| Capability ID | Capability Description | Category | Value | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|---|
| defender_for_containers | Microsoft Defender for Containers | protect | minimal | T1068 | Exploitation for Privilege Escalation |
Comments
This control may provide recommendations to avoid privileged containers and running containers as root.
References
|
| defender_for_containers | Microsoft Defender for Containers | protect | minimal | T1190 | Exploit Public-Facing Application |
Comments
This control may provide provide information about vulnerabilities within container images. The limited scope of containers and registries that are applicable to this control contribute to the lower score.
References
|
| defender_for_containers | Microsoft Defender for Containers | detect | partial | T1053.007 | Container Orchestration Job |
Comments
This control can detect when containers are created.
References
|
| defender_for_containers | Microsoft Defender for Containers | detect | partial | T1068 | Exploitation for Privilege Escalation |
Comments
This control may alert on detection of new privileged containers and high privilege roles.
References
|
| defender_for_containers | Microsoft Defender for Containers | detect | partial | T1070 | Indicator Removal |
Comments
This control may alert on deletion of Kubernetes events. Attackers might delete those events for hiding their operations in the cluster. There is no relevant sub-technique for this control but the parent applies.
References
|
| defender_for_containers | Microsoft Defender for Containers | detect | partial | T1098.006 | Additional Container Cluster Roles |
Comments
This control can detect when changes are made to containers that indicate account manipulation.
References
|
| defender_for_containers | Microsoft Defender for Containers | detect | partial | T1204 | User Execution |
Comments
This control can detect container behavior associated with this technique.
References
|
| defender_for_containers | Microsoft Defender for Containers | detect | partial | T1204.003 | Malicious Image |
Comments
This capability can detect when containers are created or started.
References
|
| defender_for_containers | Microsoft Defender for Containers | detect | partial | T1525 | Implant Internal Image |
Comments
This control may scan and alert on import or creation of container images with known vulnerabilities or a possible expanded surface area for exploitation.
References
|
| defender_for_containers | Microsoft Defender for Containers | detect | partial | T1525 | Implant Internal Image |
Comments
This control may alert on containers with sensitive volume mounts, unneeded privileges, or running an image with digital currency mining software.
References
|
| defender_for_containers | Microsoft Defender for Containers | detect | partial | T1611 | Escape to Host |
Comments
This capability can detect escape to host.
References
|
| defender_for_containers | Microsoft Defender for Containers | detect | partial | T1612 | Build Image on Host |
Comments
This capability can detect building a container image on the host.
References
|
| defender_for_containers | Microsoft Defender for Containers | protect | partial | T1190 | Exploit Public-Facing Application |
Comments
This control may alert on publicly exposed Kubernetes services. This may provide context on services that should be patched or hardened for public access.
References
|
| defender_for_containers | Microsoft Defender for Containers | protect | partial | T1525 | Implant Internal Image |
Comments
This control may prevent adversaries from implanting malicious container images through fine grained permissions and use of container image tag signing. Image tag signing allows for verifiable container images that have been signed with legitimate keys.
References
|
| defender_for_containers | Microsoft Defender for Containers | protect | partial | T1552.007 | Container API |
Comments
This capability can be integrated with others to secure credentials.
References
|
| defender_for_containers | Microsoft Defender for Containers | protect | partial | T1611 | Escape to Host |
Comments
This capability can protect against escape to host attacks.
References
|
| defender_for_containers | Microsoft Defender for Containers | protect | partial | T1612 | Build Image on Host |
Comments
This capability can protect against building a container image on the host.
References
|
| defender_for_containers | Microsoft Defender for Containers | detect | significant | T1609 | Container Administration Command |
Comments
This capability can detect abuse of container administration services.
References
|
| defender_for_containers | Microsoft Defender for Containers | detect | significant | T1610 | Deploy Container |
Comments
This capability can detect unauthorized deployment of containers.
References
|
| defender_for_containers | Microsoft Defender for Containers | detect | significant | T1613 | Container and Resource Discovery |
Comments
This capability can detect container discovery.
References
|
| defender_for_containers | Microsoft Defender for Containers | detect | significant | T1619 | Cloud Storage Object Discovery |
Comments
This capability can detect cloud storage object (blob) discovery.
References
|
| defender_for_containers | Microsoft Defender for Containers | protect | significant | T1609 | Container Administration Command |
Comments
This capability can protect against abuse of container administration services.
References
|
| defender_for_containers | Microsoft Defender for Containers | protect | significant | T1610 | Deploy Container |
Comments
This capability can protect against unauthorized deployment of containers.
References
|
| defender_for_containers | Microsoft Defender for Containers | protect | significant | T1613 | Container and Resource Discovery |
Comments
This capability can protect against container discovery.
References
|
| defender_for_containers | Microsoft Defender for Containers | protect | significant | T1619 | Cloud Storage Object Discovery |
Comments
This capability can protect against cloud object storage (blob) discovery.
References
|
| Capability ID | Capability Name | Number of Mappings |
|---|---|---|
| defender_for_containers | Microsoft Defender for Containers | 25 |