Azure AD Identity Secure Score Capability Group (Azure)

All Mappings

Capability ID: azure_ad_identity_secure_score
Capability Description: Azure AD Identity Secure Score
(These two columns are identical for every mapping below. Each mapping row lists Category | Value | ATT&CK ID | ATT&CK Name, followed by the Notes for that row. The References field is empty for every mapping.)

Category | Value | ATT&CK ID | ATT&CK Name

protect | partial | T1110 | Brute Force
protect | partial | T1110.001 | Password Guessing
protect | partial | T1110.002 | Password Cracking
protect | partial | T1110.003 | Password Spraying
protect | partial | T1110.004 | Credential Stuffing

Comments (identical for T1110.001, T1110.002, T1110.003 and T1110.004): This control's "Require MFA for administrative roles" and "Ensure all users can complete multi-factor authentication for secure access" recommendations for enabling MFA can significantly reduce the impact of a password compromise, since the adversary must complete an additional authentication method before access is permitted. This control's "Do not expire passwords" recommendation can also mitigate the Password Guessing and Password Cracking sub-techniques by disabling password reset, which tends to lead users to select weaker passwords. This control's "Enable policy to block legacy authentication" and "Stop legacy protocols communication" recommendations can protect against these brute force attacks: Microsoft research has shown that organizations that have disabled legacy authentication experience 67 percent fewer compromises than those where legacy authentication is enabled, and the same research shows that more than 99 percent of password spray and more than 97 percent of credential stuffing attacks use legacy authentication. This control's "Resolve unsecure account attributes" recommendation can detect accounts with Kerberos preauthentication disabled, which enables offline Password Cracking. Because these are recommendations and do not actually enforce MFA, the assessed score is capped at Partial.

protect | minimal | T1078 | Valid Accounts

Comments: This control provides recommendations that can protect against the malicious use of valid cloud accounts but does not provide recommendations for the remaining sub-techniques. Additionally, it provides limited protection for this technique's procedure examples. Consequently, its overall protection coverage score is Minimal.

detect | minimal | T1078 | Valid Accounts

Comments: This control provides recommendations that can lead to the detection of the malicious use of valid cloud accounts but does not provide recommendations for the remaining sub-techniques. Additionally, it provides limited detection for this technique's procedure examples. Consequently, its overall detection coverage score is Minimal.

protect | partial | T1078.004 | Cloud Accounts

Comments: This control's "Require MFA for administrative roles" and "Ensure all users can complete multi-factor authentication for secure access" MFA recommendations can provide protection against an adversary that obtains valid credentials by requiring the adversary to complete an additional authentication process before access is permitted. See the mapping for MFA for more details. This control's "Use limited administrative roles" recommendation advises reviewing and limiting the number of accounts with global admin privilege, reducing what an adversary can do with a compromised valid account. Because these are recommendations and do not actually enforce the protections, the assessed score is capped at Partial.

detect | partial | T1078.004 | Cloud Accounts

Comments: This control's "Turn on sign-in risk policy" and "Turn on user risk policy" recommendations advise enabling Azure AD Identity Protection, which can lead to detecting adversary use of valid accounts. See the mapping for Azure AD Identity Protection.

protect | minimal | T1078.002 | Domain Accounts

Comments: This control's "Remove dormant accounts from sensitive groups" recommendation advises reviewing dormant (domain) accounts in sensitive groups via an assessment report that can identify sensitive accounts that are dormant. Because these are recommendations that do not actually enforce the protections, coupled with being limited to sensitive accounts, the assessed score is Minimal.

protect | minimal | T1078.003 | Local Accounts
protect | minimal | T1078.001 | Default Accounts

Comments (identical for T1078.003 and T1078.001): This control's "Protect and manage local admin passwords with Microsoft LAPS" recommendation advises periodically running and reviewing the Microsoft LAPS usage report, which identifies all Windows-based devices not protected by Microsoft LAPS. This can help reduce the compromise of local administrator accounts. Because this is a recommendation that is not actually enforced, coupled with being limited to sensitive accounts, the assessed score is Minimal.

protect | partial | T1531 | Account Access Removal

(No notes.)

protect | partial | T1528 | Steal Application Access Token

Comments: This control's "Do not allow users to grant consent to unmanaged applications" recommendation can protect against an adversary constructing a malicious application designed to be granted access to resources with the target user's OAuth token, by ensuring users cannot be fooled into granting consent to the application. Because this is a recommendation, its score is capped at Partial.

detect | partial | T1606 | Forge Web Credentials

(No notes.)

detect | partial | T1606.002 | SAML Tokens

Comments: This control's "Turn on sign-in risk policy" and "Turn on user risk policy" recommendations advise enabling Azure AD Identity Protection, which can detect the malicious use of SAML tokens. Because this is a recommendation, the score is capped at Partial.

protect | partial | T1558 | Steal or Forge Kerberos Tickets

(No notes.)

protect | partial | T1558.004 | AS-REP Roasting

Comments: This control's "Resolve unsecure account attributes" recommendation can lead to detecting Active Directory accounts that do not require Kerberos preauthentication. Preauthentication offers protection against offline (Kerberos) Password Cracking. Because this is a recommendation, its score is capped at Partial.

protect | partial | T1558.001 | Golden Ticket

Comments: This control's "Reduce lateral movement path risk to sensitive entities" recommendation can lead to protecting sensitive accounts against Pass-the-Hash and Pass-the-Ticket attacks that may result in an adversary acquiring a golden ticket. It advises running the Lateral-Movement-Paths report to understand and identify exactly how attackers can move laterally through the monitored network to gain access to privileged identities such as the KRBTGT account on the domain controller. Because this is a recommendation, its score is capped at Partial.

protect | partial | T1558.003 | Kerberoasting

Comments: This control's "Modify unsecure Kerberos delegations to prevent impersonation" recommendation promotes running the "Unsecure Kerberos delegation" report, which can identify accounts that have unsecure Kerberos delegation configured. Unsecured Kerberos delegation can expose account TGTs to more hosts, increasing the attack surface for Kerberoasting. Because this control provides only a recommendation, its score is capped at Partial.

protect | minimal | T1552 | Unsecured Credentials

Comments: This control's "Resolve unsecure account attributes" recommendation can lead to strengthening how account credentials are stored in Active Directory. This control provides recommendations specific to a few types of unsecured credentials (reversibly and weakly encrypted credentials) while providing none for any other, resulting in a Minimal score.

protect | partial | T1550 | Use Alternate Authentication Material

(No notes.)

protect | partial | T1550.003 | Pass the Ticket
protect | partial | T1550.002 | Pass the Hash

Comments (identical for T1550.003 and T1550.002): This control's "Reduce lateral movement path risk to sensitive entities" recommendation can lead to protecting sensitive accounts against Pass-the-Hash and Pass-the-Ticket attacks by advising running the Lateral-Movement-Paths report to understand and identify exactly how attackers can move laterally through the monitored network to gain access to privileged identities. Because this is a recommendation, its score is capped at Partial.

protect | minimal | T1040 | Network Sniffing

Comments: This control's "Stop clear text credentials exposure" recommendation advises running the "Entities exposing credentials in clear text" assessment, which monitors your traffic for any entities exposing credentials in clear text (via LDAP simple bind). This assessment appears specific to LDAP simple binds, and coupled with the fact that it is a recommendation and is not enforced, this results in a Minimal score.

detect | partial | T1133 | External Remote Services

Comments: This control's "Configure VPN Integration" recommendation can lead to detecting abnormal VPN connections that may be indicative of an attack. Although this control's recommendation is limited to one specific external remote service type (VPN), most of this technique's procedure examples are VPN related, resulting in a Partial overall score.

detect | minimal | T1134 | Access Token Manipulation

(No notes.)

detect | partial | T1134.005 | SID-History Injection

Comments: This control's "Remove unsecure SID history attributes from entities" recommendation promotes periodically running the "Unsecure SID history attributes" report, which can identify accounts with SID History attributes that Microsoft Defender for Identity profiles as risky. Because this is a recommendation and not actually enforced, coupled with the detection, its assessed score is capped at Partial.

Capabilities

Capability ID | Capability Name | Number of Mappings
azure_ad_identity_secure_score | Azure AD Identity Secure Score | 28