| Capability ID | Capability Description | Category | Value | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|---|
| defender_for_app_service | Microsoft Defender for Cloud: Defender for App Service | detect | minimal | T1003 | OS Credential Dumping |
Comments
This control only addresses a minority of this technique's procedure examples and one of its sub-techniques resulting in an overall Minimal score.
References
|
| defender_for_app_service | Microsoft Defender for Cloud: Defender for App Service | detect | minimal | T1003.001 | LSASS Memory |
Comments
This control analyzes host data to detect execution of known malicious PowerShell PowerSploit cmdlets. This covers execution of this sub-technique via the Exfiltration modules, but does not address other procedures, and temporal factor is unknown, so score is Minimal.
References
|
| defender_for_app_service | Microsoft Defender for Cloud: Defender for App Service | detect | minimal | T1005 | Data from Local System |
Comments
This control analyzes host data to detect execution of known malicious PowerShell PowerSploit cmdlets. This covers execution of this technique via the Exfiltration modules on Windows, but does not address other procedures or platforms, and temporal factor is unknown, resulting in a Minimal score.
References
|
| defender_for_app_service | Microsoft Defender for Cloud: Defender for App Service | detect | minimal | T1012 | Query Registry |
Comments
This control analyzes host data to detect execution of known malicious PowerShell PowerSploit cmdlets. This covers execution of this technique via the Privesc-PowerUp modules, but does not address other procedures, and temporal factor is unknown, resulting in a Minimal score.
References
|
| defender_for_app_service | Microsoft Defender for Cloud: Defender for App Service | detect | minimal | T1027 | Obfuscated Files or Information |
Comments
This control only covers one platform and procedure for one of this technique's sub-techniques, resulting in a Minimal score.
References
|
| defender_for_app_service | Microsoft Defender for Cloud: Defender for App Service | detect | minimal | T1027.005 | Indicator Removal from Tools |
Comments
This control analyzes host data to detect execution of known malicious PowerShell PowerSploit cmdlets. This covers execution of this sub-technique via the Find-AVSignature AntivirusBypass module on Windows, but does not address other procedures or platforms, and temporal factor is unknown, resulting in a Minimal score.
References
|
| defender_for_app_service | Microsoft Defender for Cloud: Defender for App Service | detect | minimal | T1036 | Masquerading |
Comments
This control only addresses a minority of this technique's procedure examples and one of its sub-techniques resulting in an overall Minimal score.
References
|
| defender_for_app_service | Microsoft Defender for Cloud: Defender for App Service | detect | minimal | T1047 | Windows Management Instrumentation |
Comments
This control analyzes host data to detect execution of known malicious PowerShell PowerSploit cmdlets. This covers execution of this technique via the Invoke-WmiCommand module, but does not address other procedures, and temporal factor is unknown, resulting in a Minimal score.
References
|
| defender_for_app_service | Microsoft Defender for Cloud: Defender for App Service | detect | minimal | T1053 | Scheduled Task/Job |
Comments
This control does not address this technique's procedure examples and only one of its sub-techniques resulting in an overall Minimal score.
References
|
| defender_for_app_service | Microsoft Defender for Cloud: Defender for App Service | detect | minimal | T1053.005 | Scheduled Task |
Comments
This control analyzes host data to detect execution of known malicious PowerShell PowerSploit cmdlets. This covers execution of this sub-technique via the New-UserPersistenceOption Persistence module on Windows, but does not address other procedures, and temporal factor is unknown, resulting in a Minimal score.
References
|
| defender_for_app_service | Microsoft Defender for Cloud: Defender for App Service | detect | minimal | T1056 | Input Capture |
Comments
This control only covers one platform and procedure for one of this technique's sub-techniques, resulting in a Minimal score.
References
|
| defender_for_app_service | Microsoft Defender for Cloud: Defender for App Service | detect | minimal | T1056.001 | Keylogging |
Comments
This control analyzes host data to detect execution of known malicious PowerShell PowerSploit cmdlets. This covers execution of this sub-technique via the Get-Keystrokes Exfiltration module on Windows, but does not address other procedures or platforms, and temporal factor is unknown, resulting in a Minimal score.
References
|
| defender_for_app_service | Microsoft Defender for Cloud: Defender for App Service | detect | minimal | T1057 | Process Discovery |
Comments
This control analyzes host data to detect execution of known malicious PowerShell PowerSploit cmdlets. This covers execution of this technique via the Get-ProcessTokenPrivilege PowerUp module on Windows, but does not address other procedures or platforms, and temporal factor is unknown, resulting in a Minimal score.
References
|
| defender_for_app_service | Microsoft Defender for Cloud: Defender for App Service | detect | minimal | T1059 | Command and Scripting Interpreter |
Comments
This control provides minimal detection for this technique's procedure examples and only two of its sub-techniques (only certain specific sub-technique behaviors), resulting in a Minimal score.
References
|
| defender_for_app_service | Microsoft Defender for Cloud: Defender for App Service | detect | minimal | T1059.001 | PowerShell |
Comments
This control monitors for execution of known malicious PowerShell PowerSploit cmdlets. Temporal factor is uknown.
References
|
| defender_for_app_service | Microsoft Defender for Cloud: Defender for App Service | detect | minimal | T1059.004 | Unix Shell |
Comments
This control monitors host data for potential reverse shells used for command and control. Temporal factor is unknown.
References
|
| defender_for_app_service | Microsoft Defender for Cloud: Defender for App Service | detect | minimal | T1087 | Account Discovery |
Comments
This control only covers one platform and procedure for one of this technique's sub-techniques, and minimal coverage of its procedure examples resulting in a Minimal overall score.
References
|
| defender_for_app_service | Microsoft Defender for Cloud: Defender for App Service | detect | minimal | T1087.001 | Local Account |
Comments
This control analyzes host data to detect execution of known malicious PowerShell PowerSploit cmdlets. This covers execution of this sub-technique via the Get-ProcessTokenGroup module on Windows, but does not address other procedures or platforms, and temporal factor is unknown, resulting in a Minimal score.
References
|
| defender_for_app_service | Microsoft Defender for Cloud: Defender for App Service | detect | minimal | T1113 | Screen Capture |
Comments
This control analyzes host data to detect execution of known malicious PowerShell PowerSploit cmdlets. This covers execution of this technique via the Get-TimedScreenshot module on Windows, but does not address other procedures or platforms, and temporal factor is unknown, resulting in a Minimal score.
References
|
| defender_for_app_service | Microsoft Defender for Cloud: Defender for App Service | detect | minimal | T1123 | Audio Capture |
Comments
This control analyzes host data to detect execution of known malicious PowerShell PowerSploit cmdlets. This covers execution of this technique via the Get-MicrophoneAudio module on Windows, but does not address other procedures or platforms, and temporal factor is unknown, resulting in a Minimal score.
References
|
| defender_for_app_service | Microsoft Defender for Cloud: Defender for App Service | detect | minimal | T1134 | Access Token Manipulation |
Comments
This control analyzes host data to detect execution of known malicious PowerShell PowerSploit cmdlets. This covers execution of this technique via the Invoke-TokenManipulation module on Windows, but does not address other procedures or platforms, and temporal factor is unknown, resulting in a Minimal score.
References
|
| defender_for_app_service | Microsoft Defender for Cloud: Defender for App Service | detect | minimal | T1204 | User Execution |
Comments
This control only provides meaningful detection for one of the technique's two sub-techniques, and the temporal factor is unknown, resulting in a score of Minimal.
References
|
| defender_for_app_service | Microsoft Defender for Cloud: Defender for App Service | detect | minimal | T1204.001 | Malicious Link |
Comments
This control monitors for references to suspicious domain names and file downloads from known malware sources, and monitors processes for downloads from raw-data websites like Pastebin, all of which are relevant for detecting users' interactions with malicious download links, but malicious links which exploit browser vulnerabilities for execution are unlikely to be detected, and temporal factor is unknown, resulting in a score of Minimal.
References
|
| defender_for_app_service | Microsoft Defender for Cloud: Defender for App Service | detect | minimal | T1482 | Domain Trust Discovery |
Comments
This control analyzes host data to detect execution of known malicious PowerShell PowerSploit cmdlets. This covers execution of this technique via the Get-NetDomainTrust and Get-NetForestTrust modules, but does not address other procedures, and temporal factor is unknown, resulting in a Minimal score.
References
|
| defender_for_app_service | Microsoft Defender for Cloud: Defender for App Service | detect | minimal | T1543 | Create or Modify System Process |
Comments
This control only addresses a minority of this technique's procedure examples and one of its sub-techniques resulting in an overall Minimal score.
References
|
| defender_for_app_service | Microsoft Defender for Cloud: Defender for App Service | detect | minimal | T1543.003 | Windows Service |
Comments
This control analyzes host data to detect execution of known malicious PowerShell PowerSploit cmdlets. This covers execution of this sub-technique via the Privesc-PowerUp modules on Windows, but does not address other procedures, and temporal factor is unknown, resulting in a Minimal score.
References
|
| defender_for_app_service | Microsoft Defender for Cloud: Defender for App Service | detect | minimal | T1547 | Boot or Logon Autostart Execution |
Comments
This control only covers one platform and procedure for two of this technique's many sub-techniques, resulting in a Minimal score.
References
|
| defender_for_app_service | Microsoft Defender for Cloud: Defender for App Service | detect | minimal | T1547.001 | Registry Run Keys / Startup Folder |
Comments
This control analyzes host data to detect execution of known malicious PowerShell PowerSploit cmdlets. This covers execution of this sub-technique via New-UserPersistenceOption on Windows, but does not address other procedures or platforms, and temporal factor is unknown, resulting in a Minimal score.
References
|
| defender_for_app_service | Microsoft Defender for Cloud: Defender for App Service | detect | minimal | T1547.005 | Security Support Provider |
Comments
This control analyzes host data to detect execution of known malicious PowerShell PowerSploit cmdlets. This covers execution of this sub-technique via the Install-SSP module on Windows, but does not address other procedures or platforms, and temporal factor is unknown, resulting in a Minimal score.
References
|
| defender_for_app_service | Microsoft Defender for Cloud: Defender for App Service | detect | minimal | T1552 | Unsecured Credentials |
Comments
This control does not address this technique's procedure example and provides minimal detection for some of its sub-techniques resulting in an overall Minimal score.
References
|
| defender_for_app_service | Microsoft Defender for Cloud: Defender for App Service | detect | minimal | T1552.002 | Credentials in Registry |
Comments
This control analyzes host data to detect execution of known malicious PowerShell PowerSploit cmdlets. This covers execution of this sub-technique via the Get-UnattendedInstallFile, Get-Webconfig, Get-ApplicationHost, Get-SiteListPassword, Get-CachedGPPPassword, and RegistryAutoLogon modules, but does not address other procedures, and temporal factor is unknown, resulting in a Minimal.
References
|
| defender_for_app_service | Microsoft Defender for Cloud: Defender for App Service | detect | minimal | T1552.006 | Group Policy Preferences |
Comments
This control analyzes host data to detect execution of known malicious PowerShell PowerSploit cmdlets. This covers execution of this sub-technique via the Exfiltration modules, but does not address other procedures, and temporal factor is unknown, resulting in a Minimal score.
References
|
| defender_for_app_service | Microsoft Defender for Cloud: Defender for App Service | detect | minimal | T1555 | Credentials from Password Stores |
Comments
This control analyzes host data to detect execution of known malicious PowerShell PowerSploit cmdlets. This covers execution of this technique via the PowerSploit Exfiltration modules on Windows, but does not address other procedures or platforms, and temporal factor is unknown, resulting in a Minimal score.
References
|
| defender_for_app_service | Microsoft Defender for Cloud: Defender for App Service | detect | minimal | T1558 | Steal or Forge Kerberos Tickets |
Comments
This control only covers one procedure for one of this technique's sub-techniques, resulting in an overall Minimal score.
References
|
| defender_for_app_service | Microsoft Defender for Cloud: Defender for App Service | detect | minimal | T1558.003 | Kerberoasting |
Comments
This control analyzes host data to detect execution of known malicious PowerShell PowerSploit cmdlets. This covers execution of this sub-technique via the Invoke-Kerberoast module, but does not address other procedures, and temporal factor is unknown, resulting in a Minimal score.
References
|
| defender_for_app_service | Microsoft Defender for Cloud: Defender for App Service | detect | minimal | T1574 | Hijack Execution Flow |
Comments
This control only addresses a minority of this technique's procedure examples and provides minimal detection of some of its sub-techniques resulting in an overall Minimal score.
References
|
| defender_for_app_service | Microsoft Defender for Cloud: Defender for App Service | detect | minimal | T1574.001 | DLL Search Order Hijacking |
Comments
This control analyzes host data to detect execution of known malicious PowerShell PowerSploit cmdlets. This covers execution of these sub-techniques via the Privesc-PowerUp modules, but does not address other procedures, and temporal factor is unknown, resulting in a Minimal score.
References
|
| defender_for_app_service | Microsoft Defender for Cloud: Defender for App Service | detect | minimal | T1574.007 | Path Interception by PATH Environment Variable |
Comments
This control analyzes host data to detect execution of known malicious PowerShell PowerSploit cmdlets. This covers execution of these sub-techniques via the Privesc-PowerUp modules, but does not address other procedures, and temporal factor is unknown, resulting in a Minimal score.
References
|
| defender_for_app_service | Microsoft Defender for Cloud: Defender for App Service | detect | minimal | T1574.008 | Path Interception by Search Order Hijacking |
Comments
This control analyzes host data to detect execution of known malicious PowerShell PowerSploit cmdlets. This covers execution of these sub-techniques via the Privesc-PowerUp modules, but does not address other procedures, and temporal factor is unknown, resulting in a Minimal score.
References
|
| defender_for_app_service | Microsoft Defender for Cloud: Defender for App Service | detect | minimal | T1574.009 | Path Interception by Unquoted Path |
Comments
This control analyzes host data to detect execution of known malicious PowerShell PowerSploit cmdlets. This covers execution of these sub-techniques via the Privesc-PowerUp modules, but does not address other procedures, and temporal factor is unknown, resulting in a Minimal score.
References
|
| defender_for_app_service | Microsoft Defender for Cloud: Defender for App Service | detect | minimal | T1595 | Active Scanning |
Comments
This control only provides detection for one of its two sub-techniques, resulting in an overall Minimal score.
References
|
| defender_for_app_service | Microsoft Defender for Cloud: Defender for App Service | protect | minimal | T1566 | Phishing |
Comments
This control only provides (minimal) protection for one of the technique's sub-techniques, resulting in a Minimal score.
References
|
| defender_for_app_service | Microsoft Defender for Cloud: Defender for App Service | protect | minimal | T1566.002 | Spearphishing Link |
Comments
This control monitors for known phishing links on the Azure App Services website and generates alerts if they are detected, potentially preventing their access by users. This is a very specific avenue, only covers known links, and temporal factor is unknown, resulting in a Minimal score.
References
|
| defender_for_app_service | Microsoft Defender for Cloud: Defender for App Service | protect | minimal | T1584 | Compromise Infrastructure |
Comments
This control only addresses one of the technique's sub-techniques, resulting in a score of Minimal.
References
|
| defender_for_app_service | Microsoft Defender for Cloud: Defender for App Service | detect | partial | T1036.005 | Match Legitimate Name or Location |
Comments
This control analyzes host data to detect processes with suspicious names, including those named in a way that is suggestive of attacker tools that try to hide in plain sight. False positives are probable, and temporal factor is unknown.
References
|
| defender_for_app_service | Microsoft Defender for Cloud: Defender for App Service | detect | partial | T1055 | Process Injection |
Comments
This control's Fileless Attack Detection covers all relevant sub-techniques. The control also specifically detects process hollowing, executable image injection, and threads started in a dynamically allocated code segment. Detection is periodic at an unknown rate.
References
|
| defender_for_app_service | Microsoft Defender for Cloud: Defender for App Service | detect | partial | T1055.001 | Dynamic-link Library Injection |
Comments
Injection attacks are specifically cited as a detection focus for Fileless Attack Detection, which is part of this control, with even more specific references to Process Hollowing, executable image injection, and threads started in a dynamically allocated code segment. Detection is periodic at an unknown rate.
References
|
| defender_for_app_service | Microsoft Defender for Cloud: Defender for App Service | detect | partial | T1055.002 | Portable Executable Injection |
Comments
Injection attacks are specifically cited as a detection focus for Fileless Attack Detection, which is part of this control, with even more specific references to Process Hollowing, executable image injection, and threads started in a dynamically allocated code segment. Detection is periodic at an unknown rate.
References
|
| defender_for_app_service | Microsoft Defender for Cloud: Defender for App Service | detect | partial | T1055.003 | Thread Execution Hijacking |
Comments
Injection attacks are specifically cited as a detection focus for Fileless Attack Detection, which is part of this control, with even more specific references to Process Hollowing, executable image injection, and threads started in a dynamically allocated code segment. Detection is periodic at an unknown rate.
References
|
| defender_for_app_service | Microsoft Defender for Cloud: Defender for App Service | detect | partial | T1055.004 | Asynchronous Procedure Call |
Comments
Injection attacks are specifically cited as a detection focus for Fileless Attack Detection, which is part of this control, with even more specific references to Process Hollowing, executable image injection, and threads started in a dynamically allocated code segment. Detection is periodic at an unknown rate.
References
|
| defender_for_app_service | Microsoft Defender for Cloud: Defender for App Service | detect | partial | T1055.005 | Thread Local Storage |
Comments
Injection attacks are specifically cited as a detection focus for Fileless Attack Detection, which is part of this control, with even more specific references to Process Hollowing, executable image injection, and threads started in a dynamically allocated code segment. Detection is periodic at an unknown rate.
References
|
| defender_for_app_service | Microsoft Defender for Cloud: Defender for App Service | detect | partial | T1055.008 | Ptrace System Calls |
Comments
Injection attacks are specifically cited as a detection focus for Fileless Attack Detection, which is part of this control, with even more specific references to Process Hollowing, executable image injection, and threads started in a dynamically allocated code segment. Detection is periodic at an unknown rate.
References
|
| defender_for_app_service | Microsoft Defender for Cloud: Defender for App Service | detect | partial | T1055.009 | Proc Memory |
Comments
Injection attacks are specifically cited as a detection focus for Fileless Attack Detection, which is part of this control, with even more specific references to Process Hollowing, executable image injection, and threads started in a dynamically allocated code segment. Detection is periodic at an unknown rate.
References
|
| defender_for_app_service | Microsoft Defender for Cloud: Defender for App Service | detect | partial | T1055.011 | Extra Window Memory Injection |
Comments
Injection attacks are specifically cited as a detection focus for Fileless Attack Detection, which is part of this control, with even more specific references to Process Hollowing, executable image injection, and threads started in a dynamically allocated code segment. Detection is periodic at an unknown rate.
References
|
| defender_for_app_service | Microsoft Defender for Cloud: Defender for App Service | detect | partial | T1055.012 | Process Hollowing |
Comments
Injection attacks are specifically cited as a detection focus for Fileless Attack Detection, which is part of this control, with even more specific references to Process Hollowing, executable image injection, and threads started in a dynamically allocated code segment. Detection is periodic at an unknown rate.
References
|
| defender_for_app_service | Microsoft Defender for Cloud: Defender for App Service | detect | partial | T1055.013 | Process Doppelgänging |
Comments
Injection attacks are specifically cited as a detection focus for Fileless Attack Detection, which is part of this control, with even more specific references to Process Hollowing, executable image injection, and threads started in a dynamically allocated code segment. Detection is periodic at an unknown rate.
References
|
| defender_for_app_service | Microsoft Defender for Cloud: Defender for App Service | detect | partial | T1055.014 | VDSO Hijacking |
Comments
Injection attacks are specifically cited as a detection focus for Fileless Attack Detection, which is part of this control, with even more specific references to Process Hollowing, executable image injection, and threads started in a dynamically allocated code segment. Detection is periodic at an unknown rate.
References
|
| defender_for_app_service | Microsoft Defender for Cloud: Defender for App Service | detect | partial | T1068 | Exploitation for Privilege Escalation |
Comments
This control's Fileless Attack Detection identifies shellcode executing within process memory, including shellcode executed as a payload in the exploitation of a software vulnerability. Detection is periodic at an unknown rate.
References
|
| defender_for_app_service | Microsoft Defender for Cloud: Defender for App Service | detect | partial | T1105 | Ingress Tool Transfer |
Comments
This control detects binary downloads via certutil, monitors for FTP access from IP addresses found in threat intelligence, monitors for references to suspicious domain names and file downloads from known malware sources, and monitors processes for downloads from raw-data websites like Pastebin. Temporal factor is unknown.
References
|
| defender_for_app_service | Microsoft Defender for Cloud: Defender for App Service | detect | partial | T1140 | Deobfuscate/Decode Files or Information |
Comments
This control analyzes host data to detect base-64 encoded executables within command sequences. It also monitors for use of certutil to decode executables. Temporal factor is unknown.
References
|
| defender_for_app_service | Microsoft Defender for Cloud: Defender for App Service | detect | partial | T1189 | Drive-by Compromise |
Comments
This control's Fileless Attack Detection identifies shellcode executing within process memory, including shellcode injected into browser or other process memory as part of a drive-by attack. Detection is periodic at an unknown rate.
References
|
| defender_for_app_service | Microsoft Defender for Cloud: Defender for App Service | detect | partial | T1190 | Exploit Public-Facing Application |
Comments
This control's Fileless Attack Detection identifies shellcode executing within process memory, including shellcode injected to exploit a vulnerability in a public-facing application. Detection is periodic at an unknown rate.
References
|
| defender_for_app_service | Microsoft Defender for Cloud: Defender for App Service | detect | partial | T1203 | Exploitation for Client Execution |
Comments
This control's Fileless Attack Detection identifies shellcode executing within process memory, including shellcode executed as a payload in the exploitation of a software vulnerability. Detection is periodic at an unknown rate.
References
|
| defender_for_app_service | Microsoft Defender for Cloud: Defender for App Service | detect | partial | T1210 | Exploitation of Remote Services |
Comments
This control's Fileless Attack Detection identifies shellcode executing within process memory, including shellcode injected to exploit a vulnerability in an exposed service. Detection is periodic at an unknown rate.
References
|
| defender_for_app_service | Microsoft Defender for Cloud: Defender for App Service | detect | partial | T1211 | Exploitation for Defense Evasion |
Comments
This control's Fileless Attack Detection identifies shellcode executing within process memory, including shellcode executed as a payload in the exploitation of a software vulnerability. Detection is periodic at an unknown rate.
References
|
| defender_for_app_service | Microsoft Defender for Cloud: Defender for App Service | detect | partial | T1212 | Exploitation for Credential Access |
Comments
This control's Fileless Attack Detection identifies shellcode executing within process memory, including shellcode executed as a payload in the exploitation of a software vulnerability. Detection is periodic at an unknown rate.
References
|
| defender_for_app_service | Microsoft Defender for Cloud: Defender for App Service | detect | partial | T1496 | Resource Hijacking |
Comments
This control detects file downloads associated with digital currency mining as well as host data related to process and command execution associated with mining. It also includes fileless attack detection, which specifically targets crypto mining activity. Temporal factor is unknown.
References
|
| defender_for_app_service | Microsoft Defender for Cloud: Defender for App Service | detect | partial | T1496.001 | Compute Hijacking |
Comments
This control detects file downloads associated with digital currency mining as well as host data related to process and command execution associated with mining. It also includes fileless attack detection, which specifically targets crypto mining activity. Temporal factor is unknown.
References
|
| defender_for_app_service | Microsoft Defender for Cloud: Defender for App Service | detect | partial | T1496.004 | Cloud Service Hijacking |
Comments
This control detects file downloads associated with digital currency mining as well as host data related to process and command execution associated with mining. It also includes fileless attack detection, which specifically targets crypto mining activity. Temporal factor is unknown.
References
|
| defender_for_app_service | Microsoft Defender for Cloud: Defender for App Service | detect | partial | T1559 | Inter-Process Communication |
Comments
This control's Fileless Attack Detection covers the command execution aspects of both of this technique's sub-techniques. Detection is periodic at an unknown rate.
References
|
| defender_for_app_service | Microsoft Defender for Cloud: Defender for App Service | detect | partial | T1559.001 | Component Object Model |
Comments
This control's Fileless Attack Detection identifies suspicious command execution within process memory. Detection is periodic at an unknown rate.
References
|
| defender_for_app_service | Microsoft Defender for Cloud: Defender for App Service | detect | partial | T1559.002 | Dynamic Data Exchange |
Comments
This control's Fileless Attack Detection identifies suspicious command execution within process memory. Detection is periodic at an unknown rate.
References
|
| defender_for_app_service | Microsoft Defender for Cloud: Defender for App Service | detect | partial | T1594 | Search Victim-Owned Websites |
Comments
This control monitors for accesses of potentially sensitive web pages from source IP addresses whose access pattern resembles that of a web scanner or have not been logged before. Temporal factor is unknown.
References
|
| defender_for_app_service | Microsoft Defender for Cloud: Defender for App Service | detect | partial | T1595.002 | Vulnerability Scanning |
Comments
This control monitors for web fingerprinting tools including nmap and Blind Elephant, as well as scanners looking for vulnerability in applications like Drupal, Joomla, and WordPress. Temporal factor is unknown.
References
|
| defender_for_app_service | Microsoft Defender for Cloud: Defender for App Service | detect | partial | T1595.003 | Wordlist Scanning |
Comments
This control can protect web applications from active scanning by an adversary. Because this protection is specific to web applications (although frequent targets) and not other application types, it has been scored as Partial.
References
|
| defender_for_app_service | Microsoft Defender for Cloud: Defender for App Service | detect | partial | T1620 | Reflective Code Loading |
Comments
This capability analyzes host data to detect processes with suspicious attributes, including those created anonymously.
References
|
| defender_for_app_service | Microsoft Defender for Cloud: Defender for App Service | protect | partial | T1027.006 | HTML Smuggling |
Comments
This control can protect against HTML smuggling.
References
|
| defender_for_app_service | Microsoft Defender for Cloud: Defender for App Service | protect | partial | T1027.007 | Dynamic API Resolution |
Comments
This control can protect against abuse of dynamic API resolution.
References
|
| defender_for_app_service | Microsoft Defender for Cloud: Defender for App Service | protect | partial | T1027.009 | Embedded Payloads |
Comments
This control can protect against embedded payloads.
References
|
| defender_for_app_service | Microsoft Defender for Cloud: Defender for App Service | protect | partial | T1027.010 | Command Obfuscation |
Comments
This control can protect against command obfuscation attacks.
References
|
| defender_for_app_service | Microsoft Defender for Cloud: Defender for App Service | protect | partial | T1027.013 | Encrypted/Encoded File |
Comments
This control can protect against obsfucation via encrypted/encoded files.
References
|
| defender_for_app_service | Microsoft Defender for Cloud: Defender for App Service | protect | partial | T1027.014 | Polymorphic Code |
Comments
This control can protect against obsfucation via polymorphic code.
References
|
| defender_for_app_service | Microsoft Defender for Cloud: Defender for App Service | protect | partial | T1648 | Serverless Execution |
Comments
This capability can protect against abuse of Azure Functions.
References
|
| defender_for_app_service | Microsoft Defender for Cloud: Defender for App Service | protect | significant | T1584.001 | Domains |
Comments
Subdomain hijacking is a focus of this control, and its Dangling DNS detection alert feature is activated when an App Service website is decommissioned and its corresponding DNS entry is not deleted, allowing users to remove those entries before they can be leveraged by an adversary.
References
|
| Capability ID | Capability Name | Number of Mappings |
|---|---|---|
| defender_for_app_service | Microsoft Defender for Cloud: Defender for App Service | 84 |