{"metadata": {"mapping_version": "", "technology_domain": "enterprise", "attack_version": "16.1", "mapping_framework": "gcp", "mapping_framework_version": "03/06/2025", "author": null, "contact": null, "organization": null, "creation_date": "03/06/2025", "last_update": "03/06/2025", "mapping_types": {"technique_scores": {"name": "technique_scores", "description": ""}}, "capability_groups": {"access_transparency": "Access Transparency", "advanced_protection_program": "Advanced Protection Program", "artifact_analysis": "Artifact Analysis", "assured_oss": "Assured Open Source Software", "assured_workloads": "Assured Workloads", "backup_and_dr_actifiogo": "Backup and DR-Actifio GO", "binary_authorization": "Binary Authorization", "certificate_authority_service": "Certificate Authority Service", "chrome_enterprise_premium": "Chrome Enterprise Premium", "cloud_armor": "Cloud Armor", "cloud_asset_inventory": "Cloud Asset Inventory", "cloud_cdn": "Cloud CDN", "cloud_endpoints": "Cloud Endpoints", "cloud_hsm": "Cloud Hardware Security Module (HSM)", "cloud_identity": "Cloud Identity", "cloud_ids": "Cloud IDS", "cloud_key_management": "Cloud Key Management", "cloud_logging": "Cloud Logging", "cloud_nat": "Cloud NAT", "cloud_ngfw": "Cloud Next-Generation Firewall (NGFW)_", "cloud_storage": "Cloud Storage", "cloud_vpn": "Cloud VPN", "confidential_vm": "Confidential VM", "config_connector": "Config Connector", "data_catalog": "Data Catalog", "deployment_manager": "Deployment Manager", "gke_enterprise": "GKE Enterprise", "google_kubernetes_engine": "Google Kubernetes Engine", "google_secops": "Google Security Operations", "google_threat_intel": "Google Threat Intelligence", "hybrid_connectivity": "Hybrid Connectivity", "identity_and_access_management": "Identity and Access Management", "identity_aware_proxy": "Identity Aware Proxy", "identity_platform": "Identity Platform", "managed_microsoft_ad": "Managed Service for Microsoft Active Directory", "mandiant_academy": "Mandiant 
Academy", "mandiant_asm": "Mandiant Attack Surface Management (ASM)", "mandiant_cyber_consult": "Mandiant Cybersecurity Consulting", "mandiant_digital_threatmon": "Mandiant Digital Threat Monitoring", "mandiant_ir_services": "Mandiant Incident Response Services", "mandiant_managed_defense": "Mandiant Managed Defense", "mandiant_security_validation": "Mandiant Security Validation", "packet_mirroring": "Packet Mirroring", "policy_intelligence": "Policy Intelligence", "recaptcha_enterprise": "ReCAPTCHA Enterprise", "resource_manager": "Resource Manager", "secret_manager": "Secret Manager", "security_command_center": "Security Command Center", "sensitive_data_protection": "Sensitive Data Protection ", "shielded_vm": "Shielded VM", "siemplify": "Siemplify", "sw_supply_chain_security": "Software Supply Chain Security", "terraform_on_google_cloud": "Terraform on Google Cloud", "titan_security_key": "Titan Security Key", "virus_total": "Virus Total", "vm_manager": "VM Manager", "vpc_service_controls": "VPC Service Controls", "web_risk": "Web Risk"}}, "mapping_objects": [{"capability_id": "artifact_analysis", "capability_description": "Artifact Analysis", "mapping_type": "technique_scores", "attack_object_id": "T1068", "attack_object_name": "Exploitation for Privilege Escalation", "capability_group": "artifact_analysis", "score_category": "protect", "score_value": "partial", "comments": "Artifact Analysis performs vulnerability scans on artifacts in Artifact Registry or Container Registry (deprecated). 
When Artifact Analysis is deployed, it can detect known Linux OS package vulnerabilities in various containers (e.g., Debian, Ubuntu, Alpine, RHEL, CentOS).", "references": ["https://cloud.google.com/artifact-analysis/docs/artifact-analysis", "https://cloud.google.com/container-analysis/docs/container-scanning-overview", "https://cloud.google.com/container-registry/docs/container-analysis"]}, {"capability_id": "artifact_analysis", "capability_description": "Artifact Analysis", "mapping_type": "technique_scores", "attack_object_id": "T1068", "attack_object_name": "Exploitation for Privilege Escalation", "capability_group": "artifact_analysis", "score_category": "protect", "score_value": "partial", "comments": "Artifact Analysis scans container images uploaded to Artifact Registry or Container Registry (deprecated) for known software vulnerabilities and various system artifacts that could potentially be used to execute adversary-controlled code. Due to the medium threat protection coverage and temporal factor, this control was scored as partial.", "references": ["https://cloud.google.com/artifact-analysis/docs/artifact-analysis", "https://cloud.google.com/container-analysis/docs/container-scanning-overview", "https://cloud.google.com/container-registry/docs/container-analysis"]}, {"capability_id": "artifact_analysis", "capability_description": "Artifact Analysis", "mapping_type": "technique_scores", "attack_object_id": "T1078", "attack_object_name": "Valid Accounts", "capability_group": "artifact_analysis", "score_category": "protect", "score_value": "partial", "comments": "Artifact Analysis scans container images uploaded to Artifact Registry or Container Registry (deprecated) for vulnerabilities that could potentially be used to escalate privileges, such as default accounts with root permissions in Docker containers. 
Due to the medium threat protection coverage and scan results being available 48 hours after completion, this control was scored as partial.", "references": ["https://cloud.google.com/artifact-analysis/docs/artifact-analysis", "https://cloud.google.com/container-analysis/docs/container-scanning-overview", "https://cloud.google.com/container-registry/docs/container-analysis"]}, {"capability_id": "artifact_analysis", "capability_description": "Artifact Analysis", "mapping_type": "technique_scores", "attack_object_id": "T1212", "attack_object_name": "Exploitation for Credential Access", "capability_group": "artifact_analysis", "score_category": "detect", "score_value": "partial", "comments": "Artifact Analysis performs vulnerability scans on artifacts in Artifact Registry or Container Registry (deprecated). When Artifact Analysis is deployed, it can detect known vulnerabilities in various OS packages that could be used to escalate privileges and execute adversary-controlled code (e.g., Debian, Ubuntu, Alpine, RHEL, CentOS, National Vulnerability Database). Due to the medium threat detection coverage and temporal factor, the control was scored as partial.", "references": ["https://cloud.google.com/artifact-analysis/docs/artifact-analysis", "https://cloud.google.com/container-analysis/docs/container-scanning-overview", "https://cloud.google.com/container-registry/docs/container-analysis"]}, {"capability_id": "artifact_analysis", "capability_description": "Artifact Analysis", "mapping_type": "technique_scores", "attack_object_id": "T1525", "attack_object_name": "Implant Internal Image", "capability_group": "artifact_analysis", "score_category": "protect", "score_value": "partial", "comments": "Artifact Analysis performs vulnerability scans on artifacts in Artifact Registry or Container Registry (deprecated). When Artifact Analysis is deployed, this security solution can detect known vulnerabilities in Docker containers. 
This information can be used to detect images that deviate from the baseline norm, and could indicate malicious implanted images in the environment. Due to the medium threat detection coverage and temporal factor, the control was scored as partial.", "references": ["https://cloud.google.com/artifact-analysis/docs/artifact-analysis", "https://cloud.google.com/container-analysis/docs/container-scanning-overview", "https://cloud.google.com/container-registry/docs/container-analysis"]}, {"capability_id": "artifact_analysis", "capability_description": "Artifact Analysis", "mapping_type": "technique_scores", "attack_object_id": "T1610", "attack_object_name": "Deploy Container", "capability_group": "artifact_analysis", "score_category": "protect", "score_value": "partial", "comments": "Artifact Analysis performs vulnerability scans on artifacts in Artifact Registry or Container Registry (deprecated). When Artifact Analysis is deployed, it can scan for known vulnerabilities in containers. This information can be used to detect maliciously deployed containers used to evade defenses and execute processes in a target environment. Due to the medium threat detection coverage and temporal factor, the control was scored as partial.", "references": ["https://cloud.google.com/artifact-analysis/docs/artifact-analysis", "https://cloud.google.com/container-analysis/docs/container-scanning-overview", "https://cloud.google.com/container-registry/docs/container-analysis"]}, {"capability_id": "cloud_ngfw", "capability_description": "Cloud Next-Generation Firewall (NGFW)_", "mapping_type": "technique_scores", "attack_object_id": "T1008", "attack_object_name": "Fallback Channels", "capability_group": "cloud_ngfw", "score_category": "protect", "score_value": "partial", "comments": "Cloud NGFW can allow or deny traffic based on the traffic's protocol, destination ports, sources, and destinations. 
This functionality can be used to block communication with known fallback channels by filtering based on known bad IP addresses and domains. This mapping is given a score of Partial because it only protects against known fallback channels and not channels yet to be identified.", "references": ["https://cloud.google.com/firewalls"]}, {"capability_id": "google_secops", "capability_description": "Google Security Operations", "mapping_type": "technique_scores", "attack_object_id": "T1016.001", "attack_object_name": "Internet Connection Discovery", "capability_group": "google_secops", "score_category": "detect", "score_value": "minimal", "related_score": "T1016", "comments": "Google Security Ops is able to trigger an alert based on processes and command-line arguments that may indicate adversary reconnaissance and information discovery techniques for network configuration settings (e.g., \"net config\", \"ipconfig.exe\", \"nbtstat.exe\").\n\nThis technique was scored as minimal based on low or uncertain detection coverage factor.\n\nhttps://github.com/chronicle/detection-rules/blob/783e0e5947774785db1c55041b70176deeca6f46/soc_prime_rules/threat_hunting/windows/possible_system_network_configuration_discovery__sysmon_windows_logs.yaral", "references": ["https://cloud.google.com/security/products/security-operations", "https://cloud.google.com/chronicle/docs/secops/secops-overview", "https://github.com/chronicle/detection-rules"]}, {"capability_id": "google_secops", "capability_description": "Google Security Operations", "mapping_type": "technique_scores", "attack_object_id": "T1016.002", "attack_object_name": "Wi-Fi Discovery", "capability_group": "google_secops", "score_category": "detect", "score_value": "minimal", "related_score": "T1016", "comments": "Google Security Ops is able to trigger an alert based on processes and command-line arguments that may indicate adversary reconnaissance and information discovery techniques for network configuration settings (e.g., 
\"net config\", \"ipconfig.exe\", \"nbtstat.exe\").\n\nThis technique was scored as minimal based on low or uncertain detection coverage factor.\n\nhttps://github.com/chronicle/detection-rules/blob/783e0e5947774785db1c55041b70176deeca6f46/soc_prime_rules/threat_hunting/windows/possible_system_network_configuration_discovery__sysmon_windows_logs.yaral", "references": ["https://cloud.google.com/security/products/security-operations", "https://cloud.google.com/chronicle/docs/secops/secops-overview", "https://github.com/chronicle/detection-rules"]}, {"capability_id": "mandiant_asm", "capability_description": "Mandiant Attack Surface Management (ASM)", "mapping_type": "technique_scores", "attack_object_id": "T1021", "attack_object_name": "Remote Services", "capability_group": "mandiant_asm", "score_category": "detect", "score_value": "significant", "comments": "Mandiant Attack Surface Management continuously discovers and assesses an organization's assets for vulnerabilities, misconfigurations, and exposures. This control can discover vulnerable Remote Services offered on the cloud or on hosted servers. 
Since this monitoring is continual and is derived from Mandiant cyber threat intelligence, this control is scored as significant.", "references": ["https://cloud.google.com/security/products/attack-surface-management"]}, {"capability_id": "cloud_identity", "capability_description": "Cloud Identity", "mapping_type": "technique_scores", "attack_object_id": "T1021.007", "attack_object_name": "Cloud Services", "capability_group": "cloud_identity", "score_category": "detect", "score_value": "minimal", "related_score": "T1021", "comments": "This control can be used to detect adversaries that may be trying to log into cloud services.", "references": ["https://cloud.google.com/identity"]}, {"capability_id": "cloud_identity", "capability_description": "Cloud Identity", "mapping_type": "technique_scores", "attack_object_id": "T1021.008", "attack_object_name": "Direct Cloud VM Connections", "capability_group": "cloud_identity", "score_category": "detect", "score_value": "minimal", "related_score": "T1021", "comments": "This control can be used to detect adversaries that may try to use Valid Accounts to log into remote machines using cloud native methods such as Secure Shell (SSH).", "references": ["https://cloud.google.com/identity"]}, {"capability_id": "google_secops", "capability_description": "Google Security Operations", "mapping_type": "technique_scores", "attack_object_id": "T1021.008", "attack_object_name": "Direct Cloud VM Connections", "capability_group": "google_secops", "score_category": "detect", "score_value": "minimal", "related_score": "T1021", "comments": "Google Security Operations is able to detect an alert based on system events, such as remote connections.", "references": ["https://cloud.google.com/security/products/security-operations", "https://cloud.google.com/chronicle/docs/secops/secops-overview", "https://github.com/chronicle/detection-rules"]}, {"capability_id": "google_secops", "capability_description": "Google Security Operations", "mapping_type": 
"technique_scores", "attack_object_id": "T1027.007", "attack_object_name": "Dynamic API Resolution", "capability_group": "google_secops", "score_category": "detect", "score_value": "minimal", "related_score": "T1027", "comments": "Google Security Operations can be configured to detect calls to functions like GetProcAddress() and LoadLibrary().", "references": ["https://cloud.google.com/security/products/security-operations", "https://cloud.google.com/chronicle/docs/secops/secops-overview", "https://github.com/chronicle/detection-rules"]}, {"capability_id": "cloud_ids", "capability_description": "Cloud IDS", "mapping_type": "technique_scores", "attack_object_id": "T1027.009", "attack_object_name": "Embedded Payloads", "capability_group": "cloud_ids", "score_category": "detect", "score_value": "partial", "related_score": "T1027", "comments": "Google Cloud IDS can detect network-based threats like malicious software.\n", "references": ["https://cloud.google.com/intrusion-detection-system", "https://docs.paloaltonetworks.com/pan-os/10-0/pan-os-admin/threat-prevention/threat-signatures"]}, {"capability_id": "google_secops", "capability_description": "Google Security Operations", "mapping_type": "technique_scores", "attack_object_id": "T1027.010", "attack_object_name": "Command Obfuscation", "capability_group": "google_secops", "score_category": "detect", "score_value": "minimal", "related_score": "T1027", "comments": "Google Security Operations can be configured to detect suspicious syntax or characters in commands.", "references": ["https://cloud.google.com/security/products/security-operations", "https://cloud.google.com/chronicle/docs/secops/secops-overview", "https://github.com/chronicle/detection-rules"]}, {"capability_id": "google_secops", "capability_description": "Google Security Operations", "mapping_type": "technique_scores", "attack_object_id": "T1027.011", "attack_object_name": "Fileless Storage", "capability_group": "google_secops", 
"score_category": "detect", "score_value": "minimal", "related_score": "T1027", "comments": "Google Security Operations is able to trigger an alert based on creation or changes of registry keys and run keys found on Windows platforms.", "references": ["https://cloud.google.com/security/products/security-operations", "https://cloud.google.com/chronicle/docs/secops/secops-overview", "https://github.com/chronicle/detection-rules"]}, {"capability_id": "cloud_ids", "capability_description": "Cloud IDS", "mapping_type": "technique_scores", "attack_object_id": "T1027.012", "attack_object_name": "LNK Icon Smuggling", "capability_group": "cloud_ids", "score_category": "detect", "score_value": "partial", "related_score": "T1027", "comments": "Google Cloud IDS can detect network-based threats like malicious software.\n", "references": ["https://cloud.google.com/intrusion-detection-system", "https://docs.paloaltonetworks.com/pan-os/10-0/pan-os-admin/threat-prevention/threat-signatures"]}, {"capability_id": "cloud_ids", "capability_description": "Cloud IDS", "mapping_type": "technique_scores", "attack_object_id": "T1027.013", "attack_object_name": "Encrypted/Encoded File", "capability_group": "cloud_ids", "score_category": "detect", "score_value": "minimal", "related_score": "T1027", "comments": "Google Cloud IDS can detect network-based threats like malicious software.\n", "references": ["https://cloud.google.com/intrusion-detection-system", "https://docs.paloaltonetworks.com/pan-os/10-0/pan-os-admin/threat-prevention/threat-signatures"]}, {"capability_id": "cloud_ids", "capability_description": "Cloud IDS", "mapping_type": "technique_scores", "attack_object_id": "T1027.014", "attack_object_name": "Polymorphic Code", "capability_group": "cloud_ids", "score_category": "detect", "score_value": "minimal", "related_score": "T1027", "comments": "Google Cloud IDS can detect network-based threats like malicious software.\n", "references": 
["https://cloud.google.com/intrusion-detection-system", "https://docs.paloaltonetworks.com/pan-os/10-0/pan-os-admin/threat-prevention/threat-signatures"]}, {"capability_id": "cloud_ids", "capability_description": "Cloud IDS", "mapping_type": "technique_scores", "attack_object_id": "T1036.008", "attack_object_name": "Masquerade File Type", "capability_group": "cloud_ids", "score_category": "detect", "score_value": "minimal", "related_score": "T1036", "comments": "Google Cloud IDS can detect network-based threats like malicious software.\n", "references": ["https://cloud.google.com/intrusion-detection-system", "https://docs.paloaltonetworks.com/pan-os/10-0/pan-os-admin/threat-prevention/threat-signatures"]}, {"capability_id": "google_secops", "capability_description": "Google Security Operations", "mapping_type": "technique_scores", "attack_object_id": "T1036.008", "attack_object_name": "Masquerade File Type", "capability_group": "google_secops", "score_category": "detect", "score_value": "minimal", "related_score": "T1036", "comments": "Google Security Operations is able to trigger an alert based on abnormal command execution from otherwise non-executable file types (such as .txt and .jpg).", "references": ["https://cloud.google.com/security/products/security-operations", "https://cloud.google.com/chronicle/docs/secops/secops-overview", "https://github.com/chronicle/detection-rules"]}, {"capability_id": "google_secops", "capability_description": "Google Security Operations", "mapping_type": "technique_scores", "attack_object_id": "T1036.009", "attack_object_name": "Break Process Trees", "capability_group": "google_secops", "score_category": "detect", "score_value": "partial", "related_score": "T1036", "comments": "Google Security Operations is able to trigger an alert based on abnormal API calls such as fork().", "references": ["https://cloud.google.com/security/products/security-operations", "https://cloud.google.com/chronicle/docs/secops/secops-overview", 
"https://github.com/chronicle/detection-rules"]}, {"capability_id": "google_secops", "capability_description": "Google Security Operations", "mapping_type": "technique_scores", "attack_object_id": "T1055.015", "attack_object_name": "ListPlanting", "capability_group": "google_secops", "score_category": "detect", "score_value": "minimal", "related_score": "T1055", "comments": "Google Security Operations is able to trigger an alert based on abnormal API calls.", "references": ["https://cloud.google.com/security/products/security-operations", "https://cloud.google.com/chronicle/docs/secops/secops-overview", "https://github.com/chronicle/detection-rules"]}, {"capability_id": "google_secops", "capability_description": "Google Security Operations", "mapping_type": "technique_scores", "attack_object_id": "T1059.009", "attack_object_name": "Cloud API", "capability_group": "google_secops", "score_category": "detect", "score_value": "minimal", "related_score": "T1059", "comments": "Google Security Ops is able to trigger an alert  based on system events of interest, for example: suspicious Entra ID login access and usage.\n\nThis technique was scored as minimal based on low or uncertain detection coverage factor.\n\nhttps://github.com/chronicle/detection-rules/blob/783e0e5947774785db1c55041b70176deeca6f46/soc_prime_rules/threat_hunting/process_creation/suspicious_certutil_command.yaral", "references": ["https://cloud.google.com/security/products/security-operations", "https://cloud.google.com/chronicle/docs/secops/secops-overview", "https://github.com/chronicle/detection-rules"]}, {"capability_id": "google_secops", "capability_description": "Google Security Operations", "mapping_type": "technique_scores", "attack_object_id": "T1059.010", "attack_object_name": "AutoHotKey & AutoIT", "capability_group": "google_secops", "score_category": "detect", "score_value": "minimal", "related_score": "T1059", "comments": "Google Security Operations is able to trigger an alert based on 
suspicious behavior seen in the Windows command line.", "references": ["https://cloud.google.com/security/products/security-operations", "https://cloud.google.com/chronicle/docs/secops/secops-overview", "https://github.com/chronicle/detection-rules"]}, {"capability_id": "google_secops", "capability_description": "Google Security Operations", "mapping_type": "technique_scores", "attack_object_id": "T1059.011", "attack_object_name": "Lua", "capability_group": "google_secops", "score_category": "detect", "score_value": "minimal", "related_score": "T1059", "comments": "Google Security Operations is able to trigger an alert based on suspicious behavior seen in the Windows command line.", "references": ["https://cloud.google.com/security/products/security-operations", "https://cloud.google.com/chronicle/docs/secops/secops-overview", "https://github.com/chronicle/detection-rules"]}, {"capability_id": "google_secops", "capability_description": "Google Security Operations", "mapping_type": "technique_scores", "attack_object_id": "T1070.007", "attack_object_name": "Clear Network Connection History and Configurations", "capability_group": "google_secops", "score_category": "detect", "score_value": "minimal", "related_score": "T1070", "comments": "Google Security Operations is able to trigger an alert when indicators are cleared from the infrastructure. 
This technique was scored as minimal based on low or uncertain detection coverage factor.", "references": ["https://cloud.google.com/security/products/security-operations", "https://cloud.google.com/chronicle/docs/secops/secops-overview", "https://github.com/chronicle/detection-rules"]}, {"capability_id": "google_secops", "capability_description": "Google Security Operations", "mapping_type": "technique_scores", "attack_object_id": "T1070.008", "attack_object_name": "Clear Mailbox Data", "capability_group": "google_secops", "score_category": "detect", "score_value": "minimal", "related_score": "T1070", "comments": "Google Security Operations is able to trigger an alert when indicators are cleared from the infrastructure. This technique was scored as minimal based on low or uncertain detection coverage factor.", "references": ["https://cloud.google.com/security/products/security-operations", "https://cloud.google.com/chronicle/docs/secops/secops-overview", "https://github.com/chronicle/detection-rules"]}, {"capability_id": "google_secops", "capability_description": "Google Security Operations", "mapping_type": "technique_scores", "attack_object_id": "T1070.009", "attack_object_name": "Clear Persistence", "capability_group": "google_secops", "score_category": "detect", "score_value": "minimal", "related_score": "T1070", "comments": "Google Security Operations is able to trigger an alert when indicators are cleared from the infrastructure. 
This technique was scored as minimal based on low or uncertain detection coverage factor.", "references": ["https://cloud.google.com/security/products/security-operations", "https://cloud.google.com/chronicle/docs/secops/secops-overview", "https://github.com/chronicle/detection-rules"]}, {"capability_id": "google_secops", "capability_description": "Google Security Operations", "mapping_type": "technique_scores", "attack_object_id": "T1070.010", "attack_object_name": "Relocate Malware", "capability_group": "google_secops", "score_category": "detect", "score_value": "minimal", "related_score": "T1070", "comments": "Google Security Operations is able to trigger an alert when indicators are cleared from the infrastructure. This technique was scored as minimal based on low or uncertain detection coverage factor.", "references": ["https://cloud.google.com/security/products/security-operations", "https://cloud.google.com/chronicle/docs/secops/secops-overview", "https://github.com/chronicle/detection-rules"]}, {"capability_id": "cloud_ngfw", "capability_description": "Cloud Next-Generation Firewall (NGFW)_", "mapping_type": "technique_scores", "attack_object_id": "T1071.005", "attack_object_name": "Publish/Subscribe Protocols", "capability_group": "cloud_ngfw", "score_category": "protect", "score_value": "significant", "related_score": "T1071", "comments": "Cloud NGFW can allow or deny traffic based on the traffic's protocol, destination ports, sources, and destinations. This functionality can be used to block malicious or unwanted traffic leveraging application layer protocols. 
Given this supports all sub-techniques, the mapping is given a score of Significant.", "references": ["https://cloud.google.com/firewalls"]}, {"capability_id": "mandiant_digital_threatmon", "capability_description": "Mandiant Digital Threat Monitoring", "mapping_type": "technique_scores", "attack_object_id": "T1078", "attack_object_name": "Valid Accounts", "capability_group": "mandiant_digital_threatmon", "score_category": "protect", "score_value": "minimal", "comments": "Mandiant Digital Threat Monitoring continually monitors for compromised credentials and data leaks on both the open and dark web. This control may protect against credential abuse by alerting on leaked credentials. Since this control must depend on accessible sources for dumps, it does not protect against credentials that have been collected for a campaign but never posted, so the score is partial.", "references": ["https://cloud.google.com/security/products/digital-threat-monitoring"]}, {"capability_id": "google_secops", "capability_description": "Google Security Operations", "mapping_type": "technique_scores", "attack_object_id": "T1098.005", "attack_object_name": "Device Registration", "capability_group": "google_secops", "score_category": "detect", "score_value": "significant", "related_score": "T1098", "comments": "Google Security Operations is able to trigger an alert based on changes to account device registrations.", "references": ["https://cloud.google.com/security/products/security-operations", "https://cloud.google.com/chronicle/docs/secops/secops-overview", "https://github.com/chronicle/detection-rules"]}, {"capability_id": "security_command_center", "capability_description": "Security Command Center", "mapping_type": "technique_scores", "attack_object_id": "T1098.006", "attack_object_name": "Additional Container Cluster Roles", "capability_group": "security_command_center", "score_category": "protect", "score_value": "significant", "related_score": "T1098", "comments": "SCC ingests Cloud 
Audit logs to detect when permissions are changed in a privileged group (i.e., modify group to public) with sensitive permissions or roles. This security solution protects against compromised cloud accounts used to maintain persistence. Because of the near-real-time temporal factor in detecting this cyber-attack, the control was graded as significant.", "references": ["https://cloud.google.com/security-command-center/docs/concepts-security-command-center-overview", "https://cloud.google.com/security-command-center/docs/reference/rest/v2/organizations.sources.findings"]}, {"capability_id": "google_secops", "capability_description": "Google Security Operations", "mapping_type": "technique_scores", "attack_object_id": "T1127.002", "attack_object_name": "ClickOnce", "capability_group": "google_secops", "score_category": "detect", "score_value": "minimal", "related_score": "T1127", "comments": "Google Security Operations triggers an alert based on common command line arguments for DFSVC.EXE which is used by adversaries to execute code through ClickOnce applications.\n\nThis technique was scored as minimal based on low or uncertain detection coverage factor.\n\nhttps://github.com/chronicle/detection-rules/blob/783e0e5947774785db1c55041b70176deeca6f46/soc_prime_rules/mixed_other/security/possible_msbuild_abuse__via_cmdline.yaral", "references": ["https://cloud.google.com/security/products/security-operations", "https://cloud.google.com/chronicle/docs/secops/secops-overview", "https://github.com/chronicle/detection-rules"]}, {"capability_id": "mandiant_asm", "capability_description": "Mandiant Attack Surface Management (ASM)", "mapping_type": "technique_scores", "attack_object_id": "T1133", "attack_object_name": "External Remote Services", "capability_group": "mandiant_asm", "score_category": "detect", "score_value": "significant", "comments": "Mandiant Attack Surface Management continuously discovers and assesses an organization's assets for vulnerabilities, 
misconfigurations, and exposures. This control can discover vulnerable Remote Services offered on the cloud or on hosted servers. Since this monitoring is continual and is derived from Mandiant cyber threat intelligence, this control is scored as significant.", "references": ["https://cloud.google.com/security/products/attack-surface-management"]}, {"capability_id": "mandiant_asm", "capability_description": "Mandiant Attack Surface Management (ASM)", "mapping_type": "technique_scores", "attack_object_id": "T1190", "attack_object_name": "Exploit Public-Facing Application", "capability_group": "mandiant_asm", "score_category": "detect", "score_value": "partial", "comments": "Mandiant Attack Surface Management continuously discovers and assesses an organization's assets for vulnerabilities, misconfigurations, and exposures. This control can discover vulnerable Remote Services offered on the cloud or on hosted servers. Since this monitoring is continual and is derived from Mandiant cyber threat intelligence, this control is scored as significant.", "references": ["https://cloud.google.com/security/products/attack-surface-management"]}, {"capability_id": "assured_oss", "capability_description": "Assured Open Source Software", "mapping_type": "technique_scores", "attack_object_id": "T1195", "attack_object_name": "Supply Chain Compromise", "capability_group": "assured_oss", "score_category": "protect", "score_value": "partial", "comments": "Assured OSS provides Google OSS packages built with security features to help improve the security of a software supply chain, including vulnerability testing, signed provenance, and secured distribution. 
", "references": ["https://cloud.google.com/security/products/assured-open-source-software"]}, {"capability_id": "mandiant_digital_threatmon", "capability_description": "Mandiant Digital Threat Monitoring", "mapping_type": "technique_scores", "attack_object_id": "T1195", "attack_object_name": "Supply Chain Compromise", "capability_group": "mandiant_digital_threatmon", "score_category": "detect", "score_value": "partial", "comments": "Mandiant Digital Threat Monitoring continually monitors for compromised credentials and data leaks on both the open and dark web. This control may protect against credential abuse by alerting on leaked credentials. Since this control must depend on accessible sources for dumps, it does not protect against credentials that have been collected for a campaign but never posted, so the score is partial.", "references": ["https://cloud.google.com/security/products/digital-threat-monitoring"]}, {"capability_id": "assured_oss", "capability_description": "Assured Open Source Software", "mapping_type": "technique_scores", "attack_object_id": "T1195.001", "attack_object_name": "Compromise Software Dependencies and Development Tools", "capability_group": "assured_oss", "score_category": "protect", "score_value": "partial", "related_score": "T1195", "comments": "Assured OSS provides Google OSS packages built with security features to help improve the security of a software supply chain, including vulnerability testing, signed provenance, and secured distribution. 
", "references": ["https://cloud.google.com/security/products/assured-open-source-software"]}, {"capability_id": "assured_oss", "capability_description": "Assured Open Source Software", "mapping_type": "technique_scores", "attack_object_id": "T1195.002", "attack_object_name": "Compromise Software Supply Chain", "capability_group": "assured_oss", "score_category": "protect", "score_value": "partial", "related_score": "T1195", "comments": "Assured OSS provides Google OSS packages built with security features to help improve the security of a software supply chain, including vulnerability testing, signed provenance, and secured distribution. ", "references": ["https://cloud.google.com/security/products/assured-open-source-software"]}, {"capability_id": "mandiant_digital_threatmon", "capability_description": "Mandiant Digital Threat Monitoring", "mapping_type": "technique_scores", "attack_object_id": "T1199", "attack_object_name": "Trusted Relationship", "capability_group": "mandiant_digital_threatmon", "score_category": "detect", "score_value": "partial", "comments": "Mandiant Digital Threat Monitoring continually monitors for compromised credentials and data leaks on both the open and dark web. This control may protect against credential abuse by alerting on leaked credentials. Since this control must depend on accessible sources for dumps, it does not protect against credentials that have been collected for a campaign but never posted, so the score is partial.", "references": ["https://cloud.google.com/security/products/digital-threat-monitoring"]}, {"capability_id": "cloud_ngfw", "capability_description": "Cloud Next-Generation Firewall (NGFW)_", "mapping_type": "technique_scores", "attack_object_id": "T1205.002", "attack_object_name": "Socket Filters", "capability_group": "cloud_ngfw", "score_category": "protect", "score_value": "partial", "related_score": "T1205", "comments": "Cloud NGFW can filter traffic and detect these socket filters before they get attached. 
However, if the threat is past the firewall, those measures are unable to stop the filters, leading to the score of partial.", "references": ["https://cloud.google.com/firewalls"]}, {"capability_id": "confidential_vm", "capability_description": "Confidential VM", "mapping_type": "technique_scores", "attack_object_id": "T1212", "attack_object_name": "Exploitation for Credential Access", "capability_group": "confidential_vm", "score_category": "protect", "score_value": "minimal", "comments": "Confidential VM main memory encryption is performed using dedicated hardware within the memory controllers. Confidential VM generates encryption keys in dedicated hardware which is inaccessible to the hypervisor, protecting against Exploitation for Credential Access from outside the VM.", "references": ["https://cloud.google.com/compute/confidential-vm/docs/about-cvm#security_and_privacy_features"]}, {"capability_id": "cloud_identity", "capability_description": "Cloud Identity", "mapping_type": "technique_scores", "attack_object_id": "T1213.004", "attack_object_name": "Customer Relationship Management Software", "capability_group": "cloud_identity", "score_category": "protect", "score_value": "partial", "related_score": "T1213", "comments": "The access controls in Cloud Identity, such as MFA, can help to prevent an adversary from accessing internal software such as CRM tools, protecting customer data. 
However, if the adversary is able to access the system, Cloud Identity is not able to protect this data, leading to a score of partial.", "references": ["https://cloud.google.com/identity"]}, {"capability_id": "cloud_identity", "capability_description": "Cloud Identity", "mapping_type": "technique_scores", "attack_object_id": "T1213.005", "attack_object_name": "Messaging Applications", "capability_group": "cloud_identity", "score_category": "protect", "score_value": "partial", "related_score": "T1213", "comments": "The access controls in Cloud Identity, such as MFA, can help to prevent an adversary from accessing internal software such as messaging tools, protecting customer data. However, if the adversary is able to access the system, Cloud Identity is not able to protect this data, leading to a score of partial.", "references": ["https://cloud.google.com/identity"]}, {"capability_id": "cloud_identity", "capability_description": "Cloud Identity", "mapping_type": "technique_scores", "attack_object_id": "T1216.002", "attack_object_name": "SyncAppvPublishingServer", "capability_group": "cloud_identity", "score_category": "protect", "score_value": "partial", "related_score": "T1216", "comments": "The access controls in Cloud Identity, such as MFA, can help to prevent an adversary from accessing internal software such as SyncAppvPublishingServer, protecting customer data. 
However, if the adversary is able to access the system, Cloud Identity is not able to protect this data, leading to a score of partial.", "references": ["https://cloud.google.com/identity"]}, {"capability_id": "google_secops", "capability_description": "Google Security Operations", "mapping_type": "technique_scores", "attack_object_id": "T1218.015", "attack_object_name": "Electron Applications", "capability_group": "google_secops", "score_category": "detect", "score_value": "minimal", "related_score": "T1218", "comments": "Google Security Ops is able to trigger an alert based on suspicious behavior in Windows with the use of regsvr32.exe and a possible fileless attack via this executable.\n\nThis technique was scored as minimal based on low or uncertain detection coverage factor.\n\nhttps://github.com/chronicle/detection-rules/blob/783e0e5947774785db1c55041b70176deeca6f46/soc_prime_rules/threat_hunting/windows/ole_controls_registered_via_regsvr32_exe__sysmon_behavior.yaral\n\nhttps://github.com/chronicle/detection-rules/blob/783e0e5947774785db1c55041b70176deeca6f46/soc_prime_rules/ioc_sigma/process_creation/fileless_attack_via_regsvr32_exe.yaral", "references": ["https://cloud.google.com/security/products/security-operations", "https://cloud.google.com/chronicle/docs/secops/secops-overview", "https://github.com/chronicle/detection-rules"]}, {"capability_id": "google_secops", "capability_description": "Google Security Operations", "mapping_type": "technique_scores", "attack_object_id": "T1480.002", "attack_object_name": "Mutual Exclusion", "capability_group": "google_secops", "score_category": "detect", "score_value": "partial", "related_score": "T1480", "comments": "Google Security Operations can detect the creation of new processes, potentially revealing the existence of a mutex. 
This is rated as partial due to potential guardrails against detection impacting the reliability of the tool.", "references": ["https://cloud.google.com/security/products/security-operations", "https://cloud.google.com/chronicle/docs/secops/secops-overview", "https://github.com/chronicle/detection-rules"]}, {"capability_id": "backup_and_dr_actifiogo", "capability_description": "Backup and DR-Actifio GO", "mapping_type": "technique_scores", "attack_object_id": "T1485.001", "attack_object_name": "Lifecycle-Triggered Deletion", "capability_group": "backup_and_dr_actifiogo", "score_category": "respond", "score_value": "significant", "related_score": "T1485", "comments": "Backup and DR-Actifio GO is a copy data management platform that virtualizes application data to improve an organization's resiliency and cloud mobility. This capability allows an organization to take regular backups and provides several methods of restoring applications and/or VM data to a previous state. This provides significant ability to respond to a Data Destruction event since an organization could easily restore lost data back to the latest backup.", "references": ["https://cloud.google.com/backup-disaster-recovery/docs/configuration/cbb", "https://cloud.google.com/backup-disaster-recovery"]}, {"capability_id": "security_command_center", "capability_description": "Security Command Center", "mapping_type": "technique_scores", "attack_object_id": "T1496.001", "attack_object_name": "Compute Hijacking", "capability_group": "security_command_center", "score_category": "detect", "score_value": "significant", "related_score": "T1496", "comments": "SCC detects compromised hosts that attempt to connect to known malicious crypto-mining domains and IP addresses. 
Because of the near-real time temporal factor to detect against this cyber-attack the control was graded as significant.", "references": ["https://cloud.google.com/security-command-center/docs/concepts-security-command-center-overview", "https://github.com/GoogleCloudPlatform/security-analytics"]}, {"capability_id": "security_command_center", "capability_description": "Security Command Center", "mapping_type": "technique_scores", "attack_object_id": "T1496.002", "attack_object_name": "Bandwidth Hijacking", "capability_group": "security_command_center", "score_category": "detect", "score_value": "significant", "related_score": "T1496", "comments": "SCC detects compromised hosts that attempt to connect to known malicious crypto-mining domains and IP addresses. Because of the near-real time temporal factor to detect against this cyber-attack the control was graded as significant.", "references": ["https://cloud.google.com/security-command-center/docs/concepts-security-command-center-overview", "https://github.com/GoogleCloudPlatform/security-analytics"]}, {"capability_id": "security_command_center", "capability_description": "Security Command Center", "mapping_type": "technique_scores", "attack_object_id": "T1496.003", "attack_object_name": "SMS Pumping", "capability_group": "security_command_center", "score_category": "detect", "score_value": "significant", "related_score": "T1496", "comments": "SCC detects compromised hosts that attempt to connect to known malicious crypto-mining domains and IP addresses. 
Because of the near-real time temporal factor to detect against this cyber-attack the control was graded as significant.", "references": ["https://cloud.google.com/security-command-center/docs/concepts-security-command-center-overview", "https://github.com/GoogleCloudPlatform/security-analytics"]}, {"capability_id": "security_command_center", "capability_description": "Security Command Center", "mapping_type": "technique_scores", "attack_object_id": "T1496.004", "attack_object_name": "Cloud Service Hijacking", "capability_group": "security_command_center", "score_category": "detect", "score_value": "significant", "related_score": "T1496", "comments": "SCC detects compromised hosts that attempt to connect to known malicious crypto-mining domains and IP addresses. Because of the near-real time temporal factor to detect against this cyber-attack the control was graded as significant.", "references": ["https://cloud.google.com/security-command-center/docs/concepts-security-command-center-overview", "https://github.com/GoogleCloudPlatform/security-analytics"]}, {"capability_id": "google_secops", "capability_description": "Google Security Operations", "mapping_type": "technique_scores", "attack_object_id": "T1505.005", "attack_object_name": "Terminal Services DLL", "capability_group": "google_secops", "score_category": "detect", "score_value": "minimal", "related_score": "T1505", "comments": "Google Security Operations is able to trigger alerts based on command execution (e.g. reg.exe or termsrv.dll). 
", "references": ["https://cloud.google.com/security/products/security-operations", "https://cloud.google.com/chronicle/docs/secops/secops-overview", "https://github.com/chronicle/detection-rules"]}, {"capability_id": "sensitive_data_protection", "capability_description": "Sensitive Data Protection ", "mapping_type": "technique_scores", "attack_object_id": "T1565.002", "attack_object_name": "Transmitted Data Manipulation", "capability_group": "sensitive_data_protection", "score_category": "protect", "score_value": "partial", "related_score": "T1565", "comments": "This control is able to scan cloud storage objects for sensitive data and transform that data into a secure or nonsensitive form. It is able to scan for a variety of common sensitive data types, such as API keys, credentials, or credit card numbers. The de-identification service lets you obfuscate instances of sensitive data before they can be transmitted for sharing. ", "references": ["https://cloud.google.com/sensitive-data-protection/docs/concepts-deidentify-storage"]}, {"capability_id": "google_secops", "capability_description": "Google Security Operations", "mapping_type": "technique_scores", "attack_object_id": "T1543.005", "attack_object_name": "Container Service", "capability_group": "google_secops", "score_category": "detect", "score_value": "minimal", "related_score": "T1543", "comments": "Google Security Operations is able to trigger alerts based on executed commands like docker run or podman run.", "references": ["https://cloud.google.com/security/products/security-operations", "https://cloud.google.com/chronicle/docs/secops/secops-overview", "https://github.com/chronicle/detection-rules"]}, {"capability_id": "google_secops", "capability_description": "Google Security Operations", "mapping_type": "technique_scores", "attack_object_id": "T1546.016", "attack_object_name": "Installer Packages", "capability_group": "google_secops", "score_category": "detect", "score_value": "minimal", "related_score": 
"T1546", "comments": "Google Security Operations is able to trigger alerts based on executed commands and arguments that may be related to abuse of installer packages.", "references": ["https://cloud.google.com/security/products/security-operations", "https://cloud.google.com/chronicle/docs/secops/secops-overview", "https://github.com/chronicle/detection-rules"]}, {"capability_id": "google_secops", "capability_description": "Google Security Operations", "mapping_type": "technique_scores", "attack_object_id": "T1546.017", "attack_object_name": "Udev Rules", "capability_group": "google_secops", "score_category": "detect", "score_value": "minimal", "related_score": "T1546", "comments": "Google Security Operations is able to trigger alerts based on executed commands that create or modify files where the udev rules are located.", "references": ["https://cloud.google.com/security/products/security-operations", "https://cloud.google.com/chronicle/docs/secops/secops-overview", "https://github.com/chronicle/detection-rules"]}, {"capability_id": "google_secops", "capability_description": "Google Security Operations", "mapping_type": "technique_scores", "attack_object_id": "T1548.005", "attack_object_name": "Temporary Elevated Cloud Access", "capability_group": "google_secops", "score_category": "detect", "score_value": "minimal", "related_score": "T1548", "comments": "Google Security Ops is able to trigger an alert based on when excessive permissions are assigned to an Entra ID application or privileged roles are assigned to user accounts.\n\nThis technique was scored as minimal based on low or uncertain detection coverage factor.\n\nhttps://github.com/chronicle/detection-rules/blob/783e0e5947774785db1c55041b70176deeca6f46/mitre_attack/T1564_001_macos_hidden_files_and_directories.yaral", "references": ["https://cloud.google.com/security/products/security-operations", "https://cloud.google.com/chronicle/docs/secops/secops-overview", 
"https://github.com/chronicle/detection-rules"]}, {"capability_id": "google_secops", "capability_description": "Google Security Operations", "mapping_type": "technique_scores", "attack_object_id": "T1548.006", "attack_object_name": "TCC Manipulation", "capability_group": "google_secops", "score_category": "detect", "score_value": "minimal", "related_score": "T1548", "comments": "Google Security Operations can alert based on processes like AuthorizationExecuteWithPrivileges.", "references": ["https://cloud.google.com/security/products/security-operations", "https://cloud.google.com/chronicle/docs/secops/secops-overview", "https://github.com/chronicle/detection-rules"]}, {"capability_id": "confidential_vm", "capability_description": "Confidential VM", "mapping_type": "technique_scores", "attack_object_id": "T1552.007", "attack_object_name": "Container API", "capability_group": "confidential_vm", "score_category": "protect", "score_value": "partial", "related_score": "T1552", "comments": "Confidential VM main memory encryption is performed using dedicated hardware within the memory controllers. 
Confidential VM can be used with Google Kubernetes Engine Nodes to encrypt data in-use for these workloads.", "references": ["https://cloud.google.com/compute/confidential-vm/docs/about-cvm#security_and_privacy_features"]}, {"capability_id": "cloud_hsm", "capability_description": "Cloud Hardware Security Module (HSM)", "mapping_type": "technique_scores", "attack_object_id": "T1552.008", "attack_object_name": "Chat Messages", "capability_group": "cloud_hsm", "score_category": "protect", "score_value": "partial", "related_score": "T1552", "comments": "Google Cloud's HSM may protect against an adversary's attempts to leverage passwords and unsecured credentials found in files on compromised systems. Variations of this technique are difficult to mitigate, so a partial score was granted for this control's medium to high coverage factor.", "references": ["https://cloud.google.com/kms/docs/hsm"]}, {"capability_id": "google_secops", "capability_description": "Google Security Operations", "mapping_type": "technique_scores", "attack_object_id": "T1555.006", "attack_object_name": "Cloud Secrets Management Stores", "capability_group": "google_secops", "score_category": "protect", "score_value": "partial", "related_score": "T1555", "comments": "Google Security Operations can prevent those with insufficient privileges from accessing the secrets manager, as well as detect modifications to user privileges that may allow them access. 
This was ranked as partial as it cannot prevent a compromised account with those permissions from accessing the secrets manager.", "references": ["https://cloud.google.com/secret-manager/docs/overview"]}, {"capability_id": "advanced_protection_program", "capability_description": "Advanced Protection Program", "mapping_type": "technique_scores", "attack_object_id": "T1556.001", "attack_object_name": "Domain Controller Authentication", "capability_group": "advanced_protection_program", "score_category": "protect", "score_value": "significant", "related_score": "T1556", "comments": "Advanced Protection Program enables the use of a security key for multi-factor authentication. Integrating multi-factor authentication as part of organizational policy can greatly reduce the risk of an adversary gaining control of valid credentials that may be used for additional tactics such as initial access, lateral movement, and collecting information.\n", "references": ["https://landing.google.com/advancedprotection/"]}, {"capability_id": "advanced_protection_program", "capability_description": "Advanced Protection Program", "mapping_type": "technique_scores", "attack_object_id": "T1556.003", "attack_object_name": "Pluggable Authentication Modules", "capability_group": "advanced_protection_program", "score_category": "protect", "score_value": "significant", "related_score": "T1556", "comments": "Advanced Protection Program enables the use of a security key for multi-factor authentication. 
Integrating multi-factor authentication as part of organizational policy can greatly reduce the risk of an adversary gaining control of valid credentials that may be used for additional tactics such as initial access, lateral movement, and collecting information.\n", "references": ["https://landing.google.com/advancedprotection/"]}, {"capability_id": "advanced_protection_program", "capability_description": "Advanced Protection Program", "mapping_type": "technique_scores", "attack_object_id": "T1556.004", "attack_object_name": "Network Device Authentication", "capability_group": "advanced_protection_program", "score_category": "protect", "score_value": "significant", "related_score": "T1556", "comments": "Advanced Protection Program enables the use of a security key for multi-factor authentication. Integrating multi-factor authentication as part of organizational policy can greatly reduce the risk of an adversary gaining control of valid credentials that may be used for additional tactics such as initial access, lateral movement, and collecting information.\n", "references": ["https://landing.google.com/advancedprotection/"]}, {"capability_id": "advanced_protection_program", "capability_description": "Advanced Protection Program", "mapping_type": "technique_scores", "attack_object_id": "T1556.005", "attack_object_name": "Reversible Encryption", "capability_group": "advanced_protection_program", "score_category": "protect", "score_value": "significant", "related_score": "T1556", "comments": "Advanced Protection Program enables the use of a security key for multi-factor authentication. Even in the event of compromised credentials, the lack of a security key would prevent an adversary from accessing the account. 
This leads to significant protection against the technique.", "references": ["https://landing.google.com/advancedprotection/"]}, {"capability_id": "google_secops", "capability_description": "Google Security Operations", "mapping_type": "technique_scores", "attack_object_id": "T1556.006", "attack_object_name": "Multi-Factor Authentication", "capability_group": "google_secops", "score_category": "detect", "score_value": "partial", "related_score": "T1556", "comments": "The audit capabilities within Google Security Operations Center may be able to detect if Multi-Factor Authentication was disabled, allowing that change to be reverted. This was scored as partial because there is still a window of time in which an adversary can make use of the disabled MFA.", "references": ["https://landing.google.com/advancedprotection/"]}, {"capability_id": "advanced_protection_program", "capability_description": "Advanced Protection Program", "mapping_type": "technique_scores", "attack_object_id": "T1556.007", "attack_object_name": "Hybrid Identity", "capability_group": "advanced_protection_program", "score_category": "protect", "score_value": "significant", "related_score": "T1556", "comments": "Advanced Protection Program enables the use of a security key for multi-factor authentication. Even in the event of compromised credentials, the lack of a security key would prevent an adversary from accessing the account. 
This leads to significant protection against the technique.", "references": ["https://landing.google.com/advancedprotection/"]}, {"capability_id": "advanced_protection_program", "capability_description": "Advanced Protection Program", "mapping_type": "technique_scores", "attack_object_id": "T1556.008", "attack_object_name": "Network Provider DLL", "capability_group": "advanced_protection_program", "score_category": "protect", "score_value": "significant", "related_score": "T1556", "comments": "Advanced Protection Program enables the use of a security key for multi-factor authentication. Even in the event of compromised credentials, the lack of a security key would prevent an adversary from accessing the account. This leads to significant protection against the technique.", "references": ["https://landing.google.com/advancedprotection/"]}, {"capability_id": "advanced_protection_program", "capability_description": "Advanced Protection Program", "mapping_type": "technique_scores", "attack_object_id": "T1556.009", "attack_object_name": "Conditional Access Policies", "capability_group": "advanced_protection_program", "score_category": "protect", "score_value": "significant", "related_score": "T1556", "comments": "Advanced Protection Program enables the use of a security key for multi-factor authentication. Even in the event of compromised credentials, the lack of a security key would prevent an adversary from accessing the account. 
This leads to significant protection against the technique.", "references": ["https://landing.google.com/advancedprotection/"]}, {"capability_id": "certificate_authority_service", "capability_description": "Certificate Authority Service", "mapping_type": "technique_scores", "attack_object_id": "T1557", "attack_object_name": "Adversary-in-the-Middle", "capability_group": "certificate_authority_service", "score_category": "protect", "score_value": "significant", "comments": "This control may mitigate Adversary-in-the-Middle by providing certificates for internal endpoints and applications to use with asymmetric encryption. This control may also provide authentication for user identity for VPN or zero trust networking.", "references": ["https://cloud.google.com/certificate-authority-service/docs"]}, {"capability_id": "cloud_ngfw", "capability_description": "Cloud Next-Generation Firewall (NGFW)_", "mapping_type": "technique_scores", "attack_object_id": "T1557.003", "attack_object_name": "DHCP Spoofing", "capability_group": "cloud_ngfw", "score_category": "protect", "score_value": "partial", "related_score": "T1557", "comments": "Cloud NGFW can be configured with firewall rules to mitigate DHCP Spoofing.", "references": ["https://cloud.google.com/firewalls"]}, {"capability_id": "google_secops", "capability_description": "Google Security Operations", "mapping_type": "technique_scores", "attack_object_id": "T1562.012", "attack_object_name": "Disable or Modify Linux Audit System", "capability_group": "google_secops", "score_category": "detect", "score_value": "minimal", "related_score": "T1562", "comments": "Google Security Operations is able to trigger alerts based on invocation of utilities (like auditctl).", "references": ["https://cloud.google.com/security/products/security-operations", "https://cloud.google.com/chronicle/docs/secops/secops-overview", "https://github.com/chronicle/detection-rules"]}, {"capability_id": "google_secops", 
"capability_description": "Google Security Operations", "mapping_type": "technique_scores", "attack_object_id": "T1564.011", "attack_object_name": "Ignore Process Interrupts", "capability_group": "google_secops", "score_category": "detect", "score_value": "minimal", "related_score": "T1564", "comments": "Google Security Operations is able to trigger alerts based off command-line arguments and suspicious system processes.", "references": ["https://cloud.google.com/security/products/security-operations", "https://cloud.google.com/chronicle/docs/secops/secops-overview", "https://github.com/chronicle/detection-rules"]}, {"capability_id": "chrome_enterprise_premium", "capability_description": "Chrome Enterprise Premium", "mapping_type": "technique_scores", "attack_object_id": "T1567.003", "attack_object_name": "Exfiltration to Text Storage Sites", "capability_group": "chrome_enterprise_premium", "score_category": "protect", "score_value": "significant", "related_score": "T1567", "comments": "Chrome Enterprise Premium provides Data Loss Prevention (DLP) features that can detect and block sensitive data for files that are uploaded and downloaded and for content that is pasted or dragged and dropped via the Chrome browser. 
This can provide protection against adversaries that may try to steal data over network protocols.", "references": ["https://cloud.google.com/beyondcorp-enterprise/docs/overview"]}, {"capability_id": "google_secops", "capability_description": "Google Security Operations", "mapping_type": "technique_scores", "attack_object_id": "T1567.004", "attack_object_name": "Exfiltration Over Webhook", "capability_group": "google_secops", "score_category": "detect", "score_value": "partial", "related_score": "T1567", "comments": "Google Security Operations can be configured to detect if a webhook-creating command is run.", "references": ["https://cloud.google.com/run/docs/triggering/webhooks", "https://cloud.google.com/security/products/security-operations"]}, {"capability_id": "google_secops", "capability_description": "Google Security Operations", "mapping_type": "technique_scores", "attack_object_id": "T1574.013", "attack_object_name": "KernelCallbackTable", "capability_group": "google_secops", "score_category": "detect", "score_value": "minimal", "related_score": "T1574", "comments": "Google Security Operations can alert based on Windows API calls such as WriteProcessMemory() and NtQueryInformationProcess().", "references": ["https://cloud.google.com/security/products/security-operations", "https://cloud.google.com/chronicle/docs/secops/secops-overview", "https://github.com/chronicle/detection-rules"]}, {"capability_id": "google_secops", "capability_description": "Google Security Operations", "mapping_type": "technique_scores", "attack_object_id": "T1578.005", "attack_object_name": "Modify Cloud Compute Configurations", "capability_group": "google_secops", "score_category": "detect", "score_value": "minimal", "related_score": "T1578", "comments": "Google Security Operations is able to trigger an alert based on changes to the infrastructure (e.g., VPC network changes).\n\nThis technique was scored as minimal based on low or uncertain detection coverage 
factor.\n\nhttps://github.com/chronicle/detection-rules/blob/783e0e5947774785db1c55041b70176deeca6f46/gcp_cloudaudit/gcp_vpc_network_changes.yaral", "references": ["https://cloud.google.com/security/products/security-operations", "https://cloud.google.com/chronicle/docs/secops/secops-overview", "https://github.com/chronicle/detection-rules"]}, {"capability_id": "policy_intelligence", "capability_description": "Policy Intelligence", "mapping_type": "technique_scores", "attack_object_id": "T1578.005", "attack_object_name": "Modify Cloud Compute Configurations", "capability_group": "policy_intelligence", "score_category": "protect", "score_value": "partial", "related_score": "T1578", "comments": "Policy Intelligence role recommendations generated by IAM Recommender help admins remove unwanted access to GCP resources by using machine learning to make smart access control recommendations. With Recommender, security teams can automatically detect overly permissive access and rightsize it based on similar users in the organization and their access patterns. This control may mitigate adversaries that try to gain access to permissions from modifying infrastructure components.", "references": ["https://cloud.google.com/policy-intelligence"]}, {"capability_id": "security_command_center", "capability_description": "Security Command Center", "mapping_type": "technique_scores", "attack_object_id": "T1578.005", "attack_object_name": "Modify Cloud Compute Configurations", "capability_group": "security_command_center", "score_category": "detect", "score_value": "significant", "related_score": "T1578", "comments": "SCC detects changes to the cloud infrastructure and resources which could indicate malicious behavior (e.g., delete instances, create snapshot, revert cloud instance). This security solution protects against modifications potentially used to remove evidence and evade defenses. 
Because of the near-real time temporal factor and high detection coverage this control was graded as significant.", "references": ["https://cloud.google.com/security-command-center/docs/concepts-security-command-center-overview", "https://github.com/GoogleCloudPlatform/security-analytics"]}, {"capability_id": "mandiant_asm", "capability_description": "Mandiant Attack Surface Management (ASM)", "mapping_type": "technique_scores", "attack_object_id": "T1580", "attack_object_name": "Cloud Infrastructure Discovery", "capability_group": "mandiant_asm", "score_category": "detect", "score_value": "significant", "comments": "Mandiant Attack Surface Management continuously discovers and assesses an organization's assets for vulnerabilities, misconfigurations, and exposures. This control can discover vulnerable Remote Services offered on the cloud or on hosted servers. Since this monitoring is continual and is derived from Mandiant cyber threat intelligence, this control is scored as significant.", "references": ["https://cloud.google.com/security/products/attack-surface-management"]}, {"capability_id": "google_secops", "capability_description": "Google Security Operations", "mapping_type": "technique_scores", "attack_object_id": "T1584.007", "attack_object_name": "Serverless", "capability_group": "google_secops", "score_category": "detect", "score_value": "minimal", "related_score": "T1584", "comments": "Google Security Operations can be configured to detect on Google App Scripts.", "references": ["https://cloud.google.com/security/products/security-operations", "https://cloud.google.com/chronicle/docs/secops/secops-overview", "https://github.com/chronicle/detection-rules"]}, {"capability_id": "cloud_identity", "capability_description": "Cloud Identity", "mapping_type": "technique_scores", "attack_object_id": "T1585.003", "attack_object_name": "Cloud Accounts", "capability_group": "cloud_identity", "score_category": "protect", "score_value": "partial", "related_score": 
"T1585", "comments": "This control can be used to mitigate cloud account creation.", "references": ["https://cloud.google.com/identity"]}, {"capability_id": "cloud_identity", "capability_description": "Cloud Identity", "mapping_type": "technique_scores", "attack_object_id": "T1586.003", "attack_object_name": "Cloud Accounts", "capability_group": "cloud_identity", "score_category": "protect", "score_value": "partial", "related_score": "T1586", "comments": "This control can be used to mitigate malicious attacks of cloud accounts by implementing multi-factor authentication techniques or password policies.", "references": ["https://cloud.google.com/identity"]}, {"capability_id": "mandiant_digital_threatmon", "capability_description": "Mandiant Digital Threat Monitoring", "mapping_type": "technique_scores", "attack_object_id": "T1591", "attack_object_name": "Gather Victim Org Information", "capability_group": "mandiant_digital_threatmon", "score_category": "detect", "score_value": "partial", "comments": "Mandiant Digital Threat Monitoring continually monitors for compromised credentials and data leaks on both the open and dark web. This control may protect against Gather Victim Org Information by alerting on custom data leaks. Since this control must depend on accessible sources for dumps, it does not protect against data that has been collected for a campaign but never posted, so the score is partial.", "references": ["https://cloud.google.com/security/products/digital-threat-monitoring"]}, {"capability_id": "cloud_ngfw", "capability_description": "Cloud Next-Generation Firewall (NGFW)_", "mapping_type": "technique_scores", "attack_object_id": "T1595.003", "attack_object_name": "Wordlist Scanning", "capability_group": "cloud_ngfw", "score_category": "protect", "score_value": "partial", "related_score": "T1595", "comments": "Cloud NGFW can allow or deny traffic based on the traffic's protocol, destination ports, sources, and destinations. 
This functionality can be used to restrict access to the endpoints within the virtual private cloud and protect against active scanning.", "references": ["https://cloud.google.com/firewalls"]}, {"capability_id": "cloud_identity", "capability_description": "Cloud Identity", "mapping_type": "technique_scores", "attack_object_id": "T1621", "attack_object_name": "Multi-Factor Authentication Request Generation", "capability_group": "cloud_identity", "score_category": "detect", "score_value": "partial", "comments": "The Identity Platform can establish limits and quotas for MFA.", "references": ["https://cloud.google.com/identity", "https://cloud.google.com/identity-platform/quotas"]}, {"capability_id": "google_secops", "capability_description": "Google Security Operations", "mapping_type": "technique_scores", "attack_object_id": "T1622", "attack_object_name": "Debugger Evasion", "capability_group": "google_secops", "score_category": "detect", "score_value": "partial", "comments": "Google Security Operations is able to trigger alerts based off API calls (such as IsDebuggerPresent()).", "references": ["https://cloud.google.com/security/products/security-operations", "https://cloud.google.com/chronicle/docs/secops/secops-overview", "https://github.com/chronicle/detection-rules"]}, {"capability_id": "google_secops", "capability_description": "Google Security Operations", "mapping_type": "technique_scores", "attack_object_id": "T1647", "attack_object_name": "Plist File Modification", "capability_group": "google_secops", "score_category": "detect", "score_value": "partial", "comments": "Google Security Operations is able to trigger alerts based on executed commands that modify files where plists are typically located.", "references": ["https://cloud.google.com/security/products/security-operations", "https://cloud.google.com/chronicle/docs/secops/secops-overview", "https://github.com/chronicle/detection-rules"]}, {"capability_id": "google_secops", "capability_description": 
"Google Security Operations", "mapping_type": "technique_scores", "attack_object_id": "T1648", "attack_object_name": "Serverless Execution", "capability_group": "google_secops", "score_category": "detect", "score_value": "minimal", "comments": "Google Security Operations can be configured to detect on Google App Scripts.", "references": ["https://cloud.google.com/security/products/security-operations", "https://cloud.google.com/chronicle/docs/secops/secops-overview", "https://github.com/chronicle/detection-rules"]}, {"capability_id": "identity_and_access_management", "capability_description": "Identity and Access Management", "mapping_type": "technique_scores", "attack_object_id": "T1648", "attack_object_name": "Serverless Execution", "capability_group": "identity_and_access_management", "score_category": "protect", "score_value": "partial", "comments": "GCP Identity and Access Management allows admins to set permissions based on accounts and account types.", "references": ["https://cloud.google.com/iam"]}, {"capability_id": "google_secops", "capability_description": "Google Security Operations", "mapping_type": "technique_scores", "attack_object_id": "T1649", "attack_object_name": "Steal or Forge Authentication Certificates", "capability_group": "google_secops", "score_category": "detect", "score_value": "minimal", "comments": "Google Security Operations is able to trigger alerts based on executed commands that access where certificates are typically stored (e.g. 
%APPDATA%\\Microsoft\\SystemCertificates\\My\\Certificates\\).", "references": ["https://cloud.google.com/security/products/security-operations", "https://cloud.google.com/chronicle/docs/secops/secops-overview", "https://github.com/chronicle/detection-rules"]}, {"capability_id": "identity_and_access_management", "capability_description": "Identity and Access Management", "mapping_type": "technique_scores", "attack_object_id": "T1651", "attack_object_name": "Cloud Administration Command", "capability_group": "identity_and_access_management", "score_category": "protect", "score_value": "partial", "comments": "IAM can be configured to minimize permissions to users and prevent unnecessary access to the gcloud CLI.", "references": ["https://cloud.google.com/iam"]}, {"capability_id": "google_secops", "capability_description": "Google Security Operations", "mapping_type": "technique_scores", "attack_object_id": "T1652", "attack_object_name": "Device Driver Discovery", "capability_group": "google_secops", "score_category": "detect", "score_value": "minimal", "comments": "Google Security Operations is able to trigger alerts based off API calls (such as EnumDeviceDrivers()) that may attempt to gather information about local device drivers.", "references": ["https://cloud.google.com/security/products/security-operations", "https://cloud.google.com/chronicle/docs/secops/secops-overview", "https://github.com/chronicle/detection-rules"]}, {"capability_id": "google_secops", "capability_description": "Google Security Operations", "mapping_type": "technique_scores", "attack_object_id": "T1654", "attack_object_name": "Log Enumeration", "capability_group": "google_secops", "score_category": "detect", "score_value": "minimal", "comments": "Google Security Operations is able to trigger alerts based off use of utilities used to enumerate logs (like wevtutil.exe).", "references": ["https://cloud.google.com/security/products/security-operations", 
"https://cloud.google.com/chronicle/docs/secops/secops-overview", "https://github.com/chronicle/detection-rules"]}, {"capability_id": "identity_and_access_management", "capability_description": "Identity and Access Management", "mapping_type": "technique_scores", "attack_object_id": "T1654", "attack_object_name": "Log Enumeration", "capability_group": "identity_and_access_management", "score_category": "protect", "score_value": "partial", "comments": "IAM can be configured to minimize permissions to users and prevent unnecessary access to logs.", "references": ["https://cloud.google.com/iam"]}, {"capability_id": "cloud_vpn", "capability_description": "Cloud VPN", "mapping_type": "technique_scores", "attack_object_id": "T1659", "attack_object_name": "Content Injection", "capability_group": "cloud_vpn", "score_category": "protect", "score_value": "significant", "comments": "Cloud VPN encrypts data in transit, restricting an adversary's ability to inject content.", "references": ["https://cloud.google.com/network-connectivity/docs/vpn/concepts/overview"]}, {"capability_id": "identity_and_access_management", "capability_description": "Identity and Access Management", "mapping_type": "technique_scores", "attack_object_id": "T1666", "attack_object_name": "Modify Cloud Resource Hierarchy", "capability_group": "identity_and_access_management", "score_category": "protect", "score_value": "partial", "comments": "IAM can be configured to minimize permissions to users and limit users' ability to add, delete, or modify resource groups.", "references": ["https://cloud.google.com/iam"]}, {"capability_id": "google_secops", "capability_description": "Google Security Operations", "mapping_type": "technique_scores", "attack_object_id": "T1003", "attack_object_name": "OS Credential Dumping", "capability_group": "google_secops", "score_category": "detect", "score_value": "minimal", "comments": "Google Security Operations is able to detect suspicious command-line process attempted to 
escalate privileges. Examples of credential access system events include:\n(e.g.,\"re.regex($selection.target.registry.registry_value_data, `.*DumpCreds.*`) or re.regex($selection.target.registry.registry_value_data, `.*Mimikatz.*`) or re.regex($selection.target.registry.registry_value_data, `.*PWCrack.*`) or $selection.target.registry.registry_value_data = \"HTool/WCE\" or re.regex($selection.target.registry.registry_value_data, `.*PSWtool.*`) or re.regex($selection.target.registry.registry_value_data, `.*PWDump.*`)).\n\n\nThis technique was scored as minimal based on low or uncertain detection coverage factor.\n\nhttps://github.com/chronicle/detection-rules/blob/783e0e5947774785db1c55041b70176deeca6f46/soc_prime_rules/ioc_sigma/antivirus/antivirus_password_dumper_detection.yaral", "references": ["https://cloud.google.com/security/products/security-operations", "https://github.com/chronicle/detection-rules"]}, {"capability_id": "google_secops", "capability_description": "Google Security Operations", "mapping_type": "technique_scores", "attack_object_id": "T1003.001", "attack_object_name": "LSASS Memory", "capability_group": "google_secops", "score_category": "detect", "score_value": "minimal", "related_score": "T1003", "comments": "Google SecOps is able to detect suspicious command-line processes attempting to escalate privileges. For example: access to credential material stored in the process memory of the Local Security Authority Subsystem Service (LSASS) on Windows machines (e.g., lsass\\.exe). 
\n\nThis technique was scored as minimal based on low or uncertain detection coverage factor.\n\nhttps://github.com/chronicle/detection-rules/tree/main/soc_prime_rules/threat_hunting/windows", "references": ["https://cloud.google.com/security/products/security-operations", "https://github.com/chronicle/detection-rules"]}, {"capability_id": "google_secops", "capability_description": "Google Security Operations", "mapping_type": "technique_scores", "attack_object_id": "T1003.003", "attack_object_name": "NTDS", "capability_group": "google_secops", "score_category": "detect", "score_value": "minimal", "related_score": "T1003", "comments": "Google SecOps is able to trigger an alert based on process creations and  attacks against the NTDS database on Windows platforms (e.g., execution of \"ntdsutil.exe\")\n\nThis technique was scored as minimal based on low or uncertain detection coverage factor.\n\nhttps://github.com/chronicle/detection-rules/tree/main/soc_prime_rules/threat_hunting/windows", "references": ["https://cloud.google.com/security/products/security-operations", "https://github.com/chronicle/detection-rules"]}, {"capability_id": "google_secops", "capability_description": "Google Security Operations", "mapping_type": "technique_scores", "attack_object_id": "T1011", "attack_object_name": "Exfiltration Over Other Network Medium", "capability_group": "google_secops", "score_category": "detect", "score_value": "minimal", "comments": "Google SecOps is able to trigger an alert based off suspicious system processes or command-line arguments that could indicate exfiltration of data over other network mediums.\n\nThis technique was scored as minimal based on low or uncertain detection coverage factor.\n\nhttps://github.com/chronicle/detection-rules/tree/main/suspicious\n\n", "references": ["https://cloud.google.com/security/products/security-operations", "https://github.com/chronicle/detection-rules"]}, {"capability_id": "security_command_center", 
"capability_description": "Security Command Center", "mapping_type": "technique_scores", "attack_object_id": "T1014", "attack_object_name": "Rootkit", "capability_group": "security_command_center", "score_category": "detect", "score_value": "significant", "comments": "SCC is able to detect when secure boot is not enabled. Adversaries may use this weakness to abuse pre-boot mechanisms and persist on compromised systems (e.g., rootkit). This technique was graded as significant due to the real-time temporal factor.", "references": ["https://cloud.google.com/security-command-center/docs/concepts-security-command-center-overview", "https://github.com/GoogleCloudPlatform/security-analytics"]}, {"capability_id": "shielded_vm", "capability_description": "Shielded VM", "mapping_type": "technique_scores", "attack_object_id": "T1014", "attack_object_name": "Rootkit", "capability_group": "shielded_vm", "score_category": "protect", "score_value": "partial", "comments": "This control is able to mitigate the use of rootkits that target any portion of the boot process, such as malicious modification of the Master Boot Record or UEFI. 
This control does not mitigate rootkits that exist in the kernel or userland.", "references": ["https://cloud.google.com/compute/shielded-vm/docs/shielded-vm"]}, {"capability_id": "google_secops", "capability_description": "Google Security Operations", "mapping_type": "technique_scores", "attack_object_id": "T1016", "attack_object_name": "System Network Configuration Discovery", "capability_group": "google_secops", "score_category": "detect", "score_value": "minimal", "comments": "Google Security Ops is able to trigger an alert based off processes and command-line arguments that may indicate adversary reconnaissance and information discovery techniques for network configuration settings (e.g., \"net config\", \"ipconfig.exe\", \"nbtstat.exe).\n\nThis technique was scored as minimal based on low or uncertain detection coverage factor.\n\nhttps://github.com/chronicle/detection-rules/blob/783e0e5947774785db1c55041b70176deeca6f46/soc_prime_rules/threat_hunting/windows/possible_system_network_configuration_discovery__sysmon_windows_logs.yaral", "references": ["https://cloud.google.com/security/products/security-operations", "https://cloud.google.com/chronicle/docs/secops/secops-overview", "https://github.com/chronicle/detection-rules"]}, {"capability_id": "cloud_ngfw", "capability_description": "Cloud Next-Generation Firewall (NGFW)_", "mapping_type": "technique_scores", "attack_object_id": "T1018", "attack_object_name": "Remote System Discovery", "capability_group": "cloud_ngfw", "score_category": "protect", "score_value": "partial", "comments": "Cloud NGFW can allow or deny traffic based on the traffic's protocol, destination ports, sources, and destinations. This functionality can be used to block adversaries from discovering endpoints behind the firewall. 
This mapping is given a score of Partial because it does not protect against discovering endpoints within the network and behind the firewall.", "references": ["https://cloud.google.com/security/products/security-operations", "https://cloud.google.com/chronicle/docs/secops/secops-overview", "https://github.com/chronicle/detection-rules"]}, {"capability_id": "google_secops", "capability_description": "Google Security Operations", "mapping_type": "technique_scores", "attack_object_id": "T1018", "attack_object_name": "Remote System Discovery", "capability_group": "google_secops", "score_category": "detect", "score_value": "minimal", "comments": "Google Security Ops attempts to identify remote systems via ping sweep. This technique was scored as minimal based on low or uncertain detection coverage factor.\n\nhttps://github.com/chronicle/detection-rules/blob/783e0e5947774785db1c55041b70176deeca6f46/soc_prime_rules/ioc_sigma/process_creation/remote_system_discovery___ping_sweep.yaral", "references": ["https://cloud.google.com/security/products/security-operations", "https://cloud.google.com/chronicle/docs/secops/secops-overview", "https://github.com/chronicle/detection-rules"]}, {"capability_id": "google_secops", "capability_description": "Google Security Operations", "mapping_type": "technique_scores", "attack_object_id": "T1018", "attack_object_name": "Remote System Discovery", "capability_group": "google_secops", "score_category": "protect", "score_value": "partial", "comments": "Google Security Ops typically filters external network traffic and therefore can be effective for preventing external remote system discovery. 
Activity originating from inside the trusted network is not mitigated.", "references": ["https://cloud.google.com/security/products/security-operations", "https://cloud.google.com/chronicle/docs/secops/secops-overview", "https://github.com/chronicle/detection-rules"]}, {"capability_id": "vpc_service_controls", "capability_description": "VPC Service Controls", "mapping_type": "technique_scores", "attack_object_id": "T1018", "attack_object_name": "Remote System Discovery", "capability_group": "vpc_service_controls", "score_category": "protect", "score_value": "significant", "comments": "VPC security perimeters can segment private resources to deny traffic based on organizational policy.", "references": ["https://cloud.google.com/security/products/security-operations", "https://cloud.google.com/chronicle/docs/secops/secops-overview", "https://github.com/chronicle/detection-rules"]}, {"capability_id": "cloud_ids", "capability_description": "Cloud IDS", "mapping_type": "technique_scores", "attack_object_id": "T1020", "attack_object_name": "Automated Exfiltration", "capability_group": "cloud_ids", "score_category": "detect", "score_value": "significant", "comments": "Cloud IDS spyware signatures are able to detect data exfiltration attempts over command and control communications, which is often used by adversaries to compromise sensitive data. 
Although there are ways an attacker could still exfiltrate data from a compromised system, this technique was scored as significant based on Cloud IDS's advanced threat detection technology which continually updates to detect against the latest known variations of these attacks.", "references": ["https://cloud.google.com/security/products/security-operations", "https://cloud.google.com/chronicle/docs/secops/secops-overview", "https://github.com/chronicle/detection-rules"]}, {"capability_id": "google_secops", "capability_description": "Google Security Operations", "mapping_type": "technique_scores", "attack_object_id": "T1020", "attack_object_name": "Automated Exfiltration", "capability_group": "google_secops", "score_category": "detect", "score_value": "minimal", "comments": "Google Security Ops is able to trigger an alert based off suspicious system processes, such as using bitsadmin to automatically exfiltrate data from Windows machines (e.g., \".*\\\\bitsadmin\\.exe\"). This mapping is scored as minimal based on low or uncertain detection coverage factor for this technique.\n\nhttps://github.com/chronicle/detection-rules/blob/main/soc_prime_rules/threat_hunting/windows/data_exfiltration_attempt_via_bitsadmin.yaral", "references": ["https://cloud.google.com/security/products/security-operations", "https://cloud.google.com/chronicle/docs/secops/secops-overview", "https://github.com/chronicle/detection-rules"]}, {"capability_id": "advanced_protection_program", "capability_description": "Advanced Protection Program", "mapping_type": "technique_scores", "attack_object_id": "T1021", "attack_object_name": "Remote Services", "capability_group": "advanced_protection_program", "score_category": "protect", "score_value": "significant", "comments": "Advanced Protection Program enables the use of a security key for multi-factor authentication. 
Implementing MFA on remote service logons prevents adversaries from using valid accounts to access those services.\n", "references": ["https://cloud.google.com/security/products/security-operations", "https://cloud.google.com/chronicle/docs/secops/secops-overview", "https://github.com/chronicle/detection-rules"]}, {"capability_id": "cloud_ngfw", "capability_description": "Cloud Next-Generation Firewall (NGFW)_", "mapping_type": "technique_scores", "attack_object_id": "T1021", "attack_object_name": "Remote Services", "capability_group": "cloud_ngfw", "score_category": "protect", "score_value": "partial", "comments": "Cloud NGFW can allow or deny traffic based on the traffic's protocol, destination ports, sources, and destinations. This functionality can be used to only allow remote services from trusted hosts (i.e., only allow remote access traffic from certain hosts). This mapping is given a score of Partial because even though it can restrict remote services traffic from untrusted hosts for most of the sub-techniques (5 of 6), it cannot protect against an adversary using a trusted host that is permitted to use remote services as part of an attack.", "references": ["https://cloud.google.com/firewalls"]}, {"capability_id": "google_secops", "capability_description": "Google Security Operations", "mapping_type": "technique_scores", "attack_object_id": "T1021", "attack_object_name": "Remote Services", "capability_group": "google_secops", "score_category": "detect", "score_value": "minimal", "comments": "Google Security Ops is able to detect an alert based on system events, such as remote service connections. 
This mapping was scored as minimal based on low or uncertain detection coverage factor of this technique.\n\nhttps://github.com/chronicle/detection-rules/tree/main/soc_prime_rules/threat_hunting/windows", "references": ["https://cloud.google.com/security/products/security-operations", "https://cloud.google.com/chronicle/docs/secops/secops-overview", "https://github.com/chronicle/detection-rules"]}, {"capability_id": "security_command_center", "capability_description": "Security Command Center", "mapping_type": "technique_scores", "attack_object_id": "T1021.002", "attack_object_name": "SMB/Windows Admin Shares", "capability_group": "security_command_center", "score_category": "detect", "score_value": "minimal", "related_score": "T1021", "comments": "Chronicle is able to trigger an alert for net use commands detected for SMB/Windows admin shares (e.g., \" net use.* (C|ADMIN|IPC)$\").\n\nThis technique was scored as minimal based on low or uncertain detection coverage factor.\n\nhttps://github.com/chronicle/detection-rules/blob/783e0e5947774785db1c55041b70176deeca6f46/soc_prime_rules/threat_hunting/windows/possible_system_network_connections_discovery__sysmon_windows_logs.yaral", "references": ["https://cloud.google.com/security/products/security-operations", "https://github.com/chronicle/detection-rules"]}, {"capability_id": "shielded_vm", "capability_description": "Shielded VM", "mapping_type": "technique_scores", "attack_object_id": "T1021.004", "attack_object_name": "SSH", "capability_group": "shielded_vm", "score_category": "detect", "score_value": "minimal", "related_score": "T1021", "comments": "Chronicle is able to trigger an alert based on accounts and authorized device access to a certain IP range (e.g., \"Attempted Lateral Movement via SSH metadata pivoting\").\n\nThis technique was scored as minimal based on low or uncertain detection coverage factor.\n\nhttps://github.com/chronicle/detection-rules/tree/main/gcp_cloudaudit", "references": 
["https://cloud.google.com/security/products/security-operations", "https://github.com/chronicle/detection-rules"]}, {"capability_id": "vpc_service_controls", "capability_description": "VPC Service Controls", "mapping_type": "technique_scores", "attack_object_id": "T1021.004", "attack_object_name": "SSH", "capability_group": "vpc_service_controls", "score_category": "detect", "score_value": "minimal", "related_score": "T1021", "comments": "This control can be used to detect adversaries that may try to use Valid Accounts to log into remote machines using Secure Shell (SSH).", "references": ["https://cloud.google.com/identity"]}, {"capability_id": "google_secops", "capability_description": "Google Security Operations", "mapping_type": "technique_scores", "attack_object_id": "T1027", "attack_object_name": "Obfuscated Files or Information", "capability_group": "google_secops", "score_category": "detect", "score_value": "minimal", "comments": "Google Security Ops is able to trigger an alert based off suspicious command line arguments or processes that indicate obfuscation techniques to evade cyber defenses. For example, when cmd.exe has been obfuscated. 
This mapping was scored as minimal based on low or uncertain detection coverage factor of the technique.\n\nhttps://github.com/chronicle/detection-rules/blob/783e0e5947774785db1c55041b70176deeca6f46/soc_prime_rules/threat_hunting/windows/detect_cmd_exe_obfuscation.yaral\n\nhttps://github.com/chronicle/detection-rules/blob/783e0e5947774785db1c55041b70176deeca6f46/soc_prime_rules/threat_hunting/windows/ursnif_trojan_detection__cmd_obfuscation.yaral", "references": ["https://cloud.google.com/security/products/security-operations", "https://cloud.google.com/chronicle/docs/secops/secops-overview", "https://github.com/chronicle/detection-rules"]}, {"capability_id": "google_secops", "capability_description": "Google Security Operations", "mapping_type": "technique_scores", "attack_object_id": "T1027.004", "attack_object_name": "Compile After Delivery", "capability_group": "google_secops", "score_category": "detect", "score_value": "minimal", "related_score": "T1027", "comments": "Google Security Ops can trigger an alert based on delivery of encrypted or encoded payloads with uncompiled code. 
This mapping was scored as minimal based on low detection coverage factor of the technique.\n\nhttps://github.com/chronicle/detection-rules/blob/783e0e5947774785db1c55041b70176deeca6f46/soc_prime_rules/threat_hunting/process_creation/suspicious_powershell_parameter_substring.yaral\n\nhttps://github.com/chronicle/detection-rules/blob/783e0e5947774785db1c55041b70176deeca6f46/soc_prime_rules/threat_hunting/process_creation/encoded_iex.yaral", "references": ["https://cloud.google.com/security/products/security-operations", "https://cloud.google.com/chronicle/docs/secops/secops-overview", "https://github.com/chronicle/detection-rules"]}, {"capability_id": "google_secops", "capability_description": "Google Security Operations", "mapping_type": "technique_scores", "attack_object_id": "T1033", "attack_object_name": "System Owner/User Discovery", "capability_group": "google_secops", "score_category": "detect", "score_value": "minimal", "comments": "Google Security Operations is able to trigger an alert based off command-line arguments that could indicate adversary's attempting to get information about system users (e.g., primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system).\n\nThis technique was scored as minimal based on low or uncertain detection coverage factor.\n\nhttps://github.com/chronicle/detection-rules/blob/783e0e5947774785db1c55041b70176deeca6f46/soc_prime_rules/threat_hunting/windows/possible_system_owner_user_discovery__sysmon_windows_logs.yaral", "references": ["https://cloud.google.com/security/products/security-operations", "https://cloud.google.com/chronicle/docs/secops/secops-overview", "https://github.com/chronicle/detection-rules"]}, {"capability_id": "google_secops", "capability_description": "Google Security Operations", "mapping_type": "technique_scores", "attack_object_id": "T1036", "attack_object_name": "Masquerading", "capability_group": "google_secops", "score_category": 
"detect", "score_value": "minimal", "comments": "Google Security Operations is able to trigger an alert based on Windows starting uncommon processes  (e.g., Detects Winword starting uncommon sub process MicroScMgmt.exe used for CVE-2015-1641).\n\nThis technique was scored as minimal based on low or uncertain detection coverage factor.\n\nhttps://github.com/chronicle/detection-rules/blob/783e0e5947774785db1c55041b70176deeca6f46/soc_prime_rules/proactive_exploit_detection/process_creation/exploit_for_cve_2015_1641.yaral", "references": ["https://cloud.google.com/security/products/security-operations", "https://cloud.google.com/chronicle/docs/secops/secops-overview", "https://github.com/chronicle/detection-rules"]}, {"capability_id": "binary_authorization", "capability_description": "Binary Authorization", "mapping_type": "technique_scores", "attack_object_id": "T1036.001", "attack_object_name": "Invalid Code Signature", "capability_group": "binary_authorization", "score_category": "protect", "score_value": "significant", "related_score": "T1036", "comments": "Each image has a signer digitally sign using a private key. 
At deploy time, the enforcer uses the attester's public key to verify the signature in the attestation.", "references": ["https://cloud.google.com/binary-authorization/docs/overview", "https://cloud.google.com/binary-authorization/docs/attestations"]}, {"capability_id": "google_secops", "capability_description": "Google Security Operations", "mapping_type": "technique_scores", "attack_object_id": "T1036.005", "attack_object_name": "Match Legitimate Name or Location", "capability_group": "google_secops", "score_category": "detect", "score_value": "minimal", "related_score": "T1036", "comments": "Google Security Operations can trigger an alert based on malware masquerading as legitimate process for example, Adobe's Acrobat Reader (e.g., re.regex($selection.target.process.file.full_path, `.*\\\\AcroRD32\\.exe).\n\nThis technique was scored as minimal based on low or uncertain detection coverage factor.\n\nhttps://github.com/chronicle/detection-rules/blob/783e0e5947774785db1c55041b70176deeca6f46/soc_prime_rules/ioc_sigma/sysmon/detects_malware_acrord32_exe_execution_process.yaral", "references": ["https://cloud.google.com/security/products/security-operations", "https://cloud.google.com/chronicle/docs/secops/secops-overview", "https://github.com/chronicle/detection-rules"]}, {"capability_id": "google_secops", "capability_description": "Google Security Operations", "mapping_type": "technique_scores", "attack_object_id": "T1037", "attack_object_name": "Boot or Logon Initialization Scripts", "capability_group": "google_secops", "score_category": "detect", "score_value": "minimal", "comments": "Google Security Ops is able to trigger an alert based on registry modifications related to custom logon scripts. 
(e.g., \"REGISTRY_CREATION\", \"REGISTRY_MODIFICATION\", \"HKCU|HKEY_CURRENT_USER\").\n\nThis technique was scored as minimal based on low or uncertain detection coverage factor.\n\nhttps://github.com/chronicle/detection-rules/blob/783e0e5947774785db1c55041b70176deeca6f46/mitre_attack/T1547_001_windows_registry_run_keys_startup_folder.yaral", "references": ["https://cloud.google.com/security/products/security-operations", "https://cloud.google.com/chronicle/docs/secops/secops-overview", "https://github.com/chronicle/detection-rules"]}, {"capability_id": "google_secops", "capability_description": "Google Security Operations", "mapping_type": "technique_scores", "attack_object_id": "T1037.003", "attack_object_name": "Network Logon Script", "capability_group": "google_secops", "score_category": "detect", "score_value": "minimal", "related_score": "T1037", "comments": "Google Security Ops triggers an alert based on suspicious connections (e.g., Netlogon connections).\n\nhttps://github.com/chronicle/detection-rules/blob/783e0e5947774785db1c55041b70176deeca6f46/soc_prime_rules/proactive_exploit_detection/system/vulnerable_netlogon_secure_channel_connection_allowed.yaral\n\nhttps://github.com/chronicle/detection-rules/blob/783e0e5947774785db1c55041b70176deeca6f46/soc_prime_rules/threat_hunting/sysmon/logon_scripts__userinitmprlogonscript.yaral", "references": ["https://cloud.google.com/security/products/security-operations", "https://cloud.google.com/chronicle/docs/secops/secops-overview", "https://github.com/chronicle/detection-rules"]}, {"capability_id": "backup_and_dr_actifiogo", "capability_description": "Backup and DR-Actifio GO", "mapping_type": "technique_scores", "attack_object_id": "T1040", "attack_object_name": "Network Sniffing", "capability_group": "backup_and_dr_actifiogo", "score_category": "protect", "score_value": "minimal", "comments": "Backup and DR-Actifio GO provides encryption in transit for data traveling between Actifio appliances and other 
systems during backup and recovery operations. Data is encrypted while it travels across the network, providing protection against Network Sniffing since adversaries would be unable to read encrypted traffic. However, this is only relevant when traffic is being backed up, which is a small amount of the time. This results in a score of Minimal.", "references": ["https://cloud.google.com/backup-disaster-recovery/docs/configuration/cbb", "https://cloud.google.com/backup-disaster-recovery"]}, {"capability_id": "certificate_authority_service", "capability_description": "Certificate Authority Service", "mapping_type": "technique_scores", "attack_object_id": "T1040", "attack_object_name": "Network Sniffing", "capability_group": "certificate_authority_service", "score_category": "protect", "score_value": "minimal", "comments": "This control may mitigate against Network Sniffing by providing certificates for internal endpoints and applications to use with asymmetric encryption. This control helps protect the issuing Certificate Authority with the use of Google's IAM and policy controls.", "references": ["https://cloud.google.com/certificate-authority-service/docs"]}, {"capability_id": "cloud_vpn", "capability_description": "Cloud VPN", "mapping_type": "technique_scores", "attack_object_id": "T1040", "attack_object_name": "Network Sniffing", "capability_group": "cloud_vpn", "score_category": "protect", "score_value": "significant", "comments": "Cloud VPN enables traffic traveling between the two networks, and it is encrypted by one VPN gateway and then decrypted by the other VPN gateway. This action protects users' data as it travels over the internet. This control may prevent adversaries from sniffing network traffic. 
", "references": ["https://cloud.google.com/network-connectivity/docs/vpn/concepts/overview"]}, {"capability_id": "secret_manager", "capability_description": "Secret Manager", "mapping_type": "technique_scores", "attack_object_id": "T1040", "attack_object_name": "Network Sniffing", "capability_group": "secret_manager", "score_category": "protect", "score_value": "minimal", "comments": "This control provides secure methods for accessing secrets and passwords. This can reduce the incidents of credentials and other authentication material being transmitted in clear-text or by insecure encryption methods. Any communication between applications or endpoints after access to Secret Manager may not be secure.", "references": ["https://cloud.google.com/secret-manager/docs/overview"]}, {"capability_id": "security_command_center", "capability_description": "Security Command Center", "mapping_type": "technique_scores", "attack_object_id": "T1040", "attack_object_name": "Network Sniffing", "capability_group": "security_command_center", "score_category": "protect", "score_value": "minimal", "comments": "Using Web Security Scanner, SCC is able to detect when passwords are transmitted in cleartext. Adversaries may use this traffic mirroring services to sniff traffic and intercept unencrypted credentials. This technique was graded as partial due to the low protect coverage when transmitting passwords in clear-text and there is more information that could be gathered during a network sniffing attacks. 
", "references": ["https://cloud.google.com/security-command-center/docs/concepts-security-command-center-overview", "https://github.com/GoogleCloudPlatform/security-analytics"]}, {"capability_id": "cloud_ids", "capability_description": "Cloud IDS", "mapping_type": "technique_scores", "attack_object_id": "T1041", "attack_object_name": "Exfiltration Over C2 Channel", "capability_group": "cloud_ids", "score_category": "detect", "score_value": "significant", "comments": "Often used by adversaries to compromise sensitive data, Palo Alto Network's spyware signatures is able to detect data exfiltration attempts and anomalies over known command and control communications.\n\nAlthough there are ways an attacker could still exfiltrate data from a compromised system, this technique was scored as significant based on  Palo Alto Network's advanced threat detection technology which constantly updates to detect against the latest known variations of these attacks.", "references": ["https://cloud.google.com/intrusion-detection-system", "https://docs.paloaltonetworks.com/pan-os/10-0/pan-os-admin/threat-prevention/threat-signatures"]}, {"capability_id": "cloud_ngfw", "capability_description": "Cloud Next-Generation Firewall (NGFW)_", "mapping_type": "technique_scores", "attack_object_id": "T1041", "attack_object_name": "Exfiltration Over C2 Channel", "capability_group": "cloud_ngfw", "score_category": "protect", "score_value": "partial", "comments": "Cloud NGFW can allow or deny traffic based on the traffic's protocol, destination ports, sources, and destinations. This functionality can be used to block adversaries from accessing resources from which to exfiltrate data as well as prevent resources from communicating with known-bad IP addresses and domains that might be used to receive exfiltrated data. 
This mapping is given a score of Partial because the known-bad IP addresses and domains would need to be known in advance.", "references": ["https://cloud.google.com/firewalls"]}, {"capability_id": "google_secops", "capability_description": "Google Security Operations", "mapping_type": "technique_scores", "attack_object_id": "T1041", "attack_object_name": "Exfiltration Over C2 Channel", "capability_group": "google_secops", "score_category": "detect", "score_value": "minimal", "comments": "Google Security Ops is able to trigger an alert based off suspicious system processes or command-line arguments that could indicate exfiltration of data over the C2 channel.\n\nThis technique was scored as minimal based on low or uncertain detection coverage factor.\n\nhttps://github.com/chronicle/detection-rules/blob/783e0e5947774785db1c55041b70176deeca6f46/soc_prime_rules/threat_hunting/sysmon/possible_data_exfiltration_via_smtp.yaral\n\nhttps://github.com/chronicle/detection-rules/blob/783e0e5947774785db1c55041b70176deeca6f46/soc_prime_rules/threat_hunting/windows/data_exfiltration_attempt_via_bitsadmin.yaral\n\n", "references": ["https://cloud.google.com/security/products/security-operations", "https://cloud.google.com/chronicle/docs/secops/secops-overview", "https://github.com/chronicle/detection-rules"]}, {"capability_id": "cloud_armor", "capability_description": "Cloud Armor", "mapping_type": "technique_scores", "attack_object_id": "T1046", "attack_object_name": "Network Service Discovery", "capability_group": "cloud_armor", "score_category": "protect", "score_value": "partial", "comments": "Cloud Armor filters external network traffic and therefore can be effective for preventing external network service scanning. 
Network service scanning originating from inside the trusted network is not mitigated.", "references": ["https://cloud.google.com/armor"]}, {"capability_id": "cloud_ngfw", "capability_description": "Cloud Next-Generation Firewall (NGFW)_", "mapping_type": "technique_scores", "attack_object_id": "T1046", "attack_object_name": "Network Service Discovery", "capability_group": "cloud_ngfw", "score_category": "protect", "score_value": "partial", "comments": "Cloud NGFW can allow or deny traffic based on the traffic's protocol, destination ports, sources, and destinations. This functionality can be used to restrict access to the endpoints within the virtual private cloud and protect against network service scanning. This mapping is given a score of Partial because it only protects against network service scanning attacks that originate from outside the firewall and not from within network protected by the firewall.", "references": ["https://cloud.google.com/firewalls"]}, {"capability_id": "vpc_service_controls", "capability_description": "VPC Service Controls", "mapping_type": "technique_scores", "attack_object_id": "T1046", "attack_object_name": "Network Service Discovery", "capability_group": "vpc_service_controls", "score_category": "protect", "score_value": "significant", "comments": "VPC security perimeters can limit the impact from active scanning and lateral movement techniques used to exploit the target environment.", "references": ["https://cloud.google.com/vpc-service-controls/docs"]}, {"capability_id": "chrome_enterprise_premium", "capability_description": "Chrome Enterprise Premium", "mapping_type": "technique_scores", "attack_object_id": "T1048", "attack_object_name": "Exfiltration Over Alternative Protocol", "capability_group": "chrome_enterprise_premium", "score_category": "protect", "score_value": "significant", "comments": "Chrome Enterprise Premium provides Data Loss Prevention (DLP) features that can detect and block sensitive data for files that are 
uploaded and downloaded and for content that is pasted or dragged and dropped via the Chrome browser. This can provide protection against adversaries that may try to steal data over network protocols.", "references": ["https://cloud.google.com/beyondcorp-enterprise/docs/overview"]}, {"capability_id": "cloud_ids", "capability_description": "Cloud IDS", "mapping_type": "technique_scores", "attack_object_id": "T1048", "attack_object_name": "Exfiltration Over Alternative Protocol", "capability_group": "cloud_ids", "score_category": "detect", "score_value": "significant", "comments": "Often used by adversaries to compromise sensitive data, Palo Alto Network's spyware signatures is able to detect data exfiltration attempts over command and control communications.\n\nAlthough there are ways an attacker could still exfiltrate data from a compromised system, this technique was scored as significant based on  Palo Alto Network's advanced threat detection technology which constantly updates to detect against the latest known variations of these attacks.", "references": ["https://cloud.google.com/intrusion-detection-system", "https://docs.paloaltonetworks.com/pan-os/10-0/pan-os-admin/threat-prevention/threat-signatures"]}, {"capability_id": "cloud_ngfw", "capability_description": "Cloud Next-Generation Firewall (NGFW)_", "mapping_type": "technique_scores", "attack_object_id": "T1048", "attack_object_name": "Exfiltration Over Alternative Protocol", "capability_group": "cloud_ngfw", "score_category": "protect", "score_value": "partial", "comments": "Cloud NGFW can allow or deny traffic based on the traffic's protocol, destination ports, sources, and destinations. This functionality can be used to block adversaries from accessing resources from which to exfiltrate data as well as prevent resources from communicating with known-bad IP addresses and domains that might be used to receive exfiltrated data. 
This mapping is given a score of Partial because the known-bad IP addresses and domains would need to be known in advance and AWS Network Firewall wouldn't have deep packet inspection visibility into encrypted non-C2 protocols.", "references": ["https://cloud.google.com/firewalls"]}, {"capability_id": "google_secops", "capability_description": "Google Security Operations", "mapping_type": "technique_scores", "attack_object_id": "T1048", "attack_object_name": "Exfiltration Over Alternative Protocol", "capability_group": "google_secops", "score_category": "detect", "score_value": "minimal", "comments": "Google Security Ops is able to trigger an alert based off suspicious system processes that could indicate exfiltration attempts using cURL from Windows machines (e.g., C:\\\\Windows\\\\System32\\\\curl.exe).\n\nThis technique was scored as minimal based on low or uncertain detection coverage factor.\n\nhttps://github.com/chronicle/detection-rules/blob/783e0e5947774785db1c55041b70176deeca6f46/soc_prime_rules/threat_hunting/windows/suspicious_curl_usage.yaral", "references": ["https://cloud.google.com/security/products/security-operations", "https://cloud.google.com/chronicle/docs/secops/secops-overview", "https://github.com/chronicle/detection-rules"]}, {"capability_id": "google_secops", "capability_description": "Google Security Operations", "mapping_type": "technique_scores", "attack_object_id": "T1049", "attack_object_name": "System Network Connections Discovery", "capability_group": "google_secops", "score_category": "detect", "score_value": "minimal", "comments": "Google Security Ops is able to trigger an alert based off command-line arguments that could indicate adversary's attempting to get information about network connections (e.g., \"net config\", \"net use\", \"net file\").\n\nThis technique was scored as minimal based on low or uncertain detection coverage 
factor.\n\nhttps://github.com/chronicle/detection-rules/blob/783e0e5947774785db1c55041b70176deeca6f46/soc_prime_rules/threat_hunting/windows/possible_system_network_connections_discovery__sysmon_windows_logs.yaral", "references": ["https://cloud.google.com/security/products/security-operations", "https://cloud.google.com/chronicle/docs/secops/secops-overview", "https://github.com/chronicle/detection-rules"]}, {"capability_id": "google_secops", "capability_description": "Google Security Operations", "mapping_type": "technique_scores", "attack_object_id": "T1052", "attack_object_name": "Exfiltration Over Physical Medium", "capability_group": "google_secops", "score_category": "detect", "score_value": "minimal", "comments": "Google Security Ops is able to trigger alerts based on system events, such as: USB device detected.\n\nThis technique was scored as minimal based on low or uncertain detection coverage factor.\n\nhttps://github.com/chronicle/detection-rules/blob/783e0e5947774785db1c55041b70176deeca6f46/info/usb_new_device.yaral\n\nhttps://github.com/chronicle/detection-rules/blob/783e0e5947774785db1c55041b70176deeca6f46/soc_prime_rules/threat_hunting/windows/usb_device_plugged.yaral", "references": ["https://cloud.google.com/security/products/security-operations", "https://cloud.google.com/chronicle/docs/secops/secops-overview", "https://github.com/chronicle/detection-rules"]}, {"capability_id": "cloud_endpoints", "capability_description": "Cloud Endpoints", "mapping_type": "technique_scores", "attack_object_id": "T1052.001", "attack_object_name": "Exfiltration over USB", "capability_group": "cloud_endpoints", "score_category": "protect", "score_value": "partial", "related_score": "T1052", "comments": "The Cloud Endpoints capability can prevent exfiltration over USB by disabling USB file transfers on enrolled devices through features like device control.", "references": ["https://cloud.google.com/endpoints/docs", 
"https://cloud.google.com/endpoints/docs/frameworks/python/migrating", "https://support.google.com/a/answer/1734200"]}, {"capability_id": "google_secops", "capability_description": "Google Security Operations", "mapping_type": "technique_scores", "attack_object_id": "T1052.001", "attack_object_name": "Exfiltration over USB", "capability_group": "google_secops", "score_category": "detect", "score_value": "minimal", "related_score": "T1052", "comments": "Google Security Ops is able to trigger an alert based on events, such as \"new USB device is connected to a system\".\n\nThis technique was scored as minimal based on low or uncertain detection coverage factor.\n\nhttps://github.com/chronicle/detection-rules/blob/783e0e5947774785db1c55041b70176deeca6f46/soc_prime_rules/threat_hunting/windows/usb_device_plugged.yaral\n", "references": ["https://cloud.google.com/security/products/security-operations", "https://cloud.google.com/chronicle/docs/secops/secops-overview", "https://github.com/chronicle/detection-rules"]}, {"capability_id": "google_secops", "capability_description": "Google Security Operations", "mapping_type": "technique_scores", "attack_object_id": "T1053", "attack_object_name": "Scheduled Task/Job", "capability_group": "google_secops", "score_category": "detect", "score_value": "minimal", "comments": "Google Security Ops is able to trigger an alert based on  suspicious modifications to the infrastructure, such as: new task scheduling to execute programs. 
\n\nThis technique was scored as minimal based on low or uncertain detection coverage factor.\n\nhttps://github.com/chronicle/detection-rules/blob/783e0e5947774785db1c55041b70176deeca6f46/soc_prime_rules/threat_hunting/sysmon/a_scheduled_task_was_created.yaral\n\nhttps://github.com/chronicle/detection-rules/blob/783e0e5947774785db1c55041b70176deeca6f46/mitre_attack/T1053_005_windows_creation_of_scheduled_task.yaral", "references": ["https://cloud.google.com/security/products/security-operations", "https://cloud.google.com/chronicle/docs/secops/secops-overview", "https://github.com/chronicle/detection-rules"]}, {"capability_id": "google_secops", "capability_description": "Google Security Operations", "mapping_type": "technique_scores", "attack_object_id": "T1053.005", "attack_object_name": "Scheduled Task", "capability_group": "google_secops", "score_category": "detect", "score_value": "minimal", "related_score": "T1053", "comments": "Google Security Ops is able to trigger an alert based on scheduled tasks using the command line (e.g., \"schtasks /create\"). \n\nThis technique was scored as minimal based on low or uncertain detection coverage factor.\n\nhttps://github.com/chronicle/detection-rules/blob/783e0e5947774785db1c55041b70176deeca6f46/mitre_attack/T1053_005_windows_creation_of_scheduled_task.yaral", "references": ["https://cloud.google.com/security/products/security-operations", "https://cloud.google.com/chronicle/docs/secops/secops-overview", "https://github.com/chronicle/detection-rules"]}, {"capability_id": "binary_authorization", "capability_description": "Binary Authorization", "mapping_type": "technique_scores", "attack_object_id": "T1053.007", "attack_object_name": "Container Orchestration Job", "capability_group": "binary_authorization", "score_category": "protect", "score_value": "significant", "related_score": "T1053", "comments": "Each image has a signer digitally sign using a private key. 
At deploy time, the enforcer uses the attester's public key to verify the signature in the attestation.", "references": ["https://cloud.google.com/binary-authorization/docs/overview", "https://cloud.google.com/binary-authorization/docs/attestations"]}, {"capability_id": "google_kubernetes_engine", "capability_description": "Google Kubernetes Engine", "mapping_type": "technique_scores", "attack_object_id": "T1053.007", "attack_object_name": "Container Orchestration Job", "capability_group": "google_kubernetes_engine", "score_category": "protect", "score_value": "partial", "related_score": "T1053", "comments": "GKE provides the ability to audit against a set of recommended benchmark [Center for Internet Security (CIS)]. This control may avoid privileged containers and running containers as root.", "references": ["https://cloud.google.com/kubernetes-engine/docs/concepts/access-control", "https://cloud.google.com/kubernetes-engine/docs/concepts/cis-benchmarks#how_to_audit_benchmarks"]}, {"capability_id": "google_secops", "capability_description": "Google Security Operations", "mapping_type": "technique_scores", "attack_object_id": "T1055", "attack_object_name": "Process Injection", "capability_group": "google_secops", "score_category": "detect", "score_value": "minimal", "comments": "Google Security Ops can trigger an alert based on suspicious running processes that could be used to evade defenses and escalate privileges. 
(e.g., directory traversal attempts via attachment downloads).\n\nThis technique was scored as minimal based on low or uncertain detection coverage factor.\n\nhttps://github.com/chronicle/detection-rules/blob/783e0e5947774785db1c55041b70176deeca6f46/soc_prime_rules/threat_hunting/process_creation/mavinject_process_injection.yaral", "references": ["https://cloud.google.com/security/products/security-operations", "https://cloud.google.com/chronicle/docs/secops/secops-overview", "https://github.com/chronicle/detection-rules"]}, {"capability_id": "cloud_ids", "capability_description": "Cloud IDS", "mapping_type": "technique_scores", "attack_object_id": "T1055.002", "attack_object_name": "Portable Executable Injection", "capability_group": "cloud_ids", "score_category": "detect", "score_value": "significant", "related_score": "T1055", "comments": "Palo Alto Networks' antivirus signatures are able to detect malware found in portable executables (PE), which adversaries often use to escalate privileges and run automatically on Windows systems.\n\nAlthough there are ways an attacker could avoid detection to deliver a malicious PE file, this technique was scored as significant based on Palo Alto Networks' advanced threat detection technology, which is constantly updated to detect the latest known variations of these attacks.", "references": ["https://cloud.google.com/intrusion-detection-system", "https://docs.paloaltonetworks.com/pan-os/10-0/pan-os-admin/threat-prevention/threat-signatures"]}, {"capability_id": "google_secops", "capability_description": "Google Security Operations", "mapping_type": "technique_scores", "attack_object_id": "T1056", "attack_object_name": "Input Capture", "capability_group": "google_secops", "score_category": "detect", "score_value": "minimal", "comments": "Google Security Ops is able to trigger an alert based on adversary methods of obtaining credentials or collecting information (e.g., web skimming attacks). 
\n\nThis technique was scored as minimal based on low or uncertain detection coverage factor.\n\nhttps://github.com/chronicle/detection-rules/blob/783e0e5947774785db1c55041b70176deeca6f46/soc_prime_rules/cloud_security/proxy/the_gocgle_malicious_campaign.yaral", "references": ["https://cloud.google.com/security/products/security-operations", "https://cloud.google.com/chronicle/docs/secops/secops-overview", "https://github.com/chronicle/detection-rules"]}, {"capability_id": "google_secops", "capability_description": "Google Security Operations", "mapping_type": "technique_scores", "attack_object_id": "T1056.003", "attack_object_name": "Web Portal Capture", "capability_group": "google_secops", "score_category": "detect", "score_value": "minimal", "related_score": "T1056", "comments": "Google Security Ops is able to trigger an alert based on adversary methods of obtaining credentials or collecting information (e.g., web skimming attacks). \n\nThis technique was scored as minimal based on low or uncertain detection coverage factor.\n\nhttps://github.com/chronicle/detection-rules/blob/783e0e5947774785db1c55041b70176deeca6f46/soc_prime_rules/cloud_security/proxy/the_gocgle_malicious_campaign.yaral", "references": ["https://cloud.google.com/security/products/security-operations", "https://cloud.google.com/chronicle/docs/secops/secops-overview", "https://github.com/chronicle/detection-rules"]}, {"capability_id": "google_secops", "capability_description": "Google Security Operations", "mapping_type": "technique_scores", "attack_object_id": "T1056.004", "attack_object_name": "Credential API Hooking", "capability_group": "google_secops", "score_category": "detect", "score_value": "minimal", "related_score": "T1056", "comments": "Google Security Ops is able to trigger an alert based on adversary methods of obtaining credentials or collecting information (e.g., web skimming attacks). 
\n\nThis technique was scored as minimal based on low or uncertain detection coverage factor.\n\nhttps://github.com/chronicle/detection-rules/blob/783e0e5947774785db1c55041b70176deeca6f46/soc_prime_rules/cloud_security/proxy/the_gocgle_malicious_campaign.yaral", "references": ["https://cloud.google.com/security/products/security-operations", "https://cloud.google.com/chronicle/docs/secops/secops-overview", "https://github.com/chronicle/detection-rules"]}, {"capability_id": "google_secops", "capability_description": "Google Security Operations", "mapping_type": "technique_scores", "attack_object_id": "T1057", "attack_object_name": "Process Discovery", "capability_group": "google_secops", "score_category": "detect", "score_value": "minimal", "comments": "Google Security Ops is able to trigger an alert based off command-line arguments that could indicate adversary's attempting to get information about running processes on Windows machines (e.g., \"tasklist.exe\", \"Get-Process.*\").\n\nThis technique was scored as minimal based on low or uncertain detection coverage factor.\n\nhttps://github.com/chronicle/detection-rules/blob/783e0e5947774785db1c55041b70176deeca6f46/soc_prime_rules/threat_hunting/windows/possible_process_enumeration__sysmon_windows_logs.yaral\n\nhttps://github.com/chronicle/detection-rules/blob/783e0e5947774785db1c55041b70176deeca6f46/soc_prime_rules/threat_hunting/sysmon/fake_zoom_installer_exe__devil_shadow_botnet.yaral", "references": ["https://cloud.google.com/security/products/security-operations", "https://cloud.google.com/chronicle/docs/secops/secops-overview", "https://github.com/chronicle/detection-rules"]}, {"capability_id": "google_secops", "capability_description": "Google Security Operations", "mapping_type": "technique_scores", "attack_object_id": "T1059", "attack_object_name": "Command and Scripting Interpreter", "capability_group": "google_secops", "score_category": "detect", "score_value": "minimal", "comments": "Google Security Ops 
is able to trigger an alert based on system events of interest, for example, decoding Windows payloads using \"certutil.exe\" functionality.\n\nThis technique was scored as minimal based on low or uncertain detection coverage factor.\n\nhttps://github.com/chronicle/detection-rules/blob/783e0e5947774785db1c55041b70176deeca6f46/soc_prime_rules/threat_hunting/process_creation/suspicious_certutil_command.yaral", "references": ["https://cloud.google.com/security/products/security-operations", "https://cloud.google.com/chronicle/docs/secops/secops-overview", "https://github.com/chronicle/detection-rules"]}, {"capability_id": "virus_total", "capability_description": "Virus Total", "mapping_type": "technique_scores", "attack_object_id": "T1059", "attack_object_name": "Command and Scripting Interpreter", "capability_group": "virus_total", "score_category": "protect", "score_value": "significant", "comments": "VirusTotal, now part of Google Cloud, provides threat context and reputation data to help analyze suspicious files, URLs, domains, and IP addresses to detect cybersecurity threats. 
", "references": ["https://cloud.google.com/architecture/automating-malware-scanning-for-documents-uploaded-to-cloud-storage", "https://cloud.google.com/chronicle/docs/investigation/view-virustotal-information", "https://assets.virustotal.com/vt-360-outcomes.pdf"]}, {"capability_id": "google_secops", "capability_description": "Google Security Operations", "mapping_type": "technique_scores", "attack_object_id": "T1059.003", "attack_object_name": "Windows Command Shell", "capability_group": "google_secops", "score_category": "detect", "score_value": "minimal", "related_score": "T1059", "comments": "Google Security Ops is able to trigger an alert based on suspicious behavior seen in the Windows command line.\n\nThis technique was scored as minimal based on low or uncertain detection coverage factor.\n\nhttps://github.com/chronicle/detection-rules/tree/main/soc_prime_rules/threat_hunting/windows\n\nhttps://github.com/chronicle/detection-rules/blob/783e0e5947774785db1c55041b70176deeca6f46/soc_prime_rules/threat_hunting/process_creation/suspicious_certutil_command.yaral", "references": ["https://cloud.google.com/security/products/security-operations", "https://cloud.google.com/chronicle/docs/secops/secops-overview", "https://github.com/chronicle/detection-rules"]}, {"capability_id": "security_command_center", "capability_description": "Security Command Center", "mapping_type": "technique_scores", "attack_object_id": "T1059.004", "attack_object_name": "Unix Shell", "capability_group": "security_command_center", "score_category": "detect", "score_value": "significant", "related_score": "T1059", "comments": "SCC uses machine learning [NLP techniques] to evaluate content of an executed bash script. This security solution protects against potentially malicious scripts that are used to execute commands in compromised systems. 
Because of the high threat detection coverage provided by the ML model and near-real time temporal factor this control was graded as significant.", "references": ["https://cloud.google.com/security-command-center/docs/concepts-security-command-center-overview", "https://github.com/GoogleCloudPlatform/security-analytics"]}, {"capability_id": "google_secops", "capability_description": "Google Security Operations", "mapping_type": "technique_scores", "attack_object_id": "T1059.007", "attack_object_name": "JavaScript", "capability_group": "google_secops", "score_category": "detect", "score_value": "minimal", "related_score": "T1059", "comments": "Google Security Ops triggers an alert based on webshell connections which are used to establish persistent access to a compromised machine [backdoor]. (e.g., `.*/config/keystore/.*\\.js.*).\n\nThis technique was scored as minimal based on low or uncertain detection coverage factor.\n\nhttps://github.com/chronicle/detection-rules/blob/783e0e5947774785db1c55041b70176deeca6f46/soc_prime_rules/proactive_exploit_detection/webserver/oracle_weblogic_exploit.yaral", "references": ["https://cloud.google.com/security/products/security-operations", "https://cloud.google.com/chronicle/docs/secops/secops-overview", "https://github.com/chronicle/detection-rules"]}, {"capability_id": "google_secops", "capability_description": "Google Security Operations", "mapping_type": "technique_scores", "attack_object_id": "T1068", "attack_object_name": "Exploitation for Privilege Escalation", "capability_group": "google_secops", "score_category": "detect", "score_value": "minimal", "comments": "Google Security Ops is able to trigger alert based on suspicious command line behavior that could indicate remote code exploitation attempts (e.g., detect exploits using child processes spawned by Windows DNS processes).\n\nThis technique was scored as minimal based on low or uncertain detection coverage 
factor.\n\nhttps://github.com/chronicle/detection-rules/blob/783e0e5947774785db1c55041b70176deeca6f46/soc_prime_rules/proactive_exploit_detection/process_creation/cve_2020_1350_dns_remote_code_exploit__sigred___via_cmdline.yaral", "references": ["https://cloud.google.com/security/products/security-operations", "https://cloud.google.com/chronicle/docs/secops/secops-overview", "https://github.com/chronicle/detection-rules"]}, {"capability_id": "policy_intelligence", "capability_description": "Policy Intelligence", "mapping_type": "technique_scores", "attack_object_id": "T1068", "attack_object_name": "Exploitation for Privilege Escalation", "capability_group": "policy_intelligence", "score_category": "protect", "score_value": "partial", "comments": "Policy Intelligence role recommendations generated by IAM Recommender help admins remove unwanted access to GCP resources by using machine learning to make smart access control recommendations. With Recommender, security teams can automatically detect overly permissive access and rightsize them based on similar users in the organization and their access patterns. This control may mitigate adversaries that try to perform privilege escalation via permission levels and software exploitation.", "references": ["https://cloud.google.com/policy-intelligence"]}, {"capability_id": "vm_manager", "capability_description": "VM Manager", "mapping_type": "technique_scores", "attack_object_id": "T1068", "attack_object_name": "Exploitation for Privilege Escalation", "capability_group": "vm_manager", "score_category": "protect", "score_value": "partial", "comments": "VM Manager can apply on-demand and scheduled patches via automated patch deployment. This can remediate OS and software vulnerabilities that could otherwise be exploited. 
Since VM Manager doesn't directly prevent exploitation of active vulnerabilities (including zero day vulnerabilities) this control has resulted in a score of Partial.", "references": ["https://cloud.google.com/compute/docs/vm-manager"]}, {"capability_id": "identity_and_access_management", "capability_description": "Identity and Access Management", "mapping_type": "technique_scores", "attack_object_id": "T1069", "attack_object_name": "Permission Groups Discovery", "capability_group": "identity_and_access_management", "score_category": "protect", "score_value": "minimal", "comments": "Group permissions and settings are inherited using the IAM roles that are specifically granted to that group by admins. This control provides protection against possible adversaries that may determine which user accounts and group memberships are available in cloud accounts. Received a score of Minimal because it only covers one of the sub-techniques.", "references": ["https://cloud.google.com/iam"]}, {"capability_id": "identity_and_access_management", "capability_description": "Identity and Access Management", "mapping_type": "technique_scores", "attack_object_id": "T1069.003", "attack_object_name": "Cloud Groups", "capability_group": "identity_and_access_management", "score_category": "protect", "score_value": "minimal", "related_score": "T1069", "comments": "Group permissions and settings are inherited using the IAM roles that are specifically granted to that group by admins. This control provides protection against possible adversaries that may determine which user accounts and group memberships are available in cloud accounts. 
Received a score of Minimal because it only covers one of the sub-techniques.", "references": ["https://cloud.google.com/iam"]}, {"capability_id": "google_secops", "capability_description": "Google Security Operations", "mapping_type": "technique_scores", "attack_object_id": "T1070", "attack_object_name": "Indicator Removal", "capability_group": "google_secops", "score_category": "detect", "score_value": "minimal", "comments": "Google Security Operations is able to trigger an alert when logs are cleared from the infrastructure.\n\nThis technique was scored as minimal based on low or uncertain detection coverage factor.\n\nhttps://github.com/chronicle/detection-rules/blob/main/gcp_cloudaudit/gcp_log_deletion.yaral", "references": ["https://cloud.google.com/security/products/security-operations", "https://cloud.google.com/chronicle/docs/secops/secops-overview", "https://github.com/chronicle/detection-rules"]}, {"capability_id": "security_command_center", "capability_description": "Security Command Center", "mapping_type": "technique_scores", "attack_object_id": "T1070", "attack_object_name": "Indicator Removal", "capability_group": "security_command_center", "score_category": "detect", "score_value": "significant", "comments": "SCC is able to detect when audit logging has been disabled for a resource. Adversaries may use this weakness to hide their activity and remove evidence of their presence (e.g., clear command history, clear logs, file deletion). 
This technique was graded as significant due to the high detect coverage and real-time temporal factor.", "references": ["https://cloud.google.com/security-command-center/docs/concepts-security-command-center-overview", "https://github.com/GoogleCloudPlatform/security-analytics"]}, {"capability_id": "google_secops", "capability_description": "Google Security Operations", "mapping_type": "technique_scores", "attack_object_id": "T1070.001", "attack_object_name": "Clear Windows Event Logs", "capability_group": "google_secops", "score_category": "detect", "score_value": "minimal", "related_score": "T1070", "comments": "Google Security Ops is able to trigger an alert based on suspicious system events used to evade defenses, such as deletion of Windows security event logs. \n\nThis technique was scored as minimal based on low or uncertain detection coverage factor.\n\nhttps://github.com/chronicle/detection-rules/blob/main/gcp_cloudaudit/gcp_log_deletion.yaral", "references": ["https://cloud.google.com/security/products/security-operations", "https://cloud.google.com/chronicle/docs/secops/secops-overview", "https://github.com/chronicle/detection-rules"]}, {"capability_id": "google_secops", "capability_description": "Google Security Operations", "mapping_type": "technique_scores", "attack_object_id": "T1070.002", "attack_object_name": "Clear Linux or Mac System Logs", "capability_group": "google_secops", "score_category": "detect", "score_value": "minimal", "related_score": "T1070", "comments": "Google Security Ops is able to trigger an alert based on system events, such as deletion of cloud audit logs. 
\n\nThis technique was scored as minimal based on low or uncertain detection coverage factor.\n\nhttps://github.com/chronicle/detection-rules/blob/main/gcp_cloudaudit/gcp_log_deletion.yaral", "references": ["https://cloud.google.com/security/products/security-operations", "https://cloud.google.com/chronicle/docs/secops/secops-overview", "https://github.com/chronicle/detection-rules"]}, {"capability_id": "google_secops", "capability_description": "Google Security Operations", "mapping_type": "technique_scores", "attack_object_id": "T1070.004", "attack_object_name": "File Deletion", "capability_group": "google_secops", "score_category": "detect", "score_value": "minimal", "related_score": "T1070", "comments": "Google Security Ops is able to trigger an alert based off system processes that indicate when backup catalogs are deleted from a windows machine. \n\nThis technique was scored as minimal based on low or uncertain detection coverage factor.\n\nhttps://github.com/chronicle/detection-rules/blob/783e0e5947774785db1c55041b70176deeca6f46/soc_prime_rules/threat_hunting/windows/backup_catalog_deleted.yaral", "references": ["https://cloud.google.com/security/products/security-operations", "https://cloud.google.com/chronicle/docs/secops/secops-overview", "https://github.com/chronicle/detection-rules"]}, {"capability_id": "google_secops", "capability_description": "Google Security Operations", "mapping_type": "technique_scores", "attack_object_id": "T1070.006", "attack_object_name": "Timestomp", "capability_group": "google_secops", "score_category": "detect", "score_value": "minimal", "related_score": "T1070", "comments": "Google Security Ops is able to trigger an alert based off modifications to file time attributes to hide changes to existing files on Windows machines.\n\nThis technique was scored as minimal based on low or uncertain detection coverage 
factor.\n\nhttps://github.com/chronicle/detection-rules/blob/783e0e5947774785db1c55041b70176deeca6f46/soc_prime_rules/threat_hunting/windows/file_creation_time_changed_via_powershell.yaral", "references": ["https://cloud.google.com/security/products/security-operations", "https://cloud.google.com/chronicle/docs/secops/secops-overview", "https://github.com/chronicle/detection-rules"]}, {"capability_id": "cloud_ngfw", "capability_description": "Cloud Next-Generation Firewall (NGFW)_", "mapping_type": "technique_scores", "attack_object_id": "T1071", "attack_object_name": "Application Layer Protocol", "capability_group": "cloud_ngfw", "score_category": "protect", "score_value": "significant", "comments": "Cloud NGFW can allow or deny traffic based on the traffic's protocol, destination ports, sources, and destinations. This functionality can be used to block malicious or unwanted traffic leveraging application layer protocols. Given this supports all sub-techniques, the mapping is given a score of Significant.", "references": ["https://cloud.google.com/firewalls"]}, {"capability_id": "google_secops", "capability_description": "Google Security Operations", "mapping_type": "technique_scores", "attack_object_id": "T1071", "attack_object_name": "Application Layer Protocol", "capability_group": "google_secops", "score_category": "detect", "score_value": "minimal", "comments": "Google Security Ops is able to trigger an alert based on suspicious modifications to the network infrastructure. 
\n\nThis technique was scored as minimal based on low or uncertain detection coverage factor.\n\nhttps://github.com/chronicle/detection-rules/tree/main/gcp_cloudaudit\n\nhttps://github.com/chronicle/detection-rules/blob/main/gcp_cloudaudit/gcp_vpc_network_changes.yaral", "references": ["https://cloud.google.com/security/products/security-operations", "https://cloud.google.com/chronicle/docs/secops/secops-overview", "https://github.com/chronicle/detection-rules"]}, {"capability_id": "chrome_enterprise_premium", "capability_description": "Chrome Enterprise Premium", "mapping_type": "technique_scores", "attack_object_id": "T1071.001", "attack_object_name": "Web Protocols", "capability_group": "chrome_enterprise_premium", "score_category": "detect", "score_value": "significant", "related_score": "T1071", "comments": "Chrome Enterprise Premium provides checks for sensitive data and protection from content that may contain malware. This also enables certain files to be sent for analysis, and in return the admin can then choose to allow or block uploads and downloads for those scanned and unscanned files. 
End users can also be prevented from accessing pages specified by a list of URL patterns.", "references": ["https://cloud.google.com/beyondcorp-enterprise/docs/overview"]}, {"capability_id": "google_secops", "capability_description": "Google Security Operations", "mapping_type": "technique_scores", "attack_object_id": "T1071.001", "attack_object_name": "Web Protocols", "capability_group": "google_secops", "score_category": "detect", "score_value": "minimal", "related_score": "T1071", "comments": "Google Security Ops is able to trigger an alert based on system events of interest, for example: detection of the Sunburst C2 channel used as backdoor access in the SolarWinds compromise.\n\nThis technique was scored as minimal based on low or uncertain detection coverage factor.\n\nhttps://github.com/chronicle/detection-rules/blob/783e0e5947774785db1c55041b70176deeca6f46/soc_prime_rules/ioc_sigma/dns/solarwinds_backdoor_c2_host_name_detected___via_dns.yaral", "references": ["https://cloud.google.com/security/products/security-operations", "https://cloud.google.com/chronicle/docs/secops/secops-overview", "https://github.com/chronicle/detection-rules"]}, {"capability_id": "security_command_center", "capability_description": "Security Command Center", "mapping_type": "technique_scores", "attack_object_id": "T1071.004", "attack_object_name": "DNS", "capability_group": "security_command_center", "score_category": "detect", "score_value": "significant", "related_score": "T1071", "comments": "SCC is able to ingest Cloud DNS logs and detect DNS queries that could indicate an active Log4j instance vulnerable to remote code execution. 
Because of the near-real time temporal factor for detection this control was graded as significant.", "references": ["https://cloud.google.com/security-command-center/docs/concepts-security-command-center-overview", "https://github.com/GoogleCloudPlatform/security-analytics"]}, {"capability_id": "artifact_analysis", "capability_description": "Artifact Analysis", "mapping_type": "technique_scores", "attack_object_id": "T1072", "attack_object_name": "Software Deployment Tools", "capability_group": "artifact_analysis", "score_category": "protect", "score_value": "minimal", "comments": "Artifact Analysis performs vulnerability scans on artifacts in Artifact Registry or Container Registry (deprecated). When Artifact Analysis is deployed, it can detect changes to stored system packages and container images.", "references": ["https://cloud.google.com/artifact-analysis/docs/artifact-analysis", "https://cloud.google.com/container-analysis/docs/container-scanning-overview", "https://cloud.google.com/container-registry/docs/container-analysis"]}, {"capability_id": "google_secops", "capability_description": "Google Security Operations", "mapping_type": "technique_scores", "attack_object_id": "T1072", "attack_object_name": "Software Deployment Tools", "capability_group": "google_secops", "score_category": "detect", "score_value": "minimal", "comments": "Google Security Ops is able to trigger alerts based off suspicious activity on a Linux host that could indicate a bind or reverse shell with the Netcat tool. Note: This rule requires installation of auditbeat on the host machine to properly function. 
\n\nThis technique was scored as minimal based on low or uncertain detection coverage factor.\n\nhttps://github.com/chronicle/detection-rules/blob/783e0e5947774785db1c55041b70176deeca6f46/soc_prime_rules/threat_hunting/linux/possible_bind_or_reverse_shell_via_netcat__auditbeat_for_linux.yaral", "references": ["https://cloud.google.com/security/products/security-operations", "https://cloud.google.com/chronicle/docs/secops/secops-overview", "https://github.com/chronicle/detection-rules"]}, {"capability_id": "vm_manager", "capability_description": "VM Manager", "mapping_type": "technique_scores", "attack_object_id": "T1072", "attack_object_name": "Software Deployment Tools", "capability_group": "vm_manager", "score_category": "protect", "score_value": "partial", "comments": "VM Manager can apply on-demand and scheduled patches via automated patch deployment. This can remediate OS and software vulnerabilities that could otherwise be exploited. Since VM Manager doesn't directly prevent exploitation of active vulnerabilities (including zero day vulnerabilities) this control has resulted in a score of Partial.", "references": ["https://cloud.google.com/compute/docs/vm-manager"]}, {"capability_id": "cloud_asset_inventory", "capability_description": "Cloud Asset Inventory", "mapping_type": "technique_scores", "attack_object_id": "T1078", "attack_object_name": "Valid Accounts", "capability_group": "cloud_asset_inventory", "score_category": "detect", "score_value": "partial", "comments": "This control may be able to detect when adversaries use valid cloud accounts to elevate privileges through manipulation of IAM or access policies. 
This monitoring can be fine tuned to specific assets, policies, and organizations.", "references": ["https://cloud.google.com/asset-inventory/docs/overview"]}, {"capability_id": "cloud_endpoints", "capability_description": "Cloud Endpoints", "mapping_type": "technique_scores", "attack_object_id": "T1078", "attack_object_name": "Valid Accounts", "capability_group": "cloud_endpoints", "score_category": "respond", "score_value": "partial", "comments": "The Cloud Endpoints capability provides support for multiple authentication methods, including API keys and Google ID tokens. Implementing multi-factor authentication (MFA) across account types, including local, domain, and cloud accounts, can prevent unauthorized access even if credentials are compromised.", "references": ["https://cloud.google.com/endpoints/docs", "https://cloud.google.com/endpoints/docs/frameworks/python/migrating", "https://support.google.com/a/answer/1734200"]}, {"capability_id": "cloud_identity", "capability_description": "Cloud Identity", "mapping_type": "technique_scores", "attack_object_id": "T1078", "attack_object_name": "Valid Accounts", "capability_group": "cloud_identity", "score_category": "protect", "score_value": "partial", "comments": "This control can be used to mitigate malicious attacks of cloud accounts by implementing multi-factor authentication techniques or password policies.", "references": ["https://cloud.google.com/identity"]}, {"capability_id": "gke_enterprise", "capability_description": "GKE Enterprise", "mapping_type": "technique_scores", "attack_object_id": "T1078", "attack_object_name": "Valid Accounts", "capability_group": "gke_enterprise", "score_category": "protect", "score_value": "partial", "comments": "GKE Enterprise incorporates the Anthos Config Management feature to create and manage Kubernetes objects across multiple clusters at once. PodSecurityPolicies can be enforced to prevent Pods from using the root Linux user. 
Based on the medium detection coverage, this was scored as partial.", "references": ["https://cloud.google.com/kubernetes-engine/enterprise/docs"]}, {"capability_id": "google_secops", "capability_description": "Google Security Operations", "mapping_type": "technique_scores", "attack_object_id": "T1078", "attack_object_name": "Valid Accounts", "capability_group": "google_secops", "score_category": "detect", "score_value": "minimal", "comments": "Google Security Ops is able to trigger an alert based on RDP logons from non-private IP ranges. \n\nThis technique was scored as minimal based on low or uncertain detection coverage factor.\n\nhttps://github.com/chronicle/detection-rules/blob/783e0e5947774785db1c55041b70176deeca6f46/soc_prime_rules/active_directory_security/security/remote_desktop_from_internet__via_audit.yaral", "references": ["https://cloud.google.com/security/products/security-operations", "https://cloud.google.com/chronicle/docs/secops/secops-overview", "https://github.com/chronicle/detection-rules"]}, {"capability_id": "identity_and_access_management", "capability_description": "Identity and Access Management", "mapping_type": "technique_scores", "attack_object_id": "T1078", "attack_object_name": "Valid Accounts", "capability_group": "identity_and_access_management", "score_category": "protect", "score_value": "partial", "comments": "This control may mitigate the impact of compromised valid accounts by enabling fine-grained access policies and implementing least-privilege policies. 
MFA can provide protection against an adversary that obtains valid credentials by requiring the adversary to complete an additional authentication process before access is permitted.", "references": ["https://cloud.google.com/iam"]}, {"capability_id": "identity_aware_proxy", "capability_description": "Identity Aware Proxy", "mapping_type": "technique_scores", "attack_object_id": "T1078", "attack_object_name": "Valid Accounts", "capability_group": "identity_aware_proxy", "score_category": "protect", "score_value": "partial", "comments": "IAP applies the relevant IAM policy to check if the user is authorized to access the requested resource. If the user has the IAP-secured Web App User role on the Cloud console project where the resource exists, they're authorized to access the application. This control can mitigate against adversaries that try to obtain credentials of accounts, including cloud accounts.", "references": ["https://cloud.google.com/iap"]}, {"capability_id": "identity_platform", "capability_description": "Identity Platform", "mapping_type": "technique_scores", "attack_object_id": "T1078", "attack_object_name": "Valid Accounts", "capability_group": "identity_platform", "score_category": "protect", "score_value": "partial", "comments": " Identity Platform lets you add Google-grade authentication to your apps and services, making it easier to secure user accounts and securely managing credentials. MFA can provide protection against an adversary that obtains valid credentials by requiring the adversary to complete an additional authentication process before access is permitted. 
", "references": ["https://cloud.google.com/identity-platform/docs/concepts"]}, {"capability_id": "policy_intelligence", "capability_description": "Policy Intelligence", "mapping_type": "technique_scores", "attack_object_id": "T1078", "attack_object_name": "Valid Accounts", "capability_group": "policy_intelligence", "score_category": "protect", "score_value": "partial", "comments": "Adversaries may obtain and abuse credentials of a cloud account as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Policy Intelligence role recommendations generated by IAM Recommender help enforce least privilege principles to ensure that permission levels are properly managed.", "references": ["https://cloud.google.com/policy-intelligence"]}, {"capability_id": "resource_manager", "capability_description": "Resource Manager", "mapping_type": "technique_scores", "attack_object_id": "T1078", "attack_object_name": "Valid Accounts", "capability_group": "resource_manager", "score_category": "protect", "score_value": "minimal", "comments": "Adversaries may attempt to obtain credentials of an existing account through privilege escalation or defense evasion. 
IAM audit logging in GCP can be used to determine roles and permissions, along with routinely checking user permissions to ensure only the expected users have the ability to list IAM identities or otherwise discover cloud accounts.", "references": ["https://cloud.google.com/resource-manager/docs/cloud-platform-resource-hierarchy"]}, {"capability_id": "vpc_service_controls", "capability_description": "VPC Service Controls", "mapping_type": "technique_scores", "attack_object_id": "T1078", "attack_object_name": "Valid Accounts", "capability_group": "vpc_service_controls", "score_category": "protect", "score_value": "significant", "comments": "This control is able to mitigate against abuse of compromised valid accounts by restricting access from those accounts to resources contained within the VPC perimeter the account belongs to. Resources and services contained in other VPC networks also cannot be accessed by user accounts that are not within the VPC network perimeter.", "references": ["https://cloud.google.com/vpc-service-controls/docs/overview"]}, {"capability_id": "gke_enterprise", "capability_description": "GKE Enterprise", "mapping_type": "technique_scores", "attack_object_id": "T1078.001", "attack_object_name": "Default Accounts", "capability_group": "gke_enterprise", "score_category": "protect", "score_value": "partial", "related_score": "T1078", "comments": "GKE Enterprise incorporates the Anthos Config Management feature to create and manage Kubernetes objects across multiple clusters at once. PodSecurityPolicies can be enforced to prevent Pods from using the root Linux user. 
Based on the medium detection coverage, this sub-technique was scored as partial.", "references": ["https://cloud.google.com/kubernetes-engine/enterprise/docs"]}, {"capability_id": "security_command_center", "capability_description": "Security Command Center", "mapping_type": "technique_scores", "attack_object_id": "T1078.001", "attack_object_name": "Default Accounts", "capability_group": "security_command_center", "score_category": "detect", "score_value": "significant", "related_score": "T1078", "comments": "SCC is able to detect when default service accounts are used. Adversaries may use this attack as a means to gain initial access, privilege escalation, or defense evasion. This subtechnique was graded as significant due to the high detect coverage and near-real time temporal factor.", "references": ["https://cloud.google.com/security-command-center/docs/concepts-security-command-center-overview", "https://github.com/GoogleCloudPlatform/security-analytics"]}, {"capability_id": "advanced_protection_program", "capability_description": "Advanced Protection Program", "mapping_type": "technique_scores", "attack_object_id": "T1078.002", "attack_object_name": "Domain Accounts", "capability_group": "advanced_protection_program", "score_category": "protect", "score_value": "significant", "related_score": "T1078", "comments": "Advanced Protection Program enables the use of a security key for multi-factor authentication. 
Integrating multi-factor authentication (MFA) as part of organizational policy can greatly reduce the risk of an adversary gaining control of valid credentials that may be used for additional tactics such as initial access, lateral movement, and collecting information.\n", "references": ["https://landing.google.com/advancedprotection/"]}, {"capability_id": "cloud_identity", "capability_description": "Cloud Identity", "mapping_type": "technique_scores", "attack_object_id": "T1078.002", "attack_object_name": "Domain Accounts", "capability_group": "cloud_identity", "score_category": "protect", "score_value": "partial", "related_score": "T1078", "comments": "This control can be used to mitigate malicious attacks of domain accounts by implementing multi-factor authentication techniques or password policies.", "references": ["https://cloud.google.com/identity"]}, {"capability_id": "identity_platform", "capability_description": "Identity Platform", "mapping_type": "technique_scores", "attack_object_id": "T1078.003", "attack_object_name": "Local Accounts", "capability_group": "identity_platform", "score_category": "protect", "score_value": "partial", "related_score": "T1078", "comments": " Identity Platform lets you add Google-grade authentication to your apps and services, making it easier to secure user accounts and securely managing credentials. MFA can provide protection against an adversary that obtains valid credentials by requiring the adversary to complete an additional authentication process before access is permitted. 
", "references": ["https://cloud.google.com/identity-platform/docs/concepts"]}, {"capability_id": "advanced_protection_program", "capability_description": "Advanced Protection Program", "mapping_type": "technique_scores", "attack_object_id": "T1078.004", "attack_object_name": "Cloud Accounts", "capability_group": "advanced_protection_program", "score_category": "protect", "score_value": "significant", "related_score": "T1078", "comments": "Advanced Protection Program enables the use of a security key for multi-factor authentication. Integrating multi-factor authentication (MFA) as part of organizational policy can greatly reduce the risk of an adversary gaining control of valid credentials that may be used for additional tactics such as initial access, lateral movement, and collecting information.\n", "references": ["https://landing.google.com/advancedprotection/"]}, {"capability_id": "cloud_asset_inventory", "capability_description": "Cloud Asset Inventory", "mapping_type": "technique_scores", "attack_object_id": "T1078.004", "attack_object_name": "Cloud Accounts", "capability_group": "cloud_asset_inventory", "score_category": "detect", "score_value": "partial", "related_score": "T1078", "comments": "This control may be able to detect when adversaries use valid cloud accounts to elevate privileges through manipulation of IAM or access policies. 
This monitoring can be fine tuned to specific assets, policies, and organizations.", "references": ["https://cloud.google.com/asset-inventory/docs/overview"]}, {"capability_id": "cloud_identity", "capability_description": "Cloud Identity", "mapping_type": "technique_scores", "attack_object_id": "T1078.004", "attack_object_name": "Cloud Accounts", "capability_group": "cloud_identity", "score_category": "protect", "score_value": "partial", "related_score": "T1078", "comments": "This control can be used to mitigate malicious attacks of cloud accounts by implementing multi-factor authentication techniques or password policies.", "references": ["https://cloud.google.com/identity"]}, {"capability_id": "gke_enterprise", "capability_description": "GKE Enterprise", "mapping_type": "technique_scores", "attack_object_id": "T1078.004", "attack_object_name": "Cloud Accounts", "capability_group": "gke_enterprise", "score_category": "protect", "score_value": "partial", "related_score": "T1078", "comments": "GKE Enterprise incorporates the Anthos Config Management feature to create and manage Kubernetes objects across multiple clusters at once. PodSecurityPolicies can be enforced to prevent Pods from using the root Linux user. Based on the medium detection coverage, this sub-technique was scored as partial.", "references": ["https://cloud.google.com/kubernetes-engine/enterprise/docs"]}, {"capability_id": "identity_and_access_management", "capability_description": "Identity and Access Management", "mapping_type": "technique_scores", "attack_object_id": "T1078.004", "attack_object_name": "Cloud Accounts", "capability_group": "identity_and_access_management", "score_category": "protect", "score_value": "partial", "related_score": "T1078", "comments": "This control protects against malicious use of cloud accounts and gaining access to them.   
This control may mitigate the impact of compromised valid accounts by enabling fine-grained access policies and implementing least-privilege policies. MFA can provide protection against an adversary that obtains valid credentials by requiring the adversary to complete an additional authentication process before access is permitted.", "references": ["https://cloud.google.com/iam"]}, {"capability_id": "identity_aware_proxy", "capability_description": "Identity Aware Proxy", "mapping_type": "technique_scores", "attack_object_id": "T1078.004", "attack_object_name": "Cloud Accounts", "capability_group": "identity_aware_proxy", "score_category": "protect", "score_value": "partial", "related_score": "T1078", "comments": "Protects access to applications hosted within cloud and other premises. ", "references": ["https://cloud.google.com/iap"]}, {"capability_id": "identity_platform", "capability_description": "Identity Platform", "mapping_type": "technique_scores", "attack_object_id": "T1078.004", "attack_object_name": "Cloud Accounts", "capability_group": "identity_platform", "score_category": "protect", "score_value": "partial", "related_score": "T1078", "comments": " Identity Platform lets you add Google-grade authentication to your apps and services, making it easier to secure user accounts and securely managing credentials. MFA can provide protection against an adversary that obtains valid credentials by requiring the adversary to complete an additional authentication process before access is permitted. 
", "references": ["https://cloud.google.com/identity-platform/docs/concepts"]}, {"capability_id": "policy_intelligence", "capability_description": "Policy Intelligence", "mapping_type": "technique_scores", "attack_object_id": "T1078.004", "attack_object_name": "Cloud Accounts", "capability_group": "policy_intelligence", "score_category": "protect", "score_value": "partial", "related_score": "T1078", "comments": "Adversaries may obtain and abuse credentials of a cloud account as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Policy Intelligence role recommendations generated by IAM Recommender help enforce least privilege principles to ensure that permission levels are properly managed.", "references": ["https://cloud.google.com/policy-intelligence"]}, {"capability_id": "recaptcha_enterprise", "capability_description": "ReCAPTCHA Enterprise", "mapping_type": "technique_scores", "attack_object_id": "T1078.004", "attack_object_name": "Cloud Accounts", "capability_group": "recaptcha_enterprise", "score_category": "protect", "score_value": "partial", "related_score": "T1078", "comments": "ReCAPTCHA Enterprise allows users to configure Multifactor Authentication (MFA) to verify a user's identity by sending a verification code by email or SMS (known as an MFA challenge). When ReCAPTCHA Enterprise assesses that user activity exceeds a predetermined threshold (set by the developer), it can trigger an MFA challenge to verify the user. 
This increases the likelihood that a compromised account will be prevented from impacting the system.\n\nSince ReCAPTCHA Enterprise does not require an MFA challenge for all user activity, it has been given a rating of Partial.\n", "references": ["https://cloud.google.com/recaptcha-enterprise"]}, {"capability_id": "resource_manager", "capability_description": "Resource Manager", "mapping_type": "technique_scores", "attack_object_id": "T1078.004", "attack_object_name": "Cloud Accounts", "capability_group": "resource_manager", "score_category": "protect", "score_value": "minimal", "related_score": "T1078", "comments": "Adversaries may attempt to obtain credentials of existing accounts through privilege escalation or defense evasion. IAM audit logging in GCP can be used to determine roles and permissions, along with routinely checking user permissions to ensure only the expected users have the ability to list IAM identities or otherwise discover cloud accounts.", "references": ["https://cloud.google.com/resource-manager/docs/cloud-platform-resource-hierarchy"]}, {"capability_id": "security_command_center", "capability_description": "Security Command Center", "mapping_type": "technique_scores", "attack_object_id": "T1078.004", "attack_object_name": "Cloud Accounts", "capability_group": "security_command_center", "score_category": "detect", "score_value": "significant", "related_score": "T1078", "comments": "SCC ingests Cloud Audit logs to detect when an external member is added to a privileged group with sensitive permissions or roles. This security solution protects against compromised cloud accounts used to maintain persistence and harvest sensitive data. 
Because detection of this attack occurs in near-real time, the control was graded as significant.", "references": ["https://cloud.google.com/security-command-center/docs/concepts-security-command-center-overview", "https://github.com/GoogleCloudPlatform/security-analytics"]}, {"capability_id": "google_secops", "capability_description": "Google Security Operations", "mapping_type": "technique_scores", "attack_object_id": "T1082", "attack_object_name": "System Information Discovery", "capability_group": "google_secops", "score_category": "detect", "score_value": "minimal", "comments": "Google Security Ops is able to trigger an alert based on suspicious network behavior seen in RAT malware, such as Netwire activity via WScript, or detect the use of wmic.exe to obtain specific system information.\n\nThis technique was scored as minimal based on low or uncertain detection coverage factor.\n\nhttps://github.com/chronicle/detection-rules/blob/783e0e5947774785db1c55041b70176deeca6f46/soc_prime_rules/threat_hunting/process_creation/detect_enumeration_via_wmi.yaral", "references": ["https://cloud.google.com/security/products/security-operations", "https://cloud.google.com/chronicle/docs/secops/secops-overview", "https://github.com/chronicle/detection-rules"]}, {"capability_id": "google_secops", "capability_description": "Google Security Operations", "mapping_type": "technique_scores", "attack_object_id": "T1087", "attack_object_name": "Account Discovery", "capability_group": "google_secops", "score_category": "detect", "score_value": "minimal", "comments": "Google Security Ops is able to trigger an alert based on command line arguments and suspicious system processes that could indicate an adversary's account discovery techniques.\n\nThis technique was scored as minimal based on low or uncertain detection coverage 
factor.\n\nhttps://github.com/chronicle/detection-rules/blob/783e0e5947774785db1c55041b70176deeca6f46/soc_prime_rules/threat_hunting/windows/account_discovery_activity_detector__sysmon_behavior.yaral", "references": ["https://cloud.google.com/security/products/security-operations", "https://cloud.google.com/chronicle/docs/secops/secops-overview", "https://github.com/chronicle/detection-rules"]}, {"capability_id": "identity_and_access_management", "capability_description": "Identity and Access Management", "mapping_type": "technique_scores", "attack_object_id": "T1087", "attack_object_name": "Account Discovery", "capability_group": "identity_and_access_management", "score_category": "protect", "score_value": "minimal", "comments": "This control protects against adversaries gaining access to accounts within a specific environment or determining which accounts exist to follow up with malicious behavior. The usage of GCP IAM enables admins to grant access to cloud resources at fine-grained levels, possibly preventing adversaries from gaining access to cloud accounts and making malicious use of them. This control receives a minimal score since it only covers one of the few sub-techniques.", "references": ["https://cloud.google.com/iam"]}, {"capability_id": "identity_platform", "capability_description": "Identity Platform", "mapping_type": "technique_scores", "attack_object_id": "T1087", "attack_object_name": "Account Discovery", "capability_group": "identity_platform", "score_category": "protect", "score_value": "partial", "comments": "Identity Platform is a customer identity and access management (CIAM) platform that helps organizations add identity and access management functionality to their applications, protect user accounts, and scale with confidence on Google Cloud. 
With this, permissions are limited to discover cloud accounts in accordance with least privilege and adversaries may be prevented from getting access to a listing of domain accounts.", "references": ["https://cloud.google.com/identity-platform/docs/concepts"]}, {"capability_id": "policy_intelligence", "capability_description": "Policy Intelligence", "mapping_type": "technique_scores", "attack_object_id": "T1087", "attack_object_name": "Account Discovery", "capability_group": "policy_intelligence", "score_category": "protect", "score_value": "partial", "comments": "This control can be used to limit permissions to discover user accounts in accordance with least privilege principles and thereby limits the accounts that can be used for account discovery.", "references": ["https://cloud.google.com/policy-intelligence"]}, {"capability_id": "resource_manager", "capability_description": "Resource Manager", "mapping_type": "technique_scores", "attack_object_id": "T1087", "attack_object_name": "Account Discovery", "capability_group": "resource_manager", "score_category": "detect", "score_value": "minimal", "comments": "Adversaries may attempt to get a listing of cloud accounts that are created and configured by an organization or admin. 
IAM audit logging in GCP can be used to determine roles and permissions, along with routinely checking user permissions to ensure only the expected users have the ability to list IAM identities or otherwise discover cloud accounts.", "references": ["https://cloud.google.com/resource-manager/docs/cloud-platform-resource-hierarchy"]}, {"capability_id": "identity_platform", "capability_description": "Identity Platform", "mapping_type": "technique_scores", "attack_object_id": "T1087.002", "attack_object_name": "Domain Account", "capability_group": "identity_platform", "score_category": "protect", "score_value": "partial", "related_score": "T1087", "comments": "Identity Platform is a customer identity and access management (CIAM) platform that helps organizations add identity and access management functionality to their applications, protect user accounts, and scale with confidence on Google Cloud. With this, permissions are limited to discover cloud accounts in accordance with least privilege and adversaries may be prevented from getting access to a listing of domain accounts.", "references": ["https://cloud.google.com/identity-platform/docs/concepts"]}, {"capability_id": "google_secops", "capability_description": "Google Security Operations", "mapping_type": "technique_scores", "attack_object_id": "T1087.004", "attack_object_name": "Cloud Account", "capability_group": "google_secops", "score_category": "detect", "score_value": "minimal", "related_score": "T1087", "comments": "Google Security Ops is able to trigger an alert based on command line arguments and suspicious system processes that could indicate an adversary's account discovery techniques (e.g., \"net user /domain\", \"C:\\\\Windows\\\\System32\\\\net.exe\", \"C:\\\\Windows\\\\System32\\\\query.exe\").\n\nThis technique was scored as minimal based on low or uncertain detection coverage 
factor.\n\nhttps://github.com/chronicle/detection-rules/blob/783e0e5947774785db1c55041b70176deeca6f46/soc_prime_rules/threat_hunting/windows/account_discovery_activity_detector__sysmon_behavior.yaral", "references": ["https://cloud.google.com/security/products/security-operations", "https://cloud.google.com/chronicle/docs/secops/secops-overview", "https://github.com/chronicle/detection-rules"]}, {"capability_id": "identity_and_access_management", "capability_description": "Identity and Access Management", "mapping_type": "technique_scores", "attack_object_id": "T1087.004", "attack_object_name": "Cloud Account", "capability_group": "identity_and_access_management", "score_category": "protect", "score_value": "partial", "related_score": "T1087", "comments": "This control can be used to implement the least-privilege principle for account management and thereby limit the accounts that can be used for account discovery. This control receives a minimal score since it only covers one of the few sub-techniques.", "references": ["https://cloud.google.com/iam"]}, {"capability_id": "identity_platform", "capability_description": "Identity Platform", "mapping_type": "technique_scores", "attack_object_id": "T1087.004", "attack_object_name": "Cloud Account", "capability_group": "identity_platform", "score_category": "protect", "score_value": "partial", "related_score": "T1087", "comments": "Identity Platform is a customer identity and access management (CIAM) platform that helps organizations add identity and access management functionality to their applications, protect user accounts, and scale with confidence on Google Cloud. 
With this, permissions are limited to discover cloud accounts in accordance with least privilege and adversaries may be prevented from getting access to a listing of cloud accounts.", "references": ["https://cloud.google.com/identity-platform/docs/concepts"]}, {"capability_id": "policy_intelligence", "capability_description": "Policy Intelligence", "mapping_type": "technique_scores", "attack_object_id": "T1087.004", "attack_object_name": "Cloud Account", "capability_group": "policy_intelligence", "score_category": "protect", "score_value": "partial", "related_score": "T1087", "comments": "This control can be used to limit permissions to discover cloud accounts in accordance with least privilege principles and thereby limits the accounts that can be used for account discovery.", "references": ["https://cloud.google.com/policy-intelligence"]}, {"capability_id": "resource_manager", "capability_description": "Resource Manager", "mapping_type": "technique_scores", "attack_object_id": "T1087.004", "attack_object_name": "Cloud Account", "capability_group": "resource_manager", "score_category": "protect", "score_value": "minimal", "related_score": "T1087", "comments": "This control may mitigate adversaries that attempt to get a listing of cloud accounts, such as use of calls to cloud APIs that perform account discovery.", "references": ["https://cloud.google.com/resource-manager/docs/cloud-platform-resource-hierarchy"]}, {"capability_id": "resource_manager", "capability_description": "Resource Manager", "mapping_type": "technique_scores", "attack_object_id": "T1087.004", "attack_object_name": "Cloud Account", "capability_group": "resource_manager", "score_category": "detect", "score_value": "minimal", "related_score": "T1087", "comments": "Adversaries may attempt to get a listing of cloud accounts that are created and configured by an organization or admin. 
IAM audit logging in GCP can be used to determine roles and permissions, along with routinely checking user permissions to ensure only the expected users have the ability to list IAM identities or otherwise discover cloud accounts.", "references": ["https://cloud.google.com/resource-manager/docs/cloud-platform-resource-hierarchy"]}, {"capability_id": "cloud_armor", "capability_description": "Cloud Armor", "mapping_type": "technique_scores", "attack_object_id": "T1090", "attack_object_name": "Proxy", "capability_group": "cloud_armor", "score_category": "protect", "score_value": "partial", "comments": "Traffic to known anonymity networks and C2 infrastructure can be blocked through the use of Cloud Armor network allow and block lists. However this can be circumvented by other techniques.", "references": ["https://cloud.google.com/armor"]}, {"capability_id": "cloud_ngfw", "capability_description": "Cloud Next-Generation Firewall (NGFW)_", "mapping_type": "technique_scores", "attack_object_id": "T1090", "attack_object_name": "Proxy", "capability_group": "cloud_ngfw", "score_category": "protect", "score_value": "partial", "comments": "Cloud NGFW can allow or deny traffic based on the traffic's protocol, destination ports, sources, and destinations. This functionality can be used to block traffic from known bad IP addresses and to known bad domains that serve as proxies for adversaries. 
This mapping is given a score of partial because it only supports a subset of the sub-techniques (2 of 4) and because it only blocks known bad IP addresses and domains and does not protect against unknown ones.", "references": ["https://cloud.google.com/firewalls"]}, {"capability_id": "cloud_ngfw", "capability_description": "Cloud Next-Generation Firewall (NGFW)_", "mapping_type": "technique_scores", "attack_object_id": "T1095", "attack_object_name": "Non-Application Layer Protocol", "capability_group": "cloud_ngfw", "score_category": "protect", "score_value": "significant", "comments": "Cloud NGFW can allow or deny traffic based on the traffic's protocol, destination ports, sources, and destinations. This functionality can be used to block malicious or unwanted traffic leveraging non-application layer protocols. Given this, the mapping is given a score of Significant.", "references": ["https://cloud.google.com/firewalls"]}, {"capability_id": "advanced_protection_program", "capability_description": "Advanced Protection Program", "mapping_type": "technique_scores", "attack_object_id": "T1098", "attack_object_name": "Account Manipulation", "capability_group": "advanced_protection_program", "score_category": "protect", "score_value": "significant", "comments": "Advanced Protection Program enables the use of a security key for multi-factor authentication. 
This provides significant protection against unauthorized users from accessing and manipulating accounts to retain access.", "references": ["https://landing.google.com/advancedprotection/"]}, {"capability_id": "cloud_asset_inventory", "capability_description": "Cloud Asset Inventory", "mapping_type": "technique_scores", "attack_object_id": "T1098", "attack_object_name": "Account Manipulation", "capability_group": "cloud_asset_inventory", "score_category": "detect", "score_value": "partial", "comments": "This control may be able to detect when adversaries use cloud accounts to elevate privileges through manipulation of IAM or access policies. This monitoring can be fine tuned to specific assets, policies, and organizations.", "references": ["https://cloud.google.com/asset-inventory/docs/overview"]}, {"capability_id": "google_secops", "capability_description": "Google Security Operations", "mapping_type": "technique_scores", "attack_object_id": "T1098", "attack_object_name": "Account Manipulation", "capability_group": "google_secops", "score_category": "detect", "score_value": "minimal", "comments": "Google Security Ops is able to trigger an alert to ensure multi-factor authentication is enabled for all non-service and administrator accounts.\n\nThis technique was scored as minimal based on low or uncertain detection coverage factor.\n\nhttps://github.com/chronicle/detection-rules/blob/main/gcp_cloudaudit/gcp_multifactor_authentication.yaral", "references": ["https://cloud.google.com/security/products/security-operations", "https://cloud.google.com/chronicle/docs/secops/secops-overview", "https://github.com/chronicle/detection-rules"]}, {"capability_id": "identity_and_access_management", "capability_description": "Identity and Access Management", "mapping_type": "technique_scores", "attack_object_id": "T1098", "attack_object_name": "Account Manipulation", "capability_group": "identity_and_access_management", "score_category": "protect", "score_value": "partial", 
"comments": "Privileged roles and permissions can be granted to entire groups of users by default, and admins can control unwanted access by utilizing machine learning to recommend smart access control permissions within an organization. This control can  help mitigate adversaries from gaining access to unwanted account.", "references": ["https://cloud.google.com/iam"]}, {"capability_id": "identity_platform", "capability_description": "Identity Platform", "mapping_type": "technique_scores", "attack_object_id": "T1098", "attack_object_name": "Account Manipulation", "capability_group": "identity_platform", "score_category": "protect", "score_value": "significant", "comments": "Identity Platform can help protect your app's users and prevent account takeovers by offering multi-factor authentication (MFA) and integrating with Google's intelligence for account protection. This will help mitigate adversaries from gaining access to permission levels.", "references": ["https://cloud.google.com/identity-platform/docs/concepts"]}, {"capability_id": "policy_intelligence", "capability_description": "Policy Intelligence", "mapping_type": "technique_scores", "attack_object_id": "T1098", "attack_object_name": "Account Manipulation", "capability_group": "policy_intelligence", "score_category": "protect", "score_value": "partial", "comments": "Utilization and enforcement of MFA for user accounts to ensure that IAM policies are implemented properly shall mitigate adversaries so that they may not gain access to user accounts. 
Enforce the principle of least privilege by ensuring that principals have only the permissions that they actually need.", "references": ["https://cloud.google.com/policy-intelligence"]}, {"capability_id": "resource_manager", "capability_description": "Resource Manager", "mapping_type": "technique_scores", "attack_object_id": "T1098", "attack_object_name": "Account Manipulation", "capability_group": "resource_manager", "score_category": "protect", "score_value": "minimal", "comments": "GCP offers Identity and Access Management (IAM), which lets admins give more granular access to specific Google Cloud resources and prevents unwanted access to other resources. This allows configuration of access controls and firewalls to limit access to critical systems and domain controllers.", "references": ["https://cloud.google.com/resource-manager/docs/cloud-platform-resource-hierarchy"]}, {"capability_id": "vpc_service_controls", "capability_description": "VPC Service Controls", "mapping_type": "technique_scores", "attack_object_id": "T1098", "attack_object_name": "Account Manipulation", "capability_group": "vpc_service_controls", "score_category": "protect", "score_value": "significant", "comments": "VPC further segments the environment by providing configurable granular access controls which help limit user communications to critical systems.", "references": ["https://cloud.google.com/vpc-service-controls/docs"]}, {"capability_id": "cloud_asset_inventory", "capability_description": "Cloud Asset Inventory", "mapping_type": "technique_scores", "attack_object_id": "T1098.001", "attack_object_name": "Additional Cloud Credentials", "capability_group": "cloud_asset_inventory", "score_category": "detect", "score_value": "partial", "related_score": "T1098", "comments": "This control may be able to detect when adversaries use cloud accounts to elevate privileges through manipulation of IAM or access policies for the creation of additional accounts. 
This monitoring can be fine tuned to specific assets, policies, and organizations.", "references": ["https://cloud.google.com/asset-inventory/docs/overview"]}, {"capability_id": "google_secops", "capability_description": "Google Security Operations", "mapping_type": "technique_scores", "attack_object_id": "T1098.001", "attack_object_name": "Additional Cloud Credentials", "capability_group": "google_secops", "score_category": "detect", "score_value": "minimal", "related_score": "T1098", "comments": "Google Security Ops is able to trigger an alert based on changes to Cloud Storage IAM permissions.\n\nThis technique was scored as minimal based on low or uncertain detection coverage factor.\n\nhttps://github.com/chronicle/detection-rules/blob/main/gcp_cloudaudit/gcp_gcs_iam_changes.yaral", "references": ["https://cloud.google.com/security/products/security-operations", "https://cloud.google.com/chronicle/docs/secops/secops-overview", "https://github.com/chronicle/detection-rules"]}, {"capability_id": "identity_and_access_management", "capability_description": "Identity and Access Management", "mapping_type": "technique_scores", "attack_object_id": "T1098.001", "attack_object_name": "Additional Cloud Credentials", "capability_group": "identity_and_access_management", "score_category": "protect", "score_value": "partial", "related_score": "T1098", "comments": "Privileged roles and permissions can be granted to entire groups of users by default, and admins can control unwanted access by utilizing machine learning to recommend smart access control permissions within an organization. 
This control can help prevent adversaries from gaining unwanted access to accounts.", "references": ["https://cloud.google.com/iam"]}, {"capability_id": "identity_aware_proxy", "capability_description": "Identity Aware Proxy", "mapping_type": "technique_scores", "attack_object_id": "T1098.001", "attack_object_name": "Additional Cloud Credentials", "capability_group": "identity_aware_proxy", "score_category": "detect", "score_value": "minimal", "related_score": "T1098", "comments": "Adversaries may add adversary-controlled credentials to a cloud account to maintain persistent access to victim accounts and instances within the environment. IAP lets you enforce access control policies for applications and resources. This control may help mitigate adversaries gaining access through a cloud account by configuring access controls and firewalls that limit access to systems.", "references": ["https://cloud.google.com/iap"]}, {"capability_id": "identity_platform", "capability_description": "Identity Platform", "mapping_type": "technique_scores", "attack_object_id": "T1098.001", "attack_object_name": "Additional Cloud Credentials", "capability_group": "identity_platform", "score_category": "protect", "score_value": "significant", "related_score": "T1098", "comments": "Identity Platform can help protect your app's users and prevent account takeovers by offering multi-factor authentication (MFA) and integrating with Google's intelligence for account protection. 
This will help mitigate adversaries from gaining access to permission levels.", "references": ["https://cloud.google.com/identity-platform/docs/concepts"]}, {"capability_id": "policy_intelligence", "capability_description": "Policy Intelligence", "mapping_type": "technique_scores", "attack_object_id": "T1098.001", "attack_object_name": "Additional Cloud Credentials", "capability_group": "policy_intelligence", "score_category": "protect", "score_value": "partial", "related_score": "T1098", "comments": "Utilization and enforcement of MFA for user accounts to ensure that IAM policies are implemented properly shall mitigate adversaries so that they may not gain access to user accounts. Enforce the principle of least privilege by ensuring that principals have only the permissions that they actually need.", "references": ["https://cloud.google.com/policy-intelligence"]}, {"capability_id": "resource_manager", "capability_description": "Resource Manager", "mapping_type": "technique_scores", "attack_object_id": "T1098.001", "attack_object_name": "Additional Cloud Credentials", "capability_group": "resource_manager", "score_category": "protect", "score_value": "minimal", "related_score": "T1098", "comments": "GCP offers Identity and Access Management (IAM), which lets admins give more granular access to specific Google Cloud resources and prevents unwanted access to other resources. 
This allows configuration of access controls and firewalls to limit access to critical systems and domain controllers.", "references": ["https://cloud.google.com/resource-manager/docs/cloud-platform-resource-hierarchy"]}, {"capability_id": "security_command_center", "capability_description": "Security Command Center", "mapping_type": "technique_scores", "attack_object_id": "T1098.001", "attack_object_name": "Additional Cloud Credentials", "capability_group": "security_command_center", "score_category": "detect", "score_value": "significant", "related_score": "T1098", "comments": "SCC ingests Cloud Audit logs to detect when permissions are changed in a privileged group (i.e., modify group to public) with sensitive permissions or roles. This security solution protects against compromised cloud accounts used to maintain persistence. Because of the near-real time temporal factor to detect against this cyber-attack the control was graded as significant.", "references": ["https://cloud.google.com/security-command-center/docs/concepts-security-command-center-overview", "https://github.com/GoogleCloudPlatform/security-analytics"]}, {"capability_id": "vpc_service_controls", "capability_description": "VPC Service Controls", "mapping_type": "technique_scores", "attack_object_id": "T1098.001", "attack_object_name": "Additional Cloud Credentials", "capability_group": "vpc_service_controls", "score_category": "protect", "score_value": "partial", "related_score": "T1098", "comments": "VPC further segments the environment by providing configurable granular access controls which help limit user permissions to communicate with critical systems.", "references": ["https://cloud.google.com/vpc-service-controls/docs"]}, {"capability_id": "identity_platform", "capability_description": "Identity Platform", "mapping_type": "technique_scores", "attack_object_id": "T1098.002", "attack_object_name": "Additional Email Delegate Permissions", "capability_group": "identity_platform", 
"score_category": "protect", "score_value": "significant", "related_score": "T1098", "comments": "Identity Platform can help protect your app's users and prevent account takeovers by offering multi-factor authentication (MFA) and integrating with Google's intelligence for account protection. This will help mitigate adversaries from gaining access to permission levels.", "references": ["https://cloud.google.com/identity-platform/docs/concepts"]}, {"capability_id": "identity_platform", "capability_description": "Identity Platform", "mapping_type": "technique_scores", "attack_object_id": "T1098.003", "attack_object_name": "Additional Cloud Roles", "capability_group": "identity_platform", "score_category": "protect", "score_value": "significant", "related_score": "T1098", "comments": "Identity Platform can help protect your app's users and prevent account takeovers by offering multi-factor authentication (MFA) and integrating with Google's intelligence for account protection. This will help mitigate adversaries from gaining access to permission levels.", "references": ["https://cloud.google.com/identity-platform/docs/concepts"]}, {"capability_id": "identity_platform", "capability_description": "Identity Platform", "mapping_type": "technique_scores", "attack_object_id": "T1098.004", "attack_object_name": "SSH Authorized Keys", "capability_group": "identity_platform", "score_category": "protect", "score_value": "significant", "related_score": "T1098", "comments": "Identity Platform can help protect your app's users and prevent account takeovers by offering multi-factor authentication (MFA) and integrating with Google's intelligence for account protection. 
This will help mitigate adversaries from gaining access to permission levels via files.", "references": ["https://cloud.google.com/identity-platform/docs/concepts"]}, {"capability_id": "cloud_ngfw", "capability_description": "Cloud Next-Generation Firewall (NGFW)_", "mapping_type": "technique_scores", "attack_object_id": "T1104", "attack_object_name": "Multi-Stage Channels", "capability_group": "cloud_ngfw", "score_category": "protect", "score_value": "partial", "comments": "Cloud NGFW can allow or deny traffic based on the traffic's protocol, destination ports, sources, and destinations. This functionality can be used to block communication with known command and control channels by filtering based on known bad IP addresses and domains. This mapping is given a score of Partial because it only protects against known channels and not channels yet to be identified.", "references": ["https://cloud.google.com/firewalls"]}, {"capability_id": "google_secops", "capability_description": "Google Security Operations", "mapping_type": "technique_scores", "attack_object_id": "T1105", "attack_object_name": "Ingress Tool Transfer", "capability_group": "google_secops", "score_category": "detect", "score_value": "minimal", "comments": "Google Security Ops is able to trigger an alert based off suspicious system processes that could indicate tool transfer attempts using cURL from Windows machines (e.g., C:\\\\Windows\\\\System32\\\\curl.exe).\n\nThis technique was scored as minimal based on low or uncertain detection coverage factor.\n\nhttps://github.com/chronicle/detection-rules/blob/783e0e5947774785db1c55041b70176deeca6f46/soc_prime_rules/threat_hunting/windows/suspicious_curl_usage.yaral", "references": ["https://cloud.google.com/security/products/security-operations", "https://cloud.google.com/chronicle/docs/secops/secops-overview", "https://github.com/chronicle/detection-rules"]}, {"capability_id": "security_command_center", "capability_description": "Security Command Center", 
"mapping_type": "technique_scores", "attack_object_id": "T1105", "attack_object_name": "Ingress Tool Transfer", "capability_group": "security_command_center", "score_category": "detect", "score_value": "significant", "comments": "SCC uses machine learning [NLP techniques] to evaluate content of an executed bash script. This security solution protects against potentially malicious scripts that are used to transfer tools into a compromised environment and execute commands without binaries. Because of the high threat detection coverage provided by the ML model and near-real time temporal factor this control was graded as significant.", "references": ["https://cloud.google.com/security-command-center/docs/concepts-security-command-center-overview", "https://github.com/GoogleCloudPlatform/security-analytics"]}, {"capability_id": "google_secops", "capability_description": "Google Security Operations", "mapping_type": "technique_scores", "attack_object_id": "T1106", "attack_object_name": "Native API", "capability_group": "google_secops", "score_category": "detect", "score_value": "minimal", "comments": "Google Security Ops is able to trigger an alert for suspicious events related to the API (e.g., \"API keys created for a project\"). 
\n\nThis technique was scored as minimal based on low or uncertain detection coverage factor.\n\n\nhttps://github.com/chronicle/detection-rules/blob/783e0e5947774785db1c55041b70176deeca6f46/gcp_cloudaudit/gcp_no_project_api_keys.yaral", "references": ["https://cloud.google.com/security/products/security-operations", "https://cloud.google.com/chronicle/docs/secops/secops-overview", "https://github.com/chronicle/detection-rules"]}, {"capability_id": "advanced_protection_program", "capability_description": "Advanced Protection Program", "mapping_type": "technique_scores", "attack_object_id": "T1110", "attack_object_name": "Brute Force", "capability_group": "advanced_protection_program", "score_category": "protect", "score_value": "significant", "comments": "Advanced Protection Program enables the use of a security key for multi-factor authentication. This provides significant protection against Brute Force techniques attempting to gain access to accounts.", "references": ["https://landing.google.com/advancedprotection/"]}, {"capability_id": "cloud_endpoints", "capability_description": "Cloud Endpoints", "mapping_type": "technique_scores", "attack_object_id": "T1110", "attack_object_name": "Brute Force", "capability_group": "cloud_endpoints", "score_category": "protect", "score_value": "partial", "comments": "Cloud Endpoints allows administrators to set up login challenges, where a user attempting to access an API might be prompted to complete an additional verification step (like entering a code sent to their phone or answering a security question) before being granted access.", "references": ["https://cloud.google.com/endpoints/docs", "https://cloud.google.com/endpoints/docs/frameworks/python/migrating", "https://support.google.com/a/answer/1734200"]}, {"capability_id": "cloud_identity", "capability_description": "Cloud Identity", "mapping_type": "technique_scores", "attack_object_id": "T1110", "attack_object_name": "Brute Force", "capability_group": 
"cloud_identity", "score_category": "protect", "score_value": "significant", "comments": "This control may mitigate brute force attacks by enforcing multi-factor authentication, enforcing strong password policies, and rotating credentials periodically. These recommendations are IAM best practices but must be explicitly implemented by a cloud administrator.", "references": ["https://cloud.google.com/identity"]}, {"capability_id": "cloud_ids", "capability_description": "Cloud IDS", "mapping_type": "technique_scores", "attack_object_id": "T1110", "attack_object_name": "Brute Force", "capability_group": "cloud_ids", "score_category": "detect", "score_value": "significant", "comments": "Often used by adversaries to gain access to a system, Palo Alto Network's vulnerability signature is able to detect multiple repetitive occurrences of a condition in a particular time that could indicate a brute force attack (e.g., failed logins).\n\nAlthough there are ways an attacker could brute force a system while avoiding detection, this technique was scored as significant based on Palo Alto Network's advanced threat detection technology which constantly updates to detect against the latest known variations of these attacks.", "references": ["https://cloud.google.com/intrusion-detection-system", "https://docs.paloaltonetworks.com/pan-os/10-0/pan-os-admin/threat-prevention/threat-signatures"]}, {"capability_id": "identity_platform", "capability_description": "Identity Platform", "mapping_type": "technique_scores", "attack_object_id": "T1110", "attack_object_name": "Brute Force", "capability_group": "identity_platform", "score_category": "protect", "score_value": "significant", "comments": "Multi-factor authentication (MFA) methods, such as SMS, can also be used to help protect user accounts from phishing attacks. 
MFA provides significant protection against password compromises, requiring the adversary to complete an additional authentication method before their access is permitted.", "references": ["https://cloud.google.com/identity-platform/docs/concepts"]}, {"capability_id": "security_command_center", "capability_description": "Security Command Center", "mapping_type": "technique_scores", "attack_object_id": "T1110", "attack_object_name": "Brute Force", "capability_group": "security_command_center", "score_category": "detect", "score_value": "significant", "comments": "SCC uses syslog to detect successful brute force attacks [via SSH] on a host. Because of the near-real time temporal factor when detecting cyber-attacks this control was graded as significant.", "references": ["https://cloud.google.com/security-command-center/docs/concepts-security-command-center-overview", "https://github.com/GoogleCloudPlatform/security-analytics"]}, {"capability_id": "advanced_protection_program", "capability_description": "Advanced Protection Program", "mapping_type": "technique_scores", "attack_object_id": "T1110.001", "attack_object_name": "Password Guessing", "capability_group": "advanced_protection_program", "score_category": "protect", "score_value": "significant", "related_score": "T1110", "comments": "Advanced Protection Program enables the use of a security key for multi-factor authentication. 
This provides significant protection against Brute Force techniques attempting to gain access to accounts.", "references": ["https://landing.google.com/advancedprotection/"]}, {"capability_id": "cloud_identity", "capability_description": "Cloud Identity", "mapping_type": "technique_scores", "attack_object_id": "T1110.001", "attack_object_name": "Password Guessing", "capability_group": "cloud_identity", "score_category": "protect", "score_value": "significant", "related_score": "T1110", "comments": "This control may mitigate brute force attacks by enforcing multi-factor authentication, enforcing strong password policies, and rotating credentials periodically. These recommendations are IAM best practices but must be explicitly implemented by a cloud administrator.", "references": ["https://cloud.google.com/identity"]}, {"capability_id": "identity_platform", "capability_description": "Identity Platform", "mapping_type": "technique_scores", "attack_object_id": "T1110.001", "attack_object_name": "Password Guessing", "capability_group": "identity_platform", "score_category": "protect", "score_value": "significant", "related_score": "T1110", "comments": "Multi-factor authentication (MFA) methods, such as SMS, can also be used to help protect user accounts from phishing attacks. 
MFA provides significant protection against password compromises, requiring the adversary to complete an additional authentication method before their access is permitted.", "references": ["https://cloud.google.com/identity-platform/docs/concepts"]}, {"capability_id": "advanced_protection_program", "capability_description": "Advanced Protection Program", "mapping_type": "technique_scores", "attack_object_id": "T1110.002", "attack_object_name": "Password Cracking", "capability_group": "advanced_protection_program", "score_category": "protect", "score_value": "significant", "related_score": "T1110", "comments": "Advanced Protection Program enables the use of a security key for multi-factor authentication. This provides significant protection against Brute Force techniques attempting to gain access to accounts.", "references": ["https://landing.google.com/advancedprotection/"]}, {"capability_id": "cloud_identity", "capability_description": "Cloud Identity", "mapping_type": "technique_scores", "attack_object_id": "T1110.002", "attack_object_name": "Password Cracking", "capability_group": "cloud_identity", "score_category": "protect", "score_value": "significant", "related_score": "T1110", "comments": "This control may mitigate brute force attacks by enforcing multi-factor authentication, enforcing strong password policies, and rotating credentials periodically. 
These recommendations are IAM best practices but must be explicitly implemented by a cloud administrator.", "references": ["https://cloud.google.com/identity"]}, {"capability_id": "identity_platform", "capability_description": "Identity Platform", "mapping_type": "technique_scores", "attack_object_id": "T1110.002", "attack_object_name": "Password Cracking", "capability_group": "identity_platform", "score_category": "protect", "score_value": "significant", "related_score": "T1110", "comments": "Multi-factor authentication (MFA) methods, such as SMS, can also be used to help protect user accounts from phishing attacks. MFA provides significant protection against password compromises, requiring the adversary to complete an additional authentication method before their access is permitted.", "references": ["https://cloud.google.com/identity-platform/docs/concepts"]}, {"capability_id": "advanced_protection_program", "capability_description": "Advanced Protection Program", "mapping_type": "technique_scores", "attack_object_id": "T1110.003", "attack_object_name": "Password Spraying", "capability_group": "advanced_protection_program", "score_category": "protect", "score_value": "significant", "related_score": "T1110", "comments": "Advanced Protection Program enables the use of a security key for multi-factor authentication. 
This provides significant protection against Brute Force techniques attempting to gain access to accounts.", "references": ["https://landing.google.com/advancedprotection/"]}, {"capability_id": "cloud_identity", "capability_description": "Cloud Identity", "mapping_type": "technique_scores", "attack_object_id": "T1110.003", "attack_object_name": "Password Spraying", "capability_group": "cloud_identity", "score_category": "protect", "score_value": "significant", "related_score": "T1110", "comments": "This control may mitigate brute force attacks by enforcing multi-factor authentication, enforcing strong password policies, and rotating credentials periodically. These recommendations are IAM best practices but must be explicitly implemented by a cloud administrator.", "references": ["https://cloud.google.com/identity"]}, {"capability_id": "identity_platform", "capability_description": "Identity Platform", "mapping_type": "technique_scores", "attack_object_id": "T1110.003", "attack_object_name": "Password Spraying", "capability_group": "identity_platform", "score_category": "protect", "score_value": "significant", "related_score": "T1110", "comments": "Multi-factor authentication (MFA) methods, such as SMS, can also be used to help protect user accounts from phishing attacks. 
MFA provides significant protection against password compromises, requiring the adversary to complete an additional authentication method before their access is permitted.", "references": ["https://cloud.google.com/identity-platform/docs/concepts"]}, {"capability_id": "advanced_protection_program", "capability_description": "Advanced Protection Program", "mapping_type": "technique_scores", "attack_object_id": "T1110.004", "attack_object_name": "Credential Stuffing", "capability_group": "advanced_protection_program", "score_category": "protect", "score_value": "significant", "related_score": "T1110", "comments": "Advanced Protection Program enables the use of a security key for multi-factor authentication. This provides significant protection against Brute Force techniques attempting to gain access to accounts.", "references": ["https://landing.google.com/advancedprotection/"]}, {"capability_id": "cloud_identity", "capability_description": "Cloud Identity", "mapping_type": "technique_scores", "attack_object_id": "T1110.004", "attack_object_name": "Credential Stuffing", "capability_group": "cloud_identity", "score_category": "protect", "score_value": "significant", "related_score": "T1110", "comments": "This control may mitigate brute force attacks by enforcing multi-factor authentication, enforcing strong password policies, and rotating credentials periodically. 
These recommendations are IAM best practices but must be explicitly implemented by a cloud administrator.", "references": ["https://cloud.google.com/identity"]}, {"capability_id": "recaptcha_enterprise", "capability_description": "ReCAPTCHA Enterprise", "mapping_type": "technique_scores", "attack_object_id": "T1110.004", "attack_object_name": "Credential Stuffing", "capability_group": "recaptcha_enterprise", "score_category": "detect", "score_value": "significant", "related_score": "T1110", "comments": "Password Checkup extension for Chrome displays a warning whenever a user signs in to a site using one of over 4 billion usernames and passwords that Google knows to be unsafe due to a third-party data breach. With reCAPTCHA Enterprise, you can identify credential stuffing attacks by utilizing Password Checkup to detect password leaks and breached credentials. Developers can factor this information into their score calculation for score-based site keys to help identify suspicious activity and take appropriate action.\n", "references": ["https://cloud.google.com/recaptcha-enterprise"]}, {"capability_id": "google_secops", "capability_description": "Google Security Operations", "mapping_type": "technique_scores", "attack_object_id": "T1112", "attack_object_name": "Modify Registry", "capability_group": "google_secops", "score_category": "detect", "score_value": "minimal", "comments": "Google Security Ops is able to trigger an alert based on events of interest, such as: \"Command-line execution of the Windows Registry Editor\".\n\nThis technique was scored as minimal based on low or uncertain detection coverage factor.\n\nhttps://github.com/chronicle/detection-rules/blob/783e0e5947774785db1c55041b70176deeca6f46/info/command_line_regedit.yaral", "references": ["https://cloud.google.com/security/products/security-operations", "https://cloud.google.com/chronicle/docs/secops/secops-overview", "https://github.com/chronicle/detection-rules"]}, {"capability_id": 
"advanced_protection_program", "capability_description": "Advanced Protection Program", "mapping_type": "technique_scores", "attack_object_id": "T1114", "attack_object_name": "Email Collection", "capability_group": "advanced_protection_program", "score_category": "protect", "score_value": "significant", "comments": "Advanced Protection Program enables the use of a security key for multi-factor authentication. Enabling MFA reduces the usefulness of usernames and passwords that may be collected via email since adversaries won't have the associated security keys to gain access.\n", "references": ["https://landing.google.com/advancedprotection/"]}, {"capability_id": "google_secops", "capability_description": "Google Security Operations", "mapping_type": "technique_scores", "attack_object_id": "T1127", "attack_object_name": "Trusted Developer Utilities Proxy Execution", "capability_group": "google_secops", "score_category": "detect", "score_value": "minimal", "comments": "Google Security Ops triggers an alert based on common command line arguments used by adversaries to proxy execution of code through trusted utilities.\n\nThis technique was scored as minimal based on low or uncertain detection coverage factor.\n\nThis technique was scored as minimal based on low or uncertain detection coverage factor.\n\nhttps://github.com/chronicle/detection-rules/blob/783e0e5947774785db1c55041b70176deeca6f46/soc_prime_rules/threat_hunting/process_creation/suspicious_certutil_command.yaral\n\nhttps://github.com/chronicle/detection-rules/blob/783e0e5947774785db1c55041b70176deeca6f46/soc_prime_rules/threat_hunting/process_creation/detection_of_winrs_usage.yaral", "references": ["https://cloud.google.com/security/products/security-operations", "https://cloud.google.com/chronicle/docs/secops/secops-overview", "https://github.com/chronicle/detection-rules"]}, {"capability_id": "google_secops", "capability_description": "Google Security Operations", "mapping_type": "technique_scores", 
"attack_object_id": "T1127.001", "attack_object_name": "MSBuild", "capability_group": "google_secops", "score_category": "detect", "score_value": "minimal", "related_score": "T1127", "comments": "Google Security Ops triggers an alert based on common command line arguments for msbuild.exe which is used by adversaries to execute code through a trusted Windows utility.\n\nThis technique was scored as minimal based on low or uncertain detection coverage factor.\n\nhttps://github.com/chronicle/detection-rules/blob/783e0e5947774785db1c55041b70176deeca6f46/soc_prime_rules/mixed_other/security/possible_msbuild_abuse__via_cmdline.yaral", "references": ["https://cloud.google.com/security/products/security-operations", "https://cloud.google.com/chronicle/docs/secops/secops-overview", "https://github.com/chronicle/detection-rules"]}, {"capability_id": "google_secops", "capability_description": "Google Security Operations", "mapping_type": "technique_scores", "attack_object_id": "T1132", "attack_object_name": "Data Encoding", "capability_group": "google_secops", "score_category": "detect", "score_value": "minimal", "comments": "Google Security Ops is able to trigger an alert based on known indicators used by the adversary, such as data encoding techniques.\n\nThis technique was scored as minimal based on low or uncertain detection coverage factor.\n\nThis technique was scored as minimal based on low or uncertain detection coverage factor.\n\nhttps://github.com/chronicle/detection-rules/blob/783e0e5947774785db1c55041b70176deeca6f46/soc_prime_rules/ioc_sigma/windows/powershell_encoded_command__sysmon.yaral\n\nhttps://github.com/chronicle/detection-rules/blob/783e0e5947774785db1c55041b70176deeca6f46/soc_prime_rules/threat_hunting/process_creation/emotet_process_creation.yaral\n\nhttps://github.com/chronicle/detection-rules/blob/783e0e5947774785db1c55041b70176deeca6f46/soc_prime_rules/threat_hunting/process_creation/suspicious_powershell_parameter_substring.yaral", "references": 
["https://cloud.google.com/security/products/security-operations", "https://cloud.google.com/chronicle/docs/secops/secops-overview", "https://github.com/chronicle/detection-rules"]}, {"capability_id": "google_secops", "capability_description": "Google Security Operations", "mapping_type": "technique_scores", "attack_object_id": "T1132.001", "attack_object_name": "Standard Encoding", "capability_group": "google_secops", "score_category": "detect", "score_value": "minimal", "related_score": "T1132", "comments": "Google Security Ops is able to trigger an alert based on known indicators used by the adversary, such as data encoding techniques for commands &/or C&C traffic.\n\nThis technique was scored as minimal based on low or uncertain detection coverage factor.\n\nhttps://github.com/chronicle/detection-rules/blob/783e0e5947774785db1c55041b70176deeca6f46/soc_prime_rules/threat_hunting/process_creation/suspicious_powershell_parameter_substring.yaral", "references": ["https://cloud.google.com/security/products/security-operations", "https://cloud.google.com/chronicle/docs/secops/secops-overview", "https://github.com/chronicle/detection-rules"]}, {"capability_id": "advanced_protection_program", "capability_description": "Advanced Protection Program", "mapping_type": "technique_scores", "attack_object_id": "T1133", "attack_object_name": "External Remote Services", "capability_group": "advanced_protection_program", "score_category": "protect", "score_value": "significant", "comments": "Advanced Protection Program enables the use of a security key for multi-factor authentication. 
Enabling MFA for remote service accounts can mitigate an adversary's ability to leverage stolen credentials since they won't have the respective security key to gain access.\n", "references": ["https://landing.google.com/advancedprotection/"]}, {"capability_id": "chrome_enterprise_premium", "capability_description": "Chrome Enterprise Premium", "mapping_type": "technique_scores", "attack_object_id": "T1133", "attack_object_name": "External Remote Services", "capability_group": "chrome_enterprise_premium", "score_category": "protect", "score_value": "partial", "comments": "Chrome Enterprise Premium implements a zero trust model which restricts access to resources unless all rules and conditions are met. Instead of securing resources at the network-level, access controls are instead applied to individual devices and users.", "references": ["https://cloud.google.com/beyondcorp-enterprise/docs/overview"]}, {"capability_id": "cloud_identity", "capability_description": "Cloud Identity", "mapping_type": "technique_scores", "attack_object_id": "T1133", "attack_object_name": "External Remote Services", "capability_group": "cloud_identity", "score_category": "protect", "score_value": "minimal", "comments": "This control may mitigate an adversary's ability to leverage external-facing remote services through multi-factor authentication of service account credentials.", "references": ["https://cloud.google.com/identity"]}, {"capability_id": "cloud_ngfw", "capability_description": "Cloud Next-Generation Firewall (NGFW)_", "mapping_type": "technique_scores", "attack_object_id": "T1133", "attack_object_name": "External Remote Services", "capability_group": "cloud_ngfw", "score_category": "protect", "score_value": "partial", "comments": "Cloud NGFW can allow or deny traffic based on the traffic's protocol, destination ports, sources, and destinations. This functionality can be used to only allow certain remote services to be available. 
Furthermore, it can enforce restrictions such that remote services are only from trusted hosts (i.e., only allow remote access traffic from certain hosts). This mapping is given a score of Partial because while it can limit which external remote services and hosts can be used to access the network, it cannot protect against the misuse of legitimate external remote services (e.g., it cannot protect against an adversary using a trusted host that is permitted to use remote services as part of an attack).", "references": ["https://cloud.google.com/firewalls"]}, {"capability_id": "cloud_vpn", "capability_description": "Cloud VPN", "mapping_type": "technique_scores", "attack_object_id": "T1133", "attack_object_name": "External Remote Services", "capability_group": "cloud_vpn", "score_category": "protect", "score_value": "partial", "comments": "This control provides protections against adversaries who try to access and/or persist within a network. Remote services such as VPNs, Citrix, and other access mechanisms allow users to connect to internal enterprise network resources from external locations. ", "references": ["https://cloud.google.com/network-connectivity/docs/vpn/concepts/overview"]}, {"capability_id": "security_command_center", "capability_description": "Security Command Center", "mapping_type": "technique_scores", "attack_object_id": "T1133", "attack_object_name": "External Remote Services", "capability_group": "security_command_center", "score_category": "detect", "score_value": "significant", "comments": "SCC is able to detect attackers communicating with a compromised workload from a remote system (e.g., \"reverse shell\"). SCC specifically detects for stdin bound to a remote socket. 
Because of the high threat detection coverage and near-real time temporal factor this control was graded as significant.", "references": ["https://cloud.google.com/security-command-center/docs/concepts-security-command-center-overview", "https://github.com/GoogleCloudPlatform/security-analytics"]}, {"capability_id": "google_secops", "capability_description": "Google Security Operations", "mapping_type": "technique_scores", "attack_object_id": "T1134", "attack_object_name": "Access Token Manipulation", "capability_group": "google_secops", "score_category": "detect", "score_value": "minimal", "comments": "Google Security Ops is able to trigger an alert based on modifications to user access controls.\n\nThis technique was scored as minimal based on low or uncertain detection coverage factor.\n\nhttps://github.com/chronicle/detection-rules/blob/783e0e5947774785db1c55041b70176deeca6f46/soc_prime_rules/cloud_security/sysmon/suspicious_command_line_contains_azure_tokencache_dat_as_argument__via_cmdline.yaral\n\n\n\n", "references": ["https://cloud.google.com/security/products/security-operations", "https://cloud.google.com/chronicle/docs/secops/secops-overview", "https://github.com/chronicle/detection-rules"]}, {"capability_id": "google_secops", "capability_description": "Google Security Operations", "mapping_type": "technique_scores", "attack_object_id": "T1134.005", "attack_object_name": "SID-History Injection", "capability_group": "google_secops", "score_category": "detect", "score_value": "minimal", "related_score": "T1134", "comments": "Google Security Ops is able to trigger an alert based on successful and failed changes to SID-History. 
\n\nThis technique was scored as minimal based on low or uncertain detection coverage factor.\n\nhttps://github.com/chronicle/detection-rules/blob/783e0e5947774785db1c55041b70176deeca6f46/soc_prime_rules/active_directory_security/windows/addition_of_sid_history_to_active_directory_object.yaral", "references": ["https://cloud.google.com/security/products/security-operations", "https://cloud.google.com/chronicle/docs/secops/secops-overview", "https://github.com/chronicle/detection-rules"]}, {"capability_id": "vpc_service_controls", "capability_description": "VPC Service Controls", "mapping_type": "technique_scores", "attack_object_id": "T1135", "attack_object_name": "Network Share Discovery", "capability_group": "vpc_service_controls", "score_category": "protect", "score_value": "significant", "comments": "VPC security perimeters can limit the impact from active scanning and lateral movement techniques used to exploit the target environment.", "references": ["https://cloud.google.com/vpc-service-controls/docs"]}, {"capability_id": "advanced_protection_program", "capability_description": "Advanced Protection Program", "mapping_type": "technique_scores", "attack_object_id": "T1136", "attack_object_name": "Create Account", "capability_group": "advanced_protection_program", "score_category": "protect", "score_value": "significant", "comments": "Advanced Protection Program enables the use of a security key for multi-factor authentication. 
Enabling Advanced Protection Program for all users at an organization can prevent adversaries from maintaining access via created accounts because any accounts they create won't have the required security keys for MFA.\n", "references": ["https://landing.google.com/advancedprotection/"]}, {"capability_id": "google_secops", "capability_description": "Google Security Operations", "mapping_type": "technique_scores", "attack_object_id": "T1136", "attack_object_name": "Create Account", "capability_group": "google_secops", "score_category": "detect", "score_value": "minimal", "comments": "Google Security Ops is able to trigger an alert based on suspicious system event logs, such as newly created local user accounts on Windows machines.\n\nThis technique was scored as minimal based on low or uncertain detection coverage factor.\n\nhttps://github.com/chronicle/detection-rules/blob/783e0e5947774785db1c55041b70176deeca6f46/soc_prime_rules/threat_hunting/windows/detects_local_user_creation.yaral", "references": ["https://cloud.google.com/security/products/security-operations", "https://cloud.google.com/chronicle/docs/secops/secops-overview", "https://github.com/chronicle/detection-rules"]}, {"capability_id": "identity_platform", "capability_description": "Identity Platform", "mapping_type": "technique_scores", "attack_object_id": "T1136", "attack_object_name": "Create Account", "capability_group": "identity_platform", "score_category": "protect", "score_value": "significant", "comments": "Identity Platform multi-tenancy uses tenants to create unique silos of users and configurations within a single Identity Platform project. 
It provides secure, easy-to-use authentication if you're building a service on Google Cloud, on your own backend or on another platform; thereby helping to prevent adversaries from gaining access to systems.", "references": ["https://cloud.google.com/identity-platform/docs/concepts"]}, {"capability_id": "google_secops", "capability_description": "Google Security Operations", "mapping_type": "technique_scores", "attack_object_id": "T1136.001", "attack_object_name": "Local Account", "capability_group": "google_secops", "score_category": "detect", "score_value": "minimal", "related_score": "T1136", "comments": "Google Security Ops is able to trigger an alert based on suspicious system event logs, such as newly created local user accounts in Windows AD environments (e.g., event 4720).\n\nThis technique was scored as minimal based on low or uncertain detection coverage factor.\n\nhttps://github.com/chronicle/detection-rules/blob/783e0e5947774785db1c55041b70176deeca6f46/soc_prime_rules/threat_hunting/windows/detects_local_user_creation.yaral", "references": ["https://cloud.google.com/security/products/security-operations", "https://cloud.google.com/chronicle/docs/secops/secops-overview", "https://github.com/chronicle/detection-rules"]}, {"capability_id": "identity_platform", "capability_description": "Identity Platform", "mapping_type": "technique_scores", "attack_object_id": "T1136.001", "attack_object_name": "Local Account", "capability_group": "identity_platform", "score_category": "protect", "score_value": "significant", "related_score": "T1136", "comments": "Identity Platform multi-tenancy uses tenants to create unique silos of users and configurations within a single Identity Platform project. 
It provides secure, easy-to-use authentication if you're building a service on Google Cloud, on your own backend or on another platform; thereby helping to prevent adversaries from gaining access to systems and accounts.", "references": ["https://cloud.google.com/identity-platform/docs/concepts"]}, {"capability_id": "identity_platform", "capability_description": "Identity Platform", "mapping_type": "technique_scores", "attack_object_id": "T1136.002", "attack_object_name": "Domain Account", "capability_group": "identity_platform", "score_category": "protect", "score_value": "significant", "related_score": "T1136", "comments": "Identity Platform multi-tenancy uses tenants to create unique silos of users and configurations within a single Identity Platform project. It provides secure, easy-to-use authentication if you're building a service on Google Cloud, on your own backend or on another platform; thereby helping to prevent adversaries from gaining access to systems.", "references": ["https://cloud.google.com/identity-platform/docs/concepts"]}, {"capability_id": "identity_platform", "capability_description": "Identity Platform", "mapping_type": "technique_scores", "attack_object_id": "T1136.003", "attack_object_name": "Cloud Account", "capability_group": "identity_platform", "score_category": "protect", "score_value": "significant", "related_score": "T1136", "comments": "Identity Platform multi-tenancy uses tenants to create unique silos of users and configurations within a single Identity Platform project. 
It provides secure, easy-to-use authentication if you're building a service on Google Cloud, on your own backend or on another platform; thereby helping to prevent adversaries from gaining access to systems.", "references": ["https://cloud.google.com/identity-platform/docs/concepts"]}, {"capability_id": "recaptcha_enterprise", "capability_description": "ReCAPTCHA Enterprise", "mapping_type": "technique_scores", "attack_object_id": "T1136.003", "attack_object_name": "Cloud Account", "capability_group": "recaptcha_enterprise", "score_category": "protect", "score_value": "partial", "related_score": "T1136", "comments": "ReCAPTCHA Enterprise can implement a number of mitigations to prevent the automated creation of multiple accounts, such as adding checkbox challenges on pages where end users need to enter their credentials and assessing user activity for potential misuse on all pages where accounts are created.\n\nSince this control doesn't prevent the manual creation of accounts, it has been given a rating of Partial.\n", "references": ["https://cloud.google.com/recaptcha-enterprise"]}, {"capability_id": "security_command_center", "capability_description": "Security Command Center", "mapping_type": "technique_scores", "attack_object_id": "T1136.003", "attack_object_name": "Cloud Account", "capability_group": "security_command_center", "score_category": "detect", "score_value": "significant", "related_score": "T1136", "comments": "SCC ingests admin activity from Cloud Audit logs to detect when new service accounts are created. This security solution protects against potential adversary-generated accounts used for initial access or to maintain persistence. 
Because of the temporal factor in detecting this attack, the control was graded as significant.", "references": ["https://cloud.google.com/security-command-center/docs/concepts-security-command-center-overview", "https://github.com/GoogleCloudPlatform/security-analytics"]}, {"capability_id": "cloud_ids", "capability_description": "Cloud IDS", "mapping_type": "technique_scores", "attack_object_id": "T1137", "attack_object_name": "Office Application Startup", "capability_group": "cloud_ids", "score_category": "detect", "score_value": "significant", "comments": "Often used by adversaries to establish persistence, this technique can be detected by Palo Alto Network's antivirus signatures, which are able to detect malware found in executables and Microsoft Office files (e.g., DOC, DOCX, RTF, XLS, XLSX, PPT, PPTX).\n\nAlthough there are ways an attacker could modify the signature and deliver a malicious office file, this technique was scored as significant based on Palo Alto Network's advanced threat detection technology which constantly updates to detect against the latest known variations of these attacks.", "references": ["https://cloud.google.com/intrusion-detection-system", "https://docs.paloaltonetworks.com/pan-os/10-0/pan-os-admin/threat-prevention/threat-signatures"]}, {"capability_id": "google_secops", "capability_description": "Google Security Operations", "mapping_type": "technique_scores", "attack_object_id": "T1137", "attack_object_name": "Office Application Startup", "capability_group": "google_secops", "score_category": "detect", "score_value": "minimal", "comments": "Google Security Ops is able to trigger an alert based on suspicious system processes, for example: a command line executable started from Microsoft's Office-based applications.\n\nThis technique was scored as minimal based on low or uncertain detection coverage 
factor.\n\nhttps://github.com/chronicle/detection-rules/blob/783e0e5947774785db1c55041b70176deeca6f46/soc_prime_rules/threat_hunting/sysmon/office_starup_folder_persistance.yaral\n\nhttps://github.com/chronicle/detection-rules/blob/783e0e5947774785db1c55041b70176deeca6f46/soc_prime_rules/threat_hunting/sysmon/office_applications_suspicious_process_activity.yaral", "references": ["https://cloud.google.com/security/products/security-operations", "https://cloud.google.com/chronicle/docs/secops/secops-overview", "https://github.com/chronicle/detection-rules"]}, {"capability_id": "cloud_ids", "capability_description": "Cloud IDS", "mapping_type": "technique_scores", "attack_object_id": "T1137.001", "attack_object_name": "Office Template Macros", "capability_group": "cloud_ids", "score_category": "detect", "score_value": "significant", "related_score": "T1137", "comments": "Often used by adversaries to establish persistence, Palo Alto Network's antivirus signatures are able to detect malware found in executables and Microsoft Office templates.\n\nAlthough there are ways an attacker could deliver a malicious template, this technique was scored as significant based on Palo Alto Network's advanced threat detection technology which constantly updates to detect against the latest known variations of these attacks.", "references": ["https://cloud.google.com/intrusion-detection-system", "https://docs.paloaltonetworks.com/pan-os/10-0/pan-os-admin/threat-prevention/threat-signatures"]}, {"capability_id": "google_secops", "capability_description": "Google Security Operations", "mapping_type": "technique_scores", "attack_object_id": "T1137.001", "attack_object_name": "Office Template Macros", "capability_group": "google_secops", "score_category": "detect", "score_value": "minimal", "related_score": "T1137", "comments": "Google Security Ops is able to trigger an alert based on suspicious system processes, for example: a Windows command line executable started from Microsoft's 
Word or Excel (e.g., \".*\\\\WINWORD\\.EXE\", \".*\\\\EXCEL\\.EXE\"). \n\nThis technique was scored as minimal based on low or uncertain detection coverage factor.\n\nhttps://github.com/chronicle/detection-rules/blob/783e0e5947774785db1c55041b70176deeca6f46/soc_prime_rules/threat_hunting/windows/office_macro_starts_cmd.yaral", "references": ["https://cloud.google.com/security/products/security-operations", "https://cloud.google.com/chronicle/docs/secops/secops-overview", "https://github.com/chronicle/detection-rules"]}, {"capability_id": "cloud_ids", "capability_description": "Cloud IDS", "mapping_type": "technique_scores", "attack_object_id": "T1137.006", "attack_object_name": "Add-ins", "capability_group": "cloud_ids", "score_category": "detect", "score_value": "significant", "related_score": "T1137", "comments": "Often used by adversaries to establish persistence, Palo Alto Network's antivirus signatures are able to detect malware found in executables and Microsoft Office add-ins.\n\nAlthough there are ways an attacker could deliver a malicious file, this technique was scored as significant based on Palo Alto Network's advanced threat detection technology which constantly updates to detect against the latest known variations of these attacks.", "references": ["https://cloud.google.com/intrusion-detection-system", "https://docs.paloaltonetworks.com/pan-os/10-0/pan-os-admin/threat-prevention/threat-signatures"]}, {"capability_id": "cloud_ngfw", "capability_description": "Cloud Next-Generation Firewall (NGFW)_", "mapping_type": "technique_scores", "attack_object_id": "T1187", "attack_object_name": "Forced Authentication", "capability_group": "cloud_ngfw", "score_category": "protect", "score_value": "significant", "comments": "Cloud NGFW can allow or deny traffic based on the traffic's protocol, destination ports, sources, and destinations. 
This functionality can be used to block SMB and WebDAV traffic from exiting the network, which can prevent adversaries from forcing authentication over SMB and WebDAV. This mapping is given a score of Significant because Cloud NGFW can block this traffic or restrict where it can go to.", "references": ["https://cloud.google.com/firewalls"]}, {"capability_id": "chrome_enterprise_premium", "capability_description": "Chrome Enterprise Premium", "mapping_type": "technique_scores", "attack_object_id": "T1189", "attack_object_name": "Drive-by Compromise", "capability_group": "chrome_enterprise_premium", "score_category": "protect", "score_value": "partial", "comments": "Chrome Enterprise Premium offers additional protections against compromised websites by including features like URL filtering, threat detection, and data loss prevention (DLP) controls.", "references": ["https://cloud.google.com/beyondcorp-enterprise/docs/overview"]}, {"capability_id": "artifact_analysis", "capability_description": "Artifact Analysis", "mapping_type": "technique_scores", "attack_object_id": "T1190", "attack_object_name": "Exploit Public-Facing Application", "capability_group": "artifact_analysis", "score_category": "protect", "score_value": "partial", "comments": "Artifact Analysis performs vulnerability scans on artifacts in Artifact Registry or Container Registry (deprecated). When Artifact Analysis is deployed, it can detect known vulnerabilities in various Linux OS packages. This information can be used to patch, isolate, or remove vulnerable software and machines. 
This control does not directly protect against exploitation and is not effective against zero day attacks, vulnerabilities with no available patch, and other end-of-life packages.", "references": ["https://cloud.google.com/artifact-analysis/docs/artifact-analysis", "https://cloud.google.com/container-analysis/docs/container-scanning-overview", "https://cloud.google.com/container-registry/docs/container-analysis"]}, {"capability_id": "cloud_armor", "capability_description": "Cloud Armor", "mapping_type": "technique_scores", "attack_object_id": "T1190", "attack_object_name": "Exploit Public-Facing Application", "capability_group": "cloud_armor", "score_category": "protect", "score_value": "significant", "comments": "Google Cloud Armor security policies protect your application by providing Layer 7 filtering and by scrubbing incoming requests for common web attacks or other Layer 7 attributes. Google Cloud Armor detects malicious requests and drops them at the edge of Google's infrastructure.", "references": ["https://cloud.google.com/armor"]}, {"capability_id": "cloud_ids", "capability_description": "Cloud IDS", "mapping_type": "technique_scores", "attack_object_id": "T1190", "attack_object_name": "Exploit Public-Facing Application", "capability_group": "cloud_ids", "score_category": "detect", "score_value": "significant", "comments": "Often used by adversaries to take advantage of software weaknesses in web applications, Palo Alto Network's vulnerability signatures are able to detect SQL-injection attacks that attempt to read or modify a system database using common web hacking techniques (e.g., OWASP top 10).\n\nAlthough there are ways an attacker could leverage web application weaknesses to affect the sensitive data and databases, this technique was scored as significant based on Palo Alto Network's advanced threat detection technology which constantly updates to detect against the latest known variations of these attacks.", "references": 
["https://cloud.google.com/intrusion-detection-system", "https://docs.paloaltonetworks.com/pan-os/10-0/pan-os-admin/threat-prevention/threat-signatures"]}, {"capability_id": "google_secops", "capability_description": "Google Security Operations", "mapping_type": "technique_scores", "attack_object_id": "T1190", "attack_object_name": "Exploit Public-Facing Application", "capability_group": "google_secops", "score_category": "detect", "score_value": "minimal", "comments": "Google Security Ops triggers an alert based on suspicious behavior, such as exploitation attempts against web servers and/or applications (e.g., F5 BIG-IP CVE 2020-5902).\n\nThis technique was scored as minimal based on low or uncertain detection coverage factor.\n\nhttps://github.com/chronicle/detection-rules/blob/783e0e5947774785db1c55041b70176deeca6f46/soc_prime_rules/proactive_exploit_detection/big_ip/possible_f5_big_ip_tmui_attack_cve_2020_5902_part_1.yaral\n\nhttps://github.com/chronicle/detection-rules/blob/783e0e5947774785db1c55041b70176deeca6f46/soc_prime_rules/proactive_exploit_detection/big_ip/possible_f5_big_ip_tmui_attack_cve_2020_5902_part_2.yaral", "references": ["https://cloud.google.com/security/products/security-operations", "https://cloud.google.com/chronicle/docs/secops/secops-overview", "https://github.com/chronicle/detection-rules"]}, {"capability_id": "identity_aware_proxy", "capability_description": "Identity Aware Proxy", "mapping_type": "technique_scores", "attack_object_id": "T1190", "attack_object_name": "Exploit Public-Facing Application", "capability_group": "identity_aware_proxy", "score_category": "protect", "score_value": "partial", "comments": "When an application or resource is protected by IAP, it can only be accessed through the proxy by principals, also known as users, who have the correct Identity and Access Management (IAM) role. 
IAP secures authentication and authorization of all requests to App Engine, Cloud Load Balancing (HTTPS), or internal HTTP load balancing.\n\nBecause adversaries may attempt malicious activity via applications, application firewalls may be used to limit the exposure of applications and prevent exploit traffic from reaching the application.", "references": ["https://cloud.google.com/iap"]}, {"capability_id": "security_command_center", "capability_description": "Security Command Center", "mapping_type": "technique_scores", "attack_object_id": "T1190", "attack_object_name": "Exploit Public-Facing Application", "capability_group": "security_command_center", "score_category": "detect", "score_value": "significant", "comments": "Using Web Security Scanner, SCC is able to detect and provide guidance for web application security risks (e.g., Cross-Site Scripting, SQL injection, Server Side Request Forgery, Insecure Deserialization). Adversaries may exploit these web app weaknesses in a cloud-based environment to compromise the underlying instance or container. This technique was graded as significant due to the high detect coverage against varying forms of this attack.", "references": ["https://cloud.google.com/security-command-center/docs/concepts-security-command-center-overview", "https://github.com/GoogleCloudPlatform/security-analytics"]}, {"capability_id": "vm_manager", "capability_description": "VM Manager", "mapping_type": "technique_scores", "attack_object_id": "T1190", "attack_object_name": "Exploit Public-Facing Application", "capability_group": "vm_manager", "score_category": "protect", "score_value": "partial", "comments": "VM Manager can apply on-demand and scheduled patches via automated patch deployment. This can remediate OS and software vulnerabilities that could otherwise be exploited. 
Since VM Manager doesn't directly prevent exploitation of active vulnerabilities (including zero day vulnerabilities) this control has resulted in a score of Partial.", "references": ["https://cloud.google.com/compute/docs/vm-manager"]}, {"capability_id": "vpc_service_controls", "capability_description": "VPC Service Controls", "mapping_type": "technique_scores", "attack_object_id": "T1190", "attack_object_name": "Exploit Public-Facing Application", "capability_group": "vpc_service_controls", "score_category": "protect", "score_value": "significant", "comments": "VPC security perimeters can segment private resources to further reduce user access and operate in a logically separate hosting environment.", "references": ["https://cloud.google.com/vpc-service-controls/docs"]}, {"capability_id": "google_secops", "capability_description": "Google Security Operations", "mapping_type": "technique_scores", "attack_object_id": "T1195", "attack_object_name": "Supply Chain Compromise", "capability_group": "google_secops", "score_category": "detect", "score_value": "minimal", "comments": "Google Security Ops is able to trigger alerts based on unusual file write events by 3rd party software, specifically SolarWinds executable.\n\nThis technique was scored as minimal based on low or uncertain detection coverage factor.\n\nhttps://github.com/chronicle/detection-rules/blob/783e0e5947774785db1c55041b70176deeca6f46/soc_prime_rules/threat_hunting/file_event/unusual_solarwinds_file_creation__via_filewrite.yaral\n\nhttps://github.com/chronicle/detection-rules/blob/783e0e5947774785db1c55041b70176deeca6f46/suspicious/unusual_location_svchost_write.yaral", "references": ["https://cloud.google.com/security/products/security-operations", "https://cloud.google.com/chronicle/docs/secops/secops-overview", "https://github.com/chronicle/detection-rules"]}, {"capability_id": "google_secops", "capability_description": "Google Security Operations", "mapping_type": "technique_scores", 
"attack_object_id": "T1195.002", "attack_object_name": "Compromise Software Supply Chain", "capability_group": "google_secops", "score_category": "detect", "score_value": "minimal", "related_score": "T1195", "comments": "Google Security Ops is able to trigger an alert based on unusual file write events by 3rd party software (e.g., SolarWinds executable \".*\\\\solarwinds\\.businesslayerhost\\.exe\").\n\nThis technique was scored as minimal based on low or uncertain detection coverage factor.\n\nhttps://github.com/chronicle/detection-rules/blob/783e0e5947774785db1c55041b70176deeca6f46/soc_prime_rules/threat_hunting/file_event/unusual_solarwinds_file_creation__via_filewrite.yaral\n\nhttps://github.com/chronicle/detection-rules/blob/783e0e5947774785db1c55041b70176deeca6f46/soc_prime_rules/threat_hunting/security/unusual_solarwinds_child_process__via_cmdline.yaral", "references": ["https://cloud.google.com/security/products/security-operations", "https://cloud.google.com/chronicle/docs/secops/secops-overview", "https://github.com/chronicle/detection-rules"]}, {"capability_id": "access_transparency", "capability_description": "Access Transparency", "mapping_type": "technique_scores", "attack_object_id": "T1199", "attack_object_name": "Trusted Relationship", "capability_group": "access_transparency", "score_category": "detect", "score_value": "minimal", "comments": "Access Transparency provides visibility into Google's access to customer data in the form of audit logs which may expose and detect malicious access of customer data and resources by compromised Google personnel accounts. 
The trusted relationship between Google personnel who administer and allow customers to host their workloads on the cloud may be abused by insider threats or compromise of Google.", "references": ["https://cloud.google.com/cloud-provider-access-management/access-transparency/docs/overview"]}, {"capability_id": "google_secops", "capability_description": "Google Security Operations", "mapping_type": "technique_scores", "attack_object_id": "T1202", "attack_object_name": "Indirect Command Execution", "capability_group": "google_secops", "score_category": "detect", "score_value": "minimal", "comments": "Google Security Ops is able to trigger an alert based on suspicious event IDs that indicate an adversary's abuse of Windows system utilities to perform indirect command-line argument or code execution. For example: malicious usage of bash.exe via the Windows Subsystem for Linux (WSL).\n\nThis technique was scored as minimal based on low or uncertain detection coverage factor.\n\nhttps://github.com/chronicle/detection-rules/blob/783e0e5947774785db1c55041b70176deeca6f46/soc_prime_rules/threat_hunting/process_creation/lolbas_wsl_exe__via_cmdline.yaral", "references": ["https://cloud.google.com/security/products/security-operations", "https://cloud.google.com/chronicle/docs/secops/secops-overview", "https://github.com/chronicle/detection-rules"]}, {"capability_id": "artifact_analysis", "capability_description": "Artifact Analysis", "mapping_type": "technique_scores", "attack_object_id": "T1203", "attack_object_name": "Exploitation for Client Execution", "capability_group": "artifact_analysis", "score_category": "protect", "score_value": "partial", "comments": "Artifact Analysis performs vulnerability scans on artifacts in Artifact Registry or Container Registry (deprecated). When Artifact Analysis is deployed, it can detect known vulnerabilities in various Linux OS packages. This information can be used to patch, isolate, or remove vulnerable software and machines. 
This control does not directly protect against exploitation and is not effective against zero day attacks, vulnerabilities with no available patch, and other end-of-life packages.", "references": ["https://cloud.google.com/artifact-analysis/docs/artifact-analysis", "https://cloud.google.com/container-analysis/docs/container-scanning-overview", "https://cloud.google.com/container-registry/docs/container-analysis"]}, {"capability_id": "google_secops", "capability_description": "Google Security Operations", "mapping_type": "technique_scores", "attack_object_id": "T1203", "attack_object_name": "Exploitation for Client Execution", "capability_group": "google_secops", "score_category": "detect", "score_value": "minimal", "comments": "Google Security Ops is able to trigger an alert based on Antivirus notifications that report an exploitation framework (e.g., Meterpreter, Metasploit, PowerSploit).\n\nThis technique was scored as minimal based on low or uncertain detection coverage factor.\n\nhttps://github.com/chronicle/detection-rules/blob/783e0e5947774785db1c55041b70176deeca6f46/soc_prime_rules/threat_hunting/windows/detect_service_creation_by_metasploit_on_victim_machine.yaral\n\nhttps://github.com/chronicle/detection-rules/blob/783e0e5947774785db1c55041b70176deeca6f46/soc_prime_rules/threat_hunting/proxy/exploit_framework_user_agent.yaral", "references": ["https://cloud.google.com/security/products/security-operations", "https://cloud.google.com/chronicle/docs/secops/secops-overview", "https://github.com/chronicle/detection-rules"]}, {"capability_id": "vm_manager", "capability_description": "VM Manager", "mapping_type": "technique_scores", "attack_object_id": "T1203", "attack_object_name": "Exploitation for Client Execution", "capability_group": "vm_manager", "score_category": "protect", "score_value": "partial", "comments": "VM Manager can apply on-demand and scheduled patches via automated patch deployment. 
This can remediate OS and software vulnerabilities that could otherwise be exploited. Since VM Manager doesn't directly prevent exploitation of active vulnerabilities (including zero day vulnerabilities) this control has resulted in a score of Partial.", "references": ["https://cloud.google.com/compute/docs/vm-manager"]}, {"capability_id": "google_secops", "capability_description": "Google Security Operations", "mapping_type": "technique_scores", "attack_object_id": "T1204", "attack_object_name": "User Execution", "capability_group": "google_secops", "score_category": "detect", "score_value": "minimal", "comments": "Google Security Ops is able to trigger an alert based on suspicious user activity (e.g., clicking on malicious links).\n\nThis technique was scored as minimal based on low or uncertain detection coverage factor.\n\nhttps://github.com/chronicle/detection-rules/blob/783e0e5947774785db1c55041b70176deeca6f46/soc_prime_rules/threat_hunting/proxy/microsoft_teams_phishing_email.yaral\n\nhttps://github.com/chronicle/detection-rules/blob/783e0e5947774785db1c55041b70176deeca6f46/soc_prime_rules/threat_hunting/process_creation/detect_possible_execution_of_phishing_attachment.yaral", "references": ["https://cloud.google.com/security/products/security-operations", "https://cloud.google.com/chronicle/docs/secops/secops-overview", "https://github.com/chronicle/detection-rules"]}, {"capability_id": "web_risk", "capability_description": "Web Risk", "mapping_type": "technique_scores", "attack_object_id": "T1204.001", "attack_object_name": "Malicious Link", "capability_group": "web_risk", "score_category": "protect", "score_value": "partial", "related_score": "T1204", "comments": "Web Risk allows client applications to check URLs against Google's list of unsafe web resources. It also can provide warnings when attempting to access potentially unsafe sites. 
However, Google cannot guarantee that its information is comprehensive and error-free: some risky sites may not be identified, and some safe sites may be classified in error. This has resulted in an overall score of Partial.", "references": ["https://cloud.google.com/web-risk/docs/overview"]}, {"capability_id": "cloud_ids", "capability_description": "Cloud IDS", "mapping_type": "technique_scores", "attack_object_id": "T1204.002", "attack_object_name": "Malicious File", "capability_group": "cloud_ids", "score_category": "detect", "score_value": "significant", "related_score": "T1204", "comments": "Often used by adversaries to establish persistence, Palo Alto Network's antivirus signatures are able to detect malware found in portable document format (PDF) files.\n\nAlthough there are ways an attacker could modify the signature and deliver a malicious file, this technique was scored as significant based on Palo Alto Network's advanced threat detection technology which constantly updates to detect against the latest known variations of these attacks.", "references": ["https://cloud.google.com/intrusion-detection-system", "https://docs.paloaltonetworks.com/pan-os/10-0/pan-os-admin/threat-prevention/threat-signatures"]}, {"capability_id": "binary_authorization", "capability_description": "Binary Authorization", "mapping_type": "technique_scores", "attack_object_id": "T1204.003", "attack_object_name": "Malicious Image", "capability_group": "binary_authorization", "score_category": "protect", "score_value": "significant", "related_score": "T1204", "comments": "Each image is digitally signed by a signer using a private key. 
At deploy time, the enforcer uses the attester's public key to verify the signature in the attestation.", "references": ["https://cloud.google.com/binary-authorization/docs/overview", "https://cloud.google.com/binary-authorization/docs/attestations"]}, {"capability_id": "cloud_ids", "capability_description": "Cloud IDS", "mapping_type": "technique_scores", "attack_object_id": "T1204.003", "attack_object_name": "Malicious Image", "capability_group": "cloud_ids", "score_category": "detect", "score_value": "significant", "related_score": "T1204", "comments": "Often used by adversaries to establish persistence, Palo Alto Network's antivirus signatures are able to detect download attempts or traffic generated from malicious programs designed to mine cryptocurrency without the user's knowledge.\n\nAlthough there are ways an attacker could modify the attack to avoid detection, this technique was scored as significant based on Palo Alto Network's advanced threat detection technology which constantly updates to detect against the latest known variations of these crypto-mining attacks.", "references": ["https://cloud.google.com/intrusion-detection-system", "https://docs.paloaltonetworks.com/pan-os/10-0/pan-os-admin/threat-prevention/threat-signatures"]}, {"capability_id": "security_command_center", "capability_description": "Security Command Center", "mapping_type": "technique_scores", "attack_object_id": "T1204.003", "attack_object_name": "Malicious Image", "capability_group": "security_command_center", "score_category": "detect", "score_value": "significant", "related_score": "T1204", "comments": "SCC is able to detect a potentially malicious binary being executed that was not part of the original container image. 
Because of the high threat detection coverage and near-real time temporal factor this control was graded as significant.", "references": ["https://cloud.google.com/security-command-center/docs/concepts-security-command-center-overview", "https://github.com/GoogleCloudPlatform/security-analytics"]}, {"capability_id": "cloud_ngfw", "capability_description": "Cloud Next-Generation Firewall (NGFW)_", "mapping_type": "technique_scores", "attack_object_id": "T1205", "attack_object_name": "Traffic Signaling", "capability_group": "cloud_ngfw", "score_category": "protect", "score_value": "partial", "comments": "Cloud NGFW can allow or deny traffic based on the traffic's protocol, destination ports, sources, and destinations. This functionality can be used to block traffic to unused ports from reaching hosts on the network which may help protect against traffic signaling from external systems. This mapping is given a score of partial because the Cloud NGFW does not do anything to protect against traffic signaling among hosts within the network and behind the firewall.", "references": ["https://cloud.google.com/firewalls"]}, {"capability_id": "artifact_analysis", "capability_description": "Artifact Analysis", "mapping_type": "technique_scores", "attack_object_id": "T1210", "attack_object_name": "Exploitation of Remote Services", "capability_group": "artifact_analysis", "score_category": "protect", "score_value": "partial", "comments": "Artifact Analysis performs vulnerability scans on artifacts in Artifact Registry or Container Registry (deprecated). When Artifact Analysis is deployed, it can detect known vulnerabilities in various Linux OS packages. This information can be used to patch, isolate, or remove vulnerable software and machines. 
This control does not directly protect against exploitation and is not effective against zero day attacks, vulnerabilities with no available patch, and other end-of-life packages.", "references": ["https://cloud.google.com/artifact-analysis/docs/artifact-analysis", "https://cloud.google.com/container-analysis/docs/container-scanning-overview", "https://cloud.google.com/container-registry/docs/container-analysis"]}, {"capability_id": "google_secops", "capability_description": "Google Security Operations", "mapping_type": "technique_scores", "attack_object_id": "T1210", "attack_object_name": "Exploitation of Remote Services", "capability_group": "google_secops", "score_category": "detect", "score_value": "minimal", "comments": "Google Security Ops is able to trigger an alert based on suspicious system events IDs (e.g., anonymous users changing machine passwords). \n\nThis technique was scored as minimal based on low or uncertain detection coverage factor.\n\nhttps://github.com/chronicle/detection-rules/blob/783e0e5947774785db1c55041b70176deeca6f46/soc_prime_rules/proactive_exploit_detection/security/anonymous_user_changed_machine_password.yaral", "references": ["https://cloud.google.com/security/products/security-operations", "https://cloud.google.com/chronicle/docs/secops/secops-overview", "https://github.com/chronicle/detection-rules"]}, {"capability_id": "vm_manager", "capability_description": "VM Manager", "mapping_type": "technique_scores", "attack_object_id": "T1210", "attack_object_name": "Exploitation of Remote Services", "capability_group": "vm_manager", "score_category": "protect", "score_value": "partial", "comments": "VM Manager can apply on-demand and scheduled patches via automated patch deployment. This can remediate OS and software vulnerabilities that could otherwise be exploited. 
Since VM Manager doesn't directly prevent exploitation of active vulnerabilities (including zero day vulnerabilities) this control has resulted in a score of Partial.", "references": ["https://cloud.google.com/compute/docs/vm-manager"]}, {"capability_id": "artifact_analysis", "capability_description": "Artifact Analysis", "mapping_type": "technique_scores", "attack_object_id": "T1211", "attack_object_name": "Exploitation for Defense Evasion", "capability_group": "artifact_analysis", "score_category": "protect", "score_value": "partial", "comments": "Artifact Analysis performs vulnerability scans on artifacts in Artifact Registry or Container Registry (deprecated). When Artifact Analysis is deployed, it can detect variations in system packages and images stored in the repository, which adversaries may target to establish persistence while evading cyber defenses.", "references": ["https://cloud.google.com/artifact-analysis/docs/artifact-analysis", "https://cloud.google.com/container-analysis/docs/container-scanning-overview", "https://cloud.google.com/container-registry/docs/container-analysis"]}, {"capability_id": "vm_manager", "capability_description": "VM Manager", "mapping_type": "technique_scores", "attack_object_id": "T1211", "attack_object_name": "Exploitation for Defense Evasion", "capability_group": "vm_manager", "score_category": "protect", "score_value": "partial", "comments": "VM Manager can apply on-demand and scheduled patches via automated patch deployment. This can remediate OS and software vulnerabilities that could otherwise be exploited. 
Since VM Manager doesn't directly prevent exploitation of active vulnerabilities (including zero day vulnerabilities) this control has resulted in a score of Partial.", "references": ["https://cloud.google.com/compute/docs/vm-manager"]}, {"capability_id": "google_secops", "capability_description": "Google Security Operations", "mapping_type": "technique_scores", "attack_object_id": "T1212", "attack_object_name": "Exploitation for Credential Access", "capability_group": "google_secops", "score_category": "detect", "score_value": "minimal", "comments": "Google Security Ops triggers alerts based on credential exploit attempts (e.g., reading the /dev/cmdb/sslvpn_websession file, which contains logins and passwords in clear text).\n\nThis technique was scored as minimal based on low or uncertain detection coverage factor.\n\nhttps://github.com/chronicle/detection-rules/blob/783e0e5947774785db1c55041b70176deeca6f46/soc_prime_rules/proactive_exploit_detection/webserver/cve_2018_13379_fortigate_ssl_vpn_arbitrary_file_reading.yaral", "references": ["https://cloud.google.com/security/products/security-operations", "https://cloud.google.com/chronicle/docs/secops/secops-overview", "https://github.com/chronicle/detection-rules"]}, {"capability_id": "policy_intelligence", "capability_description": "Policy Intelligence", "mapping_type": "technique_scores", "attack_object_id": "T1212", "attack_object_name": "Exploitation for Credential Access", "capability_group": "policy_intelligence", "score_category": "protect", "score_value": "partial", "comments": "Policy Intelligence role recommendations generated by IAM Recommender help admins remove unwanted access to GCP resources by using machine learning to make smart access control recommendations. With Recommender, security teams can automatically detect overly permissive access and rightsize it based on similar users in the organization and their access patterns. 
This control may mitigate adversaries that try to perform privilege escalation via permission levels and software exploitation.", "references": ["https://cloud.google.com/policy-intelligence"]}, {"capability_id": "vm_manager", "capability_description": "VM Manager", "mapping_type": "technique_scores", "attack_object_id": "T1212", "attack_object_name": "Exploitation for Credential Access", "capability_group": "vm_manager", "score_category": "protect", "score_value": "partial", "comments": "VM Manager can apply on-demand and scheduled patches via automated patch deployment. This can remediate OS and software vulnerabilities that could otherwise be exploited. Since VM Manager doesn't directly prevent exploitation of active vulnerabilities (including zero day vulnerabilities) this control has resulted in a score of Partial.", "references": ["https://cloud.google.com/compute/docs/vm-manager"]}, {"capability_id": "cloud_identity", "capability_description": "Cloud Identity", "mapping_type": "technique_scores", "attack_object_id": "T1213", "attack_object_name": "Data from Information Repositories", "capability_group": "cloud_identity", "score_category": "protect", "score_value": "partial", "comments": "MFA and enforcing the principle of least privilege can be used to control adversaries and possibly hinder them from gaining access to a victim network or a private code repository.", "references": ["https://cloud.google.com/identity"]}, {"capability_id": "cloud_identity", "capability_description": "Cloud Identity", "mapping_type": "technique_scores", "attack_object_id": "T1213.003", "attack_object_name": "Code Repositories", "capability_group": "cloud_identity", "score_category": "protect", "score_value": "partial", "related_score": "T1213", "comments": "MFA and enforcing the principle of least privilege can be used to control adversaries and possibly hinder them from gaining access to a victim network or a private code repository.", "references": 
["https://cloud.google.com/identity"]}, {"capability_id": "security_command_center", "capability_description": "Security Command Center", "mapping_type": "technique_scores", "attack_object_id": "T1213.003", "attack_object_name": "Code Repositories", "capability_group": "security_command_center", "score_category": "protect", "score_value": "significant", "related_score": "T1213", "comments": "Using Web Security Scanner, SCC is able to detect repositories (e.g., Git or SVN) that are exposed to the public. Adversaries may use this lapse in security configuration to collect information about the target. Because of the near-real time temporal factor to detect against this cyber-attack this was graded as significant.", "references": ["https://cloud.google.com/security-command-center/docs/concepts-security-command-center-overview", "https://github.com/GoogleCloudPlatform/security-analytics"]}, {"capability_id": "google_secops", "capability_description": "Google Security Operations", "mapping_type": "technique_scores", "attack_object_id": "T1218", "attack_object_name": "System Binary Proxy Execution", "capability_group": "google_secops", "score_category": "detect", "score_value": "minimal", "comments": "Google Security Ops is able to trigger an alert based on attempts to evade defenses, such as: bypass execution of digitally signed binaries.\n\nThis technique was scored as minimal based on low or uncertain detection coverage factor.\n\nhttps://github.com/chronicle/detection-rules/blob/783e0e5947774785db1c55041b70176deeca6f46/soc_prime_rules/threat_hunting/process_creation/mavinject_process_injection.yaral", "references": ["https://cloud.google.com/security/products/security-operations", "https://cloud.google.com/chronicle/docs/secops/secops-overview", "https://github.com/chronicle/detection-rules"]}, {"capability_id": "google_secops", "capability_description": "Google Security Operations", "mapping_type": "technique_scores", "attack_object_id": "T1218.003", 
"attack_object_name": "CMSTP", "capability_group": "google_secops", "score_category": "detect", "score_value": "minimal", "related_score": "T1218", "comments": "Google Security Ops is able to trigger an alert when adversaries attempt to abuse Microsoft's Connection Manager Profile Installer to proxy the execution of malicious code.\n\nThis technique was scored as minimal based on low or uncertain detection coverage factor.\n\nhttps://github.com/chronicle/detection-rules/blob/783e0e5947774785db1c55041b70176deeca6f46/soc_prime_rules/threat_hunting/sysmon/cmstp_exe_execution_detector__sysmon_behavior.yaral", "references": ["https://cloud.google.com/security/products/security-operations", "https://cloud.google.com/chronicle/docs/secops/secops-overview", "https://github.com/chronicle/detection-rules"]}, {"capability_id": "google_secops", "capability_description": "Google Security Operations", "mapping_type": "technique_scores", "attack_object_id": "T1218.005", "attack_object_name": "Mshta", "capability_group": "google_secops", "score_category": "detect", "score_value": "minimal", "related_score": "T1218", "comments": "Google Security Ops is able to trigger an alert based on using MSHTA to call a remote HTML application on Windows (e.g., \"mshta.+http\").\n\nThis technique was scored as minimal based on low or uncertain detection coverage factor.\n\nhttps://github.com/chronicle/detection-rules/blob/783e0e5947774785db1c55041b70176deeca6f46/mitre_attack/T1218_005_windows_mshta_remote_usage.yaral\n\nhttps://github.com/chronicle/detection-rules/blob/783e0e5947774785db1c55041b70176deeca6f46/soc_prime_rules/ioc_sigma/windows/mshta_spwaned_by_svchost_as_seen_in_lethalhta__sysmon.yaral", "references": ["https://cloud.google.com/security/products/security-operations", "https://cloud.google.com/chronicle/docs/secops/secops-overview", "https://github.com/chronicle/detection-rules"]}, {"capability_id": "google_secops", "capability_description": "Google Security Operations", 
"mapping_type": "technique_scores", "attack_object_id": "T1218.010", "attack_object_name": "Regsvr32", "capability_group": "google_secops", "score_category": "detect", "score_value": "minimal", "related_score": "T1218", "comments": "Google Security Ops is able to trigger an alert based on suspicious behavior in Windows with the use of regsvr32.exe and a possible fileless attack via this executable.\n\nThis technique was scored as minimal based on low or uncertain detection coverage factor.\n\nhttps://github.com/chronicle/detection-rules/blob/783e0e5947774785db1c55041b70176deeca6f46/soc_prime_rules/threat_hunting/windows/ole_controls_registered_via_regsvr32_exe__sysmon_behavior.yaral\n\nhttps://github.com/chronicle/detection-rules/blob/783e0e5947774785db1c55041b70176deeca6f46/soc_prime_rules/ioc_sigma/process_creation/fileless_attack_via_regsvr32_exe.yaral", "references": ["https://cloud.google.com/security/products/security-operations", "https://cloud.google.com/chronicle/docs/secops/secops-overview", "https://github.com/chronicle/detection-rules"]}, {"capability_id": "cloud_ngfw", "capability_description": "Cloud Next-Generation Firewall (NGFW)_", "mapping_type": "technique_scores", "attack_object_id": "T1219", "attack_object_name": "Remote Access Software", "capability_group": "cloud_ngfw", "score_category": "protect", "score_value": "partial", "comments": "Cloud NGFW can allow or deny traffic based on the traffic's protocol, destination ports, sources, and destinations. This functionality can be used to only allow remote access software from trusted hosts (i.e., only allow remote access traffic from certain hosts). 
This mapping is given a score of Partial because even though it can restrict remote access software traffic from untrusted hosts, it cannot protect against an adversary using a trusted host that is permitted to use remote access software as part of an attack.", "references": ["https://cloud.google.com/firewalls"]}, {"capability_id": "cloud_ids", "capability_description": "Cloud IDS", "mapping_type": "technique_scores", "attack_object_id": "T1221", "attack_object_name": "Template Injection", "capability_group": "cloud_ids", "score_category": "detect", "score_value": "significant", "comments": "Often used by adversaries to establish persistence, Palo Alto Network's antivirus signatures is able to detect malware found in executables and Microsoft Office file templates (e.g., DOC, DOCX, RTF, XLS, XLSX, PPT, PPTX).\n\nAlthough there are ways an attacker could modify the known attack signature to avoid detection, this technique was scored as significant based on  Palo Alto Network's advanced threat detection technology which constantly updates to detect against the latest known variations of these attacks.", "references": ["https://cloud.google.com/intrusion-detection-system", "https://docs.paloaltonetworks.com/pan-os/10-0/pan-os-admin/threat-prevention/threat-signatures"]}, {"capability_id": "policy_intelligence", "capability_description": "Policy Intelligence", "mapping_type": "technique_scores", "attack_object_id": "T1222", "attack_object_name": "File and Directory Permissions Modification", "capability_group": "policy_intelligence", "score_category": "protect", "score_value": "partial", "comments": "Adversaries may modify file or directory permissions/attributes to evade access control lists (ACLs) and access protected files. 
Enforcing the principle of least privilege through Policy Intelligence role recommendations generated by IAM Recommender helps admins identify and remove excess permissions from users' principals, improving their resources' security configurations.", "references": ["https://cloud.google.com/policy-intelligence"]}, {"capability_id": "google_secops", "capability_description": "Google Security Operations", "mapping_type": "technique_scores", "attack_object_id": "T1484", "attack_object_name": "Domain or Tenant Policy Modification", "capability_group": "google_secops", "score_category": "detect", "score_value": "minimal", "comments": "Google Security Ops is able to trigger an alert based on suspicious system events, such as modifications to Windows password policies (event ID 643 or 4739). \n\nThis technique was scored as minimal based on low or uncertain detection coverage factor.\n\nhttps://github.com/chronicle/detection-rules/blob/783e0e5947774785db1c55041b70176deeca6f46/soc_prime_rules/threat_hunting/windows/detect_windows_password_policy_changes.yaral", "references": ["https://cloud.google.com/security/products/security-operations", "https://cloud.google.com/chronicle/docs/secops/secops-overview", "https://github.com/chronicle/detection-rules"]}, {"capability_id": "security_command_center", "capability_description": "Security Command Center", "mapping_type": "technique_scores", "attack_object_id": "T1484", "attack_object_name": "Domain or Tenant Policy Modification", "capability_group": "security_command_center", "score_category": "detect", "score_value": "significant", "comments": "SCC ingests admin activity from Cloud Audit logs to detect when an external member is added to a privileged group with sensitive permissions or roles. This security solution protects against adversary-created accounts used to establish or maintain persistence. 
Because of the temporal factor to detect this attack, the control was graded as significant.", "references": ["https://cloud.google.com/security-command-center/docs/concepts-security-command-center-overview", "https://github.com/GoogleCloudPlatform/security-analytics"]}, {"capability_id": "backup_and_dr_actifiogo", "capability_description": "Backup and DR-Actifio GO", "mapping_type": "technique_scores", "attack_object_id": "T1485", "attack_object_name": "Data Destruction", "capability_group": "backup_and_dr_actifiogo", "score_category": "respond", "score_value": "significant", "comments": "Backup and DR-Actifio GO is a copy data management platform that virtualizes application data to improve an organization's resiliency and cloud mobility. This capability allows an organization to take regular backups and provides several methods of restoring applications and/or VM data to a previous state. This provides significant ability to respond to a Data Destruction event since an organization could easily restore lost data back to the latest backup.", "references": ["https://cloud.google.com/backup-disaster-recovery/docs/configuration/cbb", "https://cloud.google.com/backup-disaster-recovery"]}, {"capability_id": "backup_and_dr_actifiogo", "capability_description": "Backup and DR-Actifio GO", "mapping_type": "technique_scores", "attack_object_id": "T1486", "attack_object_name": "Data Encrypted for Impact", "capability_group": "backup_and_dr_actifiogo", "score_category": "respond", "score_value": "significant", "comments": "Backup and DR-Actifio GO is a copy data management platform that virtualizes application data to improve an organization's resiliency and cloud mobility. This capability allows an organization to take regular backups and provides several methods of restoring applications and/or VM data to a previous state. 
This provides significant ability to respond to an adversary maliciously encrypting system data since an organization could restore data back to the latest backup.", "references": ["https://cloud.google.com/backup-disaster-recovery/docs/configuration/cbb", "https://cloud.google.com/backup-disaster-recovery"]}, {"capability_id": "google_secops", "capability_description": "Google Security Operations", "mapping_type": "technique_scores", "attack_object_id": "T1486", "attack_object_name": "Data Encrypted for Impact", "capability_group": "google_secops", "score_category": "detect", "score_value": "minimal", "comments": "Google Security Ops is able to trigger an alert based on suspicious events related to ransomware campaigns (e.g., $selection.target.file.md5 = \"0c3ef20ede53efbe5eebca50171a589731a17037147102838bdb4a41c33f94e5\").\n\nThis technique was scored as minimal based on low or uncertain detection coverage factor.\n\nhttps://github.com/chronicle/detection-rules/blob/783e0e5947774785db1c55041b70176deeca6f46/soc_prime_rules/ioc_sigma/sysmon/darkgate_cryptocurrency_mining_and_ransomware_campaign__sysmon.yaral\n\nhttps://github.com/chronicle/detection-rules/blob/783e0e5947774785db1c55041b70176deeca6f46/soc_prime_rules/ioc_sigma/windows/formbook_malware__sysmon.yaral", "references": ["https://cloud.google.com/security/products/security-operations", "https://cloud.google.com/chronicle/docs/secops/secops-overview", "https://github.com/chronicle/detection-rules"]}, {"capability_id": "backup_and_dr_actifiogo", "capability_description": "Backup and DR-Actifio GO", "mapping_type": "technique_scores", "attack_object_id": "T1490", "attack_object_name": "Inhibit System Recovery", "capability_group": "backup_and_dr_actifiogo", "score_category": "respond", "score_value": "significant", "comments": "Backup and DR-Actifio GO is a copy data management plaform that virtualizes application data to improve an organizations resiliency and cloud mobility. 
This capability allows an organization to take regular backups and provides several methods of restoring applications and/or VM data to a previous state. This provides significant ability to respond to an adversary deleting or removing built-in operating system data and services since an organization could restore the system and services back to the latest backup.", "references": ["https://cloud.google.com/backup-disaster-recovery/docs/configuration/cbb", "https://cloud.google.com/backup-disaster-recovery"]}, {"capability_id": "backup_and_dr_actifiogo", "capability_description": "Backup and DR-Actifio GO", "mapping_type": "technique_scores", "attack_object_id": "T1491", "attack_object_name": "Defacement", "capability_group": "backup_and_dr_actifiogo", "score_category": "respond", "score_value": "significant", "comments": "Backup and DR-Actifio GO is a copy data management platform that virtualizes application data to improve an organization's resiliency and cloud mobility. This capability allows an organization to take regular backups and provides several methods of restoring applications and/or VM data to a previous state. 
This provides significant ability to respond to Defacement since an organization could easily restore defaced images back to the latest backup.", "references": ["https://cloud.google.com/backup-disaster-recovery/docs/configuration/cbb", "https://cloud.google.com/backup-disaster-recovery"]}, {"capability_id": "google_secops", "capability_description": "Google Security Operations", "mapping_type": "technique_scores", "attack_object_id": "T1495", "attack_object_name": "Firmware Corruption", "capability_group": "google_secops", "score_category": "detect", "score_value": "minimal", "comments": "Google Security Ops is able to trigger an alert based on suspicious logs that could indicate tampering with the component's firmware (e.g., detects driver load from a temporary directory).\n\nThis technique was scored as minimal based on low or uncertain detection coverage factor.\n\nhttps://github.com/chronicle/detection-rules/blob/783e0e5947774785db1c55041b70176deeca6f46/soc_prime_rules/threat_hunting/windows/suspicious_driver_load_from_temp.yaral", "references": ["https://cloud.google.com/security/products/security-operations", "https://cloud.google.com/chronicle/docs/secops/secops-overview", "https://github.com/chronicle/detection-rules"]}, {"capability_id": "security_command_center", "capability_description": "Security Command Center", "mapping_type": "technique_scores", "attack_object_id": "T1496", "attack_object_name": "Resource Hijacking", "capability_group": "security_command_center", "score_category": "detect", "score_value": "significant", "comments": "SCC detects compromised hosts that attempt to connect to known malicious crypto-mining domains and IP addresses. 
Because of the near-real time temporal factor to detect against this cyber-attack the control was graded as significant.", "references": ["https://cloud.google.com/security-command-center/docs/concepts-security-command-center-overview", "https://github.com/GoogleCloudPlatform/security-analytics"]}, {"capability_id": "google_secops", "capability_description": "Google Security Operations", "mapping_type": "technique_scores", "attack_object_id": "T1497", "attack_object_name": "Virtualization/Sandbox Evasion", "capability_group": "google_secops", "score_category": "detect", "score_value": "minimal", "comments": "Google Security Ops is able to trigger an alert based off suspicious system events that may indicate an adversary's attempt to check for the presence of security tools (e.g., Sysinternals).\n\nThis technique was scored as minimal based on low or uncertain detection coverage factor.\n\nhttps://github.com/chronicle/detection-rules/blob/783e0e5947774785db1c55041b70176deeca6f46/soc_prime_rules/threat_hunting/windows/usage_of_sysinternals_tools.yaral", "references": ["https://cloud.google.com/security/products/security-operations", "https://cloud.google.com/chronicle/docs/secops/secops-overview", "https://github.com/chronicle/detection-rules"]}, {"capability_id": "cloud_armor", "capability_description": "Cloud Armor", "mapping_type": "technique_scores", "attack_object_id": "T1498", "attack_object_name": "Network Denial of Service", "capability_group": "cloud_armor", "score_category": "protect", "score_value": "significant", "comments": "Google Cloud Armor provides always-on DDoS protection against network or protocol-based volumetric DDoS attacks. It allows users to allow/deny traffic at the Google Cloud edge, closest to the source of traffic. 
This prevents unwelcome traffic from consuming resources.", "references": ["https://cloud.google.com/armor"]}, {"capability_id": "cloud_cdn", "capability_description": "Cloud CDN", "mapping_type": "technique_scores", "attack_object_id": "T1498", "attack_object_name": "Network Denial of Service", "capability_group": "cloud_cdn", "score_category": "protect", "score_value": "partial", "comments": "Cloud CDN acts as a proxy between clients and origin servers. Cloud CDN can distribute requests for cacheable content across multiple points-of-presence (POPs), thereby providing a larger set of locations to absorb a DOS attack.\n\nHowever, Cloud CDN doesn't provide protection against DOS attacks for uncached content.", "references": ["https://cloud.google.com/cdn/docs/overview"]}, {"capability_id": "cloud_ngfw", "capability_description": "Cloud Next-Generation Firewall (NGFW)_", "mapping_type": "technique_scores", "attack_object_id": "T1498", "attack_object_name": "Network Denial of Service", "capability_group": "cloud_ngfw", "score_category": "protect", "score_value": "minimal", "comments": "Cloud NGFW can allow or deny traffic based on the traffic's protocol, destination ports, sources, and destinations. This functionality can be used to block the sources of smaller-scale network denial of service attacks. 
While Cloud NGFW supports both sub-techniques (2 of 2), this mapping is given a score of Minimal because oftentimes it is necessary to block the traffic at an Internet Service Provider or Content Provider Network level.", "references": ["https://cloud.google.com/firewalls"]}, {"capability_id": "cloud_armor", "capability_description": "Cloud Armor", "mapping_type": "technique_scores", "attack_object_id": "T1499", "attack_object_name": "Endpoint Denial of Service", "capability_group": "cloud_armor", "score_category": "protect", "score_value": "significant", "comments": "Google Cloud Armor provides always-on DDoS protection against network or protocol-based volumetric DDoS attacks. It allows users to allow/deny traffic at the Google Cloud edge, closest to the source of traffic. This prevents unwelcome traffic from consuming resources.", "references": ["https://cloud.google.com/armor"]}, {"capability_id": "cloud_ids", "capability_description": "Cloud IDS", "mapping_type": "technique_scores", "attack_object_id": "T1499", "attack_object_name": "Endpoint Denial of Service", "capability_group": "cloud_ids", "score_category": "detect", "score_value": "significant", "comments": "Often used by adversaries to affect availability and deprive legitimate user access, Palo Alto Network's vulnerability signatures are able to detect denial-of-service (DoS) attacks that attempt to render a target system unavailable by flooding the resources with traffic.\n\nThis technique was scored as significant based on Palo Alto Network's advanced threat detection technology which constantly updates to detect against a variety of denial-of-service attacks.", "references": ["https://cloud.google.com/intrusion-detection-system", "https://docs.paloaltonetworks.com/pan-os/10-0/pan-os-admin/threat-prevention/threat-signatures"]}, {"capability_id": "cloud_ngfw", "capability_description": "Cloud Next-Generation Firewall (NGFW)_", "mapping_type": "technique_scores", "attack_object_id": "T1499", 
"attack_object_name": "Endpoint Denial of Service", "capability_group": "cloud_ngfw", "score_category": "protect", "score_value": "partial", "comments": "Cloud NGFW can allow or deny traffic based on the traffic's protocol, destination ports, sources, and destinations. This functionality can be used to block adversaries from carrying out denial of service attacks by implementing restrictions on which IP addresses and domains can access the resources (e.g., allow lists) as well as which protocol traffic is permitted. That is, Cloud NGFW could block the source of the denial-of-service attack. This mapping is given a score of Partial because it only supports a subset of the sub-techniques (3 of 4) and because the source of the attack would have to be known before rules could be put in place to protect against it.", "references": ["https://cloud.google.com/firewalls"]}, {"capability_id": "cloud_ids", "capability_description": "Cloud IDS", "mapping_type": "technique_scores", "attack_object_id": "T1499.003", "attack_object_name": "Application Exhaustion Flood", "capability_group": "cloud_ids", "score_category": "detect", "score_value": "significant", "related_score": "T1499", "comments": "Often used by adversaries to affect availability and deprive legitimate user access, Palo Alto Network's vulnerability signatures are able to detect denial-of-service (DoS) attacks that attempt to crash a target system by flooding it with application traffic.\n\nThis technique was scored as significant based on  Palo Alto Network's advanced threat detection technology which constantly updates to detect against variations of these cyber-attacks.", "references": ["https://cloud.google.com/intrusion-detection-system", "https://docs.paloaltonetworks.com/pan-os/10-0/pan-os-admin/threat-prevention/threat-signatures"]}, {"capability_id": "google_secops", "capability_description": "Google Security Operations", "mapping_type": "technique_scores", "attack_object_id": "T1505", 
"attack_object_name": "Server Software Component", "capability_group": "google_secops", "score_category": "detect", "score_value": "minimal", "comments": "Google Security Ops is able to trigger alerts based off suspicious events and command line arguments that could indicate an adversary tampering with system components.\n\nThis technique was scored as minimal based on low or uncertain detection coverage factor.\n\nhttps://github.com/chronicle/detection-rules/blob/783e0e5947774785db1c55041b70176deeca6f46/soc_prime_rules/threat_hunting/sysmon/detection_of_com_hijacking.yaral", "references": ["https://cloud.google.com/security/products/security-operations", "https://cloud.google.com/chronicle/docs/secops/secops-overview", "https://github.com/chronicle/detection-rules"]}, {"capability_id": "security_command_center", "capability_description": "Security Command Center", "mapping_type": "technique_scores", "attack_object_id": "T1505.001", "attack_object_name": "SQL Stored Procedures", "capability_group": "security_command_center", "score_category": "detect", "score_value": "significant", "related_score": "T1505", "comments": "SCC ingests MySQL/PostgreSQL/SQL Server data access logs to track cloud sql instances that are backed-up outside the organization. This security solution detects potential database exfiltration attacks that were attempted and completed to an external resource. 
Because of the near-real time temporal factor this control was graded as significant.", "references": ["https://cloud.google.com/security-command-center/docs/concepts-security-command-center-overview", "https://github.com/GoogleCloudPlatform/security-analytics"]}, {"capability_id": "cloud_ids", "capability_description": "Cloud IDS", "mapping_type": "technique_scores", "attack_object_id": "T1505.003", "attack_object_name": "Web Shell", "capability_group": "cloud_ids", "score_category": "detect", "score_value": "significant", "related_score": "T1505", "comments": "Often used by adversaries to establish persistence, Palo Alto Network's threat signatures is able to detect programs that use an internet connection to provide remote access to a compromised internal system.\n\nAlthough there are multiple ways an attacker could establish unauthorized remote access to a compromised system, this technique was scored as significant based on Palo Alto Network's advanced threat detection technology which constantly updates to detect against variations of these cyber-attacks.", "references": ["https://cloud.google.com/intrusion-detection-system", "https://docs.paloaltonetworks.com/pan-os/10-0/pan-os-admin/threat-prevention/threat-signatures"]}, {"capability_id": "google_secops", "capability_description": "Google Security Operations", "mapping_type": "technique_scores", "attack_object_id": "T1505.003", "attack_object_name": "Web Shell", "capability_group": "google_secops", "score_category": "detect", "score_value": "minimal", "related_score": "T1505", "comments": "Google Security Ops triggers an alert based on webshell connections which are used to establish persistent access to a compromised machine [backdoor]. 
\n\nFor example: Detect webshell dropped into a keystore folder on the WebLogic server (`.*/config/keystore/.*\\.js.*).\n\nThis technique was scored as minimal based on low or uncertain detection coverage factor.\n\nhttps://github.com/chronicle/detection-rules/blob/783e0e5947774785db1c55041b70176deeca6f46/soc_prime_rules/proactive_exploit_detection/webserver/oracle_weblogic_exploit.yaral", "references": ["https://cloud.google.com/security/products/security-operations", "https://cloud.google.com/chronicle/docs/secops/secops-overview", "https://github.com/chronicle/detection-rules"]}, {"capability_id": "security_command_center", "capability_description": "Security Command Center", "mapping_type": "technique_scores", "attack_object_id": "T1505.003", "attack_object_name": "Web Shell", "capability_group": "security_command_center", "score_category": "detect", "score_value": "significant", "related_score": "T1505", "comments": "SCC is able to detect attackers communicating with a compromised workload from a remote system (e.g., \"web shell\"). Because of the high threat detection coverage and near-real time temporal factor this control was graded as significant.", "references": ["https://cloud.google.com/security-command-center/docs/concepts-security-command-center-overview", "https://github.com/GoogleCloudPlatform/security-analytics"]}, {"capability_id": "binary_authorization", "capability_description": "Binary Authorization", "mapping_type": "technique_scores", "attack_object_id": "T1525", "attack_object_name": "Implant Internal Image", "capability_group": "binary_authorization", "score_category": "protect", "score_value": "significant", "comments": "Each image has a signer digitally sign using a private key. 
At deploy time, the enforcer uses the attester's public key to verify the signature in the attestation.", "references": ["https://cloud.google.com/binary-authorization/docs/overview", "https://cloud.google.com/binary-authorization/docs/attestations"]}, {"capability_id": "gke_enterprise", "capability_description": "GKE Enterprise", "mapping_type": "technique_scores", "attack_object_id": "T1525", "attack_object_name": "Implant Internal Image", "capability_group": "gke_enterprise", "score_category": "protect", "score_value": "partial", "comments": "GKE Enterprise incorporates the Anthos Config Management feature to prevent configuration drift with continuous monitoring of your cluster state, using the declarative model to apply policies that enforce compliance. This control can periodically check the integrity of images and containers used in cloud deployments to ensure that adversaries cannot implant malicious code to gain access to an environment. ", "references": ["https://cloud.google.com/kubernetes-engine/enterprise/docs"]}, {"capability_id": "google_kubernetes_engine", "capability_description": "Google Kubernetes Engine", "mapping_type": "technique_scores", "attack_object_id": "T1525", "attack_object_name": "Implant Internal Image", "capability_group": "google_kubernetes_engine", "score_category": "detect", "score_value": "partial", "comments": "After scanning for vulnerabilities, this control may alert personnel of tampered container images that could be running in a Kubernetes cluster.", "references": ["https://cloud.google.com/kubernetes-engine/docs/concepts/access-control", "https://cloud.google.com/kubernetes-engine/docs/concepts/cis-benchmarks#how_to_audit_benchmarks"]}, {"capability_id": "security_command_center", "capability_description": "Security Command Center", "mapping_type": "technique_scores", "attack_object_id": "T1525", "attack_object_name": "Implant Internal Image", "capability_group": "security_command_center", "score_category": "detect", 
"score_value": "significant", "comments": "SCC is able to detect modifications that were not part of the original container image. Because of the high threat detection coverage and near-real time temporal factor this control was graded as significant.", "references": ["https://cloud.google.com/security-command-center/docs/concepts-security-command-center-overview", "https://github.com/GoogleCloudPlatform/security-analytics"]}, {"capability_id": "cloud_key_management", "capability_description": "Cloud Key Management", "mapping_type": "technique_scores", "attack_object_id": "T1528", "attack_object_name": "Steal Application Access Token", "capability_group": "cloud_key_management", "score_category": "protect", "score_value": "partial", "comments": "Provides protection against attackers stealing application access tokens if they are stored within Cloud KMS.", "references": ["https://cloud.google.com/security-key-management"]}, {"capability_id": "identity_aware_proxy", "capability_description": "Identity Aware Proxy", "mapping_type": "technique_scores", "attack_object_id": "T1528", "attack_object_name": "Steal Application Access Token", "capability_group": "identity_aware_proxy", "score_category": "protect", "score_value": "minimal", "comments": "This control may mitigate application access token theft if the application is configured to retrieve temporary security credentials using an IAM role.", "references": ["https://cloud.google.com/iap"]}, {"capability_id": "identity_aware_proxy", "capability_description": "Identity Aware Proxy", "mapping_type": "technique_scores", "attack_object_id": "T1528", "attack_object_name": "Steal Application Access Token", "capability_group": "identity_aware_proxy", "score_category": "detect", "score_value": "partial", "comments": "This control can detect potentially malicious applications.", "references": ["https://cloud.google.com/iap"]}, {"capability_id": "identity_platform", "capability_description": "Identity Platform", "mapping_type": 
"technique_scores", "attack_object_id": "T1528", "attack_object_name": "Steal Application Access Token", "capability_group": "identity_platform", "score_category": "protect", "score_value": "minimal", "comments": "Identity Platform integrates tightly with Google Cloud services, and it leverages industry standards like OAuth 2.0 and OpenID Connect, so it can be easily integrated with your custom backend. This control may mitigate application access token theft if the application is configured to retrieve temporary security credentials using an IAM role.", "references": ["https://cloud.google.com/identity-platform/docs/concepts"]}, {"capability_id": "secret_manager", "capability_description": "Secret Manager", "mapping_type": "technique_scores", "attack_object_id": "T1528", "attack_object_name": "Steal Application Access Token", "capability_group": "secret_manager", "score_category": "protect", "score_value": "partial", "comments": "This control can provide protection against attackers stealing application access tokens if they are stored within Secret Manager. Secret Manager significantly raises the bar for access of stored tokens by requiring legitimate credentials with proper authorization. Applications may have to be modified to take advantage of Secret Manager and may not always be possible to utilize. ", "references": ["https://cloud.google.com/secret-manager/docs/overview"]}, {"capability_id": "access_transparency", "capability_description": "Access Transparency", "mapping_type": "technique_scores", "attack_object_id": "T1530", "attack_object_name": "Data from Cloud Storage", "capability_group": "access_transparency", "score_category": "detect", "score_value": "minimal", "comments": "Access Transparency provides visibility into Google's access to customer data in the form of audit logs. 
This may expose and detect malicious access of data from cloud storage by compromised Google personnel accounts.", "references": ["https://cloud.google.com/cloud-provider-access-management/access-transparency/docs/overview"]}, {"capability_id": "advanced_protection_program", "capability_description": "Advanced Protection Program", "mapping_type": "technique_scores", "attack_object_id": "T1530", "attack_object_name": "Data from Cloud Storage", "capability_group": "advanced_protection_program", "score_category": "protect", "score_value": "significant", "comments": "Advanced Protection Program enables the use of a security key for multi-factor authentication. Restricting access via MFA provides significant protection against adversaries accessing data objects from cloud storage.\n", "references": ["https://landing.google.com/advancedprotection/"]}, {"capability_id": "chrome_enterprise_premium", "capability_description": "Chrome Enterprise Premium", "mapping_type": "technique_scores", "attack_object_id": "T1530", "attack_object_name": "Data from Cloud Storage", "capability_group": "chrome_enterprise_premium", "score_category": "protect", "score_value": "significant", "comments": "Chrome Enterprise Premium Access Context Manager allows organizations to manage and control access to sensitive content and applications based on user identity, device context, and other factors, essentially acting as a cloud-based content access manager with granular control capabilities.", "references": ["https://cloud.google.com/beyondcorp-enterprise/docs/overview"]}, {"capability_id": "cloud_ngfw", "capability_description": "Cloud Next-Generation Firewall (NGFW)_", "mapping_type": "technique_scores", "attack_object_id": "T1530", "attack_object_name": "Data from Cloud Storage", "capability_group": "cloud_ngfw", "score_category": "protect", "score_value": "partial", "comments": "Cloud NGFW can allow or deny traffic based on the traffic's protocol, destination ports, sources, and 
destinations. This functionality can be used to block adversaries from accessing resources such as cloud storage objects by implementing restrictions on which IP addresses and domains can access the resources (e.g., allow lists). However, since cloud storage objects are located outside the virtual private cloud that Cloud NGFW protects, the mapping is only given a score of Partial.", "references": ["https://cloud.google.com/firewalls"]}, {"capability_id": "cloud_storage", "capability_description": "Cloud Storage", "mapping_type": "technique_scores", "attack_object_id": "T1530", "attack_object_name": "Data from Cloud Storage", "capability_group": "cloud_storage", "score_category": "protect", "score_value": "significant", "comments": "The cloud service provider's default encryption setting for data stored and written to disk in the cloud may protect against an adversary's attempt to access data from improperly secured cloud storage. This technique was rated as significant due to the high protect coverage factor.", "references": ["https://cloud.google.com/storage/docs/encryption", "https://cloud.google.com/storage"]}, {"capability_id": "google_secops", "capability_description": "Google Security Operations", "mapping_type": "technique_scores", "attack_object_id": "T1530", "attack_object_name": "Data from Cloud Storage", "capability_group": "google_secops", "score_category": "detect", "score_value": "minimal", "comments": "Google Security Ops is able to trigger an alert to notify personnel of GCP resources (e.g., storage buckets) that are publicly accessible to unauthenticated users. 
\n\nThis technique was scored as minimal based on low or uncertain detection coverage factor.\n\nhttps://github.com/chronicle/detection-rules/blob/main/gcp_cloudaudit/gcp_gcs_public_accessible.yaral", "references": ["https://cloud.google.com/security/products/security-operations", "https://cloud.google.com/chronicle/docs/secops/secops-overview", "https://github.com/chronicle/detection-rules"]}, {"capability_id": "policy_intelligence", "capability_description": "Policy Intelligence", "mapping_type": "technique_scores", "attack_object_id": "T1530", "attack_object_name": "Data from Cloud Storage", "capability_group": "policy_intelligence", "score_category": "protect", "score_value": "partial", "comments": "Policy Intelligence role recommendations generated by IAM Recommender can compare the permissions that each principal used during the past 90 days with the total permissions the principal has. This can be used to limit the permissions associated with creating and modifying platform images or containers that adversaries may try to access.", "references": ["https://cloud.google.com/policy-intelligence"]}, {"capability_id": "policy_intelligence", "capability_description": "Policy Intelligence", "mapping_type": "technique_scores", "attack_object_id": "T1530", "attack_object_name": "Data from Cloud Storage", "capability_group": "policy_intelligence", "score_category": "detect", "score_value": "minimal", "comments": "Adversaries may attempt to implant cloud or container images with malicious code to gain access to an environment. 
The IAM audit logs provide data access and activity records that show who has accessed certain resources.", "references": ["https://cloud.google.com/policy-intelligence"]}, {"capability_id": "security_command_center", "capability_description": "Security Command Center", "mapping_type": "technique_scores", "attack_object_id": "T1530", "attack_object_name": "Data from Cloud Storage", "capability_group": "security_command_center", "score_category": "detect", "score_value": "partial", "comments": "SCC detects suspicious activity when accessing cloud storage objects (e.g., new IPs accessing storage objects or enumeration from unfamiliar user identities). Because of the real time temporal factor when detecting access to secure storage objects this control was graded as partial.", "references": ["https://cloud.google.com/security-command-center/docs/concepts-security-command-center-overview", "https://github.com/GoogleCloudPlatform/security-analytics"]}, {"capability_id": "sensitive_data_protection", "capability_description": "Sensitive Data Protection ", "mapping_type": "technique_scores", "attack_object_id": "T1530", "attack_object_name": "Data from Cloud Storage", "capability_group": "sensitive_data_protection", "score_category": "protect", "score_value": "partial", "comments": "This control is able to scan cloud storage objects for sensitive data and transform that data into a secure or nonsensitive form. It is able to scan for a variety of common sensitive data types, such as API keys, credentials, or credit card numbers. This control is able to be scheduled daily, weekly, etc., and can scan new changes to data. This control is able to scan Google Cloud Storage, BigQuery tables, and Datastore. 
", "references": ["https://cloud.google.com/sensitive-data-protection/docs"]}, {"capability_id": "vpc_service_controls", "capability_description": "VPC Service Controls", "mapping_type": "technique_scores", "attack_object_id": "T1530", "attack_object_name": "Data from Cloud Storage", "capability_group": "vpc_service_controls", "score_category": "protect", "score_value": "significant", "comments": "This control may mitigate against access to cloud storage objects by limiting access to accounts and services contained within the VPC network perimeter that contains those cloud storage objects. ", "references": ["https://cloud.google.com/vpc-service-controls/docs/overview"]}, {"capability_id": "vpc_service_controls", "capability_description": "VPC Service Controls", "mapping_type": "technique_scores", "attack_object_id": "T1537", "attack_object_name": "Transfer Data to Cloud Account", "capability_group": "vpc_service_controls", "score_category": "protect", "score_value": "significant", "comments": "This control may mitigate against exfiltration attempts to external cloud accounts by limiting egress of data from accounts and services contained within the VPC network perimeter. 
", "references": ["https://cloud.google.com/vpc-service-controls/docs/overview"]}, {"capability_id": "policy_intelligence", "capability_description": "Policy Intelligence", "mapping_type": "technique_scores", "attack_object_id": "T1538", "attack_object_name": "Cloud Service Dashboard", "capability_group": "policy_intelligence", "score_category": "protect", "score_value": "partial", "comments": "This control may limit the number of users that have privileges to discover cloud infrastructure and may limit the discovery value of the dashboard in the event of a compromised account.", "references": ["https://cloud.google.com/policy-intelligence"]}, {"capability_id": "cloud_ngfw", "capability_description": "Cloud Next-Generation Firewall (NGFW)_", "mapping_type": "technique_scores", "attack_object_id": "T1542", "attack_object_name": "Pre-OS Boot", "capability_group": "cloud_ngfw", "score_category": "protect", "score_value": "minimal", "comments": "Cloud NGFW can allow or deny traffic based on the traffic's protocol, destination ports, sources, and destinations. This functionality can be used to block traffic over known TFTP ports. This mapping is given a score of Minimal because Cloud NGFW only supports a subset of sub-techniques (1 of 5) and does nothing to protect against TFTP booting among hosts within the network and behind the firewall.", "references": ["https://cloud.google.com/firewalls"]}, {"capability_id": "security_command_center", "capability_description": "Security Command Center", "mapping_type": "technique_scores", "attack_object_id": "T1542", "attack_object_name": "Pre-OS Boot", "capability_group": "security_command_center", "score_category": "detect", "score_value": "significant", "comments": "SCC is able to detect when secure boot is not enabled. Adversaries may use this weakness to abuse pre-boot mechanisms and persist on compromised systems. 
This technique was graded as significant due to the high detect coverage and near real-time temporal factor.", "references": ["https://cloud.google.com/security-command-center/docs/concepts-security-command-center-overview", "https://github.com/GoogleCloudPlatform/security-analytics"]}, {"capability_id": "shielded_vm", "capability_description": "Shielded VM", "mapping_type": "technique_scores", "attack_object_id": "T1542", "attack_object_name": "Pre-OS Boot", "capability_group": "shielded_vm", "score_category": "protect", "score_value": "significant", "comments": "This control is able to mitigate malicious modification of any portion of the pre-os boot process through a combination of Secure Boot to verify signatures of firmware, Measured Boot to establish a known good boot baseline, and Integrity Monitoring to measure subsequent boots to previously established baselines. ", "references": ["https://cloud.google.com/compute/shielded-vm/docs/shielded-vm"]}, {"capability_id": "security_command_center", "capability_description": "Security Command Center", "mapping_type": "technique_scores", "attack_object_id": "T1542.003", "attack_object_name": "Bootkit", "capability_group": "security_command_center", "score_category": "detect", "score_value": "significant", "related_score": "T1542", "comments": "SCC is able to detect when secure boot is not enabled. Adversaries may use this weakness to abuse pre-boot mechanisms and persist on compromised systems (e.g., bootkit). 
This technique was graded as significant due to the high detect coverage and near real-time temporal factor.", "references": ["https://cloud.google.com/security-command-center/docs/concepts-security-command-center-overview", "https://github.com/GoogleCloudPlatform/security-analytics"]}, {"capability_id": "google_secops", "capability_description": "Google Security Operations", "mapping_type": "technique_scores", "attack_object_id": "T1543", "attack_object_name": "Create or Modify System Process", "capability_group": "google_secops", "score_category": "detect", "score_value": "minimal", "comments": "Google Security Ops is able to trigger an alert based on creation or modification to system-level processes on Windows machines.\n\nhttps://github.com/chronicle/detection-rules/blob/783e0e5947774785db1c55041b70176deeca6f46/soc_prime_rules/threat_hunting/process_creation/suspicious_process_creation.yaral", "references": ["https://cloud.google.com/security/products/security-operations", "https://cloud.google.com/chronicle/docs/secops/secops-overview", "https://github.com/chronicle/detection-rules"]}, {"capability_id": "google_secops", "capability_description": "Google Security Operations", "mapping_type": "technique_scores", "attack_object_id": "T1543.001", "attack_object_name": "Launch Agent", "capability_group": "google_secops", "score_category": "detect", "score_value": "minimal", "related_score": "T1543", "comments": "Google Security Ops is able to trigger an alert based on  property list files scheduled to automatically execute upon startup on macOS platforms (e.g., \"`/Library/LaunchAgents/`\").\n\nhttps://github.com/chronicle/detection-rules/blob/783e0e5947774785db1c55041b70176deeca6f46/mitre_attack/T1543_001_macos_launch_agent.yaral", "references": ["https://cloud.google.com/security/products/security-operations", "https://cloud.google.com/chronicle/docs/secops/secops-overview", "https://github.com/chronicle/detection-rules"]}, {"capability_id": "google_secops", 
"capability_description": "Google Security Operations", "mapping_type": "technique_scores", "attack_object_id": "T1543.003", "attack_object_name": "Windows Service", "capability_group": "google_secops", "score_category": "detect", "score_value": "minimal", "related_score": "T1543", "comments": "Google Security Ops is able to trigger an alert based on system process modifications to existing Windows services which could indicate a malicious payload (e.g., \"C:\\\\Windows\\\\System32\\\\sc.exe\", \"C:\\\\Windows\\\\System32\\\\cmd.exe\"). \n\nThis technique was scored as minimal based on low or uncertain detection coverage factor.\n\nhttps://github.com/chronicle/detection-rules/blob/783e0e5947774785db1c55041b70176deeca6f46/soc_prime_rules/threat_hunting/windows/underminer_exploit_kit_delivers_malware.yaral", "references": ["https://cloud.google.com/security/products/security-operations", "https://cloud.google.com/chronicle/docs/secops/secops-overview", "https://github.com/chronicle/detection-rules"]}, {"capability_id": "google_secops", "capability_description": "Google Security Operations", "mapping_type": "technique_scores", "attack_object_id": "T1543.004", "attack_object_name": "Launch Daemon", "capability_group": "google_secops", "score_category": "detect", "score_value": "minimal", "related_score": "T1543", "comments": "Google Security Ops is able to trigger an alert based on  plist files scheduled to automatically execute upon startup on macOS platforms (e.g., \"/Library/LaunchDaemons/\").\n\nThis technique was scored as minimal based on low or uncertain detection coverage factor.\n\nhttps://github.com/chronicle/detection-rules/blob/783e0e5947774785db1c55041b70176deeca6f46/mitre_attack/T1543_004_macos_launch_daemon.yaral", "references": ["https://cloud.google.com/security/products/security-operations", "https://cloud.google.com/chronicle/docs/secops/secops-overview", "https://github.com/chronicle/detection-rules"]}, {"capability_id": "google_secops", 
"capability_description": "Google Security Operations", "mapping_type": "technique_scores", "attack_object_id": "T1546", "attack_object_name": "Event Triggered Execution", "capability_group": "google_secops", "score_category": "detect", "score_value": "minimal", "comments": "Google Security Ops is able to trigger an alert based on manipulation of default programs.\n\nThis technique was scored as minimal based on low or uncertain detection coverage factor.\n\nhttps://github.com/chronicle/detection-rules/blob/783e0e5947774785db1c55041b70176deeca6f46/mitre_attack/T1546_001_windows_change_default_file_association.yaral", "references": ["https://cloud.google.com/security/products/security-operations", "https://cloud.google.com/chronicle/docs/secops/secops-overview", "https://github.com/chronicle/detection-rules"]}, {"capability_id": "google_secops", "capability_description": "Google Security Operations", "mapping_type": "technique_scores", "attack_object_id": "T1546.001", "attack_object_name": "Change Default File Association", "capability_group": "google_secops", "score_category": "detect", "score_value": "minimal", "related_score": "T1546", "comments": "Google Security Ops is able to trigger an alert based on manipulation of default programs used for a given extension found on Windows platforms (e.g., \"cmd\\.exe /c assoc\").\n\nThis technique was scored as minimal based on low or uncertain detection coverage factor.\n\nhttps://github.com/chronicle/detection-rules/blob/783e0e5947774785db1c55041b70176deeca6f46/mitre_attack/T1546_001_windows_change_default_file_association.yaral", "references": ["https://cloud.google.com/security/products/security-operations", "https://cloud.google.com/chronicle/docs/secops/secops-overview", "https://github.com/chronicle/detection-rules"]}, {"capability_id": "google_secops", "capability_description": "Google Security Operations", "mapping_type": "technique_scores", "attack_object_id": "T1546.003", "attack_object_name": "Windows 
Management Instrumentation Event Subscription", "capability_group": "google_secops", "score_category": "detect", "score_value": "minimal", "related_score": "T1546", "comments": "Google Security Ops is able to trigger an alert based on suspicious events used by adversary's to establish persistence using Windows Management Instrumentation (WMI) command-line events (e.g. \"C:\\\\Windows\\\\System32\\\\wbem\\\\WmiPrvSE.exe\").\n\nThis technique was scored as minimal based on low or uncertain detection coverage factor.\n\nhttps://github.com/chronicle/detection-rules/blob/783e0e5947774785db1c55041b70176deeca6f46/soc_prime_rules/threat_hunting/process_creation/wmi_spawning_windows_powershell.yaral", "references": ["https://cloud.google.com/security/products/security-operations", "https://cloud.google.com/chronicle/docs/secops/secops-overview", "https://github.com/chronicle/detection-rules"]}, {"capability_id": "cloud_ids", "capability_description": "Cloud IDS", "mapping_type": "technique_scores", "attack_object_id": "T1546.006", "attack_object_name": "LC_LOAD_DYLIB Addition", "capability_group": "cloud_ids", "score_category": "detect", "score_value": "significant", "related_score": "T1546", "comments": "Often used by adversaries to  execute malicious content and establish persistence, Palo Alto Network's antivirus signatures is able to detect malicious content found in Mach object files (Mach-O). 
These are used by the adversary to load and execute malicious dynamic libraries after the binary is executed.\n\nThis technique was scored as significant based on Palo Alto Network's advanced threat detection technology which constantly updates to detect against variations of these cyber-attacks.", "references": ["https://cloud.google.com/intrusion-detection-system", "https://docs.paloaltonetworks.com/pan-os/10-0/pan-os-admin/threat-prevention/threat-signatures"]}, {"capability_id": "google_secops", "capability_description": "Google Security Operations", "mapping_type": "technique_scores", "attack_object_id": "T1546.007", "attack_object_name": "Netsh Helper DLL", "capability_group": "google_secops", "score_category": "detect", "score_value": "minimal", "related_score": "T1546", "comments": "Google Security Ops is able to generate alerts based off suspicious events, for example: execution of arbitrary code triggered by Netsh Helper DLLs (Netshell (Netsh.exe)).\n\nThis technique was scored as minimal based on low or uncertain detection coverage factor.\n\nhttps://github.com/chronicle/detection-rules/blob/783e0e5947774785db1c55041b70176deeca6f46/soc_prime_rules/threat_hunting/windows/possible_system_network_configuration_discovery__sysmon_windows_logs.yaral", "references": ["https://cloud.google.com/security/products/security-operations", "https://cloud.google.com/chronicle/docs/secops/secops-overview", "https://github.com/chronicle/detection-rules"]}, {"capability_id": "google_secops", "capability_description": "Google Security Operations", "mapping_type": "technique_scores", "attack_object_id": "T1546.008", "attack_object_name": "Accessibility Features", "capability_group": "google_secops", "score_category": "detect", "score_value": "minimal", "related_score": "T1546", "comments": "Google Security Ops is able to trigger an alert based off suspicious system processes that indicate usage and installation of a backdoor using built-in tools that are accessible from the 
login screen (e.g., sticky-keys attack).\n\nThis technique was scored as minimal based on low or uncertain detection coverage factor.\n\nhttps://github.com/chronicle/detection-rules/blob/783e0e5947774785db1c55041b70176deeca6f46/soc_prime_rules/threat_hunting/windows/sticky_key_like_backdoor_usage.yaral", "references": ["https://cloud.google.com/security/products/security-operations", "https://cloud.google.com/chronicle/docs/secops/secops-overview", "https://github.com/chronicle/detection-rules"]}, {"capability_id": "google_secops", "capability_description": "Google Security Operations", "mapping_type": "technique_scores", "attack_object_id": "T1547", "attack_object_name": "Boot or Logon Autostart Execution", "capability_group": "google_secops", "score_category": "detect", "score_value": "minimal", "comments": "Google Security Ops is able to trigger an alert based on creation or changes of registry keys and run keys found on Windows platforms.\n\nThis technique was scored as minimal based on low or uncertain detection coverage factor.\n\nhttps://github.com/chronicle/detection-rules/blob/783e0e5947774785db1c55041b70176deeca6f46/mitre_attack/T1547_001_windows_registry_run_keys_startup_folder.yaral", "references": ["https://cloud.google.com/security/products/security-operations", "https://cloud.google.com/chronicle/docs/secops/secops-overview", "https://github.com/chronicle/detection-rules"]}, {"capability_id": "google_secops", "capability_description": "Google Security Operations", "mapping_type": "technique_scores", "attack_object_id": "T1547.001", "attack_object_name": "Registry Run Keys / Startup Folder", "capability_group": "google_secops", "score_category": "detect", "score_value": "minimal", "related_score": "T1547", "comments": "Google Security Ops is able to trigger an alert based on creation or changes of registry keys and run keys on Windows platforms (e.g., \"\"REGISTRY_MODIFICATION\", \"\"REGISTRY_CREATION\").\n\nThis technique was scored as minimal based 
on low or uncertain detection coverage factor.\n\nhttps://github.com/chronicle/detection-rules/blob/783e0e5947774785db1c55041b70176deeca6f46/mitre_attack/T1547_001_windows_registry_run_keys_startup_folder.yaral\n\nhttps://github.com/chronicle/detection-rules/blob/783e0e5947774785db1c55041b70176deeca6f46/soc_prime_rules/threat_hunting/sysmon/suspicious_run_key_from_download.yaral", "references": ["https://cloud.google.com/security/products/security-operations", "https://cloud.google.com/chronicle/docs/secops/secops-overview", "https://github.com/chronicle/detection-rules"]}, {"capability_id": "google_secops", "capability_description": "Google Security Operations", "mapping_type": "technique_scores", "attack_object_id": "T1548", "attack_object_name": "Abuse Elevation Control Mechanism", "capability_group": "google_secops", "score_category": "detect", "score_value": "minimal", "comments": "Google Security Ops is able to trigger an alert based on Custom Role changes.  \nThis technique was scored as minimal based on low or uncertain detection coverage factor.\n\nhttps://github.com/chronicle/detection-rules/blob/783e0e5947774785db1c55041b70176deeca6f46/gcp_cloudaudit/gcp_custom_role_changes.yaral", "references": ["https://cloud.google.com/security/products/security-operations", "https://cloud.google.com/chronicle/docs/secops/secops-overview", "https://github.com/chronicle/detection-rules"]}, {"capability_id": "google_secops", "capability_description": "Google Security Operations", "mapping_type": "technique_scores", "attack_object_id": "T1548.002", "attack_object_name": "Bypass User Account Control", "capability_group": "google_secops", "score_category": "detect", "score_value": "minimal", "related_score": "T1548", "comments": "Google Security Ops is able to trigger an alert based on system-level processes and other modifications to MacOS platforms (e.g., \"FILE_MODIFICATION\", \"chflags hidden\").\n\nThis technique was scored as minimal based on low or uncertain 
detection coverage factor.\n\nhttps://github.com/chronicle/detection-rules/blob/783e0e5947774785db1c55041b70176deeca6f46/mitre_attack/T1564_001_macos_hidden_files_and_directories.yaral", "references": ["https://cloud.google.com/security/products/security-operations", "https://cloud.google.com/chronicle/docs/secops/secops-overview", "https://github.com/chronicle/detection-rules"]}, {"capability_id": "policy_intelligence", "capability_description": "Policy Intelligence", "mapping_type": "technique_scores", "attack_object_id": "T1548.002", "attack_object_name": "Bypass User Account Control", "capability_group": "policy_intelligence", "score_category": "protect", "score_value": "partial", "related_score": "T1548", "comments": "Adversaries may bypass UAC mechanisms to elevate process privileges. This control can be used to help enforce least privilege principles to ensure that permission levels are properly managed. Along with this, Policy Analyzer lets users know which principals have access to resources based on their corresponding IAM allow policies.", "references": ["https://cloud.google.com/policy-intelligence"]}, {"capability_id": "identity_platform", "capability_description": "Identity Platform", "mapping_type": "technique_scores", "attack_object_id": "T1550", "attack_object_name": "Use Alternate Authentication Material", "capability_group": "identity_platform", "score_category": "protect", "score_value": "minimal", "comments": " This control may mitigate application access token theft if the application is configured to retrieve temporary security credentials using an IAM role. 
", "references": ["https://cloud.google.com/identity-platform/docs/concepts"]}, {"capability_id": "identity_aware_proxy", "capability_description": "Identity Aware Proxy", "mapping_type": "technique_scores", "attack_object_id": "T1550.001", "attack_object_name": "Application Access Token", "capability_group": "identity_aware_proxy", "score_category": "protect", "score_value": "minimal", "related_score": "T1550", "comments": "This control may mitigate or prevent stolen application access tokens from occurring. ", "references": ["https://cloud.google.com/iap"]}, {"capability_id": "identity_platform", "capability_description": "Identity Platform", "mapping_type": "technique_scores", "attack_object_id": "T1550.001", "attack_object_name": "Application Access Token", "capability_group": "identity_platform", "score_category": "protect", "score_value": "minimal", "related_score": "T1550", "comments": " This control may mitigate application access token theft if the application is  configured to retrieve temporary security credentials using an IAM role. ", "references": ["https://cloud.google.com/identity-platform/docs/concepts"]}, {"capability_id": "cloud_hsm", "capability_description": "Cloud Hardware Security Module (HSM)", "mapping_type": "technique_scores", "attack_object_id": "T1552", "attack_object_name": "Unsecured Credentials", "capability_group": "cloud_hsm", "score_category": "protect", "score_value": "partial", "comments": "Google Cloud's HSM may protect against adversary's attempts to leverage unsecured credentials found on compromised systems. 
Variations of this technique are difficult to mitigate, so a partial score was granted for this control's medium to high coverage factor.", "references": ["https://cloud.google.com/kms/docs/hsm"]}, {"capability_id": "cloud_key_management", "capability_description": "Cloud Key Management", "mapping_type": "technique_scores", "attack_object_id": "T1552", "attack_object_name": "Unsecured Credentials", "capability_group": "cloud_key_management", "score_category": "protect", "score_value": "minimal", "comments": "Cloud Key Management Service allows you to create, import, and manage cryptographic keys and perform cryptographic operations in a single centralized cloud service. Unsecured Credentials can be moved to the Cloud Key Management Service to protect from being stolen or abused. Since this service does not actually identify credentials that are currently insecure the score is low.", "references": ["https://cloud.google.com/security-key-management"]}, {"capability_id": "google_secops", "capability_description": "Google Security Operations", "mapping_type": "technique_scores", "attack_object_id": "T1552", "attack_object_name": "Unsecured Credentials", "capability_group": "google_secops", "score_category": "detect", "score_value": "minimal", "comments": "Google Security Ops detects an attempt to scan registry hives for unsecured passwords.\n\nThis technique was scored as minimal based on low or uncertain detection coverage factor.\n\nhttps://github.com/chronicle/detection-rules/blob/783e0e5947774785db1c55041b70176deeca6f46/soc_prime_rules/ioc_sigma/process_creation/t1214___credentials_in_registry.yaral", "references": ["https://cloud.google.com/security/products/security-operations", "https://cloud.google.com/chronicle/docs/secops/secops-overview", "https://github.com/chronicle/detection-rules"]}, {"capability_id": "secret_manager", "capability_description": "Secret Manager", "mapping_type": "technique_scores", "attack_object_id": "T1552", "attack_object_name": 
"Unsecured Credentials", "capability_group": "secret_manager", "score_category": "protect", "score_value": "partial", "comments": "This control provides a central, secure location for storage of credentials to reduce the possibility of attackers discovering unsecured credentials. ", "references": ["https://cloud.google.com/secret-manager/docs/overview"]}, {"capability_id": "cloud_hsm", "capability_description": "Cloud Hardware Security Module (HSM)", "mapping_type": "technique_scores", "attack_object_id": "T1552.001", "attack_object_name": "Credentials In Files", "capability_group": "cloud_hsm", "score_category": "protect", "score_value": "partial", "related_score": "T1552", "comments": "Google Cloud's HSM may protect against an adversary's attempts to leverage passwords and unsecured credentials found in files on compromised systems. Variations of this technique are difficult to mitigate, so a partial score was granted for this control's medium to high coverage factor.", "references": ["https://cloud.google.com/kms/docs/hsm"]}, {"capability_id": "cloud_key_management", "capability_description": "Cloud Key Management", "mapping_type": "technique_scores", "attack_object_id": "T1552.001", "attack_object_name": "Credentials In Files", "capability_group": "cloud_key_management", "score_category": "protect", "score_value": "minimal", "related_score": "T1552", "comments": "This control's protection is specific to a minority of this technique's sub-techniques and procedure examples resulting in a Minimal Coverage score and consequently an overall score of Minimal.", "references": ["https://cloud.google.com/security-key-management"]}, {"capability_id": "cloud_hsm", "capability_description": "Cloud Hardware Security Module (HSM)", "mapping_type": "technique_scores", "attack_object_id": "T1552.004", "attack_object_name": "Private Keys", "capability_group": "cloud_hsm", "score_category": "protect", "score_value": "partial", "related_score": "T1552", "comments": "Google Cloud's HSM 
may protect against adversary's attempts to compromise private key certificate files (e.g., .key, .pgp, .ppk, .p12). Variations of this technique are difficult to mitigate, so a partial score was granted for this control's medium to high coverage factor.", "references": ["https://cloud.google.com/kms/docs/hsm"]}, {"capability_id": "cloud_key_management", "capability_description": "Cloud Key Management", "mapping_type": "technique_scores", "attack_object_id": "T1552.004", "attack_object_name": "Private Keys", "capability_group": "cloud_key_management", "score_category": "protect", "score_value": "minimal", "related_score": "T1552", "comments": " This control's protection is specific to a minority of this technique's sub-techniques and procedure examples resulting in a Minimal Coverage score and consequently an overall score of Minimal.", "references": ["https://cloud.google.com/security-key-management"]}, {"capability_id": "cloud_key_management", "capability_description": "Cloud Key Management", "mapping_type": "technique_scores", "attack_object_id": "T1552.005", "attack_object_name": "Cloud Instance Metadata API", "capability_group": "cloud_key_management", "score_category": "protect", "score_value": "significant", "related_score": "T1552", "comments": " This control's protection is specific to a minority of this technique's sub-techniques and procedure examples resulting in a Minimal Coverage score and consequently an overall score of Minimal.", "references": ["https://cloud.google.com/security-key-management"]}, {"capability_id": "gke_enterprise", "capability_description": "GKE Enterprise", "mapping_type": "technique_scores", "attack_object_id": "T1552.007", "attack_object_name": "Container API", "capability_group": "gke_enterprise", "score_category": "protect", "score_value": "partial", "related_score": "T1552", "comments": "Adversaries may gather credentials via APIs within a containers environment. 
Such APIs include the Docker API and the Kubernetes API. GKE Enterprise incorporates the Anthos Config Management feature to manage configuration for any Kubernetes API, including policies for the Istio service mesh, resource quotas, and access control policies, which can limit what identities and workloads are permitted to request from the Kubernetes API.", "references": ["https://cloud.google.com/kubernetes-engine/enterprise/docs"]}, {"capability_id": "resource_manager", "capability_description": "Resource Manager", "mapping_type": "technique_scores", "attack_object_id": "T1552.007", "attack_object_name": "Container API", "capability_group": "resource_manager", "score_category": "protect", "score_value": "minimal", "related_score": "T1552", "comments": "To control access to resources, GCP requires that accounts making API requests have appropriate IAM roles. IAM roles include permissions that allow users to perform specific actions on Google Cloud resources. This control may mitigate adversaries that gather credentials via APIs within a containers environment. Since this covers only one of the sub-techniques, it is given a Minimal scoring.", "references": ["https://cloud.google.com/resource-manager/docs/cloud-platform-resource-hierarchy"]}, {"capability_id": "vpc_service_controls", "capability_description": "VPC Service Controls", "mapping_type": "technique_scores", "attack_object_id": "T1552.007", "attack_object_name": "Container API", "capability_group": "vpc_service_controls", "score_category": "protect", "score_value": "significant", "related_score": "T1552", "comments": "VPC Service Controls perimeters can restrict access to Google Cloud service APIs for private resources based on user identity and organizational ingress/egress policies (e.g., by instance or subnet). The perimeter operates at the Google Cloud API layer: it does not by itself restrict calls to a cluster's Kubernetes API server or a node's container runtime API from a workload that is already inside the perimeter, so the Significant score should be read with that limitation in mind.", "references": ["https://cloud.google.com/vpc-service-controls/docs"]}, {"capability_id": "cloud_hsm", "capability_description": "Cloud Hardware Security Module (HSM)", "mapping_type": "technique_scores", "attack_object_id": "T1553", "attack_object_name": "Subvert Trust Controls", "capability_group": 
"cloud_hsm", "score_category": "protect", "score_value": "partial", "comments": "Google Cloud's HSM may protect against adversary's attempts to undermine trusted controls and conduct nefarious activity or execute malicious programs. Variations of this technique are difficult to mitigate, so a partial score was granted for this control's medium to high coverage factor.", "references": ["https://cloud.google.com/kms/docs/hsm"]}, {"capability_id": "cloud_key_management", "capability_description": "Cloud Key Management", "mapping_type": "technique_scores", "attack_object_id": "T1553", "attack_object_name": "Subvert Trust Controls", "capability_group": "cloud_key_management", "score_category": "protect", "score_value": "significant", "comments": "Protects against trust mechanisms and stealing of code signing certificates", "references": ["https://cloud.google.com/security-key-management"]}, {"capability_id": "binary_authorization", "capability_description": "Binary Authorization", "mapping_type": "technique_scores", "attack_object_id": "T1554", "attack_object_name": "Compromise Host Software Binary", "capability_group": "binary_authorization", "score_category": "protect", "score_value": "significant", "comments": "Each image has a signer digitally sign using a private key. 
At deploy time, the enforcer uses the attestor's public key to verify the signature in the attestation and can block images that lack a valid attestation. Enforcement happens at admission time, so this control does not detect modification of a binary inside an already-running container or on the host after deployment.", "references": ["https://cloud.google.com/binary-authorization/docs/overview", "https://cloud.google.com/binary-authorization/docs/attestations"]}, {"capability_id": "cloud_key_management", "capability_description": "Cloud Key Management", "mapping_type": "technique_scores", "attack_object_id": "T1555", "attack_object_name": "Credentials from Password Stores", "capability_group": "cloud_key_management", "score_category": "protect", "score_value": "partial", "comments": "This control manages symmetric and asymmetric cryptographic keys for cloud services and protects against theft of credentials, certificates, and keys from the organization.", "references": ["https://cloud.google.com/security-key-management"]}, {"capability_id": "secret_manager", "capability_description": "Secret Manager", "mapping_type": "technique_scores", "attack_object_id": "T1555", "attack_object_name": "Credentials from Password Stores", "capability_group": "secret_manager", "score_category": "protect", "score_value": "partial", "comments": "This control may provide a more secure location for storing passwords. If a cloud user account, endpoint, or application is compromised, its access to passwords stored in Secret Manager is limited to the secrets its IAM permissions grant.", "references": ["https://cloud.google.com/secret-manager/docs/overview"]}, {"capability_id": "advanced_protection_program", "capability_description": "Advanced Protection Program", "mapping_type": "technique_scores", "attack_object_id": "T1556", "attack_object_name": "Modify Authentication Process", "capability_group": "advanced_protection_program", "score_category": "protect", "score_value": "significant", "comments": "Advanced Protection Program enables the use of a security key for multi-factor authentication. 
Integrating multi-factor authentication as part of organizational policy can greatly reduce the risk of an adversary gaining control of valid credentials that may be used for additional tactics such as initial access, lateral movement, and collecting information.\n", "references": ["https://landing.google.com/advancedprotection/"]}, {"capability_id": "identity_platform", "capability_description": "Identity Platform", "mapping_type": "technique_scores", "attack_object_id": "T1556", "attack_object_name": "Modify Authentication Process", "capability_group": "identity_platform", "score_category": "protect", "score_value": "minimal", "comments": " Identity Platform lets you add Google-grade authentication to your apps and services, making it easier to secure user accounts and securely managing credentials. MFA can be used to restrict access to cloud resources and APIs and provide protection against an adversaries that try to access user credentials. ", "references": ["https://cloud.google.com/identity-platform/docs/concepts"]}, {"capability_id": "cloud_vpn", "capability_description": "Cloud VPN", "mapping_type": "technique_scores", "attack_object_id": "T1557", "attack_object_name": "Adversary-in-the-Middle", "capability_group": "cloud_vpn", "score_category": "protect", "score_value": "significant", "comments": "Cloud VPN enables traffic traveling between the two networks, and it is encrypted by one VPN gateway and then decrypted by the other VPN gateway. This action protects users' data as it travels over the internet. This control may prevent adversaries from attempting to position themselves between two or more networks and modify traffic. 
", "references": ["https://cloud.google.com/network-connectivity/docs/vpn/concepts/overview"]}, {"capability_id": "vpc_service_controls", "capability_description": "VPC Service Controls", "mapping_type": "technique_scores", "attack_object_id": "T1557", "attack_object_name": "Adversary-in-the-Middle", "capability_group": "vpc_service_controls", "score_category": "protect", "score_value": "partial", "comments": "VPC security perimeter mitigates the impact from Adversary-in-the-Middle by creating virtual segmentation that limits the data and information broadcast on the network.", "references": ["https://cloud.google.com/vpc-service-controls/docs"]}, {"capability_id": "cloud_vpn", "capability_description": "Cloud VPN", "mapping_type": "technique_scores", "attack_object_id": "T1557.002", "attack_object_name": "ARP Cache Poisoning", "capability_group": "cloud_vpn", "score_category": "protect", "score_value": "partial", "related_score": "T1557", "comments": "Cloud VPN enables traffic traveling between the two networks, and it is encrypted by one VPN gateway and then decrypted by the other VPN gateway. This action protects users' data as it travels over the internet. This control may prevent adversaries from attempting to position themselves between two or more networks and modify traffic. 
", "references": ["https://cloud.google.com/network-connectivity/docs/vpn/concepts/overview"]}, {"capability_id": "google_secops", "capability_description": "Google Security Operations", "mapping_type": "technique_scores", "attack_object_id": "T1560", "attack_object_name": "Archive Collected Data", "capability_group": "google_secops", "score_category": "detect", "score_value": "minimal", "comments": "Google Security Ops triggers an alert based on adversary indicators of compromise seen when encrypting or compressing data before exfiltration.\n\nThis technique was scored as minimal based on low or uncertain detection coverage factor.\n\nhttps://github.com/chronicle/detection-rules/tree/783e0e5947774785db1c55041b70176deeca6f46/soc_prime_rules/threat_hunting/process_creation\n\n\n\n", "references": ["https://cloud.google.com/security/products/security-operations", "https://cloud.google.com/chronicle/docs/secops/secops-overview", "https://github.com/chronicle/detection-rules"]}, {"capability_id": "backup_and_dr_actifiogo", "capability_description": "Backup and DR-Actifio GO", "mapping_type": "technique_scores", "attack_object_id": "T1561", "attack_object_name": "Disk Wipe", "capability_group": "backup_and_dr_actifiogo", "score_category": "respond", "score_value": "significant", "comments": "Backup and DR-Actifio GO is a copy data management plaform that virtualizes application data to improve an organizations resiliency and cloud mobility. This capability allows an organization to take regular backups and provides several methods of restoring applications and/or VM data to a previous state. 
This provides significant ability to respond to a Disk Wipe since an organization could restore wiped data from the latest backup, provided the backup copies are kept where the adversary cannot also wipe them.", "references": ["https://cloud.google.com/backup-disaster-recovery/docs/configuration/cbb", "https://cloud.google.com/backup-disaster-recovery"]}, {"capability_id": "identity_platform", "capability_description": "Identity Platform", "mapping_type": "technique_scores", "attack_object_id": "T1562", "attack_object_name": "Impair Defenses", "capability_group": "identity_platform", "score_category": "protect", "score_value": "minimal", "comments": "Identity Platform provides Admin APIs to manage users and authentication tokens. To prevent unwanted access to your users and tokens through these APIs, Identity Platform leverages IAM to manage permission to specific Identity Platform APIs. This control helps ensure IAM permissions are in place to prevent adversaries from disabling or interfering with Identity Platform's own security and logging configuration; it does not govern host-level process or file permissions.", "references": ["https://cloud.google.com/identity-platform/docs/concepts"]}, {"capability_id": "policy_intelligence", "capability_description": "Policy Intelligence", "mapping_type": "technique_scores", "attack_object_id": "T1562", "attack_object_name": "Impair Defenses", "capability_group": "policy_intelligence", "score_category": "protect", "score_value": "partial", "comments": "Adversaries that disable cloud logging capabilities limit the amount of data that can be collected about their activity and may thereby avoid detection. 
This control may be used to ensure that permissions are in place to prevent adversaries from disabling or interfering with security/logging services.", "references": ["https://cloud.google.com/policy-intelligence"]}, {"capability_id": "resource_manager", "capability_description": "Resource Manager", "mapping_type": "technique_scores", "attack_object_id": "T1562", "attack_object_name": "Impair Defenses", "capability_group": "resource_manager", "score_category": "protect", "score_value": "partial", "comments": "An adversary may disable cloud logging capabilities and integrations to limit what data is collected on their activities and avoid detection. GCP allows configuration of account policies to enable logging and IAM permissions and roles to determine your ability to access audit logs data in Google Cloud resources.", "references": ["https://cloud.google.com/resource-manager/docs/cloud-platform-resource-hierarchy"]}, {"capability_id": "security_command_center", "capability_description": "Security Command Center", "mapping_type": "technique_scores", "attack_object_id": "T1562", "attack_object_name": "Impair Defenses", "capability_group": "security_command_center", "score_category": "detect", "score_value": "significant", "comments": "SCC ingests VPC Audit logs to detect changes which would lead to changes in the security posture. This security solution protects against network modifications that are used to reduce the security perimeter, disable logs, and evade cyber-defense of a target environment. 
Because of the near-real time temporal factor this control was graded as significant.", "references": ["https://cloud.google.com/security-command-center/docs/concepts-security-command-center-overview", "https://github.com/GoogleCloudPlatform/security-analytics"]}, {"capability_id": "resource_manager", "capability_description": "Resource Manager", "mapping_type": "technique_scores", "attack_object_id": "T1562.001", "attack_object_name": "Disable or Modify Tools", "capability_group": "resource_manager", "score_category": "protect", "score_value": "partial", "related_score": "T1562", "comments": "This control adopts the security principle of least privilege, which grants necessary access to user's resources when justified and needed. This control manages access control and ensures proper user permissions are in place to prevent adversaries that try to modify and/or disable security tools.", "references": ["https://cloud.google.com/resource-manager/docs/cloud-platform-resource-hierarchy"]}, {"capability_id": "resource_manager", "capability_description": "Resource Manager", "mapping_type": "technique_scores", "attack_object_id": "T1562.002", "attack_object_name": "Disable Windows Event Logging", "capability_group": "resource_manager", "score_category": "protect", "score_value": "partial", "related_score": "T1562", "comments": "This control adopts the security principle of least privilege, which grants necessary access to user's resources when justified and needed. 
This control manages access control and ensures proper user permissions are in place to prevent adversaries that try to interfere with logging.\n", "references": ["https://cloud.google.com/resource-manager/docs/cloud-platform-resource-hierarchy"]}, {"capability_id": "google_secops", "capability_description": "Google Security Operations", "mapping_type": "technique_scores", "attack_object_id": "T1562.004", "attack_object_name": "Disable or Modify System Firewall", "capability_group": "google_secops", "score_category": "detect", "score_value": "minimal", "related_score": "T1562", "comments": "Google Security Ops is able to trigger an alert based on processes, such as  VPC Network Firewall rule changes. \n\nThis technique was scored as minimal based on low or uncertain detection coverage factor.\n\nhttps://github.com/chronicle/detection-rules/blob/783e0e5947774785db1c55041b70176deeca6f46/gcp_cloudaudit/gcp_firewall_rule_changes.yaral", "references": ["https://cloud.google.com/security/products/security-operations", "https://cloud.google.com/chronicle/docs/secops/secops-overview", "https://github.com/chronicle/detection-rules"]}, {"capability_id": "resource_manager", "capability_description": "Resource Manager", "mapping_type": "technique_scores", "attack_object_id": "T1562.007", "attack_object_name": "Disable or Modify Cloud Firewall", "capability_group": "resource_manager", "score_category": "protect", "score_value": "partial", "related_score": "T1562", "comments": "This control adopts the security principle of least privilege, which grants necessary access to user's resources when justified and needed. 
This control manages access control and ensures proper user permissions are in place to prevent adversaries that try to modify and/or disable the cloud firewall.\n\n", "references": ["https://cloud.google.com/resource-manager/docs/cloud-platform-resource-hierarchy"]}, {"capability_id": "resource_manager", "capability_description": "Resource Manager", "mapping_type": "technique_scores", "attack_object_id": "T1562.007", "attack_object_name": "Disable or Modify Cloud Firewall", "capability_group": "resource_manager", "score_category": "detect", "score_value": "partial", "related_score": "T1562", "comments": "An adversary may disable or modify cloud firewall rules to weaken network restrictions and avoid detection. Changes to firewall rules are recorded in Cloud Audit Logs, and IAM permissions and roles determine your ability to access audit log data in Google Cloud resources; detection therefore depends on audit logging being enabled and reviewed rather than on Resource Manager itself.", "references": ["https://cloud.google.com/resource-manager/docs/cloud-platform-resource-hierarchy"]}, {"capability_id": "security_command_center", "capability_description": "Security Command Center", "mapping_type": "technique_scores", "attack_object_id": "T1562.007", "attack_object_name": "Disable or Modify Cloud Firewall", "capability_group": "security_command_center", "score_category": "detect", "score_value": "significant", "related_score": "T1562", "comments": "SCC is able to detect changes to VPC Service Controls perimeters that could weaken the secured perimeter. VPC Service Controls perimeters are distinct from VPC firewall rules, so coverage of firewall-rule changes themselves should be confirmed against the detectors enabled. This detection surfaces modifications that could lead to a lower security posture and defense evasion. 
Because of the near-real time temporal factor to detect against this cyber-attack the control was graded as significant.", "references": ["https://cloud.google.com/security-command-center/docs/concepts-security-command-center-overview", "https://github.com/GoogleCloudPlatform/security-analytics"]}, {"capability_id": "identity_platform", "capability_description": "Identity Platform", "mapping_type": "technique_scores", "attack_object_id": "T1562.008", "attack_object_name": "Disable or Modify Cloud Logs", "capability_group": "identity_platform", "score_category": "protect", "score_value": "minimal", "related_score": "T1562", "comments": "Identity Platform provides Admin APIs to manage users and authentication tokens. To prevent unwanted access to your users and tokens through these APIs, Identity Platform leverages IAM to manage permission to specific Identity Platform APIs. This control helps ensure IAM permissions are in place to prevent adversaries from disabling or interfering with Identity Platform's own logging configuration; it does not govern host-level process or file permissions, nor the Cloud Logging configuration of other services.", "references": ["https://cloud.google.com/identity-platform/docs/concepts"]}, {"capability_id": "policy_intelligence", "capability_description": "Policy Intelligence", "mapping_type": "technique_scores", "attack_object_id": "T1562.008", "attack_object_name": "Disable or Modify Cloud Logs", "capability_group": "policy_intelligence", "score_category": "detect", "score_value": "minimal", "related_score": "T1562", "comments": "Adversaries that disable cloud logging capabilities limit the amount of data that can be collected about their activity and may thereby avoid detection. 
This control may be used to routinely check role account permissions in IAM audit logs.", "references": ["https://cloud.google.com/policy-intelligence"]}, {"capability_id": "resource_manager", "capability_description": "Resource Manager", "mapping_type": "technique_scores", "attack_object_id": "T1562.008", "attack_object_name": "Disable or Modify Cloud Logs", "capability_group": "resource_manager", "score_category": "protect", "score_value": "partial", "related_score": "T1562", "comments": "This control adopts the security principle of least privilege, which grants necessary access to user's resources when justified and needed. This control manages access control and ensures proper user permissions are in place to prevent adversaries that try to modify and/or disable cloud logging capabilities.\n", "references": ["https://cloud.google.com/resource-manager/docs/cloud-platform-resource-hierarchy"]}, {"capability_id": "security_command_center", "capability_description": "Security Command Center", "mapping_type": "technique_scores", "attack_object_id": "T1562.008", "attack_object_name": "Disable or Modify Cloud Logs", "capability_group": "security_command_center", "score_category": "detect", "score_value": "significant", "related_score": "T1562", "comments": "SCC detect changes to the configuration which would lead to disable logging on an instance or container. This security solution protects against system modifications used to remove evidence and evade defenses. 
Because of the near-real time temporal factor this control was graded as significant.", "references": ["https://cloud.google.com/security-command-center/docs/concepts-security-command-center-overview", "https://github.com/GoogleCloudPlatform/security-analytics"]}, {"capability_id": "google_secops", "capability_description": "Google Security Operations", "mapping_type": "technique_scores", "attack_object_id": "T1564", "attack_object_name": "Hide Artifacts", "capability_group": "google_secops", "score_category": "detect", "score_value": "minimal", "comments": "Google Security Ops is able to trigger an alert based on processes, such as hidden artifacts.\n\nThis technique was scored as minimal based on low or uncertain detection coverage factor.\n\nhttps://github.com/chronicle/detection-rules/blob/783e0e5947774785db1c55041b70176deeca6f46/soc_prime_rules/threat_hunting/windows/abusing_attrib_exe_to_change_file_attributes.yaral\n\nhttps://github.com/chronicle/detection-rules/blob/783e0e5947774785db1c55041b70176deeca6f46/soc_prime_rules/threat_hunting/process_creation/hiding_files_with_attrib_exe.yaral", "references": ["https://cloud.google.com/security/products/security-operations", "https://cloud.google.com/chronicle/docs/secops/secops-overview", "https://github.com/chronicle/detection-rules"]}, {"capability_id": "google_secops", "capability_description": "Google Security Operations", "mapping_type": "technique_scores", "attack_object_id": "T1564.001", "attack_object_name": "Hidden Files and Directories", "capability_group": "google_secops", "score_category": "detect", "score_value": "minimal", "related_score": "T1564", "comments": "Google Security Ops is able to trigger an alert based on processes, such as manually setting a file to set a file as a system file on Windows (e.g., \"attrib\\.exe \\+s\") setting a file to hidden on Windows platforms (e.g., \"attrib\\.exe \\+h\"), or on macOS (e.g., \"setfile -a V\" or  \"chflags hidden\").\n\nThis technique was scored as 
minimal based on low or uncertain detection coverage factor.\n\nhttps://github.com/chronicle/detection-rules/blob/783e0e5947774785db1c55041b70176deeca6f46/soc_prime_rules/threat_hunting/process_creation/hiding_files_with_attrib_exe.yaral", "references": ["https://cloud.google.com/security/products/security-operations", "https://cloud.google.com/chronicle/docs/secops/secops-overview", "https://github.com/chronicle/detection-rules"]}, {"capability_id": "backup_and_dr_actifiogo", "capability_description": "Backup and DR-Actifio GO", "mapping_type": "technique_scores", "attack_object_id": "T1565", "attack_object_name": "Data Manipulation", "capability_group": "backup_and_dr_actifiogo", "score_category": "respond", "score_value": "significant", "comments": "Backup and DR-Actifio GO is a copy data management plaform that virtualizes application data to improve an organizations resiliency and cloud mobility. This capability allows an organization to take regular backups and provides several methods of restoring applications and/or VM data to a previous state. This provides significant ability to respond to Data Manipulation since an organization could restore manipulated data back to the latest backup.", "references": ["https://cloud.google.com/backup-disaster-recovery/docs/configuration/cbb", "https://cloud.google.com/backup-disaster-recovery"]}, {"capability_id": "cloud_vpn", "capability_description": "Cloud VPN", "mapping_type": "technique_scores", "attack_object_id": "T1565", "attack_object_name": "Data Manipulation", "capability_group": "cloud_vpn", "score_category": "protect", "score_value": "partial", "comments": "This control provides protection against data from being manipulated by adversaries through target applications by encrypting important information. 
", "references": ["https://cloud.google.com/network-connectivity/docs/vpn/concepts/overview"]}, {"capability_id": "cloud_storage", "capability_description": "Cloud Storage", "mapping_type": "technique_scores", "attack_object_id": "T1565.001", "attack_object_name": "Stored Data Manipulation", "capability_group": "cloud_storage", "score_category": "protect", "score_value": "significant", "related_score": "T1565", "comments": "The cloud service provider's default encryption setting for data stored and written to disk in the cloud may protect against adversary's attempt to manipulate customer data-at-rest. This technique was rated as significant due to the high protect coverage factor.", "references": ["https://cloud.google.com/storage/docs/encryption", "https://cloud.google.com/storage"]}, {"capability_id": "cloud_vpn", "capability_description": "Cloud VPN", "mapping_type": "technique_scores", "attack_object_id": "T1565.002", "attack_object_name": "Transmitted Data Manipulation", "capability_group": "cloud_vpn", "score_category": "protect", "score_value": "partial", "related_score": "T1565", "comments": "This control provides protection against data from being manipulated by adversaries through target applications by encrypting important information. Since this control only provides protection against data in transit, it received a partial score. ", "references": ["https://cloud.google.com/network-connectivity/docs/vpn/concepts/overview"]}, {"capability_id": "confidential_vm", "capability_description": "Confidential VM", "mapping_type": "technique_scores", "attack_object_id": "T1565.003", "attack_object_name": "Runtime Data Manipulation", "capability_group": "confidential_vm", "score_category": "protect", "score_value": "significant", "related_score": "T1565", "comments": "Confidential VM main memory encryption is performed using dedicated hardware within the memory controllers. Each controller includes a high-performance Advanced Encryption Standard (AES) engine. 
The AES engine encrypts data as it is written to DRAM or shared between sockets, and decrypts it when data is read.", "references": ["https://cloud.google.com/compute/confidential-vm/docs/about-cvm#security_and_privacy_features"]}, {"capability_id": "chrome_enterprise_premium", "capability_description": "Chrome Enterprise Premium", "mapping_type": "technique_scores", "attack_object_id": "T1566", "attack_object_name": "Phishing", "capability_group": "chrome_enterprise_premium", "score_category": "protect", "score_value": "significant", "comments": "Chrome Enterprise Premium provides advanced protection against phishing attacks in the cloud by offering robust features like data loss prevention (DLP) controls, advanced malware and phishing detection, and real-time threat analysis, essentially safeguarding sensitive data and preventing users from accessing malicious websites even when accessing the web from anywhere, including in a cloud environment.", "references": ["https://cloud.google.com/beyondcorp-enterprise/docs/overview"]}, {"capability_id": "chrome_enterprise_premium", "capability_description": "Chrome Enterprise Premium", "mapping_type": "technique_scores", "attack_object_id": "T1566", "attack_object_name": "Phishing", "capability_group": "chrome_enterprise_premium", "score_category": "detect", "score_value": "significant", "comments": "Chrome Enterprise Premium can help identify and block malicious websites that might be phishing attempts through integrated data loss prevention (DLP) controls, advanced malware and phishing detection, and real-time threat analysis, essentially safeguarding sensitive data and preventing users from accessing malicious websites even when accessing the web from anywhere, including in a cloud environment.", "references": ["https://cloud.google.com/beyondcorp-enterprise/docs/overview"]}, {"capability_id": "titan_security_key", "capability_description": "Titan Security Key", "mapping_type": "technique_scores", "attack_object_id": 
"T1566", "attack_object_name": "Phishing", "capability_group": "titan_security_key", "score_category": "protect", "score_value": "significant", "comments": "This control is able to mitigate against a variety of phishing attacks by requiring an additional key for authentication outside of the user's password. Compared to other forms of 2-factor authentication, this control will not allow for authentication to an illegitimate service or website as the key can not be transmitted from the hardware device to any other device.", "references": ["https://cloud.google.com/titan-security-key#section-3"]}, {"capability_id": "virus_total", "capability_description": "Virus Total", "mapping_type": "technique_scores", "attack_object_id": "T1566", "attack_object_name": "Phishing", "capability_group": "virus_total", "score_category": "protect", "score_value": "significant", "comments": "VirusTotal, now part of Google Cloud, provides threat context and reputation data to help analyze suspicious files, URLs, domains, and IP addresses to detect cybersecurity threats.  This control can help mitigate adversaries that try to send malware via emails using malicious links or attachments. 
The malware-scanner service scans the uploaded document for malware.\nIf the document is infected, the service moves it to a quarantined bucket; otherwise the document is moved into another bucket that holds uninfected scanned documents.", "references": ["https://cloud.google.com/architecture/automating-malware-scanning-for-documents-uploaded-to-cloud-storage", "https://cloud.google.com/chronicle/docs/investigation/view-virustotal-information", "https://assets.virustotal.com/vt-360-outcomes.pdf"]}, {"capability_id": "web_risk", "capability_description": "Web Risk", "mapping_type": "technique_scores", "attack_object_id": "T1566", "attack_object_name": "Phishing", "capability_group": "web_risk", "score_category": "protect", "score_value": "partial", "comments": "Web Risk allows client applications to check URLs against Google's list of unsafe web resources. It also can provide warnings when attempting to access potentially unsafe sites. However, Google cannot guarantee that its information is comprehensive and error-free: some risky sites may not be identified, and some safe sites may be classified in error. 
This has resulted in an overall score of Partial.", "references": ["https://cloud.google.com/web-risk/docs/overview"]}, {"capability_id": "chrome_enterprise_premium", "capability_description": "Chrome Enterprise Premium", "mapping_type": "technique_scores", "attack_object_id": "T1566.001", "attack_object_name": "Spearphishing Attachment", "capability_group": "chrome_enterprise_premium", "score_category": "detect", "score_value": "minimal", "related_score": "T1566", "comments": "Chrome Enterprise Premium can help identify and block malicious websites that might be phishing attempts through integrated data loss prevention (DLP) controls, advanced malware and phishing detection, and real-time threat analysis, essentially safeguarding sensitive data and preventing users from accessing malicious websites even when accessing the web from anywhere, including in a cloud environment.", "references": ["https://cloud.google.com/beyondcorp-enterprise/docs/overview"]}, {"capability_id": "virus_total", "capability_description": "Virus Total", "mapping_type": "technique_scores", "attack_object_id": "T1566.001", "attack_object_name": "Spearphishing Attachment", "capability_group": "virus_total", "score_category": "protect", "score_value": "partial", "related_score": "T1566", "comments": "VirusTotal, now part of Google Cloud, provides threat context and reputation data to help analyze suspicious files, URLs, domains, and IP addresses to detect cybersecurity threats. 
", "references": ["https://cloud.google.com/architecture/automating-malware-scanning-for-documents-uploaded-to-cloud-storage", "https://cloud.google.com/chronicle/docs/investigation/view-virustotal-information", "https://assets.virustotal.com/vt-360-outcomes.pdf"]}, {"capability_id": "cloud_ids", "capability_description": "Cloud IDS", "mapping_type": "technique_scores", "attack_object_id": "T1566.002", "attack_object_name": "Spearphishing Link", "capability_group": "cloud_ids", "score_category": "detect", "score_value": "significant", "related_score": "T1566", "comments": "Often used by adversaries to gain access to a system, Palo Alto Network's vulnerability signatures are able to detect when a user attempts to connect to a malicious site with a phishing kit landing page.\n\nAlthough there are other ways an adversary could attempt a phishing attack, this technique was scored as significant based on Palo Alto Network's advanced threat detection technology which constantly updates to detect against variations of these cyber-attacks.", "references": ["https://cloud.google.com/intrusion-detection-system", "https://docs.paloaltonetworks.com/pan-os/10-0/pan-os-admin/threat-prevention/threat-signatures"]}, {"capability_id": "virus_total", "capability_description": "Virus Total", "mapping_type": "technique_scores", "attack_object_id": "T1566.002", "attack_object_name": "Spearphishing Link", "capability_group": "virus_total", "score_category": "protect", "score_value": "significant", "related_score": "T1566", "comments": "VirusTotal, now part of Google Cloud, provides threat context and reputation data to help analyze suspicious files, URLs, domains, and IP addresses to detect cybersecurity threats.  This control can help mitigate adversaries sending malware through spearphishing emails. The malware-scanner service scans the uploaded document for malware. 
If the document is infected, the service moves it to a quarantined bucket; otherwise the document is moved into another bucket that holds uninfected scanned documents.", "references": ["https://cloud.google.com/architecture/automating-malware-scanning-for-documents-uploaded-to-cloud-storage", "https://cloud.google.com/chronicle/docs/investigation/view-virustotal-information", "https://assets.virustotal.com/vt-360-outcomes.pdf"]}, {"capability_id": "chrome_enterprise_premium", "capability_description": "Chrome Enterprise Premium", "mapping_type": "technique_scores", "attack_object_id": "T1567", "attack_object_name": "Exfiltration Over Web Service", "capability_group": "chrome_enterprise_premium", "score_category": "protect", "score_value": "significant", "comments": "Chrome Enterprise Premium provides Data Loss Prevention (DLP) features that can detect and block sensitive data for files that are uploaded and downloaded and for content that is pasted or dragged and dropped via the Chrome browser. 
This can provide protection against adversaries that may try to exfiltrate data to web services through the browser; uploads made by other clients or scripts that do not pass through the managed Chrome browser are not inspected.", "references": ["https://cloud.google.com/beyondcorp-enterprise/docs/overview"]}, {"capability_id": "cloud_ids", "capability_description": "Cloud IDS", "mapping_type": "technique_scores", "attack_object_id": "T1567", "attack_object_name": "Exfiltration Over Web Service", "capability_group": "cloud_ids", "score_category": "detect", "score_value": "significant", "comments": "Web services are often used by adversaries to exfiltrate sensitive data. The Palo Alto Networks spyware signatures used by Cloud IDS are able to detect data exfiltration attempts over command and control communications (e.g., web shells).\n\nAlthough there are other ways an attacker could exfiltrate data from a compromised system, this technique was scored as significant based on Palo Alto Networks' advanced threat detection technology, which is constantly updated to detect the latest known variations of these attacks.", "references": ["https://cloud.google.com/intrusion-detection-system", "https://docs.paloaltonetworks.com/pan-os/10-0/pan-os-admin/threat-prevention/threat-signatures"]}, {"capability_id": "security_command_center", "capability_description": "Security Command Center", "mapping_type": "technique_scores", "attack_object_id": "T1567", "attack_object_name": "Exfiltration Over Web Service", "capability_group": "security_command_center", "score_category": "detect", "score_value": "significant", "comments": "SCC ingests BigQuery data access audit logs, which are used to track sensitive data that is saved outside of the organization or attempts to access protected resources. This security solution detects exfiltration attacks that were attempted and completed to an external or public resource. 
Because of the near-real time temporal factor this control was graded as significant.", "references": ["https://cloud.google.com/security-command-center/docs/concepts-security-command-center-overview", "https://github.com/GoogleCloudPlatform/security-analytics"]}, {"capability_id": "vpc_service_controls", "capability_description": "VPC Service Controls", "mapping_type": "technique_scores", "attack_object_id": "T1567", "attack_object_name": "Exfiltration Over Web Service", "capability_group": "vpc_service_controls", "score_category": "protect", "score_value": "partial", "comments": "This control can partially mitigate exfiltration of data over a web service. Data held in Google Cloud services inside a VPC Service Controls service perimeter cannot be moved to a Google Cloud resource or service outside of the perimeter, but the perimeter does not govern third-party services or storage, so data may still be moved there; this is why the score is Partial.", "references": ["https://cloud.google.com/vpc-service-controls/docs/overview"]}, {"capability_id": "chrome_enterprise_premium", "capability_description": "Chrome Enterprise Premium", "mapping_type": "technique_scores", "attack_object_id": "T1567.002", "attack_object_name": "Exfiltration to Cloud Storage", "capability_group": "chrome_enterprise_premium", "score_category": "protect", "score_value": "significant", "related_score": "T1567", "comments": "Chrome Enterprise Premium provides Data Loss Prevention (DLP) features that can detect and block sensitive data for files that are uploaded and downloaded and for content that is pasted or dragged and dropped via the Chrome browser. 
This can provide protection against adversaries that may try to exfiltrate data to cloud storage services through the browser.", "references": ["https://cloud.google.com/beyondcorp-enterprise/docs/overview"]}, {"capability_id": "cloud_endpoints", "capability_description": "Cloud Endpoints", "mapping_type": "technique_scores", "attack_object_id": "T1567.002", "attack_object_name": "Exfiltration to Cloud Storage", "capability_group": "cloud_endpoints", "score_category": "protect", "score_value": "partial", "related_score": "T1567", "comments": "Cloud Endpoints can place restrictions on which apps can be installed and accessed on enrolled devices, preventing exfiltration of sensitive information from compromised endpoints to cloud storage. Note: the app-restriction capability described here corresponds to the Google Workspace endpoint management documentation cited in the references (support.google.com/a/answer/1734200); Cloud Endpoints itself is an API management product, so this mapping should be verified against the intended product.", "references": ["https://cloud.google.com/endpoints/docs", "https://cloud.google.com/endpoints/docs/frameworks/python/migrating", "https://support.google.com/a/answer/1734200"]}, {"capability_id": "cloud_ids", "capability_description": "Cloud IDS", "mapping_type": "technique_scores", "attack_object_id": "T1567.002", "attack_object_name": "Exfiltration to Cloud Storage", "capability_group": "cloud_ids", "score_category": "detect", "score_value": "significant", "related_score": "T1567", "comments": "Cloud storage services are often used by adversaries to exfiltrate sensitive data. The Palo Alto Networks spyware signatures used by Cloud IDS are able to detect data exfiltration attempts over command and control communications (e.g., web shells).\n\nAlthough there are multiple ways an attacker could exfiltrate data from a compromised system, this technique was scored as significant based on Palo Alto Networks' advanced threat detection technology, which is constantly updated to detect the latest known variations of these attacks.", "references": ["https://cloud.google.com/intrusion-detection-system", "https://docs.paloaltonetworks.com/pan-os/10-0/pan-os-admin/threat-prevention/threat-signatures"]}, {"capability_id": "security_command_center", "capability_description": "Security Command Center", 
"mapping_type": "technique_scores", "attack_object_id": "T1567.002", "attack_object_name": "Exfiltration to Cloud Storage", "capability_group": "security_command_center", "score_category": "detect", "score_value": "significant", "related_score": "T1567", "comments": "SCC ingests BigQueryAudit data access logs used to track sensitive data that is saved to a cloud storage (e.g., Google Drive). This security solution detects exfiltration attacks that were attempted and completed to an external or public resource. Because of the near-real time temporal factor this control was graded as significant.", "references": ["https://cloud.google.com/security-command-center/docs/concepts-security-command-center-overview", "https://github.com/GoogleCloudPlatform/security-analytics"]}, {"capability_id": "google_secops", "capability_description": "Google Security Operations", "mapping_type": "technique_scores", "attack_object_id": "T1569", "attack_object_name": "System Services", "capability_group": "google_secops", "score_category": "detect", "score_value": "minimal", "comments": "Google Security Ops is able to trigger alerts based off command-line arguments and suspicious system process that could indicate abuse of system services. 
\n\nThis technique was scored as minimal based on low or uncertain detection coverage factor.\n\nhttps://github.com/chronicle/detection-rules/blob/783e0e5947774785db1c55041b70176deeca6f46/soc_prime_rules/threat_hunting/process_creation/suspicious_calculator_usage.yaral\n\nhttps://github.com/chronicle/detection-rules/blob/783e0e5947774785db1c55041b70176deeca6f46/soc_prime_rules/threat_hunting/windows/abusing_attrib_exe_to_change_file_attributes.yaral", "references": ["https://cloud.google.com/security/products/security-operations", "https://cloud.google.com/chronicle/docs/secops/secops-overview", "https://github.com/chronicle/detection-rules"]}, {"capability_id": "google_secops", "capability_description": "Google Security Operations", "mapping_type": "technique_scores", "attack_object_id": "T1569.002", "attack_object_name": "Service Execution", "capability_group": "google_secops", "score_category": "detect", "score_value": "minimal", "related_score": "T1569", "comments": "Google Security Ops is able to trigger alerts based off command-line arguments and suspicious system process that could indicate abuse of Windows system service to execute malicious commands or code (e.g., \"*\\\\execute\\.bat\"). 
\n\nThis technique was scored as minimal based on low or uncertain detection coverage factor.\n\nhttps://github.com/chronicle/detection-rules/blob/783e0e5947774785db1c55041b70176deeca6f46/soc_prime_rules/threat_hunting/windows/smbexec_py_service_installation.yaral", "references": ["https://cloud.google.com/security/products/security-operations", "https://cloud.google.com/chronicle/docs/secops/secops-overview", "https://github.com/chronicle/detection-rules"]}, {"capability_id": "vpc_service_controls", "capability_description": "VPC Service Controls", "mapping_type": "technique_scores", "attack_object_id": "T1570", "attack_object_name": "Lateral Tool Transfer", "capability_group": "vpc_service_controls", "score_category": "protect", "score_value": "minimal", "comments": "VPC security perimeters can segment private resources to deny ingress and egress traffic based on organizational policies. Because this tool does not prevent attacks from valid accounts or compromised machines, it was scored as  minimal.", "references": ["https://cloud.google.com/vpc-service-controls/docs"]}, {"capability_id": "cloud_ngfw", "capability_description": "Cloud Next-Generation Firewall (NGFW)_", "mapping_type": "technique_scores", "attack_object_id": "T1571", "attack_object_name": "Non-Standard Port", "capability_group": "cloud_ngfw", "score_category": "protect", "score_value": "significant", "comments": "Cloud NGFW can allow or deny traffic based on the traffic's protocol, destination ports, sources, and destinations. This functionality can be used to restrict which protocols and port numbers are allowed through the firewall and prevent adversaries from using non-standard ports. 
As a result, this mapping is given a score of Significant.", "references": ["https://cloud.google.com/firewalls"]}, {"capability_id": "cloud_ngfw", "capability_description": "Cloud Next-Generation Firewall (NGFW)_", "mapping_type": "technique_scores", "attack_object_id": "T1572", "attack_object_name": "Protocol Tunneling", "capability_group": "cloud_ngfw", "score_category": "protect", "score_value": "partial", "comments": "Cloud NGFW can allow or deny traffic based on the traffic's protocol, destination ports, sources, and destinations. This functionality can be used to block traffic from known bad IP addresses and domains which could protect against protocol tunneling by adversaries. This mapping is given a score of partial because it only blocks known bad IP addresses and domains and does not protect against unknown ones.", "references": ["https://cloud.google.com/firewalls"]}, {"capability_id": "google_secops", "capability_description": "Google Security Operations", "mapping_type": "technique_scores", "attack_object_id": "T1574", "attack_object_name": "Hijack Execution Flow", "capability_group": "google_secops", "score_category": "detect", "score_value": "minimal", "comments": "Google Security Ops is able to trigger alerts based on suspicious system processes that could indicate hijacking via malicious payloads.\n\nThis technique was scored as minimal based on low or uncertain detection coverage factor.\n\nhttps://github.com/chronicle/detection-rules/blob/783e0e5947774785db1c55041b70176deeca6f46/soc_prime_rules/threat_hunting/antivirus/detects_powershell_attack__via_av_ids.yaral", "references": ["https://cloud.google.com/security/products/security-operations", "https://cloud.google.com/chronicle/docs/secops/secops-overview", "https://github.com/chronicle/detection-rules"]}, {"capability_id": "google_secops", "capability_description": "Google Security Operations", "mapping_type": "technique_scores", "attack_object_id": "T1574.007", "attack_object_name": "Path 
Interception by PATH Environment Variable", "capability_group": "google_secops", "score_category": "detect", "score_value": "minimal", "related_score": "T1574", "comments": "Google Security Ops is able to trigger alerts based on suspicious system processes that could indicate hijacking via malicious payloads (e.g., Windows unquoted search path exploitation \"\"C:\\\\InventoryWebServer.exe\"\"). Note that unquoted search path abuse is catalogued in ATT&CK as T1574.009 (Path Interception by Unquoted Path) rather than T1574.007, so this example should be re-verified against the intended sub-technique.\n\nThis technique was scored as minimal based on low or uncertain detection coverage factor.", "references": ["https://cloud.google.com/security/products/security-operations", "https://cloud.google.com/chronicle/docs/secops/secops-overview", "https://github.com/chronicle/detection-rules"]}, {"capability_id": "google_secops", "capability_description": "Google Security Operations", "mapping_type": "technique_scores", "attack_object_id": "T1578", "attack_object_name": "Modify Cloud Compute Infrastructure", "capability_group": "google_secops", "score_category": "detect", "score_value": "minimal", "comments": "Google Security Ops is able to trigger an alert based on changes to the infrastructure (e.g., VPC network changes).\n\nThis technique was scored as minimal based on low or uncertain detection coverage factor.\n\nhttps://github.com/chronicle/detection-rules/blob/783e0e5947774785db1c55041b70176deeca6f46/gcp_cloudaudit/gcp_vpc_network_changes.yaral", "references": ["https://cloud.google.com/security/products/security-operations", "https://cloud.google.com/chronicle/docs/secops/secops-overview", "https://github.com/chronicle/detection-rules"]}, {"capability_id": "policy_intelligence", "capability_description": "Policy Intelligence", "mapping_type": "technique_scores", "attack_object_id": "T1578", "attack_object_name": "Modify Cloud Compute Infrastructure", "capability_group": "policy_intelligence", "score_category": "protect", "score_value": "partial", "comments": "Policy Intelligence role recommendations generated by IAM Recommender help admins remove unwanted access to GCP 
resources by using machine learning to make smart access control recommendations. With Recommender, security teams can automatically detect overly permissive access and rightsize them based on similar users in the organization and their access patterns. This control may mitigate adversaries that attempt to use excess permissions on a compromised account to modify infrastructure components; it reduces the permissions available rather than blocking the modifications themselves.", "references": ["https://cloud.google.com/policy-intelligence"]}, {"capability_id": "security_command_center", "capability_description": "Security Command Center", "mapping_type": "technique_scores", "attack_object_id": "T1578", "attack_object_name": "Modify Cloud Compute Infrastructure", "capability_group": "security_command_center", "score_category": "detect", "score_value": "significant", "comments": "SCC detects changes to the cloud infrastructure and resources which could indicate malicious behavior (e.g., deleting instances, creating snapshots, reverting a cloud instance). This security solution helps detect modifications potentially used to remove evidence and evade defenses. Because of the near-real time temporal factor and high detection coverage this control was graded as significant.", "references": ["https://cloud.google.com/security-command-center/docs/concepts-security-command-center-overview", "https://github.com/GoogleCloudPlatform/security-analytics"]}, {"capability_id": "identity_platform", "capability_description": "Identity Platform", "mapping_type": "technique_scores", "attack_object_id": "T1580", "attack_object_name": "Cloud Infrastructure Discovery", "capability_group": "identity_platform", "score_category": "protect", "score_value": "partial", "comments": "Identity Platform is a customer identity and access management (CIAM) platform that helps organizations add identity and access management functionality to their applications, protect user accounts, and scale with confidence on Google Cloud. 
With this, permissions are limited to discover cloud accounts in accordance with least privilege.", "references": ["https://cloud.google.com/identity-platform/docs/concepts"]}, {"capability_id": "policy_intelligence", "capability_description": "Policy Intelligence", "mapping_type": "technique_scores", "attack_object_id": "T1580", "attack_object_name": "Cloud Infrastructure Discovery", "capability_group": "policy_intelligence", "score_category": "protect", "score_value": "minimal", "comments": "Policy Intelligence role recommendations generated by IAM Recommender help admins remove unwanted access to GCP resources by using machine learning to make smart access control recommendations. With Recommender, security teams can automatically detect overly permissive access and rightsize them based on similar users in the organization and their access patterns. This control may mitigate adversaries that try to enumerate users access keys through VM or snapshots.", "references": ["https://cloud.google.com/policy-intelligence"]}, {"capability_id": "resource_manager", "capability_description": "Resource Manager", "mapping_type": "technique_scores", "attack_object_id": "T1580", "attack_object_name": "Cloud Infrastructure Discovery", "capability_group": "resource_manager", "score_category": "protect", "score_value": "significant", "comments": "Resource Manager can easily modify your Cloud Identity and Access Management policies for your organization and folders, and the changes will apply across all the projects and resources. Create and manage IAM access control policies for your organization and projects. 
This control may prevent adversaries that try to discover resources by placing a limit on discovery of these resources with least privilege.", "references": ["https://cloud.google.com/resource-manager/docs/cloud-platform-resource-hierarchy"]}, {"capability_id": "resource_manager", "capability_description": "Resource Manager", "mapping_type": "technique_scores", "attack_object_id": "T1580", "attack_object_name": "Cloud Infrastructure Discovery", "capability_group": "resource_manager", "score_category": "detect", "score_value": "minimal", "comments": "GCP allows configuration of account policies to enable logging and IAM permissions and roles that may detect compromised user attempts to discover infrastructure and resources.", "references": ["https://cloud.google.com/resource-manager/docs/cloud-platform-resource-hierarchy"]}, {"capability_id": "google_secops", "capability_description": "Google Security Operations", "mapping_type": "technique_scores", "attack_object_id": "T1584.002", "attack_object_name": "DNS Server", "capability_group": "google_secops", "score_category": "detect", "score_value": "minimal", "related_score": "T1584", "comments": "Google Security Ops monitors and generates alerts for DNS creation or deletion activity from non-service accounts.\n\nThis technique was scored as minimal based on low or uncertain detection coverage factor.\n\nhttps://github.com/chronicle/detection-rules/blob/783e0e5947774785db1c55041b70176deeca6f46/gcp_cloudaudit/gcp_dns_modification.yaral", "references": ["https://cloud.google.com/security/products/security-operations", "https://cloud.google.com/chronicle/docs/secops/secops-overview", "https://github.com/chronicle/detection-rules"]}, {"capability_id": "cloud_hsm", "capability_description": "Cloud Hardware Security Module (HSM)", "mapping_type": "technique_scores", "attack_object_id": "T1588", "attack_object_name": "Obtain Capabilities", "capability_group": "cloud_hsm", "score_category": "protect", "score_value": "partial", 
"comments": "Google Cloud's HSM may protect against adversary's attempts to obtain capabilities by compromising code signing certificates that will be used to run compromised code and other tampered executables. Variations of this technique are difficult to mitigate, so a partial score was granted for this control's medium to high coverage factor.", "references": ["https://cloud.google.com/kms/docs/hsm"]}, {"capability_id": "cloud_key_management", "capability_description": "Cloud Key Management", "mapping_type": "technique_scores", "attack_object_id": "T1588", "attack_object_name": "Obtain Capabilities", "capability_group": "cloud_key_management", "score_category": "protect", "score_value": "partial", "comments": "This control manages symmetric and asymmetric cryptographic keys for cloud services and protects against stealing credentials, certificates, keys from the organization.", "references": ["https://cloud.google.com/security-key-management"]}, {"capability_id": "google_secops", "capability_description": "Google Security Operations", "mapping_type": "technique_scores", "attack_object_id": "T1588", "attack_object_name": "Obtain Capabilities", "capability_group": "google_secops", "score_category": "detect", "score_value": "minimal", "comments": "Google Security Ops is able to trigger alerts based off suspicious system processes, such as binaries in use on Windows machines. 
For example: PsExec is a free Microsoft tool that can be used to escalate privileges from administrator to SYSTEM with the -s argument, download files over a network share, and remotely create accounts.\n\nThis technique was scored as minimal based on low or uncertain detection coverage factor.\n\nhttps://github.com/chronicle/detection-rules/blob/783e0e5947774785db1c55041b70176deeca6f46/soc_prime_rules/threat_hunting/windows/suspicious_psexec_execution.yaral", "references": ["https://cloud.google.com/security/products/security-operations", "https://cloud.google.com/chronicle/docs/secops/secops-overview", "https://github.com/chronicle/detection-rules"]}, {"capability_id": "google_secops", "capability_description": "Google Security Operations", "mapping_type": "technique_scores", "attack_object_id": "T1588.002", "attack_object_name": "Tool", "capability_group": "google_secops", "score_category": "detect", "score_value": "minimal", "related_score": "T1588", "comments": "Google Security Ops is able to trigger alerts based off command-line arguments and suspicious system process that could indicate a tool being used for malicious purposes on Windows machines. 
For example: PsExec is a free Microsoft tool that can be used to execute a program on another computer.\n\nThis technique was scored as minimal based on low or uncertain detection coverage factor.\n\nhttps://github.com/chronicle/detection-rules/blob/783e0e5947774785db1c55041b70176deeca6f46/soc_prime_rules/threat_hunting/windows/suspicious_psexec_execution.yaral\n\nhttps://github.com/chronicle/detection-rules/blob/783e0e5947774785db1c55041b70176deeca6f46/soc_prime_rules/ioc_sigma/sysmon/psexec_detector.yaral\n\nhttps://github.com/chronicle/detection-rules/blob/783e0e5947774785db1c55041b70176deeca6f46/soc_prime_rules/threat_hunting/process_creation/psexec_service_start.yaral", "references": ["https://cloud.google.com/security/products/security-operations", "https://cloud.google.com/chronicle/docs/secops/secops-overview", "https://github.com/chronicle/detection-rules"]}, {"capability_id": "cloud_hsm", "capability_description": "Cloud Hardware Security Module (HSM)", "mapping_type": "technique_scores", "attack_object_id": "T1588.003", "attack_object_name": "Code Signing Certificates", "capability_group": "cloud_hsm", "score_category": "protect", "score_value": "partial", "related_score": "T1588", "comments": "Google Cloud's HSM may protect against adversaries' attempts to compromise code signing certificates that can be used during targeting to run compromised code and other tampered executables, since the private signing keys are generated and held inside the HSM rather than being exported to hosts where they could be stolen. 
Variations of this technique are difficult to mitigate, so a partial score was granted for this control's medium to high coverage factor.", "references": ["https://cloud.google.com/kms/docs/hsm"]}, {"capability_id": "cloud_key_management", "capability_description": "Cloud Key Management", "mapping_type": "technique_scores", "attack_object_id": "T1588.003", "attack_object_name": "Code Signing Certificates", "capability_group": "cloud_key_management", "score_category": "protect", "score_value": "partial", "related_score": "T1588", "comments": "This control manages symmetric and asymmetric cryptographic keys for cloud services and protects against stealing credentials, certificates, keys from the organization.", "references": ["https://cloud.google.com/security-key-management"]}, {"capability_id": "cloud_storage", "capability_description": "Cloud Storage", "mapping_type": "technique_scores", "attack_object_id": "T1588.003", "attack_object_name": "Code Signing Certificates", "capability_group": "cloud_storage", "score_category": "protect", "score_value": "partial", "related_score": "T1588", "comments": "The cloud service provider's default encryption setting for data stored and written to disk in the cloud may protect against adversary's attempt to manipulate customer data-at-rest. 
This technique was rated as partial due to the medium to high protect coverage factor against variations of this attack. Note that default encryption at rest is applied transparently by the platform and does not restrict access by principals who hold IAM permissions on the bucket; it protects stored certificate material against access to the underlying storage media, not against API-level access.", "references": ["https://cloud.google.com/storage/docs/encryption", "https://cloud.google.com/storage"]}, {"capability_id": "cloud_hsm", "capability_description": "Cloud Hardware Security Module (HSM)", "mapping_type": "technique_scores", "attack_object_id": "T1588.004", "attack_object_name": "Digital Certificates", "capability_group": "cloud_hsm", "score_category": "protect", "score_value": "partial", "related_score": "T1588", "comments": "Google Cloud's HSM may protect against adversaries' attempts to compromise digital certificates that can be used to encrypt data-in-transit or tamper with the certificate owner's communications. Variations of this technique are difficult to mitigate, so a partial score was granted for this control's medium to high coverage factor.", "references": ["https://cloud.google.com/kms/docs/hsm"]}, {"capability_id": "cloud_key_management", "capability_description": "Cloud Key Management", "mapping_type": "technique_scores", "attack_object_id": "T1588.004", "attack_object_name": "Digital Certificates", "capability_group": "cloud_key_management", "score_category": "protect", "score_value": "partial", "related_score": "T1588", "comments": "This control manages symmetric and asymmetric cryptographic keys for cloud services and protects against theft of credentials, certificates and keys from the organization.", "references": ["https://cloud.google.com/security-key-management"]}, {"capability_id": "cloud_storage", "capability_description": "Cloud Storage", "mapping_type": "technique_scores", "attack_object_id": "T1588.004", "attack_object_name": "Digital Certificates", "capability_group": "cloud_storage", "score_category": "protect", "score_value": "partial", "related_score": "T1588", "comments": "The cloud service provider's default encryption setting for data stored and written to disk in the cloud may protect against 
adversary's attempt to manipulate customer data-at-rest. This technique was rated as partial due to the medium to high protect coverage factor against variations of this attack.", "references": ["https://cloud.google.com/storage/docs/encryption", "https://cloud.google.com/storage"]}, {"capability_id": "security_command_center", "capability_description": "Security Command Center", "mapping_type": "technique_scores", "attack_object_id": "T1589.001", "attack_object_name": "Credentials", "capability_group": "security_command_center", "score_category": "protect", "score_value": "significant", "related_score": "T1589", "comments": "SCC has the capability to disable user account after detecting a related account password leak. Because of the near-real time temporal factor to detect against this cyber-attack the control was graded as significant.", "references": ["https://cloud.google.com/security-command-center/docs/concepts-security-command-center-overview", "https://github.com/GoogleCloudPlatform/security-analytics"]}, {"capability_id": "cloud_ngfw", "capability_description": "Cloud Next-Generation Firewall (NGFW)_", "mapping_type": "technique_scores", "attack_object_id": "T1590", "attack_object_name": "Gather Victim Network Information", "capability_group": "cloud_ngfw", "score_category": "protect", "score_value": "partial", "comments": "Cloud NGFW can allow or deny traffic based on the traffic's protocol, destination ports, sources, and destinations. This functionality can be used to restrict access to the endpoints within the virtual private cloud and protect against adversaries gathering information about the network. 
While this mapping supports most of the sub-techniques (4 of 6), it is only given a score of Partial because it only protects against attempts to gather information via scanning that originate from outside the firewall, and it does not protect against phishing.", "references": ["https://cloud.google.com/firewalls"]}, {"capability_id": "vpc_service_controls", "capability_description": "VPC Service Controls", "mapping_type": "technique_scores", "attack_object_id": "T1590", "attack_object_name": "Gather Victim Network Information", "capability_group": "vpc_service_controls", "score_category": "protect", "score_value": "significant", "comments": "VPC security perimeters can limit the impact from active scanning techniques used to gain further information about the target environment.", "references": ["https://cloud.google.com/vpc-service-controls/docs"]}, {"capability_id": "vpc_service_controls", "capability_description": "VPC Service Controls", "mapping_type": "technique_scores", "attack_object_id": "T1590.004", "attack_object_name": "Network Topology", "capability_group": "vpc_service_controls", "score_category": "protect", "score_value": "significant", "related_score": "T1590", "comments": "VPC security perimeters can limit the impact from active scanning techniques used to gain further information about the target environment.", "references": ["https://cloud.google.com/vpc-service-controls/docs"]}, {"capability_id": "vpc_service_controls", "capability_description": "VPC Service Controls", "mapping_type": "technique_scores", "attack_object_id": "T1590.005", "attack_object_name": "IP Addresses", "capability_group": "vpc_service_controls", "score_category": "protect", "score_value": "significant", "related_score": "T1590", "comments": "VPC security perimeters can limit the impact from active scanning techniques used to gain further information about the target environment.", "references": ["https://cloud.google.com/vpc-service-controls/docs"]}, {"capability_id": 
"cloud_ngfw", "capability_description": "Cloud Next-Generation Firewall (NGFW)_", "mapping_type": "technique_scores", "attack_object_id": "T1595", "attack_object_name": "Active Scanning", "capability_group": "cloud_ngfw", "score_category": "protect", "score_value": "partial", "comments": "Cloud NGFW can allow or deny traffic based on the traffic's protocol, destination ports, sources, and destinations. This functionality can be used to restrict access to the endpoints within the virtual private cloud and protect against active scanning. While this mapping supports both sub-techniques (2 of 2), this mapping is given a score of Partial because it only protects against active scanning attacks that originate from outside the firewall and not from within the network protected by the firewall.", "references": ["https://cloud.google.com/firewalls"]}, {"capability_id": "vpc_service_controls", "capability_description": "VPC Service Controls", "mapping_type": "technique_scores", "attack_object_id": "T1595", "attack_object_name": "Active Scanning", "capability_group": "vpc_service_controls", "score_category": "protect", "score_value": "significant", "comments": "VPC security perimeters can limit the impact from active scanning and lateral movement techniques used to exploit the target environment.", "references": ["https://cloud.google.com/vpc-service-controls/docs"]}, {"capability_id": "vpc_service_controls", "capability_description": "VPC Service Controls", "mapping_type": "technique_scores", "attack_object_id": "T1595.001", "attack_object_name": "Scanning IP Blocks", "capability_group": "vpc_service_controls", "score_category": "protect", "score_value": "significant", "related_score": "T1595", "comments": "VPC security perimeters can limit the impact from active scanning on private networks and lateral movement techniques used to exploit target environments.", "references": ["https://cloud.google.com/vpc-service-controls/docs"]}, {"capability_id": "web_risk", 
"capability_description": "Web Risk", "mapping_type": "technique_scores", "attack_object_id": "T1598", "attack_object_name": "Phishing for Information", "capability_group": "web_risk", "score_category": "protect", "score_value": "partial", "comments": "Web Risk allows client applications to check URLs against Google's list of unsafe web resources. It also can provide warnings when attempting to access potentially unsafe sites. However, Google cannot guarantee that its information is comprehensive and error-free: some risky sites may not be identified, and some safe sites may be classified in error. This has resulted in an overall score of Partial.", "references": ["https://cloud.google.com/web-risk/docs/overview"]}, {"capability_id": "virus_total", "capability_description": "Virus Total", "mapping_type": "technique_scores", "attack_object_id": "T1598.003", "attack_object_name": "Spearphishing Link", "capability_group": "virus_total", "score_category": "protect", "score_value": "significant", "related_score": "T1598", "comments": "Adversaries may send spearphishing messages with a malicious link to elicit sensitive information that can be used during targeting. VirusTotal Graph is a visualization tool built on top of the VirusTotal data set. 
It analyzes the relationship between files, URLs, domains, IP addresses, and other items encountered.", "references": ["https://cloud.google.com/architecture/automating-malware-scanning-for-documents-uploaded-to-cloud-storage", "https://cloud.google.com/chronicle/docs/investigation/view-virustotal-information", "https://assets.virustotal.com/vt-360-outcomes.pdf"]}, {"capability_id": "web_risk", "capability_description": "Web Risk", "mapping_type": "technique_scores", "attack_object_id": "T1598.003", "attack_object_name": "Spearphishing Link", "capability_group": "web_risk", "score_category": "protect", "score_value": "partial", "related_score": "T1598", "comments": "Web Risk allows client applications to check URLs against Google's list of unsafe web resources. It also can provide warnings when attempting to access potentially unsafe sites. However, Google cannot guarantee that its information is comprehensive and error-free: some risky sites may not be identified, and some safe sites may be classified in error. This has resulted in an overall score of Partial.", "references": ["https://cloud.google.com/web-risk/docs/overview"]}, {"capability_id": "binary_authorization", "capability_description": "Binary Authorization", "mapping_type": "technique_scores", "attack_object_id": "T1601", "attack_object_name": "Modify System Image", "capability_group": "binary_authorization", "score_category": "protect", "score_value": "significant", "comments": "Each image is digitally signed by a signer using a private key. 
At deploy time, the enforcer uses the attester's public key to verify the signature in the attestation.", "references": ["https://cloud.google.com/binary-authorization/docs/overview", "https://cloud.google.com/binary-authorization/docs/attestations"]}, {"capability_id": "vpc_service_controls", "capability_description": "VPC Service Controls", "mapping_type": "technique_scores", "attack_object_id": "T1602", "attack_object_name": "Data from Configuration Repository", "capability_group": "vpc_service_controls", "score_category": "protect", "score_value": "significant", "comments": "VPC security perimeters can isolate resources and limit the impact from lateral movement techniques used to access sensitive data.", "references": ["https://cloud.google.com/vpc-service-controls/docs"]}, {"capability_id": "gke_enterprise", "capability_description": "GKE Enterprise", "mapping_type": "technique_scores", "attack_object_id": "T1609", "attack_object_name": "Container Administration Command", "capability_group": "gke_enterprise", "score_category": "protect", "score_value": "partial", "comments": "GKE Enterprise incorporates the Anthos Config Management feature to create and manage Kubernetes objects across multiple clusters at once. PodSecurityPolicies can be enforced to prevent Pods from using the root Linux user and prevent pods from running privileged containers. In this way it can ensure containers are not running as root by default. 
", "references": ["https://cloud.google.com/kubernetes-engine/enterprise/docs"]}, {"capability_id": "google_kubernetes_engine", "capability_description": "Google Kubernetes Engine", "mapping_type": "technique_scores", "attack_object_id": "T1609", "attack_object_name": "Container Administration Command", "capability_group": "google_kubernetes_engine", "score_category": "protect", "score_value": "partial", "comments": "This control may provide information about vulnerabilities within container images, such as the risk from remote management of a deployed container. With the right permissions, an adversary could escalate to remote code execution in the Kubernetes cluster.", "references": ["https://cloud.google.com/kubernetes-engine/docs/concepts/access-control", "https://cloud.google.com/kubernetes-engine/docs/concepts/cis-benchmarks#how_to_audit_benchmarks"]}, {"capability_id": "artifact_analysis", "capability_description": "Artifact Analysis", "mapping_type": "technique_scores", "attack_object_id": "T1610", "attack_object_name": "Deploy Container", "capability_group": "artifact_analysis", "score_category": "protect", "score_value": "partial", "comments": "Artifact Analysis performs vulnerability scans on artifacts in Artifact Registry or Container Registry (deprecated). When Artifact Analysis is deployed, it can detect known vulnerabilities in Docker containers. This information can be used to detect malicious implanted images in the environment. 
This control does not directly protect against exploitation.", "references": ["https://cloud.google.com/artifact-analysis/docs/artifact-analysis", "https://cloud.google.com/container-analysis/docs/container-scanning-overview", "https://cloud.google.com/container-registry/docs/container-analysis"]}, {"capability_id": "binary_authorization", "capability_description": "Binary Authorization", "mapping_type": "technique_scores", "attack_object_id": "T1610", "attack_object_name": "Deploy Container", "capability_group": "binary_authorization", "score_category": "protect", "score_value": "significant", "comments": "Based on configured policies, Binary Authorization allows or blocks deployment of container images.", "references": ["https://cloud.google.com/binary-authorization/docs/overview", "https://cloud.google.com/binary-authorization/docs/attestations"]}, {"capability_id": "gke_enterprise", "capability_description": "GKE Enterprise", "mapping_type": "technique_scores", "attack_object_id": "T1610", "attack_object_name": "Deploy Container", "capability_group": "gke_enterprise", "score_category": "protect", "score_value": "partial", "comments": "GKE Enterprise incorporates the Anthos Config Management Policy Controller feature to enforce fully programmable policies on your clusters. You can use these policies to shift security left and guard against violations during development and test time, as well as runtime violations. This control can be used to block adversaries that try to deploy new containers with malware or configuration policies that are not in compliance with security policies already defined. 
", "references": ["https://cloud.google.com/kubernetes-engine/enterprise/docs"]}, {"capability_id": "google_kubernetes_engine", "capability_description": "Google Kubernetes Engine", "mapping_type": "technique_scores", "attack_object_id": "T1610", "attack_object_name": "Deploy Container", "capability_group": "google_kubernetes_engine", "score_category": "protect", "score_value": "partial", "comments": "Kubernetes role-based access control (RBAC) uses granular permissions to control access to resources within projects and objects within Kubernetes clusters.", "references": ["https://cloud.google.com/kubernetes-engine/docs/concepts/access-control", "https://cloud.google.com/kubernetes-engine/docs/concepts/cis-benchmarks#how_to_audit_benchmarks"]}, {"capability_id": "gke_enterprise", "capability_description": "GKE Enterprise", "mapping_type": "technique_scores", "attack_object_id": "T1611", "attack_object_name": "Escape to Host", "capability_group": "gke_enterprise", "score_category": "protect", "score_value": "partial", "comments": "GKE Enterprise incorporates the Anthos Config Management feature to create and manage Kubernetes objects across multiple clusters at once. PodSecurityPolicies can be enforced to prevent Pods from using the root Linux user and prevent pods from running privileged containers. 
This control can be used to limit container access to host process namespaces, the host network, and the host file system, access that could otherwise enable adversaries to break out of containers and gain access to the underlying host.", "references": ["https://cloud.google.com/kubernetes-engine/enterprise/docs"]}, {"capability_id": "google_kubernetes_engine", "capability_description": "Google Kubernetes Engine", "mapping_type": "technique_scores", "attack_object_id": "T1611", "attack_object_name": "Escape to Host", "capability_group": "google_kubernetes_engine", "score_category": "protect", "score_value": "partial", "comments": "By default, GKE nodes use Google's Container-Optimized OS to enhance the security of GKE clusters, including: Read-only filesystem, limited user accounts, and disabled root login.", "references": ["https://cloud.google.com/kubernetes-engine/docs/concepts/access-control", "https://cloud.google.com/kubernetes-engine/docs/concepts/cis-benchmarks#how_to_audit_benchmarks"]}, {"capability_id": "google_kubernetes_engine", "capability_description": "Google Kubernetes Engine", "mapping_type": "technique_scores", "attack_object_id": "T1611", "attack_object_name": "Escape to Host", "capability_group": "google_kubernetes_engine", "score_category": "detect", "score_value": "partial", "comments": "GKE provides the ability to audit against a Center for Internet Security (CIS) Benchmark which is a set of recommendations for configuring Kubernetes to support a strong security posture. 
The Benchmark is tied to a specific Kubernetes release.", "references": ["https://cloud.google.com/kubernetes-engine/docs/concepts/access-control", "https://cloud.google.com/kubernetes-engine/docs/concepts/cis-benchmarks#how_to_audit_benchmarks"]}, {"capability_id": "binary_authorization", "capability_description": "Binary Authorization", "mapping_type": "technique_scores", "attack_object_id": "T1612", "attack_object_name": "Build Image on Host", "capability_group": "binary_authorization", "score_category": "protect", "score_value": "significant", "comments": "Each container image generated is digitally signed by a signer using a private key to generate the attestation report. At deploy time, the enforcer uses the attester's public key to verify the signature and blocks the deployment if verification fails.", "references": ["https://cloud.google.com/binary-authorization/docs/overview", "https://cloud.google.com/binary-authorization/docs/attestations"]}, {"capability_id": "gke_enterprise", "capability_description": "GKE Enterprise", "mapping_type": "technique_scores", "attack_object_id": "T1613", "attack_object_name": "Container and Resource Discovery", "capability_group": "gke_enterprise", "score_category": "protect", "score_value": "significant", "comments": "Adversaries may attempt to discover containers and other resources that are available within a containers environment. 
GKE Enterprise incorporates the Anthos Config Management \"Network Policies\" rule to control the network traffic inside clusters, denying direct remote access to internal systems through the use of network proxies, gateways, and firewalls.", "references": ["https://cloud.google.com/kubernetes-engine/enterprise/docs"]}, {"capability_id": "google_kubernetes_engine", "capability_description": "Google Kubernetes Engine", "mapping_type": "technique_scores", "attack_object_id": "T1613", "attack_object_name": "Container and Resource Discovery", "capability_group": "google_kubernetes_engine", "score_category": "protect", "score_value": "partial", "comments": "By default, GKE nodes use Google's Container-Optimized OS to enhance the security of GKE clusters, including: Locked down firewall, read-only filesystem, limited user accounts, and disabled root login.", "references": ["https://cloud.google.com/kubernetes-engine/docs/concepts/access-control", "https://cloud.google.com/kubernetes-engine/docs/concepts/cis-benchmarks#how_to_audit_benchmarks"]}, {"capability_id": "identity_and_access_management", "capability_description": "Identity and Access Management", "mapping_type": "technique_scores", "attack_object_id": "T1613", "attack_object_name": "Container and Resource Discovery", "capability_group": "identity_and_access_management", "score_category": "protect", "score_value": "minimal", "comments": "GCP Identity and Access Management allows admins to control access to Container Registry hosts with Cloud Storage permissions. Specific accounts can be assigned roles and Container Registry uses Cloud Storage buckets as the underlying storage for container images. 
This control can help mitigate adversaries that may attempt to discover resources, including images and containers, by controlling access to images through the permissions granted on the bucket for a registry.", "references": ["https://cloud.google.com/iam"]}, {"capability_id": "resource_manager", "capability_description": "Resource Manager", "mapping_type": "technique_scores", "attack_object_id": "T1613", "attack_object_name": "Container and Resource Discovery", "capability_group": "resource_manager", "score_category": "protect", "score_value": "partial", "comments": "Google Cloud Platform provides resource containers such as organizations, folders, and projects that allow one to group and hierarchically organize other GCP resources. This control may mitigate adversaries that attempt to discover containers and other resources available within a containers environment by denying direct remote access to internal systems through the use of network proxies, gateways, and firewalls.", "references": ["https://cloud.google.com/resource-manager/docs/cloud-platform-resource-hierarchy"]}, {"capability_id": "vpc_service_controls", "capability_description": "VPC Service Controls", "mapping_type": "technique_scores", "attack_object_id": "T1619", "attack_object_name": "Cloud Storage Object Discovery", "capability_group": "vpc_service_controls", "score_category": "protect", "score_value": "partial", "comments": "This control may mitigate against discovery of cloud storage objects. This control is not able to protect metadata, such as cloud storage bucket names, but can protect against discovery of the contents of a storage bucket. 
", "references": ["https://cloud.google.com/vpc-service-controls/docs/overview"]}, {"capability_id": "assured_workloads", "capability_description": "Assured Workloads", "mapping_type": "non_mappable", "attack_object_id": null, "attack_object_name": null, "capability_group": "assured_workloads", "comments": "Assured Workloads does not appear to provide specific mitigation for adversary behaviors. Rather, it focuses on enabling customers to apply other security controls in ways to support regulatory compliance. As a result, we have not mapped any ATT&CK techniques to this capability.", "references": ["https://cloud.google.com/security/products/assured-workloads"]}, {"capability_id": "cloud_logging", "capability_description": "Cloud Logging", "mapping_type": "non_mappable", "attack_object_id": null, "attack_object_name": null, "capability_group": "cloud_logging", "comments": "This capability is considered not mappable because it does not provide mitigation of adversary techniques on its own. Some of the other security controls that this control maps to are Azure DNS Analytics, AWS CloudTrail, AWS S3, and AWS Audit Manager. 
The S3 server access logging feature was not mapped because it was deemed to be a data source that can be used with other detective controls rather than a security control in and of itself.", "references": ["https://cloud.google.com/logging"]}, {"capability_id": "cloud_nat", "capability_description": "Cloud NAT", "mapping_type": "non_mappable", "attack_object_id": null, "attack_object_name": null, "capability_group": "cloud_nat", "comments": "This capability does not appear to provide mitigation for any ATT&CK Techniques.", "references": ["https://cloud.google.com/nat/docs"]}, {"capability_id": "config_connector", "capability_description": "Config Connector", "mapping_type": "non_mappable", "attack_object_id": null, "attack_object_name": null, "capability_group": "config_connector", "comments": "This capability was not mapped as it is not considered a security control but rather an alternative way of deploying and managing Google Cloud.", "references": ["https://cloud.google.com/config-connector/docs/overview"]}, {"capability_id": "data_catalog", "capability_description": "Data Catalog", "mapping_type": "non_mappable", "attack_object_id": null, "attack_object_name": null, "capability_group": "data_catalog", "comments": "This capability is not mapped because the Data Catalog service is not considered a security control capable of defending against MITRE's ATT&CK techniques, and would require the use of a secondary product, such as DLP, for cyber defense.", "references": ["https://cloud.google.com/data-catalog/docs"]}, {"capability_id": "deployment_manager", "capability_description": "Deployment Manager", "mapping_type": "non_mappable", "attack_object_id": null, "attack_object_name": null, "capability_group": "deployment_manager", "comments": "This capability was not mapped because Deployment Manager does not provide a security capability as a stand-alone tool and would require a third party tool (e.g., Terraform) to mitigate attacks such as denial of service.", 
"references": ["https://cloud.google.com/deployment-manager/docs"]}, {"capability_id": "google_threat_intel", "capability_description": "Google Threat Intelligence", "mapping_type": "non_mappable", "attack_object_id": null, "attack_object_name": null, "capability_group": "google_threat_intel", "comments": "This service provides visibility into threats. It does not provide direct mitigation of ATT&CK techniques.", "references": ["https://cloud.google.com/security/products/threat-intelligence"]}, {"capability_id": "hybrid_connectivity", "capability_description": "Hybrid Connectivity", "mapping_type": "non_mappable", "attack_object_id": null, "attack_object_name": null, "capability_group": "hybrid_connectivity", "comments": "This is not a security capability on its own. Security capabilities that fall under the Hybrid Connectivity umbrella are mapped separately (e.g., Cloud VPN).", "references": ["https://cloud.google.com/hybrid-connectivity"]}, {"capability_id": "managed_microsoft_ad", "capability_description": "Managed Service for Microsoft Active Directory", "mapping_type": "non_mappable", "attack_object_id": null, "attack_object_name": null, "capability_group": "managed_microsoft_ad", "comments": "This is an administrative service. It does not provide direct mitigation of ATT&CK techniques.", "references": ["https://cloud.google.com/security/products/managed-microsoft-ad/docs/overview"]}, {"capability_id": "mandiant_academy", "capability_description": "Mandiant Academy", "mapping_type": "non_mappable", "attack_object_id": null, "attack_object_name": null, "capability_group": "mandiant_academy", "comments": "This is a service, not a technical capability. 
It does not directly provide mitigation of ATT&CK techniques.", "references": ["https://cloud.google.com/learn/security/mandiant-academy"]}, {"capability_id": "mandiant_cyber_consult", "capability_description": "Mandiant Cybersecurity Consulting", "mapping_type": "non_mappable", "attack_object_id": null, "attack_object_name": null, "capability_group": "mandiant_cyber_consult", "comments": "This is a service, not a technical capability. It does not directly provide mitigation of ATT&CK techniques.", "references": ["https://cloud.google.com/security/consulting/mandiant-services"]}, {"capability_id": "mandiant_managed_defense", "capability_description": "Mandiant Managed Defense", "mapping_type": "non_mappable", "attack_object_id": null, "attack_object_name": null, "capability_group": "mandiant_managed_defense", "comments": "This is a service, not a technical capability. It does not directly provide mitigation of ATT&CK techniques.", "references": ["https://cloud.google.com/security/products/managed-defense"]}, {"capability_id": "mandiant_ir_services", "capability_description": "Mandiant Incident Response Services", "mapping_type": "non_mappable", "attack_object_id": null, "attack_object_name": null, "capability_group": "mandiant_ir_services", "comments": "This is a service, not a technical capability. It does not directly provide mitigation of ATT&CK techniques.", "references": ["https://cloud.google.com/security/consulting/mandiant-incident-response-services"]}, {"capability_id": "mandiant_security_validation", "capability_description": "Mandiant Security Validation", "mapping_type": "non_mappable", "attack_object_id": null, "attack_object_name": null, "capability_group": "mandiant_security_validation", "comments": "This is a service, not a technical capability. 
It does not directly provide mitigation of ATT&CK techniques.", "references": ["https://cloud.google.com/security/products/mandiant-security-validation"]}, {"capability_id": "packet_mirroring", "capability_description": "Packet Mirroring", "mapping_type": "non_mappable", "attack_object_id": null, "attack_object_name": null, "capability_group": "packet_mirroring", "comments": "This provides the functional ability to clone traffic, but is not considered a stand-alone security control as it requires a secondary security tool (e.g., IDS/IPS) to enable cyber defense and digital forensics.", "references": ["https://cloud.google.com/vpc/docs/packet-mirroring"]}, {"capability_id": "siemplify", "capability_description": "Siemplify", "mapping_type": "non_mappable", "attack_object_id": null, "attack_object_name": null, "capability_group": "siemplify", "comments": "Siemplify primarily acts as a layer for alerts generated by other controls to be collected and trigger mitigation and remediation actions to be taken by other controls provided by the Google Cloud Platform. On its own, Siemplify does not provide mitigation of ATT&CK techniques and is considered non-mappable.", "references": ["https://cloud.google.com/chronicle/docs/soar/marketplace-integrations/siemplify"]}, {"capability_id": "sw_supply_chain_security", "capability_description": "Software Supply Chain Security", "mapping_type": "non_mappable", "attack_object_id": null, "attack_object_name": null, "capability_group": "sw_supply_chain_security", "comments": "This is not a security capability on its own. 
Security capabilities that fall under the Software Supply Chain Security umbrella are mapped separately (e.g., Assured OSS).", "references": ["https://cloud.google.com/security/solutions/software-supply-chain-security"]}, {"capability_id": "terraform_on_google_cloud", "capability_description": "Terraform on Google Cloud", "mapping_type": "non_mappable", "attack_object_id": null, "attack_object_name": null, "capability_group": "terraform_on_google_cloud", "comments": "Terraform's primary function is to support the provisioning of Google resources with configuration management. While Terraform provides some security capabilities specific to Terraform processes (encryption between Terraform clients, encrypting workspace variables, isolation between Terraform executions and Cloud tenants), these capabilities do not necessarily mitigate threats across the entire organization. Therefore, this capability has been identified as not mappable.", "references": ["https://cloud.google.com/docs/terraform"]}]}