Azure

Microsoft Azure is a widely used cloud computing platform provided by Microsoft. Azure offers a range of security capabilities to protect cloud data, applications, and infrastructure from threats. These mappings connect Azure security capabilities to adversary behaviors in MITRE ATT&CK®, providing Azure users with a comprehensive view of how native Azure security capabilities can be used to prevent, detect, and respond to prevalent cloud threats. As a result, Azure users can evaluate the effectiveness of native security controls against specific ATT&CK techniques and take a threat-informed approach to understand, prioritize, and mitigate adversary behaviors that are most important for their environment.

Azure Versions: 04.26.2025, 06.29.2021 ATT&CK Versions: 16.1, 8.2 ATT&CK Domain: Enterprise

Security Stack Mapping Methodology

SELECT VERSIONS

Azure Version

ATT&CK Version

ATT&CK Domain

Capability Groups

ID Capability Group Name Number of Mappings Number of Capabilities
alerts_for_windows_machines Alerts for Windows Machines 110 1
microsoft_sentinel Microsoft Sentinel 186 1
azure_private_link Azure Private Link 15 1
azure_dedicated_hsm Azure Dedicated HSM 8 1
azure_dns_alias_records Azure DNS Alias Records 2 1
alerts_for_azure_cosmos_db Alerts for Azure Cosmos DB 3 1
file_integrity_monitoring File Integrity Monitoring 79 1
azure_backup Azure Backup 9 1
azure_policy Azure Policy 41 1
azure_vpn_gateway Azure VPN Gateway 7 1
advanced_threat_protection_for_azure_sql_database Advanced Threat Protection for Azure SQL Database 8 1
microsoft_antimalware_for_azure Microsoft Antimalware for Azure 21 1
azure_web_application_firewall Azure Web Application Firewall 12 1
azure_dns_analytics Azure DNS Analytics 10 1
just-in-time_vm_access Just-in-Time VM Access 8 1
azure_firewall Azure Firewall 30 1
alerts_for_dns Alerts for DNS 8 1
azure_key_vault Azure Key Vault 5 1
docker_host_hardening Docker Host Hardening 11 1
alerts_for_azure_network_layer Alerts for Azure Network Layer 11 1
azure_ddos_protection Azure DDoS Protection 7 1
azure_network_watcher_traffic_analytics Azure Network Watcher: Traffic Analytics 44 1
azure_role_based_access_control Azure Role-Based Access Control 22 1
azure_update_manager Azure Update Manager 14 1
defender_for_storage Microsoft Defender for Cloud: Defender for Storage 9 1
ai_threat_protection Microsoft Defender for Cloud: AI Threat Protection 4 1
defender_for_apis Microsoft Defender for Cloud: Microsoft Defender for APIs 4 1
defender_for_app_service Microsoft Defender for Cloud: Defender for App Service 84 1
ai_security_recommendations Microsoft Defender for Cloud: AI Security Recommendations 46 1
alerts_for_linux_machines Alerts for Linux Machines 45 1
vulnerability_management Microsoft Defender for Cloud: Vulnerability Management 7 1
defender_for_containers Microsoft Defender for Containers 25 1
defender_for_open_source_databases Microsoft Defender for Open-Source Relational Databases 5 1
devops_security Microsoft Defender for Cloud: DevOps Security 9 1
defender_for_key_vault Microsoft Defender for Key Vault 3 1
defender_for_resource_manager Microsoft Defender for Resource Manager 11 1
azure_network_security_groups Azure Network Security Groups 42 1
defender_for_azure_sql_databases Microsoft Defender for Azure SQL Databases 7 1

All Mappings

This is a very large mapping. To reduce the size, we have only downloaded the first 550 of 972 mappings. Load all data (2.0 MB)

Capability ID Capability Description Category Value ATT&CK ID ATT&CK Name Notes
microsoft_sentinel Microsoft Sentinel detect minimal T1036 Masquerading
Comments
This control provides minimal to partial coverage of a minority of this technique's sub-techniques and a minority of its procedure examples, resulting in an overall score of Minimal.
References
microsoft_sentinel Microsoft Sentinel detect minimal T1003 OS Credential Dumping
Comments
This control can identify one of this technique's sub-techniques when executed via "Powershell Empire cmdlets seen in command line", but does not address other procedures.
References
microsoft_sentinel Microsoft Sentinel detect minimal T1003.001 LSASS Memory
Comments
The Microsoft Sentinel Analytics "Powershell Empire cmdlets seen in command line" query can detect the use of Empire, which contains an implementation of Mimikatz to gather credentials from memory, but does not address other procedures.
References
microsoft_sentinel Microsoft Sentinel detect minimal T1016 System Network Configuration Discovery
Comments
The Microsoft Sentinel Analytics "Powershell Empire cmdlets seen in command line" query can detect the use of Empire, which can acquire network configuration information including DNS servers and network proxies used by a host, but does not address other procedures.
References
microsoft_sentinel Microsoft Sentinel detect minimal T1016.001 Internet Connection Discovery
Comments
Microsoft Sentinel's ability to detect entities scanning the network configuration also covers the scanning of internet connections, providing a detection mechanism against this technique.
References
microsoft_sentinel Microsoft Sentinel detect minimal T1018 Remote System Discovery
Comments
The Microsoft Sentinel Hunting "High reverse DNS count by host" and "Squid malformed requests" queries can indicate potentially malicious reconnaissance aimed at detecting network layout and the presence of network security devices. The Microsoft Sentinel Analytics "Several deny actions registered" query can identify patterns in Azure Firewall incidents, potentially indicating that an adversary is scanning resources on the network, at a default frequency of once per hour. Note that detection only occurs if the firewall prevents the scanning. The Microsoft Sentinel Analytics "Rare client observed with high reverse DNS lookup count" query can detect when a particular IP address performs an unusually high number of reverse DNS lookups and has not been observed doing so previously. The coverage for these queries is minimal resulting in an overall Minimal score.
References
microsoft_sentinel Microsoft Sentinel detect minimal T1021 Remote Services
Comments
This control provides minimal to partial coverage for some of this technique's sub-techniques, resulting in an overall score of Minimal.
References
microsoft_sentinel Microsoft Sentinel detect partial T1021.001 Remote Desktop Protocol
Comments
The Microsoft Sentinel Hunting "anomalous RDP Activity" query can detect potential lateral movement employing RDP. The following Microsoft Sentinel Analytics queries can identify potentially malicious use of RDP: "Anomalous RDP Login Detections", "Multiple RDP connections from Single Systems", "Rare RDP Connections", and "RDP Nesting".
References
microsoft_sentinel Microsoft Sentinel detect minimal T1021.002 SMB/Windows Admin Shares
Comments
The Microsoft Sentinel Hunting "Anomalous Resource Access" query can identify potential lateral movement via use of valid accounts to access network shares (Windows Event 4624:3).
References
microsoft_sentinel Microsoft Sentinel detect minimal T1021.003 Distributed Component Object Model
Comments
The Microsoft Sentinel Analytics "Powershell Empire cmdlets seen in command line" query can detect the use of Empire, which can utilize Invoke-DCOM to leverage remote COM execution for lateral movement, but does not address other procedures.
References
microsoft_sentinel Microsoft Sentinel detect minimal T1021.004 SSH
Comments
The Microsoft Sentinel Analytics "Powershell Empire cmdlets seen in command line" query can detect the use of Empire, which contains modules for executing commands over SSH as well as in-memory VNC agent injection, but does not address other procedures. Microsoft Sentinel Analytics also provides a "New internet-exposed SSH endpoints" query. The coverage for these queries is minimal resulting in an overall Minimal score.
References
microsoft_sentinel Microsoft Sentinel detect minimal T1027 Obfuscated Files or Information
Comments
The Microsoft Sentinel Analytics "Powershell Empire cmdlets seen in command line" query can detect the use of Empire, which can obfuscate commands using Invoke-Obfuscation, but does not address other procedures.
References
microsoft_sentinel Microsoft Sentinel detect minimal T1036.004 Masquerade Task or Service
Comments
The Microsoft Sentinel Hunting "Exes with double file extension and access summary" can identify malicious executable files that have been hidden as other file types.
References
microsoft_sentinel Microsoft Sentinel detect partial T1036.005 Match Legitimate Name or Location
Comments
The Microsoft Sentinel Hunting "Masquerading Files" and "Rare Process Path" queries can detect an adversary attempting to make malicious activity blend in with legitimate commands and files. The Microsoft Sentinel Hunting "Azure DevOps Display Name Changes" query can detect potentially maliicous changes to the DevOps user display name.
References
microsoft_sentinel Microsoft Sentinel detect minimal T1040 Network Sniffing
Comments
The Microsoft Sentinel Analytics "Powershell Empire cmdlets seen in command line" query can detect the use of Empire, which can be used to conduct packet capture on target hosts, but does not address other procedures.
References
microsoft_sentinel Microsoft Sentinel detect minimal T1041 Exfiltration Over C2 Channel
Comments
The Microsoft Sentinel Analytics "Powershell Empire cmdlets seen in command line" query can detect the use of Empire, which can send data gathered from a target through a command and control channel, but does not address other procedures.
References
microsoft_sentinel Microsoft Sentinel detect partial T1046 Network Service Discovery
Comments
The Microsoft Sentinel Analytics "High count of connections by client IP on many ports" query can detect when a given client IP has 30 or more ports used within a 10 minute window, which may indicate malicious scanning. The Microsoft Sentinel Analytics "Powershell Empire cmdlets seen in command line" query can detect scanning via Empire, but does not address other procedures.
References
microsoft_sentinel Microsoft Sentinel detect minimal T1047 Windows Management Instrumentation
Comments
The Microsoft Sentinel Analytics "Gain Code Execution on ADFS Server via Remote WMI Execution" query can detect use of Windows Managemement Instrumentation on ADFS servers. The Microsoft Sentinel Analytics "Powershell Empire cmdlets seen in command line" query can detect WMI use via Empire, but does not address other procedures. The coverage for these queries is minimal (specific to ADFS and Empire) resulting in an overall Minimal score.
References
microsoft_sentinel Microsoft Sentinel detect minimal T1048 Exfiltration Over Alternative Protocol
Comments
This control provides minimal coverage for a minority of this technique's sub-techniques and does not cover all procedure examples, resulting in an overall score of Minimal.
References
microsoft_sentinel Microsoft Sentinel detect minimal T1048.003 Exfiltration Over Unencrypted Non-C2 Protocol
Comments
The following Microsoft Sentinel Hunting queries can identify potential exfiltration: "Abnormally long DNS URI queries" can identify potential exfiltration via DNS. "Multiple users email forwarded to same destination" and "Office Mail Forwarding - Hunting Version" can detect potential exfiltration via email. The Microsoft Sentinel Analytics "Multiple users email forwarded to same destination" query can detect potential exfiltration via email. The coverage for these queries is minimal resulting in an overall Minimal score.
References
microsoft_sentinel Microsoft Sentinel detect minimal T1049 System Network Connections Discovery
Comments
The Microsoft Sentinel Analytics "Powershell Empire cmdlets seen in command line" query can detect the use of Empire, which can enumerate the current network connections of a host, but does not address other procedures.
References
microsoft_sentinel Microsoft Sentinel detect minimal T1053 Scheduled Task/Job
Comments
This control provides minimal to partial coverage of a minority of this technique's sub-techniques, resulting in an overall score of Minimal.
References
microsoft_sentinel Microsoft Sentinel detect partial T1053.003 Cron
Comments
The Microsoft Sentinel Hunting "Editing Linux scheduled tasks through Crontab" query can detect potentially malicious modification of cron jobs.
References
microsoft_sentinel Microsoft Sentinel detect minimal T1053.005 Scheduled Task
Comments
The Microsoft Sentinel Analytics "Powershell Empire cmdlets seen in command line" query can detect the use of Empire, which can interact with the Windows task scheduler, but does not address other procedures.
References
microsoft_sentinel Microsoft Sentinel detect minimal T1055 Process Injection
Comments
The Microsoft Sentinel Analytics "Powershell Empire cmdlets seen in command line" query can detect the use of Empire, which contains multiple modules for injecting into processes, but does not address other procedures.
References
microsoft_sentinel Microsoft Sentinel detect minimal T1056 Input Capture
Comments
This control can identify two of this technique's sub-techniques when executed via "Powershell Empire cmdlets seen in command line", but does not address other procedures.
References
microsoft_sentinel Microsoft Sentinel detect minimal T1056.001 Keylogging
Comments
The Microsoft Sentinel Analytics "Powershell Empire cmdlets seen in command line" query can detect the use of Empire, which includes keylogging capabilities for both Windows and Linux and contains modules that leverage API hooking to carry out tasks, but does not address other procedures.
References
microsoft_sentinel Microsoft Sentinel detect minimal T1056.004 Credential API Hooking
Comments
The Microsoft Sentinel Analytics "Powershell Empire cmdlets seen in command line" query can detect the use of Empire, which includes keylogging capabilities for both Windows and Linux and contains modules that leverage API hooking to carry out tasks, but does not address other procedures.
References
microsoft_sentinel Microsoft Sentinel detect minimal T1057 Process Discovery
Comments
The Microsoft Sentinel Analytics "Powershell Empire cmdlets seen in command line" query can detect the use of Empire, which can find information about processes running on local and remote systems, but does not address other procedures.
References
microsoft_sentinel Microsoft Sentinel detect minimal T1059 Command and Scripting Interpreter
Comments
This control provides minimal coverage for most of this technique's sub-techniques, along with additional mappings for its procedure examples, resulting in an overall score of Minimal. The following Microsoft Sentinel Hunting queries can identify potentially malicious use of command and scripting interpreters that does not map directly to one/more sub-techniques: "Anomalous Code Execution" can identifyanomalous runCommand operations on virtual machines, "Azure CloudShell Usage" can identify potentially malicious use of CloudShell, "New processes observed in last 24 hours", "Rare processes run by Service accounts", and "Rare Custom Script Extension" can identify execution outliers that may suggest misuse. The following Microsoft Sentinel Analytics queries can identify potentially malicious use of command and scripting interpreters that does not map directly to one/more sub-techniques: "New CloudShell User" can identify potentially malicious use of CloudShell, "Rare and Potentially high-risk Office operations" can identify specific rare mailbox-related ccount and permission changes via execution.
References
microsoft_sentinel Microsoft Sentinel detect minimal T1059.001 PowerShell
Comments
The Microsoft Sentinel Analytics "Powershell Empire cmdlets seen in command line" query can identify use of Empire, which leverages PowerShell for the majority of its client-side agent tasks and can conduct PowerShell remoting. The coverage for these queries is minimal (specific to Empire) resulting in an overall Minimal score.
References
microsoft_sentinel Microsoft Sentinel detect minimal T1059.003 Windows Command Shell
Comments
The Microsoft Sentinel Hunting "Cscript script daily summary breakdown" can detect potentially malicious scripting. The Microsoft Sentinel Hunting "Hosts running a rare process with commandline" query can identify uncommon command shell usage that may be malicious. The Microsoft Sentinel Analytics "Powershell Empire cmdlets seen in command line" query can identify use of Empire, which has modules for executing Windows Command Shell scripts. The Microsoft Sentinel Analytics "Base64 encoded Windows process command-lines" query can identify Base64 encoded PE files being launched via the command line.
References
microsoft_sentinel Microsoft Sentinel detect minimal T1059.004 Unix Shell
Comments
The Microsoft Sentinel Hunting "Rare process running on a Linux host" query can identify uncommon shell usage that may be malicious.
References
microsoft_sentinel Microsoft Sentinel detect minimal T1059.005 Visual Basic
Comments
The Microsoft Sentinel Hunting "Cscript script daily summary breakdown" can detect potentially malicious scripting. The Microsoft Sentinel Hunting "Hosts running a rare process with commandline" query can identify uncommon command shell usage that may be malicious.
References
microsoft_sentinel Microsoft Sentinel detect minimal T1059.006 Python
Comments
The Microsoft Sentinel Hunting "Cscript script daily summary breakdown" can detect potentially malicious scripting. The Microsoft Sentinel Hunting "Hosts running a rare process with commandline" query can identify uncommon command shell usage that may be malicious.
References
microsoft_sentinel Microsoft Sentinel detect minimal T1059.007 JavaScript
Comments
The Microsoft Sentinel Hunting "Cscript script daily summary breakdown" can detect potentially malicious scripting. The Microsoft Sentinel Hunting "Hosts running a rare process with commandline" query can identify uncommon command shell usage that may be malicious.
References
microsoft_sentinel Microsoft Sentinel detect minimal T1068 Exploitation for Privilege Escalation
Comments
The Microsoft Sentinel Analytics "Powershell Empire cmdlets seen in command line" query can detect the use of Empire, which can exploit known system vulnerabilities, but does not explicitly address other procedures.
References
microsoft_sentinel Microsoft Sentinel detect minimal T1069 Permission Groups Discovery
Comments
This control provides minimal coverage for one of this technique's sub-techniques and only minimal coverage for its procedure examples, resulting in an overall score of Minimal.
References
microsoft_sentinel Microsoft Sentinel detect minimal T1069.001 Local Groups
Comments
The Microsoft Sentinel Hunting "Enumeration of users and groups" query can identify potentially malicious group discovery through the use of the net tool.
References
microsoft_sentinel Microsoft Sentinel detect minimal T1069.002 Domain Groups
Comments
The Microsoft Sentinel Hunting "Enumeration of users and groups" query can identify potentially malicious group discovery through the use of the net tool.
References
microsoft_sentinel Microsoft Sentinel detect minimal T1070 Indicator Removal
Comments
This control provides specific minimal coverage for two of this technique's sub-techniques, without additional coverage of its procedure examples, resulting in an overall score of Minimal. The Microsoft Sentinel Analytics "Azure DevOps Agent Pool Created Then Deleted" query can detect specific suspicious activity for DevOps Agent Pool. This is close to this technique's File Deletion sub-technique, but not a complete match.
References
microsoft_sentinel Microsoft Sentinel detect minimal T1070.001 Clear Windows Event Logs
Comments
The Microsoft Sentinel Hunting "Security Event Log Cleared" query can detect clearing of the security event logs, though not necessarily clearing of any arbitrary Windows event logs.
References
microsoft_sentinel Microsoft Sentinel detect minimal T1070.006 Timestomp
Comments
The Microsoft Sentinel Hunting "Windows System Time changed on hosts" query can detect potential timestomping activities. The Microsoft Sentinel Analytics "Powershell Empire cmdlets seen in command line" query can identify use of Empire, which can timestomp files and/or payloads on a target machine to help them blend in.
References
microsoft_sentinel Microsoft Sentinel detect minimal T1071 Application Layer Protocol
Comments
The Microsoft Sentinel Analytics "Malformed user agent" query can detect potential C2 or C2 agent activity. This control provides minimal to partial coverage for a minority of this technique's sub-techniques and only some of its procedure examples, resulting in an overall score of Minimal.
References
microsoft_sentinel Microsoft Sentinel detect minimal T1071.001 Web Protocols
Comments
The following Microsoft Sentinel Analytics queries can identify potentially malicious use of web protocols: "Powershell Empire cmdlets seen in command line" can identify use of Empire, which can perform command and control over protocols like HTTP and HTTPS. "Request for single resource on domain" can identify patterns that suggest possible command and control beaconing. The coverage for these queries is minimal resulting in an overall Minimal score.
References
microsoft_sentinel Microsoft Sentinel detect partial T1071.004 DNS
Comments
The following Microsoft Sentinel Hunting queries can identify potentially malicious use of DNS: "RareDNSLookupWithDataTransfer" [sic] can identify data transfer over DNS, though it is contingent on DNS traffic meeting the requirements to be considered rare. "Abnormally Long DNS URI queries" can identify suspicious DNS queries that may be indicative of command and control operations. "DNS - domain anomalous lookup increase", "DNS Full Name anomalous lookup increase", and "DNS lookups for commonly abused TLDs" can identify increases in domain lookups for a client IP and indicate malicious traffic or exfiltration of sensitive data.
References
microsoft_sentinel Microsoft Sentinel detect minimal T1074 Data Staged
microsoft_sentinel Microsoft Sentinel detect minimal T1074.001 Local Data Staging
Comments
The Microsoft Sentinel Analytics "Malware in the recycle bin" query can detect local hidden malware.
References
microsoft_sentinel Microsoft Sentinel detect partial T1078 Valid Accounts
Comments
This control provides partial coverage for all of this technique's sub-techniques and a number of its procedures, resulting in an overall score of Partial.
References
microsoft_sentinel Microsoft Sentinel detect minimal T1078.001 Default Accounts
Comments
The Microsoft Sentinel Hunting "Rare processes run by Service accounts" query can identify potential misuse of default accounts. Because this detection is specific to rare processes its coverage score is Minimal resulting in a Minimal score.
References
microsoft_sentinel Microsoft Sentinel detect partial T1078.002 Domain Accounts
Comments
The following Microsoft Sentinel Hunting queries can identify potential compromise of domain accounts based on access attempts and/or account usage: "Suspicious Windows Login outside normal hours", "User account added or removed from security group by an unauthorized user", "User Account added to Built in Domain Local or Global Group", "User Login IP Address Teleportation", "User made Owner of multiple teams", "Tracking Privileged Account Rare Activity", "New Admin account activity which was not seen historically", "New client running queries", "New users running queries", "Non-owner mailbox login activity", "Powershell or non-browser mailbox login activity", "Rare User Agent strings", "Same IP address with multiple csUserAgent" which may indicate that an account is being used from a new device, "Rare domains seen in Cloud Logs" when accounts from uncommon domains access or attempt to access cloud resources, "Same User - Successful logon for a given App and failure on another App within 1m and low distribution", "Hosts with new logons", "Inactive or new account signins", "Long lookback User Account Created and Deleted within 10mins", "Anomalous Geo Location Logon", and "Anomalous Sign-in Activity". The following Microsoft Sentinel Analytics queries can identify potential compromise of domain accounts based on access attempts and/or account usage: "Anomalous User Agent connection attempt", "New UserAgent observed in last 24 hours" which may indicate that an account is being used from a new device, "Anomalous sign-in location by user account and authenticating application", "Anomalous login followed by Teams action", "GitHub Signin Burst from Multiple Locations", "Sign-ins from IPs that attempt sign-ins to disabled accounts", "Failed Host logons but success logon to AzureAD", and "Anomalous RDP Login Detections".
References
microsoft_sentinel Microsoft Sentinel detect partial T1078.003 Local Accounts
Comments
The following Microsoft Sentinel Hunting queries can identify potential compromise of local accounts based on access attempts and/or account usage: "Suspicious Windows Login outside normal hours", "User Login IP Address Teleportation", "User account added or removed from a security group by an unauthorized user", "User Account added to Built in Domain Local or Global Group", "User added to SQL Server SecurityAdmin Group", "User Role altered on SQL Server", "User made Owner of multiple teams", "Tracking Privileged Account Rare Activity", and "Anomalous Login to Devices". The following Microsoft Sentinel Analytics queries can identify potential compromise of local accounts based on access attempts and/or account usage: "User account enabled and disabled within 10 mins", "Long lookback User Account Created and Deleted within 10mins", "Explicit MFA Deny", "Hosts with new logons", "Inactive or new account signins", "Anomalous SSH Login Detection", and "Anomalous RDP Login Detections".
References
microsoft_sentinel Microsoft Sentinel detect partial T1078.004 Cloud Accounts
Comments
The following Microsoft Sentinel Hunting queries can identify potential compromise of cloud accounts: "New Admin account activity which was not seen historically", "New client running queries", "New users running queries", "User returning more data than daily average", "User Login IP Address Teleportation", "Non-owner mailbox login activity", "Powershell or non-browser mailbox login activity", "Rare User Agent strings" and "Same IP address with multiple csUserAgent" which may indicate that an account is being used from a new device, "Rare domains seen in Cloud Logs", "Same User - Successful logon for a given App and failure on another App within 1m and low distribution", "Anomalous Azure Active Directory Apps based on authentication location", "Anomalous Geo Location Logon", "Anomalous Sign-in Activity", "Azure Active Directory sign-in burst from multiple locations", and "Azure Active Directory signins from new locations". The following Microsoft Sentinel Analytics queries can identify potential compromise of cloud accounts: "Anomalous User Agent connection attempt" and "New UserAgent observed in last 24 hours", which may indicate that an account is being used from a new device which may belong to an adversary; "Anomalous sign-in location by user account and authenticating application", "GitHub Signin Burst from Multiple Locations", "GitHub Activites from a New Country", and "Sign-ins from IPs that attempt sign-ins to disabled accounts", which may indicate adversary access from atypical locations; "Azure Active Directory PowerShell accessing non-AAD resources", "Anomalous login followed by Teams action", "Login to AWS management console without MFA", and "Azure Active Directory PowerShell accessing non-AAD resources" which may indicate an adversary attempting to use a valid account to access resources from other contexts. The "Correlate Unfamiliar sign-in properties" query can further enhance detection of anomalous activity.
References
microsoft_sentinel Microsoft Sentinel detect minimal T1080 Taint Shared Content
Comments
The Microsoft Sentinel Analytics "Potential Build Process Compromise" query can detect when source code files have been modified immediately after the build process has started. The Microsoft Sentinel Analytics "ADO Build Variable Modified by New User" query may indicate malicious modification to the build process to taint shared content. The coverage for these queries is minimal (specific to Azure DevOps) resulting in an overall Minimal score.
References
microsoft_sentinel Microsoft Sentinel detect minimal T1082 System Information Discovery
Comments
The Microsoft Sentinel Analytics "Powershell Empire cmdlets seen in command line" query can detect the use of Empire, which can enumerate host information like OS, architecture, applied patches, etc., but does not address other procedures.
References
microsoft_sentinel Microsoft Sentinel detect minimal T1083 File and Directory Discovery
Comments
The Microsoft Sentinel Analytics "Powershell Empire cmdlets seen in command line" query can detect the use of Empire, which includes modules for finding files of interest on hosts and network shares, but does not address other procedures.
References
microsoft_sentinel Microsoft Sentinel detect minimal T1087 Account Discovery
Comments
This control provides specific forms of minimal coverage for half of this technique's sub-techniques, but does not address other procedures, resulting in an overall score of Minimal.
References
microsoft_sentinel Microsoft Sentinel detect minimal T1087.001 Local Account
Comments
The Microsoft Sentinel Hunting "Enumeration of users and groups" query can identify potentially malicious account discovery through the use of the net tool. The Microsoft Sentinel Analytics "Powershell Empire cmdlets seen in command line" query can detect the use of Empire, which can acquire local and domain user account information, but does not address other procedures.
References
microsoft_sentinel Microsoft Sentinel detect minimal T1087.002 Domain Account
Comments
The Microsoft Sentinel Hunting "Enumeration of users and groups" query can identify potentially malicious account discovery through the use of the net tool. The Microsoft Sentinel Analytics "Powershell Empire cmdlets seen in command line" query can detect the use of Empire, which can acquire local and domain user account information, but does not address other procedures.
References
microsoft_sentinel Microsoft Sentinel detect minimal T1087.003 Email Account
Comments
The Microsoft Sentinel Analytics "Mail.Read Permissions Granted to Application" query can identify applications that may have been abused to gain access to mailboxes.
References
microsoft_sentinel Microsoft Sentinel detect minimal T1090 Proxy
Comments
This control provides minimal coverage for one sub-technique of this technique, resulting in an overall coverage score of Minimal.
References
microsoft_sentinel Microsoft Sentinel detect minimal T1090.003 Multi-hop Proxy
Comments
The Microsoft Sentinel Analytics "DNS events related to ToR proxies" query can identify potential use of Tor, though it provides only minimal coverage because it only covers a set of common domains and is easily bypassed via hardcoded IP addresses, redirection, etc.
References
microsoft_sentinel Microsoft Sentinel detect minimal T1098 Account Manipulation
Comments
The following Microsoft Sentinel Hunting queries can identify potentially malicious manipulation of accounts to increase or maintain access: "Azure DevOps - Guest users access enabled", "Azure DevOps - Additional Org Admin added", "Anomalous Activity Role Assignment", "Anomalous Role Assignment", and "Anomalous AAD Account Manipulation", which indicate expansion of accounts' access/privileges; "Bots added to multiple teams" which indicates workspace access granted to automated accounts. The following Microsoft Sentinel Analytics queries can identify potentially malicious manipulation of accounts to increase or maintain access: "Suspicious granting of permissions to an account" from a previously unobserved IP address, "External user added and removed in short timeframe" for Teams resources, "Account added and removed from privileged group", "User account added to built in domain local or global group", and "New user created and added to the built-in administrator group". "Multiple Password Reset by user" can detect potentially malicious iterative password resets.
References
microsoft_sentinel Microsoft Sentinel detect minimal T1098.001 Additional Cloud Credentials
Comments
The Microsoft Sentinel Hunting "First access credential added to Application or Service Principal where no credential was present" query can identify potentially malicious changes to Service Principal credentials. The Microsoft Sentinel Analytics "Credential added after admin consented to Application" and "New access credential added to Application or Service Principal" queries can identify potentially malicious manipulation of additional cloud credentials.
References
microsoft_sentinel Microsoft Sentinel detect minimal T1102 Web Service
Comments
This control can identify one of this technique's sub-techniques when executed via "Powershell Empire cmdlets seen in command line", but does not address other procedures.
References
microsoft_sentinel Microsoft Sentinel detect minimal T1102.002 Bidirectional Communication
Comments
The Microsoft Sentinel Analytics "Powershell Empire cmdlets seen in command line" query can detect the use of Empire, which can use Dropbox and GitHub for command and control, but does not address other procedures.
References
microsoft_sentinel Microsoft Sentinel detect partial T1105 Ingress Tool Transfer
Comments
The Microsoft Sentinel Hunting "Crypto currency miners EXECVE" query can detect cryptocurrency mining software downloads through EXECVE. The following Microsoft Sentinel Analytics queries can identify potentiall malicious tool transfer: "Linked Malicious Storage Artifacts" may identify potential adversary tool downloads that are missed by anti-malware. "Powershell Empire cmdlets seen in command line" detects downloads via Empire. "New executable via Office FileUploaded Operations" can identify ingress of malicious code and attacker tools to Office services such as SharePoint and OneDrive, but with potential for high false positive rates from normal user upload activity.
References
microsoft_sentinel Microsoft Sentinel detect minimal T1106 Native API
Comments
The Microsoft Sentinel Analytics "Powershell Empire cmdlets seen in command line" query can detect the use of Empire, which includes a variety of enumeration modules that have an option to use API calls to carry out tasks, but does not address other procedures.
References
microsoft_sentinel Microsoft Sentinel detect partial T1110 Brute Force
Comments
This control includes partial detection coverage for most of this technique's sub-techniques on a periodic basis.
References
microsoft_sentinel Microsoft Sentinel detect partial T1110.001 Password Guessing
Comments
The "Summary of user logons by logon type" Microsoft Sentinel Hunting query compares successful and unsuccessful logon attempts to identify potential lateral movement. The following Microsoft Sentinel Hunting queries can identify potential attempts at credential brute force based on unsuccessful attempts: "VIP account more than 6 failed logons in 10", "Multiple Failed Logon on SQL Server in Short time Span", "Permutations on logon attempts by UserPrincipalNames indicating potential brute force", "Potential IIS brute force", "Failed attempt to access Azure Portal", "Failed Login Attempt by Expired account", "Failed Logon Attempts on SQL Server", "Failed Logon on SQL Server from Same IPAddress in Short time Span", "Failed service logon attempt by user account with available AuditData", "Login attempt by Blocked MFA user", "Login spike with increase failure rate", "Attempts to sign-in to disabled accounts by IP address", "Attempts to sign-in to disabled accounts by account name", "Brute Force attack against Azure Portal", and "Anomalous Failed Logon" The following Microsoft Sentinel Analytics queries can identify potential attempts at credential brute force based on unsuccessful attempts: "Brute force attack against Azure Portal", "Password spray attack against Azure AD application", "Successful logon from IP and failure from a different IP", "Failed logon attempts in authpriv", "Failed AzureAD logons but success logon to host", "Excessive Windows logon failures", "Failed login attempts to Azure Portal", "Failed logon attempts by valid accounts within 10 mins", "Brute Force Attack against GitHub Account", "Distributed Password cracking attempts in AzureAD", "Potential Password Spray Attack" based on periodic assessment of Azure Active Directory sign-in events and Okta console logins, "Attempts to sign in to disabled accounts", "Sign-ins from IPs that attempt sign-ins to disabled accounts", "High count of failed logins by a user", "Hi count of failed attempts same client IP", "SSH - Potential Brute Force", and "SecurityEvent - Multiple authentication failures followed by success".
References
microsoft_sentinel Microsoft Sentinel detect partial T1110.003 Password Spraying
Comments
The "Summary of user logons by logon type" Microsoft Sentinel Hunting query compares successful and unsuccessful logon attempts to identify potential lateral movement. The following Microsoft Sentinel Hunting queries can identify potential attempts at credential brute force based on unsuccessful attempts: "VIP account more than 6 failed logons in 10", "Multiple Failed Logon on SQL Server in Short time Span", "Permutations on logon attempts by UserPrincipalNames indicating potential brute force", "Potential IIS brute force", "Failed attempt to access Azure Portal", "Failed Login Attempt by Expired account", "Failed Logon Attempts on SQL Server", "Failed Logon on SQL Server from Same IPAddress in Short time Span", "Failed service logon attempt by user account with available AuditData", "Login attempt by Blocked MFA user", "Login spike with increase failure rate", "Attempts to sign-in to disabled accounts by IP address", "Attempts to sign-in to disabled accounts by account name", "Brute Force attack against Azure Portal", and "Anomalous Failed Logon" The following Microsoft Sentinel Analytics queries can identify potential attempts at credential brute force based on unsuccessful attempts: "Brute force attack against Azure Portal", "Password spray attack against Azure AD application", "Successful logon from IP and failure from a different IP", "Failed logon attempts in authpriv", "Failed AzureAD logons but success logon to host", "Excessive Windows logon failures", "Failed login attempts to Azure Portal", "Failed logon attempts by valid accounts within 10 mins", "Brute Force Attack against GitHub Account", "Distributed Password cracking attempts in AzureAD", "Potential Password Spray Attack" based on periodic assessment of Azure Active Directory sign-in events and Okta console logins, "Attempts to sign in to disabled accounts", "Sign-ins from IPs that attempt sign-ins to disabled accounts", "High count of failed logins by a user", "Hi count of failed attempts same client IP", "SSH - Potential Brute Force", and "SecurityEvent - Multiple authentication failures followed by success".
References
microsoft_sentinel Microsoft Sentinel detect partial T1110.004 Credential Stuffing
Comments
The "Summary of user logons by logon type" Microsoft Sentinel Hunting query compares successful and unsuccessful logon attempts to identify potential lateral movement. The following Microsoft Sentinel Hunting queries can identify potential attempts at credential brute force based on unsuccessful attempts: "VIP account more than 6 failed logons in 10", "Multiple Failed Logon on SQL Server in Short time Span", "Permutations on logon attempts by UserPrincipalNames indicating potential brute force", "Potential IIS brute force", "Failed attempt to access Azure Portal", "Failed Login Attempt by Expired account", "Failed Logon Attempts on SQL Server", "Failed Logon on SQL Server from Same IPAddress in Short time Span", "Failed service logon attempt by user account with available AuditData", "Login attempt by Blocked MFA user", "Login spike with increase failure rate", "Attempts to sign-in to disabled accounts by IP address", "Attempts to sign-in to disabled accounts by account name", "Brute Force attack against Azure Portal", and "Anomalous Failed Logon" The following Microsoft Sentinel Analytics queries can identify potential attempts at credential brute force based on unsuccessful attempts: "Brute force attack against Azure Portal", "Password spray attack against Azure AD application", "Successful logon from IP and failure from a different IP", "Failed logon attempts in authpriv", "Failed AzureAD logons but success logon to host", "Excessive Windows logon failures", "Failed login attempts to Azure Portal", "Failed logon attempts by valid accounts within 10 mins", "Brute Force Attack against GitHub Account", "Distributed Password cracking attempts in AzureAD", "Potential Password Spray Attack" based on periodic assessment of Azure Active Directory sign-in events and Okta console logins, "Attempts to sign in to disabled accounts", "Sign-ins from IPs that attempt sign-ins to disabled accounts", "High count of failed logins by a user", "Hi count of failed attempts same client IP", "SSH - Potential Brute Force", and "SecurityEvent - Multiple authentication failures followed by success".
References
microsoft_sentinel Microsoft Sentinel detect minimal T1113 Screen Capture
Comments
The Microsoft Sentinel Analytics "Powershell Empire cmdlets seen in command line" query can detect the use of Empire, which can capture screenshots on Windows, but does not address other procedures.
References
microsoft_sentinel Microsoft Sentinel detect minimal T1114 Email Collection
Comments
This control provides minimal coverage for all of this technique's sub-techniques, resulting in an overall score of Minimal.
References
microsoft_sentinel Microsoft Sentinel detect minimal T1114.001 Local Email Collection
Comments
The Microsoft Sentinel Analytics "Powershell Empire cmdlets seen in command line" query can identify use of Empire, which has the ability to collect emails on a target system. The coverage for these queries is minimal (specific to Empire) resulting in an overall Minimal score.
References
microsoft_sentinel Microsoft Sentinel detect minimal T1114.002 Remote Email Collection
Comments
The Microsoft Sentinel Hunting "Suspect Mailbox Export on IIS/OWA" query can identify potential malicious exfiltration hosting via IIS. The Microsoft Sentinel Hunting "Host Exporting Mailbox and Removing Export" query can identify potential exfiltration of data from Exchange servers. The coverage for these queries is minimal resulting in an overall Minimal score.
References
microsoft_sentinel Microsoft Sentinel detect minimal T1114.003 Email Forwarding Rule
Comments
The Microsoft Sentinel Hunting "Mail redirect via ExO transport rule" query can detect potentially malicious email redirection, but is limited to Exchange servers only.
References
microsoft_sentinel Microsoft Sentinel detect minimal T1115 Clipboard Data
Comments
The Microsoft Sentinel Analytics "Powershell Empire cmdlets seen in command line" query can detect the use of Empire, which can harvest clipboard data on Windows, but does not address other procedures or platforms.
References
microsoft_sentinel Microsoft Sentinel detect minimal T1119 Automated Collection
Comments
The following Microsoft Sentinel Hunting queries can identify potentially malicious automated collection: "Multiple large queries made by user" and "Query data volume anomolies" can identify that automated queries are being used to collect data in bulk. "New ServicePrincipal running queries" can indicate that an application is performing automated collection via queries. The following Microsoft Sentinel Analytics queries can identify potentially malicious automated collection: "Mass secret retrieval from Azure Key Vault" and "Azure Key Vault access TimeSeries anomaly" can detect a sudden increase in access counts, which may indicate that an adversary is dumping credentials via automated methods. "Users searching for VIP user activity" can identify potentially suspicious Log Analytics queries by users looking for a listing of 'VIP' activity. The coverage for these queries is minimal (applicable to specific technologies) resulting in an overall Minimal score.
References
microsoft_sentinel Microsoft Sentinel detect minimal T1125 Video Capture
Comments
The Microsoft Sentinel Analytics "Powershell Empire cmdlets seen in command line" query can detect the use of Empire, which can capture webcam data on Windows, but does not address other procedures.
References
microsoft_sentinel Microsoft Sentinel detect minimal T1127 Trusted Developer Utilities Proxy Execution
Comments
This control can identify one of this technique's sub-techniques when executed via "Powershell Empire cmdlets seen in command line", but does not address other procedures.
References
microsoft_sentinel Microsoft Sentinel detect minimal T1127.001 MSBuild
Comments
The Microsoft Sentinel Analytics "Powershell Empire cmdlets seen in command line" query can detect the use of Empire, which can use abuse trusted utilities including MSBuild.exe, but does not address other procedures.
References
microsoft_sentinel Microsoft Sentinel detect minimal T1134 Access Token Manipulation
Comments
This control provides minimal coverage of a minority of this technique's sub-techniques, but does not address other procedures, resulting in an overall score of Minimal. The Microsoft Sentinel Analytics "Azure DevOps Personal Access Token misuse" query can identify anomalous use of Personal Access Tokens, but does not map directly to any sub-techniques.
References
microsoft_sentinel Microsoft Sentinel detect minimal T1134.002 Create Process with Token
Comments
The Microsoft Sentinel Analytics "Powershell Empire cmdlets seen in command line" query can detect the use of Empire, which can be used to make tokens via Invoke-RunAs and add a SID-History to a user if on a domain controller, but does not address other procedures.
References
microsoft_sentinel Microsoft Sentinel detect minimal T1134.005 SID-History Injection
Comments
The Microsoft Sentinel Analytics "Powershell Empire cmdlets seen in command line" query can detect the use of Empire, which can be used to make tokens via Invoke-RunAs and add a SID-History to a user if on a domain controller, but does not address other procedures.
References
microsoft_sentinel Microsoft Sentinel detect minimal T1135 Network Share Discovery
Comments
The Microsoft Sentinel Analytics "Powershell Empire cmdlets seen in command line" query can detect the use of Empire, which can perform port scans from an infected host, but does not address other procedures.
References
microsoft_sentinel Microsoft Sentinel detect partial T1136 Create Account
Comments
This control provides partial coverage for all of this technique's sub-techniques, resulting in an overall score of Partial.
References
microsoft_sentinel Microsoft Sentinel detect partial T1136.001 Local Account
Comments
The Microsoft Sentinel Hunting "New User created on SQL Server" query can detect a specific type of potentially malicious local account creation. The following Microsoft Sentinel Analytics queries can identify potentially malicious local account creation: "Summary of users created using uncommon/undocumented commandline switches" which can identify use of the net command to create user accounts, "User created by unauthorized user", "User Granted Access and associated audit activity" and "User Granted Access and Grants others Access" which may identify account creation followed by suspicious behavior, "User account created and deleted within 10 mins" which suggests an account may have existed only long enough to fulfill a malicious purpose, and "Powershell Empire cmdlets seen in command line" which can identify use of Empire, including for account creation.
References
microsoft_sentinel Microsoft Sentinel detect partial T1136.002 Domain Account
Comments
The following Microsoft Sentinel Analytics queries can identify potentially malicious domain account creation: "Summary of users created using uncommon/undocumented commandline switches" which can identify use of the net command to create user accounts, "User created by unauthorized user", "User Granted Access and associated audit activity" and "User Granted Access and Grants others Access" which may identify account creation followed by suspicious behavior, "User account created and deleted within 10 mins" which suggests an account may have existed only long enough to fulfill a malicious purpose, and "Powershell Empire cmdlets seen in command line" which can identify use of Empire, including for account creation.
References
microsoft_sentinel Microsoft Sentinel detect partial T1136.003 Cloud Account
Comments
The Microsoft Sentinel Hunting queries can identify potentially malicious cloud account creation: "External user added and removed in short timeframe" and "External user from a new organisation added" can identify the addition of new external Teams user accounts. The following Microsoft Sentinel Analytics queries can identify potentially malicious cloud account creation: "User Granted Access and created resources" which identifies a newly created user account gaining access and creating resources in Azure, and "New Cloud Shell User".
References
microsoft_sentinel Microsoft Sentinel detect minimal T1137 Office Application Startup
Comments
This control only provides minimal to partial coverage for a minority of this technique's sub-techniques and does not address all of its procedures, resulting in an overall score of Minimal.
References
microsoft_sentinel Microsoft Sentinel detect partial T1137.005 Outlook Rules
Comments
The following Microsoft Sentinel Analytics queries can identify potentially malicious use of Outlook rules: "Office policy tampering", "Malicious Inbox Rule" which can detect rules intended to delete emails that contain certain keywords (generally meant to warn compromised users about adversary behaviors), and "Mail redirect via ExO transport rule" (potentially to an adversary mailbox configured to collect mail).
References
microsoft_sentinel Microsoft Sentinel detect minimal T1137.006 Add-ins
Comments
The Microsoft Sentinel Hunting "Previously unseen bot or applicaiton added to Teams" [sic] query can detect the addition of a potentially malicious add-in, but is specific to Microsoft Teams.
References
microsoft_sentinel Microsoft Sentinel detect minimal T1140 Deobfuscate/Decode Files or Information
Comments
The Microsoft Sentinel Hunting "New PowerShell Scripts encoded on the commandline" query can detect a specific type of obfuscated file. The Microsoft Sentinel Analytics "Process executed from binary hidden in Base64 encoded file" query can use security event searches to detect decoding by Python, bash/sh, and Ruby. The coverage for these queries is minimal (e.g. base64, PowerShell) resulting in an overall Minimal score.
References
microsoft_sentinel Microsoft Sentinel detect minimal T1190 Exploit Public-Facing Application
Comments
The Microsoft Sentinel Hunting "Potential IIS code injection attempt" query can detect some potential injection attacks against public-facing applications. The Microsoft Sentinel Analytics "A potentially malicious web request was executed against a web server" query can detect a high ratio of blocked requests and unobstructed requests to a Web Application Firewall (WAF) for a given client IP and hostnam. The coverage for these queries is minimal (e.g. IIS) resulting in an overall Minimal score.
References
microsoft_sentinel Microsoft Sentinel detect minimal T1195 Supply Chain Compromise
Comments
This control provides partial coverage for one of this technique's sub-techniques, and its coverage is more for supply chain concerns of downstream consumers of software developed within the environemnt than the Azure environment itself, resulting in an overall score of Minimal.
References
microsoft_sentinel Microsoft Sentinel detect partial T1195.001 Compromise Software Dependencies and Development Tools
Comments
The following Microsoft Sentinel Hunting queries can identify potentially malicious changes to Azure DevOps project resources: "Azure DevOps - Project Visibility changed to public" can identify a specific action that may be an indicator of an attacker modifying the cloud compute infrastructure. "Azure DevOps - Public project created" and "Azure DevOps - Public project enabled by admin" can identify specific instances of potential defense evasion. The following Microsoft Sentinel Analytics queries can identify potentially malicious changes to Azure DevOps project resources: "AzureDevops Service Connection Abuse" can detect potential malicious behavior associated with use of large number of service connections, "External Upstream Source added to Azure DevOps" identifies a specific behavior that could compromise the DevOps build pipeline, "Azure DevOps Pull Request Policy Bypassing - History" can identify specific potentially malicious behavior that compromises the build process, "Azure DevOps Pipeline modified by a New User" identifies potentially malicious activity that could compromise the DevOps pipeline, "Azure DevOps Administrator Group Monitoring" monitors for specific activity which could compromise the build/release process, "New Agent Added to Pool by New User or a New OS" can detect a suspicious behavior that could potentially compromise DevOps pipeline.
References
microsoft_sentinel Microsoft Sentinel detect minimal T1210 Exploitation of Remote Services
Comments
The Microsoft Sentinel Analytics "Powershell Empire cmdlets seen in command line" query can detect the use of Empire, which includes built-in modules for exploiting remote SMB, JBoss, and Jenkins servers, but does not address other procedures. The Microsoft Sentinel Analytics "Gain Code Execution on ADFS Server via SMB + Remote Service or Scheduled Task" query can detect when an adversary gains execution capability on an ADFS server through SMB and Remote Service or Scheduled Task.
References
microsoft_sentinel Microsoft Sentinel detect minimal T1213 Data from Information Repositories
Comments
This control provides partial detection coverage for only this technique's SharePoint sub-technique. The Microsoft Sentinel Hunting "Cross workspace query anomaly" query can identify potential adversary information collection (in this case from Azure ML workspaces), but does not map directly to any sub-techniques.
References
microsoft_sentinel Microsoft Sentinel detect partial T1213.002 Sharepoint
Comments
The following Microsoft Sentinel Hunting queries can identify potentially malicious access to SharePoint: "SharePointFileOperation via clientIP with previously unseen user agents", "SharePointFileOperation via devices with previously unseen user agents", and "SharePointFileOperation via previously unseen IPs". The Microsoft Sentinel Analytics "SharePointFileOperation via devices with previously unseen user agents" query can identify a high number of upload or download actions by an unknown and possible malicious actor.
References
microsoft_sentinel Microsoft Sentinel detect minimal T1217 Browser Information Discovery
Comments
The Microsoft Sentinel Analytics "Powershell Empire cmdlets seen in command line" query can detect the use of Empire, which has the ability to gather browser data including bookmarks and history, but does not address other procedures.
References
microsoft_sentinel Microsoft Sentinel detect minimal T1482 Domain Trust Discovery
Comments
The Microsoft Sentinel Analytics "Powershell Empire cmdlets seen in command line" query can detect the use of Empire, which can enumerate domain trusts, but does not address other procedures.
References
microsoft_sentinel Microsoft Sentinel detect partial T1484 Domain or Tenant Policy Modification
Comments
This control provides minimal to partial coverage of both of this technique's sub-techniques, resulting in an overall score of Partial.
References
microsoft_sentinel Microsoft Sentinel detect minimal T1484.001 Group Policy Modification
Comments
The Microsoft Sentinel Analytics "Powershell Empire cmdlets seen in command line" query can detect the use of Empire, which can modify group policy objects to install and execute malicious scheduled tasks, but does not address other procedures.
References
microsoft_sentinel Microsoft Sentinel detect partial T1484.002 Trust Modification
Comments
The Microsoft Sentinel Analytics "Modified Domain Federation Trust Settings" query can detect potentially malicious changes to domain trust settings.
References
microsoft_sentinel Microsoft Sentinel detect minimal T1485 Data Destruction
Comments
The Microsoft Sentinel Hunting "Multiple Teams deleted by a single user" query can detect when a threshold is met for number of Teams deleted within an hour. Coverage is minimal because the control is limited to a specific resource (teams) and only works when the threshold is met. The Microsoft Sentinel Analytics "Multiple Teams deleted by a single user" query can detect when a threshold is met for number of Teams deleted within an hour. Coverage is minimal because the control is limited to a specific resource (teams) and only works when the threshold is met.
References
microsoft_sentinel Microsoft Sentinel detect minimal T1486 Data Encrypted for Impact
Comments
The Microsoft Sentinel Analytics "Sensitive Azure Key Vault Operations" query can identify potential attacker activity intended to delete private key(s) required to decrypt content.
References
microsoft_sentinel Microsoft Sentinel detect minimal T1490 Inhibit System Recovery
Comments
The Microsoft Sentinel Analytics "Sensitive Azure Key Vault Operations" query can identify potential attacker activity intended to interfere with backups.
References
microsoft_sentinel Microsoft Sentinel detect partial T1496 Resource Hijacking
Comments
The following Microsoft Sentinel Hunting queries can identify potential resource hijacking based on anomolies in access and usage patterns: "Anomalous Resource Creation and related Network Activity", "Creation of an anomalous number of resources". The following Microsoft Sentinel Analytis queries can identify potential resource hijacking: "Creation of Expensive Computes in Azure" and "Suspicious number of resource creation or deployed" [sic] can identify suspicious outliers in resource quantities requested. "Suspicious Resource deployment" can identify deployments from new, potentially malicious, users. "Process execution frequency anomaly" can identify execution that may indicate hijacking. "DNS events related to mining pools", can identify potential cryptocurrency mining activity.
References
microsoft_sentinel Microsoft Sentinel detect minimal T1505 Server Software Component
Comments
This control provides partial coverage for only one of this technique's sub-techniques, resulting in overall coverage of Minimal.
References
microsoft_sentinel Microsoft Sentinel detect partial T1505.003 Web Shell
Comments
The Microsoft Sentinel Hunting "Web shell command alert enrichment", "Web shell Detection", and "Web shell file alert enrichment" queries can identify potentially malicious activity via web shell.
References
microsoft_sentinel Microsoft Sentinel detect minimal T1518 Software Discovery
Comments
This control can identify one of this technique's sub-techniques when executed via "Powershell Empire cmdlets seen in command line", but does not address other procedures.
References
microsoft_sentinel Microsoft Sentinel detect minimal T1518.001 Security Software Discovery
Comments
The Microsoft Sentinel Analytics "Powershell Empire cmdlets seen in command line" query can detect the use of Empire, which can enumerate antivirus software on the target, but does not address other procedures.
References
microsoft_sentinel Microsoft Sentinel detect minimal T1528 Steal Application Access Token
Comments
The Microsoft Sentinel Hunting "Consent to Application discovery" query can identify recent permissions granted by a user to a particular app.
References
microsoft_sentinel Microsoft Sentinel detect minimal T1530 Data from Cloud Storage
Comments
The Microsoft Sentinel Hunting "Anomalous Data Access" query identifies all users performing out-of-profile read operations regarding data or files, which may be indicative of adversarial collection from cloud storage objects.
References
microsoft_sentinel Microsoft Sentinel detect minimal T1531 Account Access Removal
Comments
The following Microsoft Sentinel Hunting queries can identify potentially malicious behavior on user accounts: "AD Account Lockout", "Anomalous Password Reset", "SQL User deleted from Database", "User removed from SQL Server Roles", and "User removed from SQL Server SecurityAdmin Group". The Microsoft Sentinel Analytics "Sensitive Azure Key Vault operations" query can identify attempts to remove account access by deleting keys or entire key vaults.
References
microsoft_sentinel Microsoft Sentinel detect minimal T1535 Unused/Unsupported Cloud Regions
Comments
The Microsoft Sentinel Analytics "Suspicious Resource deployment" query can identify adversary attempts to maintain persistence or evade defenses by leveraging unused and/or unmonitored resources.
References
microsoft_sentinel Microsoft Sentinel detect minimal T1543 Create or Modify System Process
Comments
This control can identify one of this technique's sub-techniques when executed via "Powershell Empire cmdlets seen in command line", but does not address other procedures.
References
microsoft_sentinel Microsoft Sentinel detect minimal T1543.003 Windows Service
Comments
The Microsoft Sentinel Analytics "Powershell Empire cmdlets seen in command line" query can detect the use of Empire, which can modify service binaries and restore them to their original states, but does not address other procedures.
References
microsoft_sentinel Microsoft Sentinel detect minimal T1546 Event Triggered Execution
Comments
This control can identify one of this technique's sub-techniques when executed via "Powershell Empire cmdlets seen in command line", but does not address other procedures.
References
microsoft_sentinel Microsoft Sentinel detect minimal T1546.008 Accessibility Features
Comments
The Microsoft Sentinel Analytics "Powershell Empire cmdlets seen in command line" query can detect the use of Empire, which can leverage WMI debugging to remotely replace binaries like seth.exe, utilman.exe, and magnify.exe with cmd.exe, but does not address other procedures.
References
microsoft_sentinel Microsoft Sentinel detect minimal T1547 Boot or Logon Autostart Execution
Comments
This control can identify three of this technique's sub-techniques when executed via "Powershell Empire cmdlets seen in command line", but does not address other procedures.
References
microsoft_sentinel Microsoft Sentinel detect minimal T1547.001 Registry Run Keys / Startup Folder
Comments
The Microsoft Sentinel Analytics "Powershell Empire cmdlets seen in command line" query can detect the use of Empire, which can enumerate SSPs, install malicious SSPs, persist by modifying .lnk files to include backdoors, and modify the registry run keys, but does not address other procedures.
References
microsoft_sentinel Microsoft Sentinel detect minimal T1547.005 Security Support Provider
Comments
The Microsoft Sentinel Analytics "Powershell Empire cmdlets seen in command line" query can detect the use of Empire, which can enumerate SSPs, install malicious SSPs, persist by modifying .lnk files to include backdoors, and modify the registry run keys, but does not address other procedures.
References
microsoft_sentinel Microsoft Sentinel detect minimal T1547.009 Shortcut Modification
Comments
The Microsoft Sentinel Analytics "Powershell Empire cmdlets seen in command line" query can detect the use of Empire, which can enumerate SSPs, install malicious SSPs, persist by modifying .lnk files to include backdoors, and modify the registry run keys, but does not address other procedures.
References
microsoft_sentinel Microsoft Sentinel detect minimal T1548 Abuse Elevation Control Mechanism
Comments
This control can identify one of this technique's sub-techniques when executed via "Powershell Empire cmdlets seen in command line", but does not address other procedures.
References
microsoft_sentinel Microsoft Sentinel detect minimal T1548.002 Bypass User Account Control
Comments
The Microsoft Sentinel Analytics "Powershell Empire cmdlets seen in command line" query can detect the use of Empire, which includes various modules to attempt to bypass UAC for privilege escalation, but does not address other procedures.
References
microsoft_sentinel Microsoft Sentinel detect minimal T1550 Use Alternate Authentication Material
Comments
This control provides minimal coverage of half of this technique's sub-techniques, without additional coverage of procedure examples, resulting in an overall score of Minimal.
References
microsoft_sentinel Microsoft Sentinel detect minimal T1550.001 Application Access Token
Comments
The Microsoft Sentinel Analytics "Azure DevOps - PAT used with Browser." query can identify potentially malicious usage of Personal Access Tokens intended for code or applications to be used through the web browser.
References
microsoft_sentinel Microsoft Sentinel detect minimal T1550.002 Pass the Hash
Comments
The Microsoft Sentinel Analytics "Powershell Empire cmdlets seen in command line" query can detect the use of Empire, which can perform pass the hash attacks, but does not address other procedures.
References
microsoft_sentinel Microsoft Sentinel detect minimal T1552 Unsecured Credentials
Comments
This control provides minimal to partial coverage for a minority of this technique's sub-techniques, resulting in an overall detection score of Minimal.
References
microsoft_sentinel Microsoft Sentinel detect minimal T1552.001 Credentials In Files
Comments
The Microsoft Sentinel Hunting "Query looking for secrets" query can identify potentially malicious database requests for secrets like passwords or other credentials. The Microsoft Sentinel Analytics "Powershell Empire cmdlets seen in command line" query can detect the use of Empire, which can use various modules to search for files containing passwords, but does not address other procedures. The coverage for these queries is minimal resulting in an overall Minimal score.
References
microsoft_sentinel Microsoft Sentinel detect minimal T1552.004 Private Keys
Comments
The Microsoft Sentinel Analytics "ADFS DKM Master Key Export" and "ADFS Key Export (Sysmon)" queries can detect potentially malicious access intended to decrypt access tokens. The Microsoft Sentinel Analytics "Powershell Empire cmdlets seen in command line" query can detect the use of Empire, which can use modules to extract private key and session information, but does not address other procedures. The coverage for these queries is minimal (specific to Empire, ADFS) resulting in an overall Minimal score.
References
microsoft_sentinel Microsoft Sentinel detect minimal T1552.007 Container API
microsoft_sentinel Microsoft Sentinel detect minimal T1555 Credentials from Password Stores
Comments
This control can identify one of this technique's sub-techniques when executed via "Powershell Empire cmdlets seen in command line", but does not address other procedures.
References
microsoft_sentinel Microsoft Sentinel detect minimal T1555.003 Credentials from Web Browsers
Comments
The Microsoft Sentinel Analytics "Powershell Empire cmdlets seen in command line" query can detect the use of Empire, which can extract passwords from common web browsers including Firefox and Chrome, but does not address other procedures.
References
microsoft_sentinel Microsoft Sentinel detect minimal T1556 Modify Authentication Process
Comments
The Microsoft Sentinel Hunting "Azure DevOps Conditional Access Disabled" query can identify potentially malicious modifications of the DevOps access policy. The Microsoft Sentinel Analytics "MFA disabled for a user" and "GitHub Two Factor Auth Disable" queries can detect potentially malicious changes in multi-factor authentication settings.
References
microsoft_sentinel Microsoft Sentinel detect minimal T1557 Adversary-in-the-Middle
Comments
This control can identify one of this technique's sub-techniques when executed via "Powershell Empire cmdlets seen in command line", but does not address other procedures.
References
microsoft_sentinel Microsoft Sentinel detect minimal T1557.001 LLMNR/NBT-NS Poisoning and SMB Relay
Comments
The Microsoft Sentinel Analytics "Powershell Empire cmdlets seen in command line" query can detect the use of Empire, which can use Inveigh to conduct name service poisoning for credential theft and associated relay attacks, but does not address other procedures.
References
microsoft_sentinel Microsoft Sentinel detect minimal T1558 Steal or Forge Kerberos Tickets
Comments
This control only provides minimal to partial coverage for some this technique's sub-techniques, resulting in an overall score of Minimal.
References
microsoft_sentinel Microsoft Sentinel detect minimal T1558.001 Golden Ticket
Comments
The Microsoft Sentinel Analytics "Powershell Empire cmdlets seen in command line" query can detect execution of these sub-techniques via Empire, but does not address other procedures.
References
microsoft_sentinel Microsoft Sentinel detect minimal T1558.002 Silver Ticket
Comments
The Microsoft Sentinel Analytics "Powershell Empire cmdlets seen in command line" query can detect execution of these sub-techniques via Empire, but does not address other procedures.
References
microsoft_sentinel Microsoft Sentinel detect partial T1558.003 Kerberoasting
Comments
Microsoft Sentinel Analytics includes a "Potential Kerberoasting" query. Kerberoasting via Empire can also be detected using the Microsoft Sentinel Analytics "Powershell Empire cmdlets seen in command line" query.
References
microsoft_sentinel Microsoft Sentinel detect minimal T1560 Archive Collected Data
Comments
The Microsoft Sentinel Analytics "Powershell Empire cmdlets seen in command line" query can detect the use of Empire, which can ZIP directories on target systems, but does not address other procedures.
References
microsoft_sentinel Microsoft Sentinel detect minimal T1562 Impair Defenses
Comments
This control provides minimal (mostly) to partial coverage for most of this technique's sub-techniques, resulting in an overall score of Minimal. The Microsoft Sentinel Hunting "Anomalous Defensive Mechanism Modification" query detects users performing delete operations on security policies, which may indicate an adversary attempting to impair defenses.
References
microsoft_sentinel Microsoft Sentinel detect minimal T1562.001 Disable or Modify Tools
Comments
The following Microsoft Sentinel Hunting queries can identify potentially malicious modifications to Sentinel resources: "Microsoft Sentinel Analytics Rules Administrative Operations", "Microsoft Sentinel Connectors Administrative Operations", and "Microsoft Sentinel Workbooks Administrative Operations". The Microsoft Sentinel Analytics "Starting or Stopping HealthService to Avoid Detection" query can detect potentially malicious disabling of telemetry collection/detection. The coverage for these queries is minimal resulting in an overall Minimal score.
References
microsoft_sentinel Microsoft Sentinel detect minimal T1562.002 Disable Windows Event Logging
Comments
The Microsoft Sentinel Analytics "Audit policy manipulation using auditpol utility" query can detect potentially malicious to modification and/or disabling of logging via the auditpol utility. The coverage for these queries is minimal (specific to Audit policy) resulting in an overall Minimal score.
References
microsoft_sentinel Microsoft Sentinel detect minimal T1562.006 Indicator Blocking
Comments
The Microsoft Sentinel Hunting "Microsoft Sentinel Analytics Rules Administrative Operations" query can identify potential attempts to impair defenses by changing or deleting detection analytics. The Microsoft Sentinel Analytics "Azure DevOps - Retention Reduced to Zero" query can identify that an adversary is looking to reduce their malicious activity's footprint by preventing retention of artifacts. Control is specific to indicators produced by Azure DevOps. The coverage for these queries is minimal resulting in an overall Minimal score.
References
microsoft_sentinel Microsoft Sentinel detect partial T1562.007 Disable or Modify Cloud Firewall
Comments
The following Microsoft Sentinel Hunting queries can identify potentially malicious modifications to cloud firewall resources: "Azure Network Security Group NSG Administrative Operations" query can identify potential defensive evasion involving changing or disabling network access rules. "Port opened for an Azure Resource" may indicate an adversary increasing the accessibility of a resource for easier collection/exfiltration. The Microsoft Sentinel Analytics "Security Service Registry ACL Modification" query can detect attempts to modify registry ACLs, potentially done to evade security solutions.
References
microsoft_sentinel Microsoft Sentinel detect minimal T1562.008 Disable or Modify Cloud Logs
Comments
The Microsoft Sentinel Analytics "Exchange AuditLog disabled" query can detect potentially malicious disabling of Exchange logs. The Microsoft Sentinel Analytics "Azure DevOps Audit Stream Disabled" query can identify disabling of Azure DevOps log streaming. The coverage for these queries is minimal (specific to these technologies) resulting in an overall Minimal score.
References
microsoft_sentinel Microsoft Sentinel detect minimal T1567 Exfiltration Over Web Service
Comments
This control provides minimal coverage to both of this technique's sub-techniques as well as some of its procedure examples, resulting in an overall score of Minimal. The Microsoft Sentinel Analytics "Malformed user agent" query can detect potential exfiltration over a web service by malicious code with a hard-coded user agent string, or possibly data encoded via the user agent string.
References
microsoft_sentinel Microsoft Sentinel detect minimal T1567.001 Exfiltration to Code Repository
Comments
The Microsoft Sentinel Analytics "Powershell Empire cmdlets seen in command line" query can identify use of Empire, which can use Dropbox and GitHub for data exfiltration. The Microsoft Sentinel Analytics "SharePointFileOperation via previously unseen IPs" can detect potential exfiltration activity via SharePoint. The coverage for these queries is minimal resulting in an overall Minimal score.
References
microsoft_sentinel Microsoft Sentinel detect minimal T1567.002 Exfiltration to Cloud Storage
Comments
The Microsoft Sentinel Analytics "Powershell Empire cmdlets seen in command line" query can identify use of Empire, which can use Dropbox and GitHub for data exfiltration. The Microsoft Sentinel Analytics "SharePointFileOperation via previously unseen IPs" can detect potential exfiltration activity via SharePoint. The coverage for these queries is minimal resulting in an overall Minimal score.
References
microsoft_sentinel Microsoft Sentinel detect minimal T1568 Dynamic Resolution
Comments
This control only provides partial coverage for one of this technique's sub-techniques, resulting in an overall score of Minimal.
References
microsoft_sentinel Microsoft Sentinel detect partial T1568.002 Domain Generation Algorithms
Comments
The Microsoft Sentinel Hunting "Potential DGA detected" query can detect clients with a high NXDomain count, which might indicate an adversary cycling through possible C2 domains where most C2s are not live. The following Microsoft Sentinel Analytics queries can identify potential use of domain generation algorithms: "Possible contact with a domain generated by a DGA" and "Potential DGA detected" within DNS.
References
microsoft_sentinel Microsoft Sentinel detect minimal T1569 System Services
Comments
This control can identify one of this technique's sub-techniques when executed via "Powershell Empire cmdlets seen in command line", but does not address other procedures.
References
microsoft_sentinel Microsoft Sentinel detect minimal T1569.002 Service Execution
Comments
The Microsoft Sentinel Analytics "Powershell Empire cmdlets seen in command line" query can detect the use of Empire, which can use PsExec to execute a payload on a remote host, but does not address other procedures.
References
microsoft_sentinel Microsoft Sentinel detect minimal T1573 Encrypted Channel
Comments
This control provides minimal coverage for one sub-technique of this technique, resulting in an overall coverage score of Minimal.
References
microsoft_sentinel Microsoft Sentinel detect minimal T1573.002 Asymmetric Cryptography
Comments
The following Microsoft Sentinel Analytics queries can detect potentially malicious usage of asymmetric cryptography channels: "DNS events related to ToR proxies" can identify potential use of Tor, though it provides only minimal coverage because it only covers a set of common domains and is easily bypassed via hardcoded IP addresses, redirection, etc. "Powershell Empire cmdlets seen in command line" can identify use of Empire, which can use TLS to encrypt a command and control channel.
References
microsoft_sentinel Microsoft Sentinel detect minimal T1574 Hijack Execution Flow
Comments
This control can identify several of this technique's sub-techniques when executed via "Powershell Empire cmdlets seen in command line", but does not address other procedures.
References
microsoft_sentinel Microsoft Sentinel detect minimal T1574.001 DLL Search Order Hijacking
Comments
The Microsoft Sentinel Analytics "Powershell Empire cmdlets seen in command line" query can detect the use of Empire, which can discover and exploit DLL hijacking opportunities, path interception opportunities in the PATH environment variable, search order hijacking vulnerabilities, and unquoted path vulnerabilities, but does not address other procedures.
References
microsoft_sentinel Microsoft Sentinel detect minimal T1574.007 Path Interception by PATH Environment Variable
Comments
The Microsoft Sentinel Analytics "Powershell Empire cmdlets seen in command line" query can detect the use of Empire, which can discover and exploit DLL hijacking opportunities, path interception opportunities in the PATH environment variable, search order hijacking vulnerabilities, and unquoted path vulnerabilities, but does not address other procedures.
References
microsoft_sentinel Microsoft Sentinel detect minimal T1574.008 Path Interception by Search Order Hijacking
Comments
The Microsoft Sentinel Analytics "Powershell Empire cmdlets seen in command line" query can detect the use of Empire, which can discover and exploit DLL hijacking opportunities, path interception opportunities in the PATH environment variable, search order hijacking vulnerabilities, and unquoted path vulnerabilities, but does not address other procedures.
References
microsoft_sentinel Microsoft Sentinel detect minimal T1574.009 Path Interception by Unquoted Path
Comments
The Microsoft Sentinel Analytics "Powershell Empire cmdlets seen in command line" query can detect the use of Empire, which can discover and exploit DLL hijacking opportunities, path interception opportunities in the PATH environment variable, search order hijacking vulnerabilities, and unquoted path vulnerabilities, but does not address other procedures.
References
microsoft_sentinel Microsoft Sentinel detect minimal T1578 Modify Cloud Compute Infrastructure
Comments
The Microsoft Sentinel Hunting "Azure Resources assigned Public IP addresses" query detect suspicious IP address changes.
References
microsoft_sentinel Microsoft Sentinel detect minimal T1580 Cloud Infrastructure Discovery
Comments
The Microsoft Sentinel Hunting "Azure storage key enumeration" query can identify potential attempts by an attacker to discover cloud infrastructure resources.
References
microsoft_sentinel Microsoft Sentinel detect minimal T1590 Gather Victim Network Information
Comments
This control detects a highly specific behavior that applies to one sub-technique of this technique.
References
microsoft_sentinel Microsoft Sentinel detect minimal T1590.002 DNS
Comments
The Microsoft Sentinel Analytics "Rare client observed with high reverse DNS lookup count" query can detect if a particular IP is observed performing an unusually high number of reverse DNS lookups and has not been observed doing so previously.
References
microsoft_sentinel Microsoft Sentinel detect minimal T1595 Active Scanning
Comments
The Microsoft Sentinel Analytics "Malformed user agent" query can detect hard-coded user-agent strings associated with some vulnerability scanning tools. This control provides partial coverage for only one of this technique's sub-techniques, resulting in an overall score of Minimal.
References
microsoft_sentinel Microsoft Sentinel detect partial T1595.002 Vulnerability Scanning
Comments
The Microsoft Sentinel Analytics "High count of connections by client IP on many ports" query can identify client IP addresses with 30 or more active ports used within a ten minute window, checked at a default frequency of once per hour, which may indicate scanning. Note that false positives are probable based on changes in usage patterns and/or misconfiguration, and this detection only works if scanning is not spread out over a longer timespan.
References
microsoft_sentinel Microsoft Sentinel detect partial T1016.002 Wi-Fi Discovery
Comments
Microsoft Sentinel's ability to detect entities scanning the network configuration also covers the scanning of Wi-Fi connections, providing a detection mechanism against this technique.
References
microsoft_sentinel Microsoft Sentinel detect partial T1021.007 Cloud Services
Comments
The Microsoft Sentinel Analytics "Powershell Empire cmdlets seen in command line" query can detect the use of Empire, which can acquire network configuration information including DNS servers and network proxies used by a host, but does not address other procedures.
References
microsoft_sentinel Microsoft Sentinel detect partial T1021.008 Direct Cloud VM Connections
Comments
The Microsoft Sentinel Analytics "Powershell Empire cmdlets seen in command line" query can detect the use of Empire, which can acquire network configuration information including DNS servers and network proxies used by a host, but does not address other procedures.
References
microsoft_sentinel Microsoft Sentinel detect partial T1059.010 AutoHotKey & AutoIT
Comments
Microsoft Sentinel can potentially detect the use of malicious code, including automation scripts.
References
microsoft_sentinel Microsoft Sentinel detect partial T1059.011 Lua
Comments
Microsoft Sentinel can potentially detect the use of malicious code, including Lua scripts.
References
microsoft_sentinel Microsoft Sentinel detect minimal T1070.010 Relocate Malware
Comments
Microsoft Sentinel's ability to detect suspicious activity could detect malware relocation occurring on a system or network.
References
microsoft_sentinel Microsoft Sentinel detect partial T1071.005 Publish/Subscribe Protocols
Comments
Microsoft Sentinel can ingest pub/sub logs to determine if pub/sub protocol channels have been used for malicious activity. However, these determinations are met using a set of threat detection rules, meaning that adversaries who are able to skirt those rules may not be detected, leading to a partial rating.
References
microsoft_sentinel Microsoft Sentinel detect partial T1496.001 Compute Hijacking
Comments
The following Microsoft Sentinel Hunting queries can identify potential compute hijacking based on anomolies in access and usage patterns: "Anomalous Resource Creation and related Network Activity", "Creation of an anomalous number of resources". The following Microsoft Sentinel Analytis queries can identify potential resource hijacking: "Creation of Expensive Computes in Azure" and "Suspicious number of resource creation or deployed" [sic] can identify suspicious outliers in resource quantities requested. "Suspicious Resource deployment" can identify deployments from new, potentially malicious, users. "Process execution frequency anomaly" can identify execution that may indicate hijacking. "DNS events related to mining pools", can identify potential cryptocurrency mining activity.
References
microsoft_sentinel Microsoft Sentinel detect partial T1496.002 Bandwidth Hijacking
Comments
The following Microsoft Sentinel Hunting queries can identify potential compute hijacking based on anomolies in access and usage patterns: "Anomalous Resource Creation and related Network Activity", "Creation of an anomalous number of resources". The following Microsoft Sentinel Analytis queries can identify potential resource hijacking: "Creation of Expensive Computes in Azure" and "Suspicious number of resource creation or deployed" [sic] can identify suspicious outliers in resource quantities requested. "Suspicious Resource deployment" can identify deployments from new, potentially malicious, users. "Process execution frequency anomaly" can identify execution that may indicate hijacking. "DNS events related to mining pools", can identify potential cryptocurrency mining activity.
References
microsoft_sentinel Microsoft Sentinel detect partial T1496.003 SMS Pumping
Comments
The following Microsoft Sentinel Hunting queries can identify potential compute hijacking based on anomolies in access and usage patterns: "Anomalous Resource Creation and related Network Activity", "Creation of an anomalous number of resources". The following Microsoft Sentinel Analytis queries can identify potential resource hijacking: "Creation of Expensive Computes in Azure" and "Suspicious number of resource creation or deployed" [sic] can identify suspicious outliers in resource quantities requested. "Suspicious Resource deployment" can identify deployments from new, potentially malicious, users. "Process execution frequency anomaly" can identify execution that may indicate hijacking. "DNS events related to mining pools", can identify potential cryptocurrency mining activity.
References
microsoft_sentinel Microsoft Sentinel detect partial T1496.004 Cloud Service Hijacking
Comments
The following Microsoft Sentinel Hunting queries can identify potential resource hijacking based on anomolies in access and usage patterns: "Anomalous Resource Creation and related Network Activity", "Creation of an anomalous number of resources". The following Microsoft Sentinel Analytis queries can identify potential resource hijacking: "Creation of Expensive Computes in Azure" and "Suspicious number of resource creation or deployed" [sic] can identify suspicious outliers in resource quantities requested. "Suspicious Resource deployment" can identify deployments from new, potentially malicious, users. "Process execution frequency anomaly" can identify execution that may indicate hijacking. "DNS events related to mining pools", can identify potential cryptocurrency mining activity.
References
microsoft_sentinel Microsoft Sentinel detect minimal T1543.005 Container Service
Comments
The Microsoft Sentinel Analytics "Powershell Empire cmdlets seen in command line" query can detect the use of Empire, which can modify service binaries and restore them to their original states, but does not address other procedures.
References
microsoft_sentinel Microsoft Sentinel detect minimal T1547.013 XDG Autostart Entries
Comments
The Microsoft Sentinel Analytics "Powershell Empire cmdlets seen in command line" query can detect the use of Empire, which can enumerate SSPs, install malicious SSPs, persist by modifying .lnk files to include backdoors, and modify the registry run keys, but does not address other procedures.
References
microsoft_sentinel Microsoft Sentinel detect minimal T1547.014 Active Setup
Comments
The Microsoft Sentinel Analytics "Powershell Empire cmdlets seen in command line" query can detect the use of Empire, which can enumerate SSPs, install malicious SSPs, persist by modifying .lnk files to include backdoors, and modify the registry run keys, but does not address other procedures.
References
microsoft_sentinel Microsoft Sentinel detect minimal T1547.015 Login Items
Comments
The Microsoft Sentinel Analytics "Powershell Empire cmdlets seen in command line" query can detect the use of Empire, which can enumerate SSPs, install malicious SSPs, persist by modifying .lnk files to include backdoors, and modify the registry run keys, but does not address other procedures.
References
microsoft_sentinel Microsoft Sentinel detect minimal T1648 Serverless Execution
Comments
Integrating Azure Functions with Azure Monitor Logs and Microsoft Sentinel can provide insights into Serverless Execution activities and unusual Serverless function modifications.
References
defender_for_storage Microsoft Defender for Cloud: Defender for Storage detect significant T1078.004 Cloud Accounts
Comments
This control may generate alerts based on unfamiliar or suspicious IP addresses, TOR exit node, and anonymous access.
References
defender_for_storage Microsoft Defender for Cloud: Defender for Storage detect significant T1530 Data from Cloud Storage
defender_for_storage Microsoft Defender for Cloud: Defender for Storage respond partial T1105 Ingress Tool Transfer
Comments
When a file is suspected to contain malware, Security Center displays an alert and can optionally email the storage owner for approval to delete the suspicious file. This delete response capability leads to a Response type of Eradication although it is specific to Azure Blob, Azure Files and Azure Data Lake Storage storage types resulting in an overall score of Partial.
References
defender_for_storage Microsoft Defender for Cloud: Defender for Storage respond partial T1080 Taint Shared Content
Comments
When a file is suspected to contain malware, Security Center displays an alert and can optionally email the storage owner for approval to delete the suspicious file. This delete response capability leads to a Response type of Eradication although it is specific to Azure Blob, Azure Files and Azure Data Lake Storage storage types resulting in an overall score of Partial.
References
defender_for_storage Microsoft Defender for Cloud: Defender for Storage detect partial T1537 Transfer Data to Cloud Account
Comments
This control may alert on unusually large amounts of data being extracted from Azure storage and suspicious access to storage accounts. There are no alerts specifically tied to data transfer between cloud accounts but there are several alerts for anomalous storage access and transfer.
References
defender_for_storage Microsoft Defender for Cloud: Defender for Storage detect partial T1105 Ingress Tool Transfer
Comments
This control may alert on upload of possible malware or executable and Azure Cloud Services Package files. These alerts are dependent on Microsoft threat intelligence and may not alert on novel or modified malware.
References
defender_for_storage Microsoft Defender for Cloud: Defender for Storage detect partial T1080 Taint Shared Content
Comments
This control may alert on upload of possible malware or executable and Azure Cloud Services Package files. These alerts are dependent on Microsoft threat intelligence and may not alert on novel or modified malware.
References
defender_for_storage Microsoft Defender for Cloud: Defender for Storage detect minimal T1485 Data Destruction
Comments
This control may generate alerts when there has been an unusual or unexpected delete operation within Azure cloud storage. Alerts may not be generated by disabling of storage backups, versioning, or editing of storage objects.
References
defender_for_storage Microsoft Defender for Cloud: Defender for Storage detect minimal T1078 Valid Accounts
Comments
This control provides minimal detection for its procedure examples. Additionally, it is able to detect only one of its sub-techniques (Cloud Accounts) resulting in a Minimal Coverage score and consequently an overall score of Minimal.
References
file_integrity_monitoring Microsoft Defender for Cloud: File Integrity Monitoring detect minimal T1003 OS Credential Dumping
Comments
Most credential dumping operations do not require modifying resources that can be detected by this control (i.e. Registry and File system) and therefore its coverage is minimal.
References
file_integrity_monitoring Microsoft Defender for Cloud: File Integrity Monitoring detect minimal T1098 Account Manipulation
Comments
This control can detect account manipulation.
References
file_integrity_monitoring Microsoft Defender for Cloud: File Integrity Monitoring detect minimal T1137 Office Application Startup
Comments
This control can detect peristence via office application startup.
References
file_integrity_monitoring Microsoft Defender for Cloud: File Integrity Monitoring detect minimal T1546.010 AppInit DLLs
Comments
The detection score for this group of sub-techniques is assessed as Minimal due to the accuracy component of the score. The registry keys which are modified as a result of these sub-techniques can change frequently or are too numerous to monitor and therefore can result in significant amount of false positives.
References
file_integrity_monitoring Microsoft Defender for Cloud: File Integrity Monitoring detect minimal T1546.015 Component Object Model Hijacking
Comments
The detection score for this group of sub-techniques is assessed as Minimal due to the accuracy component of the score. The registry keys which are modified as a result of these sub-techniques can change frequently or are too numerous to monitor and therefore can result in significant amount of false positives.
References
file_integrity_monitoring Microsoft Defender for Cloud: File Integrity Monitoring detect minimal T1548 Abuse Elevation Control Mechanism
Comments
This control can detect abuse of elevation control mechanisms.
References
file_integrity_monitoring Microsoft Defender for Cloud: File Integrity Monitoring detect minimal T1548.002 Bypass User Account Control
Comments
Some UAC bypass methods rely on modifying specific, user-accessible Registry settings that can be monitored using this control. Overall, there are numerous other bypass methods that do not result in Registry modification that this control will not be effective in detection resulting in a low detection coverage factor.
References
file_integrity_monitoring Microsoft Defender for Cloud: File Integrity Monitoring detect minimal T1562 Impair Defenses
Comments
Due to low detection coverage, this technique is scored as minimal.
References
file_integrity_monitoring Microsoft Defender for Cloud: File Integrity Monitoring detect minimal T1562.001 Disable or Modify Tools
Comments
This control can be used to monitor Registry keys related to security software or event logging processes that can detect when an adversary attempts to disable these tools via modifying or deleting Registry keys. A majority of the cited procedure examples for this sub-technique are related to killing security processes rather than modifying the Registry, and therefore the detection coverage for this control is low.
References
file_integrity_monitoring Microsoft Defender for Cloud: File Integrity Monitoring detect minimal T1562.004 Disable or Modify System Firewall
Comments
There are numerous ways depending on the operating system that these sub-techniques can be accomplished. Monitoring the Windows Registry is one way depending on the procedure chosen to implement the sub-technique and therefore the overall coverage is low.
References
file_integrity_monitoring Microsoft Defender for Cloud: File Integrity Monitoring detect minimal T1562.006 Indicator Blocking
Comments
There are numerous ways depending on the operating system that these sub-techniques can be accomplished. Monitoring the Windows Registry is one way depending on the procedure chosen to implement the sub-technique and therefore the overall coverage is low.
References
file_integrity_monitoring Microsoft Defender for Cloud: File Integrity Monitoring detect minimal T1574 Hijack Execution Flow
Comments
This control can detect hijacked execution flow.
References
file_integrity_monitoring Microsoft Defender for Cloud: File Integrity Monitoring detect partial T1003.001 LSASS Memory
Comments
This control can be used to detect the Windows Security Support Provider (SSP) DLLs variation of this sub-technique by monitoring the Registry keys used to register these DLLs. These keys should change infrequently and therefore false positives should be minimal.
References
file_integrity_monitoring Microsoft Defender for Cloud: File Integrity Monitoring detect partial T1036.007 Double File Extension
Comments
This control can detect when files with two file extensions are created.
References
file_integrity_monitoring Microsoft Defender for Cloud: File Integrity Monitoring detect partial T1036.008 Masquerade File Type
Comments
This control can detect if files are created or edited where the header and extension do not match.
References
file_integrity_monitoring Microsoft Defender for Cloud: File Integrity Monitoring detect partial T1037 Boot or Logon Initialization Scripts
Comments
This control can detect abuse of boot or logon initialization scripts.
References
file_integrity_monitoring Microsoft Defender for Cloud: File Integrity Monitoring detect partial T1037.001 Logon Script (Windows)
Comments
This control may detect changes to the Windows registry upon creation or modification of logon scripts. This control at worst scans for changes on an hourly basis.
References
file_integrity_monitoring Microsoft Defender for Cloud: File Integrity Monitoring detect partial T1037.003 Network Logon Script
Comments
This control may detect changes to the Windows registry upon creation or modification of logon scripts. This control at worst scans for changes on an hourly basis.
References
file_integrity_monitoring Microsoft Defender for Cloud: File Integrity Monitoring detect partial T1053.001 At (Linux)
Comments
This control may detect changes to the Windows registry upon creation or modification of scheduled tasks. This control may also detect changes to files used by cron or systemd to create/modify scheduled tasks. The specificity of registry keys and files used in creation or modification of these scheduled tasks may reduce the false positive rate. This control at worst scans for changes on an hourly basis.
References
file_integrity_monitoring Microsoft Defender for Cloud: File Integrity Monitoring detect partial T1053.002 At
Comments
This control may detect changes to the Windows registry upon creation or modification of scheduled tasks. This control may also detect changes to files used by cron or systemd to create/modify scheduled tasks. The specificity of registry keys and files used in creation or modification of these scheduled tasks may reduce the false positive rate. This control at worst scans for changes on an hourly basis.
References
file_integrity_monitoring Microsoft Defender for Cloud: File Integrity Monitoring detect partial T1053.003 Cron
Comments
This control may detect changes to the Windows registry upon creation or modification of scheduled tasks. This control may also detect changes to files used by cron or systemd to create/modify scheduled tasks. The specificity of registry keys and files used in creation or modification of these scheduled tasks may reduce the false positive rate. This control at worst scans for changes on an hourly basis.
References
file_integrity_monitoring Microsoft Defender for Cloud: File Integrity Monitoring detect partial T1053.005 Scheduled Task
Comments
This control may detect changes to the Windows registry upon creation or modification of scheduled tasks. This control may also detect changes to files used by cron or systemd to create/modify scheduled tasks. The specificity of registry keys and files used in creation or modification of these scheduled tasks may reduce the false positive rate. This control at worst scans for changes on an hourly basis.
References
file_integrity_monitoring Microsoft Defender for Cloud: File Integrity Monitoring detect partial T1053.006 Systemd Timers
Comments
This control may detect changes to the Windows registry upon creation or modification of scheduled tasks. This control may also detect changes to files used by cron or systemd to create/modify scheduled tasks. The specificity of registry keys and files used in creation or modification of these scheduled tasks may reduce the false positive rate. This control at worst scans for changes on an hourly basis.
References
file_integrity_monitoring Microsoft Defender for Cloud: File Integrity Monitoring detect partial T1070.007 Clear Network Connection History and Configurations
Comments
This control can detect changes to files associated with this technique.
References
file_integrity_monitoring Microsoft Defender for Cloud: File Integrity Monitoring detect partial T1070.008 Clear Mailbox Data
Comments
This control can detect changes to files associated with this technique.
References
file_integrity_monitoring Microsoft Defender for Cloud: File Integrity Monitoring detect partial T1070.009 Clear Persistence
Comments
This control can detect changes to files associated with this technique.
References
file_integrity_monitoring Microsoft Defender for Cloud: File Integrity Monitoring detect partial T1070.010 Relocate Malware
Comments
This control can detect changes to files associated with this technique.
References
file_integrity_monitoring Microsoft Defender for Cloud: File Integrity Monitoring detect partial T1098.004 SSH Authorized Keys
Comments
This control may detect changes to the SSH authorized keys file which may indicate establishment of persistence. This control at worst scans for changes on an hourly basis.
References
file_integrity_monitoring Microsoft Defender for Cloud: File Integrity Monitoring detect partial T1137.002 Office Test
Comments
This control may detect changes to the Windows registry to establish persistence with the Office Test sub-technique. The specificity of registry keys involved may reduce the false positive rate. This control at worst scans for changes on an hourly basis.
References
file_integrity_monitoring Microsoft Defender for Cloud: File Integrity Monitoring detect partial T1222 File and Directory Permissions Modification
Comments
This control can detect file and directory permissions modification.
References
file_integrity_monitoring Microsoft Defender for Cloud: File Integrity Monitoring detect partial T1222.001 Windows File and Directory Permissions Modification
Comments
This control can detect changes to the permissions of Windows and Linux files and can be used to detect modifications to sensitive directories and files that shouldn't change frequently. This control at worst scans for changes on an hourly basis.
References
file_integrity_monitoring Microsoft Defender for Cloud: File Integrity Monitoring detect partial T1222.002 Linux and Mac File and Directory Permissions Modification
Comments
This control can detect changes to the permissions of Windows and Linux files and can be used to detect modifications to sensitive directories and files that shouldn't change frequently. This control at worst scans for changes on an hourly basis.
References
file_integrity_monitoring Microsoft Defender for Cloud: File Integrity Monitoring detect partial T1505.004 IIS Components
Comments
This control can detect when files associated with the technique are created or modified, such as %windir%\system32\inetsrv\config\applicationhost.config.
References
file_integrity_monitoring Microsoft Defender for Cloud: File Integrity Monitoring detect partial T1505.005 Terminal Services DLL
Comments
This control can detect when files or registry keys associated with this technique are created or modified, such as termsrv.dll and ServiceDll.
References
file_integrity_monitoring Microsoft Defender for Cloud: File Integrity Monitoring detect partial T1543 Create or Modify System Process
Comments
This control can detect creation or modification of system-level processes.
References
file_integrity_monitoring Microsoft Defender for Cloud: File Integrity Monitoring detect partial T1543.002 Systemd Service
Comments
This control may detect changes to the Windows registry upon creation or modification of Windows services. This control may also detect changes to files used by systemd to create/modify systemd services. The specificity of registry keys and files used in creation or modification of these scheduled tasks may reduce the false positive rate. This control at worst scans for changes on an hourly basis.
References
file_integrity_monitoring Microsoft Defender for Cloud: File Integrity Monitoring detect partial T1543.003 Windows Service
Comments
This control may detect changes to the Windows registry upon creation or modification of Windows services. This control may also detect changes to files used by systemd to create/modify systemd services. The specificity of registry keys and files used in creation or modification of these scheduled tasks may reduce the false positive rate. This control at worst scans for changes on an hourly basis.
References
file_integrity_monitoring Microsoft Defender for Cloud: File Integrity Monitoring detect partial T1546 Event Triggered Execution
Comments
The detection score for this technique was assessed as Partial because it doesn't detect some of the sub-techniques of this technique such as Windows Management Instrumentation (WMI) Event Subscription and Trap sub-techniques. Additionally for some sub-techniques, this control can be noisy.
References
file_integrity_monitoring Microsoft Defender for Cloud: File Integrity Monitoring detect partial T1546.001 Change Default File Association
Comments
This control may detect changes to the Windows registry or files that indicate event triggered execution. The specificity of registry keys and files used in creation or modification of these scheduled tasks may reduce the false positive rate. This control at worst scans for changes on an hourly basis.
References
file_integrity_monitoring Microsoft Defender for Cloud: File Integrity Monitoring detect partial T1546.002 Screensaver
Comments
This control may detect changes to the Windows registry or files that indicate event triggered execution. The specificity of registry keys and files used in creation or modification of these scheduled tasks may reduce the false positive rate. This control at worst scans for changes on an hourly basis.
References
file_integrity_monitoring Microsoft Defender for Cloud: File Integrity Monitoring detect partial T1546.004 Unix Shell Configuration Modification
Comments
This control may detect changes to the Windows registry or files that indicate event triggered execution. The specificity of registry keys and files used in creation or modification of these scheduled tasks may reduce the false positive rate. This control at worst scans for changes on an hourly basis.
References
file_integrity_monitoring Microsoft Defender for Cloud: File Integrity Monitoring detect partial T1546.007 Netsh Helper DLL
Comments
This control may detect changes to the Windows registry or files that indicate event triggered execution. The specificity of registry keys and files used in creation or modification of these scheduled tasks may reduce the false positive rate. This control at worst scans for changes on an hourly basis.
References
file_integrity_monitoring Microsoft Defender for Cloud: File Integrity Monitoring detect partial T1546.008 Accessibility Features
Comments
This control may detect changes to the Windows registry or files that indicate event triggered execution. The specificity of registry keys and files used in creation or modification of these scheduled tasks may reduce the false positive rate. This control at worst scans for changes on an hourly basis.
References
file_integrity_monitoring Microsoft Defender for Cloud: File Integrity Monitoring detect partial T1546.009 AppCert DLLs
Comments
This control may detect changes to the Windows registry or files that indicate event triggered execution. The specificity of registry keys and files used in creation or modification of these scheduled tasks may reduce the false positive rate. This control at worst scans for changes on an hourly basis.
References
file_integrity_monitoring Microsoft Defender for Cloud: File Integrity Monitoring detect partial T1546.011 Application Shimming
Comments
This control may detect changes to the Windows registry or files that indicate event triggered execution. The specificity of registry keys and files used in creation or modification of these scheduled tasks may reduce the false positive rate. This control at worst scans for changes on an hourly basis.
References
file_integrity_monitoring Microsoft Defender for Cloud: File Integrity Monitoring detect partial T1546.012 Image File Execution Options Injection
Comments
This control may detect changes to the Windows registry or files that indicate event triggered execution. The specificity of registry keys and files used in creation or modification of these scheduled tasks may reduce the false positive rate. This control at worst scans for changes on an hourly basis.
References
file_integrity_monitoring Microsoft Defender for Cloud: File Integrity Monitoring detect partial T1546.013 PowerShell Profile
Comments
This control may detect changes to the Windows registry or files that indicate event triggered execution. The specificity of registry keys and files used in creation or modification of these scheduled tasks may reduce the false positive rate. This control at worst scans for changes on an hourly basis.
References
file_integrity_monitoring Microsoft Defender for Cloud: File Integrity Monitoring detect partial T1546.016 Installer Packages
Comments
This control can detect event triggered execution via installer packages.
References
file_integrity_monitoring Microsoft Defender for Cloud: File Integrity Monitoring detect partial T1546.017 Udev Rules
Comments
This control can detect event triggered execution via udev rules.
References
file_integrity_monitoring Microsoft Defender for Cloud: File Integrity Monitoring detect partial T1547 Boot or Logon Autostart Execution
Comments
This control can detect boot or logon autostart execution.
References
file_integrity_monitoring Microsoft Defender for Cloud: File Integrity Monitoring detect partial T1547.001 Registry Run Keys / Startup Folder
Comments
This control may detect changes to the Windows registry or files that enable Boot or Logon Autostart Execution. This control at worst scans for changes on an hourly basis.
References
file_integrity_monitoring Microsoft Defender for Cloud: File Integrity Monitoring detect partial T1547.002 Authentication Package
Comments
This control may detect changes to the Windows registry or files that enable Boot or Logon Autostart Execution. This control at worst scans for changes on an hourly basis.
References
file_integrity_monitoring Microsoft Defender for Cloud: File Integrity Monitoring detect partial T1547.003 Time Providers
Comments
This control may detect changes to the Windows registry or files that enable Boot or Logon Autostart Execution. This control at worst scans for changes on an hourly basis.
References
file_integrity_monitoring Microsoft Defender for Cloud: File Integrity Monitoring detect partial T1547.004 Winlogon Helper DLL
Comments
This control may detect changes to the Windows registry or files that enable Boot or Logon Autostart Execution. This control at worst scans for changes on an hourly basis.
References
file_integrity_monitoring Microsoft Defender for Cloud: File Integrity Monitoring detect partial T1547.005 Security Support Provider
Comments
This control may detect changes to the Windows registry or files that enable Boot or Logon Autostart Execution. This control at worst scans for changes on an hourly basis.
References
file_integrity_monitoring Microsoft Defender for Cloud: File Integrity Monitoring detect partial T1547.006 Kernel Modules and Extensions
Comments
This control may detect changes to the Windows registry or files that enable Boot or Logon Autostart Execution. This control at worst scans for changes on an hourly basis.
References
file_integrity_monitoring Microsoft Defender for Cloud: File Integrity Monitoring detect partial T1547.008 LSASS Driver
Comments
This control may detect changes to the Windows registry or files that enable Boot or Logon Autostart Execution. This control at worst scans for changes on an hourly basis.
References
file_integrity_monitoring Microsoft Defender for Cloud: File Integrity Monitoring detect partial T1547.009 Shortcut Modification
Comments
This control may detect changes to the Windows registry or files that enable Boot or Logon Autostart Execution. This control at worst scans for changes on an hourly basis.
References
file_integrity_monitoring Microsoft Defender for Cloud: File Integrity Monitoring detect partial T1547.010 Port Monitors
Comments
This control may detect changes to the Windows registry or files that enable Boot or Logon Autostart Execution. This control at worst scans for changes on an hourly basis.
References
file_integrity_monitoring Microsoft Defender for Cloud: File Integrity Monitoring detect partial T1547.012 Print Processors
Comments
This control may detect changes to the Windows registry or files that enable Boot or Logon Autostart Execution. This control at worst scans for changes on an hourly basis.
References
file_integrity_monitoring Microsoft Defender for Cloud: File Integrity Monitoring detect partial T1547.014 Active Setup
Comments
This control can detect commands or registry key modifications associated with Active Setup such as HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\.
References
file_integrity_monitoring Microsoft Defender for Cloud: File Integrity Monitoring detect partial T1548.003 Sudo and Sudo Caching
Comments
This control may detect changes to the sudoers file which may indicate privilege escalation. This control at worst scans for changes on an hourly basis.
References
file_integrity_monitoring Microsoft Defender for Cloud: File Integrity Monitoring detect partial T1553 Subvert Trust Controls
Comments
This control can be used to detect a subset of this technique's sub-techniques while minimizing the false positive rate.
References
file_integrity_monitoring Microsoft Defender for Cloud: File Integrity Monitoring detect partial T1553.003 SIP and Trust Provider Hijacking
Comments
This control can detect modifications made to the Registry keys used to register Windows Subject Interface Packages (SIPs). Because this sub-technique can be accomplished without modifying the Registry via DLL Search Order Hijacking, it has been scored as Partial. The related Registry keys should not change often and therefore the false positive rate should be minimal. This control at worst scans for changes on an hourly basis.
References
file_integrity_monitoring Microsoft Defender for Cloud: File Integrity Monitoring detect partial T1553.004 Install Root Certificate
Comments
This control can be used to detect when the system root certificates has changed by detecting the corresponding Registry or File system modifications that occur as a result. These root certificates should not change often and therefore the false positive rate is minimal. This control at worst scans for changes on an hourly basis.
References
file_integrity_monitoring Microsoft Defender for Cloud: File Integrity Monitoring detect partial T1556 Modify Authentication Process
Comments
This control is effective for detecting the Registry and file system artifacts that are generated during the execution of some variations of this technique while minimizing false positives due to the locations being monitored changing infrequently (e.g. /etc/pam.d/).
References
file_integrity_monitoring Microsoft Defender for Cloud: File Integrity Monitoring detect partial T1556.002 Password Filter DLL
Comments
The Registry key used to register a Password Filter DLL can be monitored for changes using this control providing substantial coverage of this sub-technique. This key should not change often and therefore false positives should be minimal. This control at worst scans for changes on an hourly basis.
References
file_integrity_monitoring Microsoft Defender for Cloud: File Integrity Monitoring detect partial T1556.003 Pluggable Authentication Modules
Comments
The PAM configuration and module paths (/etc/pam.d/) can be monitored for changes using this control. The files in this path should not change often and therefore false positives should be minimal. This control at worst scans for changes on an hourly basis.
References
file_integrity_monitoring Microsoft Defender for Cloud: File Integrity Monitoring detect partial T1556.007 Hybrid Identity
Comments
This control can monitor for suspicious modification of files associated with hybrid identity authentication processes, such as configuration files.
References
file_integrity_monitoring Microsoft Defender for Cloud: File Integrity Monitoring detect partial T1556.008 Network Provider DLL
Comments
This control can monitor for creation or changes to registry keys associated with network provider DLL such as HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\\NetworkProvider and HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\NetworkProvider\Order.
References
file_integrity_monitoring Microsoft Defender for Cloud: File Integrity Monitoring detect partial T1564.008 Email Hiding Rules
Comments
This control can detect when files are modified related to email rules such as RulesActiveState.plist, SyncedRules.plist, UnsyncedRules.plist, and MessageRules.plist on MacOS.
References
file_integrity_monitoring Microsoft Defender for Cloud: File Integrity Monitoring detect partial T1564.009 Resource Forking
Comments
This control can detect when files are created or modified related to resource forking.
References
file_integrity_monitoring Microsoft Defender for Cloud: File Integrity Monitoring detect partial T1564.012 File/Path Exclusions
Comments
This control can detect when files are created in folders associated with or spoofing that of trusted applications.
References
file_integrity_monitoring Microsoft Defender for Cloud: File Integrity Monitoring detect partial T1574.006 Dynamic Linker Hijacking
Comments
This control may detect changes to the ld.so.preload file which may indicate an attempt to hijack execution flow. This sub-technique may also be utilized through an environment variable which this control may not detect. This control at worst scans for changes on an hourly basis.
References
file_integrity_monitoring Microsoft Defender for Cloud: File Integrity Monitoring detect partial T1574.007 Path Interception by PATH Environment Variable
Comments
This control can detect file changes on VMs indicative of Path Interception by PATH Environment Variable.
References
file_integrity_monitoring Microsoft Defender for Cloud: File Integrity Monitoring detect partial T1574.008 Path Interception by Search Order Hijacking
Comments
This control can detect file changes on VMs indicative of Path Interception by Search Order Hijacking.
References
file_integrity_monitoring Microsoft Defender for Cloud: File Integrity Monitoring detect partial T1574.009 Path Interception by Unquoted Path
Comments
This control can detect file changes on VMs indicative of Path Interception by Unquoted Path.
References
file_integrity_monitoring Microsoft Defender for Cloud: File Integrity Monitoring detect partial T1574.014 AppDomainManager
Comments
This control can detect file changes on VMs indicative of hijacking of the AppDomainManager.
References
file_integrity_monitoring Microsoft Defender for Cloud: File Integrity Monitoring detect significant T1053 Scheduled Task/Job
Comments
This control can detect scheduled tasks/jobs.
References
docker_host_hardening Microsoft Defender for Cloud: Docker Host Hardening detect minimal T1525 Implant Internal Image
Comments
This control may alert on Docker containers that are misconfigured or do not conform to CIS Docker Benchmarks. This may result in detection of container images implanted within Linux VMs with specific vulnerabilities or misconfigurations for malicious purposes.
References
docker_host_hardening Microsoft Defender for Cloud: Docker Host Hardening protect minimal T1005 Data from Local System
Comments
This control may provide recommendations that limit the ability of an attacker to gain access to a host from a container, preventing the attacker from discovering and compromising local system data.
References
docker_host_hardening Microsoft Defender for Cloud: Docker Host Hardening protect minimal T1021 Remote Services
Comments
This control can protect against abuse of remote services.
References
docker_host_hardening Microsoft Defender for Cloud: Docker Host Hardening protect minimal T1021.004 SSH
Comments
This control may provide recommendations to ensure sshd is not running within Docker containers. This can prevent attackers from utilizing unmonitored SSH servers within containers. This may not prevent attackers from installing a SSH server in containers or hosts.
References
docker_host_hardening Microsoft Defender for Cloud: Docker Host Hardening protect minimal T1040 Network Sniffing
Comments
This control may recommend usage of TLS to encrypt communication between the Docker daemon and clients. This can prevent possible leakage of sensitive information through network sniffing.
References
docker_host_hardening Microsoft Defender for Cloud: Docker Host Hardening protect minimal T1068 Exploitation for Privilege Escalation
Comments
This control may provide recommendations on how to reduce the surface area and mechanisms by which an attacker could escalate privileges.
References
docker_host_hardening Microsoft Defender for Cloud: Docker Host Hardening protect minimal T1083 File and Directory Discovery
Comments
This control may provide recommendations to ensure sensitive host system directories are not mounted in the container.
References
docker_host_hardening Microsoft Defender for Cloud: Docker Host Hardening protect minimal T1548 Abuse Elevation Control Mechanism
Comments
This control is only relevant for Linux endpoints containing Docker containers.
References
docker_host_hardening Microsoft Defender for Cloud: Docker Host Hardening protect minimal T1548.001 Setuid and Setgid
Comments
This control may provide recommendations to remove setuid and setguid permissions from container images. It may not be feasible to audit and remediate all binaries that have and require setuid and setguid permissions.
References
docker_host_hardening Microsoft Defender for Cloud: Docker Host Hardening protect partial T1021.007 Cloud Services
Comments
This control can protect against abuse of remote cloud services.
References
docker_host_hardening Microsoft Defender for Cloud: Docker Host Hardening protect partial T1021.008 Direct Cloud VM Connections
Comments
This control can protect against abuse of direct cloud VM connections.
References
devops_security Microsoft Defender for Cloud: DevOps Security protect partial T1098 Account Manipulation
devops_security Microsoft Defender for Cloud: DevOps Security protect partial T1098.001 Additional Cloud Credentials
Comments
This capability can protect against creation of additional cloud credentials by requiring DevOps best practices.
References
devops_security Microsoft Defender for Cloud: DevOps Security protect partial T1213.003 Code Repositories
Comments
This control can protect against repository misconfigurations.
References
devops_security Microsoft Defender for Cloud: DevOps Security protect partial T1552.007 Container API
Comments
This capability can protect against unsecured Container API credentials by ensuring credential security is part of the DevOps process.
References
devops_security Microsoft Defender for Cloud: DevOps Security protect partial T1557 Adversary-in-the-Middle
Comments
This capability can protect against adversary-in-the-middle attacks by ensuring encryption is baked into the DevOps process of applications.
References
devops_security Microsoft Defender for Cloud: DevOps Security protect partial T1564.009 Resource Forking
Comments
This control can provide DevOps guidance that applications should use the application bundle structure which leverages the /Resources folder location to mitigate resource forking.
References
devops_security Microsoft Defender for Cloud: DevOps Security protect partial T1593.003 Code Repositories
Comments
This control can protect code repositories by employing DevSecOps best practices.
References
devops_security Microsoft Defender for Cloud: DevOps Security protect significant T1189 Drive-by Compromise
Comments
This capability can protect against drive by compromise by ensuring application security is baked into DevOps.
References
devops_security Microsoft Defender for Cloud: DevOps Security protect significant T1190 Exploit Public-Facing Application
Comments
This capability can protect against exploitation of public facing applications by ensuring application security is baked into DevOps.
References
advanced_threat_protection_for_azure_sql_database Advanced Threat Protection for Azure SQL Database detect minimal T1078 Valid Accounts
Comments
This control only provides alerts for a set of Azure database offerings. Databases that have been deployed to endpoints within Azure or third-party databases deployed to Azure do not generate alerts for this control.
References
advanced_threat_protection_for_azure_sql_database Advanced Threat Protection for Azure SQL Database detect minimal T1110 Brute Force
Comments
This control covers the majority of sub-techniques for this parent technique and may cover both successful and unsuccessful brute force attacks. This control only provides alerts for a set of Azure database offerings. Databases that have been deployed to endpoints within Azure or third-party databases deployed to Azure do not generate alerts for this control.
References
advanced_threat_protection_for_azure_sql_database Advanced Threat Protection for Azure SQL Database detect minimal T1110.001 Password Guessing
Comments
This control may alert on repeated sign in attempts to the resource and successful logins from a suspicious location, IP address, or a user that does not commonly log in to the resource. Because this control is specific to Azure database offerings, the detection coverage is Minimal.
References
advanced_threat_protection_for_azure_sql_database Advanced Threat Protection for Azure SQL Database detect minimal T1110.003 Password Spraying
Comments
This control may alert on repeated sign in attempts to the resource and successful logins from a suspicious location, IP address, or a user that does not commonly log in to the resource. Because this control is specific to Azure database offerings, the detection coverage is Minimal.
References
advanced_threat_protection_for_azure_sql_database Advanced Threat Protection for Azure SQL Database detect minimal T1110.004 Credential Stuffing
Comments
This control may alert on repeated sign in attempts to the resource and successful logins from a suspicious location, IP address, or a user that does not commonly log in to the resource. Because this control is specific to Azure database offerings, the detection coverage is Minimal.
References
advanced_threat_protection_for_azure_sql_database Advanced Threat Protection for Azure SQL Database detect minimal T1190 Exploit Public-Facing Application
Comments
This control may alert on usage of faulty SQL statements. This generates an alert for a possible SQL injection by an application. Alerts may not be generated on usage of valid SQL statements by attackers for malicious purposes.
References
advanced_threat_protection_for_azure_sql_database Advanced Threat Protection for Azure SQL Database detect minimal T1213 Data from Information Repositories
Comments
This control may alert on extraction of a large amount of data to an unusual location. No documentation is provided on the logic for determining an unusual location.
References
advanced_threat_protection_for_azure_sql_database Advanced Threat Protection for Azure SQL Database detect partial T1078.004 Cloud Accounts
Comments
This control may alert on logon events that are suspicious. This includes logins from unusual locations, logins from suspicious IP addresses, and users that do not commonly access the resource. These alerts may limit the ability of an attacker to utilize a valid cloud account to access and manipulate Azure databases.
References
ai_security_recommendations Microsoft Defender for Cloud: AI Security Recommendations protect minimal T1040 Network Sniffing
Comments
This control's recommendations related to enforcing the usage of the secure versions of the HTTP and FTP protocols (HTTPS and FTPS) can lead to encrypting traffic which reduces the ability for an adversary to gather sensitive data via network sniffing. This also applies to the "Service Fabric clusters should have the ClusterProtectionLevel property set to EncryptAndSign", "Enforce SSL connection should be enabled for MySQL database servers", "Enforce SSL connection should be enabled for PostgreSQL database servers", "Only secure connections to your Redis Cache should be enabled" and "Secure transfer to storage accounts should be enabled" recommendations for their respective protocols. The "Usage of host networking and ports should be restricted" recommendation for Kubernetes clusters can also lead to mitigating this technique. These recommendations are limited to specific technologies on the platform and therefore its coverage score is Minimal.
References
ai_security_recommendations Microsoft Defender for Cloud: AI Security Recommendations protect minimal T1053 Scheduled Task/Job
Comments
This control's "Immutable (read-only) root filesystem should be enforced for containers" recommendation can mitigate a few of the sub-techniques of this technique. Due to its Minimal coverage, its score is assessed as Minimal.
References
ai_security_recommendations Microsoft Defender for Cloud: AI Security Recommendations protect minimal T1053.003 Cron
Comments
This control's "Immutable (read-only) root filesystem should be enforced for containers" recommendation can lead to preventing the addition or modification of config files in Kubernetes containers required to implement the behaviors described in these sub-techniques. Because this is a recommendation, and specific to Kubernetes containers, its score is assessed as Minimal.
References
ai_security_recommendations Microsoft Defender for Cloud: AI Security Recommendations protect minimal T1053.006 Systemd Timers
Comments
This control's "Immutable (read-only) root filesystem should be enforced for containers" recommendation can lead to preventing the addition or modification of config files in Kubernetes containers required to implement the behaviors described in these sub-techniques. Because this is a recommendation, and specific to Kubernetes containers, its score is assessed as Minimal.
References
ai_security_recommendations Microsoft Defender for Cloud: AI Security Recommendations protect minimal T1078 Valid Accounts
Comments
This control's recommendations about removing deprecated and external accounts with sensitive permissions from your subscription can lead to mitigating the Cloud Accounts sub-technique of this technique. Because this is a recommendation and has low coverage, it is assessed as Minimal.
References
ai_security_recommendations Microsoft Defender for Cloud: AI Security Recommendations protect minimal T1078.004 Cloud Accounts
Comments
This control's "Deprecated accounts should be removed from your subscription" and "Deprecated accounts with owner permissions should be removed from your subscription" recommendation can lead to removing accounts that should not be utilized from your subscriptions thereby denying adversaries the usage of these accounts to find ways to access your data without being noticed. Likewise, the recommendations related to External account permissions can also mitigate this sub-technique. Because these are recommendations and only limited to deprecated and external accounts, this is scored as Minimal.
References
ai_security_recommendations Microsoft Defender for Cloud: AI Security Recommendations protect minimal T1098 Account Manipulation
Comments
This control's "Immutable (read-only) root filesystem should be enforced for containers" recommendation can prevent modifying the ssh_authorized keys file. Because it is a recommendation and limited to only one sub-technique, its score is Minimal.
References
ai_security_recommendations Microsoft Defender for Cloud: AI Security Recommendations protect minimal T1098.004 SSH Authorized Keys
Comments
This control's "Immutable (read-only) root filesystem should be enforced for containers" recommendation can lead to preventing modification of a Kubernetes container's file system which can mitigate this technique. Because this recommendation is specific to Kubernetes containers, its score is Minimal.
References
ai_security_recommendations Microsoft Defender for Cloud: AI Security Recommendations protect minimal T1110 Brute Force
Comments
This control's "Authentication to Linux machines should require SSH keys" recommendation can lead to obviating SSH Brute Force password attacks. Because this is specific to Linux, the coverage score is Minimal leading to an overall Minimal score.
References
ai_security_recommendations Microsoft Defender for Cloud: AI Security Recommendations protect minimal T1110.001 Password Guessing
Comments
This control's "Authentication to Linux machines should require SSH keys" can obviate SSH Brute Force password attacks. Because this is specific to Linux, the coverage score is Minimal leading to an overall Minimal score.
References
ai_security_recommendations Microsoft Defender for Cloud: AI Security Recommendations protect minimal T1110.003 Password Spraying
Comments
This control's "Authentication to Linux machines should require SSH keys" can obviate SSH Brute Force password attacks. Because this is specific to Linux, the coverage score is Minimal leading to an overall Minimal score.
References
ai_security_recommendations Microsoft Defender for Cloud: AI Security Recommendations protect minimal T1110.004 Credential Stuffing
Comments
This control's "Authentication to Linux machines should require SSH keys" can obviate SSH Brute Force password attacks. Because this is specific to Linux, the coverage score is Minimal leading to an overall Minimal score.
References
ai_security_recommendations Microsoft Defender for Cloud: AI Security Recommendations protect minimal T1136 Create Account
Comments
This control's "Immutable (read-only) root filesystem should be enforced for containers" recommendation can mitigate a sub-technique of this technique. Due to its Minimal coverage, its score is assessed as Minimal.
References
ai_security_recommendations Microsoft Defender for Cloud: AI Security Recommendations protect minimal T1190 Exploit Public-Facing Application
Comments
This control's CORS related recommendations can help lead to hardened web applications. This can reduce the likelihood of an application being exploited to reveal sensitive data that can lead to the compromise of an environment. Likewise this control's recommendations related to keeping Java/PHP up to date for API/Function/Web apps can lead to hardening the public facing content that uses these runtimes. This control's recommendations related to disabling Public network access for Azure databases can lead to reducing the exposure of resources to the public Internet and thereby reduce the attack surface. These recommendations are limited to specific technologies (Java, PHP and CORS, SQL DBs) and therefore provide Minimal coverage leading to a Minimal score.
References
ai_security_recommendations Microsoft Defender for Cloud: AI Security Recommendations protect minimal T1222 File and Directory Permissions Modification
Comments
This control's "Immutable (read-only) root filesystem should be enforced for containers" recommendation can mitigate a sub-technique of this technique. Due to its Minimal coverage, its score is assessed as Minimal.
References
ai_security_recommendations Microsoft Defender for Cloud: AI Security Recommendations protect minimal T1222.002 Linux and Mac File and Directory Permissions Modification
Comments
This control's "Immutable (read-only) root filesystem should be enforced for containers" recommendation can lead to preventing the modification of the file system permissions in Kubernetes containers thereby mitigating this sub-technique. Because this is a recommendation, and specific to Kubernetes containers, its score is assessed as Minimal.
References
ai_security_recommendations Microsoft Defender for Cloud: AI Security Recommendations protect minimal T1499 Endpoint Denial of Service
Comments
This control provides recommendations for limiting the CPU and memory resources consumed by a container to minimize resource exhaustion attacks. Because this control only covers one sub-technique of this technique, its score is assessed as Minimal.
References
ai_security_recommendations Microsoft Defender for Cloud: AI Security Recommendations protect minimal T1505 Server Software Component
Comments
This control's "Immutable (read-only) root filesystem should be enforced for containers" recommendation can mitigate a sub-technique of this technique. Due to its Minimal coverage, its score is assessed as Minimal.
References
ai_security_recommendations Microsoft Defender for Cloud: AI Security Recommendations protect minimal T1505.003 Web Shell
Comments
This control's "Immutable (read-only) root filesystem should be enforced for containers" recommendation can lead to preventing modifications to the file system in Kubernetes containers which can mitigate adversaries installing web shells. Because this is a recommendation, and specific to Kubernetes containers, its score is assessed as Minimal.
References
ai_security_recommendations Microsoft Defender for Cloud: AI Security Recommendations protect minimal T1543 Create or Modify System Process
Comments
This control's "Immutable (read-only) root filesystem should be enforced for containers" recommendation can mitigate a sub-technique of this technique. Due to its Minimal coverage, its score is assessed as Minimal.
References
ai_security_recommendations Microsoft Defender for Cloud: AI Security Recommendations protect minimal T1543.002 Systemd Service
Comments
This control's "Immutable (read-only) root filesystem should be enforced for containers" recommendation can lead to preventing the addition or modification of systemd service files in Kubernetes containers thereby mitigating this sub-technique. Because this is a recommendation, and specific to Kubernetes containers, its score is assessed as Minimal.
References
ai_security_recommendations Microsoft Defender for Cloud: AI Security Recommendations protect minimal T1546 Event Triggered Execution
Comments
This control's "Immutable (read-only) root filesystem should be enforced for containers" recommendation can mitigate a sub-technique of this technique. Due to its Minimal coverage, its score is assessed as Minimal.
References
ai_security_recommendations Microsoft Defender for Cloud: AI Security Recommendations protect minimal T1546.004 Unix Shell Configuration Modification
Comments
This control's "Immutable (read-only) root filesystem should be enforced for containers" recommendation can lead to preventing the addition or modification of the file system in Kubernetes containers thereby mitigating this sub-technique. Because this is a recommendation, and specific to Kubernetes containers, its score is assessed as Minimal.
References
ai_security_recommendations Microsoft Defender for Cloud: AI Security Recommendations protect minimal T1556 Modify Authentication Process
Comments
This control's "Immutable (read-only) root filesystem should be enforced for containers" recommendation can mitigate a sub-techniques of this technique. Due to it being a recommendation and providing minimal coverage, its score is assessed as Minimal.
References
ai_security_recommendations Microsoft Defender for Cloud: AI Security Recommendations protect minimal T1556.003 Pluggable Authentication Modules
Comments
This control's "Immutable (read-only) root filesystem should be enforced for containers" recommendation can lead to preventing this sub-technique which often modifies Pluggable Authentication Modules (PAM) components in the file system. Because this is a recommendation, and specific to Kubernetes containers, its score is assessed as Minimal.
References
ai_security_recommendations Microsoft Defender for Cloud: AI Security Recommendations protect minimal T1564 Hide Artifacts
Comments
This control's "Immutable (read-only) root filesystem should be enforced for containers" recommendation can mitigate some of the sub-techniques of this technique. Due to its partial coverage and Minimal score assessed for its sub-techniques, its score is assessed as Minimal.
References
ai_security_recommendations Microsoft Defender for Cloud: AI Security Recommendations protect minimal T1564.001 Hidden Files and Directories
Comments
This control's "Immutable (read-only) root filesystem should be enforced for containers" recommendation can lead to preventing these sub-techniques which result in changes to the file system directly or indirectly during their execution. Because this is a recommendation, and specific to Kubernetes containers, its score is assessed as Minimal.
References
ai_security_recommendations Microsoft Defender for Cloud: AI Security Recommendations protect minimal T1564.005 Hidden File System
Comments
This control's "Immutable (read-only) root filesystem should be enforced for containers" recommendation can lead to preventing these sub-techniques which result in changes to the file system directly or indirectly during their execution. Because this is a recommendation, and specific to Kubernetes containers, its score is assessed as Minimal.
References
ai_security_recommendations Microsoft Defender for Cloud: AI Security Recommendations protect minimal T1564.006 Run Virtual Instance
Comments
This control's "Immutable (read-only) root filesystem should be enforced for containers" recommendation can lead to preventing these sub-techniques which result in changes to the file system directly or indirectly during their execution. Because this is a recommendation, and specific to Kubernetes containers, its score is assessed as Minimal.
References
ai_security_recommendations Microsoft Defender for Cloud: AI Security Recommendations protect minimal T1565 Data Manipulation
Comments
This control's "Immutable (read-only) root filesystem should be enforced for containers" recommendation can lead to mitigating a sub-technique of this technique by preventing modification of the local filesystem. Due to it being a recommendation and mitigating only one sub-technique, its score is assessed as Minimal.
References
ai_security_recommendations Microsoft Defender for Cloud: AI Security Recommendations protect partial T1068 Exploitation for Privilege Escalation
Comments
This control's "Container with privilege escalation should be avoided", "Least privileged Linux capabilities should be enforced for containers", "Privileged containers should be avoided", "Running containers as root user should be avoided" and "Containers sharing sensitive host namespaces should be avoided" recommendations can make it difficult for adversaries to advance their operation through exploitation of undiscovered or unpatched vulnerabilities. Because this is a recommendation, the assessed score has been capped at Partial.
References
ai_security_recommendations Microsoft Defender for Cloud: AI Security Recommendations protect partial T1074 Data Staged
Comments
This control's "Immutable (read-only) root filesystem should be enforced for containers" recommendation can lead to mitigating a sub-technique of this technique by preventing modification of the local filesystem. Due to it being a recommendation, its score is capped at Partial.
References
ai_security_recommendations Microsoft Defender for Cloud: AI Security Recommendations protect partial T1074.001 Local Data Staging
Comments
This control's "Immutable (read-only) root filesystem should be enforced for containers" recommendation can lead to mitigating this sub-technique by preventing modification of the local filesystem. Due to it being a recommendation, its score is capped at Partial.
References
ai_security_recommendations Microsoft Defender for Cloud: AI Security Recommendations protect partial T1080 Taint Shared Content
Comments
This control's "Immutable (read-only) root filesystem should be enforced for containers" and "Usage of pod HostPath volume mounts should be restricted to a known list to restrict node access from compromised containers" recommendations can mitigate this technique. Due to it being a recommendation, its score is capped at Partial.
References
ai_security_recommendations Microsoft Defender for Cloud: AI Security Recommendations protect partial T1133 External Remote Services
Comments
This control's "Management ports should be closed on your virtual machines" recommendation can lead to reducing the attack surface of your Azure VMs by recommending closing management ports. Because this is a recommendation, its score is limited to Partial.
References
ai_security_recommendations Microsoft Defender for Cloud: AI Security Recommendations protect partial T1136.001 Local Account
Comments
This control's "Immutable (read-only) root filesystem should be enforced for containers" recommendation can lead to preventing system files from being modified in Kubernetes containers thereby mitigating this sub-technique since adding an account (on Linux) requires modifying system files. Because this is a recommendation, its score is capped at Partial.
References
ai_security_recommendations Microsoft Defender for Cloud: AI Security Recommendations protect partial T1485 Data Destruction
Comments
This control's "Immutable (read-only) root filesystem should be enforced for containers" recommendation can lead to mitigating this technique by preventing modification of the local filesystem. Due to it being a recommendation, its score is capped at Partial.
References
ai_security_recommendations Microsoft Defender for Cloud: AI Security Recommendations protect partial T1486 Data Encrypted for Impact
Comments
This control's "Immutable (read-only) root filesystem should be enforced for containers" recommendation can lead to mitigating this technique by preventing modification of the local filesystem. Due to it being a recommendation, its score is capped at Partial.
References
ai_security_recommendations Microsoft Defender for Cloud: AI Security Recommendations protect partial T1499.001 OS Exhaustion Flood
Comments
This control's "Container CPU and memory limits should be enforced" recommendation can lead to preventing resource exhaustion attacks by recommending enforcing limits for containers to ensure the runtime prevents the container from using more than the configured resource limit. Because this is a recommendation, its score is capped at Partial.
References
ai_security_recommendations Microsoft Defender for Cloud: AI Security Recommendations protect partial T1525 Implant Internal Image
Comments
This control's "Container images should be deployed from trusted registries only", "Container registries should not allow unrestricted network access" and "Container registries should use private link" recommendations can lead to ensuring that container images are only loaded from trusted registries thereby mitigating this technique.
References
ai_security_recommendations Microsoft Defender for Cloud: AI Security Recommendations protect partial T1542 Pre-OS Boot
Comments
This control provides recommendations for enabling Secure Boot of Linux VMs that can mitigate a few of the sub-techniques of this technique. Because this is a recommendation and only limited to a few sub-techniques of this technique, its assessed score is Partial.
References
ai_security_recommendations Microsoft Defender for Cloud: AI Security Recommendations protect partial T1542.001 System Firmware
Comments
This control's "Secure Boot should be enabled on your Linux virtual machine" and "Virtual machines should be attested for boot integrity health" recommendations can lead to enabling secure boot on Linux VMs to mitigate these sub-techniques. Because this recommendation is specific to Linux VM and is a recommendation, its score is capped at Partial.
References
ai_security_recommendations Microsoft Defender for Cloud: AI Security Recommendations protect partial T1542.003 Bootkit
Comments
This control's "Secure Boot should be enabled on your Linux virtual machine" and "Virtual machines should be attested for boot integrity health" recommendations can lead to enabling secure boot on Linux VMs to mitigate these sub-techniques. Because this recommendation is specific to Linux VM and is a recommendation, its score is capped at Partial.
References
ai_security_recommendations Microsoft Defender for Cloud: AI Security Recommendations protect partial T1554 Compromise Host Software Binary
Comments
This control's "Immutable (read-only) root filesystem should be enforced for containers" recommendation can lead to preventing modification of binaries in Kubernetes containers thereby mitigating this technique. Because this is a recommendation, its score is capped at Partial.
References
ai_security_recommendations Microsoft Defender for Cloud: AI Security Recommendations protect partial T1562.010 Downgrade Attack
Comments
This control may prevent downgrade attacks by enforcing use of HTTPS protocol.
References
ai_security_recommendations Microsoft Defender for Cloud: AI Security Recommendations protect partial T1565.001 Stored Data Manipulation
Comments
This control's "Immutable (read-only) root filesystem should be enforced for containers" recommendation can lead to mitigating this sub-technique by preventing modification of the local filesystem. Likewise this control's recommendations related to using customer-managed keys to encrypt data at rest and enabling transparent data encryption for SQL databases can mitigate this sub-technique by reducing an adversary's ability to perform tailored data modifications. Due to it being a recommendation, its score is capped at Partial.
References
ai_threat_protection Microsoft Defender for Cloud: AI Threat Protection detect partial T1090.003 Multi-hop Proxy
Comments
This capability can detect (alert: AI.Azure_AccessFromAnonymizedIP) when an AI is accessed from a Tor network IP.
References
ai_threat_protection Microsoft Defender for Cloud: AI Threat Protection detect partial T1491 Defacement
Comments
This capability can alert (using AI.Azure_MaliciousUrl.ModelResponse) when an AI model has shared a malicious URL with a user.
References
ai_threat_protection Microsoft Defender for Cloud: AI Threat Protection detect partial T1552 Unsecured Credentials
Comments
This control provides detection of unsecured credentials being divulged by AI model responses.
References
ai_threat_protection Microsoft Defender for Cloud: AI Threat Protection detect significant T1496.004 Cloud Service Hijacking
Comments
This capability has multiple alerts (AI.Azure_DOWDuplicateRequests, AI.Azure_DOWVolumeAnomaly) that can detect abuse of an AI for financial impact on an organization.
References
alerts_for_azure_cosmos_db Alerts for Azure Cosmos DB detect minimal T1078 Valid Accounts
Comments
This control's detection is specific to the Cosmos DB and therefore provides minimal overall detection coverage for Valid Accounts resulting in a Minimal score. A relevant alert is "Access from an unusual location to a Cosmos DB account".
References
alerts_for_azure_cosmos_db Alerts for Azure Cosmos DB detect minimal T1078.004 Cloud Accounts
Comments
This control triggers an alert when there is a change in the access pattern to an Azure Cosmos account based on access from an unusual geographical location. False positives are fairly likely and misuse from a typical location is not covered, so score is Minimal. Relevant alert is "Access from an unusual location to a Cosmos DB account"
References
alerts_for_azure_cosmos_db Alerts for Azure Cosmos DB detect minimal T1213 Data from Information Repositories
Comments
This control triggers an alert when an unusually large amount of data is extracted from/by an account compared to recent activity. False positives are fairly likely and extraction in quantities below the control's threshold is not detected, so score is Minimal. Neither of the sub-techniques are relevant in this context, since they are repository-specific. Relevant alert is "Unusual amount of data extracted from a Cosmos DB account"
References
alerts_for_azure_network_layer Alerts for Azure Network Layer detect minimal T1071 Application Layer Protocol
Comments
This control can identify connections to known malicious sites. Scored minimal since the malicious sites must be on block list.
References
alerts_for_azure_network_layer Alerts for Azure Network Layer detect minimal T1071.001 Web Protocols
Comments
This control can identify connections to known malicious sites. Scored minimal since the malicious sites must be on a block list.
References
alerts_for_azure_network_layer Alerts for Azure Network Layer detect minimal T1071.002 File Transfer Protocols
Comments
This control can identify connections to known malicious sites. Scored minimal since the malicious sites must be on a block list.
References
alerts_for_azure_network_layer Alerts for Azure Network Layer detect minimal T1071.003 Mail Protocols
Comments
This control can identify connections to known malicious sites. Scored minimal since the malicious sites must be on a block list.
References
alerts_for_azure_network_layer Alerts for Azure Network Layer detect minimal T1071.004 DNS
Comments
This control can identify connections to known malicious sites. Scored minimal since the malicious sites must be on a block list.
References
alerts_for_azure_network_layer Alerts for Azure Network Layer detect partial T1071.005 Publish/Subscribe Protocols
Comments
This control can identify connections to known malicious sites.
References
alerts_for_azure_network_layer Alerts for Azure Network Layer detect partial T1133 External Remote Services
Comments
This control can potentially identify malicious use of remote services via alerts such as "Suspicious incoming RDP network activity" and "Suspicious Incoming SSH network activity".
References
alerts_for_azure_network_layer Alerts for Azure Network Layer detect significant T1110 Brute Force
Comments
This control can identify multiple connection attempts by external IPs, which may be indicative of Brute Force attempts, though not T1110.002, which is performed offline. It provides significant detection from most of this technique's sub-techniques and procedure examples resulting in an overall score of Significant.
References
alerts_for_azure_network_layer Alerts for Azure Network Layer detect significant T1110.001 Password Guessing
Comments
This control can identify multiple connection attempts by external IPs, which may be indicative of Brute Force attempts, though not T1110.002, which is performed offline.
References
alerts_for_azure_network_layer Alerts for Azure Network Layer detect significant T1110.003 Password Spraying
Comments
This control can identify multiple connection attempts by external IPs, which may be indicative of Brute Force attempts, though not T1110.002, which is performed offline.
References
alerts_for_azure_network_layer Alerts for Azure Network Layer detect significant T1110.004 Credential Stuffing
Comments
This control can identify multiple connection attempts by external IPs, which may be indicative of Brute Force attempts, though not T1110.002, which is performed offline.
References
alerts_for_dns Alerts for DNS detect minimal T1048 Exfiltration Over Alternative Protocol
Comments
Can detect anomalous use of DNS. Because this detection is specific to DNS, its coverage score is Minimal resulting in an overall Minimal score.
References
alerts_for_dns Alerts for DNS detect minimal T1071 Application Layer Protocol
Comments
Can detect potential DNS protocol misuse/anomalies. Technique coverage is restricted to DNS and therefore results in a Minimal score.
References
alerts_for_dns Alerts for DNS detect minimal T1090 Proxy
Comments
Can detect DNS activity to anonymity networks e.g. TOR. Because this detection is specific to DNS, its coverage score is Minimal resulting in an overall Minimal score.
References
alerts_for_dns Alerts for DNS detect minimal T1572 Protocol Tunneling
Comments
Can identify protocol misuse/anomalies in DNS. Because this detection is specific to DNS, its coverage score is Minimal resulting in an overall Minimal score.
References
alerts_for_dns Alerts for DNS detect partial T1568 Dynamic Resolution
Comments
Can identify "random" DNS occurences which can be associated with domain generation algorithm or Fast Flux sub-techniques. Partial for coverage and accuracy (potential for false positive/benign).
References
alerts_for_dns Alerts for DNS detect partial T1568.001 Fast Flux DNS
Comments
Detects "random" DNS name occurences, potentially indicative of Fast Flux or DGA. Potential false positives from benign "random" DNS names.
References
alerts_for_dns Alerts for DNS detect partial T1568.002 Domain Generation Algorithms
Comments
Detects "random" DNS name occurences, potentially indicative of Fast Flux or DGA. Potential false positives from benign "random" DNS names.
References
alerts_for_dns Alerts for DNS detect significant T1071.004 DNS
Comments
Can alert on anomalies and misuse of the DNS protocol.
References
alerts_for_linux_machines Alerts for Linux Machines detect minimal T1021 Remote Services
Comments
This control is only relevant for Linux environments. Among the sub-techinques that are relevant for Linux, this control may only alert on SSH.
References
alerts_for_linux_machines Alerts for Linux Machines detect minimal T1027 Obfuscated Files or Information
Comments
This control only provides detection coverage for the Compile After Delivery sub-technique while not providing detection for all other sub-techniques relevant to the Linux platform or most of its procedure examples. As a result of this minimal coverage, the overall score is assessed as Minimal.
References
alerts_for_linux_machines Alerts for Linux Machines detect minimal T1027.004 Compile After Delivery
Comments
This control may alert on suspicious compilation. No documentation is provided on the logic for determining a suspicious compilation event.
References
alerts_for_linux_machines Alerts for Linux Machines detect minimal T1059 Command and Scripting Interpreter
Comments
This control may alert on suspicious Unix shell and PHP execution. Mismatched script extensions may also generate alerts of suspicious activity. Only one of the technique's sub-techniques is covered, resulting in a score of Minimal.
References
alerts_for_linux_machines Alerts for Linux Machines detect minimal T1068 Exploitation for Privilege Escalation
Comments
This control may alert on suspicious arguments used to exploit Xorg vulnerabilities for privilege escalation.
References
alerts_for_linux_machines Alerts for Linux Machines detect minimal T1098 Account Manipulation
Comments
This control provides partial detection for only one of this technique's sub-techniques and does not cover most of its procedure examples, resulting in a score of Minimal.
References
alerts_for_linux_machines Alerts for Linux Machines detect minimal T1136 Create Account
Comments
This control is only relevant for Linux endpoints, and it provides partial coverage for the only sub-technique relevant on Linux endpoints, Local Account.
References
alerts_for_linux_machines Alerts for Linux Machines detect minimal T1505 Server Software Component
Comments
This control provides coverage for the only sub-technique this control is relevant for, Web Shell, but that coverage is Minimal.
References
alerts_for_linux_machines Alerts for Linux Machines detect minimal T1505.003 Web Shell
Comments
This control may alert on usage of web shells. No documentation is provided on logic for this detection.
References
alerts_for_linux_machines Alerts for Linux Machines detect minimal T1547 Boot or Logon Autostart Execution
Comments
This control is only relevant for Linux endpoint machines and the only sub-technique relevant for Linux is Kernel Modules and Extensions.
References
alerts_for_linux_machines Alerts for Linux Machines detect minimal T1562 Impair Defenses
Comments
This control only provides coverage for a miniority of the sub-techniques under this technique and provides no coverage for other relevant sub-techniques, such as Impair Command History Logging or Disable or Modify Tools, resulting in a score of Minimal.
References
alerts_for_linux_machines Alerts for Linux Machines detect minimal T1562.006 Indicator Blocking
Comments
This control may alert on activity which disables auditd logging on Linux endpoints. The auditd package may not be the only logging system being utilized and this control may not alert on activity that disables other logging software.
References
alerts_for_linux_machines Alerts for Linux Machines detect minimal T1564 Hide Artifacts
Comments
This control only provides coverage for a minority of this technique's relevant sub-techniques, resulting in a score of Minimal.
References
alerts_for_linux_machines Alerts for Linux Machines detect minimal T1564.001 Hidden Files and Directories
Comments
This control may alert on the execution of hidden files. Since this control is only triggered on execution, it may not fire on a variety of hidden files or directories that are being utilized for malicious purposes.
References
alerts_for_linux_machines Alerts for Linux Machines detect partial T1003 OS Credential Dumping
Comments
This control is only relevant for Linux environments, and provides partial coverage for one of the technique's two Linux-relevant sub-techniques.
References
alerts_for_linux_machines Alerts for Linux Machines detect partial T1003.008 /etc/passwd and /etc/shadow
Comments
This control may alert on suspicious access to encrypted user passwords. The documentation does not reference "/etc/passwd" and "/etc/shadow" directly nor does it describe the logic in determining suspicious access.
References
alerts_for_linux_machines Alerts for Linux Machines detect partial T1021.004 SSH
Comments
This control may alerts on SSH brute force attempts, addition of new SSH keys, and usage of a SSH server within a container. Alerts may not be generated by usage of existing SSH keys by malicious actors for lateral movement.
References
alerts_for_linux_machines Alerts for Linux Machines detect partial T1021.007 Cloud Services
Comments
This control can detect abuse of remote services.
References
alerts_for_linux_machines Alerts for Linux Machines detect partial T1021.008 Direct Cloud VM Connections
Comments
This control can detect direct cloud VM connections.
References
alerts_for_linux_machines Alerts for Linux Machines detect partial T1027.008 Stripped Payloads
Comments
This control can detect stripped payloads.
References
alerts_for_linux_machines Alerts for Linux Machines detect partial T1027.009 Embedded Payloads
Comments
This control can detect embedded payloads.
References
alerts_for_linux_machines Alerts for Linux Machines detect partial T1027.010 Command Obfuscation
Comments
This control can detect command obsfucation attacks.
References
alerts_for_linux_machines Alerts for Linux Machines detect partial T1027.013 Encrypted/Encoded File
Comments
This control can detect obsfucation via encrypted/encoded files.
References
alerts_for_linux_machines Alerts for Linux Machines detect partial T1027.014 Polymorphic Code
Comments
This control can detect obsfucation via polymorphic code.
References
alerts_for_linux_machines Alerts for Linux Machines detect partial T1036.008 Masquerade File Type
Comments
This control can detect if files are created or edited where the header and extension do not match.
References
alerts_for_linux_machines Alerts for Linux Machines detect partial T1059.004 Unix Shell
Comments
This control may alert on suspicious commandline activity. Alerts may be generated on possible detection of shellcode usage on the commandline, based on arguments, location, user, etc.
References
alerts_for_linux_machines Alerts for Linux Machines detect partial T1070 Indicator Removal
Comments
This control is only relevant for Linux environments and provides partial coverage for multiple Linux-relevant sub-techniques.
References
alerts_for_linux_machines Alerts for Linux Machines detect partial T1070.002 Clear Linux or Mac System Logs
Comments
This control may alert on possible log tampering activity, including deletion of logs. No documentation is provided on which log sources are targeted by this control.
References
alerts_for_linux_machines Alerts for Linux Machines detect partial T1070.003 Clear Command History
Comments
This control may alert on clearing of the command history file. Documentation is not provided on the logic for detecting when the command history is cleared but on Linux machines the location of the history file tends not to change from the default.
References
alerts_for_linux_machines Alerts for Linux Machines detect partial T1098.004 SSH Authorized Keys
Comments
This control may alert on addition of new SSH keys to the authorized key file and unusual process access of the authorized key file.
References
alerts_for_linux_machines Alerts for Linux Machines detect partial T1110 Brute Force
Comments
This control provides partial coverage for most of this technique's sub-techniques and procedures.
References
alerts_for_linux_machines Alerts for Linux Machines detect partial T1110.001 Password Guessing
Comments
This control may alert on multiple successful and failed brute force attempts against SSH. There are no alerts for other methods of logging into Linux machines.
References
alerts_for_linux_machines Alerts for Linux Machines detect partial T1110.003 Password Spraying
Comments
This control may alert on multiple successful and failed brute force attempts against SSH. There are no alerts for other methods of logging into Linux machines.
References
alerts_for_linux_machines Alerts for Linux Machines detect partial T1110.004 Credential Stuffing
Comments
This control may alert on multiple successful and failed brute force attempts against SSH. There are no alerts for other methods of logging into Linux machines.
References
alerts_for_linux_machines Alerts for Linux Machines detect partial T1113 Screen Capture
Comments
This control may alert on usage of a screenshot tool. Documentation is not provided on the logic for determining a screenshot tool.
References
alerts_for_linux_machines Alerts for Linux Machines detect partial T1136.001 Local Account
Comments
This control may alert on usage of the useradd command to create new users and the creation of local user accounts with suspicious similarity to other account names.
References
alerts_for_linux_machines Alerts for Linux Machines detect partial T1525 Implant Internal Image
Comments
This control may alert on suspicious container images running mining software or SSH servers. Privileged Docker containers and privileged commands running within containers may also be detected. These alerts are only generated on containers in Linux endpoint machines and not for containers running from Azure Docker deployment.
References
alerts_for_linux_machines Alerts for Linux Machines detect partial T1547.006 Kernel Modules and Extensions
Comments
This control may alert on a suspicious shared object file being loaded as a kernel module. No documentation is provided on the logic but kernel module loading is a relatively rare event and can only be done with a small set of commands.
References
alerts_for_linux_machines Alerts for Linux Machines detect partial T1547.013 XDG Autostart Entries
Comments
This control can detect command execution associated with xdg modification.
References
alerts_for_linux_machines Alerts for Linux Machines detect partial T1555.002 Securityd Memory
Comments
This control can detect command execution associated with this technique.
References
alerts_for_linux_machines Alerts for Linux Machines detect partial T1555.003 Credentials from Web Browsers
Comments
This control can detect command execution associated with this technique.
References
alerts_for_linux_machines Alerts for Linux Machines detect partial T1555.005 Password Managers
Comments
This control can detect command execution associated with this technique.
References
alerts_for_linux_machines Alerts for Linux Machines detect partial T1562.004 Disable or Modify System Firewall
Comments
This control may alert on manipulation of the on-host firewall. Firewall rules should not be changed often in a standard environment and such an event can provide a high fidelity alert.
References
alerts_for_linux_machines Alerts for Linux Machines detect partial T1562.012 Disable or Modify Linux Audit System
Comments
This control may alert on activity which disables auditd logging on Linux endpoints. The auditd package may not be the only logging system being utilized and this control may not alert on activity that disables other logging software.
References
alerts_for_linux_machines Alerts for Linux Machines detect partial T1564.006 Run Virtual Instance
Comments
This control may alert on containers using privileged commands, running SSH servers, or running mining software.
References
alerts_for_windows_machines Alerts for Windows Machines detect minimal T1003 OS Credential Dumping
Comments
This control provides detection for a minority of this technique's sub-techniques and procedure examples resulting in a Minimal Coverage score and consequently an overall score of Minimal. Furthermore, its detection capability relies on detecting the usage of specific tools (e.g. sqldumper.exe) further adversely impacting its score.
References
alerts_for_windows_machines Alerts for Windows Machines detect minimal T1003.004 LSA Secrets
Comments
This control may detect when the registry is modified to allow logon credentials to be stored in clear text in LSA memory. This change allows a threat actor to gain plain text credentials from the host machine. The following alerts may be generated: "Detected enabling of the WDigest UseLogonCredential registry key".
References
alerts_for_windows_machines Alerts for Windows Machines detect minimal T1027 Obfuscated Files or Information
Comments
This control may detect usage of VBScript.Encode and base-64 encoding to obfuscate malicious commands and scripts. The following alerts may be generated: "Detected suspicious execution of VBScript.Encode command", "Detected encoded executable in command line data".
References
alerts_for_windows_machines Alerts for Windows Machines detect minimal T1048 Exfiltration Over Alternative Protocol
Comments
This control's detection is specific to a minority of this technique's sub-techniques and procedure examples resulting in a Minimal Coverage score and consequently an overall score of Minimal.
References
alerts_for_windows_machines Alerts for Windows Machines detect minimal T1048.001 Exfiltration Over Symmetric Encrypted Non-C2 Protocol
Comments
This control may detect suspicious use of the Telegram tool for transferring malicious binaries across hosts. The following alerts may be generated: "Detected potentially suspicious use of Telegram tool".
References
alerts_for_windows_machines Alerts for Windows Machines detect minimal T1059 Command and Scripting Interpreter
Comments
This control's detection is specific to a minority of this technique's sub-techniques resulting in a Minimal Coverage score and consequently an overall score of Minimal.
References
alerts_for_windows_machines Alerts for Windows Machines detect minimal T1070 Indicator Removal
Comments
This control's detection is specific to a minority of this technique's sub-techniques and procedure examples resulting in a Minimal Coverage score and consequently an overall score of Minimal.
References
alerts_for_windows_machines Alerts for Windows Machines detect minimal T1082 System Information Discovery
Comments
This control may detect local reconnaissance activity specific to using the systeminfo commands. The following alerts may be generated: "Detected possible local reconnaissance activity".
References
alerts_for_windows_machines Alerts for Windows Machines detect minimal T1136 Create Account
Comments
This control's detection is specific to a minority of this technique's sub-techniques resulting in a Minimal Coverage score and consequently an overall score of Minimal.
References
alerts_for_windows_machines Alerts for Windows Machines detect minimal T1202 Indirect Command Execution
Comments
This control may detect suspicious use of Pcalua.exe to launch executable code. There are other methods of indirect command execution that this control may not detect. The following alerts may be generated: "Detected suspicious use of Pcalua.exe to launch executable code".
References
alerts_for_windows_machines Alerts for Windows Machines detect minimal T1218 System Binary Proxy Execution
Comments
This control's detection is specific to a minority of this technique's sub-techniques resulting in a Minimal Coverage score and consequently an overall score of Minimal.
References
alerts_for_windows_machines Alerts for Windows Machines detect minimal T1222 File and Directory Permissions Modification
Comments
This control provides minimal detection for some of this technique's sub-techniques resulting in an overall score of Minimal.
References
alerts_for_windows_machines Alerts for Windows Machines detect minimal T1222.001 Windows File and Directory Permissions Modification
Comments
This control may detect the usage of cacls.exe to modify file and directory permissions. The following alerts may be generated: "Detected suspicious use of Cacls to lower the security state of the system".
References
alerts_for_windows_machines Alerts for Windows Machines detect minimal T1489 Service Stop
Comments
This control may detect when critical services have been disabled through the usage of specifically net.exe. The following alerts may be generated: "Detected the disabling of critical services".
References
alerts_for_windows_machines Alerts for Windows Machines detect minimal T1543 Create or Modify System Process
Comments
This control's detection is specific to a minority of this technique's sub-techniques resulting in a Minimal Coverage score and consequently an overall score of Minimal.
References
alerts_for_windows_machines Alerts for Windows Machines detect minimal T1546 Event Triggered Execution
Comments
This control's detection is specific to a minority of this technique's sub-techniques resulting in a Minimal Coverage score and consequently an overall score of Minimal.
References
alerts_for_windows_machines Alerts for Windows Machines detect minimal T1547 Boot or Logon Autostart Execution
Comments
This control's detection is specific to a minority of this technique's sub-techniques resulting in a Minimal Coverage score and consequently an overall score of Minimal.
References
alerts_for_windows_machines Alerts for Windows Machines detect minimal T1548 Abuse Elevation Control Mechanism
Comments
The only sub-technique scored (Bypass User Account Control) is the only one relevant to Windows.
References
alerts_for_windows_machines Alerts for Windows Machines detect minimal T1548.002 Bypass User Account Control
Comments
This control may detect when User Account Control is bypassed by manipulating the Windows registry. There may be other methods to Bypass User Account Control which limits the score to Minimal. The following alerts may be generated: "Detected change to a registry key that can be abused to bypass UAC"
References
alerts_for_windows_machines Alerts for Windows Machines detect minimal T1558 Steal or Forge Kerberos Tickets
Comments
This control's detection is specific to a minority of this technique's sub-techniques resulting in a Minimal Coverage score and consequently an overall score of Minimal.
References
alerts_for_windows_machines Alerts for Windows Machines detect minimal T1562 Impair Defenses
Comments
This control's detection is specific to a minority of this technique's sub-techniques resulting in a Minimal Coverage score and consequently an overall score of Minimal.
References
alerts_for_windows_machines Alerts for Windows Machines detect minimal T1564 Hide Artifacts
Comments
This control's detection is specific to a minority of this technique's sub-techniques resulting in a Minimal Coverage score and consequently an overall score of Minimal.
References
alerts_for_windows_machines Alerts for Windows Machines detect partial T1027.008 Stripped Payloads
alerts_for_windows_machines Alerts for Windows Machines detect partial T1027.009 Embedded Payloads
alerts_for_windows_machines Alerts for Windows Machines detect partial T1027.010 Command Obfuscation
alerts_for_windows_machines Alerts for Windows Machines detect partial T1027.013 Encrypted/Encoded File
alerts_for_windows_machines Alerts for Windows Machines detect partial T1027.014 Polymorphic Code
alerts_for_windows_machines Alerts for Windows Machines detect partial T1036.008 Masquerade File Type
Comments
This control can detect if commands are executed that are otherwise non-executable file types.
References
alerts_for_windows_machines Alerts for Windows Machines detect partial T1053.007 Container Orchestration Job
alerts_for_windows_machines Alerts for Windows Machines detect partial T1055 Process Injection
Comments
This control's Fileless Attack Detection covers all relevant sub-techniques. Detection is periodic at an unknown rate.
References
alerts_for_windows_machines Alerts for Windows Machines detect partial T1055.001 Dynamic-link Library Injection
Comments
Injection attacks are specifically cited as a detection focus for Fileless Attack Detection, which is part of this control, with even more specific references to Process Hollowing, executable image injection, and threads started in a dynamically allocated code segment. Detection is periodic at an unknown rate. The following alerts may be generated: "Fileless attack technique detected", "Fileless attack behavior detected", "Fileless attack toolkit detected", "Suspicious SVCHOST process executed".
References
alerts_for_windows_machines Alerts for Windows Machines detect partial T1055.002 Portable Executable Injection
Comments
Injection attacks are specifically cited as a detection focus for Fileless Attack Detection, which is part of this control, with even more specific references to Process Hollowing, executable image injection, and threads started in a dynamically allocated code segment. Detection is periodic at an unknown rate. The following alerts may be generated: "Fileless attack technique detected", "Fileless attack behavior detected", "Fileless attack toolkit detected", "Suspicious SVCHOST process executed".
References
alerts_for_windows_machines Alerts for Windows Machines detect partial T1055.003 Thread Execution Hijacking
Comments
Injection attacks are specifically cited as a detection focus for Fileless Attack Detection, which is part of this control, with even more specific references to Process Hollowing, executable image injection, and threads started in a dynamically allocated code segment. Detection is periodic at an unknown rate. The following alerts may be generated: "Fileless attack technique detected", "Fileless attack behavior detected", "Fileless attack toolkit detected", "Suspicious SVCHOST process executed".
References
alerts_for_windows_machines Alerts for Windows Machines detect partial T1055.004 Asynchronous Procedure Call
Comments
Injection attacks are specifically cited as a detection focus for Fileless Attack Detection, which is part of this control, with even more specific references to Process Hollowing, executable image injection, and threads started in a dynamically allocated code segment. Detection is periodic at an unknown rate. The following alerts may be generated: "Fileless attack technique detected", "Fileless attack behavior detected", "Fileless attack toolkit detected", "Suspicious SVCHOST process executed".
References
alerts_for_windows_machines Alerts for Windows Machines detect partial T1055.005 Thread Local Storage
Comments
Injection attacks are specifically cited as a detection focus for Fileless Attack Detection, which is part of this control, with even more specific references to Process Hollowing, executable image injection, and threads started in a dynamically allocated code segment. Detection is periodic at an unknown rate. The following alerts may be generated: "Fileless attack technique detected", "Fileless attack behavior detected", "Fileless attack toolkit detected", "Suspicious SVCHOST process executed".
References
alerts_for_windows_machines Alerts for Windows Machines detect partial T1055.011 Extra Window Memory Injection
Comments
Injection attacks are specifically cited as a detection focus for Fileless Attack Detection, which is part of this control, with even more specific references to Process Hollowing, executable image injection, and threads started in a dynamically allocated code segment. Detection is periodic at an unknown rate. The following alerts may be generated: "Fileless attack technique detected", "Fileless attack behavior detected", "Fileless attack toolkit detected", "Suspicious SVCHOST process executed".
References
alerts_for_windows_machines Alerts for Windows Machines detect partial T1055.012 Process Hollowing
Comments
Injection attacks are specifically cited as a detection focus for Fileless Attack Detection, which is part of this control, with even more specific references to Process Hollowing, executable image injection, and threads started in a dynamically allocated code segment. Detection is periodic at an unknown rate. The following alerts may be generated: "Fileless attack technique detected", "Fileless attack behavior detected", "Fileless attack toolkit detected", "Suspicious SVCHOST process executed".
References
alerts_for_windows_machines Alerts for Windows Machines detect partial T1055.013 Process Doppelgänging
Comments
Injection attacks are specifically cited as a detection focus for Fileless Attack Detection, which is part of this control, with even more specific references to Process Hollowing, executable image injection, and threads started in a dynamically allocated code segment. Detection is periodic at an unknown rate. The following alerts may be generated: "Fileless attack technique detected", "Fileless attack behavior detected", "Fileless attack toolkit detected", "Suspicious SVCHOST process executed".
References
alerts_for_windows_machines Alerts for Windows Machines detect partial T1059.009 Cloud API
alerts_for_windows_machines Alerts for Windows Machines detect partial T1059.010 AutoHotKey & AutoIT
alerts_for_windows_machines Alerts for Windows Machines detect partial T1059.011 Lua
alerts_for_windows_machines Alerts for Windows Machines detect partial T1068 Exploitation for Privilege Escalation
Comments
This control's Fileless Attack Detection identifies shellcode executing within process memory, including shellcode executed as a payload in the exploitation of a software vulnerability. Detection is periodic at an unknown rate. The following alerts may be generated: "Fileless attack technique detected", "Fileless attack behavior detected", "Fileless attack toolkit detected", "Suspicious SVCHOST process executed".
References
alerts_for_windows_machines Alerts for Windows Machines detect partial T1070.001 Clear Windows Event Logs
Comments
This control may detect when an event log has been cleared or IIS logs have been deleted. The following alerts may be generated: "Detected actions indicative of disabling and deleting IIS log files", "An event log was cleared".
References
alerts_for_windows_machines Alerts for Windows Machines detect partial T1070.004 File Deletion
Comments
This control may detect suspicious file cleanup commands and shadow copy deletion activity. The following alerts may be generated: "Detected suspicious file cleanup commands", "Suspicious Volume Shadow Copy Activity".
References
alerts_for_windows_machines Alerts for Windows Machines detect partial T1070.007 Clear Network Connection History and Configurations
alerts_for_windows_machines Alerts for Windows Machines detect partial T1070.008 Clear Mailbox Data
alerts_for_windows_machines Alerts for Windows Machines detect partial T1070.009 Clear Persistence
alerts_for_windows_machines Alerts for Windows Machines detect partial T1078 Valid Accounts
Comments
This control is able to detect some of this technique's sub-techniques resulting in a Partial Coverage score and consequently an overall score of Partial.
References
alerts_for_windows_machines Alerts for Windows Machines detect partial T1078.001 Default Accounts
Comments
This control may detect suspicious activity from existing Windows accounts and logons from suspicious IP addresses. The following alerts may be generated: "A logon from a malicious IP has been detected", "A logon from a malicious IP has been detected. [seen multiple times]".
References
alerts_for_windows_machines Alerts for Windows Machines detect partial T1078.003 Local Accounts
Comments
This control may detect suspicious activity from existing Windows accounts and logons from suspicious IP addresses. The following alerts may be generated: "A logon from a malicious IP has been detected", "A logon from a malicious IP has been detected. [seen multiple times]".
References
alerts_for_windows_machines Alerts for Windows Machines detect partial T1087 Account Discovery
Comments
This control provides partial detection for some of this technique's sub-techniques and procedure examples resulting in a Partial Coverage score and consequently an overall score of Partial.
References
alerts_for_windows_machines Alerts for Windows Machines detect partial T1087.001 Local Account
Comments
This control may detect when the local administrators group is enumerated or when mulitiple domain accounts are queried. The following alerts may be generated: "Multiple Domain Accounts Queried", "Local Administrators group members were enumerated".
References
alerts_for_windows_machines Alerts for Windows Machines detect partial T1087.002 Domain Account
Comments
This control may detect when the local administrators group is enumerated or when mulitiple domain accounts are queried. The following alerts may be generated: "Multiple Domain Accounts Queried", "Local Administrators group members were enumerated".
References
alerts_for_windows_machines Alerts for Windows Machines detect partial T1105 Ingress Tool Transfer
Comments
This control may detect usage of malware droppers and creation of suspicious files on the host machine. The following alerts may be generated: "Detected possible execution of malware dropper", "Detected suspicious file creation".
References
alerts_for_windows_machines Alerts for Windows Machines detect partial T1110 Brute Force
Comments
This control provides detection for some of this technique's sub-techniques and procedure examples resulting in a Partial Coverage score and consequently an overall score of Partial.
References
alerts_for_windows_machines Alerts for Windows Machines detect partial T1112 Modify Registry
Comments
This control may detect several methods used to modify the registry for purposes of persistence, privilege elevation, and execution. The following alerts may be generated: "Detected change to a registry key that can be abused to bypass UAC", "Detected enabling of the WDigest UseLogonCredential registry key", "Detected suppression of legal notice displayed to users at logon", "Suspicious WindowPosition registry value detected", "Windows registry persistence method detected".
References
alerts_for_windows_machines Alerts for Windows Machines detect partial T1134 Access Token Manipulation
Comments
This control can detect when commands associated with this technique are executed, such as runas.
References
alerts_for_windows_machines Alerts for Windows Machines detect partial T1136.001 Local Account
Comments
This control may detect when an account is created with an account name that closely resembles a standard Windows account or group name. This may be an account created by an attacker to blend into the environment. The following alerts may be generated: "Suspicious Account Creation Detected".
References
alerts_for_windows_machines Alerts for Windows Machines detect partial T1140 Deobfuscate/Decode Files or Information
Comments
This control may detect decoding of suspicious files by certutil.exe and may detect the presence of various encoding schemes to obfuscate malicious scripts and commandline arguments. The following alerts may be generated: "Suspicious download using Certutil detected", "Suspicious download using Certutil detected [seen multiple times]", "Detected decoding of an executable using built-in certutil.exe tool".
References
alerts_for_windows_machines Alerts for Windows Machines detect partial T1189 Drive-by Compromise
Comments
This control's Fileless Attack Detection identifies shellcode executing within process memory, including shellcode executed as a payload in the exploitation of a software vulnerability. Detection is periodic at an unknown rate. The following alerts may be generated: "Fileless attack technique detected", "Fileless attack behavior detected", "Fileless attack toolkit detected", "Suspicious SVCHOST process executed".
References
alerts_for_windows_machines Alerts for Windows Machines detect partial T1190 Exploit Public-Facing Application
Comments
This control's Fileless Attack Detection identifies shellcode executing within process memory, including shellcode executed as a payload in the exploitation of a software vulnerability. Detection is periodic at an unknown rate. The following alerts may be generated: "Fileless attack technique detected", "Fileless attack behavior detected", "Fileless attack toolkit detected", "Suspicious SVCHOST process executed".
References
alerts_for_windows_machines Alerts for Windows Machines detect partial T1203 Exploitation for Client Execution
Comments
This control's Fileless Attack Detection identifies shellcode executing within process memory, including shellcode executed as a payload in the exploitation of a software vulnerability. Detection is periodic at an unknown rate. The following alerts may be generated: "Fileless attack technique detected", "Fileless attack behavior detected", "Fileless attack toolkit detected", "Suspicious SVCHOST process executed".
References
alerts_for_windows_machines Alerts for Windows Machines detect partial T1204 User Execution
Comments
This control provides detection for one of the two sub-techniques of this technique, Malicious File, resulting in a Partial Coverage score and consequently an overall score of Partial.
References
alerts_for_windows_machines Alerts for Windows Machines detect partial T1204.002 Malicious File
Comments
This control may detect the usage of a malware dropper and other indicators of a malicious file being executed by the user. The following alerts may be generated: "Detected possible execution of keygen executable", "Detected possible execution of malware dropper", "Detected suspicious file creation".
References
alerts_for_windows_machines Alerts for Windows Machines detect partial T1204.003 Malicious Image
Comments
This capability can detect when commands are executed that are associated with this technique.
References
alerts_for_windows_machines Alerts for Windows Machines detect partial T1210 Exploitation of Remote Services
Comments
This control's Fileless Attack Detection identifies shellcode executing within process memory, including shellcode executed as a payload in the exploitation of a software vulnerability. Detection is periodic at an unknown rate. The following alerts may be generated: "Fileless attack technique detected", "Fileless attack behavior detected", "Fileless attack toolkit detected", "Suspicious SVCHOST process executed".
References
alerts_for_windows_machines Alerts for Windows Machines detect partial T1211 Exploitation for Defense Evasion
Comments
This control's Fileless Attack Detection identifies shellcode executing within process memory, including shellcode executed as a payload in the exploitation of a software vulnerability. Detection is periodic at an unknown rate. The following alerts may be generated: "Fileless attack technique detected", "Fileless attack behavior detected", "Fileless attack toolkit detected", "Suspicious SVCHOST process executed".
References
alerts_for_windows_machines Alerts for Windows Machines detect partial T1212 Exploitation for Credential Access
Comments
This control's Fileless Attack Detection identifies shellcode executing within process memory, including shellcode executed as a payload in the exploitation of a software vulnerability. Detection is periodic at an unknown rate. The following alerts may be generated: "Fileless attack technique detected", "Fileless attack behavior detected", "Fileless attack toolkit detected", "Suspicious SVCHOST process executed".
References
alerts_for_windows_machines Alerts for Windows Machines detect partial T1218.005 Mshta
Comments
This control may detect suspicious usage of Mshta to execute PowerShell and suspicious Rundll32 execution. The following alerts may be generated: "Detected suspicious execution via rundll32.exe", "Detected suspicious combination of HTA and PowerShell".
References
alerts_for_windows_machines Alerts for Windows Machines detect partial T1218.011 Rundll32
Comments
This control may detect suspicious usage of Mshta to execute PowerShell and suspicious Rundll32 execution. The following alerts may be generated: "Detected suspicious execution via rundll32.exe", "Detected suspicious combination of HTA and PowerShell".
References
alerts_for_windows_machines Alerts for Windows Machines detect partial T1218.013 Mavinject
Comments
This control may detect usage of the argument INJECTRUNNING which is required for mavinject.exe.
References
alerts_for_windows_machines Alerts for Windows Machines detect partial T1218.014 MMC
alerts_for_windows_machines Alerts for Windows Machines detect partial T1218.015 Electron Applications
Comments
This control may detect commands invoking teams.exe or chrome.exe and analyze whether they are being used to execute malicious or abnormal content.
References
alerts_for_windows_machines Alerts for Windows Machines detect partial T1505.004 IIS Components
Comments
This control can detect when commands associated with installing IIS web servers are executed, such as AppCmd.exe.
References
alerts_for_windows_machines Alerts for Windows Machines detect partial T1505.005 Terminal Services DLL
Comments
This control can detect when commands associated with this technique are executed, such as reg.exe.
References
alerts_for_windows_machines Alerts for Windows Machines detect partial T1543.003 Windows Service
Comments
This control may detect when the tscon.exe binary is installed as a service to exploit RDP sessions or when a rare service group is executed under SVCHOST. The following alerts may be generated: "Suspect service installation".
References
alerts_for_windows_machines Alerts for Windows Machines detect partial T1543.005 Container Service
Comments
This control can detect when commands associated with container services are executed, such as docker or podman.
References
alerts_for_windows_machines Alerts for Windows Machines detect partial T1546.002 Screensaver
Comments
This control may detect when a suspicious screensaver process is executed, based on the location of the .scr file. Because this detection is based solely on the location of the file, it has been scored as Partial. The following alerts may be generated: "Suspicious Screensaver process executed".
References
alerts_for_windows_machines Alerts for Windows Machines detect partial T1546.008 Accessibility Features
Comments
This control may detect when the binary for the sticky keys utility has been replaced, possibly to gain persistence or execution. The following alerts may be generated: "Sticky keys attack detected".
References
alerts_for_windows_machines Alerts for Windows Machines detect partial T1547.001 Registry Run Keys / Startup Folder
Comments
This control may detect when the Registry is leveraged to gain persistence. The following alerts may be generated: "Windows registry persistence method detected".
References
alerts_for_windows_machines Alerts for Windows Machines detect partial T1552.001 Credentials In Files
Comments
This control can detect when commands associated with searching for passwords are executed.
References
alerts_for_windows_machines Alerts for Windows Machines detect partial T1553.006 Code Signing Policy Modification
Comments
This control can be used to monitor for the execution of commands that could modify the code signing policy of a system, such as bcdedit.exe -set TESTSIGNING ON.
References
alerts_for_windows_machines Alerts for Windows Machines detect partial T1555.003 Credentials from Web Browsers
alerts_for_windows_machines Alerts for Windows Machines detect partial T1555.004 Windows Credential Manager
alerts_for_windows_machines Alerts for Windows Machines detect partial T1555.005 Password Managers
alerts_for_windows_machines Alerts for Windows Machines detect partial T1556.005 Reversible Encryption
Comments
This control can monitor for command execution related to reversible encryption such as -AllowReversiblePasswordEncryption $true.
References
alerts_for_windows_machines Alerts for Windows Machines detect partial T1558.001 Golden Ticket
Comments
This control may detect commandline parameters consistent with a Kerberos Golden Ticket attack. The following alerts may be generated: "Suspected Kerberos Golden Ticket attack parameters observed".
References
alerts_for_windows_machines Alerts for Windows Machines detect partial T1562.001 Disable or Modify Tools
Comments
This control may detect when critical services have been disabled, such as Windows Security Center. This control may also detect when IIS logging has been disabled. The following alerts may be generated: "Detected the disabling of critical services", "Detected actions indicative of disabling and deleting IIS log files".
References
alerts_for_windows_machines Alerts for Windows Machines detect partial T1562.004 Disable or Modify System Firewall
Comments
This control may detect modification of the Windows firewall through use of netsh.exe or using a method that matches a known threat actor. The following alerts may be generated: "Malicious firewall rule created by ZINC server implant [seen multiple times]", "Detected suspicious new firewall rule".
References
alerts_for_windows_machines Alerts for Windows Machines detect partial T1562.009 Safe Mode Boot
Comments
This control may detect executed commands indicative of changes to boot settings such as bcdedit.exe and bootcfg.exe
References
alerts_for_windows_machines Alerts for Windows Machines detect partial T1562.010 Downgrade Attack
Comments
This control may detect executed commands indicative of indicative of attempts to abuse older or deprecated technologies (ex: powershell –v 2).
References
alerts_for_windows_machines Alerts for Windows Machines detect partial T1563 Remote Service Session Hijacking
Comments
This control provides partial detection for some of this technique's sub-techniques resulting in a Partial Coverage score and consequently an overall score of Partial.
References
alerts_for_windows_machines Alerts for Windows Machines detect partial T1563.002 RDP Hijacking
Comments
This control may detect RDP hijacking through use of the tscon.exe binary. The following alerts may be generated: "Suspect integrity level indicative of RDP hijacking", "Suspect service installation".
References
alerts_for_windows_machines Alerts for Windows Machines detect partial T1564.003 Hidden Window
Comments
This control may detect usage of the WindowPosition Registry value to hide application windows in non-visible sections of the desktop. The following alerts may be generated: "Suspicious WindowPosition registry value detected".
References
alerts_for_windows_machines Alerts for Windows Machines detect partial T1564.008 Email Hiding Rules
Comments
This control can detect when commands are run on VMs that can indicate creation or modification of email rules such as New-InboxRule, Set-InboxRule, New-TransportRule, and Set-TransportRule.
References
alerts_for_windows_machines Alerts for Windows Machines detect partial T1564.009 Resource Forking
alerts_for_windows_machines Alerts for Windows Machines detect partial T1564.011 Ignore Process Interrupts
Comments
This control can detect when commands are run related to process interrupts such as nohup.
References
alerts_for_windows_machines Alerts for Windows Machines detect partial T1567.004 Exfiltration Over Webhook
alerts_for_windows_machines Alerts for Windows Machines detect partial T1574.013 KernelCallbackTable
Comments
This control can detect windows API calls on VMs indicative of Hijacking Execution Flow via KernelCallBack table such as WriteProcessMemory() and NtQueryInformationProcess().
References
alerts_for_windows_machines Alerts for Windows Machines detect partial T1612 Build Image on Host
alerts_for_windows_machines Alerts for Windows Machines detect partial T1614 System Location Discovery
Comments
This capability can detect if commands associated with this technique such as GetLocaleInfoW are executed.
References
alerts_for_windows_machines Alerts for Windows Machines detect partial T1614.001 System Language Discovery
alerts_for_windows_machines Alerts for Windows Machines detect partial T1622 Debugger Evasion
alerts_for_windows_machines Alerts for Windows Machines detect partial T1652 Device Driver Discovery
alerts_for_windows_machines Alerts for Windows Machines detect partial T1654 Log Enumeration
Comments
This capability can detect if commands associated with log enumeration (such as wevutil.exe on Windows and CollectGuestLogs.exe on Azure hosted VMs) are executed.
References
alerts_for_windows_machines Alerts for Windows Machines detect significant T1059.001 PowerShell
Comments
This control may detect suspicious usage of PowerShell and the Windows command line. These detections include usage of suspicious arguments, dynamic script construction, and shellcode on the commandline. The following alerts may be generated: "Detected anomalous mix of upper and lower case characters in command-line", "Detected encoded executable in command line data", "Detected obfuscated command line", "Detected suspicious combination of HTA and PowerShell", "Detected suspicious commandline arguments", "Detected suspicious commandline used to start all executables in a directory", "Detected suspicious credentials in commandline", "Dynamic PS script construction", "Suspicious PowerShell Activity Detected", "Suspicious PowerShell cmdlets executed", "Suspicious command execution".
References
alerts_for_windows_machines Alerts for Windows Machines detect significant T1059.003 Windows Command Shell
Comments
This control may detect suspicious usage of PowerShell and the Windows command line. These detections include usage of suspicious arguments, dynamic script construction, and shellcode on the commandline. The following alerts may be generated: "Detected anomalous mix of upper and lower case characters in command-line", "Detected encoded executable in command line data", "Detected obfuscated command line", "Detected suspicious combination of HTA and PowerShell", "Detected suspicious commandline arguments", "Detected suspicious commandline used to start all executables in a directory", "Detected suspicious credentials in commandline", "Dynamic PS script construction", "Suspicious PowerShell Activity Detected", "Suspicious PowerShell cmdlets executed", "Suspicious command execution".
References
alerts_for_windows_machines Alerts for Windows Machines detect significant T1110.001 Password Guessing
Comments
This control may detect successful and failed brute force attempts with logic that factors the IP, time between attempts, and other suspicious activity. The following alerts may be generated: "A logon from a malicious IP has been detected", "A logon from a malicious IP has been detected. [seen multiple times]", "Successful brute force attack", "Suspicious authentication activity".
References
alerts_for_windows_machines Alerts for Windows Machines detect significant T1110.003 Password Spraying
Comments
This control may detect successful and failed brute force attempts with logic that factors the IP, time between attempts, and other suspicious activity. The following alerts may be generated: "A logon from a malicious IP has been detected", "A logon from a malicious IP has been detected. [seen multiple times]", "Successful brute force attack", "Suspicious authentication activity".
References
alerts_for_windows_machines Alerts for Windows Machines detect significant T1110.004 Credential Stuffing
Comments
This control may detect successful and failed brute force attempts with logic that factors the IP, time between attempts, and other suspicious activity. The following alerts may be generated: "A logon from a malicious IP has been detected", "A logon from a malicious IP has been detected. [seen multiple times]", "Successful brute force attack", "Suspicious authentication activity".
References
azure_backup Azure Backup respond partial T1561.002 Disk Structure Wipe
Comments
Allows for recovery of disk content, though Disk structure wipes require additional procedures for recovery.
References
azure_backup Azure Backup respond significant T1485 Data Destruction
Comments
Data backups provide a significant response to data destruction by enabling the restoration of data from backup.
References
azure_backup Azure Backup respond significant T1485.001 Lifecycle-Triggered Deletion
Comments
Data backups provide a significant response to data destruction by enabling the restoration of data from backup.
References
azure_backup Azure Backup respond significant T1486 Data Encrypted for Impact
Comments
Data backups provide a significant response to data encryption/ransomware by enabling the restoration of data from backup.
References
azure_backup Azure Backup respond significant T1491 Defacement
Comments
Data backups provide a significant response to data defacement attacks by enabling the restoration of data from backup.
References
azure_backup Azure Backup respond significant T1491.001 Internal Defacement
Comments
Data backups provide a significant response to external or internal data defacement attacks by enabling the restoration of data from backup.
References
azure_backup Azure Backup respond significant T1491.002 External Defacement
Comments
Data backups provide a significant response to external or internal data defacement attacks by enabling the restoration of data from backup.
References
azure_backup Azure Backup respond significant T1561 Disk Wipe
Comments
Data backups provide a significant response to disk wipe attacks by enabling the restoration of data from backup.
References
azure_backup Azure Backup respond significant T1561.001 Disk Content Wipe
Comments
Data backups provide a significant response to disk content wipe attacks by enabling the restoration of data from backup.
References
azure_ddos_protection Azure DDoS Protection protect significant T1498 Network Denial of Service
Comments
Designed to address multiple DDOS techniques including volumetric attacks.
References
azure_ddos_protection Azure DDoS Protection protect significant T1498.001 Direct Network Flood
Comments
This control can protect against network denial of service attacks.
References
azure_ddos_protection Azure DDoS Protection protect significant T1498.002 Reflection Amplification
Comments
This control can protect against network denial of service attacks.
References
azure_ddos_protection Azure DDoS Protection protect significant T1499 Endpoint Denial of Service
Comments
Protects against volumetric and protocol DOS, though not application.
References
azure_ddos_protection Azure DDoS Protection protect significant T1499.001 OS Exhaustion Flood
Comments
This control can protect against endpoint denial of service attacks.
References
azure_ddos_protection Azure DDoS Protection protect significant T1499.002 Service Exhaustion Flood
Comments
This control can protect against endpoint denial of service attacks.
References
azure_ddos_protection Azure DDoS Protection protect significant T1499.003 Application Exhaustion Flood
Comments
This control can protect against endpoint denial of service attacks.
References
azure_dedicated_hsm Azure Dedicated HSM protect minimal T1552 Unsecured Credentials
Comments
This control's protection is specific to a minority of this technique's sub-techniques and procedure examples resulting in a Minimal Coverage score and consequently an overall score of Minimal.
References
azure_dedicated_hsm Azure Dedicated HSM protect partial T1553 Subvert Trust Controls
Comments
Provides protection against sub-techniques involved with stealing credentials / certificates / keys from the organization.
References
azure_dedicated_hsm Azure Dedicated HSM protect partial T1553.002 Code Signing
Comments
Certificate credentials can be vaulted in an HSM thereby reducing its attack surface.
References
azure_dedicated_hsm Azure Dedicated HSM protect partial T1553.004 Install Root Certificate
Comments
Certificate credentials can be vaulted in an HSM thereby reducing its attack surface.
References
azure_dedicated_hsm Azure Dedicated HSM protect partial T1588 Obtain Capabilities
Comments
Provides protection against sub-techniques involved with stealing credentials / certificates / keys from the organization.
References