Azure

This control provides partial detection for some of this technique's sub-techniques and procedure examples resulting in an overall Partial detection score.

This control provides a response capability that accompanies its detection capability that can contain and eradicate the impact of this technique. Because this capability varies between containment (federated accounts) and eradication (cloud accounts) and is only able to respond to some of this technique's sub-techniques, it has been scored as Partial.

This control provides risk detections that can be used to detect suspicious uses of valid accounts, e.g.: Anonymous IP address, Atypical travel, Malware linked IP address, Unfamiliar sign-in properties, etc. Microsoft utilizes machine learning and heuristic systems to reduce the false positive rate but there will be false positives. The temporal factor of this control's detection is low because although there are some real-time detections most are offline detections (multi-day).

Response Type: Eradication Supports blocking and resetting the user's credentials based on the detection of a risky user/sign-in manually and also supports automation via its user and sign-in risk policies.

When Azure Active Directory (AAD) Federation is configured for a tenant, an adversary that compromises a domain credential can use it to access (Azure) cloud resources. Identity Protection supports applying its risk detections (e.g.: Anonymous IP address, Atypical travel, Malware linked IP address, Unfamiliar sign-in properties, etc.) to federated identities thereby providing detection mitigation for this risk. Because this detection is specific to an adversary utilizing valid domain credentials to access cloud resources and does not mitigate the usage of valid domain credentials to access on-premise resources, this detection has been scored as Partial. The temporal factor of this control's detection is low because although there are some real-time detections most are offline detections (multi-day).

Response Type: Containment Supports risk detection responses such as blocking a user's access and enforcing MFA. These responses contain the impact of this sub-technique but do not eradicate it (by forcing a password reset).

This control can be effective at detecting forged web credentials because it uses environmental properties (e.g. IP address, device info, etc.) to detect risky users and sign-ins even when valid credentials are utilized. It provides partial coverage of this technique's sub-techniques and therefore has been assessed a Partial score.

Provides Significant response capabilities for one of this technique's sub-techniques (SAML tokens).

This control supports detecting risky sign-ins and users that involve federated users and therefore can potentially alert on this activity. Not all alert types for this control support federated accounts therefore the detection coverage for this technique is partial.

Response Type: Eradication Supports blocking and resetting the user's credentials based on the detection of a risky user/sign-in manually and also supports automation via its user and sign-in risk policies.

This control provides Minimal detection for one of this technique's sub-techniques while not providing any detection for the remaining, resulting in a Minimal score.

Provides significant response capabilities for one of this technique's sub-techniques (Password Spray). Due to this capability being specific to one of its sub-techniques and not its remaining sub-techniques, the coverage score is Minimal resulting in an overall Minimal score.

This control specifically provides detection of Password Spray attacks for Azure Active Directory accounts. Microsoft documentation states that this detection is based on a machine learning algorithm that has been improved with the latest improvement yielding a 100 percent increase in recall and 98 percent precision. The temporal factor for this detection is Partial as its detection is described as offline (i.e. detections may not show up in reporting for two to twenty-four hours).

Response Type: Eradication Supports blocking and resetting the user's credentials based on the detection of a risky user/sign-in (such as Password Spray attack) manually and also supports automation via its user and sign-in risk policies.

This control is able to detect some of this technique's sub-techniques resulting in a Partial Coverage score and consequently an overall score of Partial.

This control may detect suspicious activity from existing Windows accounts and logons from suspicious IP addresses. The following alerts may be generated: "A logon from a malicious IP has been detected", "A logon from a malicious IP has been detected. [seen multiple times]".

This control may detect suspicious activity from existing Windows accounts and logons from suspicious IP addresses. The following alerts may be generated: "A logon from a malicious IP has been detected", "A logon from a malicious IP has been detected. [seen multiple times]".

This control's detection is specific to a minority of this technique's sub-techniques resulting in a Minimal Coverage score and consequently an overall score of Minimal.

This control may detect suspicious usage of PowerShell and the Windows command line. These detections include usage of suspicious arguments, dynamic script construction, and shellcode on the commandline. The following alerts may be generated: "Detected anomalous mix of upper and lower case characters in command-line", "Detected encoded executable in command line data", "Detected obfuscated command line", "Detected suspicious combination of HTA and PowerShell", "Detected suspicious commandline arguments", "Detected suspicious commandline used to start all executables in a directory", "Detected suspicious credentials in commandline", "Dynamic PS script construction", "Suspicious PowerShell Activity Detected", "Suspicious PowerShell cmdlets executed", "Suspicious command execution".

This control may detect suspicious usage of PowerShell and the Windows command line. These detections include usage of suspicious arguments, dynamic script construction, and shellcode on the commandline. The following alerts may be generated: "Detected anomalous mix of upper and lower case characters in command-line", "Detected encoded executable in command line data", "Detected obfuscated command line", "Detected suspicious combination of HTA and PowerShell", "Detected suspicious commandline arguments", "Detected suspicious commandline used to start all executables in a directory", "Detected suspicious credentials in commandline", "Dynamic PS script construction", "Suspicious PowerShell Activity Detected", "Suspicious PowerShell cmdlets executed", "Suspicious command execution".

This control provides detection for one of the two sub-techniques of this technique, Malicious File, resulting in a Partial Coverage score and consequently an overall score of Partial.

This control may detect the usage of a malware dropper and other indicators of a malicious file being executed by the user. The following alerts may be generated: "Detected possible execution of keygen executable", "Detected possible execution of malware dropper", "Detected suspicious file creation".

This control's detection is specific to a minority of this technique's sub-techniques resulting in a Minimal Coverage score and consequently an overall score of Minimal.

This control may detect when the Registry is leveraged to gain persistence. The following alerts may be generated: "Windows registry persistence method detected".

This control's detection is specific to a minority of this technique's sub-techniques resulting in a Minimal Coverage score and consequently an overall score of Minimal.

This control may detect when an account is created with an account name that closely resembles a standard Windows account or group name. This may be an account created by an attacker to blend into the environment. The following alerts may be generated: "Suspicious Account Creation Detected".

This control's detection is specific to a minority of this technique's sub-techniques resulting in a Minimal Coverage score and consequently an overall score of Minimal.

This control may detect when the tscon.exe binary is installed as a service to exploit RDP sessions or when a rare service group is executed under SVCHOST. The following alerts may be generated: "Suspect service installation".

This control's detection is specific to a minority of this technique's sub-techniques resulting in a Minimal Coverage score and consequently an overall score of Minimal.

This control may detect when a suspicious screensaver process is executed, based on the location of the .scr file. Because this detection is based solely on the location of the file, it has been scored as Partial. The following alerts may be generated: "Suspicious Screensaver process executed".

This control may detect when the binary for the sticky keys utility has been replaced, possibly to gain persistence or execution. The following alerts may be generated: "Sticky keys attack detected".

The only sub-technique scored (Bypass User Account Control) is the only one relevant to Windows.

This control may detect when User Account Control is bypassed by manipulating the Windows registry. There may be other methods to Bypass User Account Control which limits the score to Minimal. The following alerts may be generated: "Detected change to a registry key that can be abused to bypass UAC"

This control's Fileless Attack Detection covers all relevant sub-techniques. Detection is periodic at an unknown rate.

Injection attacks are specifically cited as a detection focus for Fileless Attack Detection, which is part of this control, with even more specific references to Process Hollowing, executable image injection, and threads started in a dynamically allocated code segment. Detection is periodic at an unknown rate. The following alerts may be generated: "Fileless attack technique detected", "Fileless attack behavior detected", "Fileless attack toolkit detected", "Suspicious SVCHOST process executed".

Injection attacks are specifically cited as a detection focus for Fileless Attack Detection, which is part of this control, with even more specific references to Process Hollowing, executable image injection, and threads started in a dynamically allocated code segment. Detection is periodic at an unknown rate. The following alerts may be generated: "Fileless attack technique detected", "Fileless attack behavior detected", "Fileless attack toolkit detected", "Suspicious SVCHOST process executed".

Injection attacks are specifically cited as a detection focus for Fileless Attack Detection, which is part of this control, with even more specific references to Process Hollowing, executable image injection, and threads started in a dynamically allocated code segment. Detection is periodic at an unknown rate. The following alerts may be generated: "Fileless attack technique detected", "Fileless attack behavior detected", "Fileless attack toolkit detected", "Suspicious SVCHOST process executed".

Injection attacks are specifically cited as a detection focus for Fileless Attack Detection, which is part of this control, with even more specific references to Process Hollowing, executable image injection, and threads started in a dynamically allocated code segment. Detection is periodic at an unknown rate. The following alerts may be generated: "Fileless attack technique detected", "Fileless attack behavior detected", "Fileless attack toolkit detected", "Suspicious SVCHOST process executed".

Injection attacks are specifically cited as a detection focus for Fileless Attack Detection, which is part of this control, with even more specific references to Process Hollowing, executable image injection, and threads started in a dynamically allocated code segment. Detection is periodic at an unknown rate. The following alerts may be generated: "Fileless attack technique detected", "Fileless attack behavior detected", "Fileless attack toolkit detected", "Suspicious SVCHOST process executed".

Injection attacks are specifically cited as a detection focus for Fileless Attack Detection, which is part of this control, with even more specific references to Process Hollowing, executable image injection, and threads started in a dynamically allocated code segment. Detection is periodic at an unknown rate. The following alerts may be generated: "Fileless attack technique detected", "Fileless attack behavior detected", "Fileless attack toolkit detected", "Suspicious SVCHOST process executed".

Injection attacks are specifically cited as a detection focus for Fileless Attack Detection, which is part of this control, with even more specific references to Process Hollowing, executable image injection, and threads started in a dynamically allocated code segment. Detection is periodic at an unknown rate. The following alerts may be generated: "Fileless attack technique detected", "Fileless attack behavior detected", "Fileless attack toolkit detected", "Suspicious SVCHOST process executed".

Injection attacks are specifically cited as a detection focus for Fileless Attack Detection, which is part of this control, with even more specific references to Process Hollowing, executable image injection, and threads started in a dynamically allocated code segment. Detection is periodic at an unknown rate. The following alerts may be generated: "Fileless attack technique detected", "Fileless attack behavior detected", "Fileless attack toolkit detected", "Suspicious SVCHOST process executed".

This control's Fileless Attack Detection identifies shellcode executing within process memory, including shellcode executed as a payload in the exploitation of a software vulnerability. Detection is periodic at an unknown rate. The following alerts may be generated: "Fileless attack technique detected", "Fileless attack behavior detected", "Fileless attack toolkit detected", "Suspicious SVCHOST process executed".

This control's Fileless Attack Detection identifies shellcode executing within process memory, including shellcode executed as a payload in the exploitation of a software vulnerability. Detection is periodic at an unknown rate. The following alerts may be generated: "Fileless attack technique detected", "Fileless attack behavior detected", "Fileless attack toolkit detected", "Suspicious SVCHOST process executed".

This control's Fileless Attack Detection identifies shellcode executing within process memory, including shellcode executed as a payload in the exploitation of a software vulnerability. Detection is periodic at an unknown rate. The following alerts may be generated: "Fileless attack technique detected", "Fileless attack behavior detected", "Fileless attack toolkit detected", "Suspicious SVCHOST process executed".

This control's Fileless Attack Detection identifies shellcode executing within process memory, including shellcode executed as a payload in the exploitation of a software vulnerability. Detection is periodic at an unknown rate. The following alerts may be generated: "Fileless attack technique detected", "Fileless attack behavior detected", "Fileless attack toolkit detected", "Suspicious SVCHOST process executed".

This control's Fileless Attack Detection identifies shellcode executing within process memory, including shellcode executed as a payload in the exploitation of a software vulnerability. Detection is periodic at an unknown rate. The following alerts may be generated: "Fileless attack technique detected", "Fileless attack behavior detected", "Fileless attack toolkit detected", "Suspicious SVCHOST process executed".

This control's Fileless Attack Detection identifies shellcode executing within process memory, including shellcode executed as a payload in the exploitation of a software vulnerability. Detection is periodic at an unknown rate. The following alerts may be generated: "Fileless attack technique detected", "Fileless attack behavior detected", "Fileless attack toolkit detected", "Suspicious SVCHOST process executed".

This control's Fileless Attack Detection identifies shellcode executing within process memory, including shellcode executed as a payload in the exploitation of a software vulnerability. Detection is periodic at an unknown rate. The following alerts may be generated: "Fileless attack technique detected", "Fileless attack behavior detected", "Fileless attack toolkit detected", "Suspicious SVCHOST process executed".

This control may detect decoding of suspicious files by certutil.exe and may detect the presence of various encoding schemes to obfuscate malicious scripts and commandline arguments. The following alerts may be generated: "Suspicious download using Certutil detected", "Suspicious download using Certutil detected [seen multiple times]", "Detected decoding of an executable using built-in certutil.exe tool".

This control provides minimal detection for some of this technique's sub-techniques resulting in an overall score of Minimal.

This control may detect the usage of cacls.exe to modify file and directory permissions. The following alerts may be generated: "Detected suspicious use of Cacls to lower the security state of the system".

This control's detection is specific to a minority of this technique's sub-techniques resulting in a Minimal Coverage score and consequently an overall score of Minimal.

This control may detect usage of the WindowPosition Registry value to hide application windows in non-visible sections of the desktop. The following alerts may be generated: "Suspicious WindowPosition registry value detected".

This control's detection is specific to a minority of this technique's sub-techniques resulting in a Minimal Coverage score and consequently an overall score of Minimal.

This control may detect modification of the Windows firewall through use of netsh.exe or using a method that matches a known threat actor. The following alerts may be generated: "Malicious firewall rule created by ZINC server implant [seen multiple times]", "Detected suspicious new firewall rule".

This control may detect when critical services have been disabled, such as Windows Security Center. This control may also detect when IIS logging has been disabled. The following alerts may be generated: "Detected the disabling of critical services", "Detected actions indicative of disabling and deleting IIS log files".

This control's detection is specific to a minority of this technique's sub-techniques and procedure examples resulting in a Minimal Coverage score and consequently an overall score of Minimal.

This control may detect suspicious file cleanup commands and shadow copy deletion activity. The following alerts may be generated: "Detected suspicious file cleanup commands", "Suspicious Volume Shadow Copy Activity".

This control may detect when an event log has been cleared or IIS logs have been deleted. The following alerts may be generated: "Detected actions indicative of disabling and deleting IIS log files", "An event log was cleared".

This control may detect several methods used to modify the registry for purposes of persistence, privilege elevation, and execution. The following alerts may be generated: "Detected change to a registry key that can be abused to bypass UAC", "Detected enabling of the WDigest UseLogonCredential registry key", "Detected suppression of legal notice displayed to users at logon", "Suspicious WindowPosition registry value detected", "Windows registry persistence method detected".

This control may detect usage of VBScript.Encode and base-64 encoding to obfuscate malicious commands and scripts. The following alerts may be generated: "Detected suspicious execution of VBScript.Encode command", "Detected encoded executable in command line data".

This control's detection is specific to a minority of this technique's sub-techniques resulting in a Minimal Coverage score and consequently an overall score of Minimal.

This control may detect suspicious usage of Mshta to execute PowerShell and suspicious Rundll32 execution. The following alerts may be generated: "Detected suspicious execution via rundll32.exe", "Detected suspicious combination of HTA and PowerShell".

This control may detect suspicious usage of Mshta to execute PowerShell and suspicious Rundll32 execution. The following alerts may be generated: "Detected suspicious execution via rundll32.exe", "Detected suspicious combination of HTA and PowerShell".

This control provides detection for some of this technique's sub-techniques and procedure examples resulting in a Partial Coverage score and consequently an overall score of Partial.

This control may detect successful and failed brute force attempts with logic that factors the IP, time between attempts, and other suspicious activity. The following alerts may be generated: "A logon from a malicious IP has been detected", "A logon from a malicious IP has been detected. [seen multiple times]", "Successful brute force attack", "Suspicious authentication activity".

This control may detect successful and failed brute force attempts with logic that factors the IP, time between attempts, and other suspicious activity. The following alerts may be generated: "A logon from a malicious IP has been detected", "A logon from a malicious IP has been detected. [seen multiple times]", "Successful brute force attack", "Suspicious authentication activity".

This control may detect successful and failed brute force attempts with logic that factors the IP, time between attempts, and other suspicious activity. The following alerts may be generated: "A logon from a malicious IP has been detected", "A logon from a malicious IP has been detected. [seen multiple times]", "Successful brute force attack", "Suspicious authentication activity".

This control provides detection for a minority of this technique's sub-techniques and procedure examples resulting in a Minimal Coverage score and consequently an overall score of Minimal. Furthermore, its detection capability relies on detecting the usage of specific tools (e.g. sqldumper.exe) further adversely impacting its score.

This control may detect when the registry is modified to allow logon credentials to be stored in clear text in LSA memory. This change allows a threat actor to gain plain text credentials from the host machine. The following alerts may be generated: "Detected enabling of the WDigest UseLogonCredential registry key".

This control's detection is specific to a minority of this technique's sub-techniques resulting in a Minimal Coverage score and consequently an overall score of Minimal.

This control may detect commandline parameters consistent with a Kerberos Golden Ticket attack. The following alerts may be generated: "Suspected Kerberos Golden Ticket attack parameters observed".

This control provides partial detection for some of this technique's sub-techniques and procedure examples resulting in a Partial Coverage score and consequently an overall score of Partial.

This control may detect when the local administrators group is enumerated or when mulitiple domain accounts are queried. The following alerts may be generated: "Multiple Domain Accounts Queried", "Local Administrators group members were enumerated".

This control may detect when the local administrators group is enumerated or when mulitiple domain accounts are queried. The following alerts may be generated: "Multiple Domain Accounts Queried", "Local Administrators group members were enumerated".

This control may detect local reconnaissance activity specific to using the systeminfo commands. The following alerts may be generated: "Detected possible local reconnaissance activity".

This control provides partial detection for some of this technique's sub-techniques resulting in a Partial Coverage score and consequently an overall score of Partial.

This control may detect RDP hijacking through use of the tscon.exe binary. The following alerts may be generated: "Suspect integrity level indicative of RDP hijacking", "Suspect service installation".

This control may detect usage of malware droppers and creation of suspicious files on the host machine. The following alerts may be generated: "Detected possible execution of malware dropper", "Detected suspicious file creation".

This control's detection is specific to a minority of this technique's sub-techniques and procedure examples resulting in a Minimal Coverage score and consequently an overall score of Minimal.

This control may detect suspicious use of the Telegram tool for transferring malicious binaries across hosts. The following alerts may be generated: "Detected potentially suspicious use of Telegram tool".

This control may detect when critical services have been disabled through the usage of specifically net.exe. The following alerts may be generated: "Detected the disabling of critical services".

This control may detect suspicious use of Pcalua.exe to launch executable code. There are other methods of indirect command execution that this control may not detect. The following alerts may be generated: "Detected suspicious use of Pcalua.exe to launch executable code".

This control's recommendations related to enforcing the usage of the secure versions of the HTTP and FTP protocols (HTTPS and FTPS) can lead to encrypting traffic which reduces the ability for an adversary to gather sensitive data via network sniffing. This also applies to the "Service Fabric clusters should have the ClusterProtectionLevel property set to EncryptAndSign", "Enforce SSL connection should be enabled for MySQL database servers", "Enforce SSL connection should be enabled for PostgreSQL database servers", "Only secure connections to your Redis Cache should be enabled" and "Secure transfer to storage accounts should be enabled" recommendations for their respective protocols. The "Usage of host networking and ports should be restricted" recommendation for Kubernetes clusters can also lead to mitigating this technique. These recommendations are limited to specific technologies on the platform and therefore its coverage score is Minimal.

This control's CORS related recommendations can help lead to hardened web applications. This can reduce the likelihood of an application being exploited to reveal sensitive data that can lead to the compromise of an environment. Likewise this control's recommendations related to keeping Java/PHP up to date for API/Function/Web apps can lead to hardening the public facing content that uses these runtimes. This control's recommendations related to disabling Public network access for Azure databases can lead to reducing the exposure of resources to the public Internet and thereby reduce the attack surface. These recommendations are limited to specific technologies (Java, PHP and CORS, SQL DBs) and therefore provide Minimal coverage leading to a Minimal score.

This control's "Authentication to Linux machines should require SSH keys" recommendation can lead to obviating SSH Brute Force password attacks. Because this is specific to Linux, the coverage score is Minimal leading to an overall Minimal score.

This control's "Authentication to Linux machines should require SSH keys" can obviate SSH Brute Force password attacks. Because this is specific to Linux, the coverage score is Minimal leading to an overall Minimal score.

This control's "Authentication to Linux machines should require SSH keys" can obviate SSH Brute Force password attacks. Because this is specific to Linux, the coverage score is Minimal leading to an overall Minimal score.

This control's "Authentication to Linux machines should require SSH keys" can obviate SSH Brute Force password attacks. Because this is specific to Linux, the coverage score is Minimal leading to an overall Minimal score.

This control provides recommendations for enabling Secure Boot of Linux VMs that can mitigate a few of the sub-techniques of this technique. Because this is a recommendation and only limited to a few sub-techniques of this technique, its assessed score is Partial.

This control's "Secure Boot should be enabled on your Linux virtual machine" and "Virtual machines should be attested for boot integrity health" recommendations can lead to enabling secure boot on Linux VMs to mitigate these sub-techniques. Because this recommendation is specific to Linux VM and is a recommendation, its score is capped at Partial.

This control's "Secure Boot should be enabled on your Linux virtual machine" and "Virtual machines should be attested for boot integrity health" recommendations can lead to enabling secure boot on Linux VMs to mitigate these sub-techniques. Because this recommendation is specific to Linux VM and is a recommendation, its score is capped at Partial.

This control provides recommendations for limiting the CPU and memory resources consumed by a container to minimize resource exhaustion attacks. Because this control only covers one sub-technique of this technique, its score is assessed as Minimal.

This control's "Container CPU and memory limits should be enforced" recommendation can lead to preventing resource exhaustion attacks by recommending enforcing limits for containers to ensure the runtime prevents the container from using more than the configured resource limit. Because this is a recommendation, its score is capped at Partial.

This control's "Container images should be deployed from trusted registries only", "Container registries should not allow unrestricted network access" and "Container registries should use private link" recommendations can lead to ensuring that container images are only loaded from trusted registries thereby mitigating this technique.

This control's "Container with privilege escalation should be avoided", "Least privileged Linux capabilities should be enforced for containers", "Privileged containers should be avoided", "Running containers as root user should be avoided" and "Containers sharing sensitive host namespaces should be avoided" recommendations can make it difficult for adversaries to advance their operation through exploitation of undiscovered or unpatched vulnerabilities. Because this is a recommendation, the assessed score has been capped at Partial.

This control's "Immutable (read-only) root filesystem should be enforced for containers" recommendation can prevent modifying the ssh_authorized keys file. Because it is a recommendation and limited to only one sub-technique, its score is Minimal.

This control's "Immutable (read-only) root filesystem should be enforced for containers" recommendation can lead to preventing modification of a Kubernetes container's file system which can mitigate this technique. Because this recommendation is specific to Kubernetes containers, its score is Minimal.

This control's "Immutable (read-only) root filesystem should be enforced for containers" recommendation can lead to preventing modification of binaries in Kubernetes containers thereby mitigating this technique. Because this is a recommendation, its score is capped at Partial.

This control's "Immutable (read-only) root filesystem should be enforced for containers" recommendation can mitigate a sub-technique of this technique. Due to its Minimal coverage, its score is assessed as Minimal.

This control's "Immutable (read-only) root filesystem should be enforced for containers" recommendation can lead to preventing system files from being modified in Kubernetes containers thereby mitigating this sub-technique since adding an account (on Linux) requires modifying system files. Because this is a recommendation, its score is capped at Partial.

This control's "Immutable (read-only) root filesystem should be enforced for containers" recommendation can mitigate a sub-technique of this technique. Due to its Minimal coverage, its score is assessed as Minimal.

This control's "Immutable (read-only) root filesystem should be enforced for containers" recommendation can lead to preventing the addition or modification of systemd service files in Kubernetes containers thereby mitigating this sub-technique. Because this is a recommendation, and specific to Kubernetes containers, its score is assessed as Minimal.

This control's "Immutable (read-only) root filesystem should be enforced for containers" recommendation can mitigate a sub-technique of this technique. Due to its Minimal coverage, its score is assessed as Minimal.

This control's "Immutable (read-only) root filesystem should be enforced for containers" recommendation can lead to preventing the addition or modification of the file system in Kubernetes containers thereby mitigating this sub-technique. Because this is a recommendation, and specific to Kubernetes containers, its score is assessed as Minimal.

This control's "Immutable (read-only) root filesystem should be enforced for containers" recommendation can mitigate a sub-technique of this technique. Due to its Minimal coverage, its score is assessed as Minimal.

This control's "Immutable (read-only) root filesystem should be enforced for containers" recommendation can lead to preventing modifications to the file system in Kubernetes containers which can mitigate adversaries installing web shells. Because this is a recommendation, and specific to Kubernetes containers, its score is assessed as Minimal.

This control's "Immutable (read-only) root filesystem should be enforced for containers" recommendation can mitigate a sub-technique of this technique. Due to its Minimal coverage, its score is assessed as Minimal.

This control's "Immutable (read-only) root filesystem should be enforced for containers" recommendation can lead to preventing the modification of the file system permissions in Kubernetes containers thereby mitigating this sub-technique. Because this is a recommendation, and specific to Kubernetes containers, its score is assessed as Minimal.

This control's "Immutable (read-only) root filesystem should be enforced for containers" recommendation can mitigate some of the sub-techniques of this technique. Due to its partial coverage and Minimal score assessed for its sub-techniques, its score is assessed as Minimal.

This control's "Immutable (read-only) root filesystem should be enforced for containers" recommendation can lead to preventing these sub-techniques which result in changes to the file system directly or indirectly during their execution. Because this is a recommendation, and specific to Kubernetes containers, its score is assessed as Minimal.

This control's "Immutable (read-only) root filesystem should be enforced for containers" recommendation can lead to preventing these sub-techniques which result in changes to the file system directly or indirectly during their execution. Because this is a recommendation, and specific to Kubernetes containers, its score is assessed as Minimal.

This control's "Immutable (read-only) root filesystem should be enforced for containers" recommendation can lead to preventing these sub-techniques which result in changes to the file system directly or indirectly during their execution. Because this is a recommendation, and specific to Kubernetes containers, its score is assessed as Minimal.

This control's "Immutable (read-only) root filesystem should be enforced for containers" recommendation can mitigate a few of the sub-techniques of this technique. Due to its Minimal coverage, its score is assessed as Minimal.

This control's "Immutable (read-only) root filesystem should be enforced for containers" recommendation can lead to preventing the addition or modification of config files in Kubernetes containers required to implement the behaviors described in these sub-techniques. Because this is a recommendation, and specific to Kubernetes containers, its score is assessed as Minimal.

This control's "Immutable (read-only) root filesystem should be enforced for containers" recommendation can lead to preventing the addition or modification of config files in Kubernetes containers required to implement the behaviors described in these sub-techniques. Because this is a recommendation, and specific to Kubernetes containers, its score is assessed as Minimal.

This control's "Immutable (read-only) root filesystem should be enforced for containers" recommendation can mitigate a sub-techniques of this technique. Due to it being a recommendation and providing minimal coverage, its score is assessed as Minimal.

This control's "Immutable (read-only) root filesystem should be enforced for containers" recommendation can lead to preventing this sub-technique which often modifies Pluggable Authentication Modules (PAM) components in the file system. Because this is a recommendation, and specific to Kubernetes containers, its score is assessed as Minimal.

This control's "Immutable (read-only) root filesystem should be enforced for containers" and "Usage of pod HostPath volume mounts should be restricted to a known list to restrict node access from compromised containers" recommendations can mitigate this technique. Due to it being a recommendation, its score is capped at Partial.

This control's "Immutable (read-only) root filesystem should be enforced for containers" recommendation can lead to mitigating a sub-technique of this technique by preventing modification of the local filesystem. Due to it being a recommendation, its score is capped at Partial.

This control's "Immutable (read-only) root filesystem should be enforced for containers" recommendation can lead to mitigating this sub-technique by preventing modification of the local filesystem. Due to it being a recommendation, its score is capped at Partial.

This control's "Immutable (read-only) root filesystem should be enforced for containers" recommendation can lead to mitigating this technique by preventing modification of the local filesystem. Due to it being a recommendation, its score is capped at Partial.

This control's "Immutable (read-only) root filesystem should be enforced for containers" recommendation can lead to mitigating this technique by preventing modification of the local filesystem. Due to it being a recommendation, its score is capped at Partial.

This control's "Immutable (read-only) root filesystem should be enforced for containers" recommendation can lead to mitigating a sub-technique of this technique by preventing modification of the local filesystem. Due to it being a recommendation and mitigating only one sub-technique, its score is assessed as Minimal.

This control's "Immutable (read-only) root filesystem should be enforced for containers" recommendation can lead to mitigating this sub-technique by preventing modification of the local filesystem. Likewise this control's recommendations related to using customer-managed keys to encrypt data at rest and enabling transparent data encryption for SQL databases can mitigate this sub-technique by reducing an adversary's ability to perform tailored data modifications. Due to it being a recommendation, its score is capped at Partial.

This control's recommendations about removing deprecated and external accounts with sensitive permissions from your subscription can lead to mitigating the Cloud Accounts sub-technique of this technique. Because this is a recommendation and has low coverage, it is assessed as Minimal.

This control's "Deprecated accounts should be removed from your subscription" and "Deprecated accounts with owner permissions should be removed from your subscription" recommendation can lead to removing accounts that should not be utilized from your subscriptions thereby denying adversaries the usage of these accounts to find ways to access your data without being noticed. Likewise, the recommendations related to External account permissions can also mitigate this sub-technique. Because these are recommendations and only limited to deprecated and external accounts, this is scored as Minimal.

This control's "Management ports should be closed on your virtual machines" recommendation can lead to reducing the attack surface of your Azure VMs by recommending closing management ports. Because this is a recommendation, its score is limited to Partial.

A variety of alerts may be generated by malicious access and enumeration of Azure Storage.

This control provides minimal detection for its procedure examples. Additionally, it is able to detect only one of its sub-techniques (Cloud Accounts) resulting in a Minimal Coverage score and consequently an overall score of Minimal.

This control may generate alerts based on unfamiliar or suspicious IP addresses, TOR exit node, and anonymous access.

This control may alert on upload of possible malware or executable and Azure Cloud Services Package files. These alerts are dependent on Microsoft threat intelligence and may not alert on novel or modified malware.

"When a file is suspected to contain malware, Security Center displays an alert and can optionally email the storage owner for approval to delete the suspicious file." This delete response capability leads to a Response type of Eradication although it is specific to Azure Blob, Azure Files and Azure Data Lake Storage storage types resulting in an overall score of Partial.

This control may alert on upload of possible malware or executable and Azure Cloud Services Package files. These alerts are dependent on Microsoft threat intelligence and may not alert on novel or modified malware.

"When a file is suspected to contain malware, Security Center displays an alert and can optionally email the storage owner for approval to delete the suspicious file." This delete response capability leads to a Response type of Eradication although it is specific to Azure Blob, Azure Files and Azure Data Lake Storage storage types resulting in an overall score of Partial.

This control may alert on unusually large amounts of data being extracted from Azure storage and suspicious access to storage accounts. There are no alerts specifically tied to data transfer between cloud accounts but there are several alerts for anomalous storage access and transfer.

This control may generate alerts when there has been an unusual or unexpected delete operation within Azure cloud storage. Alerts may not be generated by disabling of storage backups, versioning, or editing of storage objects.

This control may alert on suspicious Unix shell and PHP execution. Mismatched script extensions may also generate alerts of suspicious activity. Only one of the technique's sub-techniques is covered, resulting in a score of Minimal.

This control may alert on suspicious commandline activity. Alerts may be generated on possible detection of shellcode usage on the commandline, based on arguments, location, user, etc.

This control may alert on suspicious arguments used to exploit Xorg vulnerabilities for privilege escalation.

This control provides partial detection for only one of this technique's sub-techniques and does not cover most of its procedure examples, resulting in a score of Minimal.

This control may alert on addition of new SSH keys to the authorized key file and unusual process access of the authorized key file.

This control is only relevant for Linux endpoint machines and the only sub-technique relevant for Linux is Kernel Modules and Extensions.

This control may alert on a suspicious shared object file being loaded as a kernel module. No documentation is provided on the logic but kernel module loading is a relatively rare event and can only be done with a small set of commands.

This control is only relevant for Linux endpoints, and it provides partial coverage for the only sub-technique relevant on Linux endpoints, Local Account.

This control may alert on usage of the useradd command to create new users and the creation of local user accounts with suspicious similarity to other account names.

This control provides coverage for the only sub-technique this control is relevant for, Web Shell, but that coverage is Minimal.

This control may alert on usage of web shells. No documentation is provided on logic for this detection.

This control only provides coverage for a minority of this technique's relevant sub-techniques, resulting in a score of Minimal.

This control may alert on the execution of hidden files. Since this control is only triggered on execution, it may not fire on a variety of hidden files or directories that are being utilized for malicious purposes.

This control may alert on containers using privileged commands, running SSH servers, or running mining software.

This control only provides coverage for a miniority of the sub-techniques under this technique and provides no coverage for other relevant sub-techniques, such as Impair Command History Logging or Disable or Modify Tools, resulting in a score of Minimal.

This control may alert on manipulation of the on-host firewall. Firewall rules should not be changed often in a standard environment and such an event can provide a high fidelity alert.

This control may alert on activity which disables auditd logging on Linux endpoints. The auditd package may not be the only logging system being utilized and this control may not alert on activity that disables other logging software.

This control is only relevant for Linux environments and provides partial coverage for multiple Linux-relevant sub-techniques.

This control may alert on possible log tampering activity, including deletion of logs. No documentation is provided on which log sources are targeted by this control.

This control may alert on clearing of the command history file. Documentation is not provided on the logic for detecting when the command history is cleared but on Linux machines the location of the history file tends not to change from the default.

This control only provides detection coverage for the Compile After Delivery sub-technique while not providing detection for all other sub-techniques relevant to the Linux platform or most of its procedure examples. As a result of this minimal coverage, the overall score is assessed as Minimal.

This control may alert on suspicious compilation. No documentation is provided on the logic for determining a suspicious compilation event.

This control provides partial coverage for most of this technique's sub-techniques and procedures.

This control may alert on multiple successful and failed brute force attempts against SSH. There are no alerts for other methods of logging into Linux machines.

This control may alert on multiple successful and failed brute force attempts against SSH. There are no alerts for other methods of logging into Linux machines.

This control may alert on multiple successful and failed brute force attempts against SSH. There are no alerts for other methods of logging into Linux machines.

This control is only relevant for Linux environments, and provides partial coverage for one of the technique's two Linux-relevant sub-techniques.

This control may alert on suspicious access to encrypted user passwords. The documentation does not reference "/etc/passwd" and "/etc/shadow" directly nor does it describe the logic in determining suspicious access.

This control is only relevant for Linux environments. Among the sub-techinques that are relevant for Linux, this control may only alert on SSH.

This control may alerts on SSH brute force attempts, addition of new SSH keys, and usage of a SSH server within a container. Alerts may not be generated by usage of existing SSH keys by malicious actors for lateral movement.

This control may alert on suspicious container images running mining software or SSH servers. Privileged Docker containers and privileged commands running within containers may also be detected. These alerts are only generated on containers in Linux endpoint machines and not for containers running from Azure Docker deployment.

This control may alert on usage of a screenshot tool. Documentation is not provided on the logic for determining a screenshot tool.

This control may alert on Windows Defender security features being disabled but does not alert on other security tools or logging being disabled or tampered with. Consequently, its Coverage score is Minimal resulting in an overall Minimal score.

The following alerts are available for Windows Defender security features being disabled but none for third party security tools: "Antimalware broad files exclusion in your virtual machine", "Antimalware disabled and code execution in your virtual machine", "Antimalware disabled in your virtual machine", "Antimalware file exclusion and code execution in your virtual machine", "Antimalware file exclusion in your virtual machine", "Antimalware real-time protection was disabled in your virtual machine", "Antimalware real-time protection was disabled temporarily in your virtual machine", "Antimalware real-time protection was disabled temporarily while code was executed in your virtual machine", "Antimalware temporarily disabled in your virtual machine", "Antimalware unusual file exclusion in your virtual machine".

This control may alert on Cloud Infrastructure Discovery activity generated by specific toolkits, such as MicroBurst, PowerZure, etc. It may not generate alerts on undocumented discovery techniques or exploitation toolkits. The following alerts may be generated: "PowerZure exploitation toolkit used to enumerate storage containers, shares, and tables", "PowerZure exploitation toolkit used to enumerate resources", "MicroBurst exploitation toolkit used to enumerate resources in your subscriptions", "Azurite toolkit run detected".

This control may alert on suspicious management activity based on IP, time, anomalous behaviour, or PowerShell usage. Machine learning algorithms are used to reduce false positives. The following alerts may be generated: "Activity from a risky IP address", "Activity from infrequent country", "Impossible travel activity", "Suspicious management session using PowerShell detected", "Suspicious management session using an inactive account detected", "Suspicious management session using Azure portal detected".

This control may alert on Cloud Service Discovery activity generated by specific toolkits, such as MicroBurst, PowerZure, etc. It may not generate alerts on undocumented discovery techniques or exploitation toolkits. The following alerts may be generated: "PowerZure exploitation toolkit used to enumerate storage containers, shares, and tables", "PowerZure exploitation toolkit used to enumerate resources", "MicroBurst exploitation toolkit used to enumerate resources in your subscriptions".

This control may alert on Azure domain cloud groups discovery activity but may not provide alerts for other account types or undocumented exploitation toolkits. Consequently, its Coverage score is Minimal resulting in an overall Minimal score.

This control may alert on Permission Groups Discovery of Cloud Groups activity generated by specific toolkits, such as MicroBurst, PowerZure, etc. It may not generate alerts on undocumented discovery techniques or exploitation toolkits. The following alerts may be generated: "MicroBurst exploitation toolkit used to enumerate resources in your subscriptions", "Azurite toolkit run detected".

This control may alert on Azure cloud account discovery activity but may not provide alerts for other account types or undocumented exploitation toolkits. Consequently, its Coverage score is Minimal resulting in an overall Minimal score.

This control may alert on Account Discovery of Cloud Accounts activity generated by specific toolkits, such as MicroBurst, PowerZure, etc. It may not generate alerts on undocumented discovery techniques or exploitation toolkits. The following alerts may be generated: "PowerZure exploitation toolkit used to enumerate storage containers, shares, and tables", "PowerZure exploitation toolkit used to enumerate resources", "MicroBurst exploitation toolkit used to enumerate resources in your subscriptions", "Azurite toolkit run detected".

This control may alert on credential dumping from Azure Key Vaults, App Services Configurations, and Automation accounts by specific exploitation toolkits. Consequently, its Coverage score is Minimal resulting in an overall Minimal score. The following alerts may be generated: "MicroBurst exploitation toolkit used to extract secrets from your Azure key vaults", "MicroBurst exploitation toolkit used to extract keys to your storage accounts".

This control may alert on escalation attempts from Azure AD to Azure accounts by specific exploitation toolkits. Consequently, its Coverage score is Minimal resulting in an overall Minimal score. The following alerts may be generated: "PowerZure exploitation toolkit used to elevate access from Azure AD to Azure".

This control can isolate portions of network that do not require network-wide access, limiting some attackers that leverage trusted relationships such as remote access for vendor maintenance. Coverage partial, Temporal Immediate.

This control can be used to limit access to network infrastructure and resources that can be used to reshape traffic or otherwise produce MiTM conditions.

This control can limit attackers access to configuration repositories such as SNMP management stations, or to dumps of client configurations from common management ports.

Can limit access to client management interfaces or configuration databases

Can limit access to client management interfaces or configuration databases

Provides protection coverage for only one sub-technique partially (booting from remote devies ala TFTP boot) resulting in an overall score of Minimal.

This control can be used to restrict clients to connecting (and therefore booting) from only trusted network resources.

NSG can minimize alternative protocols allowed to communicate externally.

This control can reduce the protocols available for data exfiltration. Temporal immediate, coverage substantial.

This control can reduce the protocols available for data exfiltration. Temporal immediate, coverage substantial.

This control can reduce the protocols available for data exfiltration. Temporal immediate, coverage substantial.

This control can be used to restrict access to remote services to minimum necessary.

This control provides partial protection for all of its sub-techniques and procedure examples resulting in an overall score of Partial.

This control can be used to restrict direct access to remote services to trusted networks. This mitigates even an adversary with a valid account from accessing resources. This can be circumvented though if an adversary is able to compromise a trusted host and move laterally to a protected network. This results in an overall partial (coverage) score.

This control can be used to restrict direct access to remote services to trusted networks. This mitigates even an adversary with a valid account from accessing resources. This can be circumvented though if an adversary is able to compromise a trusted host and move laterally to a protected network. This results in an overall partial (coverage) score.

This control can be used to restrict direct access to remote services to trusted networks. This mitigates even an adversary with a valid account from accessing resources. This can be circumvented though if an adversary is able to compromise a trusted host and move laterally to a protected network. This results in an overall partial (coverage) score.

This control can be used to restrict direct access to remote services to trusted networks. This mitigates even an adversary with a valid account from accessing resources. This can be circumvented though if an adversary is able to compromise a trusted host and move laterally to a protected network. This results in an overall partial (coverage) score.

This control can be used to restrict direct access to remote services to trusted networks. This mitigates even an adversary with a valid account from accessing resources. This can be circumvented though if an adversary is able to compromise a trusted host and move laterally to a protected network. This results in an overall partial (coverage) score.

This control can be used to restrict direct access to remote services to trusted networks. This mitigates even an adversary with a valid account from accessing resources. This can be circumvented though if an adversary is able to compromise a trusted host and move laterally to a protected network. This results in an overall partial (coverage) score.

This control can be used to limit access to critical network systems such as software deployment tools.

This control can be used to restrict direct access to remote service gateways and concentrators that typically accompany external remote services. This can be circumvented though if an adversary is able to compromise a trusted host and use it to access the external remote service. This results in an overall partial (coverage) score.

This control can be used to isolate sensitive domains to limit discovery.

This control can be used to restrict access to trusted networks.

This control can be used to restrict access to trusted networks and protocols.

This control can restrict traffic to standard ports and protocols.

This control provides partial protection for a majority of this control's sub-techinques and procedure examples resulting in overall score of Partial.

This control can be used to restrict access to endpoints and thereby mitigate low-end DOS attacks.

This control can be used to restrict access to endpoints and thereby mitigate low-end DOS attacks.

This control can be used to restrict access to endpoints and thereby mitigate low-end DOS attacks.

This control can be used to limit traffic between systems and enclaves to minimum necessary for example via a zero-trust strategy.

This control can be used to restrict access to endpoints and thereby mitigate low-end network DOS attacks.

This control can restrict ports and inter-system / inter-enclave connections as described by the Proxy related sub-techniques although it doesn't provide protection for domain-fronting. It furthermore provides partial protection of this technique's procedure examples resulting in an overall Partial score.

This control can restrict access between systems, enclaves, and workloads thereby mitigating these proxy related sub-techniques.

This control can restrict access between systems, enclaves, and workloads thereby mitigating these proxy related sub-techniques.

This control can restrict access between systems, enclaves, and workloads thereby mitigating these proxy related sub-techniques.

This control can be used to restrict network communications to protect sensitive enclaves that may mitigate some of the procedure examples of this technique.

This control provides partial protection for this technique's sub-techniques and procedure examples resulting in an overall Partial score. Other variations that trigger a special response, such as executing a malicous task are not mitigated by this control.

This control can be used to implement whitelist based network rules that can mitigate variations of this sub-techniques that result in opening closed ports for communication. Because this control is able to drop traffic before reaching a compromised host, it can effectively mitigate this port knocking sub-technique.

This control provides partial coverage for all of this technique's sub-techniques and a number of its procedures, resulting in an overall score of Partial.

The Azure Sentinel Hunting "Rare processes run by Service accounts" query can identify potential misuse of default accounts. Because this detection is specific to rare processes its coverage score is Minimal resulting in a Minimal score.

The following Azure Sentinel Hunting queries can identify potential compromise of domain accounts based on access attempts and/or account usage: "Suspicious Windows Login outside normal hours", "User account added or removed from security group by an unauthorized user", "User Account added to Built in Domain Local or Global Group", "User Login IP Address Teleportation", "User made Owner of multiple teams", "Tracking Privileged Account Rare Activity", "New Admin account activity which was not seen historically", "New client running queries", "New users running queries", "Non-owner mailbox login activity", "Powershell or non-browser mailbox login activity", "Rare User Agent strings", "Same IP address with multiple csUserAgent" which may indicate that an account is being used from a new device, "Rare domains seen in Cloud Logs" when accounts from uncommon domains access or attempt to access cloud resources, "Same User - Successful logon for a given App and failure on another App within 1m and low distribution", "Hosts with new logons", "Inactive or new account signins", "Long lookback User Account Created and Deleted within 10mins", "Anomalous Geo Location Logon", and "Anomalous Sign-in Activity". The following Azure Sentinel Analytics queries can identify potential compromise of domain accounts based on access attempts and/or account usage: "Anomalous User Agent connection attempt", "New UserAgent observed in last 24 hours" which may indicate that an account is being used from a new device, "Anomalous sign-in location by user account and authenticating application", "Anomalous login followed by Teams action", "GitHub Signin Burst from Multiple Locations", "Sign-ins from IPs that attempt sign-ins to disabled accounts", "Failed Host logons but success logon to AzureAD", and "Anomalous RDP Login Detections".

The following Azure Sentinel Hunting queries can identify potential compromise of local accounts based on access attempts and/or account usage: "Suspicious Windows Login outside normal hours", "User Login IP Address Teleportation", "User account added or removed from a security group by an unauthorized user", "User Account added to Built in Domain Local or Global Group", "User added to SQL Server SecurityAdmin Group", "User Role altered on SQL Server", "User made Owner of multiple teams", "Tracking Privileged Account Rare Activity", and "Anomalous Login to Devices". The following Azure Sentinel Analytics queries can identify potential compromise of local accounts based on access attempts and/or account usage: "User account enabled and disabled within 10 mins", "Long lookback User Account Created and Deleted within 10mins", "Explicit MFA Deny", "Hosts with new logons", "Inactive or new account signins", "Anomalous SSH Login Detection", and "Anomalous RDP Login Detections".

The following Azure Sentinel Hunting queries can identify potential compromise of cloud accounts: "New Admin account activity which was not seen historically", "New client running queries", "New users running queries", "User returning more data than daily average", "User Login IP Address Teleportation", "Non-owner mailbox login activity", "Powershell or non-browser mailbox login activity", "Rare User Agent strings" and "Same IP address with multiple csUserAgent" which may indicate that an account is being used from a new device, "Rare domains seen in Cloud Logs", "Same User - Successful logon for a given App and failure on another App within 1m and low distribution", "Anomalous Azure Active Directory Apps based on authentication location", "Anomalous Geo Location Logon", "Anomalous Sign-in Activity", "Azure Active Directory sign-in burst from multiple locations", and "Azure Active Directory signins from new locations". The following Azure Sentinel Analytics queries can identify potential compromise of cloud accounts: "Anomalous User Agent connection attempt" and "New UserAgent observed in last 24 hours", which may indicate that an account is being used from a new device which may belong to an adversary; "Anomalous sign-in location by user account and authenticating application", "GitHub Signin Burst from Multiple Locations", "GitHub Activites from a New Country", and "Sign-ins from IPs that attempt sign-ins to disabled accounts", which may indicate adversary access from atypical locations; "Azure Active Directory PowerShell accessing non-AAD resources", "Anomalous login followed by Teams action", "Login to AWS management console without MFA", and "Azure Active Directory PowerShell accessing non-AAD resources" which may indicate an adversary attempting to use a valid account to access resources from other contexts. The "Correlate Unfamiliar sign-in properties" query can further enhance detection of anomalous activity.

This control provides partial coverage for one of this technique's sub-techniques, and its coverage is more for supply chain concerns of downstream consumers of software developed within the environemnt than the Azure environment itself, resulting in an overall score of Minimal.

The following Azure Sentinel Hunting queries can identify potentially malicious changes to Azure DevOps project resources: "Azure DevOps - Project Visibility changed to public" can identify a specific action that may be an indicator of an attacker modifying the cloud compute infrastructure. "Azure DevOps - Public project created" and "Azure DevOps - Public project enabled by admin" can identify specific instances of potential defense evasion. The following Azure Sentinel Analytics queries can identify potentially malicious changes to Azure DevOps project resources: "AzureDevops Service Connection Abuse" can detect potential malicious behavior associated with use of large number of service connections, "External Upstream Source added to Azure DevOps" identifies a specific behavior that could compromise the DevOps build pipeline, "Azure DevOps Pull Request Policy Bypassing - History" can identify specific potentially malicious behavior that compromises the build process, "Azure DevOps Pipeline modified by a New User" identifies potentially malicious activity that could compromise the DevOps pipeline, "Azure DevOps Administrator Group Monitoring" monitors for specific activity which could compromise the build/release process, "New Agent Added to Pool by New User or a New OS" can detect a suspicious behavior that could potentially compromise DevOps pipeline.

This control includes partial detection coverage for most of this technique's sub-techniques on a periodic basis.

The "Summary of user logons by logon type" Azure Sentinel Hunting query compares successful and unsuccessful logon attempts to identify potential lateral movement. The following Azure Sentinel Hunting queries can identify potential attempts at credential brute force based on unsuccessful attempts: "VIP account more than 6 failed logons in 10", "Multiple Failed Logon on SQL Server in Short time Span", "Permutations on logon attempts by UserPrincipalNames indicating potential brute force", "Potential IIS brute force", "Failed attempt to access Azure Portal", "Failed Login Attempt by Expired account", "Failed Logon Attempts on SQL Server", "Failed Logon on SQL Server from Same IPAddress in Short time Span", "Failed service logon attempt by user account with available AuditData", "Login attempt by Blocked MFA user", "Login spike with increase failure rate", "Attempts to sign-in to disabled accounts by IP address", "Attempts to sign-in to disabled accounts by account name", "Brute Force attack against Azure Portal", and "Anomalous Failed Logon" The following Azure Sentinel Analytics queries can identify potential attempts at credential brute force based on unsuccessful attempts: "Brute force attack against Azure Portal", "Password spray attack against Azure AD application", "Successful logon from IP and failure from a different IP", "Failed logon attempts in authpriv", "Failed AzureAD logons but success logon to host", "Excessive Windows logon failures", "Failed login attempts to Azure Portal", "Failed logon attempts by valid accounts within 10 mins", "Brute Force Attack against GitHub Account", "Distributed Password cracking attempts in AzureAD", "Potential Password Spray Attack" based on periodic assessment of Azure Active Directory sign-in events and Okta console logins, "Attempts to sign in to disabled accounts", "Sign-ins from IPs that attempt sign-ins to disabled accounts", "High count of failed logins by a user", "Hi count of failed attempts same client IP", "SSH - Potential Brute Force", and "SecurityEvent - Multiple authentication failures followed by success".

The "Summary of user logons by logon type" Azure Sentinel Hunting query compares successful and unsuccessful logon attempts to identify potential lateral movement. The following Azure Sentinel Hunting queries can identify potential attempts at credential brute force based on unsuccessful attempts: "VIP account more than 6 failed logons in 10", "Multiple Failed Logon on SQL Server in Short time Span", "Permutations on logon attempts by UserPrincipalNames indicating potential brute force", "Potential IIS brute force", "Failed attempt to access Azure Portal", "Failed Login Attempt by Expired account", "Failed Logon Attempts on SQL Server", "Failed Logon on SQL Server from Same IPAddress in Short time Span", "Failed service logon attempt by user account with available AuditData", "Login attempt by Blocked MFA user", "Login spike with increase failure rate", "Attempts to sign-in to disabled accounts by IP address", "Attempts to sign-in to disabled accounts by account name", "Brute Force attack against Azure Portal", and "Anomalous Failed Logon" The following Azure Sentinel Analytics queries can identify potential attempts at credential brute force based on unsuccessful attempts: "Brute force attack against Azure Portal", "Password spray attack against Azure AD application", "Successful logon from IP and failure from a different IP", "Failed logon attempts in authpriv", "Failed AzureAD logons but success logon to host", "Excessive Windows logon failures", "Failed login attempts to Azure Portal", "Failed logon attempts by valid accounts within 10 mins", "Brute Force Attack against GitHub Account", "Distributed Password cracking attempts in AzureAD", "Potential Password Spray Attack" based on periodic assessment of Azure Active Directory sign-in events and Okta console logins, "Attempts to sign in to disabled accounts", "Sign-ins from IPs that attempt sign-ins to disabled accounts", "High count of failed logins by a user", "Hi count of failed attempts same client IP", "SSH - Potential Brute Force", and "SecurityEvent - Multiple authentication failures followed by success".

The "Summary of user logons by logon type" Azure Sentinel Hunting query compares successful and unsuccessful logon attempts to identify potential lateral movement. The following Azure Sentinel Hunting queries can identify potential attempts at credential brute force based on unsuccessful attempts: "VIP account more than 6 failed logons in 10", "Multiple Failed Logon on SQL Server in Short time Span", "Permutations on logon attempts by UserPrincipalNames indicating potential brute force", "Potential IIS brute force", "Failed attempt to access Azure Portal", "Failed Login Attempt by Expired account", "Failed Logon Attempts on SQL Server", "Failed Logon on SQL Server from Same IPAddress in Short time Span", "Failed service logon attempt by user account with available AuditData", "Login attempt by Blocked MFA user", "Login spike with increase failure rate", "Attempts to sign-in to disabled accounts by IP address", "Attempts to sign-in to disabled accounts by account name", "Brute Force attack against Azure Portal", and "Anomalous Failed Logon" The following Azure Sentinel Analytics queries can identify potential attempts at credential brute force based on unsuccessful attempts: "Brute force attack against Azure Portal", "Password spray attack against Azure AD application", "Successful logon from IP and failure from a different IP", "Failed logon attempts in authpriv", "Failed AzureAD logons but success logon to host", "Excessive Windows logon failures", "Failed login attempts to Azure Portal", "Failed logon attempts by valid accounts within 10 mins", "Brute Force Attack against GitHub Account", "Distributed Password cracking attempts in AzureAD", "Potential Password Spray Attack" based on periodic assessment of Azure Active Directory sign-in events and Okta console logins, "Attempts to sign in to disabled accounts", "Sign-ins from IPs that attempt sign-ins to disabled accounts", "High count of failed logins by a user", "Hi count of failed attempts same client IP", "SSH - Potential Brute Force", and "SecurityEvent - Multiple authentication failures followed by success".

The following Azure Sentinel Hunting queries can identify potentially malicious manipulation of accounts to increase or maintain access: "Azure DevOps - Guest users access enabled", "Azure DevOps - Additional Org Admin added", "Anomalous Activity Role Assignment", "Anomalous Role Assignment", and "Anomalous AAD Account Manipulation", which indicate expansion of accounts' access/privileges; "Bots added to multiple teams" which indicates workspace access granted to automated accounts. The following Azure Sentinel Analytics queries can identify potentially malicious manipulation of accounts to increase or maintain access: "Suspicious granting of permissions to an account" from a previously unobserved IP address, "External user added and removed in short timeframe" for Teams resources, "Account added and removed from privileged group", "User account added to built in domain local or global group", and "New user created and added to the built-in administrator group". "Multiple Password Reset by user" can detect potentially malicious iterative password resets.

The Azure Sentinel Hunting "First access credential added to Application or Service Principal where no credential was present" query can identify potentially malicious changes to Service Principal credentials. The Azure Sentinel Analytics "Credential added after admin consented to Application" and "New access credential added to Application or Service Principal" queries can identify potentially malicious manipulation of additional cloud credentials.

The Azure Sentinel Analytics "Malformed user agent" query can detect potential C2 or C2 agent activity. This control provides minimal to partial coverage for a minority of this technique's sub-techniques and only some of its procedure examples, resulting in an overall score of Minimal.

The following Azure Sentinel Analytics queries can identify potentially malicious use of web protocols: "Powershell Empire cmdlets seen in command line" can identify use of Empire, which can perform command and control over protocols like HTTP and HTTPS. "Request for single resource on domain" can identify patterns that suggest possible command and control beaconing. The coverage for these queries is minimal resulting in an overall Minimal score.

The following Azure Sentinel Hunting queries can identify potentially malicious use of DNS: "RareDNSLookupWithDataTransfer" [sic] can identify data transfer over DNS, though it is contingent on DNS traffic meeting the requirements to be considered rare. "Abnormally Long DNS URI queries" can identify suspicious DNS queries that may be indicative of command and control operations. "DNS - domain anomalous lookup increase", "DNS Full Name anomalous lookup increase", and "DNS lookups for commonly abused TLDs" can identify increases in domain lookups for a client IP and indicate malicious traffic or exfiltration of sensitive data.

This control provides minimal coverage to both of this technique's sub-techniques as well as some of its procedure examples, resulting in an overall score of Minimal. The Azure Sentinel Analytics "Malformed user agent" query can detect potential exfiltration over a web service by malicious code with a hard-coded user agent string, or possibly data encoded via the user agent string.

The Azure Sentinel Analytics "Powershell Empire cmdlets seen in command line" query can identify use of Empire, which can use Dropbox and GitHub for data exfiltration. The Azure Sentinel Analytics "SharePointFileOperation via previously unseen IPs" can detect potential exfiltration activity via SharePoint. The coverage for these queries is minimal resulting in an overall Minimal score.

The Azure Sentinel Analytics "Powershell Empire cmdlets seen in command line" query can identify use of Empire, which can use Dropbox and GitHub for data exfiltration. The Azure Sentinel Analytics "SharePointFileOperation via previously unseen IPs" can detect potential exfiltration activity via SharePoint. The coverage for these queries is minimal resulting in an overall Minimal score.

The Azure Sentinel Analytics "Malformed user agent" query can detect hard-coded user-agent strings associated with some vulnerability scanning tools. This control provides partial coverage for only one of this technique's sub-techniques, resulting in an overall score of Minimal.

The Azure Sentinel Analytics "High count of connections by client IP on many ports" query can identify client IP addresses with 30 or more active ports used within a ten minute window, checked at a default frequency of once per hour, which may indicate scanning. Note that false positives are probable based on changes in usage patterns and/or misconfiguration, and this detection only works if scanning is not spread out over a longer timespan.

The Azure Sentinel Hunting "Crypto currency miners EXECVE" query can detect cryptocurrency mining software downloads through EXECVE. The following Azure Sentinel Analytics queries can identify potentiall malicious tool transfer: "Linked Malicious Storage Artifacts" may identify potential adversary tool downloads that are missed by anti-malware. "Powershell Empire cmdlets seen in command line" detects downloads via Empire. "New executable via Office FileUploaded Operations" can identify ingress of malicious code and attacker tools to Office services such as SharePoint and OneDrive, but with potential for high false positive rates from normal user upload activity.

This control provides minimal coverage for a minority of this technique's sub-techniques and does not cover all procedure examples, resulting in an overall score of Minimal.

The following Azure Sentinel Hunting queries can identify potential exfiltration: "Abnormally long DNS URI queries" can identify potential exfiltration via DNS. "Multiple users email forwarded to same destination" and "Office Mail Forwarding - Hunting Version" can detect potential exfiltration via email. The Azure Sentinel Analytics "Multiple users email forwarded to same destination" query can detect potential exfiltration via email. The coverage for these queries is minimal resulting in an overall Minimal score.

The following Azure Sentinel Hunting queries can identify potential resource hijacking based on anomolies in access and usage patterns: "Anomalous Resource Creation and related Network Activity", "Creation of an anomalous number of resources". The following Azure Sentinel Analytis queries can identify potential resource hijacking: "Creation of Expensive Computes in Azure" and "Suspicious number of resource creation or deployed" [sic] can identify suspicious outliers in resource quantities requested. "Suspicious Resource deployment" can identify deployments from new, potentially malicious, users. "Process execution frequency anomaly" can identify execution that may indicate hijacking. "DNS events related to mining pools", can identify potential cryptocurrency mining activity.

This control provides specific minimal coverage for two of this technique's sub-techniques, without additional coverage of its procedure examples, resulting in an overall score of Minimal. The Azure Sentinel Analytics "Azure DevOps Agent Pool Created Then Deleted" query can detect specific suspicious activity for DevOps Agent Pool. This is close to this technique's File Deletion sub-technique, but not a complete match.

The Azure Sentinel Hunting "Security Event Log Cleared" query can detect clearing of the security event logs, though not necessarily clearing of any arbitrary Windows event logs.

The Azure Sentinel Hunting "Windows System Time changed on hosts" query can detect potential timestomping activities. The Azure Sentinel Analytics "Powershell Empire cmdlets seen in command line" query can identify use of Empire, which can timestomp files and/or payloads on a target machine to help them blend in.

This control provides minimal coverage for most of this technique's sub-techniques, along with additional mappings for its procedure examples, resulting in an overall score of Minimal. The following Azure Sentinel Hunting queries can identify potentially malicious use of command and scripting interpreters that does not map directly to one/more sub-techniques: "Anomalous Code Execution" can identifyanomalous runCommand operations on virtual machines, "Azure CloudShell Usage" can identify potentially malicious use of CloudShell, "New processes observed in last 24 hours", "Rare processes run by Service accounts", and "Rare Custom Script Extension" can identify execution outliers that may suggest misuse. The following Azure Sentinel Analytics queries can identify potentially malicious use of command and scripting interpreters that does not map directly to one/more sub-techniques: "New CloudShell User" can identify potentially malicious use of CloudShell, "Rare and Potentially high-risk Office operations" can identify specific rare mailbox-related ccount and permission changes via execution.

The Azure Sentinel Analytics "Powershell Empire cmdlets seen in command line" query can identify use of Empire, which leverages PowerShell for the majority of its client-side agent tasks and can conduct PowerShell remoting. The coverage for these queries is minimal (specific to Empire) resulting in an overall Minimal score.

The Azure Sentinel Hunting "Cscript script daily summary breakdown" can detect potentially malicious scripting. The Azure Sentinel Hunting "Hosts running a rare process with commandline" query can identify uncommon command shell usage that may be malicious. The Azure Sentinel Analytics "Powershell Empire cmdlets seen in command line" query can identify use of Empire, which has modules for executing Windows Command Shell scripts. The Azure Sentinel Analytics "Base64 encoded Windows process command-lines" query can identify Base64 encoded PE files being launched via the command line.

The Azure Sentinel Hunting "Rare process running on a Linux host" query can identify uncommon shell usage that may be malicious.

The Azure Sentinel Hunting "Cscript script daily summary breakdown" can detect potentially malicious scripting. The Azure Sentinel Hunting "Hosts running a rare process with commandline" query can identify uncommon command shell usage that may be malicious.

The Azure Sentinel Hunting "Cscript script daily summary breakdown" can detect potentially malicious scripting. The Azure Sentinel Hunting "Hosts running a rare process with commandline" query can identify uncommon command shell usage that may be malicious.

The Azure Sentinel Hunting "Cscript script daily summary breakdown" can detect potentially malicious scripting. The Azure Sentinel Hunting "Hosts running a rare process with commandline" query can identify uncommon command shell usage that may be malicious.

This control provides partial detection coverage for only this technique's SharePoint sub-technique. The Azure Sentinel Hunting "Cross workspace query anomaly" query can identify potential adversary information collection (in this case from Azure ML workspaces), but does not map directly to any sub-techniques.

The following Azure Sentinel Hunting queries can identify potentially malicious access to SharePoint: "SharePointFileOperation via clientIP with previously unseen user agents", "SharePointFileOperation via devices with previously unseen user agents", and "SharePointFileOperation via previously unseen IPs". The Azure Sentinel Analytics "SharePointFileOperation via devices with previously unseen user agents" query can identify a high number of upload or download actions by an unknown and possible malicious actor.

The following Azure Sentinel Hunting queries can identify potentially malicious behavior on user accounts: "AD Account Lockout", "Anomalous Password Reset", "SQL User deleted from Database", "User removed from SQL Server Roles", and "User removed from SQL Server SecurityAdmin Group". The Azure Sentinel Analytics "Sensitive Azure Key Vault operations" query can identify attempts to remove account access by deleting keys or entire key vaults.

The Azure Sentinel Hunting "High reverse DNS count by host" and "Squid malformed requests" queries can indicate potentially malicious reconnaissance aimed at detecting network layout and the presence of network security devices. The Azure Sentinel Analytics "Several deny actions registered" query can identify patterns in Azure Firewall incidents, potentially indicating that an adversary is scanning resources on the network, at a default frequency of once per hour. Note that detection only occurs if the firewall prevents the scanning. The Azure Sentinel Analytics "Rare client observed with high reverse DNS lookup count" query can detect when a particular IP address performs an unusually high number of reverse DNS lookups and has not been observed doing so previously. The coverage for these queries is minimal resulting in an overall Minimal score.

This control provides partial coverage for all of this technique's sub-techniques, resulting in an overall score of Partial.

The Azure Sentinel Hunting "New User created on SQL Server" query can detect a specific type of potentially malicious local account creation. The following Azure Sentinel Analytics queries can identify potentially malicious local account creation: "Summary of users created using uncommon/undocumented commandline switches" which can identify use of the net command to create user accounts, "User created by unauthorized user", "User Granted Access and associated audit activity" and "User Granted Access and Grants others Access" which may identify account creation followed by suspicious behavior, "User account created and deleted within 10 mins" which suggests an account may have existed only long enough to fulfill a malicious purpose, and "Powershell Empire cmdlets seen in command line" which can identify use of Empire, including for account creation.

The following Azure Sentinel Analytics queries can identify potentially malicious domain account creation: "Summary of users created using uncommon/undocumented commandline switches" which can identify use of the net command to create user accounts, "User created by unauthorized user", "User Granted Access and associated audit activity" and "User Granted Access and Grants others Access" which may identify account creation followed by suspicious behavior, "User account created and deleted within 10 mins" which suggests an account may have existed only long enough to fulfill a malicious purpose, and "Powershell Empire cmdlets seen in command line" which can identify use of Empire, including for account creation.

The Azure Sentinel Hunting queries can identify potentially malicious cloud account creation: "External user added and removed in short timeframe" and "External user from a new organisation added" can identify the addition of new external Teams user accounts. The following Azure Sentinel Analytics queries can identify potentially malicious cloud account creation: "User Granted Access and created resources" which identifies a newly created user account gaining access and creating resources in Azure, and "New Cloud Shell User".

This control provides minimal coverage for all of this technique's sub-techniques, resulting in an overall score of Minimal.

The Azure Sentinel Analytics "Powershell Empire cmdlets seen in command line" query can identify use of Empire, which has the ability to collect emails on a target system. The coverage for these queries is minimal (specific to Empire) resulting in an overall Minimal score.

The Azure Sentinel Hunting "Suspect Mailbox Export on IIS/OWA" query can identify potential malicious exfiltration hosting via IIS. The Azure Sentinel Hunting "Host Exporting Mailbox and Removing Export" query can identify potential exfiltration of data from Exchange servers. The coverage for these queries is minimal resulting in an overall Minimal score.

The Azure Sentinel Hunting "Mail redirect via ExO transport rule" query can detect potentially malicious email redirection, but is limited to Exchange servers only.

This control provides partial coverage for only one of this technique's sub-techniques, resulting in overall coverage of Minimal.

The Azure Sentinel Hunting "Web shell command alert enrichment", "Web shell Detection", and "Web shell file alert enrichment" queries can identify potentially malicious activity via web shell.

This control provides minimal coverage for one sub-technique of this technique, resulting in an overall coverage score of Minimal.

The following Azure Sentinel Analytics queries can detect potentially malicious usage of asymmetric cryptography channels: "DNS events related to ToR proxies" can identify potential use of Tor, though it provides only minimal coverage because it only covers a set of common domains and is easily bypassed via hardcoded IP addresses, redirection, etc. "Powershell Empire cmdlets seen in command line" can identify use of Empire, which can use TLS to encrypt a command and control channel.

This control provides minimal coverage for one sub-technique of this technique, resulting in an overall coverage score of Minimal.

The Azure Sentinel Analytics "DNS events related to ToR proxies" query can identify potential use of Tor, though it provides only minimal coverage because it only covers a set of common domains and is easily bypassed via hardcoded IP addresses, redirection, etc.

This control provides minimal (mostly) to partial coverage for most of this technique's sub-techniques, resulting in an overall score of Minimal. The Azure Sentinel Hunting "Anomalous Defensive Mechanism Modification" query detects users performing delete operations on security policies, which may indicate an adversary attempting to impair defenses.

The following Azure Sentinel Hunting queries can identify potentially malicious modifications to Sentinel resources: "Azure Sentinel Analytics Rules Administrative Operations", "Azure Sentinel Connectors Administrative Operations", and "Azure Sentinel Workbooks Administrative Operations". The Azure Sentinel Analytics "Starting or Stopping HealthService to Avoid Detection" query can detect potentially malicious disabling of telemetry collection/detection. The coverage for these queries is minimal resulting in an overall Minimal score.

The Azure Sentinel Analytics "Audit policy manipulation using auditpol utility" query can detect potentially malicious to modification and/or disabling of logging via the auditpol utility. The coverage for these queries is minimal (specific to Audit policy) resulting in an overall Minimal score.

The Azure Sentinel Hunting "Azure Sentinel Analytics Rules Administrative Operations" query can identify potential attempts to impair defenses by changing or deleting detection analytics. The Azure Sentinel Analytics "Azure DevOps - Retention Reduced to Zero" query can identify that an adversary is looking to reduce their malicious activity's footprint by preventing retention of artifacts. Control is specific to indicators produced by Azure DevOps. The coverage for these queries is minimal resulting in an overall Minimal score.

The following Azure Sentinel Hunting queries can identify potentially malicious modifications to cloud firewall resources: "Azure Network Security Group NSG Administrative Operations" query can identify potential defensive evasion involving changing or disabling network access rules. "Port opened for an Azure Resource" may indicate an adversary increasing the accessibility of a resource for easier collection/exfiltration. The Azure Sentinel Analytics "Security Service Registry ACL Modification" query can detect attempts to modify registry ACLs, potentially done to evade security solutions.

The Azure Sentinel Analytics "Exchange AuditLog disabled" query can detect potentially malicious disabling of Exchange logs. The Azure Sentinel Analytics "Azure DevOps Audit Stream Disabled" query can identify disabling of Azure DevOps log streaming. The coverage for these queries is minimal (specific to these technologies) resulting in an overall Minimal score.

The following Azure Sentinel Hunting queries can identify potentially malicious automated collection: "Multiple large queries made by user" and "Query data volume anomolies" can identify that automated queries are being used to collect data in bulk. "New ServicePrincipal running queries" can indicate that an application is performing automated collection via queries. The following Azure Sentinel Analytics queries can identify potentially malicious automated collection: "Mass secret retrieval from Azure Key Vault" and "Azure Key Vault access TimeSeries anomaly" can detect a sudden increase in access counts, which may indicate that an adversary is dumping credentials via automated methods. "Users searching for VIP user activity" can identify potentially suspicious Log Analytics queries by users looking for a listing of 'VIP' activity. The coverage for these queries is minimal (applicable to specific technologies) resulting in an overall Minimal score.

The Azure Sentinel Hunting "Multiple Teams deleted by a single user" query can detect when a threshold is met for number of Teams deleted within an hour. Coverage is minimal because the control is limited to a specific resource (teams) and only works when the threshold is met. The Azure Sentinel Analytics "Multiple Teams deleted by a single user" query can detect when a threshold is met for number of Teams deleted within an hour. Coverage is minimal because the control is limited to a specific resource (teams) and only works when the threshold is met.

This control only provides partial coverage for one of this technique's sub-techniques, resulting in an overall score of Minimal.

The Azure Sentinel Hunting "Potential DGA detected" query can detect clients with a high NXDomain count, which might indicate an adversary cycling through possible C2 domains where most C2s are not live. The following Azure Sentinel Analytics queries can identify potential use of domain generation algorithms: "Possible contact with a domain generated by a DGA" and "Potential DGA detected" within DNS.

The Azure Sentinel Hunting "Potential IIS code injection attempt" query can detect some potential injection attacks against public-facing applications. The Azure Sentinel Analytics "A potentially malicious web request was executed against a web server" query can detect a high ratio of blocked requests and unobstructed requests to a Web Application Firewall (WAF) for a given client IP and hostnam. The coverage for these queries is minimal (e.g. IIS) resulting in an overall Minimal score.

This control only provides minimal to partial coverage for a minority of this technique's sub-techniques and does not address all of its procedures, resulting in an overall score of Minimal.

The following Azure Sentinel Analytics queries can identify potentially malicious use of Outlook rules: "Office policy tampering", "Malicious Inbox Rule" which can detect rules intended to delete emails that contain certain keywords (generally meant to warn compromised users about adversary behaviors), and "Mail redirect via ExO transport rule" (potentially to an adversary mailbox configured to collect mail).

The Azure Sentinel Hunting "Previously unseen bot or applicaiton added to Teams" [sic] query can detect the addition of a potentially malicious add-in, but is specific to Microsoft Teams.

The Azure Sentinel Hunting "New PowerShell Scripts encoded on the commandline" query can detect a specific type of obfuscated file. The Azure Sentinel Analytics "Process executed from binary hidden in Base64 encoded file" query can use security event searches to detect decoding by Python, bash/sh, and Ruby. The coverage for these queries is minimal (e.g. base64, PowerShell) resulting in an overall Minimal score.

This control only provides minimal to partial coverage for some this technique's sub-techniques, resulting in an overall score of Minimal.

Azure Sentinel Analytics includes a "Potential Kerberoasting" query. Kerberoasting via Empire can also be detected using the Azure Sentinel Analytics "Powershell Empire cmdlets seen in command line" query.

The Azure Sentinel Analytics "Powershell Empire cmdlets seen in command line" query can detect execution of these sub-techniques via Empire, but does not address other procedures.

The Azure Sentinel Analytics "Powershell Empire cmdlets seen in command line" query can detect execution of these sub-techniques via Empire, but does not address other procedures.

The Azure Sentinel Analytics "Gain Code Execution on ADFS Server via Remote WMI Execution" query can detect use of Windows Managemement Instrumentation on ADFS servers. The Azure Sentinel Analytics "Powershell Empire cmdlets seen in command line" query can detect WMI use via Empire, but does not address other procedures. The coverage for these queries is minimal (specific to ADFS and Empire) resulting in an overall Minimal score.

The Azure Sentinel Analytics "High count of connections by client IP on many ports" query can detect when a given client IP has 30 or more ports used within a 10 minute window, which may indicate malicious scanning. The Azure Sentinel Analytics "Powershell Empire cmdlets seen in command line" query can detect scanning via Empire, but does not address other procedures.

This control provides minimal to partial coverage for some of this technique's sub-techniques, resulting in an overall score of Minimal.

The Azure Sentinel Hunting "anomalous RDP Activity" query can detect potential lateral movement employing RDP. The following Azure Sentinel Analytics queries can identify potentially malicious use of RDP: "Anomalous RDP Login Detections", "Multiple RDP connections from Single Systems", "Rare RDP Connections", and "RDP Nesting".

The Azure Sentinel Hunting "Anomalous Resource Access" query can identify potential lateral movement via use of valid accounts to access network shares (Windows Event 4624:3).

The Azure Sentinel Analytics "Powershell Empire cmdlets seen in command line" query can detect the use of Empire, which can utilize Invoke-DCOM to leverage remote COM execution for lateral movement, but does not address other procedures.

The Azure Sentinel Analytics "Powershell Empire cmdlets seen in command line" query can detect the use of Empire, which contains modules for executing commands over SSH as well as in-memory VNC agent injection, but does not address other procedures. Azure Sentinel Analytics also provides a "New internet-exposed SSH endpoints" query. The coverage for these queries is minimal resulting in an overall Minimal score.

This control provides a highly specific detection for a misconfiguration that can lead to one of this technique's sub-techniques, ultimately preventing it.

This control provides minimal to partial coverage for a minority of this technique's sub-techniques, resulting in an overall detection score of Minimal.

The Azure Sentinel Analytics "Azure DevOps - Variable Secret Not Secured" query can identify credentials stored in the build process and protect against future credential access by suggesting that they be moved to a secret or stored in KeyVault before they can be accessed by an adversary. The coverage for these queries is minimal resulting in an overall Minimal score.

The Azure Sentinel Hunting "Query looking for secrets" query can identify potentially malicious database requests for secrets like passwords or other credentials. The Azure Sentinel Analytics "Powershell Empire cmdlets seen in command line" query can detect the use of Empire, which can use various modules to search for files containing passwords, but does not address other procedures. The coverage for these queries is minimal resulting in an overall Minimal score.

The Azure Sentinel Analytics "ADFS DKM Master Key Export" and "ADFS Key Export (Sysmon)" queries can detect potentially malicious access intended to decrypt access tokens. The Azure Sentinel Analytics "Powershell Empire cmdlets seen in command line" query can detect the use of Empire, which can use modules to extract private key and session information, but does not address other procedures. The coverage for these queries is minimal (specific to Empire, ADFS) resulting in an overall Minimal score.

This control detects a highly specific behavior that applies to one sub-technique of this technique.

The Azure Sentinel Analytics "Rare client observed with high reverse DNS lookup count" query can detect if a particular IP is observed performing an unusually high number of reverse DNS lookups and has not been observed doing so previously.

This control can identify one of this technique's sub-techniques when executed via "Powershell Empire cmdlets seen in command line", but does not address other procedures.

The Azure Sentinel Analytics "Powershell Empire cmdlets seen in command line" query can detect the use of Empire, which includes various modules to attempt to bypass UAC for privilege escalation, but does not address other procedures.

This control provides minimal coverage of a minority of this technique's sub-techniques, but does not address other procedures, resulting in an overall score of Minimal. The Azure Sentinel Analytics "Azure DevOps Personal Access Token misuse" query can identify anomalous use of Personal Access Tokens, but does not map directly to any sub-techniques.

The Azure Sentinel Analytics "Powershell Empire cmdlets seen in command line" query can detect the use of Empire, which can be used to make tokens via Invoke-RunAs and add a SID-History to a user if on a domain controller, but does not address other procedures.

The Azure Sentinel Analytics "Powershell Empire cmdlets seen in command line" query can detect the use of Empire, which can be used to make tokens via Invoke-RunAs and add a SID-History to a user if on a domain controller, but does not address other procedures.

This control provides specific forms of minimal coverage for half of this technique's sub-techniques, but does not address other procedures, resulting in an overall score of Minimal.

The Azure Sentinel Hunting "Enumeration of users and groups" query can identify potentially malicious account discovery through the use of the net tool. The Azure Sentinel Analytics "Powershell Empire cmdlets seen in command line" query can detect the use of Empire, which can acquire local and domain user account information, but does not address other procedures.

The Azure Sentinel Hunting "Enumeration of users and groups" query can identify potentially malicious account discovery through the use of the net tool. The Azure Sentinel Analytics "Powershell Empire cmdlets seen in command line" query can detect the use of Empire, which can acquire local and domain user account information, but does not address other procedures.

The Azure Sentinel Analytics "Mail.Read Permissions Granted to Application" query can identify applications that may have been abused to gain access to mailboxes.

The Azure Sentinel Analytics "Powershell Empire cmdlets seen in command line" query can detect the use of Empire, which can ZIP directories on target systems, but does not address other procedures.

This control can identify three of this technique's sub-techniques when executed via "Powershell Empire cmdlets seen in command line", but does not address other procedures.

The Azure Sentinel Analytics "Powershell Empire cmdlets seen in command line" query can detect the use of Empire, which can enumerate SSPs, install malicious SSPs, persist by modifying .lnk files to include backdoors, and modify the registry run keys, but does not address other procedures.

The Azure Sentinel Analytics "Powershell Empire cmdlets seen in command line" query can detect the use of Empire, which can enumerate SSPs, install malicious SSPs, persist by modifying .lnk files to include backdoors, and modify the registry run keys, but does not address other procedures.

The Azure Sentinel Analytics "Powershell Empire cmdlets seen in command line" query can detect the use of Empire, which can enumerate SSPs, install malicious SSPs, persist by modifying .lnk files to include backdoors, and modify the registry run keys, but does not address other procedures.

The Azure Sentinel Analytics "Powershell Empire cmdlets seen in command line" query can detect the use of Empire, which has the ability to gather browser data including bookmarks and history, but does not address other procedures.

The Azure Sentinel Analytics "Powershell Empire cmdlets seen in command line" query can detect the use of Empire, which can harvest clipboard data on Windows, but does not address other procedures or platforms.

This control can identify one of this technique's sub-techniques when executed via "Powershell Empire cmdlets seen in command line", but does not address other procedures.

The Azure Sentinel Analytics "Powershell Empire cmdlets seen in command line" query can detect the use of Empire, which can modify service binaries and restore them to their original states, but does not address other procedures.

This control can identify one of this technique's sub-techniques when executed via "Powershell Empire cmdlets seen in command line", but does not address other procedures.

The Azure Sentinel Analytics "Powershell Empire cmdlets seen in command line" query can detect the use of Empire, which can extract passwords from common web browsers including Firefox and Chrome, but does not address other procedures.

This control provides minimal to partial coverage of both of this technique's sub-techniques, resulting in an overall score of Partial.

The Azure Sentinel Analytics "Powershell Empire cmdlets seen in command line" query can detect the use of Empire, which can modify group policy objects to install and execute malicious scheduled tasks, but does not address other procedures.

The Azure Sentinel Analytics "Modified Domain Federation Trust Settings" query can detect potentially malicious changes to domain trust settings.

The Azure Sentinel Analytics "Powershell Empire cmdlets seen in command line" query can detect the use of Empire, which can enumerate domain trusts, but does not address other procedures.

This control can identify one of this technique's sub-techniques when executed via "Powershell Empire cmdlets seen in command line", but does not address other procedures.

The Azure Sentinel Analytics "Powershell Empire cmdlets seen in command line" query can detect the use of Empire, which can leverage WMI debugging to remotely replace binaries like seth.exe, utilman.exe, and magnify.exe with cmd.exe, but does not address other procedures.

The Azure Sentinel Analytics "Powershell Empire cmdlets seen in command line" query can detect the use of Empire, which can send data gathered from a target through a command and control channel, but does not address other procedures.

The Azure Sentinel Analytics "Powershell Empire cmdlets seen in command line" query can detect the use of Empire, which can exploit known system vulnerabilities, but does not explicitly address other procedures.

The Azure Sentinel Analytics "Powershell Empire cmdlets seen in command line" query can detect the use of Empire, which includes built-in modules for exploiting remote SMB, JBoss, and Jenkins servers, but does not address other procedures. The Azure Sentinel Analytics "Gain Code Execution on ADFS Server via SMB + Remote Service or Scheduled Task" query can detect when an adversary gains execution capability on an ADFS server through SMB and Remote Service or Scheduled Task.

The Azure Sentinel Analytics "Powershell Empire cmdlets seen in command line" query can detect the use of Empire, which includes modules for finding files of interest on hosts and network shares, but does not address other procedures.

This control can identify several of this technique's sub-techniques when executed via "Powershell Empire cmdlets seen in command line", but does not address other procedures.

The Azure Sentinel Analytics "Powershell Empire cmdlets seen in command line" query can detect the use of Empire, which can discover and exploit DLL hijacking opportunities, path interception opportunities in the PATH environment variable, search order hijacking vulnerabilities, and unquoted path vulnerabilities, but does not address other procedures.

The Azure Sentinel Analytics "Powershell Empire cmdlets seen in command line" query can detect the use of Empire, which can discover and exploit DLL hijacking opportunities, path interception opportunities in the PATH environment variable, search order hijacking vulnerabilities, and unquoted path vulnerabilities, but does not address other procedures.

The Azure Sentinel Analytics "Powershell Empire cmdlets seen in command line" query can detect the use of Empire, which can discover and exploit DLL hijacking opportunities, path interception opportunities in the PATH environment variable, search order hijacking vulnerabilities, and unquoted path vulnerabilities, but does not address other procedures.

The Azure Sentinel Analytics "Powershell Empire cmdlets seen in command line" query can detect the use of Empire, which can discover and exploit DLL hijacking opportunities, path interception opportunities in the PATH environment variable, search order hijacking vulnerabilities, and unquoted path vulnerabilities, but does not address other procedures.

This control can identify two of this technique's sub-techniques when executed via "Powershell Empire cmdlets seen in command line", but does not address other procedures.

The Azure Sentinel Analytics "Powershell Empire cmdlets seen in command line" query can detect the use of Empire, which includes keylogging capabilities for both Windows and Linux and contains modules that leverage API hooking to carry out tasks, but does not address other procedures.

The Azure Sentinel Analytics "Powershell Empire cmdlets seen in command line" query can detect the use of Empire, which includes keylogging capabilities for both Windows and Linux and contains modules that leverage API hooking to carry out tasks, but does not address other procedures.

This control can identify one of this technique's sub-techniques when executed via "Powershell Empire cmdlets seen in command line", but does not address other procedures.

The Azure Sentinel Analytics "Powershell Empire cmdlets seen in command line" query can detect the use of Empire, which can use Inveigh to conduct name service poisoning for credential theft and associated relay attacks, but does not address other procedures.

The Azure Sentinel Analytics "Powershell Empire cmdlets seen in command line" query can detect the use of Empire, which includes a variety of enumeration modules that have an option to use API calls to carry out tasks, but does not address other procedures.

The Azure Sentinel Analytics "Powershell Empire cmdlets seen in command line" query can detect the use of Empire, which can perform port scans from an infected host, but does not address other procedures.

The Azure Sentinel Analytics "Powershell Empire cmdlets seen in command line" query can detect the use of Empire, which can be used to conduct packet capture on target hosts, but does not address other procedures.

The Azure Sentinel Analytics "Powershell Empire cmdlets seen in command line" query can detect the use of Empire, which can obfuscate commands using Invoke-Obfuscation, but does not address other procedures.

This control can identify one of this technique's sub-techniques when executed via "Powershell Empire cmdlets seen in command line", but does not address other procedures.

The Azure Sentinel Analytics "Powershell Empire cmdlets seen in command line" query can detect the use of Empire, which contains an implementation of Mimikatz to gather credentials from memory, but does not address other procedures.

The Azure Sentinel Analytics "Powershell Empire cmdlets seen in command line" query can detect the use of Empire, which can find information about processes running on local and remote systems, but does not address other procedures.

The Azure Sentinel Analytics "Powershell Empire cmdlets seen in command line" query can detect the use of Empire, which contains multiple modules for injecting into processes, but does not address other procedures.

This control provides minimal to partial coverage of a minority of this technique's sub-techniques, resulting in an overall score of Minimal.

The Azure Sentinel Hunting "Editing Linux scheduled tasks through Crontab" query can detect potentially malicious modification of cron jobs.

The Azure Sentinel Analytics "Powershell Empire cmdlets seen in command line" query can detect the use of Empire, which can interact with the Windows task scheduler, but does not address other procedures.

The Azure Sentinel Analytics "Powershell Empire cmdlets seen in command line" query can detect the use of Empire, which can capture screenshots on Windows, but does not address other procedures.

This control can identify one of this technique's sub-techniques when executed via "Powershell Empire cmdlets seen in command line", but does not address other procedures.