Azure

Microsoft Azure is a widely used cloud computing platform provided by Microsoft. Azure offers a range of security capabilities to protect cloud data, applications, and infrastructure from threats. These mappings connect Azure security capabilities to adversary behaviors in MITRE ATT&CK®, providing Azure users with a comprehensive view of how native Azure security capabilities can be used to prevent, detect, and respond to prevalent cloud threats. As a result, Azure users can evaluate the effectiveness of native security controls against specific ATT&CK techniques and take a threat-informed approach to understand, prioritize, and mitigate adversary behaviors that are most important for their environment.

Azure Versions: 04.26.2025, 06.29.2021 ATT&CK Versions: 16.1, 8.2 ATT&CK Domain: Enterprise

Security Stack Mapping Methodology

SELECT VERSIONS

Azure Version

ATT&CK Version

ATT&CK Domain

Capability Groups

ID Capability Group Name Number of Mappings Number of Capabilities
alerts_for_windows_machines Alerts for Windows Machines 110 1
azure_private_link Azure Private Link 15 1
azure_dedicated_hsm Azure Dedicated HSM 8 1
azure_dns_alias_records Azure DNS Alias Records 2 1
alerts_for_azure_cosmos_db Alerts for Azure Cosmos DB 3 1
file_integrity_monitoring File Integrity Monitoring 79 1
azure_backup Azure Backup 9 1
azure_policy Azure Policy 41 1
azure_vpn_gateway Azure VPN Gateway 7 1
advanced_threat_protection_for_azure_sql_database Advanced Threat Protection for Azure SQL Database 8 1
microsoft_antimalware_for_azure Microsoft Antimalware for Azure 21 1
azure_web_application_firewall Azure Web Application Firewall 12 1
azure_dns_analytics Azure DNS Analytics 10 1
just-in-time_vm_access Just-in-Time VM Access 8 1
azure_firewall Azure Firewall 30 1
alerts_for_dns Alerts for DNS 8 1
azure_key_vault Azure Key Vault 5 1
docker_host_hardening Docker Host Hardening 11 1
alerts_for_azure_network_layer Alerts for Azure Network Layer 11 1
azure_ddos_protection Azure DDoS Protection 7 1
azure_network_watcher_traffic_analytics Azure Network Watcher: Traffic Analytics 44 1
azure_role_based_access_control Azure Role-Based Access Control 22 1
azure_update_manager Azure Update Manager 14 1
defender_for_storage Microsoft Defender for Cloud: Defender for Storage 9 1
ai_threat_protection Microsoft Defender for Cloud: AI Threat Protection 4 1
defender_for_apis Microsoft Defender for Cloud: Microsoft Defender for APIs 4 1
defender_for_app_service Microsoft Defender for Cloud: Defender for App Service 84 1
ai_security_recommendations Microsoft Defender for Cloud: AI Security Recommendations 46 1
alerts_for_linux_machines Alerts for Linux Machines 45 1
vulnerability_management Microsoft Defender for Cloud: Vulnerability Management 7 1
defender_for_containers Microsoft Defender for Containers 25 1
defender_for_open_source_databases Microsoft Defender for Open-Source Relational Databases 5 1
devops_security Microsoft Defender for Cloud: DevOps Security 9 1
defender_for_key_vault Microsoft Defender for Key Vault 3 1
defender_for_resource_manager Microsoft Defender for Resource Manager 11 1
azure_network_security_groups Azure Network Security Groups 42 1
defender_for_azure_sql_databases Microsoft Defender for Azure SQL Databases 7 1

All Mappings

Capability ID Capability Description Category Value ATT&CK ID ATT&CK Name Notes
defender_for_storage Microsoft Defender for Cloud: Defender for Storage detect significant T1078.004 Cloud Accounts
Comments
This control may generate alerts based on unfamiliar or suspicious IP addresses, TOR exit node, and anonymous access.
References
defender_for_storage Microsoft Defender for Cloud: Defender for Storage detect significant T1530 Data from Cloud Storage
defender_for_storage Microsoft Defender for Cloud: Defender for Storage respond partial T1105 Ingress Tool Transfer
Comments
When a file is suspected to contain malware, Security Center displays an alert and can optionally email the storage owner for approval to delete the suspicious file. This delete response capability leads to a Response type of Eradication although it is specific to Azure Blob, Azure Files and Azure Data Lake Storage storage types resulting in an overall score of Partial.
References
defender_for_storage Microsoft Defender for Cloud: Defender for Storage respond partial T1080 Taint Shared Content
Comments
When a file is suspected to contain malware, Security Center displays an alert and can optionally email the storage owner for approval to delete the suspicious file. This delete response capability leads to a Response type of Eradication although it is specific to Azure Blob, Azure Files and Azure Data Lake Storage storage types resulting in an overall score of Partial.
References
defender_for_storage Microsoft Defender for Cloud: Defender for Storage detect partial T1537 Transfer Data to Cloud Account
Comments
This control may alert on unusually large amounts of data being extracted from Azure storage and suspicious access to storage accounts. There are no alerts specifically tied to data transfer between cloud accounts but there are several alerts for anomalous storage access and transfer.
References
defender_for_storage Microsoft Defender for Cloud: Defender for Storage detect partial T1105 Ingress Tool Transfer
Comments
This control may alert on upload of possible malware or executable and Azure Cloud Services Package files. These alerts are dependent on Microsoft threat intelligence and may not alert on novel or modified malware.
References
defender_for_storage Microsoft Defender for Cloud: Defender for Storage detect partial T1080 Taint Shared Content
Comments
This control may alert on upload of possible malware or executable and Azure Cloud Services Package files. These alerts are dependent on Microsoft threat intelligence and may not alert on novel or modified malware.
References
defender_for_storage Microsoft Defender for Cloud: Defender for Storage detect minimal T1485 Data Destruction
Comments
This control may generate alerts when there has been an unusual or unexpected delete operation within Azure cloud storage. Alerts may not be generated by disabling of storage backups, versioning, or editing of storage objects.
References
defender_for_storage Microsoft Defender for Cloud: Defender for Storage detect minimal T1078 Valid Accounts
Comments
This control provides minimal detection for its procedure examples. Additionally, it is able to detect only one of its sub-techniques (Cloud Accounts) resulting in a Minimal Coverage score and consequently an overall score of Minimal.
References
file_integrity_monitoring Microsoft Defender for Cloud: File Integrity Monitoring detect minimal T1003 OS Credential Dumping
Comments
Most credential dumping operations do not require modifying resources that can be detected by this control (i.e. Registry and File system) and therefore its coverage is minimal.
References
file_integrity_monitoring Microsoft Defender for Cloud: File Integrity Monitoring detect minimal T1098 Account Manipulation
Comments
This control can detect account manipulation.
References
file_integrity_monitoring Microsoft Defender for Cloud: File Integrity Monitoring detect minimal T1137 Office Application Startup
Comments
This control can detect peristence via office application startup.
References
file_integrity_monitoring Microsoft Defender for Cloud: File Integrity Monitoring detect minimal T1546.010 AppInit DLLs
Comments
The detection score for this group of sub-techniques is assessed as Minimal due to the accuracy component of the score. The registry keys which are modified as a result of these sub-techniques can change frequently or are too numerous to monitor and therefore can result in significant amount of false positives.
References
file_integrity_monitoring Microsoft Defender for Cloud: File Integrity Monitoring detect minimal T1546.015 Component Object Model Hijacking
Comments
The detection score for this group of sub-techniques is assessed as Minimal due to the accuracy component of the score. The registry keys which are modified as a result of these sub-techniques can change frequently or are too numerous to monitor and therefore can result in significant amount of false positives.
References
file_integrity_monitoring Microsoft Defender for Cloud: File Integrity Monitoring detect minimal T1548 Abuse Elevation Control Mechanism
Comments
This control can detect abuse of elevation control mechanisms.
References
file_integrity_monitoring Microsoft Defender for Cloud: File Integrity Monitoring detect minimal T1548.002 Bypass User Account Control
Comments
Some UAC bypass methods rely on modifying specific, user-accessible Registry settings that can be monitored using this control. Overall, there are numerous other bypass methods that do not result in Registry modification that this control will not be effective in detection resulting in a low detection coverage factor.
References
file_integrity_monitoring Microsoft Defender for Cloud: File Integrity Monitoring detect minimal T1562 Impair Defenses
Comments
Due to low detection coverage, this technique is scored as minimal.
References
file_integrity_monitoring Microsoft Defender for Cloud: File Integrity Monitoring detect minimal T1562.001 Disable or Modify Tools
Comments
This control can be used to monitor Registry keys related to security software or event logging processes that can detect when an adversary attempts to disable these tools via modifying or deleting Registry keys. A majority of the cited procedure examples for this sub-technique are related to killing security processes rather than modifying the Registry, and therefore the detection coverage for this control is low.
References
file_integrity_monitoring Microsoft Defender for Cloud: File Integrity Monitoring detect minimal T1562.004 Disable or Modify System Firewall
Comments
There are numerous ways depending on the operating system that these sub-techniques can be accomplished. Monitoring the Windows Registry is one way depending on the procedure chosen to implement the sub-technique and therefore the overall coverage is low.
References
file_integrity_monitoring Microsoft Defender for Cloud: File Integrity Monitoring detect minimal T1562.006 Indicator Blocking
Comments
There are numerous ways depending on the operating system that these sub-techniques can be accomplished. Monitoring the Windows Registry is one way depending on the procedure chosen to implement the sub-technique and therefore the overall coverage is low.
References
file_integrity_monitoring Microsoft Defender for Cloud: File Integrity Monitoring detect minimal T1574 Hijack Execution Flow
Comments
This control can detect hijacked execution flow.
References
file_integrity_monitoring Microsoft Defender for Cloud: File Integrity Monitoring detect partial T1003.001 LSASS Memory
Comments
This control can be used to detect the Windows Security Support Provider (SSP) DLLs variation of this sub-technique by monitoring the Registry keys used to register these DLLs. These keys should change infrequently and therefore false positives should be minimal.
References
file_integrity_monitoring Microsoft Defender for Cloud: File Integrity Monitoring detect partial T1036.007 Double File Extension
Comments
This control can detect when files with two file extensions are created.
References
file_integrity_monitoring Microsoft Defender for Cloud: File Integrity Monitoring detect partial T1036.008 Masquerade File Type
Comments
This control can detect if files are created or edited where the header and extension do not match.
References
file_integrity_monitoring Microsoft Defender for Cloud: File Integrity Monitoring detect partial T1037 Boot or Logon Initialization Scripts
Comments
This control can detect abuse of boot or logon initialization scripts.
References
file_integrity_monitoring Microsoft Defender for Cloud: File Integrity Monitoring detect partial T1037.001 Logon Script (Windows)
Comments
This control may detect changes to the Windows registry upon creation or modification of logon scripts. This control at worst scans for changes on an hourly basis.
References
file_integrity_monitoring Microsoft Defender for Cloud: File Integrity Monitoring detect partial T1037.003 Network Logon Script
Comments
This control may detect changes to the Windows registry upon creation or modification of logon scripts. This control at worst scans for changes on an hourly basis.
References
file_integrity_monitoring Microsoft Defender for Cloud: File Integrity Monitoring detect partial T1053.001 At (Linux)
Comments
This control may detect changes to the Windows registry upon creation or modification of scheduled tasks. This control may also detect changes to files used by cron or systemd to create/modify scheduled tasks. The specificity of registry keys and files used in creation or modification of these scheduled tasks may reduce the false positive rate. This control at worst scans for changes on an hourly basis.
References
file_integrity_monitoring Microsoft Defender for Cloud: File Integrity Monitoring detect partial T1053.002 At
Comments
This control may detect changes to the Windows registry upon creation or modification of scheduled tasks. This control may also detect changes to files used by cron or systemd to create/modify scheduled tasks. The specificity of registry keys and files used in creation or modification of these scheduled tasks may reduce the false positive rate. This control at worst scans for changes on an hourly basis.
References
file_integrity_monitoring Microsoft Defender for Cloud: File Integrity Monitoring detect partial T1053.003 Cron
Comments
This control may detect changes to the Windows registry upon creation or modification of scheduled tasks. This control may also detect changes to files used by cron or systemd to create/modify scheduled tasks. The specificity of registry keys and files used in creation or modification of these scheduled tasks may reduce the false positive rate. This control at worst scans for changes on an hourly basis.
References
file_integrity_monitoring Microsoft Defender for Cloud: File Integrity Monitoring detect partial T1053.005 Scheduled Task
Comments
This control may detect changes to the Windows registry upon creation or modification of scheduled tasks. This control may also detect changes to files used by cron or systemd to create/modify scheduled tasks. The specificity of registry keys and files used in creation or modification of these scheduled tasks may reduce the false positive rate. This control at worst scans for changes on an hourly basis.
References
file_integrity_monitoring Microsoft Defender for Cloud: File Integrity Monitoring detect partial T1053.006 Systemd Timers
Comments
This control may detect changes to the Windows registry upon creation or modification of scheduled tasks. This control may also detect changes to files used by cron or systemd to create/modify scheduled tasks. The specificity of registry keys and files used in creation or modification of these scheduled tasks may reduce the false positive rate. This control at worst scans for changes on an hourly basis.
References
file_integrity_monitoring Microsoft Defender for Cloud: File Integrity Monitoring detect partial T1070.007 Clear Network Connection History and Configurations
Comments
This control can detect changes to files associated with this technique.
References
file_integrity_monitoring Microsoft Defender for Cloud: File Integrity Monitoring detect partial T1070.008 Clear Mailbox Data
Comments
This control can detect changes to files associated with this technique.
References
file_integrity_monitoring Microsoft Defender for Cloud: File Integrity Monitoring detect partial T1070.009 Clear Persistence
Comments
This control can detect changes to files associated with this technique.
References
file_integrity_monitoring Microsoft Defender for Cloud: File Integrity Monitoring detect partial T1070.010 Relocate Malware
Comments
This control can detect changes to files associated with this technique.
References
file_integrity_monitoring Microsoft Defender for Cloud: File Integrity Monitoring detect partial T1098.004 SSH Authorized Keys
Comments
This control may detect changes to the SSH authorized keys file which may indicate establishment of persistence. This control at worst scans for changes on an hourly basis.
References
file_integrity_monitoring Microsoft Defender for Cloud: File Integrity Monitoring detect partial T1137.002 Office Test
Comments
This control may detect changes to the Windows registry to establish persistence with the Office Test sub-technique. The specificity of registry keys involved may reduce the false positive rate. This control at worst scans for changes on an hourly basis.
References
file_integrity_monitoring Microsoft Defender for Cloud: File Integrity Monitoring detect partial T1222 File and Directory Permissions Modification
Comments
This control can detect file and directory permissions modification.
References
file_integrity_monitoring Microsoft Defender for Cloud: File Integrity Monitoring detect partial T1222.001 Windows File and Directory Permissions Modification
Comments
This control can detect changes to the permissions of Windows and Linux files and can be used to detect modifications to sensitive directories and files that shouldn't change frequently. This control at worst scans for changes on an hourly basis.
References
file_integrity_monitoring Microsoft Defender for Cloud: File Integrity Monitoring detect partial T1222.002 Linux and Mac File and Directory Permissions Modification
Comments
This control can detect changes to the permissions of Windows and Linux files and can be used to detect modifications to sensitive directories and files that shouldn't change frequently. This control at worst scans for changes on an hourly basis.
References
file_integrity_monitoring Microsoft Defender for Cloud: File Integrity Monitoring detect partial T1505.004 IIS Components
Comments
This control can detect when files associated with the technique are created or modified, such as %windir%\system32\inetsrv\config\applicationhost.config.
References
file_integrity_monitoring Microsoft Defender for Cloud: File Integrity Monitoring detect partial T1505.005 Terminal Services DLL
Comments
This control can detect when files or registry keys associated with this technique are created or modified, such as termsrv.dll and ServiceDll.
References
file_integrity_monitoring Microsoft Defender for Cloud: File Integrity Monitoring detect partial T1543 Create or Modify System Process
Comments
This control can detect creation or modification of system-level processes.
References
file_integrity_monitoring Microsoft Defender for Cloud: File Integrity Monitoring detect partial T1543.002 Systemd Service
Comments
This control may detect changes to the Windows registry upon creation or modification of Windows services. This control may also detect changes to files used by systemd to create/modify systemd services. The specificity of registry keys and files used in creation or modification of these scheduled tasks may reduce the false positive rate. This control at worst scans for changes on an hourly basis.
References
file_integrity_monitoring Microsoft Defender for Cloud: File Integrity Monitoring detect partial T1543.003 Windows Service
Comments
This control may detect changes to the Windows registry upon creation or modification of Windows services. This control may also detect changes to files used by systemd to create/modify systemd services. The specificity of registry keys and files used in creation or modification of these scheduled tasks may reduce the false positive rate. This control at worst scans for changes on an hourly basis.
References
file_integrity_monitoring Microsoft Defender for Cloud: File Integrity Monitoring detect partial T1546 Event Triggered Execution
Comments
The detection score for this technique was assessed as Partial because it doesn't detect some of the sub-techniques of this technique such as Windows Management Instrumentation (WMI) Event Subscription and Trap sub-techniques. Additionally for some sub-techniques, this control can be noisy.
References
file_integrity_monitoring Microsoft Defender for Cloud: File Integrity Monitoring detect partial T1546.001 Change Default File Association
Comments
This control may detect changes to the Windows registry or files that indicate event triggered execution. The specificity of registry keys and files used in creation or modification of these scheduled tasks may reduce the false positive rate. This control at worst scans for changes on an hourly basis.
References
file_integrity_monitoring Microsoft Defender for Cloud: File Integrity Monitoring detect partial T1546.002 Screensaver
Comments
This control may detect changes to the Windows registry or files that indicate event triggered execution. The specificity of registry keys and files used in creation or modification of these scheduled tasks may reduce the false positive rate. This control at worst scans for changes on an hourly basis.
References
file_integrity_monitoring Microsoft Defender for Cloud: File Integrity Monitoring detect partial T1546.004 Unix Shell Configuration Modification
Comments
This control may detect changes to the Windows registry or files that indicate event triggered execution. The specificity of registry keys and files used in creation or modification of these scheduled tasks may reduce the false positive rate. This control at worst scans for changes on an hourly basis.
References
file_integrity_monitoring Microsoft Defender for Cloud: File Integrity Monitoring detect partial T1546.007 Netsh Helper DLL
Comments
This control may detect changes to the Windows registry or files that indicate event triggered execution. The specificity of registry keys and files used in creation or modification of these scheduled tasks may reduce the false positive rate. This control at worst scans for changes on an hourly basis.
References
file_integrity_monitoring Microsoft Defender for Cloud: File Integrity Monitoring detect partial T1546.008 Accessibility Features
Comments
This control may detect changes to the Windows registry or files that indicate event triggered execution. The specificity of registry keys and files used in creation or modification of these scheduled tasks may reduce the false positive rate. This control at worst scans for changes on an hourly basis.
References
file_integrity_monitoring Microsoft Defender for Cloud: File Integrity Monitoring detect partial T1546.009 AppCert DLLs
Comments
This control may detect changes to the Windows registry or files that indicate event triggered execution. The specificity of registry keys and files used in creation or modification of these scheduled tasks may reduce the false positive rate. This control at worst scans for changes on an hourly basis.
References
file_integrity_monitoring Microsoft Defender for Cloud: File Integrity Monitoring detect partial T1546.011 Application Shimming
Comments
This control may detect changes to the Windows registry or files that indicate event triggered execution. The specificity of registry keys and files used in creation or modification of these scheduled tasks may reduce the false positive rate. This control at worst scans for changes on an hourly basis.
References
file_integrity_monitoring Microsoft Defender for Cloud: File Integrity Monitoring detect partial T1546.012 Image File Execution Options Injection
Comments
This control may detect changes to the Windows registry or files that indicate event triggered execution. The specificity of registry keys and files used in creation or modification of these scheduled tasks may reduce the false positive rate. This control at worst scans for changes on an hourly basis.
References
file_integrity_monitoring Microsoft Defender for Cloud: File Integrity Monitoring detect partial T1546.013 PowerShell Profile
Comments
This control may detect changes to the Windows registry or files that indicate event triggered execution. The specificity of registry keys and files used in creation or modification of these scheduled tasks may reduce the false positive rate. This control at worst scans for changes on an hourly basis.
References
file_integrity_monitoring Microsoft Defender for Cloud: File Integrity Monitoring detect partial T1546.016 Installer Packages
Comments
This control can detect event triggered execution via installer packages.
References
file_integrity_monitoring Microsoft Defender for Cloud: File Integrity Monitoring detect partial T1546.017 Udev Rules
Comments
This control can detect event triggered execution via udev rules.
References
file_integrity_monitoring Microsoft Defender for Cloud: File Integrity Monitoring detect partial T1547 Boot or Logon Autostart Execution
Comments
This control can detect boot or logon autostart execution.
References
file_integrity_monitoring Microsoft Defender for Cloud: File Integrity Monitoring detect partial T1547.001 Registry Run Keys / Startup Folder
Comments
This control may detect changes to the Windows registry or files that enable Boot or Logon Autostart Execution. This control at worst scans for changes on an hourly basis.
References
file_integrity_monitoring Microsoft Defender for Cloud: File Integrity Monitoring detect partial T1547.002 Authentication Package
Comments
This control may detect changes to the Windows registry or files that enable Boot or Logon Autostart Execution. This control at worst scans for changes on an hourly basis.
References
file_integrity_monitoring Microsoft Defender for Cloud: File Integrity Monitoring detect partial T1547.003 Time Providers
Comments
This control may detect changes to the Windows registry or files that enable Boot or Logon Autostart Execution. This control at worst scans for changes on an hourly basis.
References
file_integrity_monitoring Microsoft Defender for Cloud: File Integrity Monitoring detect partial T1547.004 Winlogon Helper DLL
Comments
This control may detect changes to the Windows registry or files that enable Boot or Logon Autostart Execution. This control at worst scans for changes on an hourly basis.
References
file_integrity_monitoring Microsoft Defender for Cloud: File Integrity Monitoring detect partial T1547.005 Security Support Provider
Comments
This control may detect changes to the Windows registry or files that enable Boot or Logon Autostart Execution. This control at worst scans for changes on an hourly basis.
References
file_integrity_monitoring Microsoft Defender for Cloud: File Integrity Monitoring detect partial T1547.006 Kernel Modules and Extensions
Comments
This control may detect changes to the Windows registry or files that enable Boot or Logon Autostart Execution. This control at worst scans for changes on an hourly basis.
References
file_integrity_monitoring Microsoft Defender for Cloud: File Integrity Monitoring detect partial T1547.008 LSASS Driver
Comments
This control may detect changes to the Windows registry or files that enable Boot or Logon Autostart Execution. This control at worst scans for changes on an hourly basis.
References
file_integrity_monitoring Microsoft Defender for Cloud: File Integrity Monitoring detect partial T1547.009 Shortcut Modification
Comments
This control may detect changes to the Windows registry or files that enable Boot or Logon Autostart Execution. This control at worst scans for changes on an hourly basis.
References
file_integrity_monitoring Microsoft Defender for Cloud: File Integrity Monitoring detect partial T1547.010 Port Monitors
Comments
This control may detect changes to the Windows registry or files that enable Boot or Logon Autostart Execution. This control at worst scans for changes on an hourly basis.
References
file_integrity_monitoring Microsoft Defender for Cloud: File Integrity Monitoring detect partial T1547.012 Print Processors
Comments
This control may detect changes to the Windows registry or files that enable Boot or Logon Autostart Execution. This control at worst scans for changes on an hourly basis.
References
file_integrity_monitoring Microsoft Defender for Cloud: File Integrity Monitoring detect partial T1547.014 Active Setup
Comments
This control can detect commands or registry key modifications associated with Active Setup such as HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\.
References
file_integrity_monitoring Microsoft Defender for Cloud: File Integrity Monitoring detect partial T1548.003 Sudo and Sudo Caching
Comments
This control may detect changes to the sudoers file which may indicate privilege escalation. This control at worst scans for changes on an hourly basis.
References
file_integrity_monitoring Microsoft Defender for Cloud: File Integrity Monitoring detect partial T1553 Subvert Trust Controls
Comments
This control can be used to detect a subset of this technique's sub-techniques while minimizing the false positive rate.
References
file_integrity_monitoring Microsoft Defender for Cloud: File Integrity Monitoring detect partial T1553.003 SIP and Trust Provider Hijacking
Comments
This control can detect modifications made to the Registry keys used to register Windows Subject Interface Packages (SIPs). Because this sub-technique can be accomplished without modifying the Registry via DLL Search Order Hijacking, it has been scored as Partial. The related Registry keys should not change often and therefore the false positive rate should be minimal. This control at worst scans for changes on an hourly basis.
References
file_integrity_monitoring Microsoft Defender for Cloud: File Integrity Monitoring detect partial T1553.004 Install Root Certificate
Comments
This control can be used to detect when the system root certificates has changed by detecting the corresponding Registry or File system modifications that occur as a result. These root certificates should not change often and therefore the false positive rate is minimal. This control at worst scans for changes on an hourly basis.
References
file_integrity_monitoring Microsoft Defender for Cloud: File Integrity Monitoring detect partial T1556 Modify Authentication Process
Comments
This control is effective for detecting the Registry and file system artifacts that are generated during the execution of some variations of this technique while minimizing false positives due to the locations being monitored changing infrequently (e.g. /etc/pam.d/).
References
file_integrity_monitoring Microsoft Defender for Cloud: File Integrity Monitoring detect partial T1556.002 Password Filter DLL
Comments
The Registry key used to register a Password Filter DLL can be monitored for changes using this control providing substantial coverage of this sub-technique. This key should not change often and therefore false positives should be minimal. This control at worst scans for changes on an hourly basis.
References
file_integrity_monitoring Microsoft Defender for Cloud: File Integrity Monitoring detect partial T1556.003 Pluggable Authentication Modules
Comments
The PAM configuration and module paths (/etc/pam.d/) can be monitored for changes using this control. The files in this path should not change often and therefore false positives should be minimal. This control at worst scans for changes on an hourly basis.
References
file_integrity_monitoring Microsoft Defender for Cloud: File Integrity Monitoring detect partial T1556.007 Hybrid Identity
Comments
This control can monitor for suspicious modification of files associated with hybrid identity authentication processes, such as configuration files.
References
file_integrity_monitoring Microsoft Defender for Cloud: File Integrity Monitoring detect partial T1556.008 Network Provider DLL
Comments
This control can monitor for creation or changes to registry keys associated with network provider DLL such as HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\\NetworkProvider and HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\NetworkProvider\Order.
References
file_integrity_monitoring Microsoft Defender for Cloud: File Integrity Monitoring detect partial T1564.008 Email Hiding Rules
Comments
This control can detect when files are modified related to email rules such as RulesActiveState.plist, SyncedRules.plist, UnsyncedRules.plist, and MessageRules.plist on MacOS.
References
file_integrity_monitoring Microsoft Defender for Cloud: File Integrity Monitoring detect partial T1564.009 Resource Forking
Comments
This control can detect when files are created or modified related to resource forking.
References
file_integrity_monitoring Microsoft Defender for Cloud: File Integrity Monitoring detect partial T1564.012 File/Path Exclusions
Comments
This control can detect when files are created in folders associated with or spoofing that of trusted applications.
References
file_integrity_monitoring Microsoft Defender for Cloud: File Integrity Monitoring detect partial T1574.006 Dynamic Linker Hijacking
Comments
This control may detect changes to the ld.so.preload file which may indicate an attempt to hijack execution flow. This sub-technique may also be utilized through an environment variable which this control may not detect. This control at worst scans for changes on an hourly basis.
References
file_integrity_monitoring Microsoft Defender for Cloud: File Integrity Monitoring detect partial T1574.007 Path Interception by PATH Environment Variable
Comments
This control can detect file changes on VMs indicative of Path Interception by PATH Environment Variable.
References
file_integrity_monitoring Microsoft Defender for Cloud: File Integrity Monitoring detect partial T1574.008 Path Interception by Search Order Hijacking
Comments
This control can detect file changes on VMs indicative of Path Interception by Search Order Hijacking.
References
file_integrity_monitoring Microsoft Defender for Cloud: File Integrity Monitoring detect partial T1574.009 Path Interception by Unquoted Path
Comments
This control can detect file changes on VMs indicative of Path Interception by Unquoted Path.
References
file_integrity_monitoring Microsoft Defender for Cloud: File Integrity Monitoring detect partial T1574.014 AppDomainManager
Comments
This control can detect file changes on VMs indicative of hijacking of the AppDomainManager.
References
file_integrity_monitoring Microsoft Defender for Cloud: File Integrity Monitoring detect significant T1053 Scheduled Task/Job
Comments
This control can detect scheduled tasks/jobs.
References
docker_host_hardening Microsoft Defender for Cloud: Docker Host Hardening detect minimal T1525 Implant Internal Image
Comments
This control may alert on Docker containers that are misconfigured or do not conform to CIS Docker Benchmarks. This may result in detection of container images implanted within Linux VMs with specific vulnerabilities or misconfigurations for malicious purposes.
References
docker_host_hardening Microsoft Defender for Cloud: Docker Host Hardening protect minimal T1005 Data from Local System
Comments
This control may provide recommendations that limit the ability of an attacker to gain access to a host from a container, preventing the attacker from discovering and compromising local system data.
References
docker_host_hardening Microsoft Defender for Cloud: Docker Host Hardening protect minimal T1021 Remote Services
Comments
This control can protect against abuse of remote services.
References
docker_host_hardening Microsoft Defender for Cloud: Docker Host Hardening protect minimal T1021.004 SSH
Comments
This control may provide recommendations to ensure sshd is not running within Docker containers. This can prevent attackers from utilizing unmonitored SSH servers within containers. This may not prevent attackers from installing a SSH server in containers or hosts.
References
docker_host_hardening Microsoft Defender for Cloud: Docker Host Hardening protect minimal T1040 Network Sniffing
Comments
This control may recommend usage of TLS to encrypt communication between the Docker daemon and clients. This can prevent possible leakage of sensitive information through network sniffing.
References
docker_host_hardening Microsoft Defender for Cloud: Docker Host Hardening protect minimal T1068 Exploitation for Privilege Escalation
Comments
This control may provide recommendations on how to reduce the surface area and mechanisms by which an attacker could escalate privileges.
References
docker_host_hardening Microsoft Defender for Cloud: Docker Host Hardening protect minimal T1083 File and Directory Discovery
Comments
This control may provide recommendations to ensure sensitive host system directories are not mounted in the container.
References
docker_host_hardening Microsoft Defender for Cloud: Docker Host Hardening protect minimal T1548 Abuse Elevation Control Mechanism
Comments
This control is only relevant for Linux endpoints containing Docker containers.
References
docker_host_hardening Microsoft Defender for Cloud: Docker Host Hardening protect minimal T1548.001 Setuid and Setgid
Comments
This control may provide recommendations to remove setuid and setguid permissions from container images. It may not be feasible to audit and remediate all binaries that have and require setuid and setguid permissions.
References
docker_host_hardening Microsoft Defender for Cloud: Docker Host Hardening protect partial T1021.007 Cloud Services
Comments
This control can protect against abuse of remote cloud services.
References
docker_host_hardening Microsoft Defender for Cloud: Docker Host Hardening protect partial T1021.008 Direct Cloud VM Connections
Comments
This control can protect against abuse of direct cloud VM connections.
References
devops_security Microsoft Defender for Cloud: DevOps Security protect partial T1098 Account Manipulation
devops_security Microsoft Defender for Cloud: DevOps Security protect partial T1098.001 Additional Cloud Credentials
Comments
This capability can protect against creation of additional cloud credentials by requiring DevOps best practices.
References
devops_security Microsoft Defender for Cloud: DevOps Security protect partial T1213.003 Code Repositories
Comments
This control can protect against repository misconfigurations.
References
devops_security Microsoft Defender for Cloud: DevOps Security protect partial T1552.007 Container API
Comments
This capability can protect against unsecured Container API credentials by ensuring credential security is part of the DevOps process.
References
devops_security Microsoft Defender for Cloud: DevOps Security protect partial T1557 Adversary-in-the-Middle
Comments
This capability can protect against adversary-in-the-middle attacks by ensuring encryption is baked into the DevOps process of applications.
References
devops_security Microsoft Defender for Cloud: DevOps Security protect partial T1564.009 Resource Forking
Comments
This control can provide DevOps guidance that applications should use the application bundle structure which leverages the /Resources folder location to mitigate resource forking.
References
devops_security Microsoft Defender for Cloud: DevOps Security protect partial T1593.003 Code Repositories
Comments
This control can protect code repositories by employing DevSecOps best practices.
References
devops_security Microsoft Defender for Cloud: DevOps Security protect significant T1189 Drive-by Compromise
Comments
This capability can protect against drive by compromise by ensuring application security is baked into DevOps.
References
devops_security Microsoft Defender for Cloud: DevOps Security protect significant T1190 Exploit Public-Facing Application
Comments
This capability can protect against exploitation of public facing applications by ensuring application security is baked into DevOps.
References
advanced_threat_protection_for_azure_sql_database Advanced Threat Protection for Azure SQL Database detect minimal T1078 Valid Accounts
Comments
This control only provides alerts for a set of Azure database offerings. Databases that have been deployed to endpoints within Azure or third-party databases deployed to Azure do not generate alerts for this control.
References
advanced_threat_protection_for_azure_sql_database Advanced Threat Protection for Azure SQL Database detect minimal T1110 Brute Force
Comments
This control covers the majority of sub-techniques for this parent technique and may cover both successful and unsuccessful brute force attacks. This control only provides alerts for a set of Azure database offerings. Databases that have been deployed to endpoints within Azure or third-party databases deployed to Azure do not generate alerts for this control.
References
advanced_threat_protection_for_azure_sql_database Advanced Threat Protection for Azure SQL Database detect minimal T1110.001 Password Guessing
Comments
This control may alert on repeated sign in attempts to the resource and successful logins from a suspicious location, IP address, or a user that does not commonly log in to the resource. Because this control is specific to Azure database offerings, the detection coverage is Minimal.
References
advanced_threat_protection_for_azure_sql_database Advanced Threat Protection for Azure SQL Database detect minimal T1110.003 Password Spraying
Comments
This control may alert on repeated sign in attempts to the resource and successful logins from a suspicious location, IP address, or a user that does not commonly log in to the resource. Because this control is specific to Azure database offerings, the detection coverage is Minimal.
References
advanced_threat_protection_for_azure_sql_database Advanced Threat Protection for Azure SQL Database detect minimal T1110.004 Credential Stuffing
Comments
This control may alert on repeated sign in attempts to the resource and successful logins from a suspicious location, IP address, or a user that does not commonly log in to the resource. Because this control is specific to Azure database offerings, the detection coverage is Minimal.
References
advanced_threat_protection_for_azure_sql_database Advanced Threat Protection for Azure SQL Database detect minimal T1190 Exploit Public-Facing Application
Comments
This control may alert on usage of faulty SQL statements. This generates an alert for a possible SQL injection by an application. Alerts may not be generated on usage of valid SQL statements by attackers for malicious purposes.
References
advanced_threat_protection_for_azure_sql_database Advanced Threat Protection for Azure SQL Database detect minimal T1213 Data from Information Repositories
Comments
This control may alert on extraction of a large amount of data to an unusual location. No documentation is provided on the logic for determining an unusual location.
References
advanced_threat_protection_for_azure_sql_database Advanced Threat Protection for Azure SQL Database detect partial T1078.004 Cloud Accounts
Comments
This control may alert on logon events that are suspicious. This includes logins from unusual locations, logins from suspicious IP addresses, and users that do not commonly access the resource. These alerts may limit the ability of an attacker to utilize a valid cloud account to access and manipulate Azure databases.
References
ai_security_recommendations Microsoft Defender for Cloud: AI Security Recommendations protect minimal T1040 Network Sniffing
Comments
This control's recommendations related to enforcing the usage of the secure versions of the HTTP and FTP protocols (HTTPS and FTPS) can lead to encrypting traffic which reduces the ability for an adversary to gather sensitive data via network sniffing. This also applies to the "Service Fabric clusters should have the ClusterProtectionLevel property set to EncryptAndSign", "Enforce SSL connection should be enabled for MySQL database servers", "Enforce SSL connection should be enabled for PostgreSQL database servers", "Only secure connections to your Redis Cache should be enabled" and "Secure transfer to storage accounts should be enabled" recommendations for their respective protocols. The "Usage of host networking and ports should be restricted" recommendation for Kubernetes clusters can also lead to mitigating this technique. These recommendations are limited to specific technologies on the platform and therefore its coverage score is Minimal.
References
ai_security_recommendations Microsoft Defender for Cloud: AI Security Recommendations protect minimal T1053 Scheduled Task/Job
Comments
This control's "Immutable (read-only) root filesystem should be enforced for containers" recommendation can mitigate a few of the sub-techniques of this technique. Due to its Minimal coverage, its score is assessed as Minimal.
References
ai_security_recommendations Microsoft Defender for Cloud: AI Security Recommendations protect minimal T1053.003 Cron
Comments
This control's "Immutable (read-only) root filesystem should be enforced for containers" recommendation can lead to preventing the addition or modification of config files in Kubernetes containers required to implement the behaviors described in these sub-techniques. Because this is a recommendation, and specific to Kubernetes containers, its score is assessed as Minimal.
References
ai_security_recommendations Microsoft Defender for Cloud: AI Security Recommendations protect minimal T1053.006 Systemd Timers
Comments
This control's "Immutable (read-only) root filesystem should be enforced for containers" recommendation can lead to preventing the addition or modification of config files in Kubernetes containers required to implement the behaviors described in these sub-techniques. Because this is a recommendation, and specific to Kubernetes containers, its score is assessed as Minimal.
References
ai_security_recommendations Microsoft Defender for Cloud: AI Security Recommendations protect minimal T1078 Valid Accounts
Comments
This control's recommendations about removing deprecated and external accounts with sensitive permissions from your subscription can lead to mitigating the Cloud Accounts sub-technique of this technique. Because this is a recommendation and has low coverage, it is assessed as Minimal.
References
ai_security_recommendations Microsoft Defender for Cloud: AI Security Recommendations protect minimal T1078.004 Cloud Accounts
Comments
This control's "Deprecated accounts should be removed from your subscription" and "Deprecated accounts with owner permissions should be removed from your subscription" recommendation can lead to removing accounts that should not be utilized from your subscriptions thereby denying adversaries the usage of these accounts to find ways to access your data without being noticed. Likewise, the recommendations related to External account permissions can also mitigate this sub-technique. Because these are recommendations and only limited to deprecated and external accounts, this is scored as Minimal.
References
ai_security_recommendations Microsoft Defender for Cloud: AI Security Recommendations protect minimal T1098 Account Manipulation
Comments
This control's "Immutable (read-only) root filesystem should be enforced for containers" recommendation can prevent modifying the ssh_authorized keys file. Because it is a recommendation and limited to only one sub-technique, its score is Minimal.
References
ai_security_recommendations Microsoft Defender for Cloud: AI Security Recommendations protect minimal T1098.004 SSH Authorized Keys
Comments
This control's "Immutable (read-only) root filesystem should be enforced for containers" recommendation can lead to preventing modification of a Kubernetes container's file system which can mitigate this technique. Because this recommendation is specific to Kubernetes containers, its score is Minimal.
References
ai_security_recommendations Microsoft Defender for Cloud: AI Security Recommendations protect minimal T1110 Brute Force
Comments
This control's "Authentication to Linux machines should require SSH keys" recommendation can lead to obviating SSH Brute Force password attacks. Because this is specific to Linux, the coverage score is Minimal leading to an overall Minimal score.
References
ai_security_recommendations Microsoft Defender for Cloud: AI Security Recommendations protect minimal T1110.001 Password Guessing
Comments
This control's "Authentication to Linux machines should require SSH keys" can obviate SSH Brute Force password attacks. Because this is specific to Linux, the coverage score is Minimal leading to an overall Minimal score.
References
ai_security_recommendations Microsoft Defender for Cloud: AI Security Recommendations protect minimal T1110.003 Password Spraying
Comments
This control's "Authentication to Linux machines should require SSH keys" can obviate SSH Brute Force password attacks. Because this is specific to Linux, the coverage score is Minimal leading to an overall Minimal score.
References
ai_security_recommendations Microsoft Defender for Cloud: AI Security Recommendations protect minimal T1110.004 Credential Stuffing
Comments
This control's "Authentication to Linux machines should require SSH keys" can obviate SSH Brute Force password attacks. Because this is specific to Linux, the coverage score is Minimal leading to an overall Minimal score.
References
ai_security_recommendations Microsoft Defender for Cloud: AI Security Recommendations protect minimal T1136 Create Account
Comments
This control's "Immutable (read-only) root filesystem should be enforced for containers" recommendation can mitigate a sub-technique of this technique. Due to its Minimal coverage, its score is assessed as Minimal.
References
ai_security_recommendations Microsoft Defender for Cloud: AI Security Recommendations protect minimal T1190 Exploit Public-Facing Application
Comments
This control's CORS related recommendations can help lead to hardened web applications. This can reduce the likelihood of an application being exploited to reveal sensitive data that can lead to the compromise of an environment. Likewise this control's recommendations related to keeping Java/PHP up to date for API/Function/Web apps can lead to hardening the public facing content that uses these runtimes. This control's recommendations related to disabling Public network access for Azure databases can lead to reducing the exposure of resources to the public Internet and thereby reduce the attack surface. These recommendations are limited to specific technologies (Java, PHP and CORS, SQL DBs) and therefore provide Minimal coverage leading to a Minimal score.
References
ai_security_recommendations Microsoft Defender for Cloud: AI Security Recommendations protect minimal T1222 File and Directory Permissions Modification
Comments
This control's "Immutable (read-only) root filesystem should be enforced for containers" recommendation can mitigate a sub-technique of this technique. Due to its Minimal coverage, its score is assessed as Minimal.
References
ai_security_recommendations Microsoft Defender for Cloud: AI Security Recommendations protect minimal T1222.002 Linux and Mac File and Directory Permissions Modification
Comments
This control's "Immutable (read-only) root filesystem should be enforced for containers" recommendation can lead to preventing the modification of the file system permissions in Kubernetes containers thereby mitigating this sub-technique. Because this is a recommendation, and specific to Kubernetes containers, its score is assessed as Minimal.
References
ai_security_recommendations Microsoft Defender for Cloud: AI Security Recommendations protect minimal T1499 Endpoint Denial of Service
Comments
This control provides recommendations for limiting the CPU and memory resources consumed by a container to minimize resource exhaustion attacks. Because this control only covers one sub-technique of this technique, its score is assessed as Minimal.
References
ai_security_recommendations Microsoft Defender for Cloud: AI Security Recommendations protect minimal T1505 Server Software Component
Comments
This control's "Immutable (read-only) root filesystem should be enforced for containers" recommendation can mitigate a sub-technique of this technique. Due to its Minimal coverage, its score is assessed as Minimal.
References
ai_security_recommendations Microsoft Defender for Cloud: AI Security Recommendations protect minimal T1505.003 Web Shell
Comments
This control's "Immutable (read-only) root filesystem should be enforced for containers" recommendation can lead to preventing modifications to the file system in Kubernetes containers which can mitigate adversaries installing web shells. Because this is a recommendation, and specific to Kubernetes containers, its score is assessed as Minimal.
References
ai_security_recommendations Microsoft Defender for Cloud: AI Security Recommendations protect minimal T1543 Create or Modify System Process
Comments
This control's "Immutable (read-only) root filesystem should be enforced for containers" recommendation can mitigate a sub-technique of this technique. Due to its Minimal coverage, its score is assessed as Minimal.
References
ai_security_recommendations Microsoft Defender for Cloud: AI Security Recommendations protect minimal T1543.002 Systemd Service
Comments
This control's "Immutable (read-only) root filesystem should be enforced for containers" recommendation can lead to preventing the addition or modification of systemd service files in Kubernetes containers thereby mitigating this sub-technique. Because this is a recommendation, and specific to Kubernetes containers, its score is assessed as Minimal.
References
ai_security_recommendations Microsoft Defender for Cloud: AI Security Recommendations protect minimal T1546 Event Triggered Execution
Comments
This control's "Immutable (read-only) root filesystem should be enforced for containers" recommendation can mitigate a sub-technique of this technique. Due to its Minimal coverage, its score is assessed as Minimal.
References
ai_security_recommendations Microsoft Defender for Cloud: AI Security Recommendations protect minimal T1546.004 Unix Shell Configuration Modification
Comments
This control's "Immutable (read-only) root filesystem should be enforced for containers" recommendation can lead to preventing the addition or modification of the file system in Kubernetes containers thereby mitigating this sub-technique. Because this is a recommendation, and specific to Kubernetes containers, its score is assessed as Minimal.
References
ai_security_recommendations Microsoft Defender for Cloud: AI Security Recommendations protect minimal T1556 Modify Authentication Process
Comments
This control's "Immutable (read-only) root filesystem should be enforced for containers" recommendation can mitigate a sub-techniques of this technique. Due to it being a recommendation and providing minimal coverage, its score is assessed as Minimal.
References
ai_security_recommendations Microsoft Defender for Cloud: AI Security Recommendations protect minimal T1556.003 Pluggable Authentication Modules
Comments
This control's "Immutable (read-only) root filesystem should be enforced for containers" recommendation can lead to preventing this sub-technique which often modifies Pluggable Authentication Modules (PAM) components in the file system. Because this is a recommendation, and specific to Kubernetes containers, its score is assessed as Minimal.
References
ai_security_recommendations Microsoft Defender for Cloud: AI Security Recommendations protect minimal T1564 Hide Artifacts
Comments
This control's "Immutable (read-only) root filesystem should be enforced for containers" recommendation can mitigate some of the sub-techniques of this technique. Due to its partial coverage and Minimal score assessed for its sub-techniques, its score is assessed as Minimal.
References
ai_security_recommendations Microsoft Defender for Cloud: AI Security Recommendations protect minimal T1564.001 Hidden Files and Directories
Comments
This control's "Immutable (read-only) root filesystem should be enforced for containers" recommendation can lead to preventing these sub-techniques which result in changes to the file system directly or indirectly during their execution. Because this is a recommendation, and specific to Kubernetes containers, its score is assessed as Minimal.
References
ai_security_recommendations Microsoft Defender for Cloud: AI Security Recommendations protect minimal T1564.005 Hidden File System
Comments
This control's "Immutable (read-only) root filesystem should be enforced for containers" recommendation can lead to preventing these sub-techniques which result in changes to the file system directly or indirectly during their execution. Because this is a recommendation, and specific to Kubernetes containers, its score is assessed as Minimal.
References
ai_security_recommendations Microsoft Defender for Cloud: AI Security Recommendations protect minimal T1564.006 Run Virtual Instance
Comments
This control's "Immutable (read-only) root filesystem should be enforced for containers" recommendation can lead to preventing these sub-techniques which result in changes to the file system directly or indirectly during their execution. Because this is a recommendation, and specific to Kubernetes containers, its score is assessed as Minimal.
References
ai_security_recommendations Microsoft Defender for Cloud: AI Security Recommendations protect minimal T1565 Data Manipulation
Comments
This control's "Immutable (read-only) root filesystem should be enforced for containers" recommendation can lead to mitigating a sub-technique of this technique by preventing modification of the local filesystem. Due to it being a recommendation and mitigating only one sub-technique, its score is assessed as Minimal.
References
ai_security_recommendations Microsoft Defender for Cloud: AI Security Recommendations protect partial T1068 Exploitation for Privilege Escalation
Comments
This control's "Container with privilege escalation should be avoided", "Least privileged Linux capabilities should be enforced for containers", "Privileged containers should be avoided", "Running containers as root user should be avoided" and "Containers sharing sensitive host namespaces should be avoided" recommendations can make it difficult for adversaries to advance their operation through exploitation of undiscovered or unpatched vulnerabilities. Because this is a recommendation, the assessed score has been capped at Partial.
References
ai_security_recommendations Microsoft Defender for Cloud: AI Security Recommendations protect partial T1074 Data Staged
Comments
This control's "Immutable (read-only) root filesystem should be enforced for containers" recommendation can lead to mitigating a sub-technique of this technique by preventing modification of the local filesystem. Due to it being a recommendation, its score is capped at Partial.
References
ai_security_recommendations Microsoft Defender for Cloud: AI Security Recommendations protect partial T1074.001 Local Data Staging
Comments
This control's "Immutable (read-only) root filesystem should be enforced for containers" recommendation can lead to mitigating this sub-technique by preventing modification of the local filesystem. Due to it being a recommendation, its score is capped at Partial.
References
ai_security_recommendations Microsoft Defender for Cloud: AI Security Recommendations protect partial T1080 Taint Shared Content
Comments
This control's "Immutable (read-only) root filesystem should be enforced for containers" and "Usage of pod HostPath volume mounts should be restricted to a known list to restrict node access from compromised containers" recommendations can mitigate this technique. Due to it being a recommendation, its score is capped at Partial.
References
ai_security_recommendations Microsoft Defender for Cloud: AI Security Recommendations protect partial T1133 External Remote Services
Comments
This control's "Management ports should be closed on your virtual machines" recommendation can lead to reducing the attack surface of your Azure VMs by recommending closing management ports. Because this is a recommendation, its score is limited to Partial.
References
ai_security_recommendations Microsoft Defender for Cloud: AI Security Recommendations protect partial T1136.001 Local Account
Comments
This control's "Immutable (read-only) root filesystem should be enforced for containers" recommendation can lead to preventing system files from being modified in Kubernetes containers thereby mitigating this sub-technique since adding an account (on Linux) requires modifying system files. Because this is a recommendation, its score is capped at Partial.
References
ai_security_recommendations Microsoft Defender for Cloud: AI Security Recommendations protect partial T1485 Data Destruction
Comments
This control's "Immutable (read-only) root filesystem should be enforced for containers" recommendation can lead to mitigating this technique by preventing modification of the local filesystem. Due to it being a recommendation, its score is capped at Partial.
References
ai_security_recommendations Microsoft Defender for Cloud: AI Security Recommendations protect partial T1486 Data Encrypted for Impact
Comments
This control's "Immutable (read-only) root filesystem should be enforced for containers" recommendation can lead to mitigating this technique by preventing modification of the local filesystem. Due to it being a recommendation, its score is capped at Partial.
References
ai_security_recommendations Microsoft Defender for Cloud: AI Security Recommendations protect partial T1499.001 OS Exhaustion Flood
Comments
This control's "Container CPU and memory limits should be enforced" recommendation can lead to preventing resource exhaustion attacks by recommending enforcing limits for containers to ensure the runtime prevents the container from using more than the configured resource limit. Because this is a recommendation, its score is capped at Partial.
References
ai_security_recommendations Microsoft Defender for Cloud: AI Security Recommendations protect partial T1525 Implant Internal Image
Comments
This control's "Container images should be deployed from trusted registries only", "Container registries should not allow unrestricted network access" and "Container registries should use private link" recommendations can lead to ensuring that container images are only loaded from trusted registries thereby mitigating this technique.
References
ai_security_recommendations Microsoft Defender for Cloud: AI Security Recommendations protect partial T1542 Pre-OS Boot
Comments
This control provides recommendations for enabling Secure Boot of Linux VMs that can mitigate a few of the sub-techniques of this technique. Because this is a recommendation and only limited to a few sub-techniques of this technique, its assessed score is Partial.
References
ai_security_recommendations Microsoft Defender for Cloud: AI Security Recommendations protect partial T1542.001 System Firmware
Comments
This control's "Secure Boot should be enabled on your Linux virtual machine" and "Virtual machines should be attested for boot integrity health" recommendations can lead to enabling secure boot on Linux VMs to mitigate these sub-techniques. Because this recommendation is specific to Linux VM and is a recommendation, its score is capped at Partial.
References
ai_security_recommendations Microsoft Defender for Cloud: AI Security Recommendations protect partial T1542.003 Bootkit
Comments
This control's "Secure Boot should be enabled on your Linux virtual machine" and "Virtual machines should be attested for boot integrity health" recommendations can lead to enabling secure boot on Linux VMs to mitigate these sub-techniques. Because this recommendation is specific to Linux VM and is a recommendation, its score is capped at Partial.
References
ai_security_recommendations Microsoft Defender for Cloud: AI Security Recommendations protect partial T1554 Compromise Host Software Binary
Comments
This control's "Immutable (read-only) root filesystem should be enforced for containers" recommendation can lead to preventing modification of binaries in Kubernetes containers thereby mitigating this technique. Because this is a recommendation, its score is capped at Partial.
References
ai_security_recommendations Microsoft Defender for Cloud: AI Security Recommendations protect partial T1562.010 Downgrade Attack
Comments
This control may prevent downgrade attacks by enforcing use of HTTPS protocol.
References
ai_security_recommendations Microsoft Defender for Cloud: AI Security Recommendations protect partial T1565.001 Stored Data Manipulation
Comments
This control's "Immutable (read-only) root filesystem should be enforced for containers" recommendation can lead to mitigating this sub-technique by preventing modification of the local filesystem. Likewise this control's recommendations related to using customer-managed keys to encrypt data at rest and enabling transparent data encryption for SQL databases can mitigate this sub-technique by reducing an adversary's ability to perform tailored data modifications. Due to it being a recommendation, its score is capped at Partial.
References
ai_threat_protection Microsoft Defender for Cloud: AI Threat Protection detect partial T1090.003 Multi-hop Proxy
Comments
This capability can detect (alert: AI.Azure_AccessFromAnonymizedIP) when an AI is accessed from a Tor network IP.
References
ai_threat_protection Microsoft Defender for Cloud: AI Threat Protection detect partial T1491 Defacement
Comments
This capability can alert (using AI.Azure_MaliciousUrl.ModelResponse) when an AI model has shared a malicious URL with a user.
References
ai_threat_protection Microsoft Defender for Cloud: AI Threat Protection detect partial T1552 Unsecured Credentials
Comments
This control provides detection of unsecured credentials being divulged by AI model responses.
References
ai_threat_protection Microsoft Defender for Cloud: AI Threat Protection detect significant T1496.004 Cloud Service Hijacking
Comments
This capability has multiple alerts (AI.Azure_DOWDuplicateRequests, AI.Azure_DOWVolumeAnomaly) that can detect abuse of an AI for financial impact on an organization.
References
alerts_for_azure_cosmos_db Alerts for Azure Cosmos DB detect minimal T1078 Valid Accounts
Comments
This control's detection is specific to the Cosmos DB and therefore provides minimal overall detection coverage for Valid Accounts resulting in a Minimal score. A relevant alert is "Access from an unusual location to a Cosmos DB account".
References
alerts_for_azure_cosmos_db Alerts for Azure Cosmos DB detect minimal T1078.004 Cloud Accounts
Comments
This control triggers an alert when there is a change in the access pattern to an Azure Cosmos account based on access from an unusual geographical location. False positives are fairly likely and misuse from a typical location is not covered, so score is Minimal. Relevant alert is "Access from an unusual location to a Cosmos DB account"
References
alerts_for_azure_cosmos_db Alerts for Azure Cosmos DB detect minimal T1213 Data from Information Repositories
Comments
This control triggers an alert when an unusually large amount of data is extracted from/by an account compared to recent activity. False positives are fairly likely and extraction in quantities below the control's threshold is not detected, so score is Minimal. Neither of the sub-techniques are relevant in this context, since they are repository-specific. Relevant alert is "Unusual amount of data extracted from a Cosmos DB account"
References
alerts_for_azure_network_layer Alerts for Azure Network Layer detect minimal T1071 Application Layer Protocol
Comments
This control can identify connections to known malicious sites. Scored minimal since the malicious sites must be on block list.
References
alerts_for_azure_network_layer Alerts for Azure Network Layer detect minimal T1071.001 Web Protocols
Comments
This control can identify connections to known malicious sites. Scored minimal since the malicious sites must be on a block list.
References
alerts_for_azure_network_layer Alerts for Azure Network Layer detect minimal T1071.002 File Transfer Protocols
Comments
This control can identify connections to known malicious sites. Scored minimal since the malicious sites must be on a block list.
References
alerts_for_azure_network_layer Alerts for Azure Network Layer detect minimal T1071.003 Mail Protocols
Comments
This control can identify connections to known malicious sites. Scored minimal since the malicious sites must be on a block list.
References
alerts_for_azure_network_layer Alerts for Azure Network Layer detect minimal T1071.004 DNS
Comments
This control can identify connections to known malicious sites. Scored minimal since the malicious sites must be on a block list.
References
alerts_for_azure_network_layer Alerts for Azure Network Layer detect partial T1071.005 Publish/Subscribe Protocols
Comments
This control can identify connections to known malicious sites.
References
alerts_for_azure_network_layer Alerts for Azure Network Layer detect partial T1133 External Remote Services
Comments
This control can potentially identify malicious use of remote services via alerts such as "Suspicious incoming RDP network activity" and "Suspicious Incoming SSH network activity".
References
alerts_for_azure_network_layer Alerts for Azure Network Layer detect significant T1110 Brute Force
Comments
This control can identify multiple connection attempts by external IPs, which may be indicative of Brute Force attempts, though not T1110.002, which is performed offline. It provides significant detection from most of this technique's sub-techniques and procedure examples resulting in an overall score of Significant.
References
alerts_for_azure_network_layer Alerts for Azure Network Layer detect significant T1110.001 Password Guessing
Comments
This control can identify multiple connection attempts by external IPs, which may be indicative of Brute Force attempts, though not T1110.002, which is performed offline.
References
alerts_for_azure_network_layer Alerts for Azure Network Layer detect significant T1110.003 Password Spraying
Comments
This control can identify multiple connection attempts by external IPs, which may be indicative of Brute Force attempts, though not T1110.002, which is performed offline.
References
alerts_for_azure_network_layer Alerts for Azure Network Layer detect significant T1110.004 Credential Stuffing
Comments
This control can identify multiple connection attempts by external IPs, which may be indicative of Brute Force attempts, though not T1110.002, which is performed offline.
References
alerts_for_dns Alerts for DNS detect minimal T1048 Exfiltration Over Alternative Protocol
Comments
Can detect anomalous use of DNS. Because this detection is specific to DNS, its coverage score is Minimal resulting in an overall Minimal score.
References
alerts_for_dns Alerts for DNS detect minimal T1071 Application Layer Protocol
Comments
Can detect potential DNS protocol misuse/anomalies. Technique coverage is restricted to DNS and therefore results in a Minimal score.
References
alerts_for_dns Alerts for DNS detect minimal T1090 Proxy
Comments
Can detect DNS activity to anonymity networks e.g. TOR. Because this detection is specific to DNS, its coverage score is Minimal resulting in an overall Minimal score.
References
alerts_for_dns Alerts for DNS detect minimal T1572 Protocol Tunneling
Comments
Can identify protocol misuse/anomalies in DNS. Because this detection is specific to DNS, its coverage score is Minimal resulting in an overall Minimal score.
References
alerts_for_dns Alerts for DNS detect partial T1568 Dynamic Resolution
Comments
Can identify "random" DNS occurences which can be associated with domain generation algorithm or Fast Flux sub-techniques. Partial for coverage and accuracy (potential for false positive/benign).
References
alerts_for_dns Alerts for DNS detect partial T1568.001 Fast Flux DNS
Comments
Detects "random" DNS name occurences, potentially indicative of Fast Flux or DGA. Potential false positives from benign "random" DNS names.
References
alerts_for_dns Alerts for DNS detect partial T1568.002 Domain Generation Algorithms
Comments
Detects "random" DNS name occurences, potentially indicative of Fast Flux or DGA. Potential false positives from benign "random" DNS names.
References
alerts_for_dns Alerts for DNS detect significant T1071.004 DNS
Comments
Can alert on anomalies and misuse of the DNS protocol.
References
alerts_for_linux_machines Alerts for Linux Machines detect minimal T1021 Remote Services
Comments
This control is only relevant for Linux environments. Among the sub-techinques that are relevant for Linux, this control may only alert on SSH.
References
alerts_for_linux_machines Alerts for Linux Machines detect minimal T1027 Obfuscated Files or Information
Comments
This control only provides detection coverage for the Compile After Delivery sub-technique while not providing detection for all other sub-techniques relevant to the Linux platform or most of its procedure examples. As a result of this minimal coverage, the overall score is assessed as Minimal.
References
alerts_for_linux_machines Alerts for Linux Machines detect minimal T1027.004 Compile After Delivery
Comments
This control may alert on suspicious compilation. No documentation is provided on the logic for determining a suspicious compilation event.
References
alerts_for_linux_machines Alerts for Linux Machines detect minimal T1059 Command and Scripting Interpreter
Comments
This control may alert on suspicious Unix shell and PHP execution. Mismatched script extensions may also generate alerts of suspicious activity. Only one of the technique's sub-techniques is covered, resulting in a score of Minimal.
References
alerts_for_linux_machines Alerts for Linux Machines detect minimal T1068 Exploitation for Privilege Escalation
Comments
This control may alert on suspicious arguments used to exploit Xorg vulnerabilities for privilege escalation.
References
alerts_for_linux_machines Alerts for Linux Machines detect minimal T1098 Account Manipulation
Comments
This control provides partial detection for only one of this technique's sub-techniques and does not cover most of its procedure examples, resulting in a score of Minimal.
References
alerts_for_linux_machines Alerts for Linux Machines detect minimal T1136 Create Account
Comments
This control is only relevant for Linux endpoints, and it provides partial coverage for the only sub-technique relevant on Linux endpoints, Local Account.
References
alerts_for_linux_machines Alerts for Linux Machines detect minimal T1505 Server Software Component
Comments
This control provides coverage for the only sub-technique this control is relevant for, Web Shell, but that coverage is Minimal.
References
alerts_for_linux_machines Alerts for Linux Machines detect minimal T1505.003 Web Shell
Comments
This control may alert on usage of web shells. No documentation is provided on logic for this detection.
References
alerts_for_linux_machines Alerts for Linux Machines detect minimal T1547 Boot or Logon Autostart Execution
Comments
This control is only relevant for Linux endpoint machines and the only sub-technique relevant for Linux is Kernel Modules and Extensions.
References
alerts_for_linux_machines Alerts for Linux Machines detect minimal T1562 Impair Defenses
Comments
This control only provides coverage for a miniority of the sub-techniques under this technique and provides no coverage for other relevant sub-techniques, such as Impair Command History Logging or Disable or Modify Tools, resulting in a score of Minimal.
References
alerts_for_linux_machines Alerts for Linux Machines detect minimal T1562.006 Indicator Blocking
Comments
This control may alert on activity which disables auditd logging on Linux endpoints. The auditd package may not be the only logging system being utilized and this control may not alert on activity that disables other logging software.
References
alerts_for_linux_machines Alerts for Linux Machines detect minimal T1564 Hide Artifacts
Comments
This control only provides coverage for a minority of this technique's relevant sub-techniques, resulting in a score of Minimal.
References
alerts_for_linux_machines Alerts for Linux Machines detect minimal T1564.001 Hidden Files and Directories
Comments
This control may alert on the execution of hidden files. Since this control is only triggered on execution, it may not fire on a variety of hidden files or directories that are being utilized for malicious purposes.
References
alerts_for_linux_machines Alerts for Linux Machines detect partial T1003 OS Credential Dumping
Comments
This control is only relevant for Linux environments, and provides partial coverage for one of the technique's two Linux-relevant sub-techniques.
References
alerts_for_linux_machines Alerts for Linux Machines detect partial T1003.008 /etc/passwd and /etc/shadow
Comments
This control may alert on suspicious access to encrypted user passwords. The documentation does not reference "/etc/passwd" and "/etc/shadow" directly nor does it describe the logic in determining suspicious access.
References
alerts_for_linux_machines Alerts for Linux Machines detect partial T1021.004 SSH
Comments
This control may alerts on SSH brute force attempts, addition of new SSH keys, and usage of a SSH server within a container. Alerts may not be generated by usage of existing SSH keys by malicious actors for lateral movement.
References
alerts_for_linux_machines Alerts for Linux Machines detect partial T1021.007 Cloud Services
Comments
This control can detect abuse of remote services.
References
alerts_for_linux_machines Alerts for Linux Machines detect partial T1021.008 Direct Cloud VM Connections
Comments
This control can detect direct cloud VM connections.
References
alerts_for_linux_machines Alerts for Linux Machines detect partial T1027.008 Stripped Payloads
Comments
This control can detect stripped payloads.
References
alerts_for_linux_machines Alerts for Linux Machines detect partial T1027.009 Embedded Payloads
Comments
This control can detect embedded payloads.
References
alerts_for_linux_machines Alerts for Linux Machines detect partial T1027.010 Command Obfuscation
Comments
This control can detect command obsfucation attacks.
References
alerts_for_linux_machines Alerts for Linux Machines detect partial T1027.013 Encrypted/Encoded File
Comments
This control can detect obsfucation via encrypted/encoded files.
References
alerts_for_linux_machines Alerts for Linux Machines detect partial T1027.014 Polymorphic Code
Comments
This control can detect obsfucation via polymorphic code.
References
alerts_for_linux_machines Alerts for Linux Machines detect partial T1036.008 Masquerade File Type
Comments
This control can detect if files are created or edited where the header and extension do not match.
References
alerts_for_linux_machines Alerts for Linux Machines detect partial T1059.004 Unix Shell
Comments
This control may alert on suspicious commandline activity. Alerts may be generated on possible detection of shellcode usage on the commandline, based on arguments, location, user, etc.
References
alerts_for_linux_machines Alerts for Linux Machines detect partial T1070 Indicator Removal
Comments
This control is only relevant for Linux environments and provides partial coverage for multiple Linux-relevant sub-techniques.
References
alerts_for_linux_machines Alerts for Linux Machines detect partial T1070.002 Clear Linux or Mac System Logs
Comments
This control may alert on possible log tampering activity, including deletion of logs. No documentation is provided on which log sources are targeted by this control.
References
alerts_for_linux_machines Alerts for Linux Machines detect partial T1070.003 Clear Command History
Comments
This control may alert on clearing of the command history file. Documentation is not provided on the logic for detecting when the command history is cleared but on Linux machines the location of the history file tends not to change from the default.
References
alerts_for_linux_machines Alerts for Linux Machines detect partial T1098.004 SSH Authorized Keys
Comments
This control may alert on addition of new SSH keys to the authorized key file and unusual process access of the authorized key file.
References
alerts_for_linux_machines Alerts for Linux Machines detect partial T1110 Brute Force
Comments
This control provides partial coverage for most of this technique's sub-techniques and procedures.
References
alerts_for_linux_machines Alerts for Linux Machines detect partial T1110.001 Password Guessing
Comments
This control may alert on multiple successful and failed brute force attempts against SSH. There are no alerts for other methods of logging into Linux machines.
References
alerts_for_linux_machines Alerts for Linux Machines detect partial T1110.003 Password Spraying
Comments
This control may alert on multiple successful and failed brute force attempts against SSH. There are no alerts for other methods of logging into Linux machines.
References
alerts_for_linux_machines Alerts for Linux Machines detect partial T1110.004 Credential Stuffing
Comments
This control may alert on multiple successful and failed brute force attempts against SSH. There are no alerts for other methods of logging into Linux machines.
References
alerts_for_linux_machines Alerts for Linux Machines detect partial T1113 Screen Capture
Comments
This control may alert on usage of a screenshot tool. Documentation is not provided on the logic for determining a screenshot tool.
References
alerts_for_linux_machines Alerts for Linux Machines detect partial T1136.001 Local Account
Comments
This control may alert on usage of the useradd command to create new users and the creation of local user accounts with suspicious similarity to other account names.
References
alerts_for_linux_machines Alerts for Linux Machines detect partial T1525 Implant Internal Image
Comments
This control may alert on suspicious container images running mining software or SSH servers. Privileged Docker containers and privileged commands running within containers may also be detected. These alerts are only generated on containers in Linux endpoint machines and not for containers running from Azure Docker deployment.
References
alerts_for_linux_machines Alerts for Linux Machines detect partial T1547.006 Kernel Modules and Extensions
Comments
This control may alert on a suspicious shared object file being loaded as a kernel module. No documentation is provided on the logic but kernel module loading is a relatively rare event and can only be done with a small set of commands.
References
alerts_for_linux_machines Alerts for Linux Machines detect partial T1547.013 XDG Autostart Entries
Comments
This control can detect command execution associated with xdg modification.
References
alerts_for_linux_machines Alerts for Linux Machines detect partial T1555.002 Securityd Memory
Comments
This control can detect command execution associated with this technique.
References
alerts_for_linux_machines Alerts for Linux Machines detect partial T1555.003 Credentials from Web Browsers
Comments
This control can detect command execution associated with this technique.
References
alerts_for_linux_machines Alerts for Linux Machines detect partial T1555.005 Password Managers
Comments
This control can detect command execution associated with this technique.
References
alerts_for_linux_machines Alerts for Linux Machines detect partial T1562.004 Disable or Modify System Firewall
Comments
This control may alert on manipulation of the on-host firewall. Firewall rules should not be changed often in a standard environment and such an event can provide a high fidelity alert.
References
alerts_for_linux_machines Alerts for Linux Machines detect partial T1562.012 Disable or Modify Linux Audit System
Comments
This control may alert on activity which disables auditd logging on Linux endpoints. The auditd package may not be the only logging system being utilized and this control may not alert on activity that disables other logging software.
References
alerts_for_linux_machines Alerts for Linux Machines detect partial T1564.006 Run Virtual Instance
Comments
This control may alert on containers using privileged commands, running SSH servers, or running mining software.
References
alerts_for_windows_machines Alerts for Windows Machines detect minimal T1003 OS Credential Dumping
Comments
This control provides detection for a minority of this technique's sub-techniques and procedure examples resulting in a Minimal Coverage score and consequently an overall score of Minimal. Furthermore, its detection capability relies on detecting the usage of specific tools (e.g. sqldumper.exe) further adversely impacting its score.
References
alerts_for_windows_machines Alerts for Windows Machines detect minimal T1003.004 LSA Secrets
Comments
This control may detect when the registry is modified to allow logon credentials to be stored in clear text in LSA memory. This change allows a threat actor to gain plain text credentials from the host machine. The following alerts may be generated: "Detected enabling of the WDigest UseLogonCredential registry key".
References
alerts_for_windows_machines Alerts for Windows Machines detect minimal T1027 Obfuscated Files or Information
Comments
This control may detect usage of VBScript.Encode and base-64 encoding to obfuscate malicious commands and scripts. The following alerts may be generated: "Detected suspicious execution of VBScript.Encode command", "Detected encoded executable in command line data".
References
alerts_for_windows_machines Alerts for Windows Machines detect minimal T1048 Exfiltration Over Alternative Protocol
Comments
This control's detection is specific to a minority of this technique's sub-techniques and procedure examples resulting in a Minimal Coverage score and consequently an overall score of Minimal.
References
alerts_for_windows_machines Alerts for Windows Machines detect minimal T1048.001 Exfiltration Over Symmetric Encrypted Non-C2 Protocol
Comments
This control may detect suspicious use of the Telegram tool for transferring malicious binaries across hosts. The following alerts may be generated: "Detected potentially suspicious use of Telegram tool".
References
alerts_for_windows_machines Alerts for Windows Machines detect minimal T1059 Command and Scripting Interpreter
Comments
This control's detection is specific to a minority of this technique's sub-techniques resulting in a Minimal Coverage score and consequently an overall score of Minimal.
References
alerts_for_windows_machines Alerts for Windows Machines detect minimal T1070 Indicator Removal
Comments
This control's detection is specific to a minority of this technique's sub-techniques and procedure examples resulting in a Minimal Coverage score and consequently an overall score of Minimal.
References
alerts_for_windows_machines Alerts for Windows Machines detect minimal T1082 System Information Discovery
Comments
This control may detect local reconnaissance activity specific to using the systeminfo commands. The following alerts may be generated: "Detected possible local reconnaissance activity".
References
alerts_for_windows_machines Alerts for Windows Machines detect minimal T1136 Create Account
Comments
This control's detection is specific to a minority of this technique's sub-techniques resulting in a Minimal Coverage score and consequently an overall score of Minimal.
References
alerts_for_windows_machines Alerts for Windows Machines detect minimal T1202 Indirect Command Execution
Comments
This control may detect suspicious use of Pcalua.exe to launch executable code. There are other methods of indirect command execution that this control may not detect. The following alerts may be generated: "Detected suspicious use of Pcalua.exe to launch executable code".
References
alerts_for_windows_machines Alerts for Windows Machines detect minimal T1218 System Binary Proxy Execution
Comments
This control's detection is specific to a minority of this technique's sub-techniques resulting in a Minimal Coverage score and consequently an overall score of Minimal.
References
alerts_for_windows_machines Alerts for Windows Machines detect minimal T1222 File and Directory Permissions Modification
Comments
This control provides minimal detection for some of this technique's sub-techniques resulting in an overall score of Minimal.
References
alerts_for_windows_machines Alerts for Windows Machines detect minimal T1222.001 Windows File and Directory Permissions Modification
Comments
This control may detect the usage of cacls.exe to modify file and directory permissions. The following alerts may be generated: "Detected suspicious use of Cacls to lower the security state of the system".
References
alerts_for_windows_machines Alerts for Windows Machines detect minimal T1489 Service Stop
Comments
This control may detect when critical services have been disabled through the usage of specifically net.exe. The following alerts may be generated: "Detected the disabling of critical services".
References
alerts_for_windows_machines Alerts for Windows Machines detect minimal T1543 Create or Modify System Process
Comments
This control's detection is specific to a minority of this technique's sub-techniques resulting in a Minimal Coverage score and consequently an overall score of Minimal.
References
alerts_for_windows_machines Alerts for Windows Machines detect minimal T1546 Event Triggered Execution
Comments
This control's detection is specific to a minority of this technique's sub-techniques resulting in a Minimal Coverage score and consequently an overall score of Minimal.
References
alerts_for_windows_machines Alerts for Windows Machines detect minimal T1547 Boot or Logon Autostart Execution
Comments
This control's detection is specific to a minority of this technique's sub-techniques resulting in a Minimal Coverage score and consequently an overall score of Minimal.
References
alerts_for_windows_machines Alerts for Windows Machines detect minimal T1548 Abuse Elevation Control Mechanism
Comments
The only sub-technique scored (Bypass User Account Control) is the only one relevant to Windows.
References
alerts_for_windows_machines Alerts for Windows Machines detect minimal T1548.002 Bypass User Account Control
Comments
This control may detect when User Account Control is bypassed by manipulating the Windows registry. There may be other methods to Bypass User Account Control which limits the score to Minimal. The following alerts may be generated: "Detected change to a registry key that can be abused to bypass UAC"
References
alerts_for_windows_machines Alerts for Windows Machines detect minimal T1558 Steal or Forge Kerberos Tickets
Comments
This control's detection is specific to a minority of this technique's sub-techniques resulting in a Minimal Coverage score and consequently an overall score of Minimal.
References
alerts_for_windows_machines Alerts for Windows Machines detect minimal T1562 Impair Defenses
Comments
This control's detection is specific to a minority of this technique's sub-techniques resulting in a Minimal Coverage score and consequently an overall score of Minimal.
References
alerts_for_windows_machines Alerts for Windows Machines detect minimal T1564 Hide Artifacts
Comments
This control's detection is specific to a minority of this technique's sub-techniques resulting in a Minimal Coverage score and consequently an overall score of Minimal.
References
alerts_for_windows_machines Alerts for Windows Machines detect partial T1027.008 Stripped Payloads
alerts_for_windows_machines Alerts for Windows Machines detect partial T1027.009 Embedded Payloads
alerts_for_windows_machines Alerts for Windows Machines detect partial T1027.010 Command Obfuscation
alerts_for_windows_machines Alerts for Windows Machines detect partial T1027.013 Encrypted/Encoded File
alerts_for_windows_machines Alerts for Windows Machines detect partial T1027.014 Polymorphic Code
alerts_for_windows_machines Alerts for Windows Machines detect partial T1036.008 Masquerade File Type
Comments
This control can detect if commands are executed that are otherwise non-executable file types.
References
alerts_for_windows_machines Alerts for Windows Machines detect partial T1053.007 Container Orchestration Job
alerts_for_windows_machines Alerts for Windows Machines detect partial T1055 Process Injection
Comments
This control's Fileless Attack Detection covers all relevant sub-techniques. Detection is periodic at an unknown rate.
References
alerts_for_windows_machines Alerts for Windows Machines detect partial T1055.001 Dynamic-link Library Injection
Comments
Injection attacks are specifically cited as a detection focus for Fileless Attack Detection, which is part of this control, with even more specific references to Process Hollowing, executable image injection, and threads started in a dynamically allocated code segment. Detection is periodic at an unknown rate. The following alerts may be generated: "Fileless attack technique detected", "Fileless attack behavior detected", "Fileless attack toolkit detected", "Suspicious SVCHOST process executed".
References
alerts_for_windows_machines Alerts for Windows Machines detect partial T1055.002 Portable Executable Injection
Comments
Injection attacks are specifically cited as a detection focus for Fileless Attack Detection, which is part of this control, with even more specific references to Process Hollowing, executable image injection, and threads started in a dynamically allocated code segment. Detection is periodic at an unknown rate. The following alerts may be generated: "Fileless attack technique detected", "Fileless attack behavior detected", "Fileless attack toolkit detected", "Suspicious SVCHOST process executed".
References
alerts_for_windows_machines Alerts for Windows Machines detect partial T1055.003 Thread Execution Hijacking
Comments
Injection attacks are specifically cited as a detection focus for Fileless Attack Detection, which is part of this control, with even more specific references to Process Hollowing, executable image injection, and threads started in a dynamically allocated code segment. Detection is periodic at an unknown rate. The following alerts may be generated: "Fileless attack technique detected", "Fileless attack behavior detected", "Fileless attack toolkit detected", "Suspicious SVCHOST process executed".
References
alerts_for_windows_machines Alerts for Windows Machines detect partial T1055.004 Asynchronous Procedure Call
Comments
Injection attacks are specifically cited as a detection focus for Fileless Attack Detection, which is part of this control, with even more specific references to Process Hollowing, executable image injection, and threads started in a dynamically allocated code segment. Detection is periodic at an unknown rate. The following alerts may be generated: "Fileless attack technique detected", "Fileless attack behavior detected", "Fileless attack toolkit detected", "Suspicious SVCHOST process executed".
References
alerts_for_windows_machines Alerts for Windows Machines detect partial T1055.005 Thread Local Storage
Comments
Injection attacks are specifically cited as a detection focus for Fileless Attack Detection, which is part of this control, with even more specific references to Process Hollowing, executable image injection, and threads started in a dynamically allocated code segment. Detection is periodic at an unknown rate. The following alerts may be generated: "Fileless attack technique detected", "Fileless attack behavior detected", "Fileless attack toolkit detected", "Suspicious SVCHOST process executed".
References
alerts_for_windows_machines Alerts for Windows Machines detect partial T1055.011 Extra Window Memory Injection
Comments
Injection attacks are specifically cited as a detection focus for Fileless Attack Detection, which is part of this control, with even more specific references to Process Hollowing, executable image injection, and threads started in a dynamically allocated code segment. Detection is periodic at an unknown rate. The following alerts may be generated: "Fileless attack technique detected", "Fileless attack behavior detected", "Fileless attack toolkit detected", "Suspicious SVCHOST process executed".
References
alerts_for_windows_machines Alerts for Windows Machines detect partial T1055.012 Process Hollowing
Comments
Injection attacks are specifically cited as a detection focus for Fileless Attack Detection, which is part of this control, with even more specific references to Process Hollowing, executable image injection, and threads started in a dynamically allocated code segment. Detection is periodic at an unknown rate. The following alerts may be generated: "Fileless attack technique detected", "Fileless attack behavior detected", "Fileless attack toolkit detected", "Suspicious SVCHOST process executed".
References
alerts_for_windows_machines Alerts for Windows Machines detect partial T1055.013 Process Doppelgänging
Comments
Injection attacks are specifically cited as a detection focus for Fileless Attack Detection, which is part of this control, with even more specific references to Process Hollowing, executable image injection, and threads started in a dynamically allocated code segment. Detection is periodic at an unknown rate. The following alerts may be generated: "Fileless attack technique detected", "Fileless attack behavior detected", "Fileless attack toolkit detected", "Suspicious SVCHOST process executed".
References
alerts_for_windows_machines Alerts for Windows Machines detect partial T1059.009 Cloud API
alerts_for_windows_machines Alerts for Windows Machines detect partial T1059.010 AutoHotKey & AutoIT
alerts_for_windows_machines Alerts for Windows Machines detect partial T1059.011 Lua
alerts_for_windows_machines Alerts for Windows Machines detect partial T1068 Exploitation for Privilege Escalation
Comments
This control's Fileless Attack Detection identifies shellcode executing within process memory, including shellcode executed as a payload in the exploitation of a software vulnerability. Detection is periodic at an unknown rate. The following alerts may be generated: "Fileless attack technique detected", "Fileless attack behavior detected", "Fileless attack toolkit detected", "Suspicious SVCHOST process executed".
References
alerts_for_windows_machines Alerts for Windows Machines detect partial T1070.001 Clear Windows Event Logs
Comments
This control may detect when an event log has been cleared or IIS logs have been deleted. The following alerts may be generated: "Detected actions indicative of disabling and deleting IIS log files", "An event log was cleared".
References
alerts_for_windows_machines Alerts for Windows Machines detect partial T1070.004 File Deletion
Comments
This control may detect suspicious file cleanup commands and shadow copy deletion activity. The following alerts may be generated: "Detected suspicious file cleanup commands", "Suspicious Volume Shadow Copy Activity".
References
alerts_for_windows_machines Alerts for Windows Machines detect partial T1070.007 Clear Network Connection History and Configurations
alerts_for_windows_machines Alerts for Windows Machines detect partial T1070.008 Clear Mailbox Data
alerts_for_windows_machines Alerts for Windows Machines detect partial T1070.009 Clear Persistence
alerts_for_windows_machines Alerts for Windows Machines detect partial T1078 Valid Accounts
Comments
This control is able to detect some of this technique's sub-techniques resulting in a Partial Coverage score and consequently an overall score of Partial.
References
alerts_for_windows_machines Alerts for Windows Machines detect partial T1078.001 Default Accounts
Comments
This control may detect suspicious activity from existing Windows accounts and logons from suspicious IP addresses. The following alerts may be generated: "A logon from a malicious IP has been detected", "A logon from a malicious IP has been detected. [seen multiple times]".
References
alerts_for_windows_machines Alerts for Windows Machines detect partial T1078.003 Local Accounts
Comments
This control may detect suspicious activity from existing Windows accounts and logons from suspicious IP addresses. The following alerts may be generated: "A logon from a malicious IP has been detected", "A logon from a malicious IP has been detected. [seen multiple times]".
References
alerts_for_windows_machines Alerts for Windows Machines detect partial T1087 Account Discovery
Comments
This control provides partial detection for some of this technique's sub-techniques and procedure examples resulting in a Partial Coverage score and consequently an overall score of Partial.
References
alerts_for_windows_machines Alerts for Windows Machines detect partial T1087.001 Local Account
Comments
This control may detect when the local administrators group is enumerated or when mulitiple domain accounts are queried. The following alerts may be generated: "Multiple Domain Accounts Queried", "Local Administrators group members were enumerated".
References
alerts_for_windows_machines Alerts for Windows Machines detect partial T1087.002 Domain Account
Comments
This control may detect when the local administrators group is enumerated or when mulitiple domain accounts are queried. The following alerts may be generated: "Multiple Domain Accounts Queried", "Local Administrators group members were enumerated".
References
alerts_for_windows_machines Alerts for Windows Machines detect partial T1105 Ingress Tool Transfer
Comments
This control may detect usage of malware droppers and creation of suspicious files on the host machine. The following alerts may be generated: "Detected possible execution of malware dropper", "Detected suspicious file creation".
References
alerts_for_windows_machines Alerts for Windows Machines detect partial T1110 Brute Force
Comments
This control provides detection for some of this technique's sub-techniques and procedure examples resulting in a Partial Coverage score and consequently an overall score of Partial.
References
alerts_for_windows_machines Alerts for Windows Machines detect partial T1112 Modify Registry
Comments
This control may detect several methods used to modify the registry for purposes of persistence, privilege elevation, and execution. The following alerts may be generated: "Detected change to a registry key that can be abused to bypass UAC", "Detected enabling of the WDigest UseLogonCredential registry key", "Detected suppression of legal notice displayed to users at logon", "Suspicious WindowPosition registry value detected", "Windows registry persistence method detected".
References
alerts_for_windows_machines Alerts for Windows Machines detect partial T1134 Access Token Manipulation
Comments
This control can detect when commands associated with this technique are executed, such as runas.
References
alerts_for_windows_machines Alerts for Windows Machines detect partial T1136.001 Local Account
Comments
This control may detect when an account is created with an account name that closely resembles a standard Windows account or group name. This may be an account created by an attacker to blend into the environment. The following alerts may be generated: "Suspicious Account Creation Detected".
References
alerts_for_windows_machines Alerts for Windows Machines detect partial T1140 Deobfuscate/Decode Files or Information
Comments
This control may detect decoding of suspicious files by certutil.exe and may detect the presence of various encoding schemes to obfuscate malicious scripts and commandline arguments. The following alerts may be generated: "Suspicious download using Certutil detected", "Suspicious download using Certutil detected [seen multiple times]", "Detected decoding of an executable using built-in certutil.exe tool".
References
alerts_for_windows_machines Alerts for Windows Machines detect partial T1189 Drive-by Compromise
Comments
This control's Fileless Attack Detection identifies shellcode executing within process memory, including shellcode executed as a payload in the exploitation of a software vulnerability. Detection is periodic at an unknown rate. The following alerts may be generated: "Fileless attack technique detected", "Fileless attack behavior detected", "Fileless attack toolkit detected", "Suspicious SVCHOST process executed".
References
alerts_for_windows_machines Alerts for Windows Machines detect partial T1190 Exploit Public-Facing Application
Comments
This control's Fileless Attack Detection identifies shellcode executing within process memory, including shellcode executed as a payload in the exploitation of a software vulnerability. Detection is periodic at an unknown rate. The following alerts may be generated: "Fileless attack technique detected", "Fileless attack behavior detected", "Fileless attack toolkit detected", "Suspicious SVCHOST process executed".
References
alerts_for_windows_machines Alerts for Windows Machines detect partial T1203 Exploitation for Client Execution
Comments
This control's Fileless Attack Detection identifies shellcode executing within process memory, including shellcode executed as a payload in the exploitation of a software vulnerability. Detection is periodic at an unknown rate. The following alerts may be generated: "Fileless attack technique detected", "Fileless attack behavior detected", "Fileless attack toolkit detected", "Suspicious SVCHOST process executed".
References
alerts_for_windows_machines Alerts for Windows Machines detect partial T1204 User Execution
Comments
This control provides detection for one of the two sub-techniques of this technique, Malicious File, resulting in a Partial Coverage score and consequently an overall score of Partial.
References
alerts_for_windows_machines Alerts for Windows Machines detect partial T1204.002 Malicious File
Comments
This control may detect the usage of a malware dropper and other indicators of a malicious file being executed by the user. The following alerts may be generated: "Detected possible execution of keygen executable", "Detected possible execution of malware dropper", "Detected suspicious file creation".
References
alerts_for_windows_machines Alerts for Windows Machines detect partial T1204.003 Malicious Image
Comments
This capability can detect when commands are executed that are associated with this technique.
References
alerts_for_windows_machines Alerts for Windows Machines detect partial T1210 Exploitation of Remote Services
Comments
This control's Fileless Attack Detection identifies shellcode executing within process memory, including shellcode executed as a payload in the exploitation of a software vulnerability. Detection is periodic at an unknown rate. The following alerts may be generated: "Fileless attack technique detected", "Fileless attack behavior detected", "Fileless attack toolkit detected", "Suspicious SVCHOST process executed".
References
alerts_for_windows_machines Alerts for Windows Machines detect partial T1211 Exploitation for Defense Evasion
Comments
This control's Fileless Attack Detection identifies shellcode executing within process memory, including shellcode executed as a payload in the exploitation of a software vulnerability. Detection is periodic at an unknown rate. The following alerts may be generated: "Fileless attack technique detected", "Fileless attack behavior detected", "Fileless attack toolkit detected", "Suspicious SVCHOST process executed".
References
alerts_for_windows_machines Alerts for Windows Machines detect partial T1212 Exploitation for Credential Access
Comments
This control's Fileless Attack Detection identifies shellcode executing within process memory, including shellcode executed as a payload in the exploitation of a software vulnerability. Detection is periodic at an unknown rate. The following alerts may be generated: "Fileless attack technique detected", "Fileless attack behavior detected", "Fileless attack toolkit detected", "Suspicious SVCHOST process executed".
References
alerts_for_windows_machines Alerts for Windows Machines detect partial T1218.005 Mshta
Comments
This control may detect suspicious usage of Mshta to execute PowerShell and suspicious Rundll32 execution. The following alerts may be generated: "Detected suspicious execution via rundll32.exe", "Detected suspicious combination of HTA and PowerShell".
References
alerts_for_windows_machines Alerts for Windows Machines detect partial T1218.011 Rundll32
Comments
This control may detect suspicious usage of Mshta to execute PowerShell and suspicious Rundll32 execution. The following alerts may be generated: "Detected suspicious execution via rundll32.exe", "Detected suspicious combination of HTA and PowerShell".
References
alerts_for_windows_machines Alerts for Windows Machines detect partial T1218.013 Mavinject
Comments
This control may detect usage of the argument INJECTRUNNING which is required for mavinject.exe.
References
alerts_for_windows_machines Alerts for Windows Machines detect partial T1218.014 MMC
alerts_for_windows_machines Alerts for Windows Machines detect partial T1218.015 Electron Applications
Comments
This control may detect commands invoking teams.exe or chrome.exe and analyze whether they are being used to execute malicious or abnormal content.
References
alerts_for_windows_machines Alerts for Windows Machines detect partial T1505.004 IIS Components
Comments
This control can detect when commands associated with installing IIS web servers are executed, such as AppCmd.exe.
References
alerts_for_windows_machines Alerts for Windows Machines detect partial T1505.005 Terminal Services DLL
Comments
This control can detect when commands associated with this technique are executed, such as reg.exe.
References
alerts_for_windows_machines Alerts for Windows Machines detect partial T1543.003 Windows Service
Comments
This control may detect when the tscon.exe binary is installed as a service to exploit RDP sessions or when a rare service group is executed under SVCHOST. The following alerts may be generated: "Suspect service installation".
References
alerts_for_windows_machines Alerts for Windows Machines detect partial T1543.005 Container Service
Comments
This control can detect when commands associated with container services are executed, such as docker or podman.
References
alerts_for_windows_machines Alerts for Windows Machines detect partial T1546.002 Screensaver
Comments
This control may detect when a suspicious screensaver process is executed, based on the location of the .scr file. Because this detection is based solely on the location of the file, it has been scored as Partial. The following alerts may be generated: "Suspicious Screensaver process executed".
References
alerts_for_windows_machines Alerts for Windows Machines detect partial T1546.008 Accessibility Features
Comments
This control may detect when the binary for the sticky keys utility has been replaced, possibly to gain persistence or execution. The following alerts may be generated: "Sticky keys attack detected".
References
alerts_for_windows_machines Alerts for Windows Machines detect partial T1547.001 Registry Run Keys / Startup Folder
Comments
This control may detect when the Registry is leveraged to gain persistence. The following alerts may be generated: "Windows registry persistence method detected".
References
alerts_for_windows_machines Alerts for Windows Machines detect partial T1552.001 Credentials In Files
Comments
This control can detect when commands associated with searching for passwords are executed.
References
alerts_for_windows_machines Alerts for Windows Machines detect partial T1553.006 Code Signing Policy Modification
Comments
This control can be used to monitor for the execution of commands that could modify the code signing policy of a system, such as bcdedit.exe -set TESTSIGNING ON.
References
alerts_for_windows_machines Alerts for Windows Machines detect partial T1555.003 Credentials from Web Browsers
alerts_for_windows_machines Alerts for Windows Machines detect partial T1555.004 Windows Credential Manager
alerts_for_windows_machines Alerts for Windows Machines detect partial T1555.005 Password Managers
alerts_for_windows_machines Alerts for Windows Machines detect partial T1556.005 Reversible Encryption
Comments
This control can monitor for command execution related to reversible encryption such as -AllowReversiblePasswordEncryption $true.
References
alerts_for_windows_machines Alerts for Windows Machines detect partial T1558.001 Golden Ticket
Comments
This control may detect commandline parameters consistent with a Kerberos Golden Ticket attack. The following alerts may be generated: "Suspected Kerberos Golden Ticket attack parameters observed".
References
alerts_for_windows_machines Alerts for Windows Machines detect partial T1562.001 Disable or Modify Tools
Comments
This control may detect when critical services have been disabled, such as Windows Security Center. This control may also detect when IIS logging has been disabled. The following alerts may be generated: "Detected the disabling of critical services", "Detected actions indicative of disabling and deleting IIS log files".
References
alerts_for_windows_machines Alerts for Windows Machines detect partial T1562.004 Disable or Modify System Firewall
Comments
This control may detect modification of the Windows firewall through use of netsh.exe or using a method that matches a known threat actor. The following alerts may be generated: "Malicious firewall rule created by ZINC server implant [seen multiple times]", "Detected suspicious new firewall rule".
References
alerts_for_windows_machines Alerts for Windows Machines detect partial T1562.009 Safe Mode Boot
Comments
This control may detect executed commands indicative of changes to boot settings such as bcdedit.exe and bootcfg.exe
References
alerts_for_windows_machines Alerts for Windows Machines detect partial T1562.010 Downgrade Attack
Comments
This control may detect executed commands indicative of indicative of attempts to abuse older or deprecated technologies (ex: powershell –v 2).
References
alerts_for_windows_machines Alerts for Windows Machines detect partial T1563 Remote Service Session Hijacking
Comments
This control provides partial detection for some of this technique's sub-techniques resulting in a Partial Coverage score and consequently an overall score of Partial.
References
alerts_for_windows_machines Alerts for Windows Machines detect partial T1563.002 RDP Hijacking
Comments
This control may detect RDP hijacking through use of the tscon.exe binary. The following alerts may be generated: "Suspect integrity level indicative of RDP hijacking", "Suspect service installation".
References
alerts_for_windows_machines Alerts for Windows Machines detect partial T1564.003 Hidden Window
Comments
This control may detect usage of the WindowPosition Registry value to hide application windows in non-visible sections of the desktop. The following alerts may be generated: "Suspicious WindowPosition registry value detected".
References
alerts_for_windows_machines Alerts for Windows Machines detect partial T1564.008 Email Hiding Rules
Comments
This control can detect when commands are run on VMs that can indicate creation or modification of email rules such as New-InboxRule, Set-InboxRule, New-TransportRule, and Set-TransportRule.
References
alerts_for_windows_machines Alerts for Windows Machines detect partial T1564.009 Resource Forking
alerts_for_windows_machines Alerts for Windows Machines detect partial T1564.011 Ignore Process Interrupts
Comments
This control can detect when commands are run related to process interrupts such as nohup.
References
alerts_for_windows_machines Alerts for Windows Machines detect partial T1567.004 Exfiltration Over Webhook
alerts_for_windows_machines Alerts for Windows Machines detect partial T1574.013 KernelCallbackTable
Comments
This control can detect windows API calls on VMs indicative of Hijacking Execution Flow via KernelCallBack table such as WriteProcessMemory() and NtQueryInformationProcess().
References
alerts_for_windows_machines Alerts for Windows Machines detect partial T1612 Build Image on Host
alerts_for_windows_machines Alerts for Windows Machines detect partial T1614 System Location Discovery
Comments
This capability can detect if commands associated with this technique such as GetLocaleInfoW are executed.
References
alerts_for_windows_machines Alerts for Windows Machines detect partial T1614.001 System Language Discovery
alerts_for_windows_machines Alerts for Windows Machines detect partial T1622 Debugger Evasion
alerts_for_windows_machines Alerts for Windows Machines detect partial T1652 Device Driver Discovery
alerts_for_windows_machines Alerts for Windows Machines detect partial T1654 Log Enumeration
Comments
This capability can detect if commands associated with log enumeration (such as wevutil.exe on Windows and CollectGuestLogs.exe on Azure hosted VMs) are executed.
References
alerts_for_windows_machines Alerts for Windows Machines detect significant T1059.001 PowerShell
Comments
This control may detect suspicious usage of PowerShell and the Windows command line. These detections include usage of suspicious arguments, dynamic script construction, and shellcode on the commandline. The following alerts may be generated: "Detected anomalous mix of upper and lower case characters in command-line", "Detected encoded executable in command line data", "Detected obfuscated command line", "Detected suspicious combination of HTA and PowerShell", "Detected suspicious commandline arguments", "Detected suspicious commandline used to start all executables in a directory", "Detected suspicious credentials in commandline", "Dynamic PS script construction", "Suspicious PowerShell Activity Detected", "Suspicious PowerShell cmdlets executed", "Suspicious command execution".
References
alerts_for_windows_machines Alerts for Windows Machines detect significant T1059.003 Windows Command Shell
Comments
This control may detect suspicious usage of PowerShell and the Windows command line. These detections include usage of suspicious arguments, dynamic script construction, and shellcode on the commandline. The following alerts may be generated: "Detected anomalous mix of upper and lower case characters in command-line", "Detected encoded executable in command line data", "Detected obfuscated command line", "Detected suspicious combination of HTA and PowerShell", "Detected suspicious commandline arguments", "Detected suspicious commandline used to start all executables in a directory", "Detected suspicious credentials in commandline", "Dynamic PS script construction", "Suspicious PowerShell Activity Detected", "Suspicious PowerShell cmdlets executed", "Suspicious command execution".
References
alerts_for_windows_machines Alerts for Windows Machines detect significant T1110.001 Password Guessing
Comments
This control may detect successful and failed brute force attempts with logic that factors the IP, time between attempts, and other suspicious activity. The following alerts may be generated: "A logon from a malicious IP has been detected", "A logon from a malicious IP has been detected. [seen multiple times]", "Successful brute force attack", "Suspicious authentication activity".
References
alerts_for_windows_machines Alerts for Windows Machines detect significant T1110.003 Password Spraying
Comments
This control may detect successful and failed brute force attempts with logic that factors the IP, time between attempts, and other suspicious activity. The following alerts may be generated: "A logon from a malicious IP has been detected", "A logon from a malicious IP has been detected. [seen multiple times]", "Successful brute force attack", "Suspicious authentication activity".
References
alerts_for_windows_machines Alerts for Windows Machines detect significant T1110.004 Credential Stuffing
Comments
This control may detect successful and failed brute force attempts with logic that factors the IP, time between attempts, and other suspicious activity. The following alerts may be generated: "A logon from a malicious IP has been detected", "A logon from a malicious IP has been detected. [seen multiple times]", "Successful brute force attack", "Suspicious authentication activity".
References
azure_backup Azure Backup respond partial T1561.002 Disk Structure Wipe
Comments
Allows for recovery of disk content, though Disk structure wipes require additional procedures for recovery.
References
azure_backup Azure Backup respond significant T1485 Data Destruction
Comments
Data backups provide a significant response to data destruction by enabling the restoration of data from backup.
References
azure_backup Azure Backup respond significant T1485.001 Lifecycle-Triggered Deletion
Comments
Data backups provide a significant response to data destruction by enabling the restoration of data from backup.
References
azure_backup Azure Backup respond significant T1486 Data Encrypted for Impact
Comments
Data backups provide a significant response to data encryption/ransomware by enabling the restoration of data from backup.
References
azure_backup Azure Backup respond significant T1491 Defacement
Comments
Data backups provide a significant response to data defacement attacks by enabling the restoration of data from backup.
References
azure_backup Azure Backup respond significant T1491.001 Internal Defacement
Comments
Data backups provide a significant response to external or internal data defacement attacks by enabling the restoration of data from backup.
References
azure_backup Azure Backup respond significant T1491.002 External Defacement
Comments
Data backups provide a significant response to external or internal data defacement attacks by enabling the restoration of data from backup.
References
azure_backup Azure Backup respond significant T1561 Disk Wipe
Comments
Data backups provide a significant response to disk wipe attacks by enabling the restoration of data from backup.
References
azure_backup Azure Backup respond significant T1561.001 Disk Content Wipe
Comments
Data backups provide a significant response to disk content wipe attacks by enabling the restoration of data from backup.
References
azure_ddos_protection Azure DDoS Protection protect significant T1498 Network Denial of Service
Comments
Designed to address multiple DDOS techniques including volumetric attacks.
References
azure_ddos_protection Azure DDoS Protection protect significant T1498.001 Direct Network Flood
Comments
This control can protect against network denial of service attacks.
References
azure_ddos_protection Azure DDoS Protection protect significant T1498.002 Reflection Amplification
Comments
This control can protect against network denial of service attacks.
References
azure_ddos_protection Azure DDoS Protection protect significant T1499 Endpoint Denial of Service
Comments
Protects against volumetric and protocol DOS, though not application.
References
azure_ddos_protection Azure DDoS Protection protect significant T1499.001 OS Exhaustion Flood
Comments
This control can protect against endpoint denial of service attacks.
References
azure_ddos_protection Azure DDoS Protection protect significant T1499.002 Service Exhaustion Flood
Comments
This control can protect against endpoint denial of service attacks.
References
azure_ddos_protection Azure DDoS Protection protect significant T1499.003 Application Exhaustion Flood
Comments
This control can protect against endpoint denial of service attacks.
References
azure_dedicated_hsm Azure Dedicated HSM protect minimal T1552 Unsecured Credentials
Comments
This control's protection is specific to a minority of this technique's sub-techniques and procedure examples resulting in a Minimal Coverage score and consequently an overall score of Minimal.
References
azure_dedicated_hsm Azure Dedicated HSM protect partial T1553 Subvert Trust Controls
Comments
Provides protection against sub-techniques involved with stealing credentials / certificates / keys from the organization.
References
azure_dedicated_hsm Azure Dedicated HSM protect partial T1553.002 Code Signing
Comments
Certificate credentials can be vaulted in an HSM thereby reducing its attack surface.
References
azure_dedicated_hsm Azure Dedicated HSM protect partial T1553.004 Install Root Certificate
Comments
Certificate credentials can be vaulted in an HSM thereby reducing its attack surface.
References
azure_dedicated_hsm Azure Dedicated HSM protect partial T1588 Obtain Capabilities
Comments
Provides protection against sub-techniques involved with stealing credentials / certificates / keys from the organization.
References
azure_dedicated_hsm Azure Dedicated HSM protect partial T1588.003 Code Signing Certificates
Comments
Certificate credentials can be vaulted in an HSM thereby reducing its attack surface.
References
azure_dedicated_hsm Azure Dedicated HSM protect partial T1588.004 Digital Certificates
Comments
Certificate credentials can be vaulted in an HSM thereby reducing its attack surface.
References
azure_dedicated_hsm Azure Dedicated HSM protect significant T1552.004 Private Keys
Comments
Provides significant protection of private keys.
References
azure_dns_alias_records Azure DNS Alias Records protect minimal T1584 Compromise Infrastructure
Comments
This control only provides protection for one of this technique's sub-techniques while not providing any protection for the remaining and therefore its coverage score factor is Minimal, resulting in a Minimal score.
References
azure_dns_alias_records Azure DNS Alias Records protect partial T1584.001 Domains
Comments
Alias records prevent dangling references by tightly coupling the life cycle of a DNS record with an Azure resource. For example, consider a DNS record that's qualified as an alias record to point to a public IP address or a Traffic Manager profile. If you delete those underlying resources, the DNS alias record becomes an empty record set. It no longer references the deleted resource. This control is effective for protecting DNS records that resolve to Azure resources but does not offer protection for records pointing to non-Azure resources, resulting in a Partial score.
References
azure_dns_analytics Azure DNS Analytics detect minimal T1041 Exfiltration Over C2 Channel
Comments
This control can potentially be used to forensically identify exfiltration via a DNS-based C2 channel.
References
azure_dns_analytics Azure DNS Analytics detect minimal T1048 Exfiltration Over Alternative Protocol
Comments
This control can identify anomalous / high talker DNS clients, possibly related to exfil via DNS
References
azure_dns_analytics Azure DNS Analytics detect minimal T1048.003 Exfiltration Over Unencrypted Non-C2 Protocol
Comments
This control can potentially be used to forensically identify exfiltration via DNS protocol.
References
azure_dns_analytics Azure DNS Analytics detect minimal T1071 Application Layer Protocol
Comments
This control can be used forensically to identify clients that communicated with identified C2 hosts via DNS.
References
azure_dns_analytics Azure DNS Analytics detect minimal T1071.004 DNS
Comments
This control can be used forensically to identify clients that communicated with identified C2 hosts.
References
azure_dns_analytics Azure DNS Analytics detect minimal T1566 Phishing
Comments
This control can be used forensically to identify DNS queries to known malicious sites, which may be evidence of phishing.
References
azure_dns_analytics Azure DNS Analytics detect minimal T1566.002 Spearphishing Link
Comments
This control can be used forensically to identify DNS queries to known malicious sites, which may be evidence of phishing.
References
azure_dns_analytics Azure DNS Analytics detect minimal T1568 Dynamic Resolution
Comments
This control can be used for after-the-fact analysis of potential fast-flux DNS C2
References
azure_dns_analytics Azure DNS Analytics detect minimal T1568.001 Fast Flux DNS
Comments
This control can be used for after-the-fact analysis of potential fast-flux DNS C2
References
azure_dns_analytics Azure DNS Analytics detect minimal T1568.002 Domain Generation Algorithms
Comments
This control can be used for after-the-fact analysis of potential fast-flux DNS C2
References
azure_firewall Azure Firewall detect partial T1557.003 DHCP Spoofing
Comments
This control can detect DHCP spoofing by monitoring network traffic.
References
azure_firewall Azure Firewall detect partial T1567.003 Exfiltration to Text Storage Sites
Comments
This control can detect exfiltration attempts to text storage sites.
References
azure_firewall Azure Firewall detect partial T1665 Hide Infrastructure
Comments
This capability can detect some traffic related to adversary command and control behavior.
References
azure_firewall Azure Firewall protect partial T1008 Fallback Channels
Comments
This control's threat intelligence-based filtering feature can be enabled to alert and deny traffic from/to known malicious IP addresses and domains. The IP addresses and domains are sourced from the Microsoft Threat Intelligence feed. Because this protection is limited to known malicious IP addresses and domains and does not provide protection from such attacks from unknown domains and IP addresses, this is scored as partial coverage resulting in an overall Partial score.
References
azure_firewall Azure Firewall protect partial T1018 Remote System Discovery
Comments
This control typically filters external network traffic and therefore can be effective for preventing external remote system discovery but such activity originating from inside the trusted network is not mitigated. Due to this partial protection coverage, it has been scored as Partial protection.
References
azure_firewall Azure Firewall protect partial T1046 Network Service Discovery
Comments
This control typically filters external network traffic and therefore can be effective for preventing external network service scanning but network service scanning originating from inside the trusted network is not mitigated. Due to this partial protection coverage, it has been scored as Partial protection.
References
azure_firewall Azure Firewall protect partial T1048 Exfiltration Over Alternative Protocol
Comments
This control provides partial protection for this technique's sub-techniques and some of its procedure examples resulting in an overall Partial score.
References
azure_firewall Azure Firewall protect partial T1048.001 Exfiltration Over Symmetric Encrypted Non-C2 Protocol
Comments
This control's threat intelligence-based filtering feature can be enabled to alert and deny traffic from/to known malicious IP addresses and domains. The IP addresses and domains are sourced from the Microsoft Threat Intelligence feed. Because this protection is limited to known malicious IP addresses and domains and does not provide protection from such attacks from unknown domains and IP addresses, this is scored as partial coverage resulting in an overall Partial score.
References
azure_firewall Azure Firewall protect partial T1048.002 Exfiltration Over Asymmetric Encrypted Non-C2 Protocol
Comments
This control's threat intelligence-based filtering feature can be enabled to alert and deny traffic from/to known malicious IP addresses and domains. The IP addresses and domains are sourced from the Microsoft Threat Intelligence feed. Because this protection is limited to known malicious IP addresses and domains and does not provide protection from such attacks from unknown domains and IP addresses, this is scored as partial coverage resulting in an overall Partial score.
References
azure_firewall Azure Firewall protect partial T1048.003 Exfiltration Over Unencrypted Non-C2 Protocol
Comments
This control's threat intelligence-based filtering feature can be enabled to alert and deny traffic from/to known malicious IP addresses and domains. The IP addresses and domains are sourced from the Microsoft Threat Intelligence feed. Because this protection is limited to known malicious IP addresses and domains and does not provide protection from such attacks from unknown domains and IP addresses, this is scored as partial coverage resulting in an overall Partial score.
References
azure_firewall Azure Firewall protect partial T1071.005 Publish/Subscribe Protocols
Comments
This control can filter network traffic on ports associated with this technique.
References
azure_firewall Azure Firewall protect partial T1095 Non-Application Layer Protocol
Comments
This control's threat intelligence-based filtering feature can be enabled to alert and deny traffic from/to known malicious IP addresses and domains. The IP addresses and domains are sourced from the Microsoft Threat Intelligence feed. Because this protection is limited to known malicious IP addresses and domains and does not provide protection from such attacks from unknown domains and IP addresses, this is scored as partial coverage resulting in an overall Partial score. Furthermore, it can be used to filter non-application layer protocol traffic such as ICMP.
References
azure_firewall Azure Firewall protect partial T1133 External Remote Services
Comments
This control can limit access to external remote services to the minimum necessary.
References
azure_firewall Azure Firewall protect partial T1204 User Execution
Comments
This control provides partial protection for this technique.
References
azure_firewall Azure Firewall protect partial T1204.003 Malicious Image
Comments
This control can prevent malicious downloads associated with this technique.
References
azure_firewall Azure Firewall protect partial T1205 Traffic Signaling
Comments
This control provides partial protection for this technique's sub-techniques and procedure examples resulting in a Partial score.
References
azure_firewall Azure Firewall protect partial T1205.001 Port Knocking
Comments
This control can protect against this sub-technique by enforcing limited access to only required ports. Consequently, even if the adversary is able to utilize port knocking to open additional ports at the host level, it is still blocked at the firewall service level. This service typically applies to external traffic and not internal traffic and therefore lateral movement using this technique within a network is still possible. Due to this partial coverage, it has been scored as Partial.
References
azure_firewall Azure Firewall protect partial T1205.002 Socket Filters
Comments
This control can protect against some variations of this technique.
References
azure_firewall Azure Firewall protect partial T1219 Remote Access Software
Comments
This control can be used to limit outgoing traffic to only sites and services used by authorized remote access tools. This is scored as partial because it doesn't protect against an adversary using an authorized remote access tool for malicious activity.
References
azure_firewall Azure Firewall protect partial T1567.003 Exfiltration to Text Storage Sites
Comments
This control can protect from exfiltration to text storage site by blocking unauthorized sites.
References
azure_firewall Azure Firewall protect partial T1590 Gather Victim Network Information
Comments
This control can prevent the gathering of victim network information via scanning methods but is not effective against methods such as Phishing resulting in a Partial coverage score and an overall Partial score.
References
azure_firewall Azure Firewall protect partial T1590.004 Network Topology
Comments
This control can prevent attempts by an adversary to gather this information using active scanning methods but is not effective of gathering this information using phishing related methods.
References
azure_firewall Azure Firewall protect partial T1590.005 IP Addresses
Comments
This control can prevent attempts by an adversary to gather this information using active scanning methods but is not effective of gathering this information using phishing related methods.
References
azure_firewall Azure Firewall protect partial T1590.006 Network Security Appliances
Comments
This control can prevent attempts by an adversary to gather this information using active scanning methods but is not effective of gathering this information using phishing related methods.
References
azure_firewall Azure Firewall protect partial T1595 Active Scanning
Comments
This control provides Partial protection for its sub-techniques resulting in an overall Partial score.
References
azure_firewall Azure Firewall protect partial T1595.001 Scanning IP Blocks
Comments
This control's threat intelligence-based filtering feature can be enabled to alert and deny traffic from/to known malicious IP addresses and domains. The IP addresses and domains are sourced from the Microsoft Threat Intelligence feed. Because this protection is limited to known malicious IP addresses and domains and does not provide protection from such attacks from unknown domains and IP addresses, this is scored as partial coverage resulting in an overall Partial score.
References
azure_firewall Azure Firewall protect partial T1595.002 Vulnerability Scanning
Comments
This control's threat intelligence-based filtering feature can be enabled to alert and deny traffic from/to known malicious IP addresses and domains. The IP addresses and domains are sourced from the Microsoft Threat Intelligence feed. Because this protection is limited to known malicious IP addresses and domains and does not provide protection from such attacks from unknown domains and IP addresses, this is scored as partial coverage resulting in an overall Partial score.
References
azure_firewall Azure Firewall protect partial T1595.003 Wordlist Scanning
Comments
This control monitors for accesses of potentially sensitive web pages from source IP addresses whose access pattern resembles that of a web scanner or have not been logged before. Temporal factor is unknown.
References
azure_firewall Azure Firewall protect significant T1557.003 DHCP Spoofing
Comments
This control can protect against DHCP spoofing by restricting DHCP traffic to trusted DHCP servers.
References
azure_firewall Azure Firewall protect significant T1571 Non-Standard Port
Comments
This control can limit access to the minimum required ports and therefore protect against adversaries attempting to use non-standard ports for C2 traffic.
References
azure_key_vault Azure Key Vault protect minimal T1040 Network Sniffing
Comments
This control provides secure methods for accessing secrets and passwords. This can reduce the incidences of credentials and other authentication material being transmitted in plain text or by insecure encryption methods. Any communication between applications or endpoints after access to Key Vault may not be secure.
References
azure_key_vault Azure Key Vault protect partial T1528 Steal Application Access Token
Comments
This control can provide protection against attackers stealing application access tokens if they are stored within Azure Key Vault. Key vault significantly raises the bar for access for stored tokens by requiring legitimate credentials with proper authorization. Applications may have to be modified to take advantage of Key Vault and may not always be possible to utilize.
References
azure_key_vault Azure Key Vault protect partial T1552 Unsecured Credentials
Comments
This control provides a central, secure location for storage of credentials to reduce the possibility of attackers discovering unsecured credentials.
References
azure_key_vault Azure Key Vault protect partial T1555 Credentials from Password Stores
Comments
This control may provide a more secure location for storing passwords. If an Azure user account, endpoint, or application is compromised, they may have limited access to passwords stored in the Key Vault.
References
azure_key_vault Azure Key Vault protect partial T1555.006 Cloud Secrets Management Stores
Comments
This control may provide a more secure location for storing passwords. If an Azure user account, endpoint, or application is compromised, they may have limited access to passwords stored in the Key Vault.
References
azure_network_security_groups Azure Network Security Groups protect minimal T1542 Pre-OS Boot
azure_network_security_groups Azure Network Security Groups protect partial T1021 Remote Services
azure_network_security_groups Azure Network Security Groups protect partial T1021.001 Remote Desktop Protocol
Comments
This control can be used to restrict direct access to remote services to trusted networks. This mitigates even an adversary with a valid account from accessing resources. This can be circumvented though if an adversary is able to compromise a trusted host and move laterally to a protected network. This results in an overall partial (coverage) score.
References
azure_network_security_groups Azure Network Security Groups protect partial T1021.002 SMB/Windows Admin Shares
Comments
This control can be used to restrict direct access to remote services to trusted networks. This mitigates even an adversary with a valid account from accessing resources. This can be circumvented though if an adversary is able to compromise a trusted host and move laterally to a protected network. This results in an overall partial (coverage) score.
References
azure_network_security_groups Azure Network Security Groups protect partial T1021.003 Distributed Component Object Model
Comments
This control can be used to restrict direct access to remote services to trusted networks. This mitigates even an adversary with a valid account from accessing resources. This can be circumvented though if an adversary is able to compromise a trusted host and move laterally to a protected network. This results in an overall partial (coverage) score.
References
azure_network_security_groups Azure Network Security Groups protect partial T1021.004 SSH
Comments
This control can be used to restrict direct access to remote services to trusted networks. This mitigates even an adversary with a valid account from accessing resources. This can be circumvented though if an adversary is able to compromise a trusted host and move laterally to a protected network. This results in an overall partial (coverage) score.
References
azure_network_security_groups Azure Network Security Groups protect partial T1021.005 VNC
Comments
This control can be used to restrict direct access to remote services to trusted networks. This mitigates even an adversary with a valid account from accessing resources. This can be circumvented though if an adversary is able to compromise a trusted host and move laterally to a protected network. This results in an overall partial (coverage) score.
References
azure_network_security_groups Azure Network Security Groups protect partial T1021.006 Windows Remote Management
Comments
This control can be used to restrict direct access to remote services to trusted networks. This mitigates even an adversary with a valid account from accessing resources. This can be circumvented though if an adversary is able to compromise a trusted host and move laterally to a protected network. This results in an overall partial (coverage) score.
References
azure_network_security_groups Azure Network Security Groups protect partial T1021.007 Cloud Services
Comments
This control can protect against abuse of remote cloud services.
References
azure_network_security_groups Azure Network Security Groups protect partial T1021.008 Direct Cloud VM Connections
Comments
This control can protect against abuse of direct cloud VM connections.
References
azure_network_security_groups Azure Network Security Groups protect partial T1046 Network Service Discovery
azure_network_security_groups Azure Network Security Groups protect partial T1072 Software Deployment Tools
azure_network_security_groups Azure Network Security Groups protect partial T1090 Proxy
Comments
This control can restrict ports and inter-system / inter-enclave connections as described by the Proxy related sub-techniques although it doesn't provide protection for domain-fronting. It furthermore provides partial protection of this technique's procedure examples resulting in an overall Partial score.
References
azure_network_security_groups Azure Network Security Groups protect partial T1090.001 Internal Proxy
Comments
This control can restrict access between systems, enclaves, and workloads thereby mitigating these proxy related sub-techniques.
References
azure_network_security_groups Azure Network Security Groups protect partial T1090.002 External Proxy
Comments
This control can restrict access between systems, enclaves, and workloads thereby mitigating these proxy related sub-techniques.
References
azure_network_security_groups Azure Network Security Groups protect partial T1090.003 Multi-hop Proxy
Comments
This control can restrict access between systems, enclaves, and workloads thereby mitigating these proxy related sub-techniques.
References
azure_network_security_groups Azure Network Security Groups protect partial T1095 Non-Application Layer Protocol
azure_network_security_groups Azure Network Security Groups protect partial T1133 External Remote Services
Comments
This control can be used to restrict direct access to remote service gateways and concentrators that typically accompany external remote services. This can be circumvented though if an adversary is able to compromise a trusted host and use it to access the external remote service. This results in an overall partial (coverage) score.
References
azure_network_security_groups Azure Network Security Groups protect partial T1199 Trusted Relationship
Comments
This control can isolate portions of network that do not require network-wide access, limiting some attackers that leverage trusted relationships such as remote access for vendor maintenance. Coverage partial, Temporal Immediate.
References
azure_network_security_groups Azure Network Security Groups protect partial T1205 Traffic Signaling
Comments
This control provides partial protection for this technique's sub-techniques and procedure examples resulting in an overall Partial score. Other variations that trigger a special response, such as executing a malicous task are not mitigated by this control.
References
azure_network_security_groups Azure Network Security Groups protect partial T1210 Exploitation of Remote Services
azure_network_security_groups Azure Network Security Groups protect partial T1219 Remote Access Software
azure_network_security_groups Azure Network Security Groups protect partial T1482 Domain Trust Discovery
azure_network_security_groups Azure Network Security Groups protect partial T1498 Network Denial of Service
azure_network_security_groups Azure Network Security Groups protect partial T1499 Endpoint Denial of Service
azure_network_security_groups Azure Network Security Groups protect partial T1499.001 OS Exhaustion Flood
Comments
This control can be used to restrict access to endpoints and thereby mitigate low-end DOS attacks.
References
azure_network_security_groups Azure Network Security Groups protect partial T1499.002 Service Exhaustion Flood
Comments
This control can be used to restrict access to endpoints and thereby mitigate low-end DOS attacks.
References
azure_network_security_groups Azure Network Security Groups protect partial T1499.003 Application Exhaustion Flood
Comments
This control can be used to restrict access to endpoints and thereby mitigate low-end DOS attacks.
References
azure_network_security_groups Azure Network Security Groups protect partial T1542.005 TFTP Boot
Comments
This control can be used to restrict clients to connecting (and therefore booting) from only trusted network resources.
References
azure_network_security_groups Azure Network Security Groups protect partial T1557 Adversary-in-the-Middle
azure_network_security_groups Azure Network Security Groups protect partial T1570 Lateral Tool Transfer
azure_network_security_groups Azure Network Security Groups protect partial T1602 Data from Configuration Repository
azure_network_security_groups Azure Network Security Groups protect partial T1602.001 SNMP (MIB Dump)
Comments
Can limit access to client management interfaces or configuration databases
References
azure_network_security_groups Azure Network Security Groups protect partial T1602.002 Network Device Configuration Dump
Comments
Can limit access to client management interfaces or configuration databases
References
azure_network_security_groups Azure Network Security Groups protect partial T1659 Content Injection
azure_network_security_groups Azure Network Security Groups protect significant T1048 Exfiltration Over Alternative Protocol
azure_network_security_groups Azure Network Security Groups protect significant T1048.001 Exfiltration Over Symmetric Encrypted Non-C2 Protocol
Comments
This control can reduce the protocols available for data exfiltration. Temporal immediate, coverage substantial.
References
azure_network_security_groups Azure Network Security Groups protect significant T1048.002 Exfiltration Over Asymmetric Encrypted Non-C2 Protocol
Comments
This control can reduce the protocols available for data exfiltration. Temporal immediate, coverage substantial.
References
azure_network_security_groups Azure Network Security Groups protect significant T1048.003 Exfiltration Over Unencrypted Non-C2 Protocol
Comments
This control can reduce the protocols available for data exfiltration. Temporal immediate, coverage substantial.
References
azure_network_security_groups Azure Network Security Groups protect significant T1205.001 Port Knocking
Comments
This control can be used to implement whitelist based network rules that can mitigate variations of this sub-techniques that result in opening closed ports for communication. Because this control is able to drop traffic before reaching a compromised host, it can effectively mitigate this port knocking sub-technique.
References
azure_network_security_groups Azure Network Security Groups protect significant T1496.002 Bandwidth Hijacking
Comments
This capability can be configured to limit bandwidth available to connections.
References
azure_network_security_groups Azure Network Security Groups protect significant T1571 Non-Standard Port
azure_network_watcher_traffic_analytics Azure Network Watcher: Traffic Analytics detect minimal T1542 Pre-OS Boot
Comments
This control can identify anomalous traffic related to one of its sub-techniques (TFTP boot).
References
azure_network_watcher_traffic_analytics Azure Network Watcher: Traffic Analytics detect partial T1021 Remote Services
Comments
This control can detect anomalous traffic or attempts related to network security group (NSG) for remote services.
References
azure_network_watcher_traffic_analytics Azure Network Watcher: Traffic Analytics detect partial T1021.001 Remote Desktop Protocol
Comments
This control can detect anomalous traffic with respect to remote access protocols and groups.
References
azure_network_watcher_traffic_analytics Azure Network Watcher: Traffic Analytics detect partial T1021.002 SMB/Windows Admin Shares
Comments
This control can detect anomalous traffic with respect to remote access protocols and groups.
References
azure_network_watcher_traffic_analytics Azure Network Watcher: Traffic Analytics detect partial T1021.003 Distributed Component Object Model
Comments
This control can detect anomalous traffic with respect to remote access protocols and groups.
References
azure_network_watcher_traffic_analytics Azure Network Watcher: Traffic Analytics detect partial T1021.004 SSH
Comments
This control can detect anomalous traffic with respect to remote access protocols and groups.
References
azure_network_watcher_traffic_analytics Azure Network Watcher: Traffic Analytics detect partial T1021.005 VNC
Comments
This control can detect anomalous traffic with respect to remote access protocols and groups.
References
azure_network_watcher_traffic_analytics Azure Network Watcher: Traffic Analytics detect partial T1021.006 Windows Remote Management
Comments
This control can detect anomalous traffic with respect to remote access protocols and groups.
References
azure_network_watcher_traffic_analytics Azure Network Watcher: Traffic Analytics detect partial T1021.007 Cloud Services
Comments
This control can detect anomalous network traffic associated with abuse of remote cloud services.
References
azure_network_watcher_traffic_analytics Azure Network Watcher: Traffic Analytics detect partial T1021.008 Direct Cloud VM Connections
Comments
This control can detect direct cloud VM connections.
References
azure_network_watcher_traffic_analytics Azure Network Watcher: Traffic Analytics detect partial T1048 Exfiltration Over Alternative Protocol
Comments
This control can detect anomalous traffic with respect to specific protocols/ports.
References
azure_network_watcher_traffic_analytics Azure Network Watcher: Traffic Analytics detect partial T1048.001 Exfiltration Over Symmetric Encrypted Non-C2 Protocol
Comments
This control can identify anomalous traffic with respect specific ports (though it can't identify presence or lack of encryption).
References
azure_network_watcher_traffic_analytics Azure Network Watcher: Traffic Analytics detect partial T1048.002 Exfiltration Over Asymmetric Encrypted Non-C2 Protocol
Comments
This control can identify anomalous traffic with respect specific ports (though it can't identify presence or lack of encryption).
References
azure_network_watcher_traffic_analytics Azure Network Watcher: Traffic Analytics detect partial T1048.003 Exfiltration Over Unencrypted Non-C2 Protocol
Comments
This control can identify anomalous traffic with respect specific ports (though it can't identify presence or lack of encryption).
References
azure_network_watcher_traffic_analytics Azure Network Watcher: Traffic Analytics detect partial T1071 Application Layer Protocol
Comments
This control can identify anomalous traffic with respect to NSG and application layer protocols.
References
azure_network_watcher_traffic_analytics Azure Network Watcher: Traffic Analytics detect partial T1071.002 File Transfer Protocols
Comments
This control can detect anomalous application protocol traffic with respect to network security group (NSG) (though web traffic would be typically too commonplace for this control to be useful).
References
azure_network_watcher_traffic_analytics Azure Network Watcher: Traffic Analytics detect partial T1071.003 Mail Protocols
Comments
This control can detect anomalous application protocol traffic with respect to network security group (NSG) (though web traffic would be typically too commonplace for this control to be useful).
References
azure_network_watcher_traffic_analytics Azure Network Watcher: Traffic Analytics detect partial T1071.004 DNS
Comments
This control can detect anomalous application protocol traffic with respect to network security group (NSG) (though web traffic would be typically too commonplace for this control to be useful).
References
azure_network_watcher_traffic_analytics Azure Network Watcher: Traffic Analytics detect partial T1071.005 Publish/Subscribe Protocols
Comments
This control can detect anomalous application protocol traffic related to this technique.
References
azure_network_watcher_traffic_analytics Azure Network Watcher: Traffic Analytics detect partial T1072 Software Deployment Tools
Comments
This control can detect anomalous traffic with respect to critical systems and software deployment ports.
References
azure_network_watcher_traffic_analytics Azure Network Watcher: Traffic Analytics detect partial T1090 Proxy
Comments
This control can detect anomalous traffic between systems and external networks.
References
azure_network_watcher_traffic_analytics Azure Network Watcher: Traffic Analytics detect partial T1090.001 Internal Proxy
Comments
This control can detect abuse of internal proxies.
References
azure_network_watcher_traffic_analytics Azure Network Watcher: Traffic Analytics detect partial T1090.002 External Proxy
Comments
This control can detect abuse of external proxies.
References
azure_network_watcher_traffic_analytics Azure Network Watcher: Traffic Analytics detect partial T1090.003 Multi-hop Proxy
Comments
This control can detect abuse of multi-hop proxies.
References
azure_network_watcher_traffic_analytics Azure Network Watcher: Traffic Analytics detect partial T1133 External Remote Services
Comments
This control can identify anomalous access to external remote services.
References
azure_network_watcher_traffic_analytics Azure Network Watcher: Traffic Analytics detect partial T1189 Drive-by Compromise
Comments
This capability can detect suspicious script execution over a network.
References
azure_network_watcher_traffic_analytics Azure Network Watcher: Traffic Analytics detect partial T1190 Exploit Public-Facing Application
Comments
This control can detect anomalous traffic to and from externally facing systems with respect to network security group (NSG) policy.
References
azure_network_watcher_traffic_analytics Azure Network Watcher: Traffic Analytics detect partial T1199 Trusted Relationship
Comments
This control can be used to gain insight into normal traffic from trusted third parties which can then be used to detect anomalous traffic that may be indicative of a threat.
References
azure_network_watcher_traffic_analytics Azure Network Watcher: Traffic Analytics detect partial T1204 User Execution
Comments
This control can detect network traffic associated with this technique.
References
azure_network_watcher_traffic_analytics Azure Network Watcher: Traffic Analytics detect partial T1219 Remote Access Software
Comments
This control can detect network traffic associated with this technique.
References
azure_network_watcher_traffic_analytics Azure Network Watcher: Traffic Analytics detect partial T1496.002 Bandwidth Hijacking
Comments
This capability can detect anomalous network traffic indicative of bandwidth hijacking.
References
azure_network_watcher_traffic_analytics Azure Network Watcher: Traffic Analytics detect partial T1499 Endpoint Denial of Service
Comments
This control can identify volumetric and multi-sourced denial-of-service attacks.
References
azure_network_watcher_traffic_analytics Azure Network Watcher: Traffic Analytics detect partial T1499.001 OS Exhaustion Flood
Comments
This control can detect endpoint denial of service attacks.
References
azure_network_watcher_traffic_analytics Azure Network Watcher: Traffic Analytics detect partial T1499.002 Service Exhaustion Flood
Comments
This control can detect endpoint denial of service attacks.
References
azure_network_watcher_traffic_analytics Azure Network Watcher: Traffic Analytics detect partial T1499.003 Application Exhaustion Flood
Comments
This control can detect endpoint denial of service attacks.
References
azure_network_watcher_traffic_analytics Azure Network Watcher: Traffic Analytics detect partial T1542.005 TFTP Boot
Comments
This control can be used to identify anomalous TFTP boot traffic.
References
azure_network_watcher_traffic_analytics Azure Network Watcher: Traffic Analytics detect partial T1563 Remote Service Session Hijacking
Comments
This control can be used to identify anomalous traffic related to RDP and SSH sessions or blocked attempts to access these management ports.
References
azure_network_watcher_traffic_analytics Azure Network Watcher: Traffic Analytics detect partial T1563.001 SSH Hijacking
Comments
This control can detect SSH hijacking.
References
azure_network_watcher_traffic_analytics Azure Network Watcher: Traffic Analytics detect partial T1563.002 RDP Hijacking
Comments
This control can detect RDP hijacking.
References
azure_network_watcher_traffic_analytics Azure Network Watcher: Traffic Analytics detect partial T1602 Data from Configuration Repository
Comments
This control can identify anomalous traffic with respect to configuration repositories or identified configuration management ports.
References
azure_network_watcher_traffic_analytics Azure Network Watcher: Traffic Analytics detect partial T1602.001 SNMP (MIB Dump)
Comments
This control can detect collection from configuration repositories.
References
azure_network_watcher_traffic_analytics Azure Network Watcher: Traffic Analytics detect partial T1602.002 Network Device Configuration Dump
Comments
This control can detect collection from configuration repositories.
References
azure_network_watcher_traffic_analytics Azure Network Watcher: Traffic Analytics detect significant T1046 Network Service Discovery
Comments
This control can detect network service scanning/discovery activity.
References
azure_network_watcher_traffic_analytics Azure Network Watcher: Traffic Analytics detect significant T1571 Non-Standard Port
Comments
This control can identify anomalous traffic that utilizes non-standard application ports.
References
azure_policy Azure Policy detect minimal T1525 Implant Internal Image
Comments
This control may provide recommendations to enable scanning and auditing of container images. This can provide information on images that have been added with high privileges or vulnerabilities.
References
azure_policy Azure Policy protect minimal T1021 Remote Services
azure_policy Azure Policy protect minimal T1021.001 Remote Desktop Protocol
Comments
This control may provide recommendations to restrict public access to Remote Desktop Protocol.
References
azure_policy Azure Policy protect minimal T1021.004 SSH
Comments
This control may provide recommendations to restrict public SSH access and enable usage of SSH keys.
References
azure_policy Azure Policy protect minimal T1068 Exploitation for Privilege Escalation
Comments
This control may provide recommendations for vulnerability assessment and outdated applications and cloud services. This control covers a wide range of Azure cloud services to help reduce the surface area for exploitation.
References
azure_policy Azure Policy protect minimal T1071 Application Layer Protocol
azure_policy Azure Policy protect minimal T1071.004 DNS
Comments
This control may provide recommendations to enable Azure Defender for DNS which can monitor DNS queries between Azure applications for malicious traffic.
References
azure_policy Azure Policy protect minimal T1078 Valid Accounts
azure_policy Azure Policy protect minimal T1078.004 Cloud Accounts
Comments
This control may provide recommendations to audit and restrict privileges on Azure cloud accounts. This control may provide information to reduce surface area for privileged access to Azure.
References
azure_policy Azure Policy protect minimal T1098 Account Manipulation
azure_policy Azure Policy protect minimal T1098.001 Additional Cloud Credentials
Comments
This control may recommend removing deprecated accounts, reducing privileges, and enabling multi-factor authentication. This can reduce the amount of accounts available to be exploited and what could be done with those accounts.
References
azure_policy Azure Policy protect minimal T1203 Exploitation for Client Execution
Comments
This control may provide recommendations for vulnerability assessment and outdated applications and cloud services. This control covers a wide range of Azure cloud services to help reduce the surface area for exploitation.
References
azure_policy Azure Policy protect minimal T1210 Exploitation of Remote Services
Comments
This control may provide recommendations to enable Azure security controls to harden remote services and reduce surface area for possible exploitation.
References
azure_policy Azure Policy protect minimal T1211 Exploitation for Defense Evasion
Comments
This control may provide recommendations for vulnerability assessment and outdated applications and cloud services. This control covers a wide range of Azure cloud services to help reduce the surface area for exploitation.
References
azure_policy Azure Policy protect minimal T1212 Exploitation for Credential Access
Comments
This control may provide recommendations for vulnerability assessment and outdated applications and cloud services. This control covers a wide range of Azure cloud services to help reduce the surface area for exploitation.
References
azure_policy Azure Policy protect minimal T1485 Data Destruction
Comments
This control may provide recommendations to enable soft deletion and purge protection in Azure Key Vault. This can help mitigate against malicious deletion of keys and secrets stored within Key Vault.
References
azure_policy Azure Policy protect minimal T1485.001 Lifecycle-Triggered Deletion
Comments
This control may provide recommendations that protect from lifecycle-triggered deletion.
References
azure_policy Azure Policy protect minimal T1505 Server Software Component
Comments
This control can protect against abuse of server software components for persistence.
References
azure_policy Azure Policy protect minimal T1505.001 SQL Stored Procedures
Comments
This control may provide recommendations to enable other Azure controls that provide information on potentially exploitable SQL stored procedures. Recommendations to reduce unnecessary privileges from accounts and stored procedures can mitigate exploitable of this technique.
References
azure_policy Azure Policy protect minimal T1537 Transfer Data to Cloud Account
Comments
This control may provide recommendations to enable security controls that monitor and prevent malicious transfer of data to cloud accounts.
References
azure_policy Azure Policy protect partial T1021.007 Cloud Services
Comments
This control can protect against abuse of remote cloud services.
References
azure_policy Azure Policy protect partial T1021.008 Direct Cloud VM Connections
Comments
This control can protect against abuse of direct cloud VM connections.
References
azure_policy Azure Policy protect partial T1040 Network Sniffing
Comments
This control may provide recommendations to enable various Azure services that route traffic through secure networks, segment all network traffic, and enable TLS encryption where available.
References
azure_policy Azure Policy protect partial T1110 Brute Force
azure_policy Azure Policy protect partial T1110.001 Password Guessing
Comments
This control may provide recommendations to implement multi-factor authentication, implement password security policies, and replacing password authentication with more secure authentication methods. This control can affect Azure, Azure cloud application, and endpoint credentials.
References
azure_policy Azure Policy protect partial T1110.003 Password Spraying
Comments
This control may provide recommendations to implement multi-factor authentication, implement password security policies, and replacing password authentication with more secure authentication methods. This control can affect Azure, Azure cloud application, and endpoint credentials.
References
azure_policy Azure Policy protect partial T1110.004 Credential Stuffing
Comments
This control may provide recommendations to implement multi-factor authentication, implement password security policies, and replacing password authentication with more secure authentication methods. This control can affect Azure, Azure cloud application, and endpoint credentials.
References
azure_policy Azure Policy protect partial T1133 External Remote Services
Comments
This control may provide recommendations to secure external remote services, such as restricting SSH access, enabling multi-factor authentication for VPN access, and auditing external remote services that are not necessary or updated.
References
azure_policy Azure Policy protect partial T1190 Exploit Public-Facing Application
Comments
This control may provide recommendations to restrict access to applications that are public facing and providing information on vulnerable applications.
References
azure_policy Azure Policy protect partial T1526 Cloud Service Discovery
Comments
This control may provide recommendations to enable Azure services that limit access to cloud services. Several Azure services and controls provide mitigations against cloud service discovery.
References
azure_policy Azure Policy protect partial T1530 Data from Cloud Storage
Comments
This control may provide recommendations to enable Azure Defender for Storage and other security controls to prevent access to data from cloud storage objects.
References
azure_policy Azure Policy protect partial T1535 Unused/Unsupported Cloud Regions
Comments
This control may provide recommendations to restrict the allowed locations your organization can specify when deploying resources or creating resource groups.
References
azure_policy Azure Policy protect partial T1538 Cloud Service Dashboard
Comments
This control may provide recommendations to enable Azure services that limit access to Azure Resource Manager and other Azure dashboards. Several Azure services and controls provide mitigations against this technique.
References
azure_policy Azure Policy protect partial T1555 Credentials from Password Stores
Comments
This control may provide recommendations for auditing and hardening Azure Key Vault to prevent malicious access and segment key access.
References
azure_policy Azure Policy protect partial T1555.006 Cloud Secrets Management Stores
Comments
This control may provide recommendations for auditing and hardening Azure Key Vault to prevent malicious access and segment key access.
References
azure_policy Azure Policy protect partial T1580 Cloud Infrastructure Discovery
Comments
This control may provide recommendations to enable Azure services that limit access to cloud infrastructure. Several Azure services and controls provide mitigations against cloud infrastructure discovery.
References
azure_policy Azure Policy protect partial T1590 Gather Victim Network Information
Comments
This control may provide recommendations to restrict access to cloud resources from public networks and to route traffic between resources through Azure. Recommendations are also provided to use private DNS zones. If these recommendations are implemented the visible network information should be reduced.
References
azure_policy Azure Policy protect partial T1590.002 DNS
Comments
This control can protect against gathering victim networking information.
References
azure_policy Azure Policy protect partial T1590.004 Network Topology
Comments
This control can protect against gathering victim networking information.
References
azure_policy Azure Policy protect partial T1590.005 IP Addresses
Comments
This control can protect against gathering victim networking information.
References
azure_policy Azure Policy protect partial T1590.006 Network Security Appliances
Comments
This control can protect against gathering victim networking information.
References
azure_private_link Azure Private Link protect minimal T1565 Data Manipulation
Comments
This control provides partial protection for one of this technique's sub-techniques resulting in an overall Minimal score.
References
azure_private_link Azure Private Link protect partial T1040 Network Sniffing
Comments
This control reduces the likelihood of a network sniffing attack for traffic between remote users, cloud, and 3rd parties by routing the traffic via the Microsoft backbone rather than over the Internet.
References
azure_private_link Azure Private Link protect partial T1498 Network Denial of Service
Comments
Prevents Denial of Service (DOS) against systems that would otherwise need to connect via an internet-traversing path (coverage partial, since doesn't apply to systems that must be directly exposed to the Internet)
References
azure_private_link Azure Private Link protect partial T1498.001 Direct Network Flood
Comments
This control can protect against network denial of service attacks.
References
azure_private_link Azure Private Link protect partial T1498.002 Reflection Amplification
Comments
This control can protect against network denial of service attacks.
References
azure_private_link Azure Private Link protect partial T1499 Endpoint Denial of Service
Comments
Prevents Denial of Service (DOS) against systems that would otherwise need to connect via an internet-traversing path (coverage partial, since doesn't apply to systems that must be directly exposed to the Internet)
References
azure_private_link Azure Private Link protect partial T1499.001 OS Exhaustion Flood
Comments
This control can protect against endpoint denial of service attacks.
References
azure_private_link Azure Private Link protect partial T1499.002 Service Exhaustion Flood
Comments
This control can protect against endpoint denial of service attacks.
References
azure_private_link Azure Private Link protect partial T1499.003 Application Exhaustion Flood
Comments
This control can protect against endpoint denial of service attacks.
References
azure_private_link Azure Private Link protect partial T1499.004 Application or System Exploitation
Comments
This control can protect against endpoint denial of service attacks.
References
azure_private_link Azure Private Link protect partial T1557 Adversary-in-the-Middle
Comments
This control provides partial protection for this technique's sub-techniques resulting in an overall Partial score.
References
azure_private_link Azure Private Link protect partial T1557.001 LLMNR/NBT-NS Poisoning and SMB Relay
Comments
This control reduces the likelihood of MiTM for traffic between remote users, cloud, and 3rd parties by routing the traffic via the Microsoft backbone rather than over the Internet.
References
azure_private_link Azure Private Link protect partial T1557.002 ARP Cache Poisoning
Comments
This control reduces the likelihood of MiTM for traffic between remote users, cloud, and 3rd parties by routing the traffic via the Microsoft backbone rather than over the Internet.
References
azure_private_link Azure Private Link protect partial T1565.002 Transmitted Data Manipulation
Comments
This control reduces the likelihood of data manipulation for traffic between remote users, cloud, and 3rd parties by routing the traffic via the Microsoft backbone rather than over the Internet.
References
azure_private_link Azure Private Link protect partial T1659 Content Injection
Comments
This capability provides protection against content inection.
References
azure_role_based_access_control Azure Role-Based Access Control protect minimal T1078 Valid Accounts
Comments
This control only provides protection for one of this technique's sub-techniques while not providing any protection for its procedure examples (due to being specific to Azure AD) nor its remaining sub-technqiues. Consequently its coverage score factor is Minimal, resulting in a Minimal score.
References
azure_role_based_access_control Azure Role-Based Access Control protect minimal T1087 Account Discovery
Comments
This control only provides protection for one of this technique's sub-techniques while not providing any protection for its procedure examples nor its remaining sub-technqiues and therefore its coverage score factor is Minimal, resulting in a Minimal score.
References
azure_role_based_access_control Azure Role-Based Access Control protect minimal T1136 Create Account
Comments
This control only provides protection for one of this technique's sub-techniques while not providing any protection for the remaining and therefore its coverage score factor is Minimal, resulting in a Minimal score.
References
azure_role_based_access_control Azure Role-Based Access Control protect partial T1078.004 Cloud Accounts
Comments
This control can be used to implement the least-privilege principle for account management and thereby limit what an adversary can do with a valid account.
References
azure_role_based_access_control Azure Role-Based Access Control protect partial T1087.004 Cloud Account
Comments
This control can be used to implement the least-privilege principle for account management and thereby limit the accounts that can be used for account discovery.
References
azure_role_based_access_control Azure Role-Based Access Control protect partial T1098 Account Manipulation
Comments
This control provides protection for some of this technique's sub-techniques and therefore its coverage score factor is Partial, resulting in a Partial score.
References
azure_role_based_access_control Azure Role-Based Access Control protect partial T1098.001 Additional Cloud Credentials
Comments
This control can be used to implement the least-privilege principle for account management and thereby limit the number of accounts that can modify accounts.
References
azure_role_based_access_control Azure Role-Based Access Control protect partial T1098.003 Additional Cloud Roles
Comments
This control can be used to implement the least-privilege principle for account management and thereby limit the number of accounts that can modify accounts.
References
azure_role_based_access_control Azure Role-Based Access Control protect partial T1098.006 Additional Container Cluster Roles
Comments
This control can be used to implement the least-privilege principle for account management and thereby limit the number of accounts that can modify accounts.
References
azure_role_based_access_control Azure Role-Based Access Control protect partial T1136.003 Cloud Account
Comments
This control can be used to implement the least-privilege principle for account management and thereby limit the number of accounts that can create accounts.
References
azure_role_based_access_control Azure Role-Based Access Control protect partial T1485.001 Lifecycle-Triggered Deletion
Comments
This control can provide protection against life-cycle triggered deletion by restricting access to those functions.
References
azure_role_based_access_control Azure Role-Based Access Control protect partial T1528 Steal Application Access Token
Comments
This control can be used to limit the number of users that are authorized to grant consent to applications for accessing organizational data. This can reduce the likelihood that a user is fooled into granting consent to a malicious application that then utilizes the user's OAuth access token to access organizational data.
References
azure_role_based_access_control Azure Role-Based Access Control protect partial T1530 Data from Cloud Storage
Comments
This control can be used to limit the number of users that have access to storage solutions except for the applications, users, and services that require access, thereby reducing the attack surface.
References
azure_role_based_access_control Azure Role-Based Access Control protect partial T1538 Cloud Service Dashboard
Comments
This control can be used to limit the number of users that have dashboard visibility thereby reducing the attack surface.
References
azure_role_based_access_control Azure Role-Based Access Control protect partial T1556 Modify Authentication Process
Comments
This control can protect against modification of the authentication process by limiting access.
References
azure_role_based_access_control Azure Role-Based Access Control protect partial T1578 Modify Cloud Compute Infrastructure
Comments
This control provides partial protection for all of its sub-techniques and therefore its coverage score factor is Partial, resulting in a Partial score.
References
azure_role_based_access_control Azure Role-Based Access Control protect partial T1578.001 Create Snapshot
Comments
This control can be used to implement the least-privilege principle for account management and thereby limit the number of accounts that can perform these privileged operations.
References
azure_role_based_access_control Azure Role-Based Access Control protect partial T1578.002 Create Cloud Instance
Comments
This control can be used to implement the least-privilege principle for account management and thereby limit the number of accounts that can perform these privileged operations.
References
azure_role_based_access_control Azure Role-Based Access Control protect partial T1578.003 Delete Cloud Instance
Comments
This control can be used to implement the least-privilege principle for account management and thereby limit the number of accounts that can perform these privileged operations.
References
azure_role_based_access_control Azure Role-Based Access Control protect partial T1578.004 Revert Cloud Instance
Comments
This control can be used to implement the least-privilege principle for account management and thereby limit the number of accounts that can perform these privileged operations.
References
azure_role_based_access_control Azure Role-Based Access Control protect partial T1578.005 Modify Cloud Compute Configurations
Comments
This control can be used to implement the least-privilege principle for account management and thereby limit the number of accounts that can perform these privileged operations.
References
azure_role_based_access_control Azure Role-Based Access Control protect partial T1580 Cloud Infrastructure Discovery
Comments
This control can be used to limit the number of users that have privileges to discover cloud infrastructure thereby reducing an organization's cloud infrastructure attack surface.
References
azure_update_manager Azure Update Manager protect partial T1072 Software Deployment Tools
Comments
This control provides partial coverage of attacks that leverage software flaws in unpatched deployment tools since it enables automated updates of software and rapid configuration change management.
References
azure_update_manager Azure Update Manager protect partial T1189 Drive-by Compromise
Comments
This control protects against a subset of drive-by methods that leverage unpatched client software since it enables automated updates of software and rapid configuration change management
References
azure_update_manager Azure Update Manager protect partial T1190 Exploit Public-Facing Application
Comments
This control provides partial coverage for techniques that exploit vulnerabilities in (common) unpatched software since it enables automated updates of software and rapid configuration change management.
References
azure_update_manager Azure Update Manager protect partial T1195 Supply Chain Compromise
Comments
This control provides coverage of some aspects of software supply chain compromise since it enables automated updates of software and rapid configuration change management.
References
azure_update_manager Azure Update Manager protect partial T1195.001 Compromise Software Dependencies and Development Tools
Comments
This control provides coverage of some aspects of software supply chain compromise since it enables automated updates of software and rapid configuration change management.
References
azure_update_manager Azure Update Manager protect partial T1195.002 Compromise Software Supply Chain
Comments
This control provides coverage of some aspects of software supply chain compromise since it enables automated updates of software and rapid configuration change management.
References
azure_update_manager Azure Update Manager protect partial T1499 Endpoint Denial of Service
Comments
This control provides protection against the subset of Denial of Service (DOS) attacks that leverage system/application vulnerabilities as opposed to volumetric attacks since it enables automated updates of software and rapid configuration change management.
References
azure_update_manager Azure Update Manager protect partial T1554 Compromise Host Software Binary
Comments
This control provides partial protection against compromised client software binaries since it can provide a baseline to compare with potentially compromised/modified software binaries.
References
azure_update_manager Azure Update Manager protect significant T1068 Exploitation for Privilege Escalation
Comments
This control provides significant coverage of methods that leverage vulnerabilities in unpatched software since it enables automated updates of software and rapid configuration change management
References
azure_update_manager Azure Update Manager protect significant T1203 Exploitation for Client Execution
Comments
This control provides significant coverage for Exploitation for client execution methods that leverage unpatched vulnerabilities since it enables automated updates of software and rapid configuration change management.
References
azure_update_manager Azure Update Manager protect significant T1210 Exploitation of Remote Services
Comments
This control provides significant coverage of techniques that leverage vulnerabilities in unpatched remote services since it enables automated updates of software and rapid configuration change management.
References
azure_update_manager Azure Update Manager protect significant T1211 Exploitation for Defense Evasion
Comments
This control provides significant coverage of defensive evasion methods that exploit unpatched vulnerabilities in software/systems since it enables automated updates of software and rapid configuration change management.
References
azure_update_manager Azure Update Manager protect significant T1212 Exploitation for Credential Access
Comments
This control provides significant coverage of credential access techniques that leverage unpatched software vulnerabilities since it enables automated updates of software and rapid configuration change management.
References
azure_update_manager Azure Update Manager protect significant T1499.004 Application or System Exploitation
Comments
This control provides significant protection against Denial of Service (DOS) attacks that leverage system/application vulnerabilities as opposed to volumetric attacks since it enables automated updates of software and rapid configuration change management.
References
azure_vpn_gateway Azure VPN Gateway protect partial T1565 Data Manipulation
Comments
This control provides significant protection against one sub-technique (Transmitted Data Manipulation) of this technique while not providing protection for its remaining sub-techniques resulting in overall score of Partial.
References
azure_vpn_gateway Azure VPN Gateway protect significant T1040 Network Sniffing
Comments
This control encrypts traffic traversing over untrusted networks which can prevent information from being gathered via network sniffing.
References
azure_vpn_gateway Azure VPN Gateway protect significant T1557 Adversary-in-the-Middle
Comments
This control can mitigate Man-in-the-Middle attacks that manipulate network protocol data in transit.
References
azure_vpn_gateway Azure VPN Gateway protect significant T1557.001 LLMNR/NBT-NS Poisoning and SMB Relay
Comments
This control can protect against adversary in the middle attacks.
References
azure_vpn_gateway Azure VPN Gateway protect significant T1557.002 ARP Cache Poisoning
Comments
This control can protect against adversary in the middle attacks.
References
azure_vpn_gateway Azure VPN Gateway protect significant T1565.002 Transmitted Data Manipulation
Comments
This control can protect against transmitted data manipulation.
References
azure_vpn_gateway Azure VPN Gateway protect significant T1659 Content Injection
Comments
This capability can mitigate content injection attacks that manipulate data in transit.
References
azure_web_application_firewall Azure Web Application Firewall detect minimal T1071 Application Layer Protocol
Comments
This control can detect one of the sub-techniques of this technique while not providing detection for the remaining, resulting in a Minimal overall score.
References
azure_web_application_firewall Azure Web Application Firewall protect minimal T1071 Application Layer Protocol
Comments
This control can protect against one of the sub-techniques of this technique while not providing protection for the remaining, resulting in a Minimal overall score.
References
azure_web_application_firewall Azure Web Application Firewall detect partial T1046 Network Service Discovery
Comments
This control can detect network service scanning of web applications by an adversary. Because this detection is specific to web applications (although frequent targets) and not other application types enumerated in the procedure examples of this technique (e.g. Active Directory), it has been scored as Partial.
References
azure_web_application_firewall Azure Web Application Firewall detect partial T1071.001 Web Protocols
Comments
This control can detect protocol attacks targeting web applications that may be indicative of adversary activity.
References
azure_web_application_firewall Azure Web Application Firewall detect partial T1595.002 Vulnerability Scanning
Comments
This control can detect active scanning.
References
azure_web_application_firewall Azure Web Application Firewall protect partial T1046 Network Service Discovery
Comments
This control can protect web applications from network service scanning by an adversary. Because this protection is specific to web applications (although frequent targets) and not other application types enumerated in the procedure examples of this technique (e.g. Active Directory), it has been scored as Partial.
References
azure_web_application_firewall Azure Web Application Firewall protect partial T1071.001 Web Protocols
Comments
This control can protect web applications from protocol attacks that may be indicative of adversary activity.
References
azure_web_application_firewall Azure Web Application Firewall protect partial T1595 Active Scanning
Comments
This control can protect web applications from active scanning by an adversary. Because this protection is specific to web applications (although frequent targets) and not other application types, it has been scored as Partial.
References
azure_web_application_firewall Azure Web Application Firewall protect partial T1595.002 Vulnerability Scanning
Comments
Focuses on web vulnerability scanning of OWASP Core Rule Set (CRS).
References
azure_web_application_firewall Azure Web Application Firewall protect partial T1595.003 Wordlist Scanning
Comments
This control can detect active scanning.
References
azure_web_application_firewall Azure Web Application Firewall detect significant T1190 Exploit Public-Facing Application
Comments
This control can detect common web application attack vectors.
References
azure_web_application_firewall Azure Web Application Firewall protect significant T1190 Exploit Public-Facing Application
Comments
This control can protect web applications from common attacks (e.g. SQL injection, XSS).
References
defender_for_app_service Microsoft Defender for Cloud: Defender for App Service detect minimal T1003 OS Credential Dumping
defender_for_app_service Microsoft Defender for Cloud: Defender for App Service detect minimal T1003.001 LSASS Memory
Comments
This control analyzes host data to detect execution of known malicious PowerShell PowerSploit cmdlets. This covers execution of this sub-technique via the Exfiltration modules, but does not address other procedures, and temporal factor is unknown, so score is Minimal.
References
defender_for_app_service Microsoft Defender for Cloud: Defender for App Service detect minimal T1005 Data from Local System
Comments
This control analyzes host data to detect execution of known malicious PowerShell PowerSploit cmdlets. This covers execution of this technique via the Exfiltration modules on Windows, but does not address other procedures or platforms, and temporal factor is unknown, resulting in a Minimal score.
References
defender_for_app_service Microsoft Defender for Cloud: Defender for App Service detect minimal T1012 Query Registry
Comments
This control analyzes host data to detect execution of known malicious PowerShell PowerSploit cmdlets. This covers execution of this technique via the Privesc-PowerUp modules, but does not address other procedures, and temporal factor is unknown, resulting in a Minimal score.
References
defender_for_app_service Microsoft Defender for Cloud: Defender for App Service detect minimal T1027 Obfuscated Files or Information
defender_for_app_service Microsoft Defender for Cloud: Defender for App Service detect minimal T1027.005 Indicator Removal from Tools
Comments
This control analyzes host data to detect execution of known malicious PowerShell PowerSploit cmdlets. This covers execution of this sub-technique via the Find-AVSignature AntivirusBypass module on Windows, but does not address other procedures or platforms, and temporal factor is unknown, resulting in a Minimal score.
References
defender_for_app_service Microsoft Defender for Cloud: Defender for App Service detect minimal T1036 Masquerading
defender_for_app_service Microsoft Defender for Cloud: Defender for App Service detect minimal T1047 Windows Management Instrumentation
Comments
This control analyzes host data to detect execution of known malicious PowerShell PowerSploit cmdlets. This covers execution of this technique via the Invoke-WmiCommand module, but does not address other procedures, and temporal factor is unknown, resulting in a Minimal score.
References
defender_for_app_service Microsoft Defender for Cloud: Defender for App Service detect minimal T1053 Scheduled Task/Job
defender_for_app_service Microsoft Defender for Cloud: Defender for App Service detect minimal T1053.005 Scheduled Task
Comments
This control analyzes host data to detect execution of known malicious PowerShell PowerSploit cmdlets. This covers execution of this sub-technique via the New-UserPersistenceOption Persistence module on Windows, but does not address other procedures, and temporal factor is unknown, resulting in a Minimal score.
References
defender_for_app_service Microsoft Defender for Cloud: Defender for App Service detect minimal T1056 Input Capture
defender_for_app_service Microsoft Defender for Cloud: Defender for App Service detect minimal T1056.001 Keylogging
Comments
This control analyzes host data to detect execution of known malicious PowerShell PowerSploit cmdlets. This covers execution of this sub-technique via the Get-Keystrokes Exfiltration module on Windows, but does not address other procedures or platforms, and temporal factor is unknown, resulting in a Minimal score.
References
defender_for_app_service Microsoft Defender for Cloud: Defender for App Service detect minimal T1057 Process Discovery
Comments
This control analyzes host data to detect execution of known malicious PowerShell PowerSploit cmdlets. This covers execution of this technique via the Get-ProcessTokenPrivilege PowerUp module on Windows, but does not address other procedures or platforms, and temporal factor is unknown, resulting in a Minimal score.
References
defender_for_app_service Microsoft Defender for Cloud: Defender for App Service detect minimal T1059 Command and Scripting Interpreter
Comments
This control provides minimal detection for this technique's procedure examples and only two of its sub-techniques (only certain specific sub-technique behaviors), resulting in a Minimal score.
References
defender_for_app_service Microsoft Defender for Cloud: Defender for App Service detect minimal T1059.001 PowerShell
Comments
This control monitors for execution of known malicious PowerShell PowerSploit cmdlets. Temporal factor is uknown.
References
defender_for_app_service Microsoft Defender for Cloud: Defender for App Service detect minimal T1059.004 Unix Shell
Comments
This control monitors host data for potential reverse shells used for command and control. Temporal factor is unknown.
References
defender_for_app_service Microsoft Defender for Cloud: Defender for App Service detect minimal T1087 Account Discovery
defender_for_app_service Microsoft Defender for Cloud: Defender for App Service detect minimal T1087.001 Local Account
Comments
This control analyzes host data to detect execution of known malicious PowerShell PowerSploit cmdlets. This covers execution of this sub-technique via the Get-ProcessTokenGroup module on Windows, but does not address other procedures or platforms, and temporal factor is unknown, resulting in a Minimal score.
References
defender_for_app_service Microsoft Defender for Cloud: Defender for App Service detect minimal T1113 Screen Capture
Comments
This control analyzes host data to detect execution of known malicious PowerShell PowerSploit cmdlets. This covers execution of this technique via the Get-TimedScreenshot module on Windows, but does not address other procedures or platforms, and temporal factor is unknown, resulting in a Minimal score.
References
defender_for_app_service Microsoft Defender for Cloud: Defender for App Service detect minimal T1123 Audio Capture
Comments
This control analyzes host data to detect execution of known malicious PowerShell PowerSploit cmdlets. This covers execution of this technique via the Get-MicrophoneAudio module on Windows, but does not address other procedures or platforms, and temporal factor is unknown, resulting in a Minimal score.
References
defender_for_app_service Microsoft Defender for Cloud: Defender for App Service detect minimal T1134 Access Token Manipulation
Comments
This control analyzes host data to detect execution of known malicious PowerShell PowerSploit cmdlets. This covers execution of this technique via the Invoke-TokenManipulation module on Windows, but does not address other procedures or platforms, and temporal factor is unknown, resulting in a Minimal score.
References
defender_for_app_service Microsoft Defender for Cloud: Defender for App Service detect minimal T1204 User Execution
defender_for_app_service Microsoft Defender for Cloud: Defender for App Service detect minimal T1204.001 Malicious Link
Comments
This control monitors for references to suspicious domain names and file downloads from known malware sources, and monitors processes for downloads from raw-data websites like Pastebin, all of which are relevant for detecting users' interactions with malicious download links, but malicious links which exploit browser vulnerabilities for execution are unlikely to be detected, and temporal factor is unknown, resulting in a score of Minimal.
References
defender_for_app_service Microsoft Defender for Cloud: Defender for App Service detect minimal T1482 Domain Trust Discovery
Comments
This control analyzes host data to detect execution of known malicious PowerShell PowerSploit cmdlets. This covers execution of this technique via the Get-NetDomainTrust and Get-NetForestTrust modules, but does not address other procedures, and temporal factor is unknown, resulting in a Minimal score.
References
defender_for_app_service Microsoft Defender for Cloud: Defender for App Service detect minimal T1543 Create or Modify System Process
defender_for_app_service Microsoft Defender for Cloud: Defender for App Service detect minimal T1543.003 Windows Service
Comments
This control analyzes host data to detect execution of known malicious PowerShell PowerSploit cmdlets. This covers execution of this sub-technique via the Privesc-PowerUp modules on Windows, but does not address other procedures, and temporal factor is unknown, resulting in a Minimal score.
References
defender_for_app_service Microsoft Defender for Cloud: Defender for App Service detect minimal T1547 Boot or Logon Autostart Execution
defender_for_app_service Microsoft Defender for Cloud: Defender for App Service detect minimal T1547.001 Registry Run Keys / Startup Folder
Comments
This control analyzes host data to detect execution of known malicious PowerShell PowerSploit cmdlets. This covers execution of this sub-technique via New-UserPersistenceOption on Windows, but does not address other procedures or platforms, and temporal factor is unknown, resulting in a Minimal score.
References
defender_for_app_service Microsoft Defender for Cloud: Defender for App Service detect minimal T1547.005 Security Support Provider
Comments
This control analyzes host data to detect execution of known malicious PowerShell PowerSploit cmdlets. This covers execution of this sub-technique via the Install-SSP module on Windows, but does not address other procedures or platforms, and temporal factor is unknown, resulting in a Minimal score.
References
defender_for_app_service Microsoft Defender for Cloud: Defender for App Service detect minimal T1552 Unsecured Credentials
defender_for_app_service Microsoft Defender for Cloud: Defender for App Service detect minimal T1552.002 Credentials in Registry
Comments
This control analyzes host data to detect execution of known malicious PowerShell PowerSploit cmdlets. This covers execution of this sub-technique via the Get-UnattendedInstallFile, Get-Webconfig, Get-ApplicationHost, Get-SiteListPassword, Get-CachedGPPPassword, and RegistryAutoLogon modules, but does not address other procedures, and temporal factor is unknown, resulting in a Minimal.
References
defender_for_app_service Microsoft Defender for Cloud: Defender for App Service detect minimal T1552.006 Group Policy Preferences
Comments
This control analyzes host data to detect execution of known malicious PowerShell PowerSploit cmdlets. This covers execution of this sub-technique via the Exfiltration modules, but does not address other procedures, and temporal factor is unknown, resulting in a Minimal score.
References
defender_for_app_service Microsoft Defender for Cloud: Defender for App Service detect minimal T1555 Credentials from Password Stores
Comments
This control analyzes host data to detect execution of known malicious PowerShell PowerSploit cmdlets. This covers execution of this technique via the PowerSploit Exfiltration modules on Windows, but does not address other procedures or platforms, and temporal factor is unknown, resulting in a Minimal score.
References
defender_for_app_service Microsoft Defender for Cloud: Defender for App Service detect minimal T1558 Steal or Forge Kerberos Tickets
defender_for_app_service Microsoft Defender for Cloud: Defender for App Service detect minimal T1558.003 Kerberoasting
Comments
This control analyzes host data to detect execution of known malicious PowerShell PowerSploit cmdlets. This covers execution of this sub-technique via the Invoke-Kerberoast module, but does not address other procedures, and temporal factor is unknown, resulting in a Minimal score.
References
defender_for_app_service Microsoft Defender for Cloud: Defender for App Service detect minimal T1574 Hijack Execution Flow
defender_for_app_service Microsoft Defender for Cloud: Defender for App Service detect minimal T1574.001 DLL Search Order Hijacking
Comments
This control analyzes host data to detect execution of known malicious PowerShell PowerSploit cmdlets. This covers execution of these sub-techniques via the Privesc-PowerUp modules, but does not address other procedures, and temporal factor is unknown, resulting in a Minimal score.
References
defender_for_app_service Microsoft Defender for Cloud: Defender for App Service detect minimal T1574.007 Path Interception by PATH Environment Variable
Comments
This control analyzes host data to detect execution of known malicious PowerShell PowerSploit cmdlets. This covers execution of these sub-techniques via the Privesc-PowerUp modules, but does not address other procedures, and temporal factor is unknown, resulting in a Minimal score.
References
defender_for_app_service Microsoft Defender for Cloud: Defender for App Service detect minimal T1574.008 Path Interception by Search Order Hijacking
Comments
This control analyzes host data to detect execution of known malicious PowerShell PowerSploit cmdlets. This covers execution of these sub-techniques via the Privesc-PowerUp modules, but does not address other procedures, and temporal factor is unknown, resulting in a Minimal score.
References
defender_for_app_service Microsoft Defender for Cloud: Defender for App Service detect minimal T1574.009 Path Interception by Unquoted Path
Comments
This control analyzes host data to detect execution of known malicious PowerShell PowerSploit cmdlets. This covers execution of these sub-techniques via the Privesc-PowerUp modules, but does not address other procedures, and temporal factor is unknown, resulting in a Minimal score.
References
defender_for_app_service Microsoft Defender for Cloud: Defender for App Service detect minimal T1595 Active Scanning
defender_for_app_service Microsoft Defender for Cloud: Defender for App Service protect minimal T1566 Phishing
defender_for_app_service Microsoft Defender for Cloud: Defender for App Service protect minimal T1566.002 Spearphishing Link
Comments
This control monitors for known phishing links on the Azure App Services website and generates alerts if they are detected, potentially preventing their access by users. This is a very specific avenue, only covers known links, and temporal factor is unknown, resulting in a Minimal score.
References
defender_for_app_service Microsoft Defender for Cloud: Defender for App Service protect minimal T1584 Compromise Infrastructure
defender_for_app_service Microsoft Defender for Cloud: Defender for App Service detect partial T1036.005 Match Legitimate Name or Location
Comments
This control analyzes host data to detect processes with suspicious names, including those named in a way that is suggestive of attacker tools that try to hide in plain sight. False positives are probable, and temporal factor is unknown.
References
defender_for_app_service Microsoft Defender for Cloud: Defender for App Service detect partial T1055 Process Injection
Comments
This control's Fileless Attack Detection covers all relevant sub-techniques. The control also specifically detects process hollowing, executable image injection, and threads started in a dynamically allocated code segment. Detection is periodic at an unknown rate.
References
defender_for_app_service Microsoft Defender for Cloud: Defender for App Service detect partial T1055.001 Dynamic-link Library Injection
Comments
Injection attacks are specifically cited as a detection focus for Fileless Attack Detection, which is part of this control, with even more specific references to Process Hollowing, executable image injection, and threads started in a dynamically allocated code segment. Detection is periodic at an unknown rate.
References
defender_for_app_service Microsoft Defender for Cloud: Defender for App Service detect partial T1055.002 Portable Executable Injection
Comments
Injection attacks are specifically cited as a detection focus for Fileless Attack Detection, which is part of this control, with even more specific references to Process Hollowing, executable image injection, and threads started in a dynamically allocated code segment. Detection is periodic at an unknown rate.
References
defender_for_app_service Microsoft Defender for Cloud: Defender for App Service detect partial T1055.003 Thread Execution Hijacking
Comments
Injection attacks are specifically cited as a detection focus for Fileless Attack Detection, which is part of this control, with even more specific references to Process Hollowing, executable image injection, and threads started in a dynamically allocated code segment. Detection is periodic at an unknown rate.
References
defender_for_app_service Microsoft Defender for Cloud: Defender for App Service detect partial T1055.004 Asynchronous Procedure Call
Comments
Injection attacks are specifically cited as a detection focus for Fileless Attack Detection, which is part of this control, with even more specific references to Process Hollowing, executable image injection, and threads started in a dynamically allocated code segment. Detection is periodic at an unknown rate.
References
defender_for_app_service Microsoft Defender for Cloud: Defender for App Service detect partial T1055.005 Thread Local Storage
Comments
Injection attacks are specifically cited as a detection focus for Fileless Attack Detection, which is part of this control, with even more specific references to Process Hollowing, executable image injection, and threads started in a dynamically allocated code segment. Detection is periodic at an unknown rate.
References
defender_for_app_service Microsoft Defender for Cloud: Defender for App Service detect partial T1055.008 Ptrace System Calls
Comments
Injection attacks are specifically cited as a detection focus for Fileless Attack Detection, which is part of this control, with even more specific references to Process Hollowing, executable image injection, and threads started in a dynamically allocated code segment. Detection is periodic at an unknown rate.
References
defender_for_app_service Microsoft Defender for Cloud: Defender for App Service detect partial T1055.009 Proc Memory
Comments
Injection attacks are specifically cited as a detection focus for Fileless Attack Detection, which is part of this control, with even more specific references to Process Hollowing, executable image injection, and threads started in a dynamically allocated code segment. Detection is periodic at an unknown rate.
References
defender_for_app_service Microsoft Defender for Cloud: Defender for App Service detect partial T1055.011 Extra Window Memory Injection
Comments
Injection attacks are specifically cited as a detection focus for Fileless Attack Detection, which is part of this control, with even more specific references to Process Hollowing, executable image injection, and threads started in a dynamically allocated code segment. Detection is periodic at an unknown rate.
References
defender_for_app_service Microsoft Defender for Cloud: Defender for App Service detect partial T1055.012 Process Hollowing
Comments
Injection attacks are specifically cited as a detection focus for Fileless Attack Detection, which is part of this control, with even more specific references to Process Hollowing, executable image injection, and threads started in a dynamically allocated code segment. Detection is periodic at an unknown rate.
References
defender_for_app_service Microsoft Defender for Cloud: Defender for App Service detect partial T1055.013 Process Doppelgänging
Comments
Injection attacks are specifically cited as a detection focus for Fileless Attack Detection, which is part of this control, with even more specific references to Process Hollowing, executable image injection, and threads started in a dynamically allocated code segment. Detection is periodic at an unknown rate.
References
defender_for_app_service Microsoft Defender for Cloud: Defender for App Service detect partial T1055.014 VDSO Hijacking
Comments
Injection attacks are specifically cited as a detection focus for Fileless Attack Detection, which is part of this control, with even more specific references to Process Hollowing, executable image injection, and threads started in a dynamically allocated code segment. Detection is periodic at an unknown rate.
References
defender_for_app_service Microsoft Defender for Cloud: Defender for App Service detect partial T1068 Exploitation for Privilege Escalation
Comments
This control's Fileless Attack Detection identifies shellcode executing within process memory, including shellcode executed as a payload in the exploitation of a software vulnerability. Detection is periodic at an unknown rate.
References
defender_for_app_service Microsoft Defender for Cloud: Defender for App Service detect partial T1105 Ingress Tool Transfer
Comments
This control detects binary downloads via certutil, monitors for FTP access from IP addresses found in threat intelligence, monitors for references to suspicious domain names and file downloads from known malware sources, and monitors processes for downloads from raw-data websites like Pastebin. Temporal factor is unknown.
References
defender_for_app_service Microsoft Defender for Cloud: Defender for App Service detect partial T1140 Deobfuscate/Decode Files or Information
defender_for_app_service Microsoft Defender for Cloud: Defender for App Service detect partial T1189 Drive-by Compromise
Comments
This control's Fileless Attack Detection identifies shellcode executing within process memory, including shellcode injected into browser or other process memory as part of a drive-by attack. Detection is periodic at an unknown rate.
References
defender_for_app_service Microsoft Defender for Cloud: Defender for App Service detect partial T1190 Exploit Public-Facing Application
Comments
This control's Fileless Attack Detection identifies shellcode executing within process memory, including shellcode injected to exploit a vulnerability in a public-facing application. Detection is periodic at an unknown rate.
References
defender_for_app_service Microsoft Defender for Cloud: Defender for App Service detect partial T1203 Exploitation for Client Execution
Comments
This control's Fileless Attack Detection identifies shellcode executing within process memory, including shellcode executed as a payload in the exploitation of a software vulnerability. Detection is periodic at an unknown rate.
References
defender_for_app_service Microsoft Defender for Cloud: Defender for App Service detect partial T1210 Exploitation of Remote Services
Comments
This control's Fileless Attack Detection identifies shellcode executing within process memory, including shellcode injected to exploit a vulnerability in an exposed service. Detection is periodic at an unknown rate.
References
defender_for_app_service Microsoft Defender for Cloud: Defender for App Service detect partial T1211 Exploitation for Defense Evasion
Comments
This control's Fileless Attack Detection identifies shellcode executing within process memory, including shellcode executed as a payload in the exploitation of a software vulnerability. Detection is periodic at an unknown rate.
References
defender_for_app_service Microsoft Defender for Cloud: Defender for App Service detect partial T1212 Exploitation for Credential Access
Comments
This control's Fileless Attack Detection identifies shellcode executing within process memory, including shellcode executed as a payload in the exploitation of a software vulnerability. Detection is periodic at an unknown rate.
References
defender_for_app_service Microsoft Defender for Cloud: Defender for App Service detect partial T1496 Resource Hijacking
Comments
This control detects file downloads associated with digital currency mining as well as host data related to process and command execution associated with mining. It also includes fileless attack detection, which specifically targets crypto mining activity. Temporal factor is unknown.
References
defender_for_app_service Microsoft Defender for Cloud: Defender for App Service detect partial T1496.001 Compute Hijacking
Comments
This control detects file downloads associated with digital currency mining as well as host data related to process and command execution associated with mining. It also includes fileless attack detection, which specifically targets crypto mining activity. Temporal factor is unknown.
References
defender_for_app_service Microsoft Defender for Cloud: Defender for App Service detect partial T1496.004 Cloud Service Hijacking
Comments
This control detects file downloads associated with digital currency mining as well as host data related to process and command execution associated with mining. It also includes fileless attack detection, which specifically targets crypto mining activity. Temporal factor is unknown.
References
defender_for_app_service Microsoft Defender for Cloud: Defender for App Service detect partial T1559 Inter-Process Communication
defender_for_app_service Microsoft Defender for Cloud: Defender for App Service detect partial T1559.001 Component Object Model
Comments
This control's Fileless Attack Detection identifies suspicious command execution within process memory. Detection is periodic at an unknown rate.
References
defender_for_app_service Microsoft Defender for Cloud: Defender for App Service detect partial T1559.002 Dynamic Data Exchange
Comments
This control's Fileless Attack Detection identifies suspicious command execution within process memory. Detection is periodic at an unknown rate.
References
defender_for_app_service Microsoft Defender for Cloud: Defender for App Service detect partial T1594 Search Victim-Owned Websites
Comments
This control monitors for accesses of potentially sensitive web pages from source IP addresses whose access pattern resembles that of a web scanner or have not been logged before. Temporal factor is unknown.
References
defender_for_app_service Microsoft Defender for Cloud: Defender for App Service detect partial T1595.002 Vulnerability Scanning
Comments
This control monitors for web fingerprinting tools including nmap and Blind Elephant, as well as scanners looking for vulnerability in applications like Drupal, Joomla, and WordPress. Temporal factor is unknown.
References
defender_for_app_service Microsoft Defender for Cloud: Defender for App Service detect partial T1595.003 Wordlist Scanning
Comments
This control can protect web applications from active scanning by an adversary. Because this protection is specific to web applications (although frequent targets) and not other application types, it has been scored as Partial.
References
defender_for_app_service Microsoft Defender for Cloud: Defender for App Service detect partial T1620 Reflective Code Loading
Comments
This capability analyzes host data to detect processes with suspicious attributes, including those created anonymously.
References
defender_for_app_service Microsoft Defender for Cloud: Defender for App Service protect partial T1027.006 HTML Smuggling
Comments
This control can protect against HTML smuggling.
References
defender_for_app_service Microsoft Defender for Cloud: Defender for App Service protect partial T1027.007 Dynamic API Resolution
Comments
This control can protect against abuse of dynamic API resolution.
References
defender_for_app_service Microsoft Defender for Cloud: Defender for App Service protect partial T1027.009 Embedded Payloads
Comments
This control can protect against embedded payloads.
References
defender_for_app_service Microsoft Defender for Cloud: Defender for App Service protect partial T1027.010 Command Obfuscation
Comments
This control can protect against command obfuscation attacks.
References
defender_for_app_service Microsoft Defender for Cloud: Defender for App Service protect partial T1027.013 Encrypted/Encoded File
Comments
This control can protect against obsfucation via encrypted/encoded files.
References
defender_for_app_service Microsoft Defender for Cloud: Defender for App Service protect partial T1027.014 Polymorphic Code
Comments
This control can protect against obsfucation via polymorphic code.
References
defender_for_app_service Microsoft Defender for Cloud: Defender for App Service protect partial T1648 Serverless Execution
Comments
This capability can protect against abuse of Azure Functions.
References
defender_for_app_service Microsoft Defender for Cloud: Defender for App Service protect significant T1584.001 Domains
Comments
Subdomain hijacking is a focus of this control, and its Dangling DNS detection alert feature is activated when an App Service website is decommissioned and its corresponding DNS entry is not deleted, allowing users to remove those entries before they can be leveraged by an adversary.
References
defender_for_azure_sql_databases Microsoft Defender for Azure SQL Databases protect minimal T1078 Valid Accounts
Comments
This control can protect against abuse of valid accounts.
References
defender_for_azure_sql_databases Microsoft Defender for Azure SQL Databases protect minimal T1112 Modify Registry
Comments
This control may scan for any stored procedures that can access the Registry and checks that permission to execute those stored procedures have been revoked from all users (other than dbo).
References
defender_for_azure_sql_databases Microsoft Defender for Azure SQL Databases protect minimal T1190 Exploit Public-Facing Application
Comments
This control provides recommendations to patch if SQL server is out of date and to disable unneeded features to reduce exploitable surface area.
References
defender_for_azure_sql_databases Microsoft Defender for Azure SQL Databases protect minimal T1505 Server Software Component
Comments
This control can protect against abuse of server software components for persistence.
References
defender_for_azure_sql_databases Microsoft Defender for Azure SQL Databases protect partial T1068 Exploitation for Privilege Escalation
Comments
This control may scan for users with unnecessary permissions and if SQL Server is out of date.
References
defender_for_azure_sql_databases Microsoft Defender for Azure SQL Databases protect partial T1078.001 Default Accounts
Comments
This control may provide recommendations to disable default accounts and restrict permissions for existing accounts.
References
defender_for_azure_sql_databases Microsoft Defender for Azure SQL Databases protect partial T1505.001 SQL Stored Procedures
Comments
This control may scan for users with unnecessary access to SQL stored procedures.
References
defender_for_containers Microsoft Defender for Containers protect minimal T1068 Exploitation for Privilege Escalation
Comments
This control may provide recommendations to avoid privileged containers and running containers as root.
References
defender_for_containers Microsoft Defender for Containers protect minimal T1190 Exploit Public-Facing Application
Comments
This control may provide provide information about vulnerabilities within container images. The limited scope of containers and registries that are applicable to this control contribute to the lower score.
References
defender_for_containers Microsoft Defender for Containers detect partial T1053.007 Container Orchestration Job
Comments
This control can detect when containers are created.
References
defender_for_containers Microsoft Defender for Containers detect partial T1068 Exploitation for Privilege Escalation
Comments
This control may alert on detection of new privileged containers and high privilege roles.
References
defender_for_containers Microsoft Defender for Containers detect partial T1070 Indicator Removal
Comments
This control may alert on deletion of Kubernetes events. Attackers might delete those events for hiding their operations in the cluster. There is no relevant sub-technique for this control but the parent applies.
References
defender_for_containers Microsoft Defender for Containers detect partial T1098.006 Additional Container Cluster Roles
Comments
This control can detect when changes are made to containers that indicate account manipulation.
References
defender_for_containers Microsoft Defender for Containers detect partial T1204 User Execution
Comments
This control can detect container behavior associated with this technique.
References
defender_for_containers Microsoft Defender for Containers detect partial T1204.003 Malicious Image
Comments
This capability can detect when containers are created or started.
References
defender_for_containers Microsoft Defender for Containers detect partial T1525 Implant Internal Image
Comments
This control may scan and alert on import or creation of container images with known vulnerabilities or a possible expanded surface area for exploitation.
References
defender_for_containers Microsoft Defender for Containers detect partial T1525 Implant Internal Image
Comments
This control may alert on containers with sensitive volume mounts, unneeded privileges, or running an image with digital currency mining software.
References
defender_for_containers Microsoft Defender for Containers detect partial T1611 Escape to Host
Comments
This capability can detect escape to host.
References
defender_for_containers Microsoft Defender for Containers detect partial T1612 Build Image on Host
Comments
This capability can detect building a container image on the host.
References
defender_for_containers Microsoft Defender for Containers protect partial T1190 Exploit Public-Facing Application
Comments
This control may alert on publicly exposed Kubernetes services. This may provide context on services that should be patched or hardened for public access.
References
defender_for_containers Microsoft Defender for Containers protect partial T1525 Implant Internal Image
Comments
This control may prevent adversaries from implanting malicious container images through fine grained permissions and use of container image tag signing. Image tag signing allows for verifiable container images that have been signed with legitimate keys.
References
defender_for_containers Microsoft Defender for Containers protect partial T1552.007 Container API
Comments
This capability can be integrated with others to secure credentials.
References
defender_for_containers Microsoft Defender for Containers protect partial T1611 Escape to Host
Comments
This capability can protect against escape to host attacks.
References
defender_for_containers Microsoft Defender for Containers protect partial T1612 Build Image on Host
Comments
This capability can protect against building a container image on the host.
References
defender_for_containers Microsoft Defender for Containers detect significant T1609 Container Administration Command
Comments
This capability can detect abuse of container administration services.
References
defender_for_containers Microsoft Defender for Containers detect significant T1610 Deploy Container
Comments
This capability can detect unauthorized deployment of containers.
References
defender_for_containers Microsoft Defender for Containers detect significant T1613 Container and Resource Discovery
Comments
This capability can detect container discovery.
References
defender_for_containers Microsoft Defender for Containers detect significant T1619 Cloud Storage Object Discovery
Comments
This capability can detect cloud storage object (blob) discovery.
References
defender_for_containers Microsoft Defender for Containers protect significant T1609 Container Administration Command
Comments
This capability can protect against abuse of container administration services.
References
defender_for_containers Microsoft Defender for Containers protect significant T1610 Deploy Container
Comments
This capability can protect against unauthorized deployment of containers.
References
defender_for_containers Microsoft Defender for Containers protect significant T1613 Container and Resource Discovery
Comments
This capability can protect against container discovery.
References
defender_for_containers Microsoft Defender for Containers protect significant T1619 Cloud Storage Object Discovery
Comments
This capability can protect against cloud object storage (blob) discovery.
References
defender_for_key_vault Microsoft Defender for Key Vault detect minimal T1580 Cloud Infrastructure Discovery
Comments
This control may alert on suspicious access of key vaults, including suspicious listing of key vault contents. This control does not alert on discovery of other cloud services, such as VMs, snapshots, cloud storage and therefore has minimal coverage. Suspicious activity based on patterns of access from certain users and applications allows for managing false positive rates.
References
defender_for_key_vault Microsoft Defender for Key Vault detect partial T1555 Credentials from Password Stores
defender_for_key_vault Microsoft Defender for Key Vault detect partial T1555.006 Cloud Secrets Management Stores
Comments
This control may detect suspicious secret access from Azure key vaults.
References
defender_for_open_source_databases Microsoft Defender for Open-Source Relational Databases detect partial T1110 Brute Force
Comments
This control can detect attempted or successful brute force attacks.
References
defender_for_open_source_databases Microsoft Defender for Open-Source Relational Databases detect partial T1190 Exploit Public-Facing Application
Comments
This control can detect artifacts of common exploit traffic.
References
defender_for_open_source_databases Microsoft Defender for Open-Source Relational Databases detect partial T1213 Data from Information Repositories
Comments
This control can detect suspicious login activity.
References
defender_for_open_source_databases Microsoft Defender for Open-Source Relational Databases detect partial T1580 Cloud Infrastructure Discovery
Comments
This control can detect unusual activity related to cloud data object storage enumeration.
References
defender_for_open_source_databases Microsoft Defender for Open-Source Relational Databases detect partial T1595 Active Scanning
Comments
This control can detect traffic patterns and packet inspection associated to protocols that do not follow the expected protocol standards and traffic flows (e.g., extraneous packets that do not belong to established flows).
References
defender_for_resource_manager Microsoft Defender for Resource Manager detect minimal T1068 Exploitation for Privilege Escalation
Comments
This control may alert on escalation attempts from Azure AD to Azure accounts by specific exploitation toolkits. Consequently, its Coverage score is Minimal resulting in an overall Minimal score. The following alerts may be generated: "PowerZure exploitation toolkit used to elevate access from Azure AD to Azure".
References
defender_for_resource_manager Microsoft Defender for Resource Manager detect minimal T1069 Permission Groups Discovery
Comments
This control may alert on Azure domain cloud groups discovery activity but may not provide alerts for other account types or undocumented exploitation toolkits. Consequently, its Coverage score is Minimal resulting in an overall Minimal score.
References
defender_for_resource_manager Microsoft Defender for Resource Manager detect minimal T1087 Account Discovery
Comments
This control may alert on Azure cloud account discovery activity but may not provide alerts for other account types or undocumented exploitation toolkits. Consequently, its Coverage score is Minimal resulting in an overall Minimal score.
References
defender_for_resource_manager Microsoft Defender for Resource Manager detect minimal T1555 Credentials from Password Stores
Comments
This control may alert on credential dumping from Azure Key Vaults, App Services Configurations, and Automation accounts by specific exploitation toolkits. Consequently, its Coverage score is Minimal resulting in an overall Minimal score. The following alerts may be generated: "MicroBurst exploitation toolkit used to extract secrets from your Azure key vaults", "MicroBurst exploitation toolkit used to extract keys to your storage accounts".
References
defender_for_resource_manager Microsoft Defender for Resource Manager detect minimal T1562 Impair Defenses
Comments
This control may alert on Windows Defender security features being disabled but does not alert on other security tools or logging being disabled or tampered with. Consequently, its Coverage score is Minimal resulting in an overall Minimal score.
References
defender_for_resource_manager Microsoft Defender for Resource Manager detect partial T1069.003 Cloud Groups
Comments
This control may alert on Permission Groups Discovery of Cloud Groups activity generated by specific toolkits, such as MicroBurst, PowerZure, etc. It may not generate alerts on undocumented discovery techniques or exploitation toolkits. The following alerts may be generated: "MicroBurst exploitation toolkit used to enumerate resources in your subscriptions", "Azurite toolkit run detected".
References
defender_for_resource_manager Microsoft Defender for Resource Manager detect partial T1087.004 Cloud Account
Comments
This control may alert on Account Discovery of Cloud Accounts activity generated by specific toolkits, such as MicroBurst, PowerZure, etc. It may not generate alerts on undocumented discovery techniques or exploitation toolkits. The following alerts may be generated: "PowerZure exploitation toolkit used to enumerate storage containers, shares, and tables", "PowerZure exploitation toolkit used to enumerate resources", "MicroBurst exploitation toolkit used to enumerate resources in your subscriptions", "Azurite toolkit run detected".
References
defender_for_resource_manager Microsoft Defender for Resource Manager detect partial T1526 Cloud Service Discovery
Comments
This control may alert on Cloud Service Discovery activity generated by specific toolkits, such as MicroBurst, PowerZure, etc. It may not generate alerts on undocumented discovery techniques or exploitation toolkits. The following alerts may be generated: "PowerZure exploitation toolkit used to enumerate storage containers, shares, and tables", "PowerZure exploitation toolkit used to enumerate resources", "MicroBurst exploitation toolkit used to enumerate resources in your subscriptions".
References
defender_for_resource_manager Microsoft Defender for Resource Manager detect partial T1538 Cloud Service Dashboard
Comments
This control may alert on suspicious management activity based on IP, time, anomalous behaviour, or PowerShell usage. Machine learning algorithms are used to reduce false positives. The following alerts may be generated: "Activity from a risky IP address", "Activity from infrequent country", "Impossible travel activity", "Suspicious management session using PowerShell detected", "Suspicious management session using an inactive account detected", "Suspicious management session using Azure portal detected".
References
defender_for_resource_manager Microsoft Defender for Resource Manager detect partial T1562.001 Disable or Modify Tools
Comments
The following alerts are available for Windows Defender security features being disabled but none for third party security tools: "Antimalware broad files exclusion in your virtual machine", "Antimalware disabled and code execution in your virtual machine", "Antimalware disabled in your virtual machine", "Antimalware file exclusion and code execution in your virtual machine", "Antimalware file exclusion in your virtual machine", "Antimalware real-time protection was disabled in your virtual machine", "Antimalware real-time protection was disabled temporarily in your virtual machine", "Antimalware real-time protection was disabled temporarily while code was executed in your virtual machine", "Antimalware temporarily disabled in your virtual machine", "Antimalware unusual file exclusion in your virtual machine".
References
defender_for_resource_manager Microsoft Defender for Resource Manager detect partial T1580 Cloud Infrastructure Discovery
Comments
This control may alert on Cloud Infrastructure Discovery activity generated by specific toolkits, such as MicroBurst, PowerZure, etc. It may not generate alerts on undocumented discovery techniques or exploitation toolkits. The following alerts may be generated: "PowerZure exploitation toolkit used to enumerate storage containers, shares, and tables", "PowerZure exploitation toolkit used to enumerate resources", "MicroBurst exploitation toolkit used to enumerate resources in your subscriptions", "Azurite toolkit run detected".
References
just-in-time_vm_access Microsoft Defender for Cloud: Just-in-Time VM Access protect minimal T1190 Exploit Public-Facing Application
Comments
This control can be configured to completely block inbound access to selected ports until access is requested. This prevents any attempt at exploitation of a public-facing application unless the attacker has the credentials and permissions to request such access. Even if permission has been granted to an authorized user to access the virtual machine, a list of authorized IP addresses for that access can be configured. The score is minimal, since this control only applies to specific applications requiring credentialed access, as opposed to a public webserver
References
just-in-time_vm_access Microsoft Defender for Cloud: Just-in-Time VM Access protect significant T1110 Brute Force
Comments
This control can be configured to completely block inbound access to selected ports until access is requested. This prevents any attempt at brute forcing a protocol, such as RDP or SSH, unless the attacker has the credentials and permissions to request such access. Even if permission has been granted to an authorized user to access the virtual machine, a list of authorized IP addresses for that access can be configured.
References
just-in-time_vm_access Microsoft Defender for Cloud: Just-in-Time VM Access protect significant T1110.001 Password Guessing
Comments
This control can be configured to completely block inbound access to selected ports until access is requested. This prevents any attempt at brute forcing a protocol, such as RDP or SSH, unless the attacker has the credentials and permissions to request such access. Even if permission has been granted to an authorized user to access the virtual machine, a list of authorized IP addresses for that access can be configured.
References
just-in-time_vm_access Microsoft Defender for Cloud: Just-in-Time VM Access protect significant T1110.003 Password Spraying
Comments
This control can be configured to completely block inbound access to selected ports until access is requested. This prevents any attempt at brute forcing a protocol, such as RDP or SSH, unless the attacker has the credentials and permissions to request such access. Even if permission has been granted to an authorized user to access the virtual machine, a list of authorized IP addresses for that access can be configured.
References
just-in-time_vm_access Microsoft Defender for Cloud: Just-in-Time VM Access protect significant T1110.004 Credential Stuffing
Comments
This control can be configured to completely block inbound access to selected ports until access is requested. This prevents any attempt at brute forcing a protocol, such as RDP or SSH, unless the attacker has the credentials and permissions to request such access. Even if permission has been granted to an authorized user to access the virtual machine, a list of authorized IP addresses for that access can be configured.
References
just-in-time_vm_access Microsoft Defender for Cloud: Just-in-Time VM Access protect significant T1133 External Remote Services
Comments
This control can be configured to completely block inbound access to selected ports until access is requested. This prevents any attempt at utilizing external remote services, such as RDP or a VPN, unless the attacker has the credentials and permissions to request such access. Even if permission has been granted to an authorized user to access the virtual machine, a list of authorized IP addresses for that access can be configured.
References
just-in-time_vm_access Microsoft Defender for Cloud: Just-in-Time VM Access protect significant T1548.005 Temporary Elevated Cloud Access
Comments
This control may mitigate unauthorized elevated cloud access.
References
just-in-time_vm_access Microsoft Defender for Cloud: Just-in-Time VM Access protect significant T1651 Cloud Administration Command
Comments
This capability can protect against unauthorized cloud administration.
References
microsoft_antimalware_for_azure Microsoft Antimalware for Azure detect minimal T1027 Obfuscated Files or Information
microsoft_antimalware_for_azure Microsoft Antimalware for Azure detect minimal T1027.002 Software Packing
Comments
This control may detect malware that has been packed by well known software packing utilities. These utilities can provide signatures that apply to a variety of malware.
References
microsoft_antimalware_for_azure Microsoft Antimalware for Azure detect minimal T1105 Ingress Tool Transfer
Comments
This control may scan created files for malware. This control is dependent on a signature being available.
References
microsoft_antimalware_for_azure Microsoft Antimalware for Azure detect minimal T1204.002 Malicious File
Comments
This control monitors activity in cloud services and on virtual machines to detect malware execution. This is dependent on a signature being available.
References
microsoft_antimalware_for_azure Microsoft Antimalware for Azure detect minimal T1566 Phishing
microsoft_antimalware_for_azure Microsoft Antimalware for Azure protect minimal T1027 Obfuscated Files or Information
microsoft_antimalware_for_azure Microsoft Antimalware for Azure protect minimal T1027.002 Software Packing
Comments
This control may quarantine and/or delete malware that has been packed by well known software packing utilities. These utilities can provide signatures that apply to a variety of malware.
References
microsoft_antimalware_for_azure Microsoft Antimalware for Azure protect minimal T1105 Ingress Tool Transfer
Comments
This control may scan created files for malware and proceed to quarantine and/or delete the file. This control is dependent on a signature being available.
References
microsoft_antimalware_for_azure Microsoft Antimalware for Azure protect minimal T1204 User Execution
microsoft_antimalware_for_azure Microsoft Antimalware for Azure protect minimal T1204.002 Malicious File
Comments
This control monitors activity in cloud services and on virtual machines to block malware execution. This is dependent on a signature being available.
References
microsoft_antimalware_for_azure Microsoft Antimalware for Azure protect minimal T1566 Phishing
microsoft_antimalware_for_azure Microsoft Antimalware for Azure protect minimal T1566.001 Spearphishing Attachment
Comments
This control may quarantine and/or delete any spearphishing attachment that has been downloaded and matches a malware signature. Customized malware without a matching signature may not generate an alert.
References
microsoft_antimalware_for_azure Microsoft Antimalware for Azure detect partial T1566.001 Spearphishing Attachment
Comments
This control may detect any spearphishing attachment that has been downloaded and matches a malware signature. Customized malware without a matching signature may not generate an alert.
References
microsoft_antimalware_for_azure Microsoft Antimalware for Azure protect partial T1027.006 HTML Smuggling
Comments
This control can protect against HTML smuggling.
References
microsoft_antimalware_for_azure Microsoft Antimalware for Azure protect partial T1027.009 Embedded Payloads
Comments
This control can protect against embedded payloads.
References
microsoft_antimalware_for_azure Microsoft Antimalware for Azure protect partial T1027.010 Command Obfuscation
Comments
This control can protect against command obfuscation attacks.
References
microsoft_antimalware_for_azure Microsoft Antimalware for Azure protect partial T1027.011 Fileless Storage
Comments
This control can protect against fileless storage attacks.
References
microsoft_antimalware_for_azure Microsoft Antimalware for Azure protect partial T1027.012 LNK Icon Smuggling
Comments
This control can protect against LNK icon smuggling.
References
microsoft_antimalware_for_azure Microsoft Antimalware for Azure protect partial T1027.013 Encrypted/Encoded File
Comments
This control can protect against obsfucation via encrypted/encoded files.
References
microsoft_antimalware_for_azure Microsoft Antimalware for Azure protect partial T1027.014 Polymorphic Code
Comments
This control can protect against obsfucation via polymorphic code.
References
microsoft_antimalware_for_azure Microsoft Antimalware for Azure protect partial T1036.008 Masquerade File Type
Comments
This control can protect from malware.
References
defender_for_apis Microsoft Defender for Cloud: Microsoft Defender for APIs detect partial T1059.009 Cloud API
Comments
This control can detect when anomalous parameters are passed to a cloud API that could indicate abuse of a command and scripting interpreter.
References
defender_for_apis Microsoft Defender for Cloud: Microsoft Defender for APIs detect significant T1552.007 Container API
Comments
This capability can detect anomalous usage of APIs.
References
defender_for_apis Microsoft Defender for Cloud: Microsoft Defender for APIs protect significant T1552.007 Container API
Comments
This capability can support configuration of APIs to protect against access to unsecured credentials.
References
defender_for_apis Microsoft Defender for Cloud: Microsoft Defender for APIs protect partial T1555 Credentials from Password Stores
Comments
This control can protect APIs from adversaries attempting to access credentials.
References
vulnerability_management Microsoft Defender for Cloud: Vulnerability Management protect partial T1068 Exploitation for Privilege Escalation
Comments
Once this control is deployed, it can detect known vulnerabilities in Windows and various Linux endpoints. This information can be used to patch, isolate, or remove vulnerable software and machines. This control does not directly protect against exploitation and it is not effective against zero day attacks, vulnerabilities with no available patch, and software that may not be analyzed by the scanner. As a result, the score is capped at Partial.
References
vulnerability_management Microsoft Defender for Cloud: Vulnerability Management protect partial T1189 Drive-by Compromise
Comments
Once this control is deployed, it can detect known vulnerabilities in Windows and various Linux endpoints. This information can be used to patch, isolate, or remove vulnerable software and machines. This control does not directly protect against exploitation and it is not effective against zero day attacks, vulnerabilities with no available patch, and software that may not be analyzed by the scanner. As a result, the score is capped at Partial.
References
vulnerability_management Microsoft Defender for Cloud: Vulnerability Management protect partial T1190 Exploit Public-Facing Application
Comments
Once this control is deployed, it can detect known vulnerabilities in Windows and various Linux endpoints. This information can be used to patch, isolate, or remove vulnerable software and machines. This control does not directly protect against exploitation and it is not effective against zero day attacks, vulnerabilities with no available patch, and software that may not be analyzed by the scanner. As a result, the score is capped at Partial.
References
vulnerability_management Microsoft Defender for Cloud: Vulnerability Management protect partial T1203 Exploitation for Client Execution
Comments
Once this control is deployed, it can detect known vulnerabilities in Windows and various Linux endpoints. This information can be used to patch, isolate, or remove vulnerable software and machines. This control does not directly protect against exploitation and it is not effective against zero day attacks, vulnerabilities with no available patch, and software that may not be analyzed by the scanner. As a result, the score is capped at Partial.
References
vulnerability_management Microsoft Defender for Cloud: Vulnerability Management protect partial T1210 Exploitation of Remote Services
Comments
Once this control is deployed, it can detect known vulnerabilities in Windows and various Linux endpoints. This information can be used to patch, isolate, or remove vulnerable software and machines. This control does not directly protect against exploitation and it is not effective against zero day attacks, vulnerabilities with no available patch, and software that may not be analyzed by the scanner. As a result, the score is capped at Partial.
References
vulnerability_management Microsoft Defender for Cloud: Vulnerability Management protect partial T1211 Exploitation for Defense Evasion
Comments
Once this control is deployed, it can detect known vulnerabilities in Windows and various Linux endpoints. This information can be used to patch, isolate, or remove vulnerable software and machines. This control does not directly protect against exploitation and it is not effective against zero day attacks, vulnerabilities with no available patch, and software that may not be analyzed by the scanner. As a result, the score is capped at Partial.
References
vulnerability_management Microsoft Defender for Cloud: Vulnerability Management protect partial T1212 Exploitation for Credential Access
Comments
Once this control is deployed, it can detect known vulnerabilities in Windows and various Linux endpoints. This information can be used to patch, isolate, or remove vulnerable software and machines. This control does not directly protect against exploitation and it is not effective against zero day attacks, vulnerabilities with no available patch, and software that may not be analyzed by the scanner. As a result, the score is capped at Partial.
References