1. Home
  2. Mapping Frameworks
  3. Azure Home
  4. Azure Network Security Groups

Azure azure_network_security_groups

Azure Network Security Groups can be used to filter network traffic to and from Azure resources in an Azure virtual network. A network security group contains security rules that allow or deny inbound network traffic to, or outbound network traffic from, several types of Azure resources. For each rule, source and destination, port, and protocol can be specified.

Mappings

Capability ID Capability Description Category Value ATT&CK ID ATT&CK Name Notes
azure_network_security_groups Azure Network Security Groups protect minimal T1542 Pre-OS Boot
Comments
Provides protection coverage for only one sub-technique partially (booting from remote devies ala TFTP boot) resulting in an overall score of Minimal.
References
  1. https://learn.microsoft.com/en-us/azure/virtual-network/network-security-groups-overview
  2. https://learn.microsoft.com/en-us/azure/virtual-network/network-security-group-how-it-works
  3. https://learn.microsoft.com/en-us/azure/defender-for-cloud/prepare-deprecation-log-analytics-mma-agent#feature-functionality
azure_network_security_groups Azure Network Security Groups protect partial T1021 Remote Services
Comments
This control provides partial protection for all of its sub-techniques and procedure examples resulting in an overall score of Partial.
References
  1. https://learn.microsoft.com/en-us/azure/virtual-network/network-security-groups-overview
  2. https://learn.microsoft.com/en-us/azure/virtual-network/network-security-group-how-it-works
  3. https://learn.microsoft.com/en-us/azure/defender-for-cloud/prepare-deprecation-log-analytics-mma-agent#feature-functionality
azure_network_security_groups Azure Network Security Groups protect partial T1021.001 Remote Desktop Protocol
Comments
This control can be used to restrict direct access to remote services to trusted networks. This mitigates even an adversary with a valid account from accessing resources. This can be circumvented though if an adversary is able to compromise a trusted host and move laterally to a protected network. This results in an overall partial (coverage) score.
References
  1. https://learn.microsoft.com/en-us/azure/virtual-network/network-security-groups-overview
azure_network_security_groups Azure Network Security Groups protect partial T1021.002 SMB/Windows Admin Shares
Comments
This control can be used to restrict direct access to remote services to trusted networks. This mitigates even an adversary with a valid account from accessing resources. This can be circumvented though if an adversary is able to compromise a trusted host and move laterally to a protected network. This results in an overall partial (coverage) score.
References
  1. https://learn.microsoft.com/en-us/azure/virtual-network/network-security-groups-overview
azure_network_security_groups Azure Network Security Groups protect partial T1021.003 Distributed Component Object Model
Comments
This control can be used to restrict direct access to remote services to trusted networks. This mitigates even an adversary with a valid account from accessing resources. This can be circumvented though if an adversary is able to compromise a trusted host and move laterally to a protected network. This results in an overall partial (coverage) score.
References
  1. https://learn.microsoft.com/en-us/azure/virtual-network/network-security-groups-overview
azure_network_security_groups Azure Network Security Groups protect partial T1021.004 SSH
Comments
This control can be used to restrict direct access to remote services to trusted networks. This mitigates even an adversary with a valid account from accessing resources. This can be circumvented though if an adversary is able to compromise a trusted host and move laterally to a protected network. This results in an overall partial (coverage) score.
References
  1. https://learn.microsoft.com/en-us/azure/virtual-network/network-security-groups-overview
azure_network_security_groups Azure Network Security Groups protect partial T1021.005 VNC
Comments
This control can be used to restrict direct access to remote services to trusted networks. This mitigates even an adversary with a valid account from accessing resources. This can be circumvented though if an adversary is able to compromise a trusted host and move laterally to a protected network. This results in an overall partial (coverage) score.
References
  1. https://learn.microsoft.com/en-us/azure/virtual-network/network-security-groups-overview
azure_network_security_groups Azure Network Security Groups protect partial T1021.006 Windows Remote Management
Comments
This control can be used to restrict direct access to remote services to trusted networks. This mitigates even an adversary with a valid account from accessing resources. This can be circumvented though if an adversary is able to compromise a trusted host and move laterally to a protected network. This results in an overall partial (coverage) score.
References
  1. https://learn.microsoft.com/en-us/azure/virtual-network/network-security-groups-overview
azure_network_security_groups Azure Network Security Groups protect partial T1021.007 Cloud Services
Comments
This control can protect against abuse of remote cloud services.
References
  1. https://learn.microsoft.com/en-us/azure/virtual-network/network-security-groups-overview
azure_network_security_groups Azure Network Security Groups protect partial T1021.008 Direct Cloud VM Connections
Comments
This control can protect against abuse of direct cloud VM connections.
References
  1. https://learn.microsoft.com/en-us/azure/virtual-network/network-security-groups-overview
azure_network_security_groups Azure Network Security Groups protect partial T1046 Network Service Discovery
Comments
This control can be used to restrict access to trusted networks.
References
  1. https://learn.microsoft.com/en-us/azure/virtual-network/network-security-groups-overview
  2. https://learn.microsoft.com/en-us/azure/virtual-network/network-security-group-how-it-works
  3. https://learn.microsoft.com/en-us/azure/defender-for-cloud/prepare-deprecation-log-analytics-mma-agent#feature-functionality
azure_network_security_groups Azure Network Security Groups protect partial T1072 Software Deployment Tools
Comments
This control can be used to limit access to critical network systems such as software deployment tools.
References
  1. https://learn.microsoft.com/en-us/azure/virtual-network/network-security-groups-overview
  2. https://learn.microsoft.com/en-us/azure/virtual-network/network-security-group-how-it-works
  3. https://learn.microsoft.com/en-us/azure/defender-for-cloud/prepare-deprecation-log-analytics-mma-agent#feature-functionality
azure_network_security_groups Azure Network Security Groups protect partial T1090 Proxy
Comments
This control can restrict ports and inter-system / inter-enclave connections as described by the Proxy related sub-techniques although it doesn't provide protection for domain-fronting. It furthermore provides partial protection of this technique's procedure examples resulting in an overall Partial score.
References
  1. https://learn.microsoft.com/en-us/azure/virtual-network/network-security-groups-overview
  2. https://learn.microsoft.com/en-us/azure/virtual-network/network-security-group-how-it-works
  3. https://learn.microsoft.com/en-us/azure/defender-for-cloud/prepare-deprecation-log-analytics-mma-agent#feature-functionality
azure_network_security_groups Azure Network Security Groups protect partial T1090.001 Internal Proxy
Comments
This control can restrict access between systems, enclaves, and workloads thereby mitigating these proxy related sub-techniques.
References
  1. https://learn.microsoft.com/en-us/azure/virtual-network/network-security-groups-overview
azure_network_security_groups Azure Network Security Groups protect partial T1090.002 External Proxy
Comments
This control can restrict access between systems, enclaves, and workloads thereby mitigating these proxy related sub-techniques.
References
  1. https://learn.microsoft.com/en-us/azure/virtual-network/network-security-groups-overview
azure_network_security_groups Azure Network Security Groups protect partial T1090.003 Multi-hop Proxy
Comments
This control can restrict access between systems, enclaves, and workloads thereby mitigating these proxy related sub-techniques.
References
  1. https://learn.microsoft.com/en-us/azure/virtual-network/network-security-groups-overview
azure_network_security_groups Azure Network Security Groups protect partial T1095 Non-Application Layer Protocol
Comments
This control can be used to restrict access to trusted networks and protocols.
References
  1. https://learn.microsoft.com/en-us/azure/virtual-network/network-security-groups-overview
  2. https://learn.microsoft.com/en-us/azure/virtual-network/network-security-group-how-it-works
  3. https://learn.microsoft.com/en-us/azure/defender-for-cloud/prepare-deprecation-log-analytics-mma-agent#feature-functionality
azure_network_security_groups Azure Network Security Groups protect partial T1133 External Remote Services
Comments
This control can be used to restrict direct access to remote service gateways and concentrators that typically accompany external remote services. This can be circumvented though if an adversary is able to compromise a trusted host and use it to access the external remote service. This results in an overall partial (coverage) score.
References
  1. https://learn.microsoft.com/en-us/azure/virtual-network/network-security-groups-overview
  2. https://learn.microsoft.com/en-us/azure/virtual-network/network-security-group-how-it-works
  3. https://learn.microsoft.com/en-us/azure/defender-for-cloud/prepare-deprecation-log-analytics-mma-agent#feature-functionality
azure_network_security_groups Azure Network Security Groups protect partial T1199 Trusted Relationship
Comments
This control can isolate portions of network that do not require network-wide access, limiting some attackers that leverage trusted relationships such as remote access for vendor maintenance. Coverage partial, Temporal Immediate.
References
  1. https://learn.microsoft.com/en-us/azure/virtual-network/network-security-groups-overview
  2. https://learn.microsoft.com/en-us/azure/virtual-network/network-security-group-how-it-works
  3. https://learn.microsoft.com/en-us/azure/defender-for-cloud/prepare-deprecation-log-analytics-mma-agent#feature-functionality
azure_network_security_groups Azure Network Security Groups protect partial T1205 Traffic Signaling
Comments
This control provides partial protection for this technique's sub-techniques and procedure examples resulting in an overall Partial score. Other variations that trigger a special response, such as executing a malicous task are not mitigated by this control.
References
  1. https://learn.microsoft.com/en-us/azure/virtual-network/network-security-groups-overview
  2. https://learn.microsoft.com/en-us/azure/virtual-network/network-security-group-how-it-works
  3. https://learn.microsoft.com/en-us/azure/defender-for-cloud/prepare-deprecation-log-analytics-mma-agent#feature-functionality
azure_network_security_groups Azure Network Security Groups protect partial T1210 Exploitation of Remote Services
Comments
This control can be used to restrict access to remote services to minimum necessary.
References
  1. https://learn.microsoft.com/en-us/azure/virtual-network/network-security-groups-overview
  2. https://learn.microsoft.com/en-us/azure/virtual-network/network-security-group-how-it-works
  3. https://learn.microsoft.com/en-us/azure/defender-for-cloud/prepare-deprecation-log-analytics-mma-agent#feature-functionality
azure_network_security_groups Azure Network Security Groups protect partial T1219 Remote Access Software
Comments
This control can be used to restrict network communications to protect sensitive enclaves that may mitigate some of the procedure examples of this technique.
References
  1. https://learn.microsoft.com/en-us/azure/virtual-network/network-security-groups-overview
  2. https://learn.microsoft.com/en-us/azure/virtual-network/network-security-group-how-it-works
  3. https://learn.microsoft.com/en-us/azure/defender-for-cloud/prepare-deprecation-log-analytics-mma-agent#feature-functionality
azure_network_security_groups Azure Network Security Groups protect partial T1482 Domain Trust Discovery
Comments
This control can be used to isolate sensitive domains to limit discovery.
References
  1. https://learn.microsoft.com/en-us/azure/virtual-network/network-security-groups-overview
  2. https://learn.microsoft.com/en-us/azure/virtual-network/network-security-group-how-it-works
  3. https://learn.microsoft.com/en-us/azure/defender-for-cloud/prepare-deprecation-log-analytics-mma-agent#feature-functionality
azure_network_security_groups Azure Network Security Groups protect partial T1498 Network Denial of Service
Comments
This control can be used to restrict access to endpoints and thereby mitigate low-end network DOS attacks.
References
  1. https://learn.microsoft.com/en-us/azure/virtual-network/network-security-groups-overview
  2. https://learn.microsoft.com/en-us/azure/virtual-network/network-security-group-how-it-works
  3. https://learn.microsoft.com/en-us/azure/defender-for-cloud/prepare-deprecation-log-analytics-mma-agent#feature-functionality
azure_network_security_groups Azure Network Security Groups protect partial T1499 Endpoint Denial of Service
Comments
This control provides partial protection for a majority of this control's sub-techinques and procedure examples resulting in overall score of Partial.
References
  1. https://learn.microsoft.com/en-us/azure/virtual-network/network-security-groups-overview
  2. https://learn.microsoft.com/en-us/azure/virtual-network/network-security-group-how-it-works
  3. https://learn.microsoft.com/en-us/azure/defender-for-cloud/prepare-deprecation-log-analytics-mma-agent#feature-functionality
azure_network_security_groups Azure Network Security Groups protect partial T1499.001 OS Exhaustion Flood
Comments
This control can be used to restrict access to endpoints and thereby mitigate low-end DOS attacks.
References
  1. https://learn.microsoft.com/en-us/azure/virtual-network/network-security-groups-overview
azure_network_security_groups Azure Network Security Groups protect partial T1499.002 Service Exhaustion Flood
Comments
This control can be used to restrict access to endpoints and thereby mitigate low-end DOS attacks.
References
  1. https://learn.microsoft.com/en-us/azure/virtual-network/network-security-groups-overview
azure_network_security_groups Azure Network Security Groups protect partial T1499.003 Application Exhaustion Flood
Comments
This control can be used to restrict access to endpoints and thereby mitigate low-end DOS attacks.
References
  1. https://learn.microsoft.com/en-us/azure/virtual-network/network-security-groups-overview
azure_network_security_groups Azure Network Security Groups protect partial T1542.005 TFTP Boot
Comments
This control can be used to restrict clients to connecting (and therefore booting) from only trusted network resources.
References
  1. https://learn.microsoft.com/en-us/azure/virtual-network/network-security-groups-overview
azure_network_security_groups Azure Network Security Groups protect partial T1557 Adversary-in-the-Middle
Comments
This control can be used to limit access to network infrastructure and resources that can be used to reshape traffic or otherwise produce MiTM conditions.
References
  1. https://learn.microsoft.com/en-us/azure/virtual-network/network-security-groups-overview
  2. https://learn.microsoft.com/en-us/azure/virtual-network/network-security-group-how-it-works
  3. https://learn.microsoft.com/en-us/azure/defender-for-cloud/prepare-deprecation-log-analytics-mma-agent#feature-functionality
azure_network_security_groups Azure Network Security Groups protect partial T1570 Lateral Tool Transfer
Comments
This control can be used to limit traffic between systems and enclaves to minimum necessary for example via a zero-trust strategy.
References
  1. https://learn.microsoft.com/en-us/azure/virtual-network/network-security-groups-overview
  2. https://learn.microsoft.com/en-us/azure/virtual-network/network-security-group-how-it-works
  3. https://learn.microsoft.com/en-us/azure/defender-for-cloud/prepare-deprecation-log-analytics-mma-agent#feature-functionality
azure_network_security_groups Azure Network Security Groups protect partial T1602 Data from Configuration Repository
Comments
This control can limit attackers access to configuration repositories such as SNMP management stations, or to dumps of client configurations from common management ports.
References
  1. https://learn.microsoft.com/en-us/azure/virtual-network/network-security-groups-overview
  2. https://learn.microsoft.com/en-us/azure/virtual-network/network-security-group-how-it-works
  3. https://learn.microsoft.com/en-us/azure/defender-for-cloud/prepare-deprecation-log-analytics-mma-agent#feature-functionality
azure_network_security_groups Azure Network Security Groups protect partial T1602.001 SNMP (MIB Dump)
Comments
Can limit access to client management interfaces or configuration databases
References
  1. https://learn.microsoft.com/en-us/azure/virtual-network/network-security-groups-overview
azure_network_security_groups Azure Network Security Groups protect partial T1602.002 Network Device Configuration Dump
Comments
Can limit access to client management interfaces or configuration databases
References
  1. https://learn.microsoft.com/en-us/azure/virtual-network/network-security-groups-overview
azure_network_security_groups Azure Network Security Groups protect partial T1659 Content Injection
Comments
This control can be used to limit access to network infrastructure and resources that can be used to reshape traffic or otherwise produce content injection conditions.
References
  1. https://learn.microsoft.com/en-us/azure/virtual-network/network-security-groups-overview
  2. https://learn.microsoft.com/en-us/azure/virtual-network/network-security-group-how-it-works
  3. https://learn.microsoft.com/en-us/azure/defender-for-cloud/prepare-deprecation-log-analytics-mma-agent#feature-functionality
azure_network_security_groups Azure Network Security Groups protect significant T1048 Exfiltration Over Alternative Protocol
Comments
NSG can minimize alternative protocols allowed to communicate externally.
References
  1. https://learn.microsoft.com/en-us/azure/virtual-network/network-security-groups-overview
  2. https://learn.microsoft.com/en-us/azure/virtual-network/network-security-group-how-it-works
  3. https://learn.microsoft.com/en-us/azure/defender-for-cloud/prepare-deprecation-log-analytics-mma-agent#feature-functionality
azure_network_security_groups Azure Network Security Groups protect significant T1048.001 Exfiltration Over Symmetric Encrypted Non-C2 Protocol
Comments
This control can reduce the protocols available for data exfiltration. Temporal immediate, coverage substantial.
References
  1. https://learn.microsoft.com/en-us/azure/virtual-network/network-security-groups-overview
azure_network_security_groups Azure Network Security Groups protect significant T1048.002 Exfiltration Over Asymmetric Encrypted Non-C2 Protocol
Comments
This control can reduce the protocols available for data exfiltration. Temporal immediate, coverage substantial.
References
  1. https://learn.microsoft.com/en-us/azure/virtual-network/network-security-groups-overview
azure_network_security_groups Azure Network Security Groups protect significant T1048.003 Exfiltration Over Unencrypted Non-C2 Protocol
Comments
This control can reduce the protocols available for data exfiltration. Temporal immediate, coverage substantial.
References
  1. https://learn.microsoft.com/en-us/azure/virtual-network/network-security-groups-overview
azure_network_security_groups Azure Network Security Groups protect significant T1205.001 Port Knocking
Comments
This control can be used to implement whitelist based network rules that can mitigate variations of this sub-techniques that result in opening closed ports for communication. Because this control is able to drop traffic before reaching a compromised host, it can effectively mitigate this port knocking sub-technique.
References
  1. https://learn.microsoft.com/en-us/azure/virtual-network/network-security-groups-overview
azure_network_security_groups Azure Network Security Groups protect significant T1496.002 Bandwidth Hijacking
Comments
This capability can be configured to limit bandwidth available to connections.
References
  1. https://learn.microsoft.com/en-us/azure/security/fundamentals/network-best-practices
azure_network_security_groups Azure Network Security Groups protect significant T1571 Non-Standard Port
Comments
This control can restrict traffic to standard ports and protocols.
References
  1. https://learn.microsoft.com/en-us/azure/virtual-network/network-security-groups-overview
  2. https://learn.microsoft.com/en-us/azure/virtual-network/network-security-group-how-it-works
  3. https://learn.microsoft.com/en-us/azure/defender-for-cloud/prepare-deprecation-log-analytics-mma-agent#feature-functionality