| Capability ID | Capability Description | Category | Value | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|---|
| adaptive_application_controls | Adaptive Application Controls | detect | partial | T1204 | User Execution |
Comments
This control only provides detection for one of this technique's sub-techniques while not providing any detection capability for its other sub-technique, and therefore its coverage score is Partial, resulting in a Partial score.
References
|
| adaptive_application_controls | Adaptive Application Controls | detect | partial | T1204.002 | Malicious File |
Comments
Once this control is activated, it generates alerts for any executable that has been run and is not included in an allow list. There is a significant potential for false positives from new non-malicious executables, and events are calculated once every twelve hours, so its temporal score is Partial.
References
|
| adaptive_application_controls | Adaptive Application Controls | detect | partial | T1036 | Masquerading |
Comments
This control provides detection for some of this technique's sub-techniques and procedure examples and therefore its coverage score is Partial, resulting in a Partial score. Its detection occurs once every twelve hours, so its temporal score is also Partial.
References
|
| adaptive_application_controls | Adaptive Application Controls | detect | partial | T1036.005 | Match Legitimate Name or Location |
Comments
Once this control is activated, it generates alerts for any executable that is run and is not included in an allow list. Path-based masquerading may subvert path-based rules within this control, resulting in false negatives, but hash and publisher-based rules will still detect untrusted executables. Events are calculated once every twelve hours, so its temporal score is Partial.
References
|
| adaptive_application_controls | Adaptive Application Controls | detect | partial | T1036.006 | Space after Filename |
Comments
Once this control is activated, it generates alerts for any executable that is run and is not included in an allow list. Malicious files of this type would be unlikely to evade detection from any form of allow list. Events are calculated once every twelve hours, so its temporal score is Partial.
References
|
| adaptive_application_controls | Adaptive Application Controls | detect | partial | T1036.001 | Invalid Code Signature |
Comments
Once this control is activated, it generates alerts for any executable that is run and is not included in an allow list. Because signatures generated via this technique are not valid, these malicious executables would be detected via any form of allow list, including publisher-based. Events are calculated once every twelve hours, so its temporal score is Partial.
References
|
| adaptive_application_controls | Adaptive Application Controls | detect | minimal | T1553 | Subvert Trust Controls |
Comments
This control only provides detection for one of this technique's sub-techniques while not providing any detection capability for the remaining sub-techniques, and therefore its coverage score is Minimal, resulting in a Minimal score.
References
|
| adaptive_application_controls | Adaptive Application Controls | detect | partial | T1553.002 | Code Signing |
Comments
Once this control is activated, it generates alerts for any executable that is run and is not included in an allow list. While publisher-based allow lists may fail to detect malicious executables with valid signatures, hash and path-based rules will still detect untrusted executables. Events are calculated once every twelve hours, so its temporal score is Partial.
References
|
| adaptive_application_controls | Adaptive Application Controls | detect | partial | T1554 | Compromise Client Software Binary |
Comments
Once this control is activated, it generates alerts for any executable that is run and is not included in an allow list. While name and publisher-based allow lists may fail to detect malicious modifications to executable client binaries, hash-based rules will still detect untrusted executables. Events are calculated once every twelve hours, so its temporal score is Partial.
References
|