Microsoft Azure is a widely used cloud computing platform provided by Microsoft. Azure offers a range of security capabilities to protect cloud data, applications, and infrastructure from threats. These mappings connect Azure security capabilities to adversary behaviors in MITRE ATT&CK®, providing Azure users with a comprehensive view of how native Azure security capabilities can be used to prevent, detect, and respond to prevalent cloud threats. As a result, Azure users can evaluate the effectiveness of native security controls against specific ATT&CK techniques and take a threat-informed approach to understand, prioritize, and mitigate adversary behaviors that are most important for their environment.
Azure Versions: 04.26.2025, 06.29.2021
ATT&CK Versions: 16.1, 8.2
ATT&CK Domain: Enterprise
Capability ID | Capability Description | Category | Value | ATT&CK ID | ATT&CK Name | Notes |
---|---|---|---|---|---|---|
defender_for_storage | Microsoft Defender for Cloud: Defender for Storage | detect | significant | T1078.004 | Cloud Accounts |
Comments
This control may generate alerts for access from unfamiliar or suspicious IP addresses, for access from Tor exit nodes, and for anonymous access to storage.
References
|
defender_for_storage | Microsoft Defender for Cloud: Defender for Storage | detect | significant | T1530 | Data from Cloud Storage |
Comments
A variety of alerts may be generated by malicious access and enumeration of Azure Storage.
References
|
defender_for_storage | Microsoft Defender for Cloud: Defender for Storage | respond | partial | T1105 | Ingress Tool Transfer |
Comments
When a file is suspected to contain malware, Security Center (now Microsoft Defender for Cloud) displays an alert and can optionally email the storage owner for approval to delete the suspicious file. Because this delete capability removes the malicious content, the response type is Eradication; because it applies only to the Azure Blob, Azure Files and Azure Data Lake Storage storage types, the overall score is Partial.
References
|
defender_for_storage | Microsoft Defender for Cloud: Defender for Storage | respond | partial | T1080 | Taint Shared Content |
Comments
When a file is suspected to contain malware, Security Center (now Microsoft Defender for Cloud) displays an alert and can optionally email the storage owner for approval to delete the suspicious file. Because this delete capability removes the malicious content, the response type is Eradication; because it applies only to the Azure Blob, Azure Files and Azure Data Lake Storage storage types, the overall score is Partial.
References
|
defender_for_storage | Microsoft Defender for Cloud: Defender for Storage | detect | partial | T1537 | Transfer Data to Cloud Account |
Comments
This control may alert on unusually large amounts of data being extracted from Azure storage and suspicious access to storage accounts. There are no alerts specifically tied to data transfer between cloud accounts but there are several alerts for anomalous storage access and transfer.
References
|
defender_for_storage | Microsoft Defender for Cloud: Defender for Storage | detect | partial | T1105 | Ingress Tool Transfer |
Comments
This control may alert on the upload of possible malware, executables, or Azure Cloud Services Package files to a storage account. These alerts depend on Microsoft threat intelligence and may not fire on novel or modified malware.
References
|
defender_for_storage | Microsoft Defender for Cloud: Defender for Storage | detect | partial | T1080 | Taint Shared Content |
Comments
This control may alert on the upload of possible malware, executables, or Azure Cloud Services Package files to a storage account. These alerts depend on Microsoft threat intelligence and may not fire on novel or modified malware.
References
|
defender_for_storage | Microsoft Defender for Cloud: Defender for Storage | detect | minimal | T1485 | Data Destruction |
Comments
This control may generate alerts when there has been an unusual or unexpected delete operation within Azure cloud storage. Alerts may not be generated for the disabling of storage backups or versioning, or for the editing of storage objects.
References
|
defender_for_storage | Microsoft Defender for Cloud: Defender for Storage | detect | minimal | T1078 | Valid Accounts |
Comments
This control provides minimal detection for its procedure examples. Additionally, it is able to detect only one of its sub-techniques (Cloud Accounts), resulting in a Minimal coverage score and consequently an overall score of Minimal.
References
|
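The Defender for Storage rows above describe alert behaviours (access from unfamiliar, Tor or anonymous callers, unusually large reads, enumeration, and unexpected deletes) without showing what such an analytic looks like. The following is an added example written for this page; it is not Microsoft's detection logic. It runs over constructed records whose field names mirror Azure Storage resource logs (StorageBlobLogs), learns a baseline from a window of normal traffic, and labels each finding with the ATT&CK technique the rows map it to. The thresholds, the Tor exit-node set, the IP addresses and the record contents are all placeholders chosen for the example.

```python
"""
Added example (not Microsoft's detection logic and not part of the mapping page):
a small analytic over constructed storage access records whose field names mirror
Azure Storage resource logs (StorageBlobLogs). It learns a baseline from a window
of normal traffic and then flags the behaviours the Defender for Storage rows
describe: anonymous, Tor-exit or never-before-seen callers (T1078.004), bulk
egress and enumeration (T1530, the anomalous-transfer side of T1537) and a burst
of deletes (T1485). Thresholds and the Tor list are placeholders, not Microsoft's values.
"""
from __future__ import annotations
from collections import Counter, defaultdict
from dataclasses import dataclass

@dataclass(frozen=True)
class BlobLog:               # subset of StorageBlobLogs columns; values are constructed
    TimeGenerated: str       # kept for realism; the caller chooses the time window
    OperationName: str       # GetBlob, PutBlob, ListBlobs, DeleteBlob, ...
    CallerIpAddress: str
    AuthenticationType: str  # OAuth, SAS, AccountKey, Anonymous
    ResponseBodySize: int
    Uri: str

@dataclass(frozen=True)
class Finding:
    technique: str
    caller: str
    detail: str

EGRESS_MULTIPLIER = 10      # flag a caller reading >10x the busiest baseline caller
LIST_THRESHOLD = 20         # ListBlobs calls per caller in the window
DELETE_THRESHOLD = 5        # DeleteBlob calls per caller in the window
TOR_EXIT_NODES = {"192.0.2.50"}   # constructed placeholder for a Tor exit-node feed

def learn_baseline(records: list[BlobLog]) -> tuple[set[str], int]:
    """Known authenticated caller IPs and the largest per-caller GetBlob volume."""
    known_ips = {r.CallerIpAddress for r in records if r.AuthenticationType != "Anonymous"}
    egress: dict[str, int] = defaultdict(int)
    for r in records:
        if r.OperationName == "GetBlob":
            egress[r.CallerIpAddress] += r.ResponseBodySize
    return known_ips, max(egress.values(), default=0)

def analyze(window: list[BlobLog], known_ips: set[str], peak_egress: int) -> list[Finding]:
    findings: list[Finding] = []
    egress: dict[str, int] = defaultdict(int)
    deletes, lists, reported = Counter(), Counter(), set()
    for r in window:
        ip = r.CallerIpAddress
        if r.AuthenticationType == "Anonymous":
            findings.append(Finding("T1078.004", ip, f"anonymous {r.OperationName} on {r.Uri}"))
        elif ip in TOR_EXIT_NODES and ip not in reported:
            reported.add(ip)
            findings.append(Finding("T1078.004", ip, "authenticated access from a Tor exit node"))
        elif ip not in known_ips and ip not in reported:
            reported.add(ip)
            findings.append(Finding("T1078.004", ip, "authenticated access from an IP absent from the baseline"))
        if r.OperationName == "GetBlob":
            egress[ip] += r.ResponseBodySize
        elif r.OperationName == "DeleteBlob":
            deletes[ip] += 1
        elif r.OperationName == "ListBlobs":
            lists[ip] += 1
    limit = EGRESS_MULTIPLIER * max(peak_egress, 1)
    findings += [Finding("T1530", ip, f"{n} bytes read, limit {limit}") for ip, n in egress.items() if n > limit]
    findings += [Finding("T1530", ip, f"{n} ListBlobs calls (enumeration)") for ip, n in lists.items() if n >= LIST_THRESHOLD]
    findings += [Finding("T1485", ip, f"{n} DeleteBlob calls") for ip, n in deletes.items() if n >= DELETE_THRESHOLD]
    return findings

def demo() -> list[Finding]:
    """Constructed baseline (one internal reader, one writer) and a window with five callers."""
    def rec(op, ip, auth="OAuth", size=0, uri="https://acct.blob.core.windows.net/data/x"):
        return BlobLog("2025-04-26T00:00:00Z", op, ip, auth, size, uri)
    baseline = [rec("GetBlob", "10.1.2.3", size=1_000_000) for _ in range(50)]
    baseline += [rec("PutBlob", "10.1.2.4") for _ in range(5)]
    window = [rec("GetBlob", "10.1.2.3", size=2_000_000)]                          # normal
    window += [rec("ListBlobs", "203.0.113.9") for _ in range(25)]                 # enumeration
    window += [rec("GetBlob", "203.0.113.9", size=20_000_000) for _ in range(40)]  # 800 MB out
    window += [rec("GetBlob", "198.51.100.7", auth="Anonymous", size=4096)]        # public read
    window += [rec("GetBlob", "192.0.2.50", size=4096)]                            # Tor exit
    window += [rec("DeleteBlob", "10.1.2.4") for _ in range(6)]                    # delete burst
    known, peak = learn_baseline(baseline)
    return analyze(window, known, peak)

if __name__ == "__main__":
    for f in demo():
        print(f"{f.technique:<10} {f.caller:<14} {f.detail}")
```

Running the script prints six findings: three T1078.004 (unfamiliar, anonymous and Tor callers), two T1530 for the enumerating and bulk-reading caller, and one T1485 for the delete burst. The known writer's deletes are still flagged, which matches the page's point that the delete alert keys on the operation being unusual rather than on who performs it, while a legitimate reader that stays within its learned volume produces nothing.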
file_integrity_monitoring | Microsoft Defender for Cloud: File Integrity Monitoring | detect | minimal | T1003 | OS Credential Dumping |
Comments
Most credential dumping operations do not require modifying resources that can be detected by this control (i.e., the Registry and file system), and therefore its coverage is minimal.
References
|
file_integrity_monitoring | Microsoft Defender for Cloud: File Integrity Monitoring | detect | minimal | T1098 | Account Manipulation |
Comments
This control can detect account manipulation that leaves file or Registry changes, for example additions to an SSH authorized keys file (see the T1098.004 row).
References
|
file_integrity_monitoring | Microsoft Defender for Cloud: File Integrity Monitoring | detect | minimal | T1137 | Office Application Startup |
Comments
This control can detect persistence via Office application startup where it relies on Registry changes, as in the Office Test sub-technique (T1137.002).
References
|
file_integrity_monitoring | Microsoft Defender for Cloud: File Integrity Monitoring | detect | minimal | T1546.010 | AppInit DLLs |
Comments
The detection score for this group of sub-techniques is assessed as Minimal due to the accuracy component of the score. The registry keys which are modified as a result of these sub-techniques can change frequently or are too numerous to monitor and therefore can result in a significant number of false positives.
References
|
file_integrity_monitoring | Microsoft Defender for Cloud: File Integrity Monitoring | detect | minimal | T1546.015 | Component Object Model Hijacking |
Comments
The detection score for this group of sub-techniques is assessed as Minimal due to the accuracy component of the score. The registry keys which are modified as a result of these sub-techniques can change frequently or are too numerous to monitor and therefore can result in a significant number of false positives.
References
|
file_integrity_monitoring | Microsoft Defender for Cloud: File Integrity Monitoring | detect | minimal | T1548 | Abuse Elevation Control Mechanism |
Comments
This control can detect abuse of elevation control mechanisms that modify monitored Registry settings or files, such as UAC-related Registry keys (T1548.002) and the sudoers file (T1548.003).
References
|
file_integrity_monitoring | Microsoft Defender for Cloud: File Integrity Monitoring | detect | minimal | T1548.002 | Bypass User Account Control |
Comments
Some UAC bypass methods rely on modifying specific, user-accessible Registry settings that can be monitored using this control. However, numerous other bypass methods do not result in Registry modification and will not be detected by this control, resulting in a low detection coverage factor.
References
|
file_integrity_monitoring | Microsoft Defender for Cloud: File Integrity Monitoring | detect | minimal | T1562 | Impair Defenses |
Comments
Due to low detection coverage, this technique is scored as minimal.
References
|
file_integrity_monitoring | Microsoft Defender for Cloud: File Integrity Monitoring | detect | minimal | T1562.001 | Disable or Modify Tools |
Comments
This control can be used to monitor Registry keys related to security software or event logging processes, detecting when an adversary attempts to disable these tools by modifying or deleting those Registry keys. A majority of the cited procedure examples for this sub-technique involve killing security processes rather than modifying the Registry, and therefore the detection coverage for this control is low.
References
|
file_integrity_monitoring | Microsoft Defender for Cloud: File Integrity Monitoring | detect | minimal | T1562.004 | Disable or Modify System Firewall |
Comments
There are numerous ways, depending on the operating system, that this sub-technique can be accomplished. Monitoring the Windows Registry detects only those procedures that modify it, and therefore the overall coverage is low.
References
|
file_integrity_monitoring | Microsoft Defender for Cloud: File Integrity Monitoring | detect | minimal | T1562.006 | Indicator Blocking |
Comments
There are numerous ways, depending on the operating system, that this sub-technique can be accomplished. Monitoring the Windows Registry detects only those procedures that modify it, and therefore the overall coverage is low.
References
|
file_integrity_monitoring | Microsoft Defender for Cloud: File Integrity Monitoring | detect | minimal | T1574 | Hijack Execution Flow |
Comments
This control can detect hijacked execution flow that leaves file or Registry changes, such as modification of ld.so.preload (T1574.006) or files placed for path interception (T1574.007 through T1574.009).
References
|
file_integrity_monitoring | Microsoft Defender for Cloud: File Integrity Monitoring | detect | partial | T1003.001 | LSASS Memory |
Comments
This control can be used to detect the Windows Security Support Provider (SSP) DLLs variation of this sub-technique by monitoring the Registry keys used to register these DLLs. These keys should change infrequently and therefore false positives should be minimal.
References
|
file_integrity_monitoring | Microsoft Defender for Cloud: File Integrity Monitoring | detect | partial | T1036.007 | Double File Extension |
Comments
This control can detect when files with two file extensions are created.
References
|
file_integrity_monitoring | Microsoft Defender for Cloud: File Integrity Monitoring | detect | partial | T1036.008 | Masquerade File Type |
Comments
This control can detect if files are created or edited where the header and extension do not match.
References
|
file_integrity_monitoring | Microsoft Defender for Cloud: File Integrity Monitoring | detect | partial | T1037 | Boot or Logon Initialization Scripts |
Comments
This control can detect abuse of boot or logon initialization scripts.
References
|
file_integrity_monitoring | Microsoft Defender for Cloud: File Integrity Monitoring | detect | partial | T1037.001 | Logon Script (Windows) |
Comments
This control may detect changes to the Windows registry upon creation or modification of logon scripts. This control at worst scans for changes on an hourly basis.
References
|
file_integrity_monitoring | Microsoft Defender for Cloud: File Integrity Monitoring | detect | partial | T1037.003 | Network Logon Script |
Comments
This control may detect changes to the Windows registry upon creation or modification of logon scripts. This control at worst scans for changes on an hourly basis.
References
|
file_integrity_monitoring | Microsoft Defender for Cloud: File Integrity Monitoring | detect | partial | T1053.001 | At (Linux) |
Comments
This control may detect changes to the Windows registry upon creation or modification of scheduled tasks. This control may also detect changes to files used by cron or systemd to create/modify scheduled tasks. The specificity of registry keys and files used in creation or modification of these scheduled tasks may reduce the false positive rate. This control at worst scans for changes on an hourly basis.
References
|
file_integrity_monitoring | Microsoft Defender for Cloud: File Integrity Monitoring | detect | partial | T1053.002 | At |
Comments
This control may detect changes to the Windows registry upon creation or modification of scheduled tasks. This control may also detect changes to files used by cron or systemd to create/modify scheduled tasks. The specificity of registry keys and files used in creation or modification of these scheduled tasks may reduce the false positive rate. This control at worst scans for changes on an hourly basis.
References
|
file_integrity_monitoring | Microsoft Defender for Cloud: File Integrity Monitoring | detect | partial | T1053.003 | Cron |
Comments
This control may detect changes to the Windows registry upon creation or modification of scheduled tasks. This control may also detect changes to files used by cron or systemd to create/modify scheduled tasks. The specificity of registry keys and files used in creation or modification of these scheduled tasks may reduce the false positive rate. This control at worst scans for changes on an hourly basis.
References
|
file_integrity_monitoring | Microsoft Defender for Cloud: File Integrity Monitoring | detect | partial | T1053.005 | Scheduled Task |
Comments
This control may detect changes to the Windows registry upon creation or modification of scheduled tasks. This control may also detect changes to files used by cron or systemd to create/modify scheduled tasks. The specificity of registry keys and files used in creation or modification of these scheduled tasks may reduce the false positive rate. This control at worst scans for changes on an hourly basis.
References
|
file_integrity_monitoring | Microsoft Defender for Cloud: File Integrity Monitoring | detect | partial | T1053.006 | Systemd Timers |
Comments
This control may detect changes to the Windows registry upon creation or modification of scheduled tasks. This control may also detect changes to files used by cron or systemd to create/modify scheduled tasks. The specificity of registry keys and files used in creation or modification of these scheduled tasks may reduce the false positive rate. This control at worst scans for changes on an hourly basis.
References
|
file_integrity_monitoring | Microsoft Defender for Cloud: File Integrity Monitoring | detect | partial | T1070.007 | Clear Network Connection History and Configurations |
Comments
This control can detect changes to files associated with this technique.
References
|
file_integrity_monitoring | Microsoft Defender for Cloud: File Integrity Monitoring | detect | partial | T1070.008 | Clear Mailbox Data |
Comments
This control can detect changes to files associated with this technique.
References
|
file_integrity_monitoring | Microsoft Defender for Cloud: File Integrity Monitoring | detect | partial | T1070.009 | Clear Persistence |
Comments
This control can detect changes to files associated with this technique.
References
|
file_integrity_monitoring | Microsoft Defender for Cloud: File Integrity Monitoring | detect | partial | T1070.010 | Relocate Malware |
Comments
This control can detect changes to files associated with this technique.
References
|
file_integrity_monitoring | Microsoft Defender for Cloud: File Integrity Monitoring | detect | partial | T1098.004 | SSH Authorized Keys |
Comments
This control may detect changes to the SSH authorized keys file which may indicate establishment of persistence. This control at worst scans for changes on an hourly basis.
References
|
file_integrity_monitoring | Microsoft Defender for Cloud: File Integrity Monitoring | detect | partial | T1137.002 | Office Test |
Comments
This control may detect changes to the Windows registry to establish persistence with the Office Test sub-technique. The specificity of registry keys involved may reduce the false positive rate. This control at worst scans for changes on an hourly basis.
References
|
file_integrity_monitoring | Microsoft Defender for Cloud: File Integrity Monitoring | detect | partial | T1222 | File and Directory Permissions Modification |
Comments
This control can detect file and directory permissions modification.
References
|
file_integrity_monitoring | Microsoft Defender for Cloud: File Integrity Monitoring | detect | partial | T1222.001 | Windows File and Directory Permissions Modification |
Comments
This control can detect changes to the permissions of Windows and Linux files and can be used to detect modifications to sensitive directories and files that shouldn't change frequently. This control at worst scans for changes on an hourly basis.
References
|
file_integrity_monitoring | Microsoft Defender for Cloud: File Integrity Monitoring | detect | partial | T1222.002 | Linux and Mac File and Directory Permissions Modification |
Comments
This control can detect changes to the permissions of Windows and Linux files and can be used to detect modifications to sensitive directories and files that shouldn't change frequently. This control at worst scans for changes on an hourly basis.
References
|
file_integrity_monitoring | Microsoft Defender for Cloud: File Integrity Monitoring | detect | partial | T1505.004 | IIS Components |
Comments
This control can detect when files associated with the technique are created or modified, such as %windir%\system32\inetsrv\config\applicationhost.config.
References
|
file_integrity_monitoring | Microsoft Defender for Cloud: File Integrity Monitoring | detect | partial | T1505.005 | Terminal Services DLL |
Comments
This control can detect when files or registry keys associated with this technique are created or modified, such as termsrv.dll and ServiceDll.
References
|
file_integrity_monitoring | Microsoft Defender for Cloud: File Integrity Monitoring | detect | partial | T1543 | Create or Modify System Process |
Comments
This control can detect creation or modification of system-level processes where it is reflected in Windows service Registry keys or systemd unit files (T1543.002, T1543.003).
References
|
file_integrity_monitoring | Microsoft Defender for Cloud: File Integrity Monitoring | detect | partial | T1543.002 | Systemd Service |
Comments
This control may detect changes to the Windows registry upon creation or modification of Windows services. This control may also detect changes to the unit files used by systemd to create or modify systemd services. The specificity of the registry keys and files used to create or modify these services may reduce the false positive rate. This control at worst scans for changes on an hourly basis.
References
|
file_integrity_monitoring | Microsoft Defender for Cloud: File Integrity Monitoring | detect | partial | T1543.003 | Windows Service |
Comments
This control may detect changes to the Windows registry upon creation or modification of Windows services. This control may also detect changes to the unit files used by systemd to create or modify systemd services. The specificity of the registry keys and files used to create or modify these services may reduce the false positive rate. This control at worst scans for changes on an hourly basis.
References
|
file_integrity_monitoring | Microsoft Defender for Cloud: File Integrity Monitoring | detect | partial | T1546 | Event Triggered Execution |
Comments
The detection score for this technique was assessed as Partial because it doesn't detect some of the sub-techniques of this technique such as Windows Management Instrumentation (WMI) Event Subscription and Trap sub-techniques. Additionally for some sub-techniques, this control can be noisy.
References
|
file_integrity_monitoring | Microsoft Defender for Cloud: File Integrity Monitoring | detect | partial | T1546.001 | Change Default File Association |
Comments
This control may detect changes to the Windows registry or files that indicate event triggered execution. The specificity of the registry keys and files involved in this sub-technique may reduce the false positive rate. This control at worst scans for changes on an hourly basis.
References
|
file_integrity_monitoring | Microsoft Defender for Cloud: File Integrity Monitoring | detect | partial | T1546.002 | Screensaver |
Comments
This control may detect changes to the Windows registry or files that indicate event triggered execution. The specificity of the registry keys and files involved in this sub-technique may reduce the false positive rate. This control at worst scans for changes on an hourly basis.
References
|
file_integrity_monitoring | Microsoft Defender for Cloud: File Integrity Monitoring | detect | partial | T1546.004 | Unix Shell Configuration Modification |
Comments
This control may detect changes to the Windows registry or files that indicate event triggered execution. The specificity of the registry keys and files involved in this sub-technique may reduce the false positive rate. This control at worst scans for changes on an hourly basis.
References
|
file_integrity_monitoring | Microsoft Defender for Cloud: File Integrity Monitoring | detect | partial | T1546.007 | Netsh Helper DLL |
Comments
This control may detect changes to the Windows registry or files that indicate event triggered execution. The specificity of the registry keys and files involved in this sub-technique may reduce the false positive rate. This control at worst scans for changes on an hourly basis.
References
|
file_integrity_monitoring | Microsoft Defender for Cloud: File Integrity Monitoring | detect | partial | T1546.008 | Accessibility Features |
Comments
This control may detect changes to the Windows registry or files that indicate event triggered execution. The specificity of the registry keys and files involved in this sub-technique may reduce the false positive rate. This control at worst scans for changes on an hourly basis.
References
|
file_integrity_monitoring | Microsoft Defender for Cloud: File Integrity Monitoring | detect | partial | T1546.009 | AppCert DLLs |
Comments
This control may detect changes to the Windows registry or files that indicate event triggered execution. The specificity of the registry keys and files involved in this sub-technique may reduce the false positive rate. This control at worst scans for changes on an hourly basis.
References
|
file_integrity_monitoring | Microsoft Defender for Cloud: File Integrity Monitoring | detect | partial | T1546.011 | Application Shimming |
Comments
This control may detect changes to the Windows registry or files that indicate event triggered execution. The specificity of the registry keys and files involved in this sub-technique may reduce the false positive rate. This control at worst scans for changes on an hourly basis.
References
|
file_integrity_monitoring | Microsoft Defender for Cloud: File Integrity Monitoring | detect | partial | T1546.012 | Image File Execution Options Injection |
Comments
This control may detect changes to the Windows registry or files that indicate event triggered execution. The specificity of the registry keys and files involved in this sub-technique may reduce the false positive rate. This control at worst scans for changes on an hourly basis.
References
|
file_integrity_monitoring | Microsoft Defender for Cloud: File Integrity Monitoring | detect | partial | T1546.013 | PowerShell Profile |
Comments
This control may detect changes to the Windows registry or files that indicate event triggered execution. The specificity of the registry keys and files involved in this sub-technique may reduce the false positive rate. This control at worst scans for changes on an hourly basis.
References
|
file_integrity_monitoring | Microsoft Defender for Cloud: File Integrity Monitoring | detect | partial | T1546.016 | Installer Packages |
Comments
This control can detect event triggered execution via installer packages.
References
|
file_integrity_monitoring | Microsoft Defender for Cloud: File Integrity Monitoring | detect | partial | T1546.017 | Udev Rules |
Comments
This control can detect event triggered execution via udev rules.
References
|
file_integrity_monitoring | Microsoft Defender for Cloud: File Integrity Monitoring | detect | partial | T1547 | Boot or Logon Autostart Execution |
Comments
This control can detect boot or logon autostart execution that modifies monitored Registry keys or files, such as Run keys and startup folders (T1547.001).
References
|
file_integrity_monitoring | Microsoft Defender for Cloud: File Integrity Monitoring | detect | partial | T1547.001 | Registry Run Keys / Startup Folder |
Comments
This control may detect changes to the Windows registry or files that enable Boot or Logon Autostart Execution. This control at worst scans for changes on an hourly basis.
References
|
file_integrity_monitoring | Microsoft Defender for Cloud: File Integrity Monitoring | detect | partial | T1547.002 | Authentication Package |
Comments
This control may detect changes to the Windows registry or files that enable Boot or Logon Autostart Execution. This control at worst scans for changes on an hourly basis.
References
|
file_integrity_monitoring | Microsoft Defender for Cloud: File Integrity Monitoring | detect | partial | T1547.003 | Time Providers |
Comments
This control may detect changes to the Windows registry or files that enable Boot or Logon Autostart Execution. This control at worst scans for changes on an hourly basis.
References
|
file_integrity_monitoring | Microsoft Defender for Cloud: File Integrity Monitoring | detect | partial | T1547.004 | Winlogon Helper DLL |
Comments
This control may detect changes to the Windows registry or files that enable Boot or Logon Autostart Execution. This control at worst scans for changes on an hourly basis.
References
|
file_integrity_monitoring | Microsoft Defender for Cloud: File Integrity Monitoring | detect | partial | T1547.005 | Security Support Provider |
Comments
This control may detect changes to the Windows registry or files that enable Boot or Logon Autostart Execution. This control at worst scans for changes on an hourly basis.
References
|
file_integrity_monitoring | Microsoft Defender for Cloud: File Integrity Monitoring | detect | partial | T1547.006 | Kernel Modules and Extensions |
Comments
This control may detect changes to the Windows registry or files that enable Boot or Logon Autostart Execution. This control at worst scans for changes on an hourly basis.
References
|
file_integrity_monitoring | Microsoft Defender for Cloud: File Integrity Monitoring | detect | partial | T1547.008 | LSASS Driver |
Comments
This control may detect changes to the Windows registry or files that enable Boot or Logon Autostart Execution. This control at worst scans for changes on an hourly basis.
References
|
file_integrity_monitoring | Microsoft Defender for Cloud: File Integrity Monitoring | detect | partial | T1547.009 | Shortcut Modification |
Comments
This control may detect changes to the Windows registry or files that enable Boot or Logon Autostart Execution. This control at worst scans for changes on an hourly basis.
References
|
file_integrity_monitoring | Microsoft Defender for Cloud: File Integrity Monitoring | detect | partial | T1547.010 | Port Monitors |
Comments
This control may detect changes to the Windows registry or files that enable Boot or Logon Autostart Execution. This control at worst scans for changes on an hourly basis.
References
|
file_integrity_monitoring | Microsoft Defender for Cloud: File Integrity Monitoring | detect | partial | T1547.012 | Print Processors |
Comments
This control may detect changes to the Windows registry or files that enable Boot or Logon Autostart Execution. This control at worst scans for changes on an hourly basis.
References
|
file_integrity_monitoring | Microsoft Defender for Cloud: File Integrity Monitoring | detect | partial | T1547.014 | Active Setup |
Comments
This control can detect commands or registry key modifications associated with Active Setup such as HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\.
References
|
file_integrity_monitoring | Microsoft Defender for Cloud: File Integrity Monitoring | detect | partial | T1548.003 | Sudo and Sudo Caching |
Comments
This control may detect changes to the sudoers file which may indicate privilege escalation. This control at worst scans for changes on an hourly basis.
References
|
file_integrity_monitoring | Microsoft Defender for Cloud: File Integrity Monitoring | detect | partial | T1553 | Subvert Trust Controls |
Comments
This control can be used to detect a subset of this technique's sub-techniques while minimizing the false positive rate.
References
|
file_integrity_monitoring | Microsoft Defender for Cloud: File Integrity Monitoring | detect | partial | T1553.003 | SIP and Trust Provider Hijacking |
Comments
This control can detect modifications made to the Registry keys used to register Windows Subject Interface Packages (SIPs). Because this sub-technique can be accomplished without modifying the Registry via DLL Search Order Hijacking, it has been scored as Partial. The related Registry keys should not change often and therefore the false positive rate should be minimal. This control at worst scans for changes on an hourly basis.
References
|
file_integrity_monitoring | Microsoft Defender for Cloud: File Integrity Monitoring | detect | partial | T1553.004 | Install Root Certificate |
Comments
This control can be used to detect when the system root certificates have changed by detecting the corresponding Registry or file system modifications that occur as a result. These root certificates should not change often and therefore the false positive rate is minimal. This control at worst scans for changes on an hourly basis.
References
|
file_integrity_monitoring | Microsoft Defender for Cloud: File Integrity Monitoring | detect | partial | T1556 | Modify Authentication Process |
Comments
This control is effective for detecting the Registry and file system artifacts that are generated during the execution of some variations of this technique while minimizing false positives due to the locations being monitored changing infrequently (e.g. /etc/pam.d/).
References
|
file_integrity_monitoring | Microsoft Defender for Cloud: File Integrity Monitoring | detect | partial | T1556.002 | Password Filter DLL |
Comments
The Registry key used to register a Password Filter DLL can be monitored for changes using this control providing substantial coverage of this sub-technique. This key should not change often and therefore false positives should be minimal. This control at worst scans for changes on an hourly basis.
References
|
file_integrity_monitoring | Microsoft Defender for Cloud: File Integrity Monitoring | detect | partial | T1556.003 | Pluggable Authentication Modules |
Comments
The PAM configuration and module paths (/etc/pam.d/) can be monitored for changes using this control. The files in this path should not change often and therefore false positives should be minimal. This control at worst scans for changes on an hourly basis.
References
|
file_integrity_monitoring | Microsoft Defender for Cloud: File Integrity Monitoring | detect | partial | T1556.007 | Hybrid Identity |
Comments
This control can monitor for suspicious modification of files associated with hybrid identity authentication processes, such as configuration files.
References
|
file_integrity_monitoring | Microsoft Defender for Cloud: File Integrity Monitoring | detect | partial | T1556.008 | Network Provider DLL |
Comments
This control can monitor for creation of or changes to registry keys associated with network provider DLLs, such as those under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.
References
|
file_integrity_monitoring | Microsoft Defender for Cloud: File Integrity Monitoring | detect | partial | T1564.008 | Email Hiding Rules |
Comments
This control can detect when files related to email rules are modified, such as RulesActiveState.plist, SyncedRules.plist, UnsyncedRules.plist, and MessageRules.plist on macOS.
References
|
file_integrity_monitoring | Microsoft Defender for Cloud: File Integrity Monitoring | detect | partial | T1564.009 | Resource Forking |
Comments
This control can detect when files are created or modified related to resource forking.
References
|
file_integrity_monitoring | Microsoft Defender for Cloud: File Integrity Monitoring | detect | partial | T1564.012 | File/Path Exclusions |
Comments
This control can detect when files are created in folders that belong to trusted applications, or in folders whose names spoof those of trusted applications.
References
|
file_integrity_monitoring | Microsoft Defender for Cloud: File Integrity Monitoring | detect | partial | T1574.006 | Dynamic Linker Hijacking |
Comments
This control may detect changes to the ld.so.preload file which may indicate an attempt to hijack execution flow. This sub-technique may also be utilized through an environment variable which this control may not detect. This control at worst scans for changes on an hourly basis.
References
|
file_integrity_monitoring | Microsoft Defender for Cloud: File Integrity Monitoring | detect | partial | T1574.007 | Path Interception by PATH Environment Variable |
Comments
This control can detect file changes on VMs indicative of Path Interception by PATH Environment Variable.
References
|
file_integrity_monitoring | Microsoft Defender for Cloud: File Integrity Monitoring | detect | partial | T1574.008 | Path Interception by Search Order Hijacking |
Comments
This control can detect file changes on VMs indicative of Path Interception by Search Order Hijacking.
References
|
file_integrity_monitoring | Microsoft Defender for Cloud: File Integrity Monitoring | detect | partial | T1574.009 | Path Interception by Unquoted Path |
Comments
This control can detect file changes on VMs indicative of Path Interception by Unquoted Path.
References
|
file_integrity_monitoring | Microsoft Defender for Cloud: File Integrity Monitoring | detect | partial | T1574.014 | AppDomainManager |
Comments
This control can detect file changes on VMs indicative of hijacking of the AppDomainManager.
References
|
file_integrity_monitoring | Microsoft Defender for Cloud: File Integrity Monitoring | detect | significant | T1053 | Scheduled Task/Job |
Comments
This control can detect the creation or modification of the files (and, on Windows, registry keys) that define scheduled tasks and jobs.
References
|
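The File Integrity Monitoring rows above name the paths worth watching but stop short of showing how a raw change event becomes an ATT&CK-tagged alert. The following is an added example, not Defender for Cloud or MITRE code: it builds a watchlist from the paths named in this section, tags constructed change events with the matching technique IDs, and collapses repeated reports of the same path (as an hourly scanner would produce) into one alert. The event shape, the hostnames and the "EvilProv" provider name are assumptions; the `Services\<name>\NetworkProvider` subkey is the standard registration point for network provider DLLs.

```python
"""
Tag file-integrity-monitoring (FIM) change events with the ATT&CK techniques
whose artifacts live at the changed path.

Added example, not Defender for Cloud code. Event records use a constructed,
simplified shape {"host", "path", "change"}; real FIM records carry more
fields (hashes, account, timestamps) but the classification logic is the same.
"""
import fnmatch

# Watchlist derived from the paths named in the FIM mapping rows above.
# Patterns are matched case-insensitively; fnmatch's "*" also crosses "/".
WATCHLIST = [
    ("/etc/pam.d/*",                 "T1556.003", "Pluggable Authentication Modules"),
    ("/etc/ld.so.preload",           "T1574.006", "Dynamic Linker Hijacking"),
    ("/etc/cron.d/*",                "T1053.003", "Cron"),
    ("/etc/crontab",                 "T1053.003", "Cron"),
    ("/var/spool/cron/*",            "T1053.003", "Cron"),
    ("/etc/systemd/system/*.timer",  "T1053.006", "Systemd Timers"),
    # Network providers register under Services\<name>\NetworkProvider.
    ("HKLM\\SYSTEM\\CurrentControlSet\\Services\\*\\NetworkProvider*",
                                     "T1556.008", "Network Provider DLL"),
    ("*/Library/Mail/*/MailData/*Rules*.plist",
                                     "T1564.008", "Email Hiding Rules"),
]

# Hive aliases emitted by different agents; normalised before matching.
HIVE_ALIASES = {"HKEY_LOCAL_MACHINE": "HKLM"}


def normalise(path):
    """Lower-case the path and collapse registry hive aliases."""
    for long, short in HIVE_ALIASES.items():
        if path.upper().startswith(long):
            path = short + path[len(long):]
    return path.lower()


def classify(path):
    """Return [(attack_id, name), ...] for every watchlist entry the path matches."""
    norm = normalise(path)
    return [(tid, name) for pat, tid, name in WATCHLIST
            if fnmatch.fnmatchcase(norm, pat.lower())]


def triage(events):
    """
    Collapse matching events into one alert per (host, path) so that a scanner
    reporting the same change in several passes does not page repeatedly.
    Events that match nothing on the watchlist are dropped.
    """
    alerts = {}
    for ev in events:
        hits = classify(ev["path"])
        if not hits:
            continue
        key = (ev["host"], ev["path"])
        alert = alerts.setdefault(key, {
            "host": ev["host"], "path": ev["path"],
            "changes": [], "techniques": set()})
        alert["changes"].append(ev["change"])
        alert["techniques"].update(tid for tid, _ in hits)
    # Sets are not JSON-friendly; emit sorted lists instead.
    return [dict(a, techniques=sorted(a["techniques"])) for a in alerts.values()]


# Constructed sample events (hosts, paths and the provider name are made up).
SAMPLE_EVENTS = [
    {"host": "web01", "path": "/etc/ld.so.preload", "change": "Added"},
    {"host": "web01", "path": "/etc/ld.so.preload", "change": "Modified"},
    {"host": "web01", "path": "/etc/pam.d/sshd", "change": "Modified"},
    {"host": "web01", "path": "/var/log/syslog", "change": "Modified"},
    {"host": "db02", "path": "/etc/cron.d/backup", "change": "Added"},
    {"host": "win03",
     "path": r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EvilProv\NetworkProvider",
     "change": "Added"},
    {"host": "mac04",
     "path": "/Users/alice/Library/Mail/V10/MailData/SyncedRules.plist",
     "change": "Modified"},
]

if __name__ == "__main__":
    for alert in triage(SAMPLE_EVENTS):
        print(alert)
```

Note what the watchlist cannot see: an LD_PRELOAD set in a process environment, or a scheduled task created purely in memory, never touches a watched path, which is why the rows above score most of these sub-techniques as Partial rather than Significant.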
docker_host_hardening | Microsoft Defender for Cloud: Docker Host Hardening | detect | minimal | T1525 | Implant Internal Image |
Comments
This control may alert on Docker containers that are misconfigured or do not conform to CIS Docker Benchmarks. This may result in detection of container images implanted within Linux VMs with specific vulnerabilities or misconfigurations for malicious purposes.
References
|
docker_host_hardening | Microsoft Defender for Cloud: Docker Host Hardening | protect | minimal | T1005 | Data from Local System |
Comments
This control may provide recommendations that limit the ability of an attacker to gain access to a host from a container, preventing the attacker from discovering and compromising local system data.
References
|
docker_host_hardening | Microsoft Defender for Cloud: Docker Host Hardening | protect | minimal | T1021 | Remote Services |
Comments
This control can protect against abuse of remote services exposed by containers, primarily by recommending that services such as sshd not run inside them.
References
|
docker_host_hardening | Microsoft Defender for Cloud: Docker Host Hardening | protect | minimal | T1021.004 | SSH |
Comments
This control may provide recommendations to ensure sshd is not running within Docker containers. This can prevent attackers from utilizing unmonitored SSH servers within containers. It may not prevent attackers from installing an SSH server in containers or on hosts.
References
|
docker_host_hardening | Microsoft Defender for Cloud: Docker Host Hardening | protect | minimal | T1040 | Network Sniffing |
Comments
This control may recommend usage of TLS to encrypt communication between the Docker daemon and clients. This can prevent possible leakage of sensitive information through network sniffing.
References
|
docker_host_hardening | Microsoft Defender for Cloud: Docker Host Hardening | protect | minimal | T1068 | Exploitation for Privilege Escalation |
Comments
This control may provide recommendations on how to reduce the surface area and mechanisms by which an attacker could escalate privileges.
References
|
docker_host_hardening | Microsoft Defender for Cloud: Docker Host Hardening | protect | minimal | T1083 | File and Directory Discovery |
Comments
This control may provide recommendations to ensure sensitive host system directories are not mounted in the container.
References
|
docker_host_hardening | Microsoft Defender for Cloud: Docker Host Hardening | protect | minimal | T1548 | Abuse Elevation Control Mechanism |
Comments
This control is only relevant for Linux endpoints containing Docker containers.
References
|
docker_host_hardening | Microsoft Defender for Cloud: Docker Host Hardening | protect | minimal | T1548.001 | Setuid and Setgid |
Comments
This control may provide recommendations to remove setuid and setgid permissions from container images. It may not be feasible to audit and remediate all binaries that have, and require, setuid and setgid permissions.
References
|
docker_host_hardening | Microsoft Defender for Cloud: Docker Host Hardening | protect | partial | T1021.007 | Cloud Services |
Comments
This control can protect against abuse of remote cloud services.
References
|
docker_host_hardening | Microsoft Defender for Cloud: Docker Host Hardening | protect | partial | T1021.008 | Direct Cloud VM Connections |
Comments
This control can protect against abuse of direct cloud VM connections.
References
|
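The Docker Host Hardening rows above describe CIS Docker Benchmark recommendations (no sshd in containers, no sensitive host directories mounted, no privileged containers, TLS on the daemon socket) without showing what the checks look at. The following is an added example, not Microsoft's or Docker's code: it evaluates `docker inspect`-shaped documents and a `daemon.json` against those items and reports findings with the ATT&CK technique each one maps to in this section. The inspect documents are constructed and trimmed to the fields the checks read, and the container and image names are made up.

```python
"""
Check `docker inspect` output and the daemon configuration against a subset
of the CIS Docker Benchmark items that Defender for Cloud's Docker host
hardening recommendations are based on.

Added example, not Microsoft's or Docker's code. The inspect documents and
daemon.json below are constructed and trimmed to the fields the checks read.
"""

# Host paths that hand the container the host when bind-mounted.
SENSITIVE_HOST_PATHS = ("/", "/boot", "/dev", "/etc", "/lib", "/proc", "/sys",
                        "/usr", "/var/run/docker.sock")


def is_sensitive_mount(source):
    """True if a bind-mount source is, or lies under, a sensitive host path."""
    if source == "/":
        return True
    return any(source == p or source.startswith(p + "/")
               for p in SENSITIVE_HOST_PATHS if p != "/")


def check_container(inspect):
    """Return a list of (check, detail, attack_id) findings for one container."""
    findings = []
    name = inspect["Name"].lstrip("/")
    cfg = inspect.get("Config", {})
    host = inspect.get("HostConfig", {})

    if host.get("Privileged"):
        findings.append(("privileged container", name, "T1068"))
    if host.get("PidMode") == "host" or host.get("NetworkMode") == "host":
        findings.append(("shares host namespace", name, "T1068"))

    for m in inspect.get("Mounts", []):
        if m.get("Type") == "bind" and is_sensitive_mount(m.get("Source", "")):
            findings.append(("sensitive host path mounted", m["Source"], "T1083"))

    # sshd in a container is an unmonitored remote service; inspect only
    # shows the process the container was started with, so that is what
    # this check examines (a later-installed sshd needs a process audit).
    argv = (cfg.get("Entrypoint") or []) + (cfg.get("Cmd") or [])
    if any("sshd" in a for a in argv):
        findings.append(("sshd running in container", " ".join(argv), "T1021.004"))
    return findings


def check_daemon(daemon_json):
    """Flag a TCP daemon socket that is exposed without mutual TLS."""
    findings = []
    hosts = daemon_json.get("hosts", [])
    if any(h.startswith("tcp://") for h in hosts):
        if not (daemon_json.get("tlsverify") and daemon_json.get("tlscacert")):
            findings.append(("daemon TCP socket without TLS verification",
                             ",".join(hosts), "T1040"))
    return findings


# Constructed inspect output for a deliberately weak container.
WEAK_CONTAINER = {
    "Name": "/legacy-app",
    "Config": {"Image": "legacy-app:1.0", "Entrypoint": None,
               "Cmd": ["/usr/sbin/sshd", "-D"]},
    "HostConfig": {"Privileged": True, "PidMode": "host", "NetworkMode": "bridge"},
    "Mounts": [{"Type": "bind", "Source": "/var/run/docker.sock",
                "Destination": "/var/run/docker.sock"},
               {"Type": "bind", "Source": "/etc", "Destination": "/host-etc"}],
}

# The same workload after remediation: no sshd, no privilege, a named volume.
HARDENED_CONTAINER = {
    "Name": "/legacy-app",
    "Config": {"Image": "legacy-app:1.1", "Entrypoint": ["/app/server"], "Cmd": []},
    "HostConfig": {"Privileged": False, "PidMode": "", "NetworkMode": "bridge"},
    "Mounts": [{"Type": "volume", "Source": "app-data", "Destination": "/data"}],
}

# Constructed daemon.json fragments: plaintext 2375 versus TLS-verified 2376.
WEAK_DAEMON = {"hosts": ["tcp://0.0.0.0:2375", "unix:///var/run/docker.sock"]}
HARDENED_DAEMON = {"hosts": ["tcp://0.0.0.0:2376", "unix:///var/run/docker.sock"],
                   "tlsverify": True, "tlscacert": "/etc/docker/ca.pem",
                   "tlscert": "/etc/docker/server-cert.pem",
                   "tlskey": "/etc/docker/server-key.pem"}

if __name__ == "__main__":
    for f in check_container(WEAK_CONTAINER) + check_daemon(WEAK_DAEMON):
        print(f)
    print("hardened:", check_container(HARDENED_CONTAINER) + check_daemon(HARDENED_DAEMON))
```

The sshd check illustrates the caveat in the T1021.004 row: it only sees the command the container was launched with, so an attacker who installs and starts sshd after the fact is not caught by configuration inspection alone.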
devops_security | Microsoft Defender for Cloud: DevOps Security | protect | partial | T1098 | Account Manipulation |
Comments
This capability can protect against Account Manipulation by requiring DevOps best practices.
References
|
devops_security | Microsoft Defender for Cloud: DevOps Security | protect | partial | T1098.001 | Additional Cloud Credentials |
Comments
This capability can protect against creation of additional cloud credentials by requiring DevOps best practices.
References
|
devops_security | Microsoft Defender for Cloud: DevOps Security | protect | partial | T1213.003 | Code Repositories |
Comments
This control can protect against repository misconfigurations.
References
|
devops_security | Microsoft Defender for Cloud: DevOps Security | protect | partial | T1552.007 | Container API |
Comments
This capability can protect against unsecured Container API credentials by ensuring credential security is part of the DevOps process.
References
|
devops_security | Microsoft Defender for Cloud: DevOps Security | protect | partial | T1557 | Adversary-in-the-Middle |
Comments
This capability can protect against adversary-in-the-middle attacks by ensuring encryption is baked into the DevOps process of applications.
References
|
devops_security | Microsoft Defender for Cloud: DevOps Security | protect | partial | T1564.009 | Resource Forking |
Comments
This control can provide DevOps guidance that applications should use the application bundle structure which leverages the /Resources folder location to mitigate resource forking.
References
|
devops_security | Microsoft Defender for Cloud: DevOps Security | protect | partial | T1593.003 | Code Repositories |
Comments
This control can protect code repositories by employing DevSecOps best practices.
References
|
devops_security | Microsoft Defender for Cloud: DevOps Security | protect | significant | T1189 | Drive-by Compromise |
Comments
This capability can protect against drive-by compromise by ensuring application security is baked into DevOps.
References
|
devops_security | Microsoft Defender for Cloud: DevOps Security | protect | significant | T1190 | Exploit Public-Facing Application |
Comments
This capability can protect against exploitation of public-facing applications by ensuring application security is baked into DevOps.
References
|
advanced_threat_protection_for_azure_sql_database | Advanced Threat Protection for Azure SQL Database | detect | minimal | T1078 | Valid Accounts |
Comments
This control only provides alerts for a set of Azure database offerings. Databases that have been deployed to endpoints within Azure or third-party databases deployed to Azure do not generate alerts for this control.
References
|
advanced_threat_protection_for_azure_sql_database | Advanced Threat Protection for Azure SQL Database | detect | minimal | T1110 | Brute Force |
Comments
This control covers the majority of sub-techniques for this parent technique and may cover both successful and unsuccessful brute force attacks. This control only provides alerts for a set of Azure database offerings. Databases that have been deployed to endpoints within Azure or third-party databases deployed to Azure do not generate alerts for this control.
References
|
advanced_threat_protection_for_azure_sql_database | Advanced Threat Protection for Azure SQL Database | detect | minimal | T1110.001 | Password Guessing |
Comments
This control may alert on repeated sign-in attempts to the resource and on successful logins from a suspicious location or IP address, or by a user that does not commonly log in to the resource. Because this control is specific to Azure database offerings, the detection coverage is Minimal.
References
|
advanced_threat_protection_for_azure_sql_database | Advanced Threat Protection for Azure SQL Database | detect | minimal | T1110.003 | Password Spraying |
Comments
This control may alert on repeated sign-in attempts to the resource and on successful logins from a suspicious location or IP address, or by a user that does not commonly log in to the resource. Because this control is specific to Azure database offerings, the detection coverage is Minimal.
References
|
advanced_threat_protection_for_azure_sql_database | Advanced Threat Protection for Azure SQL Database | detect | minimal | T1110.004 | Credential Stuffing |
Comments
This control may alert on repeated sign-in attempts to the resource and on successful logins from a suspicious location or IP address, or by a user that does not commonly log in to the resource. Because this control is specific to Azure database offerings, the detection coverage is Minimal.
References
|
advanced_threat_protection_for_azure_sql_database | Advanced Threat Protection for Azure SQL Database | detect | minimal | T1190 | Exploit Public-Facing Application |
Comments
This control may alert on malformed SQL statements issued by an application, which are reported as a possible SQL injection. Alerts may not be generated when attackers issue syntactically valid SQL statements for malicious purposes.
References
|
advanced_threat_protection_for_azure_sql_database | Advanced Threat Protection for Azure SQL Database | detect | minimal | T1213 | Data from Information Repositories |
Comments
This control may alert on extraction of a large amount of data to an unusual location. No documentation is provided on the logic for determining an unusual location.
References
|
advanced_threat_protection_for_azure_sql_database | Advanced Threat Protection for Azure SQL Database | detect | partial | T1078.004 | Cloud Accounts |
Comments
This control may alert on logon events that are suspicious. This includes logins from unusual locations, logins from suspicious IP addresses, and users that do not commonly access the resource. These alerts may limit the ability of an attacker to utilize a valid cloud account to access and manipulate Azure databases.
References
|
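The Advanced Threat Protection rows above list the behaviours that raise alerts (repeated sign-in failures, one source trying many accounts, a successful login from a source the user has never used) without stating the logic. The following is an added example, not Microsoft's detection code: it runs sliding-window brute-force, password-spray and unfamiliar-source checks over constructed database sign-in audit events. The thresholds, the event shape, the user names and the IP addresses (taken from documentation ranges) are all assumptions made for the example; the control itself applies only to the Azure database offerings noted above.

```python
"""
Brute-force, password-spray and unfamiliar-sign-in detection over database
login audit events, the kind of logic behind the alerts described above.

Added example, not Microsoft's detection code. Thresholds, the event shape and
the sample events are constructed for the example.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=10)
GUESS_THRESHOLD = 5   # failures for one (ip, user) pair inside WINDOW
SPRAY_THRESHOLD = 4   # distinct users failing from one ip inside WINDOW


def _trim(dq, now):
    """Drop timestamps that have fallen outside the sliding window."""
    while dq and now - dq[0] > WINDOW:
        dq.popleft()


def detect(events, baseline):
    """
    events:   iterable of {"time", "server", "ip", "user", "success"}
    baseline: {user: set of IPs that user has signed in from before}
    Returns a list of (kind, ip, user) alerts; each kind fires once per key.
    """
    alerts, fired = [], set()
    fails = defaultdict(deque)            # (ip, user) -> failure times
    last_fail_by_ip = defaultdict(dict)   # ip -> {user: last failure time}

    def fire(kind, ip, user):
        if (kind, ip, user) not in fired:
            fired.add((kind, ip, user))
            alerts.append((kind, ip, user))

    for e in sorted(events, key=lambda e: e["time"]):
        ip, user, now = e["ip"], e["user"], e["time"]
        dq = fails[(ip, user)]
        _trim(dq, now)
        if not e["success"]:
            dq.append(now)
            if len(dq) >= GUESS_THRESHOLD:
                fire("password_guessing", ip, user)
            last_fail_by_ip[ip][user] = now
            active = [u for u, t in last_fail_by_ip[ip].items() if now - t <= WINDOW]
            if len(active) >= SPRAY_THRESHOLD:
                fire("password_spraying", ip, "*")
            continue
        # Successful sign-in: the interesting cases are a success that follows
        # failures from the same source, and a source this user has never used.
        if dq:
            fire("success_after_failures", ip, user)
        if ip not in baseline.get(user, set()):
            fire("unfamiliar_source_ip", ip, user)
    return alerts


def _ev(minute, ip, user, success, server="sqlsrv-prod"):
    """Build one constructed audit event at 10:<minute> on a fixed day."""
    return {"time": datetime(2025, 4, 26, 10, minute), "server": server,
            "ip": ip, "user": user, "success": success}


# Constructed audit events: a guessing attack on "sa" that eventually succeeds,
# a low-and-slow spray across several accounts, and one legitimate login.
SAMPLE_EVENTS = (
    [_ev(m, "203.0.113.9", "sa", False) for m in range(0, 6)]
    + [_ev(7, "203.0.113.9", "sa", True)]
    + [_ev(10 + i, "198.51.100.7", u, False)
       for i, u in enumerate(["alice", "bob", "carol", "dave", "erin"])]
    + [_ev(20, "10.0.0.5", "alice", True)]
)
BASELINE = {"sa": {"10.0.0.5"}, "alice": {"10.0.0.5"}}

if __name__ == "__main__":
    for a in detect(SAMPLE_EVENTS, BASELINE):
        print(a)
```

The spray check keys on the source IP rather than the account, which is what separates it from password guessing: each account sees only one failure, so a per-account threshold never fires. The baseline lookup is the simplest form of the "user that does not commonly log in" logic; the row for T1213 notes that the product does not document how it decides what is unusual, so any real baseline should be built from your own audit history.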
ai_security_recommendations | Microsoft Defender for Cloud: AI Security Recommendations | protect | minimal | T1040 | Network Sniffing |
Comments
This control's recommendations related to enforcing the usage of the secure versions of the HTTP and FTP protocols (HTTPS and FTPS) can lead to encrypting traffic which reduces the ability for an adversary to gather sensitive data via network sniffing.
This also applies to the "Service Fabric clusters should have the ClusterProtectionLevel property set to EncryptAndSign", "Enforce SSL connection should be enabled for MySQL database servers", "Enforce SSL connection should be enabled for PostgreSQL database servers", "Only secure connections to your Redis Cache should be enabled" and "Secure transfer to storage accounts should be enabled" recommendations for their respective protocols.
The "Usage of host networking and ports should be restricted" recommendation for Kubernetes clusters can also lead to mitigating this technique.
These recommendations are limited to specific technologies on the platform and therefore their coverage score is Minimal.
References
|
ai_security_recommendations | Microsoft Defender for Cloud: AI Security Recommendations | protect | minimal | T1053 | Scheduled Task/Job |
Comments
This control's "Immutable (read-only) root filesystem should be enforced for containers" recommendation can mitigate a few of the sub-techniques of this technique. Due to its Minimal coverage, its score is assessed as Minimal.
References
|
ai_security_recommendations | Microsoft Defender for Cloud: AI Security Recommendations | protect | minimal | T1053.003 | Cron |
Comments
This control's "Immutable (read-only) root filesystem should be enforced for containers" recommendation can lead to preventing the addition or modification of config files in Kubernetes containers required to implement the behaviors described in this sub-technique. Because this is a recommendation, and specific to Kubernetes containers, its score is assessed as Minimal.
References
|
ai_security_recommendations | Microsoft Defender for Cloud: AI Security Recommendations | protect | minimal | T1053.006 | Systemd Timers |
Comments
This control's "Immutable (read-only) root filesystem should be enforced for containers" recommendation can lead to preventing the addition or modification of config files in Kubernetes containers required to implement the behaviors described in this sub-technique. Because this is a recommendation, and specific to Kubernetes containers, its score is assessed as Minimal.
References
|
ai_security_recommendations | Microsoft Defender for Cloud: AI Security Recommendations | protect | minimal | T1078 | Valid Accounts |
Comments
This control's recommendations about removing deprecated and external accounts with sensitive permissions from your subscription can lead to mitigating the Cloud Accounts sub-technique of this technique. Because this is a recommendation and has low coverage, it is assessed as Minimal.
References
|
ai_security_recommendations | Microsoft Defender for Cloud: AI Security Recommendations | protect | minimal | T1078.004 | Cloud Accounts |
Comments
This control's "Deprecated accounts should be removed from your subscription" and "Deprecated accounts with owner permissions should be removed from your subscription" recommendations can lead to removing accounts that should not be utilized from your subscriptions, thereby denying adversaries the usage of these accounts to find ways to access your data without being noticed.
Likewise, the recommendations related to External account permissions can also mitigate this sub-technique.
Because these are recommendations and only limited to deprecated and external accounts, this is scored as Minimal.
References
|
ai_security_recommendations | Microsoft Defender for Cloud: AI Security Recommendations | protect | minimal | T1098 | Account Manipulation |
Comments
This control's "Immutable (read-only) root filesystem should be enforced for containers" recommendation can prevent modification of the SSH authorized_keys file. Because it is a recommendation and limited to only one sub-technique, its score is Minimal.
References
|
ai_security_recommendations | Microsoft Defender for Cloud: AI Security Recommendations | protect | minimal | T1098.004 | SSH Authorized Keys |
Comments
This control's "Immutable (read-only) root filesystem should be enforced for containers" recommendation can lead to preventing modification of a Kubernetes container's file system which can mitigate this technique. Because this recommendation is specific to Kubernetes containers, its score is Minimal.
References
|
ai_security_recommendations | Microsoft Defender for Cloud: AI Security Recommendations | protect | minimal | T1110 | Brute Force |
Comments
This control's "Authentication to Linux machines should require SSH keys" recommendation can prevent SSH password brute-force attacks by requiring key-based authentication, which removes the password such attacks guess. Because this is specific to Linux, the coverage score is Minimal, leading to an overall Minimal score.
References
|
ai_security_recommendations | Microsoft Defender for Cloud: AI Security Recommendations | protect | minimal | T1110.001 | Password Guessing |
Comments
This control's "Authentication to Linux machines should require SSH keys" recommendation can prevent SSH password brute-force attacks by requiring key-based authentication, which removes the password such attacks guess. Because this is specific to Linux, the coverage score is Minimal, leading to an overall Minimal score.
References
|
ai_security_recommendations | Microsoft Defender for Cloud: AI Security Recommendations | protect | minimal | T1110.003 | Password Spraying |
Comments
This control's "Authentication to Linux machines should require SSH keys" recommendation can prevent SSH password brute-force attacks by requiring key-based authentication, which removes the password such attacks guess. Because this is specific to Linux, the coverage score is Minimal, leading to an overall Minimal score.
References
|
ai_security_recommendations | Microsoft Defender for Cloud: AI Security Recommendations | protect | minimal | T1110.004 | Credential Stuffing |
Comments
This control's "Authentication to Linux machines should require SSH keys" recommendation can prevent SSH password brute-force attacks by requiring key-based authentication, which removes the password such attacks guess. Because this is specific to Linux, the coverage score is Minimal, leading to an overall Minimal score.
References
|
ai_security_recommendations | Microsoft Defender for Cloud: AI Security Recommendations | protect | minimal | T1136 | Create Account |
Comments
This control's "Immutable (read-only) root filesystem should be enforced for containers" recommendation can mitigate a sub-technique of this technique. Due to its Minimal coverage, its score is assessed as Minimal.
References
|
ai_security_recommendations | Microsoft Defender for Cloud: AI Security Recommendations | protect | minimal | T1190 | Exploit Public-Facing Application |
Comments
This control's CORS-related recommendations can help lead to hardened web applications. This can reduce the likelihood of an application being exploited to reveal sensitive data that can lead to the compromise of an environment.
Likewise this control's recommendations related to keeping Java/PHP up to date for API/Function/Web apps can lead to hardening the public facing content that uses these runtimes.
This control's recommendations related to disabling Public network access for Azure databases can lead to reducing the exposure of resources to the public Internet and thereby reduce the attack surface.
These recommendations are limited to specific technologies (Java, PHP, CORS and SQL databases) and therefore provide Minimal coverage, leading to a Minimal score.
References
|
ai_security_recommendations | Microsoft Defender for Cloud: AI Security Recommendations | protect | minimal | T1222 | File and Directory Permissions Modification |
Comments
This control's "Immutable (read-only) root filesystem should be enforced for containers" recommendation can mitigate a sub-technique of this technique. Due to its Minimal coverage, its score is assessed as Minimal.
References
|
ai_security_recommendations | Microsoft Defender for Cloud: AI Security Recommendations | protect | minimal | T1222.002 | Linux and Mac File and Directory Permissions Modification |
Comments
This control's "Immutable (read-only) root filesystem should be enforced for containers" recommendation can lead to preventing the modification of the file system permissions in Kubernetes containers thereby mitigating this sub-technique. Because this is a recommendation, and specific to Kubernetes containers, its score is assessed as Minimal.
References
|
ai_security_recommendations | Microsoft Defender for Cloud: AI Security Recommendations | protect | minimal | T1499 | Endpoint Denial of Service |
Comments
This control provides recommendations for limiting the CPU and memory resources consumed by a container to minimize resource exhaustion attacks. Because this control only covers one sub-technique of this technique, its score is assessed as Minimal.
References
|
ai_security_recommendations | Microsoft Defender for Cloud: AI Security Recommendations | protect | minimal | T1505 | Server Software Component |
Comments
This control's "Immutable (read-only) root filesystem should be enforced for containers" recommendation can mitigate a sub-technique of this technique. Due to its Minimal coverage, its score is assessed as Minimal.
References
|
ai_security_recommendations | Microsoft Defender for Cloud: AI Security Recommendations | protect | minimal | T1505.003 | Web Shell |
Comments
This control's "Immutable (read-only) root filesystem should be enforced for containers" recommendation can lead to preventing modifications to the file system in Kubernetes containers which can mitigate adversaries installing web shells. Because this is a recommendation, and specific to Kubernetes containers, its score is assessed as Minimal.
References
|
ai_security_recommendations | Microsoft Defender for Cloud: AI Security Recommendations | protect | minimal | T1543 | Create or Modify System Process |
Comments
This control's "Immutable (read-only) root filesystem should be enforced for containers" recommendation can mitigate a sub-technique of this technique. Due to its Minimal coverage, its score is assessed as Minimal.
References
|
ai_security_recommendations | Microsoft Defender for Cloud: AI Security Recommendations | protect | minimal | T1543.002 | Systemd Service |
Comments
This control's "Immutable (read-only) root filesystem should be enforced for containers" recommendation can lead to preventing the addition or modification of systemd service files in Kubernetes containers thereby mitigating this sub-technique. Because this is a recommendation, and specific to Kubernetes containers, its score is assessed as Minimal.
References
|
ai_security_recommendations | Microsoft Defender for Cloud: AI Security Recommendations | protect | minimal | T1546 | Event Triggered Execution |
Comments
This control's "Immutable (read-only) root filesystem should be enforced for containers" recommendation can mitigate a sub-technique of this technique. Due to its Minimal coverage, its score is assessed as Minimal.
References
|
ai_security_recommendations | Microsoft Defender for Cloud: AI Security Recommendations | protect | minimal | T1546.004 | Unix Shell Configuration Modification |
Comments
This control's "Immutable (read-only) root filesystem should be enforced for containers" recommendation can lead to preventing the addition or modification of the file system in Kubernetes containers thereby mitigating this sub-technique. Because this is a recommendation, and specific to Kubernetes containers, its score is assessed as Minimal.
References
|
ai_security_recommendations | Microsoft Defender for Cloud: AI Security Recommendations | protect | minimal | T1556 | Modify Authentication Process |
Comments
This control's "Immutable (read-only) root filesystem should be enforced for containers" recommendation can mitigate a sub-technique of this technique. Due to it being a recommendation and providing minimal coverage, its score is assessed as Minimal.
References
|
ai_security_recommendations | Microsoft Defender for Cloud: AI Security Recommendations | protect | minimal | T1556.003 | Pluggable Authentication Modules |
Comments
This control's "Immutable (read-only) root filesystem should be enforced for containers" recommendation can lead to preventing this sub-technique which often modifies Pluggable Authentication Modules (PAM) components in the file system. Because this is a recommendation, and specific to Kubernetes containers, its score is assessed as Minimal.
References
|
ai_security_recommendations | Microsoft Defender for Cloud: AI Security Recommendations | protect | minimal | T1564 | Hide Artifacts |
Comments
This control's "Immutable (read-only) root filesystem should be enforced for containers" recommendation can mitigate some of the sub-techniques of this technique. Due to its partial coverage and Minimal score assessed for its sub-techniques, its score is assessed as Minimal.
References
|
ai_security_recommendations | Microsoft Defender for Cloud: AI Security Recommendations | protect | minimal | T1564.001 | Hidden Files and Directories |
Comments
This control's "Immutable (read-only) root filesystem should be enforced for containers" recommendation can lead to preventing this sub-technique, which results in changes to the file system directly or indirectly during its execution. Because this is a recommendation, and specific to Kubernetes containers, its score is assessed as Minimal.
References
|
ai_security_recommendations | Microsoft Defender for Cloud: AI Security Recommendations | protect | minimal | T1564.005 | Hidden File System |
Comments
This control's "Immutable (read-only) root filesystem should be enforced for containers" recommendation can lead to preventing this sub-technique, which results in changes to the file system directly or indirectly during its execution. Because this is a recommendation, and specific to Kubernetes containers, its score is assessed as Minimal.
References
|
ai_security_recommendations | Microsoft Defender for Cloud: AI Security Recommendations | protect | minimal | T1564.006 | Run Virtual Instance |
Comments
This control's "Immutable (read-only) root filesystem should be enforced for containers" recommendation can lead to preventing this sub-technique, which results in changes to the file system directly or indirectly during its execution. Because this is a recommendation, and specific to Kubernetes containers, its score is assessed as Minimal.
References
|
ai_security_recommendations | Microsoft Defender for Cloud: AI Security Recommendations | protect | minimal | T1565 | Data Manipulation |
Comments
This control's "Immutable (read-only) root filesystem should be enforced for containers" recommendation can lead to mitigating a sub-technique of this technique by preventing modification of the local filesystem. Due to it being a recommendation and mitigating only one sub-technique, its score is assessed as Minimal.
References
|
ai_security_recommendations | Microsoft Defender for Cloud: AI Security Recommendations | protect | partial | T1068 | Exploitation for Privilege Escalation |
Comments
This control's "Container with privilege escalation should be avoided", "Least privileged Linux capabilities should be enforced for containers", "Privileged containers should be avoided", "Running containers as root user should be avoided" and "Containers sharing sensitive host namespaces should be avoided" recommendations can make it difficult for adversaries to advance their operation through exploitation of undiscovered or unpatched vulnerabilities. Because this is a recommendation, the assessed score has been capped at Partial.
References
|
ai_security_recommendations | Microsoft Defender for Cloud: AI Security Recommendations | protect | partial | T1074 | Data Staged |
Comments
This control's "Immutable (read-only) root filesystem should be enforced for containers" recommendation can lead to mitigating a sub-technique of this technique by preventing modification of the local filesystem. Due to it being a recommendation, its score is capped at Partial.
References
|
ai_security_recommendations | Microsoft Defender for Cloud: AI Security Recommendations | protect | partial | T1074.001 | Local Data Staging |
Comments
This control's "Immutable (read-only) root filesystem should be enforced for containers" recommendation can lead to mitigating this sub-technique by preventing modification of the local filesystem. Due to it being a recommendation, its score is capped at Partial.
References
|
ai_security_recommendations | Microsoft Defender for Cloud: AI Security Recommendations | protect | partial | T1080 | Taint Shared Content |
Comments
This control's "Immutable (read-only) root filesystem should be enforced for containers" and "Usage of pod HostPath volume mounts should be restricted to a known list to restrict node access from compromised containers" recommendations can mitigate this technique. Due to it being a recommendation, its score is capped at Partial.
References
|
ai_security_recommendations | Microsoft Defender for Cloud: AI Security Recommendations | protect | partial | T1133 | External Remote Services |
Comments
This control's "Management ports should be closed on your virtual machines" recommendation can reduce the attack surface of your Azure VMs by closing management ports, such as SSH and RDP, to the Internet. Because this is a recommendation, its score is limited to Partial.
References
|
ai_security_recommendations | Microsoft Defender for Cloud: AI Security Recommendations | protect | partial | T1136.001 | Local Account |
Comments
This control's "Immutable (read-only) root filesystem should be enforced for containers" recommendation can lead to preventing system files from being modified in Kubernetes containers thereby mitigating this sub-technique since adding an account (on Linux) requires modifying system files. Because this is a recommendation, its score is capped at Partial.
References
|
ai_security_recommendations | Microsoft Defender for Cloud: AI Security Recommendations | protect | partial | T1485 | Data Destruction |
Comments
This control's "Immutable (read-only) root filesystem should be enforced for containers" recommendation can lead to mitigating this technique by preventing modification of the local filesystem. Due to it being a recommendation, its score is capped at Partial.
References
|
ai_security_recommendations | Microsoft Defender for Cloud: AI Security Recommendations | protect | partial | T1486 | Data Encrypted for Impact |
Comments
This control's "Immutable (read-only) root filesystem should be enforced for containers" recommendation can lead to mitigating this technique by preventing modification of the local filesystem. Due to it being a recommendation, its score is capped at Partial.
References
|
ai_security_recommendations | Microsoft Defender for Cloud: AI Security Recommendations | protect | partial | T1499.001 | OS Exhaustion Flood |
Comments
This control's "Container CPU and memory limits should be enforced" recommendation can lead to preventing resource exhaustion attacks by recommending enforcing limits for containers to ensure the runtime prevents the container from using more than the configured resource limit. Because this is a recommendation, its score is capped at Partial.
References
|
ai_security_recommendations | Microsoft Defender for Cloud: AI Security Recommendations | protect | partial | T1525 | Implant Internal Image |
Comments
This control's "Container images should be deployed from trusted registries only", "Container registries should not allow unrestricted network access" and "Container registries should use private link" recommendations can lead to ensuring that container images are only loaded from trusted registries thereby mitigating this technique.
References
|
ai_security_recommendations | Microsoft Defender for Cloud: AI Security Recommendations | protect | partial | T1542 | Pre-OS Boot |
Comments
This control provides recommendations for enabling Secure Boot of Linux VMs that can mitigate a few of the sub-techniques of this technique. Because this is a recommendation and only limited to a few sub-techniques of this technique, its assessed score is Partial.
References
|
ai_security_recommendations | Microsoft Defender for Cloud: AI Security Recommendations | protect | partial | T1542.001 | System Firmware |
Comments
This control's "Secure Boot should be enabled on your Linux virtual machine" and "Virtual machines should be attested for boot integrity health" recommendations can lead to enabling secure boot on Linux VMs to mitigate this sub-technique. Because this is a recommendation and is specific to Linux VMs, its score is capped at Partial.
References
|
ai_security_recommendations | Microsoft Defender for Cloud: AI Security Recommendations | protect | partial | T1542.003 | Bootkit |
Comments
This control's "Secure Boot should be enabled on your Linux virtual machine" and "Virtual machines should be attested for boot integrity health" recommendations can lead to enabling secure boot on Linux VMs to mitigate this sub-technique. Because this is a recommendation and is specific to Linux VMs, its score is capped at Partial.
References
|
ai_security_recommendations | Microsoft Defender for Cloud: AI Security Recommendations | protect | partial | T1554 | Compromise Host Software Binary |
Comments
This control's "Immutable (read-only) root filesystem should be enforced for containers" recommendation can lead to preventing modification of binaries in Kubernetes containers thereby mitigating this technique. Because this is a recommendation, its score is capped at Partial.
References
|
ai_security_recommendations | Microsoft Defender for Cloud: AI Security Recommendations | protect | partial | T1562.010 | Downgrade Attack |
Comments
This control may prevent downgrade attacks by enforcing use of HTTPS protocol.
References
|
ai_security_recommendations | Microsoft Defender for Cloud: AI Security Recommendations | protect | partial | T1565.001 | Stored Data Manipulation |
Comments
This control's "Immutable (read-only) root filesystem should be enforced for containers" recommendation can lead to mitigating this sub-technique by preventing modification of the local filesystem.
Likewise this control's recommendations related to using customer-managed keys to encrypt data at rest and enabling transparent data encryption for SQL databases can mitigate this sub-technique by reducing an adversary's ability to perform tailored data modifications.
Due to it being a recommendation, its score is capped at Partial.
References
|
ai_threat_protection | Microsoft Defender for Cloud: AI Threat Protection | detect | partial | T1090.003 | Multi-hop Proxy |
Comments
This capability can detect (alert: AI.Azure_AccessFromAnonymizedIP) when an AI is accessed from a Tor network IP.
References
|
ai_threat_protection | Microsoft Defender for Cloud: AI Threat Protection | detect | partial | T1491 | Defacement |
Comments
This capability can alert (using AI.Azure_MaliciousUrl.ModelResponse) when an AI model has shared a malicious URL with a user.
References
|
ai_threat_protection | Microsoft Defender for Cloud: AI Threat Protection | detect | partial | T1552 | Unsecured Credentials |
Comments
This control provides detection of unsecured credentials being divulged by AI model responses.
References
|
ai_threat_protection | Microsoft Defender for Cloud: AI Threat Protection | detect | significant | T1496.004 | Cloud Service Hijacking |
Comments
This capability has multiple alerts (AI.Azure_DOWDuplicateRequests, AI.Azure_DOWVolumeAnomaly) that can detect abuse of an AI for financial impact on an organization.
References
|
alerts_for_azure_cosmos_db | Alerts for Azure Cosmos DB | detect | minimal | T1078 | Valid Accounts |
Comments
This control's detection is specific to the Cosmos DB and therefore provides minimal overall detection coverage for Valid Accounts resulting in a Minimal score. A relevant alert is "Access from an unusual location to a Cosmos DB account".
References
|
alerts_for_azure_cosmos_db | Alerts for Azure Cosmos DB | detect | minimal | T1078.004 | Cloud Accounts |
Comments
This control triggers an alert when there is a change in the access pattern to an Azure Cosmos account based on access from an unusual geographical location. False positives are fairly likely and misuse from a typical location is not covered, so the score is Minimal. The relevant alert is "Access from an unusual location to a Cosmos DB account".
References
|
alerts_for_azure_cosmos_db | Alerts for Azure Cosmos DB | detect | minimal | T1213 | Data from Information Repositories |
Comments
This control triggers an alert when an unusually large amount of data is extracted from/by an account compared to recent activity. False positives are fairly likely and extraction in quantities below the control's threshold is not detected, so the score is Minimal. Neither of the sub-techniques is relevant in this context, since they are repository-specific. The relevant alert is "Unusual amount of data extracted from a Cosmos DB account".
References
|
alerts_for_azure_network_layer | Alerts for Azure Network Layer | detect | minimal | T1071 | Application Layer Protocol |
Comments
This control can identify connections to known malicious sites. Scored minimal since the malicious sites must be on a block list.
References
|
alerts_for_azure_network_layer | Alerts for Azure Network Layer | detect | minimal | T1071.001 | Web Protocols |
Comments
This control can identify connections to known malicious sites. Scored minimal since the malicious sites must be on a block list.
References
|
alerts_for_azure_network_layer | Alerts for Azure Network Layer | detect | minimal | T1071.002 | File Transfer Protocols |
Comments
This control can identify connections to known malicious sites. Scored minimal since the malicious sites must be on a block list.
References
|
alerts_for_azure_network_layer | Alerts for Azure Network Layer | detect | minimal | T1071.003 | Mail Protocols |
Comments
This control can identify connections to known malicious sites. Scored minimal since the malicious sites must be on a block list.
References
|
alerts_for_azure_network_layer | Alerts for Azure Network Layer | detect | minimal | T1071.004 | DNS |
Comments
This control can identify connections to known malicious sites. Scored minimal since the malicious sites must be on a block list.
References
|
alerts_for_azure_network_layer | Alerts for Azure Network Layer | detect | partial | T1071.005 | Publish/Subscribe Protocols |
Comments
This control can identify connections to known malicious sites.
References
|
alerts_for_azure_network_layer | Alerts for Azure Network Layer | detect | partial | T1133 | External Remote Services |
Comments
This control can potentially identify malicious use of remote services via alerts such as "Suspicious incoming RDP network activity" and "Suspicious Incoming SSH network activity".
References
|
alerts_for_azure_network_layer | Alerts for Azure Network Layer | detect | significant | T1110 | Brute Force |
Comments
This control can identify multiple connection attempts by external IPs, which may be indicative of Brute Force attempts, though not T1110.002, which is performed offline. It provides significant detection from most of this technique's sub-techniques and procedure examples resulting in an overall score of Significant.
References
|
alerts_for_azure_network_layer | Alerts for Azure Network Layer | detect | significant | T1110.001 | Password Guessing |
Comments
This control can identify multiple connection attempts by external IPs, which may be indicative of Brute Force attempts, though not T1110.002, which is performed offline.
References
|
alerts_for_azure_network_layer | Alerts for Azure Network Layer | detect | significant | T1110.003 | Password Spraying |
Comments
This control can identify multiple connection attempts by external IPs, which may be indicative of Brute Force attempts, though not T1110.002, which is performed offline.
References
|
alerts_for_azure_network_layer | Alerts for Azure Network Layer | detect | significant | T1110.004 | Credential Stuffing |
Comments
This control can identify multiple connection attempts by external IPs, which may be indicative of Brute Force attempts, though not T1110.002, which is performed offline.
References
|
alerts_for_dns | Alerts for DNS | detect | minimal | T1048 | Exfiltration Over Alternative Protocol |
Comments
Can detect anomalous use of DNS. Because this detection is specific to DNS, its coverage score is Minimal resulting in an overall Minimal score.
References
|
alerts_for_dns | Alerts for DNS | detect | minimal | T1071 | Application Layer Protocol |
Comments
Can detect potential DNS protocol misuse/anomalies. Technique coverage is restricted to DNS and therefore results in a Minimal score.
References
|
alerts_for_dns | Alerts for DNS | detect | minimal | T1090 | Proxy |
Comments
Can detect DNS activity to anonymity networks e.g. TOR. Because this detection is specific to DNS, its coverage score is Minimal resulting in an overall Minimal score.
References
|
alerts_for_dns | Alerts for DNS | detect | minimal | T1572 | Protocol Tunneling |
Comments
Can identify protocol misuse/anomalies in DNS. Because this detection is specific to DNS, its coverage score is Minimal resulting in an overall Minimal score.
References
|
alerts_for_dns | Alerts for DNS | detect | partial | T1568 | Dynamic Resolution |
Comments
Can identify "random" DNS occurrences which can be associated with the Domain Generation Algorithms or Fast Flux DNS sub-techniques. Partial for coverage and accuracy (potential for false positives from benign names).
References
|
alerts_for_dns | Alerts for DNS | detect | partial | T1568.001 | Fast Flux DNS |
Comments
Detects "random" DNS name occurrences, potentially indicative of Fast Flux or DGA. Potential false positives from benign "random" DNS names.
References
|
alerts_for_dns | Alerts for DNS | detect | partial | T1568.002 | Domain Generation Algorithms |
Comments
Detects "random" DNS name occurrences, potentially indicative of Fast Flux or DGA. Potential false positives from benign "random" DNS names.
References
|
alerts_for_dns | Alerts for DNS | detect | significant | T1071.004 | DNS |
Comments
Can alert on anomalies and misuse of the DNS protocol.
References
|
alerts_for_linux_machines | Alerts for Linux Machines | detect | minimal | T1021 | Remote Services |
Comments
This control is only relevant for Linux environments. Among the sub-techniques that are relevant for Linux, this control may only alert on SSH.
References
|
alerts_for_linux_machines | Alerts for Linux Machines | detect | minimal | T1027 | Obfuscated Files or Information |
Comments
This control only provides detection coverage for the Compile After Delivery sub-technique while not providing detection for all other sub-techniques relevant to the Linux platform or most of its procedure examples. As a result of this minimal coverage, the overall score is assessed as Minimal.
References
|
alerts_for_linux_machines | Alerts for Linux Machines | detect | minimal | T1027.004 | Compile After Delivery |
Comments
This control may alert on suspicious compilation. No documentation is provided on the logic for determining a suspicious compilation event.
References
|
alerts_for_linux_machines | Alerts for Linux Machines | detect | minimal | T1059 | Command and Scripting Interpreter |
Comments
This control may alert on suspicious Unix shell and PHP execution. Mismatched script extensions may also generate alerts of suspicious activity. Only one of the technique's sub-techniques is covered, resulting in a score of Minimal.
References
|
alerts_for_linux_machines | Alerts for Linux Machines | detect | minimal | T1068 | Exploitation for Privilege Escalation |
Comments
This control may alert on suspicious arguments used to exploit Xorg vulnerabilities for privilege escalation.
References
|
alerts_for_linux_machines | Alerts for Linux Machines | detect | minimal | T1098 | Account Manipulation |
Comments
This control provides partial detection for only one of this technique's sub-techniques and does not cover most of its procedure examples, resulting in a score of Minimal.
References
|
alerts_for_linux_machines | Alerts for Linux Machines | detect | minimal | T1136 | Create Account |
Comments
This control is only relevant for Linux endpoints, and it provides partial coverage for the only sub-technique relevant on Linux endpoints, Local Account.
References
|
alerts_for_linux_machines | Alerts for Linux Machines | detect | minimal | T1505 | Server Software Component |
Comments
This control provides coverage for the only sub-technique this control is relevant for, Web Shell, but that coverage is Minimal.
References
|
alerts_for_linux_machines | Alerts for Linux Machines | detect | minimal | T1505.003 | Web Shell |
Comments
This control may alert on usage of web shells. No documentation is provided on logic for this detection.
References
|
alerts_for_linux_machines | Alerts for Linux Machines | detect | minimal | T1547 | Boot or Logon Autostart Execution |
Comments
This control is only relevant for Linux endpoint machines and the only sub-technique relevant for Linux is Kernel Modules and Extensions.
References
|
alerts_for_linux_machines | Alerts for Linux Machines | detect | minimal | T1562 | Impair Defenses |
Comments
This control only provides coverage for a minority of the sub-techniques under this technique and provides no coverage for other relevant sub-techniques, such as Impair Command History Logging or Disable or Modify Tools, resulting in a score of Minimal.
References
|
alerts_for_linux_machines | Alerts for Linux Machines | detect | minimal | T1562.006 | Indicator Blocking |
Comments
This control may alert on activity which disables auditd logging on Linux endpoints. The auditd package may not be the only logging system being utilized and this control may not alert on activity that disables other logging software.
References
|
alerts_for_linux_machines | Alerts for Linux Machines | detect | minimal | T1564 | Hide Artifacts |
Comments
This control only provides coverage for a minority of this technique's relevant sub-techniques, resulting in a score of Minimal.
References
|
alerts_for_linux_machines | Alerts for Linux Machines | detect | minimal | T1564.001 | Hidden Files and Directories |
Comments
This control may alert on the execution of hidden files. Since this control is only triggered on execution, it may not fire on a variety of hidden files or directories that are being utilized for malicious purposes.
References
|
alerts_for_linux_machines | Alerts for Linux Machines | detect | partial | T1003 | OS Credential Dumping |
Comments
This control is only relevant for Linux environments, and provides partial coverage for one of the technique's two Linux-relevant sub-techniques.
References
|
alerts_for_linux_machines | Alerts for Linux Machines | detect | partial | T1003.008 | /etc/passwd and /etc/shadow |
Comments
This control may alert on suspicious access to encrypted user passwords. The documentation does not reference "/etc/passwd" and "/etc/shadow" directly nor does it describe the logic in determining suspicious access.
References
|
alerts_for_linux_machines | Alerts for Linux Machines | detect | partial | T1021.004 | SSH |
Comments
This control may alert on SSH brute force attempts, addition of new SSH keys, and usage of an SSH server within a container. Alerts may not be generated by usage of existing SSH keys by malicious actors for lateral movement.
References
|
alerts_for_linux_machines | Alerts for Linux Machines | detect | partial | T1021.007 | Cloud Services |
Comments
This control can detect abuse of remote services.
References
|
alerts_for_linux_machines | Alerts for Linux Machines | detect | partial | T1021.008 | Direct Cloud VM Connections |
Comments
This control can detect direct cloud VM connections.
References
|
alerts_for_linux_machines | Alerts for Linux Machines | detect | partial | T1027.008 | Stripped Payloads |
Comments
This control can detect stripped payloads.
References
|
alerts_for_linux_machines | Alerts for Linux Machines | detect | partial | T1027.009 | Embedded Payloads |
Comments
This control can detect embedded payloads.
References
|
alerts_for_linux_machines | Alerts for Linux Machines | detect | partial | T1027.010 | Command Obfuscation |
Comments
This control can detect command obfuscation attacks.
References
|
alerts_for_linux_machines | Alerts for Linux Machines | detect | partial | T1027.013 | Encrypted/Encoded File |
Comments
This control can detect obfuscation via encrypted/encoded files.
References
|
alerts_for_linux_machines | Alerts for Linux Machines | detect | partial | T1027.014 | Polymorphic Code |
Comments
This control can detect obfuscation via polymorphic code.
References
|
alerts_for_linux_machines | Alerts for Linux Machines | detect | partial | T1036.008 | Masquerade File Type |
Comments
This control can detect if files are created or edited where the header and extension do not match.
References
|
alerts_for_linux_machines | Alerts for Linux Machines | detect | partial | T1059.004 | Unix Shell |
Comments
This control may alert on suspicious command-line activity. Alerts may be generated on possible detection of shellcode usage on the command line, based on arguments, location, user, etc.
References
|
alerts_for_linux_machines | Alerts for Linux Machines | detect | partial | T1070 | Indicator Removal |
Comments
This control is only relevant for Linux environments and provides partial coverage for multiple Linux-relevant sub-techniques.
References
|
alerts_for_linux_machines | Alerts for Linux Machines | detect | partial | T1070.002 | Clear Linux or Mac System Logs |
Comments
This control may alert on possible log tampering activity, including deletion of logs. No documentation is provided on which log sources are targeted by this control.
References
|
alerts_for_linux_machines | Alerts for Linux Machines | detect | partial | T1070.003 | Clear Command History |
Comments
This control may alert on clearing of the command history file. Documentation is not provided on the logic for detecting when the command history is cleared but on Linux machines the location of the history file tends not to change from the default.
References
|
alerts_for_linux_machines | Alerts for Linux Machines | detect | partial | T1098.004 | SSH Authorized Keys |
Comments
This control may alert on addition of new SSH keys to the authorized key file and unusual process access of the authorized key file.
References
|
alerts_for_linux_machines | Alerts for Linux Machines | detect | partial | T1110 | Brute Force |
Comments
This control provides partial coverage for most of this technique's sub-techniques and procedures.
References
|
alerts_for_linux_machines | Alerts for Linux Machines | detect | partial | T1110.001 | Password Guessing |
Comments
This control may alert on multiple successful and failed brute force attempts against SSH. There are no alerts for other methods of logging into Linux machines.
References
|
alerts_for_linux_machines | Alerts for Linux Machines | detect | partial | T1110.003 | Password Spraying |
Comments
This control may alert on multiple successful and failed brute force attempts against SSH. There are no alerts for other methods of logging into Linux machines.
References
|
alerts_for_linux_machines | Alerts for Linux Machines | detect | partial | T1110.004 | Credential Stuffing |
Comments
This control may alert on multiple successful and failed brute force attempts against SSH. There are no alerts for other methods of logging into Linux machines.
References
|
alerts_for_linux_machines | Alerts for Linux Machines | detect | partial | T1113 | Screen Capture |
Comments
This control may alert on usage of a screenshot tool. Documentation is not provided on the logic for determining a screenshot tool.
References
|
alerts_for_linux_machines | Alerts for Linux Machines | detect | partial | T1136.001 | Local Account |
Comments
This control may alert on usage of the useradd command to create new users and the creation of local user accounts with suspicious similarity to other account names.
References
|
alerts_for_linux_machines | Alerts for Linux Machines | detect | partial | T1525 | Implant Internal Image |
Comments
This control may alert on suspicious container images running mining software or SSH servers. Privileged Docker containers and privileged commands running within containers may also be detected. These alerts are only generated on containers in Linux endpoint machines and not for containers running from Azure Docker deployment.
References
|
alerts_for_linux_machines | Alerts for Linux Machines | detect | partial | T1547.006 | Kernel Modules and Extensions |
Comments
This control may alert on a suspicious shared object file being loaded as a kernel module. No documentation is provided on the logic but kernel module loading is a relatively rare event and can only be done with a small set of commands.
References
|
alerts_for_linux_machines | Alerts for Linux Machines | detect | partial | T1547.013 | XDG Autostart Entries |
Comments
This control can detect command execution associated with XDG autostart entry modification.
References
|
alerts_for_linux_machines | Alerts for Linux Machines | detect | partial | T1555.002 | Securityd Memory |
Comments
This control can detect command execution associated with this technique.
References
|
alerts_for_linux_machines | Alerts for Linux Machines | detect | partial | T1555.003 | Credentials from Web Browsers |
Comments
This control can detect command execution associated with this technique.
References
|
alerts_for_linux_machines | Alerts for Linux Machines | detect | partial | T1555.005 | Password Managers |
Comments
This control can detect command execution associated with this technique.
References
|
alerts_for_linux_machines | Alerts for Linux Machines | detect | partial | T1562.004 | Disable or Modify System Firewall |
Comments
This control may alert on manipulation of the on-host firewall. Firewall rules should not be changed often in a standard environment and such an event can provide a high fidelity alert.
References
|
alerts_for_linux_machines | Alerts for Linux Machines | detect | partial | T1562.012 | Disable or Modify Linux Audit System |
Comments
This control may alert on activity which disables auditd logging on Linux endpoints. The auditd package may not be the only logging system being utilized and this control may not alert on activity that disables other logging software.
References
|
alerts_for_linux_machines | Alerts for Linux Machines | detect | partial | T1564.006 | Run Virtual Instance |
Comments
This control may alert on containers using privileged commands, running SSH servers, or running mining software.
References
|
alerts_for_windows_machines | Alerts for Windows Machines | detect | minimal | T1003 | OS Credential Dumping |
Comments
This control provides detection for a minority of this technique's sub-techniques and procedure examples resulting in a Minimal Coverage score and consequently an overall score of Minimal. Furthermore, its detection capability relies on detecting the usage of specific tools (e.g. sqldumper.exe) further adversely impacting its score.
References
|
alerts_for_windows_machines | Alerts for Windows Machines | detect | minimal | T1003.004 | LSA Secrets |
Comments
This control may detect when the registry is modified to allow logon credentials to be stored in clear text in LSA memory. This change allows a threat actor to gain plain text credentials from the host machine. The following alerts may be generated: "Detected enabling of the WDigest UseLogonCredential registry key".
References
|
alerts_for_windows_machines | Alerts for Windows Machines | detect | minimal | T1027 | Obfuscated Files or Information |
Comments
This control may detect usage of VBScript.Encode and base-64 encoding to obfuscate malicious commands and scripts. The following alerts may be generated: "Detected suspicious execution of VBScript.Encode command", "Detected encoded executable in command line data".
References
|
alerts_for_windows_machines | Alerts for Windows Machines | detect | minimal | T1048 | Exfiltration Over Alternative Protocol |
Comments
This control's detection is specific to a minority of this technique's sub-techniques and procedure examples resulting in a Minimal Coverage score and consequently an overall score of Minimal.
References
|
alerts_for_windows_machines | Alerts for Windows Machines | detect | minimal | T1048.001 | Exfiltration Over Symmetric Encrypted Non-C2 Protocol |
Comments
This control may detect suspicious use of the Telegram tool for transferring malicious binaries across hosts. The following alerts may be generated: "Detected potentially suspicious use of Telegram tool".
References
|
alerts_for_windows_machines | Alerts for Windows Machines | detect | minimal | T1059 | Command and Scripting Interpreter |
Comments
This control's detection is specific to a minority of this technique's sub-techniques resulting in a Minimal Coverage score and consequently an overall score of Minimal.
References
|
alerts_for_windows_machines | Alerts for Windows Machines | detect | minimal | T1070 | Indicator Removal |
Comments
This control's detection is specific to a minority of this technique's sub-techniques and procedure examples resulting in a Minimal Coverage score and consequently an overall score of Minimal.
References
|
alerts_for_windows_machines | Alerts for Windows Machines | detect | minimal | T1082 | System Information Discovery |
Comments
This control may detect local reconnaissance activity specific to using the systeminfo commands. The following alerts may be generated: "Detected possible local reconnaissance activity".
References
|
alerts_for_windows_machines | Alerts for Windows Machines | detect | minimal | T1136 | Create Account |
Comments
This control's detection is specific to a minority of this technique's sub-techniques resulting in a Minimal Coverage score and consequently an overall score of Minimal.
References
|
alerts_for_windows_machines | Alerts for Windows Machines | detect | minimal | T1202 | Indirect Command Execution |
Comments
This control may detect suspicious use of Pcalua.exe to launch executable code. There are other methods of indirect command execution that this control may not detect. The following alerts may be generated: "Detected suspicious use of Pcalua.exe to launch executable code".
References
|
alerts_for_windows_machines | Alerts for Windows Machines | detect | minimal | T1218 | System Binary Proxy Execution |
Comments
This control's detection is specific to a minority of this technique's sub-techniques resulting in a Minimal Coverage score and consequently an overall score of Minimal.
References
|
alerts_for_windows_machines | Alerts for Windows Machines | detect | minimal | T1222 | File and Directory Permissions Modification |
Comments
This control provides minimal detection for some of this technique's sub-techniques resulting in an overall score of Minimal.
References
|
alerts_for_windows_machines | Alerts for Windows Machines | detect | minimal | T1222.001 | Windows File and Directory Permissions Modification |
Comments
This control may detect the usage of cacls.exe to modify file and directory permissions. The following alerts may be generated: "Detected suspicious use of Cacls to lower the security state of the system".
References
|
alerts_for_windows_machines | Alerts for Windows Machines | detect | minimal | T1489 | Service Stop |
Comments
This control may detect when critical services have been disabled through the usage of specifically net.exe. The following alerts may be generated: "Detected the disabling of critical services".
References
|
alerts_for_windows_machines | Alerts for Windows Machines | detect | minimal | T1543 | Create or Modify System Process |
Comments
This control's detection is specific to a minority of this technique's sub-techniques resulting in a Minimal Coverage score and consequently an overall score of Minimal.
References
|
alerts_for_windows_machines | Alerts for Windows Machines | detect | minimal | T1546 | Event Triggered Execution |
Comments
This control's detection is specific to a minority of this technique's sub-techniques resulting in a Minimal Coverage score and consequently an overall score of Minimal.
References
|
alerts_for_windows_machines | Alerts for Windows Machines | detect | minimal | T1547 | Boot or Logon Autostart Execution |
Comments
This control's detection is specific to a minority of this technique's sub-techniques resulting in a Minimal Coverage score and consequently an overall score of Minimal.
References
|
alerts_for_windows_machines | Alerts for Windows Machines | detect | minimal | T1548 | Abuse Elevation Control Mechanism |
Comments
The only sub-technique scored (Bypass User Account Control) is the only one relevant to Windows.
References
|
alerts_for_windows_machines | Alerts for Windows Machines | detect | minimal | T1548.002 | Bypass User Account Control |
Comments
This control may detect when User Account Control is bypassed by manipulating the Windows registry. There may be other methods to bypass User Account Control, which limits the score to Minimal. The following alerts may be generated: "Detected change to a registry key that can be abused to bypass UAC".
References
|
alerts_for_windows_machines | Alerts for Windows Machines | detect | minimal | T1558 | Steal or Forge Kerberos Tickets |
Comments
This control's detection is specific to a minority of this technique's sub-techniques resulting in a Minimal Coverage score and consequently an overall score of Minimal.
References
|
alerts_for_windows_machines | Alerts for Windows Machines | detect | minimal | T1562 | Impair Defenses |
Comments
This control's detection is specific to a minority of this technique's sub-techniques resulting in a Minimal Coverage score and consequently an overall score of Minimal.
References
|
alerts_for_windows_machines | Alerts for Windows Machines | detect | minimal | T1564 | Hide Artifacts |
Comments
This control's detection is specific to a minority of this technique's sub-techniques resulting in a Minimal Coverage score and consequently an overall score of Minimal.
References
|
alerts_for_windows_machines | Alerts for Windows Machines | detect | partial | T1027.008 | Stripped Payloads |
Comments
This control can detect stripped payloads.
References
|
alerts_for_windows_machines | Alerts for Windows Machines | detect | partial | T1027.009 | Embedded Payloads |
Comments
This control can detect embedded payloads.
References
|
alerts_for_windows_machines | Alerts for Windows Machines | detect | partial | T1027.010 | Command Obfuscation |
Comments
This control can detect command obfuscation attacks.
References
|
alerts_for_windows_machines | Alerts for Windows Machines | detect | partial | T1027.013 | Encrypted/Encoded File |
Comments
This control can detect obfuscation via encrypted/encoded files.
References
|
alerts_for_windows_machines | Alerts for Windows Machines | detect | partial | T1027.014 | Polymorphic Code |
Comments
This control can detect obfuscation via polymorphic code.
References
|
alerts_for_windows_machines | Alerts for Windows Machines | detect | partial | T1036.008 | Masquerade File Type |
Comments
This control can detect if commands are executed that are otherwise non-executable file types.
References
|
alerts_for_windows_machines | Alerts for Windows Machines | detect | partial | T1053.007 | Container Orchestration Job |
Comments
This control can detect when commands associated with this technique are executed.
References
|
alerts_for_windows_machines | Alerts for Windows Machines | detect | partial | T1055 | Process Injection |
Comments
This control's Fileless Attack Detection covers all relevant sub-techniques. Detection is periodic at an unknown rate.
References
|
alerts_for_windows_machines | Alerts for Windows Machines | detect | partial | T1055.001 | Dynamic-link Library Injection |
Comments
Injection attacks are specifically cited as a detection focus for Fileless Attack Detection, which is part of this control, with even more specific references to Process Hollowing, executable image injection, and threads started in a dynamically allocated code segment. Detection is periodic at an unknown rate. The following alerts may be generated: "Fileless attack technique detected", "Fileless attack behavior detected", "Fileless attack toolkit detected", "Suspicious SVCHOST process executed".
References
|
alerts_for_windows_machines | Alerts for Windows Machines | detect | partial | T1055.002 | Portable Executable Injection |
Comments
Injection attacks are specifically cited as a detection focus for Fileless Attack Detection, which is part of this control, with even more specific references to Process Hollowing, executable image injection, and threads started in a dynamically allocated code segment. Detection is periodic at an unknown rate. The following alerts may be generated: "Fileless attack technique detected", "Fileless attack behavior detected", "Fileless attack toolkit detected", "Suspicious SVCHOST process executed".
References
|
alerts_for_windows_machines | Alerts for Windows Machines | detect | partial | T1055.003 | Thread Execution Hijacking |
Comments
Injection attacks are specifically cited as a detection focus for Fileless Attack Detection, which is part of this control, with even more specific references to Process Hollowing, executable image injection, and threads started in a dynamically allocated code segment. Detection is periodic at an unknown rate. The following alerts may be generated: "Fileless attack technique detected", "Fileless attack behavior detected", "Fileless attack toolkit detected", "Suspicious SVCHOST process executed".
References
|
alerts_for_windows_machines | Alerts for Windows Machines | detect | partial | T1055.004 | Asynchronous Procedure Call |
Comments
Injection attacks are specifically cited as a detection focus for Fileless Attack Detection, which is part of this control, with even more specific references to Process Hollowing, executable image injection, and threads started in a dynamically allocated code segment. Detection is periodic at an unknown rate. The following alerts may be generated: "Fileless attack technique detected", "Fileless attack behavior detected", "Fileless attack toolkit detected", "Suspicious SVCHOST process executed".
References
|
alerts_for_windows_machines | Alerts for Windows Machines | detect | partial | T1055.005 | Thread Local Storage |
Comments
Injection attacks are specifically cited as a detection focus for Fileless Attack Detection, which is part of this control, with even more specific references to Process Hollowing, executable image injection, and threads started in a dynamically allocated code segment. Detection is periodic at an unknown rate. The following alerts may be generated: "Fileless attack technique detected", "Fileless attack behavior detected", "Fileless attack toolkit detected", "Suspicious SVCHOST process executed".
References
|
alerts_for_windows_machines | Alerts for Windows Machines | detect | partial | T1055.011 | Extra Window Memory Injection |
Comments
Injection attacks are specifically cited as a detection focus for Fileless Attack Detection, which is part of this control, with even more specific references to Process Hollowing, executable image injection, and threads started in a dynamically allocated code segment. Detection is periodic at an unknown rate. The following alerts may be generated: "Fileless attack technique detected", "Fileless attack behavior detected", "Fileless attack toolkit detected", "Suspicious SVCHOST process executed".
References
|
alerts_for_windows_machines | Alerts for Windows Machines | detect | partial | T1055.012 | Process Hollowing |
Comments
Injection attacks are specifically cited as a detection focus for Fileless Attack Detection, which is part of this control, with even more specific references to Process Hollowing, executable image injection, and threads started in a dynamically allocated code segment. Detection is periodic at an unknown rate. The following alerts may be generated: "Fileless attack technique detected", "Fileless attack behavior detected", "Fileless attack toolkit detected", "Suspicious SVCHOST process executed".
References
|
alerts_for_windows_machines | Alerts for Windows Machines | detect | partial | T1055.013 | Process Doppelgänging |
Comments
Injection attacks are specifically cited as a detection focus for Fileless Attack Detection, which is part of this control, with even more specific references to Process Hollowing, executable image injection, and threads started in a dynamically allocated code segment. Detection is periodic at an unknown rate. The following alerts may be generated: "Fileless attack technique detected", "Fileless attack behavior detected", "Fileless attack toolkit detected", "Suspicious SVCHOST process executed".
References
|
alerts_for_windows_machines | Alerts for Windows Machines | detect | partial | T1059.009 | Cloud API |
Comments
This control can detect suspicious usage of commands and scripts.
References
|
alerts_for_windows_machines | Alerts for Windows Machines | detect | partial | T1059.010 | AutoHotKey & AutoIT |
Comments
This control can detect suspicious usage of commands and scripts.
References
|
alerts_for_windows_machines | Alerts for Windows Machines | detect | partial | T1059.011 | Lua |
Comments
This control can detect suspicious usage of commands and scripts.
References
|
alerts_for_windows_machines | Alerts for Windows Machines | detect | partial | T1068 | Exploitation for Privilege Escalation |
Comments
This control's Fileless Attack Detection identifies shellcode executing within process memory, including shellcode executed as a payload in the exploitation of a software vulnerability. Detection is periodic at an unknown rate. The following alerts may be generated: "Fileless attack technique detected", "Fileless attack behavior detected", "Fileless attack toolkit detected", "Suspicious SVCHOST process executed".
References
|
alerts_for_windows_machines | Alerts for Windows Machines | detect | partial | T1070.001 | Clear Windows Event Logs |
Comments
This control may detect when an event log has been cleared or IIS logs have been deleted. The following alerts may be generated: "Detected actions indicative of disabling and deleting IIS log files", "An event log was cleared".
References
|
alerts_for_windows_machines | Alerts for Windows Machines | detect | partial | T1070.004 | File Deletion |
Comments
This control may detect suspicious file cleanup commands and shadow copy deletion activity. The following alerts may be generated: "Detected suspicious file cleanup commands", "Suspicious Volume Shadow Copy Activity".
References
|
alerts_for_windows_machines | Alerts for Windows Machines | detect | partial | T1070.007 | Clear Network Connection History and Configurations |
Comments
This control can monitor for executed commands associated with this technique.
References
|
alerts_for_windows_machines | Alerts for Windows Machines | detect | partial | T1070.008 | Clear Mailbox Data |
Comments
This control can monitor for executed commands associated with this technique.
References
|
alerts_for_windows_machines | Alerts for Windows Machines | detect | partial | T1070.009 | Clear Persistence |
Comments
This control can monitor for executed commands associated with this technique.
References
|
alerts_for_windows_machines | Alerts for Windows Machines | detect | partial | T1078 | Valid Accounts |
Comments
This control is able to detect some of this technique's sub-techniques resulting in a Partial Coverage score and consequently an overall score of Partial.
References
|
alerts_for_windows_machines | Alerts for Windows Machines | detect | partial | T1078.001 | Default Accounts |
Comments
This control may detect suspicious activity from existing Windows accounts and logons from suspicious IP addresses. The following alerts may be generated: "A logon from a malicious IP has been detected", "A logon from a malicious IP has been detected. [seen multiple times]".
References
|
alerts_for_windows_machines | Alerts for Windows Machines | detect | partial | T1078.003 | Local Accounts |
Comments
This control may detect suspicious activity from existing Windows accounts and logons from suspicious IP addresses. The following alerts may be generated: "A logon from a malicious IP has been detected", "A logon from a malicious IP has been detected. [seen multiple times]".
References
|
alerts_for_windows_machines | Alerts for Windows Machines | detect | partial | T1087 | Account Discovery |
Comments
This control provides partial detection for some of this technique's sub-techniques and procedure examples resulting in a Partial Coverage score and consequently an overall score of Partial.
References
|
alerts_for_windows_machines | Alerts for Windows Machines | detect | partial | T1087.001 | Local Account |
Comments
This control may detect when the local administrators group is enumerated or when multiple domain accounts are queried. The following alerts may be generated: "Multiple Domain Accounts Queried", "Local Administrators group members were enumerated".
References
|
alerts_for_windows_machines | Alerts for Windows Machines | detect | partial | T1087.002 | Domain Account |
Comments
This control may detect when the local administrators group is enumerated or when multiple domain accounts are queried. The following alerts may be generated: "Multiple Domain Accounts Queried", "Local Administrators group members were enumerated".
References
|
alerts_for_windows_machines | Alerts for Windows Machines | detect | partial | T1105 | Ingress Tool Transfer |
Comments
This control may detect usage of malware droppers and creation of suspicious files on the host machine. The following alerts may be generated: "Detected possible execution of malware dropper", "Detected suspicious file creation".
References
|
alerts_for_windows_machines | Alerts for Windows Machines | detect | partial | T1110 | Brute Force |
Comments
This control provides detection for some of this technique's sub-techniques and procedure examples resulting in a Partial Coverage score and consequently an overall score of Partial.
References
|
alerts_for_windows_machines | Alerts for Windows Machines | detect | partial | T1112 | Modify Registry |
Comments
This control may detect several methods used to modify the registry for purposes of persistence, privilege elevation, and execution. The following alerts may be generated: "Detected change to a registry key that can be abused to bypass UAC", "Detected enabling of the WDigest UseLogonCredential registry key", "Detected suppression of legal notice displayed to users at logon", "Suspicious WindowPosition registry value detected", "Windows registry persistence method detected".
References
|
alerts_for_windows_machines | Alerts for Windows Machines | detect | partial | T1134 | Access Token Manipulation |
Comments
This control can detect when commands associated with this technique are executed, such as runas.
References
|
alerts_for_windows_machines | Alerts for Windows Machines | detect | partial | T1136.001 | Local Account |
Comments
This control may detect when an account is created with an account name that closely resembles a standard Windows account or group name. This may be an account created by an attacker to blend into the environment. The following alerts may be generated: "Suspicious Account Creation Detected".
References
|
alerts_for_windows_machines | Alerts for Windows Machines | detect | partial | T1140 | Deobfuscate/Decode Files or Information |
Comments
This control may detect decoding of suspicious files by certutil.exe and may detect the presence of various encoding schemes to obfuscate malicious scripts and commandline arguments. The following alerts may be generated: "Suspicious download using Certutil detected", "Suspicious download using Certutil detected [seen multiple times]", "Detected decoding of an executable using built-in certutil.exe tool".
References
|
alerts_for_windows_machines | Alerts for Windows Machines | detect | partial | T1189 | Drive-by Compromise |
Comments
This control's Fileless Attack Detection identifies shellcode executing within process memory, including shellcode executed as a payload in the exploitation of a software vulnerability. Detection is periodic at an unknown rate. The following alerts may be generated: "Fileless attack technique detected", "Fileless attack behavior detected", "Fileless attack toolkit detected", "Suspicious SVCHOST process executed".
References
|
alerts_for_windows_machines | Alerts for Windows Machines | detect | partial | T1190 | Exploit Public-Facing Application |
Comments
This control's Fileless Attack Detection identifies shellcode executing within process memory, including shellcode executed as a payload in the exploitation of a software vulnerability. Detection is periodic at an unknown rate. The following alerts may be generated: "Fileless attack technique detected", "Fileless attack behavior detected", "Fileless attack toolkit detected", "Suspicious SVCHOST process executed".
References
|
alerts_for_windows_machines | Alerts for Windows Machines | detect | partial | T1203 | Exploitation for Client Execution |
Comments
This control's Fileless Attack Detection identifies shellcode executing within process memory, including shellcode executed as a payload in the exploitation of a software vulnerability. Detection is periodic at an unknown rate. The following alerts may be generated: "Fileless attack technique detected", "Fileless attack behavior detected", "Fileless attack toolkit detected", "Suspicious SVCHOST process executed".
References
|
alerts_for_windows_machines | Alerts for Windows Machines | detect | partial | T1204 | User Execution |
Comments
This control provides detection for one of the two sub-techniques of this technique, Malicious File, resulting in a Partial Coverage score and consequently an overall score of Partial.
References
|
alerts_for_windows_machines | Alerts for Windows Machines | detect | partial | T1204.002 | Malicious File |
Comments
This control may detect the usage of a malware dropper and other indicators of a malicious file being executed by the user. The following alerts may be generated: "Detected possible execution of keygen executable", "Detected possible execution of malware dropper", "Detected suspicious file creation".
References
|
alerts_for_windows_machines | Alerts for Windows Machines | detect | partial | T1204.003 | Malicious Image |
Comments
This capability can detect when commands are executed that are associated with this technique.
References
|
alerts_for_windows_machines | Alerts for Windows Machines | detect | partial | T1210 | Exploitation of Remote Services |
Comments
This control's Fileless Attack Detection identifies shellcode executing within process memory, including shellcode executed as a payload in the exploitation of a software vulnerability. Detection is periodic at an unknown rate. The following alerts may be generated: "Fileless attack technique detected", "Fileless attack behavior detected", "Fileless attack toolkit detected", "Suspicious SVCHOST process executed".
References
|
alerts_for_windows_machines | Alerts for Windows Machines | detect | partial | T1211 | Exploitation for Defense Evasion |
Comments
This control's Fileless Attack Detection identifies shellcode executing within process memory, including shellcode executed as a payload in the exploitation of a software vulnerability. Detection is periodic at an unknown rate. The following alerts may be generated: "Fileless attack technique detected", "Fileless attack behavior detected", "Fileless attack toolkit detected", "Suspicious SVCHOST process executed".
References
|
alerts_for_windows_machines | Alerts for Windows Machines | detect | partial | T1212 | Exploitation for Credential Access |
Comments
This control's Fileless Attack Detection identifies shellcode executing within process memory, including shellcode executed as a payload in the exploitation of a software vulnerability. Detection is periodic at an unknown rate. The following alerts may be generated: "Fileless attack technique detected", "Fileless attack behavior detected", "Fileless attack toolkit detected", "Suspicious SVCHOST process executed".
References
|
alerts_for_windows_machines | Alerts for Windows Machines | detect | partial | T1218.005 | Mshta |
Comments
This control may detect suspicious usage of Mshta to execute PowerShell and suspicious Rundll32 execution. The following alerts may be generated: "Detected suspicious execution via rundll32.exe", "Detected suspicious combination of HTA and PowerShell".
References
|
alerts_for_windows_machines | Alerts for Windows Machines | detect | partial | T1218.011 | Rundll32 |
Comments
This control may detect suspicious usage of Mshta to execute PowerShell and suspicious Rundll32 execution. The following alerts may be generated: "Detected suspicious execution via rundll32.exe", "Detected suspicious combination of HTA and PowerShell".
References
|
alerts_for_windows_machines | Alerts for Windows Machines | detect | partial | T1218.013 | Mavinject |
Comments
This control may detect usage of the argument INJECTRUNNING which is required for mavinject.exe.
References
|
alerts_for_windows_machines | Alerts for Windows Machines | detect | partial | T1218.014 | MMC |
Comments
This control may detect creation and usage of non-Microsoft .msc files.
References
|
alerts_for_windows_machines | Alerts for Windows Machines | detect | partial | T1218.015 | Electron Applications |
Comments
This control may detect commands invoking teams.exe or chrome.exe and analyze whether they are being used to execute malicious or abnormal content.
References
|
alerts_for_windows_machines | Alerts for Windows Machines | detect | partial | T1505.004 | IIS Components |
Comments
This control can detect when commands associated with installing IIS web servers are executed, such as AppCmd.exe.
References
|
alerts_for_windows_machines | Alerts for Windows Machines | detect | partial | T1505.005 | Terminal Services DLL |
Comments
This control can detect when commands associated with this technique are executed, such as reg.exe.
References
|
alerts_for_windows_machines | Alerts for Windows Machines | detect | partial | T1543.003 | Windows Service |
Comments
This control may detect when the tscon.exe binary is installed as a service to exploit RDP sessions or when a rare service group is executed under SVCHOST. The following alerts may be generated: "Suspect service installation".
References
|
alerts_for_windows_machines | Alerts for Windows Machines | detect | partial | T1543.005 | Container Service |
Comments
This control can detect when commands associated with container services are executed, such as docker or podman.
References
|
alerts_for_windows_machines | Alerts for Windows Machines | detect | partial | T1546.002 | Screensaver |
Comments
This control may detect when a suspicious screensaver process is executed, based on the location of the .scr file. Because this detection is based solely on the location of the file, it has been scored as Partial. The following alerts may be generated: "Suspicious Screensaver process executed".
References
|
alerts_for_windows_machines | Alerts for Windows Machines | detect | partial | T1546.008 | Accessibility Features |
Comments
This control may detect when the binary for the sticky keys utility has been replaced, possibly to gain persistence or execution. The following alerts may be generated: "Sticky keys attack detected".
References
|
alerts_for_windows_machines | Alerts for Windows Machines | detect | partial | T1547.001 | Registry Run Keys / Startup Folder |
Comments
This control may detect when the Registry is leveraged to gain persistence. The following alerts may be generated: "Windows registry persistence method detected".
References
|
alerts_for_windows_machines | Alerts for Windows Machines | detect | partial | T1552.001 | Credentials In Files |
Comments
This control can detect when commands associated with searching for passwords are executed.
References
|
alerts_for_windows_machines | Alerts for Windows Machines | detect | partial | T1553.006 | Code Signing Policy Modification |
Comments
This control can be used to monitor for the execution of commands that could modify the code signing policy of a system, such as bcdedit.exe -set TESTSIGNING ON.
References
|
alerts_for_windows_machines | Alerts for Windows Machines | detect | partial | T1555.003 | Credentials from Web Browsers |
Comments
This control can detect command execution associated with this technique.
References
|
alerts_for_windows_machines | Alerts for Windows Machines | detect | partial | T1555.004 | Windows Credential Manager |
Comments
This control can detect command execution associated with this technique.
References
|
alerts_for_windows_machines | Alerts for Windows Machines | detect | partial | T1555.005 | Password Managers |
Comments
This control can detect command execution associated with this technique.
References
|
alerts_for_windows_machines | Alerts for Windows Machines | detect | partial | T1556.005 | Reversible Encryption |
Comments
This control can monitor for command execution related to reversible encryption such as -AllowReversiblePasswordEncryption $true.
References
|
alerts_for_windows_machines | Alerts for Windows Machines | detect | partial | T1558.001 | Golden Ticket |
Comments
This control may detect commandline parameters consistent with a Kerberos Golden Ticket attack. The following alerts may be generated: "Suspected Kerberos Golden Ticket attack parameters observed".
References
|
alerts_for_windows_machines | Alerts for Windows Machines | detect | partial | T1562.001 | Disable or Modify Tools |
Comments
This control may detect when critical services have been disabled, such as Windows Security Center. This control may also detect when IIS logging has been disabled. The following alerts may be generated: "Detected the disabling of critical services", "Detected actions indicative of disabling and deleting IIS log files".
References
|
alerts_for_windows_machines | Alerts for Windows Machines | detect | partial | T1562.004 | Disable or Modify System Firewall |
Comments
This control may detect modification of the Windows firewall through use of netsh.exe or using a method that matches a known threat actor. The following alerts may be generated: "Malicious firewall rule created by ZINC server implant [seen multiple times]", "Detected suspicious new firewall rule".
References
|
alerts_for_windows_machines | Alerts for Windows Machines | detect | partial | T1562.009 | Safe Mode Boot |
Comments
This control may detect executed commands indicative of changes to boot settings, such as bcdedit.exe and bootcfg.exe.
References
|
alerts_for_windows_machines | Alerts for Windows Machines | detect | partial | T1562.010 | Downgrade Attack |
Comments
This control may detect executed commands indicative of attempts to abuse older or deprecated technologies (ex: powershell -v 2).
References
|
alerts_for_windows_machines | Alerts for Windows Machines | detect | partial | T1563 | Remote Service Session Hijacking |
Comments
This control provides partial detection for some of this technique's sub-techniques resulting in a Partial Coverage score and consequently an overall score of Partial.
References
|
alerts_for_windows_machines | Alerts for Windows Machines | detect | partial | T1563.002 | RDP Hijacking |
Comments
This control may detect RDP hijacking through use of the tscon.exe binary. The following alerts may be generated: "Suspect integrity level indicative of RDP hijacking", "Suspect service installation".
References
|
alerts_for_windows_machines | Alerts for Windows Machines | detect | partial | T1564.003 | Hidden Window |
Comments
This control may detect usage of the WindowPosition Registry value to hide application windows in non-visible sections of the desktop. The following alerts may be generated: "Suspicious WindowPosition registry value detected".
References
|
alerts_for_windows_machines | Alerts for Windows Machines | detect | partial | T1564.008 | Email Hiding Rules |
Comments
This control can detect when commands are run on VMs that can indicate creation or modification of email rules such as New-InboxRule, Set-InboxRule, New-TransportRule, and Set-TransportRule.
References
|
alerts_for_windows_machines | Alerts for Windows Machines | detect | partial | T1564.009 | Resource Forking |
Comments
This control can detect when commands are run related to resource forking.
References
|
alerts_for_windows_machines | Alerts for Windows Machines | detect | partial | T1564.011 | Ignore Process Interrupts |
Comments
This control can detect when commands are run related to process interrupts such as nohup.
References
|
alerts_for_windows_machines | Alerts for Windows Machines | detect | partial | T1567.004 | Exfiltration Over Webhook |
Comments
This control can detect commands on VMs indicative of exfiltration over webhook.
References
|
alerts_for_windows_machines | Alerts for Windows Machines | detect | partial | T1574.013 | KernelCallbackTable |
Comments
This control can detect Windows API calls on VMs indicative of hijacking execution flow via the KernelCallbackTable, such as WriteProcessMemory() and NtQueryInformationProcess().
References
|
alerts_for_windows_machines | Alerts for Windows Machines | detect | partial | T1612 | Build Image on Host |
Comments
This capability can detect execution of commands related to container creation.
References
|
alerts_for_windows_machines | Alerts for Windows Machines | detect | partial | T1614 | System Location Discovery |
Comments
This capability can detect if commands associated with this technique such as GetLocaleInfoW are executed.
References
|
alerts_for_windows_machines | Alerts for Windows Machines | detect | partial | T1614.001 | System Language Discovery |
Comments
This capability can detect if commands associated with this technique are executed.
References
|
alerts_for_windows_machines | Alerts for Windows Machines | detect | partial | T1622 | Debugger Evasion |
Comments
This capability can detect system processes that indicate debugger evasion.
References
|
alerts_for_windows_machines | Alerts for Windows Machines | detect | partial | T1652 | Device Driver Discovery |
Comments
This capability can detect if commands associated with this technique are executed.
References
|
alerts_for_windows_machines | Alerts for Windows Machines | detect | partial | T1654 | Log Enumeration |
Comments
This capability can detect if commands associated with log enumeration (such as wevtutil.exe on Windows and CollectGuestLogs.exe on Azure-hosted VMs) are executed.
References
|
alerts_for_windows_machines | Alerts for Windows Machines | detect | significant | T1059.001 | PowerShell |
Comments
This control may detect suspicious usage of PowerShell and the Windows command line. These detections include usage of suspicious arguments, dynamic script construction, and shellcode on the commandline. The following alerts may be generated: "Detected anomalous mix of upper and lower case characters in command-line", "Detected encoded executable in command line data", "Detected obfuscated command line", "Detected suspicious combination of HTA and PowerShell", "Detected suspicious commandline arguments", "Detected suspicious commandline used to start all executables in a directory", "Detected suspicious credentials in commandline", "Dynamic PS script construction", "Suspicious PowerShell Activity Detected", "Suspicious PowerShell cmdlets executed", "Suspicious command execution".
References
|
alerts_for_windows_machines | Alerts for Windows Machines | detect | significant | T1059.003 | Windows Command Shell |
Comments
This control may detect suspicious usage of PowerShell and the Windows command line. These detections include usage of suspicious arguments, dynamic script construction, and shellcode on the commandline. The following alerts may be generated: "Detected anomalous mix of upper and lower case characters in command-line", "Detected encoded executable in command line data", "Detected obfuscated command line", "Detected suspicious combination of HTA and PowerShell", "Detected suspicious commandline arguments", "Detected suspicious commandline used to start all executables in a directory", "Detected suspicious credentials in commandline", "Dynamic PS script construction", "Suspicious PowerShell Activity Detected", "Suspicious PowerShell cmdlets executed", "Suspicious command execution".
References
|
alerts_for_windows_machines | Alerts for Windows Machines | detect | significant | T1110.001 | Password Guessing |
Comments
This control may detect successful and failed brute force attempts with logic that factors the IP, time between attempts, and other suspicious activity. The following alerts may be generated: "A logon from a malicious IP has been detected", "A logon from a malicious IP has been detected. [seen multiple times]", "Successful brute force attack", "Suspicious authentication activity".
References
|
alerts_for_windows_machines | Alerts for Windows Machines | detect | significant | T1110.003 | Password Spraying |
Comments
This control may detect successful and failed brute force attempts with logic that factors the IP, time between attempts, and other suspicious activity. The following alerts may be generated: "A logon from a malicious IP has been detected", "A logon from a malicious IP has been detected. [seen multiple times]", "Successful brute force attack", "Suspicious authentication activity".
References
|
alerts_for_windows_machines | Alerts for Windows Machines | detect | significant | T1110.004 | Credential Stuffing |
Comments
This control may detect successful and failed brute force attempts with logic that factors the IP, time between attempts, and other suspicious activity. The following alerts may be generated: "A logon from a malicious IP has been detected", "A logon from a malicious IP has been detected. [seen multiple times]", "Successful brute force attack", "Suspicious authentication activity".
References
|
azure_backup | Azure Backup | respond | partial | T1561.002 | Disk Structure Wipe |
Comments
Allows for recovery of disk content, though disk structure wipes require additional procedures for recovery.
References
|
azure_backup | Azure Backup | respond | significant | T1485 | Data Destruction |
Comments
Data backups provide a significant response to data destruction by enabling the restoration of data from backup.
References
|
azure_backup | Azure Backup | respond | significant | T1485.001 | Lifecycle-Triggered Deletion |
Comments
Data backups provide a significant response to data destruction by enabling the restoration of data from backup.
References
|
azure_backup | Azure Backup | respond | significant | T1486 | Data Encrypted for Impact |
Comments
Data backups provide a significant response to data encryption/ransomware by enabling the restoration of data from backup.
References
|
azure_backup | Azure Backup | respond | significant | T1491 | Defacement |
Comments
Data backups provide a significant response to data defacement attacks by enabling the restoration of data from backup.
References
|
azure_backup | Azure Backup | respond | significant | T1491.001 | Internal Defacement |
Comments
Data backups provide a significant response to external or internal data defacement attacks by enabling the restoration of data from backup.
References
|
azure_backup | Azure Backup | respond | significant | T1491.002 | External Defacement |
Comments
Data backups provide a significant response to external or internal data defacement attacks by enabling the restoration of data from backup.
References
|
azure_backup | Azure Backup | respond | significant | T1561 | Disk Wipe |
Comments
Data backups provide a significant response to disk wipe attacks by enabling the restoration of data from backup.
References
|
azure_backup | Azure Backup | respond | significant | T1561.001 | Disk Content Wipe |
Comments
Data backups provide a significant response to disk content wipe attacks by enabling the restoration of data from backup.
References
|
azure_ddos_protection | Azure DDoS Protection | protect | significant | T1498 | Network Denial of Service |
Comments
Designed to address multiple DDoS techniques, including volumetric attacks.
References
|
azure_ddos_protection | Azure DDoS Protection | protect | significant | T1498.001 | Direct Network Flood |
Comments
This control can protect against network denial of service attacks.
References
|
azure_ddos_protection | Azure DDoS Protection | protect | significant | T1498.002 | Reflection Amplification |
Comments
This control can protect against network denial of service attacks.
References
|
azure_ddos_protection | Azure DDoS Protection | protect | significant | T1499 | Endpoint Denial of Service |
Comments
This control protects against volumetric and protocol-layer DoS attacks, though not application-layer DoS.
References
|
azure_ddos_protection | Azure DDoS Protection | protect | significant | T1499.001 | OS Exhaustion Flood |
Comments
This control can protect against endpoint denial of service attacks.
References
|
azure_ddos_protection | Azure DDoS Protection | protect | significant | T1499.002 | Service Exhaustion Flood |
Comments
This control can protect against endpoint denial of service attacks.
References
|
azure_ddos_protection | Azure DDoS Protection | protect | significant | T1499.003 | Application Exhaustion Flood |
Comments
This control can protect against endpoint denial of service attacks.
References
|
azure_dedicated_hsm | Azure Dedicated HSM | protect | minimal | T1552 | Unsecured Credentials |
Comments
This control's protection is specific to a minority of this technique's sub-techniques and procedure examples resulting in a Minimal Coverage score and consequently an overall score of Minimal.
References
|
azure_dedicated_hsm | Azure Dedicated HSM | protect | partial | T1553 | Subvert Trust Controls |
Comments
Provides protection against sub-techniques involved with stealing credentials / certificates / keys from the organization.
References
|
azure_dedicated_hsm | Azure Dedicated HSM | protect | partial | T1553.002 | Code Signing |
Comments
Certificate credentials can be vaulted in an HSM, thereby reducing their attack surface.
References
|
azure_dedicated_hsm | Azure Dedicated HSM | protect | partial | T1553.004 | Install Root Certificate |
Comments
Certificate credentials can be vaulted in an HSM, thereby reducing their attack surface.
References
|
azure_dedicated_hsm | Azure Dedicated HSM | protect | partial | T1588 | Obtain Capabilities |
Comments
Provides protection against sub-techniques involved with stealing credentials / certificates / keys from the organization.
References
|
azure_dedicated_hsm | Azure Dedicated HSM | protect | partial | T1588.003 | Code Signing Certificates |
Comments
Certificate credentials can be vaulted in an HSM, thereby reducing their attack surface.
References
|
azure_dedicated_hsm | Azure Dedicated HSM | protect | partial | T1588.004 | Digital Certificates |
Comments
Certificate credentials can be vaulted in an HSM, thereby reducing their attack surface.
References
|
azure_dedicated_hsm | Azure Dedicated HSM | protect | significant | T1552.004 | Private Keys |
Comments
Provides significant protection of private keys.
References
|
azure_dns_alias_records | Azure DNS Alias Records | protect | minimal | T1584 | Compromise Infrastructure |
Comments
This control only provides protection for one of this technique's sub-techniques while not providing any protection for the remaining and therefore its coverage score factor is Minimal, resulting in a Minimal score.
References
|
azure_dns_alias_records | Azure DNS Alias Records | protect | partial | T1584.001 | Domains |
Comments
Alias records prevent dangling references by tightly coupling the life cycle of a DNS record with an Azure resource. For example, consider a DNS record that's qualified as an alias record to point to a public IP address or a Traffic Manager profile. If you delete those underlying resources, the DNS alias record becomes an empty record set. It no longer references the deleted resource. This control is effective for protecting DNS records that resolve to Azure resources but does not offer protection for records pointing to non-Azure resources, resulting in a Partial score.
References
|
azure_dns_analytics | Azure DNS Analytics | detect | minimal | T1041 | Exfiltration Over C2 Channel |
Comments
This control can potentially be used to forensically identify exfiltration via a DNS-based C2 channel.
References
|
azure_dns_analytics | Azure DNS Analytics | detect | minimal | T1048 | Exfiltration Over Alternative Protocol |
Comments
This control can identify anomalous or high-volume ("top talker") DNS clients, which may indicate exfiltration via DNS.
References
|
azure_dns_analytics | Azure DNS Analytics | detect | minimal | T1048.003 | Exfiltration Over Unencrypted Non-C2 Protocol |
Comments
This control can potentially be used to forensically identify exfiltration via DNS protocol.
References
|
azure_dns_analytics | Azure DNS Analytics | detect | minimal | T1071 | Application Layer Protocol |
Comments
This control can be used forensically to identify clients that communicated with identified C2 hosts via DNS.
References
|
azure_dns_analytics | Azure DNS Analytics | detect | minimal | T1071.004 | DNS |
Comments
This control can be used forensically to identify clients that communicated with identified C2 hosts.
References
|
azure_dns_analytics | Azure DNS Analytics | detect | minimal | T1566 | Phishing |
Comments
This control can be used forensically to identify DNS queries to known malicious sites, which may be evidence of phishing.
References
|
azure_dns_analytics | Azure DNS Analytics | detect | minimal | T1566.002 | Spearphishing Link |
Comments
This control can be used forensically to identify DNS queries to known malicious sites, which may be evidence of phishing.
References
|
azure_dns_analytics | Azure DNS Analytics | detect | minimal | T1568 | Dynamic Resolution |
Comments
This control can be used for after-the-fact analysis of potential fast-flux DNS C2.
References
|
azure_dns_analytics | Azure DNS Analytics | detect | minimal | T1568.001 | Fast Flux DNS |
Comments
This control can be used for after-the-fact analysis of potential fast-flux DNS C2.
References
|
azure_dns_analytics | Azure DNS Analytics | detect | minimal | T1568.002 | Domain Generation Algorithms |
Comments
This control can be used for after-the-fact analysis of potential fast-flux DNS C2.
References
|
azure_firewall | Azure Firewall | detect | partial | T1557.003 | DHCP Spoofing |
Comments
This control can detect DHCP spoofing by monitoring network traffic.
References
|
azure_firewall | Azure Firewall | detect | partial | T1567.003 | Exfiltration to Text Storage Sites |
Comments
This control can detect exfiltration attempts to text storage sites.
References
|
azure_firewall | Azure Firewall | detect | partial | T1665 | Hide Infrastructure |
Comments
This capability can detect some traffic related to adversary command and control behavior.
References
|
azure_firewall | Azure Firewall | protect | partial | T1008 | Fallback Channels |
Comments
This control's threat intelligence-based filtering feature can be enabled to alert and deny traffic from/to known malicious IP addresses and domains. The IP addresses and domains are sourced from the Microsoft Threat Intelligence feed. Because this protection is limited to known malicious IP addresses and domains and does not provide protection from such attacks from unknown domains and IP addresses, this is scored as partial coverage resulting in an overall Partial score.
References
|
azure_firewall | Azure Firewall | protect | partial | T1018 | Remote System Discovery |
Comments
This control typically filters external network traffic and therefore can be effective for preventing external remote system discovery but such activity originating from inside the trusted network is not mitigated. Due to this partial protection coverage, it has been scored as Partial protection.
References
|
azure_firewall | Azure Firewall | protect | partial | T1046 | Network Service Discovery |
Comments
This control typically filters external network traffic and therefore can be effective for preventing external network service scanning but network service scanning originating from inside the trusted network is not mitigated. Due to this partial protection coverage, it has been scored as Partial protection.
References
|
azure_firewall | Azure Firewall | protect | partial | T1048 | Exfiltration Over Alternative Protocol |
Comments
This control provides partial protection for this technique's sub-techniques and some of its procedure examples resulting in an overall Partial score.
References
|
azure_firewall | Azure Firewall | protect | partial | T1048.001 | Exfiltration Over Symmetric Encrypted Non-C2 Protocol |
Comments
This control's threat intelligence-based filtering feature can be enabled to alert and deny traffic from/to known malicious IP addresses and domains. The IP addresses and domains are sourced from the Microsoft Threat Intelligence feed. Because this protection is limited to known malicious IP addresses and domains and does not provide protection from such attacks from unknown domains and IP addresses, this is scored as partial coverage resulting in an overall Partial score.
References
|
azure_firewall | Azure Firewall | protect | partial | T1048.002 | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol |
Comments
This control's threat intelligence-based filtering feature can be enabled to alert and deny traffic from/to known malicious IP addresses and domains. The IP addresses and domains are sourced from the Microsoft Threat Intelligence feed. Because this protection is limited to known malicious IP addresses and domains and does not provide protection from such attacks from unknown domains and IP addresses, this is scored as partial coverage resulting in an overall Partial score.
References
|
azure_firewall | Azure Firewall | protect | partial | T1048.003 | Exfiltration Over Unencrypted Non-C2 Protocol |
Comments
This control's threat intelligence-based filtering feature can be enabled to alert and deny traffic from/to known malicious IP addresses and domains. The IP addresses and domains are sourced from the Microsoft Threat Intelligence feed. Because this protection is limited to known malicious IP addresses and domains and does not provide protection from such attacks from unknown domains and IP addresses, this is scored as partial coverage resulting in an overall Partial score.
References
|
azure_firewall | Azure Firewall | protect | partial | T1071.005 | Publish/Subscribe Protocols |
Comments
This control can filter network traffic on ports associated with this technique.
References
|
azure_firewall | Azure Firewall | protect | partial | T1095 | Non-Application Layer Protocol |
Comments
This control's threat intelligence-based filtering feature can be enabled to alert and deny traffic from/to known malicious IP addresses and domains. The IP addresses and domains are sourced from the Microsoft Threat Intelligence feed. Because this protection is limited to known malicious IP addresses and domains and does not provide protection from such attacks from unknown domains and IP addresses, this is scored as partial coverage resulting in an overall Partial score.
Furthermore, it can be used to filter non-application layer protocol traffic such as ICMP.
References
|
azure_firewall | Azure Firewall | protect | partial | T1133 | External Remote Services |
Comments
This control can limit access to external remote services to the minimum necessary.
References
|
azure_firewall | Azure Firewall | protect | partial | T1204 | User Execution |
Comments
This control provides partial protection for this technique.
References
|
azure_firewall | Azure Firewall | protect | partial | T1204.003 | Malicious Image |
Comments
This control can prevent malicious downloads associated with this technique.
References
|
azure_firewall | Azure Firewall | protect | partial | T1205 | Traffic Signaling |
Comments
This control provides partial protection for this technique's sub-techniques and procedure examples resulting in a Partial score.
References
|
azure_firewall | Azure Firewall | protect | partial | T1205.001 | Port Knocking |
Comments
This control can protect against this sub-technique by enforcing limited access to only required ports. Consequently, even if the adversary is able to utilize port knocking to open additional ports at the host level, it is still blocked at the firewall service level. This service typically applies to external traffic and not internal traffic and therefore lateral movement using this technique within a network is still possible. Due to this partial coverage, it has been scored as Partial.
References
|
azure_firewall | Azure Firewall | protect | partial | T1205.002 | Socket Filters |
Comments
This control can protect against some variations of this technique.
References
|
azure_firewall | Azure Firewall | protect | partial | T1219 | Remote Access Software |
Comments
This control can be used to limit outgoing traffic to only sites and services used by authorized remote access tools. This is scored as partial because it doesn't protect against an adversary using an authorized remote access tool for malicious activity.
References
|
azure_firewall | Azure Firewall | protect | partial | T1567.003 | Exfiltration to Text Storage Sites |
Comments
This control can protect against exfiltration to text storage sites by blocking unauthorized sites.
References
|
azure_firewall | Azure Firewall | protect | partial | T1590 | Gather Victim Network Information |
Comments
This control can prevent the gathering of victim network information via scanning methods but is not effective against methods such as Phishing resulting in a Partial coverage score and an overall Partial score.
References
|
azure_firewall | Azure Firewall | protect | partial | T1590.004 | Network Topology |
Comments
This control can prevent attempts by an adversary to gather this information using active scanning methods, but it is not effective against gathering this information using phishing-related methods.
References
|
azure_firewall | Azure Firewall | protect | partial | T1590.005 | IP Addresses |
Comments
This control can prevent attempts by an adversary to gather this information using active scanning methods, but it is not effective against gathering this information using phishing-related methods.
References
|
azure_firewall | Azure Firewall | protect | partial | T1590.006 | Network Security Appliances |
Comments
This control can prevent attempts by an adversary to gather this information using active scanning methods, but it is not effective against gathering this information using phishing-related methods.
References
|
azure_firewall | Azure Firewall | protect | partial | T1595 | Active Scanning |
Comments
This control provides Partial protection for its sub-techniques resulting in an overall Partial score.
References
|
azure_firewall | Azure Firewall | protect | partial | T1595.001 | Scanning IP Blocks |
Comments
This control's threat intelligence-based filtering feature can be enabled to alert and deny traffic from/to known malicious IP addresses and domains. The IP addresses and domains are sourced from the Microsoft Threat Intelligence feed. Because this protection is limited to known malicious IP addresses and domains and does not provide protection from such attacks from unknown domains and IP addresses, this is scored as partial coverage resulting in an overall Partial score.
References
|
azure_firewall | Azure Firewall | protect | partial | T1595.002 | Vulnerability Scanning |
Comments
This control's threat intelligence-based filtering feature can be enabled to alert and deny traffic from/to known malicious IP addresses and domains. The IP addresses and domains are sourced from the Microsoft Threat Intelligence feed. Because this protection is limited to known malicious IP addresses and domains and does not provide protection from such attacks from unknown domains and IP addresses, this is scored as partial coverage resulting in an overall Partial score.
References
|
azure_firewall | Azure Firewall | protect | partial | T1595.003 | Wordlist Scanning |
Comments
This control monitors for accesses to potentially sensitive web pages from source IP addresses whose access pattern resembles that of a web scanner or that have not been logged before. The temporal factor is unknown.
References
|
azure_firewall | Azure Firewall | protect | significant | T1557.003 | DHCP Spoofing |
Comments
This control can protect against DHCP spoofing by restricting DHCP traffic to trusted DHCP servers.
References
|
azure_firewall | Azure Firewall | protect | significant | T1571 | Non-Standard Port |
Comments
This control can limit access to the minimum required ports and therefore protect against adversaries attempting to use non-standard ports for C2 traffic.
References
|
azure_key_vault | Azure Key Vault | protect | minimal | T1040 | Network Sniffing |
Comments
This control provides secure methods for accessing secrets and passwords. This can reduce the incidences of credentials and other authentication material being transmitted in plain text or by insecure encryption methods. Any communication between applications or endpoints after access to Key Vault may not be secure.
References
|
azure_key_vault | Azure Key Vault | protect | partial | T1528 | Steal Application Access Token |
Comments
This control can provide protection against attackers stealing application access tokens if they are stored within Azure Key Vault. Key Vault significantly raises the bar for access to stored tokens by requiring legitimate credentials with proper authorization. Applications may have to be modified to take advantage of Key Vault, and it may not always be possible to utilize it.
References
|
azure_key_vault | Azure Key Vault | protect | partial | T1552 | Unsecured Credentials |
Comments
This control provides a central, secure location for storage of credentials to reduce the possibility of attackers discovering unsecured credentials.
References
|
azure_key_vault | Azure Key Vault | protect | partial | T1555 | Credentials from Password Stores |
Comments
This control may provide a more secure location for storing passwords. If an Azure user account, endpoint, or application is compromised, they may have limited access to passwords stored in the Key Vault.
References
|
azure_key_vault | Azure Key Vault | protect | partial | T1555.006 | Cloud Secrets Management Stores |
Comments
This control may provide a more secure location for storing passwords. If an Azure user account, endpoint, or application is compromised, they may have limited access to passwords stored in the Key Vault.
References
|
azure_network_security_groups | Azure Network Security Groups | protect | minimal | T1542 | Pre-OS Boot |
Comments
This control provides partial protection coverage for only one sub-technique (booting from remote devices, e.g. TFTP boot), resulting in an overall score of Minimal.
References
|
azure_network_security_groups | Azure Network Security Groups | protect | partial | T1021 | Remote Services |
Comments
This control provides partial protection for all of its sub-techniques and procedure examples resulting in an overall score of Partial.
References
|
azure_network_security_groups | Azure Network Security Groups | protect | partial | T1021.001 | Remote Desktop Protocol |
Comments
This control can be used to restrict direct access to remote services to trusted networks. This prevents even an adversary with a valid account from accessing resources. It can be circumvented, though, if an adversary is able to compromise a trusted host and move laterally to a protected network. This results in an overall partial (coverage) score.
References
|
azure_network_security_groups | Azure Network Security Groups | protect | partial | T1021.002 | SMB/Windows Admin Shares |
Comments
This control can be used to restrict direct access to remote services to trusted networks. This prevents even an adversary with a valid account from accessing resources. It can be circumvented, though, if an adversary is able to compromise a trusted host and move laterally to a protected network. This results in an overall partial (coverage) score.
References
|
azure_network_security_groups | Azure Network Security Groups | protect | partial | T1021.003 | Distributed Component Object Model |
Comments
This control can be used to restrict direct access to remote services to trusted networks. This prevents even an adversary with a valid account from accessing resources. It can be circumvented, though, if an adversary is able to compromise a trusted host and move laterally to a protected network. This results in an overall partial (coverage) score.
References
|
azure_network_security_groups | Azure Network Security Groups | protect | partial | T1021.004 | SSH |
Comments
This control can be used to restrict direct access to remote services to trusted networks. This prevents even an adversary with a valid account from accessing resources. It can be circumvented, though, if an adversary is able to compromise a trusted host and move laterally to a protected network. This results in an overall partial (coverage) score.
References
|
azure_network_security_groups | Azure Network Security Groups | protect | partial | T1021.005 | VNC |
Comments
This control can be used to restrict direct access to remote services to trusted networks. This prevents even an adversary with a valid account from accessing resources. It can be circumvented, though, if an adversary is able to compromise a trusted host and move laterally to a protected network. This results in an overall partial (coverage) score.
References
|
azure_network_security_groups | Azure Network Security Groups | protect | partial | T1021.006 | Windows Remote Management |
Comments
This control can be used to restrict direct access to remote services to trusted networks. This prevents even an adversary with a valid account from accessing resources. It can be circumvented, though, if an adversary is able to compromise a trusted host and move laterally to a protected network. This results in an overall partial (coverage) score.
References
|
azure_network_security_groups | Azure Network Security Groups | protect | partial | T1021.007 | Cloud Services |
Comments
This control can protect against abuse of remote cloud services.
References
|
azure_network_security_groups | Azure Network Security Groups | protect | partial | T1021.008 | Direct Cloud VM Connections |
Comments
This control can protect against abuse of direct cloud VM connections.
References
|
azure_network_security_groups | Azure Network Security Groups | protect | partial | T1046 | Network Service Discovery |
Comments
This control can be used to restrict access to trusted networks.
References
|
azure_network_security_groups | Azure Network Security Groups | protect | partial | T1072 | Software Deployment Tools |
Comments
This control can be used to limit access to critical network systems such as software deployment tools.
References
|
azure_network_security_groups | Azure Network Security Groups | protect | partial | T1090 | Proxy |
Comments
This control can restrict ports and inter-system / inter-enclave connections as described by the Proxy related sub-techniques although it doesn't provide protection for domain-fronting. It furthermore provides partial protection of this technique's procedure examples resulting in an overall Partial score.
References
|
azure_network_security_groups | Azure Network Security Groups | protect | partial | T1090.001 | Internal Proxy |
Comments
This control can restrict access between systems, enclaves, and workloads thereby mitigating these proxy related sub-techniques.
References
|
azure_network_security_groups | Azure Network Security Groups | protect | partial | T1090.002 | External Proxy |
Comments
This control can restrict access between systems, enclaves, and workloads thereby mitigating these proxy related sub-techniques.
References
|
azure_network_security_groups | Azure Network Security Groups | protect | partial | T1090.003 | Multi-hop Proxy |
Comments
This control can restrict access between systems, enclaves, and workloads thereby mitigating these proxy related sub-techniques.
References
|
azure_network_security_groups | Azure Network Security Groups | protect | partial | T1095 | Non-Application Layer Protocol |
Comments
This control can be used to restrict access to trusted networks and protocols.
References
|
azure_network_security_groups | Azure Network Security Groups | protect | partial | T1133 | External Remote Services |
Comments
This control can be used to restrict direct access to remote service gateways and concentrators that typically accompany external remote services. This can be circumvented though if an adversary is able to compromise a trusted host and use it to access the external remote service. This results in an overall partial (coverage) score.
References
|
azure_network_security_groups | Azure Network Security Groups | protect | partial | T1199 | Trusted Relationship |
Comments
This control can isolate portions of the network that do not require network-wide access, limiting some attackers that leverage trusted relationships such as remote access for vendor maintenance. Coverage partial, Temporal Immediate.
References
|
azure_network_security_groups | Azure Network Security Groups | protect | partial | T1205 | Traffic Signaling |
Comments
This control provides partial protection for this technique's sub-techniques and procedure examples, resulting in an overall Partial score. Other variations that trigger a special response, such as executing a malicious task, are not mitigated by this control.
References
|
azure_network_security_groups | Azure Network Security Groups | protect | partial | T1210 | Exploitation of Remote Services |
Comments
This control can be used to restrict access to remote services to the minimum necessary.
References
|
azure_network_security_groups | Azure Network Security Groups | protect | partial | T1219 | Remote Access Software |
Comments
This control can be used to restrict network communications to protect sensitive enclaves that may mitigate some of the procedure examples of this technique.
References
|
azure_network_security_groups | Azure Network Security Groups | protect | partial | T1482 | Domain Trust Discovery |
Comments
This control can be used to isolate sensitive domains to limit discovery.
References
|
azure_network_security_groups | Azure Network Security Groups | protect | partial | T1498 | Network Denial of Service |
Comments
This control can be used to restrict access to endpoints and thereby mitigate low-end network DoS attacks.
References
|
azure_network_security_groups | Azure Network Security Groups | protect | partial | T1499 | Endpoint Denial of Service |
Comments
This control provides partial protection for a majority of this technique's sub-techniques and procedure examples, resulting in an overall score of Partial.
References
|
azure_network_security_groups | Azure Network Security Groups | protect | partial | T1499.001 | OS Exhaustion Flood |
Comments
This control can be used to restrict access to endpoints and thereby mitigate low-end DoS attacks.
References
|
azure_network_security_groups | Azure Network Security Groups | protect | partial | T1499.002 | Service Exhaustion Flood |
Comments
This control can be used to restrict access to endpoints and thereby mitigate low-end DoS attacks.
References
|
azure_network_security_groups | Azure Network Security Groups | protect | partial | T1499.003 | Application Exhaustion Flood |
Comments
This control can be used to restrict access to endpoints and thereby mitigate low-end DoS attacks.
References
|
azure_network_security_groups | Azure Network Security Groups | protect | partial | T1542.005 | TFTP Boot |
Comments
This control can be used to restrict clients to connecting (and therefore booting) from only trusted network resources.
References
|
azure_network_security_groups | Azure Network Security Groups | protect | partial | T1557 | Adversary-in-the-Middle |
Comments
This control can be used to limit access to network infrastructure and resources that can be used to reshape traffic or otherwise produce MiTM conditions.
References
|
azure_network_security_groups | Azure Network Security Groups | protect | partial | T1570 | Lateral Tool Transfer |
Comments
This control can be used to limit traffic between systems and enclaves to the minimum necessary, for example via a zero-trust strategy.
References
|
azure_network_security_groups | Azure Network Security Groups | protect | partial | T1602 | Data from Configuration Repository |
Comments
This control can limit attackers' access to configuration repositories such as SNMP management stations, or to dumps of client configurations from common management ports.
References
|
azure_network_security_groups | Azure Network Security Groups | protect | partial | T1602.001 | SNMP (MIB Dump) |
Comments
This control can limit access to client management interfaces or configuration databases.
References
|
azure_network_security_groups | Azure Network Security Groups | protect | partial | T1602.002 | Network Device Configuration Dump |
Comments
This control can limit access to client management interfaces or configuration databases.
References
|
azure_network_security_groups | Azure Network Security Groups | protect | partial | T1659 | Content Injection |
Comments
This control can be used to limit access to network infrastructure and resources that can be used to reshape traffic or otherwise produce content injection conditions.
References
|
azure_network_security_groups | Azure Network Security Groups | protect | significant | T1048 | Exfiltration Over Alternative Protocol |
Comments
NSG can minimize alternative protocols allowed to communicate externally.
References
|
azure_network_security_groups | Azure Network Security Groups | protect | significant | T1048.001 | Exfiltration Over Symmetric Encrypted Non-C2 Protocol |
Comments
This control can reduce the protocols available for data exfiltration. Temporal immediate, coverage substantial.
References
|
azure_network_security_groups | Azure Network Security Groups | protect | significant | T1048.002 | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol |
Comments
This control can reduce the protocols available for data exfiltration. Temporal immediate, coverage substantial.
References
|
azure_network_security_groups | Azure Network Security Groups | protect | significant | T1048.003 | Exfiltration Over Unencrypted Non-C2 Protocol |
Comments
This control can reduce the protocols available for data exfiltration. Temporal immediate, coverage substantial.
References
|
azure_network_security_groups | Azure Network Security Groups | protect | significant | T1205.001 | Port Knocking |
Comments
This control can be used to implement whitelist-based network rules that can mitigate variations of this sub-technique that result in opening closed ports for communication. Because this control is able to drop traffic before it reaches a compromised host, it can effectively mitigate this port knocking sub-technique.
References
|
azure_network_security_groups | Azure Network Security Groups | protect | significant | T1496.002 | Bandwidth Hijacking |
Comments
This capability can be configured to limit bandwidth available to connections.
References
|
azure_network_security_groups | Azure Network Security Groups | protect | significant | T1571 | Non-Standard Port |
Comments
This control can restrict traffic to standard ports and protocols.
References
|
azure_network_watcher_traffic_analytics | Azure Network Watcher: Traffic Analytics | detect | minimal | T1542 | Pre-OS Boot |
Comments
This control can identify anomalous traffic related to one of its sub-techniques (TFTP boot).
References
|
azure_network_watcher_traffic_analytics | Azure Network Watcher: Traffic Analytics | detect | partial | T1021 | Remote Services |
Comments
This control can detect anomalous traffic or attempts related to network security group (NSG) for remote services.
References
|
azure_network_watcher_traffic_analytics | Azure Network Watcher: Traffic Analytics | detect | partial | T1021.001 | Remote Desktop Protocol |
Comments
This control can detect anomalous traffic with respect to remote access protocols and groups.
References
|
azure_network_watcher_traffic_analytics | Azure Network Watcher: Traffic Analytics | detect | partial | T1021.002 | SMB/Windows Admin Shares |
Comments
This control can detect anomalous traffic with respect to remote access protocols and groups.
References
|
azure_network_watcher_traffic_analytics | Azure Network Watcher: Traffic Analytics | detect | partial | T1021.003 | Distributed Component Object Model |
Comments
This control can detect anomalous traffic with respect to remote access protocols and groups.
References
|
azure_network_watcher_traffic_analytics | Azure Network Watcher: Traffic Analytics | detect | partial | T1021.004 | SSH |
Comments
This control can detect anomalous traffic with respect to remote access protocols and groups.
References
|
azure_network_watcher_traffic_analytics | Azure Network Watcher: Traffic Analytics | detect | partial | T1021.005 | VNC |
Comments
This control can detect anomalous traffic with respect to remote access protocols and groups.
References
|
azure_network_watcher_traffic_analytics | Azure Network Watcher: Traffic Analytics | detect | partial | T1021.006 | Windows Remote Management |
Comments
This control can detect anomalous traffic with respect to remote access protocols and groups.
References
|
azure_network_watcher_traffic_analytics | Azure Network Watcher: Traffic Analytics | detect | partial | T1021.007 | Cloud Services |
Comments
This control can detect anomalous network traffic associated with abuse of remote cloud services.
References
|
azure_network_watcher_traffic_analytics | Azure Network Watcher: Traffic Analytics | detect | partial | T1021.008 | Direct Cloud VM Connections |
Comments
This control can detect direct cloud VM connections.
References
|
azure_network_watcher_traffic_analytics | Azure Network Watcher: Traffic Analytics | detect | partial | T1048 | Exfiltration Over Alternative Protocol |
Comments
This control can detect anomalous traffic with respect to specific protocols/ports.
References
|
azure_network_watcher_traffic_analytics | Azure Network Watcher: Traffic Analytics | detect | partial | T1048.001 | Exfiltration Over Symmetric Encrypted Non-C2 Protocol |
Comments
This control can identify anomalous traffic with respect to specific ports (though it can't identify the presence or lack of encryption).
References
|
azure_network_watcher_traffic_analytics | Azure Network Watcher: Traffic Analytics | detect | partial | T1048.002 | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol |
Comments
This control can identify anomalous traffic with respect to specific ports (though it can't identify the presence or lack of encryption).
References
|
azure_network_watcher_traffic_analytics | Azure Network Watcher: Traffic Analytics | detect | partial | T1048.003 | Exfiltration Over Unencrypted Non-C2 Protocol |
Comments
This control can identify anomalous traffic with respect to specific ports (though it can't identify the presence or lack of encryption).
References
|
azure_network_watcher_traffic_analytics | Azure Network Watcher: Traffic Analytics | detect | partial | T1071 | Application Layer Protocol |
Comments
This control can identify anomalous traffic with respect to NSG and application layer protocols.
References
|
azure_network_watcher_traffic_analytics | Azure Network Watcher: Traffic Analytics | detect | partial | T1071.002 | File Transfer Protocols |
Comments
This control can detect anomalous application protocol traffic with respect to network security group (NSG) rules (though web traffic would typically be too commonplace for this control to be useful).
References
|
azure_network_watcher_traffic_analytics | Azure Network Watcher: Traffic Analytics | detect | partial | T1071.003 | Mail Protocols |
Comments
This control can detect anomalous application protocol traffic with respect to network security group (NSG) rules (though web traffic would typically be too commonplace for this control to be useful).
References
|
azure_network_watcher_traffic_analytics | Azure Network Watcher: Traffic Analytics | detect | partial | T1071.004 | DNS |
Comments
This control can detect anomalous application protocol traffic with respect to network security group (NSG) rules (though web traffic would typically be too commonplace for this control to be useful).
References
|
azure_network_watcher_traffic_analytics | Azure Network Watcher: Traffic Analytics | detect | partial | T1071.005 | Publish/Subscribe Protocols |
Comments
This control can detect anomalous application protocol traffic related to this technique.
References
|
azure_network_watcher_traffic_analytics | Azure Network Watcher: Traffic Analytics | detect | partial | T1072 | Software Deployment Tools |
Comments
This control can detect anomalous traffic with respect to critical systems and software deployment ports.
References
|
azure_network_watcher_traffic_analytics | Azure Network Watcher: Traffic Analytics | detect | partial | T1090 | Proxy |
Comments
This control can detect anomalous traffic between systems and external networks.
References
|
azure_network_watcher_traffic_analytics | Azure Network Watcher: Traffic Analytics | detect | partial | T1090.001 | Internal Proxy |
Comments
This control can detect abuse of internal proxies.
References
|
azure_network_watcher_traffic_analytics | Azure Network Watcher: Traffic Analytics | detect | partial | T1090.002 | External Proxy |
Comments
This control can detect abuse of external proxies.
References
|
azure_network_watcher_traffic_analytics | Azure Network Watcher: Traffic Analytics | detect | partial | T1090.003 | Multi-hop Proxy |
Comments
This control can detect abuse of multi-hop proxies.
References
|
azure_network_watcher_traffic_analytics | Azure Network Watcher: Traffic Analytics | detect | partial | T1133 | External Remote Services |
Comments
This control can identify anomalous access to external remote services.
References
|
azure_network_watcher_traffic_analytics | Azure Network Watcher: Traffic Analytics | detect | partial | T1189 | Drive-by Compromise |
Comments
This capability can detect suspicious script execution over a network.
References
|
azure_network_watcher_traffic_analytics | Azure Network Watcher: Traffic Analytics | detect | partial | T1190 | Exploit Public-Facing Application |
Comments
This control can detect anomalous traffic to and from externally facing systems with respect to network security group (NSG) policy.
References
|
azure_network_watcher_traffic_analytics | Azure Network Watcher: Traffic Analytics | detect | partial | T1199 | Trusted Relationship |
Comments
This control can be used to gain insight into normal traffic from trusted third parties which can then be used to detect anomalous traffic that may be indicative of a threat.
References
|
azure_network_watcher_traffic_analytics | Azure Network Watcher: Traffic Analytics | detect | partial | T1204 | User Execution |
Comments
This control can detect network traffic associated with this technique.
References
|
azure_network_watcher_traffic_analytics | Azure Network Watcher: Traffic Analytics | detect | partial | T1219 | Remote Access Software |
Comments
This control can detect network traffic associated with this technique.
References
|
azure_network_watcher_traffic_analytics | Azure Network Watcher: Traffic Analytics | detect | partial | T1496.002 | Bandwidth Hijacking |
Comments
This capability can detect anomalous network traffic indicative of bandwidth hijacking.
References
|
azure_network_watcher_traffic_analytics | Azure Network Watcher: Traffic Analytics | detect | partial | T1499 | Endpoint Denial of Service |
Comments
This control can identify volumetric and multi-sourced denial-of-service attacks.
References
|
azure_network_watcher_traffic_analytics | Azure Network Watcher: Traffic Analytics | detect | partial | T1499.001 | OS Exhaustion Flood |
Comments
This control can detect endpoint denial of service attacks.
References
|
azure_network_watcher_traffic_analytics | Azure Network Watcher: Traffic Analytics | detect | partial | T1499.002 | Service Exhaustion Flood |
Comments
This control can detect endpoint denial of service attacks.
References
|
azure_network_watcher_traffic_analytics | Azure Network Watcher: Traffic Analytics | detect | partial | T1499.003 | Application Exhaustion Flood |
Comments
This control can detect endpoint denial of service attacks.
References
|
azure_network_watcher_traffic_analytics | Azure Network Watcher: Traffic Analytics | detect | partial | T1542.005 | TFTP Boot |
Comments
This control can be used to identify anomalous TFTP boot traffic.
References
|
azure_network_watcher_traffic_analytics | Azure Network Watcher: Traffic Analytics | detect | partial | T1563 | Remote Service Session Hijacking |
Comments
This control can be used to identify anomalous traffic related to RDP and SSH sessions or blocked attempts to access these management ports.
References
|
azure_network_watcher_traffic_analytics | Azure Network Watcher: Traffic Analytics | detect | partial | T1563.001 | SSH Hijacking |
Comments
This control can detect SSH hijacking.
References
|
azure_network_watcher_traffic_analytics | Azure Network Watcher: Traffic Analytics | detect | partial | T1563.002 | RDP Hijacking |
Comments
This control can detect RDP hijacking.
References
|
azure_network_watcher_traffic_analytics | Azure Network Watcher: Traffic Analytics | detect | partial | T1602 | Data from Configuration Repository |
Comments
This control can identify anomalous traffic with respect to configuration repositories or identified configuration management ports.
References
|
azure_network_watcher_traffic_analytics | Azure Network Watcher: Traffic Analytics | detect | partial | T1602.001 | SNMP (MIB Dump) |
Comments
This control can detect collection from configuration repositories.
References
|
azure_network_watcher_traffic_analytics | Azure Network Watcher: Traffic Analytics | detect | partial | T1602.002 | Network Device Configuration Dump |
Comments
This control can detect collection from configuration repositories.
References
|
azure_network_watcher_traffic_analytics | Azure Network Watcher: Traffic Analytics | detect | significant | T1046 | Network Service Discovery |
Comments
This control can detect network service scanning/discovery activity.
References
|
azure_network_watcher_traffic_analytics | Azure Network Watcher: Traffic Analytics | detect | significant | T1571 | Non-Standard Port |
Comments
This control can identify anomalous traffic that utilizes non-standard application ports.
References
|
azure_policy | Azure Policy | detect | minimal | T1525 | Implant Internal Image |
Comments
This control may provide recommendations to enable scanning and auditing of container images. This can provide information on images that have been added with high privileges or vulnerabilities.
References
|
azure_policy | Azure Policy | protect | minimal | T1021 | Remote Services |
Comments
This control can protect against abuse of remote services.
References
|
azure_policy | Azure Policy | protect | minimal | T1021.001 | Remote Desktop Protocol |
Comments
This control may provide recommendations to restrict public access to Remote Desktop Protocol.
References
|
azure_policy | Azure Policy | protect | minimal | T1021.004 | SSH |
Comments
This control may provide recommendations to restrict public SSH access and enable usage of SSH keys.
References
|
azure_policy | Azure Policy | protect | minimal | T1068 | Exploitation for Privilege Escalation |
Comments
This control may provide recommendations for vulnerability assessment and outdated applications and cloud services. This control covers a wide range of Azure cloud services to help reduce the surface area for exploitation.
References
|
azure_policy | Azure Policy | protect | minimal | T1071 | Application Layer Protocol |
Comments
This control can protect against command and control via application layer protocol.
References
|
azure_policy | Azure Policy | protect | minimal | T1071.004 | DNS |
Comments
This control may provide recommendations to enable Azure Defender for DNS which can monitor DNS queries between Azure applications for malicious traffic.
References
|
azure_policy | Azure Policy | protect | minimal | T1078 | Valid Accounts |
Comments
This control can protect against abuse of valid accounts.
References
|
azure_policy | Azure Policy | protect | minimal | T1078.004 | Cloud Accounts |
Comments
This control may provide recommendations to audit and restrict privileges on Azure cloud accounts. This control may provide information to reduce surface area for privileged access to Azure.
References
|
azure_policy | Azure Policy | protect | minimal | T1098 | Account Manipulation |
Comments
This control can protect against account manipulation.
References
|
azure_policy | Azure Policy | protect | minimal | T1098.001 | Additional Cloud Credentials |
Comments
This control may recommend removing deprecated accounts, reducing privileges, and enabling multi-factor authentication. This can reduce the number of accounts available to be exploited and what could be done with those accounts.
References
|
azure_policy | Azure Policy | protect | minimal | T1203 | Exploitation for Client Execution |
Comments
This control may provide recommendations for vulnerability assessment and outdated applications and cloud services. This control covers a wide range of Azure cloud services to help reduce the surface area for exploitation.
References
|
azure_policy | Azure Policy | protect | minimal | T1210 | Exploitation of Remote Services |
Comments
This control may provide recommendations to enable Azure security controls to harden remote services and reduce surface area for possible exploitation.
References
|
azure_policy | Azure Policy | protect | minimal | T1211 | Exploitation for Defense Evasion |
Comments
This control may provide recommendations for vulnerability assessment and outdated applications and cloud services. This control covers a wide range of Azure cloud services to help reduce the surface area for exploitation.
References
|
azure_policy | Azure Policy | protect | minimal | T1212 | Exploitation for Credential Access |
Comments
This control may provide recommendations for vulnerability assessment and outdated applications and cloud services. This control covers a wide range of Azure cloud services to help reduce the surface area for exploitation.
References
|
azure_policy | Azure Policy | protect | minimal | T1485 | Data Destruction |
Comments
This control may provide recommendations to enable soft deletion and purge protection in Azure Key Vault. This can help mitigate against malicious deletion of keys and secrets stored within Key Vault.
References
|
azure_policy | Azure Policy | protect | minimal | T1485.001 | Lifecycle-Triggered Deletion |
Comments
This control may provide recommendations that protect from lifecycle-triggered deletion.
References
|
azure_policy | Azure Policy | protect | minimal | T1505 | Server Software Component |
Comments
This control can protect against abuse of server software components for persistence.
References
|
azure_policy | Azure Policy | protect | minimal | T1505.001 | SQL Stored Procedures |
Comments
This control may provide recommendations to enable other Azure controls that provide information on potentially exploitable SQL stored procedures. Recommendations to remove unnecessary privileges from accounts and stored procedures can mitigate exploitation of this technique.
References
|
azure_policy | Azure Policy | protect | minimal | T1537 | Transfer Data to Cloud Account |
Comments
This control may provide recommendations to enable security controls that monitor and prevent malicious transfer of data to cloud accounts.
References
|
azure_policy | Azure Policy | protect | partial | T1021.007 | Cloud Services |
Comments
This control can protect against abuse of remote cloud services.
References
|
azure_policy | Azure Policy | protect | partial | T1021.008 | Direct Cloud VM Connections |
Comments
This control can protect against abuse of direct cloud VM connections.
References
|
azure_policy | Azure Policy | protect | partial | T1040 | Network Sniffing |
Comments
This control may provide recommendations to enable various Azure services that route traffic through secure networks, segment all network traffic, and enable TLS encryption where available.
References
|
azure_policy | Azure Policy | protect | partial | T1110 | Brute Force |
Comments
This control can protect against brute force attacks.
References
|
azure_policy | Azure Policy | protect | partial | T1110.001 | Password Guessing |
Comments
This control may provide recommendations to implement multi-factor authentication, implement password security policies, and replace password authentication with more secure authentication methods. This control can affect Azure, Azure cloud application, and endpoint credentials.
References
|
azure_policy | Azure Policy | protect | partial | T1110.003 | Password Spraying |
Comments
This control may provide recommendations to implement multi-factor authentication, implement password security policies, and replace password authentication with more secure authentication methods. This control can affect Azure, Azure cloud application, and endpoint credentials.
References
|
azure_policy | Azure Policy | protect | partial | T1110.004 | Credential Stuffing |
Comments
This control may provide recommendations to implement multi-factor authentication, implement password security policies, and replace password authentication with more secure authentication methods. This control can affect Azure, Azure cloud application, and endpoint credentials.
References
|
azure_policy | Azure Policy | protect | partial | T1133 | External Remote Services |
Comments
This control may provide recommendations to secure external remote services, such as restricting SSH access, enabling multi-factor authentication for VPN access, and auditing external remote services that are not necessary or updated.
References
|
azure_policy | Azure Policy | protect | partial | T1190 | Exploit Public-Facing Application |
Comments
This control may provide recommendations to restrict access to applications that are public facing and to provide information on vulnerable applications.
References
|
azure_policy | Azure Policy | protect | partial | T1526 | Cloud Service Discovery |
Comments
This control may provide recommendations to enable Azure services that limit access to cloud services. Several Azure services and controls provide mitigations against cloud service discovery.
References
|
azure_policy | Azure Policy | protect | partial | T1530 | Data from Cloud Storage |
Comments
This control may provide recommendations to enable Azure Defender for Storage and other security controls to prevent access to data from cloud storage objects.
References
|
azure_policy | Azure Policy | protect | partial | T1535 | Unused/Unsupported Cloud Regions |
Comments
This control may provide recommendations to restrict the allowed locations your organization can specify when deploying resources or creating resource groups.
References
|
azure_policy | Azure Policy | protect | partial | T1538 | Cloud Service Dashboard |
Comments
This control may provide recommendations to enable Azure services that limit access to Azure Resource Manager and other Azure dashboards. Several Azure services and controls provide mitigations against this technique.
References
|
azure_policy | Azure Policy | protect | partial | T1555 | Credentials from Password Stores |
Comments
This control may provide recommendations for auditing and hardening Azure Key Vault to prevent malicious access and segment key access.
References
|
azure_policy | Azure Policy | protect | partial | T1555.006 | Cloud Secrets Management Stores |
Comments
This control may provide recommendations for auditing and hardening Azure Key Vault to prevent malicious access and segment key access.
References
|
azure_policy | Azure Policy | protect | partial | T1580 | Cloud Infrastructure Discovery |
Comments
This control may provide recommendations to enable Azure services that limit access to cloud infrastructure. Several Azure services and controls provide mitigations against cloud infrastructure discovery.
References
|
azure_policy | Azure Policy | protect | partial | T1590 | Gather Victim Network Information |
Comments
This control may provide recommendations to restrict access to cloud resources from public networks and to route traffic between resources through Azure. Recommendations are also provided to use private DNS zones. If these recommendations are implemented the visible network information should be reduced.
References
|
azure_policy | Azure Policy | protect | partial | T1590.002 | DNS |
Comments
This control can protect against gathering victim networking information.
References
|
azure_policy | Azure Policy | protect | partial | T1590.004 | Network Topology |
Comments
This control can protect against gathering victim networking information.
References
|
azure_policy | Azure Policy | protect | partial | T1590.005 | IP Addresses |
Comments
This control can protect against gathering victim networking information.
References
|
azure_policy | Azure Policy | protect | partial | T1590.006 | Network Security Appliances |
Comments
This control can protect against gathering victim networking information.
References
|
azure_private_link | Azure Private Link | protect | minimal | T1565 | Data Manipulation |
Comments
This control provides partial protection for one of this technique's sub-techniques resulting in an overall Minimal score.
References
|
azure_private_link | Azure Private Link | protect | partial | T1040 | Network Sniffing |
Comments
This control reduces the likelihood of a network sniffing attack for traffic between remote users, cloud, and 3rd parties by routing the traffic via the Microsoft backbone rather than over the Internet.
References
|
azure_private_link | Azure Private Link | protect | partial | T1498 | Network Denial of Service |
Comments
This control prevents denial of service (DoS) against systems that would otherwise need to connect via an internet-traversing path (coverage is Partial, since it does not apply to systems that must be directly exposed to the Internet).
References
|
azure_private_link | Azure Private Link | protect | partial | T1498.001 | Direct Network Flood |
Comments
This control can protect against network denial of service attacks.
References
|
azure_private_link | Azure Private Link | protect | partial | T1498.002 | Reflection Amplification |
Comments
This control can protect against network denial of service attacks.
References
|
azure_private_link | Azure Private Link | protect | partial | T1499 | Endpoint Denial of Service |
Comments
This control prevents denial of service (DoS) against systems that would otherwise need to connect via an internet-traversing path (coverage is Partial, since it does not apply to systems that must be directly exposed to the Internet).
References
|
azure_private_link | Azure Private Link | protect | partial | T1499.001 | OS Exhaustion Flood |
Comments
This control can protect against endpoint denial of service attacks.
References
|
azure_private_link | Azure Private Link | protect | partial | T1499.002 | Service Exhaustion Flood |
Comments
This control can protect against endpoint denial of service attacks.
References
|
azure_private_link | Azure Private Link | protect | partial | T1499.003 | Application Exhaustion Flood |
Comments
This control can protect against endpoint denial of service attacks.
References
|
azure_private_link | Azure Private Link | protect | partial | T1499.004 | Application or System Exploitation |
Comments
This control can protect against endpoint denial of service attacks.
References
|
azure_private_link | Azure Private Link | protect | partial | T1557 | Adversary-in-the-Middle |
Comments
This control provides partial protection for this technique's sub-techniques resulting in an overall Partial score.
References
|
azure_private_link | Azure Private Link | protect | partial | T1557.001 | LLMNR/NBT-NS Poisoning and SMB Relay |
Comments
This control reduces the likelihood of MiTM for traffic between remote users, cloud, and 3rd parties by routing the traffic via the Microsoft backbone rather than over the Internet.
References
|
azure_private_link | Azure Private Link | protect | partial | T1557.002 | ARP Cache Poisoning |
Comments
This control reduces the likelihood of MiTM for traffic between remote users, cloud, and 3rd parties by routing the traffic via the Microsoft backbone rather than over the Internet.
References
|
azure_private_link | Azure Private Link | protect | partial | T1565.002 | Transmitted Data Manipulation |
Comments
This control reduces the likelihood of data manipulation for traffic between remote users, cloud, and 3rd parties by routing the traffic via the Microsoft backbone rather than over the Internet.
References
|
azure_private_link | Azure Private Link | protect | partial | T1659 | Content Injection |
Comments
This capability provides protection against content injection.
References
|
azure_role_based_access_control | Azure Role-Based Access Control | protect | minimal | T1078 | Valid Accounts |
Comments
This control only provides protection for one of this technique's sub-techniques while not providing any protection for its procedure examples (due to being specific to Azure AD) nor its remaining sub-techniques. Consequently its coverage score factor is Minimal, resulting in a Minimal score.
References
|
azure_role_based_access_control | Azure Role-Based Access Control | protect | minimal | T1087 | Account Discovery |
Comments
This control only provides protection for one of this technique's sub-techniques while not providing any protection for its procedure examples nor its remaining sub-techniques, and therefore its coverage score factor is Minimal, resulting in a Minimal score.
References
|
azure_role_based_access_control | Azure Role-Based Access Control | protect | minimal | T1136 | Create Account |
Comments
This control only provides protection for one of this technique's sub-techniques while not providing any protection for the remaining sub-techniques, and therefore its coverage score factor is Minimal, resulting in a Minimal score.
References
|
azure_role_based_access_control | Azure Role-Based Access Control | protect | partial | T1078.004 | Cloud Accounts |
Comments
This control can be used to implement the least-privilege principle for account management and thereby limit what an adversary can do with a valid account.
References
|
azure_role_based_access_control | Azure Role-Based Access Control | protect | partial | T1087.004 | Cloud Account |
Comments
This control can be used to implement the least-privilege principle for account management and thereby limit the accounts that can be used for account discovery.
References
|
azure_role_based_access_control | Azure Role-Based Access Control | protect | partial | T1098 | Account Manipulation |
Comments
This control provides protection for some of this technique's sub-techniques and therefore its coverage score factor is Partial, resulting in a Partial score.
References
|
azure_role_based_access_control | Azure Role-Based Access Control | protect | partial | T1098.001 | Additional Cloud Credentials |
Comments
This control can be used to implement the least-privilege principle for account management and thereby limit the number of accounts that can modify accounts.
References
|
azure_role_based_access_control | Azure Role-Based Access Control | protect | partial | T1098.003 | Additional Cloud Roles |
Comments
This control can be used to implement the least-privilege principle for account management and thereby limit the number of accounts that can modify accounts.
References
|
azure_role_based_access_control | Azure Role-Based Access Control | protect | partial | T1098.006 | Additional Container Cluster Roles |
Comments
This control can be used to implement the least-privilege principle for account management and thereby limit the number of accounts that can modify accounts.
References
|
azure_role_based_access_control | Azure Role-Based Access Control | protect | partial | T1136.003 | Cloud Account |
Comments
This control can be used to implement the least-privilege principle for account management and thereby limit the number of accounts that can create accounts.
References
|
azure_role_based_access_control | Azure Role-Based Access Control | protect | partial | T1485.001 | Lifecycle-Triggered Deletion |
Comments
This control can provide protection against lifecycle-triggered deletion by restricting access to those functions.
References
|
azure_role_based_access_control | Azure Role-Based Access Control | protect | partial | T1528 | Steal Application Access Token |
Comments
This control can be used to limit the number of users that are authorized to grant consent to applications for accessing organizational data. This can reduce the likelihood that a user is fooled into granting consent to a malicious application that then utilizes the user's OAuth access token to access organizational data.
References
|
azure_role_based_access_control | Azure Role-Based Access Control | protect | partial | T1530 | Data from Cloud Storage |
Comments
This control can be used to limit the number of users that have access to storage solutions except for the applications, users, and services that require access, thereby reducing the attack surface.
References
|
azure_role_based_access_control | Azure Role-Based Access Control | protect | partial | T1538 | Cloud Service Dashboard |
Comments
This control can be used to limit the number of users that have dashboard visibility thereby reducing the attack surface.
References
|
azure_role_based_access_control | Azure Role-Based Access Control | protect | partial | T1556 | Modify Authentication Process |
Comments
This control can protect against modification of the authentication process by limiting access.
References
|
azure_role_based_access_control | Azure Role-Based Access Control | protect | partial | T1578 | Modify Cloud Compute Infrastructure |
Comments
This control provides partial protection for all of its sub-techniques and therefore its coverage score factor is Partial, resulting in a Partial score.
References
|
azure_role_based_access_control | Azure Role-Based Access Control | protect | partial | T1578.001 | Create Snapshot |
Comments
This control can be used to implement the least-privilege principle for account management and thereby limit the number of accounts that can perform these privileged operations.
References
|
azure_role_based_access_control | Azure Role-Based Access Control | protect | partial | T1578.002 | Create Cloud Instance |
Comments
This control can be used to implement the least-privilege principle for account management and thereby limit the number of accounts that can perform these privileged operations.
References
|
azure_role_based_access_control | Azure Role-Based Access Control | protect | partial | T1578.003 | Delete Cloud Instance |
Comments
This control can be used to implement the least-privilege principle for account management and thereby limit the number of accounts that can perform these privileged operations.
References
|
azure_role_based_access_control | Azure Role-Based Access Control | protect | partial | T1578.004 | Revert Cloud Instance |
Comments
This control can be used to implement the least-privilege principle for account management and thereby limit the number of accounts that can perform these privileged operations.
References
|
azure_role_based_access_control | Azure Role-Based Access Control | protect | partial | T1578.005 | Modify Cloud Compute Configurations |
Comments
This control can be used to implement the least-privilege principle for account management and thereby limit the number of accounts that can perform these privileged operations.
References
|
azure_role_based_access_control | Azure Role-Based Access Control | protect | partial | T1580 | Cloud Infrastructure Discovery |
Comments
This control can be used to limit the number of users that have privileges to discover cloud infrastructure thereby reducing an organization's cloud infrastructure attack surface.
References
|
azure_update_manager | Azure Update Manager | protect | partial | T1072 | Software Deployment Tools |
Comments
This control provides partial coverage of attacks that leverage software flaws in unpatched deployment tools since it enables automated updates of software and rapid configuration change management.
References
|
azure_update_manager | Azure Update Manager | protect | partial | T1189 | Drive-by Compromise |
Comments
This control protects against a subset of drive-by methods that leverage unpatched client software since it enables automated updates of software and rapid configuration change management.
References
|
azure_update_manager | Azure Update Manager | protect | partial | T1190 | Exploit Public-Facing Application |
Comments
This control provides partial coverage for techniques that exploit vulnerabilities in (common) unpatched software since it enables automated updates of software and rapid configuration change management.
References
|
azure_update_manager | Azure Update Manager | protect | partial | T1195 | Supply Chain Compromise |
Comments
This control provides coverage of some aspects of software supply chain compromise since it enables automated updates of software and rapid configuration change management.
References
|
azure_update_manager | Azure Update Manager | protect | partial | T1195.001 | Compromise Software Dependencies and Development Tools |
Comments
This control provides coverage of some aspects of software supply chain compromise since it enables automated updates of software and rapid configuration change management.
References
|
azure_update_manager | Azure Update Manager | protect | partial | T1195.002 | Compromise Software Supply Chain |
Comments
This control provides coverage of some aspects of software supply chain compromise since it enables automated updates of software and rapid configuration change management.
References
|
azure_update_manager | Azure Update Manager | protect | partial | T1499 | Endpoint Denial of Service |
Comments
This control provides protection against the subset of Denial of Service (DoS) attacks that leverage system/application vulnerabilities, as opposed to volumetric attacks, since it enables automated updates of software and rapid configuration change management.
References
|
azure_update_manager | Azure Update Manager | protect | partial | T1554 | Compromise Host Software Binary |
Comments
This control provides partial protection against compromised client software binaries since it can provide a baseline to compare with potentially compromised/modified software binaries.
References
|
azure_update_manager | Azure Update Manager | protect | significant | T1068 | Exploitation for Privilege Escalation |
Comments
This control provides significant coverage of methods that leverage vulnerabilities in unpatched software since it enables automated updates of software and rapid configuration change management.
References
|
azure_update_manager | Azure Update Manager | protect | significant | T1203 | Exploitation for Client Execution |
Comments
This control provides significant coverage for exploitation-for-client-execution methods that leverage unpatched vulnerabilities since it enables automated updates of software and rapid configuration change management.
References
|
azure_update_manager | Azure Update Manager | protect | significant | T1210 | Exploitation of Remote Services |
Comments
This control provides significant coverage of techniques that leverage vulnerabilities in unpatched remote services since it enables automated updates of software and rapid configuration change management.
References
|
azure_update_manager | Azure Update Manager | protect | significant | T1211 | Exploitation for Defense Evasion |
Comments
This control provides significant coverage of defensive evasion methods that exploit unpatched vulnerabilities in software/systems since it enables automated updates of software and rapid configuration change management.
References
|
azure_update_manager | Azure Update Manager | protect | significant | T1212 | Exploitation for Credential Access |
Comments
This control provides significant coverage of credential access techniques that leverage unpatched software vulnerabilities since it enables automated updates of software and rapid configuration change management.
References
|
azure_update_manager | Azure Update Manager | protect | significant | T1499.004 | Application or System Exploitation |
Comments
This control provides significant protection against Denial of Service (DoS) attacks that leverage system/application vulnerabilities, as opposed to volumetric attacks, since it enables automated updates of software and rapid configuration change management.
References
|
azure_vpn_gateway | Azure VPN Gateway | protect | partial | T1565 | Data Manipulation |
Comments
This control provides significant protection against one sub-technique (Transmitted Data Manipulation) of this technique while not providing protection for its remaining sub-techniques, resulting in an overall score of Partial.
References
|
azure_vpn_gateway | Azure VPN Gateway | protect | significant | T1040 | Network Sniffing |
Comments
This control encrypts traffic traversing untrusted networks, which can prevent information from being gathered via network sniffing.
References
|
azure_vpn_gateway | Azure VPN Gateway | protect | significant | T1557 | Adversary-in-the-Middle |
Comments
This control can mitigate Man-in-the-Middle attacks that manipulate network protocol data in transit.
References
|
azure_vpn_gateway | Azure VPN Gateway | protect | significant | T1557.001 | LLMNR/NBT-NS Poisoning and SMB Relay |
Comments
This control can protect against adversary-in-the-middle attacks.
References
|
azure_vpn_gateway | Azure VPN Gateway | protect | significant | T1557.002 | ARP Cache Poisoning |
Comments
This control can protect against adversary-in-the-middle attacks.
References
|
azure_vpn_gateway | Azure VPN Gateway | protect | significant | T1565.002 | Transmitted Data Manipulation |
Comments
This control can protect against transmitted data manipulation.
References
|
azure_vpn_gateway | Azure VPN Gateway | protect | significant | T1659 | Content Injection |
Comments
This capability can mitigate content injection attacks that manipulate data in transit.
References
|
azure_web_application_firewall | Azure Web Application Firewall | detect | minimal | T1071 | Application Layer Protocol |
Comments
This control can detect one of the sub-techniques of this technique while not providing detection for the remaining, resulting in a Minimal overall score.
References
|
azure_web_application_firewall | Azure Web Application Firewall | protect | minimal | T1071 | Application Layer Protocol |
Comments
This control can protect against one of the sub-techniques of this technique while not providing protection for the remaining, resulting in a Minimal overall score.
References
|
azure_web_application_firewall | Azure Web Application Firewall | detect | partial | T1046 | Network Service Discovery |
Comments
This control can detect network service scanning of web applications by an adversary. Because this detection is specific to web applications (although frequent targets) and not other application types enumerated in the procedure examples of this technique (e.g. Active Directory), it has been scored as Partial.
References
|
azure_web_application_firewall | Azure Web Application Firewall | detect | partial | T1071.001 | Web Protocols |
Comments
This control can detect protocol attacks targeting web applications that may be indicative of adversary activity.
References
|
azure_web_application_firewall | Azure Web Application Firewall | detect | partial | T1595.002 | Vulnerability Scanning |
Comments
This control can detect active scanning.
References
|
azure_web_application_firewall | Azure Web Application Firewall | protect | partial | T1046 | Network Service Discovery |
Comments
This control can protect web applications from network service scanning by an adversary. Because this protection is specific to web applications (although frequent targets) and not other application types enumerated in the procedure examples of this technique (e.g. Active Directory), it has been scored as Partial.
References
|
azure_web_application_firewall | Azure Web Application Firewall | protect | partial | T1071.001 | Web Protocols |
Comments
This control can protect web applications from protocol attacks that may be indicative of adversary activity.
References
|
azure_web_application_firewall | Azure Web Application Firewall | protect | partial | T1595 | Active Scanning |
Comments
This control can protect web applications from active scanning by an adversary. Because this protection is specific to web applications (although frequent targets) and not other application types, it has been scored as Partial.
References
|
azure_web_application_firewall | Azure Web Application Firewall | protect | partial | T1595.002 | Vulnerability Scanning |
Comments
This control's protection focuses on the web vulnerability scanning covered by the OWASP Core Rule Set (CRS).
References
|
azure_web_application_firewall | Azure Web Application Firewall | protect | partial | T1595.003 | Wordlist Scanning |
Comments
This control can detect active scanning.
References
|
azure_web_application_firewall | Azure Web Application Firewall | detect | significant | T1190 | Exploit Public-Facing Application |
Comments
This control can detect common web application attack vectors.
References
|
azure_web_application_firewall | Azure Web Application Firewall | protect | significant | T1190 | Exploit Public-Facing Application |
Comments
This control can protect web applications from common attacks (e.g. SQL injection, XSS).
References
|
defender_for_app_service | Microsoft Defender for Cloud: Defender for App Service | detect | minimal | T1003 | OS Credential Dumping |
Comments
This control only addresses a minority of this technique's procedure examples and one of its sub-techniques, resulting in an overall Minimal score.
References
|
defender_for_app_service | Microsoft Defender for Cloud: Defender for App Service | detect | minimal | T1003.001 | LSASS Memory |
Comments
This control analyzes host data to detect execution of known malicious PowerShell PowerSploit cmdlets. This covers execution of this sub-technique via the Exfiltration modules, but does not address other procedures, and the temporal factor is unknown, so the score is Minimal.
References
|
defender_for_app_service | Microsoft Defender for Cloud: Defender for App Service | detect | minimal | T1005 | Data from Local System |
Comments
This control analyzes host data to detect execution of known malicious PowerShell PowerSploit cmdlets. This covers execution of this technique via the Exfiltration modules on Windows, but does not address other procedures or platforms, and temporal factor is unknown, resulting in a Minimal score.
References
|
defender_for_app_service | Microsoft Defender for Cloud: Defender for App Service | detect | minimal | T1012 | Query Registry |
Comments
This control analyzes host data to detect execution of known malicious PowerShell PowerSploit cmdlets. This covers execution of this technique via the Privesc-PowerUp modules, but does not address other procedures, and temporal factor is unknown, resulting in a Minimal score.
References
|
defender_for_app_service | Microsoft Defender for Cloud: Defender for App Service | detect | minimal | T1027 | Obfuscated Files or Information |
Comments
This control only covers one platform and procedure for one of this technique's sub-techniques, resulting in a Minimal score.
References
|
defender_for_app_service | Microsoft Defender for Cloud: Defender for App Service | detect | minimal | T1027.005 | Indicator Removal from Tools |
Comments
This control analyzes host data to detect execution of known malicious PowerShell PowerSploit cmdlets. This covers execution of this sub-technique via the Find-AVSignature AntivirusBypass module on Windows, but does not address other procedures or platforms, and temporal factor is unknown, resulting in a Minimal score.
References
|
defender_for_app_service | Microsoft Defender for Cloud: Defender for App Service | detect | minimal | T1036 | Masquerading |
Comments
This control only addresses a minority of this technique's procedure examples and one of its sub-techniques, resulting in an overall Minimal score.
References
|
defender_for_app_service | Microsoft Defender for Cloud: Defender for App Service | detect | minimal | T1047 | Windows Management Instrumentation |
Comments
This control analyzes host data to detect execution of known malicious PowerShell PowerSploit cmdlets. This covers execution of this technique via the Invoke-WmiCommand module, but does not address other procedures, and temporal factor is unknown, resulting in a Minimal score.
References
|
defender_for_app_service | Microsoft Defender for Cloud: Defender for App Service | detect | minimal | T1053 | Scheduled Task/Job |
Comments
This control does not address this technique's procedure examples and covers only one of its sub-techniques, resulting in an overall Minimal score.
References
|
defender_for_app_service | Microsoft Defender for Cloud: Defender for App Service | detect | minimal | T1053.005 | Scheduled Task |
Comments
This control analyzes host data to detect execution of known malicious PowerShell PowerSploit cmdlets. This covers execution of this sub-technique via the New-UserPersistenceOption Persistence module on Windows, but does not address other procedures, and temporal factor is unknown, resulting in a Minimal score.
References
|
defender_for_app_service | Microsoft Defender for Cloud: Defender for App Service | detect | minimal | T1056 | Input Capture |
Comments
This control only covers one platform and procedure for one of this technique's sub-techniques, resulting in a Minimal score.
References
|
defender_for_app_service | Microsoft Defender for Cloud: Defender for App Service | detect | minimal | T1056.001 | Keylogging |
Comments
This control analyzes host data to detect execution of known malicious PowerShell PowerSploit cmdlets. This covers execution of this sub-technique via the Get-Keystrokes Exfiltration module on Windows, but does not address other procedures or platforms, and temporal factor is unknown, resulting in a Minimal score.
References
|
defender_for_app_service | Microsoft Defender for Cloud: Defender for App Service | detect | minimal | T1057 | Process Discovery |
Comments
This control analyzes host data to detect execution of known malicious PowerShell PowerSploit cmdlets. This covers execution of this technique via the Get-ProcessTokenPrivilege PowerUp module on Windows, but does not address other procedures or platforms, and temporal factor is unknown, resulting in a Minimal score.
References
|
defender_for_app_service | Microsoft Defender for Cloud: Defender for App Service | detect | minimal | T1059 | Command and Scripting Interpreter |
Comments
This control provides minimal detection for this technique's procedure examples and only two of its sub-techniques (only certain specific sub-technique behaviors), resulting in a Minimal score.
References
|
defender_for_app_service | Microsoft Defender for Cloud: Defender for App Service | detect | minimal | T1059.001 | PowerShell |
Comments
This control monitors for execution of known malicious PowerShell PowerSploit cmdlets. Temporal factor is unknown.
References
|
defender_for_app_service | Microsoft Defender for Cloud: Defender for App Service | detect | minimal | T1059.004 | Unix Shell |
Comments
This control monitors host data for potential reverse shells used for command and control. Temporal factor is unknown.
References
|
defender_for_app_service | Microsoft Defender for Cloud: Defender for App Service | detect | minimal | T1087 | Account Discovery |
Comments
This control only covers one platform and procedure for one of this technique's sub-techniques, and provides minimal coverage of its procedure examples, resulting in a Minimal overall score.
References
|
defender_for_app_service | Microsoft Defender for Cloud: Defender for App Service | detect | minimal | T1087.001 | Local Account |
Comments
This control analyzes host data to detect execution of known malicious PowerShell PowerSploit cmdlets. This covers execution of this sub-technique via the Get-ProcessTokenGroup module on Windows, but does not address other procedures or platforms, and temporal factor is unknown, resulting in a Minimal score.
References
|
defender_for_app_service | Microsoft Defender for Cloud: Defender for App Service | detect | minimal | T1113 | Screen Capture |
Comments
This control analyzes host data to detect execution of known malicious PowerShell PowerSploit cmdlets. This covers execution of this technique via the Get-TimedScreenshot module on Windows, but does not address other procedures or platforms, and temporal factor is unknown, resulting in a Minimal score.
References
|
defender_for_app_service | Microsoft Defender for Cloud: Defender for App Service | detect | minimal | T1123 | Audio Capture |
Comments
This control analyzes host data to detect execution of known malicious PowerShell PowerSploit cmdlets. This covers execution of this technique via the Get-MicrophoneAudio module on Windows, but does not address other procedures or platforms, and temporal factor is unknown, resulting in a Minimal score.
References
|
defender_for_app_service | Microsoft Defender for Cloud: Defender for App Service | detect | minimal | T1134 | Access Token Manipulation |
Comments
This control analyzes host data to detect execution of known malicious PowerShell PowerSploit cmdlets. This covers execution of this technique via the Invoke-TokenManipulation module on Windows, but does not address other procedures or platforms, and temporal factor is unknown, resulting in a Minimal score.
References
|
defender_for_app_service | Microsoft Defender for Cloud: Defender for App Service | detect | minimal | T1204 | User Execution |
Comments
This control only provides meaningful detection for one of the technique's two sub-techniques, and the temporal factor is unknown, resulting in a score of Minimal.
References
|
defender_for_app_service | Microsoft Defender for Cloud: Defender for App Service | detect | minimal | T1204.001 | Malicious Link |
Comments
This control monitors for references to suspicious domain names and file downloads from known malware sources, and monitors processes for downloads from raw-data websites like Pastebin, all of which are relevant for detecting users' interactions with malicious download links, but malicious links which exploit browser vulnerabilities for execution are unlikely to be detected, and temporal factor is unknown, resulting in a score of Minimal.
References
|
defender_for_app_service | Microsoft Defender for Cloud: Defender for App Service | detect | minimal | T1482 | Domain Trust Discovery |
Comments
This control analyzes host data to detect execution of known malicious PowerShell PowerSploit cmdlets. This covers execution of this technique via the Get-NetDomainTrust and Get-NetForestTrust modules, but does not address other procedures, and temporal factor is unknown, resulting in a Minimal score.
References
|
defender_for_app_service | Microsoft Defender for Cloud: Defender for App Service | detect | minimal | T1543 | Create or Modify System Process |
Comments
This control only addresses a minority of this technique's procedure examples and one of its sub-techniques, resulting in an overall Minimal score.
References
|
defender_for_app_service | Microsoft Defender for Cloud: Defender for App Service | detect | minimal | T1543.003 | Windows Service |
Comments
This control analyzes host data to detect execution of known malicious PowerShell PowerSploit cmdlets. This covers execution of this sub-technique via the Privesc-PowerUp modules on Windows, but does not address other procedures, and temporal factor is unknown, resulting in a Minimal score.
References
|
defender_for_app_service | Microsoft Defender for Cloud: Defender for App Service | detect | minimal | T1547 | Boot or Logon Autostart Execution |
Comments
This control only covers one platform and procedure for two of this technique's many sub-techniques, resulting in a Minimal score.
References
|
defender_for_app_service | Microsoft Defender for Cloud: Defender for App Service | detect | minimal | T1547.001 | Registry Run Keys / Startup Folder |
Comments
This control analyzes host data to detect execution of known malicious PowerShell PowerSploit cmdlets. This covers execution of this sub-technique via New-UserPersistenceOption on Windows, but does not address other procedures or platforms, and temporal factor is unknown, resulting in a Minimal score.
References
|
defender_for_app_service | Microsoft Defender for Cloud: Defender for App Service | detect | minimal | T1547.005 | Security Support Provider |
Comments
This control analyzes host data to detect execution of known malicious PowerShell PowerSploit cmdlets. This covers execution of this sub-technique via the Install-SSP module on Windows, but does not address other procedures or platforms, and temporal factor is unknown, resulting in a Minimal score.
References
|
defender_for_app_service | Microsoft Defender for Cloud: Defender for App Service | detect | minimal | T1552 | Unsecured Credentials |
Comments
This control does not address this technique's procedure example and provides minimal detection for some of its sub-techniques, resulting in an overall Minimal score.
References
|
defender_for_app_service | Microsoft Defender for Cloud: Defender for App Service | detect | minimal | T1552.002 | Credentials in Registry |
Comments
This control analyzes host data to detect execution of known malicious PowerShell PowerSploit cmdlets. This covers execution of this sub-technique via the Get-UnattendedInstallFile, Get-Webconfig, Get-ApplicationHost, Get-SiteListPassword, Get-CachedGPPPassword, and RegistryAutoLogon modules, but does not address other procedures, and temporal factor is unknown, resulting in a Minimal score.
References
|
defender_for_app_service | Microsoft Defender for Cloud: Defender for App Service | detect | minimal | T1552.006 | Group Policy Preferences |
Comments
This control analyzes host data to detect execution of known malicious PowerShell PowerSploit cmdlets. This covers execution of this sub-technique via the Exfiltration modules, but does not address other procedures, and temporal factor is unknown, resulting in a Minimal score.
References
|
defender_for_app_service | Microsoft Defender for Cloud: Defender for App Service | detect | minimal | T1555 | Credentials from Password Stores |
Comments
This control analyzes host data to detect execution of known malicious PowerShell PowerSploit cmdlets. This covers execution of this technique via the PowerSploit Exfiltration modules on Windows, but does not address other procedures or platforms, and temporal factor is unknown, resulting in a Minimal score.
References
|
defender_for_app_service | Microsoft Defender for Cloud: Defender for App Service | detect | minimal | T1558 | Steal or Forge Kerberos Tickets |
Comments
This control only covers one procedure for one of this technique's sub-techniques, resulting in an overall Minimal score.
References
|
defender_for_app_service | Microsoft Defender for Cloud: Defender for App Service | detect | minimal | T1558.003 | Kerberoasting |
Comments
This control analyzes host data to detect execution of known malicious PowerShell PowerSploit cmdlets. This covers execution of this sub-technique via the Invoke-Kerberoast module, but does not address other procedures, and temporal factor is unknown, resulting in a Minimal score.
References
|
defender_for_app_service | Microsoft Defender for Cloud: Defender for App Service | detect | minimal | T1574 | Hijack Execution Flow |
Comments
This control only addresses a minority of this technique's procedure examples and provides minimal detection of some of its sub-techniques, resulting in an overall Minimal score.
References
|
defender_for_app_service | Microsoft Defender for Cloud: Defender for App Service | detect | minimal | T1574.001 | DLL Search Order Hijacking |
Comments
This control analyzes host data to detect execution of known malicious PowerShell PowerSploit cmdlets. This covers execution of this sub-technique via the Privesc-PowerUp modules, but does not address other procedures, and temporal factor is unknown, resulting in a Minimal score.
References
|
defender_for_app_service | Microsoft Defender for Cloud: Defender for App Service | detect | minimal | T1574.007 | Path Interception by PATH Environment Variable |
Comments
This control analyzes host data to detect execution of known malicious PowerShell PowerSploit cmdlets. This covers execution of this sub-technique via the Privesc-PowerUp modules, but does not address other procedures, and temporal factor is unknown, resulting in a Minimal score.
References
|
defender_for_app_service | Microsoft Defender for Cloud: Defender for App Service | detect | minimal | T1574.008 | Path Interception by Search Order Hijacking |
Comments
This control analyzes host data to detect execution of known malicious PowerShell PowerSploit cmdlets. This covers execution of this sub-technique via the Privesc-PowerUp modules, but does not address other procedures, and temporal factor is unknown, resulting in a Minimal score.
References
|
defender_for_app_service | Microsoft Defender for Cloud: Defender for App Service | detect | minimal | T1574.009 | Path Interception by Unquoted Path |
Comments
This control analyzes host data to detect execution of known malicious PowerShell PowerSploit cmdlets. This covers execution of this sub-technique via the Privesc-PowerUp modules, but does not address other procedures, and temporal factor is unknown, resulting in a Minimal score.
References
|
defender_for_app_service | Microsoft Defender for Cloud: Defender for App Service | detect | minimal | T1595 | Active Scanning |
Comments
This control only provides detection for one of its two sub-techniques, resulting in an overall Minimal score.
References
|
defender_for_app_service | Microsoft Defender for Cloud: Defender for App Service | protect | minimal | T1566 | Phishing |
Comments
This control only provides (minimal) protection for one of the technique's sub-techniques, resulting in a Minimal score.
References
|
defender_for_app_service | Microsoft Defender for Cloud: Defender for App Service | protect | minimal | T1566.002 | Spearphishing Link |
Comments
This control monitors for known phishing links on the Azure App Services website and generates alerts if they are detected, potentially preventing their access by users. This is a very specific avenue, only covers known links, and temporal factor is unknown, resulting in a Minimal score.
References
|
defender_for_app_service | Microsoft Defender for Cloud: Defender for App Service | protect | minimal | T1584 | Compromise Infrastructure |
Comments
This control only addresses one of the technique's sub-techniques, resulting in a score of Minimal.
References
|
defender_for_app_service | Microsoft Defender for Cloud: Defender for App Service | detect | partial | T1036.005 | Match Legitimate Name or Location |
Comments
This control analyzes host data to detect processes with suspicious names, including those named in a way that is suggestive of attacker tools that try to hide in plain sight. False positives are probable, and temporal factor is unknown.
References
|
defender_for_app_service | Microsoft Defender for Cloud: Defender for App Service | detect | partial | T1055 | Process Injection |
Comments
This control's Fileless Attack Detection covers all relevant sub-techniques. The control also specifically detects process hollowing, executable image injection, and threads started in a dynamically allocated code segment. Detection is periodic at an unknown rate.
References
|
defender_for_app_service | Microsoft Defender for Cloud: Defender for App Service | detect | partial | T1055.001 | Dynamic-link Library Injection |
Comments
Injection attacks are specifically cited as a detection focus for Fileless Attack Detection, which is part of this control, with even more specific references to Process Hollowing, executable image injection, and threads started in a dynamically allocated code segment. Detection is periodic at an unknown rate.
References
|
defender_for_app_service | Microsoft Defender for Cloud: Defender for App Service | detect | partial | T1055.002 | Portable Executable Injection |
Comments
Injection attacks are specifically cited as a detection focus for Fileless Attack Detection, which is part of this control, with even more specific references to Process Hollowing, executable image injection, and threads started in a dynamically allocated code segment. Detection is periodic at an unknown rate.
References
|
defender_for_app_service | Microsoft Defender for Cloud: Defender for App Service | detect | partial | T1055.003 | Thread Execution Hijacking |
Comments
Injection attacks are specifically cited as a detection focus for Fileless Attack Detection, which is part of this control, with even more specific references to Process Hollowing, executable image injection, and threads started in a dynamically allocated code segment. Detection is periodic at an unknown rate.
References
|
defender_for_app_service | Microsoft Defender for Cloud: Defender for App Service | detect | partial | T1055.004 | Asynchronous Procedure Call |
Comments
Injection attacks are specifically cited as a detection focus for Fileless Attack Detection, which is part of this control, with even more specific references to Process Hollowing, executable image injection, and threads started in a dynamically allocated code segment. Detection is periodic at an unknown rate.
References
|
defender_for_app_service | Microsoft Defender for Cloud: Defender for App Service | detect | partial | T1055.005 | Thread Local Storage |
Comments
Injection attacks are specifically cited as a detection focus for Fileless Attack Detection, which is part of this control, with even more specific references to Process Hollowing, executable image injection, and threads started in a dynamically allocated code segment. Detection is periodic at an unknown rate.
References
|
defender_for_app_service | Microsoft Defender for Cloud: Defender for App Service | detect | partial | T1055.008 | Ptrace System Calls |
Comments
Injection attacks are specifically cited as a detection focus for Fileless Attack Detection, which is part of this control, with even more specific references to Process Hollowing, executable image injection, and threads started in a dynamically allocated code segment. Detection is periodic at an unknown rate.
References
|
defender_for_app_service | Microsoft Defender for Cloud: Defender for App Service | detect | partial | T1055.009 | Proc Memory |
Comments
Injection attacks are specifically cited as a detection focus for Fileless Attack Detection, which is part of this control, with even more specific references to Process Hollowing, executable image injection, and threads started in a dynamically allocated code segment. Detection is periodic at an unknown rate.
References
|
defender_for_app_service | Microsoft Defender for Cloud: Defender for App Service | detect | partial | T1055.011 | Extra Window Memory Injection |
Comments
Injection attacks are specifically cited as a detection focus for Fileless Attack Detection, which is part of this control, with even more specific references to Process Hollowing, executable image injection, and threads started in a dynamically allocated code segment. Detection is periodic at an unknown rate.
References
|
defender_for_app_service | Microsoft Defender for Cloud: Defender for App Service | detect | partial | T1055.012 | Process Hollowing |
Comments
Injection attacks are specifically cited as a detection focus for Fileless Attack Detection, which is part of this control, with even more specific references to Process Hollowing, executable image injection, and threads started in a dynamically allocated code segment. Detection is periodic at an unknown rate.
References
|
defender_for_app_service | Microsoft Defender for Cloud: Defender for App Service | detect | partial | T1055.013 | Process Doppelgänging |
Comments
Injection attacks are specifically cited as a detection focus for Fileless Attack Detection, which is part of this control, with even more specific references to Process Hollowing, executable image injection, and threads started in a dynamically allocated code segment. Detection is periodic at an unknown rate.
References
|
defender_for_app_service | Microsoft Defender for Cloud: Defender for App Service | detect | partial | T1055.014 | VDSO Hijacking |
Comments
Injection attacks are specifically cited as a detection focus for Fileless Attack Detection, which is part of this control, with even more specific references to Process Hollowing, executable image injection, and threads started in a dynamically allocated code segment. Detection is periodic at an unknown rate.
References
|
defender_for_app_service | Microsoft Defender for Cloud: Defender for App Service | detect | partial | T1068 | Exploitation for Privilege Escalation |
Comments
This control's Fileless Attack Detection identifies shellcode executing within process memory, including shellcode executed as a payload in the exploitation of a software vulnerability. Detection is periodic at an unknown rate.
References
|
defender_for_app_service | Microsoft Defender for Cloud: Defender for App Service | detect | partial | T1105 | Ingress Tool Transfer |
Comments
This control detects binary downloads via certutil, monitors for FTP access from IP addresses found in threat intelligence, monitors for references to suspicious domain names and file downloads from known malware sources, and monitors processes for downloads from raw-data websites like Pastebin. Temporal factor is unknown.
References
|
defender_for_app_service | Microsoft Defender for Cloud: Defender for App Service | detect | partial | T1140 | Deobfuscate/Decode Files or Information |
Comments
This control analyzes host data to detect base-64 encoded executables within command sequences. It also monitors for use of certutil to decode executables. Temporal factor is unknown.
References
|
defender_for_app_service | Microsoft Defender for Cloud: Defender for App Service | detect | partial | T1189 | Drive-by Compromise |
Comments
This control's Fileless Attack Detection identifies shellcode executing within process memory, including shellcode injected into browser or other process memory as part of a drive-by attack. Detection is periodic at an unknown rate.
References
|
defender_for_app_service | Microsoft Defender for Cloud: Defender for App Service | detect | partial | T1190 | Exploit Public-Facing Application |
Comments
This control's Fileless Attack Detection identifies shellcode executing within process memory, including shellcode injected to exploit a vulnerability in a public-facing application. Detection is periodic at an unknown rate.
References
|
defender_for_app_service | Microsoft Defender for Cloud: Defender for App Service | detect | partial | T1203 | Exploitation for Client Execution |
Comments
This control's Fileless Attack Detection identifies shellcode executing within process memory, including shellcode executed as a payload in the exploitation of a software vulnerability. Detection is periodic at an unknown rate.
References
|
defender_for_app_service | Microsoft Defender for Cloud: Defender for App Service | detect | partial | T1210 | Exploitation of Remote Services |
Comments
This control's Fileless Attack Detection identifies shellcode executing within process memory, including shellcode injected to exploit a vulnerability in an exposed service. Detection is periodic at an unknown rate.
References
|
defender_for_app_service | Microsoft Defender for Cloud: Defender for App Service | detect | partial | T1211 | Exploitation for Defense Evasion |
Comments
This control's Fileless Attack Detection identifies shellcode executing within process memory, including shellcode executed as a payload in the exploitation of a software vulnerability. Detection is periodic at an unknown rate.
References
|
defender_for_app_service | Microsoft Defender for Cloud: Defender for App Service | detect | partial | T1212 | Exploitation for Credential Access |
Comments
This control's Fileless Attack Detection identifies shellcode executing within process memory, including shellcode executed as a payload in the exploitation of a software vulnerability. Detection is periodic at an unknown rate.
References
|
defender_for_app_service | Microsoft Defender for Cloud: Defender for App Service | detect | partial | T1496 | Resource Hijacking |
Comments
This control detects file downloads associated with digital currency mining as well as host data related to process and command execution associated with mining. It also includes fileless attack detection, which specifically targets crypto mining activity. Temporal factor is unknown.
References
|
defender_for_app_service | Microsoft Defender for Cloud: Defender for App Service | detect | partial | T1496.001 | Compute Hijacking |
Comments
This control detects file downloads associated with digital currency mining as well as host data related to process and command execution associated with mining. It also includes fileless attack detection, which specifically targets crypto mining activity. Temporal factor is unknown.
References
|
defender_for_app_service | Microsoft Defender for Cloud: Defender for App Service | detect | partial | T1496.004 | Cloud Service Hijacking |
Comments
This control detects file downloads associated with digital currency mining as well as host data related to process and command execution associated with mining. It also includes fileless attack detection, which specifically targets crypto mining activity. Temporal factor is unknown.
References
|
defender_for_app_service | Microsoft Defender for Cloud: Defender for App Service | detect | partial | T1559 | Inter-Process Communication |
Comments
This control's Fileless Attack Detection covers the command execution aspects of both of this technique's sub-techniques. Detection is periodic at an unknown rate.
References
|
defender_for_app_service | Microsoft Defender for Cloud: Defender for App Service | detect | partial | T1559.001 | Component Object Model |
Comments
This control's Fileless Attack Detection identifies suspicious command execution within process memory. Detection is periodic at an unknown rate.
References
|
defender_for_app_service | Microsoft Defender for Cloud: Defender for App Service | detect | partial | T1559.002 | Dynamic Data Exchange |
Comments
This control's Fileless Attack Detection identifies suspicious command execution within process memory. Detection is periodic at an unknown rate.
References
|
defender_for_app_service | Microsoft Defender for Cloud: Defender for App Service | detect | partial | T1594 | Search Victim-Owned Websites |
Comments
This control monitors for accesses of potentially sensitive web pages from source IP addresses whose access pattern resembles that of a web scanner or that have not been logged before. Temporal factor is unknown.
References
|
defender_for_app_service | Microsoft Defender for Cloud: Defender for App Service | detect | partial | T1595.002 | Vulnerability Scanning |
Comments
This control monitors for web fingerprinting tools including nmap and Blind Elephant, as well as scanners looking for vulnerabilities in applications like Drupal, Joomla, and WordPress. Temporal factor is unknown.
References
|
defender_for_app_service | Microsoft Defender for Cloud: Defender for App Service | detect | partial | T1595.003 | Wordlist Scanning |
Comments
This control can protect web applications from active scanning by an adversary. Because this protection is specific to web applications (although frequent targets) and not other application types, it has been scored as Partial.
References
|
defender_for_app_service | Microsoft Defender for Cloud: Defender for App Service | detect | partial | T1620 | Reflective Code Loading |
Comments
This capability analyzes host data to detect processes with suspicious attributes, including those created anonymously.
References
|
defender_for_app_service | Microsoft Defender for Cloud: Defender for App Service | protect | partial | T1027.006 | HTML Smuggling |
Comments
This control can protect against HTML smuggling.
References
|
defender_for_app_service | Microsoft Defender for Cloud: Defender for App Service | protect | partial | T1027.007 | Dynamic API Resolution |
Comments
This control can protect against abuse of dynamic API resolution.
References
|
defender_for_app_service | Microsoft Defender for Cloud: Defender for App Service | protect | partial | T1027.009 | Embedded Payloads |
Comments
This control can protect against embedded payloads.
References
|
defender_for_app_service | Microsoft Defender for Cloud: Defender for App Service | protect | partial | T1027.010 | Command Obfuscation |
Comments
This control can protect against command obfuscation attacks.
References
|
defender_for_app_service | Microsoft Defender for Cloud: Defender for App Service | protect | partial | T1027.013 | Encrypted/Encoded File |
Comments
This control can protect against obfuscation via encrypted/encoded files.
References
|
defender_for_app_service | Microsoft Defender for Cloud: Defender for App Service | protect | partial | T1027.014 | Polymorphic Code |
Comments
This control can protect against obfuscation via polymorphic code.
References
|
defender_for_app_service | Microsoft Defender for Cloud: Defender for App Service | protect | partial | T1648 | Serverless Execution |
Comments
This capability can protect against abuse of Azure Functions.
References
|
defender_for_app_service | Microsoft Defender for Cloud: Defender for App Service | protect | significant | T1584.001 | Domains |
Comments
Subdomain hijacking is a focus of this control, and its Dangling DNS detection alert feature is activated when an App Service website is decommissioned and its corresponding DNS entry is not deleted, allowing users to remove those entries before they can be leveraged by an adversary.
References
|
defender_for_azure_sql_databases | Microsoft Defender for Azure SQL Databases | protect | minimal | T1078 | Valid Accounts |
Comments
This control can protect against abuse of valid accounts.
References
|
defender_for_azure_sql_databases | Microsoft Defender for Azure SQL Databases | protect | minimal | T1112 | Modify Registry |
Comments
This control may scan for any stored procedures that can access the Registry and check that permission to execute those stored procedures has been revoked from all users (other than dbo).
References
|
defender_for_azure_sql_databases | Microsoft Defender for Azure SQL Databases | protect | minimal | T1190 | Exploit Public-Facing Application |
Comments
This control provides recommendations to patch if SQL Server is out of date and to disable unneeded features to reduce the exploitable surface area.
References
|
defender_for_azure_sql_databases | Microsoft Defender for Azure SQL Databases | protect | minimal | T1505 | Server Software Component |
Comments
This control can protect against abuse of server software components for persistence.
References
|
defender_for_azure_sql_databases | Microsoft Defender for Azure SQL Databases | protect | partial | T1068 | Exploitation for Privilege Escalation |
Comments
This control may scan for users with unnecessary permissions and check whether SQL Server is out of date.
References
|
defender_for_azure_sql_databases | Microsoft Defender for Azure SQL Databases | protect | partial | T1078.001 | Default Accounts |
Comments
This control may provide recommendations to disable default accounts and restrict permissions for existing accounts.
References
|
defender_for_azure_sql_databases | Microsoft Defender for Azure SQL Databases | protect | partial | T1505.001 | SQL Stored Procedures |
Comments
This control may scan for users with unnecessary access to SQL stored procedures.
References
|
defender_for_containers | Microsoft Defender for Containers | protect | minimal | T1068 | Exploitation for Privilege Escalation |
Comments
This control may provide recommendations to avoid privileged containers and running containers as root.
References
|
defender_for_containers | Microsoft Defender for Containers | protect | minimal | T1190 | Exploit Public-Facing Application |
Comments
This control may provide information about vulnerabilities within container images. The limited scope of containers and registries that are applicable to this control contributes to the lower score.
References
|
defender_for_containers | Microsoft Defender for Containers | detect | partial | T1053.007 | Container Orchestration Job |
Comments
This control can detect when containers are created.
References
|
defender_for_containers | Microsoft Defender for Containers | detect | partial | T1068 | Exploitation for Privilege Escalation |
Comments
This control may alert on detection of new privileged containers and high privilege roles.
References
|
defender_for_containers | Microsoft Defender for Containers | detect | partial | T1070 | Indicator Removal |
Comments
This control may alert on deletion of Kubernetes events. Attackers might delete those events to hide their operations in the cluster. There is no relevant sub-technique for this control but the parent applies.
References
|
defender_for_containers | Microsoft Defender for Containers | detect | partial | T1098.006 | Additional Container Cluster Roles |
Comments
This control can detect when changes are made to containers that indicate account manipulation.
References
|
defender_for_containers | Microsoft Defender for Containers | detect | partial | T1204 | User Execution |
Comments
This control can detect container behavior associated with this technique.
References
|
defender_for_containers | Microsoft Defender for Containers | detect | partial | T1204.003 | Malicious Image |
Comments
This capability can detect when containers are created or started.
References
|
defender_for_containers | Microsoft Defender for Containers | detect | partial | T1525 | Implant Internal Image |
Comments
This control may scan and alert on import or creation of container images with known vulnerabilities or a possible expanded surface area for exploitation.
References
|
defender_for_containers | Microsoft Defender for Containers | detect | partial | T1525 | Implant Internal Image |
Comments
This control may alert on containers with sensitive volume mounts, unneeded privileges, or running an image with digital currency mining software.
References
|
defender_for_containers | Microsoft Defender for Containers | detect | partial | T1611 | Escape to Host |
Comments
This capability can detect escape to host.
References
|
defender_for_containers | Microsoft Defender for Containers | detect | partial | T1612 | Build Image on Host |
Comments
This capability can detect building a container image on the host.
References
|
defender_for_containers | Microsoft Defender for Containers | protect | partial | T1190 | Exploit Public-Facing Application |
Comments
This control may alert on publicly exposed Kubernetes services. This may provide context on services that should be patched or hardened for public access.
References
|
defender_for_containers | Microsoft Defender for Containers | protect | partial | T1525 | Implant Internal Image |
Comments
This control may prevent adversaries from implanting malicious container images through fine-grained permissions and use of container image tag signing. Image tag signing allows for verifiable container images that have been signed with legitimate keys.
References
|
defender_for_containers | Microsoft Defender for Containers | protect | partial | T1552.007 | Container API |
Comments
This capability can be integrated with others to secure credentials.
References
|
defender_for_containers | Microsoft Defender for Containers | protect | partial | T1611 | Escape to Host |
Comments
This capability can protect against escape to host attacks.
References
|
defender_for_containers | Microsoft Defender for Containers | protect | partial | T1612 | Build Image on Host |
Comments
This capability can protect against building a container image on the host.
References
|
defender_for_containers | Microsoft Defender for Containers | detect | significant | T1609 | Container Administration Command |
Comments
This capability can detect abuse of container administration services.
References
|
defender_for_containers | Microsoft Defender for Containers | detect | significant | T1610 | Deploy Container |
Comments
This capability can detect unauthorized deployment of containers.
References
|
defender_for_containers | Microsoft Defender for Containers | detect | significant | T1613 | Container and Resource Discovery |
Comments
This capability can detect container discovery.
References
|
defender_for_containers | Microsoft Defender for Containers | detect | significant | T1619 | Cloud Storage Object Discovery |
Comments
This capability can detect cloud storage object (blob) discovery.
References
|
defender_for_containers | Microsoft Defender for Containers | protect | significant | T1609 | Container Administration Command |
Comments
This capability can protect against abuse of container administration services.
References
|
defender_for_containers | Microsoft Defender for Containers | protect | significant | T1610 | Deploy Container |
Comments
This capability can protect against unauthorized deployment of containers.
References
|
defender_for_containers | Microsoft Defender for Containers | protect | significant | T1613 | Container and Resource Discovery |
Comments
This capability can protect against container discovery.
References
|
defender_for_containers | Microsoft Defender for Containers | protect | significant | T1619 | Cloud Storage Object Discovery |
Comments
This capability can protect against cloud object storage (blob) discovery.
References
|
defender_for_key_vault | Microsoft Defender for Key Vault | detect | minimal | T1580 | Cloud Infrastructure Discovery |
Comments
This control may alert on suspicious access of key vaults, including suspicious listing of key vault contents. This control does not alert on discovery of other cloud services, such as VMs, snapshots, cloud storage and therefore has minimal coverage. Suspicious activity based on patterns of access from certain users and applications allows for managing false positive rates.
References
|
defender_for_key_vault | Microsoft Defender for Key Vault | detect | partial | T1555 | Credentials from Password Stores |
Comments
This control may detect suspicious secret access from Azure key vaults.
References
|
defender_for_key_vault | Microsoft Defender for Key Vault | detect | partial | T1555.006 | Cloud Secrets Management Stores |
Comments
This control may detect suspicious secret access from Azure key vaults.
References
|
defender_for_open_source_databases | Microsoft Defender for Open-Source Relational Databases | detect | partial | T1110 | Brute Force |
Comments
This control can detect attempted or successful brute force attacks.
References
|
defender_for_open_source_databases | Microsoft Defender for Open-Source Relational Databases | detect | partial | T1190 | Exploit Public-Facing Application |
Comments
This control can detect artifacts of common exploit traffic.
References
|
defender_for_open_source_databases | Microsoft Defender for Open-Source Relational Databases | detect | partial | T1213 | Data from Information Repositories |
Comments
This control can detect suspicious login activity.
References
|
defender_for_open_source_databases | Microsoft Defender for Open-Source Relational Databases | detect | partial | T1580 | Cloud Infrastructure Discovery |
Comments
This control can detect unusual activity related to cloud data object storage enumeration.
References
|
defender_for_open_source_databases | Microsoft Defender for Open-Source Relational Databases | detect | partial | T1595 | Active Scanning |
Comments
This control can detect traffic patterns and perform packet inspection associated with protocols that do not follow the expected protocol standards and traffic flows (e.g., extraneous packets that do not belong to established flows).
References
|
defender_for_resource_manager | Microsoft Defender for Resource Manager | detect | minimal | T1068 | Exploitation for Privilege Escalation |
Comments
This control may alert on escalation attempts from Azure AD to Azure accounts by specific exploitation toolkits. Consequently, its Coverage score is Minimal resulting in an overall Minimal score. The following alerts may be generated: "PowerZure exploitation toolkit used to elevate access from Azure AD to Azure".
References
|
defender_for_resource_manager | Microsoft Defender for Resource Manager | detect | minimal | T1069 | Permission Groups Discovery |
Comments
This control may alert on Azure domain cloud groups discovery activity but may not provide alerts for other account types or undocumented exploitation toolkits. Consequently, its Coverage score is Minimal resulting in an overall Minimal score.
References
|
defender_for_resource_manager | Microsoft Defender for Resource Manager | detect | minimal | T1087 | Account Discovery |
Comments
This control may alert on Azure cloud account discovery activity but may not provide alerts for other account types or undocumented exploitation toolkits. Consequently, its Coverage score is Minimal resulting in an overall Minimal score.
References
|
defender_for_resource_manager | Microsoft Defender for Resource Manager | detect | minimal | T1555 | Credentials from Password Stores |
Comments
This control may alert on credential dumping from Azure Key Vaults, App Services Configurations, and Automation accounts by specific exploitation toolkits. Consequently, its Coverage score is Minimal resulting in an overall Minimal score. The following alerts may be generated: "MicroBurst exploitation toolkit used to extract secrets from your Azure key vaults", "MicroBurst exploitation toolkit used to extract keys to your storage accounts".
References
|
defender_for_resource_manager | Microsoft Defender for Resource Manager | detect | minimal | T1562 | Impair Defenses |
Comments
This control may alert on Windows Defender security features being disabled but does not alert on other security tools or logging being disabled or tampered with. Consequently, its Coverage score is Minimal resulting in an overall Minimal score.
References
|
defender_for_resource_manager | Microsoft Defender for Resource Manager | detect | partial | T1069.003 | Cloud Groups |
Comments
This control may alert on Permission Groups Discovery of Cloud Groups activity generated by specific toolkits, such as MicroBurst, PowerZure, etc. It may not generate alerts on undocumented discovery techniques or exploitation toolkits. The following alerts may be generated: "MicroBurst exploitation toolkit used to enumerate resources in your subscriptions", "Azurite toolkit run detected".
References
|
defender_for_resource_manager | Microsoft Defender for Resource Manager | detect | partial | T1087.004 | Cloud Account |
Comments
This control may alert on Account Discovery of Cloud Accounts activity generated by specific toolkits, such as MicroBurst, PowerZure, etc. It may not generate alerts on undocumented discovery techniques or exploitation toolkits. The following alerts may be generated: "PowerZure exploitation toolkit used to enumerate storage containers, shares, and tables", "PowerZure exploitation toolkit used to enumerate resources", "MicroBurst exploitation toolkit used to enumerate resources in your subscriptions", "Azurite toolkit run detected".
References
|
defender_for_resource_manager | Microsoft Defender for Resource Manager | detect | partial | T1526 | Cloud Service Discovery |
Comments
This control may alert on Cloud Service Discovery activity generated by specific toolkits, such as MicroBurst, PowerZure, etc. It may not generate alerts on undocumented discovery techniques or exploitation toolkits. The following alerts may be generated: "PowerZure exploitation toolkit used to enumerate storage containers, shares, and tables", "PowerZure exploitation toolkit used to enumerate resources", "MicroBurst exploitation toolkit used to enumerate resources in your subscriptions".
References
|
defender_for_resource_manager | Microsoft Defender for Resource Manager | detect | partial | T1538 | Cloud Service Dashboard |
Comments
This control may alert on suspicious management activity based on IP, time, anomalous behaviour, or PowerShell usage. Machine learning algorithms are used to reduce false positives. The following alerts may be generated: "Activity from a risky IP address", "Activity from infrequent country", "Impossible travel activity", "Suspicious management session using PowerShell detected", "Suspicious management session using an inactive account detected", "Suspicious management session using Azure portal detected".
References
|
defender_for_resource_manager | Microsoft Defender for Resource Manager | detect | partial | T1562.001 | Disable or Modify Tools |
Comments
The following alerts are available for Windows Defender security features being disabled but none for third party security tools: "Antimalware broad files exclusion in your virtual machine", "Antimalware disabled and code execution in your virtual machine", "Antimalware disabled in your virtual machine", "Antimalware file exclusion and code execution in your virtual machine", "Antimalware file exclusion in your virtual machine", "Antimalware real-time protection was disabled in your virtual machine", "Antimalware real-time protection was disabled temporarily in your virtual machine", "Antimalware real-time protection was disabled temporarily while code was executed in your virtual machine", "Antimalware temporarily disabled in your virtual machine", "Antimalware unusual file exclusion in your virtual machine".
References
|
defender_for_resource_manager | Microsoft Defender for Resource Manager | detect | partial | T1580 | Cloud Infrastructure Discovery |
Comments
This control may alert on Cloud Infrastructure Discovery activity generated by specific toolkits, such as MicroBurst, PowerZure, etc. It may not generate alerts on undocumented discovery techniques or exploitation toolkits. The following alerts may be generated: "PowerZure exploitation toolkit used to enumerate storage containers, shares, and tables", "PowerZure exploitation toolkit used to enumerate resources", "MicroBurst exploitation toolkit used to enumerate resources in your subscriptions", "Azurite toolkit run detected".
References
|
just-in-time_vm_access | Microsoft Defender for Cloud: Just-in-Time VM Access | protect | minimal | T1190 | Exploit Public-Facing Application |
Comments
This control can be configured to completely block inbound access to selected ports until access is requested. This prevents any attempt at exploitation of a public-facing application unless the attacker has the credentials and permissions to request such access. Even if permission has been granted to an authorized user to access the virtual machine, a list of authorized IP addresses for that access can be configured. The score is Minimal, since this control only applies to specific applications requiring credentialed access, as opposed to a public web server.
References
|
just-in-time_vm_access | Microsoft Defender for Cloud: Just-in-Time VM Access | protect | significant | T1110 | Brute Force |
Comments
This control can be configured to completely block inbound access to selected ports until access is requested. This prevents any attempt at brute forcing a protocol, such as RDP or SSH, unless the attacker has the credentials and permissions to request such access. Even if permission has been granted to an authorized user to access the virtual machine, a list of authorized IP addresses for that access can be configured.
References
|
just-in-time_vm_access | Microsoft Defender for Cloud: Just-in-Time VM Access | protect | significant | T1110.001 | Password Guessing |
Comments
This control can be configured to completely block inbound access to selected ports until access is requested. This prevents any attempt at brute forcing a protocol, such as RDP or SSH, unless the attacker has the credentials and permissions to request such access. Even if permission has been granted to an authorized user to access the virtual machine, a list of authorized IP addresses for that access can be configured.
References
|
just-in-time_vm_access | Microsoft Defender for Cloud: Just-in-Time VM Access | protect | significant | T1110.003 | Password Spraying |
Comments
This control can be configured to completely block inbound access to selected ports until access is requested. This prevents any attempt at brute forcing a protocol, such as RDP or SSH, unless the attacker has the credentials and permissions to request such access. Even if permission has been granted to an authorized user to access the virtual machine, a list of authorized IP addresses for that access can be configured.
References
|
just-in-time_vm_access | Microsoft Defender for Cloud: Just-in-Time VM Access | protect | significant | T1110.004 | Credential Stuffing |
Comments
This control can be configured to completely block inbound access to selected ports until access is requested. This prevents any attempt at brute forcing a protocol, such as RDP or SSH, unless the attacker has the credentials and permissions to request such access. Even if permission has been granted to an authorized user to access the virtual machine, a list of authorized IP addresses for that access can be configured.
References
|
just-in-time_vm_access | Microsoft Defender for Cloud: Just-in-Time VM Access | protect | significant | T1133 | External Remote Services |
Comments
This control can be configured to completely block inbound access to selected ports until access is requested. This prevents any attempt at utilizing external remote services, such as RDP or a VPN, unless the attacker has the credentials and permissions to request such access. Even if permission has been granted to an authorized user to access the virtual machine, a list of authorized IP addresses for that access can be configured.
References
|
just-in-time_vm_access | Microsoft Defender for Cloud: Just-in-Time VM Access | protect | significant | T1548.005 | Temporary Elevated Cloud Access |
Comments
This control may mitigate unauthorized elevated cloud access.
References
|
just-in-time_vm_access | Microsoft Defender for Cloud: Just-in-Time VM Access | protect | significant | T1651 | Cloud Administration Command |
Comments
This capability can protect against unauthorized cloud administration.
References
|
microsoft_antimalware_for_azure | Microsoft Antimalware for Azure | detect | minimal | T1027 | Obfuscated Files or Information |
Comments
This control can detect file obfuscation.
References
|
microsoft_antimalware_for_azure | Microsoft Antimalware for Azure | detect | minimal | T1027.002 | Software Packing |
Comments
This control may detect malware that has been packed by well-known software packing utilities. These utilities can provide signatures that apply to a variety of malware.
References
|
microsoft_antimalware_for_azure | Microsoft Antimalware for Azure | detect | minimal | T1105 | Ingress Tool Transfer |
Comments
This control may scan created files for malware. This control is dependent on a signature being available.
References
|
microsoft_antimalware_for_azure | Microsoft Antimalware for Azure | detect | minimal | T1204.002 | Malicious File |
Comments
This control monitors activity in cloud services and on virtual machines to detect malware execution. This is dependent on a signature being available.
References
|
microsoft_antimalware_for_azure | Microsoft Antimalware for Azure | detect | minimal | T1566 | Phishing |
Comments
This control can detect malware delivered through phishing, such as a downloaded attachment, when the file matches a malware signature. It does not inspect or filter the phishing message itself.
References
|
microsoft_antimalware_for_azure | Microsoft Antimalware for Azure | protect | minimal | T1027 | Obfuscated Files or Information |
Comments
This control does not stop an adversary from obfuscating files; it may quarantine and/or delete an obfuscated file once it is written to the virtual machine, provided the file matches a malware signature.
References
|
microsoft_antimalware_for_azure | Microsoft Antimalware for Azure | protect | minimal | T1027.002 | Software Packing |
Comments
This control may quarantine and/or delete malware that has been packed by well known software packing utilities. These utilities can provide signatures that apply to a variety of malware.
References
|
microsoft_antimalware_for_azure | Microsoft Antimalware for Azure | protect | minimal | T1105 | Ingress Tool Transfer |
Comments
This control may scan created files for malware and proceed to quarantine and/or delete the file. This control is dependent on a signature being available.
References
|
microsoft_antimalware_for_azure | Microsoft Antimalware for Azure | protect | minimal | T1204 | User Execution |
Comments
This control may quarantine and/or delete a malicious file that a user has downloaded or opened when it matches a malware signature. It does not prevent the user action itself, and customized malware without a matching signature may not be blocked.
References
|
microsoft_antimalware_for_azure | Microsoft Antimalware for Azure | protect | minimal | T1204.002 | Malicious File |
Comments
This control monitors activity in cloud services and on virtual machines to block malware execution. This is dependent on a signature being available.
References
|
microsoft_antimalware_for_azure | Microsoft Antimalware for Azure | protect | minimal | T1566 | Phishing |
Comments
This control may quarantine and/or delete malware delivered through phishing, such as a downloaded attachment, when the file matches a malware signature. It does not filter phishing messages or links.
References
|
microsoft_antimalware_for_azure | Microsoft Antimalware for Azure | protect | minimal | T1566.001 | Spearphishing Attachment |
Comments
This control may quarantine and/or delete any spearphishing attachment that has been downloaded and matches a malware signature. Customized malware without a matching signature may not generate an alert.
References
|
microsoft_antimalware_for_azure | Microsoft Antimalware for Azure | detect | partial | T1566.001 | Spearphishing Attachment |
Comments
This control may detect any spearphishing attachment that has been downloaded and matches a malware signature. Customized malware without a matching signature may not generate an alert.
References
|
microsoft_antimalware_for_azure | Microsoft Antimalware for Azure | protect | partial | T1027.006 | HTML Smuggling |
Comments
This control may quarantine and/or delete the payload that an HTML smuggling page decodes and writes to disk, when that file matches a malware signature. It acts on the decoded file, not on the HTML page that carried it.
References
|
microsoft_antimalware_for_azure | Microsoft Antimalware for Azure | protect | partial | T1027.009 | Embedded Payloads |
Comments
This control may quarantine and/or delete an embedded payload once it is extracted to disk as a file that matches a malware signature. A payload that remains embedded in an otherwise benign carrier file may not match.
References
|
microsoft_antimalware_for_azure | Microsoft Antimalware for Azure | protect | partial | T1027.010 | Command Obfuscation |
Comments
This control may quarantine and/or delete script files containing obfuscated commands when they match a malware signature. Novel obfuscation, or commands executed without being written to disk, are unlikely to match.
References
|
microsoft_antimalware_for_azure | Microsoft Antimalware for Azure | protect | partial | T1027.011 | Fileless Storage |
Comments
This control may quarantine and/or delete the loader or script that retrieves a payload from fileless storage (for example the registry) when that loader matches a malware signature. The stored payload itself is not a file on disk and may not be caught by file scanning.
References
|
microsoft_antimalware_for_azure | Microsoft Antimalware for Azure | protect | partial | T1027.012 | LNK Icon Smuggling |
Comments
This control may quarantine and/or delete a malicious .lnk file, or the payload it launches, when either matches a malware signature.
References
|
microsoft_antimalware_for_azure | Microsoft Antimalware for Azure | protect | partial | T1027.013 | Encrypted/Encoded File |
Comments
This control can protect against obfuscation via encrypted or encoded files only where the encoded file, or its decoded content once written to disk, matches a malware signature.
References
|
microsoft_antimalware_for_azure | Microsoft Antimalware for Azure | protect | partial | T1027.014 | Polymorphic Code |
Comments
This control can protect against obfuscation via polymorphic code only to the extent that a signature covers the specific variant; code that changes with each build is designed to defeat static signatures, so coverage is partial.
References
|
microsoft_antimalware_for_azure | Microsoft Antimalware for Azure | protect | partial | T1036.008 | Masquerade File Type |
Comments
This control may quarantine and/or delete a file whose extension or header has been altered to masquerade as another file type, when the file's content matches a malware signature.
References
|
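Every Microsoft Antimalware for Azure row above depends on two things: the agent must actually be installed with real-time protection on, and a signature must exist for the file. The following PowerShell (Az.Compute module) is an added example, not code from this page or from Microsoft's mapping, showing how the extension is deployed with real-time protection and a scheduled scan, and how to confirm it provisioned. The resource group, VM name and exclusion paths are placeholders; the exclusions are there to show how such settings reduce what the scanner sees.

```powershell
# Added example: deploy Microsoft Antimalware for Azure (IaaSAntimalware extension) to a
# Windows VM with real-time protection, then confirm it provisioned. Placeholder identifiers.
$ResourceGroup = "rg-prod"
$VmName        = "vm-web01"
$Location      = "eastus"

# Settings are passed as JSON. RealtimeProtectionEnabled is what makes the
# "scan created files" behaviour in the rows above apply; without it only the
# scheduled scan runs. Every exclusion is a path the scanner will never look at,
# so keep the list to what the workload genuinely needs (example values below).
$Settings = @{
    AntimalwareEnabled        = $true
    RealtimeProtectionEnabled = $true
    ScheduledScanSettings     = @{
        isEnabled = "true"
        day       = "7"       # 0 = daily, 1..7 = Sunday..Saturday, 8 = disabled
        time      = "120"     # minutes after midnight, i.e. 02:00
        scanType  = "Quick"
    }
    Exclusions = @{
        Extensions = ".log;.ldf"                 # assumption: high-churn log and DB files
        Paths      = "D:\IISlogs;D:\DatabaseLogs" # assumption: paths used by this workload
        Processes  = "mssence.svc"               # assumption: a known-noisy service binary
    }
} | ConvertTo-Json -Depth 5

Set-AzVMExtension -ResourceGroupName $ResourceGroup -VMName $VmName -Location $Location `
    -Name "IaaSAntimalware" -Publisher "Microsoft.Azure.Security" -ExtensionType "IaaSAntimalware" `
    -TypeHandlerVersion "1.3" -SettingString $Settings

# Verify: anything other than "Succeeded" means the control is not running on this VM,
# and none of the detect/protect mappings above apply to it.
$Ext = Get-AzVMExtension -ResourceGroupName $ResourceGroup -VMName $VmName -Name "IaaSAntimalware"
$Ext.ProvisioningState
```

Because the mappings are capped at Minimal or Partial for signature dependence, a useful companion check is to confirm that the VM can reach the definition-update endpoints; an agent that provisions but cannot update signatures degrades to detecting only what it shipped with.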
defender_for_apis | Microsoft Defender for Cloud: Microsoft Defender for APIs | detect | partial | T1059.009 | Cloud API |
Comments
This control can detect when anomalous parameters are passed to a cloud API that could indicate abuse of a command and scripting interpreter.
References
|
defender_for_apis | Microsoft Defender for Cloud: Microsoft Defender for APIs | detect | significant | T1552.007 | Container API |
Comments
This capability can detect anomalous API usage, such as unusual request patterns or parameters, that could indicate an attempt to retrieve credentials through an exposed container API.
References
|
defender_for_apis | Microsoft Defender for Cloud: Microsoft Defender for APIs | protect | significant | T1552.007 | Container API |
Comments
This capability surfaces security recommendations for API configuration, such as APIs that accept unauthenticated requests or return sensitive data, which can be used to harden APIs against access to unsecured credentials.
References
|
defender_for_apis | Microsoft Defender for Cloud: Microsoft Defender for APIs | protect | partial | T1555 | Credentials from Password Stores |
Comments
This control can identify API configurations that expose sensitive data and flag anomalous requests, helping protect APIs from adversaries attempting to retrieve stored credentials through them.
References
|
vulnerability_management | Microsoft Defender for Cloud: Vulnerability Management | protect | partial | T1068 | Exploitation for Privilege Escalation |
Comments
Once this control is deployed, it can detect known vulnerabilities in Windows and various Linux endpoints. This information can be used to patch, isolate, or remove vulnerable software and machines. This control does not directly protect against exploitation and it is not effective against zero day attacks, vulnerabilities with no available patch, and software that may not be analyzed by the scanner. As a result, the score is capped at Partial.
References
|
vulnerability_management | Microsoft Defender for Cloud: Vulnerability Management | protect | partial | T1189 | Drive-by Compromise |
Comments
Once this control is deployed, it can detect known vulnerabilities in Windows and various Linux endpoints. This information can be used to patch, isolate, or remove vulnerable software and machines. This control does not directly protect against exploitation and it is not effective against zero day attacks, vulnerabilities with no available patch, and software that may not be analyzed by the scanner. As a result, the score is capped at Partial.
References
|
vulnerability_management | Microsoft Defender for Cloud: Vulnerability Management | protect | partial | T1190 | Exploit Public-Facing Application |
Comments
Once this control is deployed, it can detect known vulnerabilities in Windows and various Linux endpoints. This information can be used to patch, isolate, or remove vulnerable software and machines. This control does not directly protect against exploitation and it is not effective against zero day attacks, vulnerabilities with no available patch, and software that may not be analyzed by the scanner. As a result, the score is capped at Partial.
References
|
vulnerability_management | Microsoft Defender for Cloud: Vulnerability Management | protect | partial | T1203 | Exploitation for Client Execution |
Comments
Once this control is deployed, it can detect known vulnerabilities in Windows and various Linux endpoints. This information can be used to patch, isolate, or remove vulnerable software and machines. This control does not directly protect against exploitation and it is not effective against zero day attacks, vulnerabilities with no available patch, and software that may not be analyzed by the scanner. As a result, the score is capped at Partial.
References
|
vulnerability_management | Microsoft Defender for Cloud: Vulnerability Management | protect | partial | T1210 | Exploitation of Remote Services |
Comments
Once this control is deployed, it can detect known vulnerabilities in Windows and various Linux endpoints. This information can be used to patch, isolate, or remove vulnerable software and machines. This control does not directly protect against exploitation and it is not effective against zero day attacks, vulnerabilities with no available patch, and software that may not be analyzed by the scanner. As a result, the score is capped at Partial.
References
|
vulnerability_management | Microsoft Defender for Cloud: Vulnerability Management | protect | partial | T1211 | Exploitation for Defense Evasion |
Comments
Once this control is deployed, it can detect known vulnerabilities in Windows and various Linux endpoints. This information can be used to patch, isolate, or remove vulnerable software and machines. This control does not directly protect against exploitation and it is not effective against zero day attacks, vulnerabilities with no available patch, and software that may not be analyzed by the scanner. As a result, the score is capped at Partial.
References
|
vulnerability_management | Microsoft Defender for Cloud: Vulnerability Management | protect | partial | T1212 | Exploitation for Credential Access |
Comments
Once this control is deployed, it can detect known vulnerabilities in Windows and various Linux endpoints. This information can be used to patch, isolate, or remove vulnerable software and machines. This control does not directly protect against exploitation and it is not effective against zero day attacks, vulnerabilities with no available patch, and software that may not be analyzed by the scanner. As a result, the score is capped at Partial.
References
|