| Capability ID | Capability Description | Category | Value | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|---|
| defender_for_resource_manager | Microsoft Defender for Resource Manager | detect | minimal | T1068 | Exploitation for Privilege Escalation |
Comments
This control may alert on escalation attempts from Azure AD to Azure accounts by specific exploitation toolkits. Consequently, its Coverage score is Minimal resulting in an overall Minimal score. The following alerts may be generated: "PowerZure exploitation toolkit used to elevate access from Azure AD to Azure".
References
|
| defender_for_resource_manager | Microsoft Defender for Resource Manager | detect | minimal | T1069 | Permission Groups Discovery |
Comments
This control may alert on Azure domain cloud groups discovery activity but may not provide alerts for other account types or undocumented exploitation toolkits. Consequently, its Coverage score is Minimal resulting in an overall Minimal score.
References
|
| defender_for_resource_manager | Microsoft Defender for Resource Manager | detect | minimal | T1087 | Account Discovery |
Comments
This control may alert on Azure cloud account discovery activity but may not provide alerts for other account types or undocumented exploitation toolkits. Consequently, its Coverage score is Minimal resulting in an overall Minimal score.
References
|
| defender_for_resource_manager | Microsoft Defender for Resource Manager | detect | minimal | T1555 | Credentials from Password Stores |
Comments
This control may alert on credential dumping from Azure Key Vaults, App Services Configurations, and Automation accounts by specific exploitation toolkits. Consequently, its Coverage score is Minimal resulting in an overall Minimal score. The following alerts may be generated: "MicroBurst exploitation toolkit used to extract secrets from your Azure key vaults", "MicroBurst exploitation toolkit used to extract keys to your storage accounts".
References
|
| defender_for_resource_manager | Microsoft Defender for Resource Manager | detect | minimal | T1562 | Impair Defenses |
Comments
This control may alert on Windows Defender security features being disabled but does not alert on other security tools or logging being disabled or tampered with. Consequently, its Coverage score is Minimal resulting in an overall Minimal score.
References
|
| defender_for_resource_manager | Microsoft Defender for Resource Manager | detect | partial | T1069.003 | Cloud Groups |
Comments
This control may alert on Permission Groups Discovery of Cloud Groups activity generated by specific toolkits, such as MicroBurst, PowerZure, etc. It may not generate alerts on undocumented discovery techniques or exploitation toolkits. The following alerts may be generated: "MicroBurst exploitation toolkit used to enumerate resources in your subscriptions", "Azurite toolkit run detected".
References
|
| defender_for_resource_manager | Microsoft Defender for Resource Manager | detect | partial | T1087.004 | Cloud Account |
Comments
This control may alert on Account Discovery of Cloud Accounts activity generated by specific toolkits, such as MicroBurst, PowerZure, etc. It may not generate alerts on undocumented discovery techniques or exploitation toolkits. The following alerts may be generated: "PowerZure exploitation toolkit used to enumerate storage containers, shares, and tables", "PowerZure exploitation toolkit used to enumerate resources", "MicroBurst exploitation toolkit used to enumerate resources in your subscriptions", "Azurite toolkit run detected".
References
|
| defender_for_resource_manager | Microsoft Defender for Resource Manager | detect | partial | T1526 | Cloud Service Discovery |
Comments
This control may alert on Cloud Service Discovery activity generated by specific toolkits, such as MicroBurst, PowerZure, etc. It may not generate alerts on undocumented discovery techniques or exploitation toolkits. The following alerts may be generated: "PowerZure exploitation toolkit used to enumerate storage containers, shares, and tables", "PowerZure exploitation toolkit used to enumerate resources", "MicroBurst exploitation toolkit used to enumerate resources in your subscriptions".
References
|
| defender_for_resource_manager | Microsoft Defender for Resource Manager | detect | partial | T1538 | Cloud Service Dashboard |
Comments
This control may alert on suspicious management activity based on IP, time, anomalous behaviour, or PowerShell usage. Machine learning algorithms are used to reduce false positives. The following alerts may be generated: "Activity from a risky IP address", "Activity from infrequent country", "Impossible travel activity", "Suspicious management session using PowerShell detected", "Suspicious management session using an inactive account detected", "Suspicious management session using Azure portal detected".
References
|
| defender_for_resource_manager | Microsoft Defender for Resource Manager | detect | partial | T1562.001 | Disable or Modify Tools |
Comments
The following alerts are available for Windows Defender security features being disabled but none for third party security tools: "Antimalware broad files exclusion in your virtual machine", "Antimalware disabled and code execution in your virtual machine", "Antimalware disabled in your virtual machine", "Antimalware file exclusion and code execution in your virtual machine", "Antimalware file exclusion in your virtual machine", "Antimalware real-time protection was disabled in your virtual machine", "Antimalware real-time protection was disabled temporarily in your virtual machine", "Antimalware real-time protection was disabled temporarily while code was executed in your virtual machine", "Antimalware temporarily disabled in your virtual machine", "Antimalware unusual file exclusion in your virtual machine".
References
|
| defender_for_resource_manager | Microsoft Defender for Resource Manager | detect | partial | T1580 | Cloud Infrastructure Discovery |
Comments
This control may alert on Cloud Infrastructure Discovery activity generated by specific toolkits, such as MicroBurst, PowerZure, etc. It may not generate alerts on undocumented discovery techniques or exploitation toolkits. The following alerts may be generated: "PowerZure exploitation toolkit used to enumerate storage containers, shares, and tables", "PowerZure exploitation toolkit used to enumerate resources", "MicroBurst exploitation toolkit used to enumerate resources in your subscriptions", "Azurite toolkit run detected".
References
|