Capability ID | Capability Description | Category | Value | ATT&CK ID | ATT&CK Name | Notes |
---|---|---|---|---|---|---|
azure_policy | Azure Policy | protect | partial | T1190 | Exploit Public-Facing Application | This control may provide recommendations to restrict access to public-facing applications and provide information on vulnerable applications. |
azure_policy | Azure Policy | protect | partial | T1133 | External Remote Services | This control may provide recommendations to secure external remote services, such as restricting SSH access, enabling multi-factor authentication for VPN access, and auditing external remote services that are unnecessary or not kept updated. |
azure_policy | Azure Policy | protect | partial | T1590 | Gather Victim Network Information | This control may provide recommendations to restrict access to cloud resources from public networks and to route traffic between resources through Azure. Recommendations are also provided to use private DNS zones. If these recommendations are implemented, the visible network information should be reduced. |
azure_policy | Azure Policy | protect | partial | T1590.002 | DNS | |
azure_policy | Azure Policy | protect | partial | T1590.004 | Network Topology | |
azure_policy | Azure Policy | protect | partial | T1590.005 | IP Addresses | |
azure_policy | Azure Policy | protect | partial | T1590.006 | Network Security Appliances | |
azure_policy | Azure Policy | protect | minimal | T1078 | Valid Accounts | |
azure_policy | Azure Policy | protect | minimal | T1078.004 | Cloud Accounts | This control may provide recommendations to audit and restrict privileges on Azure cloud accounts, and may provide information that reduces the surface area for privileged access to Azure. |
azure_policy | Azure Policy | protect | minimal | T1098 | Account Manipulation | |
azure_policy | Azure Policy | protect | minimal | T1098.001 | Additional Cloud Credentials | This control may recommend removing deprecated accounts, reducing privileges, and enabling multi-factor authentication. This can reduce the number of accounts available to be exploited and limit what could be done with those accounts. |
azure_policy | Azure Policy | detect | minimal | T1525 | Implant Container Image | This control may provide recommendations to enable scanning and auditing of container images. This can provide information on images that have been added with high privileges or vulnerabilities. |
azure_policy | Azure Policy | protect | partial | T1535 | Unused/Unsupported Cloud Regions | This control may provide recommendations to restrict the locations your organization is allowed to specify when deploying resources or creating resource groups. |
azure_policy | Azure Policy | protect | minimal | T1505 | Server Software Component | |
azure_policy | Azure Policy | protect | minimal | T1505.001 | SQL Stored Procedures | This control may provide recommendations to enable other Azure controls that provide information on potentially exploitable SQL stored procedures. Recommendations to remove unnecessary privileges from accounts and stored procedures can mitigate exploitation of this technique. |
azure_policy | Azure Policy | protect | minimal | T1068 | Exploitation for Privilege Escalation | This control may provide recommendations for vulnerability assessment and for outdated applications and cloud services. This control covers a wide range of Azure cloud services, helping to reduce the surface area for exploitation. |
azure_policy | Azure Policy | protect | minimal | T1211 | Exploitation for Defense Evasion | This control may provide recommendations for vulnerability assessment and for outdated applications and cloud services. This control covers a wide range of Azure cloud services, helping to reduce the surface area for exploitation. |
azure_policy | Azure Policy | protect | minimal | T1212 | Exploitation for Credential Access | This control may provide recommendations for vulnerability assessment and for outdated applications and cloud services. This control covers a wide range of Azure cloud services, helping to reduce the surface area for exploitation. |
azure_policy | Azure Policy | protect | minimal | T1203 | Exploitation for Client Execution | This control may provide recommendations for vulnerability assessment and for outdated applications and cloud services. This control covers a wide range of Azure cloud services, helping to reduce the surface area for exploitation. |
azure_policy | Azure Policy | protect | partial | T1110 | Brute Force | |
azure_policy | Azure Policy | protect | partial | T1110.003 | Password Spraying | This control may provide recommendations to implement multi-factor authentication, implement password security policies, and replace password authentication with more secure authentication methods. This control can affect Azure, Azure cloud application, and endpoint credentials. |
azure_policy | Azure Policy | protect | partial | T1110.001 | Password Guessing | This control may provide recommendations to implement multi-factor authentication, implement password security policies, and replace password authentication with more secure authentication methods. This control can affect Azure, Azure cloud application, and endpoint credentials. |
azure_policy | Azure Policy | protect | partial | T1110.004 | Credential Stuffing | This control may provide recommendations to implement multi-factor authentication, implement password security policies, and replace password authentication with more secure authentication methods. This control can affect Azure, Azure cloud application, and endpoint credentials. |
azure_policy | Azure Policy | protect | partial | T1555 | Credentials from Password Stores | This control may provide recommendations for auditing and hardening Azure Key Vault to prevent malicious access and to segment key access. |
azure_policy | Azure Policy | protect | partial | T1040 | Network Sniffing | This control may provide recommendations to enable various Azure services that route traffic through secure networks, segment all network traffic, and enable TLS encryption where available. |
azure_policy | Azure Policy | protect | partial | T1580 | Cloud Infrastructure Discovery | This control may provide recommendations to enable Azure services that limit access to cloud infrastructure. Several Azure services and controls provide mitigations against cloud infrastructure discovery. |
azure_policy | Azure Policy | protect | partial | T1538 | Cloud Service Dashboard | This control may provide recommendations to enable Azure services that limit access to Azure Resource Manager and other Azure dashboards. Several Azure services and controls provide mitigations against this technique. |
azure_policy | Azure Policy | protect | partial | T1526 | Cloud Service Discovery | This control may provide recommendations to enable Azure services that limit access to cloud services. Several Azure services and controls provide mitigations against cloud service discovery. |
azure_policy | Azure Policy | protect | minimal | T1210 | Exploitation of Remote Services | This control may provide recommendations to enable Azure security controls that harden remote services and reduce the surface area for possible exploitation. |
azure_policy | Azure Policy | protect | minimal | T1021 | Remote Services | |
azure_policy | Azure Policy | protect | minimal | T1021.001 | Remote Desktop Protocol | This control may provide recommendations to restrict public access to Remote Desktop Protocol. |
azure_policy | Azure Policy | protect | minimal | T1021.004 | SSH | This control may provide recommendations to restrict public SSH access and enable the use of SSH keys. |
azure_policy | Azure Policy | protect | partial | T1530 | Data from Cloud Storage Object | This control may provide recommendations to enable Azure Defender for Storage and other security controls to prevent access to data from cloud storage objects. |
azure_policy | Azure Policy | protect | minimal | T1071 | Application Layer Protocol | |
azure_policy | Azure Policy | protect | minimal | T1071.004 | DNS | This control may provide recommendations to enable Azure Defender for DNS, which can monitor DNS queries between Azure applications for malicious traffic. |
azure_policy | Azure Policy | protect | minimal | T1537 | Transfer Data to Cloud Account | This control may provide recommendations to enable security controls that monitor and prevent malicious transfer of data to cloud accounts. |
azure_policy | Azure Policy | protect | minimal | T1485 | Data Destruction | This control may provide recommendations to enable soft deletion and purge protection in Azure Key Vault. This can help mitigate malicious deletion of keys and secrets stored within Key Vault. |