| Capability ID | Capability | Category | Score | Technique ID | Technique name |
| --- | --- | --- | --- | --- | --- |
| microsoft_defender_for_identity | Microsoft Defender for Identity | detect | minimal | T1087 | Account Discovery |
| microsoft_defender_for_identity | Microsoft Defender for Identity | detect | significant | T1087.002 | Domain Account |
| microsoft_defender_for_identity | Microsoft Defender for Identity | detect | minimal | T1482 | Domain Trust Discovery |
| microsoft_defender_for_identity | Microsoft Defender for Identity | detect | minimal | T1201 | Password Policy Discovery |
| microsoft_defender_for_identity | Microsoft Defender for Identity | detect | minimal | T1069 | Permission Groups Discovery |
| microsoft_defender_for_identity | Microsoft Defender for Identity | detect | significant | T1069.002 | Domain Groups |
| microsoft_defender_for_identity | Microsoft Defender for Identity | detect | minimal | T1210 | Exploitation of Remote Services |
| microsoft_defender_for_identity | Microsoft Defender for Identity | detect | partial | T1550 | Use Alternate Authentication Material |
| microsoft_defender_for_identity | Microsoft Defender for Identity | detect | partial | T1550.002 | Pass the Hash |
| microsoft_defender_for_identity | Microsoft Defender for Identity | detect | partial | T1550.003 | Pass the Ticket |
| microsoft_defender_for_identity | Microsoft Defender for Identity | detect | minimal | T1557 | Man-in-the-Middle |
| microsoft_defender_for_identity | Microsoft Defender for Identity | detect | minimal | T1557.001 | LLMNR/NBT-NS Poisoning and SMB Relay |
| microsoft_defender_for_identity | Microsoft Defender for Identity | detect | partial | T1110 | Brute Force |
| microsoft_defender_for_identity | Microsoft Defender for Identity | detect | significant | T1110.003 | Password Spraying |
| microsoft_defender_for_identity | Microsoft Defender for Identity | detect | significant | T1110.001 | Password Guessing |
| microsoft_defender_for_identity | Microsoft Defender for Identity | detect | partial | T1558 | Steal or Forge Kerberos Tickets |
| microsoft_defender_for_identity | Microsoft Defender for Identity | detect | partial | T1558.003 | Kerberoasting |
| microsoft_defender_for_identity | Microsoft Defender for Identity | detect | partial | T1558.004 | AS-REP Roasting |
| microsoft_defender_for_identity | Microsoft Defender for Identity | detect | partial | T1558.001 | Golden Ticket |
| microsoft_defender_for_identity | Microsoft Defender for Identity | detect | minimal | T1133 | External Remote Services |
| microsoft_defender_for_identity | Microsoft Defender for Identity | detect | minimal | T1555 | Credentials from Password Stores |
| microsoft_defender_for_identity | Microsoft Defender for Identity | detect | minimal | T1555.003 | Credentials from Web Browsers |
| microsoft_defender_for_identity | Microsoft Defender for Identity | detect | minimal | T1047 | Windows Management Instrumentation |
| microsoft_defender_for_identity | Microsoft Defender for Identity | detect | minimal | T1059 | Command and Scripting Interpreter |
| microsoft_defender_for_identity | Microsoft Defender for Identity | detect | minimal | T1059.001 | PowerShell |
| microsoft_defender_for_identity | Microsoft Defender for Identity | detect | minimal | T1021 | Remote Services |
| microsoft_defender_for_identity | Microsoft Defender for Identity | detect | minimal | T1021.002 | SMB/Windows Admin Shares |
| microsoft_defender_for_identity | Microsoft Defender for Identity | detect | minimal | T1569 | System Services |
| microsoft_defender_for_identity | Microsoft Defender for Identity | detect | minimal | T1569.002 | Service Execution |
| microsoft_defender_for_identity | Microsoft Defender for Identity | detect | significant | T1207 | Rogue Domain Controller |
| microsoft_defender_for_identity | Microsoft Defender for Identity | detect | minimal | T1003 | OS Credential Dumping |
| microsoft_defender_for_identity | Microsoft Defender for Identity | detect | significant | T1003.006 | DCSync |
| microsoft_defender_for_identity | Microsoft Defender for Identity | detect | minimal | T1003.003 | NTDS |
| microsoft_defender_for_identity | Microsoft Defender for Identity | detect | minimal | T1556 | Modify Authentication Process |
| microsoft_defender_for_identity | Microsoft Defender for Identity | detect | partial | T1556.001 | Domain Controller Authentication |
| microsoft_defender_for_identity | Microsoft Defender for Identity | detect | partial | T1098 | Account Manipulation |
| microsoft_defender_for_identity | Microsoft Defender for Identity | detect | minimal | T1543 | Create or Modify System Process |
| microsoft_defender_for_identity | Microsoft Defender for Identity | detect | minimal | T1543.003 | Windows Service |
| microsoft_defender_for_identity | Microsoft Defender for Identity | detect | minimal | T1071 | Application Layer Protocol |
| microsoft_defender_for_identity | Microsoft Defender for Identity | detect | partial | T1071.004 | DNS |
| microsoft_defender_for_identity | Microsoft Defender for Identity | detect | minimal | T1048 | Exfiltration Over Alternative Protocol |
| microsoft_defender_for_identity | Microsoft Defender for Identity | detect | partial | T1048.003 | Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol |