Capability ID | Capability Description | Category | Value | ATT&CK ID | ATT&CK Name | Notes |
---|---|---|---|---|---|---|
azure_security_center_recommendations | Azure Security Center Recommendations | protect | minimal | T1040 | Network Sniffing | This control's recommendations related to enforcing the secure versions of the HTTP and FTP protocols (HTTPS and FTPS) can lead to encrypting traffic, which reduces an adversary's ability to gather sensitive data via network sniffing. The same applies to the "Service Fabric clusters should have the ClusterProtectionLevel property set to EncryptAndSign", "Enforce SSL connection should be enabled for MySQL database servers", "Enforce SSL connection should be enabled for PostgreSQL database servers", "Only secure connections to your Redis Cache should be enabled" and "Secure transfer to storage accounts should be enabled" recommendations for their respective protocols. The "Usage of host networking and ports should be restricted" recommendation for Kubernetes clusters can also lead to mitigating this technique. These recommendations are limited to specific technologies on the platform, and therefore the coverage score is Minimal. |
azure_security_center_recommendations | Azure Security Center Recommendations | protect | minimal | T1190 | Exploit Public-Facing Application | This control's CORS-related recommendations can help lead to hardened web applications, which reduces the likelihood of an application being exploited to reveal sensitive data that could lead to the compromise of an environment. Likewise, this control's recommendations related to keeping Java/PHP up to date for API/Function/Web apps can lead to hardening the public-facing content that uses these runtimes. This control's recommendations related to disabling public network access for Azure databases can lead to reducing the exposure of resources to the public Internet and thereby reduce the attack surface. These recommendations are limited to specific technologies (Java, PHP, CORS and SQL DBs) and therefore provide Minimal coverage, leading to a Minimal score. |
azure_security_center_recommendations | Azure Security Center Recommendations | protect | minimal | T1110 | Brute Force | This control's "Authentication to Linux machines should require SSH keys" recommendation can lead to obviating SSH brute-force password attacks. Because this is specific to Linux, the coverage score is Minimal, leading to an overall Minimal score. |
azure_security_center_recommendations | Azure Security Center Recommendations | protect | minimal | T1110.001 | Password Guessing | This control's "Authentication to Linux machines should require SSH keys" recommendation can obviate SSH brute-force password attacks. Because this is specific to Linux, the coverage score is Minimal, leading to an overall Minimal score. |
azure_security_center_recommendations | Azure Security Center Recommendations | protect | minimal | T1110.003 | Password Spraying | This control's "Authentication to Linux machines should require SSH keys" recommendation can obviate SSH brute-force password attacks. Because this is specific to Linux, the coverage score is Minimal, leading to an overall Minimal score. |
azure_security_center_recommendations | Azure Security Center Recommendations | protect | minimal | T1110.004 | Credential Stuffing | This control's "Authentication to Linux machines should require SSH keys" recommendation can obviate SSH brute-force password attacks. Because this is specific to Linux, the coverage score is Minimal, leading to an overall Minimal score. |
azure_security_center_recommendations | Azure Security Center Recommendations | protect | partial | T1542 | Pre-OS Boot | This control provides recommendations for enabling Secure Boot on Linux VMs that can mitigate a few of the sub-techniques of this technique. Because this is a recommendation and is limited to a few sub-techniques of this technique, its assessed score is Partial. |
azure_security_center_recommendations | Azure Security Center Recommendations | protect | partial | T1542.001 | System Firmware | This control's "Secure Boot should be enabled on your Linux virtual machine" and "Virtual machines should be attested for boot integrity health" recommendations can lead to enabling Secure Boot on Linux VMs to mitigate this sub-technique. Because this is specific to Linux VMs and is only a recommendation, its score is capped at Partial. |
azure_security_center_recommendations | Azure Security Center Recommendations | protect | partial | T1542.003 | Bootkit | This control's "Secure Boot should be enabled on your Linux virtual machine" and "Virtual machines should be attested for boot integrity health" recommendations can lead to enabling Secure Boot on Linux VMs to mitigate this sub-technique. Because this is specific to Linux VMs and is only a recommendation, its score is capped at Partial. |
azure_security_center_recommendations | Azure Security Center Recommendations | protect | minimal | T1499 | Endpoint Denial of Service | This control provides recommendations for limiting the CPU and memory resources consumed by a container to minimize resource exhaustion attacks. Because this control only covers one sub-technique of this technique, its score is assessed as Minimal. |
azure_security_center_recommendations | Azure Security Center Recommendations | protect | partial | T1499.001 | OS Exhaustion Flood | This control's "Container CPU and memory limits should be enforced" recommendation can lead to preventing resource exhaustion attacks by enforcing limits for containers so that the runtime prevents a container from using more than its configured resource limit. Because this is a recommendation, its score is capped at Partial. |
azure_security_center_recommendations | Azure Security Center Recommendations | protect | partial | T1525 | Implant Container Image | This control's "Container images should be deployed from trusted registries only", "Container registries should not allow unrestricted network access" and "Container registries should use private link" recommendations can lead to ensuring that container images are only loaded from trusted registries, thereby mitigating this technique. |
azure_security_center_recommendations | Azure Security Center Recommendations | protect | partial | T1068 | Exploitation for Privilege Escalation | This control's "Container with privilege escalation should be avoided", "Least privileged Linux capabilities should be enforced for containers", "Privileged containers should be avoided", "Running containers as root user should be avoided" and "Containers sharing sensitive host namespaces should be avoided" recommendations can make it difficult for adversaries to advance their operation through exploitation of undiscovered or unpatched vulnerabilities. Because this is a recommendation, the assessed score has been capped at Partial. |
azure_security_center_recommendations | Azure Security Center Recommendations | protect | minimal | T1098 | Account Manipulation | This control's "Immutable (read-only) root filesystem should be enforced for containers" recommendation can prevent modification of the SSH authorized_keys file. Because it is a recommendation and limited to only one sub-technique, its score is Minimal. |
azure_security_center_recommendations | Azure Security Center Recommendations | protect | minimal | T1098.004 | SSH Authorized Keys | This control's "Immutable (read-only) root filesystem should be enforced for containers" recommendation can lead to preventing modification of a Kubernetes container's file system, which can mitigate this technique. Because this recommendation is specific to Kubernetes containers, its score is Minimal. |
azure_security_center_recommendations | Azure Security Center Recommendations | protect | partial | T1554 | Compromise Client Software Binary | This control's "Immutable (read-only) root filesystem should be enforced for containers" recommendation can lead to preventing modification of binaries in Kubernetes containers, thereby mitigating this technique. Because this is a recommendation, its score is capped at Partial. |
azure_security_center_recommendations | Azure Security Center Recommendations | protect | minimal | T1136 | Create Account | This control's "Immutable (read-only) root filesystem should be enforced for containers" recommendation can mitigate a sub-technique of this technique. Due to its Minimal coverage, its score is assessed as Minimal. |
azure_security_center_recommendations | Azure Security Center Recommendations | protect | partial | T1136.001 | Local Account | This control's "Immutable (read-only) root filesystem should be enforced for containers" recommendation can lead to preventing system files from being modified in Kubernetes containers, thereby mitigating this sub-technique, since adding an account (on Linux) requires modifying system files. Because this is a recommendation, its score is capped at Partial. |
azure_security_center_recommendations | Azure Security Center Recommendations | protect | minimal | T1543 | Create or Modify System Process | This control's "Immutable (read-only) root filesystem should be enforced for containers" recommendation can mitigate a sub-technique of this technique. Due to its Minimal coverage, its score is assessed as Minimal. |
azure_security_center_recommendations | Azure Security Center Recommendations | protect | minimal | T1543.002 | Systemd Service | This control's "Immutable (read-only) root filesystem should be enforced for containers" recommendation can lead to preventing the addition or modification of systemd service files in Kubernetes containers, thereby mitigating this sub-technique. Because this is a recommendation and is specific to Kubernetes containers, its score is assessed as Minimal. |
azure_security_center_recommendations | Azure Security Center Recommendations | protect | minimal | T1546 | Event Triggered Execution | This control's "Immutable (read-only) root filesystem should be enforced for containers" recommendation can mitigate a sub-technique of this technique. Due to its Minimal coverage, its score is assessed as Minimal. |
azure_security_center_recommendations | Azure Security Center Recommendations | protect | minimal | T1546.004 | .bash_profile and .bashrc | This control's "Immutable (read-only) root filesystem should be enforced for containers" recommendation can lead to preventing additions to or modification of the file system in Kubernetes containers, thereby mitigating this sub-technique. Because this is a recommendation and is specific to Kubernetes containers, its score is assessed as Minimal. |
azure_security_center_recommendations | Azure Security Center Recommendations | protect | minimal | T1505 | Server Software Component | This control's "Immutable (read-only) root filesystem should be enforced for containers" recommendation can mitigate a sub-technique of this technique. Due to its Minimal coverage, its score is assessed as Minimal. |
azure_security_center_recommendations | Azure Security Center Recommendations | protect | minimal | T1505.003 | Web Shell | This control's "Immutable (read-only) root filesystem should be enforced for containers" recommendation can lead to preventing modifications to the file system in Kubernetes containers, which can mitigate adversaries installing web shells. Because this is a recommendation and is specific to Kubernetes containers, its score is assessed as Minimal. |
azure_security_center_recommendations | Azure Security Center Recommendations | protect | minimal | T1222 | File and Directory Permissions Modification | This control's "Immutable (read-only) root filesystem should be enforced for containers" recommendation can mitigate a sub-technique of this technique. Due to its Minimal coverage, its score is assessed as Minimal. |
azure_security_center_recommendations | Azure Security Center Recommendations | protect | minimal | T1222.002 | Linux and Mac File and Directory Permissions Modification | This control's "Immutable (read-only) root filesystem should be enforced for containers" recommendation can lead to preventing the modification of file system permissions in Kubernetes containers, thereby mitigating this sub-technique. Because this is a recommendation and is specific to Kubernetes containers, its score is assessed as Minimal. |
azure_security_center_recommendations | Azure Security Center Recommendations | protect | minimal | T1564 | Hide Artifacts | This control's "Immutable (read-only) root filesystem should be enforced for containers" recommendation can mitigate some of the sub-techniques of this technique. Due to its partial coverage and the Minimal score assessed for its sub-techniques, its score is assessed as Minimal. |
azure_security_center_recommendations | Azure Security Center Recommendations | protect | minimal | T1564.001 | Hidden Files and Directories | This control's "Immutable (read-only) root filesystem should be enforced for containers" recommendation can lead to preventing this sub-technique, which results in changes to the file system, directly or indirectly, during its execution. Because this is a recommendation and is specific to Kubernetes containers, its score is assessed as Minimal. |
azure_security_center_recommendations | Azure Security Center Recommendations | protect | minimal | T1564.005 | Hidden File System | This control's "Immutable (read-only) root filesystem should be enforced for containers" recommendation can lead to preventing this sub-technique, which results in changes to the file system, directly or indirectly, during its execution. Because this is a recommendation and is specific to Kubernetes containers, its score is assessed as Minimal. |
azure_security_center_recommendations | Azure Security Center Recommendations | protect | minimal | T1564.006 | Run Virtual Instance | This control's "Immutable (read-only) root filesystem should be enforced for containers" recommendation can lead to preventing this sub-technique, which results in changes to the file system, directly or indirectly, during its execution. Because this is a recommendation and is specific to Kubernetes containers, its score is assessed as Minimal. |
azure_security_center_recommendations | Azure Security Center Recommendations | protect | minimal | T1053 | Scheduled Task/Job | This control's "Immutable (read-only) root filesystem should be enforced for containers" recommendation can mitigate a few of the sub-techniques of this technique. Due to its Minimal coverage, its score is assessed as Minimal. |
azure_security_center_recommendations | Azure Security Center Recommendations | protect | minimal | T1053.003 | Cron | This control's "Immutable (read-only) root filesystem should be enforced for containers" recommendation can lead to preventing the addition or modification of the config files in Kubernetes containers that are required to implement the behavior described in this sub-technique. Because this is a recommendation and is specific to Kubernetes containers, its score is assessed as Minimal. |
azure_security_center_recommendations | Azure Security Center Recommendations | protect | minimal | T1053.006 | Systemd Timers | This control's "Immutable (read-only) root filesystem should be enforced for containers" recommendation can lead to preventing the addition or modification of the config files in Kubernetes containers that are required to implement the behavior described in this sub-technique. Because this is a recommendation and is specific to Kubernetes containers, its score is assessed as Minimal. |
azure_security_center_recommendations | Azure Security Center Recommendations | protect | minimal | T1556 | Modify Authentication Process | This control's "Immutable (read-only) root filesystem should be enforced for containers" recommendation can mitigate a sub-technique of this technique. Due to it being a recommendation and providing Minimal coverage, its score is assessed as Minimal. |
azure_security_center_recommendations | Azure Security Center Recommendations | protect | minimal | T1556.003 | Pluggable Authentication Modules | This control's "Immutable (read-only) root filesystem should be enforced for containers" recommendation can lead to preventing this sub-technique, which often modifies Pluggable Authentication Modules (PAM) components in the file system. Because this is a recommendation and is specific to Kubernetes containers, its score is assessed as Minimal. |
azure_security_center_recommendations | Azure Security Center Recommendations | protect | partial | T1080 | Taint Shared Content | This control's "Immutable (read-only) root filesystem should be enforced for containers" and "Usage of pod HostPath volume mounts should be restricted to a known list to restrict node access from compromised containers" recommendations can mitigate this technique. Due to it being a recommendation, its score is capped at Partial. |
azure_security_center_recommendations | Azure Security Center Recommendations | protect | partial | T1074 | Data Staged | This control's "Immutable (read-only) root filesystem should be enforced for containers" recommendation can lead to mitigating a sub-technique of this technique by preventing modification of the local filesystem. Due to it being a recommendation, its score is capped at Partial. |
azure_security_center_recommendations | Azure Security Center Recommendations | protect | partial | T1074.001 | Local Data Staging | This control's "Immutable (read-only) root filesystem should be enforced for containers" recommendation can lead to mitigating this sub-technique by preventing modification of the local filesystem. Due to it being a recommendation, its score is capped at Partial. |
azure_security_center_recommendations | Azure Security Center Recommendations | protect | partial | T1485 | Data Destruction | This control's "Immutable (read-only) root filesystem should be enforced for containers" recommendation can lead to mitigating this technique by preventing modification of the local filesystem. Due to it being a recommendation, its score is capped at Partial. |
azure_security_center_recommendations | Azure Security Center Recommendations | protect | partial | T1486 | Data Encrypted for Impact | This control's "Immutable (read-only) root filesystem should be enforced for containers" recommendation can lead to mitigating this technique by preventing modification of the local filesystem. Due to it being a recommendation, its score is capped at Partial. |
azure_security_center_recommendations | Azure Security Center Recommendations | protect | minimal | T1565 | Data Manipulation | This control's "Immutable (read-only) root filesystem should be enforced for containers" recommendation can lead to mitigating a sub-technique of this technique by preventing modification of the local filesystem. Due to it being a recommendation and mitigating only one sub-technique, its score is assessed as Minimal. |
azure_security_center_recommendations | Azure Security Center Recommendations | protect | partial | T1565.001 | Stored Data Manipulation | This control's "Immutable (read-only) root filesystem should be enforced for containers" recommendation can lead to mitigating this sub-technique by preventing modification of the local filesystem. Likewise, this control's recommendations related to using customer-managed keys to encrypt data at rest and enabling transparent data encryption for SQL databases can mitigate this sub-technique by reducing an adversary's ability to perform tailored data modifications. Due to it being a recommendation, its score is capped at Partial. |
azure_security_center_recommendations | Azure Security Center Recommendations | protect | minimal | T1078 | Valid Accounts | This control's recommendations about removing deprecated and external accounts with sensitive permissions from your subscription can lead to mitigating the Cloud Accounts sub-technique of this technique. Because this is a recommendation and has low coverage, it is assessed as Minimal. |
azure_security_center_recommendations | Azure Security Center Recommendations | protect | minimal | T1078.004 | Cloud Accounts | This control's "Deprecated accounts should be removed from your subscription" and "Deprecated accounts with owner permissions should be removed from your subscription" recommendations can lead to removing accounts that should not be used from your subscriptions, thereby denying adversaries the use of these accounts to find ways to access your data without being noticed. Likewise, the recommendations related to external account permissions can also mitigate this sub-technique. Because these are recommendations and are limited to deprecated and external accounts, this is scored as Minimal. |
azure_security_center_recommendations | Azure Security Center Recommendations | protect | partial | T1133 | External Remote Services | This control's "Management ports should be closed on your virtual machines" recommendation can lead to reducing the attack surface of your Azure VMs by recommending closing management ports. Because this is a recommendation, its score is limited to Partial. |
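Most of the Kubernetes rows above rest on the same handful of pod-level settings: an immutable root filesystem (T1098.004, T1554, T1136.001, T1543.002, T1546.004, T1505.003, T1222.002, T1564.x, T1053.x, T1556.003, T1074.001, T1485, T1486, T1565.001), CPU and memory limits (T1499.001), no privilege escalation, no privileged containers, a non-root user, least-privilege capabilities and no shared host namespaces (T1068), restricted HostPath mounts (T1080) and trusted registries (T1525). The audit below is an added example, not code from Azure Security Center or from the mapping project: it walks a pod spec and reports which of those recommendations the spec fails, so a defender can gate manifests before they reach a cluster where the recommendation is only advisory. The allow-lists `TRUSTED_REGISTRIES` and `ALLOWED_HOST_PATHS`, the two sample pods and the function names `audit_pod` and `image_registry` are this example's own assumptions, and its capability check (drop ALL, add nothing) is a stricter stand-in for the recommendation's own allowed-capability list.

```python
"""Audit a Kubernetes pod spec against the container-hardening recommendations
in the mapping table.  Added example: the check names, thresholds and allow-lists
are this file's own assumptions, not Azure Security Center's policy definitions."""
from typing import Any, Dict, List

# Constructed allow-lists; a real deployment supplies its own values.
TRUSTED_REGISTRIES = ("myregistry.azurecr.io",)
ALLOWED_HOST_PATHS = ("/var/log",)


def image_registry(image: str) -> str:
    """Registry host of an image reference (Docker's rule: the first path
    segment is a registry only if it looks like a host name or host:port)."""
    first = image.split("/", 1)[0]
    if "/" in image and ("." in first or ":" in first or first == "localhost"):
        return first
    return "docker.io"


def audit_pod(pod: Dict[str, Any]) -> List[str]:
    """Return one finding per violated recommendation; [] means hardened."""
    findings: List[str] = []
    spec = pod.get("spec", {})

    # "Containers sharing sensitive host namespaces should be avoided"
    for ns in ("hostPID", "hostIPC", "hostNetwork"):
        if spec.get(ns):
            findings.append(f"shared host namespace: {ns}")

    # "Usage of pod HostPath volume mounts should be restricted to a known list"
    for vol in spec.get("volumes", []):
        path = vol.get("hostPath", {}).get("path")
        if path is not None and path not in ALLOWED_HOST_PATHS:
            findings.append(f"hostPath volume outside allow-list: {path}")

    pod_sc = spec.get("securityContext", {})
    for c in spec.get("containers", []) + spec.get("initContainers", []):
        name = c.get("name", "<unnamed>")
        sc = {**pod_sc, **c.get("securityContext", {})}  # container overrides pod

        # "Container images should be deployed from trusted registries only"
        registry = image_registry(c.get("image", ""))
        if registry not in TRUSTED_REGISTRIES:
            findings.append(f"{name}: image from untrusted registry {registry}")

        # "Container CPU and memory limits should be enforced"
        limits = c.get("resources", {}).get("limits", {})
        for res in ("cpu", "memory"):
            if res not in limits:
                findings.append(f"{name}: no {res} limit")

        # "Immutable (read-only) root filesystem should be enforced for containers"
        if not sc.get("readOnlyRootFilesystem", False):
            findings.append(f"{name}: root filesystem is writable")

        # "Container with privilege escalation should be avoided"
        if sc.get("allowPrivilegeEscalation", True):
            findings.append(f"{name}: allowPrivilegeEscalation not disabled")

        # "Privileged containers should be avoided"
        if sc.get("privileged", False):
            findings.append(f"{name}: privileged container")

        # "Running containers as root user should be avoided"
        if not sc.get("runAsNonRoot", False) and sc.get("runAsUser", 0) == 0:
            findings.append(f"{name}: may run as root")

        # "Least privileged Linux capabilities should be enforced for containers"
        # (this example's stricter stand-in: drop ALL and add nothing)
        caps = sc.get("capabilities") or {}
        if "ALL" not in (caps.get("drop") or []) or caps.get("add"):
            findings.append(f"{name}: capabilities not reduced to least privilege")

    return findings


# Constructed sample: a pod violating most of the recommendations.
WEAK_POD = {
    "apiVersion": "v1", "kind": "Pod", "metadata": {"name": "weak"},
    "spec": {
        "hostPID": True,
        "volumes": [{"name": "root", "hostPath": {"path": "/"}}],
        "containers": [{"name": "app", "image": "nginx:latest",
                        "securityContext": {"privileged": True}}],
    },
}

# Constructed sample: the same workload with every recommendation applied.
HARDENED_POD = {
    "apiVersion": "v1", "kind": "Pod", "metadata": {"name": "hardened"},
    "spec": {
        "volumes": [{"name": "logs", "hostPath": {"path": "/var/log"}}],
        "containers": [{
            "name": "app", "image": "myregistry.azurecr.io/app:1.0",
            "resources": {"limits": {"cpu": "500m", "memory": "256Mi"}},
            "securityContext": {
                "readOnlyRootFilesystem": True, "allowPrivilegeEscalation": False,
                "privileged": False, "runAsNonRoot": True, "runAsUser": 10001,
                "capabilities": {"drop": ["ALL"]},
            },
        }],
    },
}

if __name__ == "__main__":
    for pod in (WEAK_POD, HARDENED_POD):
        print(pod["metadata"]["name"], audit_pod(pod) or ["no findings"])
```

Run against the weak sample the audit returns ten findings (one per failed recommendation); against the hardened sample it returns none. The finding strings are deliberately one line each so they can be emitted from a CI step or an admission webhook; the pod-level and container-level `securityContext` are merged because Kubernetes lets the container setting override the pod setting for the fields both share.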