Capability ID | Capability Description | Category | Value | ATT&CK ID | ATT&CK Name | Notes |
---|---|---|---|---|---|---|
azure_network_watcher_traffic_analytics | Azure Network Watcher: Traffic Analytics | detect | minimal | T1542 | Pre-OS Boot | This control can identify anomalous traffic related to one of its sub-techniques (TFTP boot). |
azure_network_watcher_traffic_analytics | Azure Network Watcher: Traffic Analytics | detect | partial | T1021 | Remote Services | This control can detect anomalous traffic or attempts related to network security group (NSG) rules for remote services. |
azure_network_watcher_traffic_analytics | Azure Network Watcher: Traffic Analytics | detect | partial | T1021.001 | Remote Desktop Protocol | This control can detect anomalous traffic with respect to remote access protocols and groups. |
azure_network_watcher_traffic_analytics | Azure Network Watcher: Traffic Analytics | detect | partial | T1021.002 | SMB/Windows Admin Shares | This control can detect anomalous traffic with respect to remote access protocols and groups. |
azure_network_watcher_traffic_analytics | Azure Network Watcher: Traffic Analytics | detect | partial | T1021.003 | Distributed Component Object Model | This control can detect anomalous traffic with respect to remote access protocols and groups. |
azure_network_watcher_traffic_analytics | Azure Network Watcher: Traffic Analytics | detect | partial | T1021.004 | SSH | This control can detect anomalous traffic with respect to remote access protocols and groups. |
azure_network_watcher_traffic_analytics | Azure Network Watcher: Traffic Analytics | detect | partial | T1021.005 | VNC | This control can detect anomalous traffic with respect to remote access protocols and groups. |
azure_network_watcher_traffic_analytics | Azure Network Watcher: Traffic Analytics | detect | partial | T1021.006 | Windows Remote Management | This control can detect anomalous traffic with respect to remote access protocols and groups. |
azure_network_watcher_traffic_analytics | Azure Network Watcher: Traffic Analytics | detect | partial | T1021.007 | Cloud Services | This control can detect anomalous network traffic associated with abuse of remote cloud services. |
azure_network_watcher_traffic_analytics | Azure Network Watcher: Traffic Analytics | detect | partial | T1021.008 | Direct Cloud VM Connections | This control can detect direct cloud VM connections. |
azure_network_watcher_traffic_analytics | Azure Network Watcher: Traffic Analytics | detect | partial | T1048 | Exfiltration Over Alternative Protocol | This control can detect anomalous traffic with respect to specific protocols/ports. |
azure_network_watcher_traffic_analytics | Azure Network Watcher: Traffic Analytics | detect | partial | T1048.001 | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | This control can identify anomalous traffic with respect to specific ports (though it can't identify the presence or lack of encryption). |
azure_network_watcher_traffic_analytics | Azure Network Watcher: Traffic Analytics | detect | partial | T1048.002 | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | This control can identify anomalous traffic with respect to specific ports (though it can't identify the presence or lack of encryption). |
azure_network_watcher_traffic_analytics | Azure Network Watcher: Traffic Analytics | detect | partial | T1048.003 | Exfiltration Over Unencrypted Non-C2 Protocol | This control can identify anomalous traffic with respect to specific ports (though it can't identify the presence or lack of encryption). |
azure_network_watcher_traffic_analytics | Azure Network Watcher: Traffic Analytics | detect | partial | T1071 | Application Layer Protocol | This control can identify anomalous traffic with respect to NSG rules and application layer protocols. |
azure_network_watcher_traffic_analytics | Azure Network Watcher: Traffic Analytics | detect | partial | T1071.002 | File Transfer Protocols | This control can detect anomalous application protocol traffic with respect to network security group (NSG) rules (though web traffic would typically be too commonplace for this control to be useful). |
azure_network_watcher_traffic_analytics | Azure Network Watcher: Traffic Analytics | detect | partial | T1071.003 | Mail Protocols | This control can detect anomalous application protocol traffic with respect to network security group (NSG) rules (though web traffic would typically be too commonplace for this control to be useful). |
azure_network_watcher_traffic_analytics | Azure Network Watcher: Traffic Analytics | detect | partial | T1071.004 | DNS | This control can detect anomalous application protocol traffic with respect to network security group (NSG) rules (though web traffic would typically be too commonplace for this control to be useful). |
azure_network_watcher_traffic_analytics | Azure Network Watcher: Traffic Analytics | detect | partial | T1071.005 | Publish/Subscribe Protocols | This control can detect anomalous application protocol traffic related to this technique. |
azure_network_watcher_traffic_analytics | Azure Network Watcher: Traffic Analytics | detect | partial | T1072 | Software Deployment Tools | This control can detect anomalous traffic with respect to critical systems and software deployment ports. |
azure_network_watcher_traffic_analytics | Azure Network Watcher: Traffic Analytics | detect | partial | T1090 | Proxy | This control can detect anomalous traffic between systems and external networks. |
azure_network_watcher_traffic_analytics | Azure Network Watcher: Traffic Analytics | detect | partial | T1090.001 | Internal Proxy | This control can detect abuse of internal proxies. |
azure_network_watcher_traffic_analytics | Azure Network Watcher: Traffic Analytics | detect | partial | T1090.002 | External Proxy | This control can detect abuse of external proxies. |
azure_network_watcher_traffic_analytics | Azure Network Watcher: Traffic Analytics | detect | partial | T1090.003 | Multi-hop Proxy | This control can detect abuse of multi-hop proxies. |
azure_network_watcher_traffic_analytics | Azure Network Watcher: Traffic Analytics | detect | partial | T1133 | External Remote Services | This control can identify anomalous access to external remote services. |
azure_network_watcher_traffic_analytics | Azure Network Watcher: Traffic Analytics | detect | partial | T1189 | Drive-by Compromise | This capability can detect suspicious script execution over a network. |
azure_network_watcher_traffic_analytics | Azure Network Watcher: Traffic Analytics | detect | partial | T1190 | Exploit Public-Facing Application | This control can detect anomalous traffic to and from externally facing systems with respect to network security group (NSG) policy. |
azure_network_watcher_traffic_analytics | Azure Network Watcher: Traffic Analytics | detect | partial | T1199 | Trusted Relationship | This control can be used to gain insight into normal traffic from trusted third parties, which can then be used to detect anomalous traffic that may be indicative of a threat. |
azure_network_watcher_traffic_analytics | Azure Network Watcher: Traffic Analytics | detect | partial | T1204 | User Execution | This control can detect network traffic associated with this technique. |
azure_network_watcher_traffic_analytics | Azure Network Watcher: Traffic Analytics | detect | partial | T1219 | Remote Access Software | This control can detect network traffic associated with this technique. |
azure_network_watcher_traffic_analytics | Azure Network Watcher: Traffic Analytics | detect | partial | T1496.002 | Bandwidth Hijacking | This capability can detect anomalous network traffic indicative of bandwidth hijacking. |
azure_network_watcher_traffic_analytics | Azure Network Watcher: Traffic Analytics | detect | partial | T1499 | Endpoint Denial of Service | This control can identify volumetric and multi-sourced denial-of-service attacks. |
azure_network_watcher_traffic_analytics | Azure Network Watcher: Traffic Analytics | detect | partial | T1499.001 | OS Exhaustion Flood | This control can detect endpoint denial-of-service attacks. |
azure_network_watcher_traffic_analytics | Azure Network Watcher: Traffic Analytics | detect | partial | T1499.002 | Service Exhaustion Flood | This control can detect endpoint denial-of-service attacks. |
azure_network_watcher_traffic_analytics | Azure Network Watcher: Traffic Analytics | detect | partial | T1499.003 | Application Exhaustion Flood | This control can detect endpoint denial-of-service attacks. |
azure_network_watcher_traffic_analytics | Azure Network Watcher: Traffic Analytics | detect | partial | T1542.005 | TFTP Boot | This control can be used to identify anomalous TFTP boot traffic. |
azure_network_watcher_traffic_analytics | Azure Network Watcher: Traffic Analytics | detect | partial | T1563 | Remote Service Session Hijacking | This control can be used to identify anomalous traffic related to RDP and SSH sessions, or blocked attempts to access these management ports. |
azure_network_watcher_traffic_analytics | Azure Network Watcher: Traffic Analytics | detect | partial | T1563.001 | SSH Hijacking | This control can detect SSH hijacking. |
azure_network_watcher_traffic_analytics | Azure Network Watcher: Traffic Analytics | detect | partial | T1563.002 | RDP Hijacking | This control can detect RDP hijacking. |
azure_network_watcher_traffic_analytics | Azure Network Watcher: Traffic Analytics | detect | partial | T1602 | Data from Configuration Repository | This control can identify anomalous traffic with respect to configuration repositories or identified configuration management ports. |
azure_network_watcher_traffic_analytics | Azure Network Watcher: Traffic Analytics | detect | partial | T1602.001 | SNMP (MIB Dump) | This control can detect collection from configuration repositories. |
azure_network_watcher_traffic_analytics | Azure Network Watcher: Traffic Analytics | detect | partial | T1602.002 | Network Device Configuration Dump | This control can detect collection from configuration repositories. |
azure_network_watcher_traffic_analytics | Azure Network Watcher: Traffic Analytics | detect | significant | T1046 | Network Service Discovery | This control can detect network service scanning/discovery activity. |
azure_network_watcher_traffic_analytics | Azure Network Watcher: Traffic Analytics | detect | significant | T1571 | Non-Standard Port | This control can identify anomalous traffic that utilizes non-standard application ports. |