "DE.CM-09.01"}, {"name": "comment", "value": "This diagnostic statement protects against Command and Scripting Interpreter through the use of verifying integrity of software/firmware, loading software that is trusted, ensuring privileged process integrity and checking software signatures."}, {"divider": true}, {"name": "control", "value": "PR.PS-05.01"}, {"name": "comment", "value": "Antivirus/Antimalware software can be utilized to detect and quarantine files that have been embedded with malicious commands or scripts."}, {"divider": true}, {"name": "control", "value": "PR.PS-01.03"}, {"name": "comment", "value": "This diagnostic statement provides protection from Command and Scripting Interpreter through the implementation of security configuration baselines for OS, software, file integrity monitoring and imaging. 
Security baselining along with disallowing scripts and integrity checking can help protect against adversaries that may abuse command and script interpreters."}, {"divider": true}, {"name": "control", "value": "PR.PS-05.02"}, {"name": "comment", "value": "Mobile code procedures address specific actions taken to prevent the development, acquisition, and introduction of unacceptable mobile code within organizational systems, including requiring mobile code to be digitally signed by a trusted source."}, {"divider": true}, {"name": "control", "value": "DE.CM-01.05"}, {"name": "comment", "value": "This diagnostic statement prevents adversaries from abusing commands, scripts, or binaries by blocking the execution of scripts and malicious code that pop up via adblockers and ads."}, {"divider": true}, {"name": "control", "value": "PR.IR-01.06"}, {"name": "comment", "value": "This diagnostic statement provides protections for production environments. Measures such as network segmentation and access control reduce the attack surface, restrict movement by adversaries, and protect critical assets and data from compromise."}, {"divider": true}, {"name": "control", "value": "PR.AA-01.01"}, {"name": "comment", "value": "This diagnostic statement protects against Command and Scripting Interpreter through the use of hardened access control policies, secure defaults, password complexity requirements, multifactor authentication requirements, and removal of terminated accounts."}, {"divider": true}, {"name": "control", "value": "PR.PS-01.08"}, {"name": "comment", "value": "This diagnostic statement protects against Command and Scripting Interpreter through the use of limiting access to resources to only authorized devices, management of personal computing devices, network intrusion prevention, and the use of antimalware."}]}, {"techniqueID": "T1001.002", "score": 3, "comment": " Related to: \n \u2022DE.AE-02.01\n\u2022DE.CM-01.01\n\u2022PR.IR-01.03", "metadata": [{"divider": true}, 
{"name": "control", "value": "DE.AE-02.01"}, {"name": "comment", "value": "This diagnostic statement provides for implementation of methods to block similar future attacks via security tools such as antivirus and IDS/IPS to provide protection against threats and exploitation attempts.\r\n"}, {"divider": true}, {"name": "control", "value": "DE.CM-01.01"}, {"name": "comment", "value": "Network intrusion detection and prevention systems that use network signatures to identify traffic for specific adversary malware can be used to mitigate some obfuscation activity at the network level.\r\n\r\n"}, {"divider": true}, {"name": "control", "value": "PR.IR-01.03"}, {"name": "comment", "value": "This diagnostic statement protects against Steganography through the use of secure network configurations, architecture, implementations of zero trust architecture, and segmentation."}]}, {"techniqueID": "T1001.001", "score": 3, "comment": " Related to: \n \u2022DE.AE-02.01\n\u2022DE.CM-01.01\n\u2022PR.IR-01.03", "metadata": [{"divider": true}, {"name": "control", "value": "DE.AE-02.01"}, {"name": "comment", "value": "This diagnostic statement provides for implementation of methods to block similar future attacks via security tools such as antivirus and IDS/IPS to provide protection against threats and exploitation attempts.\r\n"}, {"divider": true}, {"name": "control", "value": "DE.CM-01.01"}, {"name": "comment", "value": "Network intrusion detection and prevention systems that use network signatures to identify traffic for specific adversary malware can be used to mitigate some obfuscation activity at the network level.\r\n\r\n"}, {"divider": true}, {"name": "control", "value": "PR.IR-01.03"}, {"name": "comment", "value": "This diagnostic statement protects against Junk Data through the use of secure network configurations, architecture, implementations of zero trust architecture, and segmentation."}]}, {"techniqueID": "T1001.003", "score": 3, "comment": " Related to: \n 
\u2022DE.AE-02.01\n\u2022DE.CM-01.01\n\u2022PR.IR-01.03", "metadata": [{"divider": true}, {"name": "control", "value": "DE.AE-02.01"}, {"name": "comment", "value": "This diagnostic statement provides for implementation of methods to block similar future attacks via security tools such as antivirus and IDS/IPS to provide protection against threats and exploitation attempts.\r\n"}, {"divider": true}, {"name": "control", "value": "DE.CM-01.01"}, {"name": "comment", "value": "Network intrusion detection and prevention systems that use network signatures to identify traffic for specific adversary malware can be used to mitigate some obfuscation activity at the network level.\r\n\r\n\r\n"}, {"divider": true}, {"name": "control", "value": "PR.IR-01.03"}, {"name": "comment", "value": "This diagnostic statement protects against Protocol or Service Impersonation through the use of secure network configurations, architecture, implementations of zero trust architecture, and segmentation."}]}, {"techniqueID": "T1001", "score": 3, "comment": " Related to: \n \u2022DE.AE-02.01\n\u2022DE.CM-01.01\n\u2022PR.IR-01.03", "metadata": [{"divider": true}, {"name": "control", "value": "DE.AE-02.01"}, {"name": "comment", "value": "This diagnostic statement provides for implementation of methods to block similar future attacks via security tools such as antivirus and IDS/IPS to provide protection against threats and exploitation attempts.\n"}, {"divider": true}, {"name": "control", "value": "DE.CM-01.01"}, {"name": "comment", "value": "Network intrusion detection and prevention systems that use network signatures to identify traffic for specific adversary malware can be used to mitigate some obfuscation command and control activity at the network level.\r\n\r\n"}, {"divider": true}, {"name": "control", "value": "PR.IR-01.03"}, {"name": "comment", "value": "This diagnostic statement protects against Data Obfuscation through the use of secure network configurations, architecture, 
implementations of zero trust architecture, and segmentation."}]}, {"techniqueID": "T1006", "score": 3, "comment": " Related to: \n \u2022PR.AA-01.01\n\u2022PR.AA-01.02\n\u2022PR.IR-01.08", "metadata": [{"divider": true}, {"name": "control", "value": "PR.IR-01.08"}, {"name": "comment", "value": "This diagnostic statement implements technical controls (e.g., VPN, antivirus software) to address the risks of end-user personal computing devices accessing the organization\u2019s network and resources."}, {"divider": true}, {"name": "control", "value": "PR.AA-01.02"}, {"name": "comment", "value": "This diagnostic statement describes how the organization ensures users are identified and authenticated before accessing systems, applications, and hardware, with logical access controls permitting access only to authorized individuals with legitimate business needs. Logical access controls in relation to systems can refer to the use of MFA, user account management, and other role-based access control mechanisms to enforce policies for authentication and authorization of user accounts."}, {"divider": true}, {"name": "control", "value": "PR.AA-01.01"}, {"name": "comment", "value": "This diagnostic statement protects against Direct Volume Access through the use of hardened access control policies, secure defaults, password complexity requirements, multifactor authentication requirements, and removal of terminated accounts."}]}, {"techniqueID": "T1027.010", "score": 4, "comment": " Related to: \n \u2022PR.PS-05.01\n\u2022PR.PS-01.08\n\u2022PR.PS-01.01\n\u2022PR.IR-01.08", "metadata": [{"divider": true}, {"name": "control", "value": "PR.IR-01.08"}, {"name": "comment", "value": "This diagnostic statement implements technical controls (e.g., VPN, antivirus software) to address the risks of end-user personal computing devices accessing the organization\u2019s network and resources."}, {"divider": true}, {"name": "control", "value": "PR.PS-01.01"}, {"name": "comment", "value": "This 
diagnostic statement provides for securely configuring production systems. This includes hardening default configurations and making security-focused setting adjustments to reduce the attack surface, enforce best practices, and protect sensitive data thereby mitigating adversary exploitation."}, {"divider": true}, {"name": "control", "value": "PR.PS-05.01"}, {"name": "comment", "value": "Antivirus/Antimalware software can be utilized to detect and quarantine suspicious Windows 10+ commands that adversaries have made difficult to discover by encrypting, encoding or obfuscating."}, {"divider": true}, {"name": "control", "value": "PR.PS-01.08"}, {"name": "comment", "value": "This diagnostic statement protects against Command Obfuscation through the use of limiting access to resources to only authorized devices, management of personal computing devices, network intrusion prevention, and the use of antimalware."}]}, {"techniqueID": "T1564", "score": 6, "comment": " Related to: \n \u2022PR.IR-01.08\n\u2022PR.PS-01.01\n\u2022PR.PS-06.07\n\u2022PR.PS-06.01\n\u2022PR.PS-01.03\n\u2022PR.PS-01.08", "metadata": [{"divider": true}, {"name": "control", "value": "PR.IR-01.08"}, {"name": "comment", "value": "This diagnostic statement implements technical controls (e.g., VPN, antivirus software) to address the risks of end-user personal computing devices accessing the organization\u2019s network and resources."}, {"divider": true}, {"name": "control", "value": "PR.PS-01.01"}, {"name": "comment", "value": "This diagnostic statement provides for securely configuring production systems. 
This includes hardening default configurations and making security-focused setting adjustments to reduce the attack surface, enforce best practices, and protect sensitive data thereby mitigating adversary exploitation."}, {"divider": true}, {"name": "control", "value": "PR.PS-06.01"}, {"name": "comment", "value": "This diagnostic statement protects against Hide Artifacts through the implementation of application security processes and procedures such as installing applications to trusted system folder paths that are already protected by restricted file and directory permissions."}, {"divider": true}, {"name": "control", "value": "PR.PS-01.03"}, {"name": "comment", "value": "This diagnostic statement provides protection from Hide Artifacts through the implementation of security configuration baselines for OS, software, file integrity monitoring and imaging. Security baseline configuration of the Operating System and integrity checking can help protect against adversaries attempting to compromise and modify software and its configurations."}, {"divider": true}, {"name": "control", "value": "PR.PS-01.08"}, {"name": "comment", "value": "This diagnostic statement protects against Hide Artifacts through the use of limiting access to resources to only authorized devices, management of personal computing devices, network intrusion prevention, and the use of antimalware."}, {"divider": true}, {"name": "control", "value": "PR.PS-06.07"}, {"name": "comment", "value": "This diagnostic statement protects against Hide Artifacts through the use of DevSecOps, secure development lifecycle, and application developer guidance. 
Exploitable weaknesses can be mitigated through secure code, reduced vulnerabilities, and secure design principles."}]}, {"techniqueID": "T1564.012", "score": 5, "comment": " Related to: \n \u2022PR.IR-01.08\n\u2022PR.PS-01.01\n\u2022PR.PS-06.07\n\u2022PR.PS-06.01\n\u2022PR.PS-01.08", "metadata": [{"divider": true}, {"name": "control", "value": "PR.IR-01.08"}, {"name": "comment", "value": "This diagnostic statement implements technical controls (e.g., VPN, antivirus software) to address the risks of end-user personal computing devices accessing the organization\u2019s network and resources."}, {"divider": true}, {"name": "control", "value": "PR.PS-01.01"}, {"name": "comment", "value": "This diagnostic statement provides for securely configuring production systems. This includes hardening default configurations and making security-focused setting adjustments to reduce the attack surface, enforce best practices, and protect sensitive data thereby mitigating adversary exploitation."}, {"divider": true}, {"name": "control", "value": "PR.PS-06.01"}, {"name": "comment", "value": "This diagnostic statement protects against Hide Artifacts through the implementation of application security processes and procedures such as installing applications to trusted system folder paths that are already protected by restricted file and directory permissions."}, {"divider": true}, {"name": "control", "value": "PR.PS-01.08"}, {"name": "comment", "value": "This diagnostic statement protects against File/Path Exclusions through the use of limiting access to resources to only authorized devices, management of personal computing devices, network intrusion prevention, and the use of antimalware."}, {"divider": true}, {"name": "control", "value": "PR.PS-06.07"}, {"name": "comment", "value": "This diagnostic statement protects against File/Path Exclusions through the use of DevSecOps, secure development lifecycle, and application developer guidance. 
Exploitable weaknesses can be mitigated through secure code, reduced vulnerabilities, and secure design principles."}]}, {"techniqueID": "T1078.001", "score": 8, "comment": " Related to: \n \u2022DE.CM-03.03\n\u2022PR.AA-01.01\n\u2022PR.AA-02.01\n\u2022PR.IR-01.05\n\u2022PR.PS-06.01\n\u2022PR.AA-01.02\n\u2022PR.AA-05.02\n\u2022PR.AA-03.01", "metadata": [{"divider": true}, {"name": "control", "value": "PR.IR-01.05"}, {"name": "comment", "value": "This diagnostic statement implements security controls and restrictions for remote user access to systems. Remote user access control involves managing and securing how users remotely access systems, such as through encrypted connections and account use policies, which help prevent adversary access."}, {"divider": true}, {"name": "control", "value": "PR.PS-06.01"}, {"name": "comment", "value": "This diagnostic statement provides for secure system development, which includes ensuring that applications do not store sensitive data or valid account credentials insecurely (e.g., plaintext credentials in code, published credentials in repositories, or credentials in public cloud storage)."}, {"divider": true}, {"name": "control", "value": "PR.AA-05.02"}, {"name": "comment", "value": "This diagnostic statement protects against Default Accounts through the use of privileged account management and the use of multi-factor authentication."}, {"divider": true}, {"name": "control", "value": "PR.AA-02.01"}, {"name": "comment", "value": "This diagnostic statement provides protection from Valid Accounts through the implementation of privileged account management controls to limit account access. 
Employing limitations to specific accounts, provisioning accounts, access control mechanisms, and auditing the attribution logs provides protection against adversaries attempting to use default accounts."}, {"divider": true}, {"name": "control", "value": "DE.CM-03.03"}, {"name": "comment", "value": "This diagnostic statement implements mechanisms and tools to mitigate potential misuse of privileged users and accounts. Continuous monitoring of role and attribute assignments and activity is essential to prevent and detect unauthorized access or misuse."}, {"divider": true}, {"name": "control", "value": "PR.AA-01.02"}, {"name": "comment", "value": "This diagnostic statement describes how the organization ensures users are identified and authenticated before accessing systems, applications, and hardware, with logical access controls permitting access only to authorized individuals with legitimate business needs. Logical access controls in relation to systems can refer to the use of MFA, user account management, and other role-based access control mechanisms to enforce policies for authentication and authorization of user accounts."}, {"divider": true}, {"name": "control", "value": "PR.AA-03.01"}, {"name": "comment", "value": "This diagnostic statement describes how the organization implement appropriate authentication requirements, including selecting mechanisms based on risk, utilizing multi-factor authentication where necessary, and safeguarding the storage of authenticators like pins and passwords to protect sensitive access credentials."}, {"divider": true}, {"name": "control", "value": "PR.AA-01.01"}, {"name": "comment", "value": "This diagnostic statement protects against Default Accounts through the use of hardened access control policies, secure defaults, password complexity requirements, multifactor authentication requirements, and removal of terminated accounts."}]}, {"techniqueID": "T1078.002", "score": 10, "comment": " Related to: \n 
\u2022DE.CM-06.02\n\u2022PR.PS-01.07\n\u2022DE.CM-03.03\n\u2022PR.AA-01.01\n\u2022PR.IR-01.05\n\u2022PR.PS-06.01\n\u2022PR.AA-05.03\n\u2022PR.AA-01.02\n\u2022PR.AA-05.02\n\u2022PR.AA-03.01", "metadata": [{"divider": true}, {"name": "control", "value": "PR.IR-01.05"}, {"name": "comment", "value": "This diagnostic statement implements security controls and restrictions for remote user access to systems. Remote user access control involves managing and securing how users remotely access systems, such as through encrypted connections and account use policies, which help prevent adversary access."}, {"divider": true}, {"name": "control", "value": "PR.PS-06.01"}, {"name": "comment", "value": "This diagnostic statement provides for secure system development, which includes ensuring that applications do not store sensitive data or valid account credentials insecurely (e.g., plaintext credentials in code, published credentials in repositories, or credentials in public cloud storage)."}, {"divider": true}, {"name": "control", "value": "PR.AA-05.02"}, {"name": "comment", "value": "This diagnostic statement protects against Domain Accounts through the use of privileged account management and the use of multi-factor authentication."}, {"divider": true}, {"name": "control", "value": "DE.CM-06.02"}, {"name": "comment", "value": "This diagnostic statement protects against Domain Accounts through the use of privileged account management. Employing auditing, privilege access management, and just in time access protects against adversaries trying to obtain illicit access to critical systems."}, {"divider": true}, {"name": "control", "value": "PR.PS-01.07"}, {"name": "comment", "value": "This diagnostic statement protects against Valid Accounts: Domain Accounts through the use of revocation of keys and key management. 
Employing key protection strategies for key material used as part of multi-factor authentication for valid accounts, limitations to specific accounts along with access control mechanisms provides protection against adversaries attempting to use valid accounts."}, {"divider": true}, {"name": "control", "value": "PR.AA-05.03"}, {"name": "comment", "value": "This diagnostic statement describes how the organization establishes security standards based on industry guidelines to institute strict controls over service account (i.e., accounts used by systems to access other systems). "}, {"divider": true}, {"name": "control", "value": "DE.CM-03.03"}, {"name": "comment", "value": "This diagnostic statement implements mechanisms and tools to mitigate potential misuse of privileged users and accounts. Continuous monitoring of role and attribute assignments and activity is essential to prevent and detect unauthorized access or misuse."}, {"divider": true}, {"name": "control", "value": "PR.AA-01.02"}, {"name": "comment", "value": "This diagnostic statement describes how the organization ensures users are identified and authenticated before accessing systems, applications, and hardware, with logical access controls permitting access only to authorized individuals with legitimate business needs. 
Logical access controls in relation to systems can refer to the use of MFA, user account management, and other role-based access control mechanisms to enforce policies for authentication and authorization of user accounts."}, {"divider": true}, {"name": "control", "value": "PR.AA-03.01"}, {"name": "comment", "value": "This diagnostic statement describes how the organization implement appropriate authentication requirements, including selecting mechanisms based on risk, utilizing multi-factor authentication where necessary, and safeguarding the storage of authenticators like pins and passwords to protect sensitive access credentials."}, {"divider": true}, {"name": "control", "value": "PR.AA-01.01"}, {"name": "comment", "value": "This diagnostic statement protects against Domain Accounts through the use of hardened access control policies, secure defaults, password complexity requirements, multifactor authentication requirements, and removal of terminated accounts."}]}, {"techniqueID": "T1199", "score": 8, "comment": " Related to: \n \u2022PR.PS-01.07\n\u2022PR.IR-01.06\n\u2022PR.AA-01.01\n\u2022PR.IR-01.01\n\u2022PR.IR-01.05\n\u2022EX.MM-01.01\n\u2022PR.AA-05.02\n\u2022PR.AA-05.04", "metadata": [{"divider": true}, {"name": "control", "value": "PR.IR-01.05"}, {"name": "comment", "value": "This diagnostic statement implements security controls and restrictions for remote user access to systems. 
Remote user access control involves managing and securing how users remotely access systems, such as through encrypted connections and account use policies, which help prevent adversary access."}, {"divider": true}, {"name": "control", "value": "PR.AA-05.02"}, {"name": "comment", "value": "This diagnostic statement protects against Trusted Relationship through the use of privileged account management and the use of multi-factor authentication."}, {"divider": true}, {"name": "control", "value": "PR.PS-01.07"}, {"name": "comment", "value": "This diagnostic statement protects against Trusted Relationship through the use of revocation of keys and key management. Employing key protection strategies for key material used in identity management and authentication processes for trusted entities, limitations to specific accounts along with access control mechanisms provides protection against adversaries attempting to abuse trusted relationships."}, {"divider": true}, {"name": "control", "value": "PR.AA-05.04"}, {"name": "comment", "value": "This diagnostic statement includes implementation of controls for third-party access to an organization\u2019s systems. Manage accounts and permissions used by parties in trusted relationships to minimize potential abuse by the party or if the party is compromised by an adversary."}, {"divider": true}, {"name": "control", "value": "PR.IR-01.01"}, {"name": "comment", "value": "This diagnostic statement is for the implementation of network segmentation which helps prevent access to critical systems and sensitive information. Employing network segmentation to isolate infrastructure and limit access through trusted third party relationships."}, {"divider": true}, {"name": "control", "value": "PR.IR-01.06"}, {"name": "comment", "value": "This diagnostic statement provides protections for production environments. 
Measures such as network segmentation and access control reduce the attack surface, restrict movement by adversaries, and protect critical assets and data from compromise."}, {"divider": true}, {"name": "control", "value": "EX.MM-01.01"}, {"name": "comment", "value": "This diagnostic statement provides for the implementation of procedures for management of third party products. Managing accounts and permissions used by parties in trusted relationships helps minimize potential abuse by the party or if the party is compromised by an adversary."}, {"divider": true}, {"name": "control", "value": "PR.AA-01.01"}, {"name": "comment", "value": "This diagnostic statement protects against Trusted Relationship through the use of hardened access control policies, secure defaults, password complexity requirements, multifactor authentication requirements, and removal of terminated accounts."}]}, {"techniqueID": "T1021.007", "score": 9, "comment": " Related to: \n \u2022DE.CM-06.02\n\u2022PR.PS-01.07\n\u2022PR.IR-01.06\n\u2022PR.AA-01.01\n\u2022PR.AA-02.01\n\u2022PR.IR-01.05\n\u2022PR.AA-05.03\n\u2022PR.AA-05.02\n\u2022PR.AA-03.01", "metadata": [{"divider": true}, {"name": "control", "value": "PR.IR-01.05"}, {"name": "comment", "value": "This diagnostic statement implements security controls and restrictions for remote user access to systems. Remote user access control involves managing and securing how users remotely access systems, such as through encrypted connections and account use policies, which help prevent adversary access."}, {"divider": true}, {"name": "control", "value": "PR.AA-05.03"}, {"name": "comment", "value": "This diagnostic statement is for the implementation of security controls for service accounts (i.e., accounts used by systems to access other systems). 
Minimize service account permissions and access for the service to mitigate exploitation via cloud services service accounts."}, {"divider": true}, {"name": "control", "value": "PR.AA-05.02"}, {"name": "comment", "value": "This diagnostic statement protects against Cloud Services through the use of privileged account management and the use of multi-factor authentication."}, {"divider": true}, {"name": "control", "value": "DE.CM-06.02"}, {"name": "comment", "value": "This diagnostic statement protects against Cloud Services through the use of privileged account management. Employing auditing, privilege access management, and just in time access protects against adversaries trying to obtain illicit access to critical systems."}, {"divider": true}, {"name": "control", "value": "PR.AA-02.01"}, {"name": "comment", "value": "This diagnostic statement provides protection from Remote Services through the implementation of authentication and identity management controls to limit lateral movement. Employing control limitations to specific accounts, access control mechanisms, and auditing the attribution logs provides protection against adversaries attempting to move laterally in the cloud environment."}, {"divider": true}, {"name": "control", "value": "PR.PS-01.07"}, {"name": "comment", "value": "This diagnostic statement protects against Remote Services: Cloud Services through the use of revocation of keys and key management. 
Employing key protection strategies for key material used in identity management and authentication processes in cloud services, limitations to specific accounts along with access control mechanisms provides protection against adversaries attempting to use cloud services."}, {"divider": true}, {"name": "control", "value": "PR.AA-03.01"}, {"name": "comment", "value": "This diagnostic statement describes how the organization implement appropriate authentication requirements, including selecting mechanisms based on risk, utilizing multi-factor authentication where necessary, and safeguarding the storage of authenticators like pins and passwords to protect sensitive access credentials."}, {"divider": true}, {"name": "control", "value": "PR.IR-01.06"}, {"name": "comment", "value": "This diagnostic statement provides protections for production environments. Measures such as network segmentation and access control reduce the attack surface, restrict movement by adversaries, and protect critical assets and data from compromise."}, {"divider": true}, {"name": "control", "value": "PR.AA-01.01"}, {"name": "comment", "value": "This diagnostic statement protects against Cloud Services through the use of hardened access control policies, secure defaults, password complexity requirements, multifactor authentication requirements, and removal of terminated accounts."}]}, {"techniqueID": "T1021.008", "score": 2, "comment": " Related to: \n \u2022PR.IR-01.05\n\u2022PR.AA-01.01", "metadata": [{"divider": true}, {"name": "control", "value": "PR.IR-01.05"}, {"name": "comment", "value": "This diagnostic statement implements security controls and restrictions for remote user access to systems. 
Remote user access control involves managing and securing how users remotely access systems, such as through encrypted connections and account use policies, which help prevent adversary access."}, {"divider": true}, {"name": "control", "value": "PR.AA-01.01"}, {"name": "comment", "value": "This diagnostic statement protects against Direct Cloud VM Connections through the use of hardened access control policies, secure defaults, password complexity requirements, multifactor authentication requirements, and removal of terminated accounts."}]}, {"techniqueID": "T1021.002", "score": 11, "comment": " Related to: \n \u2022DE.CM-06.02\n\u2022PR.IR-04.01\n\u2022PR.IR-01.04\n\u2022PR.PS-01.09\n\u2022PR.IR-01.06\n\u2022PR.AA-01.01\n\u2022PR.IR-01.03\n\u2022PR.IR-01.05\n\u2022PR.AA-05.03\n\u2022PR.AA-05.02\n\u2022PR.PS-01.08", "metadata": [{"divider": true}, {"name": "control", "value": "PR.IR-01.05"}, {"name": "comment", "value": "This diagnostic statement implements security controls and restrictions for remote user access to systems. Remote user access control involves managing and securing how users remotely access systems, such as through encrypted connections and account use policies, which help prevent adversary access."}, {"divider": true}, {"name": "control", "value": "PR.AA-05.03"}, {"name": "comment", "value": "This diagnostic statement is for the implementation of security controls for service accounts (i.e., accounts used by systems to access other systems). 
Block the SMB/Windows Admin Shares service account to mitigate exploitation."}, {"divider": true}, {"name": "control", "value": "PR.AA-05.02"}, {"name": "comment", "value": "This diagnostic statement protects against SMB/Windows Admin Shares through the use of privileged account management and the use of multi-factor authentication."}, {"divider": true}, {"name": "control", "value": "DE.CM-06.02"}, {"name": "comment", "value": "This diagnostic statement protects against SMB/Windows Admin Shares through the use of privileged account management. Employing auditing, privilege access management, and just in time access protects against adversaries trying to obtain illicit access to critical systems."}, {"divider": true}, {"name": "control", "value": "PR.PS-01.09"}, {"name": "comment", "value": "The diagnostic statement highlights several mechanisms that organizations can implement to protect endpoint systems using virtualization technologies, essentially hypervisor hardening. With this technique, adversaries may transfer tools, payloads, or other malware between systems in a compromised environment, such as between a VM and host system. Hypervisor hardening may help in monitoring and restricting unexpected network share access, such as files transferred between shares within a network using protocols such as SMB by virtualized technologies."}, {"divider": true}, {"name": "control", "value": "PR.IR-04.01"}, {"name": "comment", "value": "This diagnostic statement describes how the organization establishes and manages baseline measures of network activity. Supported by network monitoring tools and other controls to detect events and identify incidents. 
Mitigating mechanisms may include: Data Loss Prevention (DLP); Filtering Network Traffic; Limit Network Traffic; Network Intrusion Prevention Systems (NIPS); and Network Segmentation for these type of network-based techniques."}, {"divider": true}, {"name": "control", "value": "PR.IR-01.03"}, {"name": "comment", "value": "This diagnostic statement protects against SMB/Windows Admin Shares through the use of secure network configurations, architecture, implementations of zero trust architecture, and segmentation."}, {"divider": true}, {"name": "control", "value": "PR.IR-01.04"}, {"name": "comment", "value": "This diagnostic statement provides protections for wireless networks. Implementation of wireless network management measures such as network segmentation and access controls reduces the attack surface, restricts movement by adversaries, and protects data from compromise."}, {"divider": true}, {"name": "control", "value": "PR.IR-01.06"}, {"name": "comment", "value": "This diagnostic statement provides protections for production environments. 
Measures such as network segmentation and access control reduce the attack surface, restrict movement by adversaries, and protect critical assets and data from compromise."}, {"divider": true}, {"name": "control", "value": "PR.AA-01.01"}, {"name": "comment", "value": "This diagnostic statement protects against SMB/Windows Admin Shares through the use of hardened access control policies, secure defaults, password complexity requirements, multifactor authentication requirements, and removal of terminated accounts."}, {"divider": true}, {"name": "control", "value": "PR.PS-01.08"}, {"name": "comment", "value": "This diagnostic statement protects against SMB/Windows Admin Shares through the use of limiting access to resources to only authorized devices, management of personal computing devices, network intrusion prevention, and the use of antimalware."}]}, {"techniqueID": "T1021.004", "score": 6, "comment": " Related to: \n \u2022PR.PS-01.07\n\u2022PR.AA-01.01\n\u2022PR.AA-02.01\n\u2022PR.IR-01.05\n\u2022PR.AA-05.02\n\u2022PR.AA-03.01", "metadata": [{"divider": true}, {"name": "control", "value": "PR.IR-01.05"}, {"name": "comment", "value": "This diagnostic statement implements security controls and restrictions for remote user access to systems. Remote user access control involves managing and securing how users remotely access systems, such as through encrypted connections and account use policies, which help prevent adversary access."}, {"divider": true}, {"name": "control", "value": "PR.AA-05.02"}, {"name": "comment", "value": "This diagnostic statement protects against SSH through the use of privileged account management and the use of multi-factor authentication."}, {"divider": true}, {"name": "control", "value": "PR.AA-02.01"}, {"name": "comment", "value": "This diagnostic statement provides protection from Remote Services through the implementation of authentication and identity management controls to limit lateral movement. 
Employing limitations to specific accounts, access control mechanisms, and auditing the attribution logs provides protection against adversaries attempting to move laterally."}, {"divider": true}, {"name": "control", "value": "PR.PS-01.07"}, {"name": "comment", "value": "This diagnostic statement protects against Remote Services: SSH through the use of revocation of keys and key management. Employing key protection strategies for key material used in SSH, limitations to specific accounts along with access control mechanisms limits adversaries attempting to use valid accounts on SSH."}, {"divider": true}, {"name": "control", "value": "PR.AA-03.01"}, {"name": "comment", "value": "This diagnostic statement describes how the organization implement appropriate authentication requirements, including selecting mechanisms based on risk, utilizing multi-factor authentication where necessary, and safeguarding the storage of authenticators like pins and passwords to protect sensitive access credentials."}, {"divider": true}, {"name": "control", "value": "PR.AA-01.01"}, {"name": "comment", "value": "This diagnostic statement protects against SSH through the use of hardened access control policies, secure defaults, password complexity requirements, multifactor authentication requirements, and removal of terminated accounts."}]}, {"techniqueID": "T1021.006", "score": 8, "comment": " Related to: \n \u2022DE.CM-06.02\n\u2022PR.IR-01.04\n\u2022PR.IR-01.06\n\u2022PR.IR-01.01\n\u2022PR.IR-01.05\n\u2022PR.IR-01.02\n\u2022PR.AA-05.03\n\u2022PR.AA-05.02", "metadata": [{"divider": true}, {"name": "control", "value": "PR.IR-01.05"}, {"name": "comment", "value": "This diagnostic statement implements security controls and restrictions for remote user access to systems. 
Remote user access control involves managing and securing how users remotely access systems, such as through encrypted connections and account use policies, which help prevent adversary access."}, {"divider": true}, {"name": "control", "value": "PR.IR-01.04"}, {"name": "comment", "value": "This diagnostic statement provides protections for wireless networks. Implementation of wireless network management measures such as network segmentation and access controls reduces the attack surface, restricts movement by adversaries, and protects data from compromise."}, {"divider": true}, {"name": "control", "value": "PR.AA-05.03"}, {"name": "comment", "value": "This diagnostic statement is for the implementation of security controls for service accounts (i.e., accounts used by systems to access other systems). Minimize service account permissions and access for the service to mitigate exploitation via the WinRM service account."}, {"divider": true}, {"name": "control", "value": "PR.AA-05.02"}, {"name": "comment", "value": "This diagnostic statement protects against Windows Remote Management through the use of privileged account management and the use of multi-factor authentication."}, {"divider": true}, {"name": "control", "value": "DE.CM-06.02"}, {"name": "comment", "value": "This diagnostic statement protects against Windows Remote Management through the use of privileged account management. Employing auditing, privilege access management, and just in time access protects against adversaries trying to obtain illicit access to critical systems."}, {"divider": true}, {"name": "control", "value": "PR.IR-01.01"}, {"name": "comment", "value": "This diagnostic statement is for the implementation of network segmentation which helps prevent access to critical systems and sensitive information. 
Employing measures such as blocking or restricting WinRM provides protection against adversaries attempting to exploit this service."}, {"divider": true}, {"name": "control", "value": "PR.IR-01.02"}, {"name": "comment", "value": "This diagnostic statement provides protection through secure network device configurations (e.g., firewall rules, ports, protocols) aligned to security baselines. Using network appliances to block or filter network traffic that is not necessary within the environment can mitigate adversary use of remote services."}, {"divider": true}, {"name": "control", "value": "PR.IR-01.06"}, {"name": "comment", "value": "This diagnostic statement provides protections for production environments. Measures such as network segmentation and access control reduce the attack surface, restrict movement by adversaries, and protect critical assets and data from compromise."}]}, {"techniqueID": "T1021.005", "score": 5, "comment": " Related to: \n \u2022PR.IR-04.01\n\u2022PR.IR-01.03\n\u2022PR.IR-01.05\n\u2022PR.IR-01.02\n\u2022PR.PS-01.08", "metadata": [{"divider": true}, {"name": "control", "value": "PR.IR-01.05"}, {"name": "comment", "value": "This diagnostic statement implements security controls and restrictions for remote user access to systems. Remote user access control involves managing and securing how users remotely access systems, such as through encrypted connections and account use policies, which help prevent adversary access."}, {"divider": true}, {"name": "control", "value": "PR.IR-04.01"}, {"name": "comment", "value": "This diagnostic statement describes how the organization establishes and manages baseline measures of network activity. Supported by network monitoring tools and other controls to detect events and identify incidents. 
Mitigating mechanisms may include: Data Loss Prevention (DLP); Filtering Network Traffic; Limit Network Traffic; Network Intrusion Prevention Systems (NIPS); and Network Segmentation for these type of network-based techniques."}, {"divider": true}, {"name": "control", "value": "PR.IR-01.02"}, {"name": "comment", "value": "This diagnostic statement provides protection through secure network device configurations (e.g., firewall rules, ports, protocols) aligned to security baselines. Using network appliances to block or filter network traffic that is not necessary within the environment can mitigate adversary use of remote services."}, {"divider": true}, {"name": "control", "value": "PR.IR-01.03"}, {"name": "comment", "value": "This diagnostic statement protects against VNC through the use of secure network configurations, architecture, implementations of zero trust architecture, and segmentation."}, {"divider": true}, {"name": "control", "value": "PR.PS-01.08"}, {"name": "comment", "value": "This diagnostic statement protects against VNC through the use of limiting access to resources to only authorized devices, management of personal computing devices, network intrusion prevention, and the use of antimalware."}]}, {"techniqueID": "T1021.003", "score": 9, "comment": " Related to: \n \u2022DE.CM-06.02\n\u2022PR.IR-01.04\n\u2022PR.PS-05.02\n\u2022PR.IR-01.06\n\u2022PR.IR-01.01\n\u2022PR.IR-01.05\n\u2022PR.IR-01.02\n\u2022PR.AA-05.03\n\u2022PR.AA-05.02", "metadata": [{"divider": true}, {"name": "control", "value": "PR.IR-01.05"}, {"name": "comment", "value": "This diagnostic statement implements security controls and restrictions for remote user access to systems. 
Remote user access control involves managing and securing how users remotely access systems, such as through encrypted connections and account use policies, which help prevent adversary access."}, {"divider": true}, {"name": "control", "value": "PR.AA-05.02"}, {"name": "comment", "value": "This diagnostic statement protects against Distributed Component Object Model through the use of privileged account management and the use of multi-factor authentication."}, {"divider": true}, {"name": "control", "value": "DE.CM-06.02"}, {"name": "comment", "value": "This diagnostic statement protects against Distributed Component Object Model through the use of privileged account management. Employing auditing, privilege access management, and just in time access protects against adversaries trying to obtain illicit access to critical systems."}, {"divider": true}, {"name": "control", "value": "PR.PS-05.02"}, {"name": "comment", "value": "Mobile code procedures address specific actions taken to prevent the development, acquisition, and introduction of unacceptable mobile code within organizational systems, including requiring mobile code to be digitally signed by a trusted source."}, {"divider": true}, {"name": "control", "value": "PR.AA-05.03"}, {"name": "comment", "value": "This diagnostic statement is for the implementation of security controls for service accounts (i.e., accounts used by systems to access other systems). Minimize service account permissions and access for the service to mitigate exploitation via Distributed Component Object Model (DCOM)."}, {"divider": true}, {"name": "control", "value": "PR.IR-01.01"}, {"name": "comment", "value": "This diagnostic statement is for the implementation of network segmentation which helps prevent access to critical systems and sensitive information. 
Employing measures such as Windows Firewall provides protection against adversaries attempting to exploit Distributed Component Object Model."}, {"divider": true}, {"name": "control", "value": "PR.IR-01.02"}, {"name": "comment", "value": "This diagnostic statement provides protection through secure network device configurations (e.g., firewall rules, ports, protocols) aligned to security baselines. Using network appliances to block or filter network traffic that is not necessary within the environment can mitigate adversary use of remote services."}, {"divider": true}, {"name": "control", "value": "PR.IR-01.04"}, {"name": "comment", "value": "This diagnostic statement provides protections for wireless networks. Implementation of wireless network management measures such as network segmentation and access controls reduces the attack surface, restricts movement by adversaries, and protects data from compromise."}, {"divider": true}, {"name": "control", "value": "PR.IR-01.06"}, {"name": "comment", "value": "This diagnostic statement provides protections for production environments. Measures such as network segmentation and access control reduce the attack surface, restrict movement by adversaries, and protect critical assets and data from compromise."}]}, {"techniqueID": "T1021.001", "score": 16, "comment": " Related to: \n \u2022DE.CM-06.02\n\u2022PR.PS-01.07\n\u2022PR.IR-01.04\n\u2022PR.PS-01.01\n\u2022PR.IR-01.06\n\u2022PR.AA-01.01\n\u2022PR.IR-01.01\n\u2022PR.AA-02.01\n\u2022PR.IR-01.05\n\u2022PR.IR-01.03\n\u2022PR.AA-03.01\n\u2022PR.IR-01.02\n\u2022PR.PS-01.02\n\u2022PR.AA-05.02\n\u2022PR.PS-01.03\n\u2022PR.PS-01.08", "metadata": [{"divider": true}, {"name": "control", "value": "PR.IR-01.05"}, {"name": "comment", "value": "This diagnostic statement implements security controls and restrictions for remote user access to systems. 
Remote user access control involves managing and securing how users remotely access systems, such as through encrypted connections and account use policies, which help prevent adversary access."}, {"divider": true}, {"name": "control", "value": "PR.IR-01.06"}, {"name": "comment", "value": "This diagnostic statement provides protections for production environments. Measures such as network segmentation and access control reduce the attack surface, restrict movement by adversaries, and protect critical assets and data from compromise."}, {"divider": true}, {"name": "control", "value": "PR.PS-01.01"}, {"name": "comment", "value": "This diagnostic statement provides for securely configuring production systems. This includes hardening default configurations and making security-focused setting adjustments to reduce the attack surface, enforce best practices, and protect sensitive data thereby mitigating adversary exploitation."}, {"divider": true}, {"name": "control", "value": "PR.PS-01.02"}, {"name": "comment", "value": "This diagnostic statement provides for limiting unnecessary software, services, ports, protocols, etc. Ensuring systems only have installed and enabled what is essential for their operation reduces the attack surface and minimizes vulnerabilities, which mitigates a wide range of techniques."}, {"divider": true}, {"name": "control", "value": "PR.AA-05.02"}, {"name": "comment", "value": "This diagnostic statement protects against Remote Desktop Protocol through the use of privileged account management and the use of multi-factor authentication."}, {"divider": true}, {"name": "control", "value": "DE.CM-06.02"}, {"name": "comment", "value": "This diagnostic statement protects against Remote Desktop Protocol through the use of privileged account management. 
Employing auditing, privilege access management, and just in time access protects against adversaries trying to obtain illicit access to critical systems."}, {"divider": true}, {"name": "control", "value": "PR.AA-02.01"}, {"name": "comment", "value": "This diagnostic statement provides protection from Remote Services through the implementation of authentication and identity management controls to limit lateral movement. Employing limitations to specific accounts, access control mechanisms, and auditing the attribution logs provides protection against adversaries attempting to move laterally."}, {"divider": true}, {"name": "control", "value": "PR.PS-01.03"}, {"name": "comment", "value": "This diagnostic statement provides protection from Remote Desktop Protocol through the implementation of security configuration baselines for OS, software, file integrity monitoring and imaging. Security baseline configuration of the Operating System and integrity checking can help protect against adversaries attempting to compromise and modify software and its configurations."}, {"divider": true}, {"name": "control", "value": "PR.PS-01.07"}, {"name": "comment", "value": "This diagnostic statement protects against Remote Services: Remote Desktop Protocol (RDP) through the use of revocation of keys and key management. 
Employing key protection strategies such as multi-factor authentication for key material used in authentication for RDP, limitations to specific accounts along with access control mechanisms provides protection against adversaries attempting to use valid accounts over RDP."}, {"divider": true}, {"name": "control", "value": "PR.AA-03.01"}, {"name": "comment", "value": "This diagnostic statement describes how the organization implements appropriate authentication requirements, including selecting mechanisms based on risk, utilizing multi-factor authentication where necessary, and safeguarding the storage of authenticators like PINs and passwords to protect sensitive access credentials."}, {"divider": true}, {"name": "control", "value": "PR.IR-01.01"}, {"name": "comment", "value": "This diagnostic statement is for the implementation of network segmentation which helps prevent access to critical systems and sensitive information. Employing measures such as blocking RDP traffic between network security zones provides protection against adversaries attempting to use RDP to expand access."}, {"divider": true}, {"name": "control", "value": "PR.IR-01.02"}, {"name": "comment", "value": "This diagnostic statement provides protection through secure network device configurations (e.g., firewall rules, ports, protocols) aligned to security baselines. Using network appliances to block or filter network traffic that is not necessary within the environment can mitigate adversary use of remote services."}, {"divider": true}, {"name": "control", "value": "PR.IR-01.03"}, {"name": "comment", "value": "This diagnostic statement protects against Remote Desktop Protocol through the use of secure network configurations, architecture, implementations of zero trust architecture, and segmentation."}, {"divider": true}, {"name": "control", "value": "PR.IR-01.04"}, {"name": "comment", "value": "This diagnostic statement provides protections for wireless networks. 
Implementation of wireless network management measures such as network segmentation and access controls reduces the attack surface, restricts movement by adversaries, and protects data from compromise."}, {"divider": true}, {"name": "control", "value": "PR.AA-01.01"}, {"name": "comment", "value": "This diagnostic statement protects against Remote Desktop Protocol through the use of hardened access control policies, secure defaults, password complexity requirements, multifactor authentication requirements, and removal of terminated accounts."}, {"divider": true}, {"name": "control", "value": "PR.PS-01.08"}, {"name": "comment", "value": "This diagnostic statement protects against Remote Desktop Protocol through the use of limiting access to resources to only authorized devices, management of personal computing devices, network intrusion prevention, and the use of antimalware."}]}, {"techniqueID": "T1021", "score": 18, "comment": " Related to: \n \u2022DE.CM-06.02\n\u2022PR.PS-01.07\n\u2022PR.IR-04.01\n\u2022PR.IR-01.04\n\u2022PR.PS-05.02\n\u2022PR.IR-01.06\n\u2022PR.AA-01.01\n\u2022PR.IR-01.03\n\u2022PR.AA-02.01\n\u2022PR.IR-01.05\n\u2022PR.AA-05.01\n\u2022PR.AA-03.01\n\u2022PR.AA-05.03\n\u2022PR.AA-01.02\n\u2022PR.IR-01.02\n\u2022PR.AA-05.02\n\u2022PR.PS-01.03\n\u2022PR.PS-01.08", "metadata": [{"divider": true}, {"name": "control", "value": "PR.IR-01.05"}, {"name": "comment", "value": "This diagnostic statement implements security controls and restrictions for remote user access to systems. Remote user access control involves managing and securing how users remotely access systems, such as through encrypted connections and account use policies, which help prevent adversary access."}, {"divider": true}, {"name": "control", "value": "PR.AA-05.03"}, {"name": "comment", "value": "This diagnostic statement is for the implementation of security controls for service accounts (i.e., accounts used by systems to access other systems). 
Minimize service account permissions and access for the service to mitigate exploitation via remote services that use service accounts."}, {"divider": true}, {"name": "control", "value": "PR.AA-05.02"}, {"name": "comment", "value": "This diagnostic statement protects against Remote Services through the use of privileged account management and the use of multi-factor authentication."}, {"divider": true}, {"name": "control", "value": "DE.CM-06.02"}, {"name": "comment", "value": "This diagnostic statement protects against Remote Services through the use of privileged account management. Employing auditing, privilege access management, and just in time access protects against adversaries trying to obtain illicit access to critical systems."}, {"divider": true}, {"name": "control", "value": "PR.AA-02.01"}, {"name": "comment", "value": "This diagnostic statement provides protection from Remote Services through the implementation of authentication and identity management controls to limit lateral movement. Employing limitations to specific accounts, access control mechanisms, and auditing the attribution logs provides protection against adversaries attempting to move laterally."}, {"divider": true}, {"name": "control", "value": "PR.AA-05.01"}, {"name": "comment", "value": "This diagnostic statement describes the implementation of least privilege principle, which can be applied to limiting permissions through role-based access controls, file and directory permissions, and the execution of systems and services. Limiting users' access to resources over network can help mitigate these techniques. This includes limiting access to file shares, remote access to systems, and unnecessary services."}, {"divider": true}, {"name": "control", "value": "PR.PS-01.03"}, {"name": "comment", "value": "This diagnostic statement provides protection from Remote Services through the implementation of security configuration baselines for OS, software, file integrity monitoring and imaging. 
Security baseline configuration of the Operating System and integrity checking can help protect against adversaries attempting to compromise and modify software and its configurations."}, {"divider": true}, {"name": "control", "value": "PR.PS-05.02"}, {"name": "comment", "value": "Mobile code procedures address specific actions taken to prevent the development, acquisition, and introduction of unacceptable mobile code within organizational systems, including requiring mobile code to be digitally signed by a trusted source."}, {"divider": true}, {"name": "control", "value": "PR.PS-01.07"}, {"name": "comment", "value": "This diagnostic statement protects against Remote Services through the use of revocation of keys and key management. Employing key protection strategies for key material used in identity management and authentication processes transmitted over networks, limitations to specific accounts along with access control mechanisms provides protection against adversaries attempting to misuse remote services."}, {"divider": true}, {"name": "control", "value": "PR.AA-01.02"}, {"name": "comment", "value": "This diagnostic statement describes how the organization ensures users are identified and authenticated before accessing systems, applications, and hardware, with logical access controls permitting access only to authorized individuals with legitimate business needs. 
Logical access controls in relation to systems can refer to the use of MFA, user account management, and other role-based access control mechanisms to enforce policies for authentication and authorization of user accounts."}, {"divider": true}, {"name": "control", "value": "PR.AA-03.01"}, {"name": "comment", "value": "This diagnostic statement describes how the organization implements appropriate authentication requirements, including selecting mechanisms based on risk, utilizing multi-factor authentication where necessary, and safeguarding the storage of authenticators like PINs and passwords to protect sensitive access credentials."}, {"divider": true}, {"name": "control", "value": "PR.IR-04.01"}, {"name": "comment", "value": "This diagnostic statement describes how the organization establishes and manages baseline measures of network activity. This is supported by network monitoring tools and other controls to detect events and identify incidents. Mitigating mechanisms may include: Data Loss Prevention (DLP); Filtering Network Traffic; Limit Network Traffic; Network Intrusion Prevention Systems (NIPS); and Network Segmentation for these types of network-based techniques."}, {"divider": true}, {"name": "control", "value": "PR.IR-01.02"}, {"name": "comment", "value": "This diagnostic statement provides protection through secure network device configurations (e.g., firewall rules, ports, protocols) aligned to security baselines. 
Using network appliances to block or filter network traffic that is not necessary within the environment can mitigate adversary use of remote services."}, {"divider": true}, {"name": "control", "value": "PR.IR-01.03"}, {"name": "comment", "value": "This diagnostic statement protects against Remote Services through the use of secure network configurations, architecture, implementations of zero trust architecture, and segmentation."}, {"divider": true}, {"name": "control", "value": "PR.IR-01.04"}, {"name": "comment", "value": "This diagnostic statement provides protections for wireless networks. Implementation of wireless network management measures such as network segmentation and access controls reduces the attack surface, restricts movement by adversaries, and protects data from compromise."}, {"divider": true}, {"name": "control", "value": "PR.IR-01.06"}, {"name": "comment", "value": "This diagnostic statement provides protections for production environments. Measures such as network segmentation and access control reduce the attack surface, restrict movement by adversaries, and protect critical assets and data from compromise."}, {"divider": true}, {"name": "control", "value": "PR.AA-01.01"}, {"name": "comment", "value": "This diagnostic statement protects against Remote Services through the use of hardened access control policies, secure defaults, password complexity requirements, multifactor authentication requirements, and removal of terminated accounts."}, {"divider": true}, {"name": "control", "value": "PR.PS-01.08"}, {"name": "comment", "value": "This diagnostic statement protects against Remote Services through the use of limiting access to resources to only authorized devices, management of personal computing devices, network intrusion prevention, and the use of antimalware."}]}, {"techniqueID": "T1556.006", "score": 6, "comment": " Related to: \n 
\u2022PR.PS-01.07\n\u2022DE.CM-03.03\n\u2022PR.AA-01.01\n\u2022PR.IR-01.05\n\u2022PR.AA-05.02\n\u2022PR.AA-03.01", "metadata": [{"divider": true}, {"name": "control", "value": "PR.IR-01.05"}, {"name": "comment", "value": "This diagnostic statement implements security controls and restrictions for remote user access to systems. Remote user access control involves managing and securing how users remotely access systems, such as through encrypted connections and account use policies, which help prevent adversary access."}, {"divider": true}, {"name": "control", "value": "PR.AA-05.02"}, {"name": "comment", "value": "This diagnostic statement protects against Multi-Factor Authentication through the use of privileged account management and the use of multi-factor authentication."}, {"divider": true}, {"name": "control", "value": "PR.PS-01.07"}, {"name": "comment", "value": "This diagnostic statement protects against Modify Authentication Process through the use of revocation of keys and key management. Employing key protection strategies and key management for key material used in identity management and authentication processes (including multi-factor authentication or MFA), limitations to specific accounts along with access control mechanisms provides protection against adversaries attempting to bypass or generate MFA requests."}, {"divider": true}, {"name": "control", "value": "DE.CM-03.03"}, {"name": "comment", "value": "This diagnostic statement implements mechanisms and tools to mitigate potential misuse of privileged users and accounts. 
Continuous monitoring of role and attribute assignments and activity is essential to prevent and detect unauthorized access or misuse."}, {"divider": true}, {"name": "control", "value": "PR.AA-03.01"}, {"name": "comment", "value": "This diagnostic statement describes how the organization implements appropriate authentication requirements, including selecting mechanisms based on risk, utilizing multi-factor authentication where necessary, and safeguarding the storage of authenticators like PINs and passwords to protect sensitive access credentials."}, {"divider": true}, {"name": "control", "value": "PR.AA-01.01"}, {"name": "comment", "value": "This diagnostic statement protects against Multi-Factor Authentication through the use of hardened access control policies, secure defaults, password complexity requirements, multifactor authentication requirements, and removal of terminated accounts."}]}, {"techniqueID": "T1133", "score": 12, "comment": " Related to: \n \u2022PR.PS-01.07\n\u2022PR.IR-04.01\n\u2022PR.IR-01.06\n\u2022PR.AA-01.01\n\u2022PR.IR-01.01\n\u2022PR.IR-01.03\n\u2022PR.IR-01.05\n\u2022PR.AA-05.01\n\u2022PR.IR-01.02\n\u2022PR.AA-05.02\n\u2022PR.AA-03.01\n\u2022PR.PS-01.08", "metadata": [{"divider": true}, {"name": "control", "value": "PR.IR-01.05"}, {"name": "comment", "value": "This diagnostic statement implements security controls and restrictions for remote user access to systems. Remote user access control involves managing and securing how users remotely access systems, such as through encrypted connections and account use policies, which help prevent adversary access."}, {"divider": true}, {"name": "control", "value": "PR.IR-01.06"}, {"name": "comment", "value": "This diagnostic statement provides protections for production environments. 
Measures such as network segmentation and access control reduce the attack surface, restrict movement by adversaries, and protect critical assets and data from compromise."}, {"divider": true}, {"name": "control", "value": "PR.AA-05.02"}, {"name": "comment", "value": "This diagnostic statement protects against External Remote Services through the use of privileged account management and the use of multi-factor authentication."}, {"divider": true}, {"name": "control", "value": "PR.AA-05.01"}, {"name": "comment", "value": "This diagnostic statement describes the implementation of least privilege principle, which can be applied to limiting permissions through role-based access controls, file and directory permissions, and the execution of systems and services. Limiting users' access to resources over network can help mitigate these techniques. Limit access to remote services through centrally managed concentrators such as VPNs and other managed remote access systems."}, {"divider": true}, {"name": "control", "value": "PR.PS-01.07"}, {"name": "comment", "value": "This diagnostic statement protects against External Remote Services through the use of revocation of keys and key management. 
Employing key protection strategies and key management for those used in external remote services, limitations to specific accounts along with access control mechanisms provides protection against adversaries attempting to access external remote services."}, {"divider": true}, {"name": "control", "value": "PR.AA-03.01"}, {"name": "comment", "value": "This diagnostic statement describes how the organization implements appropriate authentication requirements, including selecting mechanisms based on risk, utilizing multi-factor authentication where necessary, and safeguarding the storage of authenticators like PINs and passwords to protect sensitive access credentials."}, {"divider": true}, {"name": "control", "value": "PR.IR-01.01"}, {"name": "comment", "value": "This diagnostic statement is for the implementation of network segmentation which helps prevent access to critical systems and sensitive information. Deny direct remote access to internal systems to prevent adversaries from leveraging external-facing remote services to access and/or persist within a network."}, {"divider": true}, {"name": "control", "value": "PR.IR-04.01"}, {"name": "comment", "value": "This diagnostic statement describes how the organization establishes and manages baseline measures of network activity. This is supported by network monitoring tools and other controls to detect events and identify incidents. Mitigating mechanisms may include: Data Loss Prevention (DLP); Filtering Network Traffic; Limit Network Traffic; Network Intrusion Prevention Systems (NIPS); and Network Segmentation for these types of network-based techniques."}, {"divider": true}, {"name": "control", "value": "PR.IR-01.02"}, {"name": "comment", "value": "This diagnostic statement provides protection through secure network device configurations (e.g., firewall rules, ports, protocols) aligned to security baselines. 
Using network appliances to block or filter network traffic that is not necessary within the environment can prevent adversaries from leveraging externally-facing remote services to initially access and/or persist within a network."}, {"divider": true}, {"name": "control", "value": "PR.IR-01.03"}, {"name": "comment", "value": "This diagnostic statement protects against External Remote Services through the use of secure network configurations, architecture, implementations of zero trust architecture, and segmentation."}, {"divider": true}, {"name": "control", "value": "PR.AA-01.01"}, {"name": "comment", "value": "This diagnostic statement protects against External Remote Services through the use of hardened access control policies, secure defaults, password complexity requirements, multifactor authentication requirements, and removal of terminated accounts."}, {"divider": true}, {"name": "control", "value": "PR.PS-01.08"}, {"name": "comment", "value": "This diagnostic statement protects against External Remote Services through the use of limiting access to resources to only authorized devices, management of personal computing devices, network intrusion prevention, and the use of antimalware."}]}, {"techniqueID": "T1136.001", "score": 8, "comment": " Related to: \n \u2022DE.CM-06.02\n\u2022PR.PS-01.07\n\u2022PR.IR-01.06\n\u2022PR.AA-01.01\n\u2022PR.AA-02.01\n\u2022PR.IR-01.05\n\u2022PR.AA-05.02\n\u2022PR.AA-03.01", "metadata": [{"divider": true}, {"name": "control", "value": "PR.IR-01.05"}, {"name": "comment", "value": "This diagnostic statement implements security controls and restrictions for remote user access to systems. 
Remote user access control involves managing and securing how users remotely access systems, such as through encrypted connections and account use policies, which help prevent adversary access."}, {"divider": true}, {"name": "control", "value": "PR.IR-01.06"}, {"name": "comment", "value": "This diagnostic statement provides protections for production environments. Measures such as network segmentation and access control reduce the attack surface, restrict movement by adversaries, and protect critical assets and data from compromise."}, {"divider": true}, {"name": "control", "value": "PR.AA-05.02"}, {"name": "comment", "value": "This diagnostic statement protects against Local Account through the use of privileged account management and the use of multi-factor authentication."}, {"divider": true}, {"name": "control", "value": "DE.CM-06.02"}, {"name": "comment", "value": "This diagnostic statement protects against Local Account through the use of privileged account management. Employing auditing, privilege access management, and just in time access protects against adversaries trying to obtain illicit access to critical systems."}, {"divider": true}, {"name": "control", "value": "PR.AA-02.01"}, {"name": "comment", "value": "This diagnostic statement provides protection from Create Account through the implementation of privileged account management controls to limit credential access. Employing limitations to specific accounts, access control mechanisms, and auditing the attribution logs provides protection against adversaries attempting to create accounts."}, {"divider": true}, {"name": "control", "value": "PR.PS-01.07"}, {"name": "comment", "value": "This diagnostic statement protects against Create Account through the use of revocation of keys and key management. 
Employing limitations to specific accounts along with access control mechanisms provides protection against adversaries attempting to create accounts."}, {"divider": true}, {"name": "control", "value": "PR.AA-03.01"}, {"name": "comment", "value": "This diagnostic statement describes how the organization implements appropriate authentication requirements, including selecting mechanisms based on risk, utilizing multi-factor authentication where necessary, and safeguarding the storage of authenticators like PINs and passwords to protect sensitive access credentials."}, {"divider": true}, {"name": "control", "value": "PR.AA-01.01"}, {"name": "comment", "value": "This diagnostic statement protects against Local Account through the use of hardened access control policies, secure defaults, password complexity requirements, multifactor authentication requirements, and removal of terminated accounts."}]}, {"techniqueID": "T1136.002", "score": 12, "comment": " Related to: \n \u2022DE.CM-06.02\n\u2022PR.PS-01.07\n\u2022PR.PS-01.01\n\u2022PR.IR-01.06\n\u2022PR.AA-01.01\n\u2022PR.IR-01.01\n\u2022PR.AA-02.01\n\u2022PR.IR-01.05\n\u2022PR.AA-03.01\n\u2022PR.PS-01.02\n\u2022PR.AA-05.02\n\u2022PR.PS-01.03", "metadata": [{"divider": true}, {"name": "control", "value": "PR.IR-01.05"}, {"name": "comment", "value": "This diagnostic statement implements security controls and restrictions for remote user access to systems. Remote user access control involves managing and securing how users remotely access systems, such as through encrypted connections and account use policies, which help prevent adversary access."}, {"divider": true}, {"name": "control", "value": "PR.IR-01.06"}, {"name": "comment", "value": "This diagnostic statement provides protections for production environments. 
Measures such as network segmentation and access control reduce the attack surface, restrict movement by adversaries, and protect critical assets and data from compromise."}, {"divider": true}, {"name": "control", "value": "PR.PS-01.01"}, {"name": "comment", "value": "This diagnostic statement provides for securely configuring production systems. This includes hardening default configurations and making security-focused setting adjustments to reduce the attack surface, enforce best practices, and protect sensitive data thereby mitigating adversary exploitation."}, {"divider": true}, {"name": "control", "value": "PR.PS-01.02"}, {"name": "comment", "value": "This diagnostic statement provides for limiting unnecessary software, services, ports, protocols, etc. Ensuring systems only have installed and enabled what is essential for their operation reduces the attack surface and minimizes vulnerabilities, which mitigates a wide range of techniques."}, {"divider": true}, {"name": "control", "value": "PR.AA-05.02"}, {"name": "comment", "value": "This diagnostic statement protects against Domain Account through the use of privileged account management and the use of multi-factor authentication."}, {"divider": true}, {"name": "control", "value": "DE.CM-06.02"}, {"name": "comment", "value": "This diagnostic statement protects against Domain Account through the use of privileged account management. Employing auditing, privilege access management, and just in time access protects against adversaries trying to obtain illicit access to critical systems."}, {"divider": true}, {"name": "control", "value": "PR.AA-02.01"}, {"name": "comment", "value": "This diagnostic statement provides protection from Create Account through the implementation of privileged account management controls to limit credential access. 
Employing limitations to specific accounts, access control mechanisms, and auditing the attribution logs provides protection against adversaries attempting to create accounts."}, {"divider": true}, {"name": "control", "value": "PR.PS-01.03"}, {"name": "comment", "value": "This diagnostic statement provides protection from Create Account: Domain Account through the implementation of security configuration baselines for OS, software, file integrity monitoring and imaging. Security baseline configuration of the Operating System and integrity checking can help protect against adversaries attempting to compromise and elevate privileges."}, {"divider": true}, {"name": "control", "value": "PR.PS-01.07"}, {"name": "comment", "value": "This diagnostic statement protects against Create Account through the use of revocation of keys and key management. Employing limitations to specific accounts along with access control mechanisms provides protection against adversaries attempting to create accounts."}, {"divider": true}, {"name": "control", "value": "PR.AA-03.01"}, {"name": "comment", "value": "This diagnostic statement describes how the organization implements appropriate authentication requirements, including selecting mechanisms based on risk, utilizing multi-factor authentication where necessary, and safeguarding the storage of authenticators like PINs and passwords to protect sensitive access credentials."}, {"divider": true}, {"name": "control", "value": "PR.IR-01.01"}, {"name": "comment", "value": "This diagnostic statement is for the implementation of network segmentation which helps prevent access to critical systems and sensitive information. 
Limit access to critical systems and domain controllers to provide protection against adversaries attempting to create accounts."}, {"divider": true}, {"name": "control", "value": "PR.AA-01.01"}, {"name": "comment", "value": "This diagnostic statement protects against Domain Account through the use of hardened access control policies, secure defaults, password complexity requirements, multifactor authentication requirements, and removal of terminated accounts."}]}, {"techniqueID": "T1136.003", "score": 9, "comment": " Related to: \n \u2022DE.CM-06.02\n\u2022PR.PS-01.07\n\u2022PR.IR-01.06\n\u2022PR.AA-01.01\n\u2022PR.IR-01.01\n\u2022PR.AA-02.01\n\u2022PR.IR-01.05\n\u2022PR.AA-05.02\n\u2022PR.AA-03.01", "metadata": [{"divider": true}, {"name": "control", "value": "PR.IR-01.05"}, {"name": "comment", "value": "This diagnostic statement implements security controls and restrictions for remote user access to systems. Remote user access control involves managing and securing how users remotely access systems, such as through encrypted connections and account use policies, which help prevent adversary access."}, {"divider": true}, {"name": "control", "value": "PR.IR-01.06"}, {"name": "comment", "value": "This diagnostic statement provides protections for production environments. Measures such as network segmentation and access control reduce the attack surface, restrict movement by adversaries, and protect critical assets and data from compromise."}, {"divider": true}, {"name": "control", "value": "PR.AA-05.02"}, {"name": "comment", "value": "This diagnostic statement protects against Cloud Account through the use of privileged account management and the use of multi-factor authentication."}, {"divider": true}, {"name": "control", "value": "DE.CM-06.02"}, {"name": "comment", "value": "This diagnostic statement protects against Cloud Account through the use of privileged account management. 
Employing auditing, privilege access management, and just in time access protects against adversaries trying to obtain illicit access to critical systems."}, {"divider": true}, {"name": "control", "value": "PR.AA-02.01"}, {"name": "comment", "value": "This diagnostic statement provides protection from Create Account through the implementation of privileged account management controls to limit credential access. Employing limitations to specific accounts, access control mechanisms, and auditing the attribution logs provides protection against adversaries attempting to create accounts."}, {"divider": true}, {"name": "control", "value": "PR.PS-01.07"}, {"name": "comment", "value": "This diagnostic statement protects against Create Account through the use of revocation of keys and key management. Employing limitations to specific accounts along with access control mechanisms provides protection against adversaries attempting to create accounts."}, {"divider": true}, {"name": "control", "value": "PR.AA-03.01"}, {"name": "comment", "value": "This diagnostic statement describes how the organization implement appropriate authentication requirements, including selecting mechanisms based on risk, utilizing multi-factor authentication where necessary, and safeguarding the storage of authenticators like pins and passwords to protect sensitive access credentials."}, {"divider": true}, {"name": "control", "value": "PR.IR-01.01"}, {"name": "comment", "value": "This diagnostic statement is for the implementation of network segmentation which helps prevent access to critical systems and sensitive information. 
Limit access to critical systems and domain controllers to provide protection against adversaries attempting to create accounts."}, {"divider": true}, {"name": "control", "value": "PR.AA-01.01"}, {"name": "comment", "value": "This diagnostic statement protects against Cloud Account through the use of hardened access control policies, secure defaults, password complexity requirements, multifactor authentication requirements, and removal of terminated accounts."}]}, {"techniqueID": "T1136", "score": 11, "comment": " Related to: \n \u2022PR.PS-01.07\n\u2022PR.PS-01.01\n\u2022PR.IR-01.06\n\u2022PR.AA-01.01\n\u2022PR.IR-01.01\n\u2022PR.AA-02.01\n\u2022PR.IR-01.05\n\u2022PR.AA-03.01\n\u2022PR.PS-01.02\n\u2022PR.AA-05.02\n\u2022PR.PS-01.03", "metadata": [{"divider": true}, {"name": "control", "value": "PR.IR-01.05"}, {"name": "comment", "value": "This diagnostic statement implements security controls and restrictions for remote user access to systems. Remote user access control involves managing and securing how users remotely access systems, such as through encrypted connections and account use policies, which help prevent adversary access."}, {"divider": true}, {"name": "control", "value": "PR.PS-01.01"}, {"name": "comment", "value": "This diagnostic statement provides for securely configuring production systems. This includes hardening default configurations and making security-focused setting adjustments to reduce the attack surface, enforce best practices, and protect sensitive data thereby mitigating adversary exploitation."}, {"divider": true}, {"name": "control", "value": "PR.PS-01.02"}, {"name": "comment", "value": "This diagnostic statement provides for limiting unnecessary software, services, ports, protocols, etc. 
Ensuring systems only have installed and enabled what is essential for their operation reduces the attack surface and minimizes vulnerabilities, which mitigates a wide range of techniques."}, {"divider": true}, {"name": "control", "value": "PR.AA-05.02"}, {"name": "comment", "value": "This diagnostic statement protects against Create Account through the use of privileged account management and the use of multi-factor authentication."}, {"divider": true}, {"name": "control", "value": "PR.AA-02.01"}, {"name": "comment", "value": "This diagnostic statement provides protection from Create Account through the implementation of privileged account management controls to limit credential access. Employing limitations to specific accounts, access control mechanisms, and auditing the attribution logs provides protection against adversaries attempting to create accounts."}, {"divider": true}, {"name": "control", "value": "PR.PS-01.03"}, {"name": "comment", "value": "This diagnostic statement provides protection from Create Account through the implementation of security configuration baselines for OS, software, file integrity monitoring and imaging. Security baseline configuration of the Operating System and integrity checking can help protect against adversaries attempting to compromise and elevate privileges."}, {"divider": true}, {"name": "control", "value": "PR.PS-01.07"}, {"name": "comment", "value": "This diagnostic statement protects against Create Account through the use of revocation of keys and key management. 
Employing limitations to specific accounts along with access control mechanisms provides protection against adversaries attempting to create accounts."}, {"divider": true}, {"name": "control", "value": "PR.AA-03.01"}, {"name": "comment", "value": "This diagnostic statement describes how the organization implement appropriate authentication requirements, including selecting mechanisms based on risk, utilizing multi-factor authentication where necessary, and safeguarding the storage of authenticators like pins and passwords to protect sensitive access credentials."}, {"divider": true}, {"name": "control", "value": "PR.IR-01.01"}, {"name": "comment", "value": "This diagnostic statement is for the implementation of network segmentation which helps prevent access to critical systems and sensitive information. Limit access to critical systems and domain controllers to provide protection against adversaries attempting to create accounts."}, {"divider": true}, {"name": "control", "value": "PR.IR-01.06"}, {"name": "comment", "value": "This diagnostic statement provides protections for production environments. 
Measures such as network segmentation and access control reduce the attack surface, restrict movement by adversaries, and protect critical assets and data from compromise."}, {"divider": true}, {"name": "control", "value": "PR.AA-01.01"}, {"name": "comment", "value": "This diagnostic statement protects against Create Account through the use of hardened access control policies, secure defaults, password complexity requirements, multifactor authentication requirements, and removal of terminated accounts."}]}, {"techniqueID": "T1098.006", "score": 8, "comment": " Related to: \n \u2022PR.PS-01.07\n\u2022DE.CM-03.03\n\u2022PR.AA-01.01\n\u2022PR.AA-02.01\n\u2022PR.IR-01.05\n\u2022PR.AA-01.02\n\u2022PR.AA-05.02\n\u2022PR.AA-03.01", "metadata": [{"divider": true}, {"name": "control", "value": "PR.IR-01.05"}, {"name": "comment", "value": "This diagnostic statement implements security controls and restrictions for remote user access to systems. Remote user access control involves managing and securing how users remotely access systems, such as through encrypted connections and account use policies, which help prevent adversary access."}, {"divider": true}, {"name": "control", "value": "DE.CM-03.03"}, {"name": "comment", "value": "This diagnostic statement implements mechanisms and tools to mitigate potential misuse of privileged users and accounts. 
Continuous monitoring of role and attribute assignments and activity is essential to prevent and detect unauthorized access or misuse."}, {"divider": true}, {"name": "control", "value": "PR.AA-05.02"}, {"name": "comment", "value": "This diagnostic statement protects against Additional Container Cluster Roles through the use of privileged account management and the use of multi-factor authentication."}, {"divider": true}, {"name": "control", "value": "PR.AA-02.01"}, {"name": "comment", "value": "This diagnostic statement provides protection from Account Manipulation through the implementation of privileged account management controls to limit credential access. Employing limitations to specific accounts, access control mechanisms, and auditing the attribution logs provides protection against adversaries attempting to modify accounts."}, {"divider": true}, {"name": "control", "value": "PR.PS-01.07"}, {"name": "comment", "value": "This diagnostic statement protects against Account Manipulation through the use of revocation of keys and key management. Employing limitations to specific accounts along with access control mechanisms provides protection against adversaries attempting to manipulate accounts."}, {"divider": true}, {"name": "control", "value": "PR.AA-01.02"}, {"name": "comment", "value": "This diagnostic statement describes how the organization ensures users are identified and authenticated before accessing systems, applications, and hardware, with logical access controls permitting access only to authorized individuals with legitimate business needs. 
Logical access controls in relation to systems can refer to the use of MFA, user account management, and other role-based access control mechanisms to enforce policies for authentication and authorization of user accounts."}, {"divider": true}, {"name": "control", "value": "PR.AA-03.01"}, {"name": "comment", "value": "This diagnostic statement describes how the organization implement appropriate authentication requirements, including selecting mechanisms based on risk, utilizing multi-factor authentication where necessary, and safeguarding the storage of authenticators like pins and passwords to protect sensitive access credentials."}, {"divider": true}, {"name": "control", "value": "PR.AA-01.01"}, {"name": "comment", "value": "This diagnostic statement protects against Additional Container Cluster Roles through the use of hardened access control policies, secure defaults, password complexity requirements, multifactor authentication requirements, and removal of terminated accounts."}]}, {"techniqueID": "T1098.001", "score": 11, "comment": " Related to: \n \u2022DE.CM-06.02\n\u2022PR.PS-01.07\n\u2022DE.CM-03.03\n\u2022PR.IR-01.06\n\u2022PR.IR-01.01\n\u2022PR.AA-02.01\n\u2022PR.IR-01.05\n\u2022PR.AA-01.01\n\u2022PR.AA-01.02\n\u2022PR.AA-05.02\n\u2022PR.AA-03.01", "metadata": [{"divider": true}, {"name": "control", "value": "PR.IR-01.05"}, {"name": "comment", "value": "This diagnostic statement implements security controls and restrictions for remote user access to systems. 
Remote user access control involves managing and securing how users remotely access systems, such as through encrypted connections and account use policies, which help prevent adversary access."}, {"divider": true}, {"name": "control", "value": "PR.AA-05.02"}, {"name": "comment", "value": "This diagnostic statement protects against Additional Cloud Credentials through the use of privileged account management and the use of multi-factor authentication."}, {"divider": true}, {"name": "control", "value": "DE.CM-06.02"}, {"name": "comment", "value": "This diagnostic statement protects against Additional Cloud Credentials through the use of privileged account management. Employing auditing, privilege access management, and just in time access protects against adversaries trying to obtain illicit access to critical systems."}, {"divider": true}, {"name": "control", "value": "PR.AA-02.01"}, {"name": "comment", "value": "This diagnostic statement provides protection from Account Manipulation through the implementation of privileged account management controls to limit credential access. Employing limitations to specific accounts, access control mechanisms, and auditing the attribution logs provides protection against adversaries attempting to modify accounts."}, {"divider": true}, {"name": "control", "value": "PR.PS-01.07"}, {"name": "comment", "value": "This diagnostic statement protects against Account Manipulation through the use of revocation of keys and key management. Employing limitations to specific accounts along with access control mechanisms provides protection against adversaries attempting to manipulate accounts."}, {"divider": true}, {"name": "control", "value": "DE.CM-03.03"}, {"name": "comment", "value": "This diagnostic statement implements mechanisms and tools to mitigate potential misuse of privileged users and accounts. 
Continuous monitoring of role and attribute assignments and activity is essential to prevent and detect unauthorized access or misuse."}, {"divider": true}, {"name": "control", "value": "PR.AA-01.02"}, {"name": "comment", "value": "This diagnostic statement describes how the organization ensures users are identified and authenticated before accessing systems, applications, and hardware, with logical access controls permitting access only to authorized individuals with legitimate business needs. Logical access controls in relation to systems can refer to the use of MFA, user account management, and other role-based access control mechanisms to enforce policies for authentication and authorization of user accounts."}, {"divider": true}, {"name": "control", "value": "PR.AA-03.01"}, {"name": "comment", "value": "This diagnostic statement describes how the organization implement appropriate authentication requirements, including selecting mechanisms based on risk, utilizing multi-factor authentication where necessary, and safeguarding the storage of authenticators like pins and passwords to protect sensitive access credentials."}, {"divider": true}, {"name": "control", "value": "PR.IR-01.01"}, {"name": "comment", "value": "This diagnostic statement is for the implementation of network segmentation which helps prevent access to critical systems and sensitive information. Employing proper network segmentation limits access to critical systems and domain controllers."}, {"divider": true}, {"name": "control", "value": "PR.IR-01.06"}, {"name": "comment", "value": "This diagnostic statement provides protections for production environments. 
Measures such as network segmentation and access control reduce the attack surface, restrict movement by adversaries, and protect critical assets and data from compromise."}, {"divider": true}, {"name": "control", "value": "PR.AA-01.01"}, {"name": "comment", "value": "This diagnostic statement protects against Additional Cloud Credentials through the use of hardened access control policies, secure defaults, password complexity requirements, multifactor authentication requirements, and removal of terminated accounts."}]}, {"techniqueID": "T1098.002", "score": 7, "comment": " Related to: \n \u2022DE.CM-06.02\n\u2022PR.PS-01.07\n\u2022DE.CM-03.03\n\u2022PR.IR-01.06\n\u2022PR.AA-01.01\n\u2022PR.IR-01.05\n\u2022PR.AA-05.02", "metadata": [{"divider": true}, {"name": "control", "value": "PR.IR-01.05"}, {"name": "comment", "value": "This diagnostic statement implements security controls and restrictions for remote user access to systems. Remote user access control involves managing and securing how users remotely access systems, such as through encrypted connections and account use policies, which help prevent adversary access."}, {"divider": true}, {"name": "control", "value": "PR.AA-05.02"}, {"name": "comment", "value": "This diagnostic statement protects against Additional Email Delegate Permissions through the use of privileged account management and the use of multi-factor authentication."}, {"divider": true}, {"name": "control", "value": "DE.CM-06.02"}, {"name": "comment", "value": "This diagnostic statement protects against Additional Email Delegate Permissions through the use of privileged account management. 
Employing auditing, privilege access management, and just in time access protects against adversaries trying to obtain illicit access to critical systems."}, {"divider": true}, {"name": "control", "value": "PR.PS-01.07"}, {"name": "comment", "value": "This diagnostic statement protects against Account Manipulation through the use of revocation of keys and key management. Employing limitations to specific accounts along with access control mechanisms provides protection against adversaries attempting to add permissions to accounts."}, {"divider": true}, {"name": "control", "value": "DE.CM-03.03"}, {"name": "comment", "value": "This diagnostic statement implements mechanisms and tools to mitigate potential misuse of privileged users and accounts. Continuous monitoring of role and attribute assignments and activity is essential to prevent and detect unauthorized access or misuse."}, {"divider": true}, {"name": "control", "value": "PR.IR-01.06"}, {"name": "comment", "value": "This diagnostic statement provides protections for production environments. 
Measures such as network segmentation and access control reduce the attack surface, restrict movement by adversaries, and protect critical assets and data from compromise."}, {"divider": true}, {"name": "control", "value": "PR.AA-01.01"}, {"name": "comment", "value": "This diagnostic statement protects against Additional Email Delegate Permissions through the use of hardened access control policies, secure defaults, password complexity requirements, multifactor authentication requirements, and removal of terminated accounts."}]}, {"techniqueID": "T1098.003", "score": 10, "comment": " Related to: \n \u2022DE.CM-06.02\n\u2022PR.PS-01.07\n\u2022DE.CM-03.03\n\u2022PR.IR-01.06\n\u2022PR.AA-01.01\n\u2022PR.AA-02.01\n\u2022PR.IR-01.05\n\u2022PR.AA-01.02\n\u2022PR.AA-05.02\n\u2022PR.AA-03.01", "metadata": [{"divider": true}, {"name": "control", "value": "PR.IR-01.05"}, {"name": "comment", "value": "This diagnostic statement implements security controls and restrictions for remote user access to systems. Remote user access control involves managing and securing how users remotely access systems, such as through encrypted connections and account use policies, which help prevent adversary access."}, {"divider": true}, {"name": "control", "value": "PR.AA-05.02"}, {"name": "comment", "value": "This diagnostic statement protects against Additional Cloud Roles through the use of privileged account management and the use of multi-factor authentication."}, {"divider": true}, {"name": "control", "value": "DE.CM-06.02"}, {"name": "comment", "value": "This diagnostic statement protects against Additional Cloud Roles through the use of privileged account management. 
Employing auditing, privilege access management, and just in time access protects against adversaries trying to obtain illicit access to critical systems."}, {"divider": true}, {"name": "control", "value": "PR.AA-02.01"}, {"name": "comment", "value": "This diagnostic statement provides protection from Account Manipulation through the implementation of privileged account management controls to limit credential access. Employing limitations to specific accounts, access control mechanisms, and auditing the attribution logs provides protection against adversaries attempting to modify accounts."}, {"divider": true}, {"name": "control", "value": "PR.PS-01.07"}, {"name": "comment", "value": "This diagnostic statement protects against Account Manipulation through the use of revocation of keys and key management. Employing limitations to specific accounts along with access control mechanisms provides protection against adversaries attempting to manipulate accounts."}, {"divider": true}, {"name": "control", "value": "DE.CM-03.03"}, {"name": "comment", "value": "This diagnostic statement implements mechanisms and tools to mitigate potential misuse of privileged users and accounts. Continuous monitoring of role and attribute assignments and activity is essential to prevent and detect unauthorized access or misuse."}, {"divider": true}, {"name": "control", "value": "PR.AA-01.02"}, {"name": "comment", "value": "This diagnostic statement describes how the organization ensures users are identified and authenticated before accessing systems, applications, and hardware, with logical access controls permitting access only to authorized individuals with legitimate business needs. 
Logical access controls in relation to systems can refer to the use of MFA, user account management, and other role-based access control mechanisms to enforce policies for authentication and authorization of user accounts."}, {"divider": true}, {"name": "control", "value": "PR.AA-03.01"}, {"name": "comment", "value": "This diagnostic statement describes how the organization implement appropriate authentication requirements, including selecting mechanisms based on risk, utilizing multi-factor authentication where necessary, and safeguarding the storage of authenticators like pins and passwords to protect sensitive access credentials."}, {"divider": true}, {"name": "control", "value": "PR.IR-01.06"}, {"name": "comment", "value": "This diagnostic statement provides protections for production environments. Measures such as network segmentation and access control reduce the attack surface, restrict movement by adversaries, and protect critical assets and data from compromise."}, {"divider": true}, {"name": "control", "value": "PR.AA-01.01"}, {"name": "comment", "value": "This diagnostic statement protects against Additional Cloud Roles through the use of hardened access control policies, secure defaults, password complexity requirements, multifactor authentication requirements, and removal of terminated accounts."}]}, {"techniqueID": "T1098", "score": 19, "comment": " Related to: \n \u2022DE.CM-06.02\n\u2022PR.PS-01.09\n\u2022PR.IR-01.06\n\u2022PR.AA-05.03\n\u2022PR.AA-01.01\n\u2022PR.AA-05.02\n\u2022PR.PS-01.03\n\u2022PR.PS-01.07\n\u2022PR.IR-01.04\n\u2022PR.AA-01.02\n\u2022PR.PS-01.02\n\u2022PR.PS-01.01\n\u2022DE.CM-03.03\n\u2022PR.IR-01.01\n\u2022PR.AA-02.01\n\u2022PR.IR-01.05\n\u2022PR.AA-05.01\n\u2022PR.AA-03.01\n\u2022PR.AA-04.01", "metadata": [{"divider": true}, {"name": "control", "value": "PR.IR-01.05"}, {"name": "comment", "value": "This diagnostic statement implements security controls and restrictions for remote user access to systems. 
Remote user access control involves managing and securing how users remotely access systems, such as through encrypted connections and account use policies, which help prevent adversary access."}, {"divider": true}, {"name": "control", "value": "PR.IR-01.04"}, {"name": "comment", "value": "This diagnostic statement provides protections for wireless networks. Implementation of wireless network management measures such as network segmentation and access controls reduces the attack surface, restricts movement by adversaries, and protects data from compromise."}, {"divider": true}, {"name": "control", "value": "PR.PS-01.01"}, {"name": "comment", "value": "This diagnostic statement provides for securely configuring production systems. This includes hardening default configurations and making security-focused setting adjustments to reduce the attack surface, enforce best practices, and protect sensitive data thereby mitigating adversary exploitation."}, {"divider": true}, {"name": "control", "value": "PR.PS-01.02"}, {"name": "comment", "value": "This diagnostic statement provides for limiting unnecessary software, services, ports, protocols, etc. Ensuring systems only have installed and enabled what is essential for their operation reduces the attack surface and minimizes vulnerabilities, which mitigates a wide range of techniques."}, {"divider": true}, {"name": "control", "value": "PR.AA-05.02"}, {"name": "comment", "value": "This diagnostic statement protects against Account Manipulation through the use of privileged account management and the use of multi-factor authentication."}, {"divider": true}, {"name": "control", "value": "DE.CM-06.02"}, {"name": "comment", "value": "This diagnostic statement protects against Account Manipulation through the use of privileged account management. 
Employing auditing, privilege access management, and just in time access protects against adversaries trying to obtain illicit access to critical systems."}, {"divider": true}, {"name": "control", "value": "PR.AA-02.01"}, {"name": "comment", "value": "This diagnostic statement provides protection from Account Manipulation through the implementation of privileged account management controls to limit credential access. Employing limitations to specific accounts, access control mechanisms, and auditing the attribution logs provides protection against adversaries attempting to modify accounts."}, {"divider": true}, {"name": "control", "value": "PR.AA-04.01"}, {"name": "comment", "value": "This diagnostic statement provides protection from Account Manipulation through the implementation of privileged account management controls to limit credential access. Employing limitations to specific accounts, access control mechanisms, and auditing the attribution logs provides protection against adversaries attempting to modify accounts."}, {"divider": true}, {"name": "control", "value": "PR.AA-05.01"}, {"name": "comment", "value": "This diagnostic statement describes the implementation of the least privilege principle, which can be applied to limiting permissions through role-based access controls, file and directory permissions, and the execution of systems and services. An adversary must already have high-level, admin or root level access on a local system to make full use of these ATT&CK techniques. Restricting users and accounts to the least privileges they require can help mitigate these techniques."}, {"divider": true}, {"name": "control", "value": "PR.PS-01.03"}, {"name": "comment", "value": "This diagnostic statement provides protection from Account Manipulation through the implementation of security configuration baselines for OS, software, file integrity monitoring and imaging. 
Security baseline configuration of the Operating System and integrity checking can help protect against adversaries attempting to compromise and modify software and its configurations."}, {"divider": true}, {"name": "control", "value": "PR.PS-01.07"}, {"name": "comment", "value": "This diagnostic statement protects against Account Manipulation through the use of revocation of keys and key management. Employing limitations to specific accounts along with access control mechanisms provides protection against adversaries attempting to manipulate accounts."}, {"divider": true}, {"name": "control", "value": "PR.PS-01.09"}, {"name": "comment", "value": "The diagnostic statement highlights several mechanisms that organizations can implement to protect endpoint systems using virtualization technologies, essentially hypervisor hardening. Use multi-factor authentication for user and privileged accounts running virtual machines."}, {"divider": true}, {"name": "control", "value": "PR.AA-05.03"}, {"name": "comment", "value": "This diagnostic statement describes how the organization establishes security standards based on industry guidelines to institute strict controls over service accounts (i.e., accounts used by systems to access other systems). "}, {"divider": true}, {"name": "control", "value": "DE.CM-03.03"}, {"name": "comment", "value": "This diagnostic statement implements mechanisms and tools to mitigate potential misuse of privileged users and accounts. Continuous monitoring of role and attribute assignments and activity is essential to prevent and detect unauthorized access or misuse."}, {"divider": true}, {"name": "control", "value": "PR.AA-01.02"}, {"name": "comment", "value": "This diagnostic statement describes how the organization ensures users are identified and authenticated before accessing systems, applications, and hardware, with logical access controls permitting access only to authorized individuals with legitimate business needs. 
Logical access controls in relation to systems can refer to the use of MFA, user account management, and other role-based access control mechanisms to enforce policies for authentication and authorization of user accounts."}, {"divider": true}, {"name": "control", "value": "PR.AA-03.01"}, {"name": "comment", "value": "This diagnostic statement describes how the organization implement appropriate authentication requirements, including selecting mechanisms based on risk, utilizing multi-factor authentication where necessary, and safeguarding the storage of authenticators like pins and passwords to protect sensitive access credentials."}, {"divider": true}, {"name": "control", "value": "PR.IR-01.01"}, {"name": "comment", "value": "This diagnostic statement is for the implementation of network segmentation which helps prevent access to critical systems and sensitive information. Employing proper network segmentation limits access to critical systems and domain controllers."}, {"divider": true}, {"name": "control", "value": "PR.IR-01.06"}, {"name": "comment", "value": "This diagnostic statement provides protections for production environments. 
Measures such as network segmentation and access control reduce the attack surface, restrict movement by adversaries, and protect critical assets and data from compromise."}, {"divider": true}, {"name": "control", "value": "PR.AA-01.01"}, {"name": "comment", "value": "This diagnostic statement protects against Account Manipulation through the use of hardened access control policies, secure defaults, password complexity requirements, multifactor authentication requirements, and removal of terminated accounts."}]}, {"techniqueID": "T1078", "score": 13, "comment": " Related to: \n \u2022DE.CM-06.02\n\u2022PR.PS-01.07\n\u2022PR.AA-05.04\n\u2022DE.CM-03.03\n\u2022PR.AA-01.01\n\u2022PR.AA-02.01\n\u2022PR.IR-01.05\n\u2022PR.PS-06.07\n\u2022PR.PS-06.01\n\u2022PR.AA-05.03\n\u2022PR.AA-01.02\n\u2022PR.AA-05.02\n\u2022PR.AA-03.01", "metadata": [{"divider": true}, {"name": "control", "value": "PR.IR-01.05"}, {"name": "comment", "value": "This diagnostic statement implements security controls and restrictions for remote user access to systems. Remote user access control involves managing and securing how users remotely access systems, such as through encrypted connections and account use policies, which help prevent adversary access."}, {"divider": true}, {"name": "control", "value": "DE.CM-03.03"}, {"name": "comment", "value": "This diagnostic statement implements mechanisms and tools to mitigate potential misuse of privileged users and accounts. 
Continuous monitoring of role and attribute assignments and activity is essential to prevent and detect unauthorized access or misuse."}, {"divider": true}, {"name": "control", "value": "PR.PS-06.01"}, {"name": "comment", "value": "This diagnostic statement provides for secure system development, which includes ensuring that applications do not store sensitive data or valid account credentials insecurely (e.g., plaintext credentials in code, published credentials in repositories, or credentials in public cloud storage)."}, {"divider": true}, {"name": "control", "value": "PR.AA-05.02"}, {"name": "comment", "value": "This diagnostic statement protects against Valid Accounts through the use of privileged account management and the use of multi-factor authentication."}, {"divider": true}, {"name": "control", "value": "DE.CM-06.02"}, {"name": "comment", "value": "This diagnostic statement protects against Valid Accounts through the use of privileged account management. Employing auditing, privileged access management, and just-in-time access protects against adversaries trying to obtain illicit access to critical systems."}, {"divider": true}, {"name": "control", "value": "PR.AA-02.01"}, {"name": "comment", "value": "This diagnostic statement provides protection from Valid Accounts through the implementation of privileged account management controls to limit account access. Employing limitations to specific accounts, provisioning accounts, access control mechanisms, and auditing the attribution logs provides protection against adversaries attempting to use existing accounts."}, {"divider": true}, {"name": "control", "value": "PR.PS-01.07"}, {"name": "comment", "value": "This diagnostic statement protects against Valid Accounts through the use of revocation of keys and key management. 
Employing key protection strategies for key material used as part of multi-factor authentication for valid accounts, together with limitations to specific accounts and access control mechanisms, provides protection against adversaries attempting to use valid accounts."}, {"divider": true}, {"name": "control", "value": "PR.AA-05.03"}, {"name": "comment", "value": "This diagnostic statement describes how the organization establishes security standards based on industry guidelines to institute strict controls over service accounts (i.e., accounts used by systems to access other systems). "}, {"divider": true}, {"name": "control", "value": "PR.AA-01.02"}, {"name": "comment", "value": "This diagnostic statement describes how the organization ensures users are identified and authenticated before accessing systems, applications, and hardware, with logical access controls permitting access only to authorized individuals with legitimate business needs. Logical access controls in relation to systems can refer to the use of MFA, user account management, and other role-based access control mechanisms to enforce policies for authentication and authorization of user accounts."}, {"divider": true}, {"name": "control", "value": "PR.AA-03.01"}, {"name": "comment", "value": "This diagnostic statement describes how the organization implements appropriate authentication requirements, including selecting mechanisms based on risk, utilizing multi-factor authentication where necessary, and safeguarding the storage of authenticators like PINs and passwords to protect sensitive access credentials."}, {"divider": true}, {"name": "control", "value": "PR.AA-05.04"}, {"name": "comment", "value": "This diagnostic statement includes implementation of controls for third-party access to an organization\u2019s systems. Conditional access policies can be used to block logins from non-compliant devices or from outside defined IP ranges. 
"}, {"divider": true}, {"name": "control", "value": "PR.AA-01.01"}, {"name": "comment", "value": "This diagnostic statement protects against Valid Accounts through the use of hardened access control policies, secure defaults, password complexity requirements, multifactor authentication requirements, and removal of terminated accounts."}, {"divider": true}, {"name": "control", "value": "PR.PS-06.07"}, {"name": "comment", "value": "This diagnostic statement protects against Valid Accounts through the use of DevSecOps, secure development lifecycle, and application developer guidance. Exploitable weaknesses can be mitigated through secure code, reduced vulnerabilities, and secure design principles."}]}, {"techniqueID": "T1078.004", "score": 10, "comment": " Related to: \n \u2022DE.CM-06.02\n\u2022PR.PS-01.07\n\u2022DE.CM-03.03\n\u2022PR.AA-01.01\n\u2022PR.IR-01.05\n\u2022PR.PS-06.01\n\u2022PR.AA-01.02\n\u2022PR.AA-03.01\n\u2022PR.AA-05.02\n\u2022PR.AA-05.04", "metadata": [{"divider": true}, {"name": "control", "value": "PR.IR-01.05"}, {"name": "comment", "value": "This diagnostic statement implements security controls and restrictions for remote user access to systems. Remote user access control involves managing and securing how users remotely access systems, such as through encrypted connections and account use policies, which help prevent adversary access."}, {"divider": true}, {"name": "control", "value": "PR.AA-05.04"}, {"name": "comment", "value": "This diagnostic statement includes implementation of controls for third-party access to an organization\u2019s systems. Conditional access policies can be used to block logins from non-compliant devices or from outside defined IP ranges. 
"}, {"divider": true}, {"name": "control", "value": "PR.PS-06.01"}, {"name": "comment", "value": "This diagnostic statement provides for secure system development, which includes ensuring that applications do not store sensitive data or valid account credentials insecurely (e.g., plaintext credentials in code, published credentials in repositories, or credentials in public cloud storage)."}, {"divider": true}, {"name": "control", "value": "PR.AA-05.02"}, {"name": "comment", "value": "This diagnostic statement protects against Cloud Accounts through the use of privileged account management and the use of multi-factor authentication."}, {"divider": true}, {"name": "control", "value": "DE.CM-06.02"}, {"name": "comment", "value": "This diagnostic statement protects against Cloud Accounts through the use of privileged account management. Employing auditing, privilege access management, and just in time access protects against adversaries trying to obtain illicit access to critical systems."}, {"divider": true}, {"name": "control", "value": "PR.PS-01.07"}, {"name": "comment", "value": "This diagnostic statement protects against Valid Accounts: Cloud Accounts through the use of revocation of keys and key management. Employing key protection strategies for key material used as part of multi-factor authentication for valid accounts, limitations to specific accounts along with access control mechanisms provides protection against adversaries attempting to use valid accounts."}, {"divider": true}, {"name": "control", "value": "DE.CM-03.03"}, {"name": "comment", "value": "This diagnostic statement implements mechanisms and tools to mitigate potential misuse of privileged users and accounts. 
Continuous monitoring of role and attribute assignments and activity is essential to prevent and detect unauthorized access or misuse."}, {"divider": true}, {"name": "control", "value": "PR.AA-01.02"}, {"name": "comment", "value": "This diagnostic statement describes how the organization ensures users are identified and authenticated before accessing systems, applications, and hardware, with logical access controls permitting access only to authorized individuals with legitimate business needs. Logical access controls in relation to systems can refer to the use of MFA, user account management, and other role-based access control mechanisms to enforce policies for authentication and authorization of user accounts."}, {"divider": true}, {"name": "control", "value": "PR.AA-03.01"}, {"name": "comment", "value": "This diagnostic statement describes how the organization implements appropriate authentication requirements, including selecting mechanisms based on risk, utilizing multi-factor authentication where necessary, and safeguarding the storage of authenticators like PINs and passwords to protect sensitive access credentials."}, {"divider": true}, {"name": "control", "value": "PR.AA-01.01"}, {"name": "comment", "value": "This diagnostic statement protects against Cloud Accounts through the use of hardened access control policies, secure defaults, password complexity requirements, multifactor authentication requirements, and removal of terminated accounts."}]}, {"techniqueID": "T1110.001", "score": 7, "comment": " Related to: \n \u2022PR.PS-01.07\n\u2022PR.AA-01.01\n\u2022PR.AA-02.01\n\u2022PR.IR-01.05\n\u2022PR.AA-03.01\n\u2022PR.AA-05.02\n\u2022PR.AA-05.04", "metadata": [{"divider": true}, {"name": "control", "value": "PR.IR-01.05"}, {"name": "comment", "value": "This diagnostic statement implements security controls and restrictions for remote user access to systems. 
Remote user access control involves managing and securing how users remotely access systems, such as through encrypted connections and account use policies, which help prevent adversary access."}, {"divider": true}, {"name": "control", "value": "PR.AA-05.04"}, {"name": "comment", "value": "This diagnostic statement includes implementation of controls for third-party access to an organization\u2019s systems. Enforcing third-party account use policies to include account lockout policies after a certain number of failed login attempts mitigates the risk of brute-force attacks. "}, {"divider": true}, {"name": "control", "value": "PR.AA-05.02"}, {"name": "comment", "value": "This diagnostic statement protects against Password Guessing through the use of privileged account management and the use of multi-factor authentication."}, {"divider": true}, {"name": "control", "value": "PR.AA-02.01"}, {"name": "comment", "value": "This diagnostic statement provides protection from Brute Force through the implementation of authentication controls and privileged account management controls to limit credential access. Employing limitations to specific accounts, access control mechanisms, and auditing the attribution logs provides protection against adversaries attempting to brute force credentials."}, {"divider": true}, {"name": "control", "value": "PR.PS-01.07"}, {"name": "comment", "value": "This diagnostic statement protects against Brute Force through the use of revocation of keys and key management. 
Employing strong encryption keys and limitations to specific accounts along with access control mechanisms provides protection against adversaries attempting to guess credentials."}, {"divider": true}, {"name": "control", "value": "PR.AA-03.01"}, {"name": "comment", "value": "This diagnostic statement describes how the organization implements appropriate authentication requirements, including selecting mechanisms based on risk, utilizing multi-factor authentication where necessary, and safeguarding the storage of authenticators like PINs and passwords to protect sensitive access credentials."}, {"divider": true}, {"name": "control", "value": "PR.AA-01.01"}, {"name": "comment", "value": "This diagnostic statement protects against Password Guessing through the use of hardened access control policies, secure defaults, password complexity requirements, multifactor authentication requirements, and removal of terminated accounts."}]}, {"techniqueID": "T1110.003", "score": 7, "comment": " Related to: \n \u2022PR.PS-01.07\n\u2022PR.AA-01.01\n\u2022PR.AA-02.01\n\u2022PR.IR-01.05\n\u2022PR.AA-03.01\n\u2022PR.AA-05.02\n\u2022PR.AA-05.04", "metadata": [{"divider": true}, {"name": "control", "value": "PR.IR-01.05"}, {"name": "comment", "value": "This diagnostic statement implements security controls and restrictions for remote user access to systems. Remote user access control involves managing and securing how users remotely access systems, such as through encrypted connections and account use policies, which help prevent adversary access."}, {"divider": true}, {"name": "control", "value": "PR.AA-05.04"}, {"name": "comment", "value": "This diagnostic statement includes implementation of controls for third-party access to an organization\u2019s systems. Enforcing third-party account use policies to include account lockout policies after a certain number of failed login attempts mitigates the risk of brute-force attacks. 
"}, {"divider": true}, {"name": "control", "value": "PR.AA-05.02"}, {"name": "comment", "value": "This diagnostic statement protects against Password Spraying through the use of privileged account management and the use of multi-factor authentication."}, {"divider": true}, {"name": "control", "value": "PR.AA-02.01"}, {"name": "comment", "value": "This diagnostic statement provides protection from Brute Force through the implementation of authentication controls and privileged account management controls to limit credential access. Employing limitations to specific accounts, access control mechanisms, and auditing the attribution logs provides protection against adversaries attempting to brute force credentials."}, {"divider": true}, {"name": "control", "value": "PR.PS-01.07"}, {"name": "comment", "value": "This diagnostic statement protects against Brute Force through the use of revocation of keys and key management. Employing limitations to specific accounts along with access control mechanisms provides protection against adversaries attempting to brute force credentials."}, {"divider": true}, {"name": "control", "value": "PR.AA-03.01"}, {"name": "comment", "value": "This diagnostic statement describes how the organization implement appropriate authentication requirements, including selecting mechanisms based on risk, utilizing multi-factor authentication where necessary, and safeguarding the storage of authenticators like pins and passwords to protect sensitive access credentials."}, {"divider": true}, {"name": "control", "value": "PR.AA-01.01"}, {"name": "comment", "value": "This diagnostic statement protects against Password Spraying through the use of hardened access control policies, secure defaults, password complexity requirements, multifactor authentication requirements, and removal of terminated accounts."}]}, {"techniqueID": "T1110.004", "score": 7, "comment": " Related to: \n 
\u2022PR.PS-01.07\n\u2022PR.AA-01.01\n\u2022PR.AA-02.01\n\u2022PR.IR-01.05\n\u2022PR.AA-03.01\n\u2022PR.AA-05.02\n\u2022PR.AA-05.04", "metadata": [{"divider": true}, {"name": "control", "value": "PR.IR-01.05"}, {"name": "comment", "value": "This diagnostic statement implements security controls and restrictions for remote user access to systems. Remote user access control involves managing and securing how users remotely access systems, such as through encrypted connections and account use policies, which help prevent adversary access."}, {"divider": true}, {"name": "control", "value": "PR.AA-05.04"}, {"name": "comment", "value": "This diagnostic statement includes implementation of controls for third-party access to an organization\u2019s systems. Enforcing third-party account use policies to include account lockout policies after a certain number of failed login attempts mitigates the risk of brute-force attacks. "}, {"divider": true}, {"name": "control", "value": "PR.AA-05.02"}, {"name": "comment", "value": "This diagnostic statement protects against Credential Stuffing through the use of privileged account management and the use of multi-factor authentication."}, {"divider": true}, {"name": "control", "value": "PR.AA-02.01"}, {"name": "comment", "value": "This diagnostic statement provides protection from Brute Force through the implementation of authentication controls and privileged account management controls to limit credential access. Employing limitations to specific accounts, access control mechanisms, and auditing the attribution logs provides protection against adversaries attempting to brute force credentials."}, {"divider": true}, {"name": "control", "value": "PR.PS-01.07"}, {"name": "comment", "value": "This diagnostic statement protects against Brute Force through the use of revocation of keys and key management. 
Employing limitations to specific accounts along with access control mechanisms provides protection against adversaries attempting to brute force credentials."}, {"divider": true}, {"name": "control", "value": "PR.AA-03.01"}, {"name": "comment", "value": "This diagnostic statement describes how the organization implements appropriate authentication requirements, including selecting mechanisms based on risk, utilizing multi-factor authentication where necessary, and safeguarding the storage of authenticators like PINs and passwords to protect sensitive access credentials."}, {"divider": true}, {"name": "control", "value": "PR.AA-01.01"}, {"name": "comment", "value": "This diagnostic statement protects against Credential Stuffing through the use of hardened access control policies, secure defaults, password complexity requirements, multifactor authentication requirements, and removal of terminated accounts."}]}, {"techniqueID": "T1651", "score": 6, "comment": " Related to: \n \u2022DE.CM-06.02\n\u2022PR.PS-01.09\n\u2022DE.CM-03.03\n\u2022PR.IR-01.05\n\u2022PR.AA-05.02\n\u2022PR.AA-03.01", "metadata": [{"divider": true}, {"name": "control", "value": "PR.IR-01.05"}, {"name": "comment", "value": "This diagnostic statement implements security controls and restrictions for remote user access to systems. Remote user access control involves managing and securing how users remotely access systems, such as through encrypted connections and account use policies, which help prevent adversary access."}, {"divider": true}, {"name": "control", "value": "PR.AA-05.02"}, {"name": "comment", "value": "This diagnostic statement protects against Cloud Administration Command through the use of privileged account management and the use of multi-factor authentication."}, {"divider": true}, {"name": "control", "value": "DE.CM-06.02"}, {"name": "comment", "value": "This diagnostic statement protects against Cloud Administration Command through the use of privileged account management. 
Employing auditing, privileged access management, and just-in-time access protects against adversaries trying to obtain illicit access to critical systems."}, {"divider": true}, {"name": "control", "value": "DE.CM-03.03"}, {"name": "comment", "value": "This diagnostic statement implements mechanisms and tools to mitigate potential misuse of privileged users and accounts. Continuous monitoring of role and attribute assignments and activity is essential to prevent and detect unauthorized access or misuse."}, {"divider": true}, {"name": "control", "value": "PR.AA-03.01"}, {"name": "comment", "value": "This diagnostic statement describes how the organization implements appropriate authentication requirements, including selecting mechanisms based on risk, utilizing multi-factor authentication where necessary, and safeguarding the storage of authenticators like PINs and passwords to protect sensitive access credentials."}, {"divider": true}, {"name": "control", "value": "PR.PS-01.09"}, {"name": "comment", "value": "The diagnostic statement highlights several mitigating controls that organizations can implement to protect endpoint systems using virtualization technologies. Adversaries may abuse cloud management services to execute commands within virtual machines. Resources such as AWS Systems Manager, Azure RunCommand, and Runbooks allow users to remotely run scripts in virtual machines by leveraging installed virtual machine agents. To help with mitigating this technique, consider limiting the number of cloud accounts with permissions to remotely execute commands on virtual machines, and ensure that these are not used for day-to-day operations."}]}, {"techniqueID": "T1648", "score": 2, "comment": " Related to: \n \u2022PR.IR-01.05\n\u2022PR.AA-01.01", "metadata": [{"divider": true}, {"name": "control", "value": "PR.IR-01.05"}, {"name": "comment", "value": "This diagnostic statement implements security controls and restrictions for remote user access to systems. 
Remote user access control involves managing and securing how users remotely access systems, such as through encrypted connections and account use policies, which help prevent adversary access."}, {"divider": true}, {"name": "control", "value": "PR.AA-01.01"}, {"name": "comment", "value": "This diagnostic statement protects against Serverless Execution through the use of hardened access control policies, secure defaults, password complexity requirements, multifactor authentication requirements, and removal of terminated accounts."}]}, {"techniqueID": "T1110", "score": 8, "comment": " Related to: \n \u2022PR.PS-01.07\n\u2022PR.AA-05.04\n\u2022PR.AA-01.01\n\u2022PR.AA-02.01\n\u2022PR.IR-01.05\n\u2022PR.AA-01.02\n\u2022PR.AA-05.02\n\u2022PR.AA-03.01", "metadata": [{"divider": true}, {"name": "control", "value": "PR.IR-01.05"}, {"name": "comment", "value": "This diagnostic statement implements security controls and restrictions for remote user access to systems. Remote user access control involves managing and securing how users remotely access systems, such as through encrypted connections and account use policies, which help prevent adversary access."}, {"divider": true}, {"name": "control", "value": "PR.AA-05.02"}, {"name": "comment", "value": "This diagnostic statement protects against Brute Force through the use of privileged account management and the use of multi-factor authentication."}, {"divider": true}, {"name": "control", "value": "PR.AA-02.01"}, {"name": "comment", "value": "This diagnostic statement provides protection from Brute Force through the implementation of authentication controls and privileged account management controls to limit credential access. 
Employing limitations to specific accounts, access control mechanisms, and auditing the attribution logs provides protection against adversaries attempting to brute force credentials."}, {"divider": true}, {"name": "control", "value": "PR.PS-01.07"}, {"name": "comment", "value": "This diagnostic statement protects against Brute Force through the use of revocation of keys and key management. Employing limitations to specific accounts along with access control mechanisms provides protection against adversaries attempting to brute force credentials."}, {"divider": true}, {"name": "control", "value": "PR.AA-01.02"}, {"name": "comment", "value": "This diagnostic statement describes how the organization ensures users are identified and authenticated before accessing systems, applications, and hardware, with logical access controls permitting access only to authorized individuals with legitimate business needs. Logical access controls in relation to systems can refer to the use of MFA, user account management, and other role-based access control mechanisms to enforce policies for authentication and authorization of user accounts."}, {"divider": true}, {"name": "control", "value": "PR.AA-03.01"}, {"name": "comment", "value": "This diagnostic statement describes how the organization implements appropriate authentication requirements, including selecting mechanisms based on risk, utilizing multi-factor authentication where necessary, and safeguarding the storage of authenticators like PINs and passwords to protect sensitive access credentials."}, {"divider": true}, {"name": "control", "value": "PR.AA-05.04"}, {"name": "comment", "value": "This diagnostic statement includes implementation of controls for third-party access to an organization\u2019s systems. Enforcing third-party account use policies to include account lockout policies after a certain number of failed login attempts mitigates the risk of brute-force attacks. 
"}, {"divider": true}, {"name": "control", "value": "PR.AA-01.01"}, {"name": "comment", "value": "This diagnostic statement protects against Brute Force through the use of hardened access control policies, secure defaults, password complexity requirements, multifactor authentication requirements, and removal of terminated accounts."}]}, {"techniqueID": "T1606.002", "score": 6, "comment": " Related to: \n \u2022DE.CM-06.02\n\u2022PR.IR-01.06\n\u2022DE.CM-03.03\n\u2022PR.AA-01.01\n\u2022PR.IR-01.05\n\u2022PR.AA-05.02", "metadata": [{"divider": true}, {"name": "control", "value": "PR.IR-01.05"}, {"name": "comment", "value": "This diagnostic statement implements security controls and restrictions for remote user access to systems. Remote user access control involves managing and securing how users remotely access systems, such as through encrypted connections and account use policies, which help prevent adversary access."}, {"divider": true}, {"name": "control", "value": "PR.AA-05.02"}, {"name": "comment", "value": "This diagnostic statement protects against SAML Tokens through the use of privileged account management and the use of multi-factor authentication."}, {"divider": true}, {"name": "control", "value": "DE.CM-06.02"}, {"name": "comment", "value": "This diagnostic statement protects against SAML Tokens through the use of privileged account management. Employing auditing, privilege access management, and just in time access protects against adversaries trying to obtain illicit access to critical systems."}, {"divider": true}, {"name": "control", "value": "DE.CM-03.03"}, {"name": "comment", "value": "This diagnostic statement implements mechanisms and tools to mitigate potential misuse of privileged users and accounts. 
Continuous monitoring of role and attribute assignments and activity is essential to prevent and detect unauthorized access or misuse."}, {"divider": true}, {"name": "control", "value": "PR.IR-01.06"}, {"name": "comment", "value": "This diagnostic statement provides protections for production environments. Measures such as network segmentation and access control reduce the attack surface, restrict movement by adversaries, and protect critical assets and data from compromise."}, {"divider": true}, {"name": "control", "value": "PR.AA-01.01"}, {"name": "comment", "value": "This diagnostic statement protects against SAML Tokens through the use of hardened access control policies, secure defaults, password complexity requirements, multifactor authentication requirements, and removal of terminated accounts."}]}, {"techniqueID": "T1606", "score": 9, "comment": " Related to: \n \u2022DE.CM-06.02\n\u2022PR.PS-01.01\n\u2022DE.CM-03.03\n\u2022PR.IR-01.06\n\u2022PR.AA-01.01\n\u2022PR.IR-01.05\n\u2022PR.PS-01.02\n\u2022PR.AA-05.02\n\u2022PR.PS-01.03", "metadata": [{"divider": true}, {"name": "control", "value": "PR.IR-01.05"}, {"name": "comment", "value": "This diagnostic statement implements security controls and restrictions for remote user access to systems. Remote user access control involves managing and securing how users remotely access systems, such as through encrypted connections and account use policies, which help prevent adversary access."}, {"divider": true}, {"name": "control", "value": "PR.PS-01.01"}, {"name": "comment", "value": "This diagnostic statement provides for securely configuring production systems. 
This includes hardening default configurations and making security-focused setting adjustments to reduce the attack surface, enforce best practices, and protect sensitive data, thereby mitigating adversary exploitation."}, {"divider": true}, {"name": "control", "value": "PR.PS-01.02"}, {"name": "comment", "value": "This diagnostic statement provides for limiting unnecessary software, services, ports, protocols, etc. Ensuring systems only have installed and enabled what is essential for their operation reduces the attack surface and minimizes vulnerabilities, which mitigates a wide range of techniques."}, {"divider": true}, {"name": "control", "value": "PR.AA-05.02"}, {"name": "comment", "value": "This diagnostic statement protects against Forge Web Credentials through the use of privileged account management and the use of multi-factor authentication."}, {"divider": true}, {"name": "control", "value": "DE.CM-06.02"}, {"name": "comment", "value": "This diagnostic statement protects against Forge Web Credentials through the use of privileged account management. Employing auditing, privileged access management, and just-in-time access protects against adversaries trying to obtain illicit access to critical systems."}, {"divider": true}, {"name": "control", "value": "PR.PS-01.03"}, {"name": "comment", "value": "This diagnostic statement provides protection from Forge Web Credentials through the implementation of security configuration baselines for OS, software, file integrity monitoring and imaging. Security baselining and integrity checking can help protect against adversaries attempting to compromise and modify software and its configurations."}, {"divider": true}, {"name": "control", "value": "DE.CM-03.03"}, {"name": "comment", "value": "This diagnostic statement implements mechanisms and tools to mitigate potential misuse of privileged users and accounts. 
Continuous monitoring of role and attribute assignments and activity is essential to prevent and detect unauthorized access or misuse."}, {"divider": true}, {"name": "control", "value": "PR.IR-01.06"}, {"name": "comment", "value": "This diagnostic statement provides protections for production environments. Measures such as network segmentation and access control reduce the attack surface, restrict movement by adversaries, and protect critical assets and data from compromise."}, {"divider": true}, {"name": "control", "value": "PR.AA-01.01"}, {"name": "comment", "value": "This diagnostic statement protects against Forge Web Credentials through the use of hardened access control policies, secure defaults, password complexity requirements, multifactor authentication requirements, and removal of terminated accounts."}]}, {"techniqueID": "T1601.002", "score": 8, "comment": " Related to: \n \u2022PR.PS-01.07\n\u2022DE.CM-09.01\n\u2022PR.AA-01.01\n\u2022PR.IR-01.05\n\u2022PR.AA-03.01\n\u2022EX.MM-01.01\n\u2022PR.AA-05.02\n\u2022PR.PS-01.03", "metadata": [{"divider": true}, {"name": "control", "value": "PR.IR-01.05"}, {"name": "comment", "value": "This diagnostic statement implements security controls and restrictions for remote user access to systems. 
Remote user access control involves managing and securing how users remotely access systems, such as through encrypted connections and account use policies, which help prevent adversary access."}, {"divider": true}, {"name": "control", "value": "PR.AA-05.02"}, {"name": "comment", "value": "This diagnostic statement protects against Downgrade System Image through the use of privileged account management and the use of multi-factor authentication."}, {"divider": true}, {"name": "control", "value": "DE.CM-09.01"}, {"name": "comment", "value": "This diagnostic statement protects against Downgrade System Image through the use of verifying integrity of software/firmware, loading software that is trusted, ensuring privileged process integrity and checking software signatures."}, {"divider": true}, {"name": "control", "value": "PR.PS-01.03"}, {"name": "comment", "value": "This diagnostic statement provides protection from Downgrade System Image through the implementation of security configuration baselines for OS, software, file integrity monitoring and imaging. Security baselining and integrity checking can help protect against adversaries attempting to compromise and modify the system image."}, {"divider": true}, {"name": "control", "value": "PR.PS-01.07"}, {"name": "comment", "value": "This diagnostic statement protects against Downgrade System Image through the use of revocation of keys and key management. 
Employing key protection strategies and key management for key material used in managing and signing images, together with limitations to specific accounts and access control mechanisms, provides protection against adversaries attempting to modify or patch system images."}, {"divider": true}, {"name": "control", "value": "PR.AA-03.01"}, {"name": "comment", "value": "This diagnostic statement describes how the organization implements appropriate authentication requirements, including selecting mechanisms based on risk, utilizing multi-factor authentication where necessary, and safeguarding the storage of authenticators like PINs and passwords to protect sensitive access credentials."}, {"divider": true}, {"name": "control", "value": "EX.MM-01.01"}, {"name": "comment", "value": "This diagnostic statement provides for the implementation of procedures for management of third-party products, such as vendor-provided digitally signed operating system images, to validate the integrity of the software used on their platform."}, {"divider": true}, {"name": "control", "value": "PR.AA-01.01"}, {"name": "comment", "value": "This diagnostic statement protects against Downgrade System Image through the use of hardened access control policies, secure defaults, password complexity requirements, multifactor authentication requirements, and removal of terminated accounts."}]}, {"techniqueID": "T1601.001", "score": 8, "comment": " Related to: \n \u2022PR.PS-01.07\n\u2022DE.CM-09.01\n\u2022PR.AA-01.01\n\u2022PR.IR-01.05\n\u2022PR.AA-03.01\n\u2022EX.MM-01.01\n\u2022PR.AA-05.02\n\u2022PR.PS-01.03", "metadata": [{"divider": true}, {"name": "control", "value": "PR.IR-01.05"}, {"name": "comment", "value": "This diagnostic statement implements security controls and restrictions for remote user access to systems. 
Remote user access control involves managing and securing how users remotely access systems, such as through encrypted connections and account use policies, which help prevent adversary access."}, {"divider": true}, {"name": "control", "value": "PR.AA-05.02"}, {"name": "comment", "value": "This diagnostic statement protects against Patch System Image through the use of privileged account management and the use of multi-factor authentication."}, {"divider": true}, {"name": "control", "value": "DE.CM-09.01"}, {"name": "comment", "value": "This diagnostic statement protects against Patch System Image through the use of verifying integrity of software/firmware, loading software that is trusted, ensuring privileged process integrity and checking software signatures."}, {"divider": true}, {"name": "control", "value": "PR.PS-01.03"}, {"name": "comment", "value": "This diagnostic statement provides protection from Patch System Image through the implementation of security configuration baselines for OS, software, file integrity monitoring and imaging. Security baselining and integrity checking can help protect against adversaries attempting to compromise and modify the system image."}, {"divider": true}, {"name": "control", "value": "PR.PS-01.07"}, {"name": "comment", "value": "This diagnostic statement protects against Patch System Image through the use of revocation of keys and key management. 
Employing key protection strategies and key management for key material used in managing and signing images, limitations to specific accounts along with access control mechanisms provides protection against adversaries attempting to modify or patch system images."}, {"divider": true}, {"name": "control", "value": "PR.AA-03.01"}, {"name": "comment", "value": "This diagnostic statement describes how the organization implements appropriate authentication requirements, including selecting mechanisms based on risk, utilizing multi-factor authentication where necessary, and safeguarding the storage of authenticators like PINs and passwords to protect sensitive access credentials."}, {"divider": true}, {"name": "control", "value": "EX.MM-01.01"}, {"name": "comment", "value": "This diagnostic statement provides for the implementation of procedures for management of third party products such as vendor provided digitally signed operating system images to validate the integrity of the software used on their platform."}, {"divider": true}, {"name": "control", "value": "PR.AA-01.01"}, {"name": "comment", "value": "This diagnostic statement protects against Patch System Image through the use of hardened access control policies, secure defaults, password complexity requirements, multifactor authentication requirements, and removal of terminated accounts."}]}, {"techniqueID": "T1601", "score": 10, "comment": " Related to: \n \u2022DE.CM-09.03\n\u2022PR.PS-01.07\n\u2022DE.CM-09.01\n\u2022PR.AA-01.01\n\u2022PR.IR-01.05\n\u2022PR.AA-05.01\n\u2022PR.AA-03.01\n\u2022EX.MM-01.01\n\u2022PR.AA-05.02\n\u2022PR.PS-01.03", "metadata": [{"divider": true}, {"name": "control", "value": "PR.IR-01.05"}, {"name": "comment", "value": "This diagnostic statement implements security controls and restrictions for remote user access to systems. 
Remote user access control involves managing and securing how users remotely access systems, such as through encrypted connections and account use policies, which help prevent adversary access."}, {"divider": true}, {"name": "control", "value": "PR.AA-05.02"}, {"name": "comment", "value": "This diagnostic statement protects against Modify System Image through the use of privileged account management and the use of multi-factor authentication."}, {"divider": true}, {"name": "control", "value": "DE.CM-09.01"}, {"name": "comment", "value": "This diagnostic statement protects against Modify System Image through the use of verifying integrity of software/firmware, loading software that is trusted, ensuring privileged process integrity and checking software signatures."}, {"divider": true}, {"name": "control", "value": "DE.CM-09.03"}, {"name": "comment", "value": "This diagnostic statement addresses measures for managing configuration integrity and unauthorized changes that can mitigate risks associated with adversary techniques attempting to make changes to how the hardware, software, and firmware operates."}, {"divider": true}, {"name": "control", "value": "PR.AA-05.01"}, {"name": "comment", "value": "This diagnostic statement describes the implementation of the least privilege principle, which can be applied to limiting permissions through role-based access controls, file and directory permissions, and the execution of systems and services. Limit permissions associated with creating and modifying platform images or containers based on the principle of least privilege."}, {"divider": true}, {"name": "control", "value": "PR.PS-01.03"}, {"name": "comment", "value": "This diagnostic statement provides protection from Modify System Image through the implementation of security configuration baselines for OS, software, file integrity monitoring and imaging. 
Security baselining and integrity checking can help protect against adversaries attempting to compromise and modify the system image."}, {"divider": true}, {"name": "control", "value": "PR.PS-01.07"}, {"name": "comment", "value": "This diagnostic statement protects against Modify System Image through the use of revocation of keys and key management. Employing key protection strategies and key management for key material used in managing and signing images, limitations to specific accounts along with access control mechanisms provides protection against adversaries attempting to modify or patch system images."}, {"divider": true}, {"name": "control", "value": "PR.AA-03.01"}, {"name": "comment", "value": "This diagnostic statement describes how the organization implements appropriate authentication requirements, including selecting mechanisms based on risk, utilizing multi-factor authentication where necessary, and safeguarding the storage of authenticators like PINs and passwords to protect sensitive access credentials."}, {"divider": true}, {"name": "control", "value": "EX.MM-01.01"}, {"name": "comment", "value": "This diagnostic statement provides for the implementation of procedures for management of third party products such as vendor provided digitally signed operating system images to validate the integrity of the software used on their platform."}, {"divider": true}, {"name": "control", "value": "PR.AA-01.01"}, {"name": "comment", "value": "This diagnostic statement protects against Modify System Image through the use of hardened access control policies, secure defaults, password complexity requirements, multifactor authentication requirements, and removal of terminated accounts."}]}, {"techniqueID": "T1569.002", "score": 2, "comment": " Related to: \n \u2022PR.IR-01.05\n\u2022PR.AA-05.02", "metadata": [{"divider": true}, {"name": "control", "value": "PR.IR-01.05"}, {"name": "comment", "value": "This diagnostic statement implements security controls and 
restrictions for remote user access to systems. Remote user access control involves managing and securing how users remotely access systems, such as through encrypted connections and account use policies, which help prevent adversary access."}, {"divider": true}, {"name": "control", "value": "PR.AA-05.02"}, {"name": "comment", "value": "This diagnostic statement protects against Service Execution through the use of privileged account management and the use of multi-factor authentication."}]}, {"techniqueID": "T1569", "score": 4, "comment": " Related to: \n \u2022PR.IR-01.05\n\u2022DE.CM-06.02\n\u2022PR.AA-01.01\n\u2022PR.AA-05.02", "metadata": [{"divider": true}, {"name": "control", "value": "PR.IR-01.05"}, {"name": "comment", "value": "This diagnostic statement implements security controls and restrictions for remote user access to systems. Remote user access control involves managing and securing how users remotely access systems, such as through encrypted connections and account use policies, which help prevent adversary access."}, {"divider": true}, {"name": "control", "value": "PR.AA-05.02"}, {"name": "comment", "value": "This diagnostic statement protects against System Services through the use of privileged account management and the use of multi-factor authentication."}, {"divider": true}, {"name": "control", "value": "DE.CM-06.02"}, {"name": "comment", "value": "This diagnostic statement protects against System Services through the use of privileged account management. 
Employing auditing, privilege access management, and just in time access protects against adversaries trying to obtain illicit access to critical systems."}, {"divider": true}, {"name": "control", "value": "PR.AA-01.01"}, {"name": "comment", "value": "This diagnostic statement protects against System Services through the use of hardened access control policies, secure defaults, password complexity requirements, multifactor authentication requirements, and removal of terminated accounts."}]}, {"techniqueID": "T1563.001", "score": 7, "comment": " Related to: \n \u2022DE.CM-06.02\n\u2022PR.PS-01.05\n\u2022PR.AA-01.01\n\u2022PR.IR-01.05\n\u2022PR.PS-01.06\n\u2022PR.AA-05.03\n\u2022PR.AA-05.02", "metadata": [{"divider": true}, {"name": "control", "value": "PR.IR-01.05"}, {"name": "comment", "value": "This diagnostic statement implements security controls and restrictions for remote user access to systems. Remote user access control involves managing and securing how users remotely access systems, such as through encrypted connections and account use policies, which help prevent adversary access."}, {"divider": true}, {"name": "control", "value": "PR.AA-05.02"}, {"name": "comment", "value": "This diagnostic statement protects against SSH Hijacking through the use of privileged account management and the use of multi-factor authentication."}, {"divider": true}, {"name": "control", "value": "DE.CM-06.02"}, {"name": "comment", "value": "This diagnostic statement protects against SSH Hijacking through the use of privileged account management. 
Employing auditing, privilege access management, and just in time access protects against adversaries trying to obtain illicit access to critical systems."}, {"divider": true}, {"name": "control", "value": "PR.PS-01.06"}, {"name": "comment", "value": "This diagnostic statement is associated with employing encryption methods to mitigate unauthorized access or theft of data that protect the confidentiality and integrity of data-at-rest, data-in-use, and data-in-transit. When it comes to cryptography and key management standards, for the SSH Hijacking technique, consider that SSH key pairs possess strong passwords and refrain from using key-store technologies such as ssh-agent unless they are properly protected."}, {"divider": true}, {"name": "control", "value": "PR.AA-05.03"}, {"name": "comment", "value": "This diagnostic statement is for the implementation of security controls for service accounts (i.e., accounts used by systems to access other systems), such as granting service accounts only the minimum necessary permissions."}, {"divider": true}, {"name": "control", "value": "PR.AA-01.01"}, {"name": "comment", "value": "This diagnostic statement protects against SSH Hijacking through the use of hardened access control policies, secure defaults, password complexity requirements, multifactor authentication requirements, and removal of terminated accounts."}, {"divider": true}, {"name": "control", "value": "PR.PS-01.05"}, {"name": "comment", "value": "This diagnostic statement is associated with employing strong encryption methods to mitigate unauthorized access or theft of data that protect the confidentiality and integrity of data-at-rest, data-in-use, and data-in-transit. When it comes to cryptography and key management standards, for the SSH Hijacking technique, consider that SSH key pairs possess strong passwords and refrain from using key-store technologies such as ssh-agent unless they are properly protected. 
"}]}, {"techniqueID": "T1558.003", "score": 8, "comment": " Related to: \n \u2022DE.CM-06.02\n\u2022PR.PS-01.07\n\u2022PR.PS-01.05\n\u2022PR.AA-01.01\n\u2022PR.IR-01.05\n\u2022PR.PS-01.06\n\u2022PR.AA-05.03\n\u2022PR.AA-05.02", "metadata": [{"divider": true}, {"name": "control", "value": "PR.IR-01.05"}, {"name": "comment", "value": "This diagnostic statement implements security controls and restrictions for remote user access to systems. Remote user access control involves managing and securing how users remotely access systems, such as through encrypted connections and account use policies, which help prevent adversary access."}, {"divider": true}, {"name": "control", "value": "PR.AA-05.02"}, {"name": "comment", "value": "This diagnostic statement protects against Kerberoasting through the use of privileged account management and the use of multi-factor authentication."}, {"divider": true}, {"name": "control", "value": "DE.CM-06.02"}, {"name": "comment", "value": "This diagnostic statement protects against Kerberoasting through the use of privileged account management. Employing auditing, privilege access management, and just in time access protects against adversaries trying to obtain illicit access to critical systems."}, {"divider": true}, {"name": "control", "value": "PR.PS-01.06"}, {"name": "comment", "value": "This diagnostic statement is associated with employing encryption methods to mitigate unauthorized access or theft of data that protect the confidentiality and integrity of data-at-rest, data-in-use, and data-in-transit. To address threats to the theft or forgery of kerberos tickets with kerberoasting, enable AES Kerberos encryption (or another stronger encryption algorithm), rather than RC4, where possible."}, {"divider": true}, {"name": "control", "value": "PR.PS-01.07"}, {"name": "comment", "value": "This diagnostic statement protects against Steal or Forge Kerberos Tickets: Kerberoasting through the use of revocation of keys and key management. 
Employing key protection strategies for key material used in identity management and authentication processes, limitations to specific accounts along with access control mechanisms provides protection against adversaries trying to perform Kerberoasting."}, {"divider": true}, {"name": "control", "value": "PR.AA-05.03"}, {"name": "comment", "value": "This diagnostic statement describes security controls implemented for service accounts (i.e., accounts used by systems to access other systems). Limit service accounts to minimal required privileges to mitigate attempts to steal or forge Kerberos tickets."}, {"divider": true}, {"name": "control", "value": "PR.AA-01.01"}, {"name": "comment", "value": "This diagnostic statement protects against Kerberoasting through the use of hardened access control policies, secure defaults, password complexity requirements, multifactor authentication requirements, and removal of terminated accounts."}, {"divider": true}, {"name": "control", "value": "PR.PS-01.05"}, {"name": "comment", "value": "This diagnostic statement is associated with employing strong encryption methods to mitigate unauthorized access or theft of data that protect the confidentiality and integrity of data-at-rest, data-in-use, and data-in-transit. To address threats to the theft or forgery of Kerberos tickets with Kerberoasting, enable AES Kerberos encryption (or another stronger encryption algorithm), rather than RC4, where possible."}]}, {"techniqueID": "T1558.002", "score": 8, "comment": " Related to: \n \u2022DE.CM-06.02\n\u2022PR.PS-01.07\n\u2022PR.PS-01.05\n\u2022PR.AA-01.01\n\u2022PR.IR-01.05\n\u2022PR.PS-01.06\n\u2022PR.AA-05.03\n\u2022PR.AA-05.02", "metadata": [{"divider": true}, {"name": "control", "value": "PR.IR-01.05"}, {"name": "comment", "value": "This diagnostic statement implements security controls and restrictions for remote user access to systems. 
Remote user access control involves managing and securing how users remotely access systems, such as through encrypted connections and account use policies, which help prevent adversary access."}, {"divider": true}, {"name": "control", "value": "PR.AA-05.02"}, {"name": "comment", "value": "This diagnostic statement protects against Silver Ticket through the use of privileged account management and the use of multi-factor authentication."}, {"divider": true}, {"name": "control", "value": "DE.CM-06.02"}, {"name": "comment", "value": "This diagnostic statement protects against Silver Ticket through the use of privileged account management. Employing auditing, privilege access management, and just in time access protects against adversaries trying to obtain illicit access to critical systems."}, {"divider": true}, {"name": "control", "value": "PR.PS-01.06"}, {"name": "comment", "value": "This diagnostic statement is associated with employing encryption methods to mitigate unauthorized access or theft of data that protect the confidentiality and integrity of data-at-rest, data-in-use, and data-in-transit. To address threats to the theft or forgery of kerberos tickets with silver tickets, enable AES Kerberos encryption (or another stronger encryption algorithm), rather than RC4, where possible."}, {"divider": true}, {"name": "control", "value": "PR.PS-01.07"}, {"name": "comment", "value": "This diagnostic statement protects against Steal or Forge Kerberos Tickets: Silver Ticket through the use of revocation of keys and key management. 
Employing key protection strategies for key material used in identity management and authentication processes, especially for known services such as MSSQL etc., limitations to specific accounts along with access control mechanisms provides protection against adversaries trying to steal or forge kerberos tickets."}, {"divider": true}, {"name": "control", "value": "PR.AA-05.03"}, {"name": "comment", "value": "This diagnostic statement describes security controls implemented for service accounts (i.e., accounts used by systems to access other systems). Limit service accounts to minimal required privileges to mitigate attempts to steal or forge Kerberos tickets."}, {"divider": true}, {"name": "control", "value": "PR.AA-01.01"}, {"name": "comment", "value": "This diagnostic statement protects against Silver Ticket through the use of hardened access control policies, secure defaults, password complexity requirements, multifactor authentication requirements, and removal of terminated accounts."}, {"divider": true}, {"name": "control", "value": "PR.PS-01.05"}, {"name": "comment", "value": "This diagnostic statement is associated with employing strong encryption methods to mitigate unauthorized access or theft of data that protect the confidentiality and integrity of data-at-rest, data-in-use, and data-in-transit. To address threats to the theft or forgery of kerberos tickets with silver tickets, enable AES Kerberos encryption (or another stronger encryption algorithm), rather than RC4, where possible."}]}, {"techniqueID": "T1558.001", "score": 5, "comment": " Related to: \n \u2022DE.CM-06.02\n\u2022PR.AA-01.01\n\u2022PR.IR-01.05\n\u2022PR.AA-05.03\n\u2022PR.AA-05.02", "metadata": [{"divider": true}, {"name": "control", "value": "PR.IR-01.05"}, {"name": "comment", "value": "This diagnostic statement implements security controls and restrictions for remote user access to systems. 
Remote user access control involves managing and securing how users remotely access systems, such as through encrypted connections and account use policies, which help prevent adversary access."}, {"divider": true}, {"name": "control", "value": "PR.AA-05.03"}, {"name": "comment", "value": "This diagnostic statement describes security controls implemented for service accounts (i.e., accounts used by systems to access other systems). Limit service accounts to minimal required privileges to mitigate attempts to steal or forge Kerberos tickets."}, {"divider": true}, {"name": "control", "value": "PR.AA-05.02"}, {"name": "comment", "value": "This diagnostic statement protects against Golden Ticket through the use of privileged account management and the use of multi-factor authentication."}, {"divider": true}, {"name": "control", "value": "DE.CM-06.02"}, {"name": "comment", "value": "This diagnostic statement protects against Golden Ticket through the use of privileged account management. Employing auditing, privilege access management, and just in time access protects against adversaries trying to obtain illicit access to critical systems."}, {"divider": true}, {"name": "control", "value": "PR.AA-01.01"}, {"name": "comment", "value": "This diagnostic statement protects against Golden Ticket through the use of hardened access control policies, secure defaults, password complexity requirements, multifactor authentication requirements, and removal of terminated accounts."}]}, {"techniqueID": "T1558", "score": 12, "comment": " Related to: \n \u2022ID.AM-08.05\n\u2022DE.CM-06.02\n\u2022PR.PS-01.07\n\u2022ID.AM-08.03\n\u2022PR.PS-01.05\n\u2022PR.AA-01.01\n\u2022PR.IR-01.05\n\u2022PR.PS-01.06\n\u2022PR.AA-05.03\n\u2022PR.AA-01.02\n\u2022PR.AA-05.02\n\u2022PR.AA-03.01", "metadata": [{"divider": true}, {"name": "control", "value": "PR.IR-01.05"}, {"name": "comment", "value": "This diagnostic statement implements security controls and restrictions for remote user access to 
systems. Remote user access control involves managing and securing how users remotely access systems, such as through encrypted connections and account use policies, which help prevent adversary access."}, {"divider": true}, {"name": "control", "value": "PR.AA-05.02"}, {"name": "comment", "value": "This diagnostic statement protects against Steal or Forge Kerberos Tickets through the use of privileged account management and the use of multi-factor authentication."}, {"divider": true}, {"name": "control", "value": "DE.CM-06.02"}, {"name": "comment", "value": "This diagnostic statement protects against Steal or Forge Kerberos Tickets through the use of privileged account management. Employing auditing, privilege access management, and just in time access protects against adversaries trying to obtain illicit access to critical systems."}, {"divider": true}, {"name": "control", "value": "PR.PS-01.06"}, {"name": "comment", "value": "This diagnostic statement is associated with employing encryption methods to mitigate unauthorized access or theft of data that protect the confidentiality and integrity of data-at-rest, data-in-use, and data-in-transit. To address threats to the theft or forgery of kerberos tickets, enable AES Kerberos encryption (or another stronger encryption algorithm), rather than RC4, where possible."}, {"divider": true}, {"name": "control", "value": "PR.PS-01.07"}, {"name": "comment", "value": "This diagnostic statement protects against Steal or Forge Kerberos Tickets through the use of revocation of keys and key management. 
Employing key protection strategies for key material used in identity management and authentication processes, especially for Kerberos authentication process, limitations to specific accounts along with access control mechanisms provides protection against adversaries trying to steal or forge kerberos tickets."}, {"divider": true}, {"name": "control", "value": "PR.AA-05.03"}, {"name": "comment", "value": "This diagnostic statement describes security controls implemented for service accounts (i.e., accounts used by systems to access other systems). Limit service accounts to minimal required privileges to mitigate attempts to steal or forge Kerberos tickets."}, {"divider": true}, {"name": "control", "value": "ID.AM-08.03"}, {"name": "comment", "value": "This diagnostic statement prevents adversaries from being able to steal data in transit between networks by accessing Wi-Fi access points and abusing Kerberos by stealing tickets to enforce unauthorized access. There may be some similarities to NIST 800-53 SI-12 Information Management and Retention. This may provide mitigation of data access/exfiltration techniques."}, {"divider": true}, {"name": "control", "value": "PR.AA-01.02"}, {"name": "comment", "value": "This diagnostic statement describes how the organization ensures users are identified and authenticated before accessing systems, applications, and hardware, with logical access controls permitting access only to authorized individuals with legitimate business needs. 
Logical access controls in relation to systems can refer to the use of MFA, user account management, and other role-based access control mechanisms to enforce policies for authentication and authorization of user accounts."}, {"divider": true}, {"name": "control", "value": "PR.AA-03.01"}, {"name": "comment", "value": "This diagnostic statement describes how the organization implements appropriate authentication requirements, including selecting mechanisms based on risk, utilizing multi-factor authentication where necessary, and safeguarding the storage of authenticators like PINs and passwords to protect sensitive access credentials."}, {"divider": true}, {"name": "control", "value": "ID.AM-08.05"}, {"name": "comment", "value": "This diagnostic statement prevents adversaries from being able to steal data in transit between networks by accessing Wi-Fi access points and abusing Kerberos by stealing tickets to enforce unauthorized access. There may be some similarities to NIST 800-53 SI-12 Information Management and Retention. This may provide mitigation of data access/exfiltration techniques."}, {"divider": true}, {"name": "control", "value": "PR.AA-01.01"}, {"name": "comment", "value": "This diagnostic statement protects against Steal or Forge Kerberos Tickets through the use of hardened access control policies, secure defaults, password complexity requirements, multifactor authentication requirements, and removal of terminated accounts."}, {"divider": true}, {"name": "control", "value": "PR.PS-01.05"}, {"name": "comment", "value": "This diagnostic statement is associated with employing strong encryption methods to mitigate unauthorized access or theft of data that protect the confidentiality and integrity of data-at-rest, data-in-use, and data-in-transit. 
To address threats to the theft or forgery of kerberos tickets, enable AES Kerberos encryption (or another stronger encryption algorithm), rather than RC4, where possible."}]}, {"techniqueID": "T1556.007", "score": 7, "comment": " Related to: \n \u2022DE.CM-06.02\n\u2022PR.PS-01.07\n\u2022DE.CM-03.03\n\u2022PR.AA-01.01\n\u2022PR.IR-01.05\n\u2022PR.AA-05.02\n\u2022PR.AA-03.01", "metadata": [{"divider": true}, {"name": "control", "value": "PR.IR-01.05"}, {"name": "comment", "value": "This diagnostic statement implements security controls and restrictions for remote user access to systems. Remote user access control involves managing and securing how users remotely access systems, such as through encrypted connections and account use policies, which help prevent adversary access."}, {"divider": true}, {"name": "control", "value": "PR.AA-05.02"}, {"name": "comment", "value": "This diagnostic statement protects against Hybrid Identity through the use of privileged account management and the use of multi-factor authentication."}, {"divider": true}, {"name": "control", "value": "DE.CM-06.02"}, {"name": "comment", "value": "This diagnostic statement protects against Hybrid Identity through the use of privileged account management. Employing auditing, privilege access management, and just in time access protects against adversaries trying to obtain illicit access to critical systems."}, {"divider": true}, {"name": "control", "value": "PR.PS-01.07"}, {"name": "comment", "value": "This diagnostic statement protects against Modify Authentication Process through the use of revocation of keys and key management. 
Employing key protection strategies and key management for key material used in identity management and authentication processes, limitations to specific accounts along with access control mechanisms provides protection against adversaries attempting to use hybrid identities."}, {"divider": true}, {"name": "control", "value": "DE.CM-03.03"}, {"name": "comment", "value": "This diagnostic statement implements mechanisms and tools to mitigate potential misuse of privileged users and accounts. Continuous monitoring of role and attribute assignments and activity is essential to prevent and detect unauthorized access or misuse."}, {"divider": true}, {"name": "control", "value": "PR.AA-03.01"}, {"name": "comment", "value": "This diagnostic statement describes how the organization implements appropriate authentication requirements, including selecting mechanisms based on risk, utilizing multi-factor authentication where necessary, and safeguarding the storage of authenticators like PINs and passwords to protect sensitive access credentials."}, {"divider": true}, {"name": "control", "value": "PR.AA-01.01"}, {"name": "comment", "value": "This diagnostic statement protects against Hybrid Identity through the use of hardened access control policies, secure defaults, password complexity requirements, multifactor authentication requirements, and removal of terminated accounts."}]}, {"techniqueID": "T1556.005", "score": 4, "comment": " Related to: \n \u2022PR.IR-01.05\n\u2022DE.CM-03.03\n\u2022PR.AA-01.01\n\u2022PR.AA-05.02", "metadata": [{"divider": true}, {"name": "control", "value": "PR.IR-01.05"}, {"name": "comment", "value": "This diagnostic statement implements security controls and restrictions for remote user access to systems. 
Remote user access control involves managing and securing how users remotely access systems, such as through encrypted connections and account use policies, which help prevent adversary access."}, {"divider": true}, {"name": "control", "value": "PR.AA-05.02"}, {"name": "comment", "value": "This diagnostic statement protects against Reversible Encryption through the use of privileged account management and the use of multi-factor authentication."}, {"divider": true}, {"name": "control", "value": "DE.CM-03.03"}, {"name": "comment", "value": "This diagnostic statement implements mechanisms and tools to mitigate potential misuse of privileged users and accounts. Continuous monitoring of role and attribute assignments and activity is essential to prevent and detect unauthorized access or misuse."}, {"divider": true}, {"name": "control", "value": "PR.AA-01.01"}, {"name": "comment", "value": "This diagnostic statement protects against Reversible Encryption through the use of hardened access control policies, secure defaults, password complexity requirements, multifactor authentication requirements, and removal of terminated accounts."}]}, {"techniqueID": "T1556.003", "score": 5, "comment": " Related to: \n \u2022DE.CM-06.02\n\u2022PR.PS-01.07\n\u2022PR.AA-01.01\n\u2022PR.IR-01.05\n\u2022PR.AA-05.02", "metadata": [{"divider": true}, {"name": "control", "value": "PR.IR-01.05"}, {"name": "comment", "value": "This diagnostic statement implements security controls and restrictions for remote user access to systems. 
Remote user access control involves managing and securing how users remotely access systems, such as through encrypted connections and account use policies, which help prevent adversary access."}, {"divider": true}, {"name": "control", "value": "PR.AA-05.02"}, {"name": "comment", "value": "This diagnostic statement protects against Pluggable Authentication Modules through the use of privileged account management and the use of multi-factor authentication."}, {"divider": true}, {"name": "control", "value": "DE.CM-06.02"}, {"name": "comment", "value": "This diagnostic statement protects against Pluggable Authentication Modules through the use of privileged account management. Employing auditing, privilege access management, and just in time access protects against adversaries trying to obtain illicit access to critical systems."}, {"divider": true}, {"name": "control", "value": "PR.PS-01.07"}, {"name": "comment", "value": "This diagnostic statement protects against Modify Authentication Process through the use of revocation of keys and key management. 
Employing key protection strategies and key management for key material used in PAM modules and its authentication process, limitations to specific accounts along with access control mechanisms provides protection against adversaries attempting to modify the PAM processes."}, {"divider": true}, {"name": "control", "value": "PR.AA-01.01"}, {"name": "comment", "value": "This diagnostic statement protects against Pluggable Authentication Modules through the use of hardened access control policies, secure defaults, password complexity requirements, multifactor authentication requirements, and removal of terminated accounts."}]}, {"techniqueID": "T1556.004", "score": 8, "comment": " Related to: \n \u2022DE.CM-06.02\n\u2022PR.PS-01.07\n\u2022DE.CM-03.03\n\u2022PR.AA-01.01\n\u2022PR.IR-01.05\n\u2022PR.AA-01.02\n\u2022PR.AA-05.02\n\u2022PR.AA-03.01", "metadata": [{"divider": true}, {"name": "control", "value": "PR.IR-01.05"}, {"name": "comment", "value": "This diagnostic statement implements security controls and restrictions for remote user access to systems. Remote user access control involves managing and securing how users remotely access systems, such as through encrypted connections and account use policies, which help prevent adversary access."}, {"divider": true}, {"name": "control", "value": "PR.AA-05.02"}, {"name": "comment", "value": "This diagnostic statement protects against Network Device Authentication through the use of privileged account management and the use of multi-factor authentication."}, {"divider": true}, {"name": "control", "value": "DE.CM-06.02"}, {"name": "comment", "value": "This diagnostic statement protects against Network Device Authentication through the use of privileged account management. 
Employing auditing, privilege access management, and just in time access protects against adversaries trying to obtain illicit access to critical systems."}, {"divider": true}, {"name": "control", "value": "PR.PS-01.07"}, {"name": "comment", "value": "This diagnostic statement protects against Modify Authentication Process through the use of revocation of keys and key management. Employing key protection strategies and key management for key material used in managing and signing images, limitations to specific accounts along with access control mechanisms provides protection against adversaries attempting to modify or patch network device authentication processes in those system images."}, {"divider": true}, {"name": "control", "value": "DE.CM-03.03"}, {"name": "comment", "value": "This diagnostic statement implements mechanisms and tools to mitigate potential misuse of privileged users and accounts. Continuous monitoring of role and attribute assignments and activity is essential to prevent and detect unauthorized access or misuse."}, {"divider": true}, {"name": "control", "value": "PR.AA-01.02"}, {"name": "comment", "value": "This diagnostic statement describes how the organization ensures users are identified and authenticated before accessing systems, applications, and hardware, with logical access controls permitting access only to authorized individuals with legitimate business needs. 
Logical access controls in relation to systems can refer to the use of MFA, user account management, and other role-based access control mechanisms to enforce policies for authentication and authorization of user accounts."}, {"divider": true}, {"name": "control", "value": "PR.AA-03.01"}, {"name": "comment", "value": "This diagnostic statement describes how the organization implements appropriate authentication requirements, including selecting mechanisms based on risk, utilizing multi-factor authentication where necessary, and safeguarding the storage of authenticators like PINs and passwords to protect sensitive access credentials."}, {"divider": true}, {"name": "control", "value": "PR.AA-01.01"}, {"name": "comment", "value": "This diagnostic statement protects against Network Device Authentication through the use of hardened access control policies, secure defaults, password complexity requirements, multifactor authentication requirements, and removal of terminated accounts."}]}, {"techniqueID": "T1543.002", "score": 7, "comment": " Related to: \n \u2022DE.CM-03.03\n\u2022DE.CM-09.01\n\u2022PR.IR-01.06\n\u2022PR.AA-01.01\n\u2022PR.IR-01.05\n\u2022PR.AA-01.02\n\u2022PR.AA-05.02", "metadata": [{"divider": true}, {"name": "control", "value": "PR.IR-01.05"}, {"name": "comment", "value": "This diagnostic statement implements security controls and restrictions for remote user access to systems. Remote user access control involves managing and securing how users remotely access systems, such as through encrypted connections and account use policies, which help prevent adversary access."}, {"divider": true}, {"name": "control", "value": "DE.CM-03.03"}, {"name": "comment", "value": "This diagnostic statement implements mechanisms and tools to mitigate potential misuse of privileged users and accounts. 
Continuous monitoring of role and attribute assignments and activity is essential to prevent and detect unauthorized access or misuse."}, {"divider": true}, {"name": "control", "value": "PR.AA-05.02"}, {"name": "comment", "value": "This diagnostic statement protects against Systemd Service through the use of privileged account management and the use of multi-factor authentication."}, {"divider": true}, {"name": "control", "value": "DE.CM-09.01"}, {"name": "comment", "value": "This diagnostic statement protects against Systemd Service through the use of verifying integrity of software/firmware, loading software that is trusted, ensuring privileged process integrity and checking software signatures."}, {"divider": true}, {"name": "control", "value": "PR.AA-01.02"}, {"name": "comment", "value": "This diagnostic statement describes how the organization ensures users are identified and authenticated before accessing systems, applications, and hardware, with logical access controls permitting access only to authorized individuals with legitimate business needs. Logical access controls in relation to systems can refer to the use of MFA, user account management, and other role-based access control mechanisms to enforce policies for authentication and authorization of user accounts."}, {"divider": true}, {"name": "control", "value": "PR.IR-01.06"}, {"name": "comment", "value": "This diagnostic statement provides protections for production environments. 
Measures such as network segmentation and access control reduce the attack surface, restrict movement by adversaries, and protect critical assets and data from compromise."}, {"divider": true}, {"name": "control", "value": "PR.AA-01.01"}, {"name": "comment", "value": "This diagnostic statement protects against Systemd Service through the use of hardened access control policies, secure defaults, password complexity requirements, multifactor authentication requirements, and removal of terminated accounts."}]}, {"techniqueID": "T1543", "score": 11, "comment": " Related to: \n \u2022DE.CM-09.03\n\u2022PR.PS-01.01\n\u2022DE.CM-03.03\n\u2022DE.CM-09.01\n\u2022PR.IR-01.06\n\u2022PR.AA-01.01\n\u2022PR.IR-01.05\n\u2022PR.AA-01.02\n\u2022PR.PS-01.02\n\u2022PR.AA-05.02\n\u2022PR.PS-01.03", "metadata": [{"divider": true}, {"name": "control", "value": "PR.IR-01.05"}, {"name": "comment", "value": "This diagnostic statement implements security controls and restrictions for remote user access to systems. Remote user access control involves managing and securing how users remotely access systems, such as through encrypted connections and account use policies, which help prevent adversary access."}, {"divider": true}, {"name": "control", "value": "PR.PS-01.01"}, {"name": "comment", "value": "This diagnostic statement provides for securely configuring production systems. 
This includes hardening default configurations and making security-focused setting adjustments to reduce the attack surface, enforce best practices, and protect sensitive data thereby mitigating adversary exploitation."}, {"divider": true}, {"name": "control", "value": "PR.AA-05.02"}, {"name": "comment", "value": "This diagnostic statement protects against Create or Modify System Process through the use of privileged account management and the use of multi-factor authentication."}, {"divider": true}, {"name": "control", "value": "DE.CM-09.01"}, {"name": "comment", "value": "This diagnostic statement protects against Create or Modify System Process through the use of verifying integrity of software/firmware, loading software that is trusted, ensuring privileged process integrity and checking software signatures."}, {"divider": true}, {"name": "control", "value": "DE.CM-09.03"}, {"name": "comment", "value": "This Diagnostic Statement addresses measures for managing configuration integrity and unauthorized changes that can mitigate risks associated with adversary techniques attempting to make changes to how the hardware, software, and firmware operates."}, {"divider": true}, {"name": "control", "value": "PR.PS-01.03"}, {"name": "comment", "value": "This diagnostic statement provides protection from Create or Modify System Process through the implementation of security configuration baselines for OS, software, file integrity monitoring and imaging. Security baselining and integrity checking can help protect against adversaries attempting to compromise and modify software and its configurations."}, {"divider": true}, {"name": "control", "value": "DE.CM-03.03"}, {"name": "comment", "value": "This diagnostic statement implements mechanisms and tools to mitigate potential misuse of privileged users and accounts. 
Continuous monitoring of role and attribute assignments and activity is essential to prevent and detect unauthorized access or misuse."}, {"divider": true}, {"name": "control", "value": "PR.AA-01.02"}, {"name": "comment", "value": "This diagnostic statement describes how the organization ensures users are identified and authenticated before accessing systems, applications, and hardware, with logical access controls permitting access only to authorized individuals with legitimate business needs. Logical access controls in relation to systems can refer to the use of MFA, user account management, and other role-based access control mechanisms to enforce policies for authentication and authorization of user accounts."}, {"divider": true}, {"name": "control", "value": "PR.IR-01.06"}, {"name": "comment", "value": "This diagnostic statement provides protections for production environments. Measures such as network segmentation and access control reduce the attack surface, restrict movement by adversaries, and protect critical assets and data from compromise."}, {"divider": true}, {"name": "control", "value": "PR.PS-01.02"}, {"name": "comment", "value": "This diagnostic statement provides for limiting unnecessary software, services, ports, protocols, etc. 
Ensuring systems only have installed and enabled what is essential for their operation reduces the attack surface and minimizes vulnerabilities, which mitigates a wide range of techniques."}, {"divider": true}, {"name": "control", "value": "PR.AA-01.01"}, {"name": "comment", "value": "This diagnostic statement protects against Create or Modify System Process through the use of hardened access control policies, secure defaults, password complexity requirements, multifactor authentication requirements, and removal of terminated accounts."}]}, {"techniqueID": "T1547.006", "score": 9, "comment": " Related to: \n \u2022PR.PS-01.08\n\u2022PR.PS-01.01\n\u2022PR.IR-01.06\n\u2022PR.AA-01.01\n\u2022PR.IR-01.05\n\u2022PR.AA-01.02\n\u2022PR.AA-05.02\n\u2022PR.PS-05.01\n\u2022PR.IR-01.08", "metadata": [{"divider": true}, {"name": "control", "value": "PR.IR-01.05"}, {"name": "comment", "value": "This diagnostic statement implements security controls and restrictions for remote user access to systems. Remote user access control involves managing and securing how users remotely access systems, such as through encrypted connections and account use policies, which help prevent adversary access."}, {"divider": true}, {"name": "control", "value": "PR.PS-01.01"}, {"name": "comment", "value": "This diagnostic statement provides for securely configuring production systems. 
This includes hardening default configurations and making security-focused setting adjustments to reduce the attack surface, enforce best practices, and protect sensitive data thereby mitigating adversary exploitation."}, {"divider": true}, {"name": "control", "value": "PR.AA-05.02"}, {"name": "comment", "value": "This diagnostic statement protects against Kernel Modules and Extensions through the use of privileged account management and the use of multi-factor authentication."}, {"divider": true}, {"name": "control", "value": "PR.PS-05.01"}, {"name": "comment", "value": "Antivirus/Antimalware software should be utilized to detect and quarantine suspicious files that adversaries have made difficult to discover by encrypting, encoding or obfuscating its contents on the system."}, {"divider": true}, {"name": "control", "value": "PR.AA-01.02"}, {"name": "comment", "value": "This diagnostic statement describes how the organization ensures users are identified and authenticated before accessing systems, applications, and hardware, with logical access controls permitting access only to authorized individuals with legitimate business needs. Logical access controls in relation to systems can refer to the use of MFA, user account management, and other role-based access control mechanisms to enforce policies for authentication and authorization of user accounts."}, {"divider": true}, {"name": "control", "value": "PR.IR-01.06"}, {"name": "comment", "value": "This diagnostic statement provides protections for production environments. 
Measures such as network segmentation and access control reduce the attack surface, restrict movement by adversaries, and protect critical assets and data from compromise."}, {"divider": true}, {"name": "control", "value": "PR.IR-01.08"}, {"name": "comment", "value": "This diagnostic statement implements technical controls (e.g., VPN, antivirus software) to address the risks of end-user personal computing devices accessing the organization\u2019s network and resources."}, {"divider": true}, {"name": "control", "value": "PR.AA-01.01"}, {"name": "comment", "value": "This diagnostic statement protects against Kernel Modules and Extensions through the use of hardened access control policies, secure defaults, password complexity requirements, multifactor authentication requirements, and removal of terminated accounts."}, {"divider": true}, {"name": "control", "value": "PR.PS-01.08"}, {"name": "comment", "value": "This diagnostic statement protects against Kernel Modules and Extensions through the use of limiting access to resources to only authorized devices, management of personal computing devices, network intrusion prevention, and the use of antimalware."}]}, {"techniqueID": "T1548.002", "score": 8, "comment": " Related to: \n \u2022DE.CM-06.02\n\u2022PR.PS-02.01\n\u2022PR.IR-01.06\n\u2022DE.CM-03.03\n\u2022PR.AA-01.01\n\u2022PR.IR-01.05\n\u2022PR.AA-05.02\n\u2022PR.PS-01.03", "metadata": [{"divider": true}, {"name": "control", "value": "PR.IR-01.05"}, {"name": "comment", "value": "This diagnostic statement implements security controls and restrictions for remote user access to systems. Remote user access control involves managing and securing how users remotely access systems, such as through encrypted connections and account use policies, which help prevent adversary access."}, {"divider": true}, {"name": "control", "value": "PR.IR-01.06"}, {"name": "comment", "value": "This diagnostic statement provides protections for production environments. 
Measures such as network segmentation and access control reduce the attack surface, restrict movement by adversaries, and protect critical assets and data from compromise."}, {"divider": true}, {"name": "control", "value": "PR.AA-05.02"}, {"name": "comment", "value": "This diagnostic statement protects against Bypass User Account Control through the use of privileged account management and the use of multi-factor authentication."}, {"divider": true}, {"name": "control", "value": "DE.CM-06.02"}, {"name": "comment", "value": "This diagnostic statement protects against Bypass User Account Control through the use of privileged account management. Employing auditing, privilege access management, and just in time access protects against adversaries trying to obtain illicit access to critical systems."}, {"divider": true}, {"name": "control", "value": "PR.PS-02.01"}, {"name": "comment", "value": "This diagnostic statement is related to the implementation of a patch management program. Applying patches and upgrades for products and systems provided by vendors mitigates the risk of adversaries exploiting known vulnerabilities. For example, updating Windows to the latest version and patch level provides the latest protective measures against UAC bypass."}, {"divider": true}, {"name": "control", "value": "PR.PS-01.03"}, {"name": "comment", "value": "This diagnostic statement provides protection from Abuse Elevation Control Mechanism: Bypass User Account Control through the implementation of security configuration baselines for OS, software, file integrity monitoring and imaging. Security baseline configuration of the Operating System and integrity checking can help protect against adversaries attempting to compromise and elevate privileges."}, {"divider": true}, {"name": "control", "value": "DE.CM-03.03"}, {"name": "comment", "value": "This diagnostic statement implements mechanisms and tools to mitigate potential misuse of privileged users and accounts. 
Continuous monitoring of role and attribute assignments and activity is essential to prevent and detect unauthorized access or misuse."}, {"divider": true}, {"name": "control", "value": "PR.AA-01.01"}, {"name": "comment", "value": "This diagnostic statement protects against Bypass User Account Control through the use of hardened access control policies, secure defaults, password complexity requirements, multifactor authentication requirements, and removal of terminated accounts."}]}, {"techniqueID": "T1548.003", "score": 8, "comment": " Related to: \n \u2022DE.CM-06.02\n\u2022PR.PS-01.01\n\u2022PR.IR-01.06\n\u2022DE.CM-03.03\n\u2022PR.IR-01.05\n\u2022PR.PS-01.02\n\u2022PR.AA-05.02\n\u2022PR.PS-01.03", "metadata": [{"divider": true}, {"name": "control", "value": "PR.IR-01.05"}, {"name": "comment", "value": "This diagnostic statement implements security controls and restrictions for remote user access to systems. Remote user access control involves managing and securing how users remotely access systems, such as through encrypted connections and account use policies, which help prevent adversary access."}, {"divider": true}, {"name": "control", "value": "PR.IR-01.06"}, {"name": "comment", "value": "This diagnostic statement provides protections for production environments. Measures such as network segmentation and access control reduce the attack surface, restrict movement by adversaries, and protect critical assets and data from compromise."}, {"divider": true}, {"name": "control", "value": "PR.PS-01.01"}, {"name": "comment", "value": "This diagnostic statement provides for securely configuring production systems. 
This includes hardening default configurations and making security-focused setting adjustments to reduce the attack surface, enforce best practices, and protect sensitive data thereby mitigating adversary exploitation."}, {"divider": true}, {"name": "control", "value": "PR.PS-01.02"}, {"name": "comment", "value": "This diagnostic statement provides for limiting unnecessary software, services, ports, protocols, etc. Ensuring systems only have installed and enabled what is essential for their operation reduces the attack surface and minimizes vulnerabilities, which mitigates a wide range of techniques."}, {"divider": true}, {"name": "control", "value": "PR.AA-05.02"}, {"name": "comment", "value": "This diagnostic statement protects against Sudo and Sudo Caching through the use of privileged account management and the use of multi-factor authentication."}, {"divider": true}, {"name": "control", "value": "DE.CM-06.02"}, {"name": "comment", "value": "This diagnostic statement protects against Sudo and Sudo Caching through the use of privileged account management. Employing auditing, privilege access management, and just in time access protects against adversaries trying to obtain illicit access to critical systems."}, {"divider": true}, {"name": "control", "value": "PR.PS-01.03"}, {"name": "comment", "value": "This diagnostic statement provides protection from Abuse Elevation Control Mechanism: Sudo and Sudo Caching through the implementation of security configuration baselines for OS, software, file integrity monitoring and imaging. Security baseline configuration of the Operating System and integrity checking can help protect against adversaries attempting to compromise and elevate privileges."}, {"divider": true}, {"name": "control", "value": "DE.CM-03.03"}, {"name": "comment", "value": "This diagnostic statement implements mechanisms and tools to mitigate potential misuse of privileged users and accounts. 
Continuous monitoring of role and attribute assignments and activity is essential to prevent and detect unauthorized access or misuse."}]}, {"techniqueID": "T1548.006", "score": 5, "comment": " Related to: \n \u2022DE.CM-06.02\n\u2022PR.IR-01.06\n\u2022DE.CM-03.03\n\u2022PR.IR-01.05\n\u2022PR.AA-05.02", "metadata": [{"divider": true}, {"name": "control", "value": "PR.IR-01.05"}, {"name": "comment", "value": "This diagnostic statement implements security controls and restrictions for remote user access to systems. Remote user access control involves managing and securing how users remotely access systems, such as through encrypted connections and account use policies, which help prevent adversary access."}, {"divider": true}, {"name": "control", "value": "PR.AA-05.02"}, {"name": "comment", "value": "This diagnostic statement protects against TCC Manipulation through the use of privileged account management and the use of multi-factor authentication."}, {"divider": true}, {"name": "control", "value": "DE.CM-06.02"}, {"name": "comment", "value": "This diagnostic statement protects against TCC Manipulation through the use of privileged account management. Employing auditing, privilege access management, and just in time access protects against adversaries trying to obtain illicit access to critical systems."}, {"divider": true}, {"name": "control", "value": "DE.CM-03.03"}, {"name": "comment", "value": "This diagnostic statement implements mechanisms and tools to mitigate potential misuse of privileged users and accounts. Continuous monitoring of role and attribute assignments and activity is essential to prevent and detect unauthorized access or misuse."}, {"divider": true}, {"name": "control", "value": "PR.IR-01.06"}, {"name": "comment", "value": "This diagnostic statement provides protections for production environments. 
Measures such as network segmentation and access control reduce the attack surface, restrict movement by adversaries, and protect critical assets and data from compromise."}]}, {"techniqueID": "T1548", "score": 16, "comment": " Related to: \n \u2022ID.AM-08.05\n\u2022DE.CM-06.02\n\u2022ID.AM-08.03\n\u2022PR.PS-05.02\n\u2022PR.PS-01.01\n\u2022PR.PS-02.01\n\u2022DE.CM-03.03\n\u2022PR.IR-01.06\n\u2022PR.AA-01.01\n\u2022PR.IR-01.05\n\u2022PR.AA-05.03\n\u2022PR.AA-01.02\n\u2022PR.PS-01.02\n\u2022PR.AA-05.02\n\u2022PR.PS-01.03\n\u2022PR.AA-04.01", "metadata": [{"divider": true}, {"name": "control", "value": "PR.IR-01.05"}, {"name": "comment", "value": "This diagnostic statement implements security controls and restrictions for remote user access to systems. Remote user access control involves managing and securing how users remotely access systems, such as through encrypted connections and account use policies, which help prevent adversary access."}, {"divider": true}, {"name": "control", "value": "PR.PS-01.01"}, {"name": "comment", "value": "This diagnostic statement provides for securely configuring production systems. This includes hardening default configurations and making security-focused setting adjustments to reduce the attack surface, enforce best practices, and protect sensitive data thereby mitigating adversary exploitation."}, {"divider": true}, {"name": "control", "value": "PR.PS-01.02"}, {"name": "comment", "value": "This diagnostic statement provides for limiting unnecessary software, services, ports, protocols, etc. 
Ensuring systems only have installed and enabled what is essential for their operation reduces the attack surface and minimizes vulnerabilities, which mitigates a wide range of techniques."}, {"divider": true}, {"name": "control", "value": "PR.AA-05.02"}, {"name": "comment", "value": "This diagnostic statement protects against Abuse Elevation Control Mechanism through the use of privileged account management and the use of multi-factor authentication."}, {"divider": true}, {"name": "control", "value": "DE.CM-06.02"}, {"name": "comment", "value": "This diagnostic statement protects against Abuse Elevation Control Mechanism through the use of privileged account management. Employing auditing, privilege access management, and just in time access protects against adversaries trying to obtain illicit access to critical systems."}, {"divider": true}, {"name": "control", "value": "PR.AA-04.01"}, {"name": "comment", "value": "This diagnostic statement provides protection from Abuse Elevation Control Mechanism through the implementation of privileged account management controls to limit credential access. Employing limitations to specific accounts such as removing accounts from the Administrators group, access control mechanisms, and auditing the attribution logs provides some protection against adversaries attempting to abuse the elevation control mechanism."}, {"divider": true}, {"name": "control", "value": "PR.PS-02.01"}, {"name": "comment", "value": "This diagnostic statement is related to the implementation of a patch management program. Applying patches and upgrades for products and systems provided by vendors mitigates the risk of adversaries exploiting known vulnerabilities. 
For example, performing regular software updates is recommended to help mitigate exploitation risk via abuse of elevation control mechanisms."}, {"divider": true}, {"name": "control", "value": "PR.PS-01.03"}, {"name": "comment", "value": "This diagnostic statement provides protection from Abuse Elevation Control Mechanism through the implementation of security configuration baselines for OS, software, file integrity monitoring and imaging. Security baselining and integrity checking can help protect against adversaries attempting to compromise and modify software and its configurations."}, {"divider": true}, {"name": "control", "value": "PR.PS-05.02"}, {"name": "comment", "value": "Mobile code procedures address specific actions taken to prevent the development, acquisition, and introduction of unacceptable mobile code within organizational systems, including requiring mobile code to be digitally signed by a trusted source."}, {"divider": true}, {"name": "control", "value": "PR.AA-05.03"}, {"name": "comment", "value": "This diagnostic statement describes how the organization establishes security standards based on industry guidelines to institute strict controls over service account (i.e., accounts used by systems to access other systems). Minimize permissions and access for service accounts to mitigate this technique."}, {"divider": true}, {"name": "control", "value": "DE.CM-03.03"}, {"name": "comment", "value": "This diagnostic statement implements mechanisms and tools to mitigate potential misuse of privileged users and accounts. Continuous monitoring of role and attribute assignments and activity is essential to prevent and detect unauthorized access or misuse."}, {"divider": true}, {"name": "control", "value": "ID.AM-08.03"}, {"name": "comment", "value": "This diagnostic statement prevents adversaries from being able to manipulate mechanisms to gain access to user's higher-level permissions and control elevated privileges. 
There may be some similarities to NIST 800-53 SI-12 Information Management and Retention. This may provide mitigation of data access/exfiltration techniques."}, {"divider": true}, {"name": "control", "value": "PR.AA-01.02"}, {"name": "comment", "value": "This diagnostic statement describes how the organization ensures users are identified and authenticated before accessing systems, applications, and hardware, with logical access controls permitting access only to authorized individuals with legitimate business needs. Logical access controls in relation to systems can refer to the use of MFA, user account management, and other role-based access control mechanisms to enforce policies for authentication and authorization of user accounts."}, {"divider": true}, {"name": "control", "value": "PR.IR-01.06"}, {"name": "comment", "value": "This diagnostic statement provides protections for production environments. Measures such as network segmentation and access control reduce the attack surface, restrict movement by adversaries, and protect critical assets and data from compromise."}, {"divider": true}, {"name": "control", "value": "ID.AM-08.05"}, {"name": "comment", "value": "This diagnostic statement prevents adversaries from being able to manipulate mechanisms to gain access to user's higher-level permissions and control elevated privileges. There may be some similarities to NIST 800-53 SI-12 Information Management and Retention. 
This may provide mitigation of data access/exfiltration techniques."}, {"divider": true}, {"name": "control", "value": "PR.AA-01.01"}, {"name": "comment", "value": "This diagnostic statement protects against Abuse Elevation Control Mechanism through the use of hardened access control policies, secure defaults, password complexity requirements, multifactor authentication requirements, and removal of terminated accounts."}]}, {"techniqueID": "T1484.002", "score": 6, "comment": " Related to: \n \u2022DE.CM-06.02\n\u2022PR.AA-01.01\n\u2022PR.IR-01.05\n\u2022PR.AA-05.01\n\u2022PR.AA-05.03\n\u2022PR.AA-05.02", "metadata": [{"divider": true}, {"name": "control", "value": "PR.IR-01.05"}, {"name": "comment", "value": "This diagnostic statement implements security controls and restrictions for remote user access to systems. Remote user access control involves managing and securing how users remotely access systems, such as through encrypted connections and account use policies, which help prevent adversary access."}, {"divider": true}, {"name": "control", "value": "PR.AA-05.02"}, {"name": "comment", "value": "This diagnostic statement protects against Trust Modification through the use of privileged account management and the use of multi-factor authentication."}, {"divider": true}, {"name": "control", "value": "DE.CM-06.02"}, {"name": "comment", "value": "This diagnostic statement protects against Trust Modification through the use of privileged account management. Employing auditing, privilege access management, and just in time access protects against adversaries trying to obtain illicit access to critical systems."}, {"divider": true}, {"name": "control", "value": "PR.AA-05.01"}, {"name": "comment", "value": "This diagnostic statement describes the implementation of least privilege principle, which can be applied to limiting permissions through role-based access controls, file and directory permissions, and the execution of systems and services. 
Use the principle of least privilege and protect administrative access to domain trusts and identity tenants."}, {"divider": true}, {"name": "control", "value": "PR.AA-05.03"}, {"name": "comment", "value": "This diagnostic statement is for the implementation of security controls for service accounts (i.e., accounts used by systems to access other systems). Protect administrative access to domain trusts and identity tenants to mitigate this technique."}, {"divider": true}, {"name": "control", "value": "PR.AA-01.01"}, {"name": "comment", "value": "This diagnostic statement protects against Trust Modification through the use of hardened access control policies, secure defaults, password complexity requirements, multifactor authentication requirements, and removal of terminated accounts."}]}, {"techniqueID": "T1484.001", "score": 2, "comment": " Related to: \n \u2022PR.IR-01.05\n\u2022PR.AA-01.01", "metadata": [{"divider": true}, {"name": "control", "value": "PR.IR-01.05"}, {"name": "comment", "value": "This diagnostic statement implements security controls and restrictions for remote user access to systems. 
Remote user access control involves managing and securing how users remotely access systems, such as through encrypted connections and account use policies, which help prevent adversary access."}, {"divider": true}, {"name": "control", "value": "PR.AA-01.01"}, {"name": "comment", "value": "This diagnostic statement protects against Group Policy Modification through the use of hardened access control policies, secure defaults, password complexity requirements, multifactor authentication requirements, and removal of terminated accounts."}]}, {"techniqueID": "T1484", "score": 6, "comment": " Related to: \n \u2022DE.CM-06.02\n\u2022PR.AA-01.01\n\u2022PR.IR-01.05\n\u2022PR.AA-05.01\n\u2022PR.AA-05.03\n\u2022PR.AA-05.02", "metadata": [{"divider": true}, {"name": "control", "value": "PR.IR-01.05"}, {"name": "comment", "value": "This diagnostic statement implements security controls and restrictions for remote user access to systems. Remote user access control involves managing and securing how users remotely access systems, such as through encrypted connections and account use policies, which help prevent adversary access."}, {"divider": true}, {"name": "control", "value": "PR.AA-05.03"}, {"name": "comment", "value": "This diagnostic statement is for the implementation of security controls for service accounts (i.e., accounts used by systems to access other systems). Restrict administrative privileges to mitigate this technique."}, {"divider": true}, {"name": "control", "value": "PR.AA-05.02"}, {"name": "comment", "value": "This diagnostic statement protects against Domain or Tenant Policy Modification through the use of privileged account management and the use of multi-factor authentication."}, {"divider": true}, {"name": "control", "value": "DE.CM-06.02"}, {"name": "comment", "value": "This diagnostic statement protects against Domain or Tenant Policy Modification through the use of privileged account management. 
Employing auditing, privilege access management, and just in time access protects against adversaries trying to obtain illicit access to critical systems."}, {"divider": true}, {"name": "control", "value": "PR.AA-05.01"}, {"name": "comment", "value": "This diagnostic statement describes the implementation of least privilege principle, which can be applied to limiting permissions through role-based access controls, file and directory permissions, and the execution of systems and services. Use least privilege and protect administrative access to the Domain Controller and Active Directory Federation Services (AD FS) server."}, {"divider": true}, {"name": "control", "value": "PR.AA-01.01"}, {"name": "comment", "value": "This diagnostic statement protects against Domain or Tenant Policy Modification through the use of hardened access control policies, secure defaults, password complexity requirements, multifactor authentication requirements, and removal of terminated accounts."}]}, {"techniqueID": "T1550", "score": 11, "comment": " Related to: \n \u2022DE.CM-06.02\n\u2022PR.PS-01.07\n\u2022PR.IR-01.06\n\u2022PR.AA-01.01\n\u2022PR.IR-01.05\n\u2022PR.PS-06.07\n\u2022PR.PS-06.01\n\u2022PR.AA-05.02\n\u2022PR.AA-03.01\n\u2022DE.CM-01.05\n\u2022PR.DS-02.01", "metadata": [{"divider": true}, {"name": "control", "value": "PR.IR-01.05"}, {"name": "comment", "value": "This diagnostic statement implements security controls and restrictions for remote user access to systems. 
Remote user access control involves managing and securing how users remotely access systems, such as through encrypted connections and account use policies, which help prevent adversary access."}, {"divider": true}, {"name": "control", "value": "PR.PS-06.01"}, {"name": "comment", "value": "This diagnostic statement provides for the implementation of secure development practices, such as implementing token binding strategies which can help prevent malicious use of application access tokens."}, {"divider": true}, {"name": "control", "value": "PR.AA-05.02"}, {"name": "comment", "value": "This diagnostic statement protects against Use Alternate Authentication Material through the use of privileged account management and the use of multi-factor authentication."}, {"divider": true}, {"name": "control", "value": "DE.CM-06.02"}, {"name": "comment", "value": "This diagnostic statement protects against Use Alternate Authentication Material through the use of privileged account management. Employing auditing, privilege access management, and just in time access protects against adversaries trying to obtain illicit access to critical systems."}, {"divider": true}, {"name": "control", "value": "PR.DS-02.01"}, {"name": "comment", "value": "This diagnostic statement provides protection from adversaries that may attack via alternate authentication methods. Various methods should be used to protect data-in-transit including encryption, password hashing, and tokenization."}, {"divider": true}, {"name": "control", "value": "PR.PS-01.07"}, {"name": "comment", "value": "This diagnostic statement protects against Use Alternate Authentication Material through the use of revocation of keys and key management. 
Employing key protection strategies for key material used in identity management and authentication processes, together with limiting key use to specific accounts and applying access control mechanisms, provides protection against adversaries trying to use alternate authentication material."}, {"divider": true}, {"name": "control", "value": "DE.CM-01.05"}, {"name": "comment", "value": "This diagnostic statement provides for implementing tools and measures, such as allowing/denying types of third-party applications, which can help prevent adversary use of alternate authentication material."}, {"divider": true}, {"name": "control", "value": "PR.AA-03.01"}, {"name": "comment", "value": "This diagnostic statement describes how the organization implements appropriate authentication requirements, including selecting mechanisms based on risk, utilizing multi-factor authentication where necessary, and safeguarding the storage of authenticators like PINs and passwords to protect sensitive access credentials."}, {"divider": true}, {"name": "control", "value": "PR.IR-01.06"}, {"name": "comment", "value": "This diagnostic statement provides protections for production environments. Measures such as network segmentation and access control reduce the attack surface, restrict movement by adversaries, and protect critical assets and data from compromise."}, {"divider": true}, {"name": "control", "value": "PR.AA-01.01"}, {"name": "comment", "value": "This diagnostic statement protects against Use Alternate Authentication Material through the use of hardened access control policies, secure defaults, password complexity requirements, multifactor authentication requirements, and removal of terminated accounts."}, {"divider": true}, {"name": "control", "value": "PR.PS-06.07"}, {"name": "comment", "value": "This diagnostic statement protects against Use Alternate Authentication Material through the use of DevSecOps, secure development lifecycle, and application developer guidance. 
Exploitable weaknesses can be mitigated through secure code, reduced vulnerabilities, and secure design principles."}]}, {"techniqueID": "T1542.001", "score": 9, "comment": " Related to: \n \u2022DE.CM-09.03\n\u2022DE.CM-09.02\n\u2022PR.PS-02.01\n\u2022PR.IR-01.06\n\u2022DE.CM-09.01\n\u2022PR.IR-01.05\n\u2022PR.AA-05.02\n\u2022PR.PS-01.03\n\u2022PR.PS-06.06", "metadata": [{"divider": true}, {"name": "control", "value": "PR.IR-01.05"}, {"name": "comment", "value": "This diagnostic statement implements security controls and restrictions for remote user access to systems. Remote user access control involves managing and securing how users remotely access systems, such as through encrypted connections and account use policies, which help prevent adversary access."}, {"divider": true}, {"name": "control", "value": "PR.PS-06.06"}, {"name": "comment", "value": "This diagnostic statement provides for identifying and remediating vulnerabilities as part of the SDLC. Checking the integrity of the existing BIOS or EFI to determine if it is vulnerable to modification and updating firmware can mitigate risks of exploitation and/or abuse."}, {"divider": true}, {"name": "control", "value": "PR.AA-05.02"}, {"name": "comment", "value": "This diagnostic statement protects against System Firmware through the use of privileged account management and the use of multi-factor authentication."}, {"divider": true}, {"name": "control", "value": "DE.CM-09.01"}, {"name": "comment", "value": "This diagnostic statement protects against System Firmware through the use of verifying integrity of software/firmware, loading software that is trusted, ensuring privileged process integrity and checking software signatures."}, {"divider": true}, {"name": "control", "value": "DE.CM-09.02"}, {"name": "comment", "value": "This diagnostic statement provides protection from System Firmware through the implementation of integrity checking mechanisms. 
For example, integrity checking mechanisms that verify the integrity of the operating system, software, firmware, and information before loading them prevent abuse by a threat actor."}, {"divider": true}, {"name": "control", "value": "DE.CM-09.03"}, {"name": "comment", "value": "This diagnostic statement addresses measures for managing configuration integrity and unauthorized changes that can mitigate risks associated with adversary techniques attempting to make changes to how the hardware, software, and firmware operate."}, {"divider": true}, {"name": "control", "value": "PR.PS-02.01"}, {"name": "comment", "value": "This diagnostic statement is related to the implementation of a patch management program. Applying patches and upgrades for products and systems provided by vendors mitigates the risk of adversaries exploiting known vulnerabilities. Patching the BIOS and EFI as necessary helps to prevent adversaries from modifying system firmware."}, {"divider": true}, {"name": "control", "value": "PR.PS-01.03"}, {"name": "comment", "value": "This diagnostic statement provides protection from System Firmware through the implementation of security configuration baselines for OS, software, file integrity monitoring and imaging. Security baselining and integrity checking can help protect against adversaries attempting to compromise and modify firmware and its configurations."}, {"divider": true}, {"name": "control", "value": "PR.IR-01.06"}, {"name": "comment", "value": "This diagnostic statement provides protections for production environments. 
Measures such as network segmentation and access control reduce the attack surface, restrict movement by adversaries, and protect critical assets and data from compromise."}]}, {"techniqueID": "T1542.003", "score": 5, "comment": " Related to: \n \u2022PR.IR-01.06\n\u2022DE.CM-09.01\n\u2022PR.IR-01.05\n\u2022PR.AA-05.02\n\u2022PR.PS-01.03", "metadata": [{"divider": true}, {"name": "control", "value": "PR.IR-01.05"}, {"name": "comment", "value": "This diagnostic statement implements security controls and restrictions for remote user access to systems. Remote user access control involves managing and securing how users remotely access systems, such as through encrypted connections and account use policies, which help prevent adversary access."}, {"divider": true}, {"name": "control", "value": "PR.AA-05.02"}, {"name": "comment", "value": "This diagnostic statement protects against Bootkit through the use of privileged account management and the use of multi-factor authentication."}, {"divider": true}, {"name": "control", "value": "DE.CM-09.01"}, {"name": "comment", "value": "This diagnostic statement protects against Bootkit through the use of verifying integrity of software/firmware, loading software that is trusted, ensuring privileged process integrity and checking software signatures."}, {"divider": true}, {"name": "control", "value": "PR.PS-01.03"}, {"name": "comment", "value": "This diagnostic statement provides protection from Bootkit through the implementation of security configuration baselines for OS, software, file integrity monitoring and imaging. Security baselining and integrity checking can help protect against adversaries attempting to compromise and modify software and its configurations."}, {"divider": true}, {"name": "control", "value": "PR.IR-01.06"}, {"name": "comment", "value": "This diagnostic statement provides protections for production environments. 
Measures such as network segmentation and access control reduce the attack surface, restrict movement by adversaries, and protect critical assets and data from compromise."}]}, {"techniqueID": "T1599.001", "score": 8, "comment": " Related to: \n \u2022DE.CM-06.02\n\u2022PR.PS-01.07\n\u2022PR.IR-01.06\n\u2022PR.AA-01.01\n\u2022PR.IR-01.03\n\u2022PR.AA-05.02\n\u2022PR.AA-03.01\n\u2022PR.PS-01.08", "metadata": [{"divider": true}, {"name": "control", "value": "PR.IR-01.06"}, {"name": "comment", "value": "This diagnostic statement provides protections for production environments. Measures such as network segmentation and access control reduce the attack surface, restrict movement by adversaries, and protect critical assets and data from compromise."}, {"divider": true}, {"name": "control", "value": "PR.AA-05.02"}, {"name": "comment", "value": "This diagnostic statement protects against Network Address Translation Traversal through the use of privileged account management and the use of multi-factor authentication."}, {"divider": true}, {"name": "control", "value": "DE.CM-06.02"}, {"name": "comment", "value": "This diagnostic statement protects against Network Address Translation Traversal through the use of privileged account management. Employing auditing, privilege access management, and just in time access protects against adversaries trying to obtain illicit access to critical systems."}, {"divider": true}, {"name": "control", "value": "PR.PS-01.07"}, {"name": "comment", "value": "This diagnostic statement protects against Network Address Translation Traversal through the use of revocation of keys and key management. 
Employing key protection strategies and key management for key material used in identity management and authentication processes (including multi-factor authentication (MFA) for network devices using TACACS+/RADIUS), together with limiting key use to specific accounts and applying access control mechanisms, provides protection against adversaries attempting to perform Network Address Translation Traversal."}, {"divider": true}, {"name": "control", "value": "PR.AA-03.01"}, {"name": "comment", "value": "This diagnostic statement describes how the organization implements appropriate authentication requirements, including selecting mechanisms based on risk, utilizing multi-factor authentication where necessary, and safeguarding the storage of authenticators like PINs and passwords to protect sensitive access credentials."}, {"divider": true}, {"name": "control", "value": "PR.IR-01.03"}, {"name": "comment", "value": "This diagnostic statement protects against Network Address Translation Traversal through the use of secure network configurations, architecture, implementations of zero trust architecture, and segmentation."}, {"divider": true}, {"name": "control", "value": "PR.AA-01.01"}, {"name": "comment", "value": "This diagnostic statement protects against Network Address Translation Traversal through the use of hardened access control policies, secure defaults, password complexity requirements, multifactor authentication requirements, and removal of terminated accounts."}, {"divider": true}, {"name": "control", "value": "PR.PS-01.08"}, {"name": "comment", "value": "This diagnostic statement protects against Network Address Translation Traversal through the use of limiting access to resources to only authorized devices, management of personal computing devices, network intrusion prevention, and the use of antimalware."}]}, {"techniqueID": "T1599", "score": 10, "comment": " Related to: \n 
\u2022DE.CM-06.02\n\u2022PR.PS-01.07\n\u2022PR.IR-04.01\n\u2022DE.CM-01.03\n\u2022PR.IR-01.06\n\u2022PR.AA-01.01\n\u2022PR.IR-01.03\n\u2022PR.AA-05.02\n\u2022PR.AA-03.01\n\u2022PR.PS-01.08", "metadata": [{"divider": true}, {"name": "control", "value": "PR.IR-01.06"}, {"name": "comment", "value": "This diagnostic statement provides protections for production environments. Measures such as network segmentation and access control reduce the attack surface, restrict movement by adversaries, and protect critical assets and data from compromise."}, {"divider": true}, {"name": "control", "value": "PR.AA-05.02"}, {"name": "comment", "value": "This diagnostic statement protects against Network Boundary Bridging through the use of privileged account management and the use of multi-factor authentication."}, {"divider": true}, {"name": "control", "value": "DE.CM-06.02"}, {"name": "comment", "value": "This diagnostic statement protects against Network Boundary Bridging through the use of privileged account management. Employing auditing, privilege access management, and just in time access protects against adversaries trying to obtain illicit access to critical systems."}, {"divider": true}, {"name": "control", "value": "DE.CM-01.03"}, {"name": "comment", "value": "This diagnostic statement provides protection from Network Boundary Bridging by using tools to detect and block the use of unauthorized devices and connections to prevent abuse by adversaries."}, {"divider": true}, {"name": "control", "value": "PR.PS-01.07"}, {"name": "comment", "value": "This diagnostic statement protects against Network Boundary Bridging through the use of revocation of keys and key management. 
Employing key protection strategies and key management for key material used in identity management and authentication processes (including multi-factor authentication (MFA) for network devices using TACACS+/RADIUS), together with limiting key use to specific accounts and applying access control mechanisms, provides protection against adversaries attempting to perform Network Boundary Bridging."}, {"divider": true}, {"name": "control", "value": "PR.AA-03.01"}, {"name": "comment", "value": "This diagnostic statement describes how the organization implements appropriate authentication requirements, including selecting mechanisms based on risk, utilizing multi-factor authentication where necessary, and safeguarding the storage of authenticators like PINs and passwords to protect sensitive access credentials."}, {"divider": true}, {"name": "control", "value": "PR.IR-04.01"}, {"name": "comment", "value": "This diagnostic statement describes how the organization establishes and manages baseline measures of network activity, supported by network monitoring tools and other controls to detect events and identify incidents. 
Mitigating mechanisms may include: Data Loss Prevention (DLP); Filtering Network Traffic; Limit Network Traffic; Network Intrusion Prevention Systems (NIPS); and Network Segmentation for these types of network-based techniques."}, {"divider": true}, {"name": "control", "value": "PR.IR-01.03"}, {"name": "comment", "value": "This diagnostic statement protects against Network Boundary Bridging through the use of secure network configurations, architecture, implementations of zero trust architecture, and segmentation."}, {"divider": true}, {"name": "control", "value": "PR.AA-01.01"}, {"name": "comment", "value": "This diagnostic statement protects against Network Boundary Bridging through the use of hardened access control policies, secure defaults, password complexity requirements, multifactor authentication requirements, and removal of terminated accounts."}, {"divider": true}, {"name": "control", "value": "PR.PS-01.08"}, {"name": "comment", "value": "This diagnostic statement protects against Network Boundary Bridging through the use of limiting access to resources to only authorized devices, management of personal computing devices, network intrusion prevention, and the use of antimalware."}]}, {"techniqueID": "T1555.006", "score": 3, "comment": " Related to: \n \u2022PR.AA-05.02\n\u2022DE.CM-06.02\n\u2022PR.IR-01.06", "metadata": [{"divider": true}, {"name": "control", "value": "PR.IR-01.06"}, {"name": "comment", "value": "This diagnostic statement provides protections for production environments. 
Measures such as network segmentation and access control reduce the attack surface, restrict movement by adversaries, and protect critical assets and data from compromise."}, {"divider": true}, {"name": "control", "value": "PR.AA-05.02"}, {"name": "comment", "value": "This diagnostic statement protects against Cloud Secrets Management Stores through the use of privileged account management and the use of multi-factor authentication."}, {"divider": true}, {"name": "control", "value": "DE.CM-06.02"}, {"name": "comment", "value": "This diagnostic statement protects against Cloud Secrets Management Stores through the use of privileged account management. Employing auditing, privilege access management, and just in time access protects against adversaries trying to obtain illicit access to critical systems."}]}, {"techniqueID": "T1552.002", "score": 5, "comment": " Related to: \n \u2022DE.CM-06.02\n\u2022PR.IR-01.06\n\u2022PR.AA-01.01\n\u2022PR.IR-01.05\n\u2022PR.AA-05.02", "metadata": [{"divider": true}, {"name": "control", "value": "PR.IR-01.06"}, {"name": "comment", "value": "This diagnostic statement provides protections for production environments. Measures such as network segmentation and access control reduce the attack surface, restrict movement by adversaries, and protect critical assets and data from compromise."}, {"divider": true}, {"name": "control", "value": "PR.AA-05.02"}, {"name": "comment", "value": "This diagnostic statement protects against Credentials in Registry through the use of privileged account management and the use of multi-factor authentication."}, {"divider": true}, {"name": "control", "value": "DE.CM-06.02"}, {"name": "comment", "value": "This diagnostic statement protects against Credentials in Registry through the use of privileged account management. 
Employing auditing, privilege access management, and just in time access protects against adversaries trying to obtain illicit access to critical systems."}, {"divider": true}, {"name": "control", "value": "PR.IR-01.05"}, {"name": "comment", "value": "This diagnostic statement implements security controls and restrictions for remote user access to systems. Remote user access control involves managing and securing how users remotely access systems, such as through encrypted connections and account use policies, which help prevent adversary access."}, {"divider": true}, {"name": "control", "value": "PR.AA-01.01"}, {"name": "comment", "value": "This diagnostic statement protects against Credentials in Registry through the use of hardened access control policies, secure defaults, password complexity requirements, multifactor authentication requirements, and removal of terminated accounts."}]}, {"techniqueID": "T1546.003", "score": 4, "comment": " Related to: \n \u2022PR.AA-05.02\n\u2022PR.AA-01.01\n\u2022PR.IR-01.06\n\u2022PR.IR-01.05", "metadata": [{"divider": true}, {"name": "control", "value": "PR.IR-01.06"}, {"name": "comment", "value": "This diagnostic statement provides protections for production environments. Measures such as network segmentation and access control reduce the attack surface, restrict movement by adversaries, and protect critical assets and data from compromise."}, {"divider": true}, {"name": "control", "value": "PR.AA-05.02"}, {"name": "comment", "value": "This diagnostic statement protects against Windows Management Instrumentation Event Subscription through the use of privileged account management and the use of multi-factor authentication."}, {"divider": true}, {"name": "control", "value": "PR.IR-01.05"}, {"name": "comment", "value": "This diagnostic statement implements security controls and restrictions for remote user access to systems. 
Remote user access control involves managing and securing how users remotely access systems, such as through encrypted connections and account use policies, which help prevent adversary access."}, {"divider": true}, {"name": "control", "value": "PR.AA-01.01"}, {"name": "comment", "value": "This diagnostic statement protects against Windows Management Instrumentation Event Subscription through the use of hardened access control policies, secure defaults, password complexity requirements, multifactor authentication requirements, and removal of terminated accounts."}]}, {"techniqueID": "T1505.001", "score": 4, "comment": " Related to: \n \u2022PR.AA-05.02\n\u2022PR.PS-01.03\n\u2022PR.IR-01.06\n\u2022DE.CM-09.01", "metadata": [{"divider": true}, {"name": "control", "value": "PR.IR-01.06"}, {"name": "comment", "value": "This diagnostic statement provides protections for production environments. Measures such as network segmentation and access control reduce the attack surface, restrict movement by adversaries, and protect critical assets and data from compromise."}, {"divider": true}, {"name": "control", "value": "PR.AA-05.02"}, {"name": "comment", "value": "This diagnostic statement protects against SQL Stored Procedures through the use of privileged account management and the use of multi-factor authentication."}, {"divider": true}, {"name": "control", "value": "DE.CM-09.01"}, {"name": "comment", "value": "This diagnostic statement protects against SQL Stored Procedures through the use of verifying integrity of software/firmware, loading software that is trusted, ensuring privileged process integrity and checking software signatures."}, {"divider": true}, {"name": "control", "value": "PR.PS-01.03"}, {"name": "comment", "value": "This diagnostic statement provides protection from SQL Stored Procedures through the implementation of security configuration baselines for OS, software, file integrity monitoring and imaging. 
Security baselining and integrity checking can help protect against adversaries attempting to compromise and modify software and its configurations."}]}, {"techniqueID": "T1505.002", "score": 4, "comment": " Related to: \n \u2022PR.AA-05.02\n\u2022PR.PS-01.03\n\u2022PR.IR-01.06\n\u2022DE.CM-09.01", "metadata": [{"divider": true}, {"name": "control", "value": "PR.IR-01.06"}, {"name": "comment", "value": "This diagnostic statement provides protections for production environments. Measures such as network segmentation and access control reduce the attack surface, restrict movement by adversaries, and protect critical assets and data from compromise."}, {"divider": true}, {"name": "control", "value": "PR.AA-05.02"}, {"name": "comment", "value": "This diagnostic statement protects against Transport Agent through the use of privileged account management and the use of multi-factor authentication."}, {"divider": true}, {"name": "control", "value": "DE.CM-09.01"}, {"name": "comment", "value": "This diagnostic statement protects against Transport Agent through the use of verifying integrity of software/firmware, loading software that is trusted, ensuring privileged process integrity and checking software signatures."}, {"divider": true}, {"name": "control", "value": "PR.PS-01.03"}, {"name": "comment", "value": "This diagnostic statement provides protection from Transport Agent through the implementation of security configuration baselines for OS, software, file integrity monitoring and imaging. 
Security baselining and integrity checking can help protect against adversaries attempting to compromise and modify software and its configurations."}]}, {"techniqueID": "T1200", "score": 7, "comment": " Related to: \n \u2022PR.IR-01.04\n\u2022PR.DS-01.03\n\u2022PR.IR-01.06\n\u2022PR.IR-01.03\n\u2022DE.CM-01.04\n\u2022PR.AA-05.01\n\u2022PR.PS-01.08", "metadata": [{"divider": true}, {"name": "control", "value": "PR.IR-01.06"}, {"name": "comment", "value": "This diagnostic statement provides protections for production environments. Measures such as network segmentation and access control reduce the attack surface, restrict movement by adversaries, and protect critical assets and data from compromise."}, {"divider": true}, {"name": "control", "value": "DE.CM-01.04"}, {"name": "comment", "value": "This diagnostic statement provides protection from Hardware Additions through the use of tools to detect and block the use of unauthorized or unknown devices and accessories by endpoint security configuration and monitoring."}, {"divider": true}, {"name": "control", "value": "PR.DS-01.03"}, {"name": "comment", "value": "This diagnostic statement focuses on restricting the use of removable media devices (e.g., USB drives, CDs, DVDs) to prevent unauthorized access, data leakage, or malicious activity."}, {"divider": true}, {"name": "control", "value": "PR.AA-05.01"}, {"name": "comment", "value": "This diagnostic statement describes the implementation of least privilege principle, which can be applied to limiting permissions through role-based access controls, file and directory permissions, and the execution of systems and services. Limiting users' access to resources over the network can help mitigate these techniques. Establish network access control policies, such as using device certificates and the 802.1x standard. 
Restrict use of DHCP to registered devices to prevent unregistered devices from communicating with trusted systems."}, {"divider": true}, {"name": "control", "value": "PR.IR-01.03"}, {"name": "comment", "value": "This diagnostic statement protects against Hardware Additions through the use of secure network configurations, architecture, implementations of zero trust architecture, and segmentation."}, {"divider": true}, {"name": "control", "value": "PR.IR-01.04"}, {"name": "comment", "value": "This diagnostic statement provides protections for wireless networks. Implementation of wireless network management measures such as network segmentation and access controls reduces the attack surface, restricts movement by adversaries, and protects data from compromise."}, {"divider": true}, {"name": "control", "value": "PR.PS-01.08"}, {"name": "comment", "value": "This diagnostic statement protects against Hardware Additions through the use of limiting access to resources to only authorized devices, management of personal computing devices, network intrusion prevention, and the use of antimalware."}]}, {"techniqueID": "T1134.002", "score": 6, "comment": " Related to: \n \u2022DE.CM-06.02\n\u2022PR.IR-01.06\n\u2022PR.AA-01.01\n\u2022PR.AA-05.01\n\u2022PR.AA-01.02\n\u2022PR.AA-05.02", "metadata": [{"divider": true}, {"name": "control", "value": "PR.IR-01.06"}, {"name": "comment", "value": "This diagnostic statement provides protections for production environments. 
Measures such as network segmentation and access control reduce the attack surface, restrict movement by adversaries, and protect critical assets and data from compromise."}, {"divider": true}, {"name": "control", "value": "PR.AA-05.02"}, {"name": "comment", "value": "This diagnostic statement protects against Create Process with Token through the use of privileged account management and the use of multi-factor authentication."}, {"divider": true}, {"name": "control", "value": "DE.CM-06.02"}, {"name": "comment", "value": "This diagnostic statement protects against Create Process with Token through the use of privileged account management. Employing auditing, privilege access management, and just in time access protects against adversaries trying to obtain illicit access to critical systems."}, {"divider": true}, {"name": "control", "value": "PR.AA-05.01"}, {"name": "comment", "value": "This diagnostic statement describes the implementation of least privilege principle, which can be applied to limiting permissions through role-based access controls, file and directory permissions, and the execution of systems and services. An adversary must already have high-level, admin or root level access on a local system to make full use of these ATT&CK techniques. Restricting users and accounts to the least privileges they require can help mitigate these techniques."}, {"divider": true}, {"name": "control", "value": "PR.AA-01.02"}, {"name": "comment", "value": "This diagnostic statement describes how the organization ensures users are identified and authenticated before accessing systems, applications, and hardware, with logical access controls permitting access only to authorized individuals with legitimate business needs. 
Logical access controls in relation to systems can refer to the use of MFA, user account management, and other role-based access control mechanisms to enforce policies for authentication and authorization of user accounts."}, {"divider": true}, {"name": "control", "value": "PR.AA-01.01"}, {"name": "comment", "value": "This diagnostic statement protects against Create Process with Token through the use of hardened access control policies, secure defaults, password complexity requirements, multifactor authentication requirements, and removal of terminated accounts."}]}, {"techniqueID": "T1134.001", "score": 6, "comment": " Related to: \n \u2022DE.CM-06.02\n\u2022PR.IR-01.06\n\u2022PR.AA-01.01\n\u2022PR.AA-05.01\n\u2022PR.AA-01.02\n\u2022PR.AA-05.02", "metadata": [{"divider": true}, {"name": "control", "value": "PR.IR-01.06"}, {"name": "comment", "value": "This diagnostic statement provides protections for production environments. Measures such as network segmentation and access control reduce the attack surface, restrict movement by adversaries, and protect critical assets and data from compromise."}, {"divider": true}, {"name": "control", "value": "PR.AA-05.02"}, {"name": "comment", "value": "This diagnostic statement protects against Token Impersonation/Theft through the use of privileged account management and the use of multi-factor authentication."}, {"divider": true}, {"name": "control", "value": "DE.CM-06.02"}, {"name": "comment", "value": "This diagnostic statement protects against Token Impersonation/Theft through the use of privileged account management. 
Employing auditing, privilege access management, and just in time access protects against adversaries trying to obtain illicit access to critical systems."}, {"divider": true}, {"name": "control", "value": "PR.AA-05.01"}, {"name": "comment", "value": "This diagnostic statement describes the implementation of least privilege principle, which can be applied to limiting permissions through role-based access controls, file and directory permissions, and the execution of systems and services. An adversary must already have high-level, admin or root level access on a local system to make full use of these ATT&CK techniques. Restrict users and accounts to the least privileges they require can help mitigate these techniques."}, {"divider": true}, {"name": "control", "value": "PR.AA-01.02"}, {"name": "comment", "value": "This diagnostic statement describes how the organization ensures users are identified and authenticated before accessing systems, applications, and hardware, with logical access controls permitting access only to authorized individuals with legitimate business needs. 
Logical access controls in relation to systems can refer to the use of MFA, user account management, and other role-based access control mechanisms to enforce policies for authentication and authorization of user accounts."}, {"divider": true}, {"name": "control", "value": "PR.AA-01.01"}, {"name": "comment", "value": "This diagnostic statement protects against Token Impersonation/Theft through the use of hardened access control policies, secure defaults, password complexity requirements, multifactor authentication requirements, and removal of terminated accounts."}]}, {"techniqueID": "T1134.003", "score": 6, "comment": " Related to: \n \u2022DE.CM-06.02\n\u2022PR.IR-01.06\n\u2022PR.AA-01.01\n\u2022PR.AA-05.01\n\u2022PR.AA-01.02\n\u2022PR.AA-05.02", "metadata": [{"divider": true}, {"name": "control", "value": "PR.IR-01.06"}, {"name": "comment", "value": "This diagnostic statement provides protections for production environments. Measures such as network segmentation and access control reduce the attack surface, restrict movement by adversaries, and protect critical assets and data from compromise."}, {"divider": true}, {"name": "control", "value": "PR.AA-05.02"}, {"name": "comment", "value": "This diagnostic statement protects against Make and Impersonate Token through the use of privileged account management and the use of multi-factor authentication."}, {"divider": true}, {"name": "control", "value": "DE.CM-06.02"}, {"name": "comment", "value": "This diagnostic statement protects against Make and Impersonate Token through the use of privileged account management. 
Employing auditing, privilege access management, and just in time access protects against adversaries trying to obtain illicit access to critical systems."}, {"divider": true}, {"name": "control", "value": "PR.AA-05.01"}, {"name": "comment", "value": "This diagnostic statement describes the implementation of least privilege principle, which can be applied to limiting permissions through role-based access controls, file and directory permissions, and the execution of systems and services. An adversary must already have high-level, admin or root level access on a local system to make full use of these ATT&CK techniques. Restrict users and accounts to the least privileges they require can help mitigate these techniques."}, {"divider": true}, {"name": "control", "value": "PR.AA-01.02"}, {"name": "comment", "value": "This diagnostic statement describes how the organization ensures users are identified and authenticated before accessing systems, applications, and hardware, with logical access controls permitting access only to authorized individuals with legitimate business needs. 
Logical access controls in relation to systems can refer to the use of MFA, user account management, and other role-based access control mechanisms to enforce policies for authentication and authorization of user accounts."}, {"divider": true}, {"name": "control", "value": "PR.AA-01.01"}, {"name": "comment", "value": "This diagnostic statement protects against Make and Impersonate Token through the use of hardened access control policies, secure defaults, password complexity requirements, multifactor authentication requirements, and removal of terminated accounts."}]}, {"techniqueID": "T1610", "score": 6, "comment": " Related to: \n \u2022PR.AA-01.01\n\u2022PR.IR-01.03\n\u2022PR.IR-01.01\n\u2022PR.AA-05.01\n\u2022PR.IR-01.02\n\u2022PR.PS-01.08", "metadata": [{"divider": true}, {"name": "control", "value": "PR.IR-01.02"}, {"name": "comment", "value": "This diagnostic statement provides protection through secure network device configurations (e.g., firewall rules, ports, and protocols) aligned to security baselines. Using network appliances to limit communications with container services can prevent adversary deployment of a container."}, {"divider": true}, {"name": "control", "value": "PR.AA-05.01"}, {"name": "comment", "value": "This diagnostic statement describes the implementation of least privilege principle, which can be applied to limiting permissions through role-based access controls, file and directory permissions, and the execution of systems and services. An adversary must already have high-level, admin or root level access on a local system to make full use of these ATT&CK techniques. Restrict users and accounts to the least privileges they require can help mitigate these techniques."}, {"divider": true}, {"name": "control", "value": "PR.IR-01.01"}, {"name": "comment", "value": "This diagnostic statement is for the implementation of network segmentation which helps prevent access to critical systems and sensitive information. 
Employing network segmentation to deny direct remote access to internal systems externally provides protection against adversaries attempting to deploy containers."}, {"divider": true}, {"name": "control", "value": "PR.IR-01.03"}, {"name": "comment", "value": "This diagnostic statement protects against Deploy Container through the use of secure network configurations, architecture, implementations of zero trust architecture, and segmentation."}, {"divider": true}, {"name": "control", "value": "PR.AA-01.01"}, {"name": "comment", "value": "This diagnostic statement protects against Deploy Container through the use of hardened access control policies, secure defaults, password complexity requirements, multifactor authentication requirements, and removal of terminated accounts."}, {"divider": true}, {"name": "control", "value": "PR.PS-01.08"}, {"name": "comment", "value": "This diagnostic statement protects against Deploy Container through the use of limiting access to resources to only authorized devices, management of personal computing devices, network intrusion prevention, and the use of antimalware."}]}, {"techniqueID": "T1495", "score": 9, "comment": " Related to: \n \u2022DE.CM-09.03\n\u2022ID.RA-01.03\n\u2022DE.CM-09.02\n\u2022PR.PS-02.01\n\u2022PR.IR-01.06\n\u2022DE.CM-09.01\n\u2022PR.AA-05.02\n\u2022PR.PS-01.03\n\u2022PR.PS-06.06", "metadata": [{"divider": true}, {"name": "control", "value": "PR.PS-06.06"}, {"name": "comment", "value": "This diagnostic statement provides for identifying and remediating vulnerabilities as part of the SDLC. 
Checking the integrity of the existing BIOS or EFI to determine if it is vulnerable to modification and updating firmware can mitigate risks of exploitation and/or abuse."}, {"divider": true}, {"name": "control", "value": "PR.AA-05.02"}, {"name": "comment", "value": "This diagnostic statement protects against Firmware Corruption through the use of privileged account management and the use of multi-factor authentication."}, {"divider": true}, {"name": "control", "value": "DE.CM-09.01"}, {"name": "comment", "value": "This diagnostic statement protects against Firmware Corruption through the use of verifying integrity of software/firmware, loading software that is trusted, ensuring privileged process integrity and checking software signatures."}, {"divider": true}, {"name": "control", "value": "DE.CM-09.02"}, {"name": "comment", "value": "This diagnostic statement provides protection from Firmware Corruption through the implementation of integrity checking mechanisms. For example, integrity checking mechanisms to verify the operating system, software, firmware, and information integrity before loading it prevents abuse by a threat actor."}, {"divider": true}, {"name": "control", "value": "ID.RA-01.03"}, {"name": "comment", "value": "This diagnostic statement provides protection from vulnerabilities in exposed applications from across the organization through the use of tools that scan for and review vulnerabilities along with patch management and remediation of those vulnerabilities."}, {"divider": true}, {"name": "control", "value": "DE.CM-09.03"}, {"name": "comment", "value": "This Diagnostic Statement addresses measures for managing configuration integrity and unauthorized changes that can mitigate risks associated with adversary techniques attempting to make changes to how the hardware, software, and firmware operates."}, {"divider": true}, {"name": "control", "value": "PR.PS-02.01"}, {"name": "comment", "value": "This diagnostic statement is related to the 
implementation of a patch management program. Applying patches and upgrades for products and systems provided by vendors mitigates the risk of adversaries exploiting known vulnerabilities. For example, patching the BIOS and other firmware can help prevent adversaries from overwriting or corrupting firmware."}, {"divider": true}, {"name": "control", "value": "PR.PS-01.03"}, {"name": "comment", "value": "This diagnostic statement provides protection from Firmware Corruption through the implementation of security configuration baselines for OS, software, file integrity monitoring and imaging. Security baselining and integrity checking can help protect against adversaries attempting to compromise and modify firmware and its configurations."}, {"divider": true}, {"name": "control", "value": "PR.IR-01.06"}, {"name": "comment", "value": "This diagnostic statement provides protections for production environments. Measures such as network segmentation and access control reduce the attack surface, restrict movement by adversaries, and protect critical assets and data from compromise."}]}, {"techniqueID": "T1137.005", "score": 3, "comment": " Related to: \n \u2022PR.PS-02.01\n\u2022PR.PS-05.02\n\u2022PR.PS-06.06", "metadata": [{"divider": true}, {"name": "control", "value": "PR.PS-06.06"}, {"name": "comment", "value": "This diagnostic statement provides for identifying and remediating vulnerabilities as part of the SDLC. Apply vendor security updates to mitigate risks of exploitation and/or abuse of Office mechanisms that can be used for persistence when an Office-based application is started. 
"}, {"divider": true}, {"name": "control", "value": "PR.PS-05.02"}, {"name": "comment", "value": "Mobile code procedures address specific actions taken to prevent the development, acquisition, and introduction of unacceptable mobile code within organizational systems, including requiring mobile code to be digitally signed by a trusted source."}, {"divider": true}, {"name": "control", "value": "PR.PS-02.01"}, {"name": "comment", "value": "This diagnostic statement is related to the implementation of a patch management program. Applying patches and upgrades for products and systems provided by vendors mitigates the risk of adversaries exploiting known vulnerabilities. An example of this is installing patches Microsoft has released to help to address abuse of Microsoft Outlook rules."}]}, {"techniqueID": "T1137", "score": 6, "comment": " Related to: \n \u2022PR.PS-05.02\n\u2022PR.PS-01.01\n\u2022PR.PS-02.01\n\u2022PR.PS-01.02\n\u2022PR.PS-01.03\n\u2022PR.PS-06.06", "metadata": [{"divider": true}, {"name": "control", "value": "PR.PS-06.06"}, {"name": "comment", "value": "This diagnostic statement provides for identifying and remediating vulnerabilities as part of the SDLC. Apply vendor security updates to mitigate risks of exploitation and/or abuse of Office mechanisms that can be used for persistence when an Office-based application is started. "}, {"divider": true}, {"name": "control", "value": "PR.PS-01.01"}, {"name": "comment", "value": "This diagnostic statement provides for securely configuring production systems. This includes hardening default configurations and making security-focused setting adjustments to reduce the attack surface, enforce best practices, and protect sensitive data thereby mitigating adversary exploitation."}, {"divider": true}, {"name": "control", "value": "PR.PS-01.02"}, {"name": "comment", "value": "This diagnostic statement provides for limiting unnecessary software, services, ports, protocols, etc. 
Ensuring systems only have installed and enabled what is essential for their operation reduces the attack surface and minimizes vulnerabilities, which mitigates a wide range of techniques."}, {"divider": true}, {"name": "control", "value": "PR.PS-02.01"}, {"name": "comment", "value": "This diagnostic statement is related to the implementation of a patch management program. Applying patches and upgrades for products and systems provided by vendors mitigates the risk of adversaries exploiting known vulnerabilities. For example, Microsoft has released several patches to help address leveraging of Microsoft Office-based applications for persistence between startups. "}, {"divider": true}, {"name": "control", "value": "PR.PS-01.03"}, {"name": "comment", "value": "This diagnostic statement provides protection from Office Application Startup through the implementation of security configuration baselines for OS, software, file integrity monitoring and imaging. Security baseline configuration of Office software and integrity checking can help protect against adversaries attempting to compromise and modify software and its configurations."}, {"divider": true}, {"name": "control", "value": "PR.PS-05.02"}, {"name": "comment", "value": "Mobile code procedures address specific actions taken to prevent the development, acquisition, and introduction of unacceptable mobile code within organizational systems, including requiring mobile code to be digitally signed by a trusted source."}]}, {"techniqueID": "T1137.003", "score": 3, "comment": " Related to: \n \u2022PR.PS-02.01\n\u2022PR.PS-05.02\n\u2022PR.PS-06.06", "metadata": [{"divider": true}, {"name": "control", "value": "PR.PS-06.06"}, {"name": "comment", "value": "This diagnostic statement provides for identifying and remediating vulnerabilities as part of the SDLC. 
Apply vendor security updates to mitigate risks of exploitation and/or abuse of Office mechanisms that can be used for persistence when an Office-based application is started. "}, {"divider": true}, {"name": "control", "value": "PR.PS-05.02"}, {"name": "comment", "value": "Mobile code procedures address specific actions taken to prevent the development, acquisition, and introduction of unacceptable mobile code within organizational systems, including requiring mobile code to be digitally signed by a trusted source."}, {"divider": true}, {"name": "control", "value": "PR.PS-02.01"}, {"name": "comment", "value": "This diagnostic statement is related to the implementation of a patch management program. Applying patches and upgrades for products and systems provided by vendors mitigates the risk of adversaries exploiting known vulnerabilities. For example, exploitation via Outlook Forms can be mitigated by applying Microsoft KB4011091 which disables custom forms by default."}]}, {"techniqueID": "T1542.002", "score": 4, "comment": " Related to: \n \u2022DE.CM-09.03\n\u2022DE.CM-09.02\n\u2022EX.DD-04.01\n\u2022PR.PS-06.06", "metadata": [{"divider": true}, {"name": "control", "value": "PR.PS-06.06"}, {"name": "comment", "value": "This diagnostic statement provides for identifying and remediating vulnerabilities as part of the SDLC. Checking the integrity of the existing BIOS or EFI to determine if it is vulnerable to modification and updating firmware can mitigate risks of exploitation and/or abuse."}, {"divider": true}, {"name": "control", "value": "DE.CM-09.02"}, {"name": "comment", "value": "This diagnostic statement provides protection from Component Firmware through the implementation of integrity checking mechanisms. 
For example, integrity checking mechanisms to verify the operating system, software, firmware, and information integrity before loading it prevents abuse by a threat actor."}, {"divider": true}, {"name": "control", "value": "DE.CM-09.03"}, {"name": "comment", "value": "This Diagnostic Statement addresses measures for managing configuration integrity and unauthorized changes that can mitigate risks associated with adversary techniques attempting to make changes to how the hardware, software, and firmware operates."}, {"divider": true}, {"name": "control", "value": "EX.DD-04.01"}, {"name": "comment", "value": "This diagnostic statement describes the organization's formal process for evaluating externally-sourced applications, software, and firmware by assessing compatibility, security, integrity, and authenticity before deployment and after major changes. For example, requiring software from external vendors to be signed with valid certificates before deployment to aid in mitigating software supply chain attacks."}]}, {"techniqueID": "T1137.001", "score": 1, "comment": " Related to: \n \u2022PR.PS-05.02", "metadata": [{"divider": true}, {"name": "control", "value": "PR.PS-05.02"}, {"name": "comment", "value": "Mobile code procedures address specific actions taken to prevent the development, acquisition, and introduction of unacceptable mobile code within organizational systems, including requiring mobile code to be digitally signed by a trusted source."}]}, {"techniqueID": "T1137.002", "score": 4, "comment": " Related to: \n \u2022PR.PS-01.03\n\u2022PR.PS-05.02\n\u2022PR.PS-01.01\n\u2022PR.PS-01.02", "metadata": [{"divider": true}, {"name": "control", "value": "PR.PS-05.02"}, {"name": "comment", "value": "Mobile code procedures address specific actions taken to prevent the development, acquisition, and introduction of unacceptable mobile code within organizational systems, including requiring mobile code to be digitally signed by a trusted source."}, {"divider": 
true}, {"name": "control", "value": "PR.PS-01.01"}, {"name": "comment", "value": "This diagnostic statement provides for securely configuring production systems. This includes hardening default configurations and making security-focused setting adjustments to reduce the attack surface, enforce best practices, and protect sensitive data thereby mitigating adversary exploitation."}, {"divider": true}, {"name": "control", "value": "PR.PS-01.02"}, {"name": "comment", "value": "This diagnostic statement provides for limiting unnecessary software, services, ports, protocols, etc. Ensuring systems only have installed and enabled what is essential for their operation reduces the attack surface and minimizes vulnerabilities, which mitigates a wide range of techniques."}, {"divider": true}, {"name": "control", "value": "PR.PS-01.03"}, {"name": "comment", "value": "This diagnostic statement provides protection from Office Test through the implementation of security configuration baselines for OS, software, file integrity monitoring and imaging. Security baselining and integrity checking can help protect against adversaries attempting to compromise and modify software and its configurations."}]}, {"techniqueID": "T1137.004", "score": 3, "comment": " Related to: \n \u2022PR.PS-02.01\n\u2022PR.PS-05.02\n\u2022PR.PS-06.06", "metadata": [{"divider": true}, {"name": "control", "value": "PR.PS-05.02"}, {"name": "comment", "value": "Mobile code procedures address specific actions taken to prevent the development, acquisition, and introduction of unacceptable mobile code within organizational systems, including requiring mobile code to be digitally signed by a trusted source."}, {"divider": true}, {"name": "control", "value": "PR.PS-02.01"}, {"name": "comment", "value": "This diagnostic statement is related to the implementation of a patch management program. 
Applying patches and upgrades for products and systems provided by vendors mitigates the risk of adversaries exploiting known vulnerabilities. For example, exploitation via Outlook Home Page can be prevented by applying Microsoft KB4011162 to systems, which removes the legacy Home Page feature."}, {"divider": true}, {"name": "control", "value": "PR.PS-06.06"}, {"name": "comment", "value": "This diagnostic statement provides for identifying and remediating vulnerabilities as part of the SDLC. Apply vendor security updates to mitigate risks of exploitation and/or abuse of Office mechanisms that can be used for persistence when an Office-based application is started. "}]}, {"techniqueID": "T1137.006", "score": 1, "comment": " Related to: \n \u2022PR.PS-05.02", "metadata": [{"divider": true}, {"name": "control", "value": "PR.PS-05.02"}, {"name": "comment", "value": "Mobile code procedures address specific actions taken to prevent the development, acquisition, and introduction of unacceptable mobile code within organizational systems, including requiring mobile code to be digitally signed by a trusted source."}]}, {"techniqueID": "T1055.001", "score": 1, "comment": " Related to: \n \u2022PR.PS-05.02", "metadata": [{"divider": true}, {"name": "control", "value": "PR.PS-05.02"}, {"name": "comment", "value": "Mobile code procedures address specific actions taken to prevent the development, acquisition, and introduction of unacceptable mobile code within organizational systems, including requiring mobile code to be digitally signed by a trusted source."}]}, {"techniqueID": "T1055.002", "score": 1, "comment": " Related to: \n \u2022PR.PS-05.02", "metadata": [{"divider": true}, {"name": "control", "value": "PR.PS-05.02"}, {"name": "comment", "value": "Mobile code procedures address specific actions taken to prevent the development, acquisition, and introduction of unacceptable mobile code within organizational systems, including requiring mobile code to be digitally signed by 
a trusted source."}]}, {"techniqueID": "T1055.003", "score": 1, "comment": " Related to: \n \u2022PR.PS-05.02", "metadata": [{"divider": true}, {"name": "control", "value": "PR.PS-05.02"}, {"name": "comment", "value": "Mobile code procedures address specific actions taken to prevent the development, acquisition, and introduction of unacceptable mobile code within organizational systems, including requiring mobile code to be digitally signed by a trusted source."}]}, {"techniqueID": "T1055.004", "score": 1, "comment": " Related to: \n \u2022PR.PS-05.02", "metadata": [{"divider": true}, {"name": "control", "value": "PR.PS-05.02"}, {"name": "comment", "value": "Mobile code procedures address specific actions taken to prevent the development, acquisition, and introduction of unacceptable mobile code within organizational systems, including requiring mobile code to be digitally signed by a trusted source."}]}, {"techniqueID": "T1055.005", "score": 1, "comment": " Related to: \n \u2022PR.PS-05.02", "metadata": [{"divider": true}, {"name": "control", "value": "PR.PS-05.02"}, {"name": "comment", "value": "Mobile code procedures address specific actions taken to prevent the development, acquisition, and introduction of unacceptable mobile code within organizational systems, including requiring mobile code to be digitally signed by a trusted source."}]}, {"techniqueID": "T1055.008", "score": 2, "comment": " Related to: \n \u2022PR.AA-05.02\n\u2022PR.PS-05.02", "metadata": [{"divider": true}, {"name": "control", "value": "PR.PS-05.02"}, {"name": "comment", "value": "Mobile code procedures address specific actions taken to prevent the development, acquisition, and introduction of unacceptable mobile code within organizational systems, including requiring mobile code to be digitally signed by a trusted source."}, {"divider": true}, {"name": "control", "value": "PR.AA-05.02"}, {"name": "comment", "value": "This diagnostic statement protects against Ptrace System Calls through 
the use of privileged account management and the use of multi-factor authentication."}]}, {"techniqueID": "T1055.009", "score": 1, "comment": " Related to: \n \u2022PR.PS-05.02", "metadata": [{"divider": true}, {"name": "control", "value": "PR.PS-05.02"}, {"name": "comment", "value": "Mobile code procedures address specific actions taken to prevent the development, acquisition, and introduction of unacceptable mobile code within organizational systems, including requiring mobile code to be digitally signed by a trusted source."}]}, {"techniqueID": "T1055", "score": 2, "comment": " Related to: \n \u2022PR.AA-05.02\n\u2022PR.PS-05.02", "metadata": [{"divider": true}, {"name": "control", "value": "PR.PS-05.02"}, {"name": "comment", "value": "Mobile code procedures address specific actions taken to prevent the development, acquisition, and introduction of unacceptable mobile code within organizational systems, including requiring mobile code to be digitally signed by a trusted source."}, {"divider": true}, {"name": "control", "value": "PR.AA-05.02"}, {"name": "comment", "value": "This diagnostic statement protects against Process Injection through the use of privileged account management and the use of multi-factor authentication."}]}, {"techniqueID": "T1055.012", "score": 1, "comment": " Related to: \n \u2022PR.PS-05.02", "metadata": [{"divider": true}, {"name": "control", "value": "PR.PS-05.02"}, {"name": "comment", "value": "Mobile code procedures address specific actions taken to prevent the development, acquisition, and introduction of unacceptable mobile code within organizational systems, including requiring mobile code to be digitally signed by a trusted source."}]}, {"techniqueID": "T1055.013", "score": 1, "comment": " Related to: \n \u2022PR.PS-05.02", "metadata": [{"divider": true}, {"name": "control", "value": "PR.PS-05.02"}, {"name": "comment", "value": "Mobile code procedures address specific actions taken to prevent the development, acquisition, and 
introduction of unacceptable mobile code within organizational systems, including requiring mobile code to be digitally signed by a trusted source."}]}, {"techniqueID": "T1055.014", "score": 1, "comment": " Related to: \n \u2022PR.PS-05.02", "metadata": [{"divider": true}, {"name": "control", "value": "PR.PS-05.02"}, {"name": "comment", "value": "Mobile code procedures address specific actions taken to prevent the development, acquisition, and introduction of unacceptable mobile code within organizational systems, including requiring mobile code to be digitally signed by a trusted source."}]}, {"techniqueID": "T1053", "score": 6, "comment": " Related to: \n \u2022PR.PS-01.01\n\u2022DE.CM-03.03\n\u2022PR.AA-01.01\n\u2022PR.PS-01.02\n\u2022PR.AA-05.02\n\u2022PR.PS-01.03", "metadata": [{"divider": true}, {"name": "control", "value": "PR.PS-01.01"}, {"name": "comment", "value": "This diagnostic statement provides for securely configuring production systems. This includes hardening default configurations and making security-focused setting adjustments to reduce the attack surface, enforce best practices, and protect sensitive data thereby mitigating adversary exploitation."}, {"divider": true}, {"name": "control", "value": "PR.PS-01.02"}, {"name": "comment", "value": "This diagnostic statement provides for limiting unnecessary software, services, ports, protocols, etc. 
Ensuring systems only have installed and enabled what is essential for their operation reduces the attack surface and minimizes vulnerabilities, which mitigates a wide range of techniques."}, {"divider": true}, {"name": "control", "value": "PR.AA-05.02"}, {"name": "comment", "value": "This diagnostic statement protects against Scheduled Task/Job through the use of privileged account management and the use of multi-factor authentication."}, {"divider": true}, {"name": "control", "value": "PR.PS-01.03"}, {"name": "comment", "value": "This diagnostic statement provides protection from Scheduled Task/Job through the implementation of security configuration baselines for OS, software, file integrity monitoring and imaging. Security baseline configuration of the Operating System including running of scheduled tasks as authenticated user instead of SYSTEM and integrity checking can help protect against adversaries attempting to compromise and modify software and its configurations."}, {"divider": true}, {"name": "control", "value": "DE.CM-03.03"}, {"name": "comment", "value": "This diagnostic statement implements mechanisms and tools to mitigate potential misuse of privileged users and accounts. 
Continuous monitoring of role and attribute assignments and activity is essential to prevent and detect unauthorized access or misuse."}, {"divider": true}, {"name": "control", "value": "PR.AA-01.01"}, {"name": "comment", "value": "This diagnostic statement protects against Scheduled Task/Job through the use of hardened access control policies, secure defaults, password complexity requirements, multifactor authentication requirements, and removal of terminated accounts."}]}, {"techniqueID": "T1552.003", "score": 3, "comment": " Related to: \n \u2022PR.PS-01.03\n\u2022PR.PS-01.01\n\u2022PR.PS-01.02", "metadata": [{"divider": true}, {"name": "control", "value": "PR.PS-01.01"}, {"name": "comment", "value": "This diagnostic statement provides for securely configuring production systems. This includes hardening default configurations and making security-focused setting adjustments to reduce the attack surface, enforce best practices, and protect sensitive data thereby mitigating adversary exploitation."}, {"divider": true}, {"name": "control", "value": "PR.PS-01.02"}, {"name": "comment", "value": "This diagnostic statement provides for limiting unnecessary software, services, ports, protocols, etc. Ensuring systems only have installed and enabled what is essential for their operation reduces the attack surface and minimizes vulnerabilities, which mitigates a wide range of techniques."}, {"divider": true}, {"name": "control", "value": "PR.PS-01.03"}, {"name": "comment", "value": "This diagnostic statement provides protection from Unsecured Credentials: Bash History through the implementation of security configuration baselines for OS, software, file integrity monitoring and imaging. 
Security baseline configuration of the Operating System and integrity checking can help protect against adversaries attempting to compromise and elevate privileges."}]}, {"techniqueID": "T1003.002", "score": 5, "comment": " Related to: \n \u2022DE.CM-06.02\n\u2022PR.PS-01.01\n\u2022PR.AA-01.01\n\u2022PR.PS-01.02\n\u2022PR.PS-01.03", "metadata": [{"divider": true}, {"name": "control", "value": "PR.PS-01.01"}, {"name": "comment", "value": "This diagnostic statement provides for securely configuring production systems. This includes hardening default configurations and making security-focused setting adjustments to reduce the attack surface, enforce best practices, and protect sensitive data thereby mitigating adversary exploitation."}, {"divider": true}, {"name": "control", "value": "PR.PS-01.02"}, {"name": "comment", "value": "This diagnostic statement provides for limiting unnecessary software, services, ports, protocols, etc. Ensuring systems only have installed and enabled what is essential for their operation reduces the attack surface and minimizes vulnerabilities, which mitigates a wide range of techniques."}, {"divider": true}, {"name": "control", "value": "DE.CM-06.02"}, {"name": "comment", "value": "This diagnostic statement protects against Security Account Manager through the use of privileged account management. Employing auditing, privilege access management, and just in time access protects against adversaries trying to obtain illicit access to critical systems."}, {"divider": true}, {"name": "control", "value": "PR.PS-01.03"}, {"name": "comment", "value": "This diagnostic statement provides protection from OS Credential Dumping: Security Account Manager through the implementation of security configuration baselines for OS, software, file integrity monitoring and imaging. 
Security baseline configuration of the Operating System and integrity checking can help protect against adversaries attempting to compromise and elevate privileges."}, {"divider": true}, {"name": "control", "value": "PR.AA-01.01"}, {"name": "comment", "value": "This diagnostic statement protects against Security Account Manager through the use of hardened access control policies, secure defaults, password complexity requirements, multifactor authentication requirements, and removal of terminated accounts."}]}, {"techniqueID": "T1003.005", "score": 5, "comment": " Related to: \n \u2022DE.CM-06.02\n\u2022PR.PS-01.01\n\u2022PR.AA-01.01\n\u2022PR.PS-01.02\n\u2022PR.PS-01.03", "metadata": [{"divider": true}, {"name": "control", "value": "PR.PS-01.01"}, {"name": "comment", "value": "This diagnostic statement provides for securely configuring production systems. This includes hardening default configurations and making security-focused setting adjustments to reduce the attack surface, enforce best practices, and protect sensitive data thereby mitigating adversary exploitation."}, {"divider": true}, {"name": "control", "value": "PR.PS-01.02"}, {"name": "comment", "value": "This diagnostic statement provides for limiting unnecessary software, services, ports, protocols, etc. Ensuring systems only have installed and enabled what is essential for their operation reduces the attack surface and minimizes vulnerabilities, which mitigates a wide range of techniques."}, {"divider": true}, {"name": "control", "value": "DE.CM-06.02"}, {"name": "comment", "value": "This diagnostic statement protects against Cached Domain Credentials through the use of privileged account management. 
Employing auditing, privilege access management, and just in time access protects against adversaries trying to obtain illicit access to critical systems."}, {"divider": true}, {"name": "control", "value": "PR.PS-01.03"}, {"name": "comment", "value": "This diagnostic statement provides protection from OS Credential Dumping: Cached Domain Credentials through the implementation of security configuration baselines for OS, software, file integrity monitoring and imaging. Security baseline configuration of the Operating System and integrity checking can help protect against adversaries attempting to compromise and elevate privileges."}, {"divider": true}, {"name": "control", "value": "PR.AA-01.01"}, {"name": "comment", "value": "This diagnostic statement protects against Cached Domain Credentials through the use of hardened access control policies, secure defaults, password complexity requirements, multifactor authentication requirements, and removal of terminated accounts."}]}, {"techniqueID": "T1563.002", "score": 13, "comment": " Related to: \n \u2022DE.CM-06.02\n\u2022PR.PS-01.01\n\u2022PR.IR-01.06\n\u2022PR.AA-01.01\n\u2022PR.IR-01.01\n\u2022PR.IR-01.03\n\u2022PR.IR-01.05\n\u2022PR.IR-01.02\n\u2022PR.AA-05.03\n\u2022PR.PS-01.02\n\u2022PR.AA-05.02\n\u2022PR.PS-01.03\n\u2022PR.PS-01.08", "metadata": [{"divider": true}, {"name": "control", "value": "PR.PS-01.01"}, {"name": "comment", "value": "This diagnostic statement provides for securely configuring production systems. This includes hardening default configurations and making security-focused setting adjustments to reduce the attack surface, enforce best practices, and protect sensitive data thereby mitigating adversary exploitation."}, {"divider": true}, {"name": "control", "value": "PR.PS-01.02"}, {"name": "comment", "value": "This diagnostic statement provides for limiting unnecessary software, services, ports, protocols, etc. 
Ensuring systems only have installed and enabled what is essential for their operation reduces the attack surface and minimizes vulnerabilities, which mitigates a wide range of techniques."}, {"divider": true}, {"name": "control", "value": "PR.AA-05.03"}, {"name": "comment", "value": "This diagnostic statement is for the implementation of security controls for service accounts (i.e., accounts used by systems to access other systems), such as granting service accounts only the minimum necessary permissions."}, {"divider": true}, {"name": "control", "value": "PR.AA-05.02"}, {"name": "comment", "value": "This diagnostic statement protects against RDP Hijacking through the use of privileged account management and the use of multi-factor authentication."}, {"divider": true}, {"name": "control", "value": "DE.CM-06.02"}, {"name": "comment", "value": "This diagnostic statement protects against RDP Hijacking through the use of privileged account management. Employing auditing, privilege access management, and just in time access protects against adversaries trying to obtain illicit access to critical systems."}, {"divider": true}, {"name": "control", "value": "PR.PS-01.03"}, {"name": "comment", "value": "This diagnostic statement provides protection from Remote Service Session Hijacking: RDP Hijacking through the implementation of security configuration baselines for OS, software, file integrity monitoring and imaging. Security baseline configuration of the Operating System and integrity checking can help protect against adversaries attempting to compromise and modify software and its configurations."}, {"divider": true}, {"name": "control", "value": "PR.IR-01.01"}, {"name": "comment", "value": "This diagnostic statement is for the implementation of network segmentation which helps prevent access to critical systems and sensitive information. 
Blocking network traffic that is not necessary can mitigate, or at least alleviate, use of remote desktop to move laterally in an environment."}, {"divider": true}, {"name": "control", "value": "PR.IR-01.02"}, {"name": "comment", "value": "This diagnostic statement provides protection through secure network device configurations (e.g., firewall rules, ports, and protocols) aligned to security baselines. Using network appliances to limit access can prevent RDP hijacking."}, {"divider": true}, {"name": "control", "value": "PR.IR-01.03"}, {"name": "comment", "value": "This diagnostic statement protects against RDP Hijacking through the use of secure network configurations, architecture, implementations of zero trust architecture, and segmentation."}, {"divider": true}, {"name": "control", "value": "PR.IR-01.05"}, {"name": "comment", "value": "This diagnostic statement implements security controls and restrictions for remote user access to systems. Remote user access control involves managing and securing how users remotely access systems, such as through encrypted connections and account use policies, which help prevent adversary access."}, {"divider": true}, {"name": "control", "value": "PR.IR-01.06"}, {"name": "comment", "value": "This diagnostic statement provides protections for production environments. 
Measures such as network segmentation and access control reduce the attack surface, restrict movement by adversaries, and protect critical assets and data from compromise."}, {"divider": true}, {"name": "control", "value": "PR.AA-01.01"}, {"name": "comment", "value": "This diagnostic statement protects against RDP Hijacking through the use of hardened access control policies, secure defaults, password complexity requirements, multifactor authentication requirements, and removal of terminated accounts."}, {"divider": true}, {"name": "control", "value": "PR.PS-01.08"}, {"name": "comment", "value": "This diagnostic statement protects against RDP Hijacking through the use of limiting access to resources to only authorized devices, management of personal computing devices, network intrusion prevention, and the use of antimalware."}]}, {"techniqueID": "T1053.002", "score": 6, "comment": " Related to: \n \u2022PR.PS-01.01\n\u2022DE.CM-03.03\n\u2022PR.AA-01.01\n\u2022PR.PS-01.02\n\u2022PR.AA-05.02\n\u2022PR.PS-01.03", "metadata": [{"divider": true}, {"name": "control", "value": "PR.PS-01.01"}, {"name": "comment", "value": "This diagnostic statement provides for securely configuring production systems. This includes hardening default configurations and making security-focused setting adjustments to reduce the attack surface, enforce best practices, and protect sensitive data thereby mitigating adversary exploitation."}, {"divider": true}, {"name": "control", "value": "PR.PS-01.02"}, {"name": "comment", "value": "This diagnostic statement provides for limiting unnecessary software, services, ports, protocols, etc. 
Ensuring systems only have installed and enabled what is essential for their operation reduces the attack surface and minimizes vulnerabilities, which mitigates a wide range of techniques."}, {"divider": true}, {"name": "control", "value": "PR.AA-05.02"}, {"name": "comment", "value": "This diagnostic statement protects against At through the use of privileged account management and the use of multi-factor authentication."}, {"divider": true}, {"name": "control", "value": "PR.PS-01.03"}, {"name": "comment", "value": "This diagnostic statement provides protection from Scheduled Task/Job: At through the implementation of security configuration baselines for OS, software, file integrity monitoring and imaging. Security baseline configuration of the Operating System including running of scheduled tasks as authenticated user instead of SYSTEM and integrity checking can help protect against adversaries attempting to compromise and modify software and its configurations."}, {"divider": true}, {"name": "control", "value": "DE.CM-03.03"}, {"name": "comment", "value": "This diagnostic statement implements mechanisms and tools to mitigate potential misuse of privileged users and accounts. 
Continuous monitoring of role and attribute assignments and activity is essential to prevent and detect unauthorized access or misuse."}, {"divider": true}, {"name": "control", "value": "PR.AA-01.01"}, {"name": "comment", "value": "This diagnostic statement protects against At through the use of hardened access control policies, secure defaults, password complexity requirements, multifactor authentication requirements, and removal of terminated accounts."}]}, {"techniqueID": "T1053.005", "score": 6, "comment": " Related to: \n \u2022PR.PS-01.01\n\u2022DE.CM-03.03\n\u2022PR.AA-01.01\n\u2022PR.PS-01.02\n\u2022PR.AA-05.02\n\u2022PR.PS-01.03", "metadata": [{"divider": true}, {"name": "control", "value": "PR.PS-01.01"}, {"name": "comment", "value": "This diagnostic statement provides for securely configuring production systems. This includes hardening default configurations and making security-focused setting adjustments to reduce the attack surface, enforce best practices, and protect sensitive data thereby mitigating adversary exploitation."}, {"divider": true}, {"name": "control", "value": "PR.PS-01.02"}, {"name": "comment", "value": "This diagnostic statement provides for limiting unnecessary software, services, ports, protocols, etc. Ensuring systems only have installed and enabled what is essential for their operation reduces the attack surface and minimizes vulnerabilities, which mitigates a wide range of techniques."}, {"divider": true}, {"name": "control", "value": "PR.AA-05.02"}, {"name": "comment", "value": "This diagnostic statement protects against Scheduled Task through the use of privileged account management and the use of multi-factor authentication."}, {"divider": true}, {"name": "control", "value": "PR.PS-01.03"}, {"name": "comment", "value": "This diagnostic statement provides protection from Scheduled Task/Job: Scheduled Task through the implementation of security configuration baselines for OS, software, file integrity monitoring and imaging. 
Security baseline configuration of the Operating System including running of scheduled tasks as authenticated user instead of SYSTEM and integrity checking can help protect against adversaries attempting to compromise and modify software and its configurations."}, {"divider": true}, {"name": "control", "value": "DE.CM-03.03"}, {"name": "comment", "value": "This diagnostic statement implements mechanisms and tools to mitigate potential misuse of privileged users and accounts. Continuous monitoring of role and attribute assignments and activity is essential to prevent and detect unauthorized access or misuse."}, {"divider": true}, {"name": "control", "value": "PR.AA-01.01"}, {"name": "comment", "value": "This diagnostic statement protects against Scheduled Task through the use of hardened access control policies, secure defaults, password complexity requirements, multifactor authentication requirements, and removal of terminated accounts."}]}, {"techniqueID": "T1562.003", "score": 3, "comment": " Related to: \n \u2022PR.PS-01.03\n\u2022PR.PS-01.01\n\u2022PR.PS-01.02", "metadata": [{"divider": true}, {"name": "control", "value": "PR.PS-01.01"}, {"name": "comment", "value": "This diagnostic statement provides for securely configuring production systems. This includes hardening default configurations and making security-focused setting adjustments to reduce the attack surface, enforce best practices, and protect sensitive data thereby mitigating adversary exploitation."}, {"divider": true}, {"name": "control", "value": "PR.PS-01.02"}, {"name": "comment", "value": "This diagnostic statement provides for limiting unnecessary software, services, ports, protocols, etc. 
Ensuring systems only have installed and enabled what is essential for their operation reduces the attack surface and minimizes vulnerabilities, which mitigates a wide range of techniques."}, {"divider": true}, {"name": "control", "value": "PR.PS-01.03"}, {"name": "comment", "value": "This diagnostic statement provides protection from Impair Defenses: Impair Command History Logging through the implementation of security configuration baselines for OS, software, file integrity monitoring and imaging. Security baseline configuration of the Operating System and integrity checking can help protect against adversaries attempting to compromise and modify software and its configurations."}]}, {"techniqueID": "T1490", "score": 7, "comment": " Related to: \n \u2022PR.IR-03.01\n\u2022PR.DS-11.01\n\u2022PR.PS-01.01\n\u2022ID.IM-02.06\n\u2022PR.AA-01.01\n\u2022PR.PS-01.02\n\u2022PR.PS-01.03", "metadata": [{"divider": true}, {"name": "control", "value": "PR.PS-01.01"}, {"name": "comment", "value": "This diagnostic statement provides for securely configuring production systems. This includes hardening default configurations and making security-focused setting adjustments to reduce the attack surface, enforce best practices, and protect sensitive data thereby mitigating adversary exploitation."}, {"divider": true}, {"name": "control", "value": "PR.PS-01.02"}, {"name": "comment", "value": "This diagnostic statement provides for limiting unnecessary software, services, ports, protocols, etc. 
Ensuring systems only have installed and enabled what is essential for their operation reduces the attack surface and minimizes vulnerabilities, which mitigates a wide range of techniques."}, {"divider": true}, {"name": "control", "value": "PR.IR-03.01"}, {"name": "comment", "value": "This diagnostic statement protects against Inhibit System Recovery through the use of failsafes, backup facilities, disaster recovery, and resilience strategies including resumption of critical services."}, {"divider": true}, {"name": "control", "value": "PR.DS-11.01"}, {"name": "comment", "value": "This diagnostic statement provides protection from adversaries that try to remove built-in data and/or turn off services that are used to help with the recovery of corrupted systems. Ensuring backups are stored off system and are protected from common methods adversaries may use to gain access and destroy them is a way to deny adversaries the ability to eliminate available backup and recovery options."}, {"divider": true}, {"name": "control", "value": "PR.PS-01.03"}, {"name": "comment", "value": "This diagnostic statement provides protection from Inhibit System Recovery through the implementation of security configuration baselines for OS, software, file integrity monitoring and imaging. 
Security baseline configuration of the Operating System and integrity checking can help protect against adversaries attempting to compromise and modify software and its configurations."}, {"divider": true}, {"name": "control", "value": "ID.IM-02.06"}, {"name": "comment", "value": "This diagnostic statement emphasizes the facilitation of data recovery through the implementation of robust data backup strategies, comprehensive disaster recovery plans, and effective business continuity frameworks, specifically designed to address scenarios in which adversaries may attempt to hinder the recovery of a compromised system."}, {"divider": true}, {"name": "control", "value": "PR.AA-01.01"}, {"name": "comment", "value": "This diagnostic statement protects against Inhibit System Recovery through the use of hardened access control policies, secure defaults, password complexity requirements, multifactor authentication requirements, and removal of terminated accounts."}]}, {"techniqueID": "T1036.007", "score": 3, "comment": " Related to: \n \u2022PR.PS-01.03\n\u2022PR.PS-01.01\n\u2022PR.PS-01.02", "metadata": [{"divider": true}, {"name": "control", "value": "PR.PS-01.01"}, {"name": "comment", "value": "This diagnostic statement provides for securely configuring production systems. This includes hardening default configurations and making security-focused setting adjustments to reduce the attack surface, enforce best practices, and protect sensitive data thereby mitigating adversary exploitation."}, {"divider": true}, {"name": "control", "value": "PR.PS-01.02"}, {"name": "comment", "value": "This diagnostic statement provides for limiting unnecessary software, services, ports, protocols, etc. 
Ensuring systems only have installed and enabled what is essential for their operation reduces the attack surface and minimizes vulnerabilities, which mitigates a wide range of techniques."}, {"divider": true}, {"name": "control", "value": "PR.PS-01.03"}, {"name": "comment", "value": "This diagnostic statement provides protection from Masquerading: Double File Extension through the implementation of security configuration baselines for OS, software, file integrity monitoring and imaging. Security baseline configuration of the Operating System and integrity checking can help protect against adversaries attempting to compromise and modify software and its configurations."}]}, {"techniqueID": "T1556", "score": 14, "comment": " Related to: \n \u2022DE.CM-09.03\n\u2022DE.CM-06.02\n\u2022PR.PS-01.07\n\u2022PR.PS-01.01\n\u2022DE.CM-03.03\n\u2022DE.CM-09.01\n\u2022PR.AA-01.01\n\u2022PR.AA-02.01\n\u2022PR.IR-01.05\n\u2022PR.AA-03.01\n\u2022PR.AA-01.02\n\u2022PR.PS-01.02\n\u2022PR.AA-05.02\n\u2022PR.PS-01.03", "metadata": [{"divider": true}, {"name": "control", "value": "PR.PS-01.01"}, {"name": "comment", "value": "This diagnostic statement provides for securely configuring production systems. This includes hardening default configurations and making security-focused setting adjustments to reduce the attack surface, enforce best practices, and protect sensitive data thereby mitigating adversary exploitation."}, {"divider": true}, {"name": "control", "value": "PR.PS-01.02"}, {"name": "comment", "value": "This diagnostic statement provides for limiting unnecessary software, services, ports, protocols, etc. 
Ensuring systems only have installed and enabled what is essential for their operation reduces the attack surface and minimizes vulnerabilities, which mitigates a wide range of techniques."}, {"divider": true}, {"name": "control", "value": "PR.AA-05.02"}, {"name": "comment", "value": "This diagnostic statement protects against Modify Authentication Process through the use of privileged account management and the use of multi-factor authentication."}, {"divider": true}, {"name": "control", "value": "DE.CM-09.01"}, {"name": "comment", "value": "This diagnostic statement protects against Modify Authentication Process through the use of verifying integrity of software/firmware, loading software that is trusted, ensuring privileged process integrity and checking software signatures."}, {"divider": true}, {"name": "control", "value": "DE.CM-06.02"}, {"name": "comment", "value": "This diagnostic statement protects against Modify Authentication Process through the use of privileged account management. Employing auditing, privilege access management, and just in time access protects against adversaries trying to obtain illicit access to critical systems."}, {"divider": true}, {"name": "control", "value": "PR.AA-02.01"}, {"name": "comment", "value": "This diagnostic statement provides protection from Modify Authentication Process through the implementation of privileged account management controls to limit credential access. 
Employing limitations to specific accounts, access control mechanisms, and auditing the attribution logs provides protection against adversaries attempting to modify credentials."}, {"divider": true}, {"name": "control", "value": "DE.CM-09.03"}, {"name": "comment", "value": "This Diagnostic Statement addresses measures for managing configuration integrity and unauthorized changes that can mitigate risks associated with adversary techniques attempting to make changes to how the hardware, software, and firmware operates."}, {"divider": true}, {"name": "control", "value": "PR.PS-01.03"}, {"name": "comment", "value": "This diagnostic statement provides protection from Modify Authentication Process through the implementation of security configuration baselines for OS, software, file integrity monitoring and imaging. Security baseline configuration of the Operating System (including only allowing valid DLLs, secure policies) and integrity checking can help protect against adversaries attempting to compromise and modify software and its configurations."}, {"divider": true}, {"name": "control", "value": "PR.PS-01.07"}, {"name": "comment", "value": "This diagnostic statement protects against Modify Authentication Process through the use of revocation of keys and key management. Employing key protection strategies and key management for key material used in identity management and authentication processes, limitations to specific accounts along with access control mechanisms provides protection against adversaries attempting to modify authentication processes."}, {"divider": true}, {"name": "control", "value": "DE.CM-03.03"}, {"name": "comment", "value": "This diagnostic statement implements mechanisms and tools to mitigate potential misuse of privileged users and accounts. 
Continuous monitoring of role and attribute assignments and activity is essential to prevent and detect unauthorized access or misuse."}, {"divider": true}, {"name": "control", "value": "PR.AA-01.02"}, {"name": "comment", "value": "This diagnostic statement describes how the organization ensures users are identified and authenticated before accessing systems, applications, and hardware, with logical access controls permitting access only to authorized individuals with legitimate business needs. Logical access controls in relation to systems can refer to the use of MFA, user account management, and other role-based access control mechanisms to enforce policies for authentication and authorization of user accounts."}, {"divider": true}, {"name": "control", "value": "PR.AA-03.01"}, {"name": "comment", "value": "This diagnostic statement describes how the organization implements appropriate authentication requirements, including selecting mechanisms based on risk, utilizing multi-factor authentication where necessary, and safeguarding the storage of authenticators like PINs and passwords to protect sensitive access credentials."}, {"divider": true}, {"name": "control", "value": "PR.IR-01.05"}, {"name": "comment", "value": "This diagnostic statement implements security controls and restrictions for remote user access to systems. 
Remote user access control involves managing and securing how users remotely access systems, such as through encrypted connections and account use policies, which help prevent adversary access."}, {"divider": true}, {"name": "control", "value": "PR.AA-01.01"}, {"name": "comment", "value": "This diagnostic statement protects against Modify Authentication Process through the use of hardened access control policies, secure defaults, password complexity requirements, multifactor authentication requirements, and removal of terminated accounts."}]}, {"techniqueID": "T1556.002", "score": 3, "comment": " Related to: \n \u2022PR.PS-01.03\n\u2022PR.PS-01.01\n\u2022PR.PS-01.02", "metadata": [{"divider": true}, {"name": "control", "value": "PR.PS-01.01"}, {"name": "comment", "value": "This diagnostic statement provides for securely configuring production systems. This includes hardening default configurations and making security-focused setting adjustments to reduce the attack surface, enforce best practices, and protect sensitive data thereby mitigating adversary exploitation."}, {"divider": true}, {"name": "control", "value": "PR.PS-01.02"}, {"name": "comment", "value": "This diagnostic statement provides for limiting unnecessary software, services, ports, protocols, etc. Ensuring systems only have installed and enabled what is essential for their operation reduces the attack surface and minimizes vulnerabilities, which mitigates a wide range of techniques."}, {"divider": true}, {"name": "control", "value": "PR.PS-01.03"}, {"name": "comment", "value": "This diagnostic statement provides protection from Modify Authentication Process: Password Filter DLL through the implementation of security configuration baselines for OS, software, file integrity monitoring and imaging. 
Security baseline configuration of the Operating System (including only allowing valid DLLs, secure policies) and integrity checking can help protect against adversaries attempting to compromise and modify software and its configurations."}]}, {"techniqueID": "T1556.008", "score": 3, "comment": " Related to: \n \u2022PR.PS-01.03\n\u2022PR.PS-01.01\n\u2022PR.PS-01.02", "metadata": [{"divider": true}, {"name": "control", "value": "PR.PS-01.01"}, {"name": "comment", "value": "This diagnostic statement provides for securely configuring production systems. This includes hardening default configurations and making security-focused setting adjustments to reduce the attack surface, enforce best practices, and protect sensitive data thereby mitigating adversary exploitation."}, {"divider": true}, {"name": "control", "value": "PR.PS-01.02"}, {"name": "comment", "value": "This diagnostic statement provides for limiting unnecessary software, services, ports, protocols, etc. Ensuring systems only have installed and enabled what is essential for their operation reduces the attack surface and minimizes vulnerabilities, which mitigates a wide range of techniques."}, {"divider": true}, {"name": "control", "value": "PR.PS-01.03"}, {"name": "comment", "value": "This diagnostic statement provides protection from Modify Authentication Process: Network Provider DLL through the implementation of security configuration baselines for OS, software, file integrity monitoring and imaging. 
Security baseline configuration of the Operating System (including only allowing valid DLLs, secure policies) and integrity checking can help protect against adversaries attempting to compromise and modify software and its configurations."}]}, {"techniqueID": "T1135", "score": 3, "comment": " Related to: \n \u2022PR.PS-01.03\n\u2022PR.PS-01.01\n\u2022PR.PS-01.02", "metadata": [{"divider": true}, {"name": "control", "value": "PR.PS-01.01"}, {"name": "comment", "value": "This diagnostic statement provides for securely configuring production systems. This includes hardening default configurations and making security-focused setting adjustments to reduce the attack surface, enforce best practices, and protect sensitive data thereby mitigating adversary exploitation."}, {"divider": true}, {"name": "control", "value": "PR.PS-01.02"}, {"name": "comment", "value": "This diagnostic statement provides for limiting unnecessary software, services, ports, protocols, etc. Ensuring systems only have installed and enabled what is essential for their operation reduces the attack surface and minimizes vulnerabilities, which mitigates a wide range of techniques."}, {"divider": true}, {"name": "control", "value": "PR.PS-01.03"}, {"name": "comment", "value": "This diagnostic statement provides protection from Network Share Discovery through the implementation of security configuration baselines for OS, software, file integrity monitoring and imaging. 
Security baseline configuration of the Operating System and integrity checking can help protect against adversaries attempting to compromise and modify software and its configurations."}]}, {"techniqueID": "T1003", "score": 11, "comment": " Related to: \n \u2022ID.AM-08.05\n\u2022DE.CM-06.02\n\u2022PR.PS-01.07\n\u2022ID.AM-08.03\n\u2022PR.PS-01.01\n\u2022DE.CM-09.01\n\u2022PR.AA-01.01\n\u2022PR.AA-03.01\n\u2022PR.AA-01.02\n\u2022PR.PS-01.02\n\u2022PR.PS-01.03", "metadata": [{"divider": true}, {"name": "control", "value": "PR.PS-01.01"}, {"name": "comment", "value": "This diagnostic statement provides for securely configuring production systems. This includes hardening default configurations and making security-focused setting adjustments to reduce the attack surface, enforce best practices, and protect sensitive data thereby mitigating adversary exploitation."}, {"divider": true}, {"name": "control", "value": "PR.PS-01.02"}, {"name": "comment", "value": "This diagnostic statement provides for limiting unnecessary software, services, ports, protocols, etc. Ensuring systems only have installed and enabled what is essential for their operation reduces the attack surface and minimizes vulnerabilities, which mitigates a wide range of techniques."}, {"divider": true}, {"name": "control", "value": "DE.CM-09.01"}, {"name": "comment", "value": "This diagnostic statement protects against OS Credential Dumping through the use of verifying integrity of software/firmware, loading software that is trusted, ensuring privileged process integrity and checking software signatures."}, {"divider": true}, {"name": "control", "value": "DE.CM-06.02"}, {"name": "comment", "value": "This diagnostic statement protects against OS Credential Dumping through the use of privileged account management. 
Employing auditing, privilege access management, and just in time access protects against adversaries trying to obtain illicit access to critical systems."}, {"divider": true}, {"name": "control", "value": "PR.PS-01.03"}, {"name": "comment", "value": "This diagnostic statement provides protection from OS Credential Dumping through the implementation of security configuration baselines for OS, software, file integrity monitoring and imaging. Security baseline configuration of the Operating System and integrity checking can help protect against adversaries attempting to compromise and elevate privileges."}, {"divider": true}, {"name": "control", "value": "PR.PS-01.07"}, {"name": "comment", "value": "This diagnostic statement protects against OS Credential Dumping through the use of revocation of keys and key management. Employing key protection strategies for key material used in protection of OS credential backups, limitations to specific accounts along with access control mechanisms provides protection against adversaries trying to obtain credentials from OS credential backups."}, {"divider": true}, {"name": "control", "value": "ID.AM-08.03"}, {"name": "comment", "value": "This diagnostic statement protects credential data and sensitive PII from being stolen from adversaries. There may be some similarities to NIST 800-53 SI-12 Information Management and Retention. This may provide mitigation of data access/exfiltration techniques."}, {"divider": true}, {"name": "control", "value": "PR.AA-01.02"}, {"name": "comment", "value": "This diagnostic statement describes how the organization ensures users are identified and authenticated before accessing systems, applications, and hardware, with logical access controls permitting access only to authorized individuals with legitimate business needs. 
Logical access controls in relation to systems can refer to the use of MFA, user account management, and other role-based access control mechanisms to enforce policies for authentication and authorization of user accounts."}, {"divider": true}, {"name": "control", "value": "PR.AA-03.01"}, {"name": "comment", "value": "This diagnostic statement describes how the organization implements appropriate authentication requirements, including selecting mechanisms based on risk, utilizing multi-factor authentication where necessary, and safeguarding the storage of authenticators like pins and passwords to protect sensitive access credentials."}, {"divider": true}, {"name": "control", "value": "ID.AM-08.05"}, {"name": "comment", "value": "This diagnostic statement protects credential data and sensitive PII from being stolen from adversaries. There may be some similarities to NIST 800-53 SI-12 Information Management and Retention. This may provide mitigation of data access/exfiltration techniques."}, {"divider": true}, {"name": "control", "value": "PR.AA-01.01"}, {"name": "comment", "value": "This diagnostic statement protects against OS Credential Dumping through the use of hardened access control policies, secure defaults, password complexity requirements, multifactor authentication requirements, and removal of terminated accounts."}]}, {"techniqueID": "T1003.001", "score": 8, "comment": " Related to: \n \u2022DE.CM-06.02\n\u2022PR.PS-01.07\n\u2022PR.PS-01.01\n\u2022DE.CM-09.01\n\u2022PR.AA-01.01\n\u2022PR.AA-03.01\n\u2022PR.PS-01.02\n\u2022PR.PS-01.03", "metadata": [{"divider": true}, {"name": "control", "value": "PR.PS-01.01"}, {"name": "comment", "value": "This diagnostic statement provides for securely configuring production systems. 
This includes hardening default configurations and making security-focused setting adjustments to reduce the attack surface, enforce best practices, and protect sensitive data thereby mitigating adversary exploitation."}, {"divider": true}, {"name": "control", "value": "PR.PS-01.02"}, {"name": "comment", "value": "This diagnostic statement provides for limiting unnecessary software, services, ports, protocols, etc. Ensuring systems only have installed and enabled what is essential for their operation reduces the attack surface and minimizes vulnerabilities, which mitigates a wide range of techniques."}, {"divider": true}, {"name": "control", "value": "DE.CM-09.01"}, {"name": "comment", "value": "This diagnostic statement protects against LSASS Memory through the use of verifying integrity of software/firmware, loading software that is trusted, ensuring privileged process integrity and checking software signatures."}, {"divider": true}, {"name": "control", "value": "DE.CM-06.02"}, {"name": "comment", "value": "This diagnostic statement protects against LSASS Memory through the use of privileged account management. Employing auditing, privilege access management, and just in time access protects against adversaries trying to obtain illicit access to critical systems."}, {"divider": true}, {"name": "control", "value": "PR.PS-01.03"}, {"name": "comment", "value": "This diagnostic statement provides protection from OS Credential Dumping: LSASS Memory through the implementation of security configuration baselines for OS, software, file integrity monitoring and imaging. Security baseline configuration of the Operating System and integrity checking can help protect against adversaries attempting to compromise and elevate privileges."}, {"divider": true}, {"name": "control", "value": "PR.PS-01.07"}, {"name": "comment", "value": "This diagnostic statement protects against OS Credential Dumping: LSASS Memory through the use of revocation of keys and key management. 
Employing key protection strategies for key material used for protecting integrity of boot firmware, system images, and using Hardware Security Modules such as TPMs to store those keys, along with use of Credential Guard provides protection against adversaries trying to perform OS Credential dumping of LSASS memory."}, {"divider": true}, {"name": "control", "value": "PR.AA-03.01"}, {"name": "comment", "value": "This diagnostic statement describes how the organization implements appropriate authentication requirements, including selecting mechanisms based on risk, utilizing multi-factor authentication where necessary, and safeguarding the storage of authenticators like pins and passwords to protect sensitive access credentials."}, {"divider": true}, {"name": "control", "value": "PR.AA-01.01"}, {"name": "comment", "value": "This diagnostic statement protects against LSASS Memory through the use of hardened access control policies, secure defaults, password complexity requirements, multifactor authentication requirements, and removal of terminated accounts."}]}, {"techniqueID": "T1197", "score": 8, "comment": " Related to: \n \u2022PR.PS-01.01\n\u2022PR.AA-01.01\n\u2022PR.IR-01.03\n\u2022PR.IR-01.02\n\u2022PR.AA-01.02\n\u2022PR.PS-01.02\n\u2022PR.PS-01.03\n\u2022PR.PS-01.08", "metadata": [{"divider": true}, {"name": "control", "value": "PR.PS-01.01"}, {"name": "comment", "value": "This diagnostic statement provides for securely configuring production systems. This includes hardening default configurations and making security-focused setting adjustments to reduce the attack surface, enforce best practices, and protect sensitive data thereby mitigating adversary exploitation."}, {"divider": true}, {"name": "control", "value": "PR.PS-01.02"}, {"name": "comment", "value": "This diagnostic statement provides for limiting unnecessary software, services, ports, protocols, etc. 
Ensuring systems only have installed and enabled what is essential for their operation reduces the attack surface and minimizes vulnerabilities, which mitigates a wide range of techniques."}, {"divider": true}, {"name": "control", "value": "PR.PS-01.03"}, {"name": "comment", "value": "This diagnostic statement provides protection from BITS Jobs through the implementation of security configuration baselines for OS, software, file integrity monitoring and imaging. Security baseline configuration of the Operating System and integrity checking can help protect against adversaries attempting to compromise and elevate privileges."}, {"divider": true}, {"name": "control", "value": "PR.AA-01.02"}, {"name": "comment", "value": "This diagnostic statement describes how the organization ensures users are identified and authenticated before accessing systems, applications, and hardware, with logical access controls permitting access only to authorized individuals with legitimate business needs. Logical access controls in relation to systems can refer to the use of MFA, user account management, and other role-based access control mechanisms to enforce policies for authentication and authorization of user accounts."}, {"divider": true}, {"name": "control", "value": "PR.IR-01.02"}, {"name": "comment", "value": "This diagnostic statement provides protection through secure network device configurations (e.g., firewall rules, ports, protocols) aligned to security baselines. 
Using network appliances to only allow legitimate BITS traffic can mitigate adversary abuse of BITS Jobs."}, {"divider": true}, {"name": "control", "value": "PR.IR-01.03"}, {"name": "comment", "value": "This diagnostic statement protects against BITS Jobs through the use of secure network configurations, architecture, implementations of zero trust architecture, and segmentation."}, {"divider": true}, {"name": "control", "value": "PR.AA-01.01"}, {"name": "comment", "value": "This diagnostic statement protects against BITS Jobs through the use of hardened access control policies, secure defaults, password complexity requirements, multifactor authentication requirements, and removal of terminated accounts."}, {"divider": true}, {"name": "control", "value": "PR.PS-01.08"}, {"name": "comment", "value": "This diagnostic statement protects against BITS Jobs through the use of limiting access to resources to only authorized devices, management of personal computing devices, network intrusion prevention, and the use of antimalware."}]}, {"techniqueID": "T1092", "score": 4, "comment": " Related to: \n \u2022PR.DS-01.03\n\u2022PR.PS-01.03\n\u2022PR.PS-01.01\n\u2022PR.PS-01.02", "metadata": [{"divider": true}, {"name": "control", "value": "PR.PS-01.01"}, {"name": "comment", "value": "This diagnostic statement provides for securely configuring production systems. This includes hardening default configurations and making security-focused setting adjustments to reduce the attack surface, enforce best practices, and protect sensitive data thereby mitigating adversary exploitation."}, {"divider": true}, {"name": "control", "value": "PR.PS-01.02"}, {"name": "comment", "value": "This diagnostic statement provides for limiting unnecessary software, services, ports, protocols, etc. 
Ensuring systems only have installed and enabled what is essential for their operation reduces the attack surface and minimizes vulnerabilities, which mitigates a wide range of techniques."}, {"divider": true}, {"name": "control", "value": "PR.DS-01.03"}, {"name": "comment", "value": "This diagnostic statement focuses on restricting the use of removable media devices (e.g., USB drives, CDs, DVDs) to prevent unauthorized access, data leakage, or malicious activity."}, {"divider": true}, {"name": "control", "value": "PR.PS-01.03"}, {"name": "comment", "value": "This diagnostic statement provides protection from Communication Through Removable Media through the implementation of security configuration baselines for OS, software, file integrity monitoring and imaging. Security baseline configuration of the Operating System and integrity checking can help protect against adversaries attempting to compromise and elevate privileges."}]}, {"techniqueID": "T1543.003", "score": 6, "comment": " Related to: \n \u2022PR.PS-01.01\n\u2022DE.CM-03.03\n\u2022DE.CM-09.01\n\u2022PR.AA-01.01\n\u2022PR.PS-01.02\n\u2022PR.PS-01.03", "metadata": [{"divider": true}, {"name": "control", "value": "PR.PS-01.01"}, {"name": "comment", "value": "This diagnostic statement provides for securely configuring production systems. This includes hardening default configurations and making security-focused setting adjustments to reduce the attack surface, enforce best practices, and protect sensitive data thereby mitigating adversary exploitation."}, {"divider": true}, {"name": "control", "value": "PR.PS-01.02"}, {"name": "comment", "value": "This diagnostic statement provides for limiting unnecessary software, services, ports, protocols, etc. 
Ensuring systems only have installed and enabled what is essential for their operation reduces the attack surface and minimizes vulnerabilities, which mitigates a wide range of techniques."}, {"divider": true}, {"name": "control", "value": "DE.CM-03.03"}, {"name": "comment", "value": "This diagnostic statement implements mechanisms and tools to mitigate potential misuse of privileged users and accounts. Continuous monitoring of role and attribute assignments and activity is essential to prevent and detect unauthorized access or misuse."}, {"divider": true}, {"name": "control", "value": "DE.CM-09.01"}, {"name": "comment", "value": "This diagnostic statement protects against Windows Service through the use of verifying integrity of software/firmware, loading software that is trusted, ensuring privileged process integrity and checking software signatures."}, {"divider": true}, {"name": "control", "value": "PR.PS-01.03"}, {"name": "comment", "value": "This diagnostic statement provides protection from Create or Modify System Process: Windows Service through the implementation of security configuration baselines for OS, software, file integrity monitoring and imaging. 
Security baselining and integrity checking can help protect against adversaries attempting to compromise and modify software and its configurations."}, {"divider": true}, {"name": "control", "value": "PR.AA-01.01"}, {"name": "comment", "value": "This diagnostic statement protects against Windows Service through the use of hardened access control policies, secure defaults, password complexity requirements, multifactor authentication requirements, and removal of terminated accounts."}]}, {"techniqueID": "T1546.008", "score": 6, "comment": " Related to: \n \u2022PR.PS-01.01\n\u2022PR.IR-01.06\n\u2022PR.IR-01.03\n\u2022PR.PS-01.02\n\u2022PR.PS-01.03\n\u2022PR.PS-01.08", "metadata": [{"divider": true}, {"name": "control", "value": "PR.PS-01.01"}, {"name": "comment", "value": "This diagnostic statement provides for securely configuring production systems. This includes hardening default configurations and making security-focused setting adjustments to reduce the attack surface, enforce best practices, and protect sensitive data thereby mitigating adversary exploitation."}, {"divider": true}, {"name": "control", "value": "PR.PS-01.02"}, {"name": "comment", "value": "This diagnostic statement provides for limiting unnecessary software, services, ports, protocols, etc. Ensuring systems only have installed and enabled what is essential for their operation reduces the attack surface and minimizes vulnerabilities, which mitigates a wide range of techniques."}, {"divider": true}, {"name": "control", "value": "PR.PS-01.03"}, {"name": "comment", "value": "This diagnostic statement provides protection from Accessibility Features through the implementation of security configuration baselines for OS, software, file integrity monitoring and imaging. 
Security baseline configuration of the Operating System and integrity checking can help protect against adversaries attempting to compromise and elevate privileges."}, {"divider": true}, {"name": "control", "value": "PR.IR-01.03"}, {"name": "comment", "value": "This diagnostic statement protects against Accessibility Features through the use of secure network configurations, architecture, implementations of zero trust architecture, and segmentation."}, {"divider": true}, {"name": "control", "value": "PR.IR-01.06"}, {"name": "comment", "value": "This diagnostic statement provides protections for production environments. Measures such as network segmentation and access control reduce the attack surface, restrict movement by adversaries, and protect critical assets and data from compromise."}, {"divider": true}, {"name": "control", "value": "PR.PS-01.08"}, {"name": "comment", "value": "This diagnostic statement protects against Accessibility Features through the use of limiting access to resources to only authorized devices, management of personal computing devices, network intrusion prevention, and the use of antimalware."}]}, {"techniqueID": "T1011", "score": 3, "comment": " Related to: \n \u2022PR.PS-01.03\n\u2022PR.PS-01.01\n\u2022PR.PS-01.02", "metadata": [{"divider": true}, {"name": "control", "value": "PR.PS-01.01"}, {"name": "comment", "value": "This diagnostic statement provides for securely configuring production systems. This includes hardening default configurations and making security-focused setting adjustments to reduce the attack surface, enforce best practices, and protect sensitive data thereby mitigating adversary exploitation."}, {"divider": true}, {"name": "control", "value": "PR.PS-01.02"}, {"name": "comment", "value": "This diagnostic statement provides for limiting unnecessary software, services, ports, protocols, etc. 
Ensuring systems only have installed and enabled what is essential for their operation reduces the attack surface and minimizes vulnerabilities, which mitigates a wide range of techniques."}, {"divider": true}, {"name": "control", "value": "PR.PS-01.03"}, {"name": "comment", "value": "This diagnostic statement provides protection from Exfiltration Over Other Network Medium through the implementation of security configuration baselines for OS, software, file integrity monitoring and imaging. Security baseline configuration of the Operating System and integrity checking can help protect against adversaries attempting to compromise and modify software and its configurations."}]}, {"techniqueID": "T1011.001", "score": 3, "comment": " Related to: \n \u2022PR.PS-01.03\n\u2022PR.PS-01.01\n\u2022PR.PS-01.02", "metadata": [{"divider": true}, {"name": "control", "value": "PR.PS-01.01"}, {"name": "comment", "value": "This diagnostic statement provides for securely configuring production systems. This includes hardening default configurations and making security-focused setting adjustments to reduce the attack surface, enforce best practices, and protect sensitive data thereby mitigating adversary exploitation."}, {"divider": true}, {"name": "control", "value": "PR.PS-01.02"}, {"name": "comment", "value": "This diagnostic statement provides for limiting unnecessary software, services, ports, protocols, etc. Ensuring systems only have installed and enabled what is essential for their operation reduces the attack surface and minimizes vulnerabilities, which mitigates a wide range of techniques."}, {"divider": true}, {"name": "control", "value": "PR.PS-01.03"}, {"name": "comment", "value": "This diagnostic statement provides protection from Exfiltration Over Other Network Medium: Exfiltration Over Bluetooth through the implementation of security configuration baselines for OS, software, file integrity monitoring and imaging. 
Security baseline configuration of the Operating System and integrity checking can help protect against adversaries attempting to compromise and modify software and its configurations."}]}, {"techniqueID": "T1564.002", "score": 3, "comment": " Related to: \n \u2022PR.PS-01.03\n\u2022PR.PS-01.01\n\u2022PR.PS-01.02", "metadata": [{"divider": true}, {"name": "control", "value": "PR.PS-01.01"}, {"name": "comment", "value": "This diagnostic statement provides for securely configuring production systems. This includes hardening default configurations and making security-focused setting adjustments to reduce the attack surface, enforce best practices, and protect sensitive data thereby mitigating adversary exploitation."}, {"divider": true}, {"name": "control", "value": "PR.PS-01.02"}, {"name": "comment", "value": "This diagnostic statement provides for limiting unnecessary software, services, ports, protocols, etc. Ensuring systems only have installed and enabled what is essential for their operation reduces the attack surface and minimizes vulnerabilities, which mitigates a wide range of techniques."}, {"divider": true}, {"name": "control", "value": "PR.PS-01.03"}, {"name": "comment", "value": "This diagnostic statement provides protection from Hide Artifacts: Hidden Users through the implementation of security configuration baselines for OS, software, file integrity monitoring and imaging. Security baseline configuration of the Operating System and integrity checking can help protect against adversaries attempting to compromise and modify software and its configurations."}]}, {"techniqueID": "T1574.006", "score": 4, "comment": " Related to: \n \u2022PR.PS-01.08\n\u2022PR.PS-01.03\n\u2022PR.PS-01.01\n\u2022PR.PS-01.02", "metadata": [{"divider": true}, {"name": "control", "value": "PR.PS-01.01"}, {"name": "comment", "value": "This diagnostic statement provides for securely configuring production systems. 
This includes hardening default configurations and making security-focused setting adjustments to reduce the attack surface, enforce best practices, and protect sensitive data thereby mitigating adversary exploitation."}, {"divider": true}, {"name": "control", "value": "PR.PS-01.02"}, {"name": "comment", "value": "This diagnostic statement provides for limiting unnecessary software, services, ports, protocols, etc. Ensuring systems only have installed and enabled what is essential for their operation reduces the attack surface and minimizes vulnerabilities, which mitigates a wide range of techniques."}, {"divider": true}, {"name": "control", "value": "PR.PS-01.08"}, {"name": "comment", "value": "This diagnostic statement protects endpoints from certain types of behaviors related to process injection/memory tampering through configuration requirements, connection requirements, and other mechanisms to protect network, application, and data integrity."}, {"divider": true}, {"name": "control", "value": "PR.PS-01.03"}, {"name": "comment", "value": "This diagnostic statement provides protection from Hijack Execution Flow: Dynamic Linker Hijacking through the implementation of security configuration baselines for OS, software, file integrity monitoring and imaging. Security baseline configuration of the Operating System and integrity checking can help protect against adversaries attempting to compromise and modify software and its configurations."}]}, {"techniqueID": "T1087.002", "score": 4, "comment": " Related to: \n \u2022PR.AA-02.01\n\u2022PR.PS-01.03\n\u2022PR.PS-01.01\n\u2022PR.PS-01.02", "metadata": [{"divider": true}, {"name": "control", "value": "PR.PS-01.01"}, {"name": "comment", "value": "This diagnostic statement provides for securely configuring production systems. 
This includes hardening default configurations and making security-focused setting adjustments to reduce the attack surface, enforce best practices, and protect sensitive data thereby mitigating adversary exploitation."}, {"divider": true}, {"name": "control", "value": "PR.PS-01.02"}, {"name": "comment", "value": "This diagnostic statement provides for limiting unnecessary software, services, ports, protocols, etc. Ensuring systems only have installed and enabled what is essential for their operation reduces the attack surface and minimizes vulnerabilities, which mitigates a wide range of techniques."}, {"divider": true}, {"name": "control", "value": "PR.AA-02.01"}, {"name": "comment", "value": "This diagnostic statement provides protection from Create Account through the implementation of privileged account management controls to limit account access. Employing limitations to specific accounts, access control mechanisms, and auditing the attribution logs provides protection against adversaries attempting to create accounts."}, {"divider": true}, {"name": "control", "value": "PR.PS-01.03"}, {"name": "comment", "value": "This diagnostic statement provides protection from Account Discovery: Domain Account through the implementation of security configuration baselines for OS, software, file integrity monitoring and imaging. Security baseline configuration of the Operating System and integrity checking can help protect against adversaries attempting to compromise and elevate privileges."}]}, {"techniqueID": "T1666", "score": 4, "comment": " Related to: \n \u2022PR.PS-01.03\n\u2022PR.AA-01.01\n\u2022PR.PS-01.01\n\u2022PR.PS-01.02", "metadata": [{"divider": true}, {"name": "control", "value": "PR.PS-01.01"}, {"name": "comment", "value": "This diagnostic statement provides for securely configuring production systems. 
This includes hardening default configurations and making security-focused setting adjustments to reduce the attack surface, enforce best practices, and protect sensitive data thereby mitigating adversary exploitation."}, {"divider": true}, {"name": "control", "value": "PR.PS-01.02"}, {"name": "comment", "value": "This diagnostic statement provides for limiting unnecessary software, services, ports, protocols, etc. Ensuring systems only have installed and enabled what is essential for their operation reduces the attack surface and minimizes vulnerabilities, which mitigates a wide range of techniques."}, {"divider": true}, {"name": "control", "value": "PR.PS-01.03"}, {"name": "comment", "value": "This diagnostic statement provides protection from Modify Cloud Resource Hierarchy through the implementation of security configuration baselines for OS, software, file integrity monitoring and imaging. Security baseline configurations for Cloud platforms and integrity checking can help protect against adversaries attempting to compromise and modify cloud configurations."}, {"divider": true}, {"name": "control", "value": "PR.AA-01.01"}, {"name": "comment", "value": "This diagnostic statement protects against Modify Cloud Resource Hierarchy through the use of hardened access control policies, secure defaults, password complexity requirements, multifactor authentication requirements, and removal of terminated accounts."}]}, {"techniqueID": "T1566.002", "score": 7, "comment": " Related to: \n \u2022PR.PS-01.01\n\u2022PR.AA-03.03\n\u2022PR.AA-01.01\n\u2022PR.PS-01.02\n\u2022PR.PS-05.03\n\u2022PR.PS-01.03\n\u2022DE.CM-01.05", "metadata": [{"divider": true}, {"name": "control", "value": "PR.PS-01.01"}, {"name": "comment", "value": "This diagnostic statement provides for securely configuring production systems. 
This includes hardening default configurations and making security-focused setting adjustments to reduce the attack surface, enforce best practices, and protect sensitive data thereby mitigating adversary exploitation."}, {"divider": true}, {"name": "control", "value": "PR.PS-01.02"}, {"name": "comment", "value": "This diagnostic statement provides for limiting unnecessary software, services, ports, protocols, etc. Ensuring systems only have installed and enabled what is essential for their operation reduces the attack surface and minimizes vulnerabilities, which mitigates a wide range of techniques."}, {"divider": true}, {"name": "control", "value": "PR.AA-03.03"}, {"name": "comment", "value": "This diagnostic statement provides protection from phishing attacks through the implementation of software configuration methods, such as anti-spoofing and email authentication. Enabling mechanisms like SPF and DKIM adds protection against adversaries that may send spearphishing emails with a malicious link."}, {"divider": true}, {"name": "control", "value": "PR.PS-01.03"}, {"name": "comment", "value": "This diagnostic statement provides protection from Phishing through the implementation of security configuration baselines for OS, software, file integrity monitoring and imaging. Security baseline configuration that uses anti-spoofing, email authentication mechanisms, blocking of non-essential sites or attachment types, encryption of credential data, and integrity checking can help protect against adversaries attempting to access systems."}, {"divider": true}, {"name": "control", "value": "PR.PS-05.03"}, {"name": "comment", "value": "Use anti-spoofing and email authentication mechanisms to filter messages based on validity checks of the sender domain (using SPF) and integrity of messages (using DKIM). 
Enabling these mechanisms within an organization (through policies such as DMARC) may enable recipients (intra-org and cross domain) to perform similar message filtering and validation."}, {"divider": true}, {"name": "control", "value": "DE.CM-01.05"}, {"name": "comment", "value": "This diagnostic statement provides for implementing tools and measures such as filtering messages and restricting certain websites or attachment types, which can help block phishing attempts."}, {"divider": true}, {"name": "control", "value": "PR.AA-01.01"}, {"name": "comment", "value": "This diagnostic statement protects against Spearphishing Link through the use of hardened access control policies, secure defaults, password complexity requirements, multifactor authentication requirements, and removal of terminated accounts."}]}, {"techniqueID": "T1598", "score": 5, "comment": " Related to: \n \u2022PR.PS-01.01\n\u2022PR.AA-03.03\n\u2022PR.PS-01.02\n\u2022PR.PS-05.03\n\u2022PR.PS-01.03", "metadata": [{"divider": true}, {"name": "control", "value": "PR.PS-01.01"}, {"name": "comment", "value": "This diagnostic statement provides for securely configuring production systems. This includes hardening default configurations and making security-focused setting adjustments to reduce the attack surface, enforce best practices, and protect sensitive data thereby mitigating adversary exploitation."}, {"divider": true}, {"name": "control", "value": "PR.PS-01.02"}, {"name": "comment", "value": "This diagnostic statement provides for limiting unnecessary software, services, ports, protocols, etc. 
Ensuring systems only have installed and enabled what is essential for their operation reduces the attack surface and minimizes vulnerabilities, which mitigates a wide range of techniques."}, {"divider": true}, {"name": "control", "value": "PR.AA-03.03"}, {"name": "comment", "value": "This diagnostic statement provides protection from phishing attacks through the implementation of software configuration methods, such as anti-spoofing and email authentication. Enabling mechanisms like SPF and DKIM adds protection against adversaries that may send phishing messages in the form of emails, instant messages, etc. to gain sensitive information."}, {"divider": true}, {"name": "control", "value": "PR.PS-01.03"}, {"name": "comment", "value": "This diagnostic statement provides protection from Phishing for Information through the implementation of security configuration baselines for OS, software, file integrity monitoring and imaging. Security baseline configuration that uses anti-spoofing, email authentication mechanisms, encryption of credential data, and integrity checking can help protect against adversaries attempting to gather information."}, {"divider": true}, {"name": "control", "value": "PR.PS-05.03"}, {"name": "comment", "value": "Certain software configuration techniques can be utilized to detect and isolate spearphishing messages found with malicious attachments."}]}, {"techniqueID": "T1598.002", "score": 4, "comment": " Related to: \n \u2022PR.AA-03.03\n\u2022PR.PS-01.03\n\u2022PR.PS-01.01\n\u2022PR.PS-01.02", "metadata": [{"divider": true}, {"name": "control", "value": "PR.PS-01.01"}, {"name": "comment", "value": "This diagnostic statement provides for securely configuring production systems. 
This includes hardening default configurations and making security-focused setting adjustments to reduce the attack surface, enforce best practices, and protect sensitive data thereby mitigating adversary exploitation."}, {"divider": true}, {"name": "control", "value": "PR.PS-01.02"}, {"name": "comment", "value": "This diagnostic statement provides for limiting unnecessary software, services, ports, protocols, etc. Ensuring systems only have installed and enabled what is essential for their operation reduces the attack surface and minimizes vulnerabilities, which mitigates a wide range of techniques."}, {"divider": true}, {"name": "control", "value": "PR.AA-03.03"}, {"name": "comment", "value": "This diagnostic statement provides protection from phishing attacks through the implementation of software configuration methods, such as anti-spoofing and email authentication. Enabling mechanisms like SPF and DKIM adds protection against adversaries that may send spearphishing emails with a malicious attachment to elicit sensitive information."}, {"divider": true}, {"name": "control", "value": "PR.PS-01.03"}, {"name": "comment", "value": "This diagnostic statement provides protection from Phishing for Information: Spearphishing Attachment through the implementation of security configuration baselines for OS, software, file integrity monitoring and imaging. Security baseline configuration that uses anti-spoofing, email authentication mechanisms, external email tracking, encryption of credential data, and integrity checking can help protect against adversaries attempting to gather information."}]}, {"techniqueID": "T1598.003", "score": 5, "comment": " Related to: \n \u2022PR.PS-01.01\n\u2022PR.AA-03.03\n\u2022PR.PS-01.02\n\u2022PR.PS-05.03\n\u2022PR.PS-01.03", "metadata": [{"divider": true}, {"name": "control", "value": "PR.PS-01.01"}, {"name": "comment", "value": "This diagnostic statement provides for securely configuring production systems. 
This includes hardening default configurations and making security-focused setting adjustments to reduce the attack surface, enforce best practices, and protect sensitive data thereby mitigating adversary exploitation."}, {"divider": true}, {"name": "control", "value": "PR.PS-01.02"}, {"name": "comment", "value": "This diagnostic statement provides for limiting unnecessary software, services, ports, protocols, etc. Ensuring systems only have installed and enabled what is essential for their operation reduces the attack surface and minimizes vulnerabilities, which mitigates a wide range of techniques."}, {"divider": true}, {"name": "control", "value": "PR.AA-03.03"}, {"name": "comment", "value": "This diagnostic statement provides protection from phishing attacks through the implementation of software configuration methods, such as anti-spoofing and email authentication. Enabling mechanisms like SPF and DKIM adds protection against adversaries that may send spearphishing emails with a malicious link to elicit sensitive information. "}, {"divider": true}, {"name": "control", "value": "PR.PS-01.03"}, {"name": "comment", "value": "This diagnostic statement provides protection from Phishing for Information: Spearphishing Link through the implementation of security configuration baselines for OS, software, file integrity monitoring and imaging. Security baseline configuration that uses anti-spoofing, email authentication mechanisms, web filtering, encryption of credential data, and integrity checking can help protect against adversaries attempting to gather information."}, {"divider": true}, {"name": "control", "value": "PR.PS-05.03"}, {"name": "comment", "value": "Certain software configuration techniques can be utilized to detect and isolate spearphishing messages found with malicious attachments. 
Email authentication mechanisms allow malicious links to be filtered, detected and blocked, enabling users not to "}]}, {"techniqueID": "T1539", "score": 10, "comment": " Related to: \n \u2022PR.PS-01.07\n\u2022PR.PS-01.01\n\u2022PR.PS-02.01\n\u2022DE.CM-09.01\n\u2022PR.AA-01.01\n\u2022PR.AA-03.01\n\u2022PR.PS-01.02\n\u2022PR.AA-05.02\n\u2022PR.PS-01.03\n\u2022DE.CM-01.05", "metadata": [{"divider": true}, {"name": "control", "value": "PR.PS-01.01"}, {"name": "comment", "value": "This diagnostic statement provides for securely configuring production systems. This includes hardening default configurations and making security-focused setting adjustments to reduce the attack surface, enforce best practices, and protect sensitive data thereby mitigating adversary exploitation."}, {"divider": true}, {"name": "control", "value": "PR.PS-01.02"}, {"name": "comment", "value": "This diagnostic statement provides for limiting unnecessary software, services, ports, protocols, etc. Ensuring systems only have installed and enabled what is essential for their operation reduces the attack surface and minimizes vulnerabilities, which mitigates a wide range of techniques."}, {"divider": true}, {"name": "control", "value": "PR.AA-05.02"}, {"name": "comment", "value": "This diagnostic statement protects against Steal Web Session Cookie through the use of privileged account management and the use of multi-factor authentication."}, {"divider": true}, {"name": "control", "value": "DE.CM-09.01"}, {"name": "comment", "value": "This diagnostic statement protects against Steal Web Session Cookie through the use of verifying integrity of software/firmware, loading software that is trusted, ensuring privileged process integrity and checking software signatures."}, {"divider": true}, {"name": "control", "value": "PR.PS-02.01"}, {"name": "comment", "value": "This diagnostic statement is related to the implementation of a patch management program. 
Applying patches and upgrades for products and systems provided by vendors mitigates the risk of adversaries exploiting known vulnerabilities. Regularly updating web browsers, password managers, and related software to the latest versions reduces the risk of vulnerabilities being exploited by attackers to extract stored credentials or steal web session cookies."}, {"divider": true}, {"name": "control", "value": "PR.PS-01.03"}, {"name": "comment", "value": "This diagnostic statement provides protection from Steal Web Session Cookie through the implementation of security configuration baselines for OS, software, file integrity monitoring and imaging. Baseline security configuration including the automated deletion of cookies can help protect against adversaries attempting to compromise and modify software and its configurations."}, {"divider": true}, {"name": "control", "value": "PR.PS-01.07"}, {"name": "comment", "value": "This diagnostic statement protects against Steal Web Session Cookie through the use of revocation of keys and key management. 
Employing key protection strategies for key material used as part of multifactor authentication in authentication processes for web applications using cookies, along with limitations to specific accounts and access control mechanisms, provides protection against adversaries attempting to steal session cookies."}, {"divider": true}, {"name": "control", "value": "DE.CM-01.05"}, {"name": "comment", "value": "This diagnostic statement provides for implementing tools and measures for web-based content and browser security settings that can help prevent session cookie theft."}, {"divider": true}, {"name": "control", "value": "PR.AA-03.01"}, {"name": "comment", "value": "This diagnostic statement describes how the organization implements appropriate authentication requirements, including selecting mechanisms based on risk, utilizing multi-factor authentication where necessary, and safeguarding the storage of authenticators like PINs and passwords to protect sensitive access credentials."}, {"divider": true}, {"name": "control", "value": "PR.AA-01.01"}, {"name": "comment", "value": "This diagnostic statement protects against Steal Web Session Cookie through the use of hardened access control policies, secure defaults, password complexity requirements, multifactor authentication requirements, and removal of terminated accounts."}]}, {"techniqueID": "T1553", "score": 5, "comment": " Related to: \n \u2022PR.PS-01.01\n\u2022PR.IR-01.06\n\u2022PR.PS-01.02\n\u2022PR.AA-05.02\n\u2022PR.PS-01.03", "metadata": [{"divider": true}, {"name": "control", "value": "PR.PS-01.01"}, {"name": "comment", "value": "This diagnostic statement provides for securely configuring production systems. 
This includes hardening default configurations and making security-focused setting adjustments to reduce the attack surface, enforce best practices, and protect sensitive data thereby mitigating adversary exploitation."}, {"divider": true}, {"name": "control", "value": "PR.PS-01.02"}, {"name": "comment", "value": "This diagnostic statement provides for limiting unnecessary software, services, ports, protocols, etc. Ensuring systems only have installed and enabled what is essential for their operation reduces the attack surface and minimizes vulnerabilities, which mitigates a wide range of techniques."}, {"divider": true}, {"name": "control", "value": "PR.AA-05.02"}, {"name": "comment", "value": "This diagnostic statement protects against Subvert Trust Controls through the use of privileged account management and the use of multi-factor authentication."}, {"divider": true}, {"name": "control", "value": "PR.PS-01.03"}, {"name": "comment", "value": "This diagnostic statement provides protection from Subvert Trust Controls through the implementation of security configuration baselines for OS, software, file integrity monitoring and imaging. Security baselining and integrity checking can help protect against adversaries attempting to subvert trust controls."}, {"divider": true}, {"name": "control", "value": "PR.IR-01.06"}, {"name": "comment", "value": "This diagnostic statement provides protections for production environments. Measures such as network segmentation and access control reduce the attack surface, restrict movement by adversaries, and protect critical assets and data from compromise."}]}, {"techniqueID": "T1553.004", "score": 3, "comment": " Related to: \n \u2022PR.PS-01.03\n\u2022PR.PS-01.01\n\u2022PR.PS-01.02", "metadata": [{"divider": true}, {"name": "control", "value": "PR.PS-01.01"}, {"name": "comment", "value": "This diagnostic statement provides for securely configuring production systems. 
This includes hardening default configurations and making security-focused setting adjustments to reduce the attack surface, enforce best practices, and protect sensitive data thereby mitigating adversary exploitation."}, {"divider": true}, {"name": "control", "value": "PR.PS-01.02"}, {"name": "comment", "value": "This diagnostic statement provides for limiting unnecessary software, services, ports, protocols, etc. Ensuring systems only have installed and enabled what is essential for their operation reduces the attack surface and minimizes vulnerabilities, which mitigates a wide range of techniques."}, {"divider": true}, {"name": "control", "value": "PR.PS-01.03"}, {"name": "comment", "value": "This diagnostic statement provides protection from Subvert Trust Controls: Install Root Certificate through the implementation of security configuration baselines for OS, software, file integrity monitoring and imaging. Security baseline configuration including Windows Group Policy or Key Pinning and integrity checking can help protect against adversaries attempting to compromise and modify certificate configurations."}]}, {"techniqueID": "T1537", "score": 12, "comment": " Related to: \n \u2022PR.IR-03.01\n\u2022PR.PS-01.01\n\u2022DE.CM-09.01\n\u2022PR.IR-01.03\n\u2022PR.DS-01.02\n\u2022PR.AA-01.01\n\u2022PR.IR-01.02\n\u2022PR.AA-01.02\n\u2022PR.PS-01.02\n\u2022PR.PS-01.03\n\u2022PR.DS-10.01\n\u2022PR.PS-01.08", "metadata": [{"divider": true}, {"name": "control", "value": "PR.PS-01.01"}, {"name": "comment", "value": "This diagnostic statement provides for securely configuring production systems. 
This includes hardening default configurations and making security-focused setting adjustments to reduce the attack surface, enforce best practices, and protect sensitive data thereby mitigating adversary exploitation."}, {"divider": true}, {"name": "control", "value": "PR.PS-01.02"}, {"name": "comment", "value": "This diagnostic statement provides for limiting unnecessary software, services, ports, protocols, etc. Ensuring systems only have installed and enabled what is essential for their operation reduces the attack surface and minimizes vulnerabilities, which mitigates a wide range of techniques."}, {"divider": true}, {"name": "control", "value": "PR.IR-03.01"}, {"name": "comment", "value": "This diagnostic statement protects against Transfer Data to Cloud Account through the use of failsafes, backup facilities, disaster recovery, and resilience strategies including resumption of critical services."}, {"divider": true}, {"name": "control", "value": "DE.CM-09.01"}, {"name": "comment", "value": "This diagnostic statement protects against Transfer Data to Cloud Account through the use of verifying integrity of software/firmware, loading software that is trusted, ensuring privileged process integrity and checking software signatures."}, {"divider": true}, {"name": "control", "value": "PR.DS-01.02"}, {"name": "comment", "value": "The use of data loss prevention controls may mitigate the techniques related to data leakage and loss from local systems, automated exfiltration, and exfiltration over non-approved services."}, {"divider": true}, {"name": "control", "value": "PR.DS-10.01"}, {"name": "comment", "value": "This Diagnostic Statement describes mitigations related to protecting data-in-use, mentioning encryption, access control methods and authentication. 
Using encryption for data-in-use, alongside other safeguards such as restricting exfiltration of sensitive data, aids in mitigating collection and exfiltration threats."}, {"divider": true}, {"name": "control", "value": "PR.PS-01.03"}, {"name": "comment", "value": "This diagnostic statement provides protection from Transfer Data to Cloud through the implementation of security configuration baselines for OS, software, file integrity monitoring and imaging. Security baseline configurations that enforce data sharing restrictions to the cloud and integrity checking can help protect against adversaries attempting to transfer data to a cloud account."}, {"divider": true}, {"name": "control", "value": "PR.AA-01.02"}, {"name": "comment", "value": "This diagnostic statement describes how the organization ensures users are identified and authenticated before accessing systems, applications, and hardware, with logical access controls permitting access only to authorized individuals with legitimate business needs. Logical access controls in relation to systems can refer to the use of MFA, user account management, and other role-based access control mechanisms to enforce policies for authentication and authorization of user accounts."}, {"divider": true}, {"name": "control", "value": "PR.IR-01.02"}, {"name": "comment", "value": "This diagnostic statement provides protection through secure network device configurations (e.g., firewall rules, ports, protocols) aligned to security baselines. 
Employing network-based filtering restrictions can mitigate data transfers to untrusted VPCs."}, {"divider": true}, {"name": "control", "value": "PR.IR-01.03"}, {"name": "comment", "value": "This diagnostic statement protects against Transfer Data to Cloud Account through the use of secure network configurations, architecture, implementations of zero trust architecture, and segmentation."}, {"divider": true}, {"name": "control", "value": "PR.AA-01.01"}, {"name": "comment", "value": "This diagnostic statement protects against Transfer Data to Cloud Account through the use of hardened access control policies, secure defaults, password complexity requirements, multifactor authentication requirements, and removal of terminated accounts."}, {"divider": true}, {"name": "control", "value": "PR.PS-01.08"}, {"name": "comment", "value": "This diagnostic statement protects against Transfer Data to Cloud Account through the use of limiting access to resources to only authorized devices, management of personal computing devices, network intrusion prevention, and the use of antimalware."}]}, {"techniqueID": "T1535", "score": 3, "comment": " Related to: \n \u2022PR.PS-01.03\n\u2022PR.PS-01.01\n\u2022PR.PS-01.02", "metadata": [{"divider": true}, {"name": "control", "value": "PR.PS-01.01"}, {"name": "comment", "value": "This diagnostic statement provides for securely configuring production systems. This includes hardening default configurations and making security-focused setting adjustments to reduce the attack surface, enforce best practices, and protect sensitive data thereby mitigating adversary exploitation."}, {"divider": true}, {"name": "control", "value": "PR.PS-01.02"}, {"name": "comment", "value": "This diagnostic statement provides for limiting unnecessary software, services, ports, protocols, etc. 
Ensuring systems only have installed and enabled what is essential for their operation reduces the attack surface and minimizes vulnerabilities, which mitigates a wide range of techniques."}, {"divider": true}, {"name": "control", "value": "PR.PS-01.03"}, {"name": "comment", "value": "This diagnostic statement provides protection from Unused/Unsupported Cloud Regions through the implementation of security configuration baselines for OS, software, file integrity monitoring and imaging. Security baselining and integrity checking can help protect against adversaries attempting to compromise and modify software and its configurations."}]}, {"techniqueID": "T1550.004", "score": 3, "comment": " Related to: \n \u2022PR.PS-01.03\n\u2022PR.PS-01.01\n\u2022PR.PS-01.02", "metadata": [{"divider": true}, {"name": "control", "value": "PR.PS-01.01"}, {"name": "comment", "value": "This diagnostic statement provides for securely configuring production systems. This includes hardening default configurations and making security-focused setting adjustments to reduce the attack surface, enforce best practices, and protect sensitive data thereby mitigating adversary exploitation."}, {"divider": true}, {"name": "control", "value": "PR.PS-01.02"}, {"name": "comment", "value": "This diagnostic statement provides for limiting unnecessary software, services, ports, protocols, etc. Ensuring systems only have installed and enabled what is essential for their operation reduces the attack surface and minimizes vulnerabilities, which mitigates a wide range of techniques."}, {"divider": true}, {"name": "control", "value": "PR.PS-01.03"}, {"name": "comment", "value": "This diagnostic statement provides protection from Web Session Cookie through the implementation of security configuration baselines for OS, software, file integrity monitoring and imaging. 
Baseline security configuration including the automated deletion of cookies can help protect against adversaries attempting to compromise and modify software and its configurations."}]}, {"techniqueID": "T1548.001", "score": 3, "comment": " Related to: \n \u2022PR.PS-01.03\n\u2022PR.PS-01.01\n\u2022PR.PS-01.02", "metadata": [{"divider": true}, {"name": "control", "value": "PR.PS-01.01"}, {"name": "comment", "value": "This diagnostic statement provides for securely configuring production systems. This includes hardening default configurations and making security-focused setting adjustments to reduce the attack surface, enforce best practices, and protect sensitive data thereby mitigating adversary exploitation."}, {"divider": true}, {"name": "control", "value": "PR.PS-01.02"}, {"name": "comment", "value": "This diagnostic statement provides for limiting unnecessary software, services, ports, protocols, etc. Ensuring systems only have installed and enabled what is essential for their operation reduces the attack surface and minimizes vulnerabilities, which mitigates a wide range of techniques."}, {"divider": true}, {"name": "control", "value": "PR.PS-01.03"}, {"name": "comment", "value": "This diagnostic statement provides protection from Abuse Elevation Control Mechanism: Setuid and Setgid through the implementation of security configuration baselines for OS, software, file integrity monitoring and imaging. Security baseline configuration of the Operating System and integrity checking can help protect against adversaries attempting to compromise and elevate privileges."}]}, {"techniqueID": "T1087", "score": 5, "comment": " Related to: \n \u2022PR.PS-01.01\n\u2022PR.AA-01.01\n\u2022PR.AA-01.02\n\u2022PR.PS-01.02\n\u2022PR.PS-01.03", "metadata": [{"divider": true}, {"name": "control", "value": "PR.PS-01.01"}, {"name": "comment", "value": "This diagnostic statement provides for securely configuring production systems. 
This includes hardening default configurations and making security-focused setting adjustments to reduce the attack surface, enforce best practices, and protect sensitive data thereby mitigating adversary exploitation."}, {"divider": true}, {"name": "control", "value": "PR.PS-01.02"}, {"name": "comment", "value": "This diagnostic statement provides for limiting unnecessary software, services, ports, protocols, etc. Ensuring systems only have installed and enabled what is essential for their operation reduces the attack surface and minimizes vulnerabilities, which mitigates a wide range of techniques."}, {"divider": true}, {"name": "control", "value": "PR.PS-01.03"}, {"name": "comment", "value": "This diagnostic statement provides protection from Account Discovery through the implementation of security configuration baselines for OS, software, file integrity monitoring and imaging. Security baseline configuration of the Operating System and integrity checking can help protect against adversaries attempting to compromise and elevate privileges."}, {"divider": true}, {"name": "control", "value": "PR.AA-01.02"}, {"name": "comment", "value": "This diagnostic statement describes how the organization ensures users are identified and authenticated before accessing systems, applications, and hardware, with logical access controls permitting access only to authorized individuals with legitimate business needs. 
Logical access controls in relation to systems can refer to the use of MFA, user account management, and other role-based access control mechanisms to enforce policies for authentication and authorization of user accounts."}, {"divider": true}, {"name": "control", "value": "PR.AA-01.01"}, {"name": "comment", "value": "This diagnostic statement protects against Account Discovery through the use of hardened access control policies, secure defaults, password complexity requirements, multifactor authentication requirements, and removal of terminated accounts."}]}, {"techniqueID": "T1087.001", "score": 4, "comment": " Related to: \n \u2022PR.AA-02.01\n\u2022PR.PS-01.03\n\u2022PR.PS-01.01\n\u2022PR.PS-01.02", "metadata": [{"divider": true}, {"name": "control", "value": "PR.PS-01.01"}, {"name": "comment", "value": "This diagnostic statement provides for securely configuring production systems. This includes hardening default configurations and making security-focused setting adjustments to reduce the attack surface, enforce best practices, and protect sensitive data thereby mitigating adversary exploitation."}, {"divider": true}, {"name": "control", "value": "PR.PS-01.02"}, {"name": "comment", "value": "This diagnostic statement provides for limiting unnecessary software, services, ports, protocols, etc. Ensuring systems only have installed and enabled what is essential for their operation reduces the attack surface and minimizes vulnerabilities, which mitigates a wide range of techniques."}, {"divider": true}, {"name": "control", "value": "PR.AA-02.01"}, {"name": "comment", "value": "This diagnostic statement provides protection from Create Account through the implementation of privileged account management controls to limit account access. 
Employing limitations to specific accounts, access control mechanisms, and auditing the attribution logs provides protection against adversaries attempting to create accounts."}, {"divider": true}, {"name": "control", "value": "PR.PS-01.03"}, {"name": "comment", "value": "This diagnostic statement provides protection from Account Discovery: Local Account through the implementation of security configuration baselines for OS, software, file integrity monitoring and imaging. Security baseline configuration of the Operating System and integrity checking can help protect against adversaries attempting to compromise and elevate privileges."}]}, {"techniqueID": "T1559.002", "score": 4, "comment": " Related to: \n \u2022PR.PS-01.03\n\u2022PR.PS-05.02\n\u2022PR.PS-01.01\n\u2022PR.PS-01.02", "metadata": [{"divider": true}, {"name": "control", "value": "PR.PS-01.01"}, {"name": "comment", "value": "This diagnostic statement provides for securely configuring production systems. This includes hardening default configurations and making security-focused setting adjustments to reduce the attack surface, enforce best practices, and protect sensitive data thereby mitigating adversary exploitation."}, {"divider": true}, {"name": "control", "value": "PR.PS-01.02"}, {"name": "comment", "value": "This diagnostic statement provides for limiting unnecessary software, services, ports, protocols, etc. Ensuring systems only have installed and enabled what is essential for their operation reduces the attack surface and minimizes vulnerabilities, which mitigates a wide range of techniques."}, {"divider": true}, {"name": "control", "value": "PR.PS-01.03"}, {"name": "comment", "value": "This diagnostic statement provides protection from Inter-Process Communication: Dynamic Data Exchange through the implementation of security configuration baselines for OS, software, file integrity monitoring and imaging. 
Security baselining and integrity checking can help protect against adversaries attempting to compromise and modify software and its configurations."}, {"divider": true}, {"name": "control", "value": "PR.PS-05.02"}, {"name": "comment", "value": "Mobile code procedures address specific actions taken to prevent the development, acquisition, and introduction of unacceptable mobile code within organizational systems, including requiring mobile code to be digitally signed by a trusted source."}]}, {"techniqueID": "T1543.005", "score": 6, "comment": " Related to: \n \u2022PR.PS-01.01\n\u2022DE.CM-03.03\n\u2022PR.AA-01.01\n\u2022PR.AA-01.02\n\u2022PR.PS-01.02\n\u2022PR.PS-01.03", "metadata": [{"divider": true}, {"name": "control", "value": "PR.PS-01.01"}, {"name": "comment", "value": "This diagnostic statement provides for securely configuring production systems. This includes hardening default configurations and making security-focused setting adjustments to reduce the attack surface, enforce best practices, and protect sensitive data thereby mitigating adversary exploitation."}, {"divider": true}, {"name": "control", "value": "PR.PS-01.02"}, {"name": "comment", "value": "This diagnostic statement provides for limiting unnecessary software, services, ports, protocols, etc. Ensuring systems only have installed and enabled what is essential for their operation reduces the attack surface and minimizes vulnerabilities, which mitigates a wide range of techniques."}, {"divider": true}, {"name": "control", "value": "PR.PS-01.03"}, {"name": "comment", "value": "This diagnostic statement provides protection from Create or Modify System Process: Container Service through the implementation of security configuration baselines for OS, software, file integrity monitoring and imaging. 
Security baselining and integrity checking can help protect against adversaries attempting to compromise and modify software and its configurations."}, {"divider": true}, {"name": "control", "value": "DE.CM-03.03"}, {"name": "comment", "value": "This diagnostic statement implements mechanisms and tools to mitigate potential misuse of privileged users and accounts. Continuous monitoring of role and attribute assignments and activity is essential to prevent and detect unauthorized access or misuse."}, {"divider": true}, {"name": "control", "value": "PR.AA-01.02"}, {"name": "comment", "value": "This diagnostic statement describes how the organization ensures users are identified and authenticated before accessing systems, applications, and hardware, with logical access controls permitting access only to authorized individuals with legitimate business needs. Logical access controls in relation to systems can refer to the use of MFA, user account management, and other role-based access control mechanisms to enforce policies for authentication and authorization of user accounts."}, {"divider": true}, {"name": "control", "value": "PR.AA-01.01"}, {"name": "comment", "value": "This diagnostic statement protects against Container Service through the use of hardened access control policies, secure defaults, password complexity requirements, multifactor authentication requirements, and removal of terminated accounts."}]}, {"techniqueID": "T1555.005", "score": 7, "comment": " Related to: \n \u2022PR.PS-01.01\n\u2022PR.PS-02.01\n\u2022PR.AA-01.01\n\u2022PR.AA-03.01\n\u2022PR.AA-01.02\n\u2022PR.PS-01.02\n\u2022PR.PS-01.03", "metadata": [{"divider": true}, {"name": "control", "value": "PR.PS-01.01"}, {"name": "comment", "value": "This diagnostic statement provides for securely configuring production systems. 
This includes hardening default configurations and making security-focused setting adjustments to reduce the attack surface, enforce best practices, and protect sensitive data thereby mitigating adversary exploitation."}, {"divider": true}, {"name": "control", "value": "PR.PS-01.02"}, {"name": "comment", "value": "This diagnostic statement provides for limiting unnecessary software, services, ports, protocols, etc. Ensuring systems only have installed and enabled what is essential for their operation reduces the attack surface and minimizes vulnerabilities, which mitigates a wide range of techniques."}, {"divider": true}, {"name": "control", "value": "PR.PS-02.01"}, {"name": "comment", "value": "This diagnostic statement is related to the implementation of a patch management program. Applying patches and upgrades for products and systems provided by vendors mitigates the risk of adversaries exploiting known vulnerabilities. For example, regularly updating web browsers, password managers, and related software reduces the risk of vulnerabilities being exploited by attackers to extract stored credentials or session cookies."}, {"divider": true}, {"name": "control", "value": "PR.PS-01.03"}, {"name": "comment", "value": "This diagnostic statement provides protection from Credentials from Password Stores: Password Managers through the implementation of security configuration baselines for OS, software, file integrity monitoring and imaging. 
Security baseline configurations that include secure password storage policies and keeping system images and software up to date can help protect against adversaries attempting to leverage information repositories."}, {"divider": true}, {"name": "control", "value": "PR.AA-01.02"}, {"name": "comment", "value": "This diagnostic statement describes how the organization ensures users are identified and authenticated before accessing systems, applications, and hardware, with logical access controls permitting access only to authorized individuals with legitimate business needs. Logical access controls in relation to systems can refer to the use of MFA, user account management, and other role-based access control mechanisms to enforce policies for authentication and authorization of user accounts."}, {"divider": true}, {"name": "control", "value": "PR.AA-03.01"}, {"name": "comment", "value": "This diagnostic statement describes how the organization implements appropriate authentication requirements, including selecting mechanisms based on risk, utilizing multi-factor authentication where necessary, and safeguarding the storage of authenticators like PINs and passwords to protect sensitive access credentials."}, {"divider": true}, {"name": "control", "value": "PR.AA-01.01"}, {"name": "comment", "value": "This diagnostic statement protects against Password Managers through the use of hardened access control policies, secure defaults, password complexity requirements, multifactor authentication requirements, and removal of terminated accounts."}]}, {"techniqueID": "T1213", "score": 14, "comment": " Related to: \n \u2022PR.PS-01.07\n\u2022PR.PS-01.09\n\u2022PR.PS-01.01\n\u2022PR.PS-01.05\n\u2022PR.AA-01.01\n\u2022PR.DS-01.01\n\u2022PR.PS-01.06\n\u2022PR.AA-03.01\n\u2022PR.AA-01.02\n\u2022PR.PS-01.02\n\u2022PR.AA-05.02\n\u2022PR.PS-01.03\n\u2022PR.DS-10.01\n\u2022PR.AA-04.01", "metadata": [{"divider": true}, {"name": "control", "value": "PR.PS-01.01"}, {"name": "comment", 
"value": "This diagnostic statement provides for securely configuring production systems. This includes hardening default configurations and making security-focused setting adjustments to reduce the attack surface, enforce best practices, and protect sensitive data thereby mitigating adversary exploitation."}, {"divider": true}, {"name": "control", "value": "PR.PS-01.02"}, {"name": "comment", "value": "This diagnostic statement provides for limiting unnecessary software, services, ports, protocols, etc. Ensuring systems only have installed and enabled what is essential for their operation reduces the attack surface and minimizes vulnerabilities, which mitigates a wide range of techniques."}, {"divider": true}, {"name": "control", "value": "PR.AA-05.02"}, {"name": "comment", "value": "This diagnostic statement protects against Data from Information Repositories through the use of privileged account management and the use of multi-factor authentication."}, {"divider": true}, {"name": "control", "value": "PR.AA-04.01"}, {"name": "comment", "value": "This diagnostic statement provides protection from Data from Information Repositories through the implementation of privileged account management controls to limit credential access. 
Employing limitations to specific accounts, access control mechanisms, and auditing the attribution logs provides protection against adversaries attempting to access sensitive data in information repositories."}, {"divider": true}, {"name": "control", "value": "PR.DS-01.01"}, {"name": "comment", "value": "This diagnostic statement focuses on protecting data-at-rest by implementing encryption and other security measures such as sandboxing, authentication, segregation, masking, tokenization, and file integrity monitoring."}, {"divider": true}, {"name": "control", "value": "PR.DS-10.01"}, {"name": "comment", "value": "This Diagnostic Statement describes mitigations related to protecting data-in-use, mentioning encryption, access control methods and authentication. Using encryption for data-in-use, alongside other safeguards such as those restricting exfiltration of sensitive data, aids in mitigating collection and exfiltration threats."}, {"divider": true}, {"name": "control", "value": "PR.PS-01.06"}, {"name": "comment", "value": "This diagnostic statement is associated with employing encryption methods to mitigate unauthorized access or theft of data that protect the confidentiality and integrity of data-at-rest, data-in-use, and data-in-transit. To address threats to data from information repositories, encrypt data stored at rest in databases."}, {"divider": true}, {"name": "control", "value": "PR.PS-01.03"}, {"name": "comment", "value": "This diagnostic statement provides protection from Data from Information Repositories through the implementation of security configuration baselines for OS, software, file integrity monitoring and imaging. 
Security baseline configurations that include data retention policies to periodically archive and/or delete data and integrity checking can help protect against adversaries attempting to leverage information repositories."}, {"divider": true}, {"name": "control", "value": "PR.PS-01.07"}, {"name": "comment", "value": "This diagnostic statement protects against Code Repositories through the use of revocation of keys and key management. Employing key protection strategies such as removing keys from information repositories, limitations to specific accounts along with access control mechanisms provides protection against adversaries attempting to glean credentials from code repositories."}, {"divider": true}, {"name": "control", "value": "PR.PS-01.09"}, {"name": "comment", "value": "The diagnostic statement outlines several mechanisms that organizations can use to protect endpoint systems with virtualization technologies, focusing primarily on hypervisor hardening. By implementing hypervisor hardening measures, such as requiring multi-factor authentication to restrict access to resources and information stored in the cloud from various virtual machines, organizations may help prevent data leakage caused by adversaries exploiting VM instances."}, {"divider": true}, {"name": "control", "value": "PR.AA-01.02"}, {"name": "comment", "value": "This diagnostic statement describes how the organization ensures users are identified and authenticated before accessing systems, applications, and hardware, with logical access controls permitting access only to authorized individuals with legitimate business needs. 
Logical access controls in relation to systems can refer to the use of MFA, user account management, and other role-based access control mechanisms to enforce policies for authentication and authorization of user accounts."}, {"divider": true}, {"name": "control", "value": "PR.AA-03.01"}, {"name": "comment", "value": "This diagnostic statement describes how the organization implements appropriate authentication requirements, including selecting mechanisms based on risk, utilizing multi-factor authentication where necessary, and safeguarding the storage of authenticators like PINs and passwords to protect sensitive access credentials."}, {"divider": true}, {"name": "control", "value": "PR.AA-01.01"}, {"name": "comment", "value": "This diagnostic statement protects against Data from Information Repositories through the use of hardened access control policies, secure defaults, password complexity requirements, multifactor authentication requirements, and removal of terminated accounts."}, {"divider": true}, {"name": "control", "value": "PR.PS-01.05"}, {"name": "comment", "value": "This diagnostic statement is associated with employing strong encryption methods to mitigate unauthorized access or theft of data that protect the confidentiality and integrity of data-at-rest, data-in-use, and data-in-transit. To address threats to data from information repositories, encrypt data stored at rest in databases."}]}, {"techniqueID": "T1213.001", "score": 3, "comment": " Related to: \n \u2022PR.AA-01.01\n\u2022PR.PS-01.01\n\u2022PR.PS-01.02", "metadata": [{"divider": true}, {"name": "control", "value": "PR.PS-01.01"}, {"name": "comment", "value": "This diagnostic statement provides for securely configuring production systems. 
This includes hardening default configurations and making security-focused setting adjustments to reduce the attack surface, enforce best practices, and protect sensitive data thereby mitigating adversary exploitation."}, {"divider": true}, {"name": "control", "value": "PR.PS-01.02"}, {"name": "comment", "value": "This diagnostic statement provides for limiting unnecessary software, services, ports, protocols, etc. Ensuring systems only have installed and enabled what is essential for their operation reduces the attack surface and minimizes vulnerabilities, which mitigates a wide range of techniques."}, {"divider": true}, {"name": "control", "value": "PR.AA-01.01"}, {"name": "comment", "value": "This diagnostic statement protects against Confluence through the use of hardened access control policies, secure defaults, password complexity requirements, multifactor authentication requirements, and removal of terminated accounts."}]}, {"techniqueID": "T1213.002", "score": 3, "comment": " Related to: \n \u2022PR.AA-01.01\n\u2022PR.PS-01.01\n\u2022PR.PS-01.02", "metadata": [{"divider": true}, {"name": "control", "value": "PR.PS-01.01"}, {"name": "comment", "value": "This diagnostic statement provides for securely configuring production systems. This includes hardening default configurations and making security-focused setting adjustments to reduce the attack surface, enforce best practices, and protect sensitive data thereby mitigating adversary exploitation."}, {"divider": true}, {"name": "control", "value": "PR.PS-01.02"}, {"name": "comment", "value": "This diagnostic statement provides for limiting unnecessary software, services, ports, protocols, etc. 
Ensuring systems only have installed and enabled what is essential for their operation reduces the attack surface and minimizes vulnerabilities, which mitigates a wide range of techniques."}, {"divider": true}, {"name": "control", "value": "PR.AA-01.01"}, {"name": "comment", "value": "This diagnostic statement protects against Sharepoint through the use of hardened access control policies, secure defaults, password complexity requirements, multifactor authentication requirements, and removal of terminated accounts."}]}, {"techniqueID": "T1213.003", "score": 5, "comment": " Related to: \n \u2022PR.PS-01.07\n\u2022PR.PS-01.01\n\u2022PR.AA-01.01\n\u2022PR.PS-01.02\n\u2022PR.AA-05.02", "metadata": [{"divider": true}, {"name": "control", "value": "PR.PS-01.01"}, {"name": "comment", "value": "This diagnostic statement provides for securely configuring production systems. This includes hardening default configurations and making security-focused setting adjustments to reduce the attack surface, enforce best practices, and protect sensitive data thereby mitigating adversary exploitation."}, {"divider": true}, {"name": "control", "value": "PR.PS-01.02"}, {"name": "comment", "value": "This diagnostic statement provides for limiting unnecessary software, services, ports, protocols, etc. Ensuring systems only have installed and enabled what is essential for their operation reduces the attack surface and minimizes vulnerabilities, which mitigates a wide range of techniques."}, {"divider": true}, {"name": "control", "value": "PR.AA-05.02"}, {"name": "comment", "value": "This diagnostic statement protects against Code Repositories through the use of privileged account management and the use of multi-factor authentication."}, {"divider": true}, {"name": "control", "value": "PR.PS-01.07"}, {"name": "comment", "value": "This diagnostic statement protects against Code Repositories through the use of revocation of keys and key management. 
Employing key protection strategies such as removing keys from code repositories, limitations to specific accounts along with access control mechanisms provides protection against adversaries attempting to glean credentials from code repositories."}, {"divider": true}, {"name": "control", "value": "PR.AA-01.01"}, {"name": "comment", "value": "This diagnostic statement protects against Code Repositories through the use of hardened access control policies, secure defaults, password complexity requirements, multifactor authentication requirements, and removal of terminated accounts."}]}, {"techniqueID": "T1213.004", "score": 7, "comment": " Related to: \n \u2022ID.AM-08.05\n\u2022ID.AM-08.03\n\u2022PR.PS-01.01\n\u2022DE.CM-09.01\n\u2022PR.AA-01.01\n\u2022PR.PS-01.02\n\u2022PR.PS-01.03", "metadata": [{"divider": true}, {"name": "control", "value": "PR.PS-01.01"}, {"name": "comment", "value": "This diagnostic statement provides for securely configuring production systems. This includes hardening default configurations and making security-focused setting adjustments to reduce the attack surface, enforce best practices, and protect sensitive data thereby mitigating adversary exploitation."}, {"divider": true}, {"name": "control", "value": "PR.PS-01.02"}, {"name": "comment", "value": "This diagnostic statement provides for limiting unnecessary software, services, ports, protocols, etc. 
Ensuring systems only have installed and enabled what is essential for their operation reduces the attack surface and minimizes vulnerabilities, which mitigates a wide range of techniques."}, {"divider": true}, {"name": "control", "value": "DE.CM-09.01"}, {"name": "comment", "value": "This diagnostic statement protects against Customer Relationship Management Software through the use of verifying integrity of software/firmware, loading software that is trusted, ensuring privileged process integrity and checking software signatures."}, {"divider": true}, {"name": "control", "value": "PR.PS-01.03"}, {"name": "comment", "value": "This diagnostic statement provides protection from Data from Information Repositories: Customer Relationship Management Software through the implementation of security configuration baselines for OS, software, file integrity monitoring and imaging. Security baseline configurations that include data retention policies to periodically archive and/or delete data and integrity checking can help protect against adversaries attempting to leverage information repositories."}, {"divider": true}, {"name": "control", "value": "ID.AM-08.03"}, {"name": "comment", "value": "This diagnostic statement prevents adversaries from leveraging sensitive (PII) data from customer relationship management software by sending phishing emails or targeting organization's customers in ways that enable financial gain. There may be some similarities to NIST 800-53 SI-12 Information Management and Retention. This may provide mitigation of data access/exfiltration techniques."}, {"divider": true}, {"name": "control", "value": "ID.AM-08.05"}, {"name": "comment", "value": "This diagnostic statement prevents adversaries from leveraging sensitive (PII) data from customer relationship management software by sending phishing emails or targeting organization's customers in ways that enable financial gain. 
There may be some similarities to NIST 800-53 SI-12 Information Management and Retention. This may provide mitigation of data access/exfiltration techniques."}, {"divider": true}, {"name": "control", "value": "PR.AA-01.01"}, {"name": "comment", "value": "This diagnostic statement protects against Customer Relationship Management Software through the use of hardened access control policies, secure defaults, password complexity requirements, multifactor authentication requirements, and removal of terminated accounts."}]}, {"techniqueID": "T1213.005", "score": 2, "comment": " Related to: \n \u2022PR.PS-01.01\n\u2022PR.PS-01.02", "metadata": [{"divider": true}, {"name": "control", "value": "PR.PS-01.01"}, {"name": "comment", "value": "This diagnostic statement provides for securely configuring production systems. This includes hardening default configurations and making security-focused setting adjustments to reduce the attack surface, enforce best practices, and protect sensitive data thereby mitigating adversary exploitation."}, {"divider": true}, {"name": "control", "value": "PR.PS-01.02"}, {"name": "comment", "value": "This diagnostic statement provides for limiting unnecessary software, services, ports, protocols, etc. Ensuring systems only have installed and enabled what is essential for their operation reduces the attack surface and minimizes vulnerabilities, which mitigates a wide range of techniques."}]}, {"techniqueID": "T1606.001", "score": 4, "comment": " Related to: \n \u2022PR.PS-01.03\n\u2022DE.CM-03.03\n\u2022PR.PS-01.01\n\u2022PR.PS-01.02", "metadata": [{"divider": true}, {"name": "control", "value": "PR.PS-01.01"}, {"name": "comment", "value": "This diagnostic statement provides for securely configuring production systems. 
This includes hardening default configurations and making security-focused setting adjustments to reduce the attack surface, enforce best practices, and protect sensitive data thereby mitigating adversary exploitation."}, {"divider": true}, {"name": "control", "value": "PR.PS-01.02"}, {"name": "comment", "value": "This diagnostic statement provides for limiting unnecessary software, services, ports, protocols, etc. Ensuring systems only have installed and enabled what is essential for their operation reduces the attack surface and minimizes vulnerabilities, which mitigates a wide range of techniques."}, {"divider": true}, {"name": "control", "value": "DE.CM-03.03"}, {"name": "comment", "value": "This diagnostic statement implements mechanisms and tools to mitigate potential misuse of privileged users and accounts. Continuous monitoring of role and attribute assignments and activity is essential to prevent and detect unauthorized access or misuse."}, {"divider": true}, {"name": "control", "value": "PR.PS-01.03"}, {"name": "comment", "value": "This diagnostic statement provides protection from Web Cookies through the implementation of security configuration baselines for OS, software, file integrity monitoring and imaging. Baseline security configuration including the automated deletion of cookies can help protect against adversaries attempting to compromise and modify software and its configurations."}]}, {"techniqueID": "T1562", "score": 9, "comment": " Related to: \n \u2022DE.CM-09.03\n\u2022PR.PS-01.09\n\u2022PR.PS-01.01\n\u2022PR.AA-01.01\n\u2022PR.AA-05.01\n\u2022PR.AA-01.02\n\u2022PR.PS-01.02\n\u2022PR.AA-05.02\n\u2022PR.PS-01.03", "metadata": [{"divider": true}, {"name": "control", "value": "PR.PS-01.01"}, {"name": "comment", "value": "This diagnostic statement provides for securely configuring production systems. 
This includes hardening default configurations and making security-focused setting adjustments to reduce the attack surface, enforce best practices, and protect sensitive data thereby mitigating adversary exploitation."}, {"divider": true}, {"name": "control", "value": "PR.PS-01.02"}, {"name": "comment", "value": "This diagnostic statement provides for limiting unnecessary software, services, ports, protocols, etc. Ensuring systems only have installed and enabled what is essential for their operation reduces the attack surface and minimizes vulnerabilities, which mitigates a wide range of techniques."}, {"divider": true}, {"name": "control", "value": "PR.AA-05.02"}, {"name": "comment", "value": "This diagnostic statement protects against Impair Defenses through the use of privileged account management and the use of multi-factor authentication."}, {"divider": true}, {"name": "control", "value": "DE.CM-09.03"}, {"name": "comment", "value": "This Diagnostic Statement addresses measures for managing configuration integrity and unauthorized changes that can mitigate risks associated with adversary techniques attempting to make changes to how the hardware, software, and firmware operates."}, {"divider": true}, {"name": "control", "value": "PR.AA-05.01"}, {"name": "comment", "value": "This diagnostic statement describes the implementation of least privilege principle, which can be applied to limiting permissions through role-based access controls, file and directory permissions, and the execution of systems and services. Ensure proper Registry permissions are in place to prevent unnecessary users and adversaries from disabling or interfering with security/logging services."}, {"divider": true}, {"name": "control", "value": "PR.PS-01.03"}, {"name": "comment", "value": "This diagnostic statement provides protection from Impair Defenses through the implementation of security configuration baselines for OS, software, file integrity monitoring and imaging. 
Security baselining and integrity checking can help protect against adversaries attempting to compromise and modify software and its configurations."}, {"divider": true}, {"name": "control", "value": "PR.PS-01.09"}, {"name": "comment", "value": "The diagnostic statement highlights several mechanisms that organizations can implement to protect endpoint systems using virtualization technologies, essentially hypervisor hardening. Hypervisor hardening can limit the ability of virtual machines to disable or modify security tools or configurations within the host system, making it harder for attackers to evade detection."}, {"divider": true}, {"name": "control", "value": "PR.AA-01.02"}, {"name": "comment", "value": "This diagnostic statement describes how the organization ensures users are identified and authenticated before accessing systems, applications, and hardware, with logical access controls permitting access only to authorized individuals with legitimate business needs. Logical access controls in relation to systems can refer to the use of MFA, user account management, and other role-based access control mechanisms to enforce policies for authentication and authorization of user accounts."}, {"divider": true}, {"name": "control", "value": "PR.AA-01.01"}, {"name": "comment", "value": "This diagnostic statement protects against Impair Defenses through the use of hardened access control policies, secure defaults, password complexity requirements, multifactor authentication requirements, and removal of terminated accounts."}]}, {"techniqueID": "T1562.006", "score": 4, "comment": " Related to: \n \u2022PR.PS-01.03\n\u2022PR.AA-01.01\n\u2022PR.PS-01.01\n\u2022PR.PS-01.02", "metadata": [{"divider": true}, {"name": "control", "value": "PR.PS-01.01"}, {"name": "comment", "value": "This diagnostic statement provides for securely configuring production systems. 
This includes hardening default configurations and making security-focused setting adjustments to reduce the attack surface, enforce best practices, and protect sensitive data thereby mitigating adversary exploitation."}, {"divider": true}, {"name": "control", "value": "PR.PS-01.02"}, {"name": "comment", "value": "This diagnostic statement provides for limiting unnecessary software, services, ports, protocols, etc. Ensuring systems only have installed and enabled what is essential for their operation reduces the attack surface and minimizes vulnerabilities, which mitigates a wide range of techniques."}, {"divider": true}, {"name": "control", "value": "PR.PS-01.03"}, {"name": "comment", "value": "This diagnostic statement provides protection from Impair Defenses: Indicator Blocking through the implementation of security configuration baselines for OS, software, file integrity monitoring and imaging. Security baselining and integrity checking can help protect against adversaries attempting to compromise and modify software and its configurations."}, {"divider": true}, {"name": "control", "value": "PR.AA-01.01"}, {"name": "comment", "value": "This diagnostic statement protects against Indicator Blocking through the use of hardened access control policies, secure defaults, password complexity requirements, multifactor authentication requirements, and removal of terminated accounts."}]}, {"techniqueID": "T1562.009", "score": 5, "comment": " Related to: \n \u2022PR.PS-01.01\n\u2022PR.AA-05.01\n\u2022PR.PS-01.02\n\u2022PR.AA-05.02\n\u2022PR.PS-01.03", "metadata": [{"divider": true}, {"name": "control", "value": "PR.PS-01.01"}, {"name": "comment", "value": "This diagnostic statement provides for securely configuring production systems. 
This includes hardening default configurations and making security-focused setting adjustments to reduce the attack surface, enforce best practices, and protect sensitive data thereby mitigating adversary exploitation."}, {"divider": true}, {"name": "control", "value": "PR.PS-01.02"}, {"name": "comment", "value": "This diagnostic statement provides for limiting unnecessary software, services, ports, protocols, etc. Ensuring systems only have installed and enabled what is essential for their operation reduces the attack surface and minimizes vulnerabilities, which mitigates a wide range of techniques."}, {"divider": true}, {"name": "control", "value": "PR.AA-05.02"}, {"name": "comment", "value": "This diagnostic statement protects against Safe Mode Boot through the use of privileged account management and the use of multi-factor authentication."}, {"divider": true}, {"name": "control", "value": "PR.AA-05.01"}, {"name": "comment", "value": "This diagnostic statement describes the implementation of least privilege principle, which can be applied to limiting permissions through role-based access controls, file and directory permissions, and the execution of systems and services. Restrict administrator accounts to as few individuals as possible, following least privilege principles, that may be abused to remotely boot a machine in safe mode."}, {"divider": true}, {"name": "control", "value": "PR.PS-01.03"}, {"name": "comment", "value": "This diagnostic statement provides protection from Impair Defenses: Safe Mode Boot through the implementation of security configuration baselines for OS, software, file integrity monitoring and imaging. 
Security baselining and integrity checking can help protect against adversaries attempting to compromise and modify software and its configurations."}]}, {"techniqueID": "T1562.010", "score": 3, "comment": " Related to: \n \u2022PR.PS-01.03\n\u2022PR.PS-01.01\n\u2022PR.PS-01.02", "metadata": [{"divider": true}, {"name": "control", "value": "PR.PS-01.01"}, {"name": "comment", "value": "This diagnostic statement provides for securely configuring production systems. This includes hardening default configurations and making security-focused setting adjustments to reduce the attack surface, enforce best practices, and protect sensitive data thereby mitigating adversary exploitation."}, {"divider": true}, {"name": "control", "value": "PR.PS-01.02"}, {"name": "comment", "value": "This diagnostic statement provides for limiting unnecessary software, services, ports, protocols, etc. Ensuring systems only have installed and enabled what is essential for their operation reduces the attack surface and minimizes vulnerabilities, which mitigates a wide range of techniques."}, {"divider": true}, {"name": "control", "value": "PR.PS-01.03"}, {"name": "comment", "value": "This diagnostic statement provides protection from Impair Defenses: Downgrade Attack through the implementation of security configuration baselines for OS, software, file integrity monitoring and imaging. Security baselining and integrity checking can help protect against adversaries attempting to compromise and modify software and its configurations."}]}, {"techniqueID": "T1559", "score": 9, "comment": " Related to: \n \u2022PR.PS-05.02\n\u2022PR.PS-01.01\n\u2022PR.IR-01.06\n\u2022PR.PS-06.07\n\u2022PR.PS-06.01\n\u2022PR.AA-05.03\n\u2022PR.PS-01.02\n\u2022PR.AA-05.02\n\u2022PR.PS-01.03", "metadata": [{"divider": true}, {"name": "control", "value": "PR.PS-01.01"}, {"name": "comment", "value": "This diagnostic statement provides for securely configuring production systems. 
This includes hardening default configurations and making security-focused setting adjustments to reduce the attack surface, enforce best practices, and protect sensitive data thereby mitigating adversary exploitation."}, {"divider": true}, {"name": "control", "value": "PR.PS-01.02"}, {"name": "comment", "value": "This diagnostic statement provides for limiting unnecessary software, services, ports, protocols, etc. Ensuring systems only have installed and enabled what is essential for their operation reduces the attack surface and minimizes vulnerabilities, which mitigates a wide range of techniques."}, {"divider": true}, {"name": "control", "value": "PR.AA-05.03"}, {"name": "comment", "value": "This diagnostic statement is for the implementation of security controls for service accounts (i.e., accounts used by systems to access other systems). Set service account access restrictions to grant only the minimum necessary permissions to mitigate abuse of inter-process communication (IPC) mechanisms."}, {"divider": true}, {"name": "control", "value": "PR.PS-06.01"}, {"name": "comment", "value": "This diagnostic statement protects inter-process communication mechanisms from abuse through secure development practices, such as enabling the Hardened Runtime capability when developing applications."}, {"divider": true}, {"name": "control", "value": "PR.AA-05.02"}, {"name": "comment", "value": "This diagnostic statement protects against Inter-Process Communication through the use of privileged account management and the use of multi-factor authentication."}, {"divider": true}, {"name": "control", "value": "PR.PS-01.03"}, {"name": "comment", "value": "This diagnostic statement provides protection from Inter-Process Communication through the implementation of security configuration baselines for OS, software, file integrity monitoring and imaging. 
Security baselining and integrity checking can help protect against adversaries attempting to compromise and modify software and its configurations."}, {"divider": true}, {"name": "control", "value": "PR.PS-05.02"}, {"name": "comment", "value": "Mobile code procedures address specific actions taken to prevent the development, acquisition, and introduction of unacceptable mobile code within organizational systems, including requiring mobile code to be digitally signed by a trusted source."}, {"divider": true}, {"name": "control", "value": "PR.IR-01.06"}, {"name": "comment", "value": "This diagnostic statement provides protections for production environments. Measures such as network segmentation and access control reduce the attack surface, restrict movement by adversaries, and protect critical assets and data from compromise."}, {"divider": true}, {"name": "control", "value": "PR.PS-06.07"}, {"name": "comment", "value": "This diagnostic statement protects against Inter-Process Communication through the use of DevSecOps, secure development lifecycle, and application developer guidance. Exploitable weaknesses can be mitigated through secure code, reduced vulnerabilities, and secure design principles."}]}, {"techniqueID": "T1552", "score": 18, "comment": " Related to: \n \u2022ID.AM-08.05\n\u2022DE.CM-06.02\n\u2022PR.PS-01.07\n\u2022ID.AM-08.03\n\u2022PR.PS-01.01\n\u2022PR.PS-01.05\n\u2022PR.IR-01.06\n\u2022PR.AA-01.01\n\u2022PR.IR-01.01\n\u2022PR.IR-01.03\n\u2022PR.IR-01.05\n\u2022PR.PS-01.06\n\u2022PR.AA-03.01\n\u2022PR.IR-01.02\n\u2022PR.PS-01.02\n\u2022PR.AA-05.02\n\u2022PR.PS-01.03\n\u2022PR.PS-01.08", "metadata": [{"divider": true}, {"name": "control", "value": "PR.PS-01.01"}, {"name": "comment", "value": "This diagnostic statement provides for securely configuring production systems. 
This includes hardening default configurations and making security-focused setting adjustments to reduce the attack surface, enforce best practices, and protect sensitive data thereby mitigating adversary exploitation."}, {"divider": true}, {"name": "control", "value": "PR.PS-01.02"}, {"name": "comment", "value": "This diagnostic statement provides for limiting unnecessary software, services, ports, protocols, etc. Ensuring systems only have installed and enabled what is essential for their operation reduces the attack surface and minimizes vulnerabilities, which mitigates a wide range of techniques."}, {"divider": true}, {"name": "control", "value": "PR.AA-05.02"}, {"name": "comment", "value": "This diagnostic statement protects against Unsecured Credentials through the use of privileged account management and the use of multi-factor authentication."}, {"divider": true}, {"name": "control", "value": "DE.CM-06.02"}, {"name": "comment", "value": "This diagnostic statement protects against Unsecured Credentials through the use of privileged account management. Employing auditing, privilege access management, and just in time access protects against adversaries trying to obtain illicit access to critical systems."}, {"divider": true}, {"name": "control", "value": "PR.PS-01.06"}, {"name": "comment", "value": "This diagnostic statement is associated with employing encryption methods to mitigate unauthorized access or theft of data that protect the confidentiality and integrity of data-at-rest, data-in-use, and data-in-transit. 
When it comes to cryptography and key management standards, for the Unsecured Credentials technique, best practice dictates that when possible, store keys on separate cryptographic hardware instead of on the local system to mitigate data theft of credentials stored in unsecure locations."}, {"divider": true}, {"name": "control", "value": "PR.PS-01.03"}, {"name": "comment", "value": "This diagnostic statement provides protection from Unsecured Credentials through the implementation of security configuration baselines for OS, software, file integrity monitoring and imaging. Security baseline configuration of the Operating System and integrity checking can help protect against adversaries attempting to compromise and elevate privileges."}, {"divider": true}, {"name": "control", "value": "PR.PS-01.07"}, {"name": "comment", "value": "This diagnostic statement protects against Unsecured Credentials through the use of revocation of keys and key management. Employing key protection strategies for key material such as private keys, limitations to specific accounts along with access control mechanisms provides protection against adversaries trying to compromise credentials."}, {"divider": true}, {"name": "control", "value": "ID.AM-08.03"}, {"name": "comment", "value": "This diagnostic statement protects credential data and sensitive PII from being stolen by adversaries. There may be some similarities to NIST 800-53 SI-12 Information Management and Retention. 
This may provide mitigation of data access/exfiltration techniques."}, {"divider": true}, {"name": "control", "value": "PR.AA-03.01"}, {"name": "comment", "value": "This diagnostic statement describes how the organization implements appropriate authentication requirements, including selecting mechanisms based on risk, utilizing multi-factor authentication where necessary, and safeguarding the storage of authenticators like PINs and passwords to protect sensitive access credentials."}, {"divider": true}, {"name": "control", "value": "PR.IR-01.01"}, {"name": "comment", "value": "This diagnostic statement is for the implementation of network segmentation which helps prevent access to critical systems and sensitive information. Employing network filtering, defense-in-depth, and access isolation principles provides protection against adversaries trying to obtain unsecured credentials."}, {"divider": true}, {"name": "control", "value": "PR.IR-01.02"}, {"name": "comment", "value": "This diagnostic statement provides protection through secure network device configurations (e.g., firewall rules, ports, and protocols) aligned to security baselines. Employing restrictions that limit network access and communications with services can prevent adversaries from finding stored credentials."}, {"divider": true}, {"name": "control", "value": "PR.IR-01.03"}, {"name": "comment", "value": "This diagnostic statement protects against Unsecured Credentials through the use of secure network configurations, architecture, implementations of zero trust architecture, and segmentation."}, {"divider": true}, {"name": "control", "value": "PR.IR-01.05"}, {"name": "comment", "value": "This diagnostic statement implements security controls and restrictions for remote user access to systems. 
Remote user access control involves managing and securing how users remotely access systems, such as through encrypted connections and account use policies, which help prevent adversary access."}, {"divider": true}, {"name": "control", "value": "PR.IR-01.06"}, {"name": "comment", "value": "This diagnostic statement provides protections for production environments. Measures such as network segmentation and access control reduce the attack surface, restrict movement by adversaries, and protect critical assets and data from compromise."}, {"divider": true}, {"name": "control", "value": "ID.AM-08.05"}, {"name": "comment", "value": "This diagnostic statement protects credential data and sensitive PII from being stolen from adversaries. There may be some similarities to NIST 800-53 SI-12 Information Management and Retention. This may provide mitigation of data access/exfiltration techniques."}, {"divider": true}, {"name": "control", "value": "PR.AA-01.01"}, {"name": "comment", "value": "This diagnostic statement protects against Unsecured Credentials through the use of hardened access control policies, secure defaults, password complexity requirements, multifactor authentication requirements, and removal of terminated accounts."}, {"divider": true}, {"name": "control", "value": "PR.PS-01.05"}, {"name": "comment", "value": "This diagnostic statement is associated with employing strong encryption methods to mitigate unauthorized access or theft of data that protect the confidentiality and integrity of data-at-rest, data-in-use, and data-in-transit. When it comes to cryptography and key management standards, for the Unsecured Credentials technique, best practice dictates that when possible, store keys on separate cryptographic hardware instead of on the local system to mitigate data theft of credentials stored in unsecure locations. 
"}, {"divider": true}, {"name": "control", "value": "PR.PS-01.08"}, {"name": "comment", "value": "This diagnostic statement protects against Unsecured Credentials through the use of limiting access to resources to only authorized devices, management of personal computing devices, network intrusion prevention, and the use of antimalware."}]}, {"techniqueID": "T1563", "score": 11, "comment": " Related to: \n \u2022DE.CM-06.02\n\u2022PR.IR-01.06\n\u2022PR.AA-01.01\n\u2022PR.IR-01.01\n\u2022PR.IR-01.03\n\u2022PR.IR-01.05\n\u2022PR.AA-01.02\n\u2022PR.AA-05.03\n\u2022PR.AA-05.02\n\u2022PR.PS-01.03\n\u2022PR.PS-01.08", "metadata": [{"divider": true}, {"name": "control", "value": "PR.AA-05.03"}, {"name": "comment", "value": "This diagnostic statement is for the implementation of security controls for service accounts (i.e., accounts used by systems to access other systems), such as granting service accounts only the minimum necessary permissions."}, {"divider": true}, {"name": "control", "value": "PR.AA-05.02"}, {"name": "comment", "value": "This diagnostic statement protects against Remote Service Session Hijacking through the use of privileged account management and the use of multi-factor authentication."}, {"divider": true}, {"name": "control", "value": "DE.CM-06.02"}, {"name": "comment", "value": "This diagnostic statement protects against Remote Service Session Hijacking through the use of privileged account management. Employing auditing, privilege access management, and just in time access protects against adversaries trying to obtain illicit access to critical systems."}, {"divider": true}, {"name": "control", "value": "PR.PS-01.03"}, {"name": "comment", "value": "This diagnostic statement provides protection from Remote Service Session Hijacking through the implementation of security configuration baselines for OS, software, file integrity monitoring and imaging. 
Security baseline configuration of the Operating System and integrity checking can help protect against adversaries attempting to compromise and modify software and its configurations."}, {"divider": true}, {"name": "control", "value": "PR.AA-01.02"}, {"name": "comment", "value": "This diagnostic statement describes how the organization ensures users are identified and authenticated before accessing systems, applications, and hardware, with logical access controls permitting access only to authorized individuals with legitimate business needs. Logical access controls in relation to systems can refer to the use of MFA, user account management, and other role-based access control mechanisms to enforce policies for authentication and authorization of user accounts."}, {"divider": true}, {"name": "control", "value": "PR.IR-01.01"}, {"name": "comment", "value": "This diagnostic statement is for the implementation of network segmentation which helps prevent access to critical systems and sensitive information. Blocking network traffic that is not necessary can mitigate, or at least alleviate, use of remote services to move laterally in an environment."}, {"divider": true}, {"name": "control", "value": "PR.IR-01.03"}, {"name": "comment", "value": "This diagnostic statement protects against Remote Service Session Hijacking through the use of secure network configurations, architecture, implementations of zero trust architecture, and segmentation."}, {"divider": true}, {"name": "control", "value": "PR.IR-01.05"}, {"name": "comment", "value": "This diagnostic statement implements security controls and restrictions for remote user access to systems. 
Remote user access control involves managing and securing how users remotely access systems, such as through encrypted connections and account use policies, which help prevent adversary access."}, {"divider": true}, {"name": "control", "value": "PR.IR-01.06"}, {"name": "comment", "value": "This diagnostic statement provides protections for production environments. Measures such as network segmentation and access control reduce the attack surface, restrict movement by adversaries, and protect critical assets and data from compromise."}, {"divider": true}, {"name": "control", "value": "PR.AA-01.01"}, {"name": "comment", "value": "This diagnostic statement protects against Remote Service Session Hijacking through the use of hardened access control policies, secure defaults, password complexity requirements, multifactor authentication requirements, and removal of terminated accounts."}, {"divider": true}, {"name": "control", "value": "PR.PS-01.08"}, {"name": "comment", "value": "This diagnostic statement protects against Remote Service Session Hijacking through the use of limiting access to resources to only authorized devices, management of personal computing devices, network intrusion prevention, and the use of antimalware."}]}, {"techniqueID": "T1190", "score": 14, "comment": " Related to: \n \u2022DE.CM-06.02\n\u2022PR.PS-06.05\n\u2022PR.PS-01.08\n\u2022PR.PS-01.09\n\u2022PR.PS-05.02\n\u2022ID.RA-01.03\n\u2022PR.PS-02.01\n\u2022DE.CM-03.03\n\u2022PR.IR-01.06\n\u2022PR.IR-01.01\n\u2022PR.AA-05.03\n\u2022PR.AA-05.02\n\u2022EX.DD-04.01\n\u2022PR.PS-06.06", "metadata": [{"divider": true}, {"name": "control", "value": "PR.AA-05.03"}, {"name": "comment", "value": "This diagnostic statement is for the implementation of security controls for service accounts (i.e., accounts used by systems to access other systems). 
Use least privilege for service accounts to limit what permissions the exploited process gets on the rest of the system."}, {"divider": true}, {"name": "control", "value": "PR.AA-05.02"}, {"name": "comment", "value": "This diagnostic statement protects against Exploit Public-Facing Application through the use of privileged account management and the use of multi-factor authentication."}, {"divider": true}, {"name": "control", "value": "DE.CM-06.02"}, {"name": "comment", "value": "This diagnostic statement protects against Exploit Public-Facing Application through the use of privileged account management. Employing auditing, privilege access management, and just in time access protects against adversaries trying to obtain illicit access to critical systems."}, {"divider": true}, {"name": "control", "value": "PR.PS-06.05"}, {"name": "comment", "value": "This particular diagnostic statement highlights the use of software security testing, code integrity verifications, and vulnerability scanning to mitigate security weaknesses and vulnerabilities in developed code or applications that an adversary may be able to take advantage of."}, {"divider": true}, {"name": "control", "value": "ID.RA-01.03"}, {"name": "comment", "value": "This diagnostic statement provides protection from vulnerabilities in exposed applications from across the organization through the use of tools that scan for and review vulnerabilities along with patch management and remediation of those vulnerabilities."}, {"divider": true}, {"name": "control", "value": "PR.PS-02.01"}, {"name": "comment", "value": "This diagnostic statement is related to the implementation of a patch management program. Applying patches and upgrades for products and systems provided by vendors mitigates the risk of adversaries exploiting known vulnerabilities. 
For example, updating software regularly by employing patch management for internal enterprise endpoints and servers can help prevent adversary exploitation of a weakness in an Internet-facing host or system to initially access a network."}, {"divider": true}, {"name": "control", "value": "PR.PS-06.06"}, {"name": "comment", "value": "This diagnostic statement provides for identifying and remediating vulnerabilities as part of the SDLC. Ensuring software is up-to-date with the latest security patches helps prevent adversaries from exploiting known vulnerabilities, reducing the risk of successful attacks."}, {"divider": true}, {"name": "control", "value": "PR.PS-05.02"}, {"name": "comment", "value": "Mobile code procedures address specific actions taken to prevent the development, acquisition, and introduction of unacceptable mobile code within organizational systems, including requiring mobile code to be digitally signed by a trusted source."}, {"divider": true}, {"name": "control", "value": "DE.CM-03.03"}, {"name": "comment", "value": "This diagnostic statement implements mechanisms and tools to mitigate potential misuse of privileged users and accounts. Continuous monitoring of role and attribute assignments and activity is essential to prevent and detect unauthorized access or misuse."}, {"divider": true}, {"name": "control", "value": "EX.DD-04.01"}, {"name": "comment", "value": "This diagnostic statement describes the organization's formal process for evaluating externally-sourced applications, software, and firmware by assessing compatibility, security, integrity, and authenticity before deployment and after major changes. 
For example, requiring vulnerability scanning of third-party-developed applications for common vulnerabilities like SQL injection or cross-site scripting (XSS), including regular scans after major changes to identify newly introduced vulnerabilities."}, {"divider": true}, {"name": "control", "value": "PR.IR-01.01"}, {"name": "comment", "value": "This diagnostic statement is for the implementation of network segmentation which helps prevent access to critical systems and sensitive information. Segment externally facing servers and services to mitigate exploitation of public-facing applications."}, {"divider": true}, {"name": "control", "value": "PR.PS-01.09"}, {"name": "comment", "value": "The diagnostic statement highlights several mechanisms that organizations can implement to protect endpoint systems using virtualization technologies. Virtualization technologies provide a layer of isolation and containment that limits the impact of potential compromises. Application isolation will limit what other processes and system features the exploited target can access, thus aiding with mitigations related to exploiting public-facing applications."}, {"divider": true}, {"name": "control", "value": "PR.IR-01.06"}, {"name": "comment", "value": "This diagnostic statement provides protections for production environments. 
Measures such as network segmentation and access control reduce the attack surface, restrict movement by adversaries, and protect critical assets and data from compromise."}, {"divider": true}, {"name": "control", "value": "PR.PS-01.08"}, {"name": "comment", "value": "This diagnostic statement protects against Exploit Public-Facing Application through the use of limiting access to resources to only authorized devices, management of personal computing devices, network intrusion prevention, and the use of antimalware."}]}, {"techniqueID": "T1543.004", "score": 2, "comment": " Related to: \n \u2022DE.CM-03.03\n\u2022PR.AA-01.01", "metadata": [{"divider": true}, {"name": "control", "value": "DE.CM-03.03"}, {"name": "comment", "value": "This diagnostic statement implements mechanisms and tools to mitigate potential misuse of privileged users and accounts. Continuous monitoring of role and attribute assignments and activity is essential to prevent and detect unauthorized access or misuse."}, {"divider": true}, {"name": "control", "value": "PR.AA-01.01"}, {"name": "comment", "value": "This diagnostic statement protects against Launch Daemon through the use of hardened access control policies, secure defaults, password complexity requirements, multifactor authentication requirements, and removal of terminated accounts."}]}, {"techniqueID": "T1098.004", "score": 5, "comment": " Related to: \n \u2022PR.PS-01.05\n\u2022DE.CM-03.03\n\u2022PR.AA-01.01\n\u2022PR.PS-01.06\n\u2022PR.AA-01.02", "metadata": [{"divider": true}, {"name": "control", "value": "DE.CM-03.03"}, {"name": "comment", "value": "This diagnostic statement implements mechanisms and tools to mitigate potential misuse of privileged users and accounts. 
Continuous monitoring of role and attribute assignments and activity is essential to prevent and detect unauthorized access or misuse."}, {"divider": true}, {"name": "control", "value": "PR.PS-01.06"}, {"name": "comment", "value": "This diagnostic statement is associated with employing encryption methods to mitigate unauthorized access or theft of data that protect the confidentiality and integrity of data-at-rest, data-in-use, and data-in-transit. When it comes to cryptography and key management standards, for the SSH Authorized Keys technique, restricting user and application access to the authorized_keys file can be a mitigating factor for adversaries attempting to modify the SSH authorized_keys file to maintain persistence on a victim host. Linux distributions and macOS commonly use key-based authentication to secure the authentication process of SSH sessions for remote management."}, {"divider": true}, {"name": "control", "value": "PR.AA-01.02"}, {"name": "comment", "value": "This diagnostic statement describes how the organization ensures users are identified and authenticated before accessing systems, applications, and hardware, with logical access controls permitting access only to authorized individuals with legitimate business needs. 
Logical access controls in relation to systems can refer to the use of MFA, user account management, and other role-based access control mechanisms to enforce policies for authentication and authorization of user accounts."}, {"divider": true}, {"name": "control", "value": "PR.AA-01.01"}, {"name": "comment", "value": "This diagnostic statement protects against SSH Authorized Keys through the use of hardened access control policies, secure defaults, password complexity requirements, multifactor authentication requirements, and removal of terminated accounts."}, {"divider": true}, {"name": "control", "value": "PR.PS-01.05"}, {"name": "comment", "value": "This diagnostic statement is associated with employing strong encryption methods to mitigate unauthorized access or theft of data that protect the confidentiality and integrity of data-at-rest, data-in-use, and data-in-transit. When it comes to cryptography and key management standards, for the SSH Authorized Keys technique, restricting user and application access to the authorized_keys file can be a mitigating factor for adversaries attempting to modify the SSH authorized_keys file to maintain persistence on a victim host. Linux distributions and macOS commonly use key-based authentication to secure the authentication process of SSH sessions for remote management. "}]}, {"techniqueID": "T1098.005", "score": 6, "comment": " Related to: \n \u2022PR.PS-01.07\n\u2022DE.CM-03.03\n\u2022PR.AA-01.01\n\u2022PR.AA-02.01\n\u2022PR.AA-05.02\n\u2022PR.AA-03.01", "metadata": [{"divider": true}, {"name": "control", "value": "DE.CM-03.03"}, {"name": "comment", "value": "This diagnostic statement implements mechanisms and tools to mitigate potential misuse of privileged users and accounts. 
Continuous monitoring of role and attribute assignments and activity is essential to prevent and detect unauthorized access or misuse."}, {"divider": true}, {"name": "control", "value": "PR.AA-05.02"}, {"name": "comment", "value": "This diagnostic statement protects against Device Registration through the use of privileged account management and the use of multi-factor authentication."}, {"divider": true}, {"name": "control", "value": "PR.AA-02.01"}, {"name": "comment", "value": "This diagnostic statement provides protection from Account Manipulation through the implementation of privileged account management controls to limit credential access. Employing limitations to specific accounts, access control mechanisms, and auditing the attribution logs provides protection against adversaries attempting to modify accounts."}, {"divider": true}, {"name": "control", "value": "PR.PS-01.07"}, {"name": "comment", "value": "This diagnostic statement protects against Account Manipulation through the use of revocation of keys and key management. 
Employing limitations to specific accounts along with access control mechanisms provides protection against adversaries attempting to register devices."}, {"divider": true}, {"name": "control", "value": "PR.AA-03.01"}, {"name": "comment", "value": "This diagnostic statement describes how the organization implements appropriate authentication requirements, including selecting mechanisms based on risk, utilizing multi-factor authentication where necessary, and safeguarding the storage of authenticators like PINs and passwords to protect sensitive access credentials."}, {"divider": true}, {"name": "control", "value": "PR.AA-01.01"}, {"name": "comment", "value": "This diagnostic statement protects against Device Registration through the use of hardened access control policies, secure defaults, password complexity requirements, multifactor authentication requirements, and removal of terminated accounts."}]}, {"techniqueID": "T1098.007", "score": 1, "comment": " Related to: \n \u2022DE.CM-03.03", "metadata": [{"divider": true}, {"name": "control", "value": "DE.CM-03.03"}, {"name": "comment", "value": "This diagnostic statement implements mechanisms and tools to mitigate potential misuse of privileged users and accounts. 
Continuous monitoring of role and attribute assignments and activity is essential to prevent and detect unauthorized access or misuse."}]}, {"techniqueID": "T1485", "score": 8, "comment": " Related to: \n \u2022PR.PS-01.07\n\u2022PR.IR-03.01\n\u2022PR.DS-11.01\n\u2022PR.IR-04.02\n\u2022PR.PS-01.09\n\u2022ID.IM-02.06\n\u2022PR.AA-01.01\n\u2022PR.AA-05.02", "metadata": [{"divider": true}, {"name": "control", "value": "PR.IR-03.01"}, {"name": "comment", "value": "This diagnostic statement protects against Data Destruction through the use of failsafes, backup facilities, disaster recovery, and resilience strategies including resumption of critical services."}, {"divider": true}, {"name": "control", "value": "PR.AA-05.02"}, {"name": "comment", "value": "This diagnostic statement protects against Data Destruction through the use of privileged account management and the use of multi-factor authentication."}, {"divider": true}, {"name": "control", "value": "PR.DS-11.01"}, {"name": "comment", "value": "This diagnostic statement provides protection from adversaries that may try to destroy data and files on systems or on a network/network resource. Implementing data backup or disaster recovery plan can be used to restore organizational data."}, {"divider": true}, {"name": "control", "value": "PR.PS-01.07"}, {"name": "comment", "value": "This diagnostic statement protects against Data Destruction through the use of revocation of keys and key management used in multi-factor authentication. 
Employing key protection strategies, limitations to specific accounts along with access control mechanisms provides protection against adversaries attempting to destroy data."}, {"divider": true}, {"name": "control", "value": "ID.IM-02.06"}, {"name": "comment", "value": "This diagnostic statement emphasizes the facilitation of data recovery through the implementation of robust data backup strategies, comprehensive disaster recovery plans, and effective business continuity frameworks, specifically designed to address scenarios in which adversaries attempt to destroy data and/or files on systems found within a large network."}, {"divider": true}, {"name": "control", "value": "PR.IR-04.02"}, {"name": "comment", "value": "This diagnostic approach safeguards systems and network resources from adversaries seeking to disrupt availability by destroying data files. Implementing mitigation strategies, such as data backup, enables the restoration of organizational plans and critical information. Additionally, the use of multi-factor authentication serves as an effective measure to restrict unauthorized access to credentials, thereby reducing the risk of data destruction."}, {"divider": true}, {"name": "control", "value": "PR.PS-01.09"}, {"name": "comment", "value": "The diagnostic statement highlights several mitigating controls that organizations can implement to protect endpoint systems using virtualization technologies. Adversaries may destroy data and files on specific systems or in large numbers on a network to interrupt availability to systems, services, and network resources. They may delete virtual machines from on-prem virtualized environments. 
For example, implementing multi-factor authentication (MFA) delete for cloud storage resources, such as AWS S3 buckets, to prevent unauthorized deletion of critical data and infrastructure."}, {"divider": true}, {"name": "control", "value": "PR.AA-01.01"}, {"name": "comment", "value": "This diagnostic statement protects against Data Destruction through the use of hardened access control policies, secure defaults, password complexity requirements, multifactor authentication requirements, and removal of terminated accounts."}]}, {"techniqueID": "T1485.001", "score": 4, "comment": " Related to: \n \u2022PR.IR-03.01\n\u2022PR.AA-01.01\n\u2022ID.IM-02.06\n\u2022PR.DS-11.01", "metadata": [{"divider": true}, {"name": "control", "value": "PR.IR-03.01"}, {"name": "comment", "value": "This diagnostic statement protects against Lifecycle-Triggered Deletion through the use of failsafes, backup facilities, disaster recovery, and resilience strategies including resumption of critical services."}, {"divider": true}, {"name": "control", "value": "PR.DS-11.01"}, {"name": "comment", "value": "This diagnostic statement provides protection from adversaries that may modify the lifecycle policies of a cloud storage bucket to destroy all objects stored within. 
A data backup or disaster recovery plan can be used to restore organizational data."}, {"divider": true}, {"name": "control", "value": "ID.IM-02.06"}, {"name": "comment", "value": "This diagnostic statement emphasizes the facilitation of data recovery through the implementation of robust data backup strategies, comprehensive disaster recovery plans, and effective business continuity frameworks, specifically designed to address scenarios in which adversaries may attempt to modify the policies of cloud storage and the data within it."}, {"divider": true}, {"name": "control", "value": "PR.AA-01.01"}, {"name": "comment", "value": "This diagnostic statement protects against Lifecycle-Triggered Deletion through the use of hardened access control policies, secure defaults, password complexity requirements, multifactor authentication requirements, and removal of terminated accounts."}]}, {"techniqueID": "T1486", "score": 4, "comment": " Related to: \n \u2022PR.IR-03.01\n\u2022PR.IR-04.02\n\u2022ID.IM-02.06\n\u2022PR.DS-11.01", "metadata": [{"divider": true}, {"name": "control", "value": "PR.IR-03.01"}, {"name": "comment", "value": "This diagnostic statement protects against Data Encrypted for Impact through the use of failsafes, backup facilities, disaster recovery, and resilience strategies including resumption of critical services."}, {"divider": true}, {"name": "control", "value": "PR.DS-11.01"}, {"name": "comment", "value": "This diagnostic statement provides protection from adversaries that may encrypt data on target systems in a network to interrupt availability to system and network resources. They can attempt to render stored data inaccessible by encrypting files or data on local and remote drives and withholding access to a decryption key. A data backup or disaster recovery plan can be used to restore organizational data. 
Ensure backups are stored off-system and are protected from common methods adversaries may use to gain access and destroy the backups to prevent recovery."}, {"divider": true}, {"name": "control", "value": "ID.IM-02.06"}, {"name": "comment", "value": "This diagnostic statement emphasizes the facilitation of data recovery through the implementation of robust data backup strategies, comprehensive disaster recovery plans, and effective business continuity frameworks, specifically designed to address scenarios in which adversaries may attempt to encrypt data on target systems using ransomware."}, {"divider": true}, {"name": "control", "value": "PR.IR-04.02"}, {"name": "comment", "value": "This diagnostic approach safeguards systems and network resources from adversaries seeking to disrupt availability by encrypting data on system and network resources. Implementing mitigation strategies, such as data backup, enables the restoration of organizational plans and critical information."}]}, {"techniqueID": "T1491", "score": 2, "comment": " Related to: \n \u2022PR.IR-03.01\n\u2022ID.IM-02.06", "metadata": [{"divider": true}, {"name": "control", "value": "PR.IR-03.01"}, {"name": "comment", "value": "This diagnostic statement protects against Defacement through the use of failsafes, backup facilities, disaster recovery, and resilience strategies including resumption of critical services."}, {"divider": true}, {"name": "control", "value": "ID.IM-02.06"}, {"name": "comment", "value": "This diagnostic statement emphasizes the importance of facilitating data recovery through the implementation of robust data backup strategies, comprehensive disaster recovery plans, and effective business continuity frameworks, aimed at mitigating the risks posed by potential adversarial attempts to compromise or manipulate content within an enterprise network."}]}, {"techniqueID": "T1491.001", "score": 2, "comment": " Related to: \n \u2022PR.IR-03.01\n\u2022ID.IM-02.06", 
"metadata": [{"divider": true}, {"name": "control", "value": "PR.IR-03.01"}, {"name": "comment", "value": "This diagnostic statement protects against Internal Defacement through the use of failsafes, backup facilities, disaster recovery, and resilience strategies including resumption of critical services."}, {"divider": true}, {"name": "control", "value": "ID.IM-02.06"}, {"name": "comment", "value": "This diagnostic statement emphasizes the importance of facilitating data recovery through the implementation of robust data backup strategies, comprehensive disaster recovery plans, and effective business continuity frameworks, aimed at mitigating the risks posed by potential adversarial attempts to compromise or manipulate content internally within an organization's network."}]}, {"techniqueID": "T1491.002", "score": 2, "comment": " Related to: \n \u2022PR.IR-03.01\n\u2022ID.IM-02.06", "metadata": [{"divider": true}, {"name": "control", "value": "PR.IR-03.01"}, {"name": "comment", "value": "This diagnostic statement protects against External Defacement through the use of failsafes, backup facilities, disaster recovery, and resilience strategies including resumption of critical services."}, {"divider": true}, {"name": "control", "value": "ID.IM-02.06"}, {"name": "comment", "value": "This diagnostic statement emphasizes the importance of facilitating data recovery through the implementation of robust data backup strategies, comprehensive disaster recovery plans, and effective business continuity frameworks, aimed at mitigating the risks posed by potential adversarial attempts to compromise or manipulate organization's content and systems externally by targeting users through messages or propaganda."}]}, {"techniqueID": "T1561", "score": 4, "comment": " Related to: \n \u2022PR.IR-03.01\n\u2022PR.IR-04.02\n\u2022ID.IM-02.06\n\u2022PR.DS-11.01", "metadata": [{"divider": true}, {"name": "control", "value": "PR.IR-03.01"}, {"name": "comment", "value": "This diagnostic 
statement protects against Disk Wipe through the use of failsafes, backup facilities, disaster recovery, and resilience strategies including resumption of critical services."}, {"divider": true}, {"name": "control", "value": "PR.DS-11.01"}, {"name": "comment", "value": "This diagnostic statement protects adversaries that can wipe/corrupt raw disk data on systems. Implementing data backup or disaster recovery plan can be used to restore organizational data that adversaries may have attempted to overwrite."}, {"divider": true}, {"name": "control", "value": "ID.IM-02.06"}, {"name": "comment", "value": "This diagnostic statement emphasizes the facilitation of data recovery through the implementation of robust data backup strategies, comprehensive disaster recovery plans, and effective business continuity frameworks, specifically designed to address scenarios in which adversaries attempt to corrupt raw disk data on systems or within networks."}, {"divider": true}, {"name": "control", "value": "PR.IR-04.02"}, {"name": "comment", "value": "This diagnostic approach safeguards systems and network resources from adversaries seeking to disrupt availability by attempting to render stored data on local and remote drives via encryption. 
Implementing mitigation strategies, such as data backup, enables the restoration of organizational plans and critical information."}]}, {"techniqueID": "T1561.001", "score": 4, "comment": " Related to: \n \u2022PR.IR-03.01\n\u2022PR.IR-04.02\n\u2022ID.IM-02.06\n\u2022PR.DS-11.01", "metadata": [{"divider": true}, {"name": "control", "value": "PR.IR-03.01"}, {"name": "comment", "value": "This diagnostic statement protects against Disk Content Wipe through the use of failsafes, backup facilities, disaster recovery, and resilience strategies including resumption of critical services."}, {"divider": true}, {"name": "control", "value": "PR.DS-11.01"}, {"name": "comment", "value": "This diagnostic statement protects adversaries that can wipe/corrupt contents of storage device data. Implementing data backup or disaster recovery plan can be used to restore organizational data that adversaries may have attempted to overwrite."}, {"divider": true}, {"name": "control", "value": "ID.IM-02.06"}, {"name": "comment", "value": "This diagnostic statement emphasizes the facilitation of data recovery through the implementation of robust data backup strategies, comprehensive disaster recovery plans, and effective business continuity frameworks, specifically designed to address scenarios in which adversaries attempt to erase content found on storage devices on systems or within networks."}, {"divider": true}, {"name": "control", "value": "PR.IR-04.02"}, {"name": "comment", "value": "This diagnostic approach safeguards systems and network resources from adversaries seeking to disrupt availability by attempting to erase contents of storage devices on systems and networks. 
Implementing mitigation strategies, such as data backup, enables the restoration of organizational plans and critical information."}]}, {"techniqueID": "T1561.002", "score": 4, "comment": " Related to: \n \u2022PR.IR-03.01\n\u2022PR.IR-04.02\n\u2022ID.IM-02.06\n\u2022PR.DS-11.01", "metadata": [{"divider": true}, {"name": "control", "value": "PR.IR-03.01"}, {"name": "comment", "value": "This diagnostic statement protects against Disk Structure Wipe through the use of failsafes, backup facilities, disaster recovery, and resilience strategies including resumption of critical services."}, {"divider": true}, {"name": "control", "value": "PR.DS-11.01"}, {"name": "comment", "value": "This diagnostic statement protects against adversaries that can wipe/corrupt disk data structures on a hard drive. Implementing a data backup or disaster recovery plan can be used to restore organizational data that adversaries may have attempted to overwrite while targeting critical systems."}, {"divider": true}, {"name": "control", "value": "ID.IM-02.06"}, {"name": "comment", "value": "This diagnostic statement emphasizes the facilitation of data recovery through the implementation of robust data backup strategies, comprehensive disaster recovery plans, and effective business continuity frameworks, specifically designed to address scenarios in which adversaries attempt to erase disk data structures on hard drives or within networks."}, {"divider": true}, {"name": "control", "value": "PR.IR-04.02"}, {"name": "comment", "value": "This diagnostic approach safeguards systems and network resources from adversaries seeking to disrupt availability by attempting to corrupt or wipe the disk data structures on a hard drive. 
Implementing mitigation strategies, such as data backup, enables the restoration of organizational plans and critical information."}]}, {"techniqueID": "T1020", "score": 4, "comment": " Related to: \n \u2022PR.PS-01.07\n\u2022PR.IR-03.01\n\u2022PR.DS-10.01\n\u2022PR.IR-04.01", "metadata": [{"divider": true}, {"name": "control", "value": "PR.IR-03.01"}, {"name": "comment", "value": "This diagnostic statement protects against Automated Exfiltration through the use of failsafes, backup facilities, disaster recovery, and resilience strategies including resumption of critical services."}, {"divider": true}, {"name": "control", "value": "PR.DS-10.01"}, {"name": "comment", "value": "This Diagnostic Statement describes mitigations related to protecting data-in-use, mentioning encryption, access control methods and authentication. Using encryption for data-in-use, alongside other safeguards such as restricting exfiltration of sensitive data, aids in mitigating collection and exfiltration threats."}, {"divider": true}, {"name": "control", "value": "PR.PS-01.07"}, {"name": "comment", "value": "This diagnostic statement protects against Automated Exfiltration through the use of revocation of keys and key management. Employing key protection strategies for key material used in identity management and authentication processes over networks, together with limitations to specific accounts and access control mechanisms, provides protection against automated exfiltration."}, {"divider": true}, {"name": "control", "value": "PR.IR-04.01"}, {"name": "comment", "value": "This diagnostic statement describes how the organization establishes and manages baseline measures of network activity. This is supported by network monitoring tools and other controls that detect events and identify incidents. 
Mitigating mechanisms may include: Data Loss Prevention (DLP); Filtering Network Traffic; Limit Network Traffic; Network Intrusion Prevention Systems (NIPS); and Network Segmentation for these types of network-based techniques."}]}, {"techniqueID": "T1020.001", "score": 9, "comment": " Related to: \n \u2022ID.AM-08.05\n\u2022PR.PS-01.07\n\u2022PR.IR-03.01\n\u2022ID.AM-08.03\n\u2022PR.PS-01.05\n\u2022PR.AA-01.01\n\u2022PR.DS-01.02\n\u2022PR.PS-01.06\n\u2022PR.AA-01.02", "metadata": [{"divider": true}, {"name": "control", "value": "PR.IR-03.01"}, {"name": "comment", "value": "This diagnostic statement protects against Traffic Duplication through the use of failsafes, backup facilities, disaster recovery, and resilience strategies including resumption of critical services."}, {"divider": true}, {"name": "control", "value": "PR.DS-01.02"}, {"name": "comment", "value": "The use of data loss prevention controls may mitigate the techniques related to data leakage and loss from local systems, automated exfiltration, and exfiltration over non-approved services."}, {"divider": true}, {"name": "control", "value": "PR.PS-01.06"}, {"name": "comment", "value": "This diagnostic statement is associated with employing encryption methods to mitigate unauthorized access or theft of data that protect the confidentiality and integrity of data-at-rest, data-in-use, and data-in-transit. To address Automated Exfiltration: Traffic Duplication threats, ensure that all wired and wireless traffic is encrypted appropriately, employs best practices for authentication protocols such as Kerberos, and protects web traffic containing credentials using SSL/TLS."}, {"divider": true}, {"name": "control", "value": "PR.PS-01.07"}, {"name": "comment", "value": "This diagnostic statement protects against Automated Exfiltration: Traffic Duplication through the use of revocation of keys and key management. 
Employing key protection strategies for key material used in identity management and authentication processes over networks, together with limitations to specific accounts and access control mechanisms, provides protection against traffic duplication."}, {"divider": true}, {"name": "control", "value": "ID.AM-08.03"}, {"name": "comment", "value": "This diagnostic statement protects data from being exfiltrated by adversaries via traffic monitoring. There may be some similarities to NIST 800-53 SI-12 Information Management and Retention. This may provide mitigation of data access/exfiltration techniques."}, {"divider": true}, {"name": "control", "value": "PR.AA-01.02"}, {"name": "comment", "value": "This diagnostic statement describes how the organization ensures users are identified and authenticated before accessing systems, applications, and hardware, with logical access controls permitting access only to authorized individuals with legitimate business needs. Logical access controls in relation to systems can refer to the use of MFA, user account management, and other role-based access control mechanisms to enforce policies for authentication and authorization of user accounts."}, {"divider": true}, {"name": "control", "value": "ID.AM-08.05"}, {"name": "comment", "value": "This diagnostic statement protects data from being exfiltrated by adversaries via traffic monitoring. There may be some similarities to NIST 800-53 SI-12 Information Management and Retention. 
This may provide mitigation of data access/exfiltration techniques."}, {"divider": true}, {"name": "control", "value": "PR.AA-01.01"}, {"name": "comment", "value": "This diagnostic statement protects against Traffic Duplication through the use of hardened access control policies, secure defaults, password complexity requirements, multifactor authentication requirements, and removal of terminated accounts."}, {"divider": true}, {"name": "control", "value": "PR.PS-01.05"}, {"name": "comment", "value": "This diagnostic statement is associated with employing strong encryption methods to mitigate unauthorized access or theft of data that protect the confidentiality and integrity of data-at-rest, data-in-use, and data-in-transit. To address Automated Exfiltration: Traffic Duplication threats, ensure that all wired and wireless traffic is encrypted appropriately, employs best practices for authentication protocols such as Kerberos, and protects web traffic containing credentials using SSL/TLS."}]}, {"techniqueID": "T1005", "score": 4, "comment": " Related to: \n \u2022PR.DS-01.01\n\u2022PR.IR-03.01\n\u2022PR.DS-10.01\n\u2022PR.DS-01.02", "metadata": [{"divider": true}, {"name": "control", "value": "PR.IR-03.01"}, {"name": "comment", "value": "This diagnostic statement protects against Data from Local System through the use of failsafes, backup facilities, disaster recovery, and resilience strategies including resumption of critical services."}, {"divider": true}, {"name": "control", "value": "PR.DS-01.01"}, {"name": "comment", "value": "This diagnostic statement focuses on protecting data-at-rest by implementing encryption and other security measures such as sandboxing, authentication, segregation, masking, tokenization, and file integrity monitoring."}, {"divider": true}, {"name": "control", "value": "PR.DS-01.02"}, {"name": "comment", "value": "The use of data loss prevention controls may mitigate the techniques related to data leakage and loss from local systems, 
automated exfiltration, and exfiltration over non-approved services."}, {"divider": true}, {"name": "control", "value": "PR.DS-10.01"}, {"name": "comment", "value": "This Diagnostic Statement describes mitigations related to protecting data-in-use, mentioning encryption, access control methods and authentication. Using encryption for data-in-use, alongside other safeguards such as restricting exfiltration of sensitive data, aids in mitigating collection and exfiltration threats."}]}, {"techniqueID": "T1025", "score": 4, "comment": " Related to: \n \u2022PR.DS-01.03\n\u2022PR.IR-03.01\n\u2022PR.DS-10.01\n\u2022PR.DS-01.02", "metadata": [{"divider": true}, {"name": "control", "value": "PR.IR-03.01"}, {"name": "comment", "value": "This diagnostic statement protects against Data from Removable Media through the use of failsafes, backup facilities, disaster recovery, and resilience strategies including resumption of critical services."}, {"divider": true}, {"name": "control", "value": "PR.DS-01.03"}, {"name": "comment", "value": "This diagnostic statement focuses on restricting the use of removable media devices (e.g., USB drives, CDs, DVDs) to prevent unauthorized access, data leakage, or malicious activity."}, {"divider": true}, {"name": "control", "value": "PR.DS-01.02"}, {"name": "comment", "value": "The use of data loss prevention controls may mitigate the techniques related to data leakage and loss from local systems, automated exfiltration, and exfiltration over non-approved services."}, {"divider": true}, {"name": "control", "value": "PR.DS-10.01"}, {"name": "comment", "value": "This Diagnostic Statement describes mitigations related to protecting data-in-use, mentioning encryption, access control methods and authentication. 
Using encryption for data-in-use, alongside other safeguards such as restricting exfiltration of sensitive data, aids in mitigating collection and exfiltration threats."}]}, {"techniqueID": "T1052", "score": 5, "comment": " Related to: \n \u2022PR.IR-03.01\n\u2022PR.DS-01.02\n\u2022DE.CM-01.04\n\u2022PR.DS-10.01\n\u2022PR.PS-01.08", "metadata": [{"divider": true}, {"name": "control", "value": "PR.IR-03.01"}, {"name": "comment", "value": "This diagnostic statement protects against Exfiltration Over Physical Medium through the use of failsafes, backup facilities, disaster recovery, and resilience strategies including resumption of critical services."}, {"divider": true}, {"name": "control", "value": "DE.CM-01.04"}, {"name": "comment", "value": "This diagnostic statement provides protection from exfiltration of data via a physical medium, such as a removable drive, by using tools to detect and block the use of unauthorized devices."}, {"divider": true}, {"name": "control", "value": "PR.DS-01.02"}, {"name": "comment", "value": "The use of data loss prevention controls may mitigate the techniques related to data leakage and loss from local systems, automated exfiltration, and exfiltration over non-approved services."}, {"divider": true}, {"name": "control", "value": "PR.DS-10.01"}, {"name": "comment", "value": "This Diagnostic Statement describes mitigations related to protecting data-in-use, mentioning encryption, access control methods and authentication. 
Using encryption for data-in-use, alongside other safeguards such as restricting exfiltration of sensitive data, aids in mitigating collection and exfiltration threats."}, {"divider": true}, {"name": "control", "value": "PR.PS-01.08"}, {"name": "comment", "value": "This diagnostic statement protects against Exfiltration Over Physical Medium through the use of limiting access to resources to only authorized devices, management of personal computing devices, network intrusion prevention, and the use of antimalware."}]}, {"techniqueID": "T1052.001", "score": 5, "comment": " Related to: \n \u2022PR.IR-03.01\n\u2022PR.DS-01.02\n\u2022DE.CM-01.04\n\u2022PR.DS-10.01\n\u2022PR.PS-01.08", "metadata": [{"divider": true}, {"name": "control", "value": "PR.IR-03.01"}, {"name": "comment", "value": "This diagnostic statement protects against Exfiltration over USB through the use of failsafes, backup facilities, disaster recovery, and resilience strategies including resumption of critical services."}, {"divider": true}, {"name": "control", "value": "DE.CM-01.04"}, {"name": "comment", "value": "This diagnostic statement provides protection from exfiltration of data via a physical medium, such as a removable drive, by using tools to detect and block the use of unauthorized devices."}, {"divider": true}, {"name": "control", "value": "PR.DS-01.02"}, {"name": "comment", "value": "The use of data loss prevention controls may mitigate the techniques related to data leakage and loss from local systems, automated exfiltration, and exfiltration over non-approved services."}, {"divider": true}, {"name": "control", "value": "PR.DS-10.01"}, {"name": "comment", "value": "This Diagnostic Statement describes mitigations related to protecting data-in-use, mentioning encryption, access control methods and authentication. 
Using encryption for data-in-use, alongside other safeguards such as restricting exfiltration of sensitive data, aids in mitigating collection and exfiltration threats."}, {"divider": true}, {"name": "control", "value": "PR.PS-01.08"}, {"name": "comment", "value": "This diagnostic statement protects against Exfiltration over USB through the use of limiting access to resources to only authorized devices, management of personal computing devices, network intrusion prevention, and the use of antimalware."}]}, {"techniqueID": "T1567", "score": 4, "comment": " Related to: \n \u2022PR.IR-03.01\n\u2022PR.PS-01.09\n\u2022PR.DS-10.01\n\u2022PR.IR-04.01", "metadata": [{"divider": true}, {"name": "control", "value": "PR.IR-03.01"}, {"name": "comment", "value": "This diagnostic statement protects against Exfiltration Over Web Service through the use of failsafes, backup facilities, disaster recovery, and resilience strategies including resumption of critical services."}, {"divider": true}, {"name": "control", "value": "PR.DS-10.01"}, {"name": "comment", "value": "This Diagnostic Statement describes mitigations related to protecting data-in-use, mentioning encryption, access control methods and authentication. Using encryption for data-in-use, alongside other safeguards such as restricting exfiltration of sensitive data, aids in mitigating collection and exfiltration threats."}, {"divider": true}, {"name": "control", "value": "PR.PS-01.09"}, {"name": "comment", "value": "The diagnostic statement highlights several mechanisms that organizations can implement to protect endpoint systems using virtualization technologies, essentially hypervisor hardening. With this technique, adversaries may use an existing VM leveraging a legitimate external Web service to exfiltrate data rather than their primary command and control channel. 
The use of hypervisor application control may detect and block this type of behavior from occurring."}, {"divider": true}, {"name": "control", "value": "PR.IR-04.01"}, {"name": "comment", "value": "This diagnostic statement describes how the organization establishes and manages baseline measures of network activity. This is supported by network monitoring tools and other controls that detect events and identify incidents. Mitigating mechanisms may include: Data Loss Prevention (DLP); Filtering Network Traffic; Limit Network Traffic; Network Intrusion Prevention Systems (NIPS); and Network Segmentation for these types of network-based techniques."}]}, {"techniqueID": "T1567.004", "score": 2, "comment": " Related to: \n \u2022PR.IR-03.01\n\u2022PR.DS-01.02", "metadata": [{"divider": true}, {"name": "control", "value": "PR.IR-03.01"}, {"name": "comment", "value": "This diagnostic statement protects against Exfiltration Over Webhook through the use of failsafes, backup facilities, disaster recovery, and resilience strategies including resumption of critical services."}, {"divider": true}, {"name": "control", "value": "PR.DS-01.02"}, {"name": "comment", "value": "The use of data loss prevention controls may mitigate the techniques related to data leakage and loss from local systems, automated exfiltration, and exfiltration over non-approved services."}]}, {"techniqueID": "T1078.003", "score": 8, "comment": " Related to: \n \u2022DE.CM-06.02\n\u2022PR.PS-01.07\n\u2022DE.CM-03.03\n\u2022PR.AA-01.01\n\u2022PR.PS-06.01\n\u2022PR.AA-01.02\n\u2022PR.AA-05.02\n\u2022PR.AA-03.01", "metadata": [{"divider": true}, {"name": "control", "value": "PR.PS-06.01"}, {"name": "comment", "value": "This diagnostic statement provides for secure system development, which includes ensuring that applications do not store sensitive data or valid account credentials insecurely (e.g., plaintext credentials in code, published credentials in repositories, or credentials in public cloud storage)."}, {"divider": 
true}, {"name": "control", "value": "PR.AA-05.02"}, {"name": "comment", "value": "This diagnostic statement protects against Local Accounts through the use of privileged account management and the use of multi-factor authentication."}, {"divider": true}, {"name": "control", "value": "DE.CM-06.02"}, {"name": "comment", "value": "This diagnostic statement protects against Local Accounts through the use of privileged account management. Employing auditing, privileged access management, and just-in-time access protects against adversaries trying to obtain illicit access to critical systems."}, {"divider": true}, {"name": "control", "value": "PR.PS-01.07"}, {"name": "comment", "value": "This diagnostic statement protects against Valid Accounts: Local Accounts through the use of revocation of keys and key management. Employing key protection strategies for key material used as part of multi-factor authentication for valid accounts, together with limitations to specific accounts and access control mechanisms, provides protection against adversaries attempting to use valid accounts."}, {"divider": true}, {"name": "control", "value": "DE.CM-03.03"}, {"name": "comment", "value": "This diagnostic statement implements mechanisms and tools to mitigate potential misuse of privileged users and accounts. Continuous monitoring of role and attribute assignments and activity is essential to prevent and detect unauthorized access or misuse."}, {"divider": true}, {"name": "control", "value": "PR.AA-01.02"}, {"name": "comment", "value": "This diagnostic statement describes how the organization ensures users are identified and authenticated before accessing systems, applications, and hardware, with logical access controls permitting access only to authorized individuals with legitimate business needs. 
Logical access controls in relation to systems can refer to the use of MFA, user account management, and other role-based access control mechanisms to enforce policies for authentication and authorization of user accounts."}, {"divider": true}, {"name": "control", "value": "PR.AA-03.01"}, {"name": "comment", "value": "This diagnostic statement describes how the organization implements appropriate authentication requirements, including selecting mechanisms based on risk, utilizing multi-factor authentication where necessary, and safeguarding the storage of authenticators like PINs and passwords to protect sensitive access credentials."}, {"divider": true}, {"name": "control", "value": "PR.AA-01.01"}, {"name": "comment", "value": "This diagnostic statement protects against Local Accounts through the use of hardened access control policies, secure defaults, password complexity requirements, multifactor authentication requirements, and removal of terminated accounts."}]}, {"techniqueID": "T1564.009", "score": 2, "comment": " Related to: \n \u2022PR.PS-06.07\n\u2022PR.PS-06.01", "metadata": [{"divider": true}, {"name": "control", "value": "PR.PS-06.01"}, {"name": "comment", "value": "This diagnostic statement protects against Hide Artifacts through the implementation of application security processes and procedures such as installing applications to trusted system folder paths that are already protected by restricted file and directory permissions."}, {"divider": true}, {"name": "control", "value": "PR.PS-06.07"}, {"name": "comment", "value": "This diagnostic statement protects against Resource Forking through the use of DevSecOps, secure development lifecycle, and application developer guidance. 
Exploitable weaknesses can be mitigated through secure code, reduced vulnerabilities, and secure design principles."}]}, {"techniqueID": "T1574", "score": 9, "comment": " Related to: \n \u2022ID.RA-01.03\n\u2022PR.PS-02.01\n\u2022DE.CM-09.01\n\u2022PR.AA-01.01\n\u2022PR.AA-05.01\n\u2022PR.PS-06.07\n\u2022PR.PS-06.01\n\u2022PR.PS-01.03\n\u2022PR.PS-01.08", "metadata": [{"divider": true}, {"name": "control", "value": "PR.PS-06.01"}, {"name": "comment", "value": "This diagnostic statement provides for secure application development processes and procedures, such as including hash values in manifest files to help prevent side-loading of malicious libraries."}, {"divider": true}, {"name": "control", "value": "PR.PS-01.08"}, {"name": "comment", "value": "This diagnostic statement protects endpoints from certain types of behaviors related to process injection/memory tampering through configuration requirements, connection requirements, and other mechanisms to protect network, application, and data integrity."}, {"divider": true}, {"name": "control", "value": "DE.CM-09.01"}, {"name": "comment", "value": "This diagnostic statement protects against Hijack Execution Flow through the use of verifying integrity of software/firmware, loading software that is trusted, ensuring privileged process integrity and checking software signatures."}, {"divider": true}, {"name": "control", "value": "ID.RA-01.03"}, {"name": "comment", "value": "This diagnostic statement provides protection from vulnerabilities in exposed applications from across the organization through the use of tools that scan for and review vulnerabilities along with patch management and remediation of those vulnerabilities."}, {"divider": true}, {"name": "control", "value": "PR.AA-05.01"}, {"name": "comment", "value": "This diagnostic statement describes the implementation of the least privilege principle, which can be applied to limiting permissions through role-based access controls, file and directory permissions, and 
the execution of systems and services. Ensure proper permissions are set for Registry hives to prevent users from modifying keys for logon scripts that may lead to persistence."}, {"divider": true}, {"name": "control", "value": "PR.PS-02.01"}, {"name": "comment", "value": "This diagnostic statement is related to the implementation of a patch management program. Applying patches and upgrades for products and systems provided by vendors mitigates the risk of adversaries exploiting known vulnerabilities. For example, updating software regularly to include patches that fix DLL side-loading vulnerabilities can help mitigate execution of malicious payloads by hijacking execution flow."}, {"divider": true}, {"name": "control", "value": "PR.PS-01.03"}, {"name": "comment", "value": "This diagnostic statement provides protection from Hijack Execution Flow through the implementation of security configuration baselines for OS, software, file integrity monitoring and imaging. Security baseline configuration of the Operating System and integrity checking can help protect against adversaries attempting to compromise and modify software and its configurations."}, {"divider": true}, {"name": "control", "value": "PR.AA-01.01"}, {"name": "comment", "value": "This diagnostic statement protects against Hijack Execution Flow through the use of hardened access control policies, secure defaults, password complexity requirements, multifactor authentication requirements, and removal of terminated accounts."}, {"divider": true}, {"name": "control", "value": "PR.PS-06.07"}, {"name": "comment", "value": "This diagnostic statement protects against Hijack Execution Flow through the use of DevSecOps, secure development lifecycle, and application developer guidance. 
Exploitable weaknesses can be mitigated through secure code, reduced vulnerabilities, and secure design principles."}]}, {"techniqueID": "T1574.002", "score": 3, "comment": " Related to: \n \u2022PR.PS-02.01\n\u2022PR.PS-06.01\n\u2022PR.PS-01.08", "metadata": [{"divider": true}, {"name": "control", "value": "PR.PS-06.01"}, {"name": "comment", "value": "This diagnostic statement provides for secure application development processes and procedures, such as including hash values in manifest files to help prevent side-loading of malicious libraries."}, {"divider": true}, {"name": "control", "value": "PR.PS-01.08"}, {"name": "comment", "value": "This diagnostic statement protects endpoints from certain types of behaviors related to process injection/memory tampering through configuration requirements, connection requirements, and other mechanisms to protect network, application, and data integrity."}, {"divider": true}, {"name": "control", "value": "PR.PS-02.01"}, {"name": "comment", "value": "This diagnostic statement is related to the implementation of a patch management program. Applying patches and upgrades for products and systems provided by vendors mitigates the risk of adversaries exploiting known vulnerabilities. 
For example, applying patches that fix DLL side-loading vulnerabilities mitigates the execution of malicious payloads by side-loading DLLs."}]}, {"techniqueID": "T1559.003", "score": 2, "comment": " Related to: \n \u2022PR.PS-06.07\n\u2022PR.PS-06.01", "metadata": [{"divider": true}, {"name": "control", "value": "PR.PS-06.01"}, {"name": "comment", "value": "This diagnostic statement protects inter-process communication mechanisms from abuse through secure development practices, such as enabling the Hardened Runtime capability when developing applications."}, {"divider": true}, {"name": "control", "value": "PR.PS-06.07"}, {"name": "comment", "value": "This diagnostic statement protects against XPC Services through the use of DevSecOps, secure development lifecycle, and application developer guidance. Exploitable weaknesses can be mitigated through secure code, reduced vulnerabilities, and secure design principles."}]}, {"techniqueID": "T1647", "score": 2, "comment": " Related to: \n \u2022PR.PS-06.07\n\u2022PR.PS-06.01", "metadata": [{"divider": true}, {"name": "control", "value": "PR.PS-06.01"}, {"name": "comment", "value": "This diagnostic statement helps protect the modification of property list files (plist files) through secure development practices, such as enabling hardened runtime."}, {"divider": true}, {"name": "control", "value": "PR.PS-06.07"}, {"name": "comment", "value": "This diagnostic statement protects against Plist File Modification through the use of DevSecOps, secure development lifecycle, and application developer guidance. 
Exploitable weaknesses can be mitigated through secure code, reduced vulnerabilities, and secure design principles."}]}, {"techniqueID": "T1496.003", "score": 2, "comment": " Related to: \n \u2022PR.PS-06.07\n\u2022PR.PS-06.01", "metadata": [{"divider": true}, {"name": "control", "value": "PR.PS-06.01"}, {"name": "comment", "value": "This diagnostic statement provides for secure development practices, such as implementing CAPTCHA protection on forms that send messages via SMS."}, {"divider": true}, {"name": "control", "value": "PR.PS-06.07"}, {"name": "comment", "value": "This diagnostic statement protects against SMS Pumping through the use of DevSecOps, secure development lifecycle, and application developer guidance. Exploitable weaknesses can be mitigated through secure code, reduced vulnerabilities, and secure design principles."}]}, {"techniqueID": "T1593", "score": 2, "comment": " Related to: \n \u2022PR.PS-06.07\n\u2022PR.PS-06.01", "metadata": [{"divider": true}, {"name": "control", "value": "PR.PS-06.01"}, {"name": "comment", "value": "This diagnostic statement provides for the use of secure development processes and procedures. This includes avoiding publishing sensitive information such as credentials and API keys when uploading to public code repositories."}, {"divider": true}, {"name": "control", "value": "PR.PS-06.07"}, {"name": "comment", "value": "This diagnostic statement protects against Search Open Websites/Domains through the use of DevSecOps, secure development lifecycle, and application developer guidance. 
Exploitable weaknesses can be mitigated through secure code, reduced vulnerabilities, and secure design principles."}]}, {"techniqueID": "T1593.003", "score": 3, "comment": " Related to: \n \u2022PR.AA-03.01\n\u2022PR.PS-06.07\n\u2022PR.PS-06.01", "metadata": [{"divider": true}, {"name": "control", "value": "PR.PS-06.01"}, {"name": "comment", "value": "This diagnostic statement provides for the use of secure development processes and procedures. This includes avoiding publishing sensitive information such as credentials and API keys when uploading to public code repositories."}, {"divider": true}, {"name": "control", "value": "PR.AA-03.01"}, {"name": "comment", "value": "This diagnostic statement describes how the organization implements appropriate authentication requirements, including selecting mechanisms based on risk, utilizing multi-factor authentication where necessary, and safeguarding the storage of authenticators like PINs and passwords to protect sensitive access credentials."}, {"divider": true}, {"name": "control", "value": "PR.PS-06.07"}, {"name": "comment", "value": "This diagnostic statement protects against Code Repositories through the use of DevSecOps, secure development lifecycle, and application developer guidance. Exploitable weaknesses can be mitigated through secure code, reduced vulnerabilities, and secure design principles."}]}, {"techniqueID": "T1195", "score": 10, "comment": " Related to: \n \u2022ID.RA-01.03\n\u2022PR.PS-02.01\n\u2022DE.CM-09.01\n\u2022PR.AA-01.01\n\u2022PR.PS-06.07\n\u2022PR.PS-06.01\n\u2022EX.MM-01.01\n\u2022PR.PS-01.03\n\u2022EX.DD-04.01\n\u2022PR.PS-06.06", "metadata": [{"divider": true}, {"name": "control", "value": "PR.PS-06.01"}, {"name": "comment", "value": "This diagnostic statement provides for the use of secure development processes and procedures. 
This includes being cautious when selecting third-party libraries to integrate into applications."}, {"divider": true}, {"name": "control", "value": "DE.CM-09.01"}, {"name": "comment", "value": "This diagnostic statement protects against Supply Chain Compromise through the use of verifying integrity of software/firmware, loading software that is trusted, ensuring privileged process integrity and checking software signatures."}, {"divider": true}, {"name": "control", "value": "ID.RA-01.03"}, {"name": "comment", "value": "This diagnostic statement provides protection from vulnerabilities in exposed applications from across the organization through the use of tools that scan for and review vulnerabilities along with patch management and remediation of those vulnerabilities. Scanning and addressing vulnerabilities in software dependencies can help reduce the attack surface for the organization and protect against adversaries looking for ways to access its systems."}, {"divider": true}, {"name": "control", "value": "PR.PS-02.01"}, {"name": "comment", "value": "This diagnostic statement is related to the implementation of a patch management program. Applying patches and upgrades for products and systems provided by vendors mitigates the risk of adversaries exploiting known vulnerabilities. A patch management process can help prevent supply chain compromise through checking unused dependencies, unmaintained and/or previously vulnerable dependencies, unnecessary features, components, files, and documentation."}, {"divider": true}, {"name": "control", "value": "PR.PS-01.03"}, {"name": "comment", "value": "This diagnostic statement provides protection from Supply Chain Compromise through the implementation of security configuration baselines for OS, software, file integrity monitoring and imaging. 
Ensuring software management security standards can help protect against adversaries attempting to compromise the supply chain."}, {"divider": true}, {"name": "control", "value": "PR.PS-06.06"}, {"name": "comment", "value": "This diagnostic statement provides for identifying and remediating vulnerabilities as part of the SDLC. Continuous monitoring of vulnerability sources and the use of automatic and manual code review tools can mitigate Supply Chain Compromise."}, {"divider": true}, {"name": "control", "value": "EX.DD-04.01"}, {"name": "comment", "value": "This diagnostic statement describes the organization's formal process for evaluating externally-sourced applications, software, and firmware by assessing compatibility, security, integrity, and authenticity before deployment and after major changes. For example, requiring software from external vendors to be signed with valid certificates before deployment to aid in mitigating software supply chain attacks."}, {"divider": true}, {"name": "control", "value": "EX.MM-01.01"}, {"name": "comment", "value": "This diagnostic statement protects against Supply Chain Compromise through the implementation of procedures for management of third party products."}, {"divider": true}, {"name": "control", "value": "PR.AA-01.01"}, {"name": "comment", "value": "This diagnostic statement protects against Supply Chain Compromise through the use of hardened access control policies, secure defaults, password complexity requirements, multifactor authentication requirements, and removal of terminated accounts."}, {"divider": true}, {"name": "control", "value": "PR.PS-06.07"}, {"name": "comment", "value": "This diagnostic statement protects against Supply Chain Compromise through the use of DevSecOps, secure development lifecycle, and application developer guidance. 
Exploitable weaknesses can be mitigated through secure code, reduced vulnerabilities, and secure design principles."}]}, {"techniqueID": "T1550.001", "score": 8, "comment": " Related to: \n \u2022ID.AM-08.05\n\u2022PR.PS-01.07\n\u2022ID.AM-08.03\n\u2022PR.AA-01.01\n\u2022PR.DS-01.01\n\u2022PR.PS-06.07\n\u2022PR.PS-06.01\n\u2022PR.DS-02.01", "metadata": [{"divider": true}, {"name": "control", "value": "PR.PS-06.01"}, {"name": "comment", "value": "This diagnostic statement provides for secure application development, such as implementing token binding strategies to help prevent the malicious use of application access tokens."}, {"divider": true}, {"name": "control", "value": "PR.DS-02.01"}, {"name": "comment", "value": "This diagnostic statement provides protection from adversaries that may bypass the authentication process and use stolen tokens. Various methods should be used to protect data-in-transit, including encryption, password hashing, and tokenization."}, {"divider": true}, {"name": "control", "value": "PR.DS-01.01"}, {"name": "comment", "value": "This diagnostic statement focuses on protecting data-at-rest by implementing encryption and other security measures such as sandboxing, authentication, segregation, masking, tokenization, and file integrity monitoring."}, {"divider": true}, {"name": "control", "value": "PR.PS-01.07"}, {"name": "comment", "value": "This diagnostic statement protects against Application Access Token through the use of revocation of keys and key management. 
Employing key protection strategies for key material such as that used in the generation or protection of application access tokens, together with limitations to specific accounts and access control mechanisms, provides protection against adversaries trying to compromise application access tokens."}, {"divider": true}, {"name": "control", "value": "ID.AM-08.03"}, {"name": "comment", "value": "This diagnostic statement prevents adversaries from being able to steal application access tokens by bypassing regular authentication methods and accessing restricted accounts and user credentials. There may be some similarities to NIST 800-53 SI-12 Information Management and Retention. This may provide mitigation of data access/exfiltration techniques."}, {"divider": true}, {"name": "control", "value": "ID.AM-08.05"}, {"name": "comment", "value": "This diagnostic statement prevents adversaries from being able to steal application access tokens by bypassing regular authentication methods and accessing restricted accounts and user credentials. There may be some similarities to NIST 800-53 SI-12 Information Management and Retention. This may provide mitigation of data access/exfiltration techniques."}, {"divider": true}, {"name": "control", "value": "PR.AA-01.01"}, {"name": "comment", "value": "This diagnostic statement protects against Application Access Token through the use of hardened access control policies, secure defaults, password complexity requirements, multifactor authentication requirements, and removal of terminated accounts."}, {"divider": true}, {"name": "control", "value": "PR.PS-06.07"}, {"name": "comment", "value": "This diagnostic statement protects against Application Access Token through the use of DevSecOps, secure development lifecycle, and application developer guidance. 
Exploitable weaknesses can be mitigated through secure code, reduced vulnerabilities, and secure design principles."}]}, {"techniqueID": "T1195.001", "score": 8, "comment": " Related to: \n \u2022ID.RA-01.03\n\u2022PR.PS-02.01\n\u2022DE.CM-09.01\n\u2022PR.PS-06.07\n\u2022PR.PS-06.01\n\u2022EX.MM-01.01\n\u2022EX.DD-04.01\n\u2022PR.PS-06.06", "metadata": [{"divider": true}, {"name": "control", "value": "PR.PS-06.01"}, {"name": "comment", "value": "This diagnostic statement provides for the use of secure development processes and procedures. This includes being cautious when selecting third-party libraries to integrate into applications."}, {"divider": true}, {"name": "control", "value": "DE.CM-09.01"}, {"name": "comment", "value": "This diagnostic statement protects against Compromise Software Dependencies and Development Tools through the use of verifying integrity of software/firmware, loading software that is trusted, ensuring privileged process integrity and checking software signatures."}, {"divider": true}, {"name": "control", "value": "ID.RA-01.03"}, {"name": "comment", "value": "This diagnostic statement provides protection from vulnerabilities in exposed applications from across the organization through the use of tools that scan for and review vulnerabilities along with patch management and remediation of those vulnerabilities. Scanning and addressing vulnerabilities in software dependencies can help reduce the attack surface for the organization and protect against adversaries looking for ways to access its systems."}, {"divider": true}, {"name": "control", "value": "PR.PS-02.01"}, {"name": "comment", "value": "This diagnostic statement is related to the implementation of a patch management program. Applying patches and upgrades for products and systems provided by vendors mitigates the risk of adversaries exploiting known vulnerabilities. 
A patch management process can help prevent supply chain compromise through checking unused dependencies, unmaintained and/or previously vulnerable dependencies, unnecessary features, components, files, and documentation."}, {"divider": true}, {"name": "control", "value": "PR.PS-06.06"}, {"name": "comment", "value": "This diagnostic statement provides for identifying and remediating vulnerabilities as part of the SDLC. Continuous monitoring of vulnerability sources and the use of automatic and manual code review tools can mitigate Supply Chain Compromise."}, {"divider": true}, {"name": "control", "value": "EX.DD-04.01"}, {"name": "comment", "value": "This diagnostic statement describes the organization's formal process for evaluating externally-sourced applications, software, and firmware by assessing compatibility, security, integrity, and authenticity before deployment and after major changes. For example, requiring software from external vendors to be signed with valid certificates before deployment to aid in mitigating software supply chain attacks."}, {"divider": true}, {"name": "control", "value": "EX.MM-01.01"}, {"name": "comment", "value": "This diagnostic statement protects against Supply Chain Compromise through the implementation of procedures for management of third party products."}, {"divider": true}, {"name": "control", "value": "PR.PS-06.07"}, {"name": "comment", "value": "This diagnostic statement protects against Compromise Software Dependencies and Development Tools through the use of DevSecOps, secure development lifecycle, and application developer guidance. 
Exploitable weaknesses can be mitigated through secure code, reduced vulnerabilities, and secure design principles."}]}, {"techniqueID": "T1574.001", "score": 3, "comment": " Related to: \n \u2022PR.PS-06.07\n\u2022DE.CM-09.01\n\u2022PR.PS-01.08", "metadata": [{"divider": true}, {"name": "control", "value": "PR.PS-01.08"}, {"name": "comment", "value": "This diagnostic statement protects endpoints from certain types of behaviors related to process injection/memory tampering through configuration requirements, connection requirements, and other mechanisms to protect network, application, and data integrity."}, {"divider": true}, {"name": "control", "value": "DE.CM-09.01"}, {"name": "comment", "value": "This diagnostic statement protects against DLL Search Order Hijacking through the use of verifying integrity of software/firmware, loading software that is trusted, ensuring privileged process integrity and checking software signatures."}, {"divider": true}, {"name": "control", "value": "PR.PS-06.07"}, {"name": "comment", "value": "This diagnostic statement protects against DLL Search Order Hijacking through the use of DevSecOps, secure development lifecycle, and application developer guidance. 
Exploitable weaknesses can be mitigated through secure code, reduced vulnerabilities, and secure design principles."}]}, {"techniqueID": "T1574.007", "score": 1, "comment": " Related to: \n \u2022PR.PS-01.08", "metadata": [{"divider": true}, {"name": "control", "value": "PR.PS-01.08"}, {"name": "comment", "value": "This diagnostic statement protects endpoints from certain types of behaviors related to process injection/memory tampering through configuration requirements, connection requirements, and other mechanisms to protect network, application, and data integrity."}]}, {"techniqueID": "T1574.008", "score": 1, "comment": " Related to: \n \u2022PR.PS-01.08", "metadata": [{"divider": true}, {"name": "control", "value": "PR.PS-01.08"}, {"name": "comment", "value": "This diagnostic statement protects endpoints from certain types of behaviors related to process injection/memory tampering through configuration requirements, connection requirements, and other mechanisms to protect network, application, and data integrity."}]}, {"techniqueID": "T1574.009", "score": 1, "comment": " Related to: \n \u2022PR.PS-01.08", "metadata": [{"divider": true}, {"name": "control", "value": "PR.PS-01.08"}, {"name": "comment", "value": "This diagnostic statement protects endpoints from certain types of behaviors related to process injection/memory tampering through configuration requirements, connection requirements, and other mechanisms to protect network, application, and data integrity."}]}, {"techniqueID": "T1574.012", "score": 3, "comment": " Related to: \n \u2022PR.AA-05.01\n\u2022PR.AA-01.01\n\u2022PR.PS-01.08", "metadata": [{"divider": true}, {"name": "control", "value": "PR.PS-01.08"}, {"name": "comment", "value": "This diagnostic statement protects endpoints from certain types of behaviors related to process injection/memory tampering through configuration requirements, connection requirements, and other mechanisms to protect network, application, and data integrity."}, 
{"divider": true}, {"name": "control", "value": "PR.AA-05.01"}, {"name": "comment", "value": "This diagnostic statement describes the implementation of least privilege principle, which can be applied to limiting permissions through role-based access controls, file and directory permissions, and the execution of systems and services. Ensure proper permissions are set for Registry hives to prevent users from modifying keys associated with COR_PROFILER."}, {"divider": true}, {"name": "control", "value": "PR.AA-01.01"}, {"name": "comment", "value": "This diagnostic statement protects against COR_PROFILER through the use of hardened access control policies, secure defaults, password complexity requirements, multifactor authentication requirements, and removal of terminated accounts."}]}, {"techniqueID": "T1574.013", "score": 1, "comment": " Related to: \n \u2022PR.PS-01.08", "metadata": [{"divider": true}, {"name": "control", "value": "PR.PS-01.08"}, {"name": "comment", "value": "This diagnostic statement protects endpoints from certain types of behaviors related to process injection/memory tampering through configuration requirements, connection requirements, and other mechanisms to protect network, application, and data integrity."}]}, {"techniqueID": "T1003.006", "score": 3, "comment": " Related to: \n \u2022PR.AA-05.02\n\u2022DE.CM-06.02\n\u2022PR.AA-01.01", "metadata": [{"divider": true}, {"name": "control", "value": "PR.AA-05.02"}, {"name": "comment", "value": "This diagnostic statement protects against DCSync through the use of privileged account management and the use of multi-factor authentication."}, {"divider": true}, {"name": "control", "value": "DE.CM-06.02"}, {"name": "comment", "value": "This diagnostic statement protects against DCSync through the use of privileged account management. 
Employing auditing, privilege access management, and just in time access protects against adversaries trying to obtain illicit access to critical systems."}, {"divider": true}, {"name": "control", "value": "PR.AA-01.01"}, {"name": "comment", "value": "This diagnostic statement protects against DCSync through the use of hardened access control policies, secure defaults, password complexity requirements, multifactor authentication requirements, and removal of terminated accounts."}]}, {"techniqueID": "T1003.007", "score": 3, "comment": " Related to: \n \u2022PR.AA-05.02\n\u2022DE.CM-06.02\n\u2022PR.AA-01.01", "metadata": [{"divider": true}, {"name": "control", "value": "PR.AA-05.02"}, {"name": "comment", "value": "This diagnostic statement protects against Proc Filesystem through the use of privileged account management and the use of multi-factor authentication."}, {"divider": true}, {"name": "control", "value": "DE.CM-06.02"}, {"name": "comment", "value": "This diagnostic statement protects against Proc Filesystem through the use of privileged account management. 
Employing auditing, privilege access management, and just in time access protects against adversaries trying to obtain illicit access to critical systems."}, {"divider": true}, {"name": "control", "value": "PR.AA-01.01"}, {"name": "comment", "value": "This diagnostic statement protects against Proc Filesystem through the use of hardened access control policies, secure defaults, password complexity requirements, multifactor authentication requirements, and removal of terminated accounts."}]}, {"techniqueID": "T1003.008", "score": 3, "comment": " Related to: \n \u2022PR.AA-05.02\n\u2022DE.CM-06.02\n\u2022PR.AA-01.01", "metadata": [{"divider": true}, {"name": "control", "value": "PR.AA-05.02"}, {"name": "comment", "value": "This diagnostic statement protects against /etc/passwd and /etc/shadow through the use of privileged account management and the use of multi-factor authentication."}, {"divider": true}, {"name": "control", "value": "DE.CM-06.02"}, {"name": "comment", "value": "This diagnostic statement protects against /etc/passwd and /etc/shadow through the use of privileged account management. 
Employing auditing, privilege access management, and just in time access protects against adversaries trying to obtain illicit access to critical systems."}, {"divider": true}, {"name": "control", "value": "PR.AA-01.01"}, {"name": "comment", "value": "This diagnostic statement protects against /etc/passwd and /etc/shadow through the use of hardened access control policies, secure defaults, password complexity requirements, multifactor authentication requirements, and removal of terminated accounts."}]}, {"techniqueID": "T1040", "score": 12, "comment": " Related to: \n \u2022ID.AM-08.05\n\u2022PR.PS-01.07\n\u2022PR.IR-01.04\n\u2022ID.AM-08.03\n\u2022PR.PS-01.05\n\u2022PR.AA-01.01\n\u2022PR.IR-01.01\n\u2022PR.DS-02.01\n\u2022PR.DS-01.01\n\u2022PR.PS-01.06\n\u2022PR.AA-05.02\n\u2022PR.DS-10.01", "metadata": [{"divider": true}, {"name": "control", "value": "PR.AA-05.02"}, {"name": "comment", "value": "This diagnostic statement protects against Network Sniffing through the use of privileged account management and the use of multi-factor authentication."}, {"divider": true}, {"name": "control", "value": "PR.DS-02.01"}, {"name": "comment", "value": "This diagnostic statement prevents adversaries from being able to access data in transit over networks. Encrypting information and files, using best practices for authentication protocols such as Kerberos, and ensuring that web traffic that may contain credentials is protected by SSL/TLS reduce what a sniffer can recover."}, {"divider": true}, {"name": "control", "value": "PR.DS-01.01"}, {"name": "comment", "value": "This diagnostic statement focuses on protecting data-at-rest by implementing encryption and other security measures such as sandboxing, authentication, segregation, masking, tokenization, and file integrity monitoring."}, {"divider": true}, {"name": "control", "value": "PR.DS-10.01"}, {"name": "comment", "value": "This diagnostic statement describes mitigations related to protecting data-in-use, mentioning encryption, access control methods and authentication. 
Using encryption for data-in-use, alongside other safeguards such as restricting exfiltration of sensitive data, aids in mitigating collection and exfiltration threats."}, {"divider": true}, {"name": "control", "value": "PR.PS-01.06"}, {"name": "comment", "value": "This diagnostic statement is associated with employing encryption methods to mitigate unauthorized access or theft of data that protect the confidentiality and integrity of data-at-rest, data-in-use, and data-in-transit. To address threats of network sniffing, ensure that all wired and/or wireless traffic is encrypted appropriately. Use best practices for authentication protocols, such as Kerberos, and ensure web traffic that may contain credentials is protected by SSL/TLS."}, {"divider": true}, {"name": "control", "value": "PR.PS-01.07"}, {"name": "comment", "value": "This diagnostic statement protects against Network Sniffing through the use of revocation of keys and key management. Employing key protection strategies for key material used in identity management and authentication processes transmitted over networks, together with limitations to specific accounts and access control mechanisms, provides protection against adversaries attempting to use network sniffing."}, {"divider": true}, {"name": "control", "value": "ID.AM-08.03"}, {"name": "comment", "value": "This diagnostic statement protects data from being easily manipulated by adversaries due to network sniffing while authentication material is being passed over networks. There may be some similarities to NIST 800-53 SI-12 Information Management and Retention. This may provide mitigation of data access/exfiltration techniques."}, {"divider": true}, {"name": "control", "value": "PR.IR-01.01"}, {"name": "comment", "value": "This diagnostic statement is for the implementation of network segmentation which helps prevent access to critical systems and sensitive information. 
Employing measures such as denying direct access of broadcasts and multicast sniffing can prevent network sniffing attacks."}, {"divider": true}, {"name": "control", "value": "PR.IR-01.04"}, {"name": "comment", "value": "This diagnostic statement provides protections for wireless networks. Implementation of wireless network management measures such as network segmentation and access controls reduces the attack surface, restricts movement by adversaries, and protects data from compromise."}, {"divider": true}, {"name": "control", "value": "ID.AM-08.05"}, {"name": "comment", "value": "This diagnostic statement protects data from being easily manipulated by adversaries due to network sniffing while authentication material is being passed over networks. There may be some similarities to NIST 800-53 SI-12 Information Management and Retention. This may provide mitigation of data access/exfiltration techniques."}, {"divider": true}, {"name": "control", "value": "PR.AA-01.01"}, {"name": "comment", "value": "This diagnostic statement protects against Network Sniffing through the use of hardened access control policies, secure defaults, password complexity requirements, multifactor authentication requirements, and removal of terminated accounts."}, {"divider": true}, {"name": "control", "value": "PR.PS-01.05"}, {"name": "comment", "value": "This diagnostic statement is associated with employing strong encryption methods to mitigate unauthorized access or theft of data that protect the confidentiality and integrity of data-at-rest, data-in-use, and data-in-transit. To address threats of network sniffing, ensure that all wired and/or wireless traffic is encrypted appropriately. 
Use best practices for authentication protocols, such as Kerberos, and ensure web traffic that may contain credentials is protected by SSL/TLS."}]}, {"techniqueID": "T1047", "score": 6, "comment": " Related to: \n \u2022DE.CM-06.02\n\u2022PR.PS-05.02\n\u2022DE.CM-03.03\n\u2022PR.AA-01.01\n\u2022PR.AA-01.02\n\u2022PR.AA-05.02", "metadata": [{"divider": true}, {"name": "control", "value": "PR.AA-05.02"}, {"name": "comment", "value": "This diagnostic statement protects against Windows Management Instrumentation through the use of privileged account management and the use of multi-factor authentication."}, {"divider": true}, {"name": "control", "value": "DE.CM-06.02"}, {"name": "comment", "value": "This diagnostic statement protects against Windows Management Instrumentation through the use of privileged account management. Employing auditing, privilege access management, and just in time access protects against adversaries trying to obtain illicit access to critical systems."}, {"divider": true}, {"name": "control", "value": "PR.PS-05.02"}, {"name": "comment", "value": "Mobile code procedures address specific actions taken to prevent the development, acquisition, and introduction of unacceptable mobile code within organizational systems, including requiring mobile code to be digitally signed by a trusted source."}, {"divider": true}, {"name": "control", "value": "DE.CM-03.03"}, {"name": "comment", "value": "This diagnostic statement implements mechanisms and tools to mitigate potential misuse of privileged users and accounts. 
Continuous monitoring of role and attribute assignments and activity is essential to prevent and detect unauthorized access or misuse."}, {"divider": true}, {"name": "control", "value": "PR.AA-01.02"}, {"name": "comment", "value": "This diagnostic statement describes how the organization ensures users are identified and authenticated before accessing systems, applications, and hardware, with logical access controls permitting access only to authorized individuals with legitimate business needs. Logical access controls in relation to systems can refer to the use of MFA, user account management, and other role-based access control mechanisms to enforce policies for authentication and authorization of user accounts."}, {"divider": true}, {"name": "control", "value": "PR.AA-01.01"}, {"name": "comment", "value": "This diagnostic statement protects against Windows Management Instrumentation through the use of hardened access control policies, secure defaults, password complexity requirements, multifactor authentication requirements, and removal of terminated accounts."}]}, {"techniqueID": "T1053.006", "score": 3, "comment": " Related to: \n \u2022PR.AA-05.02\n\u2022DE.CM-03.03\n\u2022PR.AA-01.01", "metadata": [{"divider": true}, {"name": "control", "value": "PR.AA-05.02"}, {"name": "comment", "value": "This diagnostic statement protects against Systemd Timers through the use of privileged account management and the use of multi-factor authentication."}, {"divider": true}, {"name": "control", "value": "DE.CM-03.03"}, {"name": "comment", "value": "This diagnostic statement implements mechanisms and tools to mitigate potential misuse of privileged users and accounts. 
Continuous monitoring of role and attribute assignments and activity is essential to prevent and detect unauthorized access or misuse."}, {"divider": true}, {"name": "control", "value": "PR.AA-01.01"}, {"name": "comment", "value": "This diagnostic statement protects against Systemd Timers through the use of hardened access control policies, secure defaults, password complexity requirements, multifactor authentication requirements, and removal of terminated accounts."}]}, {"techniqueID": "T1053.007", "score": 3, "comment": " Related to: \n \u2022PR.AA-05.02\n\u2022DE.CM-03.03\n\u2022PR.AA-01.01", "metadata": [{"divider": true}, {"name": "control", "value": "PR.AA-05.02"}, {"name": "comment", "value": "This diagnostic statement protects against Container Orchestration Job through the use of privileged account management and the use of multi-factor authentication."}, {"divider": true}, {"name": "control", "value": "DE.CM-03.03"}, {"name": "comment", "value": "This diagnostic statement implements mechanisms and tools to mitigate potential misuse of privileged users and accounts. 
Continuous monitoring of role and attribute assignments and activity is essential to prevent and detect unauthorized access or misuse."}, {"divider": true}, {"name": "control", "value": "PR.AA-01.01"}, {"name": "comment", "value": "This diagnostic statement protects against Container Orchestration Job through the use of hardened access control policies, secure defaults, password complexity requirements, multifactor authentication requirements, and removal of terminated accounts."}]}, {"techniqueID": "T1056", "score": 1, "comment": " Related to: \n \u2022PR.AA-05.02", "metadata": [{"divider": true}, {"name": "control", "value": "PR.AA-05.02"}, {"name": "comment", "value": "This diagnostic statement protects against Input Capture through the use of privileged account management and the use of multi-factor authentication."}]}, {"techniqueID": "T1056.003", "score": 2, "comment": " Related to: \n \u2022PR.AA-05.02\n\u2022DE.CM-06.02", "metadata": [{"divider": true}, {"name": "control", "value": "PR.AA-05.02"}, {"name": "comment", "value": "This diagnostic statement protects against Web Portal Capture through the use of privileged account management and the use of multi-factor authentication."}, {"divider": true}, {"name": "control", "value": "DE.CM-06.02"}, {"name": "comment", "value": "This diagnostic statement protects against Web Portal Capture through the use of privileged account management. 
Employing auditing, privilege access management, and just in time access protects against adversaries trying to obtain illicit access to critical systems."}]}, {"techniqueID": "T1059.008", "score": 6, "comment": " Related to: \n \u2022DE.CM-06.02\n\u2022PR.IR-01.06\n\u2022PR.AA-01.01\n\u2022PR.AA-01.02\n\u2022PR.AA-05.02\n\u2022PR.AA-03.01", "metadata": [{"divider": true}, {"name": "control", "value": "PR.AA-05.02"}, {"name": "comment", "value": "This diagnostic statement protects against Network Device CLI through the use of privileged account management and the use of multi-factor authentication."}, {"divider": true}, {"name": "control", "value": "DE.CM-06.02"}, {"name": "comment", "value": "This diagnostic statement protects against Network Device CLI through the use of privileged account management. Employing auditing, privilege access management, and just in time access protects against adversaries trying to obtain illicit access to critical systems."}, {"divider": true}, {"name": "control", "value": "PR.AA-01.02"}, {"name": "comment", "value": "This diagnostic statement describes how the organization ensures users are identified and authenticated before accessing systems, applications, and hardware, with logical access controls permitting access only to authorized individuals with legitimate business needs. 
Logical access controls in relation to systems can refer to the use of MFA, user account management, and other role-based access control mechanisms to enforce policies for authentication and authorization of user accounts."}, {"divider": true}, {"name": "control", "value": "PR.AA-03.01"}, {"name": "comment", "value": "This diagnostic statement describes how the organization implements appropriate authentication requirements, including selecting mechanisms based on risk, utilizing multi-factor authentication where necessary, and safeguarding the storage of authenticators like PINs and passwords to protect sensitive access credentials."}, {"divider": true}, {"name": "control", "value": "PR.IR-01.06"}, {"name": "comment", "value": "This diagnostic statement provides protections for production environments. Measures such as network segmentation and access control reduce the attack surface, restrict movement by adversaries, and protect critical assets and data from compromise."}, {"divider": true}, {"name": "control", "value": "PR.AA-01.01"}, {"name": "comment", "value": "This diagnostic statement protects against Network Device CLI through the use of hardened access control policies, secure defaults, password complexity requirements, multifactor authentication requirements, and removal of terminated accounts."}]}, {"techniqueID": "T1059.009", "score": 3, "comment": " Related to: \n \u2022PR.AA-05.02\n\u2022DE.CM-06.02\n\u2022PR.IR-01.06", "metadata": [{"divider": true}, {"name": "control", "value": "PR.AA-05.02"}, {"name": "comment", "value": "This diagnostic statement protects against Cloud API through the use of privileged account management and the use of multi-factor authentication."}, {"divider": true}, {"name": "control", "value": "DE.CM-06.02"}, {"name": "comment", "value": "This diagnostic statement protects against Cloud API through the use of privileged account management. 
Employing auditing, privilege access management, and just in time access protects against adversaries trying to obtain illicit access to critical systems."}, {"divider": true}, {"name": "control", "value": "PR.IR-01.06"}, {"name": "comment", "value": "This diagnostic statement provides protections for production environments. Measures such as network segmentation and access control reduce the attack surface, restrict movement by adversaries, and protect critical assets and data from compromise."}]}, {"techniqueID": "T1072", "score": 12, "comment": " Related to: \n \u2022DE.CM-06.02\n\u2022PR.PS-01.07\n\u2022ID.RA-01.03\n\u2022PR.PS-02.01\n\u2022DE.CM-03.03\n\u2022PR.IR-01.06\n\u2022PR.IR-01.01\n\u2022PR.AA-01.01\n\u2022PR.AA-01.02\n\u2022PR.AA-05.02\n\u2022PR.AA-03.01\n\u2022EX.DD-04.01", "metadata": [{"divider": true}, {"name": "control", "value": "PR.AA-05.02"}, {"name": "comment", "value": "This diagnostic statement protects against Software Deployment Tools through the use of privileged account management and the use of multi-factor authentication."}, {"divider": true}, {"name": "control", "value": "DE.CM-06.02"}, {"name": "comment", "value": "This diagnostic statement protects against Software Deployment Tools through the use of privileged account management. Employing auditing, privilege access management, and just in time access protects against adversaries trying to obtain illicit access to critical systems."}, {"divider": true}, {"name": "control", "value": "ID.RA-01.03"}, {"name": "comment", "value": "This diagnostic statement provides protection from vulnerabilities in exposed applications from across the organization through the use of tools that scan for and review vulnerabilities along with patch management and remediation of those vulnerabilities."}, {"divider": true}, {"name": "control", "value": "PR.PS-02.01"}, {"name": "comment", "value": "This diagnostic statement is related to the implementation of a patch management program. 
Applying patches and upgrades for products and systems provided by vendors mitigates the risk of adversaries exploiting known vulnerabilities. Patching software deployment tools and systems regularly helps prevent potential remote access through Exploitation for Privilege Escalation."}, {"divider": true}, {"name": "control", "value": "PR.PS-01.07"}, {"name": "comment", "value": "This diagnostic statement protects against Software Deployment Tools through the use of revocation of keys and key management. Employing key protection strategies for key material used in software deployment tools including signing, limitations to specific accounts along with access control mechanisms provides protection against adversaries attempting to misuse software deployment tools."}, {"divider": true}, {"name": "control", "value": "DE.CM-03.03"}, {"name": "comment", "value": "This diagnostic statement implements mechanisms and tools to mitigate potential misuse of privileged users and accounts. Continuous monitoring of role and attribute assignments and activity is essential to prevent and detect unauthorized access or misuse."}, {"divider": true}, {"name": "control", "value": "EX.DD-04.01"}, {"name": "comment", "value": "This diagnostic statement describes the organization's formal process for evaluating externally-sourced applications, software, and firmware by assessing compatibility, security, integrity, and authenticity before deployment and after major changes. For example, requiring software from external vendors to be signed with valid certificates before deployment to aid in mitigating software supply chain attacks."}, {"divider": true}, {"name": "control", "value": "PR.AA-01.02"}, {"name": "comment", "value": "This diagnostic statement describes how the organization ensures users are identified and authenticated before accessing systems, applications, and hardware, with logical access controls permitting access only to authorized individuals with legitimate business needs. 
Logical access controls in relation to systems can refer to the use of MFA, user account management, and other role-based access control mechanisms to enforce policies for authentication and authorization of user accounts."}, {"divider": true}, {"name": "control", "value": "PR.AA-03.01"}, {"name": "comment", "value": "This diagnostic statement describes how the organization implements appropriate authentication requirements, including selecting mechanisms based on risk, utilizing multi-factor authentication where necessary, and safeguarding the storage of authenticators like PINs and passwords to protect sensitive access credentials."}, {"divider": true}, {"name": "control", "value": "PR.IR-01.01"}, {"name": "comment", "value": "This diagnostic statement is for the implementation of network segmentation which helps prevent access to critical systems and sensitive information. The permissions required for execution of this technique vary by system configuration. Employing proper system isolation can protect critical network systems from potential exploitation."}, {"divider": true}, {"name": "control", "value": "PR.IR-01.06"}, {"name": "comment", "value": "This diagnostic statement provides protections for production environments. 
Measures such as network segmentation and access control reduce the attack surface, restrict movement by adversaries, and protect critical assets and data from compromise."}, {"divider": true}, {"name": "control", "value": "PR.AA-01.01"}, {"name": "comment", "value": "This diagnostic statement protects against Software Deployment Tools through the use of hardened access control policies, secure defaults, password complexity requirements, multifactor authentication requirements, and removal of terminated accounts."}]}, {"techniqueID": "T1110.002", "score": 4, "comment": " Related to: \n \u2022PR.AA-05.02\n\u2022PR.PS-01.07\n\u2022PR.AA-03.01\n\u2022PR.AA-01.01", "metadata": [{"divider": true}, {"name": "control", "value": "PR.AA-05.02"}, {"name": "comment", "value": "This diagnostic statement protects against Password Cracking through the use of privileged account management and the use of multi-factor authentication."}, {"divider": true}, {"name": "control", "value": "PR.PS-01.07"}, {"name": "comment", "value": "This diagnostic statement protects against Brute Force through the use of revocation of keys and key management. 
Employing limitations to specific accounts along with access control mechanisms provides protection against adversaries attempting to brute force credentials."}, {"divider": true}, {"name": "control", "value": "PR.AA-03.01"}, {"name": "comment", "value": "This diagnostic statement describes how the organization implements appropriate authentication requirements, including selecting mechanisms based on risk, utilizing multi-factor authentication where necessary, and safeguarding the storage of authenticators like PINs and passwords to protect sensitive access credentials."}, {"divider": true}, {"name": "control", "value": "PR.AA-01.01"}, {"name": "comment", "value": "This diagnostic statement protects against Password Cracking through the use of hardened access control policies, secure defaults, password complexity requirements, multifactor authentication requirements, and removal of terminated accounts."}]}, {"techniqueID": "T1114", "score": 9, "comment": " Related to: \n \u2022ID.AM-08.05\n\u2022PR.PS-01.07\n\u2022ID.AM-08.03\n\u2022PR.PS-01.05\n\u2022PR.AA-03.03\n\u2022PR.AA-01.01\n\u2022PR.PS-01.06\n\u2022PR.AA-05.02\n\u2022PR.AA-03.01", "metadata": [{"divider": true}, {"name": "control", "value": "PR.AA-05.02"}, {"name": "comment", "value": "This diagnostic statement protects against Email Collection through the use of privileged account management and the use of multi-factor authentication."}, {"divider": true}, {"name": "control", "value": "PR.AA-03.03"}, {"name": "comment", "value": "This diagnostic statement provides protection from adversaries that try to gain sensitive information and data from users via email. 
Utilizing methods such as MFA is recommended to minimize the risk of adversaries collecting usernames and passwords."}, {"divider": true}, {"name": "control", "value": "PR.PS-01.06"}, {"name": "comment", "value": "This diagnostic statement is associated with employing encryption methods to mitigate unauthorized access or theft of data that protect the confidentiality and integrity of data-at-rest, data-in-use, and data-in-transit. To address threats to email collection, the use of encryption provides an added layer of security to sensitive information sent over email. Encryption using public key cryptography requires the adversary to obtain the private certificate along with an encryption key to decrypt messages."}, {"divider": true}, {"name": "control", "value": "PR.PS-01.07"}, {"name": "comment", "value": "This diagnostic statement protects against Email Collection through the use of revocation of keys and key management. Employing key protection strategies such as ensuring proper encryption methods and key management for those used in email along with policies for sending cryptographic material over email, limitations to specific accounts along with access control mechanisms provides protection against adversaries attempting to glean credentials from emails."}, {"divider": true}, {"name": "control", "value": "ID.AM-08.03"}, {"name": "comment", "value": "This diagnostic statement protects credential data and sensitive PII found in emails from being stolen by adversaries. There may be some similarities to NIST 800-53 SI-12 Information Management and Retention. 
This may provide mitigation of data access/exfiltration techniques."}, {"divider": true}, {"name": "control", "value": "PR.AA-03.01"}, {"name": "comment", "value": "This diagnostic statement describes how the organization implements appropriate authentication requirements, including selecting mechanisms based on risk, utilizing multi-factor authentication where necessary, and safeguarding the storage of authenticators like PINs and passwords to protect sensitive access credentials."}, {"divider": true}, {"name": "control", "value": "ID.AM-08.05"}, {"name": "comment", "value": "This diagnostic statement protects credential data and sensitive PII found in emails from being stolen by adversaries. There may be some similarities to NIST 800-53 SI-12 Information Management and Retention. This may provide mitigation of data access/exfiltration techniques."}, {"divider": true}, {"name": "control", "value": "PR.AA-01.01"}, {"name": "comment", "value": "This diagnostic statement protects against Email Collection through the use of hardened access control policies, secure defaults, password complexity requirements, multifactor authentication requirements, and removal of terminated accounts."}, {"divider": true}, {"name": "control", "value": "PR.PS-01.05"}, {"name": "comment", "value": "This diagnostic statement is associated with employing strong encryption methods to mitigate unauthorized access or theft of data that protect the confidentiality and integrity of data-at-rest, data-in-use, and data-in-transit. To address threats to email collection, the use of encryption provides an added layer of security to sensitive information sent over email. 
Encryption using public key cryptography requires the adversary to obtain the private certificate along with an encryption key to decrypt messages."}]}, {"techniqueID": "T1114.002", "score": 8, "comment": " Related to: \n \u2022ID.AM-08.05\n\u2022PR.PS-01.07\n\u2022ID.AM-08.03\n\u2022PR.PS-01.05\n\u2022PR.AA-03.03\n\u2022PR.AA-01.01\n\u2022PR.PS-01.06\n\u2022PR.AA-05.02", "metadata": [{"divider": true}, {"name": "control", "value": "PR.AA-05.02"}, {"name": "comment", "value": "This diagnostic statement protects against Remote Email Collection through the use of privileged account management and the use of multi-factor authentication."}, {"divider": true}, {"name": "control", "value": "PR.AA-03.03"}, {"name": "comment", "value": "This diagnostic statement provides protection from adversaries that try to gain sensitive information and data from users via email. Utilizing methods such as encryption and MFA are recommended to minimize the risk of adversaries collecting user's credentials via exchange servers from within a network."}, {"divider": true}, {"name": "control", "value": "PR.PS-01.06"}, {"name": "comment", "value": "This diagnostic statement is associated with employing encryption methods to mitigate unauthorized access or theft of data that protect the confidentiality and integrity of data-at-rest, data-in-use, and data-in-transit. To address threats to email collection, the use of encryption provides an added layer of security to sensitive information sent over email. Encryption using public key cryptography requires the adversary to obtain the private certificate along with an encryption key to decrypt messages. 
File encryption should be enforced across email communications containing sensitive information that may be obtained through access to email services."}, {"divider": true}, {"name": "control", "value": "PR.PS-01.07"}, {"name": "comment", "value": "This diagnostic statement protects against Email Collection through the use of revocation of keys and key management. Employing key protection strategies such as ensuring proper encryption methods and key management for those used in email along with policies for sending cryptographic material over email, limitations to specific accounts along with access control mechanisms provides protection against adversaries attempting to glean credentials from emails."}, {"divider": true}, {"name": "control", "value": "ID.AM-08.03"}, {"name": "comment", "value": "This diagnostic statement protects credential data and sensitive PII found in emails from being stolen by adversaries. It also prevents adversaries from manipulating data via Exchange Server, Office 365, or Google Workspace in an attempt to collect sensitive information. There may be some similarities to NIST 800-53 SI-12 Information Management and Retention. This may provide mitigation of data access/exfiltration techniques."}, {"divider": true}, {"name": "control", "value": "ID.AM-08.05"}, {"name": "comment", "value": "This diagnostic statement protects credential data and sensitive PII found in emails from being stolen by adversaries. It also prevents adversaries from manipulating data via Exchange Server, Office 365, or Google Workspace in an attempt to collect sensitive information. There may be some similarities to NIST 800-53 SI-12 Information Management and Retention. 
This may provide mitigation of data access/exfiltration techniques."}, {"divider": true}, {"name": "control", "value": "PR.AA-01.01"}, {"name": "comment", "value": "This diagnostic statement protects against Remote Email Collection through the use of hardened access control policies, secure defaults, password complexity requirements, multifactor authentication requirements, and removal of terminated accounts."}, {"divider": true}, {"name": "control", "value": "PR.PS-01.05"}, {"name": "comment", "value": "This diagnostic statement is associated with employing strong encryption methods to mitigate unauthorized access or theft of data that protect the confidentiality and integrity of data-at-rest, data-in-use, and data-in-transit. To address threats to email collection, the use of encryption provides an added layer of security to sensitive information sent over email. Encryption using public key cryptography requires the adversary to obtain the private certificate along with an encryption key to decrypt messages. File encryption should be enforced across email communications containing sensitive information that may be obtained through access to email services."}]}, {"techniqueID": "T1134", "score": 6, "comment": " Related to: \n \u2022DE.CM-06.02\n\u2022PR.IR-01.06\n\u2022PR.AA-01.01\n\u2022PR.AA-05.01\n\u2022PR.AA-01.02\n\u2022PR.AA-05.02", "metadata": [{"divider": true}, {"name": "control", "value": "PR.AA-05.02"}, {"name": "comment", "value": "This diagnostic statement protects against Access Token Manipulation through the use of privileged account management and the use of multi-factor authentication."}, {"divider": true}, {"name": "control", "value": "DE.CM-06.02"}, {"name": "comment", "value": "This diagnostic statement protects against Access Token Manipulation through the use of privileged account management. 
Employing auditing, privileged access management, and just-in-time access protects against adversaries trying to obtain illicit access to critical systems."}, {"divider": true}, {"name": "control", "value": "PR.AA-05.01"}, {"name": "comment", "value": "This diagnostic statement describes the implementation of the least privilege principle, which can be applied to limiting permissions through role-based access controls, file and directory permissions, and the execution of systems and services. An adversary must already have high-level, admin or root level access on a local system to make full use of these ATT&CK techniques. Restricting users and accounts to the least privileges they require can help mitigate these techniques."}, {"divider": true}, {"name": "control", "value": "PR.AA-01.02"}, {"name": "comment", "value": "This diagnostic statement describes how the organization ensures users are identified and authenticated before accessing systems, applications, and hardware, with logical access controls permitting access only to authorized individuals with legitimate business needs. Logical access controls in relation to systems can refer to the use of MFA, user account management, and other role-based access control mechanisms to enforce policies for authentication and authorization of user accounts."}, {"divider": true}, {"name": "control", "value": "PR.IR-01.06"}, {"name": "comment", "value": "This diagnostic statement provides protections for production environments. 
Measures such as network segmentation and access control reduce the attack surface, restrict movement by adversaries, and protect critical assets and data from compromise."}, {"divider": true}, {"name": "control", "value": "PR.AA-01.01"}, {"name": "comment", "value": "This diagnostic statement protects against Access Token Manipulation through the use of hardened access control policies, secure defaults, password complexity requirements, multifactor authentication requirements, and removal of terminated accounts."}]}, {"techniqueID": "T1218.007", "score": 2, "comment": " Related to: \n \u2022PR.AA-05.02\n\u2022PR.IR-01.06", "metadata": [{"divider": true}, {"name": "control", "value": "PR.AA-05.02"}, {"name": "comment", "value": "This diagnostic statement protects against Msiexec through the use of privileged account management and the use of multi-factor authentication."}, {"divider": true}, {"name": "control", "value": "PR.IR-01.06"}, {"name": "comment", "value": "This diagnostic statement provides protections for production environments. 
Measures such as network segmentation and access control reduce the attack surface, restrict movement by adversaries, and protect critical assets and data from compromise."}]}, {"techniqueID": "T1222", "score": 1, "comment": " Related to: \n \u2022PR.AA-05.02", "metadata": [{"divider": true}, {"name": "control", "value": "PR.AA-05.02"}, {"name": "comment", "value": "This diagnostic statement protects against File and Directory Permissions Modification through the use of privileged account management and the use of multi-factor authentication."}]}, {"techniqueID": "T1222.001", "score": 1, "comment": " Related to: \n \u2022PR.AA-05.02", "metadata": [{"divider": true}, {"name": "control", "value": "PR.AA-05.02"}, {"name": "comment", "value": "This diagnostic statement protects against Windows File and Directory Permissions Modification through the use of privileged account management and the use of multi-factor authentication."}]}, {"techniqueID": "T1222.002", "score": 1, "comment": " Related to: \n \u2022PR.AA-05.02", "metadata": [{"divider": true}, {"name": "control", "value": "PR.AA-05.02"}, {"name": "comment", "value": "This diagnostic statement protects against Linux and Mac File and Directory Permissions Modification through the use of privileged account management and the use of multi-factor authentication."}]}, {"techniqueID": "T1505", "score": 8, "comment": " Related to: \n \u2022DE.CM-06.02\n\u2022PR.PS-06.05\n\u2022PR.IR-01.06\n\u2022DE.CM-09.01\n\u2022PR.AA-01.01\n\u2022PR.AA-05.01\n\u2022PR.AA-05.02\n\u2022PR.PS-01.03", "metadata": [{"divider": true}, {"name": "control", "value": "PR.AA-05.02"}, {"name": "comment", "value": "This diagnostic statement protects against Server Software Component through the use of privileged account management and the use of multi-factor authentication."}, {"divider": true}, {"name": "control", "value": "DE.CM-09.01"}, {"name": "comment", "value": "This diagnostic statement protects against Server Software Component through 
the use of verifying integrity of software/firmware, loading software that is trusted, ensuring privileged process integrity and checking software signatures."}, {"divider": true}, {"name": "control", "value": "DE.CM-06.02"}, {"name": "comment", "value": "This diagnostic statement protects against Server Software Component through the use of privileged account management. Employing auditing, privileged access management, and just-in-time access protects against adversaries trying to obtain illicit access to critical systems."}, {"divider": true}, {"name": "control", "value": "PR.PS-06.05"}, {"name": "comment", "value": "This particular diagnostic statement highlights the use of software security testing, code integrity verifications, and vulnerability scanning to mitigate security weaknesses and vulnerabilities in developed code or applications that an adversary may be able to take advantage of."}, {"divider": true}, {"name": "control", "value": "PR.AA-05.01"}, {"name": "comment", "value": "This diagnostic statement describes the implementation of the least privilege principle, which can be applied to limiting permissions through role-based access controls, file and directory permissions, and the execution of systems and services. An adversary must already have high-level, admin or root level access on a local system to make full use of these ATT&CK techniques. Restricting users and accounts to the least privileges they require can help mitigate these techniques."}, {"divider": true}, {"name": "control", "value": "PR.PS-01.03"}, {"name": "comment", "value": "This diagnostic statement provides protection from Server Software Component through the implementation of security configuration baselines for OS, software, file integrity monitoring and imaging. 
Security baselining and integrity checking can help protect against adversaries attempting to compromise and modify software and its configurations."}, {"divider": true}, {"name": "control", "value": "PR.IR-01.06"}, {"name": "comment", "value": "This diagnostic statement provides protections for production environments. Measures such as network segmentation and access control reduce the attack surface, restrict movement by adversaries, and protect critical assets and data from compromise."}, {"divider": true}, {"name": "control", "value": "PR.AA-01.01"}, {"name": "comment", "value": "This diagnostic statement protects against Server Software Component through the use of hardened access control policies, secure defaults, password complexity requirements, multifactor authentication requirements, and removal of terminated accounts."}]}, {"techniqueID": "T1505.004", "score": 4, "comment": " Related to: \n \u2022PR.AA-05.02\n\u2022PR.IR-01.06\n\u2022PR.PS-01.03\n\u2022DE.CM-09.01", "metadata": [{"divider": true}, {"name": "control", "value": "PR.AA-05.02"}, {"name": "comment", "value": "This diagnostic statement protects against IIS Components through the use of privileged account management and the use of multi-factor authentication."}, {"divider": true}, {"name": "control", "value": "DE.CM-09.01"}, {"name": "comment", "value": "This diagnostic statement protects against IIS Components through the use of verifying integrity of software/firmware, loading software that is trusted, ensuring privileged process integrity and checking software signatures."}, {"divider": true}, {"name": "control", "value": "PR.PS-01.03"}, {"name": "comment", "value": "This diagnostic statement provides protection from IIS Components through the implementation of security configuration baselines for OS, software, file integrity monitoring and imaging. 
Security baselining and integrity checking can help protect against adversaries attempting to compromise and modify software and its configurations."}, {"divider": true}, {"name": "control", "value": "PR.IR-01.06"}, {"name": "comment", "value": "This diagnostic statement provides protections for production environments. Measures such as network segmentation and access control reduce the attack surface, restrict movement by adversaries, and protect critical assets and data from compromise."}]}, {"techniqueID": "T1525", "score": 6, "comment": " Related to: \n \u2022PR.PS-01.09\n\u2022DE.CM-09.01\n\u2022PR.AA-05.01\n\u2022EX.MM-01.01\n\u2022PR.AA-05.02\n\u2022PR.PS-01.03", "metadata": [{"divider": true}, {"name": "control", "value": "PR.AA-05.02"}, {"name": "comment", "value": "This diagnostic statement protects against Implant Internal Image through the use of privileged account management and the use of multi-factor authentication."}, {"divider": true}, {"name": "control", "value": "DE.CM-09.01"}, {"name": "comment", "value": "This diagnostic statement protects against Implant Internal Image through the use of verifying integrity of software/firmware, loading software that is trusted, ensuring privileged process integrity and checking software signatures."}, {"divider": true}, {"name": "control", "value": "PR.AA-05.01"}, {"name": "comment", "value": "This diagnostic statement describes the implementation of least privilege principle, which can be applied to limiting permissions through role-based access controls, file and directory permissions, and the execution of systems and services. 
Limit permissions associated with creating and modifying platform images or containers based on the principle of least privilege."}, {"divider": true}, {"name": "control", "value": "PR.PS-01.03"}, {"name": "comment", "value": "This diagnostic statement provides protection from Implant Internal Image through the implementation of security configuration baselines for OS, software, file integrity monitoring and imaging. Security baselining and integrity checking can help protect against adversaries attempting to compromise and modify software and its configurations."}, {"divider": true}, {"name": "control", "value": "PR.PS-01.09"}, {"name": "comment", "value": "The diagnostic statement highlights several mitigating controls that organizations can implement to protect endpoint systems using virtualization technologies. Adversaries may implant cloud or container images with malicious code to establish persistence after gaining access to an environment. Periodically checking the integrity of images and containers used in virtualized deployments to ensure they have not been modified to include malicious software may aid in mitigating this type of adversary technique."}, {"divider": true}, {"name": "control", "value": "EX.MM-01.01"}, {"name": "comment", "value": "This diagnostic statement provides for the implementation of procedures for management of third party products such as ensuring cloud service providers support content trust models that require container images to be signed by a trusted source."}]}, {"techniqueID": "T1530", "score": 15, "comment": " Related to: \n \u2022ID.AM-08.05\n\u2022PR.PS-01.07\n\u2022ID.AM-08.03\n\u2022PR.PS-01.05\n\u2022PR.AA-01.01\n\u2022PR.IR-01.03\n\u2022PR.DS-01.01\n\u2022PR.PS-01.06\n\u2022PR.IR-01.02\n\u2022PR.AA-01.02\n\u2022EX.MM-01.01\n\u2022PR.AA-05.02\n\u2022PR.AA-03.01\n\u2022PR.DS-10.01\n\u2022PR.PS-01.08", "metadata": [{"divider": true}, {"name": "control", "value": "PR.AA-05.02"}, {"name": "comment", "value": "This diagnostic 
statement protects against Data from Cloud Storage through the use of privileged account management and the use of multi-factor authentication."}, {"divider": true}, {"name": "control", "value": "PR.DS-01.01"}, {"name": "comment", "value": "This diagnostic statement focuses on protecting data-at-rest by implementing encryption and other security measures such as sandboxing, authentication, segregation, masking, tokenization, and file integrity monitoring."}, {"divider": true}, {"name": "control", "value": "PR.DS-10.01"}, {"name": "comment", "value": "This Diagnostic Statement describes mitigations related to protecting data-in-use, mentioning encryption, access control methods and authentication. Using encryption for data-in-use, alongside other safeguards such as restricting exfiltration of sensitive data, aids with mitigating collection and exfiltration threats."}, {"divider": true}, {"name": "control", "value": "PR.PS-01.06"}, {"name": "comment", "value": "This diagnostic statement is associated with employing encryption methods to mitigate unauthorized access or theft of data that protect the confidentiality and integrity of data-at-rest, data-in-use, and data-in-transit. To address data collection from cloud storage, encrypt data stored at rest in cloud storage. Managed encryption keys can be rotated by most providers. At a minimum, ensure an incident response plan for a storage breach includes rotating the keys and testing for impact on client applications."}, {"divider": true}, {"name": "control", "value": "PR.PS-01.07"}, {"name": "comment", "value": "This diagnostic statement protects against Data from Cloud Storage through the use of revocation of keys and key management used in multi-factor authentication. 
Employing key protection strategies, limitations to specific accounts along with access control mechanisms provides protection against adversaries attempting to access data from cloud storage."}, {"divider": true}, {"name": "control", "value": "ID.AM-08.03"}, {"name": "comment", "value": "This diagnostic statement prevents adversaries from collecting sensitive data from cloud storage solutions, such as Amazon S3, Azure Storage, and Google Cloud. Permissions on cloud storage should be frequently checked and encryption of sensitive data in the cloud should be managed properly. There may be some similarities to NIST 800-53 SI-12 Information Management and Retention. This may provide mitigation of data access/exfiltration techniques."}, {"divider": true}, {"name": "control", "value": "PR.AA-01.02"}, {"name": "comment", "value": "This diagnostic statement describes how the organization ensures users are identified and authenticated before accessing systems, applications, and hardware, with logical access controls permitting access only to authorized individuals with legitimate business needs. 
Logical access controls in relation to systems can refer to the use of MFA, user account management, and other role-based access control mechanisms to enforce policies for authentication and authorization of user accounts."}, {"divider": true}, {"name": "control", "value": "PR.AA-03.01"}, {"name": "comment", "value": "This diagnostic statement describes how the organization implements appropriate authentication requirements, including selecting mechanisms based on risk, utilizing multi-factor authentication where necessary, and safeguarding the storage of authenticators like PINs and passwords to protect sensitive access credentials."}, {"divider": true}, {"name": "control", "value": "PR.IR-01.02"}, {"name": "comment", "value": "This diagnostic statement provides protection through secure network device configurations (e.g., firewall rules, ports, protocols) aligned to security baselines. Employing IP-based restrictions for accessing cloud resources can mitigate adversary access to data in cloud storage."}, {"divider": true}, {"name": "control", "value": "PR.IR-01.03"}, {"name": "comment", "value": "This diagnostic statement protects against Data from Cloud Storage through the use of secure network configurations, architecture, implementations of zero trust architecture, and segmentation."}, {"divider": true}, {"name": "control", "value": "EX.MM-01.01"}, {"name": "comment", "value": "This diagnostic statement provides for the implementation of procedures for management of third party products such as cloud storage solutions."}, {"divider": true}, {"name": "control", "value": "ID.AM-08.05"}, {"name": "comment", "value": "This diagnostic statement prevents adversaries from collecting sensitive data from cloud storage solutions, such as Amazon S3, Azure Storage, and Google Cloud. Permissions on cloud storage should be frequently checked and encryption of sensitive data in the cloud should be managed properly. 
There may be some similarities to NIST 800-53 SI-12 Information Management and Retention. This may provide mitigation of data access/exfiltration techniques."}, {"divider": true}, {"name": "control", "value": "PR.AA-01.01"}, {"name": "comment", "value": "This diagnostic statement protects against Data from Cloud Storage through the use of hardened access control policies, secure defaults, password complexity requirements, multifactor authentication requirements, and removal of terminated accounts."}, {"divider": true}, {"name": "control", "value": "PR.PS-01.05"}, {"name": "comment", "value": "This diagnostic statement is associated with employing strong encryption methods to mitigate unauthorized access or theft of data that protect the confidentiality and integrity of data-at-rest, data-in-use, and data-in-transit. To address data collection from cloud storage, encrypt data stored at rest in cloud storage. Managed encryption keys can be rotated by most providers. At a minimum, ensure an incident response plan for a storage breach includes rotating the keys and testing for impact on client applications."}, {"divider": true}, {"name": "control", "value": "PR.PS-01.08"}, {"name": "comment", "value": "This diagnostic statement protects against Data from Cloud Storage through the use of limiting access to resources to only authorized devices, management of personal computing devices, network intrusion prevention, and the use of antimalware."}]}, {"techniqueID": "T1542", "score": 11, "comment": " Related to: \n \u2022PR.PS-01.08\n\u2022DE.CM-09.02\n\u2022PR.PS-02.01\n\u2022PR.IR-01.06\n\u2022DE.CM-09.01\n\u2022PR.IR-01.03\n\u2022PR.IR-01.05\n\u2022PR.IR-01.02\n\u2022PR.AA-05.02\n\u2022PR.PS-01.03\n\u2022PR.PS-06.06", "metadata": [{"divider": true}, {"name": "control", "value": "PR.AA-05.02"}, {"name": "comment", "value": "This diagnostic statement protects against Pre-OS Boot through the use of privileged account management and the use of multi-factor authentication."}, 
{"divider": true}, {"name": "control", "value": "DE.CM-09.01"}, {"name": "comment", "value": "This diagnostic statement protects against Pre-OS Boot through the use of verifying integrity of software/firmware, loading software that is trusted, ensuring privileged process integrity and checking software signatures."}, {"divider": true}, {"name": "control", "value": "DE.CM-09.02"}, {"name": "comment", "value": "This diagnostic statement provides protection from Pre-OS Boot through the implementation of integrity checking mechanisms. For example, integrity checking mechanisms to verify the operating system, software, firmware, and information integrity before loading it prevents abuse by a threat actor."}, {"divider": true}, {"name": "control", "value": "PR.PS-02.01"}, {"name": "comment", "value": "This diagnostic statement is related to the implementation of a patch management program. Applying patches and upgrades for products and systems provided by vendors mitigates the risk of adversaries exploiting known vulnerabilities. Patching the BIOS and EFI as necessary helps prevent adversaries from abusing Pre-OS Boot mechanisms."}, {"divider": true}, {"name": "control", "value": "PR.PS-01.03"}, {"name": "comment", "value": "This diagnostic statement provides protection from Pre-OS Boot through the implementation of security configuration baselines for OS, software, file integrity monitoring and imaging. Security baselining and integrity checking can help protect against adversaries attempting to compromise and modify software/firmware and its configurations."}, {"divider": true}, {"name": "control", "value": "PR.PS-06.06"}, {"name": "comment", "value": "This diagnostic statement provides for identifying and remediating vulnerabilities as part of the SDLC. 
Checking the integrity of the existing BIOS or EFI to determine if it is vulnerable to modification and updating firmware can mitigate risks of exploitation and/or abuse."}, {"divider": true}, {"name": "control", "value": "PR.IR-01.02"}, {"name": "comment", "value": "This diagnostic statement provides protection through secure network device configurations (e.g., firewall rules, ports, and protocols) aligned to security baselines. Using network appliances to limit access can mitigate adversary abuse of pre-OS boot mechanisms."}, {"divider": true}, {"name": "control", "value": "PR.IR-01.03"}, {"name": "comment", "value": "This diagnostic statement protects against Pre-OS Boot through the use of secure network configurations, architecture, implementations of zero trust architecture, and segmentation."}, {"divider": true}, {"name": "control", "value": "PR.IR-01.05"}, {"name": "comment", "value": "This diagnostic statement implements security controls and restrictions for remote user access to systems. Remote user access control involves managing and securing how users remotely access systems, such as through encrypted connections and account use policies, which help prevent adversary access."}, {"divider": true}, {"name": "control", "value": "PR.IR-01.06"}, {"name": "comment", "value": "This diagnostic statement provides protections for production environments. 
Measures such as network segmentation and access control reduce the attack surface, restrict movement by adversaries, and protect critical assets and data from compromise."}, {"divider": true}, {"name": "control", "value": "PR.PS-01.08"}, {"name": "comment", "value": "This diagnostic statement protects against Pre-OS Boot through the use of limiting access to resources to only authorized devices, management of personal computing devices, network intrusion prevention, and the use of antimalware."}]}, {"techniqueID": "T1546", "score": 8, "comment": " Related to: \n \u2022PR.PS-02.01\n\u2022PR.IR-01.06\n\u2022PR.AA-01.01\n\u2022PR.IR-01.03\n\u2022PR.IR-01.05\n\u2022PR.AA-05.02\n\u2022PR.PS-01.03\n\u2022PR.PS-01.08", "metadata": [{"divider": true}, {"name": "control", "value": "PR.AA-05.02"}, {"name": "comment", "value": "This diagnostic statement protects against Event Triggered Execution through the use of privileged account management and the use of multi-factor authentication."}, {"divider": true}, {"name": "control", "value": "PR.PS-02.01"}, {"name": "comment", "value": "This diagnostic statement is related to the implementation of a patch management program. Applying patches and upgrades for products and systems provided by vendors mitigates the risk of adversaries exploiting known vulnerabilities. For example, performing regular software updates can mitigate potential event triggered execution exploitation risks."}, {"divider": true}, {"name": "control", "value": "PR.PS-01.03"}, {"name": "comment", "value": "This diagnostic statement provides protection from Event Triggered Execution through the implementation of security configuration baselines for OS, software, file integrity monitoring and imaging. 
Security baselining and integrity checking can help protect against adversaries attempting to compromise and modify software and its configurations."}, {"divider": true}, {"name": "control", "value": "PR.IR-01.03"}, {"name": "comment", "value": "This diagnostic statement protects against Event Triggered Execution through the use of secure network configurations, architecture, implementations of zero trust architecture, and segmentation."}, {"divider": true}, {"name": "control", "value": "PR.IR-01.05"}, {"name": "comment", "value": "This diagnostic statement implements security controls and restrictions for remote user access to systems. Remote user access control involves managing and securing how users remotely access systems, such as through encrypted connections and account use policies, which help prevent adversary access."}, {"divider": true}, {"name": "control", "value": "PR.IR-01.06"}, {"name": "comment", "value": "This diagnostic statement provides protections for production environments. 
Measures such as network segmentation and access control reduce the attack surface, restrict movement by adversaries, and protect critical assets and data from compromise."}, {"divider": true}, {"name": "control", "value": "PR.AA-01.01"}, {"name": "comment", "value": "This diagnostic statement protects against Event Triggered Execution through the use of hardened access control policies, secure defaults, password complexity requirements, multifactor authentication requirements, and removal of terminated accounts."}, {"divider": true}, {"name": "control", "value": "PR.PS-01.08"}, {"name": "comment", "value": "This diagnostic statement protects against Event Triggered Execution through the use of limiting access to resources to only authorized devices, management of personal computing devices, network intrusion prevention, and the use of antimalware."}]}, {"techniqueID": "T1547", "score": 4, "comment": " Related to: \n \u2022PR.AA-05.02\n\u2022PR.PS-01.07\n\u2022PR.AA-01.01\n\u2022PR.PS-01.08", "metadata": [{"divider": true}, {"name": "control", "value": "PR.AA-05.02"}, {"name": "comment", "value": "This diagnostic statement protects against Boot or Logon Autostart Execution through the use of privileged account management and the use of multi-factor authentication."}, {"divider": true}, {"name": "control", "value": "PR.PS-01.07"}, {"name": "comment", "value": "This diagnostic statement protects against Boot or Logon Autostart Execution through the use of revocation of keys and key management. 
Employing key protection strategies for the key material used to protect the integrity of boot firmware and system images, storing those keys in hardware security modules such as TPMs, and limiting their use to specific accounts through access control mechanisms provides protection against adversaries trying to compromise boot or logon autostart execution."}, {"divider": true}, {"name": "control", "value": "PR.AA-01.01"}, {"name": "comment", "value": "This diagnostic statement protects against Boot or Logon Autostart Execution through the use of hardened access control policies, secure defaults, password complexity requirements, multifactor authentication requirements, and removal of terminated accounts."}, {"divider": true}, {"name": "control", "value": "PR.PS-01.08"}, {"name": "comment", "value": "This diagnostic statement protects against Boot or Logon Autostart Execution through the use of limiting access to resources to only authorized devices, management of personal computing devices, network intrusion prevention, and the use of antimalware."}]}, {"techniqueID": "T1550.002", "score": 6, "comment": " Related to: \n \u2022DE.CM-06.02\n\u2022PR.PS-02.01\n\u2022PR.IR-01.06\n\u2022PR.AA-01.01\n\u2022PR.AA-05.02\n\u2022PR.DS-02.01", "metadata": [{"divider": true}, {"name": "control", "value": "PR.AA-05.02"}, {"name": "comment", "value": "This diagnostic statement protects against Pass the Hash through the use of privileged account management and the use of multi-factor authentication."}, {"divider": true}, {"name": "control", "value": "DE.CM-06.02"}, {"name": "comment", "value": "This diagnostic statement protects against Pass the Hash through the use of privileged account management. 
Employing auditing, privilege access management, and just in time access protects against adversaries trying to obtain illicit access to critical systems."}, {"divider": true}, {"name": "control", "value": "PR.DS-02.01"}, {"name": "comment", "value": "This diagnostic statement provides protection from adversaries that may use stolen password hashes. Various methods should be used to protect data-in-transit, including encryption, password hashing, and tokenization."}, {"divider": true}, {"name": "control", "value": "PR.PS-02.01"}, {"name": "comment", "value": "This diagnostic statement is related to the implementation of a patch management program. Applying patches and upgrades for products and systems provided by vendors mitigates the risk of adversaries exploiting known vulnerabilities. An example of this for Pass the Hash is to update software by applying patch KB2871997 to Windows 7 and higher systems, limiting the default access of accounts in the local administrator group."}, {"divider": true}, {"name": "control", "value": "PR.IR-01.06"}, {"name": "comment", "value": "This diagnostic statement provides protections for production environments. 
Measures such as network segmentation and access control reduce the attack surface, restrict movement by adversaries, and protect critical assets and data from compromise."}, {"divider": true}, {"name": "control", "value": "PR.AA-01.01"}, {"name": "comment", "value": "This diagnostic statement protects against Pass the Hash through the use of hardened access control policies, secure defaults, password complexity requirements, multifactor authentication requirements, and removal of terminated accounts."}]}, {"techniqueID": "T1550.003", "score": 5, "comment": " Related to: \n \u2022DE.CM-06.02\n\u2022PR.IR-01.06\n\u2022PR.AA-01.01\n\u2022PR.AA-05.02\n\u2022PR.DS-02.01", "metadata": [{"divider": true}, {"name": "control", "value": "PR.AA-05.02"}, {"name": "comment", "value": "This diagnostic statement protects against Pass the Ticket through the use of privileged account management and the use of multi-factor authentication."}, {"divider": true}, {"name": "control", "value": "DE.CM-06.02"}, {"name": "comment", "value": "This diagnostic statement protects against Pass the Ticket through the use of privileged account management. Employing auditing, privilege access management, and just in time access protects against adversaries trying to obtain illicit access to critical systems."}, {"divider": true}, {"name": "control", "value": "PR.DS-02.01"}, {"name": "comment", "value": "This diagnostic statement provides protection from adversaries that may use stolen Kerberos tickets. Various methods should be used to protect data-in-transit, including encryption, password hashing, and tokenization."}, {"divider": true}, {"name": "control", "value": "PR.IR-01.06"}, {"name": "comment", "value": "This diagnostic statement provides protections for production environments. 
Measures such as network segmentation and access control reduce the attack surface, restrict movement by adversaries, and protect critical assets and data from compromise."}, {"divider": true}, {"name": "control", "value": "PR.AA-01.01"}, {"name": "comment", "value": "This diagnostic statement protects against Pass the Ticket through the use of hardened access control policies, secure defaults, password complexity requirements, multifactor authentication requirements, and removal of terminated accounts."}]}, {"techniqueID": "T1552.007", "score": 11, "comment": " Related to: \n \u2022DE.CM-06.02\n\u2022PR.IR-04.01\n\u2022PR.IR-01.06\n\u2022PR.AA-01.01\n\u2022PR.IR-01.01\n\u2022PR.IR-01.03\n\u2022PR.AA-05.01\n\u2022PR.IR-01.05\n\u2022PR.IR-01.02\n\u2022PR.AA-05.02\n\u2022PR.PS-01.08", "metadata": [{"divider": true}, {"name": "control", "value": "PR.AA-05.02"}, {"name": "comment", "value": "This diagnostic statement protects against Container API through the use of privileged account management and the use of multi-factor authentication."}, {"divider": true}, {"name": "control", "value": "DE.CM-06.02"}, {"name": "comment", "value": "This diagnostic statement protects against Container API through the use of privileged account management. Employing auditing, privilege access management, and just in time access protects against adversaries trying to obtain illicit access to critical systems."}, {"divider": true}, {"name": "control", "value": "PR.AA-05.01"}, {"name": "comment", "value": "This diagnostic statement describes the implementation of least privilege principle, which can be applied to limiting permissions through role-based access controls, file and directory permissions, and the execution of systems and services. An adversary must already have high-level, admin or root level access on a local system to make full use of these ATT&CK techniques. 
Restricting users and accounts to the least privileges they require can help mitigate these techniques."}, {"divider": true}, {"name": "control", "value": "PR.IR-01.01"}, {"name": "comment", "value": "This diagnostic statement is for the implementation of network segmentation, which helps prevent access to critical systems and sensitive information. Employing secure network configuration, defense-in-depth, and access isolation principles provides protection against adversaries attempting to obtain credentials via APIs within a container environment."}, {"divider": true}, {"name": "control", "value": "PR.IR-04.01"}, {"name": "comment", "value": "This diagnostic statement describes how the organization establishes and manages baseline measures of network activity, supported by network monitoring tools and other controls that detect events and identify incidents. Mitigating mechanisms for these types of network-based techniques may include: Data Loss Prevention (DLP); Filtering Network Traffic; Limit Network Traffic; Network Intrusion Prevention Systems (NIPS); and Network Segmentation."}, {"divider": true}, {"name": "control", "value": "PR.IR-01.02"}, {"name": "comment", "value": "This diagnostic statement provides protection through secure network device configurations (e.g., firewall rules, ports, and protocols) aligned to security baselines. Employing restrictions that limit network access and communications with services can prevent adversaries from finding stored credentials."}, {"divider": true}, {"name": "control", "value": "PR.IR-01.03"}, {"name": "comment", "value": "This diagnostic statement protects against Container API through the use of secure network configurations, architecture, implementations of zero trust architecture, and segmentation."}, {"divider": true}, {"name": "control", "value": "PR.IR-01.05"}, {"name": "comment", "value": "This diagnostic statement implements security controls and restrictions for remote user access to systems. 
Remote user access control involves managing and securing how users remotely access systems, such as through encrypted connections and account use policies, which help prevent adversary access."}, {"divider": true}, {"name": "control", "value": "PR.IR-01.06"}, {"name": "comment", "value": "This diagnostic statement provides protections for production environments. Measures such as network segmentation and access control reduce the attack surface, restrict movement by adversaries, and protect critical assets and data from compromise."}, {"divider": true}, {"name": "control", "value": "PR.AA-01.01"}, {"name": "comment", "value": "This diagnostic statement protects against Container API through the use of hardened access control policies, secure defaults, password complexity requirements, multifactor authentication requirements, and removal of terminated accounts."}, {"divider": true}, {"name": "control", "value": "PR.PS-01.08"}, {"name": "comment", "value": "This diagnostic statement protects against Container API through the use of limiting access to resources to only authorized devices, management of personal computing devices, network intrusion prevention, and the use of antimalware."}]}, {"techniqueID": "T1553.006", "score": 4, "comment": " Related to: \n \u2022PR.AA-05.02\n\u2022PR.IR-01.06\n\u2022PR.PS-01.03\n\u2022DE.CM-09.01", "metadata": [{"divider": true}, {"name": "control", "value": "PR.AA-05.02"}, {"name": "comment", "value": "This diagnostic statement protects against Code Signing Policy Modification through the use of privileged account management and the use of multi-factor authentication."}, {"divider": true}, {"name": "control", "value": "DE.CM-09.01"}, {"name": "comment", "value": "This diagnostic statement protects against Code Signing Policy Modification through the use of verifying integrity of software/firmware, loading software that is trusted, ensuring privileged process integrity and checking software signatures."}, {"divider": true}, 
{"name": "control", "value": "PR.PS-01.03"}, {"name": "comment", "value": "This diagnostic statement provides protection from Code Signing Policy Modification through the implementation of security configuration baselines for OS, software, file integrity monitoring and imaging. Security baselining and integrity checking can help protect against adversaries attempting to compromise and modify software and its configurations."}, {"divider": true}, {"name": "control", "value": "PR.IR-01.06"}, {"name": "comment", "value": "This diagnostic statement provides protections for production environments. Measures such as network segmentation and access control reduce the attack surface, restrict movement by adversaries, and protect critical assets and data from compromise."}]}, {"techniqueID": "T1555", "score": 6, "comment": " Related to: \n \u2022DE.CM-06.02\n\u2022PR.PS-02.01\n\u2022PR.IR-01.06\n\u2022PR.AA-01.01\n\u2022PR.AA-05.02\n\u2022PR.AA-03.01", "metadata": [{"divider": true}, {"name": "control", "value": "PR.AA-05.02"}, {"name": "comment", "value": "This diagnostic statement protects against Credentials from Password Stores through the use of privileged account management and the use of multi-factor authentication."}, {"divider": true}, {"name": "control", "value": "DE.CM-06.02"}, {"name": "comment", "value": "This diagnostic statement protects against Credentials from Password Stores through the use of privileged account management. Employing auditing, privilege access management, and just in time access protects against adversaries trying to obtain illicit access to critical systems."}, {"divider": true}, {"name": "control", "value": "PR.PS-02.01"}, {"name": "comment", "value": "This diagnostic statement is related to the implementation of a patch management program. Applying patches and upgrades for products and systems provided by vendors mitigates the risk of adversaries exploiting known vulnerabilities. 
For example, performing regular software updates mitigates adversary exploitation of password storage locations to obtain user credentials."}, {"divider": true}, {"name": "control", "value": "PR.AA-03.01"}, {"name": "comment", "value": "This diagnostic statement describes how the organization implements appropriate authentication requirements, including selecting mechanisms based on risk, utilizing multi-factor authentication where necessary, and safeguarding the storage of authenticators like pins and passwords to protect sensitive access credentials."}, {"divider": true}, {"name": "control", "value": "PR.IR-01.06"}, {"name": "comment", "value": "This diagnostic statement provides protections for production environments. Measures such as network segmentation and access control reduce the attack surface, restrict movement by adversaries, and protect critical assets and data from compromise."}, {"divider": true}, {"name": "control", "value": "PR.AA-01.01"}, {"name": "comment", "value": "This diagnostic statement protects against Credentials from Password Stores through the use of hardened access control policies, secure defaults, password complexity requirements, multifactor authentication requirements, and removal of terminated accounts."}]}, {"techniqueID": "T1556.001", "score": 9, "comment": " Related to: \n \u2022DE.CM-06.02\n\u2022PR.PS-01.07\n\u2022DE.CM-03.03\n\u2022DE.CM-09.01\n\u2022PR.AA-01.01\n\u2022PR.AA-02.01\n\u2022PR.IR-01.05\n\u2022PR.AA-05.02\n\u2022PR.AA-03.01", "metadata": [{"divider": true}, {"name": "control", "value": "PR.AA-05.02"}, {"name": "comment", "value": "This diagnostic statement protects against Domain Controller Authentication through the use of privileged account management and the use of multi-factor authentication."}, {"divider": true}, {"name": "control", "value": "DE.CM-09.01"}, {"name": "comment", "value": "This diagnostic statement protects against Domain Controller Authentication through the use of verifying integrity of 
software/firmware, loading software that is trusted, ensuring privileged process integrity and checking software signatures."}, {"divider": true}, {"name": "control", "value": "DE.CM-06.02"}, {"name": "comment", "value": "This diagnostic statement protects against Domain Controller Authentication through the use of privileged account management. Employing auditing, privilege access management, and just in time access protects against adversaries trying to obtain illicit access to critical systems."}, {"divider": true}, {"name": "control", "value": "PR.AA-02.01"}, {"name": "comment", "value": "This diagnostic statement provides protection from Modify Authentication Process through the implementation of privileged account management controls to limit credential access. Employing limitations to specific accounts, access control mechanisms, and auditing of the attribution logs provides protection against adversaries attempting to modify credentials."}, {"divider": true}, {"name": "control", "value": "PR.PS-01.07"}, {"name": "comment", "value": "This diagnostic statement protects against Modify Authentication Process through the use of revocation of keys and key management. Employing key protection strategies and key management for key material used in identity management and authentication processes, together with limitations to specific accounts and access control mechanisms, provides protection against adversaries attempting to modify domain controller authentication mechanisms."}, {"divider": true}, {"name": "control", "value": "DE.CM-03.03"}, {"name": "comment", "value": "This diagnostic statement implements mechanisms and tools to mitigate potential misuse of privileged users and accounts. 
Continuous monitoring of role and attribute assignments and activity is essential to prevent and detect unauthorized access or misuse."}, {"divider": true}, {"name": "control", "value": "PR.AA-03.01"}, {"name": "comment", "value": "This diagnostic statement describes how the organization implements appropriate authentication requirements, including selecting mechanisms based on risk, utilizing multi-factor authentication where necessary, and safeguarding the storage of authenticators like pins and passwords to protect sensitive access credentials."}, {"divider": true}, {"name": "control", "value": "PR.IR-01.05"}, {"name": "comment", "value": "This diagnostic statement implements security controls and restrictions for remote user access to systems. Remote user access control involves managing and securing how users remotely access systems, such as through encrypted connections and account use policies, which help prevent adversary access."}, {"divider": true}, {"name": "control", "value": "PR.AA-01.01"}, {"name": "comment", "value": "This diagnostic statement protects against Domain Controller Authentication through the use of hardened access control policies, secure defaults, password complexity requirements, multifactor authentication requirements, and removal of terminated accounts."}]}, {"techniqueID": "T1559.001", "score": 4, "comment": " Related to: \n \u2022PR.AA-05.02\n\u2022PR.IR-01.06\n\u2022PR.PS-05.02\n\u2022PR.AA-05.03", "metadata": [{"divider": true}, {"name": "control", "value": "PR.AA-05.02"}, {"name": "comment", "value": "This diagnostic statement protects against Component Object Model through the use of privileged account management and the use of multi-factor authentication."}, {"divider": true}, {"name": "control", "value": "PR.PS-05.02"}, {"name": "comment", "value": "Mobile code procedures address specific actions taken to prevent the development, acquisition, and introduction of unacceptable mobile code within organizational systems, including 
requiring mobile code to be digitally signed by a trusted source."}, {"divider": true}, {"name": "control", "value": "PR.AA-05.03"}, {"name": "comment", "value": "This diagnostic statement is for the implementation of security controls for service accounts (i.e., accounts used by systems to access other systems). Set service account access restrictions to grant only the minimum necessary permissions to mitigate abuse of inter-process communication (IPC) mechanisms."}, {"divider": true}, {"name": "control", "value": "PR.IR-01.06"}, {"name": "comment", "value": "This diagnostic statement provides protections for production environments. Measures such as network segmentation and access control reduce the attack surface, restrict movement by adversaries, and protect critical assets and data from compromise."}]}, {"techniqueID": "T1609", "score": 11, "comment": " Related to: \n \u2022DE.CM-06.02\n\u2022PR.IR-01.06\n\u2022PR.AA-01.01\n\u2022PR.IR-01.03\n\u2022PR.AA-05.01\n\u2022PR.IR-01.05\n\u2022PR.IR-01.02\n\u2022PR.AA-01.02\n\u2022PR.AA-05.02\n\u2022PR.AA-03.01\n\u2022PR.PS-01.08", "metadata": [{"divider": true}, {"name": "control", "value": "PR.AA-05.02"}, {"name": "comment", "value": "This diagnostic statement protects against Container Administration Command through the use of privileged account management and the use of multi-factor authentication."}, {"divider": true}, {"name": "control", "value": "DE.CM-06.02"}, {"name": "comment", "value": "This diagnostic statement protects against Container Administration Command through the use of privileged account management. 
Employing auditing, privilege access management, and just in time access protects against adversaries trying to obtain illicit access to critical systems."}, {"divider": true}, {"name": "control", "value": "PR.AA-05.01"}, {"name": "comment", "value": "This diagnostic statement describes the implementation of the least privilege principle, which can be applied to limiting permissions through role-based access controls, file and directory permissions, and the execution of systems and services. An adversary must already have high-level, admin or root level access on a local system to make full use of these ATT&CK techniques. Restricting users and accounts to the least privileges they require can help mitigate these techniques."}, {"divider": true}, {"name": "control", "value": "PR.AA-01.02"}, {"name": "comment", "value": "This diagnostic statement describes how the organization ensures users are identified and authenticated before accessing systems, applications, and hardware, with logical access controls permitting access only to authorized individuals with legitimate business needs. Logical access controls in relation to systems can refer to the use of MFA, user account management, and other role-based access control mechanisms to enforce policies for authentication and authorization of user accounts."}, {"divider": true}, {"name": "control", "value": "PR.AA-03.01"}, {"name": "comment", "value": "This diagnostic statement describes how the organization implements appropriate authentication requirements, including selecting mechanisms based on risk, utilizing multi-factor authentication where necessary, and safeguarding the storage of authenticators like pins and passwords to protect sensitive access credentials."}, {"divider": true}, {"name": "control", "value": "PR.IR-01.02"}, {"name": "comment", "value": "This diagnostic statement provides protection through secure network device configurations (e.g., firewall rules, ports, and protocols) aligned to security baselines. 
Using network appliances to limit communications with container services can prevent adversary abuse of container administration."}, {"divider": true}, {"name": "control", "value": "PR.IR-01.03"}, {"name": "comment", "value": "This diagnostic statement protects against Container Administration Command through the use of secure network configurations, architecture, implementations of zero trust architecture, and segmentation."}, {"divider": true}, {"name": "control", "value": "PR.IR-01.05"}, {"name": "comment", "value": "This diagnostic statement implements security controls and restrictions for remote user access to systems. Remote user access control involves managing and securing how users remotely access systems, such as through encrypted connections and account use policies, which help prevent adversary access."}, {"divider": true}, {"name": "control", "value": "PR.IR-01.06"}, {"name": "comment", "value": "This diagnostic statement provides protections for production environments. Measures such as network segmentation and access control reduce the attack surface, restrict movement by adversaries, and protect critical assets and data from compromise."}, {"divider": true}, {"name": "control", "value": "PR.AA-01.01"}, {"name": "comment", "value": "This diagnostic statement protects against Container Administration Command through the use of hardened access control policies, secure defaults, password complexity requirements, multifactor authentication requirements, and removal of terminated accounts."}, {"divider": true}, {"name": "control", "value": "PR.PS-01.08"}, {"name": "comment", "value": "This diagnostic statement protects against Container Administration Command through the use of limiting access to resources to only authorized devices, management of personal computing devices, network intrusion prevention, and the use of antimalware."}]}, {"techniqueID": "T1611", "score": 4, "comment": " Related to: \n 
\u2022PR.AA-05.02\n\u2022PR.IR-01.06\n\u2022PR.PS-01.09\n\u2022PR.IR-01.05", "metadata": [{"divider": true}, {"name": "control", "value": "PR.AA-05.02"}, {"name": "comment", "value": "This diagnostic statement protects against Escape to Host through the use of privileged account management and the use of multi-factor authentication."}, {"divider": true}, {"name": "control", "value": "PR.PS-01.09"}, {"name": "comment", "value": "The diagnostic statement highlights several mechanisms that organizations can implement to protect endpoint systems using virtualization technologies. Virtualization technologies provide a layer of isolation that contains the impact of potential compromises. For the Escape to Host technique, consider utilizing solutions that restrict certain system calls, such as mount, from the virtualized machine to the host. In Kubernetes environments, consider defining Pod Security Standards that limit container access to host process namespaces, the host network, and the host file system."}, {"divider": true}, {"name": "control", "value": "PR.IR-01.05"}, {"name": "comment", "value": "This diagnostic statement implements security controls and restrictions for remote user access to systems. Remote user access control involves managing and securing how users remotely access systems, such as through encrypted connections and account use policies, which help prevent adversary access."}, {"divider": true}, {"name": "control", "value": "PR.IR-01.06"}, {"name": "comment", "value": "This diagnostic statement provides protections for production environments. 
Measures such as network segmentation and access control reduce the attack surface, restrict movement by adversaries, and protect critical assets and data from compromise."}]}, {"techniqueID": "T1612", "score": 7, "comment": " Related to: \n \u2022PR.PS-01.09\n\u2022PR.IR-01.03\n\u2022PR.IR-01.01\n\u2022PR.IR-01.05\n\u2022PR.IR-01.02\n\u2022PR.AA-05.02\n\u2022PR.PS-01.08", "metadata": [{"divider": true}, {"name": "control", "value": "PR.AA-05.02"}, {"name": "comment", "value": "This diagnostic statement protects against Build Image on Host through the use of privileged account management and the use of multi-factor authentication."}, {"divider": true}, {"name": "control", "value": "PR.IR-01.01"}, {"name": "comment", "value": "This diagnostic statement protects against Build Image on Host through the use of network segmentation, firewalls, secure network configuration, defense-in-depth and access isolation principles. Employing defense-in-depth and access isolation principles provides protection against adversaries attempting to build image on host."}, {"divider": true}, {"name": "control", "value": "PR.PS-01.09"}, {"name": "comment", "value": "The diagnostic statement highlights several mitigating controls that organizations can implement to protect endpoint systems using virtualization technologies. Adversaries may build a container image directly on a host to bypass defenses that monitor for the retrieval of malicious images from a public registry. 
Mitigating mechanisms such as network segmentation, limiting access to resources over the network, and privileged account management may aid in limiting malicious images with direct remote access to internal systems through the use of network proxies, gateways, privileged accounts, and firewalls."}, {"divider": true}, {"name": "control", "value": "PR.IR-01.02"}, {"name": "comment", "value": "This diagnostic statement provides protection through secure network device configurations (e.g., firewall rules, ports, and protocols) aligned to security baselines. Using network appliances to limit communications with container services can prevent adversaries from building container images on hosts."}, {"divider": true}, {"name": "control", "value": "PR.IR-01.03"}, {"name": "comment", "value": "This diagnostic statement protects against Build Image on Host through the use of secure network configurations, architecture, implementations of zero trust architecture, and segmentation."}, {"divider": true}, {"name": "control", "value": "PR.IR-01.05"}, {"name": "comment", "value": "This diagnostic statement implements security controls and restrictions for remote user access to systems. 
Remote user access control involves managing and securing how users remotely access systems, such as through encrypted connections and account use policies, which help prevent adversary access."}, {"divider": true}, {"name": "control", "value": "PR.PS-01.08"}, {"name": "comment", "value": "This diagnostic statement protects against Build Image on Host through the use of limiting access to resources to only authorized devices, management of personal computing devices, network intrusion prevention, and the use of antimalware."}]}, {"techniqueID": "T1621", "score": 4, "comment": " Related to: \n \u2022PR.AA-05.02\n\u2022PR.PS-01.07\n\u2022PR.AA-01.01\n\u2022PR.IR-01.05", "metadata": [{"divider": true}, {"name": "control", "value": "PR.AA-05.02"}, {"name": "comment", "value": "This diagnostic statement protects against Multi-Factor Authentication Request Generation through the use of privileged account management and the use of multi-factor authentication."}, {"divider": true}, {"name": "control", "value": "PR.PS-01.07"}, {"name": "comment", "value": "This diagnostic statement protects against Multi-Factor Authentication Request Generation through the use of revocation of keys and key management. Employing key protection strategies and key management for key material used in identity management and authentication processes (including multi-factor authentication or MFA), limitations to specific accounts along with access control mechanisms provides protection against adversaries attempting to bypass or generate MFA requests."}, {"divider": true}, {"name": "control", "value": "PR.IR-01.05"}, {"name": "comment", "value": "This diagnostic statement implements security controls and restrictions for remote user access to systems. 
Remote user access control involves managing and securing how users remotely access systems, such as through encrypted connections and account use policies, which help prevent adversary access."}, {"divider": true}, {"name": "control", "value": "PR.AA-01.01"}, {"name": "comment", "value": "This diagnostic statement protects against Multi-Factor Authentication Request Generation through the use of hardened access control policies, secure defaults, password complexity requirements, multifactor authentication requirements, and removal of terminated accounts."}]}, {"techniqueID": "T1036.001", "score": 5, "comment": " Related to: \n \u2022PR.PS-06.05\n\u2022PR.PS-05.02\n\u2022DE.CM-09.01\n\u2022PR.PS-01.03\n\u2022EX.DD-04.01", "metadata": [{"divider": true}, {"name": "control", "value": "DE.CM-09.01"}, {"name": "comment", "value": "This diagnostic statement protects against Invalid Code Signature through the use of verifying integrity of software/firmware, loading software that is trusted, ensuring privileged process integrity and checking software signatures."}, {"divider": true}, {"name": "control", "value": "PR.PS-06.05"}, {"name": "comment", "value": "This particular diagnostic statement highlights the use of software security testing, code integrity verifications, and vulnerability scanning to mitigate security weaknesses and vulnerabilities in developed code or applications that an adversary may be able to take advantage of."}, {"divider": true}, {"name": "control", "value": "PR.PS-01.03"}, {"name": "comment", "value": "This diagnostic statement provides protection from Masquerading: Invalid Code Signature through the implementation of security configuration baselines for OS, software, file integrity monitoring and imaging. 
Security baselining and integrity checking can help protect against adversaries attempting to compromise and modify software and its configurations."}, {"divider": true}, {"name": "control", "value": "PR.PS-05.02"}, {"name": "comment", "value": "Mobile code procedures address specific actions taken to prevent the development, acquisition, and introduction of unacceptable mobile code within organizational systems, including requiring mobile code to be digitally signed by a trusted source."}, {"divider": true}, {"name": "control", "value": "EX.DD-04.01"}, {"name": "comment", "value": "This diagnostic statement describes the organization's formal process for evaluating externally-sourced applications, software, and firmware by assessing compatibility, security, integrity, and authenticity before deployment and after major changes. For example, requiring software from external vendors to be signed with valid certificates before deployment to aid in mitigating software supply chain attacks."}]}, {"techniqueID": "T1036.005", "score": 3, "comment": " Related to: \n \u2022PR.PS-01.03\n\u2022DE.CM-09.01\n\u2022PR.PS-05.02", "metadata": [{"divider": true}, {"name": "control", "value": "DE.CM-09.01"}, {"name": "comment", "value": "This diagnostic statement protects against Match Legitimate Name or Location through the use of verifying integrity of software/firmware, loading software that is trusted, ensuring privileged process integrity and checking software signatures."}, {"divider": true}, {"name": "control", "value": "PR.PS-01.03"}, {"name": "comment", "value": "This diagnostic statement provides protection from Masquerading: Match Legitimate Name or Location through the implementation of security configuration baselines for OS, software, file integrity monitoring and imaging. 
Security baselining and integrity checking can help protect against adversaries attempting to compromise and modify software and its configurations."}, {"divider": true}, {"name": "control", "value": "PR.PS-05.02"}, {"name": "comment", "value": "Mobile code procedures address specific actions taken to prevent the development, acquisition, and introduction of unacceptable mobile code within organizational systems, including requiring mobile code to be digitally signed by a trusted source."}]}, {"techniqueID": "T1059.002", "score": 3, "comment": " Related to: \n \u2022PR.PS-01.03\n\u2022DE.CM-09.01\n\u2022PR.PS-05.02", "metadata": [{"divider": true}, {"name": "control", "value": "DE.CM-09.01"}, {"name": "comment", "value": "This diagnostic statement protects against AppleScript through the use of verifying integrity of software/firmware, loading software that is trusted, ensuring privileged process integrity and checking software signatures."}, {"divider": true}, {"name": "control", "value": "PR.PS-01.03"}, {"name": "comment", "value": "This diagnostic statement provides protection from Command and Scripting Interpreter through the implementation of security configuration baselines for OS, software, file integrity monitoring and imaging. 
Security baselining along with disallowing scripts and integrity checking can help protect against adversaries that may abuse command and script interpreters."}, {"divider": true}, {"name": "control", "value": "PR.PS-05.02"}, {"name": "comment", "value": "Mobile code procedures address specific actions taken to prevent the development, acquisition, and introduction of unacceptable mobile code within organizational systems, including requiring mobile code to be digitally signed by a trusted source."}]}, {"techniqueID": "T1127", "score": 3, "comment": " Related to: \n \u2022PR.PS-06.05\n\u2022PR.PS-01.03\n\u2022DE.CM-09.01", "metadata": [{"divider": true}, {"name": "control", "value": "DE.CM-09.01"}, {"name": "comment", "value": "This diagnostic statement protects against Trusted Developer Utilities Proxy Execution through the use of verifying integrity of software/firmware, loading software that is trusted, ensuring privileged process integrity and checking software signatures."}, {"divider": true}, {"name": "control", "value": "PR.PS-06.05"}, {"name": "comment", "value": "This particular diagnostic statement highlights the use of software security testing, code integrity verifications, and vulnerability scanning to mitigate security weaknesses and vulnerabilities in developed code or applications that an adversary may be able to take advantage of."}, {"divider": true}, {"name": "control", "value": "PR.PS-01.03"}, {"name": "comment", "value": "This diagnostic statement provides protection from Trusted Developer Utilities Proxy Execution through the implementation of security configuration baselines for OS, software, file integrity monitoring and imaging. 
Security baselining and integrity checking can help protect against adversaries attempting to compromise and modify software and its configurations."}]}, {"techniqueID": "T1127.002", "score": 3, "comment": " Related to: \n \u2022PR.PS-01.03\n\u2022DE.CM-09.01\n\u2022PR.PS-05.02", "metadata": [{"divider": true}, {"name": "control", "value": "DE.CM-09.01"}, {"name": "comment", "value": "This diagnostic statement protects against ClickOnce through the use of verifying integrity of software/firmware, loading software that is trusted, ensuring privileged process integrity and checking software signatures."}, {"divider": true}, {"name": "control", "value": "PR.PS-01.03"}, {"name": "comment", "value": "This diagnostic statement provides protection from Trusted Developer Utilities Proxy Execution: ClickOnce through the implementation of security configuration baselines for OS, software, file integrity monitoring and imaging. Security baselining and integrity checking can help protect against adversaries attempting to compromise and modify software and its configurations."}, {"divider": true}, {"name": "control", "value": "PR.PS-05.02"}, {"name": "comment", "value": "Mobile code procedures address specific actions taken to prevent the development, acquisition, and introduction of unacceptable mobile code within organizational systems, including requiring mobile code to be digitally signed by a trusted source."}]}, {"techniqueID": "T1176", "score": 3, "comment": " Related to: \n \u2022PR.PS-02.01\n\u2022DE.CM-09.01\n\u2022PR.PS-06.06", "metadata": [{"divider": true}, {"name": "control", "value": "DE.CM-09.01"}, {"name": "comment", "value": "This diagnostic statement protects against Browser Extensions through the use of verifying integrity of software/firmware, loading software that is trusted, ensuring privileged process integrity and checking software signatures."}, {"divider": true}, {"name": "control", "value": "PR.PS-02.01"}, {"name": "comment", "value": "This 
diagnostic statement is related to the implementation of a patch management program. Applying patches and upgrades for products and systems provided by vendors mitigates the risk of adversaries exploiting known vulnerabilities. For example, ensuring operating systems and browsers are using the most current version helps prevent adversaries from abusing Internet browser extensions or plugins."}, {"divider": true}, {"name": "control", "value": "PR.PS-06.06"}, {"name": "comment", "value": "This diagnostic statement provides for identifying and remediating vulnerabilities as part of the SDLC. Ensuring operating systems and software are using the most current version can mitigate risks of exploitation and/or abuse."}]}, {"techniqueID": "T1546.006", "score": 2, "comment": " Related to: \n \u2022PR.PS-01.03\n\u2022DE.CM-09.01", "metadata": [{"divider": true}, {"name": "control", "value": "DE.CM-09.01"}, {"name": "comment", "value": "This diagnostic statement protects against LC_LOAD_DYLIB Addition through the use of verifying integrity of software/firmware, loading software that is trusted, ensuring privileged process integrity and checking software signatures."}, {"divider": true}, {"name": "control", "value": "PR.PS-01.03"}, {"name": "comment", "value": "This diagnostic statement provides protection from Event Triggered Execution: LC_LOAD_DYLIB Addition through the implementation of security configuration baselines for OS, software, file integrity monitoring and imaging. 
Security baselining and integrity checking can help protect against adversaries attempting to compromise and modify software and its configurations."}]}, {"techniqueID": "T1546.013", "score": 2, "comment": " Related to: \n \u2022PR.PS-01.03\n\u2022DE.CM-09.01", "metadata": [{"divider": true}, {"name": "control", "value": "DE.CM-09.01"}, {"name": "comment", "value": "This diagnostic statement protects against PowerShell Profile through the use of verifying integrity of software/firmware, loading software that is trusted, ensuring privileged process integrity and checking software signatures."}, {"divider": true}, {"name": "control", "value": "PR.PS-01.03"}, {"name": "comment", "value": "This diagnostic statement provides protection from Powershell Profile through the implementation of security configuration baselines for OS, software, file integrity monitoring and imaging. Security baselining and integrity checking can help protect against adversaries attempting to compromise and modify software and its configurations."}]}, {"techniqueID": "T1547.002", "score": 1, "comment": " Related to: \n \u2022DE.CM-09.01", "metadata": [{"divider": true}, {"name": "control", "value": "DE.CM-09.01"}, {"name": "comment", "value": "This diagnostic statement protects against Authentication Package through the use of verifying integrity of software/firmware, loading software that is trusted, ensuring privileged process integrity and checking software signatures."}]}, {"techniqueID": "T1547.005", "score": 1, "comment": " Related to: \n \u2022DE.CM-09.01", "metadata": [{"divider": true}, {"name": "control", "value": "DE.CM-09.01"}, {"name": "comment", "value": "This diagnostic statement protects against Security Support Provider through the use of verifying integrity of software/firmware, loading software that is trusted, ensuring privileged process integrity and checking software signatures."}]}, {"techniqueID": "T1547.008", "score": 2, "comment": " Related to: \n 
\u2022PR.PS-01.07\n\u2022DE.CM-09.01", "metadata": [{"divider": true}, {"name": "control", "value": "DE.CM-09.01"}, {"name": "comment", "value": "This diagnostic statement protects against LSASS Driver through the use of verifying integrity of software/firmware, loading software that is trusted, ensuring privileged process integrity and checking software signatures."}, {"divider": true}, {"name": "control", "value": "PR.PS-01.07"}, {"name": "comment", "value": "This diagnostic statement protects against Boot or Logon Autostart Execution: LSASS Driver through the use of revocation of keys and key management. Employing key protection strategies for key material used for protecting integrity of boot firmware, system images, and using Hardware Security Modules such as TPMs to store those keys, along with use of Credential Guard provides protection against adversaries trying to compromise boot or logon autostart execution."}]}, {"techniqueID": "T1547.013", "score": 3, "comment": " Related to: \n \u2022PR.AA-01.01\n\u2022PR.AA-01.02\n\u2022DE.CM-09.01", "metadata": [{"divider": true}, {"name": "control", "value": "DE.CM-09.01"}, {"name": "comment", "value": "This diagnostic statement protects against XDG Autostart Entries through the use of verifying integrity of software/firmware, loading software that is trusted, ensuring privileged process integrity and checking software signatures."}, {"divider": true}, {"name": "control", "value": "PR.AA-01.02"}, {"name": "comment", "value": "This diagnostic statement describes how the organization ensures users are identified and authenticated before accessing systems, applications, and hardware, with logical access controls permitting access only to authorized individuals with legitimate business needs. 
Logical access controls in relation to systems can refer to the use of MFA, user account management, and other role-based access control mechanisms to enforce policies for authentication and authorization of user accounts."}, {"divider": true}, {"name": "control", "value": "PR.AA-01.01"}, {"name": "comment", "value": "This diagnostic statement protects against XDG Autostart Entries through the use of hardened access control policies, secure defaults, password complexity requirements, multifactor authentication requirements, and removal of terminated accounts."}]}, {"techniqueID": "T1554", "score": 5, "comment": " Related to: \n \u2022PR.PS-06.05\n\u2022DE.CM-09.01\n\u2022EX.MM-01.01\n\u2022PR.PS-01.03\n\u2022EX.DD-04.01", "metadata": [{"divider": true}, {"name": "control", "value": "DE.CM-09.01"}, {"name": "comment", "value": "This diagnostic statement protects against Compromise Host Software Binary through the use of verifying integrity of software/firmware, loading software that is trusted, ensuring privileged process integrity and checking software signatures."}, {"divider": true}, {"name": "control", "value": "PR.PS-06.05"}, {"name": "comment", "value": "This particular diagnostic statement highlights the use of software security testing, code integrity verifications, and vulnerability scanning to mitigate security weaknesses and vulnerabilities in developed code or applications that an adversary may be able to take advantage of."}, {"divider": true}, {"name": "control", "value": "PR.PS-01.03"}, {"name": "comment", "value": "This diagnostic statement provides protection from Compromise Host Software Binary through the implementation of security configuration baselines for OS, software, file integrity monitoring and imaging. 
Security baselining and integrity checking can help protect against adversaries attempting to compromise and modify software and its configurations."}, {"divider": true}, {"name": "control", "value": "EX.DD-04.01"}, {"name": "comment", "value": "This diagnostic statement describes the organization's formal process for evaluating externally-sourced applications, software, and firmware by assessing compatibility, security, integrity, and authenticity before deployment and after major changes. For example, requiring software from external vendors to be signed with valid certificates before deployment to aid in mitigating software supply chain attacks."}, {"divider": true}, {"name": "control", "value": "EX.MM-01.01"}, {"name": "comment", "value": "This diagnostic statement provides for the implementation of procedures for management of third party products such as ensuring the authenticity and integrity of software."}]}, {"techniqueID": "T1003.003", "score": 6, "comment": " Related to: \n \u2022ID.AM-08.05\n\u2022DE.CM-06.02\n\u2022PR.PS-01.07\n\u2022ID.AM-08.03\n\u2022PR.AA-01.01\n\u2022PR.DS-01.01", "metadata": [{"divider": true}, {"name": "control", "value": "DE.CM-06.02"}, {"name": "comment", "value": "This diagnostic statement protects against NTDS through the use of privileged account management. 
Employing auditing, privileged access management, and just in time access protects against adversaries trying to obtain illicit access to critical systems."}, {"divider": true}, {"name": "control", "value": "PR.DS-01.01"}, {"name": "comment", "value": "This diagnostic statement focuses on protecting data-at-rest by implementing encryption and other security measures such as sandboxing, authentication, segregation, masking, tokenization, and file integrity monitoring."}, {"divider": true}, {"name": "control", "value": "PR.PS-01.07"}, {"name": "comment", "value": "This diagnostic statement protects against OS Credential Dumping: NTDS through the use of revocation of keys and key management. Employing key protection strategies for key material used in protection of domain controller backups, limitations to specific accounts along with access control mechanisms provides protection against adversaries trying to obtain credentials from NTDS backups."}, {"divider": true}, {"name": "control", "value": "ID.AM-08.03"}, {"name": "comment", "value": "This diagnostic statement protects credential data and sensitive PII from being stolen by adversaries via Active Directory domain databases. There may be some similarities to NIST 800-53 SI-12 Information Management and Retention. This may provide mitigation of data access/exfiltration techniques."}, {"divider": true}, {"name": "control", "value": "ID.AM-08.05"}, {"name": "comment", "value": "This diagnostic statement protects credential data and sensitive PII from being stolen by adversaries via Active Directory domain databases. There may be some similarities to NIST 800-53 SI-12 Information Management and Retention. 
This may provide mitigation of data access/exfiltration techniques."}, {"divider": true}, {"name": "control", "value": "PR.AA-01.01"}, {"name": "comment", "value": "This diagnostic statement protects against NTDS through the use of hardened access control policies, secure defaults, password complexity requirements, multifactor authentication requirements, and removal of terminated accounts."}]}, {"techniqueID": "T1003.004", "score": 2, "comment": " Related to: \n \u2022DE.CM-06.02\n\u2022PR.AA-01.01", "metadata": [{"divider": true}, {"name": "control", "value": "DE.CM-06.02"}, {"name": "comment", "value": "This diagnostic statement protects against LSA Secrets through the use of privileged account management. Employing auditing, privileged access management, and just in time access protects against adversaries trying to obtain illicit access to critical systems."}, {"divider": true}, {"name": "control", "value": "PR.AA-01.01"}, {"name": "comment", "value": "This diagnostic statement protects against LSA Secrets through the use of hardened access control policies, secure defaults, password complexity requirements, multifactor authentication requirements, and removal of terminated accounts."}]}, {"techniqueID": "T1586.003", "score": 1, "comment": " Related to: \n \u2022PR.AA-02.01", "metadata": [{"divider": true}, {"name": "control", "value": "PR.AA-02.01"}, {"name": "comment", "value": "This diagnostic statement provides protection from Compromise Accounts through the implementation of privileged account management controls to limit credential access. 
Employing limitations to specific accounts, access control mechanisms, and auditing the attribution logs provides protection against adversaries attempting to modify accounts."}]}, {"techniqueID": "T1565", "score": 9, "comment": " Related to: \n \u2022PR.PS-01.07\n\u2022PR.DS-11.01\n\u2022ID.IM-02.06\n\u2022PR.PS-01.05\n\u2022PR.IR-01.01\n\u2022PR.AA-05.01\n\u2022PR.PS-01.06\n\u2022PR.DS-10.01\n\u2022PR.AA-04.01", "metadata": [{"divider": true}, {"name": "control", "value": "PR.AA-04.01"}, {"name": "comment", "value": "This diagnostic statement provides protection from Data Manipulation through the implementation of privileged account management controls to limit credential access. Employing limitations to specific accounts, access control mechanisms, and auditing the attribution logs provides protection against adversaries attempting to modify data without being observed."}, {"divider": true}, {"name": "control", "value": "PR.DS-11.01"}, {"name": "comment", "value": "This diagnostic statement provides protection from adversaries that try to manipulate, modify and/or harm the integrity of data. Implementing a data backup or disaster recovery plan can be used to restore organizational data that adversaries may have attempted to overwrite. Ensure backups are stored off system and are protected from common methods adversaries may use to gain access and manipulate backups."}, {"divider": true}, {"name": "control", "value": "PR.DS-10.01"}, {"name": "comment", "value": "This Diagnostic Statement describes mitigations related to protecting data-in-use, mentioning encryption, access control methods and authentication. 
Using encryption for data-in-use, alongside other safeguards such as restricting exfiltration of sensitive data, aids with mitigating collection and exfiltration threats."}, {"divider": true}, {"name": "control", "value": "PR.AA-05.01"}, {"name": "comment", "value": "This diagnostic statement describes the implementation of least privilege principle, which can be applied to limiting permissions through role-based access controls, file and directory permissions, and the execution of systems and services. Ensure least privilege principles are applied to important information resources to reduce exposure to data manipulation risk."}, {"divider": true}, {"name": "control", "value": "PR.PS-01.06"}, {"name": "comment", "value": "This diagnostic statement is associated with employing encryption methods to mitigate unauthorized access or theft of data that protect the confidentiality and integrity of data-at-rest, data-in-use, and data-in-transit. To address threats to data manipulation, consider encrypting important information to reduce an adversary\u2019s ability to perform tailored data modifications."}, {"divider": true}, {"name": "control", "value": "PR.PS-01.07"}, {"name": "comment", "value": "This diagnostic statement protects against Data Manipulation through the use of revocation of keys and key management. 
Employing key protection strategies for key material used for storage and transmission of sensitive information over networks, limitations to specific accounts along with access control mechanisms provides protection against data manipulation by adversaries."}, {"divider": true}, {"name": "control", "value": "ID.IM-02.06"}, {"name": "comment", "value": "This diagnostic statement highlights the critical importance of implementing remote data storage solutions as a safeguard against potential adversarial attempts to manipulate or conceal data, which could negatively impact business operations and organizational data integrity."}, {"divider": true}, {"name": "control", "value": "PR.IR-01.01"}, {"name": "comment", "value": "This diagnostic statement is for the implementation of network segmentation which helps prevent access to critical systems and sensitive information. Employ network segmentation to isolate and secure systems hosting critical business and system processes."}, {"divider": true}, {"name": "control", "value": "PR.PS-01.05"}, {"name": "comment", "value": "This diagnostic statement is associated with employing strong encryption methods to mitigate unauthorized access or theft of data that protect the confidentiality and integrity of data-at-rest, data-in-use, and data-in-transit. To address threats to data manipulation, consider encrypting important information to reduce an adversary\u2019s ability to perform tailored data modifications."}]}, {"techniqueID": "T1087.004", "score": 4, "comment": " Related to: \n \u2022PR.AA-05.01\n\u2022PR.AA-01.01\n\u2022PR.AA-01.02\n\u2022PR.AA-04.01", "metadata": [{"divider": true}, {"name": "control", "value": "PR.AA-04.01"}, {"name": "comment", "value": "This diagnostic statement provides protection from Cloud Account through the implementation of privileged account management controls to limit credential access. 
Employing limitations to specific accounts, access control mechanisms, and auditing the attribution logs provides protection against adversaries attempting to modify accounts."}, {"divider": true}, {"name": "control", "value": "PR.AA-05.01"}, {"name": "comment", "value": "This diagnostic statement describes the implementation of least privilege principle, which can be applied to limiting permissions through role-based access controls, file and directory permissions, and the execution of systems and services. An adversary must already have high-level, admin or root level access on a local system to make full use of these ATT&CK techniques. Restricting users and accounts to the least privileges they require can help mitigate these techniques."}, {"divider": true}, {"name": "control", "value": "PR.AA-01.02"}, {"name": "comment", "value": "This diagnostic statement describes how the organization ensures users are identified and authenticated before accessing systems, applications, and hardware, with logical access controls permitting access only to authorized individuals with legitimate business needs. 
Logical access controls in relation to systems can refer to the use of MFA, user account management, and other role-based access control mechanisms to enforce policies for authentication and authorization of user accounts."}, {"divider": true}, {"name": "control", "value": "PR.AA-01.01"}, {"name": "comment", "value": "This diagnostic statement protects against Cloud Account through the use of hardened access control policies, secure defaults, password complexity requirements, multifactor authentication requirements, and removal of terminated accounts."}]}, {"techniqueID": "T1562.001", "score": 2, "comment": " Related to: \n \u2022PR.AA-01.01\n\u2022DE.CM-09.02", "metadata": [{"divider": true}, {"name": "control", "value": "DE.CM-09.02"}, {"name": "comment", "value": "This diagnostic statement provides protection from Disable or Modify Tools through the implementation of integrity checking mechanisms. For example, integrity checking mechanisms to verify the operating system, software, firmware, and information integrity before loading it prevents abuse by a threat actor."}, {"divider": true}, {"name": "control", "value": "PR.AA-01.01"}, {"name": "comment", "value": "This diagnostic statement protects against Disable or Modify Tools through the use of hardened access control policies, secure defaults, password complexity requirements, multifactor authentication requirements, and removal of terminated accounts."}]}, {"techniqueID": "T1091", "score": 2, "comment": " Related to: \n \u2022PR.PS-01.08\n\u2022DE.CM-09.02", "metadata": [{"divider": true}, {"name": "control", "value": "DE.CM-09.02"}, {"name": "comment", "value": "This diagnostic statement provides protection from Replication Through Removable Media through the implementation of integrity checking mechanisms. 
For example, integrity checking mechanisms to verify the operating system, software, firmware, and information integrity before loading it prevents abuse by a threat actor."}, {"divider": true}, {"name": "control", "value": "PR.PS-01.08"}, {"name": "comment", "value": "This diagnostic statement protects against Replication Through Removable Media through the use of limiting access to resources to only authorized devices, management of personal computing devices, network intrusion prevention, and the use of antimalware."}]}, {"techniqueID": "T1600.002", "score": 1, "comment": " Related to: \n \u2022DE.CM-09.02", "metadata": [{"divider": true}, {"name": "control", "value": "DE.CM-09.02"}, {"name": "comment", "value": "This diagnostic statement provides protection from Disable Crypto Hardware through the implementation of integrity checking mechanisms. For example, integrity checking mechanisms to verify the operating system, software, firmware, and information integrity before loading it prevents abuse by a threat actor."}]}, {"techniqueID": "T1195.003", "score": 2, "comment": " Related to: \n \u2022EX.MM-01.01\n\u2022DE.CM-09.02", "metadata": [{"divider": true}, {"name": "control", "value": "DE.CM-09.02"}, {"name": "comment", "value": "This diagnostic statement provides protection from Compromise Hardware Supply Chain through the implementation of integrity checking mechanisms. 
For example, integrity checking mechanisms to verify the operating system, software, firmware, and information integrity before loading it prevents abuse by a threat actor."}, {"divider": true}, {"name": "control", "value": "EX.MM-01.01"}, {"name": "comment", "value": "This diagnostic statement protects against Supply Chain Compromise through the implementation of procedures for management of third party products."}]}, {"techniqueID": "T1565.002", "score": 7, "comment": " Related to: \n \u2022ID.AM-08.05\n\u2022PR.PS-01.07\n\u2022ID.AM-08.03\n\u2022PR.PS-01.05\n\u2022PR.DS-01.01\n\u2022PR.PS-01.06\n\u2022PR.DS-02.01", "metadata": [{"divider": true}, {"name": "control", "value": "PR.DS-02.01"}, {"name": "comment", "value": "This diagnostic statement provides another layer of protection from adversaries trying to gain access to data that is en route to storage or other systems."}, {"divider": true}, {"name": "control", "value": "PR.DS-01.01"}, {"name": "comment", "value": "This diagnostic statement focuses on protecting data-at-rest by implementing encryption and other security measures such as sandboxing, authentication, segregation, masking, tokenization, and file integrity monitoring."}, {"divider": true}, {"name": "control", "value": "PR.PS-01.06"}, {"name": "comment", "value": "This diagnostic statement is associated with employing encryption methods to mitigate unauthorized access or theft of data that protect the confidentiality and integrity of data-at-rest, data-in-use, and data-in-transit. To address threats to transmitted data manipulation, encrypt all important data flows to reduce the impact of tailored modifications on data in transit."}, {"divider": true}, {"name": "control", "value": "PR.PS-01.07"}, {"name": "comment", "value": "This diagnostic statement protects against Transmitted Data Manipulation through the use of revocation of keys and key management. 
Employing key protection strategies for key material used in sensitive information transmitted over networks, limitations to specific accounts along with access control mechanisms provides protection against transmitted data manipulation by adversaries."}, {"divider": true}, {"name": "control", "value": "ID.AM-08.03"}, {"name": "comment", "value": "This diagnostic statement prevents adversaries from manipulating data that is in transit. Encrypting and/or obfuscating data can be used to protect sensitive data from being accessed by adversaries. There may be some similarities to NIST 800-53 SI-12 Information Management and Retention. This may provide mitigation of data access/exfiltration techniques."}, {"divider": true}, {"name": "control", "value": "ID.AM-08.05"}, {"name": "comment", "value": "This diagnostic statement prevents adversaries from manipulating data that is in transit. Encrypting and/or obfuscating data can be used to protect sensitive data from being accessed by adversaries. There may be some similarities to NIST 800-53 SI-12 Information Management and Retention. This may provide mitigation of data access/exfiltration techniques."}, {"divider": true}, {"name": "control", "value": "PR.PS-01.05"}, {"name": "comment", "value": "This diagnostic statement is associated with employing strong encryption methods to mitigate unauthorized access or theft of data that protect the confidentiality and integrity of data-at-rest, data-in-use, and data-in-transit. To address threats to transmitted data manipulation, encrypt all important data flows to reduce the impact of tailored modifications on data in transit. 
"}]}, {"techniqueID": "T1565.001", "score": 9, "comment": " Related to: \n \u2022ID.AM-08.05\n\u2022PR.PS-01.07\n\u2022PR.DS-11.01\n\u2022ID.AM-08.03\n\u2022ID.IM-02.06\n\u2022PR.PS-01.05\n\u2022PR.DS-01.01\n\u2022PR.PS-01.06\n\u2022PR.DS-10.01", "metadata": [{"divider": true}, {"name": "control", "value": "PR.DS-01.01"}, {"name": "comment", "value": "This diagnostic statement focuses on protecting data-at-rest by implementing encryption and other security measures such as sandboxing, authentication, segregation, masking, tokenization, and file integrity monitoring."}, {"divider": true}, {"name": "control", "value": "PR.DS-11.01"}, {"name": "comment", "value": "This diagnostic statement provides protection from adversaries that try to manipulate and/or modify data at rest, which harms the integrity of data. Implementing a data backup or disaster recovery plan can be used to restore organizational data that adversaries may have attempted to overwrite. Ensure backups are stored off system and are protected from common methods adversaries may use to gain access and manipulate backups."}, {"divider": true}, {"name": "control", "value": "PR.DS-10.01"}, {"name": "comment", "value": "This Diagnostic Statement describes mitigations related to protecting data-in-use, mentioning encryption, access control methods and authentication. Using encryption for data-in-use, alongside other safeguards such as restricting exfiltration of sensitive data, aids in mitigating collection and exfiltration threats."}, {"divider": true}, {"name": "control", "value": "PR.PS-01.06"}, {"name": "comment", "value": "This diagnostic statement is associated with employing encryption methods to mitigate unauthorized access or theft of data that protect the confidentiality and integrity of data-at-rest, data-in-use, and data-in-transit. 
To address threats to stored data manipulation, consider encrypting important information to reduce an adversary\u2019s ability to perform tailored data modifications."}, {"divider": true}, {"name": "control", "value": "PR.PS-01.07"}, {"name": "comment", "value": "This diagnostic statement protects against Stored Data Manipulation through the use of revocation of keys and key management. Employing key protection strategies for key material used for storage of sensitive information, limitations to specific accounts along with access control mechanisms provides protection against stored data manipulation by adversaries."}, {"divider": true}, {"name": "control", "value": "ID.AM-08.03"}, {"name": "comment", "value": "This diagnostic statement prevents adversaries from manipulating data at rest. Storing data remotely can be used to properly manage data. There may be some similarities to NIST 800-53 SI-12 Information Management and Retention. This may provide mitigation of data access/exfiltration techniques."}, {"divider": true}, {"name": "control", "value": "ID.IM-02.06"}, {"name": "comment", "value": "This diagnostic statement highlights the critical importance of implementing remote data storage solutions as a safeguard against potential adversarial attempts to manipulate or conceal stored data (i.e. file formats, databases, stored emails, and custom file formats), which could negatively impact business operations and organizational data integrity."}, {"divider": true}, {"name": "control", "value": "ID.AM-08.05"}, {"name": "comment", "value": "This diagnostic statement prevents adversaries from manipulating data at rest. Storing data remotely can be used to properly manage data. There may be some similarities to NIST 800-53 SI-12 Information Management and Retention. 
This may provide mitigation of data access/exfiltration techniques."}, {"divider": true}, {"name": "control", "value": "PR.PS-01.05"}, {"name": "comment", "value": "This diagnostic statement is associated with employing strong encryption methods to mitigate unauthorized access or theft of data that protect the confidentiality and integrity of data-at-rest, data-in-use, and data-in-transit. To address threats to stored data manipulation, consider encrypting important information to reduce an adversary\u2019s ability to perform tailored data modifications."}]}, {"techniqueID": "T1114.003", "score": 4, "comment": " Related to: \n \u2022PR.AA-03.03\n\u2022PR.PS-01.07\n\u2022ID.AM-08.03\n\u2022ID.AM-08.05", "metadata": [{"divider": true}, {"name": "control", "value": "PR.AA-03.03"}, {"name": "comment", "value": "This diagnostic statement provides protection from adversaries that try to gain sensitive information and data from users via email. Utilizing methods such as encryption is recommended to minimize the risk of adversaries collecting user's credentials via email forwarding rules to collect credentials and other sensitive information."}, {"divider": true}, {"name": "control", "value": "PR.PS-01.07"}, {"name": "comment", "value": "This diagnostic statement protects against Email Forwarding Rule through the use of key management. Employing key protection strategies for key material used in protection of emails, limitations to specific accounts along with access control mechanisms provides protection against adversaries abusing email forwarding rule."}, {"divider": true}, {"name": "control", "value": "ID.AM-08.03"}, {"name": "comment", "value": "This diagnostic statement protects credential data and sensitive PII found in emails from being stolen by adversaries. It also prevents adversaries from abusing email forwarding rules. There may be some similarities to NIST 800-53 SI-12 Information Management and Retention. 
This may provide mitigation of data access/exfiltration techniques."}, {"divider": true}, {"name": "control", "value": "ID.AM-08.05"}, {"name": "comment", "value": "This diagnostic statement protects credential data and sensitive PII found in emails from being stolen by adversaries. It also prevents adversaries from abusing email forwarding rules. There may be some similarities to NIST 800-53 SI-12 Information Management and Retention. This may provide mitigation of data access/exfiltration techniques."}]}, {"techniqueID": "T1114.001", "score": 6, "comment": " Related to: \n \u2022ID.AM-08.05\n\u2022PR.PS-01.07\n\u2022ID.AM-08.03\n\u2022PR.PS-01.05\n\u2022PR.AA-03.03\n\u2022PR.PS-01.06", "metadata": [{"divider": true}, {"name": "control", "value": "PR.AA-03.03"}, {"name": "comment", "value": "This diagnostic statement provides protection from adversaries that try to gain sensitive information and data from users via email. Utilizing methods such as encryption and using public cryptographic keys are recommended to minimize the risk of adversaries collecting information from files saved on email servers and caches."}, {"divider": true}, {"name": "control", "value": "PR.PS-01.06"}, {"name": "comment", "value": "This diagnostic statement is associated with employing encryption methods to mitigate unauthorized access or theft of data that protect the confidentiality and integrity of data-at-rest, data-in-use, and data-in-transit. To address threats to email collection, the use of encryption provides an added layer of security to sensitive information sent over email. Encryption using public key cryptography requires the adversary to obtain the private certificate along with an encryption key to decrypt messages. 
File encryption should be enforced across email communications containing sensitive information that may be obtained through access to email services."}, {"divider": true}, {"name": "control", "value": "PR.PS-01.07"}, {"name": "comment", "value": "This diagnostic statement protects against Local Email Collection through the use of key management. Employing key protection strategies for key material used in protection of emails, limitations to specific accounts along with access control mechanisms provides protection against adversaries abusing local email collection."}, {"divider": true}, {"name": "control", "value": "ID.AM-08.03"}, {"name": "comment", "value": "This diagnostic statement prevents adversaries from manipulating emails and having the ability to collect sensitive data (PII) from users. There may be some similarities to NIST 800-53 SI-12 Information Management and Retention. This may provide mitigation of data access/exfiltration techniques."}, {"divider": true}, {"name": "control", "value": "ID.AM-08.05"}, {"name": "comment", "value": "This diagnostic statement prevents adversaries from manipulating emails and having the ability to collect sensitive data (PII) from users. There may be some similarities to NIST 800-53 SI-12 Information Management and Retention. This may provide mitigation of data access/exfiltration techniques."}, {"divider": true}, {"name": "control", "value": "PR.PS-01.05"}, {"name": "comment", "value": "This diagnostic statement is associated with employing strong encryption methods to mitigate unauthorized access or theft of data that protect the confidentiality and integrity of data-at-rest, data-in-use, and data-in-transit. To address threats to email collection, the use of encryption provides an added layer of security to sensitive information sent over email. Encryption using public key cryptography requires the adversary to obtain the private certificate along with an encryption key to decrypt messages. 
File encryption should be enforced across email communications containing sensitive information that may be obtained through access to email services."}]}, {"techniqueID": "T1195.002", "score": 5, "comment": " Related to: \n \u2022ID.RA-01.03\n\u2022PR.PS-02.01\n\u2022EX.MM-01.01\n\u2022EX.DD-04.01\n\u2022PR.PS-06.06", "metadata": [{"divider": true}, {"name": "control", "value": "ID.RA-01.03"}, {"name": "comment", "value": "This diagnostic statement provides protection from vulnerabilities in exposed applications from across the organization through the use of tools that scan for and review vulnerabilities along with patch management and remediation of those vulnerabilities. Scanning and addressing vulnerabilities in software dependencies and development tools can help reduce the attack surface for the organization and protect against adversaries looking for ways to access its systems."}, {"divider": true}, {"name": "control", "value": "PR.PS-02.01"}, {"name": "comment", "value": "This diagnostic statement is related to the implementation of a patch management program. Applying patches and upgrades for products and systems provided by vendors mitigates the risk of adversaries exploiting known vulnerabilities. A patch management process can help prevent supply chain compromise through checking unused dependencies, unmaintained and/or previously vulnerable dependencies, unnecessary features, components, files, and documentation."}, {"divider": true}, {"name": "control", "value": "PR.PS-06.06"}, {"name": "comment", "value": "This diagnostic statement provides for identifying and remediating vulnerabilities as part of the SDLC. 
Continuous monitoring of vulnerability sources and the use of automatic and manual code review tools can mitigate Supply Chain Compromise."}, {"divider": true}, {"name": "control", "value": "EX.DD-04.01"}, {"name": "comment", "value": "This diagnostic statement describes the organization's formal process for evaluating externally-sourced applications, software, and firmware by assessing compatibility, security, integrity, and authenticity before deployment and after major changes. For example, requiring software from external vendors to be signed with valid certificates before deployment to aid in mitigating software supply chain attacks."}, {"divider": true}, {"name": "control", "value": "EX.MM-01.01"}, {"name": "comment", "value": "This diagnostic statement protects against Supply Chain Compromise through the implementation of procedures for management of third party products."}]}, {"techniqueID": "T1070", "score": 6, "comment": " Related to: \n \u2022ID.AM-08.05\n\u2022PR.PS-01.07\n\u2022ID.AM-08.03\n\u2022PR.PS-01.05\n\u2022PR.PS-01.06\n\u2022PR.DS-10.01", "metadata": [{"divider": true}, {"name": "control", "value": "PR.DS-10.01"}, {"name": "comment", "value": "This Diagnostic Statement describes mitigations related to protecting data-in-use, mentioning encryption, access control methods and authentication. Using encryption for data-in-use, alongside other safeguards such as restricting exfiltration of sensitive data, aids in mitigating collection and exfiltration threats."}, {"divider": true}, {"name": "control", "value": "PR.PS-01.06"}, {"name": "comment", "value": "This diagnostic statement is associated with employing encryption methods to mitigate unauthorized access or theft of data that protect the confidentiality and integrity of data-at-rest, data-in-use, and data-in-transit. 
To address threats to indicator removal techniques, obfuscate/encrypt event files locally and in transit to avoid giving feedback to an adversary."}, {"divider": true}, {"name": "control", "value": "PR.PS-01.07"}, {"name": "comment", "value": "This diagnostic statement protects against Indicator Removal through the use of key management. Employing key protection strategies for key material used in protection of indicators, limitations to specific accounts along with access control mechanisms provides protection against adversaries trying to remove indicators of compromise."}, {"divider": true}, {"name": "control", "value": "ID.AM-08.03"}, {"name": "comment", "value": "Storing data remotely can be used to properly manage data so that adversaries won't be able to interfere with processes used to detect intrusion activities. There may be some similarities to NIST 800-53 SI-12 Information Management and Retention. This may provide mitigation of data access/exfiltration techniques."}, {"divider": true}, {"name": "control", "value": "ID.AM-08.05"}, {"name": "comment", "value": "Storing data remotely can be used to properly manage data so that adversaries won't be able to interfere with processes used to detect intrusion activities. There may be some similarities to NIST 800-53 SI-12 Information Management and Retention. This may provide mitigation of data access/exfiltration techniques."}, {"divider": true}, {"name": "control", "value": "PR.PS-01.05"}, {"name": "comment", "value": "This diagnostic statement is associated with employing strong encryption methods to mitigate unauthorized access or theft of data that protect the confidentiality and integrity of data-at-rest, data-in-use, and data-in-transit. 
To address threats to indicator removal techniques, obfuscate/encrypt event files locally and in transit to avoid giving feedback to an adversary."}]}, {"techniqueID": "T1119", "score": 4, "comment": " Related to: \n \u2022ID.AM-08.05\n\u2022PR.PS-01.07\n\u2022ID.AM-08.03\n\u2022PR.DS-10.01", "metadata": [{"divider": true}, {"name": "control", "value": "PR.DS-10.01"}, {"name": "comment", "value": "This Diagnostic Statement describes mitigations related to protecting data-in-use, mentioning encryption, access control methods and authentication. Using encryption for data-in-use, alongside other safeguards such as restricting exfiltration of sensitive data, aids in mitigating collection and exfiltration threats."}, {"divider": true}, {"name": "control", "value": "PR.PS-01.07"}, {"name": "comment", "value": "This diagnostic statement protects against Adversary-in-the-middle: ARP Cache Poisoning through the use of revocation of keys and key management. Employing key protection strategies for key material used in identity management and authentication processes over networks, limitations to specific accounts along with access control mechanisms provides protection against adversary-in-the-middle."}, {"divider": true}, {"name": "control", "value": "ID.AM-08.03"}, {"name": "comment", "value": "This diagnostic statement prevents adversaries from using automated techniques for collecting internal data. There may be some similarities to NIST 800-53 SI-12 Information Management and Retention. This may provide mitigation of data access/exfiltration techniques."}, {"divider": true}, {"name": "control", "value": "ID.AM-08.05"}, {"name": "comment", "value": "This diagnostic statement prevents adversaries from using automated techniques for collecting internal data. There may be some similarities to NIST 800-53 SI-12 Information Management and Retention. 
This may provide mitigation of data access/exfiltration techniques."}]}, {"techniqueID": "T1578", "score": 4, "comment": " Related to: \n \u2022PR.AA-05.01\n\u2022PR.AA-01.01\n\u2022PR.PS-01.09\n\u2022PR.AA-01.02", "metadata": [{"divider": true}, {"name": "control", "value": "PR.AA-05.01"}, {"name": "comment", "value": "This diagnostic statement describes the implementation of least privilege principle, which can be applied to limiting permissions through role-based access controls, file and directory permissions, and the execution of systems and services. An adversary must already have high-level, admin or root level access on a local system to make full use of these ATT&CK techniques. Restricting users and accounts to the least privileges they require can help mitigate these techniques."}, {"divider": true}, {"name": "control", "value": "PR.AA-01.02"}, {"name": "comment", "value": "This diagnostic statement describes how the organization ensures users are identified and authenticated before accessing systems, applications, and hardware, with logical access controls permitting access only to authorized individuals with legitimate business needs. Logical access controls in relation to systems can refer to the use of MFA, user account management, and other role-based access control mechanisms to enforce policies for authentication and authorization of user accounts."}, {"divider": true}, {"name": "control", "value": "PR.PS-01.09"}, {"name": "comment", "value": "The diagnostic statement highlights several mitigating controls that organizations can implement to protect endpoint systems using virtualization technologies. An adversary may attempt to modify a cloud account's compute service infrastructure to evade defenses. A modification to the compute service infrastructure can include the creation, deletion, or modification of one or more components such as compute instances, virtual machines, and snapshots. 
To aid in mitigating this technique, consider limiting user permissions to ensure only the expected users have the capability to modify cloud compute infrastructure components."}, {"divider": true}, {"name": "control", "value": "PR.AA-01.01"}, {"name": "comment", "value": "This diagnostic statement protects against Modify Cloud Compute Infrastructure through the use of hardened access control policies, secure defaults, password complexity requirements, multifactor authentication requirements, and removal of terminated accounts."}]}, {"techniqueID": "T1562.012", "score": 2, "comment": " Related to: \n \u2022PR.AA-05.01\n\u2022PR.AA-01.01", "metadata": [{"divider": true}, {"name": "control", "value": "PR.AA-05.01"}, {"name": "comment", "value": "This diagnostic statement describes the implementation of least privilege principle, which can be applied to limiting permissions through role-based access controls, file and directory permissions, and the execution of systems and services. An adversary must already have high-level, admin or root level access on a local system to make full use of these ATT&CK techniques. 
Restricting users and accounts to the least privileges they require can help mitigate these techniques."}, {"divider": true}, {"name": "control", "value": "PR.AA-01.01"}, {"name": "comment", "value": "This diagnostic statement protects against Disable or Modify Linux Audit System through the use of hardened access control policies, secure defaults, password complexity requirements, multifactor authentication requirements, and removal of terminated accounts."}]}, {"techniqueID": "T1613", "score": 6, "comment": " Related to: \n \u2022PR.AA-01.01\n\u2022PR.IR-01.03\n\u2022PR.IR-01.01\n\u2022PR.AA-05.01\n\u2022PR.IR-01.02\n\u2022PR.PS-01.08", "metadata": [{"divider": true}, {"name": "control", "value": "PR.AA-05.01"}, {"name": "comment", "value": "This diagnostic statement describes the implementation of least privilege principle, which can be applied to limiting permissions through role-based access controls, file and directory permissions, and the execution of systems and services. An adversary must already have high-level, admin or root level access on a local system to make full use of these ATT&CK techniques. Restricting users and accounts to the least privileges they require can help mitigate these techniques."}, {"divider": true}, {"name": "control", "value": "PR.IR-01.01"}, {"name": "comment", "value": "This diagnostic statement is for the implementation of network segmentation which helps prevent access to critical systems and sensitive information. Employing network segmentation to deny direct remote access to internal systems externally provides protection against adversaries attempting to discover resources in container environments."}, {"divider": true}, {"name": "control", "value": "PR.IR-01.02"}, {"name": "comment", "value": "This diagnostic statement provides protection through secure network device configurations (e.g., firewall rules, ports, and protocols) aligned to security baselines. 
Using network appliances to limit communications with container services can prevent adversaries from discovering resources in container environments."}, {"divider": true}, {"name": "control", "value": "PR.IR-01.03"}, {"name": "comment", "value": "This diagnostic statement protects against Container and Resource Discovery through the use of secure network configurations, architecture, implementations of zero trust architecture, and segmentation."}, {"divider": true}, {"name": "control", "value": "PR.AA-01.01"}, {"name": "comment", "value": "This diagnostic statement protects against Container and Resource Discovery through the use of hardened access control policies, secure defaults, password complexity requirements, multifactor authentication requirements, and removal of terminated accounts."}, {"divider": true}, {"name": "control", "value": "PR.PS-01.08"}, {"name": "comment", "value": "This diagnostic statement protects against Container and Resource Discovery through the use of limiting access to resources to only authorized devices, management of personal computing devices, network intrusion prevention, and the use of antimalware."}]}, {"techniqueID": "T1580", "score": 3, "comment": " Related to: \n \u2022PR.AA-05.01\n\u2022PR.AA-01.01\n\u2022PR.AA-01.02", "metadata": [{"divider": true}, {"name": "control", "value": "PR.AA-05.01"}, {"name": "comment", "value": "This diagnostic statement describes the implementation of least privilege principle, which can be applied to limiting permissions through role-based access controls, file and directory permissions, and the execution of systems and services. An adversary must already have high-level, admin or root level access on a local system to make full use of these ATT&CK techniques. 
Restricting users and accounts to the least privileges they require can help mitigate these techniques."}, {"divider": true}, {"name": "control", "value": "PR.AA-01.02"}, {"name": "comment", "value": "This diagnostic statement describes how the organization ensures users are identified and authenticated before accessing systems, applications, and hardware, with logical access controls permitting access only to authorized individuals with legitimate business needs. Logical access controls in relation to systems can refer to the use of MFA, user account management, and other role-based access control mechanisms to enforce policies for authentication and authorization of user accounts."}, {"divider": true}, {"name": "control", "value": "PR.AA-01.01"}, {"name": "comment", "value": "This diagnostic statement protects against Cloud Infrastructure Discovery through the use of hardened access control policies, secure defaults, password complexity requirements, multifactor authentication requirements, and removal of terminated accounts."}]}, {"techniqueID": "T1547.009", "score": 3, "comment": " Related to: \n \u2022PR.AA-05.01\n\u2022PR.AA-01.01\n\u2022PR.AA-01.02", "metadata": [{"divider": true}, {"name": "control", "value": "PR.AA-05.01"}, {"name": "comment", "value": "This diagnostic statement describes the implementation of least privilege principle, which can be applied to limiting permissions through role-based access controls, file and directory permissions, and the execution of systems and services. An adversary must already have high-level, admin or root level access on a local system to make full use of these ATT&CK techniques. 
Restricting users and accounts to the least privileges they require can help mitigate these techniques."}, {"divider": true}, {"name": "control", "value": "PR.AA-01.02"}, {"name": "comment", "value": "This diagnostic statement describes how the organization ensures users are identified and authenticated before accessing systems, applications, and hardware, with logical access controls permitting access only to authorized individuals with legitimate business needs. Logical access controls in relation to systems can refer to the use of MFA, user account management, and other role-based access control mechanisms to enforce policies for authentication and authorization of user accounts."}, {"divider": true}, {"name": "control", "value": "PR.AA-01.01"}, {"name": "comment", "value": "This diagnostic statement protects against Shortcut Modification through the use of hardened access control policies, secure defaults, password complexity requirements, multifactor authentication requirements, and removal of terminated accounts."}]}, {"techniqueID": "T1574.011", "score": 1, "comment": " Related to: \n \u2022PR.AA-05.01", "metadata": [{"divider": true}, {"name": "control", "value": "PR.AA-05.01"}, {"name": "comment", "value": "This diagnostic statement describes the implementation of least privilege principle, which can be applied to limiting permissions through role-based access controls, file and directory permissions, and the execution of systems and services. 
Ensure proper permissions are set for Registry hives to prevent users from modifying keys for logon scripts that may lead to persistence."}]}, {"techniqueID": "T1037.001", "score": 1, "comment": " Related to: \n \u2022PR.AA-05.01", "metadata": [{"divider": true}, {"name": "control", "value": "PR.AA-05.01"}, {"name": "comment", "value": "This diagnostic statement describes the implementation of least privilege principle, which can be applied to limiting permissions through role-based access controls, file and directory permissions, and the execution of systems and services. Ensure proper permissions are set for Registry hives to prevent users from modifying keys for logon scripts that may lead to persistence."}]}, {"techniqueID": "T1037", "score": 1, "comment": " Related to: \n \u2022PR.AA-05.01", "metadata": [{"divider": true}, {"name": "control", "value": "PR.AA-05.01"}, {"name": "comment", "value": "This diagnostic statement describes the implementation of least privilege principle, which can be applied to limiting permissions through role-based access controls, file and directory permissions, and the execution of systems and services. Ensure proper permissions are set for Registry hives to prevent users from modifying keys for logon scripts that may lead to persistence."}]}, {"techniqueID": "T1498.002", "score": 6, "comment": " Related to: \n \u2022PR.IR-04.02\n\u2022DE.CM-01.02\n\u2022ID.IM-02.06\n\u2022PR.IR-01.03\n\u2022PR.PS-01.04\n\u2022PR.PS-01.08", "metadata": [{"divider": true}, {"name": "control", "value": "DE.CM-01.02"}, {"name": "comment", "value": "This diagnostic statement may block Denial of Service (DoS) attacks from occurring by adversaries that induces a reflection attack by sending packets to reflectors with the spoofed address of the victim. 
Filtering boundary traffic can be used to intercept incoming traffic and filter out the attack traffic from the legitimate traffic."}, {"divider": true}, {"name": "control", "value": "ID.IM-02.06"}, {"name": "comment", "value": "This diagnostic statement focuses on safeguarding IP addresses from potential attacks by adversaries targeting third-party servers and causing DoS attacks. Additionally, the integration of third-party services is recommended to support the development of a comprehensive business continuity plan, ensuring an effective response to such incidents."}, {"divider": true}, {"name": "control", "value": "PR.IR-04.02"}, {"name": "comment", "value": "This diagnostic approach safeguards systems and network resources from adversaries seeking to block availability of services to users by attempting to conduct DoS attacks. Implementing mitigation strategies, such as filtering network traffic, enables blocking IP addresses and protocols used for transport."}, {"divider": true}, {"name": "control", "value": "PR.PS-01.04"}, {"name": "comment", "value": "NTP amplification is a specialized form of distributed denial-of-service (DDoS) reflection amplification attack that exploits the Network Time Protocol (NTP) to overwhelm victims with high volumes of traffic. This diagnostic statement describes practice guidance to secure and manage time synchronization infrastructure. 
To mitigate this technique under best practice guidance, consider patching or upgrading NTP software to remove or disable dangerous amplifying commands such as monlist; enable authentication for NTP configuration changes to mitigate anonymous abuse; filter inbound UDP port 123 at the network boundary so that unsolicited NTP traffic does not reach internal hosts; and limit access to NTP servers to authorized hosts rather than granting global access, to prevent widespread abuse of the servers in DDoS reflection attacks."}, {"divider": true}, {"name": "control", "value": "PR.IR-01.03"}, {"name": "comment", "value": "This diagnostic statement protects against Reflection Amplification through the use of secure network configurations, architecture, implementations of zero trust architecture, and segmentation."}, {"divider": true}, {"name": "control", "value": "PR.PS-01.08"}, {"name": "comment", "value": "This diagnostic statement protects against Reflection Amplification through the use of limiting access to resources to only authorized devices, management of personal computing devices, network intrusion prevention, and the use of antimalware."}]}, {"techniqueID": "T1498.001", "score": 5, "comment": " Related to: \n \u2022PR.IR-04.02\n\u2022DE.CM-01.02\n\u2022ID.IM-02.06\n\u2022PR.IR-01.03\n\u2022PR.PS-01.08", "metadata": [{"divider": true}, {"name": "control", "value": "DE.CM-01.02"}, {"name": "comment", "value": "This diagnostic statement may block Denial of Service (DoS) attacks from occurring by adversaries that send a high volume of network traffic to a target network. Filtering boundary traffic can be used to intercept incoming traffic and filter out the attack traffic from the legitimate traffic."}, {"divider": true}, {"name": "control", "value": "ID.IM-02.06"}, {"name": "comment", "value": "This diagnostic statement focuses on safeguarding IP addresses from potential attacks by adversaries, including Network Denial of Service (DoS) attacks targeting the availability and functionality of networks. 
Additionally, the integration of third-party services is recommended to support the development of a comprehensive business continuity plan, ensuring an effective response to such incidents."}, {"divider": true}, {"name": "control", "value": "PR.IR-04.02"}, {"name": "comment", "value": "This diagnostic approach safeguards systems and network resources from adversaries seeking to block availability of services to users by attempting to conduct DoS attacks. Implementing mitigation strategies, such as filtering network traffic and using ISP or third-party providers, enables blocking IP addresses and protocols used for transport."}, {"divider": true}, {"name": "control", "value": "PR.IR-01.03"}, {"name": "comment", "value": "This diagnostic statement protects against Direct Network Flood through the use of secure network configurations, architecture, implementations of zero trust architecture, and segmentation."}, {"divider": true}, {"name": "control", "value": "PR.PS-01.08"}, {"name": "comment", "value": "This diagnostic statement protects against Direct Network Flood through the use of limiting access to resources to only authorized devices, management of personal computing devices, network intrusion prevention, and the use of antimalware."}]}, {"techniqueID": "T1498", "score": 6, "comment": " Related to: \n \u2022PR.IR-04.01\n\u2022PR.IR-04.02\n\u2022DE.CM-01.02\n\u2022ID.IM-02.06\n\u2022PR.IR-01.03\n\u2022PR.PS-01.08", "metadata": [{"divider": true}, {"name": "control", "value": "DE.CM-01.02"}, {"name": "comment", "value": "This diagnostic statement may block Network Denial of Service (DoS) attacks from occurring by adversaries that target resources made available to users via websites, email services, DNS, and web-based applications. 
Filtering boundary traffic can be used to intercept incoming traffic and filter out the attack traffic from the legitimate traffic."}, {"divider": true}, {"name": "control", "value": "ID.IM-02.06"}, {"name": "comment", "value": "This diagnostic statement focuses on safeguarding IP addresses from potential attacks by adversaries, including Network Denial of Service (DoS) attacks targeting websites, email services, and web-based applications. Additionally, the integration of third-party services is recommended to support the development of a comprehensive business continuity plan, ensuring an effective response to such incidents."}, {"divider": true}, {"name": "control", "value": "PR.IR-04.01"}, {"name": "comment", "value": "This diagnostic statement describes how the organization establishes and manages baseline measures of network activity, supported by network monitoring tools and other controls to detect events and identify incidents. Mitigating mechanisms may include: Data Loss Prevention (DLP); Filtering Network Traffic; Limit Network Traffic; Network Intrusion Prevention Systems (NIPS); and Network Segmentation for these types of network-based techniques."}, {"divider": true}, {"name": "control", "value": "PR.IR-04.02"}, {"name": "comment", "value": "This diagnostic approach safeguards systems and network resources from adversaries seeking to block availability of services to users by attempting to conduct DoS attacks. 
Implementing mitigation strategies, such as filtering network traffic, enables blocking IP addresses and protocols used for transport."}, {"divider": true}, {"name": "control", "value": "PR.IR-01.03"}, {"name": "comment", "value": "This diagnostic statement protects against Network Denial of Service through the use of secure network configurations, architecture, implementations of zero trust architecture, and segmentation."}, {"divider": true}, {"name": "control", "value": "PR.PS-01.08"}, {"name": "comment", "value": "This diagnostic statement protects against Network Denial of Service through the use of limiting access to resources to only authorized devices, management of personal computing devices, network intrusion prevention, and the use of antimalware."}]}, {"techniqueID": "T1499.004", "score": 4, "comment": " Related to: \n \u2022PR.IR-04.02\n\u2022DE.CM-01.02\n\u2022PR.IR-01.03\n\u2022PR.PS-01.08", "metadata": [{"divider": true}, {"name": "control", "value": "DE.CM-01.02"}, {"name": "comment", "value": "This diagnostic statement may block Denial of Service (DoS) attacks from occurring by adversaries that exploit software vulnerabilities that can cause a system or application to crash. Filtering boundary traffic can be used to block source addresses and block ports that are being targeted. It also blocks protocols being used for transport."}, {"divider": true}, {"name": "control", "value": "PR.IR-04.02"}, {"name": "comment", "value": "This diagnostic approach safeguards systems and network resources from adversaries seeking to block availability of services to users by attempting to conduct DoS attacks. 
Implementing mitigation strategies, such as filtering network traffic, enables blocking IP addresses and protocols used for transport."}, {"divider": true}, {"name": "control", "value": "PR.IR-01.03"}, {"name": "comment", "value": "This diagnostic statement protects against Application or System Exploitation through the use of secure network configurations, architecture, implementations of zero trust architecture, and segmentation."}, {"divider": true}, {"name": "control", "value": "PR.PS-01.08"}, {"name": "comment", "value": "This diagnostic statement protects against Application or System Exploitation through the use of limiting access to resources to only authorized devices, management of personal computing devices, network intrusion prevention, and the use of antimalware."}]}, {"techniqueID": "T1499.003", "score": 4, "comment": " Related to: \n \u2022PR.IR-04.02\n\u2022DE.CM-01.02\n\u2022PR.IR-01.03\n\u2022PR.PS-01.08", "metadata": [{"divider": true}, {"name": "control", "value": "DE.CM-01.02"}, {"name": "comment", "value": "This diagnostic statement may block Denial of Service (DoS) attacks from occurring by adversaries that target application features. Filtering boundary traffic can be used to block source addresses and block ports that are being targeted. It also blocks protocols being used for transport."}, {"divider": true}, {"name": "control", "value": "PR.IR-04.02"}, {"name": "comment", "value": "This diagnostic approach safeguards systems and network resources from adversaries seeking to block availability of services to users by attempting to exploit software vulnerabilities that can cause an application or system to crash. 
Implementing mitigation strategies, such as filtering network traffic, enables blocking IP addresses and protocols used for transport."}, {"divider": true}, {"name": "control", "value": "PR.IR-01.03"}, {"name": "comment", "value": "This diagnostic statement protects against Application Exhaustion Flood through the use of secure network configurations, architecture, implementations of zero trust architecture, and segmentation."}, {"divider": true}, {"name": "control", "value": "PR.PS-01.08"}, {"name": "comment", "value": "This diagnostic statement protects against Application Exhaustion Flood through the use of limiting access to resources to only authorized devices, management of personal computing devices, network intrusion prevention, and the use of antimalware."}]}, {"techniqueID": "T1499.002", "score": 4, "comment": " Related to: \n \u2022PR.IR-04.02\n\u2022DE.CM-01.02\n\u2022PR.IR-01.03\n\u2022PR.PS-01.08", "metadata": [{"divider": true}, {"name": "control", "value": "DE.CM-01.02"}, {"name": "comment", "value": "This diagnostic statement may block Endpoint Denial of Service (DoS) attacks from occurring from adversaries that target DNS and web services. Filtering boundary traffic can be used to block source addresses and block ports that are being targeted. It also blocks protocols being used for transport."}, {"divider": true}, {"name": "control", "value": "PR.IR-04.02"}, {"name": "comment", "value": "This diagnostic approach safeguards systems and network resources from adversaries seeking to block availability of services to users by attempting to conduct DoS attacks. 
Implementing mitigation strategies, such as filtering network traffic, enables blocking IP addresses and protocols used for transport."}, {"divider": true}, {"name": "control", "value": "PR.IR-01.03"}, {"name": "comment", "value": "This diagnostic statement protects against Service Exhaustion Flood through the use of secure network configurations, architecture, implementations of zero trust architecture, and segmentation."}, {"divider": true}, {"name": "control", "value": "PR.PS-01.08"}, {"name": "comment", "value": "This diagnostic statement protects against Service Exhaustion Flood through the use of limiting access to resources to only authorized devices, management of personal computing devices, network intrusion prevention, and the use of antimalware."}]}, {"techniqueID": "T1499.001", "score": 3, "comment": " Related to: \n \u2022DE.CM-01.02\n\u2022PR.IR-01.03\n\u2022PR.PS-01.08", "metadata": [{"divider": true}, {"name": "control", "value": "DE.CM-01.02"}, {"name": "comment", "value": "This diagnostic statement may block Endpoint Denial of Service (DoS) attacks from occurring by adversaries that target an endpoint's operating system (OS). Filtering boundary traffic can be used to block source addresses and block ports that are being targeted. 
It also blocks protocols being used for transport."}, {"divider": true}, {"name": "control", "value": "PR.IR-01.03"}, {"name": "comment", "value": "This diagnostic statement protects against OS Exhaustion Flood through the use of secure network configurations, architecture, implementations of zero trust architecture, and segmentation."}, {"divider": true}, {"name": "control", "value": "PR.PS-01.08"}, {"name": "comment", "value": "This diagnostic statement protects against OS Exhaustion Flood through the use of limiting access to resources to only authorized devices, management of personal computing devices, network intrusion prevention, and the use of antimalware."}]}, {"techniqueID": "T1499", "score": 5, "comment": " Related to: \n \u2022PR.IR-04.01\n\u2022PR.IR-04.02\n\u2022DE.CM-01.02\n\u2022PR.IR-01.03\n\u2022PR.PS-01.08", "metadata": [{"divider": true}, {"name": "control", "value": "DE.CM-01.02"}, {"name": "comment", "value": "This diagnostic statement may block Endpoint Denial of Service (DoS) attacks from occurring via websites, email services, and web-based applications. Filtering boundary traffic can be used to block source addresses and block ports that are being targeted. It also blocks protocols being used for transport."}, {"divider": true}, {"name": "control", "value": "PR.IR-04.01"}, {"name": "comment", "value": "This diagnostic statement describes how the organization establishes and manages baseline measures of network activity, supported by network monitoring tools and other controls to detect events and identify incidents. 
Mitigating mechanisms may include: Data Loss Prevention (DLP); Filtering Network Traffic; Limit Network Traffic; Network Intrusion Prevention Systems (NIPS); and Network Segmentation for these types of network-based techniques."}, {"divider": true}, {"name": "control", "value": "PR.IR-04.02"}, {"name": "comment", "value": "This diagnostic approach safeguards systems and network resources from adversaries seeking to block availability of services to users by attempting to conduct DoS attacks. Implementing mitigation strategies, such as filtering network traffic, enables blocking IP addresses and protocols used for transport."}, {"divider": true}, {"name": "control", "value": "PR.IR-01.03"}, {"name": "comment", "value": "This diagnostic statement protects against Endpoint Denial of Service through the use of secure network configurations, architecture, implementations of zero trust architecture, and segmentation."}, {"divider": true}, {"name": "control", "value": "PR.PS-01.08"}, {"name": "comment", "value": "This diagnostic statement protects against Endpoint Denial of Service through the use of limiting access to resources to only authorized devices, management of personal computing devices, network intrusion prevention, and the use of antimalware."}]}, {"techniqueID": "T1552.006", "score": 2, "comment": " Related to: \n \u2022PR.PS-02.01\n\u2022PR.AA-01.01", "metadata": [{"divider": true}, {"name": "control", "value": "PR.PS-02.01"}, {"name": "comment", "value": "This diagnostic statement is related to the implementation of a patch management program. Applying patches and upgrades for products and systems provided by vendors mitigates the risk of adversaries exploiting known vulnerabilities. 
An example of this for Group Policy Preferences (GPPs) is to update software by applying patch KB2962486, which prevents credentials from being stored in group policy preferences."}, {"divider": true}, {"name": "control", "value": "PR.AA-01.01"}, {"name": "comment", "value": "This diagnostic statement protects against Group Policy Preferences through the use of hardened access control policies, secure defaults, password complexity requirements, multifactor authentication requirements, and removal of terminated accounts."}]}, {"techniqueID": "T1546.011", "score": 2, "comment": " Related to: \n \u2022PR.PS-02.01\n\u2022PR.AA-01.01", "metadata": [{"divider": true}, {"name": "control", "value": "PR.PS-02.01"}, {"name": "comment", "value": "This diagnostic statement is related to the implementation of a patch management program. Applying patches and upgrades for products and systems provided by vendors mitigates the risk of adversaries exploiting known vulnerabilities. For example, to prevent use of application shimming to bypass UAC, Microsoft released patch KB3045645, which removes the \"auto-elevate\" flag within sdbinst.exe."}, {"divider": true}, {"name": "control", "value": "PR.AA-01.01"}, {"name": "comment", "value": "This diagnostic statement protects against Application Shimming through the use of hardened access control policies, secure defaults, password complexity requirements, multifactor authentication requirements, and removal of terminated accounts."}]}, {"techniqueID": "T1546.010", "score": 1, "comment": " Related to: \n \u2022PR.PS-02.01", "metadata": [{"divider": true}, {"name": "control", "value": "PR.PS-02.01"}, {"name": "comment", "value": "This diagnostic statement is related to the implementation of a patch management program. Applying patches and upgrades for products and systems provided by vendors mitigates the risk of adversaries exploiting known vulnerabilities. 
For example, upgrading to Windows 8 or later and enabling secure boot can help prevent execution of malicious content via AppInit DLLs."}]}, {"techniqueID": "T1555.003", "score": 4, "comment": " Related to: \n \u2022PR.PS-02.01\n\u2022PR.AA-01.01\n\u2022PR.AA-01.02\n\u2022DE.CM-01.05", "metadata": [{"divider": true}, {"name": "control", "value": "PR.PS-02.01"}, {"name": "comment", "value": "This diagnostic statement is related to the implementation of a patch management program. Applying patches and upgrades for products and systems provided by vendors mitigates the risk of adversaries exploiting known vulnerabilities. For example, regularly updating web browsers, password managers, and related software reduces the risk of vulnerabilities being exploited by attackers to extract stored credentials or session cookies."}, {"divider": true}, {"name": "control", "value": "DE.CM-01.05"}, {"name": "comment", "value": "This diagnostic statement provides for implementing tools and measures for web-based content and browser security settings that can help prevent session cookie theft."}, {"divider": true}, {"name": "control", "value": "PR.AA-01.02"}, {"name": "comment", "value": "This diagnostic statement describes how the organization ensures users are identified and authenticated before accessing systems, applications, and hardware, with logical access controls permitting access only to authorized individuals with legitimate business needs. 
Logical access controls in relation to systems can refer to the use of MFA, user account management, and other role-based access control mechanisms to enforce policies for authentication and authorization of user accounts."}, {"divider": true}, {"name": "control", "value": "PR.AA-01.01"}, {"name": "comment", "value": "This diagnostic statement protects against Credentials from Web Browsers through the use of hardened access control policies, secure defaults, password complexity requirements, multifactor authentication requirements, and removal of terminated accounts."}]}, {"techniqueID": "T1552.004", "score": 6, "comment": " Related to: \n \u2022ID.AM-08.05\n\u2022PR.PS-01.07\n\u2022ID.AM-08.03\n\u2022PR.PS-01.05\n\u2022PR.AA-01.01\n\u2022PR.PS-01.06", "metadata": [{"divider": true}, {"name": "control", "value": "PR.PS-01.06"}, {"name": "comment", "value": "This diagnostic statement is associated with employing encryption methods to mitigate unauthorized access or theft of data that protect the confidentiality and integrity of data-at-rest, data-in-use, and data-in-transit. When it comes to cryptography and key management standards as they apply to the Private Keys technique, when possible, consider storing keys on separate cryptographic hardware instead of on the local system. For example, on Windows systems use a TPM to secure keys and other sensitive credential material."}, {"divider": true}, {"name": "control", "value": "PR.PS-01.07"}, {"name": "comment", "value": "This diagnostic statement protects against Unsecured Credentials: Private Keys through the use of revocation of keys and key management. 
Employing key protection strategies for key material such as private keys used in protecting credentials, together with limitations to specific accounts and access control mechanisms, provides protection against adversaries trying to compromise credentials."}, {"divider": true}, {"name": "control", "value": "ID.AM-08.03"}, {"name": "comment", "value": "This diagnostic statement protects credential data and sensitive PII from being stolen by adversaries via private key certificate files. There may be some similarities to NIST 800-53 SI-12 Information Management and Retention. This may provide mitigation of data access/exfiltration techniques."}, {"divider": true}, {"name": "control", "value": "ID.AM-08.05"}, {"name": "comment", "value": "This diagnostic statement protects credential data and sensitive PII from being stolen by adversaries via private key certificate files. There may be some similarities to NIST 800-53 SI-12 Information Management and Retention. This may provide mitigation of data access/exfiltration techniques."}, {"divider": true}, {"name": "control", "value": "PR.AA-01.01"}, {"name": "comment", "value": "This diagnostic statement protects against Private Keys through the use of hardened access control policies, secure defaults, password complexity requirements, multifactor authentication requirements, and removal of terminated accounts."}, {"divider": true}, {"name": "control", "value": "PR.PS-01.05"}, {"name": "comment", "value": "This diagnostic statement is associated with employing strong encryption methods to mitigate unauthorized access or theft of data that protect the confidentiality and integrity of data-at-rest, data-in-use, and data-in-transit. When it comes to cryptography and key management standards as they apply to the Private Keys technique, when possible, consider storing keys on separate cryptographic hardware instead of on the local system. 
For example, on Windows systems use a TPM to secure keys and other sensitive credential material."}]}, {"techniqueID": "T1558.004", "score": 4, "comment": " Related to: \n \u2022PR.PS-01.06\n\u2022PR.PS-01.07\n\u2022PR.AA-01.01\n\u2022PR.PS-01.05", "metadata": [{"divider": true}, {"name": "control", "value": "PR.PS-01.06"}, {"name": "comment", "value": "This diagnostic statement is associated with employing encryption methods to mitigate unauthorized access or theft of data that protect the confidentiality and integrity of data-at-rest, data-in-use, and data-in-transit. To address threats to the theft or forgery of Kerberos tickets through AS-REP Roasting, enable AES Kerberos encryption (or another stronger encryption algorithm), rather than RC4, where possible."}, {"divider": true}, {"name": "control", "value": "PR.PS-01.07"}, {"name": "comment", "value": "This diagnostic statement protects against Steal or Forge Kerberos Tickets: AS-REP Roasting through the use of revocation of keys and key management. Employing key protection strategies for key material used in identity management and authentication processes, together with limitations to specific accounts and access control mechanisms, provides protection against adversaries trying to perform AS-REP Roasting."}, {"divider": true}, {"name": "control", "value": "PR.AA-01.01"}, {"name": "comment", "value": "This diagnostic statement protects against AS-REP Roasting through the use of hardened access control policies, secure defaults, password complexity requirements, multifactor authentication requirements, and removal of terminated accounts."}, {"divider": true}, {"name": "control", "value": "PR.PS-01.05"}, {"name": "comment", "value": "This diagnostic statement is associated with employing strong encryption methods to mitigate unauthorized access or theft of data that protect the confidentiality and integrity of data-at-rest, data-in-use, and data-in-transit. 
To address threats to the theft or forgery of Kerberos tickets through AS-REP Roasting, enable AES Kerberos encryption (or another stronger encryption algorithm), rather than RC4, where possible."}]}, {"techniqueID": "T1649", "score": 5, "comment": " Related to: \n \u2022PR.PS-01.07\n\u2022PR.PS-01.05\n\u2022PR.AA-01.01\n\u2022PR.PS-01.06\n\u2022PR.AA-03.01", "metadata": [{"divider": true}, {"name": "control", "value": "PR.PS-01.06"}, {"name": "comment", "value": "This diagnostic statement is associated with employing encryption methods to mitigate unauthorized access or theft of data that protect the confidentiality and integrity of data-at-rest, data-in-use, and data-in-transit. To address threats to the theft or forgery of authentication certificates, ensure certificates as well as associated private keys are appropriately secured."}, {"divider": true}, {"name": "control", "value": "PR.PS-01.07"}, {"name": "comment", "value": "This diagnostic statement protects against Steal or Forge Authentication Certificates through the use of revocation of keys and key management. 
Employing certificate protection strategies, such as storing certificates in a Hardware Security Module or a TPM and checking certificate validity for those used in identity management and authentication processes, together with limitations to specific accounts and access control mechanisms, provides protection against adversaries trying to steal or forge authentication certificates."}, {"divider": true}, {"name": "control", "value": "PR.AA-03.01"}, {"name": "comment", "value": "This diagnostic statement describes how the organization implements appropriate authentication requirements, including selecting mechanisms based on risk, utilizing multi-factor authentication where necessary, and safeguarding the storage of authenticators like PINs and passwords to protect sensitive access credentials."}, {"divider": true}, {"name": "control", "value": "PR.AA-01.01"}, {"name": "comment", "value": "This diagnostic statement protects against Steal or Forge Authentication Certificates through the use of hardened access control policies, secure defaults, password complexity requirements, multifactor authentication requirements, and removal of terminated accounts."}, {"divider": true}, {"name": "control", "value": "PR.PS-01.05"}, {"name": "comment", "value": "This diagnostic statement is associated with employing strong encryption methods to mitigate unauthorized access or theft of data that protect the confidentiality and integrity of data-at-rest, data-in-use, and data-in-transit. To address threats to the theft or forgery of authentication certificates, ensure certificates as well as associated private keys are appropriately secured. 
"}]}, {"techniqueID": "T1070.002", "score": 5, "comment": " Related to: \n \u2022ID.AM-08.05\n\u2022PR.PS-01.07\n\u2022ID.AM-08.03\n\u2022PR.PS-01.05\n\u2022PR.PS-01.06", "metadata": [{"divider": true}, {"name": "control", "value": "PR.PS-01.06"}, {"name": "comment", "value": "This diagnostic statement is associated with employing encryption methods to mitigate unauthorized access or theft of data that protect the confidentiality and integrity of data-at-rest, data-in-use, and data-in-transit. To address threats to the removal of Linux or Mac System Logs, obfuscate/encrypt event files locally and in transit to avoid giving feedback to an adversary."}, {"divider": true}, {"name": "control", "value": "PR.PS-01.07"}, {"name": "comment", "value": "This diagnostic statement protects against Clear Linux or Mac System Logs through the use of key management. Employing key protection strategies for key material used in protection of event logs, together with limitations to specific accounts and access control mechanisms, provides protection against adversaries trying to clear system logs."}, {"divider": true}, {"name": "control", "value": "ID.AM-08.03"}, {"name": "comment", "value": "Utilizing methods that can obfuscate and/or encrypt event files locally and in transit can prevent adversaries from clearing system logs and from using their contents as feedback. Also, storing data remotely can be used to properly manage data. There may be some similarities to NIST 800-53 SI-12 Information Management and Retention. This may provide mitigation of data access/exfiltration techniques."}, {"divider": true}, {"name": "control", "value": "ID.AM-08.05"}, {"name": "comment", "value": "Utilizing methods that can obfuscate and/or encrypt event files locally and in transit can prevent adversaries from clearing system logs and from using their contents as feedback. Also, storing data remotely can be used to properly manage data. 
There may be some similarities to NIST 800-53 SI-12 Information Management and Retention. This may provide mitigation of data access/exfiltration techniques."}, {"divider": true}, {"name": "control", "value": "PR.PS-01.05"}, {"name": "comment", "value": "This diagnostic statement is associated with employing strong encryption methods to mitigate unauthorized access or theft of data that protect the confidentiality and integrity of data-at-rest, data-in-use, and data-in-transit. To address threats to the removal of Linux or Mac System Logs, obfuscate/encrypt event files locally and in transit to avoid giving feedback to an adversary."}]}, {"techniqueID": "T1070.001", "score": 5, "comment": " Related to: \n \u2022ID.AM-08.05\n\u2022PR.PS-01.07\n\u2022ID.AM-08.03\n\u2022PR.PS-01.05\n\u2022PR.PS-01.06", "metadata": [{"divider": true}, {"name": "control", "value": "PR.PS-01.06"}, {"name": "comment", "value": "This diagnostic statement is associated with employing encryption methods to mitigate unauthorized access or theft of data that protect the confidentiality and integrity of data-at-rest, data-in-use, and data-in-transit. To address Windows event log removal techniques, obfuscate/encrypt event files locally and in transit to avoid giving feedback to an adversary."}, {"divider": true}, {"name": "control", "value": "PR.PS-01.07"}, {"name": "comment", "value": "This diagnostic statement protects against Clear Windows Event Logs through the use of key management. Employing key protection strategies for key material used in protection of event logs, together with limitations to specific accounts and access control mechanisms, provides protection against adversaries trying to clear system logs."}, {"divider": true}, {"name": "control", "value": "ID.AM-08.03"}, {"name": "comment", "value": "This diagnostic statement protects data from being easily manipulated by adversaries that try to clear Windows event logs to conceal their activities. 
Encrypting event files locally and in transit avoids giving data to an adversary. There may be some similarities to NIST 800-53 SI-12 Information Management and Retention. This may provide mitigation of data access/exfiltration techniques."}, {"divider": true}, {"name": "control", "value": "ID.AM-08.05"}, {"name": "comment", "value": "This diagnostic statement protects data from being easily manipulated by adversaries that try to clear Windows event logs to conceal their activities. Encrypting event files locally and in transit avoids giving data to an adversary. There may be some similarities to NIST 800-53 SI-12 Information Management and Retention. This may provide mitigation of data access/exfiltration techniques."}, {"divider": true}, {"name": "control", "value": "PR.PS-01.05"}, {"name": "comment", "value": "This diagnostic statement is associated with employing strong encryption methods to mitigate unauthorized access or theft of data that protect the confidentiality and integrity of data-at-rest, data-in-use, and data-in-transit. To address Windows event log removal techniques, obfuscate/encrypt event files locally and in transit to avoid giving feedback to an adversary."}]}, {"techniqueID": "T1659", "score": 4, "comment": " Related to: \n \u2022PR.PS-01.06\n\u2022PR.PS-01.07\n\u2022DE.CM-01.05\n\u2022PR.PS-01.05", "metadata": [{"divider": true}, {"name": "control", "value": "PR.PS-01.06"}, {"name": "comment", "value": "This diagnostic statement is associated with employing encryption methods to mitigate unauthorized access or theft of data that protect the confidentiality and integrity of data-at-rest, data-in-use, and data-in-transit. 
To address Content Injection threats, ensure that all wired and wireless traffic is encrypted appropriately, employs best practices for authentication protocols such as Kerberos, and protects web traffic containing credentials using SSL/TLS."}, {"divider": true}, {"name": "control", "value": "PR.PS-01.07"}, {"name": "comment", "value": "This diagnostic statement protects against Content Injection through the use of revocation of keys and key management. Employing key protection strategies for key material used in virtual private networks, identity management, and authentication processes over networks, limitations to specific accounts along with access control mechanisms provides protection against content injection."}, {"divider": true}, {"name": "control", "value": "DE.CM-01.05"}, {"name": "comment", "value": "This diagnostic statement provides for implementing tools and measures such as blocking download/transfer and execution of uncommon file types which can help prevent content injection."}, {"divider": true}, {"name": "control", "value": "PR.PS-01.05"}, {"name": "comment", "value": "This diagnostic statement is associated with employing strong encryption methods to mitigate unauthorized access or theft of data that protect the confidentiality and integrity of data-at-rest, data-in-use, and data-in-transit. To address Content Injection threats, ensure that all wired and wireless traffic is encrypted appropriately, employs best practices for authentication protocols such as Kerberos, and protects web traffic containing credentials using SSL/TLS."}]}, {"techniqueID": "T1590.002", "score": 1, "comment": " Related to: \n \u2022PR.PS-01.03", "metadata": [{"divider": true}, {"name": "control", "value": "PR.PS-01.03"}, {"name": "comment", "value": "This diagnostic statement provides protection from Gather Victim Information: DNS through the implementation of security configuration baselines for OS, software, file integrity monitoring and imaging. 
A security configuration baseline that includes secure DNS server policies, such as zone transfer policies, together with integrity checking can help protect against adversaries attempting to compromise and modify software and its configurations."}]}, {"techniqueID": "T1566.004", "score": 1, "comment": " Related to: \n \u2022PR.PS-05.03", "metadata": [{"divider": true}, {"name": "control", "value": "PR.PS-05.03"}, {"name": "comment", "value": "Anti-virus can also automatically quarantine suspicious files sent through messages via services, social media, personal webmail, etc."}]}, {"techniqueID": "T1055.011", "score": 1, "comment": " Related to: \n \u2022PR.PS-05.02", "metadata": [{"divider": true}, {"name": "control", "value": "PR.PS-05.02"}, {"name": "comment", "value": "Mobile code procedures address specific actions taken to prevent the development, acquisition, and introduction of unacceptable mobile code within organizational systems, including requiring mobile code to be digitally signed by a trusted source."}]}, {"techniqueID": "T1548.004", "score": 1, "comment": " Related to: \n \u2022PR.PS-05.02", "metadata": [{"divider": true}, {"name": "control", "value": "PR.PS-05.02"}, {"name": "comment", "value": "Mobile code procedures address specific actions taken to prevent the development, acquisition, and introduction of unacceptable mobile code within organizational systems, including requiring mobile code to be digitally signed by a trusted source."}]}, {"techniqueID": "T1059.007", "score": 2, "comment": " Related to: \n \u2022DE.CM-01.05\n\u2022PR.PS-05.02", "metadata": [{"divider": true}, {"name": "control", "value": "PR.PS-05.02"}, {"name": "comment", "value": "Mobile code procedures address specific actions taken to prevent the development, acquisition, and introduction of unacceptable mobile code within organizational systems, including requiring mobile code to be digitally signed by a trusted source."}, {"divider": true}, {"name": "control", "value": 
"DE.CM-01.05"}, {"name": "comment", "value": "This diagnostic statement prevents adversaries from abusing various implementations of JavaScript for execution by using ad blockers to block scripts and malicious code delivered through pop-ups and ads."}]}, {"techniqueID": "T1218.001", "score": 2, "comment": " Related to: \n \u2022DE.CM-01.05\n\u2022PR.PS-05.02", "metadata": [{"divider": true}, {"name": "control", "value": "PR.PS-05.02"}, {"name": "comment", "value": "Mobile code procedures address specific actions taken to prevent the development, acquisition, and introduction of unacceptable mobile code within organizational systems, including requiring mobile code to be digitally signed by a trusted source."}, {"divider": true}, {"name": "control", "value": "DE.CM-01.05"}, {"name": "comment", "value": "This diagnostic statement can help prevent adversaries from abusing HTML files by implementing tools and measures to block download/transfer of uncommon file types known to be used in adversary campaigns."}]}, {"techniqueID": "T1218.002", "score": 1, "comment": " Related to: \n \u2022PR.PS-05.02", "metadata": [{"divider": true}, {"name": "control", "value": "PR.PS-05.02"}, {"name": "comment", "value": "Mobile code procedures address specific actions taken to prevent the development, acquisition, and introduction of unacceptable mobile code within organizational systems, including requiring mobile code to be digitally signed by a trusted source."}]}, {"techniqueID": "T1218.003", "score": 1, "comment": " Related to: \n \u2022PR.PS-05.02", "metadata": [{"divider": true}, {"name": "control", "value": "PR.PS-05.02"}, {"name": "comment", "value": "Mobile code procedures address specific actions taken to prevent the development, acquisition, and introduction of unacceptable mobile code within organizational systems, including requiring mobile code to be digitally signed by a trusted source."}]}, {"techniqueID": "T1218.004", "score": 1, "comment": " Related to: \n 
\u2022PR.PS-05.02", "metadata": [{"divider": true}, {"name": "control", "value": "PR.PS-05.02"}, {"name": "comment", "value": "Mobile code procedures address specific actions taken to prevent the development, acquisition, and introduction of unacceptable mobile code within organizational systems, including requiring mobile code to be digitally signed by a trusted source."}]}, {"techniqueID": "T1218.005", "score": 1, "comment": " Related to: \n \u2022PR.PS-05.02", "metadata": [{"divider": true}, {"name": "control", "value": "PR.PS-05.02"}, {"name": "comment", "value": "Mobile code procedures address specific actions taken to prevent the development, acquisition, and introduction of unacceptable mobile code within organizational systems, including requiring mobile code to be digitally signed by a trusted source."}]}, {"techniqueID": "T1218.008", "score": 1, "comment": " Related to: \n \u2022PR.PS-05.02", "metadata": [{"divider": true}, {"name": "control", "value": "PR.PS-05.02"}, {"name": "comment", "value": "Mobile code procedures address specific actions taken to prevent the development, acquisition, and introduction of unacceptable mobile code within organizational systems, including requiring mobile code to be digitally signed by a trusted source."}]}, {"techniqueID": "T1218.009", "score": 1, "comment": " Related to: \n \u2022PR.PS-05.02", "metadata": [{"divider": true}, {"name": "control", "value": "PR.PS-05.02"}, {"name": "comment", "value": "Mobile code procedures address specific actions taken to prevent the development, acquisition, and introduction of unacceptable mobile code within organizational systems, including requiring mobile code to be digitally signed by a trusted source."}]}, {"techniqueID": "T1218.012", "score": 4, "comment": " Related to: \n \u2022PR.IR-01.02\n\u2022PR.PS-05.02\n\u2022PR.IR-01.03\n\u2022PR.PS-01.08", "metadata": [{"divider": true}, {"name": "control", "value": "PR.PS-05.02"}, {"name": "comment", "value": "Mobile code procedures 
address specific actions taken to prevent the development, acquisition, and introduction of unacceptable mobile code within organizational systems, including requiring mobile code to be digitally signed by a trusted source."}, {"divider": true}, {"name": "control", "value": "PR.IR-01.02"}, {"name": "comment", "value": "This diagnostic statement provides protection through secure network device configurations (e.g., firewall rules, ports, and protocols) aligned to security baselines. Using network appliances to block or filter network traffic can help to mitigate this technique."}, {"divider": true}, {"name": "control", "value": "PR.IR-01.03"}, {"name": "comment", "value": "This diagnostic statement protects against Verclsid through the use of secure network configurations, architecture, implementations of zero trust architecture, and segmentation."}, {"divider": true}, {"name": "control", "value": "PR.PS-01.08"}, {"name": "comment", "value": "This diagnostic statement protects against Verclsid through the use of limiting access to resources to only authorized devices, management of personal computing devices, network intrusion prevention, and the use of antimalware."}]}, {"techniqueID": "T1218.013", "score": 1, "comment": " Related to: \n \u2022PR.PS-05.02", "metadata": [{"divider": true}, {"name": "control", "value": "PR.PS-05.02"}, {"name": "comment", "value": "Mobile code procedures address specific actions taken to prevent the development, acquisition, and introduction of unacceptable mobile code within organizational systems, including requiring mobile code to be digitally signed by a trusted source."}]}, {"techniqueID": "T1218.014", "score": 1, "comment": " Related to: \n \u2022PR.PS-05.02", "metadata": [{"divider": true}, {"name": "control", "value": "PR.PS-05.02"}, {"name": "comment", "value": "Mobile code procedures address specific actions taken to prevent the development, acquisition, and introduction of unacceptable mobile code within organizational 
systems, including requiring mobile code to be digitally signed by a trusted source."}]}, {"techniqueID": "T1558.005", "score": 3, "comment": " Related to: \n \u2022ID.AM-08.05\n\u2022PR.PS-01.07\n\u2022ID.AM-08.03", "metadata": [{"divider": true}, {"name": "control", "value": "PR.PS-01.07"}, {"name": "comment", "value": "This diagnostic statement protects against Steal or Forge Kerberos Tickets: Ccache Files through the use of revocation of keys and key management. Employing key protection strategies for key material used in identity management and authentication processes, limitations to specific accounts along with access control mechanisms provides protection against adversaries trying to steal or forge Kerberos tickets."}, {"divider": true}, {"name": "control", "value": "ID.AM-08.03"}, {"name": "comment", "value": "This diagnostic statement prevents adversaries from being able to steal data in transit between networks by accessing Wi-Fi access points and abusing Kerberos by stealing tickets in credential cache files. There may be some similarities to NIST 800-53 SI-12 Information Management and Retention. This may provide mitigation of data access/exfiltration techniques."}, {"divider": true}, {"name": "control", "value": "ID.AM-08.05"}, {"name": "comment", "value": "This diagnostic statement prevents adversaries from being able to steal data in transit between networks by accessing Wi-Fi access points and abusing Kerberos by stealing tickets in credential cache files. There may be some similarities to NIST 800-53 SI-12 Information Management and Retention. 
This may provide mitigation of data access/exfiltration techniques."}]}, {"techniqueID": "T1129", "score": 1, "comment": " Related to: \n \u2022PR.PS-01.09", "metadata": [{"divider": true}, {"name": "control", "value": "PR.PS-01.09"}, {"name": "comment", "value": "The diagnostic statement highlights several mechanisms that organizations can implement to protect endpoint systems using virtualization technologies, essentially hypervisor hardening. With this technique, adversaries may use an existing VM leveraging a legitimate external Web service to exfiltrate data rather than their primary command and control channel. The use of hypervisor application control may detect and block this type of behavior from occurring."}]}, {"techniqueID": "T1552.001", "score": 2, "comment": " Related to: \n \u2022PR.PS-01.09\n\u2022PR.AA-01.01", "metadata": [{"divider": true}, {"name": "control", "value": "PR.PS-01.09"}, {"name": "comment", "value": "The diagnostic statement highlights several mechanisms that organizations can implement to protect endpoint systems using virtualization technologies, essentially hypervisor hardening. With this technique, adversaries may search host shared directories/files between a VM and host device to find files of interest, specifically credentials in files. 
Hypervisor hardening can restrict or limit the ability to access files containing insecurely stored credentials between the virtualized machine and host system, making it harder for attackers to collect data from host shared files."}, {"divider": true}, {"name": "control", "value": "PR.AA-01.01"}, {"name": "comment", "value": "This diagnostic statement protects against Credentials In Files through the use of hardened access control policies, secure defaults, password complexity requirements, multifactor authentication requirements, and removal of terminated accounts."}]}, {"techniqueID": "T1039", "score": 1, "comment": " Related to: \n \u2022PR.PS-01.09", "metadata": [{"divider": true}, {"name": "control", "value": "PR.PS-01.09"}, {"name": "comment", "value": "The diagnostic statement highlights several mechanisms that organizations can implement to protect endpoint systems using virtualization technologies, essentially hypervisor hardening. With this technique, adversaries may search host shared directories between a VM and host device to find files of interest. 
Hypervisor hardening can restrict or limit the ability to share files between the virtualized machine and host system, making it harder for attackers to collect data from host shared directories."}]}, {"techniqueID": "T1528", "score": 2, "comment": " Related to: \n \u2022PR.AA-01.01\n\u2022DE.CM-01.05", "metadata": [{"divider": true}, {"name": "control", "value": "DE.CM-01.05"}, {"name": "comment", "value": "This diagnostic statement provides for implementing tools and measures such as disabling users from authorizing third-party apps and forcing administrative consent for all requests that can help prevent token theft."}, {"divider": true}, {"name": "control", "value": "PR.AA-01.01"}, {"name": "comment", "value": "This diagnostic statement protects against Steal Application Access Token through the use of hardened access control policies, secure defaults, password complexity requirements, multifactor authentication requirements, and removal of terminated accounts."}]}, {"techniqueID": "T1070.008", "score": 2, "comment": " Related to: \n \u2022ID.AM-08.05\n\u2022ID.AM-08.03", "metadata": [{"divider": true}, {"name": "control", "value": "ID.AM-08.03"}, {"name": "comment", "value": "Storing data remotely can be used to properly manage data so that adversaries won't be able to modify mail and mail application data. There may be some similarities to NIST 800-53 SI-12 Information Management and Retention. This may provide mitigation of data access/exfiltration techniques."}, {"divider": true}, {"name": "control", "value": "ID.AM-08.05"}, {"name": "comment", "value": "Storing data remotely can be used to properly manage data so that adversaries won't be able to modify mail and mail application data. There may be some similarities to NIST 800-53 SI-12 Information Management and Retention. 
This may provide mitigation of data access/exfiltration techniques."}]}, {"techniqueID": "T1578.005", "score": 3, "comment": " Related to: \n \u2022PR.AA-01.01\n\u2022PR.PS-01.09\n\u2022PR.AA-01.02", "metadata": [{"divider": true}, {"name": "control", "value": "PR.AA-01.02"}, {"name": "comment", "value": "This diagnostic statement describes how the organization ensures users are identified and authenticated before accessing systems, applications, and hardware, with logical access controls permitting access only to authorized individuals with legitimate business needs. Logical access controls in relation to systems can refer to the use of MFA, user account management, and other role-based access control mechanisms to enforce policies for authentication and authorization of user accounts."}, {"divider": true}, {"name": "control", "value": "PR.PS-01.09"}, {"name": "comment", "value": "The diagnostic statement highlights several mitigating controls that organizations can implement to protect endpoint systems using virtualization technologies. Adversaries may modify settings that directly affect the size, locations, and resources available to cloud compute infrastructure in order to evade defenses. A modification to the compute service infrastructure can include the creation, deletion, or modification of one or more components such as compute instances, virtual machines, and snapshots. 
To aid in mitigating this technique, consider limiting user permissions to ensure only the expected users have the capability to modify cloud compute infrastructure components."}, {"divider": true}, {"name": "control", "value": "PR.AA-01.01"}, {"name": "comment", "value": "This diagnostic statement protects against Modify Cloud Compute Configurations through the use of hardened access control policies, secure defaults, password complexity requirements, multifactor authentication requirements, and removal of terminated accounts."}]}, {"techniqueID": "T1657", "score": 2, "comment": " Related to: \n \u2022PR.AA-01.01\n\u2022PR.AA-01.02", "metadata": [{"divider": true}, {"name": "control", "value": "PR.AA-01.02"}, {"name": "comment", "value": "This diagnostic statement describes how the organization ensures users are identified and authenticated before accessing systems, applications, and hardware, with logical access controls permitting access only to authorized individuals with legitimate business needs. 
Logical access controls in relation to systems can refer to the use of MFA, user account management, and other role-based access control mechanisms to enforce policies for authentication and authorization of user accounts."}, {"divider": true}, {"name": "control", "value": "PR.AA-01.01"}, {"name": "comment", "value": "This diagnostic statement protects against Financial Theft through the use of hardened access control policies, secure defaults, password complexity requirements, multifactor authentication requirements, and removal of terminated accounts."}]}, {"techniqueID": "T1619", "score": 2, "comment": " Related to: \n \u2022PR.AA-01.01\n\u2022PR.AA-01.02", "metadata": [{"divider": true}, {"name": "control", "value": "PR.AA-01.02"}, {"name": "comment", "value": "This diagnostic statement describes how the organization ensures users are identified and authenticated before accessing systems, applications, and hardware, with logical access controls permitting access only to authorized individuals with legitimate business needs. 
Logical access controls in relation to systems can refer to the use of MFA, user account management, and other role-based access control mechanisms to enforce policies for authentication and authorization of user accounts."}, {"divider": true}, {"name": "control", "value": "PR.AA-01.01"}, {"name": "comment", "value": "This diagnostic statement protects against Cloud Storage Object Discovery through the use of hardened access control policies, secure defaults, password complexity requirements, multifactor authentication requirements, and removal of terminated accounts."}]}, {"techniqueID": "T1538", "score": 2, "comment": " Related to: \n \u2022PR.AA-01.01\n\u2022PR.AA-01.02", "metadata": [{"divider": true}, {"name": "control", "value": "PR.AA-01.02"}, {"name": "comment", "value": "This diagnostic statement describes how the organization ensures users are identified and authenticated before accessing systems, applications, and hardware, with logical access controls permitting access only to authorized individuals with legitimate business needs. 
Logical access controls in relation to systems can refer to the use of MFA, user account management, and other role-based access control mechanisms to enforce policies for authentication and authorization of user accounts."}, {"divider": true}, {"name": "control", "value": "PR.AA-01.01"}, {"name": "comment", "value": "This diagnostic statement protects against Cloud Service Dashboard through the use of hardened access control policies, secure defaults, password complexity requirements, multifactor authentication requirements, and removal of terminated accounts."}]}, {"techniqueID": "T1547.012", "score": 2, "comment": " Related to: \n \u2022PR.AA-01.01\n\u2022PR.AA-01.02", "metadata": [{"divider": true}, {"name": "control", "value": "PR.AA-01.02"}, {"name": "comment", "value": "This diagnostic statement describes how the organization ensures users are identified and authenticated before accessing systems, applications, and hardware, with logical access controls permitting access only to authorized individuals with legitimate business needs. 
Logical access controls in relation to systems can refer to the use of MFA, user account management, and other role-based access control mechanisms to enforce policies for authentication and authorization of user accounts."}, {"divider": true}, {"name": "control", "value": "PR.AA-01.01"}, {"name": "comment", "value": "This diagnostic statement protects against Print Processors through the use of hardened access control policies, secure defaults, password complexity requirements, multifactor authentication requirements, and removal of terminated accounts."}]}, {"techniqueID": "T1547.004", "score": 2, "comment": " Related to: \n \u2022PR.AA-01.01\n\u2022PR.AA-01.02", "metadata": [{"divider": true}, {"name": "control", "value": "PR.AA-01.02"}, {"name": "comment", "value": "This diagnostic statement describes how the organization ensures users are identified and authenticated before accessing systems, applications, and hardware, with logical access controls permitting access only to authorized individuals with legitimate business needs. 
Logical access controls in relation to systems can refer to the use of MFA, user account management, and other role-based access control mechanisms to enforce policies for authentication and authorization of user accounts."}, {"divider": true}, {"name": "control", "value": "PR.AA-01.01"}, {"name": "comment", "value": "This diagnostic statement protects against Winlogon Helper DLL through the use of hardened access control policies, secure defaults, password complexity requirements, multifactor authentication requirements, and removal of terminated accounts."}]}, {"techniqueID": "T1548.005", "score": 2, "comment": " Related to: \n \u2022PR.AA-01.01\n\u2022PR.AA-01.02", "metadata": [{"divider": true}, {"name": "control", "value": "PR.AA-01.02"}, {"name": "comment", "value": "This diagnostic statement describes how the organization ensures users are identified and authenticated before accessing systems, applications, and hardware, with logical access controls permitting access only to authorized individuals with legitimate business needs. 
Logical access controls in relation to systems can refer to the use of MFA, user account management, and other role-based access control mechanisms to enforce policies for authentication and authorization of user accounts."}, {"divider": true}, {"name": "control", "value": "PR.AA-01.01"}, {"name": "comment", "value": "This diagnostic statement protects against Temporary Elevated Cloud Access through the use of hardened access control policies, secure defaults, password complexity requirements, multifactor authentication requirements, and removal of terminated accounts."}]}, {"techniqueID": "T1187", "score": 5, "comment": " Related to: \n \u2022PR.AA-01.01\n\u2022PR.IR-01.03\n\u2022PR.IR-01.02\n\u2022PR.AA-03.01\n\u2022PR.PS-01.08", "metadata": [{"divider": true}, {"name": "control", "value": "PR.AA-03.01"}, {"name": "comment", "value": "This diagnostic statement describes how the organization implements appropriate authentication requirements, including selecting mechanisms based on risk, utilizing multi-factor authentication where necessary, and safeguarding the storage of authenticators such as PINs and passwords to protect sensitive access credentials."}, {"divider": true}, {"name": "control", "value": "PR.IR-01.02"}, {"name": "comment", "value": "This diagnostic statement provides protection through secure network device configurations (e.g., firewall rules, ports, protocols) aligned to security baselines. 
Using network appliances to block or filter network traffic that is not necessary within the environment can prevent adversaries from obtaining credentials through forced authentication."}, {"divider": true}, {"name": "control", "value": "PR.IR-01.03"}, {"name": "comment", "value": "This diagnostic statement protects against Forced Authentication through the use of secure network configurations, architecture, implementations of zero trust architecture, and segmentation."}, {"divider": true}, {"name": "control", "value": "PR.AA-01.01"}, {"name": "comment", "value": "This diagnostic statement protects against Forced Authentication through the use of hardened access control policies, secure defaults, password complexity requirements, multifactor authentication requirements, and removal of terminated accounts."}, {"divider": true}, {"name": "control", "value": "PR.PS-01.08"}, {"name": "comment", "value": "This diagnostic statement protects against Forced Authentication through the use of limiting access to resources to only authorized devices, management of personal computing devices, network intrusion prevention, and the use of antimalware."}]}, {"techniqueID": "T1489", "score": 2, "comment": " Related to: \n \u2022PR.AA-01.01\n\u2022PR.IR-01.01", "metadata": [{"divider": true}, {"name": "control", "value": "PR.IR-01.01"}, {"name": "comment", "value": "This diagnostic statement is for the implementation of network segmentation which helps prevent access to critical systems and sensitive information. 
Employing defense-in-depth and access isolation provides protection against adversaries attempting to stop services."}, {"divider": true}, {"name": "control", "value": "PR.AA-01.01"}, {"name": "comment", "value": "This diagnostic statement protects against Service Stop through the use of hardened access control policies, secure defaults, password complexity requirements, multifactor authentication requirements, and removal of terminated accounts."}]}, {"techniqueID": "T1046", "score": 5, "comment": " Related to: \n \u2022PR.IR-01.04\n\u2022PR.IR-04.01\n\u2022PR.IR-01.06\n\u2022PR.IR-01.03\n\u2022PR.IR-01.01", "metadata": [{"divider": true}, {"name": "control", "value": "PR.IR-01.01"}, {"name": "comment", "value": "This diagnostic statement is for the implementation of network segmentation which helps prevent access to critical systems and sensitive information. Employing proper network segmentation can protect critical servers and devices from discovery and potential exploitation."}, {"divider": true}, {"name": "control", "value": "PR.IR-04.01"}, {"name": "comment", "value": "This diagnostic statement describes how the organization establishes and manages baseline measures of network activity. This is supported by network monitoring tools and other controls that detect events and identify incidents. Mitigating mechanisms may include: Data Loss Prevention (DLP); Filtering Network Traffic; Limit Network Traffic; Network Intrusion Prevention Systems (NIPS); and Network Segmentation for these types of network-based techniques."}, {"divider": true}, {"name": "control", "value": "PR.IR-01.03"}, {"name": "comment", "value": "This diagnostic statement protects against Network Service Discovery through the use of secure network configurations, architecture, implementations of zero trust architecture, and segmentation."}, {"divider": true}, {"name": "control", "value": "PR.IR-01.04"}, {"name": "comment", "value": "This diagnostic statement provides protections for wireless networks. 
Implementation of wireless network management measures such as network segmentation and access controls reduces the attack surface, restricts movement by adversaries, and protects data from compromise."}, {"divider": true}, {"name": "control", "value": "PR.IR-01.06"}, {"name": "comment", "value": "This diagnostic statement provides protections for production environments. Measures such as network segmentation and access control reduce the attack surface, restrict movement by adversaries, and protect critical assets and data from compromise."}]}, {"techniqueID": "T1482", "score": 1, "comment": " Related to: \n \u2022PR.IR-01.01", "metadata": [{"divider": true}, {"name": "control", "value": "PR.IR-01.01"}, {"name": "comment", "value": "This diagnostic statement is for the implementation of network segmentation which helps prevent access to critical systems and sensitive information. Employing network segmentation for sensitive domains can help prevent adversary exploitation of domain trust relationships."}]}, {"techniqueID": "T1565.003", "score": 1, "comment": " Related to: \n \u2022PR.IR-01.01", "metadata": [{"divider": true}, {"name": "control", "value": "PR.IR-01.01"}, {"name": "comment", "value": "This diagnostic statement is for the implementation of network segmentation which helps prevent access to critical systems and sensitive information. Employ network segmentation to isolate and secure systems hosting critical business and system processes."}]}, {"techniqueID": "T1552.005", "score": 6, "comment": " Related to: \n \u2022PR.IR-04.01\n\u2022PR.IR-01.06\n\u2022PR.IR-01.03\n\u2022PR.IR-01.01\n\u2022PR.IR-01.02\n\u2022PR.PS-01.08", "metadata": [{"divider": true}, {"name": "control", "value": "PR.IR-01.01"}, {"name": "comment", "value": "This diagnostic statement is for the implementation of network segmentation which helps prevent access to critical systems and sensitive information. 
Employing network filtering, defense-in-depth, and access isolation principles provides protection against adversaries attempting to obtain credentials and other sensitive data."}, {"divider": true}, {"name": "control", "value": "PR.IR-04.01"}, {"name": "comment", "value": "This diagnostic statement describes how the organization establishes and manages baseline measures of network activity. This is supported by network monitoring tools and other controls that detect events and identify incidents. Mitigating mechanisms may include: Data Loss Prevention (DLP); Filtering Network Traffic; Limit Network Traffic; Network Intrusion Prevention Systems (NIPS); and Network Segmentation for these types of network-based techniques."}, {"divider": true}, {"name": "control", "value": "PR.IR-01.02"}, {"name": "comment", "value": "This diagnostic statement provides protection through secure network device configurations (e.g., firewall rules, ports, and protocols) aligned to security baselines. Employing restrictions that limit network access and communications with services can prevent adversaries from finding stored credentials."}, {"divider": true}, {"name": "control", "value": "PR.IR-01.03"}, {"name": "comment", "value": "This diagnostic statement protects against Cloud Instance Metadata API through the use of secure network configurations, architecture, implementations of zero trust architecture, and segmentation."}, {"divider": true}, {"name": "control", "value": "PR.IR-01.06"}, {"name": "comment", "value": "This diagnostic statement provides protections for production environments. 
Measures such as network segmentation and access control reduce the attack surface, restrict movement by adversaries, and protect critical assets and data from compromise."}, {"divider": true}, {"name": "control", "value": "PR.PS-01.08"}, {"name": "comment", "value": "This diagnostic statement protects against Cloud Instance Metadata API through the use of limiting access to resources to only authorized devices, management of personal computing devices, network intrusion prevention, and the use of antimalware."}]}, {"techniqueID": "T1090.003", "score": 3, "comment": " Related to: \n \u2022PR.IR-04.01\n\u2022PR.IR-01.03\n\u2022PR.PS-01.08", "metadata": [{"divider": true}, {"name": "control", "value": "PR.IR-04.01"}, {"name": "comment", "value": "This diagnostic statement describes how the organization establishes and manages baseline measures of network activity. This is supported by network monitoring tools and other controls that detect events and identify incidents. Mitigating mechanisms may include: Data Loss Prevention (DLP); Filtering Network Traffic; Limit Network Traffic; Network Intrusion Prevention Systems (NIPS); and Network Segmentation for these types of network-based techniques."}, {"divider": true}, {"name": "control", "value": "PR.IR-01.03"}, {"name": "comment", "value": "This diagnostic statement protects against Multi-hop Proxy through the use of secure network configurations, architecture, implementations of zero trust architecture, and segmentation."}, {"divider": true}, {"name": "control", "value": "PR.PS-01.08"}, {"name": "comment", "value": "This diagnostic statement protects against Multi-hop Proxy through the use of limiting access to resources to only authorized devices, management of personal computing devices, network intrusion prevention, and the use of antimalware."}]}, {"techniqueID": "T1070.006", "score": 1, "comment": " Related to: \n \u2022PR.PS-01.04", "metadata": [{"divider": true}, {"name": "control", "value": "PR.PS-01.04"}, {"name": 
"comment", "value": "The ATT&CK technique T1070.006 involves adversaries modifying file timestamps to evade detection or forensic analysis. The diagnostic statement describes maintaining and securing accurate and synchronized time values across systems. Organizations can mitigate this technique through the use of secure and authenticated time synchronization protocols (e.g., NTP with authentication) to prevent adversaries from tampering with time values of files and artifacts."}]}, {"techniqueID": "T1497.003", "score": 1, "comment": " Related to: \n \u2022PR.PS-01.04", "metadata": [{"divider": true}, {"name": "control", "value": "PR.PS-01.04"}, {"name": "comment", "value": "The diagnostic statement focuses on the importance of maintaining and securing the accurate and synchronized time values across systems. The ATT&CK technique T1497.003 Virtualization/Sandbox Evasion: Time Based Evasion involves adversaries using time-based evasion methods to detect or bypass virtualization or sandbox environments. Organizations can mitigate these methods by ensuring time integrity, accurate time synchronization, and hardening time services across virtualized and sandbox environments."}]}, {"techniqueID": "T1547.003", "score": 1, "comment": " Related to: \n \u2022PR.PS-01.04", "metadata": [{"divider": true}, {"name": "control", "value": "PR.PS-01.04"}, {"name": "comment", "value": "The diagnostic statement focuses on the importance of maintaining accurate and resilient time synchronization across systems. 
By ensuring that time services are designed with security and reliability in mind, organizations reduce the risk of adversaries tampering with time provider components or disrupting time synchronization processes described in the Boot or Logon Autostart Execution: Time Providers technique."}]}, {"techniqueID": "T1578.004", "score": 1, "comment": " Related to: \n \u2022PR.PS-01.09", "metadata": [{"divider": true}, {"name": "control", "value": "PR.PS-01.09"}, {"name": "comment", "value": "The diagnostic statement highlights several mitigating controls that organizations can implement to protect endpoint systems using virtualization technologies. An adversary may attempt to modify a cloud account's compute service infrastructure to evade defenses. A modification to the compute service infrastructure can include the creation, deletion, or modification of one or more components such as compute instances, virtual machines, and snapshots. To aid in mitigating this technique, consider limiting user permissions to ensure only the expected users have the capability to modify cloud compute infrastructure components."}]}, {"techniqueID": "T1578.003", "score": 2, "comment": " Related to: \n \u2022PR.PS-01.09\n\u2022PR.AA-01.01", "metadata": [{"divider": true}, {"name": "control", "value": "PR.PS-01.09"}, {"name": "comment", "value": "The diagnostic statement highlights several mitigating controls that organizations can implement to protect endpoint systems using virtualization technologies. An adversary may attempt to modify a cloud account's compute service infrastructure to evade defenses. A modification to the compute service infrastructure can include the creation, deletion, or modification of one or more components such as compute instances, virtual machines, and snapshots. 
To aid in mitigating this technique, consider limiting user permissions to ensure only the expected users have the capability to modify cloud compute infrastructure components."}, {"divider": true}, {"name": "control", "value": "PR.AA-01.01"}, {"name": "comment", "value": "This diagnostic statement protects against Delete Cloud Instance through the use of hardened access control policies, secure defaults, password complexity requirements, multifactor authentication requirements, and removal of terminated accounts."}]}, {"techniqueID": "T1578.002", "score": 2, "comment": " Related to: \n \u2022PR.PS-01.09\n\u2022PR.AA-01.01", "metadata": [{"divider": true}, {"name": "control", "value": "PR.PS-01.09"}, {"name": "comment", "value": "The diagnostic statement highlights several mitigating controls that organizations can implement to protect endpoint systems using virtualization technologies. An adversary may attempt to modify a cloud account's compute service infrastructure to evade defenses. A modification to the compute service infrastructure can include the creation, deletion, or modification of one or more components such as compute instances, virtual machines, and snapshots. 
To aid in mitigating this technique, consider limiting user permissions to ensure only the expected users have the capability to modify cloud compute infrastructure components."}, {"divider": true}, {"name": "control", "value": "PR.AA-01.01"}, {"name": "comment", "value": "This diagnostic statement protects against Create Cloud Instance through the use of hardened access control policies, secure defaults, password complexity requirements, multifactor authentication requirements, and removal of terminated accounts."}]}, {"techniqueID": "T1578.001", "score": 2, "comment": " Related to: \n \u2022PR.PS-01.09\n\u2022PR.AA-01.01", "metadata": [{"divider": true}, {"name": "control", "value": "PR.PS-01.09"}, {"name": "comment", "value": "The diagnostic statement highlights several mitigating controls that organizations can implement to protect endpoint systems using virtualization technologies. An adversary may attempt to modify a cloud account's compute service infrastructure to evade defenses. A modification to the compute service infrastructure can include the creation, deletion, or modification of one or more components such as compute instances, virtual machines, and snapshots. 
To aid in mitigating this technique, consider limiting user permissions to ensure only the expected users have the capability to modify cloud compute infrastructure components."}, {"divider": true}, {"name": "control", "value": "PR.AA-01.01"}, {"name": "comment", "value": "This diagnostic statement protects against Create Snapshot through the use of hardened access control policies, secure defaults, password complexity requirements, multifactor authentication requirements, and removal of terminated accounts."}]}, {"techniqueID": "T1564.006", "score": 1, "comment": " Related to: \n \u2022PR.PS-01.09", "metadata": [{"divider": true}, {"name": "control", "value": "PR.PS-01.09"}, {"name": "comment", "value": "The diagnostic statement highlights several mitigating controls that organizations can implement to protect endpoint systems using virtualization technologies. Adversaries may carry out malicious operations using a virtual instance to avoid detection. After running a virtual instance, adversaries may create a shared folder between the guest and host with permissions that enable the virtual instance to interact with the host file system. To aid in mitigating this technique, consider using application control mechanisms to mitigate installation and use of unapproved virtualization software, shared folders not necessary within a given environment, and periodically audit virtual machines for abnormalities."}]}, {"techniqueID": "T1027.006", "score": 1, "comment": " Related to: \n \u2022PR.PS-01.09", "metadata": [{"divider": true}, {"name": "control", "value": "PR.PS-01.09"}, {"name": "comment", "value": "The diagnostic statement highlights several mechanisms that organizations can implement to protect endpoint systems using virtualization technologies. Virtualization technologies provide a layer of isolation and containment to isolate and contain the impact of potential compromises. 
When it comes to this technique, browser sandboxes can be used to mitigate some of the impact of exploitation, but sandbox escapes may still exist."}]}, {"techniqueID": "T1205", "score": 2, "comment": " Related to: \n \u2022PR.IR-01.03\n\u2022PR.PS-01.08", "metadata": [{"divider": true}, {"name": "control", "value": "PR.IR-01.03"}, {"name": "comment", "value": "This diagnostic statement protects against Traffic Signaling through the use of secure network configurations, architecture, implementations of zero trust architecture, and segmentation."}, {"divider": true}, {"name": "control", "value": "PR.PS-01.08"}, {"name": "comment", "value": "This diagnostic statement protects against Traffic Signaling through the use of limiting access to resources to only authorized devices, management of personal computing devices, network intrusion prevention, and the use of antimalware."}]}, {"techniqueID": "T1205.001", "score": 2, "comment": " Related to: \n \u2022PR.IR-01.03\n\u2022PR.PS-01.08", "metadata": [{"divider": true}, {"name": "control", "value": "PR.IR-01.03"}, {"name": "comment", "value": "This diagnostic statement protects against Port Knocking through the use of secure network configurations, architecture, implementations of zero trust architecture, and segmentation."}, {"divider": true}, {"name": "control", "value": "PR.PS-01.08"}, {"name": "comment", "value": "This diagnostic statement protects against Port Knocking through the use of limiting access to resources to only authorized devices, management of personal computing devices, network intrusion prevention, and the use of antimalware."}]}, {"techniqueID": "T1205.002", "score": 2, "comment": " Related to: \n \u2022PR.IR-01.03\n\u2022PR.PS-01.08", "metadata": [{"divider": true}, {"name": "control", "value": "PR.IR-01.03"}, {"name": "comment", "value": "This diagnostic statement protects against Socket Filters through the use of secure network configurations, architecture, implementations of zero trust 
architecture, and segmentation."}, {"divider": true}, {"name": "control", "value": "PR.PS-01.08"}, {"name": "comment", "value": "This diagnostic statement protects against Socket Filters through the use of limiting access to resources to only authorized devices, management of personal computing devices, network intrusion prevention, and the use of antimalware."}]}, {"techniqueID": "T1036.010", "score": 1, "comment": " Related to: \n \u2022PR.AA-01.01", "metadata": [{"divider": true}, {"name": "control", "value": "PR.AA-01.01"}, {"name": "comment", "value": "This diagnostic statement protects against Masquerade Account Name through the use of hardened access control policies, secure defaults, password complexity requirements, multifactor authentication requirements, and removal of terminated accounts."}]}, {"techniqueID": "T1053.003", "score": 1, "comment": " Related to: \n \u2022PR.AA-01.01", "metadata": [{"divider": true}, {"name": "control", "value": "PR.AA-01.01"}, {"name": "comment", "value": "This diagnostic statement protects against Cron through the use of hardened access control policies, secure defaults, password complexity requirements, multifactor authentication requirements, and removal of terminated accounts."}]}, {"techniqueID": "T1134.005", "score": 1, "comment": " Related to: \n \u2022PR.AA-01.01", "metadata": [{"divider": true}, {"name": "control", "value": "PR.AA-01.01"}, {"name": "comment", "value": "This diagnostic statement protects against SID-History Injection through the use of hardened access control policies, secure defaults, password complexity requirements, multifactor authentication requirements, and removal of terminated accounts."}]}, {"techniqueID": "T1185", "score": 1, "comment": " Related to: \n \u2022PR.AA-01.01", "metadata": [{"divider": true}, {"name": "control", "value": "PR.AA-01.01"}, {"name": "comment", "value": "This diagnostic statement protects against Browser Session Hijacking through the use of hardened access control 
policies, secure defaults, password complexity requirements, multifactor authentication requirements, and removal of terminated accounts."}]}, {"techniqueID": "T1201", "score": 1, "comment": " Related to: \n \u2022PR.AA-01.01", "metadata": [{"divider": true}, {"name": "control", "value": "PR.AA-01.01"}, {"name": "comment", "value": "This diagnostic statement protects against Password Policy Discovery through the use of hardened access control policies, secure defaults, password complexity requirements, multifactor authentication requirements, and removal of terminated accounts."}]}, {"techniqueID": "T1505.003", "score": 1, "comment": " Related to: \n \u2022PR.AA-01.01", "metadata": [{"divider": true}, {"name": "control", "value": "PR.AA-01.01"}, {"name": "comment", "value": "This diagnostic statement protects against Web Shell through the use of hardened access control policies, secure defaults, password complexity requirements, multifactor authentication requirements, and removal of terminated accounts."}]}, {"techniqueID": "T1555.001", "score": 1, "comment": " Related to: \n \u2022PR.AA-01.01", "metadata": [{"divider": true}, {"name": "control", "value": "PR.AA-01.01"}, {"name": "comment", "value": "This diagnostic statement protects against Keychain through the use of hardened access control policies, secure defaults, password complexity requirements, multifactor authentication requirements, and removal of terminated accounts."}]}, {"techniqueID": "T1556.009", "score": 1, "comment": " Related to: \n \u2022PR.AA-01.01", "metadata": [{"divider": true}, {"name": "control", "value": "PR.AA-01.01"}, {"name": "comment", "value": "This diagnostic statement protects against Conditional Access Policies through the use of hardened access control policies, secure defaults, password complexity requirements, multifactor authentication requirements, and removal of terminated accounts."}]}, {"techniqueID": "T1562.002", "score": 1, "comment": " Related to: \n 
\u2022PR.AA-01.01", "metadata": [{"divider": true}, {"name": "control", "value": "PR.AA-01.01"}, {"name": "comment", "value": "This diagnostic statement protects against Disable Windows Event Logging through the use of hardened access control policies, secure defaults, password complexity requirements, multifactor authentication requirements, and removal of terminated accounts."}]}, {"techniqueID": "T1562.004", "score": 1, "comment": " Related to: \n \u2022PR.AA-01.01", "metadata": [{"divider": true}, {"name": "control", "value": "PR.AA-01.01"}, {"name": "comment", "value": "This diagnostic statement protects against Disable or Modify System Firewall through the use of hardened access control policies, secure defaults, password complexity requirements, multifactor authentication requirements, and removal of terminated accounts."}]}, {"techniqueID": "T1562.007", "score": 1, "comment": " Related to: \n \u2022PR.AA-01.01", "metadata": [{"divider": true}, {"name": "control", "value": "PR.AA-01.01"}, {"name": "comment", "value": "This diagnostic statement protects against Disable or Modify Cloud Firewall through the use of hardened access control policies, secure defaults, password complexity requirements, multifactor authentication requirements, and removal of terminated accounts."}]}, {"techniqueID": "T1562.008", "score": 1, "comment": " Related to: \n \u2022PR.AA-01.01", "metadata": [{"divider": true}, {"name": "control", "value": "PR.AA-01.01"}, {"name": "comment", "value": "This diagnostic statement protects against Disable or Modify Cloud Logs through the use of hardened access control policies, secure defaults, password complexity requirements, multifactor authentication requirements, and removal of terminated accounts."}]}, {"techniqueID": "T1569.001", "score": 1, "comment": " Related to: \n \u2022PR.AA-01.01", "metadata": [{"divider": true}, {"name": "control", "value": "PR.AA-01.01"}, {"name": "comment", "value": "This diagnostic statement protects against 
Launchctl through the use of hardened access control policies, secure defaults, password complexity requirements, multifactor authentication requirements, and removal of terminated accounts."}]}, {"techniqueID": "T1574.005", "score": 1, "comment": " Related to: \n \u2022PR.AA-01.01", "metadata": [{"divider": true}, {"name": "control", "value": "PR.AA-01.01"}, {"name": "comment", "value": "This diagnostic statement protects against Executable Installer File Permissions Weakness through the use of hardened access control policies, secure defaults, password complexity requirements, multifactor authentication requirements, and removal of terminated accounts."}]}, {"techniqueID": "T1574.010", "score": 1, "comment": " Related to: \n \u2022PR.AA-01.01", "metadata": [{"divider": true}, {"name": "control", "value": "PR.AA-01.01"}, {"name": "comment", "value": "This diagnostic statement protects against Services File Permissions Weakness through the use of hardened access control policies, secure defaults, password complexity requirements, multifactor authentication requirements, and removal of terminated accounts."}]}, {"techniqueID": "T1654", "score": 1, "comment": " Related to: \n \u2022PR.AA-01.01", "metadata": [{"divider": true}, {"name": "control", "value": "PR.AA-01.01"}, {"name": "comment", "value": "This diagnostic statement protects against Log Enumeration through the use of hardened access control policies, secure defaults, password complexity requirements, multifactor authentication requirements, and removal of terminated accounts."}]}, {"techniqueID": "T1496", "score": 1, "comment": " Related to: \n \u2022PR.PS-06.07", "metadata": [{"divider": true}, {"name": "control", "value": "PR.PS-06.07"}, {"name": "comment", "value": "This diagnostic statement protects against Resource Hijacking through the use of DevSecOps, secure development lifecycle, and application developer guidance. 
Exploitable weaknesses can be mitigated through secure code, reduced vulnerabilities, and secure design principles."}]}], "gradient": {"colors": ["#ffe766", "#ffaf66"], "minValue": 1, "maxValue": 19}}