Capability ID | Capability Description | Category | Value | ATT&CK ID | ATT&CK Name | Notes |
---|---|---|---|---|---|---|
azure_ad_privileged_identity_management | Azure AD Privileged Identity Management | protect | minimal | T1078 | Valid Accounts | This control only provides protection for one of this technique's sub-techniques while not providing any protection for the remaining and therefore its coverage score is Minimal, resulting in a Minimal score. |
azure_ad_privileged_identity_management | Azure AD Privileged Identity Management | protect | partial | T1078.004 | Cloud Accounts | This control's Access Review feature supports scheduling a routine review of cloud account permission levels to look for those that could allow an adversary to gain wide access. This information can then be used to validate if such access is required and identify which (privileged) accounts should be monitored closely. This reduces the availability of valid accounts to adversaries. This review would normally be scheduled periodically, at most weekly, and therefore its temporal score is Partial. |
azure_ad_privileged_identity_management | Azure AD Privileged Identity Management | protect | partial | T1098 | Account Manipulation | This control provides significant protection for some of this technique's sub-techniques while not providing any protection for others, resulting in a Partial score. |
azure_ad_privileged_identity_management | Azure AD Privileged Identity Management | detect | minimal | T1098 | Account Manipulation | This control only provides detection for one of this technique's sub-techniques while not providing any detection for the remaining and therefore its coverage score is Minimal, resulting in a Minimal score. |
azure_ad_privileged_identity_management | Azure AD Privileged Identity Management | protect | significant | T1098.003 | Add Office 365 Global Administrator Role | This control can require MFA to be triggered when the Global Administrator role is assigned to an account or when the role is activated by a user. |
azure_ad_privileged_identity_management | Azure AD Privileged Identity Management | detect | significant | T1098.003 | Add Office 365 Global Administrator Role | This control can notify administrators whenever the Global Administrator role is assigned to an account and can therefore be used to detect the execution of this sub-technique. Assigning the Global Administrator role to an account is an infrequent operation and as a result, the false positive rate should be minimal. |
azure_ad_privileged_identity_management | Azure AD Privileged Identity Management | protect | significant | T1098.001 | Additional Cloud Credentials | Privileged roles such as the Application Administrator role can be configured to require MFA on activation to provide additional protection against the execution of this technique. In addition, these privileged roles can be assigned as eligible rather than permanently active roles to further reduce the attack surface. |
azure_ad_privileged_identity_management | Azure AD Privileged Identity Management | protect | minimal | T1136 | Create Account | This control only provides protection for one of this technique's sub-techniques while not providing any detection for the remaining and therefore its coverage score is Minimal, resulting in a Minimal score. |
azure_ad_privileged_identity_management | Azure AD Privileged Identity Management | protect | significant | T1136.003 | Cloud Account | Privileged roles such as the User Administrator role can be configured to require MFA on activation to provide additional protection against the execution of this technique. In addition, these privileged roles can be assigned as eligible rather than permanently active roles to further reduce the attack surface. |