Microsoft Azure is a widely used cloud computing platform provided by Microsoft. Azure offers a range of security capabilities to protect cloud data, applications, and infrastructure from threats. These mappings connect Azure security capabilities to adversary behaviors in MITRE ATT&CK®, providing Azure users with a comprehensive view of how native Azure security capabilities can be used to prevent, detect, and respond to prevalent cloud threats. As a result, Azure users can evaluate the effectiveness of native security controls against specific ATT&CK techniques and take a threat-informed approach to understand, prioritize, and mitigate adversary behaviors that are most important for their environment.
Azure Versions: 04.26.2025, 06.29.2021 ATT&CK Versions: 16.1, 8.2 ATT&CK Domain: Enterprise
This is a very large mapping. To reduce the size, we have only downloaded the first 550 of 972 mappings. Load all data (2.0 MB)
Capability ID | Capability Description | Category | Value | ATT&CK ID | ATT&CK Name | Notes |
---|---|---|---|---|---|---|
microsoft_sentinel | Microsoft Sentinel | detect | minimal | T1036 | Masquerading |
Comments
This control provides minimal to partial coverage of a minority of this technique's sub-techniques and a minority of its procedure examples, resulting in an overall score of Minimal.
References
|
microsoft_sentinel | Microsoft Sentinel | detect | minimal | T1003 | OS Credential Dumping |
Comments
This control can identify one of this technique's sub-techniques when executed via "Powershell Empire cmdlets seen in command line", but does not address other procedures.
References
|
microsoft_sentinel | Microsoft Sentinel | detect | minimal | T1003.001 | LSASS Memory |
Comments
The Microsoft Sentinel Analytics "Powershell Empire cmdlets seen in command line" query can detect the use of Empire, which contains an implementation of Mimikatz to gather credentials from memory, but does not address other procedures.
References
|
microsoft_sentinel | Microsoft Sentinel | detect | minimal | T1016 | System Network Configuration Discovery |
Comments
The Microsoft Sentinel Analytics "Powershell Empire cmdlets seen in command line" query can detect the use of Empire, which can acquire network configuration information including DNS servers and network proxies used by a host, but does not address other procedures.
References
|
microsoft_sentinel | Microsoft Sentinel | detect | minimal | T1016.001 | Internet Connection Discovery |
Comments
Microsoft Sentinel's ability to detect entities scanning the network configuration also covers the scanning of internet connections, providing a detection mechanism against this technique.
References
|
microsoft_sentinel | Microsoft Sentinel | detect | minimal | T1018 | Remote System Discovery |
Comments
The Microsoft Sentinel Hunting "High reverse DNS count by host" and "Squid malformed requests" queries can indicate potentially malicious reconnaissance aimed at detecting network layout and the presence of network security devices.
The Microsoft Sentinel Analytics "Several deny actions registered" query can identify patterns in Azure Firewall incidents, potentially indicating that an adversary is scanning resources on the network, at a default frequency of once per hour. Note that detection only occurs if the firewall prevents the scanning. The Microsoft Sentinel Analytics "Rare client observed with high reverse DNS lookup count" query can detect when a particular IP address performs an unusually high number of reverse DNS lookups and has not been observed doing so previously. The coverage for these queries is minimal resulting in an overall Minimal score.
References
|
microsoft_sentinel | Microsoft Sentinel | detect | minimal | T1021 | Remote Services |
Comments
This control provides minimal to partial coverage for some of this technique's sub-techniques, resulting in an overall score of Minimal.
References
|
microsoft_sentinel | Microsoft Sentinel | detect | partial | T1021.001 | Remote Desktop Protocol |
Comments
The Microsoft Sentinel Hunting "anomalous RDP Activity" query can detect potential lateral
movement employing RDP.
The following Microsoft Sentinel Analytics queries can identify potentially malicious use
of RDP:
"Anomalous RDP Login Detections", "Multiple RDP connections from Single Systems",
"Rare RDP Connections", and "RDP Nesting".
References
|
microsoft_sentinel | Microsoft Sentinel | detect | minimal | T1021.002 | SMB/Windows Admin Shares |
Comments
The Microsoft Sentinel Hunting "Anomalous Resource Access" query can identify potential lateral movement via use of valid accounts to access network shares (Windows Event 4624:3).
References
|
microsoft_sentinel | Microsoft Sentinel | detect | minimal | T1021.003 | Distributed Component Object Model |
Comments
The Microsoft Sentinel Analytics "Powershell Empire cmdlets seen in command line" query can detect the use of Empire, which can utilize Invoke-DCOM to leverage remote COM execution for lateral movement, but does not address other procedures.
References
|
microsoft_sentinel | Microsoft Sentinel | detect | minimal | T1021.004 | SSH |
Comments
The Microsoft Sentinel Analytics "Powershell Empire cmdlets seen in command line" query can detect the use of Empire, which contains modules for executing commands over SSH as well as in-memory VNC agent injection, but does not address other procedures. Microsoft Sentinel Analytics also provides a "New internet-exposed SSH endpoints" query.
The coverage for these queries is minimal resulting in an overall Minimal score.
References
|
microsoft_sentinel | Microsoft Sentinel | detect | minimal | T1027 | Obfuscated Files or Information |
Comments
The Microsoft Sentinel Analytics "Powershell Empire cmdlets seen in command line" query can detect the use of Empire, which can obfuscate commands using Invoke-Obfuscation, but does not address other procedures.
References
|
microsoft_sentinel | Microsoft Sentinel | detect | minimal | T1036.004 | Masquerade Task or Service |
Comments
The Microsoft Sentinel Hunting "Exes with double file extension and access summary" can identify malicious executable files that have been hidden as other file types.
References
|
microsoft_sentinel | Microsoft Sentinel | detect | partial | T1036.005 | Match Legitimate Name or Location |
Comments
The Microsoft Sentinel Hunting "Masquerading Files" and "Rare Process Path" queries can detect an adversary attempting to make malicious activity blend in with legitimate commands and files. The Microsoft Sentinel Hunting "Azure DevOps Display Name Changes" query can detect potentially maliicous changes to the DevOps user display name.
References
|
microsoft_sentinel | Microsoft Sentinel | detect | minimal | T1040 | Network Sniffing |
Comments
The Microsoft Sentinel Analytics "Powershell Empire cmdlets seen in command line" query can detect the use of Empire, which can be used to conduct packet capture on target hosts, but does not address other procedures.
References
|
microsoft_sentinel | Microsoft Sentinel | detect | minimal | T1041 | Exfiltration Over C2 Channel |
Comments
The Microsoft Sentinel Analytics "Powershell Empire cmdlets seen in command line" query can detect the use of Empire, which can send data gathered from a target through a command and control channel, but does not address other procedures.
References
|
microsoft_sentinel | Microsoft Sentinel | detect | partial | T1046 | Network Service Discovery |
Comments
The Microsoft Sentinel Analytics "High count of connections by client IP on many ports" query can detect when a given client IP has 30 or more ports used within a 10 minute window, which may indicate malicious scanning. The Microsoft Sentinel Analytics "Powershell Empire cmdlets seen in command line" query can detect scanning via Empire, but does not address other procedures.
References
|
microsoft_sentinel | Microsoft Sentinel | detect | minimal | T1047 | Windows Management Instrumentation |
Comments
The Microsoft Sentinel Analytics "Gain Code Execution on ADFS Server via Remote WMI Execution" query can detect use of Windows Managemement Instrumentation on ADFS servers. The Microsoft Sentinel Analytics "Powershell Empire cmdlets seen in command line" query can detect WMI use via Empire, but does not address other procedures.
The coverage for these queries is minimal (specific to ADFS and Empire) resulting in an overall Minimal score.
References
|
microsoft_sentinel | Microsoft Sentinel | detect | minimal | T1048 | Exfiltration Over Alternative Protocol |
Comments
This control provides minimal coverage for a minority of this technique's sub-techniques and does not cover all procedure examples, resulting in an overall score of Minimal.
References
|
microsoft_sentinel | Microsoft Sentinel | detect | minimal | T1048.003 | Exfiltration Over Unencrypted Non-C2 Protocol |
Comments
The following Microsoft Sentinel Hunting queries can identify potential exfiltration: "Abnormally long DNS URI queries" can identify potential exfiltration via DNS. "Multiple users email forwarded to same destination" and "Office Mail Forwarding - Hunting Version" can detect potential exfiltration via email.
The Microsoft Sentinel Analytics "Multiple users email forwarded to same destination" query can detect potential exfiltration via email. The coverage for these queries is minimal resulting in an overall Minimal score.
References
|
microsoft_sentinel | Microsoft Sentinel | detect | minimal | T1049 | System Network Connections Discovery |
Comments
The Microsoft Sentinel Analytics "Powershell Empire cmdlets seen in command line" query can detect the use of Empire, which can enumerate the current network connections of a host, but does not address other procedures.
References
|
microsoft_sentinel | Microsoft Sentinel | detect | minimal | T1053 | Scheduled Task/Job |
Comments
This control provides minimal to partial coverage of a minority of this technique's sub-techniques, resulting in an overall score of Minimal.
References
|
microsoft_sentinel | Microsoft Sentinel | detect | partial | T1053.003 | Cron |
Comments
The Microsoft Sentinel Hunting "Editing Linux scheduled tasks through Crontab" query can detect potentially malicious modification of cron jobs.
References
|
microsoft_sentinel | Microsoft Sentinel | detect | minimal | T1053.005 | Scheduled Task |
Comments
The Microsoft Sentinel Analytics "Powershell Empire cmdlets seen in command line" query can detect the use of Empire, which can interact with the Windows task scheduler, but does not address other procedures.
References
|
microsoft_sentinel | Microsoft Sentinel | detect | minimal | T1055 | Process Injection |
Comments
The Microsoft Sentinel Analytics "Powershell Empire cmdlets seen in command line" query can detect the use of Empire, which contains multiple modules for injecting into processes, but does not address other procedures.
References
|
microsoft_sentinel | Microsoft Sentinel | detect | minimal | T1056 | Input Capture |
Comments
This control can identify two of this technique's sub-techniques when executed via "Powershell Empire cmdlets seen in command line", but does not address other procedures.
References
|
microsoft_sentinel | Microsoft Sentinel | detect | minimal | T1056.001 | Keylogging |
Comments
The Microsoft Sentinel Analytics "Powershell Empire cmdlets seen in command line" query can detect the use of Empire, which includes keylogging capabilities for both Windows and Linux and contains modules that leverage API hooking to carry out tasks, but does not address other procedures.
References
|
microsoft_sentinel | Microsoft Sentinel | detect | minimal | T1056.004 | Credential API Hooking |
Comments
The Microsoft Sentinel Analytics "Powershell Empire cmdlets seen in command line" query can detect the use of Empire, which includes keylogging capabilities for both Windows and Linux and contains modules that leverage API hooking to carry out tasks, but does not address other procedures.
References
|
microsoft_sentinel | Microsoft Sentinel | detect | minimal | T1057 | Process Discovery |
Comments
The Microsoft Sentinel Analytics "Powershell Empire cmdlets seen in command line" query can detect the use of Empire, which can find information about processes running on local and remote systems, but does not address other procedures.
References
|
microsoft_sentinel | Microsoft Sentinel | detect | minimal | T1059 | Command and Scripting Interpreter |
Comments
This control provides minimal coverage for most of this technique's sub-techniques, along with additional mappings for its procedure examples, resulting in an overall score of Minimal.
The following Microsoft Sentinel Hunting queries can identify potentially malicious use of command and scripting interpreters that does not map directly to one/more sub-techniques: "Anomalous Code Execution" can identifyanomalous runCommand operations on virtual machines, "Azure CloudShell Usage" can identify potentially malicious use of CloudShell, "New processes observed in last 24 hours", "Rare processes run by Service accounts", and "Rare Custom Script Extension" can identify execution outliers that may suggest misuse.
The following Microsoft Sentinel Analytics queries can identify potentially malicious use of command and scripting interpreters that does not map directly to one/more sub-techniques: "New CloudShell User" can identify potentially malicious use of CloudShell, "Rare and Potentially high-risk Office operations" can identify specific rare mailbox-related ccount and permission changes via execution.
References
|
microsoft_sentinel | Microsoft Sentinel | detect | minimal | T1059.001 | PowerShell |
Comments
The Microsoft Sentinel Analytics "Powershell Empire cmdlets seen in command line" query can identify use of Empire, which leverages PowerShell for the majority of its client-side agent tasks and can conduct PowerShell remoting. The coverage for these queries is minimal (specific to Empire) resulting in an overall Minimal score.
References
|
microsoft_sentinel | Microsoft Sentinel | detect | minimal | T1059.003 | Windows Command Shell |
Comments
The Microsoft Sentinel Hunting "Cscript script daily summary breakdown" can detect potentially malicious scripting. The Microsoft Sentinel Hunting "Hosts running a rare process with commandline" query can identify uncommon command shell usage that may be malicious.
The Microsoft Sentinel Analytics "Powershell Empire cmdlets seen in command line" query can identify use of Empire, which has modules for executing Windows Command Shell scripts. The Microsoft Sentinel Analytics "Base64 encoded Windows process command-lines" query can identify Base64 encoded PE files being launched via the command line.
References
|
microsoft_sentinel | Microsoft Sentinel | detect | minimal | T1059.004 | Unix Shell |
Comments
The Microsoft Sentinel Hunting "Rare process running on a Linux host" query can identify uncommon shell usage that may be malicious.
References
|
microsoft_sentinel | Microsoft Sentinel | detect | minimal | T1059.005 | Visual Basic |
Comments
The Microsoft Sentinel Hunting "Cscript script daily summary breakdown" can detect potentially malicious scripting. The Microsoft Sentinel Hunting "Hosts running a rare process with commandline" query can identify uncommon command shell usage that may be malicious.
References
|
microsoft_sentinel | Microsoft Sentinel | detect | minimal | T1059.006 | Python |
Comments
The Microsoft Sentinel Hunting "Cscript script daily summary breakdown" can detect potentially malicious scripting. The Microsoft Sentinel Hunting "Hosts running a rare process with commandline" query can identify uncommon command shell usage that may be malicious.
References
|
microsoft_sentinel | Microsoft Sentinel | detect | minimal | T1059.007 | JavaScript |
Comments
The Microsoft Sentinel Hunting "Cscript script daily summary breakdown" can detect potentially malicious scripting. The Microsoft Sentinel Hunting "Hosts running a rare process with commandline" query can identify uncommon command shell usage that may be malicious.
References
|
microsoft_sentinel | Microsoft Sentinel | detect | minimal | T1068 | Exploitation for Privilege Escalation |
Comments
The Microsoft Sentinel Analytics "Powershell Empire cmdlets seen in command line" query can detect the use of Empire, which can exploit known system vulnerabilities, but does not explicitly address other procedures.
References
|
microsoft_sentinel | Microsoft Sentinel | detect | minimal | T1069 | Permission Groups Discovery |
Comments
This control provides minimal coverage for one of this technique's sub-techniques and only minimal coverage for its procedure examples, resulting in an overall score of Minimal.
References
|
microsoft_sentinel | Microsoft Sentinel | detect | minimal | T1069.001 | Local Groups |
Comments
The Microsoft Sentinel Hunting "Enumeration of users and groups" query can identify potentially malicious group discovery through the use of the net tool.
References
|
microsoft_sentinel | Microsoft Sentinel | detect | minimal | T1069.002 | Domain Groups |
Comments
The Microsoft Sentinel Hunting "Enumeration of users and groups" query can identify potentially malicious group discovery through the use of the net tool.
References
|
microsoft_sentinel | Microsoft Sentinel | detect | minimal | T1070 | Indicator Removal |
Comments
This control provides specific minimal coverage for two of this technique's sub-techniques, without additional coverage of its procedure examples, resulting in an overall score of Minimal.
The Microsoft Sentinel Analytics "Azure DevOps Agent Pool Created Then Deleted" query can detect specific suspicious activity for DevOps Agent Pool. This is close to this technique's File Deletion sub-technique, but not a complete match.
References
|
microsoft_sentinel | Microsoft Sentinel | detect | minimal | T1070.001 | Clear Windows Event Logs |
Comments
The Microsoft Sentinel Hunting "Security Event Log Cleared" query can detect clearing of the security event logs, though not necessarily clearing of any arbitrary Windows event logs.
References
|
microsoft_sentinel | Microsoft Sentinel | detect | minimal | T1070.006 | Timestomp |
Comments
The Microsoft Sentinel Hunting "Windows System Time changed on hosts" query can detect potential timestomping activities.
The Microsoft Sentinel Analytics "Powershell Empire cmdlets seen in command line" query can identify use of Empire, which can timestomp files and/or payloads on a target machine to help them blend in.
References
|
microsoft_sentinel | Microsoft Sentinel | detect | minimal | T1071 | Application Layer Protocol |
Comments
The Microsoft Sentinel Analytics "Malformed user agent" query can detect potential C2 or C2 agent activity.
This control provides minimal to partial coverage for a minority of this technique's sub-techniques and only some of its procedure examples, resulting in an overall score of Minimal.
References
|
microsoft_sentinel | Microsoft Sentinel | detect | minimal | T1071.001 | Web Protocols |
Comments
The following Microsoft Sentinel Analytics queries can identify potentially malicious use of web protocols: "Powershell Empire cmdlets seen in command line" can identify use of Empire, which can perform command and control over protocols like HTTP and HTTPS. "Request for single resource on domain" can identify patterns that suggest possible command and control beaconing. The coverage for these queries is minimal resulting in an overall Minimal score.
References
|
microsoft_sentinel | Microsoft Sentinel | detect | partial | T1071.004 | DNS |
Comments
The following Microsoft Sentinel Hunting queries can identify potentially malicious use of DNS: "RareDNSLookupWithDataTransfer" [sic] can identify data transfer over DNS, though it is contingent on DNS traffic meeting the requirements to be considered rare. "Abnormally Long DNS URI queries" can identify suspicious DNS queries that may be indicative of command and control operations. "DNS - domain anomalous lookup increase", "DNS Full Name anomalous lookup increase", and "DNS lookups for commonly abused TLDs" can identify increases in domain lookups for a client IP and indicate malicious traffic or exfiltration of sensitive data.
References
|
microsoft_sentinel | Microsoft Sentinel | detect | minimal | T1074 | Data Staged | |
microsoft_sentinel | Microsoft Sentinel | detect | minimal | T1074.001 | Local Data Staging |
Comments
The Microsoft Sentinel Analytics "Malware in the recycle bin" query can detect local hidden malware.
References
|
microsoft_sentinel | Microsoft Sentinel | detect | partial | T1078 | Valid Accounts |
Comments
This control provides partial coverage for all of this technique's sub-techniques and a number of its procedures, resulting in an overall score of Partial.
References
|
microsoft_sentinel | Microsoft Sentinel | detect | minimal | T1078.001 | Default Accounts |
Comments
The Microsoft Sentinel Hunting "Rare processes run by Service accounts" query can identify potential misuse of default accounts. Because this detection is specific to rare processes its coverage score is Minimal resulting in a Minimal score.
References
|
microsoft_sentinel | Microsoft Sentinel | detect | partial | T1078.002 | Domain Accounts |
Comments
The following Microsoft Sentinel Hunting queries can identify potential compromise of domain accounts based on access attempts and/or account usage: "Suspicious Windows Login outside normal hours", "User account added or removed from security group by an unauthorized user", "User Account added to Built in Domain Local or Global Group", "User Login IP Address Teleportation", "User made Owner of multiple teams", "Tracking Privileged Account Rare Activity", "New Admin account activity which was not seen historically", "New client running queries", "New users running queries", "Non-owner mailbox login activity", "Powershell or non-browser mailbox login activity", "Rare User Agent strings", "Same IP address with multiple csUserAgent" which may indicate that an account is being used from a new device, "Rare domains seen in Cloud Logs" when accounts from uncommon domains access or attempt to access cloud resources, "Same User - Successful logon for a given App and failure on another App within 1m and low distribution", "Hosts with new logons", "Inactive or new account signins", "Long lookback User Account Created and Deleted within 10mins", "Anomalous Geo Location Logon", and "Anomalous Sign-in Activity".
The following Microsoft Sentinel Analytics queries can identify potential compromise of domain accounts based on access attempts and/or account usage: "Anomalous User Agent connection attempt", "New UserAgent observed in last 24 hours" which may indicate that an account is being used from a new device, "Anomalous sign-in location by user account and authenticating application", "Anomalous login followed by Teams action", "GitHub Signin Burst from Multiple Locations", "Sign-ins from IPs that attempt sign-ins to disabled accounts", "Failed Host logons but success logon to AzureAD", and "Anomalous RDP Login Detections".
References
|
microsoft_sentinel | Microsoft Sentinel | detect | partial | T1078.003 | Local Accounts |
Comments
The following Microsoft Sentinel Hunting queries can identify potential compromise of local accounts based on access attempts and/or account usage: "Suspicious Windows Login outside normal hours", "User Login IP Address Teleportation", "User account added or removed from a security group by an unauthorized user", "User Account added to Built in Domain Local or Global Group", "User added to SQL Server SecurityAdmin Group", "User Role altered on SQL Server", "User made Owner of multiple teams", "Tracking Privileged Account Rare Activity", and "Anomalous Login to Devices".
The following Microsoft Sentinel Analytics queries can identify potential compromise of local accounts based on access attempts and/or account usage: "User account enabled and disabled within 10 mins", "Long lookback User Account Created and Deleted within 10mins", "Explicit MFA Deny", "Hosts with new logons", "Inactive or new account signins", "Anomalous SSH Login Detection", and "Anomalous RDP Login Detections".
References
|
microsoft_sentinel | Microsoft Sentinel | detect | partial | T1078.004 | Cloud Accounts |
Comments
The following Microsoft Sentinel Hunting queries can identify potential compromise of cloud accounts: "New Admin account activity which was not seen historically", "New client running queries", "New users running queries", "User returning more data than daily average", "User Login IP Address Teleportation", "Non-owner mailbox login activity", "Powershell or non-browser mailbox login activity", "Rare User Agent strings" and "Same IP address with multiple csUserAgent" which may indicate that an account is being used from a new device, "Rare domains seen in Cloud Logs", "Same User - Successful logon for a given App and failure on another App within 1m and low distribution", "Anomalous Azure Active Directory Apps based on authentication location", "Anomalous Geo Location Logon", "Anomalous Sign-in Activity", "Azure Active Directory sign-in burst from multiple locations", and "Azure Active Directory signins from new locations".
The following Microsoft Sentinel Analytics queries can identify potential compromise of cloud accounts: "Anomalous User Agent connection attempt" and "New UserAgent observed in last 24 hours", which may indicate that an account is being used from a new device which may belong to an adversary; "Anomalous sign-in location by user account and authenticating application", "GitHub Signin Burst from Multiple Locations", "GitHub Activites from a New Country", and "Sign-ins from IPs that attempt sign-ins to disabled accounts", which may indicate adversary access from atypical locations; "Azure Active Directory PowerShell accessing non-AAD resources", "Anomalous login followed by Teams action", "Login to AWS management console without MFA", and "Azure Active Directory PowerShell accessing non-AAD resources" which may indicate an adversary attempting to use a valid account to access resources from other contexts. The "Correlate Unfamiliar sign-in properties" query can further enhance detection of anomalous activity.
References
|
microsoft_sentinel | Microsoft Sentinel | detect | minimal | T1080 | Taint Shared Content |
Comments
The Microsoft Sentinel Analytics "Potential Build Process Compromise" query can detect when source code files have been modified immediately after the build process has started. The Microsoft Sentinel Analytics "ADO Build Variable Modified by New User" query may indicate malicious modification to the build process to taint shared content.
The coverage for these queries is minimal (specific to Azure DevOps) resulting in an overall Minimal score.
References
|
microsoft_sentinel | Microsoft Sentinel | detect | minimal | T1082 | System Information Discovery |
Comments
The Microsoft Sentinel Analytics "Powershell Empire cmdlets seen in command line" query can detect the use of Empire, which can enumerate host information like OS, architecture, applied patches, etc., but does not address other procedures.
References
|
microsoft_sentinel | Microsoft Sentinel | detect | minimal | T1083 | File and Directory Discovery |
Comments
The Microsoft Sentinel Analytics "Powershell Empire cmdlets seen in command line" query can detect the use of Empire, which includes modules for finding files of interest on hosts and network shares, but does not address other procedures.
References
|
microsoft_sentinel | Microsoft Sentinel | detect | minimal | T1087 | Account Discovery |
Comments
This control provides specific forms of minimal coverage for half of this technique's sub-techniques, but does not address other procedures, resulting in an overall score of Minimal.
References
|
microsoft_sentinel | Microsoft Sentinel | detect | minimal | T1087.001 | Local Account |
Comments
The Microsoft Sentinel Hunting "Enumeration of users and groups" query can identify potentially malicious account discovery through the use of the net tool.
The Microsoft Sentinel Analytics "Powershell Empire cmdlets seen in command line" query can detect the use of Empire, which can acquire local and domain user account information, but does not address other procedures.
References
|
microsoft_sentinel | Microsoft Sentinel | detect | minimal | T1087.002 | Domain Account |
Comments
The Microsoft Sentinel Hunting "Enumeration of users and groups" query can identify potentially malicious account discovery through the use of the net tool.
The Microsoft Sentinel Analytics "Powershell Empire cmdlets seen in command line" query can detect the use of Empire, which can acquire local and domain user account information, but does not address other procedures.
References
|
microsoft_sentinel | Microsoft Sentinel | detect | minimal | T1087.003 | Email Account |
Comments
The Microsoft Sentinel Analytics "Mail.Read Permissions Granted to Application" query can identify applications that may have been abused to gain access to mailboxes.
References
|
microsoft_sentinel | Microsoft Sentinel | detect | minimal | T1090 | Proxy |
Comments
This control provides minimal coverage for one sub-technique of this technique, resulting in an overall coverage score of Minimal.
References
|
microsoft_sentinel | Microsoft Sentinel | detect | minimal | T1090.003 | Multi-hop Proxy |
Comments
The Microsoft Sentinel Analytics "DNS events related to ToR proxies" query can identify potential use of Tor, though it provides only minimal coverage because it only covers a set of common domains and is easily bypassed via hardcoded IP addresses, redirection, etc.
References
|
microsoft_sentinel | Microsoft Sentinel | detect | minimal | T1098 | Account Manipulation |
Comments
The following Microsoft Sentinel Hunting queries can identify potentially malicious manipulation of accounts to increase or maintain access: "Azure DevOps - Guest users access enabled", "Azure DevOps - Additional Org Admin added", "Anomalous Activity Role Assignment", "Anomalous Role Assignment", and "Anomalous AAD Account Manipulation", which indicate expansion of accounts' access/privileges; "Bots added to multiple teams" which indicates workspace access granted to automated accounts.
The following Microsoft Sentinel Analytics queries can identify potentially malicious manipulation of accounts to increase or maintain access: "Suspicious granting of permissions to an account" from a previously unobserved IP address, "External user added and removed in short timeframe" for Teams resources, "Account added and removed from privileged group", "User account added to built in domain local or global group", and "New user created and added to the built-in administrator group". "Multiple Password Reset by user" can detect potentially malicious iterative password resets.
References
|
microsoft_sentinel | Microsoft Sentinel | detect | minimal | T1098.001 | Additional Cloud Credentials |
Comments
The Microsoft Sentinel Hunting "First access credential added to Application or Service Principal where no credential was present" query can identify potentially malicious changes to Service Principal credentials.
The Microsoft Sentinel Analytics "Credential added after admin consented to Application" and "New access credential added to Application or Service Principal" queries can identify potentially malicious manipulation of additional cloud credentials.
References
|
microsoft_sentinel | Microsoft Sentinel | detect | minimal | T1102 | Web Service |
Comments
This control can identify one of this technique's sub-techniques when executed via "Powershell Empire cmdlets seen in command line", but does not address other procedures.
References
|
microsoft_sentinel | Microsoft Sentinel | detect | minimal | T1102.002 | Bidirectional Communication |
Comments
The Microsoft Sentinel Analytics "Powershell Empire cmdlets seen in command line" query can detect the use of Empire, which can use Dropbox and GitHub for command and control, but does not address other procedures.
References
|
microsoft_sentinel | Microsoft Sentinel | detect | partial | T1105 | Ingress Tool Transfer |
Comments
The Microsoft Sentinel Hunting "Crypto currency miners EXECVE" query can detect cryptocurrency mining software downloads through EXECVE.
The following Microsoft Sentinel Analytics queries can identify potentiall malicious tool transfer: "Linked Malicious Storage Artifacts" may identify potential adversary tool downloads that are missed by anti-malware. "Powershell Empire cmdlets seen in command line" detects downloads via Empire. "New executable via Office FileUploaded Operations" can identify ingress of malicious code and attacker tools to Office services such as SharePoint and OneDrive, but with potential for high false positive rates from normal user upload activity.
References
|
microsoft_sentinel | Microsoft Sentinel | detect | minimal | T1106 | Native API |
Comments
The Microsoft Sentinel Analytics "Powershell Empire cmdlets seen in command line" query can detect the use of Empire, which includes a variety of enumeration modules that have an option to use API calls to carry out tasks, but does not address other procedures.
References
|
microsoft_sentinel | Microsoft Sentinel | detect | partial | T1110 | Brute Force |
Comments
This control includes partial detection coverage for most of this technique's sub-techniques on a periodic basis.
References
|
microsoft_sentinel | Microsoft Sentinel | detect | partial | T1110.001 | Password Guessing |
Comments
The "Summary of user logons by logon type" Microsoft Sentinel Hunting query compares successful and unsuccessful logon attempts to identify potential lateral movement.
The following Microsoft Sentinel Hunting queries can identify potential attempts at credential brute force based on unsuccessful attempts: "VIP account more than 6 failed logons in 10", "Multiple Failed Logon on SQL Server in Short time Span", "Permutations on logon attempts by UserPrincipalNames indicating potential brute force", "Potential IIS brute force", "Failed attempt to access Azure Portal", "Failed Login Attempt by Expired account", "Failed Logon Attempts on SQL Server", "Failed Logon on SQL Server from Same IPAddress in Short time Span", "Failed service logon attempt by user account with available AuditData", "Login attempt by Blocked MFA user", "Login spike with increase failure rate", "Attempts to sign-in to disabled accounts by IP address", "Attempts to sign-in to disabled accounts by account name", "Brute Force attack against Azure Portal", and "Anomalous Failed Logon"
The following Microsoft Sentinel Analytics queries can identify potential attempts at credential brute force based on unsuccessful attempts: "Brute force attack against Azure Portal", "Password spray attack against Azure AD application", "Successful logon from IP and failure from a different IP", "Failed logon attempts in authpriv", "Failed AzureAD logons but success logon to host", "Excessive Windows logon failures", "Failed login attempts to Azure Portal", "Failed logon attempts by valid accounts within 10 mins", "Brute Force Attack against GitHub Account", "Distributed Password cracking attempts in AzureAD", "Potential Password Spray Attack" based on periodic assessment of Azure Active Directory sign-in events and Okta console logins, "Attempts to sign in to disabled accounts", "Sign-ins from IPs that attempt sign-ins to disabled accounts", "High count of failed logins by a user", "Hi count of failed attempts same client IP", "SSH - Potential Brute Force", and "SecurityEvent - Multiple authentication failures followed by success".
References
|
microsoft_sentinel | Microsoft Sentinel | detect | partial | T1110.003 | Password Spraying |
Comments
The "Summary of user logons by logon type" Microsoft Sentinel Hunting query compares successful and unsuccessful logon attempts to identify potential lateral movement.
The following Microsoft Sentinel Hunting queries can identify potential attempts at credential brute force based on unsuccessful attempts: "VIP account more than 6 failed logons in 10", "Multiple Failed Logon on SQL Server in Short time Span", "Permutations on logon attempts by UserPrincipalNames indicating potential brute force", "Potential IIS brute force", "Failed attempt to access Azure Portal", "Failed Login Attempt by Expired account", "Failed Logon Attempts on SQL Server", "Failed Logon on SQL Server from Same IPAddress in Short time Span", "Failed service logon attempt by user account with available AuditData", "Login attempt by Blocked MFA user", "Login spike with increase failure rate", "Attempts to sign-in to disabled accounts by IP address", "Attempts to sign-in to disabled accounts by account name", "Brute Force attack against Azure Portal", and "Anomalous Failed Logon"
The following Microsoft Sentinel Analytics queries can identify potential attempts at credential brute force based on unsuccessful attempts: "Brute force attack against Azure Portal", "Password spray attack against Azure AD application", "Successful logon from IP and failure from a different IP", "Failed logon attempts in authpriv", "Failed AzureAD logons but success logon to host", "Excessive Windows logon failures", "Failed login attempts to Azure Portal", "Failed logon attempts by valid accounts within 10 mins", "Brute Force Attack against GitHub Account", "Distributed Password cracking attempts in AzureAD", "Potential Password Spray Attack" based on periodic assessment of Azure Active Directory sign-in events and Okta console logins, "Attempts to sign in to disabled accounts", "Sign-ins from IPs that attempt sign-ins to disabled accounts", "High count of failed logins by a user", "Hi count of failed attempts same client IP", "SSH - Potential Brute Force", and "SecurityEvent - Multiple authentication failures followed by success".
References
|
microsoft_sentinel | Microsoft Sentinel | detect | partial | T1110.004 | Credential Stuffing |
Comments
The "Summary of user logons by logon type" Microsoft Sentinel Hunting query compares successful and unsuccessful logon attempts to identify potential lateral movement.
The following Microsoft Sentinel Hunting queries can identify potential attempts at credential brute force based on unsuccessful attempts: "VIP account more than 6 failed logons in 10", "Multiple Failed Logon on SQL Server in Short time Span", "Permutations on logon attempts by UserPrincipalNames indicating potential brute force", "Potential IIS brute force", "Failed attempt to access Azure Portal", "Failed Login Attempt by Expired account", "Failed Logon Attempts on SQL Server", "Failed Logon on SQL Server from Same IPAddress in Short time Span", "Failed service logon attempt by user account with available AuditData", "Login attempt by Blocked MFA user", "Login spike with increase failure rate", "Attempts to sign-in to disabled accounts by IP address", "Attempts to sign-in to disabled accounts by account name", "Brute Force attack against Azure Portal", and "Anomalous Failed Logon"
The following Microsoft Sentinel Analytics queries can identify potential attempts at credential brute force based on unsuccessful attempts: "Brute force attack against Azure Portal", "Password spray attack against Azure AD application", "Successful logon from IP and failure from a different IP", "Failed logon attempts in authpriv", "Failed AzureAD logons but success logon to host", "Excessive Windows logon failures", "Failed login attempts to Azure Portal", "Failed logon attempts by valid accounts within 10 mins", "Brute Force Attack against GitHub Account", "Distributed Password cracking attempts in AzureAD", "Potential Password Spray Attack" based on periodic assessment of Azure Active Directory sign-in events and Okta console logins, "Attempts to sign in to disabled accounts", "Sign-ins from IPs that attempt sign-ins to disabled accounts", "High count of failed logins by a user", "Hi count of failed attempts same client IP", "SSH - Potential Brute Force", and "SecurityEvent - Multiple authentication failures followed by success".
References
|
microsoft_sentinel | Microsoft Sentinel | detect | minimal | T1113 | Screen Capture |
Comments
The Microsoft Sentinel Analytics "Powershell Empire cmdlets seen in command line" query can detect the use of Empire, which can capture screenshots on Windows, but does not address other procedures.
References
|
microsoft_sentinel | Microsoft Sentinel | detect | minimal | T1114 | Email Collection |
Comments
This control provides minimal coverage for all of this technique's sub-techniques, resulting in an overall score of Minimal.
References
|
microsoft_sentinel | Microsoft Sentinel | detect | minimal | T1114.001 | Local Email Collection |
Comments
The Microsoft Sentinel Analytics "Powershell Empire cmdlets seen in command line" query can identify use of Empire, which has the ability to collect emails on a target system. The coverage for these queries is minimal (specific to Empire) resulting in an overall Minimal score.
References
|
microsoft_sentinel | Microsoft Sentinel | detect | minimal | T1114.002 | Remote Email Collection |
Comments
The Microsoft Sentinel Hunting "Suspect Mailbox Export on IIS/OWA" query can identify potential malicious exfiltration hosting via IIS. The Microsoft Sentinel Hunting "Host Exporting Mailbox and Removing Export" query can identify potential exfiltration of data from Exchange servers. The coverage for these queries is minimal resulting in an overall Minimal score.
References
|
microsoft_sentinel | Microsoft Sentinel | detect | minimal | T1114.003 | Email Forwarding Rule |
Comments
The Microsoft Sentinel Hunting "Mail redirect via ExO transport rule" query can detect potentially malicious email redirection, but is limited to Exchange servers only.
References
|
microsoft_sentinel | Microsoft Sentinel | detect | minimal | T1115 | Clipboard Data |
Comments
The Microsoft Sentinel Analytics "Powershell Empire cmdlets seen in command line" query can detect the use of Empire, which can harvest clipboard data on Windows, but does not address other procedures or platforms.
References
|
microsoft_sentinel | Microsoft Sentinel | detect | minimal | T1119 | Automated Collection |
Comments
The following Microsoft Sentinel Hunting queries can identify potentially malicious automated collection: "Multiple large queries made by user" and "Query data volume anomolies" can identify that automated queries are being used to collect data in bulk. "New ServicePrincipal running queries" can indicate that an application is performing automated collection via queries.
The following Microsoft Sentinel Analytics queries can identify potentially malicious automated collection: "Mass secret retrieval from Azure Key Vault" and "Azure Key Vault access TimeSeries anomaly" can detect a sudden increase in access counts, which may indicate that an adversary is dumping credentials via automated methods. "Users searching for VIP user activity" can identify potentially suspicious Log Analytics queries by users looking for a listing of 'VIP' activity.
The coverage for these queries is minimal (applicable to specific technologies) resulting in an overall Minimal score.
References
|
microsoft_sentinel | Microsoft Sentinel | detect | minimal | T1125 | Video Capture |
Comments
The Microsoft Sentinel Analytics "Powershell Empire cmdlets seen in command line" query can detect the use of Empire, which can capture webcam data on Windows, but does not address other procedures.
References
|
microsoft_sentinel | Microsoft Sentinel | detect | minimal | T1127 | Trusted Developer Utilities Proxy Execution |
Comments
This control can identify one of this technique's sub-techniques when executed via "Powershell Empire cmdlets seen in command line", but does not address other procedures.
References
|
microsoft_sentinel | Microsoft Sentinel | detect | minimal | T1127.001 | MSBuild |
Comments
The Microsoft Sentinel Analytics "Powershell Empire cmdlets seen in command line" query can detect the use of Empire, which can use abuse trusted utilities including MSBuild.exe, but does not address other procedures.
References
|
microsoft_sentinel | Microsoft Sentinel | detect | minimal | T1134 | Access Token Manipulation |
Comments
This control provides minimal coverage of a minority of this technique's sub-techniques, but does not address other procedures, resulting in an overall score of Minimal.
The Microsoft Sentinel Analytics "Azure DevOps Personal Access Token misuse" query can identify anomalous use of Personal Access Tokens, but does not map directly to any sub-techniques.
References
|
microsoft_sentinel | Microsoft Sentinel | detect | minimal | T1134.002 | Create Process with Token |
Comments
The Microsoft Sentinel Analytics "Powershell Empire cmdlets seen in command line" query can detect the use of Empire, which can be used to make tokens via Invoke-RunAs and add a SID-History to a user if on a domain controller, but does not address other procedures.
References
|
microsoft_sentinel | Microsoft Sentinel | detect | minimal | T1134.005 | SID-History Injection |
Comments
The Microsoft Sentinel Analytics "Powershell Empire cmdlets seen in command line" query can detect the use of Empire, which can be used to make tokens via Invoke-RunAs and add a SID-History to a user if on a domain controller, but does not address other procedures.
References
|
microsoft_sentinel | Microsoft Sentinel | detect | minimal | T1135 | Network Share Discovery |
Comments
The Microsoft Sentinel Analytics "Powershell Empire cmdlets seen in command line" query can detect the use of Empire, which can perform port scans from an infected host, but does not address other procedures.
References
|
microsoft_sentinel | Microsoft Sentinel | detect | partial | T1136 | Create Account |
Comments
This control provides partial coverage for all of this technique's sub-techniques, resulting in an overall score of Partial.
References
|
microsoft_sentinel | Microsoft Sentinel | detect | partial | T1136.001 | Local Account |
Comments
The Microsoft Sentinel Hunting "New User created on SQL Server" query can detect a specific type of potentially malicious local account creation.
The following Microsoft Sentinel Analytics queries can identify potentially malicious local account creation: "Summary of users created using uncommon/undocumented commandline switches" which can identify use of the net command to create user accounts, "User created by unauthorized user", "User Granted Access and associated audit activity" and "User Granted Access and Grants others Access" which may identify account creation followed by suspicious behavior, "User account created and deleted within 10 mins" which suggests an account may have existed only long enough to fulfill a malicious purpose, and "Powershell Empire cmdlets seen in command line" which can identify use of Empire, including for account creation.
References
|
microsoft_sentinel | Microsoft Sentinel | detect | partial | T1136.002 | Domain Account |
Comments
The following Microsoft Sentinel Analytics queries can identify potentially malicious domain account creation: "Summary of users created using uncommon/undocumented commandline switches" which can identify use of the net command to create user accounts, "User created by unauthorized user", "User Granted Access and associated audit activity" and "User Granted Access and Grants others Access" which may identify account creation followed by suspicious behavior, "User account created and deleted within 10 mins" which suggests an account may have existed only long enough to fulfill a malicious purpose, and "Powershell Empire cmdlets seen in command line" which can identify use of Empire, including for account creation.
References
|
microsoft_sentinel | Microsoft Sentinel | detect | partial | T1136.003 | Cloud Account |
Comments
The Microsoft Sentinel Hunting queries can identify potentially malicious cloud account creation: "External user added and removed in short timeframe" and "External user from a new organisation added" can identify the addition of new external Teams user accounts.
The following Microsoft Sentinel Analytics queries can identify potentially malicious cloud account creation: "User Granted Access and created resources" which identifies a newly created user account gaining access and creating resources in Azure, and "New Cloud Shell User".
References
|
microsoft_sentinel | Microsoft Sentinel | detect | minimal | T1137 | Office Application Startup |
Comments
This control only provides minimal to partial coverage for a minority of this technique's
sub-techniques and does not address all of its procedures, resulting in an overall score
of Minimal.
References
|
microsoft_sentinel | Microsoft Sentinel | detect | partial | T1137.005 | Outlook Rules |
Comments
The following Microsoft Sentinel Analytics queries can identify potentially malicious use of Outlook rules: "Office policy tampering", "Malicious Inbox Rule" which can detect rules intended to delete emails that contain certain keywords (generally meant to warn compromised users about adversary behaviors), and "Mail redirect via ExO transport rule" (potentially to an adversary mailbox configured to collect mail).
References
|
microsoft_sentinel | Microsoft Sentinel | detect | minimal | T1137.006 | Add-ins |
Comments
The Microsoft Sentinel Hunting "Previously unseen bot or applicaiton added to Teams" [sic] query can detect the addition of a potentially malicious add-in, but is specific to Microsoft Teams.
References
|
microsoft_sentinel | Microsoft Sentinel | detect | minimal | T1140 | Deobfuscate/Decode Files or Information |
Comments
The Microsoft Sentinel Hunting "New PowerShell Scripts encoded on the commandline" query can detect a specific type of obfuscated file.
The Microsoft Sentinel Analytics "Process executed from binary hidden in Base64 encoded file" query can use security event searches to detect decoding by Python, bash/sh, and Ruby.
The coverage for these queries is minimal (e.g. base64, PowerShell) resulting in an overall Minimal score.
References
|
microsoft_sentinel | Microsoft Sentinel | detect | minimal | T1190 | Exploit Public-Facing Application |
Comments
The Microsoft Sentinel Hunting "Potential IIS code injection attempt" query can detect some potential injection attacks against public-facing applications.
The Microsoft Sentinel Analytics "A potentially malicious web request was executed against a web server" query can detect a high ratio of blocked requests and unobstructed requests to a Web Application Firewall (WAF) for a given client IP and hostnam.
The coverage for these queries is minimal (e.g. IIS) resulting in an overall Minimal score.
References
|
microsoft_sentinel | Microsoft Sentinel | detect | minimal | T1195 | Supply Chain Compromise |
Comments
This control provides partial coverage for one of this technique's sub-techniques, and its coverage is more for supply chain concerns of downstream consumers of software developed within the environemnt than the Azure environment itself, resulting in an overall score of Minimal.
References
|
microsoft_sentinel | Microsoft Sentinel | detect | partial | T1195.001 | Compromise Software Dependencies and Development Tools |
Comments
The following Microsoft Sentinel Hunting queries can identify potentially malicious changes to Azure DevOps project resources: "Azure DevOps - Project Visibility changed to public" can identify a specific action that may be an indicator of an attacker modifying the cloud compute infrastructure. "Azure DevOps - Public project created" and "Azure DevOps - Public project enabled by admin" can identify specific instances of potential defense evasion.
The following Microsoft Sentinel Analytics queries can identify potentially malicious changes to Azure DevOps project resources: "AzureDevops Service Connection Abuse" can detect potential malicious behavior associated with use of large number of service connections, "External Upstream Source added to Azure DevOps" identifies a specific behavior that could compromise the DevOps build pipeline, "Azure DevOps Pull Request Policy Bypassing - History" can identify specific potentially malicious behavior that compromises the build process, "Azure DevOps Pipeline modified by a New User" identifies potentially malicious activity that could compromise the DevOps pipeline, "Azure DevOps Administrator Group Monitoring" monitors for specific activity which could compromise the build/release process, "New Agent Added to Pool by New User or a New OS" can detect a suspicious behavior that could potentially compromise DevOps pipeline.
References
|
microsoft_sentinel | Microsoft Sentinel | detect | minimal | T1210 | Exploitation of Remote Services |
Comments
The Microsoft Sentinel Analytics "Powershell Empire cmdlets seen in command line" query can detect the use of Empire, which includes built-in modules for exploiting remote SMB, JBoss, and Jenkins servers, but does not address other procedures. The Microsoft Sentinel Analytics "Gain Code Execution on ADFS Server via SMB + Remote Service or Scheduled Task" query can detect when an adversary gains execution capability on an ADFS server through SMB and Remote Service or Scheduled Task.
References
|
microsoft_sentinel | Microsoft Sentinel | detect | minimal | T1213 | Data from Information Repositories |
Comments
This control provides partial detection coverage for only this technique's SharePoint sub-technique.
The Microsoft Sentinel Hunting "Cross workspace query anomaly" query can identify potential adversary information collection (in this case from Azure ML workspaces), but does not map directly to any sub-techniques.
References
|
microsoft_sentinel | Microsoft Sentinel | detect | partial | T1213.002 | Sharepoint |
Comments
The following Microsoft Sentinel Hunting queries can identify potentially malicious access to SharePoint: "SharePointFileOperation via clientIP with previously unseen user agents", "SharePointFileOperation via devices with previously unseen user agents", and "SharePointFileOperation via previously unseen IPs".
The Microsoft Sentinel Analytics "SharePointFileOperation via devices with previously unseen user agents" query can identify a high number of upload or download actions by an unknown and possible malicious actor.
References
|
microsoft_sentinel | Microsoft Sentinel | detect | minimal | T1217 | Browser Information Discovery |
Comments
The Microsoft Sentinel Analytics "Powershell Empire cmdlets seen in command line" query can detect the use of Empire, which has the ability to gather browser data including bookmarks and history, but does not address other procedures.
References
|
microsoft_sentinel | Microsoft Sentinel | detect | minimal | T1482 | Domain Trust Discovery |
Comments
The Microsoft Sentinel Analytics "Powershell Empire cmdlets seen in command line" query can detect the use of Empire, which can enumerate domain trusts, but does not address other procedures.
References
|
microsoft_sentinel | Microsoft Sentinel | detect | partial | T1484 | Domain or Tenant Policy Modification |
Comments
This control provides minimal to partial coverage of both of this technique's sub-techniques, resulting in an overall score of Partial.
References
|
microsoft_sentinel | Microsoft Sentinel | detect | minimal | T1484.001 | Group Policy Modification |
Comments
The Microsoft Sentinel Analytics "Powershell Empire cmdlets seen in command line" query can detect the use of Empire, which can modify group policy objects to install and execute malicious scheduled tasks, but does not address other procedures.
References
|
microsoft_sentinel | Microsoft Sentinel | detect | partial | T1484.002 | Trust Modification |
Comments
The Microsoft Sentinel Analytics "Modified Domain Federation Trust Settings" query can detect potentially malicious changes to domain trust settings.
References
|
microsoft_sentinel | Microsoft Sentinel | detect | minimal | T1485 | Data Destruction |
Comments
The Microsoft Sentinel Hunting "Multiple Teams deleted by a single user" query can detect when a threshold is met for number of Teams deleted within an hour. Coverage is minimal because the control is limited to a specific resource (teams) and only works when the threshold is met.
The Microsoft Sentinel Analytics "Multiple Teams deleted by a single user" query can detect when a threshold is met for number of Teams deleted within an hour. Coverage is minimal because the control is limited to a specific resource (teams) and only works when the threshold is met.
References
|
microsoft_sentinel | Microsoft Sentinel | detect | minimal | T1486 | Data Encrypted for Impact |
Comments
The Microsoft Sentinel Analytics "Sensitive Azure Key Vault Operations" query can identify potential attacker activity intended to delete private key(s) required to decrypt content.
References
|
microsoft_sentinel | Microsoft Sentinel | detect | minimal | T1490 | Inhibit System Recovery |
Comments
The Microsoft Sentinel Analytics "Sensitive Azure Key Vault Operations" query can identify potential attacker activity intended to interfere with backups.
References
|
microsoft_sentinel | Microsoft Sentinel | detect | partial | T1496 | Resource Hijacking |
Comments
The following Microsoft Sentinel Hunting queries can identify potential resource hijacking based on anomolies in access and usage patterns: "Anomalous Resource Creation and related Network Activity", "Creation of an anomalous number of resources".
The following Microsoft Sentinel Analytis queries can identify potential resource hijacking: "Creation of Expensive Computes in Azure" and "Suspicious number of resource creation or deployed" [sic] can identify suspicious outliers in resource quantities requested. "Suspicious Resource deployment" can identify deployments from new, potentially malicious, users. "Process execution frequency anomaly" can identify execution that may indicate hijacking. "DNS events related to mining pools", can identify potential cryptocurrency mining activity.
References
|
microsoft_sentinel | Microsoft Sentinel | detect | minimal | T1505 | Server Software Component |
Comments
This control provides partial coverage for only one of this technique's sub-techniques, resulting in overall coverage of Minimal.
References
|
microsoft_sentinel | Microsoft Sentinel | detect | partial | T1505.003 | Web Shell |
Comments
The Microsoft Sentinel Hunting "Web shell command alert enrichment", "Web shell Detection", and "Web shell file alert enrichment" queries can identify potentially malicious activity via web shell.
References
|
microsoft_sentinel | Microsoft Sentinel | detect | minimal | T1518 | Software Discovery |
Comments
This control can identify one of this technique's sub-techniques when executed via "Powershell Empire cmdlets seen in command line", but does not address other procedures.
References
|
microsoft_sentinel | Microsoft Sentinel | detect | minimal | T1518.001 | Security Software Discovery |
Comments
The Microsoft Sentinel Analytics "Powershell Empire cmdlets seen in command line" query can detect the use of Empire, which can enumerate antivirus software on the target, but does not address other procedures.
References
|
microsoft_sentinel | Microsoft Sentinel | detect | minimal | T1528 | Steal Application Access Token |
Comments
The Microsoft Sentinel Hunting "Consent to Application discovery" query can identify recent permissions granted by a user to a particular app.
References
|
microsoft_sentinel | Microsoft Sentinel | detect | minimal | T1530 | Data from Cloud Storage |
Comments
The Microsoft Sentinel Hunting "Anomalous Data Access" query identifies all users performing out-of-profile read operations regarding data or files, which may be indicative of adversarial collection from cloud storage objects.
References
|
microsoft_sentinel | Microsoft Sentinel | detect | minimal | T1531 | Account Access Removal |
Comments
The following Microsoft Sentinel Hunting queries can identify potentially malicious behavior on user accounts: "AD Account Lockout", "Anomalous Password Reset", "SQL User deleted from Database", "User removed from SQL Server Roles", and "User removed from SQL Server SecurityAdmin Group".
The Microsoft Sentinel Analytics "Sensitive Azure Key Vault operations" query can identify attempts to remove account access by deleting keys or entire key vaults.
References
|
microsoft_sentinel | Microsoft Sentinel | detect | minimal | T1535 | Unused/Unsupported Cloud Regions |
Comments
The Microsoft Sentinel Analytics "Suspicious Resource deployment" query can identify adversary attempts to maintain persistence or evade defenses by leveraging unused and/or unmonitored resources.
References
|
microsoft_sentinel | Microsoft Sentinel | detect | minimal | T1543 | Create or Modify System Process |
Comments
This control can identify one of this technique's sub-techniques when executed via "Powershell Empire cmdlets seen in command line", but does not address other procedures.
References
|
microsoft_sentinel | Microsoft Sentinel | detect | minimal | T1543.003 | Windows Service |
Comments
The Microsoft Sentinel Analytics "Powershell Empire cmdlets seen in command line" query can detect the use of Empire, which can modify service binaries and restore them to their original states, but does not address other procedures.
References
|
microsoft_sentinel | Microsoft Sentinel | detect | minimal | T1546 | Event Triggered Execution |
Comments
This control can identify one of this technique's sub-techniques when executed via "Powershell Empire cmdlets seen in command line", but does not address other procedures.
References
|
microsoft_sentinel | Microsoft Sentinel | detect | minimal | T1546.008 | Accessibility Features |
Comments
The Microsoft Sentinel Analytics "Powershell Empire cmdlets seen in command line" query can detect the use of Empire, which can leverage WMI debugging to remotely replace binaries like seth.exe, utilman.exe, and magnify.exe with cmd.exe, but does not address other procedures.
References
|
microsoft_sentinel | Microsoft Sentinel | detect | minimal | T1547 | Boot or Logon Autostart Execution |
Comments
This control can identify three of this technique's sub-techniques when executed via "Powershell Empire cmdlets seen in command line", but does not address other procedures.
References
|
microsoft_sentinel | Microsoft Sentinel | detect | minimal | T1547.001 | Registry Run Keys / Startup Folder |
Comments
The Microsoft Sentinel Analytics "Powershell Empire cmdlets seen in command line" query can detect the use of Empire, which can enumerate SSPs, install malicious SSPs, persist by modifying .lnk files to include backdoors, and modify the registry run keys, but does not address other procedures.
References
|
microsoft_sentinel | Microsoft Sentinel | detect | minimal | T1547.005 | Security Support Provider |
Comments
The Microsoft Sentinel Analytics "Powershell Empire cmdlets seen in command line" query can detect the use of Empire, which can enumerate SSPs, install malicious SSPs, persist by modifying .lnk files to include backdoors, and modify the registry run keys, but does not address other procedures.
References
|
microsoft_sentinel | Microsoft Sentinel | detect | minimal | T1547.009 | Shortcut Modification |
Comments
The Microsoft Sentinel Analytics "Powershell Empire cmdlets seen in command line" query can detect the use of Empire, which can enumerate SSPs, install malicious SSPs, persist by modifying .lnk files to include backdoors, and modify the registry run keys, but does not address other procedures.
References
|
microsoft_sentinel | Microsoft Sentinel | detect | minimal | T1548 | Abuse Elevation Control Mechanism |
Comments
This control can identify one of this technique's sub-techniques when executed via "Powershell Empire cmdlets seen in command line", but does not address other procedures.
References
|
microsoft_sentinel | Microsoft Sentinel | detect | minimal | T1548.002 | Bypass User Account Control |
Comments
The Microsoft Sentinel Analytics "Powershell Empire cmdlets seen in command line" query can detect the use of Empire, which includes various modules to attempt to bypass UAC for privilege escalation, but does not address other procedures.
References
|
microsoft_sentinel | Microsoft Sentinel | detect | minimal | T1550 | Use Alternate Authentication Material |
Comments
This control provides minimal coverage of half of this technique's sub-techniques, without additional coverage of procedure examples, resulting in an overall score of Minimal.
References
|
microsoft_sentinel | Microsoft Sentinel | detect | minimal | T1550.001 | Application Access Token |
Comments
The Microsoft Sentinel Analytics "Azure DevOps - PAT used with Browser." query can identify potentially malicious usage of Personal Access Tokens intended for code or applications to be used through the web browser.
References
|
microsoft_sentinel | Microsoft Sentinel | detect | minimal | T1550.002 | Pass the Hash |
Comments
The Microsoft Sentinel Analytics "Powershell Empire cmdlets seen in command line" query can detect the use of Empire, which can perform pass the hash attacks, but does not address other procedures.
References
|
microsoft_sentinel | Microsoft Sentinel | detect | minimal | T1552 | Unsecured Credentials |
Comments
This control provides minimal to partial coverage for a minority of this technique's sub-techniques, resulting in an overall detection score of Minimal.
References
|
microsoft_sentinel | Microsoft Sentinel | detect | minimal | T1552.001 | Credentials In Files |
Comments
The Microsoft Sentinel Hunting "Query looking for secrets" query can identify potentially malicious database requests for secrets like passwords or other credentials.
The Microsoft Sentinel Analytics "Powershell Empire cmdlets seen in command line" query can detect the use of Empire, which can use various modules to search for files containing passwords, but does not address other procedures.
The coverage for these queries is minimal resulting in an overall Minimal score.
References
|
microsoft_sentinel | Microsoft Sentinel | detect | minimal | T1552.004 | Private Keys |
Comments
The Microsoft Sentinel Analytics "ADFS DKM Master Key Export" and "ADFS Key Export (Sysmon)" queries can detect potentially malicious access intended to decrypt access tokens. The Microsoft Sentinel Analytics "Powershell Empire cmdlets seen in command line" query can detect the use of Empire, which can use modules to extract private key and session information, but does not address other procedures.
The coverage for these queries is minimal (specific to Empire, ADFS) resulting in an overall Minimal score.
References
|
microsoft_sentinel | Microsoft Sentinel | detect | minimal | T1552.007 | Container API | |
microsoft_sentinel | Microsoft Sentinel | detect | minimal | T1555 | Credentials from Password Stores |
Comments
This control can identify one of this technique's sub-techniques when executed via "Powershell Empire cmdlets seen in command line", but does not address other procedures.
References
|
microsoft_sentinel | Microsoft Sentinel | detect | minimal | T1555.003 | Credentials from Web Browsers |
Comments
The Microsoft Sentinel Analytics "Powershell Empire cmdlets seen in command line" query can detect the use of Empire, which can extract passwords from common web browsers including Firefox and Chrome, but does not address other procedures.
References
|
microsoft_sentinel | Microsoft Sentinel | detect | minimal | T1556 | Modify Authentication Process |
Comments
The Microsoft Sentinel Hunting "Azure DevOps Conditional Access Disabled" query can identify potentially malicious modifications of the DevOps access policy.
The Microsoft Sentinel Analytics "MFA disabled for a user" and "GitHub Two Factor Auth Disable" queries can detect potentially malicious changes in multi-factor authentication settings.
References
|
microsoft_sentinel | Microsoft Sentinel | detect | minimal | T1557 | Adversary-in-the-Middle |
Comments
This control can identify one of this technique's sub-techniques when executed via "Powershell Empire cmdlets seen in command line", but does not address other procedures.
References
|
microsoft_sentinel | Microsoft Sentinel | detect | minimal | T1557.001 | LLMNR/NBT-NS Poisoning and SMB Relay |
Comments
The Microsoft Sentinel Analytics "Powershell Empire cmdlets seen in command line" query can detect the use of Empire, which can use Inveigh to conduct name service poisoning for credential theft and associated relay attacks, but does not address other procedures.
References
|
microsoft_sentinel | Microsoft Sentinel | detect | minimal | T1558 | Steal or Forge Kerberos Tickets |
Comments
This control only provides minimal to partial coverage for some this technique's sub-techniques, resulting in an overall score of Minimal.
References
|
microsoft_sentinel | Microsoft Sentinel | detect | minimal | T1558.001 | Golden Ticket |
Comments
The Microsoft Sentinel Analytics "Powershell Empire cmdlets seen in command line" query can detect execution of these sub-techniques via Empire, but does not address other procedures.
References
|
microsoft_sentinel | Microsoft Sentinel | detect | minimal | T1558.002 | Silver Ticket |
Comments
The Microsoft Sentinel Analytics "Powershell Empire cmdlets seen in command line" query can detect execution of these sub-techniques via Empire, but does not address other procedures.
References
|
microsoft_sentinel | Microsoft Sentinel | detect | partial | T1558.003 | Kerberoasting |
Comments
Microsoft Sentinel Analytics includes a "Potential Kerberoasting" query. Kerberoasting via Empire can also be detected using the Microsoft Sentinel Analytics "Powershell Empire cmdlets seen in command line" query.
References
|
microsoft_sentinel | Microsoft Sentinel | detect | minimal | T1560 | Archive Collected Data |
Comments
The Microsoft Sentinel Analytics "Powershell Empire cmdlets seen in command line" query can detect the use of Empire, which can ZIP directories on target systems, but does not address other procedures.
References
|
microsoft_sentinel | Microsoft Sentinel | detect | minimal | T1562 | Impair Defenses |
Comments
This control provides minimal (mostly) to partial coverage for most of this technique's sub-techniques, resulting in an overall score of Minimal.
The Microsoft Sentinel Hunting "Anomalous Defensive Mechanism Modification" query detects users performing delete operations on security policies, which may indicate an adversary attempting to impair defenses.
References
|
microsoft_sentinel | Microsoft Sentinel | detect | minimal | T1562.001 | Disable or Modify Tools |
Comments
The following Microsoft Sentinel Hunting queries can identify potentially malicious modifications to Sentinel resources: "Microsoft Sentinel Analytics Rules Administrative Operations", "Microsoft Sentinel Connectors Administrative Operations", and "Microsoft Sentinel Workbooks Administrative Operations".
The Microsoft Sentinel Analytics "Starting or Stopping HealthService to Avoid Detection" query can detect potentially malicious disabling of telemetry collection/detection.
The coverage for these queries is minimal resulting in an overall Minimal score.
References
|
microsoft_sentinel | Microsoft Sentinel | detect | minimal | T1562.002 | Disable Windows Event Logging |
Comments
The Microsoft Sentinel Analytics "Audit policy manipulation using auditpol utility" query can detect potentially malicious to modification and/or disabling of logging via the auditpol utility. The coverage for these queries is minimal (specific to Audit policy) resulting in an overall Minimal score.
References
|
microsoft_sentinel | Microsoft Sentinel | detect | minimal | T1562.006 | Indicator Blocking |
Comments
The Microsoft Sentinel Hunting "Microsoft Sentinel Analytics Rules Administrative Operations" query can identify potential attempts to impair defenses by changing or deleting detection analytics.
The Microsoft Sentinel Analytics "Azure DevOps - Retention Reduced to Zero" query can identify that an adversary is looking to reduce their malicious activity's footprint by preventing retention of artifacts. Control is specific to indicators produced by Azure DevOps. The coverage for these queries is minimal resulting in an overall Minimal score.
References
|
microsoft_sentinel | Microsoft Sentinel | detect | partial | T1562.007 | Disable or Modify Cloud Firewall |
Comments
The following Microsoft Sentinel Hunting queries can identify potentially malicious modifications to cloud firewall resources: "Azure Network Security Group NSG Administrative Operations" query can identify potential defensive evasion involving changing or disabling network access rules. "Port opened for an Azure Resource" may indicate an adversary increasing the accessibility of a resource for easier collection/exfiltration.
The Microsoft Sentinel Analytics "Security Service Registry ACL Modification" query can detect attempts to modify registry ACLs, potentially done to evade security solutions.
References
|
microsoft_sentinel | Microsoft Sentinel | detect | minimal | T1562.008 | Disable or Modify Cloud Logs |
Comments
The Microsoft Sentinel Analytics "Exchange AuditLog disabled" query can detect potentially malicious disabling of Exchange logs. The Microsoft Sentinel Analytics "Azure DevOps Audit Stream Disabled" query can identify disabling of Azure DevOps log streaming. The coverage for these queries is minimal (specific to these technologies) resulting in an overall Minimal score.
References
|
microsoft_sentinel | Microsoft Sentinel | detect | minimal | T1567 | Exfiltration Over Web Service |
Comments
This control provides minimal coverage to both of this technique's sub-techniques as well as some of its procedure examples, resulting in an overall score of Minimal.
The Microsoft Sentinel Analytics "Malformed user agent" query can detect potential exfiltration over a web service by malicious code with a hard-coded user agent string, or possibly data encoded via the user agent string.
References
|
microsoft_sentinel | Microsoft Sentinel | detect | minimal | T1567.001 | Exfiltration to Code Repository |
Comments
The Microsoft Sentinel Analytics "Powershell Empire cmdlets seen in command line" query can identify use of Empire, which can use Dropbox and GitHub for data exfiltration. The Microsoft Sentinel Analytics "SharePointFileOperation via previously unseen IPs" can detect potential exfiltration activity via SharePoint. The coverage for these queries is minimal resulting in an overall Minimal score.
References
|
microsoft_sentinel | Microsoft Sentinel | detect | minimal | T1567.002 | Exfiltration to Cloud Storage |
Comments
The Microsoft Sentinel Analytics "Powershell Empire cmdlets seen in command line" query can identify use of Empire, which can use Dropbox and GitHub for data exfiltration. The Microsoft Sentinel Analytics "SharePointFileOperation via previously unseen IPs" can detect potential exfiltration activity via SharePoint. The coverage for these queries is minimal resulting in an overall Minimal score.
References
|
microsoft_sentinel | Microsoft Sentinel | detect | minimal | T1568 | Dynamic Resolution |
Comments
This control only provides partial coverage for one of this technique's sub-techniques, resulting in an overall score of Minimal.
References
|
microsoft_sentinel | Microsoft Sentinel | detect | partial | T1568.002 | Domain Generation Algorithms |
Comments
The Microsoft Sentinel Hunting "Potential DGA detected" query can detect clients with a high NXDomain count, which might indicate an adversary cycling through possible C2 domains where most C2s are not live.
The following Microsoft Sentinel Analytics queries can identify potential use of domain generation algorithms: "Possible contact with a domain generated by a DGA" and "Potential DGA detected" within DNS.
References
|
microsoft_sentinel | Microsoft Sentinel | detect | minimal | T1569 | System Services |
Comments
This control can identify one of this technique's sub-techniques when executed via "Powershell Empire cmdlets seen in command line", but does not address other procedures.
References
|
microsoft_sentinel | Microsoft Sentinel | detect | minimal | T1569.002 | Service Execution |
Comments
The Microsoft Sentinel Analytics "Powershell Empire cmdlets seen in command line" query can detect the use of Empire, which can use PsExec to execute a payload on a remote host, but does not address other procedures.
References
|
microsoft_sentinel | Microsoft Sentinel | detect | minimal | T1573 | Encrypted Channel |
Comments
This control provides minimal coverage for one sub-technique of this technique, resulting in an overall coverage score of Minimal.
References
|
microsoft_sentinel | Microsoft Sentinel | detect | minimal | T1573.002 | Asymmetric Cryptography |
Comments
The following Microsoft Sentinel Analytics queries can detect potentially malicious usage of asymmetric cryptography channels: "DNS events related to ToR proxies" can identify potential use of Tor, though it provides only minimal coverage because it only covers a set of common domains and is easily bypassed via hardcoded IP addresses, redirection, etc. "Powershell Empire cmdlets seen in command line" can identify use of Empire, which can use TLS to encrypt a command and control channel.
References
|
microsoft_sentinel | Microsoft Sentinel | detect | minimal | T1574 | Hijack Execution Flow |
Comments
This control can identify several of this technique's sub-techniques when executed via "Powershell Empire cmdlets seen in command line", but does not address other procedures.
References
|
microsoft_sentinel | Microsoft Sentinel | detect | minimal | T1574.001 | DLL Search Order Hijacking |
Comments
The Microsoft Sentinel Analytics "Powershell Empire cmdlets seen in command line" query can detect the use of Empire, which can discover and exploit DLL hijacking opportunities, path interception opportunities in the PATH environment variable, search order hijacking vulnerabilities, and unquoted path vulnerabilities, but does not address other procedures.
References
|
microsoft_sentinel | Microsoft Sentinel | detect | minimal | T1574.007 | Path Interception by PATH Environment Variable |
Comments
The Microsoft Sentinel Analytics "Powershell Empire cmdlets seen in command line" query can detect the use of Empire, which can discover and exploit DLL hijacking opportunities, path interception opportunities in the PATH environment variable, search order hijacking vulnerabilities, and unquoted path vulnerabilities, but does not address other procedures.
References
|
microsoft_sentinel | Microsoft Sentinel | detect | minimal | T1574.008 | Path Interception by Search Order Hijacking |
Comments
The Microsoft Sentinel Analytics "Powershell Empire cmdlets seen in command line" query can detect the use of Empire, which can discover and exploit DLL hijacking opportunities, path interception opportunities in the PATH environment variable, search order hijacking vulnerabilities, and unquoted path vulnerabilities, but does not address other procedures.
References
|
microsoft_sentinel | Microsoft Sentinel | detect | minimal | T1574.009 | Path Interception by Unquoted Path |
Comments
The Microsoft Sentinel Analytics "Powershell Empire cmdlets seen in command line" query can detect the use of Empire, which can discover and exploit DLL hijacking opportunities, path interception opportunities in the PATH environment variable, search order hijacking vulnerabilities, and unquoted path vulnerabilities, but does not address other procedures.
References
|
microsoft_sentinel | Microsoft Sentinel | detect | minimal | T1578 | Modify Cloud Compute Infrastructure |
Comments
The Microsoft Sentinel Hunting "Azure Resources assigned Public IP addresses" query detect suspicious IP address changes.
References
|
microsoft_sentinel | Microsoft Sentinel | detect | minimal | T1580 | Cloud Infrastructure Discovery |
Comments
The Microsoft Sentinel Hunting "Azure storage key enumeration" query can identify potential attempts by an attacker to discover cloud infrastructure resources.
References
|
microsoft_sentinel | Microsoft Sentinel | detect | minimal | T1590 | Gather Victim Network Information |
Comments
This control detects a highly specific behavior that applies to one sub-technique of this technique.
References
|
microsoft_sentinel | Microsoft Sentinel | detect | minimal | T1590.002 | DNS |
Comments
The Microsoft Sentinel Analytics "Rare client observed with high reverse DNS lookup count" query can detect if a particular IP is observed performing an unusually high number of reverse DNS lookups and has not been observed doing so previously.
References
|
microsoft_sentinel | Microsoft Sentinel | detect | minimal | T1595 | Active Scanning |
Comments
The Microsoft Sentinel Analytics "Malformed user agent" query can detect hard-coded user-agent strings associated with some vulnerability scanning tools.
This control provides partial coverage for only one of this technique's sub-techniques, resulting in an overall score of Minimal.
References
|
microsoft_sentinel | Microsoft Sentinel | detect | partial | T1595.002 | Vulnerability Scanning |
Comments
The Microsoft Sentinel Analytics "High count of connections by client IP on many ports" query can identify client IP addresses with 30 or more active ports used within a ten minute window, checked at a default frequency of once per hour, which may indicate scanning. Note that false positives are probable based on changes in usage patterns and/or misconfiguration, and this detection only works if scanning is not spread out over a longer timespan.
References
|
microsoft_sentinel | Microsoft Sentinel | detect | partial | T1016.002 | Wi-Fi Discovery |
Comments
Microsoft Sentinel's ability to detect entities scanning the network configuration also covers the scanning of Wi-Fi connections, providing a detection mechanism against this technique.
References
|
microsoft_sentinel | Microsoft Sentinel | detect | partial | T1021.007 | Cloud Services |
Comments
The Microsoft Sentinel Analytics "Powershell Empire cmdlets seen in command line" query can detect the use of Empire, which can acquire network configuration information including DNS servers and network proxies used by a host, but does not address other procedures.
References
|
microsoft_sentinel | Microsoft Sentinel | detect | partial | T1021.008 | Direct Cloud VM Connections |
Comments
The Microsoft Sentinel Analytics "Powershell Empire cmdlets seen in command line" query can detect the use of Empire, which can acquire network configuration information including DNS servers and network proxies used by a host, but does not address other procedures.
References
|
microsoft_sentinel | Microsoft Sentinel | detect | partial | T1059.010 | AutoHotKey & AutoIT |
Comments
Microsoft Sentinel can potentially detect the use of malicious code, including automation scripts.
References
|
microsoft_sentinel | Microsoft Sentinel | detect | partial | T1059.011 | Lua |
Comments
Microsoft Sentinel can potentially detect the use of malicious code, including Lua scripts.
References
|
microsoft_sentinel | Microsoft Sentinel | detect | minimal | T1070.010 | Relocate Malware |
Comments
Microsoft Sentinel's ability to detect suspicious activity could detect malware relocation occurring on a system or network.
References
|
microsoft_sentinel | Microsoft Sentinel | detect | partial | T1071.005 | Publish/Subscribe Protocols |
Comments
Microsoft Sentinel can ingest pub/sub logs to determine if pub/sub protocol channels have been used for malicious activity. However, these determinations are met using a set of threat detection rules, meaning that adversaries who are able to skirt those rules may not be detected, leading to a partial rating.
References
|
microsoft_sentinel | Microsoft Sentinel | detect | partial | T1496.001 | Compute Hijacking |
Comments
The following Microsoft Sentinel Hunting queries can identify potential compute hijacking based on anomolies in access and usage patterns: "Anomalous Resource Creation and related Network Activity", "Creation of an anomalous number of resources".
The following Microsoft Sentinel Analytis queries can identify potential resource hijacking: "Creation of Expensive Computes in Azure" and "Suspicious number of resource creation or deployed" [sic] can identify suspicious outliers in resource quantities requested. "Suspicious Resource deployment" can identify deployments from new, potentially malicious, users. "Process execution frequency anomaly" can identify execution that may indicate hijacking. "DNS events related to mining pools", can identify potential cryptocurrency mining activity.
References
|
microsoft_sentinel | Microsoft Sentinel | detect | partial | T1496.002 | Bandwidth Hijacking |
Comments
The following Microsoft Sentinel Hunting queries can identify potential compute hijacking based on anomolies in access and usage patterns: "Anomalous Resource Creation and related Network Activity", "Creation of an anomalous number of resources".
The following Microsoft Sentinel Analytis queries can identify potential resource hijacking: "Creation of Expensive Computes in Azure" and "Suspicious number of resource creation or deployed" [sic] can identify suspicious outliers in resource quantities requested. "Suspicious Resource deployment" can identify deployments from new, potentially malicious, users. "Process execution frequency anomaly" can identify execution that may indicate hijacking. "DNS events related to mining pools", can identify potential cryptocurrency mining activity.
References
|
microsoft_sentinel | Microsoft Sentinel | detect | partial | T1496.003 | SMS Pumping |
Comments
The following Microsoft Sentinel Hunting queries can identify potential compute hijacking based on anomolies in access and usage patterns: "Anomalous Resource Creation and related Network Activity", "Creation of an anomalous number of resources".
The following Microsoft Sentinel Analytis queries can identify potential resource hijacking: "Creation of Expensive Computes in Azure" and "Suspicious number of resource creation or deployed" [sic] can identify suspicious outliers in resource quantities requested. "Suspicious Resource deployment" can identify deployments from new, potentially malicious, users. "Process execution frequency anomaly" can identify execution that may indicate hijacking. "DNS events related to mining pools", can identify potential cryptocurrency mining activity.
References
|
microsoft_sentinel | Microsoft Sentinel | detect | partial | T1496.004 | Cloud Service Hijacking |
Comments
The following Microsoft Sentinel Hunting queries can identify potential resource hijacking based on anomolies in access and usage patterns: "Anomalous Resource Creation and related Network Activity", "Creation of an anomalous number of resources".
The following Microsoft Sentinel Analytis queries can identify potential resource hijacking: "Creation of Expensive Computes in Azure" and "Suspicious number of resource creation or deployed" [sic] can identify suspicious outliers in resource quantities requested. "Suspicious Resource deployment" can identify deployments from new, potentially malicious, users. "Process execution frequency anomaly" can identify execution that may indicate hijacking. "DNS events related to mining pools", can identify potential cryptocurrency mining activity.
References
|
microsoft_sentinel | Microsoft Sentinel | detect | minimal | T1543.005 | Container Service |
Comments
The Microsoft Sentinel Analytics "Powershell Empire cmdlets seen in command line" query can detect the use of Empire, which can modify service binaries and restore them to their original states, but does not address other procedures.
References
|
microsoft_sentinel | Microsoft Sentinel | detect | minimal | T1547.013 | XDG Autostart Entries |
Comments
The Microsoft Sentinel Analytics "Powershell Empire cmdlets seen in command line" query can detect the use of Empire, which can enumerate SSPs, install malicious SSPs, persist by modifying .lnk files to include backdoors, and modify the registry run keys, but does not address other procedures.
References
|
microsoft_sentinel | Microsoft Sentinel | detect | minimal | T1547.014 | Active Setup |
Comments
The Microsoft Sentinel Analytics "Powershell Empire cmdlets seen in command line" query can detect the use of Empire, which can enumerate SSPs, install malicious SSPs, persist by modifying .lnk files to include backdoors, and modify the registry run keys, but does not address other procedures.
References
|
microsoft_sentinel | Microsoft Sentinel | detect | minimal | T1547.015 | Login Items |
Comments
The Microsoft Sentinel Analytics "Powershell Empire cmdlets seen in command line" query can detect the use of Empire, which can enumerate SSPs, install malicious SSPs, persist by modifying .lnk files to include backdoors, and modify the registry run keys, but does not address other procedures.
References
|
microsoft_sentinel | Microsoft Sentinel | detect | minimal | T1648 | Serverless Execution |
Comments
Integrating Azure Functions with Azure Monitor Logs and Microsoft Sentinel can provide insights into Serverless Execution activities and unusual Serverless function modifications.
References
|
defender_for_storage | Microsoft Defender for Cloud: Defender for Storage | detect | significant | T1078.004 | Cloud Accounts |
Comments
This control may generate alerts based on unfamiliar or suspicious IP addresses, TOR exit node, and anonymous access.
References
|
defender_for_storage | Microsoft Defender for Cloud: Defender for Storage | detect | significant | T1530 | Data from Cloud Storage |
Comments
A variety of alerts may be generated by malicious access and enumeration of Azure Storage.
References
|
defender_for_storage | Microsoft Defender for Cloud: Defender for Storage | respond | partial | T1105 | Ingress Tool Transfer |
Comments
When a file is suspected to contain malware, Security Center displays an alert and can optionally email the storage owner for approval to delete the suspicious file. This delete response capability leads to a Response type of Eradication although it is specific to Azure Blob, Azure Files and Azure Data Lake Storage storage types resulting in an overall score of Partial.
References
|
defender_for_storage | Microsoft Defender for Cloud: Defender for Storage | respond | partial | T1080 | Taint Shared Content |
Comments
When a file is suspected to contain malware, Security Center displays an alert and can optionally email the storage owner for approval to delete the suspicious file. This delete response capability leads to a Response type of Eradication although it is specific to Azure Blob, Azure Files and Azure Data Lake Storage storage types resulting in an overall score of Partial.
References
|
defender_for_storage | Microsoft Defender for Cloud: Defender for Storage | detect | partial | T1537 | Transfer Data to Cloud Account |
Comments
This control may alert on unusually large amounts of data being extracted from Azure storage and suspicious access to storage accounts. There are no alerts specifically tied to data transfer between cloud accounts but there are several alerts for anomalous storage access and transfer.
References
|
defender_for_storage | Microsoft Defender for Cloud: Defender for Storage | detect | partial | T1105 | Ingress Tool Transfer |
Comments
This control may alert on upload of possible malware or executable and Azure Cloud Services Package files. These alerts are dependent on Microsoft threat intelligence and may not alert on novel or modified malware.
References
|
defender_for_storage | Microsoft Defender for Cloud: Defender for Storage | detect | partial | T1080 | Taint Shared Content |
Comments
This control may alert on upload of possible malware or executable and Azure Cloud Services Package files. These alerts are dependent on Microsoft threat intelligence and may not alert on novel or modified malware.
References
|
defender_for_storage | Microsoft Defender for Cloud: Defender for Storage | detect | minimal | T1485 | Data Destruction |
Comments
This control may generate alerts when there has been an unusual or unexpected delete operation within Azure cloud storage. Alerts may not be generated by disabling of storage backups, versioning, or editing of storage objects.
References
|
defender_for_storage | Microsoft Defender for Cloud: Defender for Storage | detect | minimal | T1078 | Valid Accounts |
Comments
This control provides minimal detection for its procedure examples. Additionally, it is able to detect only one of its sub-techniques (Cloud Accounts) resulting in a Minimal Coverage score and consequently an overall score of Minimal.
References
|
file_integrity_monitoring | Microsoft Defender for Cloud: File Integrity Monitoring | detect | minimal | T1003 | OS Credential Dumping |
Comments
Most credential dumping operations do not require modifying resources that can be detected by this control (i.e. Registry and File system) and therefore its coverage is minimal.
References
|
file_integrity_monitoring | Microsoft Defender for Cloud: File Integrity Monitoring | detect | minimal | T1098 | Account Manipulation |
Comments
This control can detect account manipulation.
References
|
file_integrity_monitoring | Microsoft Defender for Cloud: File Integrity Monitoring | detect | minimal | T1137 | Office Application Startup |
Comments
This control can detect peristence via office application startup.
References
|
file_integrity_monitoring | Microsoft Defender for Cloud: File Integrity Monitoring | detect | minimal | T1546.010 | AppInit DLLs |
Comments
The detection score for this group of sub-techniques is assessed as Minimal due to the accuracy component of the score. The registry keys which are modified as a result of these sub-techniques can change frequently or are too numerous to monitor and therefore can result in significant amount of false positives.
References
|
file_integrity_monitoring | Microsoft Defender for Cloud: File Integrity Monitoring | detect | minimal | T1546.015 | Component Object Model Hijacking |
Comments
The detection score for this group of sub-techniques is assessed as Minimal due to the accuracy component of the score. The registry keys which are modified as a result of these sub-techniques can change frequently or are too numerous to monitor and therefore can result in significant amount of false positives.
References
|
file_integrity_monitoring | Microsoft Defender for Cloud: File Integrity Monitoring | detect | minimal | T1548 | Abuse Elevation Control Mechanism |
Comments
This control can detect abuse of elevation control mechanisms.
References
|
file_integrity_monitoring | Microsoft Defender for Cloud: File Integrity Monitoring | detect | minimal | T1548.002 | Bypass User Account Control |
Comments
Some UAC bypass methods rely on modifying specific, user-accessible Registry settings that can be monitored using this control. Overall, there are numerous other bypass methods that do not result in Registry modification that this control will not be effective in detection resulting in a low detection coverage factor.
References
|
file_integrity_monitoring | Microsoft Defender for Cloud: File Integrity Monitoring | detect | minimal | T1562 | Impair Defenses |
Comments
Due to low detection coverage, this technique is scored as minimal.
References
|
file_integrity_monitoring | Microsoft Defender for Cloud: File Integrity Monitoring | detect | minimal | T1562.001 | Disable or Modify Tools |
Comments
This control can be used to monitor Registry keys related to security software or event logging processes that can detect when an adversary attempts to disable these tools via modifying or deleting Registry keys. A majority of the cited procedure examples for this sub-technique are related to killing security processes rather than modifying the Registry, and therefore the detection coverage for this control is low.
References
|
file_integrity_monitoring | Microsoft Defender for Cloud: File Integrity Monitoring | detect | minimal | T1562.004 | Disable or Modify System Firewall |
Comments
There are numerous ways depending on the operating system that these sub-techniques can be accomplished. Monitoring the Windows Registry is one way depending on the procedure chosen to implement the sub-technique and therefore the overall coverage is low.
References
|
file_integrity_monitoring | Microsoft Defender for Cloud: File Integrity Monitoring | detect | minimal | T1562.006 | Indicator Blocking |
Comments
There are numerous ways depending on the operating system that these sub-techniques can be accomplished. Monitoring the Windows Registry is one way depending on the procedure chosen to implement the sub-technique and therefore the overall coverage is low.
References
|
file_integrity_monitoring | Microsoft Defender for Cloud: File Integrity Monitoring | detect | minimal | T1574 | Hijack Execution Flow |
Comments
This control can detect hijacked execution flow.
References
|
file_integrity_monitoring | Microsoft Defender for Cloud: File Integrity Monitoring | detect | partial | T1003.001 | LSASS Memory |
Comments
This control can be used to detect the Windows Security Support Provider (SSP) DLLs variation of this sub-technique by monitoring the Registry keys used to register these DLLs. These keys should change infrequently and therefore false positives should be minimal.
References
|
file_integrity_monitoring | Microsoft Defender for Cloud: File Integrity Monitoring | detect | partial | T1036.007 | Double File Extension |
Comments
This control can detect when files with two file extensions are created.
References
|
file_integrity_monitoring | Microsoft Defender for Cloud: File Integrity Monitoring | detect | partial | T1036.008 | Masquerade File Type |
Comments
This control can detect if files are created or edited where the header and extension do not match.
References
|
file_integrity_monitoring | Microsoft Defender for Cloud: File Integrity Monitoring | detect | partial | T1037 | Boot or Logon Initialization Scripts |
Comments
This control can detect abuse of boot or logon initialization scripts.
References
|
file_integrity_monitoring | Microsoft Defender for Cloud: File Integrity Monitoring | detect | partial | T1037.001 | Logon Script (Windows) |
Comments
This control may detect changes to the Windows registry upon creation or modification of logon scripts. This control at worst scans for changes on an hourly basis.
References
|
file_integrity_monitoring | Microsoft Defender for Cloud: File Integrity Monitoring | detect | partial | T1037.003 | Network Logon Script |
Comments
This control may detect changes to the Windows registry upon creation or modification of logon scripts. This control at worst scans for changes on an hourly basis.
References
|
file_integrity_monitoring | Microsoft Defender for Cloud: File Integrity Monitoring | detect | partial | T1053.001 | At (Linux) |
Comments
This control may detect changes to the Windows registry upon creation or modification of scheduled tasks. This control may also detect changes to files used by cron or systemd to create/modify scheduled tasks. The specificity of registry keys and files used in creation or modification of these scheduled tasks may reduce the false positive rate. This control at worst scans for changes on an hourly basis.
References
|
file_integrity_monitoring | Microsoft Defender for Cloud: File Integrity Monitoring | detect | partial | T1053.002 | At |
Comments
This control may detect changes to the Windows registry upon creation or modification of scheduled tasks. This control may also detect changes to files used by cron or systemd to create/modify scheduled tasks. The specificity of registry keys and files used in creation or modification of these scheduled tasks may reduce the false positive rate. This control at worst scans for changes on an hourly basis.
References
|
file_integrity_monitoring | Microsoft Defender for Cloud: File Integrity Monitoring | detect | partial | T1053.003 | Cron |
Comments
This control may detect changes to the Windows registry upon creation or modification of scheduled tasks. This control may also detect changes to files used by cron or systemd to create/modify scheduled tasks. The specificity of registry keys and files used in creation or modification of these scheduled tasks may reduce the false positive rate. This control at worst scans for changes on an hourly basis.
References
|
file_integrity_monitoring | Microsoft Defender for Cloud: File Integrity Monitoring | detect | partial | T1053.005 | Scheduled Task |
Comments
This control may detect changes to the Windows registry upon creation or modification of scheduled tasks. This control may also detect changes to files used by cron or systemd to create/modify scheduled tasks. The specificity of registry keys and files used in creation or modification of these scheduled tasks may reduce the false positive rate. This control at worst scans for changes on an hourly basis.
References
|
file_integrity_monitoring | Microsoft Defender for Cloud: File Integrity Monitoring | detect | partial | T1053.006 | Systemd Timers |
Comments
This control may detect changes to the Windows registry upon creation or modification of scheduled tasks. This control may also detect changes to files used by cron or systemd to create/modify scheduled tasks. The specificity of registry keys and files used in creation or modification of these scheduled tasks may reduce the false positive rate. This control at worst scans for changes on an hourly basis.
References
|
file_integrity_monitoring | Microsoft Defender for Cloud: File Integrity Monitoring | detect | partial | T1070.007 | Clear Network Connection History and Configurations |
Comments
This control can detect changes to files associated with this technique.
References
|
file_integrity_monitoring | Microsoft Defender for Cloud: File Integrity Monitoring | detect | partial | T1070.008 | Clear Mailbox Data |
Comments
This control can detect changes to files associated with this technique.
References
|
file_integrity_monitoring | Microsoft Defender for Cloud: File Integrity Monitoring | detect | partial | T1070.009 | Clear Persistence |
Comments
This control can detect changes to files associated with this technique.
References
|
file_integrity_monitoring | Microsoft Defender for Cloud: File Integrity Monitoring | detect | partial | T1070.010 | Relocate Malware |
Comments
This control can detect changes to files associated with this technique.
References
|
file_integrity_monitoring | Microsoft Defender for Cloud: File Integrity Monitoring | detect | partial | T1098.004 | SSH Authorized Keys |
Comments
This control may detect changes to the SSH authorized keys file which may indicate establishment of persistence. This control at worst scans for changes on an hourly basis.
References
|
file_integrity_monitoring | Microsoft Defender for Cloud: File Integrity Monitoring | detect | partial | T1137.002 | Office Test |
Comments
This control may detect changes to the Windows registry to establish persistence with the Office Test sub-technique. The specificity of registry keys involved may reduce the false positive rate. This control at worst scans for changes on an hourly basis.
References
|
file_integrity_monitoring | Microsoft Defender for Cloud: File Integrity Monitoring | detect | partial | T1222 | File and Directory Permissions Modification |
Comments
This control can detect file and directory permissions modification.
References
|
file_integrity_monitoring | Microsoft Defender for Cloud: File Integrity Monitoring | detect | partial | T1222.001 | Windows File and Directory Permissions Modification |
Comments
This control can detect changes to the permissions of Windows and Linux files and can be used to detect modifications to sensitive directories and files that shouldn't change frequently. This control at worst scans for changes on an hourly basis.
References
|
file_integrity_monitoring | Microsoft Defender for Cloud: File Integrity Monitoring | detect | partial | T1222.002 | Linux and Mac File and Directory Permissions Modification |
Comments
This control can detect changes to the permissions of Windows and Linux files and can be used to detect modifications to sensitive directories and files that shouldn't change frequently. This control at worst scans for changes on an hourly basis.
References
|
file_integrity_monitoring | Microsoft Defender for Cloud: File Integrity Monitoring | detect | partial | T1505.004 | IIS Components |
Comments
This control can detect when files associated with the technique are created or modified, such as %windir%\system32\inetsrv\config\applicationhost.config.
References
|
file_integrity_monitoring | Microsoft Defender for Cloud: File Integrity Monitoring | detect | partial | T1505.005 | Terminal Services DLL |
Comments
This control can detect when files or registry keys associated with this technique are created or modified, such as termsrv.dll and ServiceDll.
References
|
file_integrity_monitoring | Microsoft Defender for Cloud: File Integrity Monitoring | detect | partial | T1543 | Create or Modify System Process |
Comments
This control can detect creation or modification of system-level processes.
References
|
file_integrity_monitoring | Microsoft Defender for Cloud: File Integrity Monitoring | detect | partial | T1543.002 | Systemd Service |
Comments
This control may detect changes to the Windows registry upon creation or modification of Windows services. This control may also detect changes to files used by systemd to create/modify systemd services. The specificity of registry keys and files used in creation or modification of these scheduled tasks may reduce the false positive rate. This control at worst scans for changes on an hourly basis.
References
|
file_integrity_monitoring | Microsoft Defender for Cloud: File Integrity Monitoring | detect | partial | T1543.003 | Windows Service |
Comments
This control may detect changes to the Windows registry upon creation or modification of Windows services. This control may also detect changes to files used by systemd to create/modify systemd services. The specificity of registry keys and files used in creation or modification of these scheduled tasks may reduce the false positive rate. This control at worst scans for changes on an hourly basis.
References
|
file_integrity_monitoring | Microsoft Defender for Cloud: File Integrity Monitoring | detect | partial | T1546 | Event Triggered Execution |
Comments
The detection score for this technique was assessed as Partial because it doesn't detect some of the sub-techniques of this technique such as Windows Management Instrumentation (WMI) Event Subscription and Trap sub-techniques. Additionally for some sub-techniques, this control can be noisy.
References
|
file_integrity_monitoring | Microsoft Defender for Cloud: File Integrity Monitoring | detect | partial | T1546.001 | Change Default File Association |
Comments
This control may detect changes to the Windows registry or files that indicate event triggered execution. The specificity of registry keys and files used in creation or modification of these scheduled tasks may reduce the false positive rate. This control at worst scans for changes on an hourly basis.
References
|
file_integrity_monitoring | Microsoft Defender for Cloud: File Integrity Monitoring | detect | partial | T1546.002 | Screensaver |
Comments
This control may detect changes to the Windows registry or files that indicate event triggered execution. The specificity of registry keys and files used in creation or modification of these scheduled tasks may reduce the false positive rate. This control at worst scans for changes on an hourly basis.
References
|
file_integrity_monitoring | Microsoft Defender for Cloud: File Integrity Monitoring | detect | partial | T1546.004 | Unix Shell Configuration Modification |
Comments
This control may detect changes to the Windows registry or files that indicate event triggered execution. The specificity of registry keys and files used in creation or modification of these scheduled tasks may reduce the false positive rate. This control at worst scans for changes on an hourly basis.
References
|
file_integrity_monitoring | Microsoft Defender for Cloud: File Integrity Monitoring | detect | partial | T1546.007 | Netsh Helper DLL |
Comments
This control may detect changes to the Windows registry or files that indicate event triggered execution. The specificity of registry keys and files used in creation or modification of these scheduled tasks may reduce the false positive rate. This control at worst scans for changes on an hourly basis.
References
|
file_integrity_monitoring | Microsoft Defender for Cloud: File Integrity Monitoring | detect | partial | T1546.008 | Accessibility Features |
Comments
This control may detect changes to the Windows registry or files that indicate event triggered execution. The specificity of registry keys and files used in creation or modification of these scheduled tasks may reduce the false positive rate. This control at worst scans for changes on an hourly basis.
References
|
file_integrity_monitoring | Microsoft Defender for Cloud: File Integrity Monitoring | detect | partial | T1546.009 | AppCert DLLs |
Comments
This control may detect changes to the Windows registry or files that indicate event triggered execution. The specificity of registry keys and files used in creation or modification of these scheduled tasks may reduce the false positive rate. This control at worst scans for changes on an hourly basis.
References
|
file_integrity_monitoring | Microsoft Defender for Cloud: File Integrity Monitoring | detect | partial | T1546.011 | Application Shimming |
Comments
This control may detect changes to the Windows registry or files that indicate event triggered execution. The specificity of registry keys and files used in creation or modification of these scheduled tasks may reduce the false positive rate. This control at worst scans for changes on an hourly basis.
References
|
file_integrity_monitoring | Microsoft Defender for Cloud: File Integrity Monitoring | detect | partial | T1546.012 | Image File Execution Options Injection |
Comments
This control may detect changes to the Windows registry or files that indicate event triggered execution. The specificity of registry keys and files used in creation or modification of these scheduled tasks may reduce the false positive rate. This control at worst scans for changes on an hourly basis.
References
|
file_integrity_monitoring | Microsoft Defender for Cloud: File Integrity Monitoring | detect | partial | T1546.013 | PowerShell Profile |
Comments
This control may detect changes to the Windows registry or files that indicate event triggered execution. The specificity of registry keys and files used in creation or modification of these scheduled tasks may reduce the false positive rate. This control at worst scans for changes on an hourly basis.
References
|
file_integrity_monitoring | Microsoft Defender for Cloud: File Integrity Monitoring | detect | partial | T1546.016 | Installer Packages |
Comments
This control can detect event triggered execution via installer packages.
References
|
file_integrity_monitoring | Microsoft Defender for Cloud: File Integrity Monitoring | detect | partial | T1546.017 | Udev Rules |
Comments
This control can detect event triggered execution via udev rules.
References
|
file_integrity_monitoring | Microsoft Defender for Cloud: File Integrity Monitoring | detect | partial | T1547 | Boot or Logon Autostart Execution |
Comments
This control can detect boot or logon autostart execution.
References
|
file_integrity_monitoring | Microsoft Defender for Cloud: File Integrity Monitoring | detect | partial | T1547.001 | Registry Run Keys / Startup Folder |
Comments
This control may detect changes to the Windows registry or files that enable Boot or Logon Autostart Execution. This control at worst scans for changes on an hourly basis.
References
|
file_integrity_monitoring | Microsoft Defender for Cloud: File Integrity Monitoring | detect | partial | T1547.002 | Authentication Package |
Comments
This control may detect changes to the Windows registry or files that enable Boot or Logon Autostart Execution. This control at worst scans for changes on an hourly basis.
References
|
file_integrity_monitoring | Microsoft Defender for Cloud: File Integrity Monitoring | detect | partial | T1547.003 | Time Providers |
Comments
This control may detect changes to the Windows registry or files that enable Boot or Logon Autostart Execution. This control at worst scans for changes on an hourly basis.
References
|
file_integrity_monitoring | Microsoft Defender for Cloud: File Integrity Monitoring | detect | partial | T1547.004 | Winlogon Helper DLL |
Comments
This control may detect changes to the Windows registry or files that enable Boot or Logon Autostart Execution. This control at worst scans for changes on an hourly basis.
References
|
file_integrity_monitoring | Microsoft Defender for Cloud: File Integrity Monitoring | detect | partial | T1547.005 | Security Support Provider |
Comments
This control may detect changes to the Windows registry or files that enable Boot or Logon Autostart Execution. This control at worst scans for changes on an hourly basis.
References
|
file_integrity_monitoring | Microsoft Defender for Cloud: File Integrity Monitoring | detect | partial | T1547.006 | Kernel Modules and Extensions |
Comments
This control may detect changes to the Windows registry or files that enable Boot or Logon Autostart Execution. This control at worst scans for changes on an hourly basis.
References
|
file_integrity_monitoring | Microsoft Defender for Cloud: File Integrity Monitoring | detect | partial | T1547.008 | LSASS Driver |
Comments
This control may detect changes to the Windows registry or files that enable Boot or Logon Autostart Execution. This control at worst scans for changes on an hourly basis.
References
|
file_integrity_monitoring | Microsoft Defender for Cloud: File Integrity Monitoring | detect | partial | T1547.009 | Shortcut Modification |
Comments
This control may detect changes to the Windows registry or files that enable Boot or Logon Autostart Execution. This control at worst scans for changes on an hourly basis.
References
|
file_integrity_monitoring | Microsoft Defender for Cloud: File Integrity Monitoring | detect | partial | T1547.010 | Port Monitors |
Comments
This control may detect changes to the Windows registry or files that enable Boot or Logon Autostart Execution. This control at worst scans for changes on an hourly basis.
References
|
file_integrity_monitoring | Microsoft Defender for Cloud: File Integrity Monitoring | detect | partial | T1547.012 | Print Processors |
Comments
This control may detect changes to the Windows registry or files that enable Boot or Logon Autostart Execution. This control at worst scans for changes on an hourly basis.
References
|
file_integrity_monitoring | Microsoft Defender for Cloud: File Integrity Monitoring | detect | partial | T1547.014 | Active Setup |
Comments
This control can detect commands or registry key modifications associated with Active Setup such as HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\.
References
|
file_integrity_monitoring | Microsoft Defender for Cloud: File Integrity Monitoring | detect | partial | T1548.003 | Sudo and Sudo Caching |
Comments
This control may detect changes to the sudoers file which may indicate privilege escalation. This control at worst scans for changes on an hourly basis.
References
|
file_integrity_monitoring | Microsoft Defender for Cloud: File Integrity Monitoring | detect | partial | T1553 | Subvert Trust Controls |
Comments
This control can be used to detect a subset of this technique's sub-techniques while minimizing the false positive rate.
References
|
file_integrity_monitoring | Microsoft Defender for Cloud: File Integrity Monitoring | detect | partial | T1553.003 | SIP and Trust Provider Hijacking |
Comments
This control can detect modifications made to the Registry keys used to register Windows Subject Interface Packages (SIPs). Because this sub-technique can be accomplished without modifying the Registry via DLL Search Order Hijacking, it has been scored as Partial. The related Registry keys should not change often and therefore the false positive rate should be minimal. This control at worst scans for changes on an hourly basis.
References
|
file_integrity_monitoring | Microsoft Defender for Cloud: File Integrity Monitoring | detect | partial | T1553.004 | Install Root Certificate |
Comments
This control can be used to detect when the system root certificates has changed by detecting the corresponding Registry or File system modifications that occur as a result. These root certificates should not change often and therefore the false positive rate is minimal. This control at worst scans for changes on an hourly basis.
References
|
file_integrity_monitoring | Microsoft Defender for Cloud: File Integrity Monitoring | detect | partial | T1556 | Modify Authentication Process |
Comments
This control is effective for detecting the Registry and file system artifacts that are generated during the execution of some variations of this technique while minimizing false positives due to the locations being monitored changing infrequently (e.g. /etc/pam.d/).
References
|
file_integrity_monitoring | Microsoft Defender for Cloud: File Integrity Monitoring | detect | partial | T1556.002 | Password Filter DLL |
Comments
The Registry key used to register a Password Filter DLL can be monitored for changes using this control providing substantial coverage of this sub-technique. This key should not change often and therefore false positives should be minimal. This control at worst scans for changes on an hourly basis.
References
|
file_integrity_monitoring | Microsoft Defender for Cloud: File Integrity Monitoring | detect | partial | T1556.003 | Pluggable Authentication Modules |
Comments
The PAM configuration and module paths (/etc/pam.d/) can be monitored for changes using this control. The files in this path should not change often and therefore false positives should be minimal. This control at worst scans for changes on an hourly basis.
References
|
file_integrity_monitoring | Microsoft Defender for Cloud: File Integrity Monitoring | detect | partial | T1556.007 | Hybrid Identity |
Comments
This control can monitor for suspicious modification of files associated with hybrid identity authentication processes, such as configuration files.
References
|
file_integrity_monitoring | Microsoft Defender for Cloud: File Integrity Monitoring | detect | partial | T1556.008 | Network Provider DLL |
Comments
This control can monitor for creation or changes to registry keys associated with network provider DLL such as HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\
References
|
file_integrity_monitoring | Microsoft Defender for Cloud: File Integrity Monitoring | detect | partial | T1564.008 | Email Hiding Rules |
Comments
This control can detect when files are modified related to email rules such as RulesActiveState.plist, SyncedRules.plist, UnsyncedRules.plist, and MessageRules.plist on MacOS.
References
|
file_integrity_monitoring | Microsoft Defender for Cloud: File Integrity Monitoring | detect | partial | T1564.009 | Resource Forking |
Comments
This control can detect when files are created or modified related to resource forking.
References
|
file_integrity_monitoring | Microsoft Defender for Cloud: File Integrity Monitoring | detect | partial | T1564.012 | File/Path Exclusions |
Comments
This control can detect when files are created in folders associated with or spoofing that of trusted applications.
References
|
file_integrity_monitoring | Microsoft Defender for Cloud: File Integrity Monitoring | detect | partial | T1574.006 | Dynamic Linker Hijacking |
Comments
This control may detect changes to the ld.so.preload file which may indicate an attempt to hijack execution flow. This sub-technique may also be utilized through an environment variable which this control may not detect. This control at worst scans for changes on an hourly basis.
References
|
file_integrity_monitoring | Microsoft Defender for Cloud: File Integrity Monitoring | detect | partial | T1574.007 | Path Interception by PATH Environment Variable |
Comments
This control can detect file changes on VMs indicative of Path Interception by PATH Environment Variable.
References
|
file_integrity_monitoring | Microsoft Defender for Cloud: File Integrity Monitoring | detect | partial | T1574.008 | Path Interception by Search Order Hijacking |
Comments
This control can detect file changes on VMs indicative of Path Interception by Search Order Hijacking.
References
|
file_integrity_monitoring | Microsoft Defender for Cloud: File Integrity Monitoring | detect | partial | T1574.009 | Path Interception by Unquoted Path |
Comments
This control can detect file changes on VMs indicative of Path Interception by Unquoted Path.
References
|
file_integrity_monitoring | Microsoft Defender for Cloud: File Integrity Monitoring | detect | partial | T1574.014 | AppDomainManager |
Comments
This control can detect file changes on VMs indicative of hijacking of the AppDomainManager.
References
|
file_integrity_monitoring | Microsoft Defender for Cloud: File Integrity Monitoring | detect | significant | T1053 | Scheduled Task/Job |
Comments
This control can detect scheduled tasks/jobs.
References
|
docker_host_hardening | Microsoft Defender for Cloud: Docker Host Hardening | detect | minimal | T1525 | Implant Internal Image |
Comments
This control may alert on Docker containers that are misconfigured or do not conform to CIS Docker Benchmarks. This may result in detection of container images implanted within Linux VMs with specific vulnerabilities or misconfigurations for malicious purposes.
References
|
docker_host_hardening | Microsoft Defender for Cloud: Docker Host Hardening | protect | minimal | T1005 | Data from Local System |
Comments
This control may provide recommendations that limit the ability of an attacker to gain access to a host from a container, preventing the attacker from discovering and compromising local system data.
References
|
docker_host_hardening | Microsoft Defender for Cloud: Docker Host Hardening | protect | minimal | T1021 | Remote Services |
Comments
This control can protect against abuse of remote services.
References
|
docker_host_hardening | Microsoft Defender for Cloud: Docker Host Hardening | protect | minimal | T1021.004 | SSH |
Comments
This control may provide recommendations to ensure sshd is not running within Docker containers. This can prevent attackers from utilizing unmonitored SSH servers within containers. This may not prevent attackers from installing a SSH server in containers or hosts.
References
|
docker_host_hardening | Microsoft Defender for Cloud: Docker Host Hardening | protect | minimal | T1040 | Network Sniffing |
Comments
This control may recommend usage of TLS to encrypt communication between the Docker daemon and clients. This can prevent possible leakage of sensitive information through network sniffing.
References
|
docker_host_hardening | Microsoft Defender for Cloud: Docker Host Hardening | protect | minimal | T1068 | Exploitation for Privilege Escalation |
Comments
This control may provide recommendations on how to reduce the surface area and mechanisms by which an attacker could escalate privileges.
References
|
docker_host_hardening | Microsoft Defender for Cloud: Docker Host Hardening | protect | minimal | T1083 | File and Directory Discovery |
Comments
This control may provide recommendations to ensure sensitive host system directories are not mounted in the container.
References
|
docker_host_hardening | Microsoft Defender for Cloud: Docker Host Hardening | protect | minimal | T1548 | Abuse Elevation Control Mechanism |
Comments
This control is only relevant for Linux endpoints containing Docker containers.
References
|
docker_host_hardening | Microsoft Defender for Cloud: Docker Host Hardening | protect | minimal | T1548.001 | Setuid and Setgid |
Comments
This control may provide recommendations to remove setuid and setguid permissions from container images. It may not be feasible to audit and remediate all binaries that have and require setuid and setguid permissions.
References
|
docker_host_hardening | Microsoft Defender for Cloud: Docker Host Hardening | protect | partial | T1021.007 | Cloud Services |
Comments
This control can protect against abuse of remote cloud services.
References
|
docker_host_hardening | Microsoft Defender for Cloud: Docker Host Hardening | protect | partial | T1021.008 | Direct Cloud VM Connections |
Comments
This control can protect against abuse of direct cloud VM connections.
References
|
devops_security | Microsoft Defender for Cloud: DevOps Security | protect | partial | T1098 | Account Manipulation |
Comments
This capability can protect against Account Manipulation by requiring DevOps best practices.
References
|
devops_security | Microsoft Defender for Cloud: DevOps Security | protect | partial | T1098.001 | Additional Cloud Credentials |
Comments
This capability can protect against creation of additional cloud credentials by requiring DevOps best practices.
References
|
devops_security | Microsoft Defender for Cloud: DevOps Security | protect | partial | T1213.003 | Code Repositories |
Comments
This control can protect against repository misconfigurations.
References
|
devops_security | Microsoft Defender for Cloud: DevOps Security | protect | partial | T1552.007 | Container API |
Comments
This capability can protect against unsecured Container API credentials by ensuring credential security is part of the DevOps process.
References
|
devops_security | Microsoft Defender for Cloud: DevOps Security | protect | partial | T1557 | Adversary-in-the-Middle |
Comments
This capability can protect against adversary-in-the-middle attacks by ensuring encryption is baked into the DevOps process of applications.
References
|
devops_security | Microsoft Defender for Cloud: DevOps Security | protect | partial | T1564.009 | Resource Forking |
Comments
This control can provide DevOps guidance that applications should use the application bundle structure which leverages the /Resources folder location to mitigate resource forking.
References
|
devops_security | Microsoft Defender for Cloud: DevOps Security | protect | partial | T1593.003 | Code Repositories |
Comments
This control can protect code repositories by employing DevSecOps best practices.
References
|
devops_security | Microsoft Defender for Cloud: DevOps Security | protect | significant | T1189 | Drive-by Compromise |
Comments
This capability can protect against drive by compromise by ensuring application security is baked into DevOps.
References
|
devops_security | Microsoft Defender for Cloud: DevOps Security | protect | significant | T1190 | Exploit Public-Facing Application |
Comments
This capability can protect against exploitation of public facing applications by ensuring application security is baked into DevOps.
References
|
advanced_threat_protection_for_azure_sql_database | Advanced Threat Protection for Azure SQL Database | detect | minimal | T1078 | Valid Accounts |
Comments
This control only provides alerts for a set of Azure database offerings. Databases that have been deployed to endpoints within Azure or third-party databases deployed to Azure do not generate alerts for this control.
References
|
advanced_threat_protection_for_azure_sql_database | Advanced Threat Protection for Azure SQL Database | detect | minimal | T1110 | Brute Force |
Comments
This control covers the majority of sub-techniques for this parent technique and may cover both successful and unsuccessful brute force attacks. This control only provides alerts for a set of Azure database offerings. Databases that have been deployed to endpoints within Azure or third-party databases deployed to Azure do not generate alerts for this control.
References
|
advanced_threat_protection_for_azure_sql_database | Advanced Threat Protection for Azure SQL Database | detect | minimal | T1110.001 | Password Guessing |
Comments
This control may alert on repeated sign in attempts to the resource and successful logins from a suspicious location, IP address, or a user that does not commonly log in to the resource. Because this control is specific to Azure database offerings, the detection coverage is Minimal.
References
|
advanced_threat_protection_for_azure_sql_database | Advanced Threat Protection for Azure SQL Database | detect | minimal | T1110.003 | Password Spraying |
Comments
This control may alert on repeated sign in attempts to the resource and successful logins from a suspicious location, IP address, or a user that does not commonly log in to the resource. Because this control is specific to Azure database offerings, the detection coverage is Minimal.
References
|
advanced_threat_protection_for_azure_sql_database | Advanced Threat Protection for Azure SQL Database | detect | minimal | T1110.004 | Credential Stuffing |
Comments
This control may alert on repeated sign in attempts to the resource and successful logins from a suspicious location, IP address, or a user that does not commonly log in to the resource. Because this control is specific to Azure database offerings, the detection coverage is Minimal.
References
|
advanced_threat_protection_for_azure_sql_database | Advanced Threat Protection for Azure SQL Database | detect | minimal | T1190 | Exploit Public-Facing Application |
Comments
This control may alert on usage of faulty SQL statements. This generates an alert for a possible SQL injection by an application. Alerts may not be generated on usage of valid SQL statements by attackers for malicious purposes.
References
|
advanced_threat_protection_for_azure_sql_database | Advanced Threat Protection for Azure SQL Database | detect | minimal | T1213 | Data from Information Repositories |
Comments
This control may alert on extraction of a large amount of data to an unusual location. No documentation is provided on the logic for determining an unusual location.
References
|
advanced_threat_protection_for_azure_sql_database | Advanced Threat Protection for Azure SQL Database | detect | partial | T1078.004 | Cloud Accounts |
Comments
This control may alert on logon events that are suspicious. This includes logins from unusual locations, logins from suspicious IP addresses, and users that do not commonly access the resource. These alerts may limit the ability of an attacker to utilize a valid cloud account to access and manipulate Azure databases.
References
|
ai_security_recommendations | Microsoft Defender for Cloud: AI Security Recommendations | protect | minimal | T1040 | Network Sniffing |
Comments
This control's recommendations related to enforcing the usage of the secure versions of the HTTP and FTP protocols (HTTPS and FTPS) can lead to encrypting traffic which reduces the ability for an adversary to gather sensitive data via network sniffing.
This also applies to the "Service Fabric clusters should have the ClusterProtectionLevel property set to EncryptAndSign", "Enforce SSL connection should be enabled for MySQL database servers", "Enforce SSL connection should be enabled for PostgreSQL database servers", "Only secure connections to your Redis Cache should be enabled" and "Secure transfer to storage accounts should be enabled" recommendations for their respective protocols.
The "Usage of host networking and ports should be restricted" recommendation for Kubernetes clusters can also lead to mitigating this technique.
These recommendations are limited to specific technologies on the platform and therefore its coverage score is Minimal.
References
|
ai_security_recommendations | Microsoft Defender for Cloud: AI Security Recommendations | protect | minimal | T1053 | Scheduled Task/Job |
Comments
This control's "Immutable (read-only) root filesystem should be enforced for containers" recommendation can mitigate a few of the sub-techniques of this technique. Due to its Minimal coverage, its score is assessed as Minimal.
References
|
ai_security_recommendations | Microsoft Defender for Cloud: AI Security Recommendations | protect | minimal | T1053.003 | Cron |
Comments
This control's "Immutable (read-only) root filesystem should be enforced for containers" recommendation can lead to preventing the addition or modification of config files in Kubernetes containers required to implement the behaviors described in these sub-techniques. Because this is a recommendation, and specific to Kubernetes containers, its score is assessed as Minimal.
References
|
ai_security_recommendations | Microsoft Defender for Cloud: AI Security Recommendations | protect | minimal | T1053.006 | Systemd Timers |
Comments
This control's "Immutable (read-only) root filesystem should be enforced for containers" recommendation can lead to preventing the addition or modification of config files in Kubernetes containers required to implement the behaviors described in these sub-techniques. Because this is a recommendation, and specific to Kubernetes containers, its score is assessed as Minimal.
References
|
ai_security_recommendations | Microsoft Defender for Cloud: AI Security Recommendations | protect | minimal | T1078 | Valid Accounts |
Comments
This control's recommendations about removing deprecated and external accounts with sensitive permissions from your subscription can lead to mitigating the Cloud Accounts sub-technique of this technique. Because this is a recommendation and has low coverage, it is assessed as Minimal.
References
|
ai_security_recommendations | Microsoft Defender for Cloud: AI Security Recommendations | protect | minimal | T1078.004 | Cloud Accounts |
Comments
This control's "Deprecated accounts should be removed from your subscription" and "Deprecated accounts with owner permissions should be removed from your subscription" recommendation can lead to removing accounts that should not be utilized from your subscriptions thereby denying adversaries the usage of these accounts to find ways to access your data without being noticed.
Likewise, the recommendations related to External account permissions can also mitigate this sub-technique.
Because these are recommendations and only limited to deprecated and external accounts, this is scored as Minimal.
References
|
ai_security_recommendations | Microsoft Defender for Cloud: AI Security Recommendations | protect | minimal | T1098 | Account Manipulation |
Comments
This control's "Immutable (read-only) root filesystem should be enforced for containers" recommendation can prevent modifying the ssh_authorized keys file. Because it is a recommendation and limited to only one sub-technique, its score is Minimal.
References
|
ai_security_recommendations | Microsoft Defender for Cloud: AI Security Recommendations | protect | minimal | T1098.004 | SSH Authorized Keys |
Comments
This control's "Immutable (read-only) root filesystem should be enforced for containers" recommendation can lead to preventing modification of a Kubernetes container's file system which can mitigate this technique. Because this recommendation is specific to Kubernetes containers, its score is Minimal.
References
|
ai_security_recommendations | Microsoft Defender for Cloud: AI Security Recommendations | protect | minimal | T1110 | Brute Force |
Comments
This control's "Authentication to Linux machines should require SSH keys" recommendation can lead to obviating SSH Brute Force password attacks. Because this is specific to Linux, the coverage score is Minimal leading to an overall Minimal score.
References
|
ai_security_recommendations | Microsoft Defender for Cloud: AI Security Recommendations | protect | minimal | T1110.001 | Password Guessing |
Comments
This control's "Authentication to Linux machines should require SSH keys" can obviate SSH Brute Force password attacks. Because this is specific to Linux, the coverage score is Minimal leading to an overall Minimal score.
References
|
ai_security_recommendations | Microsoft Defender for Cloud: AI Security Recommendations | protect | minimal | T1110.003 | Password Spraying |
Comments
This control's "Authentication to Linux machines should require SSH keys" can obviate SSH Brute Force password attacks. Because this is specific to Linux, the coverage score is Minimal leading to an overall Minimal score.
References
|
ai_security_recommendations | Microsoft Defender for Cloud: AI Security Recommendations | protect | minimal | T1110.004 | Credential Stuffing |
Comments
This control's "Authentication to Linux machines should require SSH keys" can obviate SSH Brute Force password attacks. Because this is specific to Linux, the coverage score is Minimal leading to an overall Minimal score.
References
|
ai_security_recommendations | Microsoft Defender for Cloud: AI Security Recommendations | protect | minimal | T1136 | Create Account |
Comments
This control's "Immutable (read-only) root filesystem should be enforced for containers" recommendation can mitigate a sub-technique of this technique. Due to its Minimal coverage, its score is assessed as Minimal.
References
|
ai_security_recommendations | Microsoft Defender for Cloud: AI Security Recommendations | protect | minimal | T1190 | Exploit Public-Facing Application |
Comments
This control's CORS related recommendations can help lead to hardened web applications. This can reduce the likelihood of an application being exploited to reveal sensitive data that can lead to the compromise of an environment.
Likewise this control's recommendations related to keeping Java/PHP up to date for API/Function/Web apps can lead to hardening the public facing content that uses these runtimes.
This control's recommendations related to disabling Public network access for Azure databases can lead to reducing the exposure of resources to the public Internet and thereby reduce the attack surface.
These recommendations are limited to specific technologies (Java, PHP and CORS, SQL DBs) and therefore provide Minimal coverage leading to a Minimal score.
References
|
ai_security_recommendations | Microsoft Defender for Cloud: AI Security Recommendations | protect | minimal | T1222 | File and Directory Permissions Modification |
Comments
This control's "Immutable (read-only) root filesystem should be enforced for containers" recommendation can mitigate a sub-technique of this technique. Due to its Minimal coverage, its score is assessed as Minimal.
References
|
ai_security_recommendations | Microsoft Defender for Cloud: AI Security Recommendations | protect | minimal | T1222.002 | Linux and Mac File and Directory Permissions Modification |
Comments
This control's "Immutable (read-only) root filesystem should be enforced for containers" recommendation can lead to preventing the modification of the file system permissions in Kubernetes containers thereby mitigating this sub-technique. Because this is a recommendation, and specific to Kubernetes containers, its score is assessed as Minimal.
References
|
ai_security_recommendations | Microsoft Defender for Cloud: AI Security Recommendations | protect | minimal | T1499 | Endpoint Denial of Service |
Comments
This control provides recommendations for limiting the CPU and memory resources consumed by a container to minimize resource exhaustion attacks. Because this control only covers one sub-technique of this technique, its score is assessed as Minimal.
References
|
ai_security_recommendations | Microsoft Defender for Cloud: AI Security Recommendations | protect | minimal | T1505 | Server Software Component |
Comments
This control's "Immutable (read-only) root filesystem should be enforced for containers" recommendation can mitigate a sub-technique of this technique. Due to its Minimal coverage, its score is assessed as Minimal.
References
|
ai_security_recommendations | Microsoft Defender for Cloud: AI Security Recommendations | protect | minimal | T1505.003 | Web Shell |
Comments
This control's "Immutable (read-only) root filesystem should be enforced for containers" recommendation can lead to preventing modifications to the file system in Kubernetes containers which can mitigate adversaries installing web shells. Because this is a recommendation, and specific to Kubernetes containers, its score is assessed as Minimal.
References
|
ai_security_recommendations | Microsoft Defender for Cloud: AI Security Recommendations | protect | minimal | T1543 | Create or Modify System Process |
Comments
This control's "Immutable (read-only) root filesystem should be enforced for containers" recommendation can mitigate a sub-technique of this technique. Due to its Minimal coverage, its score is assessed as Minimal.
References
|
ai_security_recommendations | Microsoft Defender for Cloud: AI Security Recommendations | protect | minimal | T1543.002 | Systemd Service |
Comments
This control's "Immutable (read-only) root filesystem should be enforced for containers" recommendation can lead to preventing the addition or modification of systemd service files in Kubernetes containers thereby mitigating this sub-technique. Because this is a recommendation, and specific to Kubernetes containers, its score is assessed as Minimal.
References
|
ai_security_recommendations | Microsoft Defender for Cloud: AI Security Recommendations | protect | minimal | T1546 | Event Triggered Execution |
Comments
This control's "Immutable (read-only) root filesystem should be enforced for containers" recommendation can mitigate a sub-technique of this technique. Due to its Minimal coverage, its score is assessed as Minimal.
References
|
ai_security_recommendations | Microsoft Defender for Cloud: AI Security Recommendations | protect | minimal | T1546.004 | Unix Shell Configuration Modification |
Comments
This control's "Immutable (read-only) root filesystem should be enforced for containers" recommendation can lead to preventing the addition or modification of the file system in Kubernetes containers thereby mitigating this sub-technique. Because this is a recommendation, and specific to Kubernetes containers, its score is assessed as Minimal.
References
|
ai_security_recommendations | Microsoft Defender for Cloud: AI Security Recommendations | protect | minimal | T1556 | Modify Authentication Process |
Comments
This control's "Immutable (read-only) root filesystem should be enforced for containers" recommendation can mitigate a sub-techniques of this technique. Due to it being a recommendation and providing minimal coverage, its score is assessed as Minimal.
References
|
ai_security_recommendations | Microsoft Defender for Cloud: AI Security Recommendations | protect | minimal | T1556.003 | Pluggable Authentication Modules |
Comments
This control's "Immutable (read-only) root filesystem should be enforced for containers" recommendation can lead to preventing this sub-technique which often modifies Pluggable Authentication Modules (PAM) components in the file system. Because this is a recommendation, and specific to Kubernetes containers, its score is assessed as Minimal.
References
|
ai_security_recommendations | Microsoft Defender for Cloud: AI Security Recommendations | protect | minimal | T1564 | Hide Artifacts |
Comments
This control's "Immutable (read-only) root filesystem should be enforced for containers" recommendation can mitigate some of the sub-techniques of this technique. Due to its partial coverage and Minimal score assessed for its sub-techniques, its score is assessed as Minimal.
References
|
ai_security_recommendations | Microsoft Defender for Cloud: AI Security Recommendations | protect | minimal | T1564.001 | Hidden Files and Directories |
Comments
This control's "Immutable (read-only) root filesystem should be enforced for containers" recommendation can lead to preventing these sub-techniques which result in changes to the file system directly or indirectly during their execution. Because this is a recommendation, and specific to Kubernetes containers, its score is assessed as Minimal.
References
|
ai_security_recommendations | Microsoft Defender for Cloud: AI Security Recommendations | protect | minimal | T1564.005 | Hidden File System |
Comments
This control's "Immutable (read-only) root filesystem should be enforced for containers" recommendation can lead to preventing these sub-techniques which result in changes to the file system directly or indirectly during their execution. Because this is a recommendation, and specific to Kubernetes containers, its score is assessed as Minimal.
References
|
ai_security_recommendations | Microsoft Defender for Cloud: AI Security Recommendations | protect | minimal | T1564.006 | Run Virtual Instance |
Comments
This control's "Immutable (read-only) root filesystem should be enforced for containers" recommendation can lead to preventing these sub-techniques which result in changes to the file system directly or indirectly during their execution. Because this is a recommendation, and specific to Kubernetes containers, its score is assessed as Minimal.
References
|
ai_security_recommendations | Microsoft Defender for Cloud: AI Security Recommendations | protect | minimal | T1565 | Data Manipulation |
Comments
This control's "Immutable (read-only) root filesystem should be enforced for containers" recommendation can lead to mitigating a sub-technique of this technique by preventing modification of the local filesystem. Due to it being a recommendation and mitigating only one sub-technique, its score is assessed as Minimal.
References
|
ai_security_recommendations | Microsoft Defender for Cloud: AI Security Recommendations | protect | partial | T1068 | Exploitation for Privilege Escalation |
Comments
This control's "Container with privilege escalation should be avoided", "Least privileged Linux capabilities should be enforced for containers", "Privileged containers should be avoided", "Running containers as root user should be avoided" and "Containers sharing sensitive host namespaces should be avoided" recommendations can make it difficult for adversaries to advance their operation through exploitation of undiscovered or unpatched vulnerabilities. Because this is a recommendation, the assessed score has been capped at Partial.
References
|
ai_security_recommendations | Microsoft Defender for Cloud: AI Security Recommendations | protect | partial | T1074 | Data Staged |
Comments
This control's "Immutable (read-only) root filesystem should be enforced for containers" recommendation can lead to mitigating a sub-technique of this technique by preventing modification of the local filesystem. Due to it being a recommendation, its score is capped at Partial.
References
|
ai_security_recommendations | Microsoft Defender for Cloud: AI Security Recommendations | protect | partial | T1074.001 | Local Data Staging |
Comments
This control's "Immutable (read-only) root filesystem should be enforced for containers" recommendation can lead to mitigating this sub-technique by preventing modification of the local filesystem. Due to it being a recommendation, its score is capped at Partial.
References
|
ai_security_recommendations | Microsoft Defender for Cloud: AI Security Recommendations | protect | partial | T1080 | Taint Shared Content |
Comments
This control's "Immutable (read-only) root filesystem should be enforced for containers" and "Usage of pod HostPath volume mounts should be restricted to a known list to restrict node access from compromised containers" recommendations can mitigate this technique. Due to it being a recommendation, its score is capped at Partial.
References
|
ai_security_recommendations | Microsoft Defender for Cloud: AI Security Recommendations | protect | partial | T1133 | External Remote Services |
Comments
This control's "Management ports should be closed on your virtual machines" recommendation can lead to reducing the attack surface of your Azure VMs by recommending closing management ports. Because this is a recommendation, its score is limited to Partial.
References
|
ai_security_recommendations | Microsoft Defender for Cloud: AI Security Recommendations | protect | partial | T1136.001 | Local Account |
Comments
This control's "Immutable (read-only) root filesystem should be enforced for containers" recommendation can lead to preventing system files from being modified in Kubernetes containers thereby mitigating this sub-technique since adding an account (on Linux) requires modifying system files. Because this is a recommendation, its score is capped at Partial.
References
|
ai_security_recommendations | Microsoft Defender for Cloud: AI Security Recommendations | protect | partial | T1485 | Data Destruction |
Comments
This control's "Immutable (read-only) root filesystem should be enforced for containers" recommendation can lead to mitigating this technique by preventing modification of the local filesystem. Due to it being a recommendation, its score is capped at Partial.
References
|
ai_security_recommendations | Microsoft Defender for Cloud: AI Security Recommendations | protect | partial | T1486 | Data Encrypted for Impact |
Comments
This control's "Immutable (read-only) root filesystem should be enforced for containers" recommendation can lead to mitigating this technique by preventing modification of the local filesystem. Due to it being a recommendation, its score is capped at Partial.
References
|
ai_security_recommendations | Microsoft Defender for Cloud: AI Security Recommendations | protect | partial | T1499.001 | OS Exhaustion Flood |
Comments
This control's "Container CPU and memory limits should be enforced" recommendation can lead to preventing resource exhaustion attacks by recommending enforcing limits for containers to ensure the runtime prevents the container from using more than the configured resource limit. Because this is a recommendation, its score is capped at Partial.
References
|
ai_security_recommendations | Microsoft Defender for Cloud: AI Security Recommendations | protect | partial | T1525 | Implant Internal Image |
Comments
This control's "Container images should be deployed from trusted registries only", "Container registries should not allow unrestricted network access" and "Container registries should use private link" recommendations can lead to ensuring that container images are only loaded from trusted registries thereby mitigating this technique.
References
|
ai_security_recommendations | Microsoft Defender for Cloud: AI Security Recommendations | protect | partial | T1542 | Pre-OS Boot |
Comments
This control provides recommendations for enabling Secure Boot of Linux VMs that can mitigate a few of the sub-techniques of this technique. Because this is a recommendation and only limited to a few sub-techniques of this technique, its assessed score is Partial.
References
|
ai_security_recommendations | Microsoft Defender for Cloud: AI Security Recommendations | protect | partial | T1542.001 | System Firmware |
Comments
This control's "Secure Boot should be enabled on your Linux virtual machine" and "Virtual machines should be attested for boot integrity health" recommendations can lead to enabling secure boot on Linux VMs to mitigate these sub-techniques. Because this recommendation is specific to Linux VM and is a recommendation, its score is capped at Partial.
References
|
ai_security_recommendations | Microsoft Defender for Cloud: AI Security Recommendations | protect | partial | T1542.003 | Bootkit |
Comments
This control's "Secure Boot should be enabled on your Linux virtual machine" and "Virtual machines should be attested for boot integrity health" recommendations can lead to enabling secure boot on Linux VMs to mitigate these sub-techniques. Because this recommendation is specific to Linux VM and is a recommendation, its score is capped at Partial.
References
|
ai_security_recommendations | Microsoft Defender for Cloud: AI Security Recommendations | protect | partial | T1554 | Compromise Host Software Binary |
Comments
This control's "Immutable (read-only) root filesystem should be enforced for containers" recommendation can lead to preventing modification of binaries in Kubernetes containers thereby mitigating this technique. Because this is a recommendation, its score is capped at Partial.
References
|
ai_security_recommendations | Microsoft Defender for Cloud: AI Security Recommendations | protect | partial | T1562.010 | Downgrade Attack |
Comments
This control may prevent downgrade attacks by enforcing use of HTTPS protocol.
References
|
ai_security_recommendations | Microsoft Defender for Cloud: AI Security Recommendations | protect | partial | T1565.001 | Stored Data Manipulation |
Comments
This control's "Immutable (read-only) root filesystem should be enforced for containers" recommendation can lead to mitigating this sub-technique by preventing modification of the local filesystem.
Likewise this control's recommendations related to using customer-managed keys to encrypt data at rest and enabling transparent data encryption for SQL databases can mitigate this sub-technique by reducing an adversary's ability to perform tailored data modifications.
Due to it being a recommendation, its score is capped at Partial.
References
|
ai_threat_protection | Microsoft Defender for Cloud: AI Threat Protection | detect | partial | T1090.003 | Multi-hop Proxy |
Comments
This capability can detect (alert: AI.Azure_AccessFromAnonymizedIP) when an AI is accessed from a Tor network IP.
References
|
ai_threat_protection | Microsoft Defender for Cloud: AI Threat Protection | detect | partial | T1491 | Defacement |
Comments
This capability can alert (using AI.Azure_MaliciousUrl.ModelResponse) when an AI model has shared a malicious URL with a user.
References
|
ai_threat_protection | Microsoft Defender for Cloud: AI Threat Protection | detect | partial | T1552 | Unsecured Credentials |
Comments
This control provides detection of unsecured credentials being divulged by AI model responses.
References
|
ai_threat_protection | Microsoft Defender for Cloud: AI Threat Protection | detect | significant | T1496.004 | Cloud Service Hijacking |
Comments
This capability has multiple alerts (AI.Azure_DOWDuplicateRequests, AI.Azure_DOWVolumeAnomaly) that can detect abuse of an AI for financial impact on an organization.
References
|
alerts_for_azure_cosmos_db | Alerts for Azure Cosmos DB | detect | minimal | T1078 | Valid Accounts |
Comments
This control's detection is specific to the Cosmos DB and therefore provides minimal overall detection coverage for Valid Accounts resulting in a Minimal score. A relevant alert is "Access from an unusual location to a Cosmos DB account".
References
|
alerts_for_azure_cosmos_db | Alerts for Azure Cosmos DB | detect | minimal | T1078.004 | Cloud Accounts |
Comments
This control triggers an alert when there is a change in the access pattern to an Azure Cosmos account based on access from an unusual geographical location. False positives are fairly likely and misuse from a typical location is not covered, so score is Minimal. Relevant alert is "Access from an unusual location to a Cosmos DB account"
References
|
alerts_for_azure_cosmos_db | Alerts for Azure Cosmos DB | detect | minimal | T1213 | Data from Information Repositories |
Comments
This control triggers an alert when an unusually large amount of data is extracted from/by an account compared to recent activity. False positives are fairly likely and extraction in quantities below the control's threshold is not detected, so score is Minimal. Neither of the sub-techniques are relevant in this context, since they are repository-specific. Relevant alert is "Unusual amount of data extracted from a Cosmos DB account"
References
|
alerts_for_azure_network_layer | Alerts for Azure Network Layer | detect | minimal | T1071 | Application Layer Protocol |
Comments
This control can identify connections to known malicious sites. Scored minimal since the malicious sites must be on block list.
References
|
alerts_for_azure_network_layer | Alerts for Azure Network Layer | detect | minimal | T1071.001 | Web Protocols |
Comments
This control can identify connections to known malicious sites. Scored minimal since the malicious sites must be on a block list.
References
|
alerts_for_azure_network_layer | Alerts for Azure Network Layer | detect | minimal | T1071.002 | File Transfer Protocols |
Comments
This control can identify connections to known malicious sites. Scored minimal since the malicious sites must be on a block list.
References
|
alerts_for_azure_network_layer | Alerts for Azure Network Layer | detect | minimal | T1071.003 | Mail Protocols |
Comments
This control can identify connections to known malicious sites. Scored minimal since the malicious sites must be on a block list.
References
|
alerts_for_azure_network_layer | Alerts for Azure Network Layer | detect | minimal | T1071.004 | DNS |
Comments
This control can identify connections to known malicious sites. Scored minimal since the malicious sites must be on a block list.
References
|
alerts_for_azure_network_layer | Alerts for Azure Network Layer | detect | partial | T1071.005 | Publish/Subscribe Protocols |
Comments
This control can identify connections to known malicious sites.
References
|
alerts_for_azure_network_layer | Alerts for Azure Network Layer | detect | partial | T1133 | External Remote Services |
Comments
This control can potentially identify malicious use of remote services via alerts such as "Suspicious incoming RDP network activity" and "Suspicious Incoming SSH network activity".
References
|
alerts_for_azure_network_layer | Alerts for Azure Network Layer | detect | significant | T1110 | Brute Force |
Comments
This control can identify multiple connection attempts by external IPs, which may be indicative of Brute Force attempts, though not T1110.002, which is performed offline. It provides significant detection from most of this technique's sub-techniques and procedure examples resulting in an overall score of Significant.
References
|
alerts_for_azure_network_layer | Alerts for Azure Network Layer | detect | significant | T1110.001 | Password Guessing |
Comments
This control can identify multiple connection attempts by external IPs, which may be indicative of Brute Force attempts, though not T1110.002, which is performed offline.
References
|
alerts_for_azure_network_layer | Alerts for Azure Network Layer | detect | significant | T1110.003 | Password Spraying |
Comments
This control can identify multiple connection attempts by external IPs, which may be indicative of Brute Force attempts, though not T1110.002, which is performed offline.
References
|
alerts_for_azure_network_layer | Alerts for Azure Network Layer | detect | significant | T1110.004 | Credential Stuffing |
Comments
This control can identify multiple connection attempts by external IPs, which may be indicative of Brute Force attempts, though not T1110.002, which is performed offline.
References
|
alerts_for_dns | Alerts for DNS | detect | minimal | T1048 | Exfiltration Over Alternative Protocol |
Comments
Can detect anomalous use of DNS. Because this detection is specific to DNS, its coverage score is Minimal resulting in an overall Minimal score.
References
|
alerts_for_dns | Alerts for DNS | detect | minimal | T1071 | Application Layer Protocol |
Comments
Can detect potential DNS protocol misuse/anomalies. Technique coverage is restricted to DNS and therefore results in a Minimal score.
References
|
alerts_for_dns | Alerts for DNS | detect | minimal | T1090 | Proxy |
Comments
Can detect DNS activity to anonymity networks e.g. TOR. Because this detection is specific to DNS, its coverage score is Minimal resulting in an overall Minimal score.
References
|
alerts_for_dns | Alerts for DNS | detect | minimal | T1572 | Protocol Tunneling |
Comments
Can identify protocol misuse/anomalies in DNS. Because this detection is specific to DNS, its coverage score is Minimal resulting in an overall Minimal score.
References
|
alerts_for_dns | Alerts for DNS | detect | partial | T1568 | Dynamic Resolution |
Comments
Can identify "random" DNS occurences which can be associated with domain generation algorithm or Fast Flux sub-techniques. Partial for coverage and accuracy (potential for false positive/benign).
References
|
alerts_for_dns | Alerts for DNS | detect | partial | T1568.001 | Fast Flux DNS |
Comments
Detects "random" DNS name occurences, potentially indicative of Fast Flux or DGA. Potential false positives from benign "random" DNS names.
References
|
alerts_for_dns | Alerts for DNS | detect | partial | T1568.002 | Domain Generation Algorithms |
Comments
Detects "random" DNS name occurences, potentially indicative of Fast Flux or DGA. Potential false positives from benign "random" DNS names.
References
|
alerts_for_dns | Alerts for DNS | detect | significant | T1071.004 | DNS |
Comments
Can alert on anomalies and misuse of the DNS protocol.
References
|
alerts_for_linux_machines | Alerts for Linux Machines | detect | minimal | T1021 | Remote Services |
Comments
This control is only relevant for Linux environments. Among the sub-techinques that are relevant for Linux, this control may only alert on SSH.
References
|
alerts_for_linux_machines | Alerts for Linux Machines | detect | minimal | T1027 | Obfuscated Files or Information |
Comments
This control only provides detection coverage for the Compile After Delivery sub-technique while not providing detection for all other sub-techniques relevant to the Linux platform or most of its procedure examples. As a result of this minimal coverage, the overall score is assessed as Minimal.
References
|
alerts_for_linux_machines | Alerts for Linux Machines | detect | minimal | T1027.004 | Compile After Delivery |
Comments
This control may alert on suspicious compilation. No documentation is provided on the logic for determining a suspicious compilation event.
References
|
alerts_for_linux_machines | Alerts for Linux Machines | detect | minimal | T1059 | Command and Scripting Interpreter |
Comments
This control may alert on suspicious Unix shell and PHP execution. Mismatched script extensions may also generate alerts of suspicious activity. Only one of the technique's sub-techniques is covered, resulting in a score of Minimal.
References
|
alerts_for_linux_machines | Alerts for Linux Machines | detect | minimal | T1068 | Exploitation for Privilege Escalation |
Comments
This control may alert on suspicious arguments used to exploit Xorg vulnerabilities for privilege escalation.
References
|
alerts_for_linux_machines | Alerts for Linux Machines | detect | minimal | T1098 | Account Manipulation |
Comments
This control provides partial detection for only one of this technique's sub-techniques and does not cover most of its procedure examples, resulting in a score of Minimal.
References
|
alerts_for_linux_machines | Alerts for Linux Machines | detect | minimal | T1136 | Create Account |
Comments
This control is only relevant for Linux endpoints, and it provides partial coverage for the only sub-technique relevant on Linux endpoints, Local Account.
References
|
alerts_for_linux_machines | Alerts for Linux Machines | detect | minimal | T1505 | Server Software Component |
Comments
This control provides coverage for the only sub-technique this control is relevant for, Web Shell, but that coverage is Minimal.
References
|
alerts_for_linux_machines | Alerts for Linux Machines | detect | minimal | T1505.003 | Web Shell |
Comments
This control may alert on usage of web shells. No documentation is provided on logic for this detection.
References
|
alerts_for_linux_machines | Alerts for Linux Machines | detect | minimal | T1547 | Boot or Logon Autostart Execution |
Comments
This control is only relevant for Linux endpoint machines and the only sub-technique relevant for Linux is Kernel Modules and Extensions.
References
|
alerts_for_linux_machines | Alerts for Linux Machines | detect | minimal | T1562 | Impair Defenses |
Comments
This control only provides coverage for a miniority of the sub-techniques under this technique and provides no coverage for other relevant sub-techniques, such as Impair Command History Logging or Disable or Modify Tools, resulting in a score of Minimal.
References
|
alerts_for_linux_machines | Alerts for Linux Machines | detect | minimal | T1562.006 | Indicator Blocking |
Comments
This control may alert on activity which disables auditd logging on Linux endpoints. The auditd package may not be the only logging system being utilized and this control may not alert on activity that disables other logging software.
References
|
alerts_for_linux_machines | Alerts for Linux Machines | detect | minimal | T1564 | Hide Artifacts |
Comments
This control only provides coverage for a minority of this technique's relevant sub-techniques, resulting in a score of Minimal.
References
|
alerts_for_linux_machines | Alerts for Linux Machines | detect | minimal | T1564.001 | Hidden Files and Directories |
Comments
This control may alert on the execution of hidden files. Since this control is only triggered on execution, it may not fire on a variety of hidden files or directories that are being utilized for malicious purposes.
References
|
alerts_for_linux_machines | Alerts for Linux Machines | detect | partial | T1003 | OS Credential Dumping |
Comments
This control is only relevant for Linux environments, and provides partial coverage for one of the technique's two Linux-relevant sub-techniques.
References
|
alerts_for_linux_machines | Alerts for Linux Machines | detect | partial | T1003.008 | /etc/passwd and /etc/shadow |
Comments
This control may alert on suspicious access to encrypted user passwords. The documentation does not reference "/etc/passwd" and "/etc/shadow" directly nor does it describe the logic in determining suspicious access.
References
|
alerts_for_linux_machines | Alerts for Linux Machines | detect | partial | T1021.004 | SSH |
Comments
This control may alerts on SSH brute force attempts, addition of new SSH keys, and usage of a SSH server within a container. Alerts may not be generated by usage of existing SSH keys by malicious actors for lateral movement.
References
|
alerts_for_linux_machines | Alerts for Linux Machines | detect | partial | T1021.007 | Cloud Services |
Comments
This control can detect abuse of remote services.
References
|
alerts_for_linux_machines | Alerts for Linux Machines | detect | partial | T1021.008 | Direct Cloud VM Connections |
Comments
This control can detect direct cloud VM connections.
References
|
alerts_for_linux_machines | Alerts for Linux Machines | detect | partial | T1027.008 | Stripped Payloads |
Comments
This control can detect stripped payloads.
References
|
alerts_for_linux_machines | Alerts for Linux Machines | detect | partial | T1027.009 | Embedded Payloads |
Comments
This control can detect embedded payloads.
References
|
alerts_for_linux_machines | Alerts for Linux Machines | detect | partial | T1027.010 | Command Obfuscation |
Comments
This control can detect command obsfucation attacks.
References
|
alerts_for_linux_machines | Alerts for Linux Machines | detect | partial | T1027.013 | Encrypted/Encoded File |
Comments
This control can detect obsfucation via encrypted/encoded files.
References
|
alerts_for_linux_machines | Alerts for Linux Machines | detect | partial | T1027.014 | Polymorphic Code |
Comments
This control can detect obsfucation via polymorphic code.
References
|
alerts_for_linux_machines | Alerts for Linux Machines | detect | partial | T1036.008 | Masquerade File Type |
Comments
This control can detect if files are created or edited where the header and extension do not match.
References
|
alerts_for_linux_machines | Alerts for Linux Machines | detect | partial | T1059.004 | Unix Shell |
Comments
This control may alert on suspicious commandline activity. Alerts may be generated on possible detection of shellcode usage on the commandline, based on arguments, location, user, etc.
References
|
alerts_for_linux_machines | Alerts for Linux Machines | detect | partial | T1070 | Indicator Removal |
Comments
This control is only relevant for Linux environments and provides partial coverage for multiple Linux-relevant sub-techniques.
References
|
alerts_for_linux_machines | Alerts for Linux Machines | detect | partial | T1070.002 | Clear Linux or Mac System Logs |
Comments
This control may alert on possible log tampering activity, including deletion of logs. No documentation is provided on which log sources are targeted by this control.
References
|
alerts_for_linux_machines | Alerts for Linux Machines | detect | partial | T1070.003 | Clear Command History |
Comments
This control may alert on clearing of the command history file. Documentation is not provided on the logic for detecting when the command history is cleared but on Linux machines the location of the history file tends not to change from the default.
References
|
alerts_for_linux_machines | Alerts for Linux Machines | detect | partial | T1098.004 | SSH Authorized Keys |
Comments
This control may alert on addition of new SSH keys to the authorized key file and unusual process access of the authorized key file.
References
|
alerts_for_linux_machines | Alerts for Linux Machines | detect | partial | T1110 | Brute Force |
Comments
This control provides partial coverage for most of this technique's sub-techniques and procedures.
References
|
alerts_for_linux_machines | Alerts for Linux Machines | detect | partial | T1110.001 | Password Guessing |
Comments
This control may alert on multiple successful and failed brute force attempts against SSH. There are no alerts for other methods of logging into Linux machines.
References
|
alerts_for_linux_machines | Alerts for Linux Machines | detect | partial | T1110.003 | Password Spraying |
Comments
This control may alert on multiple successful and failed brute force attempts against SSH. There are no alerts for other methods of logging into Linux machines.
References
|
alerts_for_linux_machines | Alerts for Linux Machines | detect | partial | T1110.004 | Credential Stuffing |
Comments
This control may alert on multiple successful and failed brute force attempts against SSH. There are no alerts for other methods of logging into Linux machines.
References
|
alerts_for_linux_machines | Alerts for Linux Machines | detect | partial | T1113 | Screen Capture |
Comments
This control may alert on usage of a screenshot tool. Documentation is not provided on the logic for determining a screenshot tool.
References
|
alerts_for_linux_machines | Alerts for Linux Machines | detect | partial | T1136.001 | Local Account |
Comments
This control may alert on usage of the useradd command to create new users and the creation of local user accounts with suspicious similarity to other account names.
References
|
alerts_for_linux_machines | Alerts for Linux Machines | detect | partial | T1525 | Implant Internal Image |
Comments
This control may alert on suspicious container images running mining software or SSH servers. Privileged Docker containers and privileged commands running within containers may also be detected. These alerts are only generated on containers in Linux endpoint machines and not for containers running from Azure Docker deployment.
References
|
alerts_for_linux_machines | Alerts for Linux Machines | detect | partial | T1547.006 | Kernel Modules and Extensions |
Comments
This control may alert on a suspicious shared object file being loaded as a kernel module. No documentation is provided on the logic but kernel module loading is a relatively rare event and can only be done with a small set of commands.
References
|
alerts_for_linux_machines | Alerts for Linux Machines | detect | partial | T1547.013 | XDG Autostart Entries |
Comments
This control can detect command execution associated with xdg modification.
References
|
alerts_for_linux_machines | Alerts for Linux Machines | detect | partial | T1555.002 | Securityd Memory |
Comments
This control can detect command execution associated with this technique.
References
|
alerts_for_linux_machines | Alerts for Linux Machines | detect | partial | T1555.003 | Credentials from Web Browsers |
Comments
This control can detect command execution associated with this technique.
References
|
alerts_for_linux_machines | Alerts for Linux Machines | detect | partial | T1555.005 | Password Managers |
Comments
This control can detect command execution associated with this technique.
References
|
alerts_for_linux_machines | Alerts for Linux Machines | detect | partial | T1562.004 | Disable or Modify System Firewall |
Comments
This control may alert on manipulation of the on-host firewall. Firewall rules should not be changed often in a standard environment and such an event can provide a high fidelity alert.
References
|
alerts_for_linux_machines | Alerts for Linux Machines | detect | partial | T1562.012 | Disable or Modify Linux Audit System |
Comments
This control may alert on activity which disables auditd logging on Linux endpoints. The auditd package may not be the only logging system being utilized and this control may not alert on activity that disables other logging software.
References
|
alerts_for_linux_machines | Alerts for Linux Machines | detect | partial | T1564.006 | Run Virtual Instance |
Comments
This control may alert on containers using privileged commands, running SSH servers, or running mining software.
References
|
alerts_for_windows_machines | Alerts for Windows Machines | detect | minimal | T1003 | OS Credential Dumping |
Comments
This control provides detection for a minority of this technique's sub-techniques and procedure examples resulting in a Minimal Coverage score and consequently an overall score of Minimal. Furthermore, its detection capability relies on detecting the usage of specific tools (e.g. sqldumper.exe) further adversely impacting its score.
References
|
alerts_for_windows_machines | Alerts for Windows Machines | detect | minimal | T1003.004 | LSA Secrets |
Comments
This control may detect when the registry is modified to allow logon credentials to be stored in clear text in LSA memory. This change allows a threat actor to gain plain text credentials from the host machine. The following alerts may be generated: "Detected enabling of the WDigest UseLogonCredential registry key".
References
|
alerts_for_windows_machines | Alerts for Windows Machines | detect | minimal | T1027 | Obfuscated Files or Information |
Comments
This control may detect usage of VBScript.Encode and base-64 encoding to obfuscate malicious commands and scripts. The following alerts may be generated: "Detected suspicious execution of VBScript.Encode command", "Detected encoded executable in command line data".
References
|
alerts_for_windows_machines | Alerts for Windows Machines | detect | minimal | T1048 | Exfiltration Over Alternative Protocol |
Comments
This control's detection is specific to a minority of this technique's sub-techniques and procedure examples resulting in a Minimal Coverage score and consequently an overall score of Minimal.
References
|
alerts_for_windows_machines | Alerts for Windows Machines | detect | minimal | T1048.001 | Exfiltration Over Symmetric Encrypted Non-C2 Protocol |
Comments
This control may detect suspicious use of the Telegram tool for transferring malicious binaries across hosts. The following alerts may be generated: "Detected potentially suspicious use of Telegram tool".
References
|
alerts_for_windows_machines | Alerts for Windows Machines | detect | minimal | T1059 | Command and Scripting Interpreter |
Comments
This control's detection is specific to a minority of this technique's sub-techniques resulting in a Minimal Coverage score and consequently an overall score of Minimal.
References
|
alerts_for_windows_machines | Alerts for Windows Machines | detect | minimal | T1070 | Indicator Removal |
Comments
This control's detection is specific to a minority of this technique's sub-techniques and procedure examples resulting in a Minimal Coverage score and consequently an overall score of Minimal.
References
|
alerts_for_windows_machines | Alerts for Windows Machines | detect | minimal | T1082 | System Information Discovery |
Comments
This control may detect local reconnaissance activity specific to using the systeminfo commands. The following alerts may be generated: "Detected possible local reconnaissance activity".
References
|
alerts_for_windows_machines | Alerts for Windows Machines | detect | minimal | T1136 | Create Account |
Comments
This control's detection is specific to a minority of this technique's sub-techniques resulting in a Minimal Coverage score and consequently an overall score of Minimal.
References
|
alerts_for_windows_machines | Alerts for Windows Machines | detect | minimal | T1202 | Indirect Command Execution |
Comments
This control may detect suspicious use of Pcalua.exe to launch executable code. There are other methods of indirect command execution that this control may not detect. The following alerts may be generated: "Detected suspicious use of Pcalua.exe to launch executable code".
References
|
alerts_for_windows_machines | Alerts for Windows Machines | detect | minimal | T1218 | System Binary Proxy Execution |
Comments
This control's detection is specific to a minority of this technique's sub-techniques resulting in a Minimal Coverage score and consequently an overall score of Minimal.
References
|
alerts_for_windows_machines | Alerts for Windows Machines | detect | minimal | T1222 | File and Directory Permissions Modification |
Comments
This control provides minimal detection for some of this technique's sub-techniques resulting in an overall score of Minimal.
References
|
alerts_for_windows_machines | Alerts for Windows Machines | detect | minimal | T1222.001 | Windows File and Directory Permissions Modification |
Comments
This control may detect the usage of cacls.exe to modify file and directory permissions. The following alerts may be generated: "Detected suspicious use of Cacls to lower the security state of the system".
References
|
alerts_for_windows_machines | Alerts for Windows Machines | detect | minimal | T1489 | Service Stop |
Comments
This control may detect when critical services have been disabled through the usage of specifically net.exe. The following alerts may be generated: "Detected the disabling of critical services".
References
|
alerts_for_windows_machines | Alerts for Windows Machines | detect | minimal | T1543 | Create or Modify System Process |
Comments
This control's detection is specific to a minority of this technique's sub-techniques resulting in a Minimal Coverage score and consequently an overall score of Minimal.
References
|
alerts_for_windows_machines | Alerts for Windows Machines | detect | minimal | T1546 | Event Triggered Execution |
Comments
This control's detection is specific to a minority of this technique's sub-techniques resulting in a Minimal Coverage score and consequently an overall score of Minimal.
References
|
alerts_for_windows_machines | Alerts for Windows Machines | detect | minimal | T1547 | Boot or Logon Autostart Execution |
Comments
This control's detection is specific to a minority of this technique's sub-techniques resulting in a Minimal Coverage score and consequently an overall score of Minimal.
References
|
alerts_for_windows_machines | Alerts for Windows Machines | detect | minimal | T1548 | Abuse Elevation Control Mechanism |
Comments
The only sub-technique scored (Bypass User Account Control) is the only one relevant to Windows.
References
|
alerts_for_windows_machines | Alerts for Windows Machines | detect | minimal | T1548.002 | Bypass User Account Control |
Comments
This control may detect when User Account Control is bypassed by manipulating the Windows registry. There may be other methods to Bypass User Account Control which limits the score to Minimal. The following alerts may be generated: "Detected change to a registry key that can be abused to bypass UAC"
References
|
alerts_for_windows_machines | Alerts for Windows Machines | detect | minimal | T1558 | Steal or Forge Kerberos Tickets |
Comments
This control's detection is specific to a minority of this technique's sub-techniques resulting in a Minimal Coverage score and consequently an overall score of Minimal.
References
|
alerts_for_windows_machines | Alerts for Windows Machines | detect | minimal | T1562 | Impair Defenses |
Comments
This control's detection is specific to a minority of this technique's sub-techniques resulting in a Minimal Coverage score and consequently an overall score of Minimal.
References
|
alerts_for_windows_machines | Alerts for Windows Machines | detect | minimal | T1564 | Hide Artifacts |
Comments
This control's detection is specific to a minority of this technique's sub-techniques resulting in a Minimal Coverage score and consequently an overall score of Minimal.
References
|
alerts_for_windows_machines | Alerts for Windows Machines | detect | partial | T1027.008 | Stripped Payloads |
Comments
This control can detect stripped payloads.
References
|
alerts_for_windows_machines | Alerts for Windows Machines | detect | partial | T1027.009 | Embedded Payloads |
Comments
This control can detect embedded payloads.
References
|
alerts_for_windows_machines | Alerts for Windows Machines | detect | partial | T1027.010 | Command Obfuscation |
Comments
This control can detect command obsfucation attacks.
References
|
alerts_for_windows_machines | Alerts for Windows Machines | detect | partial | T1027.013 | Encrypted/Encoded File |
Comments
This control can detect obsfucation via encrypted/encoded files.
References
|
alerts_for_windows_machines | Alerts for Windows Machines | detect | partial | T1027.014 | Polymorphic Code |
Comments
This control can detect obsfucation via polymorphic code.
References
|
alerts_for_windows_machines | Alerts for Windows Machines | detect | partial | T1036.008 | Masquerade File Type |
Comments
This control can detect if commands are executed that are otherwise non-executable file types.
References
|
alerts_for_windows_machines | Alerts for Windows Machines | detect | partial | T1053.007 | Container Orchestration Job |
Comments
This control can detect when commands associated with this technique are executed.
References
|
alerts_for_windows_machines | Alerts for Windows Machines | detect | partial | T1055 | Process Injection |
Comments
This control's Fileless Attack Detection covers all relevant sub-techniques. Detection is periodic at an unknown rate.
References
|
alerts_for_windows_machines | Alerts for Windows Machines | detect | partial | T1055.001 | Dynamic-link Library Injection |
Comments
Injection attacks are specifically cited as a detection focus for Fileless Attack Detection, which is part of this control, with even more specific references to Process Hollowing, executable image injection, and threads started in a dynamically allocated code segment. Detection is periodic at an unknown rate. The following alerts may be generated: "Fileless attack technique detected", "Fileless attack behavior detected", "Fileless attack toolkit detected", "Suspicious SVCHOST process executed".
References
|
alerts_for_windows_machines | Alerts for Windows Machines | detect | partial | T1055.002 | Portable Executable Injection |
Comments
Injection attacks are specifically cited as a detection focus for Fileless Attack Detection, which is part of this control, with even more specific references to Process Hollowing, executable image injection, and threads started in a dynamically allocated code segment. Detection is periodic at an unknown rate. The following alerts may be generated: "Fileless attack technique detected", "Fileless attack behavior detected", "Fileless attack toolkit detected", "Suspicious SVCHOST process executed".
References
|
alerts_for_windows_machines | Alerts for Windows Machines | detect | partial | T1055.003 | Thread Execution Hijacking |
Comments
Injection attacks are specifically cited as a detection focus for Fileless Attack Detection, which is part of this control, with even more specific references to Process Hollowing, executable image injection, and threads started in a dynamically allocated code segment. Detection is periodic at an unknown rate. The following alerts may be generated: "Fileless attack technique detected", "Fileless attack behavior detected", "Fileless attack toolkit detected", "Suspicious SVCHOST process executed".
References
|
alerts_for_windows_machines | Alerts for Windows Machines | detect | partial | T1055.004 | Asynchronous Procedure Call |
Comments
Injection attacks are specifically cited as a detection focus for Fileless Attack Detection, which is part of this control, with even more specific references to Process Hollowing, executable image injection, and threads started in a dynamically allocated code segment. Detection is periodic at an unknown rate. The following alerts may be generated: "Fileless attack technique detected", "Fileless attack behavior detected", "Fileless attack toolkit detected", "Suspicious SVCHOST process executed".
References
|
alerts_for_windows_machines | Alerts for Windows Machines | detect | partial | T1055.005 | Thread Local Storage |
Comments
Injection attacks are specifically cited as a detection focus for Fileless Attack Detection, which is part of this control, with even more specific references to Process Hollowing, executable image injection, and threads started in a dynamically allocated code segment. Detection is periodic at an unknown rate. The following alerts may be generated: "Fileless attack technique detected", "Fileless attack behavior detected", "Fileless attack toolkit detected", "Suspicious SVCHOST process executed".
References
|
alerts_for_windows_machines | Alerts for Windows Machines | detect | partial | T1055.011 | Extra Window Memory Injection |
Comments
Injection attacks are specifically cited as a detection focus for Fileless Attack Detection, which is part of this control, with even more specific references to Process Hollowing, executable image injection, and threads started in a dynamically allocated code segment. Detection is periodic at an unknown rate. The following alerts may be generated: "Fileless attack technique detected", "Fileless attack behavior detected", "Fileless attack toolkit detected", "Suspicious SVCHOST process executed".
References
|
alerts_for_windows_machines | Alerts for Windows Machines | detect | partial | T1055.012 | Process Hollowing |
Comments
Injection attacks are specifically cited as a detection focus for Fileless Attack Detection, which is part of this control, with even more specific references to Process Hollowing, executable image injection, and threads started in a dynamically allocated code segment. Detection is periodic at an unknown rate. The following alerts may be generated: "Fileless attack technique detected", "Fileless attack behavior detected", "Fileless attack toolkit detected", "Suspicious SVCHOST process executed".
References
|
alerts_for_windows_machines | Alerts for Windows Machines | detect | partial | T1055.013 | Process Doppelgänging |
Comments
Injection attacks are specifically cited as a detection focus for Fileless Attack Detection, which is part of this control, with even more specific references to Process Hollowing, executable image injection, and threads started in a dynamically allocated code segment. Detection is periodic at an unknown rate. The following alerts may be generated: "Fileless attack technique detected", "Fileless attack behavior detected", "Fileless attack toolkit detected", "Suspicious SVCHOST process executed".
References
|
alerts_for_windows_machines | Alerts for Windows Machines | detect | partial | T1059.009 | Cloud API |
Comments
This control can detect supicious usage of commands and scripts.
References
|
alerts_for_windows_machines | Alerts for Windows Machines | detect | partial | T1059.010 | AutoHotKey & AutoIT |
Comments
This control can detect supicious usage of commands and scripts.
References
|
alerts_for_windows_machines | Alerts for Windows Machines | detect | partial | T1059.011 | Lua |
Comments
This control can detect supicious usage of commands and scripts.
References
|
alerts_for_windows_machines | Alerts for Windows Machines | detect | partial | T1068 | Exploitation for Privilege Escalation |
Comments
This control's Fileless Attack Detection identifies shellcode executing within process memory, including shellcode executed as a payload in the exploitation of a software vulnerability. Detection is periodic at an unknown rate. The following alerts may be generated: "Fileless attack technique detected", "Fileless attack behavior detected", "Fileless attack toolkit detected", "Suspicious SVCHOST process executed".
References
|
alerts_for_windows_machines | Alerts for Windows Machines | detect | partial | T1070.001 | Clear Windows Event Logs |
Comments
This control may detect when an event log has been cleared or IIS logs have been deleted. The following alerts may be generated: "Detected actions indicative of disabling and deleting IIS log files", "An event log was cleared".
References
|
alerts_for_windows_machines | Alerts for Windows Machines | detect | partial | T1070.004 | File Deletion |
Comments
This control may detect suspicious file cleanup commands and shadow copy deletion activity. The following alerts may be generated: "Detected suspicious file cleanup commands", "Suspicious Volume Shadow Copy Activity".
References
|
alerts_for_windows_machines | Alerts for Windows Machines | detect | partial | T1070.007 | Clear Network Connection History and Configurations |
Comments
This control can monitor for executed commands associated with this technique.
References
|
alerts_for_windows_machines | Alerts for Windows Machines | detect | partial | T1070.008 | Clear Mailbox Data |
Comments
This control can monitor for executed commands associated with this technique.
References
|
alerts_for_windows_machines | Alerts for Windows Machines | detect | partial | T1070.009 | Clear Persistence |
Comments
This control can monitor for executed commands associated with this technique.
References
|
alerts_for_windows_machines | Alerts for Windows Machines | detect | partial | T1078 | Valid Accounts |
Comments
This control is able to detect some of this technique's sub-techniques resulting in a Partial Coverage score and consequently an overall score of Partial.
References
|
alerts_for_windows_machines | Alerts for Windows Machines | detect | partial | T1078.001 | Default Accounts |
Comments
This control may detect suspicious activity from existing Windows accounts and logons from suspicious IP addresses. The following alerts may be generated: "A logon from a malicious IP has been detected", "A logon from a malicious IP has been detected. [seen multiple times]".
References
|
alerts_for_windows_machines | Alerts for Windows Machines | detect | partial | T1078.003 | Local Accounts |
Comments
This control may detect suspicious activity from existing Windows accounts and logons from suspicious IP addresses. The following alerts may be generated: "A logon from a malicious IP has been detected", "A logon from a malicious IP has been detected. [seen multiple times]".
References
|
alerts_for_windows_machines | Alerts for Windows Machines | detect | partial | T1087 | Account Discovery |
Comments
This control provides partial detection for some of this technique's sub-techniques and procedure examples resulting in a Partial Coverage score and consequently an overall score of Partial.
References
|
alerts_for_windows_machines | Alerts for Windows Machines | detect | partial | T1087.001 | Local Account |
Comments
This control may detect when the local administrators group is enumerated or when mulitiple domain accounts are queried. The following alerts may be generated: "Multiple Domain Accounts Queried", "Local Administrators group members were enumerated".
References
|
alerts_for_windows_machines | Alerts for Windows Machines | detect | partial | T1087.002 | Domain Account |
Comments
This control may detect when the local administrators group is enumerated or when mulitiple domain accounts are queried. The following alerts may be generated: "Multiple Domain Accounts Queried", "Local Administrators group members were enumerated".
References
|
alerts_for_windows_machines | Alerts for Windows Machines | detect | partial | T1105 | Ingress Tool Transfer |
Comments
This control may detect usage of malware droppers and creation of suspicious files on the host machine. The following alerts may be generated: "Detected possible execution of malware dropper", "Detected suspicious file creation".
References
|
alerts_for_windows_machines | Alerts for Windows Machines | detect | partial | T1110 | Brute Force |
Comments
This control provides detection for some of this technique's sub-techniques and procedure examples resulting in a Partial Coverage score and consequently an overall score of Partial.
References
|
alerts_for_windows_machines | Alerts for Windows Machines | detect | partial | T1112 | Modify Registry |
Comments
This control may detect several methods used to modify the registry for purposes of persistence, privilege elevation, and execution. The following alerts may be generated: "Detected change to a registry key that can be abused to bypass UAC", "Detected enabling of the WDigest UseLogonCredential registry key", "Detected suppression of legal notice displayed to users at logon", "Suspicious WindowPosition registry value detected", "Windows registry persistence method detected".
References
|
alerts_for_windows_machines | Alerts for Windows Machines | detect | partial | T1134 | Access Token Manipulation |
Comments
This control can detect when commands associated with this technique are executed, such as runas.
References
|
alerts_for_windows_machines | Alerts for Windows Machines | detect | partial | T1136.001 | Local Account |
Comments
This control may detect when an account is created with an account name that closely resembles a standard Windows account or group name. This may be an account created by an attacker to blend into the environment. The following alerts may be generated: "Suspicious Account Creation Detected".
References
|
alerts_for_windows_machines | Alerts for Windows Machines | detect | partial | T1140 | Deobfuscate/Decode Files or Information |
Comments
This control may detect decoding of suspicious files by certutil.exe and may detect the presence of various encoding schemes to obfuscate malicious scripts and commandline arguments. The following alerts may be generated: "Suspicious download using Certutil detected", "Suspicious download using Certutil detected [seen multiple times]", "Detected decoding of an executable using built-in certutil.exe tool".
References
|
alerts_for_windows_machines | Alerts for Windows Machines | detect | partial | T1189 | Drive-by Compromise |
Comments
This control's Fileless Attack Detection identifies shellcode executing within process memory, including shellcode executed as a payload in the exploitation of a software vulnerability. Detection is periodic at an unknown rate. The following alerts may be generated: "Fileless attack technique detected", "Fileless attack behavior detected", "Fileless attack toolkit detected", "Suspicious SVCHOST process executed".
References
|
alerts_for_windows_machines | Alerts for Windows Machines | detect | partial | T1190 | Exploit Public-Facing Application |
Comments
This control's Fileless Attack Detection identifies shellcode executing within process memory, including shellcode executed as a payload in the exploitation of a software vulnerability. Detection is periodic at an unknown rate. The following alerts may be generated: "Fileless attack technique detected", "Fileless attack behavior detected", "Fileless attack toolkit detected", "Suspicious SVCHOST process executed".
References
|
alerts_for_windows_machines | Alerts for Windows Machines | detect | partial | T1203 | Exploitation for Client Execution |
Comments
This control's Fileless Attack Detection identifies shellcode executing within process memory, including shellcode executed as a payload in the exploitation of a software vulnerability. Detection is periodic at an unknown rate. The following alerts may be generated: "Fileless attack technique detected", "Fileless attack behavior detected", "Fileless attack toolkit detected", "Suspicious SVCHOST process executed".
References
|
alerts_for_windows_machines | Alerts for Windows Machines | detect | partial | T1204 | User Execution |
Comments
This control provides detection for one of the two sub-techniques of this technique, Malicious File, resulting in a Partial Coverage score and consequently an overall score of Partial.
References
|
alerts_for_windows_machines | Alerts for Windows Machines | detect | partial | T1204.002 | Malicious File |
Comments
This control may detect the usage of a malware dropper and other indicators of a malicious file being executed by the user. The following alerts may be generated: "Detected possible execution of keygen executable", "Detected possible execution of malware dropper", "Detected suspicious file creation".
References
|
alerts_for_windows_machines | Alerts for Windows Machines | detect | partial | T1204.003 | Malicious Image |
Comments
This capability can detect when commands are executed that are associated with this technique.
References
|
alerts_for_windows_machines | Alerts for Windows Machines | detect | partial | T1210 | Exploitation of Remote Services |
Comments
This control's Fileless Attack Detection identifies shellcode executing within process memory, including shellcode executed as a payload in the exploitation of a software vulnerability. Detection is periodic at an unknown rate. The following alerts may be generated: "Fileless attack technique detected", "Fileless attack behavior detected", "Fileless attack toolkit detected", "Suspicious SVCHOST process executed".
References
|
alerts_for_windows_machines | Alerts for Windows Machines | detect | partial | T1211 | Exploitation for Defense Evasion |
Comments
This control's Fileless Attack Detection identifies shellcode executing within process memory, including shellcode executed as a payload in the exploitation of a software vulnerability. Detection is periodic at an unknown rate. The following alerts may be generated: "Fileless attack technique detected", "Fileless attack behavior detected", "Fileless attack toolkit detected", "Suspicious SVCHOST process executed".
References
|
alerts_for_windows_machines | Alerts for Windows Machines | detect | partial | T1212 | Exploitation for Credential Access |
Comments
This control's Fileless Attack Detection identifies shellcode executing within process memory, including shellcode executed as a payload in the exploitation of a software vulnerability. Detection is periodic at an unknown rate. The following alerts may be generated: "Fileless attack technique detected", "Fileless attack behavior detected", "Fileless attack toolkit detected", "Suspicious SVCHOST process executed".
References
|
alerts_for_windows_machines | Alerts for Windows Machines | detect | partial | T1218.005 | Mshta |
Comments
This control may detect suspicious usage of Mshta to execute PowerShell and suspicious Rundll32 execution. The following alerts may be generated: "Detected suspicious execution via rundll32.exe", "Detected suspicious combination of HTA and PowerShell".
References
|
alerts_for_windows_machines | Alerts for Windows Machines | detect | partial | T1218.011 | Rundll32 |
Comments
This control may detect suspicious usage of Mshta to execute PowerShell and suspicious Rundll32 execution. The following alerts may be generated: "Detected suspicious execution via rundll32.exe", "Detected suspicious combination of HTA and PowerShell".
References
|
alerts_for_windows_machines | Alerts for Windows Machines | detect | partial | T1218.013 | Mavinject |
Comments
This control may detect usage of the argument INJECTRUNNING which is required for mavinject.exe.
References
|
alerts_for_windows_machines | Alerts for Windows Machines | detect | partial | T1218.014 | MMC |
Comments
This control may detect creation and usage of non-microsoft .msc files.
References
|
alerts_for_windows_machines | Alerts for Windows Machines | detect | partial | T1218.015 | Electron Applications |
Comments
This control may detect commands invoking teams.exe or chrome.exe and analyze whether they are being used to execute malicious or abnormal content.
References
|
alerts_for_windows_machines | Alerts for Windows Machines | detect | partial | T1505.004 | IIS Components |
Comments
This control can detect when commands associated with installing IIS web servers are executed, such as AppCmd.exe.
References
|
alerts_for_windows_machines | Alerts for Windows Machines | detect | partial | T1505.005 | Terminal Services DLL |
Comments
This control can detect when commands associated with this technique are executed, such as reg.exe.
References
|
alerts_for_windows_machines | Alerts for Windows Machines | detect | partial | T1543.003 | Windows Service |
Comments
This control may detect when the tscon.exe binary is installed as a service to exploit RDP sessions or when a rare service group is executed under SVCHOST. The following alerts may be generated: "Suspect service installation".
References
|
alerts_for_windows_machines | Alerts for Windows Machines | detect | partial | T1543.005 | Container Service |
Comments
This control can detect when commands associated with container services are executed, such as docker or podman.
References
|
alerts_for_windows_machines | Alerts for Windows Machines | detect | partial | T1546.002 | Screensaver |
Comments
This control may detect when a suspicious screensaver process is executed, based on the location of the .scr file. Because this detection is based solely on the location of the file, it has been scored as Partial. The following alerts may be generated: "Suspicious Screensaver process executed".
References
|
alerts_for_windows_machines | Alerts for Windows Machines | detect | partial | T1546.008 | Accessibility Features |
Comments
This control may detect when the binary for the sticky keys utility has been replaced, possibly to gain persistence or execution. The following alerts may be generated: "Sticky keys attack detected".
References
|
alerts_for_windows_machines | Alerts for Windows Machines | detect | partial | T1547.001 | Registry Run Keys / Startup Folder |
Comments
This control may detect when the Registry is leveraged to gain persistence. The following alerts may be generated: "Windows registry persistence method detected".
References
|
alerts_for_windows_machines | Alerts for Windows Machines | detect | partial | T1552.001 | Credentials In Files |
Comments
This control can detect when commands associated with searching for passwords are executed.
References
|
alerts_for_windows_machines | Alerts for Windows Machines | detect | partial | T1553.006 | Code Signing Policy Modification |
Comments
This control can be used to monitor for the execution of commands that could modify the code signing policy of a system, such as bcdedit.exe -set TESTSIGNING ON.
References
|
alerts_for_windows_machines | Alerts for Windows Machines | detect | partial | T1555.003 | Credentials from Web Browsers |
Comments
This control can detect command execution associated with this technique.
References
|
alerts_for_windows_machines | Alerts for Windows Machines | detect | partial | T1555.004 | Windows Credential Manager |
Comments
This control can detect command execution associated with this technique.
References
|
alerts_for_windows_machines | Alerts for Windows Machines | detect | partial | T1555.005 | Password Managers |
Comments
This control can detect command execution associated with this technique.
References
|
alerts_for_windows_machines | Alerts for Windows Machines | detect | partial | T1556.005 | Reversible Encryption |
Comments
This control can monitor for command execution related to reversible encryption such as -AllowReversiblePasswordEncryption $true.
References
|
alerts_for_windows_machines | Alerts for Windows Machines | detect | partial | T1558.001 | Golden Ticket |
Comments
This control may detect commandline parameters consistent with a Kerberos Golden Ticket attack. The following alerts may be generated: "Suspected Kerberos Golden Ticket attack parameters observed".
References
|
alerts_for_windows_machines | Alerts for Windows Machines | detect | partial | T1562.001 | Disable or Modify Tools |
Comments
This control may detect when critical services have been disabled, such as Windows Security Center. This control may also detect when IIS logging has been disabled. The following alerts may be generated: "Detected the disabling of critical services", "Detected actions indicative of disabling and deleting IIS log files".
References
|
alerts_for_windows_machines | Alerts for Windows Machines | detect | partial | T1562.004 | Disable or Modify System Firewall |
Comments
This control may detect modification of the Windows firewall through use of netsh.exe or using a method that matches a known threat actor. The following alerts may be generated: "Malicious firewall rule created by ZINC server implant [seen multiple times]", "Detected suspicious new firewall rule".
References
|
alerts_for_windows_machines | Alerts for Windows Machines | detect | partial | T1562.009 | Safe Mode Boot |
Comments
This control may detect executed commands indicative of changes to boot settings such as bcdedit.exe and bootcfg.exe
References
|
alerts_for_windows_machines | Alerts for Windows Machines | detect | partial | T1562.010 | Downgrade Attack |
Comments
This control may detect executed commands indicative of indicative of attempts to abuse older or deprecated technologies (ex: powershell –v 2).
References
|
alerts_for_windows_machines | Alerts for Windows Machines | detect | partial | T1563 | Remote Service Session Hijacking |
Comments
This control provides partial detection for some of this technique's sub-techniques resulting in a Partial Coverage score and consequently an overall score of Partial.
References
|
alerts_for_windows_machines | Alerts for Windows Machines | detect | partial | T1563.002 | RDP Hijacking |
Comments
This control may detect RDP hijacking through use of the tscon.exe binary. The following alerts may be generated: "Suspect integrity level indicative of RDP hijacking", "Suspect service installation".
References
|
alerts_for_windows_machines | Alerts for Windows Machines | detect | partial | T1564.003 | Hidden Window |
Comments
This control may detect usage of the WindowPosition Registry value to hide application windows in non-visible sections of the desktop. The following alerts may be generated: "Suspicious WindowPosition registry value detected".
References
|
alerts_for_windows_machines | Alerts for Windows Machines | detect | partial | T1564.008 | Email Hiding Rules |
Comments
This control can detect when commands are run on VMs that can indicate creation or modification of email rules such as New-InboxRule, Set-InboxRule, New-TransportRule, and Set-TransportRule.
References
|
alerts_for_windows_machines | Alerts for Windows Machines | detect | partial | T1564.009 | Resource Forking |
Comments
This control can detect when commands are run related to resource forking.
References
|
alerts_for_windows_machines | Alerts for Windows Machines | detect | partial | T1564.011 | Ignore Process Interrupts |
Comments
This control can detect when commands are run related to process interrupts such as nohup.
References
|
alerts_for_windows_machines | Alerts for Windows Machines | detect | partial | T1567.004 | Exfiltration Over Webhook |
Comments
This control can detect commands on VMs indicative of exfiltration over webhook.
References
|
alerts_for_windows_machines | Alerts for Windows Machines | detect | partial | T1574.013 | KernelCallbackTable |
Comments
This control can detect windows API calls on VMs indicative of Hijacking Execution Flow via KernelCallBack table such as WriteProcessMemory() and NtQueryInformationProcess().
References
|
alerts_for_windows_machines | Alerts for Windows Machines | detect | partial | T1612 | Build Image on Host |
Comments
This capability can detect execution of commands related to container creation.
References
|
alerts_for_windows_machines | Alerts for Windows Machines | detect | partial | T1614 | System Location Discovery |
Comments
This capability can detect if commands associated with this technique such as GetLocaleInfoW are executed.
References
|
alerts_for_windows_machines | Alerts for Windows Machines | detect | partial | T1614.001 | System Language Discovery |
Comments
This capability can detect if commands associated with this technique are executed.
References
|
alerts_for_windows_machines | Alerts for Windows Machines | detect | partial | T1622 | Debugger Evasion |
Comments
This capability can detect system processes that indicate debugger evasion.
References
|
alerts_for_windows_machines | Alerts for Windows Machines | detect | partial | T1652 | Device Driver Discovery |
Comments
This capability can detect if commands associated with this technique are executed.
References
|
alerts_for_windows_machines | Alerts for Windows Machines | detect | partial | T1654 | Log Enumeration |
Comments
This capability can detect if commands associated with log enumeration (such as wevutil.exe on Windows and CollectGuestLogs.exe on Azure hosted VMs) are executed.
References
|
alerts_for_windows_machines | Alerts for Windows Machines | detect | significant | T1059.001 | PowerShell |
Comments
This control may detect suspicious usage of PowerShell and the Windows command line. These detections include usage of suspicious arguments, dynamic script construction, and shellcode on the commandline. The following alerts may be generated: "Detected anomalous mix of upper and lower case characters in command-line", "Detected encoded executable in command line data", "Detected obfuscated command line", "Detected suspicious combination of HTA and PowerShell", "Detected suspicious commandline arguments", "Detected suspicious commandline used to start all executables in a directory", "Detected suspicious credentials in commandline", "Dynamic PS script construction", "Suspicious PowerShell Activity Detected", "Suspicious PowerShell cmdlets executed", "Suspicious command execution".
References
|
alerts_for_windows_machines | Alerts for Windows Machines | detect | significant | T1059.003 | Windows Command Shell |
Comments
This control may detect suspicious usage of PowerShell and the Windows command line. These detections include usage of suspicious arguments, dynamic script construction, and shellcode on the commandline. The following alerts may be generated: "Detected anomalous mix of upper and lower case characters in command-line", "Detected encoded executable in command line data", "Detected obfuscated command line", "Detected suspicious combination of HTA and PowerShell", "Detected suspicious commandline arguments", "Detected suspicious commandline used to start all executables in a directory", "Detected suspicious credentials in commandline", "Dynamic PS script construction", "Suspicious PowerShell Activity Detected", "Suspicious PowerShell cmdlets executed", "Suspicious command execution".
References
|
alerts_for_windows_machines | Alerts for Windows Machines | detect | significant | T1110.001 | Password Guessing |
Comments
This control may detect successful and failed brute force attempts with logic that factors the IP, time between attempts, and other suspicious activity. The following alerts may be generated: "A logon from a malicious IP has been detected", "A logon from a malicious IP has been detected. [seen multiple times]", "Successful brute force attack", "Suspicious authentication activity".
References
|
alerts_for_windows_machines | Alerts for Windows Machines | detect | significant | T1110.003 | Password Spraying |
Comments
This control may detect successful and failed brute force attempts with logic that factors the IP, time between attempts, and other suspicious activity. The following alerts may be generated: "A logon from a malicious IP has been detected", "A logon from a malicious IP has been detected. [seen multiple times]", "Successful brute force attack", "Suspicious authentication activity".
References
|
alerts_for_windows_machines | Alerts for Windows Machines | detect | significant | T1110.004 | Credential Stuffing |
Comments
This control may detect successful and failed brute force attempts with logic that factors the IP, time between attempts, and other suspicious activity. The following alerts may be generated: "A logon from a malicious IP has been detected", "A logon from a malicious IP has been detected. [seen multiple times]", "Successful brute force attack", "Suspicious authentication activity".
References
|
azure_backup | Azure Backup | respond | partial | T1561.002 | Disk Structure Wipe |
Comments
Allows for recovery of disk content, though Disk structure wipes require additional procedures for recovery.
References
|
azure_backup | Azure Backup | respond | significant | T1485 | Data Destruction |
Comments
Data backups provide a significant response to data destruction by enabling the restoration of data from backup.
References
|
azure_backup | Azure Backup | respond | significant | T1485.001 | Lifecycle-Triggered Deletion |
Comments
Data backups provide a significant response to data destruction by enabling the restoration of data from backup.
References
|
azure_backup | Azure Backup | respond | significant | T1486 | Data Encrypted for Impact |
Comments
Data backups provide a significant response to data encryption/ransomware by enabling the restoration of data from backup.
References
|
azure_backup | Azure Backup | respond | significant | T1491 | Defacement |
Comments
Data backups provide a significant response to data defacement attacks by enabling the restoration of data from backup.
References
|
azure_backup | Azure Backup | respond | significant | T1491.001 | Internal Defacement |
Comments
Data backups provide a significant response to external or internal data defacement attacks by enabling the restoration of data from backup.
References
|
azure_backup | Azure Backup | respond | significant | T1491.002 | External Defacement |
Comments
Data backups provide a significant response to external or internal data defacement attacks by enabling the restoration of data from backup.
References
|
azure_backup | Azure Backup | respond | significant | T1561 | Disk Wipe |
Comments
Data backups provide a significant response to disk wipe attacks by enabling the restoration of data from backup.
References
|
azure_backup | Azure Backup | respond | significant | T1561.001 | Disk Content Wipe |
Comments
Data backups provide a significant response to disk content wipe attacks by enabling the restoration of data from backup.
References
|
azure_ddos_protection | Azure DDoS Protection | protect | significant | T1498 | Network Denial of Service |
Comments
Designed to address multiple DDOS techniques including volumetric attacks.
References
|
azure_ddos_protection | Azure DDoS Protection | protect | significant | T1498.001 | Direct Network Flood |
Comments
This control can protect against network denial of service attacks.
References
|
azure_ddos_protection | Azure DDoS Protection | protect | significant | T1498.002 | Reflection Amplification |
Comments
This control can protect against network denial of service attacks.
References
|
azure_ddos_protection | Azure DDoS Protection | protect | significant | T1499 | Endpoint Denial of Service |
Comments
Protects against volumetric and protocol DOS, though not application.
References
|
azure_ddos_protection | Azure DDoS Protection | protect | significant | T1499.001 | OS Exhaustion Flood |
Comments
This control can protect against endpoint denial of service attacks.
References
|
azure_ddos_protection | Azure DDoS Protection | protect | significant | T1499.002 | Service Exhaustion Flood |
Comments
This control can protect against endpoint denial of service attacks.
References
|
azure_ddos_protection | Azure DDoS Protection | protect | significant | T1499.003 | Application Exhaustion Flood |
Comments
This control can protect against endpoint denial of service attacks.
References
|
azure_dedicated_hsm | Azure Dedicated HSM | protect | minimal | T1552 | Unsecured Credentials |
Comments
This control's protection is specific to a minority of this technique's sub-techniques and procedure examples resulting in a Minimal Coverage score and consequently an overall score of Minimal.
References
|
azure_dedicated_hsm | Azure Dedicated HSM | protect | partial | T1553 | Subvert Trust Controls |
Comments
Provides protection against sub-techniques involved with stealing credentials / certificates / keys from the organization.
References
|
azure_dedicated_hsm | Azure Dedicated HSM | protect | partial | T1553.002 | Code Signing |
Comments
Certificate credentials can be vaulted in an HSM thereby reducing its attack surface.
References
|
azure_dedicated_hsm | Azure Dedicated HSM | protect | partial | T1553.004 | Install Root Certificate |
Comments
Certificate credentials can be vaulted in an HSM thereby reducing its attack surface.
References
|
azure_dedicated_hsm | Azure Dedicated HSM | protect | partial | T1588 | Obtain Capabilities |
Comments
Provides protection against sub-techniques involved with stealing credentials / certificates / keys from the organization.
References
|