The CRI Profile is a control framework to develop and assess cybersecurity and resiliency programs, produced by and for the global financial sector and maintained by the Cyber Risk Institute (CRI). These mappings connect the security capability coverage of the CRI Profile's Diagnostic Statements with threat mitigation of real-world adversarial behaviors as described in MITRE ATT&CK. The connection of ATT&CK with the CRI Profile control program framework empowers threat-informed analysis and decision-making for cybersecurity control program design and implementation by the financial services sector.
CRI Profile Versions: v2.1
ATT&CK Versions: 16.1
ATT&CK Domain: Enterprise
ID | Capability Group Name | Number of Mappings | Number of Capabilities |
---|---|---|---|
ID.AM | Identify: Asset Management | 50 | 2 |
ID.RA | Identify: Risk Assessment | 11 | 1 |
ID.IM | Identify: Improvement | 15 | 1 |
PR.AA | Protect: Identity Management, Authentication, Access Control | 511 | 10 |
PR.DS | Protect: Data Security | 59 | 6 |
PR.PS | Protect: Platform Security | 671 | 16 |
PR.IR | Protect: Technology Infrastructure Resilience | 525 | 11 |
DE.CM | Detect: Continuous Monitoring | 263 | 10 |
DE.AE | Detect: Adverse Event Analysis | 81 | 1 |
EX.DD | Extend: Procurement Planning and Due Diligence | 12 | 1 |
EX.MM | Extend: Monitoring and Managing Suppliers | 11 | 1 |
This is a very large mapping. To reduce the size, only the first 550 of 2,209 mappings are shown here.
Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
---|---|---|---|---|---|
DE.AE-02.01 | Event analysis and detection | Mitigates | T1102.001 | Dead Drop Resolver |
Comments
This diagnostic statement provides for implementation of methods to block similar future attacks via security tools such as antivirus and IDS/IPS to provide protection against threats and exploitation attempts.
|
DE.AE-02.01 | Event analysis and detection | Mitigates | T1102.002 | Bidirectional Communication |
Comments
This diagnostic statement provides for implementation of methods to block similar future attacks via security tools such as antivirus and IDS/IPS to provide protection against threats and exploitation attempts.
|
DE.AE-02.01 | Event analysis and detection | Mitigates | T1102.003 | One-Way Communication |
Comments
This diagnostic statement provides for implementation of methods to block similar future attacks via security tools such as antivirus and IDS/IPS to provide protection against threats and exploitation attempts.
|
DE.AE-02.01 | Event analysis and detection | Mitigates | T1102 | Web Service |
Comments
This diagnostic statement provides for implementation of methods to block similar future attacks via security tools such as antivirus and IDS/IPS to provide protection against threats and exploitation attempts.
|
DE.AE-02.01 | Event analysis and detection | Mitigates | T1204.001 | Malicious Link |
Comments
This diagnostic statement provides for implementation of methods to block similar future attacks via security tools such as antivirus and IDS/IPS to provide protection against threats and exploitation attempts.
|
DE.AE-02.01 | Event analysis and detection | Mitigates | T1204.002 | Malicious File |
Comments
This diagnostic statement provides for implementation of methods to block similar future attacks via security tools such as antivirus and IDS/IPS to provide protection against threats and exploitation attempts.
|
DE.AE-02.01 | Event analysis and detection | Mitigates | T1204.003 | Malicious Image |
Comments
This diagnostic statement provides for implementation of methods to block similar future attacks via security tools such as antivirus and IDS/IPS to provide protection against threats and exploitation attempts.
|
DE.AE-02.01 | Event analysis and detection | Mitigates | T1204 | User Execution |
Comments
This diagnostic statement provides for implementation of methods to block similar future attacks via security tools such as antivirus and IDS/IPS to provide protection against threats and exploitation attempts.
|
DE.AE-02.01 | Event analysis and detection | Mitigates | T1029 | Scheduled Transfer |
Comments
This diagnostic statement provides for implementation of methods to block similar future attacks via security tools such as antivirus and IDS/IPS to provide protection against threats and exploitation attempts.
|
DE.AE-02.01 | Event analysis and detection | Mitigates | T1090.001 | Internal Proxy |
Comments
This diagnostic statement provides for implementation of methods to block similar future attacks via security tools such as antivirus and IDS/IPS to provide protection against threats and exploitation attempts.
|
DE.AE-02.01 | Event analysis and detection | Mitigates | T1090.002 | External Proxy |
Comments
This diagnostic statement provides for implementation of methods to block similar future attacks via security tools such as antivirus and IDS/IPS to provide protection against threats and exploitation attempts.
|
DE.AE-02.01 | Event analysis and detection | Mitigates | T1090 | Proxy |
Comments
This diagnostic statement provides for implementation of methods to block similar future attacks via security tools such as antivirus and IDS/IPS to provide protection against threats and exploitation attempts.
|
DE.AE-02.01 | Event analysis and detection | Mitigates | T1572 | Protocol Tunneling |
Comments
This diagnostic statement provides for implementation of methods to block similar future attacks via security tools such as antivirus and IDS/IPS to provide protection against threats and exploitation attempts.
|
DE.AE-02.01 | Event analysis and detection | Mitigates | T1542.005 | TFTP Boot |
Comments
This diagnostic statement provides for implementation of methods to block similar future attacks via security tools such as antivirus and IDS/IPS to provide protection against threats and exploitation attempts.
|
DE.AE-02.01 | Event analysis and detection | Mitigates | T1542.004 | ROMMONkit |
Comments
This diagnostic statement provides for implementation of methods to block similar future attacks via security tools such as antivirus and IDS/IPS to provide protection against threats and exploitation attempts.
|
DE.AE-02.01 | Event analysis and detection | Mitigates | T1571 | Non-Standard Port |
Comments
This diagnostic statement provides for implementation of methods to block similar future attacks via security tools such as antivirus and IDS/IPS to provide protection against threats and exploitation attempts.
|
DE.AE-02.01 | Event analysis and detection | Mitigates | T1095 | Non-Application Layer Protocol |
Comments
This diagnostic statement provides for implementation of methods to block similar future attacks via security tools such as antivirus and IDS/IPS to provide protection against threats and exploitation attempts.
|
DE.AE-02.01 | Event analysis and detection | Mitigates | T1104 | Multi-Stage Channels |
Comments
This diagnostic statement provides for implementation of methods to block similar future attacks via security tools such as antivirus and IDS/IPS to provide protection against threats and exploitation attempts.
|
DE.AE-02.01 | Event analysis and detection | Mitigates | T1570 | Lateral Tool Transfer |
Comments
This diagnostic statement provides for implementation of methods to block similar future attacks via security tools such as antivirus and IDS/IPS to provide protection against threats and exploitation attempts.
|
DE.AE-02.01 | Event analysis and detection | Mitigates | T1105 | Ingress Tool Transfer |
Comments
This diagnostic statement provides for implementation of methods to block similar future attacks via security tools such as antivirus and IDS/IPS to provide protection against threats and exploitation attempts.
|
DE.AE-02.01 | Event analysis and detection | Mitigates | T1008 | Fallback Channels |
Comments
This diagnostic statement provides for implementation of methods to block similar future attacks via security tools such as antivirus and IDS/IPS to provide protection against threats and exploitation attempts.
|
DE.AE-02.01 | Event analysis and detection | Mitigates | T1573.001 | Symmetric Cryptography |
Comments
This diagnostic statement provides for implementation of methods to block similar future attacks via security tools such as antivirus and IDS/IPS to provide protection against threats and exploitation attempts.
|
DE.AE-02.01 | Event analysis and detection | Mitigates | T1573 | Encrypted Channel |
Comments
This diagnostic statement provides for implementation of methods to block similar future attacks via security tools such as antivirus and IDS/IPS to provide protection against threats and exploitation attempts.
|
DE.AE-02.01 | Event analysis and detection | Mitigates | T1573.002 | Asymmetric Cryptography |
Comments
This diagnostic statement provides for implementation of methods to block similar future attacks via security tools such as antivirus and IDS/IPS to provide protection against threats and exploitation attempts.
|
DE.AE-02.01 | Event analysis and detection | Mitigates | T1568.002 | Domain Generation Algorithms |
Comments
This diagnostic statement provides for implementation of methods to block similar future attacks via security tools such as antivirus and IDS/IPS to provide protection against threats and exploitation attempts.
|
DE.AE-02.01 | Event analysis and detection | Mitigates | T1568 | Dynamic Resolution |
Comments
This diagnostic statement provides for implementation of methods to block similar future attacks via security tools such as antivirus and IDS/IPS to provide protection against threats and exploitation attempts.
|
DE.AE-02.01 | Event analysis and detection | Mitigates | T1030 | Data Transfer Size Limits |
Comments
This diagnostic statement provides for implementation of methods to block similar future attacks via security tools such as antivirus and IDS/IPS to provide protection against threats and exploitation attempts.
|
DE.AE-02.01 | Event analysis and detection | Mitigates | T1602.001 | SNMP (MIB Dump) |
Comments
This diagnostic statement provides for implementation of methods to block similar future attacks via security tools such as antivirus and IDS/IPS to provide protection against threats and exploitation attempts.
|
DE.AE-02.01 | Event analysis and detection | Mitigates | T1602.002 | Network Device Configuration Dump |
Comments
This diagnostic statement provides for implementation of methods to block similar future attacks via security tools such as antivirus and IDS/IPS to provide protection against threats and exploitation attempts.
|
DE.AE-02.01 | Event analysis and detection | Mitigates | T1602 | Data from Configuration Repository |
Comments
This diagnostic statement provides for implementation of methods to block similar future attacks via security tools such as antivirus and IDS/IPS to provide protection against threats and exploitation attempts.
|
DE.AE-02.01 | Event analysis and detection | Mitigates | T1041 | Exfiltration Over C2 Channel |
Comments
This diagnostic statement provides for implementation of methods to block similar future attacks via security tools such as antivirus and IDS/IPS to provide protection against threats and exploitation attempts.
|
DE.AE-02.01 | Event analysis and detection | Mitigates | T1048 | Exfiltration Over Alternative Protocol |
Comments
This diagnostic statement provides for implementation of methods to block similar future attacks via security tools such as antivirus and IDS/IPS to provide protection against threats and exploitation attempts.
|
DE.AE-02.01 | Event analysis and detection | Mitigates | T1048.001 | Exfiltration Over Symmetric Encrypted Non-C2 Protocol |
Comments
This diagnostic statement provides for implementation of methods to block similar future attacks via security tools such as antivirus and IDS/IPS to provide protection against threats and exploitation attempts.
|
DE.AE-02.01 | Event analysis and detection | Mitigates | T1048.002 | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol |
Comments
This diagnostic statement provides for implementation of methods to block similar future attacks via security tools such as antivirus and IDS/IPS to provide protection against threats and exploitation attempts.
|
DE.AE-02.01 | Event analysis and detection | Mitigates | T1048.003 | Exfiltration Over Unencrypted Non-C2 Protocol |
Comments
This diagnostic statement provides for implementation of methods to block similar future attacks via security tools such as antivirus and IDS/IPS to provide protection against threats and exploitation attempts.
|
DE.AE-02.01 | Event analysis and detection | Mitigates | T1132.002 | Non-Standard Encoding |
Comments
This diagnostic statement provides for implementation of methods to block similar future attacks via security tools such as antivirus and IDS/IPS to provide protection against threats and exploitation attempts.
|
DE.AE-02.01 | Event analysis and detection | Mitigates | T1132.001 | Standard Encoding |
Comments
This diagnostic statement provides for implementation of methods to block similar future attacks via security tools such as antivirus and IDS/IPS to provide protection against threats and exploitation attempts.
|
DE.AE-02.01 | Event analysis and detection | Mitigates | T1132 | Data Encoding |
Comments
This diagnostic statement provides for implementation of methods to block similar future attacks via security tools such as antivirus and IDS/IPS to provide protection against threats and exploitation attempts.
|
DE.AE-02.01 | Event analysis and detection | Mitigates | T1071.005 | Publish/Subscribe Protocols |
Comments
This diagnostic statement provides for implementation of methods to block similar future attacks via security tools such as antivirus and IDS/IPS to provide protection against threats and exploitation attempts.
|
DE.AE-02.01 | Event analysis and detection | Mitigates | T1071.001 | Web Protocols |
Comments
This diagnostic statement provides for implementation of methods to block similar future attacks via security tools such as antivirus and IDS/IPS to provide protection against threats and exploitation attempts.
|
DE.AE-02.01 | Event analysis and detection | Mitigates | T1071.002 | File Transfer Protocols |
Comments
This diagnostic statement provides for implementation of methods to block similar future attacks via security tools such as antivirus and IDS/IPS to provide protection against threats and exploitation attempts.
|
DE.AE-02.01 | Event analysis and detection | Mitigates | T1071.003 | Mail Protocols |
Comments
This diagnostic statement provides for implementation of methods to block similar future attacks via security tools such as antivirus and IDS/IPS to provide protection against threats and exploitation attempts.
|
DE.AE-02.01 | Event analysis and detection | Mitigates | T1071.004 | DNS |
Comments
This diagnostic statement provides for implementation of methods to block similar future attacks via security tools such as antivirus and IDS/IPS to provide protection against threats and exploitation attempts.
|
DE.AE-02.01 | Event analysis and detection | Mitigates | T1071 | Application Layer Protocol |
Comments
This diagnostic statement provides for implementation of methods to block similar future attacks via security tools such as antivirus and IDS/IPS to provide protection against threats and exploitation attempts.
|
DE.AE-02.01 | Event analysis and detection | Mitigates | T1557.004 | Evil Twin |
Comments
This diagnostic statement provides for implementation of methods to block similar future attacks via security tools such as antivirus and IDS/IPS to provide protection against threats and exploitation attempts.
|
DE.AE-02.01 | Event analysis and detection | Mitigates | T1557.001 | LLMNR/NBT-NS Poisoning and SMB Relay |
Comments
This diagnostic statement provides for implementation of methods to block similar future attacks via security tools such as antivirus and IDS/IPS to provide protection against threats and exploitation attempts.
|
DE.AE-02.01 | Event analysis and detection | Mitigates | T1557.003 | DHCP Spoofing |
Comments
This diagnostic statement provides for implementation of methods to block similar future attacks via security tools such as antivirus and IDS/IPS to provide protection against threats and exploitation attempts.
|
DE.AE-02.01 | Event analysis and detection | Mitigates | T1557 | Adversary-in-the-Middle |
Comments
This diagnostic statement provides for implementation of methods to block similar future attacks via security tools such as antivirus and IDS/IPS to provide protection against threats and exploitation attempts.
|
DE.AE-02.01 | Event analysis and detection | Mitigates | T1557.002 | ARP Cache Poisoning |
Comments
This diagnostic statement provides for implementation of methods to block similar future attacks via security tools such as antivirus and IDS/IPS to provide protection against threats and exploitation attempts.
|
DE.AE-02.01 | Event analysis and detection | Mitigates | T1219 | Remote Access Software |
Comments
This diagnostic statement provides for implementation of methods to block similar future attacks via security tools such as antivirus and IDS/IPS to provide protection against threats and exploitation attempts.
|
DE.AE-02.01 | Event analysis and detection | Mitigates | T1218.015 | Electron Applications |
Comments
This diagnostic statement provides for implementation of methods to block similar future attacks via security tools such as antivirus and IDS/IPS to provide protection against threats and exploitation attempts.
|
DE.AE-02.01 | Event analysis and detection | Mitigates | T1218.010 | Regsvr32 |
Comments
This diagnostic statement provides for implementation of methods to block similar future attacks via security tools such as antivirus and IDS/IPS to provide protection against threats and exploitation attempts.
|
DE.AE-02.01 | Event analysis and detection | Mitigates | T1218.011 | Rundll32 |
Comments
This diagnostic statement provides for implementation of methods to block similar future attacks via security tools such as antivirus and IDS/IPS to provide protection against threats and exploitation attempts.
|
DE.AE-02.01 | Event analysis and detection | Mitigates | T1218 | System Binary Proxy Execution |
Comments
This diagnostic statement provides for implementation of methods to block similar future attacks via security tools such as antivirus and IDS/IPS to provide protection against threats and exploitation attempts.
|
DE.AE-02.01 | Event analysis and detection | Mitigates | T1210 | Exploitation of Remote Services |
Comments
This diagnostic statement provides for implementation of methods to block similar future attacks via security tools such as antivirus and IDS/IPS to provide protection against threats and exploitation attempts.
|
DE.AE-02.01 | Event analysis and detection | Mitigates | T1068 | Exploitation for Privilege Escalation |
Comments
This diagnostic statement provides for implementation of methods to block similar future attacks via security tools such as antivirus and IDS/IPS to provide protection against threats and exploitation attempts.
|
DE.AE-02.01 | Event analysis and detection | Mitigates | T1211 | Exploitation for Defense Evasion |
Comments
This diagnostic statement provides for implementation of methods to block similar future attacks via security tools such as antivirus and IDS/IPS to provide protection against threats and exploitation attempts.
|
DE.AE-02.01 | Event analysis and detection | Mitigates | T1212 | Exploitation for Credential Access |
Comments
This diagnostic statement provides for implementation of methods to block similar future attacks via security tools such as antivirus and IDS/IPS to provide protection against threats and exploitation attempts.
|
DE.AE-02.01 | Event analysis and detection | Mitigates | T1203 | Exploitation for Client Execution |
Comments
This diagnostic statement provides for implementation of methods to block similar future attacks via security tools such as antivirus and IDS/IPS to provide protection against threats and exploitation attempts.
|
DE.AE-02.01 | Event analysis and detection | Mitigates | T1189 | Drive-by Compromise |
Comments
This diagnostic statement provides for implementation of methods to block similar future attacks via security tools such as antivirus and IDS/IPS to provide protection against threats and exploitation attempts.
|
DE.AE-02.01 | Event analysis and detection | Mitigates | T1221 | Template Injection |
Comments
This diagnostic statement provides for implementation of methods to block similar future attacks via security tools such as antivirus and IDS/IPS to provide protection against threats and exploitation attempts.
|
DE.AE-02.01 | Event analysis and detection | Mitigates | T1080 | Taint Shared Content |
Comments
This diagnostic statement provides for implementation of methods to block similar future attacks via security tools such as antivirus and IDS/IPS to provide protection against threats and exploitation attempts.
|
DE.AE-02.01 | Event analysis and detection | Mitigates | T1027.002 | Software Packing |
Comments
This diagnostic statement provides for implementation of methods to block similar future attacks via security tools such as antivirus and IDS/IPS to provide protection against threats and exploitation attempts.
|
DE.AE-02.01 | Event analysis and detection | Mitigates | T1027.013 | Encrypted/Encoded File |
Comments
This diagnostic statement provides for implementation of methods to block similar future attacks via security tools such as antivirus and IDS/IPS to provide protection against threats and exploitation attempts.
|
DE.AE-02.01 | Event analysis and detection | Mitigates | T1027.014 | Polymorphic Code |
Comments
This diagnostic statement provides for implementation of methods to block similar future attacks via security tools such as antivirus and IDS/IPS to provide protection against threats and exploitation attempts.
|
DE.AE-02.01 | Event analysis and detection | Mitigates | T1566 | Phishing |
Comments
This diagnostic statement provides for implementation of methods to block similar future attacks via security tools such as antivirus and IDS/IPS to provide protection against threats and exploitation attempts.
|
DE.AE-02.01 | Event analysis and detection | Mitigates | T1566.001 | Spearphishing Attachment |
Comments
This diagnostic statement provides for implementation of methods to block similar future attacks via security tools such as antivirus and IDS/IPS to provide protection against threats and exploitation attempts.
|
DE.AE-02.01 | Event analysis and detection | Mitigates | T1566.003 | Spearphishing via Service |
Comments
This diagnostic statement provides for implementation of methods to block similar future attacks via security tools such as antivirus and IDS/IPS to provide protection against threats and exploitation attempts.
|
DE.AE-02.01 | Event analysis and detection | Mitigates | T1027 | Obfuscated Files or Information |
Comments
This diagnostic statement provides for implementation of methods to block similar future attacks via security tools such as antivirus and IDS/IPS to provide protection against threats and exploitation attempts.
|
DE.AE-02.01 | Event analysis and detection | Mitigates | T1027.012 | LNK Icon Smuggling |
Comments
This diagnostic statement provides for implementation of methods to block similar future attacks via security tools such as antivirus and IDS/IPS to provide protection against threats and exploitation attempts.
|
DE.AE-02.01 | Event analysis and detection | Mitigates | T1027.009 | Embedded Payloads |
Comments
This diagnostic statement provides for implementation of methods to block similar future attacks via security tools such as antivirus and IDS/IPS to provide protection against threats and exploitation attempts.
|
DE.AE-02.01 | Event analysis and detection | Mitigates | T1036 | Masquerading |
Comments
This diagnostic statement provides for implementation of methods to block similar future attacks via security tools such as antivirus and IDS/IPS to provide protection against threats and exploitation attempts.
|
DE.AE-02.01 | Event analysis and detection | Mitigates | T1036.008 | Masquerade File Type |
Comments
This diagnostic statement provides for implementation of methods to block similar future attacks via security tools such as antivirus and IDS/IPS to provide protection against threats and exploitation attempts.
|
DE.AE-02.01 | Event analysis and detection | Mitigates | T1059.001 | PowerShell |
Comments
This diagnostic statement provides for implementation of methods to block similar future attacks via security tools such as antivirus and IDS/IPS to provide protection against threats and exploitation attempts.
|
DE.AE-02.01 | Event analysis and detection | Mitigates | T1059.005 | Visual Basic |
Comments
This diagnostic statement provides for implementation of methods to block similar future attacks via security tools such as antivirus and IDS/IPS to provide protection against threats and exploitation attempts.
|
DE.AE-02.01 | Event analysis and detection | Mitigates | T1059.006 | Python |
Comments
This diagnostic statement provides for implementation of methods to block similar future attacks via security tools such as antivirus and IDS/IPS to provide protection against threats and exploitation attempts.
|
DE.AE-02.01 | Event analysis and detection | Mitigates | T1059 | Command and Scripting Interpreter |
Comments
This diagnostic statement provides for implementation of methods to block similar future attacks via security tools such as antivirus and IDS/IPS to provide protection against threats and exploitation attempts.
|
DE.AE-02.01 | Event analysis and detection | Mitigates | T1001.002 | Steganography |
Comments
This diagnostic statement provides for implementation of methods to block similar future attacks via security tools such as antivirus and IDS/IPS to provide protection against threats and exploitation attempts.
|
DE.AE-02.01 | Event analysis and detection | Mitigates | T1001.001 | Junk Data |
Comments
This diagnostic statement provides for implementation of methods to block similar future attacks via security tools such as antivirus and IDS/IPS to provide protection against threats and exploitation attempts.
|
DE.AE-02.01 | Event analysis and detection | Mitigates | T1001.003 | Protocol or Service Impersonation |
Comments
This diagnostic statement provides for implementation of methods to block similar future attacks via security tools such as antivirus and IDS/IPS to provide protection against threats and exploitation attempts.
|
DE.AE-02.01 | Event analysis and detection | Mitigates | T1001 | Data Obfuscation |
Comments
This diagnostic statement provides for implementation of methods to block similar future attacks via security tools such as antivirus and IDS/IPS to provide protection against threats and exploitation attempts.
|
PR.IR-01.08 | End-user device access | Mitigates | T1006 | Direct Volume Access |
Comments
This diagnostic statement implements technical controls (e.g., VPN, antivirus software) to address the risks of end-user personal computing devices accessing the organization’s network and resources.
|
PR.IR-01.08 | End-user device access | Mitigates | T1221 | Template Injection |
Comments
This diagnostic statement implements technical controls (e.g., VPN, antivirus software) to address the risks of end-user personal computing devices accessing the organization’s network and resources.
|
PR.IR-01.08 | End-user device access | Mitigates | T1027.002 | Software Packing |
Comments
This diagnostic statement implements technical controls (e.g., VPN, antivirus software) to address the risks of end-user personal computing devices accessing the organization’s network and resources.
|
PR.IR-01.08 | End-user device access | Mitigates | T1080 | Taint Shared Content |
Comments
This diagnostic statement implements technical controls (e.g., VPN, antivirus software) to address the risks of end-user personal computing devices accessing the organization’s network and resources.
|
PR.IR-01.08 | End-user device access | Mitigates | T1027.014 | Polymorphic Code |
Comments
This diagnostic statement implements technical controls (e.g., VPN, antivirus software) to address the risks of end-user personal computing devices accessing the organization’s network and resources.
|
PR.IR-01.08 | End-user device access | Mitigates | T1027.013 | Encrypted/Encoded File |
Comments
This diagnostic statement implements technical controls (e.g., VPN, antivirus software) to address the risks of end-user personal computing devices accessing the organization’s network and resources.
|
PR.IR-01.08 | End-user device access | Mitigates | T1027.012 | LNK Icon Smuggling |
Comments
This diagnostic statement implements technical controls (e.g., VPN, antivirus software) to address the risks of end-user personal computing devices accessing the organization’s network and resources.
|
PR.IR-01.08 | End-user device access | Mitigates | T1027.010 | Command Obfuscation |
Comments
This diagnostic statement implements technical controls (e.g., VPN, antivirus software) to address the risks of end-user personal computing devices accessing the organization’s network and resources.
|
PR.IR-01.08 | End-user device access | Mitigates | T1027.009 | Embedded Payloads |
Comments
This diagnostic statement implements technical controls (e.g., VPN, antivirus software) to address the risks of end-user personal computing devices accessing the organization’s network and resources.
|
PR.IR-01.08 | End-user device access | Mitigates | T1027 | Obfuscated Files or Information |
Comments
This diagnostic statement implements technical controls (e.g., VPN, antivirus software) to address the risks of end-user personal computing devices accessing the organization’s network and resources.
|
PR.IR-01.08 | End-user device access | Mitigates | T1036.008 | Masquerade File Type | This diagnostic statement implements technical controls (e.g., VPN, antivirus software) to address the risks of end-user personal computing devices accessing the organization’s network and resources. |
PR.IR-01.08 | End-user device access | Mitigates | T1036 | Masquerading | This diagnostic statement implements technical controls (e.g., VPN, antivirus software) to address the risks of end-user personal computing devices accessing the organization’s network and resources. |
PR.IR-01.08 | End-user device access | Mitigates | T1564 | Hide Artifacts | This diagnostic statement implements technical controls (e.g., VPN, antivirus software) to address the risks of end-user personal computing devices accessing the organization’s network and resources. |
PR.IR-01.08 | End-user device access | Mitigates | T1564.012 | File/Path Exclusions | This diagnostic statement implements technical controls (e.g., VPN, antivirus software) to address the risks of end-user personal computing devices accessing the organization’s network and resources. |
PR.IR-01.08 | End-user device access | Mitigates | T1059 | Command and Scripting Interpreter | This diagnostic statement implements technical controls (e.g., VPN, antivirus software) to address the risks of end-user personal computing devices accessing the organization’s network and resources. |
PR.IR-01.08 | End-user device access | Mitigates | T1059.001 | PowerShell | This diagnostic statement implements technical controls (e.g., VPN, antivirus software) to address the risks of end-user personal computing devices accessing the organization’s network and resources. |
PR.IR-01.08 | End-user device access | Mitigates | T1059.005 | Visual Basic | This diagnostic statement implements technical controls (e.g., VPN, antivirus software) to address the risks of end-user personal computing devices accessing the organization’s network and resources. |
PR.IR-01.08 | End-user device access | Mitigates | T1059.006 | Python | This diagnostic statement implements technical controls (e.g., VPN, antivirus software) to address the risks of end-user personal computing devices accessing the organization’s network and resources. |
PR.IR-01.05 | Remote access protection | Mitigates | T1078.001 | Default Accounts | This diagnostic statement implements security controls and restrictions for remote user access to systems. Remote user access control involves managing and securing how users remotely access systems, such as through encrypted connections and account use policies, which help prevent adversary access. |
PR.IR-01.05 | Remote access protection | Mitigates | T1078.002 | Domain Accounts | This diagnostic statement implements security controls and restrictions for remote user access to systems. Remote user access control involves managing and securing how users remotely access systems, such as through encrypted connections and account use policies, which help prevent adversary access. |
PR.IR-01.05 | Remote access protection | Mitigates | T1199 | Trusted Relationship | This diagnostic statement implements security controls and restrictions for remote user access to systems. Remote user access control involves managing and securing how users remotely access systems, such as through encrypted connections and account use policies, which help prevent adversary access. |
PR.IR-01.05 | Remote access protection | Mitigates | T1021.007 | Cloud Services | This diagnostic statement implements security controls and restrictions for remote user access to systems. Remote user access control involves managing and securing how users remotely access systems, such as through encrypted connections and account use policies, which help prevent adversary access. |
PR.IR-01.05 | Remote access protection | Mitigates | T1021.008 | Direct Cloud VM Connections | This diagnostic statement implements security controls and restrictions for remote user access to systems. Remote user access control involves managing and securing how users remotely access systems, such as through encrypted connections and account use policies, which help prevent adversary access. |
PR.IR-01.05 | Remote access protection | Mitigates | T1021.002 | SMB/Windows Admin Shares | This diagnostic statement implements security controls and restrictions for remote user access to systems. Remote user access control involves managing and securing how users remotely access systems, such as through encrypted connections and account use policies, which help prevent adversary access. |
PR.IR-01.05 | Remote access protection | Mitigates | T1021.004 | SSH | This diagnostic statement implements security controls and restrictions for remote user access to systems. Remote user access control involves managing and securing how users remotely access systems, such as through encrypted connections and account use policies, which help prevent adversary access. |
PR.IR-01.05 | Remote access protection | Mitigates | T1021.006 | Windows Remote Management | This diagnostic statement implements security controls and restrictions for remote user access to systems. Remote user access control involves managing and securing how users remotely access systems, such as through encrypted connections and account use policies, which help prevent adversary access. |
PR.IR-01.05 | Remote access protection | Mitigates | T1021.005 | VNC | This diagnostic statement implements security controls and restrictions for remote user access to systems. Remote user access control involves managing and securing how users remotely access systems, such as through encrypted connections and account use policies, which help prevent adversary access. |
PR.IR-01.05 | Remote access protection | Mitigates | T1021.003 | Distributed Component Object Model | This diagnostic statement implements security controls and restrictions for remote user access to systems. Remote user access control involves managing and securing how users remotely access systems, such as through encrypted connections and account use policies, which help prevent adversary access. |
PR.IR-01.05 | Remote access protection | Mitigates | T1021.001 | Remote Desktop Protocol | This diagnostic statement implements security controls and restrictions for remote user access to systems. Remote user access control involves managing and securing how users remotely access systems, such as through encrypted connections and account use policies, which help prevent adversary access. |
PR.IR-01.05 | Remote access protection | Mitigates | T1021 | Remote Services | This diagnostic statement implements security controls and restrictions for remote user access to systems. Remote user access control involves managing and securing how users remotely access systems, such as through encrypted connections and account use policies, which help prevent adversary access. |
PR.IR-01.05 | Remote access protection | Mitigates | T1556.006 | Multi-Factor Authentication | This diagnostic statement implements security controls and restrictions for remote user access to systems. Remote user access control involves managing and securing how users remotely access systems, such as through encrypted connections and account use policies, which help prevent adversary access. |
PR.IR-01.05 | Remote access protection | Mitigates | T1133 | External Remote Services | This diagnostic statement implements security controls and restrictions for remote user access to systems. Remote user access control involves managing and securing how users remotely access systems, such as through encrypted connections and account use policies, which help prevent adversary access. |
PR.IR-01.05 | Remote access protection | Mitigates | T1136.001 | Local Account | This diagnostic statement implements security controls and restrictions for remote user access to systems. Remote user access control involves managing and securing how users remotely access systems, such as through encrypted connections and account use policies, which help prevent adversary access. |
PR.IR-01.05 | Remote access protection | Mitigates | T1136.002 | Domain Account | This diagnostic statement implements security controls and restrictions for remote user access to systems. Remote user access control involves managing and securing how users remotely access systems, such as through encrypted connections and account use policies, which help prevent adversary access. |
PR.IR-01.05 | Remote access protection | Mitigates | T1136.003 | Cloud Account | This diagnostic statement implements security controls and restrictions for remote user access to systems. Remote user access control involves managing and securing how users remotely access systems, such as through encrypted connections and account use policies, which help prevent adversary access. |
PR.IR-01.05 | Remote access protection | Mitigates | T1136 | Create Account | This diagnostic statement implements security controls and restrictions for remote user access to systems. Remote user access control involves managing and securing how users remotely access systems, such as through encrypted connections and account use policies, which help prevent adversary access. |
PR.IR-01.05 | Remote access protection | Mitigates | T1098.006 | Additional Container Cluster Roles | This diagnostic statement implements security controls and restrictions for remote user access to systems. Remote user access control involves managing and securing how users remotely access systems, such as through encrypted connections and account use policies, which help prevent adversary access. |
PR.IR-01.05 | Remote access protection | Mitigates | T1098.001 | Additional Cloud Credentials | This diagnostic statement implements security controls and restrictions for remote user access to systems. Remote user access control involves managing and securing how users remotely access systems, such as through encrypted connections and account use policies, which help prevent adversary access. |
PR.IR-01.05 | Remote access protection | Mitigates | T1098.002 | Additional Email Delegate Permissions | This diagnostic statement implements security controls and restrictions for remote user access to systems. Remote user access control involves managing and securing how users remotely access systems, such as through encrypted connections and account use policies, which help prevent adversary access. |
PR.IR-01.05 | Remote access protection | Mitigates | T1098.003 | Additional Cloud Roles | This diagnostic statement implements security controls and restrictions for remote user access to systems. Remote user access control involves managing and securing how users remotely access systems, such as through encrypted connections and account use policies, which help prevent adversary access. |
PR.IR-01.05 | Remote access protection | Mitigates | T1098 | Account Manipulation | This diagnostic statement implements security controls and restrictions for remote user access to systems. Remote user access control involves managing and securing how users remotely access systems, such as through encrypted connections and account use policies, which help prevent adversary access. |
PR.IR-01.05 | Remote access protection | Mitigates | T1078 | Valid Accounts | This diagnostic statement implements security controls and restrictions for remote user access to systems. Remote user access control involves managing and securing how users remotely access systems, such as through encrypted connections and account use policies, which help prevent adversary access. |
PR.IR-01.05 | Remote access protection | Mitigates | T1078.004 | Cloud Accounts | This diagnostic statement implements security controls and restrictions for remote user access to systems. Remote user access control involves managing and securing how users remotely access systems, such as through encrypted connections and account use policies, which help prevent adversary access. |
PR.IR-01.05 | Remote access protection | Mitigates | T1110.001 | Password Guessing | This diagnostic statement implements security controls and restrictions for remote user access to systems. Remote user access control involves managing and securing how users remotely access systems, such as through encrypted connections and account use policies, which help prevent adversary access. |
PR.IR-01.05 | Remote access protection | Mitigates | T1110.003 | Password Spraying | This diagnostic statement implements security controls and restrictions for remote user access to systems. Remote user access control involves managing and securing how users remotely access systems, such as through encrypted connections and account use policies, which help prevent adversary access. |
PR.IR-01.05 | Remote access protection | Mitigates | T1110.004 | Credential Stuffing | This diagnostic statement implements security controls and restrictions for remote user access to systems. Remote user access control involves managing and securing how users remotely access systems, such as through encrypted connections and account use policies, which help prevent adversary access. |
PR.IR-01.05 | Remote access protection | Mitigates | T1651 | Cloud Administration Command | This diagnostic statement implements security controls and restrictions for remote user access to systems. Remote user access control involves managing and securing how users remotely access systems, such as through encrypted connections and account use policies, which help prevent adversary access. |
PR.IR-01.05 | Remote access protection | Mitigates | T1648 | Serverless Execution | This diagnostic statement implements security controls and restrictions for remote user access to systems. Remote user access control involves managing and securing how users remotely access systems, such as through encrypted connections and account use policies, which help prevent adversary access. |
PR.IR-01.05 | Remote access protection | Mitigates | T1110 | Brute Force | This diagnostic statement implements security controls and restrictions for remote user access to systems. Remote user access control involves managing and securing how users remotely access systems, such as through encrypted connections and account use policies, which help prevent adversary access. |
PR.IR-01.05 | Remote access protection | Mitigates | T1606.002 | SAML Tokens | This diagnostic statement implements security controls and restrictions for remote user access to systems. Remote user access control involves managing and securing how users remotely access systems, such as through encrypted connections and account use policies, which help prevent adversary access. |
PR.IR-01.05 | Remote access protection | Mitigates | T1606 | Forge Web Credentials | This diagnostic statement implements security controls and restrictions for remote user access to systems. Remote user access control involves managing and securing how users remotely access systems, such as through encrypted connections and account use policies, which help prevent adversary access. |
PR.IR-01.05 | Remote access protection | Mitigates | T1601.002 | Downgrade System Image | This diagnostic statement implements security controls and restrictions for remote user access to systems. Remote user access control involves managing and securing how users remotely access systems, such as through encrypted connections and account use policies, which help prevent adversary access. |
PR.IR-01.05 | Remote access protection | Mitigates | T1601.001 | Patch System Image | This diagnostic statement implements security controls and restrictions for remote user access to systems. Remote user access control involves managing and securing how users remotely access systems, such as through encrypted connections and account use policies, which help prevent adversary access. |
PR.IR-01.05 | Remote access protection | Mitigates | T1601 | Modify System Image | This diagnostic statement implements security controls and restrictions for remote user access to systems. Remote user access control involves managing and securing how users remotely access systems, such as through encrypted connections and account use policies, which help prevent adversary access. |
PR.IR-01.05 | Remote access protection | Mitigates | T1569.002 | Service Execution | This diagnostic statement implements security controls and restrictions for remote user access to systems. Remote user access control involves managing and securing how users remotely access systems, such as through encrypted connections and account use policies, which help prevent adversary access. |
PR.IR-01.05 | Remote access protection | Mitigates | T1569 | System Services | This diagnostic statement implements security controls and restrictions for remote user access to systems. Remote user access control involves managing and securing how users remotely access systems, such as through encrypted connections and account use policies, which help prevent adversary access. |
PR.IR-01.05 | Remote access protection | Mitigates | T1563.001 | SSH Hijacking | This diagnostic statement implements security controls and restrictions for remote user access to systems. Remote user access control involves managing and securing how users remotely access systems, such as through encrypted connections and account use policies, which help prevent adversary access. |
PR.IR-01.05 | Remote access protection | Mitigates | T1558.003 | Kerberoasting | This diagnostic statement implements security controls and restrictions for remote user access to systems. Remote user access control involves managing and securing how users remotely access systems, such as through encrypted connections and account use policies, which help prevent adversary access. |
PR.IR-01.05 | Remote access protection | Mitigates | T1558.002 | Silver Ticket | This diagnostic statement implements security controls and restrictions for remote user access to systems. Remote user access control involves managing and securing how users remotely access systems, such as through encrypted connections and account use policies, which help prevent adversary access. |
PR.IR-01.05 | Remote access protection | Mitigates | T1558.001 | Golden Ticket | This diagnostic statement implements security controls and restrictions for remote user access to systems. Remote user access control involves managing and securing how users remotely access systems, such as through encrypted connections and account use policies, which help prevent adversary access. |
PR.IR-01.05 | Remote access protection | Mitigates | T1558 | Steal or Forge Kerberos Tickets | This diagnostic statement implements security controls and restrictions for remote user access to systems. Remote user access control involves managing and securing how users remotely access systems, such as through encrypted connections and account use policies, which help prevent adversary access. |
PR.IR-01.05 | Remote access protection | Mitigates | T1556.007 | Hybrid Identity | This diagnostic statement implements security controls and restrictions for remote user access to systems. Remote user access control involves managing and securing how users remotely access systems, such as through encrypted connections and account use policies, which help prevent adversary access. |
PR.IR-01.05 | Remote access protection | Mitigates | T1556.005 | Reversible Encryption | This diagnostic statement implements security controls and restrictions for remote user access to systems. Remote user access control involves managing and securing how users remotely access systems, such as through encrypted connections and account use policies, which help prevent adversary access. |
PR.IR-01.05 | Remote access protection | Mitigates | T1556.003 | Pluggable Authentication Modules | This diagnostic statement implements security controls and restrictions for remote user access to systems. Remote user access control involves managing and securing how users remotely access systems, such as through encrypted connections and account use policies, which help prevent adversary access. |
PR.IR-01.05 | Remote access protection | Mitigates | T1556.004 | Network Device Authentication | This diagnostic statement implements security controls and restrictions for remote user access to systems. Remote user access control involves managing and securing how users remotely access systems, such as through encrypted connections and account use policies, which help prevent adversary access. |
PR.IR-01.05 | Remote access protection | Mitigates | T1543.002 | Systemd Service | This diagnostic statement implements security controls and restrictions for remote user access to systems. Remote user access control involves managing and securing how users remotely access systems, such as through encrypted connections and account use policies, which help prevent adversary access. |
PR.IR-01.05 | Remote access protection | Mitigates | T1543 | Create or Modify System Process | This diagnostic statement implements security controls and restrictions for remote user access to systems. Remote user access control involves managing and securing how users remotely access systems, such as through encrypted connections and account use policies, which help prevent adversary access. |
PR.IR-01.05 | Remote access protection | Mitigates | T1547.006 | Kernel Modules and Extensions | This diagnostic statement implements security controls and restrictions for remote user access to systems. Remote user access control involves managing and securing how users remotely access systems, such as through encrypted connections and account use policies, which help prevent adversary access. |
PR.IR-01.05 | Remote access protection | Mitigates | T1548.002 | Bypass User Account Control | This diagnostic statement implements security controls and restrictions for remote user access to systems. Remote user access control involves managing and securing how users remotely access systems, such as through encrypted connections and account use policies, which help prevent adversary access. |
PR.IR-01.05 | Remote access protection | Mitigates | T1548.003 | Sudo and Sudo Caching | This diagnostic statement implements security controls and restrictions for remote user access to systems. Remote user access control involves managing and securing how users remotely access systems, such as through encrypted connections and account use policies, which help prevent adversary access. |
PR.IR-01.05 | Remote access protection | Mitigates | T1548.006 | TCC Manipulation | This diagnostic statement implements security controls and restrictions for remote user access to systems. Remote user access control involves managing and securing how users remotely access systems, such as through encrypted connections and account use policies, which help prevent adversary access. |
PR.IR-01.05 | Remote access protection | Mitigates | T1548 | Abuse Elevation Control Mechanism | This diagnostic statement implements security controls and restrictions for remote user access to systems. Remote user access control involves managing and securing how users remotely access systems, such as through encrypted connections and account use policies, which help prevent adversary access. |
PR.IR-01.05 | Remote access protection | Mitigates | T1484.002 | Trust Modification | This diagnostic statement implements security controls and restrictions for remote user access to systems. Remote user access control involves managing and securing how users remotely access systems, such as through encrypted connections and account use policies, which help prevent adversary access. |
PR.IR-01.05 | Remote access protection | Mitigates | T1484.001 | Group Policy Modification | This diagnostic statement implements security controls and restrictions for remote user access to systems. Remote user access control involves managing and securing how users remotely access systems, such as through encrypted connections and account use policies, which help prevent adversary access. |
PR.IR-01.05 | Remote access protection | Mitigates | T1484 | Domain or Tenant Policy Modification | This diagnostic statement implements security controls and restrictions for remote user access to systems. Remote user access control involves managing and securing how users remotely access systems, such as through encrypted connections and account use policies, which help prevent adversary access. |
PR.IR-01.05 | Remote access protection | Mitigates | T1550 | Use Alternate Authentication Material | This diagnostic statement implements security controls and restrictions for remote user access to systems. Remote user access control involves managing and securing how users remotely access systems, such as through encrypted connections and account use policies, which help prevent adversary access. |
PR.IR-01.05 | Remote access protection | Mitigates | T1542.001 | System Firmware | This diagnostic statement implements security controls and restrictions for remote user access to systems. Remote user access control involves managing and securing how users remotely access systems, such as through encrypted connections and account use policies, which help prevent adversary access. |
PR.IR-01.05 | Remote access protection | Mitigates | T1542.003 | Bootkit | This diagnostic statement implements security controls and restrictions for remote user access to systems. Remote user access control involves managing and securing how users remotely access systems, such as through encrypted connections and account use policies, which help prevent adversary access. |
PR.IR-01.04 | Wireless network protection | Mitigates | T1098 | Account Manipulation | This diagnostic statement provides protections for wireless networks. Implementation of wireless network management measures such as network segmentation and access controls reduces the attack surface, restricts movement by adversaries, and protects data from compromise. |
PR.IR-01.04 | Wireless network protection | Mitigates | T1021.006 | Windows Remote Management | This diagnostic statement provides protections for wireless networks. Implementation of wireless network management measures such as network segmentation and access controls reduces the attack surface, restricts movement by adversaries, and protects data from compromise. |
PR.IR-01.06 | Production environment segregation | Mitigates | T1599.001 | Network Address Translation Traversal | This diagnostic statement provides protections for production environments. Measures such as network segmentation and access control reduce the attack surface, restrict movement by adversaries, and protect critical assets and data from compromise. |
PR.IR-01.06 | Production environment segregation | Mitigates | T1599 | Network Boundary Bridging | This diagnostic statement provides protections for production environments. Measures such as network segmentation and access control reduce the attack surface, restrict movement by adversaries, and protect critical assets and data from compromise. |
PR.IR-01.06 | Production environment segregation | Mitigates | T1555.006 | Cloud Secrets Management Stores | This diagnostic statement provides protections for production environments. Measures such as network segmentation and access control reduce the attack surface, restrict movement by adversaries, and protect critical assets and data from compromise. |
PR.IR-01.06 | Production environment segregation | Mitigates | T1552.002 | Credentials in Registry | This diagnostic statement provides protections for production environments. Measures such as network segmentation and access control reduce the attack surface, restrict movement by adversaries, and protect critical assets and data from compromise. |
PR.IR-01.06 | Production environment segregation | Mitigates | T1548.003 | Sudo and Sudo Caching | This diagnostic statement provides protections for production environments. Measures such as network segmentation and access control reduce the attack surface, restrict movement by adversaries, and protect critical assets and data from compromise. |
PR.IR-01.06 | Production environment segregation | Mitigates | T1548.002 | Bypass User Account Control | This diagnostic statement provides protections for production environments. Measures such as network segmentation and access control reduce the attack surface, restrict movement by adversaries, and protect critical assets and data from compromise. |
PR.IR-01.06 | Production environment segregation | Mitigates | T1546.003 | Windows Management Instrumentation Event Subscription | This diagnostic statement provides protections for production environments. Measures such as network segmentation and access control reduce the attack surface, restrict movement by adversaries, and protect critical assets and data from compromise. |
PR.IR-01.06 | Production environment segregation | Mitigates | T1542.005 | TFTP Boot | This diagnostic statement provides protections for production environments. Measures such as network segmentation and access control reduce the attack surface, restrict movement by adversaries, and protect critical assets and data from compromise. |
PR.IR-01.06 | Production environment segregation | Mitigates | T1505.001 | SQL Stored Procedures | This diagnostic statement provides protections for production environments. Measures such as network segmentation and access control reduce the attack surface, restrict movement by adversaries, and protect critical assets and data from compromise. |
PR.IR-01.06 | Production environment segregation | Mitigates | T1505.002 | Transport Agent | This diagnostic statement provides protections for production environments. Measures such as network segmentation and access control reduce the attack surface, restrict movement by adversaries, and protect critical assets and data from compromise. |
PR.IR-01.06 | Production environment segregation | Mitigates | T1200 | Hardware Additions | This diagnostic statement provides protections for production environments. Measures such as network segmentation and access control reduce the attack surface, restrict movement by adversaries, and protect critical assets and data from compromise. |
PR.IR-01.06 | Production environment segregation | Mitigates | T1134.002 | Create Process with Token | This diagnostic statement provides protections for production environments. Measures such as network segmentation and access control reduce the attack surface, restrict movement by adversaries, and protect critical assets and data from compromise. |
PR.IR-01.06 | Production environment segregation | Mitigates | T1134.001 | Token Impersonation/Theft | This diagnostic statement provides protections for production environments. Measures such as network segmentation and access control reduce the attack surface, restrict movement by adversaries, and protect critical assets and data from compromise. |
PR.IR-01.06 | Production environment segregation | Mitigates | T1134.003 | Make and Impersonate Token | This diagnostic statement provides protections for production environments. Measures such as network segmentation and access control reduce the attack surface, restrict movement by adversaries, and protect critical assets and data from compromise. |
PR.IR-01.06 | Production environment segregation | Mitigates | T1133 | External Remote Services | This diagnostic statement provides protections for production environments. Measures such as network segmentation and access control reduce the attack surface, restrict movement by adversaries, and protect critical assets and data from compromise. |
PR.IR-01.06 | Production environment segregation | Mitigates | T1136.001 | Local Account | This diagnostic statement provides protections for production environments. Measures such as network segmentation and access control reduce the attack surface, restrict movement by adversaries, and protect critical assets and data from compromise. |
PR.IR-01.06 | Production environment segregation | Mitigates | T1136.002 | Domain Account | This diagnostic statement provides protections for production environments. Measures such as network segmentation and access control reduce the attack surface, restrict movement by adversaries, and protect critical assets and data from compromise. |
PR.IR-01.06 | Production environment segregation | Mitigates | T1136.003 | Cloud Account | This diagnostic statement provides protections for production environments. Measures such as network segmentation and access control reduce the attack surface, restrict movement by adversaries, and protect critical assets and data from compromise. |
PR.IR-01.06 | Production environment segregation | Mitigates | T1021.001 | Remote Desktop Protocol | This diagnostic statement provides protections for production environments. Measures such as network segmentation and access control reduce the attack surface, restrict movement by adversaries, and protect critical assets and data from compromise. |
PR.IR-01.02 | Network device configurations | Mitigates | T1610 | Deploy Container | This diagnostic statement provides protection through secure network device configurations (e.g., firewall rules, ports, and protocols) aligned to security baselines. Using network appliances to limit communications with container services can prevent adversary deployment of a container. |
PR.IR-01.02 | Network device configurations | Mitigates | T1557.001 | LLMNR/NBT-NS Poisoning and SMB Relay | This diagnostic statement provides protection through secure network device configurations (e.g., firewall rules, ports, and protocols) aligned to security baselines. Using network appliances to block or filter network traffic that is not necessary within the environment can prevent that traffic from being leveraged to create adversary-in-the-middle (AiTM) conditions. |
PR.IR-01.02 | Network device configurations | Mitigates | T1557.003 | DHCP Spoofing | This diagnostic statement provides protection through secure network device configurations (e.g., firewall rules, ports, and protocols) aligned to security baselines. Using network appliances to block or filter network traffic that is not necessary within the environment can prevent that traffic from being leveraged to create adversary-in-the-middle (AiTM) conditions. |
PR.IR-01.02 | Network device configurations | Mitigates | T1218 | System Binary Proxy Execution | This diagnostic statement provides protection through secure network device configurations (e.g., firewall rules, ports, and protocols) aligned to security baselines. Using network appliances to block or filter network traffic can help to mitigate this technique. |
PR.IR-01.02 | Network device configurations | Mitigates | T1071.004 | DNS | This diagnostic statement provides protection through secure network device configurations (e.g., firewall rules, ports, and protocols) aligned to security baselines. Using network appliances to block or filter network traffic that is not necessary within the environment can mitigate adversary use of application layer protocols. |
PR.PS-06.06 | Vulnerability remediation | Mitigates | T1495 | Firmware Corruption | This diagnostic statement provides for identifying and remediating vulnerabilities as part of the SDLC. Checking the integrity of the existing BIOS or EFI to determine whether it is vulnerable to modification, and updating firmware, can mitigate risks of exploitation and/or abuse. |
PR.PS-06.06 | Vulnerability remediation | Mitigates | T1068 | Exploitation for Privilege Escalation | This diagnostic statement provides for identifying and remediating vulnerabilities as part of the SDLC. Ensuring software is up to date with the latest security patches helps prevent adversaries from exploiting known vulnerabilities, reducing the risk of successful attacks. |
PR.PS-06.06 | Vulnerability remediation | Mitigates | T1211 | Exploitation for Defense Evasion | This diagnostic statement provides for identifying and remediating vulnerabilities as part of the SDLC. Ensuring software is up to date with the latest security patches helps prevent adversaries from exploiting known vulnerabilities, reducing the risk of successful attacks. |
PR.PS-06.06 | Vulnerability remediation | Mitigates | T1203 | Exploitation for Client Execution | This diagnostic statement provides for identifying and remediating vulnerabilities as part of the SDLC. Ensuring software is up to date with the latest security patches helps prevent adversaries from exploiting known vulnerabilities, reducing the risk of successful attacks. |
PR.PS-06.06 | Vulnerability remediation | Mitigates | T1137.005 | Outlook Rules | This diagnostic statement provides for identifying and remediating vulnerabilities as part of the SDLC. Applying vendor security updates mitigates the risk of exploitation and/or abuse of Office mechanisms that can be used for persistence when an Office-based application is started. |
PR.PS-06.06 | Vulnerability remediation | Mitigates | T1137 | Office Application Startup | This diagnostic statement provides for identifying and remediating vulnerabilities as part of the SDLC. Applying vendor security updates mitigates the risk of exploitation and/or abuse of Office mechanisms that can be used for persistence when an Office-based application is started. |
PR.PS-06.06 | Vulnerability remediation | Mitigates | T1137.003 | Outlook Forms | This diagnostic statement provides for identifying and remediating vulnerabilities as part of the SDLC. Applying vendor security updates mitigates the risk of exploitation and/or abuse of Office mechanisms that can be used for persistence when an Office-based application is started. |
PR.PS-06.06 | Vulnerability remediation | Mitigates | T1542.001 | System Firmware | This diagnostic statement provides for identifying and remediating vulnerabilities as part of the SDLC. Checking the integrity of the existing BIOS or EFI to determine whether it is vulnerable to modification, and updating firmware, can mitigate risks of exploitation and/or abuse. |
PR.PS-06.06 | Vulnerability remediation | Mitigates | T1542.002 | Component Firmware | This diagnostic statement provides for identifying and remediating vulnerabilities as part of the SDLC. Checking the integrity of the existing BIOS or EFI to determine whether it is vulnerable to modification, and updating firmware, can mitigate risks of exploitation and/or abuse. |
PR.PS-05.02 | Mobile code prevention | Mitigates | T1137.001 | Office Template Macros | Mobile code procedures address specific actions taken to prevent the development, acquisition, and introduction of unacceptable mobile code within organizational systems, including requiring mobile code to be digitally signed by a trusted source. |
PR.PS-05.02 | Mobile code prevention | Mitigates | T1137.002 | Office Test | Mobile code procedures address specific actions taken to prevent the development, acquisition, and introduction of unacceptable mobile code within organizational systems, including requiring mobile code to be digitally signed by a trusted source. |
PR.PS-05.02 | Mobile code prevention | Mitigates | T1137.003 | Outlook Forms | Mobile code procedures address specific actions taken to prevent the development, acquisition, and introduction of unacceptable mobile code within organizational systems, including requiring mobile code to be digitally signed by a trusted source. |
PR.PS-05.02 | Mobile code prevention | Mitigates | T1137.004 | Outlook Home Page | Mobile code procedures address specific actions taken to prevent the development, acquisition, and introduction of unacceptable mobile code within organizational systems, including requiring mobile code to be digitally signed by a trusted source. |
PR.PS-05.02 | Mobile code prevention | Mitigates | T1137.005 | Outlook Rules | Mobile code procedures address specific actions taken to prevent the development, acquisition, and introduction of unacceptable mobile code within organizational systems, including requiring mobile code to be digitally signed by a trusted source. |
PR.PS-05.02 | Mobile code prevention | Mitigates | T1137.006 | Add-ins | Mobile code procedures address specific actions taken to prevent the development, acquisition, and introduction of unacceptable mobile code within organizational systems, including requiring mobile code to be digitally signed by a trusted source. |
PR.PS-05.02 | Mobile code prevention | Mitigates | T1055.001 | Dynamic-link Library Injection | Mobile code procedures address specific actions taken to prevent the development, acquisition, and introduction of unacceptable mobile code within organizational systems, including requiring mobile code to be digitally signed by a trusted source. |
PR.PS-05.02 | Mobile code prevention | Mitigates | T1055.002 | Portable Executable Injection | Mobile code procedures address specific actions taken to prevent the development, acquisition, and introduction of unacceptable mobile code within organizational systems, including requiring mobile code to be digitally signed by a trusted source. |
PR.PS-05.02 | Mobile code prevention | Mitigates | T1055.003 | Thread Execution Hijacking | Mobile code procedures address specific actions taken to prevent the development, acquisition, and introduction of unacceptable mobile code within organizational systems, including requiring mobile code to be digitally signed by a trusted source. |
PR.PS-05.02 | Mobile code prevention | Mitigates | T1055.004 | Asynchronous Procedure Call | Mobile code procedures address specific actions taken to prevent the development, acquisition, and introduction of unacceptable mobile code within organizational systems, including requiring mobile code to be digitally signed by a trusted source. |
PR.PS-05.02 | Mobile code prevention | Mitigates | T1055.005 | Thread Local Storage | Mobile code procedures address specific actions taken to prevent the development, acquisition, and introduction of unacceptable mobile code within organizational systems, including requiring mobile code to be digitally signed by a trusted source. |
PR.PS-05.02 | Mobile code prevention | Mitigates | T1055.008 | Ptrace System Calls | Mobile code procedures address specific actions taken to prevent the development, acquisition, and introduction of unacceptable mobile code within organizational systems, including requiring mobile code to be digitally signed by a trusted source. |
PR.PS-05.02 | Mobile code prevention | Mitigates | T1055.009 | Proc Memory | Mobile code procedures address specific actions taken to prevent the development, acquisition, and introduction of unacceptable mobile code within organizational systems, including requiring mobile code to be digitally signed by a trusted source. |
PR.PS-05.02 | Mobile code prevention | Mitigates | T1055 | Process Injection | Mobile code procedures address specific actions taken to prevent the development, acquisition, and introduction of unacceptable mobile code within organizational systems, including requiring mobile code to be digitally signed by a trusted source. |
PR.PS-05.02 | Mobile code prevention | Mitigates | T1055.012 | Process Hollowing | Mobile code procedures address specific actions taken to prevent the development, acquisition, and introduction of unacceptable mobile code within organizational systems, including requiring mobile code to be digitally signed by a trusted source. |
PR.PS-05.02 | Mobile code prevention | Mitigates | T1055.013 | Process Doppelgänging | Mobile code procedures address specific actions taken to prevent the development, acquisition, and introduction of unacceptable mobile code within organizational systems, including requiring mobile code to be digitally signed by a trusted source. |
PR.PS-05.02 | Mobile code prevention | Mitigates | T1055.014 | VDSO Hijacking | Mobile code procedures address specific actions taken to prevent the development, acquisition, and introduction of unacceptable mobile code within organizational systems, including requiring mobile code to be digitally signed by a trusted source. |
PR.PS-05.01 | Malware prevention | Mitigates | T1221 | Template Injection | Antivirus/antimalware software can be utilized to prevent documents from fetching and/or executing malicious payloads. |
PR.PS-05.01 | Malware prevention | Mitigates | T1027 | Obfuscated Files or Information | Antivirus/antimalware software can be utilized to detect and quarantine suspicious files that adversaries have made difficult to discover by encrypting, encoding, or obfuscating them. |
PR.PS-01.01 | Configuration baselines | Mitigates | T1221 | Template Injection | This diagnostic statement provides for securely configuring production systems. This includes hardening default configurations and making security-focused setting adjustments to reduce the attack surface, enforce best practices, and protect sensitive data, thereby mitigating adversary exploitation. |
PR.PS-01.01 | Configuration baselines | Mitigates | T1566.003 | Spearphishing via Service | This diagnostic statement provides for securely configuring production systems. This includes hardening default configurations and making security-focused setting adjustments to reduce the attack surface, enforce best practices, and protect sensitive data, thereby mitigating adversary exploitation. |
PR.PS-01.01 | Configuration baselines | Mitigates | T1027.013 | Encrypted/Encoded File | This diagnostic statement provides for securely configuring production systems. This includes hardening default configurations and making security-focused setting adjustments to reduce the attack surface, enforce best practices, and protect sensitive data, thereby mitigating adversary exploitation. |
PR.PS-01.01 | Configuration baselines | Mitigates | T1027.014 | Polymorphic Code | This diagnostic statement provides for securely configuring production systems. This includes hardening default configurations and making security-focused setting adjustments to reduce the attack surface, enforce best practices, and protect sensitive data, thereby mitigating adversary exploitation. |
PR.PS-01.01 | Configuration baselines | Mitigates | T1027.002 | Software Packing | This diagnostic statement provides for securely configuring production systems. This includes hardening default configurations and making security-focused setting adjustments to reduce the attack surface, enforce best practices, and protect sensitive data, thereby mitigating adversary exploitation. |
PR.PS-01.01 | Configuration baselines | Mitigates | T1027.010 | Command Obfuscation | This diagnostic statement provides for securely configuring production systems. This includes hardening default configurations and making security-focused setting adjustments to reduce the attack surface, enforce best practices, and protect sensitive data, thereby mitigating adversary exploitation. |
PR.PS-01.01 | Configuration baselines | Mitigates | T1027.012 | LNK Icon Smuggling | This diagnostic statement provides for securely configuring production systems. This includes hardening default configurations and making security-focused setting adjustments to reduce the attack surface, enforce best practices, and protect sensitive data, thereby mitigating adversary exploitation. |
PR.PS-01.01 | Configuration baselines | Mitigates | T1027 | Obfuscated Files or Information | This diagnostic statement provides for securely configuring production systems. This includes hardening default configurations and making security-focused setting adjustments to reduce the attack surface, enforce best practices, and protect sensitive data, thereby mitigating adversary exploitation. |
PR.PS-01.01 | Configuration baselines | Mitigates | T1021.001 | Remote Desktop Protocol | This diagnostic statement provides for securely configuring production systems. This includes hardening default configurations and making security-focused setting adjustments to reduce the attack surface, enforce best practices, and protect sensitive data, thereby mitigating adversary exploitation. |
PR.PS-01.01 | Configuration baselines | Mitigates | T1036 | Masquerading | This diagnostic statement provides for securely configuring production systems. This includes hardening default configurations and making security-focused setting adjustments to reduce the attack surface, enforce best practices, and protect sensitive data, thereby mitigating adversary exploitation. |
PR.PS-01.01 | Configuration baselines | Mitigates | T1036.008 | Masquerade File Type | This diagnostic statement provides for securely configuring production systems. This includes hardening default configurations and making security-focused setting adjustments to reduce the attack surface, enforce best practices, and protect sensitive data, thereby mitigating adversary exploitation. |
PR.PS-01.01 | Configuration baselines | Mitigates | T1564 | Hide Artifacts | This diagnostic statement provides for securely configuring production systems. This includes hardening default configurations and making security-focused setting adjustments to reduce the attack surface, enforce best practices, and protect sensitive data, thereby mitigating adversary exploitation. |
PR.PS-01.01 | Configuration baselines | Mitigates | T1564.012 | File/Path Exclusions | This diagnostic statement provides for securely configuring production systems. This includes hardening default configurations and making security-focused setting adjustments to reduce the attack surface, enforce best practices, and protect sensitive data, thereby mitigating adversary exploitation. |
PR.PS-01.01 | Configuration baselines | Mitigates | T1059 | Command and Scripting Interpreter | This diagnostic statement provides for securely configuring production systems. This includes hardening default configurations and making security-focused setting adjustments to reduce the attack surface, enforce best practices, and protect sensitive data, thereby mitigating adversary exploitation. |
PR.PS-01.01 | Configuration baselines | Mitigates | T1059.006 | Python | This diagnostic statement provides for securely configuring production systems. This includes hardening default configurations and making security-focused setting adjustments to reduce the attack surface, enforce best practices, and protect sensitive data, thereby mitigating adversary exploitation. |
PR.PS-01.01 | Configuration baselines | Mitigates | T1059.005 | Visual Basic | This diagnostic statement provides for securely configuring production systems. This includes hardening default configurations and making security-focused setting adjustments to reduce the attack surface, enforce best practices, and protect sensitive data, thereby mitigating adversary exploitation. |
PR.PS-01.01 | Configuration baselines | Mitigates | T1053 | Scheduled Task/Job | This diagnostic statement provides for securely configuring production systems. This includes hardening default configurations and making security-focused setting adjustments to reduce the attack surface, enforce best practices, and protect sensitive data, thereby mitigating adversary exploitation. |
PR.PS-01.01 | Configuration baselines | Mitigates | T1548 | Abuse Elevation Control Mechanism | This diagnostic statement provides for securely configuring production systems. This includes hardening default configurations and making security-focused setting adjustments to reduce the attack surface, enforce best practices, and protect sensitive data, thereby mitigating adversary exploitation. |
PR.PS-01.01 | Configuration baselines | Mitigates | T1552 | Unsecured Credentials | This diagnostic statement provides for securely configuring production systems. This includes hardening default configurations and making security-focused setting adjustments to reduce the attack surface, enforce best practices, and protect sensitive data, thereby mitigating adversary exploitation. |
PR.PS-01.01 | Configuration baselines | Mitigates | T1552.003 | Bash History | This diagnostic statement provides for securely configuring production systems. This includes hardening default configurations and making security-focused setting adjustments to reduce the attack surface, enforce best practices, and protect sensitive data, thereby mitigating adversary exploitation. |
PR.PS-01.01 | Configuration baselines | Mitigates | T1003.002 | Security Account Manager | This diagnostic statement provides for securely configuring production systems. This includes hardening default configurations and making security-focused setting adjustments to reduce the attack surface, enforce best practices, and protect sensitive data, thereby mitigating adversary exploitation. |
PR.PS-01.01 | Configuration baselines | Mitigates | T1003.005 | Cached Domain Credentials | This diagnostic statement provides for securely configuring production systems. This includes hardening default configurations and making security-focused setting adjustments to reduce the attack surface, enforce best practices, and protect sensitive data, thereby mitigating adversary exploitation. |
PR.PS-01.01 | Configuration baselines | Mitigates | T1542.005 | TFTP Boot | This diagnostic statement provides for securely configuring production systems. This includes hardening default configurations and making security-focused setting adjustments to reduce the attack surface, enforce best practices, and protect sensitive data, thereby mitigating adversary exploitation. |
PR.PS-01.01 | Configuration baselines | Mitigates | T1563.002 | RDP Hijacking | This diagnostic statement provides for securely configuring production systems. This includes hardening default configurations and making security-focused setting adjustments to reduce the attack surface, enforce best practices, and protect sensitive data, thereby mitigating adversary exploitation. |
PR.PS-01.01 | Configuration baselines | Mitigates | T1027.009 | Embedded Payloads | This diagnostic statement provides for securely configuring production systems. This includes hardening default configurations and making security-focused setting adjustments to reduce the attack surface, enforce best practices, and protect sensitive data, thereby mitigating adversary exploitation. |
PR.PS-01.01 | Configuration baselines | Mitigates | T1059.001 | PowerShell | This diagnostic statement provides for securely configuring production systems. This includes hardening default configurations and making security-focused setting adjustments to reduce the attack surface, enforce best practices, and protect sensitive data, thereby mitigating adversary exploitation. |
PR.PS-01.01 | Configuration baselines | Mitigates | T1053.002 | At | This diagnostic statement provides for securely configuring production systems. This includes hardening default configurations and making security-focused setting adjustments to reduce the attack surface, enforce best practices, and protect sensitive data, thereby mitigating adversary exploitation. |
PR.PS-01.01 | Configuration baselines | Mitigates | T1053.005 | Scheduled Task | This diagnostic statement provides for securely configuring production systems. This includes hardening default configurations and making security-focused setting adjustments to reduce the attack surface, enforce best practices, and protect sensitive data, thereby mitigating adversary exploitation. |
PR.PS-01.01 | Configuration baselines | Mitigates | T1553 | Subvert Trust Controls | This diagnostic statement provides for securely configuring production systems. This includes hardening default configurations and making security-focused setting adjustments to reduce the attack surface, enforce best practices, and protect sensitive data, thereby mitigating adversary exploitation. |
PR.PS-01.01 | Configuration baselines | Mitigates | T1562.003 | Impair Command History Logging | This diagnostic statement provides for securely configuring production systems. This includes hardening default configurations and making security-focused setting adjustments to reduce the attack surface, enforce best practices, and protect sensitive data, thereby mitigating adversary exploitation. |
PR.PS-01.01 | Configuration baselines | Mitigates | T1098 | Account Manipulation | This diagnostic statement provides for securely configuring production systems. This includes hardening default configurations and making security-focused setting adjustments to reduce the attack surface, enforce best practices, and protect sensitive data, thereby mitigating adversary exploitation. |
PR.PS-01.01 | Configuration baselines | Mitigates | T1490 | Inhibit System Recovery | This diagnostic statement provides for securely configuring production systems. This includes hardening default configurations and making security-focused setting adjustments to reduce the attack surface, enforce best practices, and protect sensitive data, thereby mitigating adversary exploitation. |
PR.PS-01.01 | Configuration baselines | Mitigates | T1036.007 | Double File Extension | This diagnostic statement provides for securely configuring production systems. This includes hardening default configurations and making security-focused setting adjustments to reduce the attack surface, enforce best practices, and protect sensitive data, thereby mitigating adversary exploitation. |
PR.PS-01.01 | Configuration baselines | Mitigates | T1556 | Modify Authentication Process | This diagnostic statement provides for securely configuring production systems. This includes hardening default configurations and making security-focused setting adjustments to reduce the attack surface, enforce best practices, and protect sensitive data, thereby mitigating adversary exploitation. |
PR.PS-01.01 | Configuration baselines | Mitigates | T1556.002 | Password Filter DLL | This diagnostic statement provides for securely configuring production systems. This includes hardening default configurations and making security-focused setting adjustments to reduce the attack surface, enforce best practices, and protect sensitive data, thereby mitigating adversary exploitation. |
PR.PS-01.01 | Configuration baselines | Mitigates | T1556.008 | Network Provider DLL | This diagnostic statement provides for securely configuring production systems. This includes hardening default configurations and making security-focused setting adjustments to reduce the attack surface, enforce best practices, and protect sensitive data, thereby mitigating adversary exploitation. |
PR.PS-01.01 | Configuration baselines | Mitigates | T1135 | Network Share Discovery | This diagnostic statement provides for securely configuring production systems. This includes hardening default configurations and making security-focused setting adjustments to reduce the attack surface, enforce best practices, and protect sensitive data, thereby mitigating adversary exploitation. |
PR.PS-01.01 | Configuration baselines | Mitigates | T1003 | OS Credential Dumping | This diagnostic statement provides for securely configuring production systems. This includes hardening default configurations and making security-focused setting adjustments to reduce the attack surface, enforce best practices, and protect sensitive data, thereby mitigating adversary exploitation. |
PR.PS-01.01 | Configuration baselines | Mitigates | T1003.001 | LSASS Memory | This diagnostic statement provides for securely configuring production systems. This includes hardening default configurations and making security-focused setting adjustments to reduce the attack surface, enforce best practices, and protect sensitive data, thereby mitigating adversary exploitation. |
PR.PS-01.01 | Configuration baselines | Mitigates | T1197 | BITS Jobs | This diagnostic statement provides for securely configuring production systems. This includes hardening default configurations and making security-focused setting adjustments to reduce the attack surface, enforce best practices, and protect sensitive data, thereby mitigating adversary exploitation. |
PR.PS-01.01 | Configuration baselines | Mitigates | T1092 | Communication Through Removable Media | This diagnostic statement provides for securely configuring production systems. This includes hardening default configurations and making security-focused setting adjustments to reduce the attack surface, enforce best practices, and protect sensitive data, thereby mitigating adversary exploitation. |
PR.PS-01.01 | Configuration baselines | Mitigates | T1136 | Create Account | This diagnostic statement provides for securely configuring production systems. This includes hardening default configurations and making security-focused setting adjustments to reduce the attack surface, enforce best practices, and protect sensitive data, thereby mitigating adversary exploitation. |
PR.PS-01.01 | Configuration baselines | Mitigates | T1136.002 | Domain Account | This diagnostic statement provides for securely configuring production systems. This includes hardening default configurations and making security-focused setting adjustments to reduce the attack surface, enforce best practices, and protect sensitive data, thereby mitigating adversary exploitation. |
PR.PS-01.01 | Configuration baselines | Mitigates | T1543.003 | Windows Service | This diagnostic statement provides for securely configuring production systems. This includes hardening default configurations and making security-focused setting adjustments to reduce the attack surface, enforce best practices, and protect sensitive data, thereby mitigating adversary exploitation. |
PR.PS-01.01 | Configuration baselines | Mitigates | T1546.008 | Accessibility Features | This diagnostic statement provides for securely configuring production systems. This includes hardening default configurations and making security-focused setting adjustments to reduce the attack surface, enforce best practices, and protect sensitive data, thereby mitigating adversary exploitation. |
PR.PS-01.01 | Configuration baselines | Mitigates | T1011 | Exfiltration Over Other Network Medium | This diagnostic statement provides for securely configuring production systems. This includes hardening default configurations and making security-focused setting adjustments to reduce the attack surface, enforce best practices, and protect sensitive data, thereby mitigating adversary exploitation. |
PR.PS-01.01 | Configuration baselines | Mitigates | T1011.001 | Exfiltration Over Bluetooth | This diagnostic statement provides for securely configuring production systems. This includes hardening default configurations and making security-focused setting adjustments to reduce the attack surface, enforce best practices, and protect sensitive data, thereby mitigating adversary exploitation. |
PR.PS-01.01 | Configuration baselines | Mitigates | T1564.002 | Hidden Users | This diagnostic statement provides for securely configuring production systems. This includes hardening default configurations and making security-focused setting adjustments to reduce the attack surface, enforce best practices, and protect sensitive data, thereby mitigating adversary exploitation. |
PR.PS-01.01 | Configuration baselines | Mitigates | T1574.006 | Dynamic Linker Hijacking | This diagnostic statement provides for securely configuring production systems. This includes hardening default configurations and making security-focused setting adjustments to reduce the attack surface, enforce best practices, and protect sensitive data, thereby mitigating adversary exploitation. |
PR.PS-01.01 | Configuration baselines | Mitigates | T1087.002 | Domain Account | This diagnostic statement provides for securely configuring production systems. This includes hardening default configurations and making security-focused setting adjustments to reduce the attack surface, enforce best practices, and protect sensitive data, thereby mitigating adversary exploitation. |
PR.PS-01.01 | Configuration baselines | Mitigates | T1666 | Modify Cloud Resource Hierarchy | This diagnostic statement provides for securely configuring production systems. This includes hardening default configurations and making security-focused setting adjustments to reduce the attack surface, enforce best practices, and protect sensitive data, thereby mitigating adversary exploitation. |
PR.PS-01.01 | Configuration baselines | Mitigates | T1137 | Office Application Startup | This diagnostic statement provides for securely configuring production systems. This includes hardening default configurations and making security-focused setting adjustments to reduce the attack surface, enforce best practices, and protect sensitive data, thereby mitigating adversary exploitation. |
PR.PS-01.01 | Configuration baselines | Mitigates | T1137.002 | Office Test | This diagnostic statement provides for securely configuring production systems. This includes hardening default configurations and making security-focused setting adjustments to reduce the attack surface, enforce best practices, and protect sensitive data, thereby mitigating adversary exploitation. |
PR.PS-01.01 | Configuration baselines | Mitigates | T1566 | Phishing | This diagnostic statement provides for securely configuring production systems. This includes hardening default configurations and making security-focused setting adjustments to reduce the attack surface, enforce best practices, and protect sensitive data, thereby mitigating adversary exploitation. |
PR.PS-01.01 | Configuration baselines | Mitigates | T1566.001 | Spearphishing Attachment | This diagnostic statement provides for securely configuring production systems. This includes hardening default configurations and making security-focused setting adjustments to reduce the attack surface, enforce best practices, and protect sensitive data, thereby mitigating adversary exploitation. |
PR.PS-01.01 | Configuration baselines | Mitigates | T1566.002 | Spearphishing Link | This diagnostic statement provides for securely configuring production systems. This includes hardening default configurations and making security-focused setting adjustments to reduce the attack surface, enforce best practices, and protect sensitive data, thereby mitigating adversary exploitation. |
PR.PS-01.01 | Configuration baselines | Mitigates | T1598 | Phishing for Information |
Comments
This diagnostic statement provides for securely configuring production systems. This includes hardening default configurations and making security-focused setting adjustments to reduce the attack surface, enforce best practices, and protect sensitive data thereby mitigating adversary exploitation.
|
PR.PS-01.01 | Configuration baselines | Mitigates | T1598.002 | Spearphishing Attachment |
Comments
This diagnostic statement provides for securely configuring production systems. This includes hardening default configurations and making security-focused setting adjustments to reduce the attack surface, enforce best practices, and protect sensitive data thereby mitigating adversary exploitation.
|
PR.PS-01.01 | Configuration baselines | Mitigates | T1598.003 | Spearphishing Link |
Comments
This diagnostic statement provides for securely configuring production systems. This includes hardening default configurations and making security-focused setting adjustments to reduce the attack surface, enforce best practices, and protect sensitive data thereby mitigating adversary exploitation.
|
PR.PS-01.01 | Configuration baselines | Mitigates | T1539 | Steal Web Session Cookie |
Comments
This diagnostic statement provides for securely configuring production systems. This includes hardening default configurations and making security-focused setting adjustments to reduce the attack surface, enforce best practices, and protect sensitive data thereby mitigating adversary exploitation.
|
PR.PS-01.01 | Configuration baselines | Mitigates | T1553 | Subvert Trust Controls |
Comments
This diagnostic statement provides for securely configuring production systems. This includes hardening default configurations and making security-focused setting adjustments to reduce the attack surface, enforce best practices, and protect sensitive data thereby mitigating adversary exploitation.
|
PR.PS-01.01 | Configuration baselines | Mitigates | T1553.004 | Install Root Certificate |
Comments
This diagnostic statement provides for securely configuring production systems. This includes hardening default configurations and making security-focused setting adjustments to reduce the attack surface, enforce best practices, and protect sensitive data thereby mitigating adversary exploitation.
|
PR.PS-01.01 | Configuration baselines | Mitigates | T1537 | Transfer Data to Cloud Account |
Comments
This diagnostic statement provides for securely configuring production systems. This includes hardening default configurations and making security-focused setting adjustments to reduce the attack surface, enforce best practices, and protect sensitive data thereby mitigating adversary exploitation.
|
PR.PS-01.01 | Configuration baselines | Mitigates | T1535 | Unused/Unsupported Cloud Regions |
Comments
This diagnostic statement provides for securely configuring production systems. This includes hardening default configurations and making security-focused setting adjustments to reduce the attack surface, enforce best practices, and protect sensitive data thereby mitigating adversary exploitation.
|
PR.PS-01.01 | Configuration baselines | Mitigates | T1550.004 | Web Session Cookie |
Comments
This diagnostic statement provides for securely configuring production systems. This includes hardening default configurations and making security-focused setting adjustments to reduce the attack surface, enforce best practices, and protect sensitive data thereby mitigating adversary exploitation.
|
PR.PS-01.01 | Configuration baselines | Mitigates | T1547.006 | Kernel Modules and Extensions |
Comments
This diagnostic statement provides for securely configuring production systems. This includes hardening default configurations and making security-focused setting adjustments to reduce the attack surface, enforce best practices, and protect sensitive data thereby mitigating adversary exploitation.
|
PR.PS-01.01 | Configuration baselines | Mitigates | T1548.001 | Setuid and Setgid |
Comments
This diagnostic statement provides for securely configuring production systems. This includes hardening default configurations and making security-focused setting adjustments to reduce the attack surface, enforce best practices, and protect sensitive data thereby mitigating adversary exploitation.
|
PR.PS-01.01 | Configuration baselines | Mitigates | T1548.003 | Sudo and Sudo Caching |
Comments
This diagnostic statement provides for securely configuring production systems. This includes hardening default configurations and making security-focused setting adjustments to reduce the attack surface, enforce best practices, and protect sensitive data thereby mitigating adversary exploitation.
|
PR.PS-01.01 | Configuration baselines | Mitigates | T1087 | Account Discovery |
Comments
This diagnostic statement provides for securely configuring production systems. This includes hardening default configurations and making security-focused setting adjustments to reduce the attack surface, enforce best practices, and protect sensitive data thereby mitigating adversary exploitation.
|
PR.PS-01.01 | Configuration baselines | Mitigates | T1087.001 | Local Account |
Comments
This diagnostic statement provides for securely configuring production systems. This includes hardening default configurations and making security-focused setting adjustments to reduce the attack surface, enforce best practices, and protect sensitive data thereby mitigating adversary exploitation.
|
PR.PS-01.01 | Configuration baselines | Mitigates | T1559.002 | Dynamic Data Exchange |
Comments
This diagnostic statement provides for securely configuring production systems. This includes hardening default configurations and making security-focused setting adjustments to reduce the attack surface, enforce best practices, and protect sensitive data thereby mitigating adversary exploitation.
|
PR.PS-01.01 | Configuration baselines | Mitigates | T1543.005 | Container Service |
Comments
This diagnostic statement provides for securely configuring production systems. This includes hardening default configurations and making security-focused setting adjustments to reduce the attack surface, enforce best practices, and protect sensitive data thereby mitigating adversary exploitation.
|
PR.PS-01.01 | Configuration baselines | Mitigates | T1555.005 | Password Managers |
Comments
This diagnostic statement provides for securely configuring production systems. This includes hardening default configurations and making security-focused setting adjustments to reduce the attack surface, enforce best practices, and protect sensitive data thereby mitigating adversary exploitation.
|
PR.PS-01.01 | Configuration baselines | Mitigates | T1602 | Data from Configuration Repository |
Comments
This diagnostic statement provides for securely configuring production systems. This includes hardening default configurations and making security-focused setting adjustments to reduce the attack surface, enforce best practices, and protect sensitive data thereby mitigating adversary exploitation.
|
PR.PS-01.01 | Configuration baselines | Mitigates | T1602.001 | SNMP (MIB Dump) |
Comments
This diagnostic statement provides for securely configuring production systems. This includes hardening default configurations and making security-focused setting adjustments to reduce the attack surface, enforce best practices, and protect sensitive data thereby mitigating adversary exploitation.
|
PR.PS-01.01 | Configuration baselines | Mitigates | T1602.002 | Network Device Configuration Dump |
Comments
This diagnostic statement provides for securely configuring production systems. This includes hardening default configurations and making security-focused setting adjustments to reduce the attack surface, enforce best practices, and protect sensitive data thereby mitigating adversary exploitation.
|
PR.PS-01.01 | Configuration baselines | Mitigates | T1213 | Data from Information Repositories |
Comments
This diagnostic statement provides for securely configuring production systems. This includes hardening default configurations and making security-focused setting adjustments to reduce the attack surface, enforce best practices, and protect sensitive data thereby mitigating adversary exploitation.
|
PR.PS-01.01 | Configuration baselines | Mitigates | T1213.001 | Confluence |
Comments
This diagnostic statement provides for securely configuring production systems. This includes hardening default configurations and making security-focused setting adjustments to reduce the attack surface, enforce best practices, and protect sensitive data thereby mitigating adversary exploitation.
|
PR.PS-01.01 | Configuration baselines | Mitigates | T1213.002 | Sharepoint |
Comments
This diagnostic statement provides for securely configuring production systems. This includes hardening default configurations and making security-focused setting adjustments to reduce the attack surface, enforce best practices, and protect sensitive data thereby mitigating adversary exploitation.
|
PR.PS-01.01 | Configuration baselines | Mitigates | T1213.003 | Code Repositories |
Comments
This diagnostic statement provides for securely configuring production systems. This includes hardening default configurations and making security-focused setting adjustments to reduce the attack surface, enforce best practices, and protect sensitive data thereby mitigating adversary exploitation.
|
PR.PS-01.01 | Configuration baselines | Mitigates | T1213.004 | Customer Relationship Management Software |
Comments
This diagnostic statement provides for securely configuring production systems. This includes hardening default configurations and making security-focused setting adjustments to reduce the attack surface, enforce best practices, and protect sensitive data thereby mitigating adversary exploitation.
|
PR.PS-01.01 | Configuration baselines | Mitigates | T1213.005 | Messaging Applications |
Comments
This diagnostic statement provides for securely configuring production systems. This includes hardening default configurations and making security-focused setting adjustments to reduce the attack surface, enforce best practices, and protect sensitive data thereby mitigating adversary exploitation.
|
PR.PS-01.01 | Configuration baselines | Mitigates | T1606 | Forge Web Credentials |
Comments
This diagnostic statement provides for securely configuring production systems. This includes hardening default configurations and making security-focused setting adjustments to reduce the attack surface, enforce best practices, and protect sensitive data thereby mitigating adversary exploitation.
|
PR.PS-01.01 | Configuration baselines | Mitigates | T1606.001 | Web Cookies |
Comments
This diagnostic statement provides for securely configuring production systems. This includes hardening default configurations and making security-focused setting adjustments to reduce the attack surface, enforce best practices, and protect sensitive data thereby mitigating adversary exploitation.
|
PR.PS-01.01 | Configuration baselines | Mitigates | T1562 | Impair Defenses |
Comments
This diagnostic statement provides for securely configuring production systems. This includes hardening default configurations and making security-focused setting adjustments to reduce the attack surface, enforce best practices, and protect sensitive data thereby mitigating adversary exploitation.
|
PR.PS-01.01 | Configuration baselines | Mitigates | T1562.006 | Indicator Blocking |
Comments
This diagnostic statement provides for securely configuring production systems. This includes hardening default configurations and making security-focused setting adjustments to reduce the attack surface, enforce best practices, and protect sensitive data thereby mitigating adversary exploitation.
|
PR.PS-01.01 | Configuration baselines | Mitigates | T1562.009 | Safe Mode Boot |
Comments
This diagnostic statement provides for securely configuring production systems. This includes hardening default configurations and making security-focused setting adjustments to reduce the attack surface, enforce best practices, and protect sensitive data thereby mitigating adversary exploitation.
|
PR.PS-01.01 | Configuration baselines | Mitigates | T1562.010 | Downgrade Attack |
Comments
This diagnostic statement provides for securely configuring production systems. This includes hardening default configurations and making security-focused setting adjustments to reduce the attack surface, enforce best practices, and protect sensitive data thereby mitigating adversary exploitation.
|
PR.PS-01.01 | Configuration baselines | Mitigates | T1559 | Inter-Process Communication |
Comments
This diagnostic statement provides for securely configuring production systems. This includes hardening default configurations and making security-focused setting adjustments to reduce the attack surface, enforce best practices, and protect sensitive data thereby mitigating adversary exploitation.
|
PR.PS-01.01 | Configuration baselines | Mitigates | T1543 | Create or Modify System Process |
Comments
This diagnostic statement provides for securely configuring production systems. This includes hardening default configurations and making security-focused setting adjustments to reduce the attack surface, enforce best practices, and protect sensitive data thereby mitigating adversary exploitation.
|
PR.PS-01.01 | Configuration baselines | Mitigates | T1552 | Unsecured Credentials |
Comments
This diagnostic statement provides for securely configuring production systems. This includes hardening default configurations and making security-focused setting adjustments to reduce the attack surface, enforce best practices, and protect sensitive data thereby mitigating adversary exploitation.
|
PR.PS-01.02 | Least functionality | Mitigates | T1552 | Unsecured Credentials |
Comments
This diagnostic statement provides for limiting unnecessary software, services, ports, protocols, etc. Ensuring systems only have installed and enabled what is essential for their operation reduces the attack surface and minimizes vulnerabilities, which mitigates a wide range of techniques.
|
PR.PS-01.02 | Least functionality | Mitigates | T1552.003 | Bash History |
Comments
This diagnostic statement provides for limiting unnecessary software, services, ports, protocols, etc. Ensuring systems only have installed and enabled what is essential for their operation reduces the attack surface and minimizes vulnerabilities, which mitigates a wide range of techniques.
|
PR.PS-01.02 | Least functionality | Mitigates | T1003.002 | Security Account Manager |
Comments
This diagnostic statement provides for limiting unnecessary software, services, ports, protocols, etc. Ensuring systems only have installed and enabled what is essential for their operation reduces the attack surface and minimizes vulnerabilities, which mitigates a wide range of techniques.
|
PR.PS-01.02 | Least functionality | Mitigates | T1003.005 | Cached Domain Credentials |
Comments
This diagnostic statement provides for limiting unnecessary software, services, ports, protocols, etc. Ensuring systems only have installed and enabled what is essential for their operation reduces the attack surface and minimizes vulnerabilities, which mitigates a wide range of techniques.
|
PR.PS-01.02 | Least functionality | Mitigates | T1542.005 | TFTP Boot |
Comments
This diagnostic statement provides for limiting unnecessary software, services, ports, protocols, etc. Ensuring systems only have installed and enabled what is essential for their operation reduces the attack surface and minimizes vulnerabilities, which mitigates a wide range of techniques.
|
PR.PS-01.02 | Least functionality | Mitigates | T1563.002 | RDP Hijacking |
Comments
This diagnostic statement provides for limiting unnecessary software, services, ports, protocols, etc. Ensuring systems only have installed and enabled what is essential for their operation reduces the attack surface and minimizes vulnerabilities, which mitigates a wide range of techniques.
|
PR.PS-01.02 | Least functionality | Mitigates | T1021.001 | Remote Desktop Protocol |
Comments
This diagnostic statement provides for limiting unnecessary software, services, ports, protocols, etc. Ensuring systems only have installed and enabled what is essential for their operation reduces the attack surface and minimizes vulnerabilities, which mitigates a wide range of techniques.
|
PR.PS-01.02 | Least functionality | Mitigates | T1053 | Scheduled Task/Job |
Comments
This diagnostic statement provides for limiting unnecessary software, services, ports, protocols, etc. Ensuring systems only have installed and enabled what is essential for their operation reduces the attack surface and minimizes vulnerabilities, which mitigates a wide range of techniques.
|
PR.PS-01.02 | Least functionality | Mitigates | T1053.002 | At |
Comments
This diagnostic statement provides for limiting unnecessary software, services, ports, protocols, etc. Ensuring systems only have installed and enabled what is essential for their operation reduces the attack surface and minimizes vulnerabilities, which mitigates a wide range of techniques.
|
PR.PS-01.02 | Least functionality | Mitigates | T1053.005 | Scheduled Task |
Comments
This diagnostic statement provides for limiting unnecessary software, services, ports, protocols, etc. Ensuring systems only have installed and enabled what is essential for their operation reduces the attack surface and minimizes vulnerabilities, which mitigates a wide range of techniques.
|
PR.PS-01.02 | Least functionality | Mitigates | T1553 | Subvert Trust Controls |
Comments
This diagnostic statement provides for limiting unnecessary software, services, ports, protocols, etc. Ensuring systems only have installed and enabled what is essential for their operation reduces the attack surface and minimizes vulnerabilities, which mitigates a wide range of techniques.
|
PR.PS-01.02 | Least functionality | Mitigates | T1562.003 | Impair Command History Logging |
Comments
This diagnostic statement provides for limiting unnecessary software, services, ports, protocols, etc. Ensuring systems only have installed and enabled what is essential for their operation reduces the attack surface and minimizes vulnerabilities, which mitigates a wide range of techniques.
|
PR.PS-01.02 | Least functionality | Mitigates | T1098 | Account Manipulation |
Comments
This diagnostic statement provides for limiting unnecessary software, services, ports, protocols, etc. Ensuring systems only have installed and enabled what is essential for their operation reduces the attack surface and minimizes vulnerabilities, which mitigates a wide range of techniques.
|
PR.PS-01.02 | Least functionality | Mitigates | T1490 | Inhibit System Recovery |
Comments
This diagnostic statement provides for limiting unnecessary software, services, ports, protocols, etc. Ensuring systems only have installed and enabled what is essential for their operation reduces the attack surface and minimizes vulnerabilities, which mitigates a wide range of techniques.
|
PR.PS-01.02 | Least functionality | Mitigates | T1036.007 | Double File Extension |
Comments
This diagnostic statement provides for limiting unnecessary software, services, ports, protocols, etc. Ensuring systems only have installed and enabled what is essential for their operation reduces the attack surface and minimizes vulnerabilities, which mitigates a wide range of techniques.
|
PR.PS-01.02 | Least functionality | Mitigates | T1556 | Modify Authentication Process |
Comments
This diagnostic statement provides for limiting unnecessary software, services, ports, protocols, etc. Ensuring systems only have installed and enabled what is essential for their operation reduces the attack surface and minimizes vulnerabilities, which mitigates a wide range of techniques.
|
PR.PS-01.02 | Least functionality | Mitigates | T1556.002 | Password Filter DLL |
Comments
This diagnostic statement provides for limiting unnecessary software, services, ports, protocols, etc. Ensuring systems only have installed and enabled what is essential for their operation reduces the attack surface and minimizes vulnerabilities, which mitigates a wide range of techniques.
|
PR.PS-01.02 | Least functionality | Mitigates | T1556.008 | Network Provider DLL |
Comments
This diagnostic statement provides for limiting unnecessary software, services, ports, protocols, etc. Ensuring systems only have installed and enabled what is essential for their operation reduces the attack surface and minimizes vulnerabilities, which mitigates a wide range of techniques.
|
PR.PS-01.02 | Least functionality | Mitigates | T1135 | Network Share Discovery |
Comments
This diagnostic statement provides for limiting unnecessary software, services, ports, protocols, etc. Ensuring systems only have installed and enabled what is essential for their operation reduces the attack surface and minimizes vulnerabilities, which mitigates a wide range of techniques.
|
PR.PS-01.02 | Least functionality | Mitigates | T1003 | OS Credential Dumping |
Comments
This diagnostic statement provides for limiting unnecessary software, services, ports, protocols, etc. Ensuring systems only have installed and enabled what is essential for their operation reduces the attack surface and minimizes vulnerabilities, which mitigates a wide range of techniques.
|
PR.PS-01.02 | Least functionality | Mitigates | T1003.001 | LSASS Memory |
Comments
This diagnostic statement provides for limiting unnecessary software, services, ports, protocols, etc. Ensuring systems only have installed and enabled what is essential for their operation reduces the attack surface and minimizes vulnerabilities, which mitigates a wide range of techniques.
|
PR.PS-01.02 | Least functionality | Mitigates | T1197 | BITS Jobs |
Comments
This diagnostic statement provides for limiting unnecessary software, services, ports, protocols, etc. Ensuring systems only have installed and enabled what is essential for their operation reduces the attack surface and minimizes vulnerabilities, which mitigates a wide range of techniques.
|
PR.PS-01.02 | Least functionality | Mitigates | T1092 | Communication Through Removable Media |
Comments
This diagnostic statement provides for limiting unnecessary software, services, ports, protocols, etc. Ensuring systems only have installed and enabled what is essential for their operation reduces the attack surface and minimizes vulnerabilities, which mitigates a wide range of techniques.
|
PR.PS-01.02 | Least functionality | Mitigates | T1136 | Create Account |
Comments
This diagnostic statement provides for limiting unnecessary software, services, ports, protocols, etc. Ensuring systems only have installed and enabled what is essential for their operation reduces the attack surface and minimizes vulnerabilities, which mitigates a wide range of techniques.
|
PR.PS-01.02 | Least functionality | Mitigates | T1136.002 | Domain Account |
Comments
This diagnostic statement provides for limiting unnecessary software, services, ports, protocols, etc. Ensuring systems only have installed and enabled what is essential for their operation reduces the attack surface and minimizes vulnerabilities, which mitigates a wide range of techniques.
|
PR.PS-01.02 | Least functionality | Mitigates | T1543.003 | Windows Service |
Comments
This diagnostic statement provides for limiting unnecessary software, services, ports, protocols, etc. Ensuring systems only have installed and enabled what is essential for their operation reduces the attack surface and minimizes vulnerabilities, which mitigates a wide range of techniques.
|
PR.PS-01.02 | Least functionality | Mitigates | T1546.008 | Accessibility Features |
Comments
This diagnostic statement provides for limiting unnecessary software, services, ports, protocols, etc. Ensuring systems only have installed and enabled what is essential for their operation reduces the attack surface and minimizes vulnerabilities, which mitigates a wide range of techniques.
|
PR.PS-01.02 | Least functionality | Mitigates | T1011 | Exfiltration Over Other Network Medium |
Comments
This diagnostic statement provides for limiting unnecessary software, services, ports, protocols, etc. Ensuring systems only have installed and enabled what is essential for their operation reduces the attack surface and minimizes vulnerabilities, which mitigates a wide range of techniques.
|
PR.PS-01.02 | Least functionality | Mitigates | T1011.001 | Exfiltration Over Bluetooth |
Comments
This diagnostic statement provides for limiting unnecessary software, services, ports, protocols, etc. Ensuring systems only have installed and enabled what is essential for their operation reduces the attack surface and minimizes vulnerabilities, which mitigates a wide range of techniques.
|
PR.PS-01.02 | Least functionality | Mitigates | T1564.002 | Hidden Users |
Comments
This diagnostic statement provides for limiting unnecessary software, services, ports, protocols, etc. Ensuring systems only have installed and enabled what is essential for their operation reduces the attack surface and minimizes vulnerabilities, which mitigates a wide range of techniques.
|
PR.PS-01.02 | Least functionality | Mitigates | T1574.006 | Dynamic Linker Hijacking |
Comments
This diagnostic statement provides for limiting unnecessary software, services, ports, protocols, etc. Ensuring systems only have installed and enabled what is essential for their operation reduces the attack surface and minimizes vulnerabilities, which mitigates a wide range of techniques.
|
PR.PS-01.02 | Least functionality | Mitigates | T1087.002 | Domain Account |
Comments
This diagnostic statement provides for limiting unnecessary software, services, ports, protocols, etc. Ensuring systems only have installed and enabled what is essential for their operation reduces the attack surface and minimizes vulnerabilities, which mitigates a wide range of techniques.
|
PR.PS-01.02 | Least functionality | Mitigates | T1666 | Modify Cloud Resource Hierarchy |
Comments
This diagnostic statement provides for limiting unnecessary software, services, ports, protocols, etc. Ensuring systems only have installed and enabled what is essential for their operation reduces the attack surface and minimizes vulnerabilities, which mitigates a wide range of techniques.
|
PR.PS-01.02 | Least functionality | Mitigates | T1137 | Office Application Startup |
Comments
This diagnostic statement provides for limiting unnecessary software, services, ports, protocols, etc. Ensuring systems only have installed and enabled what is essential for their operation reduces the attack surface and minimizes vulnerabilities, which mitigates a wide range of techniques.
|
PR.PS-01.02 | Least functionality | Mitigates | T1137.002 | Office Test |
Comments
This diagnostic statement provides for limiting unnecessary software, services, ports, protocols, etc. Ensuring systems only have installed and enabled what is essential for their operation reduces the attack surface and minimizes vulnerabilities, which mitigates a wide range of techniques.
|
PR.PS-01.02 | Least functionality | Mitigates | T1566 | Phishing |
Comments
This diagnostic statement provides for limiting unnecessary software, services, ports, protocols, etc. Ensuring systems only have installed and enabled what is essential for their operation reduces the attack surface and minimizes vulnerabilities, which mitigates a wide range of techniques.
|
PR.PS-01.02 | Least functionality | Mitigates | T1566.001 | Spearphishing Attachment |
Comments
This diagnostic statement provides for limiting unnecessary software, services, ports, protocols, etc. Ensuring systems only have installed and enabled what is essential for their operation reduces the attack surface and minimizes vulnerabilities, which mitigates a wide range of techniques.
|
PR.PS-01.02 | Least functionality | Mitigates | T1566.002 | Spearphishing Link |
Comments
This diagnostic statement provides for limiting unnecessary software, services, ports, protocols, etc. Ensuring systems only have installed and enabled what is essential for their operation reduces the attack surface and minimizes vulnerabilities, which mitigates a wide range of techniques.
|
PR.PS-01.02 | Least functionality | Mitigates | T1598 | Phishing for Information |
Comments
This diagnostic statement provides for limiting unnecessary software, services, ports, protocols, etc. Ensuring systems only have installed and enabled what is essential for their operation reduces the attack surface and minimizes vulnerabilities, which mitigates a wide range of techniques.
|
PR.PS-01.02 | Least functionality | Mitigates | T1598.002 | Spearphishing Attachment |
Comments
This diagnostic statement provides for limiting unnecessary software, services, ports, protocols, etc. Ensuring systems only have installed and enabled what is essential for their operation reduces the attack surface and minimizes vulnerabilities, which mitigates a wide range of techniques.
|
PR.PS-01.02 | Least functionality | Mitigates | T1598.003 | Spearphishing Link |
Comments
This diagnostic statement provides for limiting unnecessary software, services, ports, protocols, etc. Ensuring systems only have installed and enabled what is essential for their operation reduces the attack surface and minimizes vulnerabilities, which mitigates a wide range of techniques.
|
PR.PS-01.02 | Least functionality | Mitigates | T1539 | Steal Web Session Cookie |
Comments
This diagnostic statement provides for limiting unnecessary software, services, ports, protocols, etc. Ensuring systems only have installed and enabled what is essential for their operation reduces the attack surface and minimizes vulnerabilities, which mitigates a wide range of techniques.
|
PR.PS-01.02 | Least functionality | Mitigates | T1553 | Subvert Trust Controls |
Comments
This diagnostic statement provides for limiting unnecessary software, services, ports, protocols, etc. Ensuring systems only have installed and enabled what is essential for their operation reduces the attack surface and minimizes vulnerabilities, which mitigates a wide range of techniques.
|
PR.PS-01.02 | Least functionality | Mitigates | T1553.004 | Install Root Certificate |
Comments
This diagnostic statement provides for limiting unnecessary software, services, ports, protocols, etc. Ensuring systems only have installed and enabled what is essential for their operation reduces the attack surface and minimizes vulnerabilities, which mitigates a wide range of techniques.
|
PR.PS-01.02 | Least functionality | Mitigates | T1537 | Transfer Data to Cloud Account |
Comments
This diagnostic statement provides for limiting unnecessary software, services, ports, protocols, etc. Ensuring systems only have installed and enabled what is essential for their operation reduces the attack surface and minimizes vulnerabilities, which mitigates a wide range of techniques.
|
PR.PS-01.02 | Least functionality | Mitigates | T1535 | Unused/Unsupported Cloud Regions |
Comments
This diagnostic statement provides for limiting unnecessary software, services, ports, protocols, etc. Ensuring systems only have installed and enabled what is essential for their operation reduces the attack surface and minimizes vulnerabilities, which mitigates a wide range of techniques.
|
PR.PS-01.02 | Least functionality | Mitigates | T1550.004 | Web Session Cookie |
Comments
This diagnostic statement provides for limiting unnecessary software, services, ports, protocols, etc. Ensuring systems only have installed and enabled what is essential for their operation reduces the attack surface and minimizes vulnerabilities, which mitigates a wide range of techniques.
|
PR.PS-01.02 | Least functionality | Mitigates | T1548 | Abuse Elevation Control Mechanism |
Comments
This diagnostic statement provides for limiting unnecessary software, services, ports, protocols, etc. Ensuring systems only have installed and enabled what is essential for their operation reduces the attack surface and minimizes vulnerabilities, which mitigates a wide range of techniques.
|
PR.PS-01.02 | Least functionality | Mitigates | T1548.001 | Setuid and Setgid |
Comments
This diagnostic statement provides for limiting unnecessary software, services, ports, protocols, etc. Ensuring systems only have installed and enabled what is essential for their operation reduces the attack surface and minimizes vulnerabilities, which mitigates a wide range of techniques.
|
PR.PS-01.02 | Least functionality | Mitigates | T1548.003 | Sudo and Sudo Caching |
Comments
This diagnostic statement provides for limiting unnecessary software, services, ports, protocols, etc. Ensuring systems only have installed and enabled what is essential for their operation reduces the attack surface and minimizes vulnerabilities, which mitigates a wide range of techniques.
|
PR.PS-01.02 | Least functionality | Mitigates | T1087 | Account Discovery |
Comments
This diagnostic statement provides for limiting unnecessary software, services, ports, protocols, etc. Ensuring systems only have installed and enabled what is essential for their operation reduces the attack surface and minimizes vulnerabilities, which mitigates a wide range of techniques.
|
PR.PS-01.02 | Least functionality | Mitigates | T1087.001 | Local Account |
Comments
This diagnostic statement provides for limiting unnecessary software, services, ports, protocols, etc. Ensuring systems only have installed and enabled what is essential for their operation reduces the attack surface and minimizes vulnerabilities, which mitigates a wide range of techniques.
|
PR.PS-01.02 | Least functionality | Mitigates | T1559.002 | Dynamic Data Exchange |
Comments
This diagnostic statement provides for limiting unnecessary software, services, ports, protocols, etc. Ensuring systems only have installed and enabled what is essential for their operation reduces the attack surface and minimizes vulnerabilities, which mitigates a wide range of techniques.
|
PR.PS-01.02 | Least functionality | Mitigates | T1543.005 | Container Service |
Comments
This diagnostic statement provides for limiting unnecessary software, services, ports, protocols, etc. Ensuring systems only have installed and enabled what is essential for their operation reduces the attack surface and minimizes vulnerabilities, which mitigates a wide range of techniques.
|
PR.PS-01.02 | Least functionality | Mitigates | T1555.005 | Password Managers |
Comments
This diagnostic statement provides for limiting unnecessary software, services, ports, protocols, etc. Ensuring systems only have installed and enabled what is essential for their operation reduces the attack surface and minimizes vulnerabilities, which mitigates a wide range of techniques.
|
PR.PS-01.02 | Least functionality | Mitigates | T1602 | Data from Configuration Repository |
Comments
This diagnostic statement provides for limiting unnecessary software, services, ports, protocols, etc. Ensuring systems only have installed and enabled what is essential for their operation reduces the attack surface and minimizes vulnerabilities, which mitigates a wide range of techniques.
|
PR.PS-01.02 | Least functionality | Mitigates | T1602.001 | SNMP (MIB Dump) |
Comments
This diagnostic statement provides for limiting unnecessary software, services, ports, protocols, etc. Ensuring systems only have installed and enabled what is essential for their operation reduces the attack surface and minimizes vulnerabilities, which mitigates a wide range of techniques.
|
PR.PS-01.02 | Least functionality | Mitigates | T1602.002 | Network Device Configuration Dump |
Comments
This diagnostic statement provides for limiting unnecessary software, services, ports, protocols, etc. Ensuring systems only have installed and enabled what is essential for their operation reduces the attack surface and minimizes vulnerabilities, which mitigates a wide range of techniques.
|
PR.PS-01.02 | Least functionality | Mitigates | T1213 | Data from Information Repositories |
Comments
This diagnostic statement provides for limiting unnecessary software, services, ports, protocols, etc. Ensuring systems only have installed and enabled what is essential for their operation reduces the attack surface and minimizes vulnerabilities, which mitigates a wide range of techniques.
|
PR.PS-01.02 | Least functionality | Mitigates | T1213.001 | Confluence |
Comments
This diagnostic statement provides for limiting unnecessary software, services, ports, protocols, etc. Ensuring systems only have installed and enabled what is essential for their operation reduces the attack surface and minimizes vulnerabilities, which mitigates a wide range of techniques.
|
PR.PS-01.02 | Least functionality | Mitigates | T1213.002 | Sharepoint |
Comments
This diagnostic statement provides for limiting unnecessary software, services, ports, protocols, etc. Ensuring systems only have installed and enabled what is essential for their operation reduces the attack surface and minimizes vulnerabilities, which mitigates a wide range of techniques.
|
PR.PS-01.02 | Least functionality | Mitigates | T1213.003 | Code Repositories |
Comments
This diagnostic statement provides for limiting unnecessary software, services, ports, protocols, etc. Ensuring systems only have installed and enabled what is essential for their operation reduces the attack surface and minimizes vulnerabilities, which mitigates a wide range of techniques.
|
PR.PS-01.02 | Least functionality | Mitigates | T1213.004 | Customer Relationship Management Software |
Comments
This diagnostic statement provides for limiting unnecessary software, services, ports, protocols, etc. Ensuring systems only have installed and enabled what is essential for their operation reduces the attack surface and minimizes vulnerabilities, which mitigates a wide range of techniques.
|
PR.PS-01.02 | Least functionality | Mitigates | T1213.005 | Messaging Applications |
Comments
This diagnostic statement provides for limiting unnecessary software, services, ports, protocols, etc. Ensuring systems only have installed and enabled what is essential for their operation reduces the attack surface and minimizes vulnerabilities, which mitigates a wide range of techniques.
|
PR.PS-01.02 | Least functionality | Mitigates | T1606 | Forge Web Credentials |
Comments
This diagnostic statement provides for limiting unnecessary software, services, ports, protocols, etc. Ensuring systems only have installed and enabled what is essential for their operation reduces the attack surface and minimizes vulnerabilities, which mitigates a wide range of techniques.
|
PR.PS-01.02 | Least functionality | Mitigates | T1606.001 | Web Cookies |
Comments
This diagnostic statement provides for limiting unnecessary software, services, ports, protocols, etc. Ensuring systems only have installed and enabled what is essential for their operation reduces the attack surface and minimizes vulnerabilities, which mitigates a wide range of techniques.
|
PR.PS-01.02 | Least functionality | Mitigates | T1562 | Impair Defenses |
Comments
This diagnostic statement provides for limiting unnecessary software, services, ports, protocols, etc. Ensuring systems only have installed and enabled what is essential for their operation reduces the attack surface and minimizes vulnerabilities, which mitigates a wide range of techniques.
|
PR.PS-01.02 | Least functionality | Mitigates | T1562.006 | Indicator Blocking |
Comments
This diagnostic statement provides for limiting unnecessary software, services, ports, protocols, etc. Ensuring systems only have installed and enabled what is essential for their operation reduces the attack surface and minimizes vulnerabilities, which mitigates a wide range of techniques.
|
PR.PS-01.02 | Least functionality | Mitigates | T1562.009 | Safe Mode Boot |
Comments
This diagnostic statement provides for limiting unnecessary software, services, ports, protocols, etc. Ensuring systems only have installed and enabled what is essential for their operation reduces the attack surface and minimizes vulnerabilities, which mitigates a wide range of techniques.
|
PR.PS-01.02 | Least functionality | Mitigates | T1562.010 | Downgrade Attack |
Comments
This diagnostic statement provides for limiting unnecessary software, services, ports, protocols, etc. Ensuring systems only have installed and enabled what is essential for their operation reduces the attack surface and minimizes vulnerabilities, which mitigates a wide range of techniques.
|
PR.PS-01.02 | Least functionality | Mitigates | T1559 | Inter-Process Communication |
Comments
This diagnostic statement provides for limiting unnecessary software, services, ports, protocols, etc. Ensuring systems only have installed and enabled what is essential for their operation reduces the attack surface and minimizes vulnerabilities, which mitigates a wide range of techniques.
|
PR.AA-05.03 | Service accounts | Mitigates | T1558.001 | Golden Ticket |
Comments
This diagnostic statement describes security controls implemented for service accounts (i.e., accounts used by systems to access other systems). Limit service accounts to minimal required privileges to mitigate attempts to steal or forge Kerberos tickets.
|
PR.AA-05.03 | Service accounts | Mitigates | T1563 | Remote Service Session Hijacking |
Comments
This diagnostic statement is for the implementation of security controls for service accounts (i.e., accounts used by systems to access other systems), such as granting service accounts only the minimum necessary permissions.
|
PR.AA-05.03 | Service accounts | Mitigates | T1563.002 | RDP Hijacking |
Comments
This diagnostic statement is for the implementation of security controls for service accounts (i.e., accounts used by systems to access other systems), such as granting service accounts only the minimum necessary permissions.
|
PR.AA-05.03 | Service accounts | Mitigates | T1559 | Inter-Process Communication |
Comments
This diagnostic statement is for the implementation of security controls for service accounts (i.e., accounts used by systems to access other systems). Set service account access restrictions to grant only the minimum necessary permissions to mitigate abuse of inter-process communication (IPC) mechanisms.
|
PR.AA-05.03 | Service accounts | Mitigates | T1021 | Remote Services |
Comments
This diagnostic statement is for the implementation of security controls for service accounts (i.e., accounts used by systems to access other systems). Minimize service account permissions and access for the service to mitigate exploitation via remote services that use service accounts.
|
PR.AA-05.03 | Service accounts | Mitigates | T1021.007 | Cloud Services |
Comments
This diagnostic statement is for the implementation of security controls for service accounts (i.e., accounts used by systems to access other systems). Minimize service account permissions and access for the service to mitigate exploitation via service accounts used with cloud services.
|
PR.AA-05.03 | Service accounts | Mitigates | T1021.002 | SMB/Windows Admin Shares |
Comments
This diagnostic statement is for the implementation of security controls for service accounts (i.e., accounts used by systems to access other systems). Block the SMB/Windows Admin Shares service account to mitigate exploitation.
|
PR.AA-05.03 | Service accounts | Mitigates | T1021.006 | Windows Remote Management |
Comments
This diagnostic statement is for the implementation of security controls for service accounts (i.e., accounts used by systems to access other systems). Minimize service account permissions and access for the service to mitigate exploitation via the WinRM service account.
|
PR.AA-05.03 | Service accounts | Mitigates | T1190 | Exploit Public-Facing Application |
Comments
This diagnostic statement is for the implementation of security controls for service accounts (i.e., accounts used by systems to access other systems). Use least privilege for service accounts to limit what permissions the exploited process gets on the rest of the system.
|
PR.AA-05.03 | Service accounts | Mitigates | T1484 | Domain or Tenant Policy Modification |
Comments
This diagnostic statement is for the implementation of security controls for service accounts (i.e., accounts used by systems to access other systems). Restrict administrative privileges to mitigate this technique.
|
PR.AA-05.04 | Third-party access management | Mitigates | T1078.004 | Cloud Accounts |
Comments
This diagnostic statement includes implementation of controls for third-party access to an organization’s systems. Conditional access policies can be used to block logins from non-compliant devices or from outside defined IP ranges.
|
PR.AA-05.04 | Third-party access management | Mitigates | T1110.001 | Password Guessing |
Comments
This diagnostic statement includes implementation of controls for third-party access to an organization’s systems. Enforcing third-party account use policies that include account lockout after a certain number of failed login attempts mitigates the risk of brute-force attacks.
|
PR.AA-05.04 | Third-party access management | Mitigates | T1110.003 | Password Spraying |
Comments
This diagnostic statement includes implementation of controls for third-party access to an organization’s systems. Enforcing third-party account use policies that include account lockout after a certain number of failed login attempts mitigates the risk of brute-force attacks.
|
PR.AA-05.04 | Third-party access management | Mitigates | T1110.004 | Credential Stuffing |
Comments
This diagnostic statement includes implementation of controls for third-party access to an organization’s systems. Enforcing third-party account use policies that include account lockout after a certain number of failed login attempts mitigates the risk of brute-force attacks.
|
DE.CM-03.03 | Privileged account monitoring | Mitigates | T1606.001 | Web Cookies |
Comments
This diagnostic statement implements mechanisms and tools to mitigate potential misuse of privileged users and accounts. Continuous monitoring of role and attribute assignments and activity is essential to prevent and detect unauthorized access or misuse.
|
DE.CM-03.03 | Privileged account monitoring | Mitigates | T1543.003 | Windows Service |
Comments
This diagnostic statement implements mechanisms and tools to mitigate potential misuse of privileged users and accounts. Continuous monitoring of role and attribute assignments and activity is essential to prevent and detect unauthorized access or misuse.
|
DE.CM-03.03 | Privileged account monitoring | Mitigates | T1543.004 | Launch Daemon |
Comments
This diagnostic statement implements mechanisms and tools to mitigate potential misuse of privileged users and accounts. Continuous monitoring of role and attribute assignments and activity is essential to prevent and detect unauthorized access or misuse.
|
DE.CM-03.03 | Privileged account monitoring | Mitigates | T1543.002 | Systemd Service |
Comments
This diagnostic statement implements mechanisms and tools to mitigate potential misuse of privileged users and accounts. Continuous monitoring of role and attribute assignments and activity is essential to prevent and detect unauthorized access or misuse.
|
DE.CM-03.03 | Privileged account monitoring | Mitigates | T1098.004 | SSH Authorized Keys |
Comments
This diagnostic statement implements mechanisms and tools to mitigate potential misuse of privileged users and accounts. Continuous monitoring of role and attribute assignments and activity is essential to prevent and detect unauthorized access or misuse.
|
DE.CM-03.03 | Privileged account monitoring | Mitigates | T1098.005 | Device Registration |
Comments
This diagnostic statement implements mechanisms and tools to mitigate potential misuse of privileged users and accounts. Continuous monitoring of role and attribute assignments and activity is essential to prevent and detect unauthorized access or misuse.
|
DE.CM-03.03 | Privileged account monitoring | Mitigates | T1098.006 | Additional Container Cluster Roles |
Comments
This diagnostic statement implements mechanisms and tools to mitigate potential misuse of privileged users and accounts. Continuous monitoring of role and attribute assignments and activity is essential to prevent and detect unauthorized access or misuse.
|
DE.CM-03.03 | Privileged account monitoring | Mitigates | T1098.007 | Additional Local or Domain Groups |
Comments
This diagnostic statement implements mechanisms and tools to mitigate potential misuse of privileged users and accounts. Continuous monitoring of role and attribute assignments and activity is essential to prevent and detect unauthorized access or misuse.
|
DE.CM-03.03 | Privileged account monitoring | Mitigates | T1078 | Valid Accounts |
Comments
This diagnostic statement implements mechanisms and tools to mitigate potential misuse of privileged users and accounts. Continuous monitoring of role and attribute assignments and activity is essential to prevent and detect unauthorized access or misuse.
|
DE.CM-01.05 | Website and service blocking | Mitigates | T1204.001 | Malicious Link |
Comments
This diagnostic statement protects user execution through the implementation of tools and measures to block unknown or unused files in transit.
|
PR.IR-03.01 | Alternative resilience mechanisms | Mitigates | T1485 | Data Destruction |
Comments
This diagnostic statement protects against Data Destruction through the use of failsafes, backup facilities, disaster recovery, and resilience strategies including resumption of critical services.
|
PR.IR-03.01 | Alternative resilience mechanisms | Mitigates | T1485.001 | Lifecycle-Triggered Deletion |
Comments
This diagnostic statement protects against Lifecycle-Triggered Deletion through the use of failsafes, backup facilities, disaster recovery, and resilience strategies including resumption of critical services.
|
PR.IR-03.01 | Alternative resilience mechanisms | Mitigates | T1486 | Data Encrypted for Impact |
Comments
This diagnostic statement protects against Data Encrypted for Impact through the use of failsafes, backup facilities, disaster recovery, and resilience strategies including resumption of critical services.
|
PR.IR-03.01 | Alternative resilience mechanisms | Mitigates | T1491 | Defacement |
Comments
This diagnostic statement protects against Defacement through the use of failsafes, backup facilities, disaster recovery, and resilience strategies including resumption of critical services.
|
PR.IR-03.01 | Alternative resilience mechanisms | Mitigates | T1491.001 | Internal Defacement |
Comments
This diagnostic statement protects against Internal Defacement through the use of failsafes, backup facilities, disaster recovery, and resilience strategies including resumption of critical services.
|
PR.IR-03.01 | Alternative resilience mechanisms | Mitigates | T1491.002 | External Defacement |
Comments
This diagnostic statement protects against External Defacement through the use of failsafes, backup facilities, disaster recovery, and resilience strategies including resumption of critical services.
|
PR.IR-03.01 | Alternative resilience mechanisms | Mitigates | T1561 | Disk Wipe |
Comments
This diagnostic statement protects against Disk Wipe through the use of failsafes, backup facilities, disaster recovery, and resilience strategies including resumption of critical services.
|
PR.IR-03.01 | Alternative resilience mechanisms | Mitigates | T1561.001 | Disk Content Wipe |
Comments
This diagnostic statement protects against Disk Content Wipe through the use of failsafes, backup facilities, disaster recovery, and resilience strategies including resumption of critical services.
|
PR.IR-03.01 | Alternative resilience mechanisms | Mitigates | T1561.002 | Disk Structure Wipe |
Comments
This diagnostic statement protects against Disk Structure Wipe through the use of failsafes, backup facilities, disaster recovery, and resilience strategies including resumption of critical services.
|
PR.IR-03.01 | Alternative resilience mechanisms | Mitigates | T1490 | Inhibit System Recovery |
Comments
This diagnostic statement protects against Inhibit System Recovery through the use of failsafes, backup facilities, disaster recovery, and resilience strategies including resumption of critical services.
|
PR.IR-03.01 | Alternative resilience mechanisms | Mitigates | T1020 | Automated Exfiltration |
Comments
This diagnostic statement protects against Automated Exfiltration through the use of failsafes, backup facilities, disaster recovery, and resilience strategies including resumption of critical services.
|
PR.IR-03.01 | Alternative resilience mechanisms | Mitigates | T1020.001 | Traffic Duplication |
Comments
This diagnostic statement protects against Traffic Duplication through the use of failsafes, backup facilities, disaster recovery, and resilience strategies including resumption of critical services.
|
PR.IR-03.01 | Alternative resilience mechanisms | Mitigates | T1005 | Data from Local System |
Comments
This diagnostic statement protects against Data from Local System through the use of failsafes, backup facilities, disaster recovery, and resilience strategies including resumption of critical services.
|
PR.IR-03.01 | Alternative resilience mechanisms | Mitigates | T1025 | Data from Removable Media |
Comments
This diagnostic statement protects against Data from Removable Media through the use of failsafes, backup facilities, disaster recovery, and resilience strategies including resumption of critical services.
|
PR.IR-03.01 | Alternative resilience mechanisms | Mitigates | T1048 | Exfiltration Over Alternative Protocol |
Comments
This diagnostic statement protects against Exfiltration Over Alternative Protocol through the use of failsafes, backup facilities, disaster recovery, and resilience strategies including resumption of critical services.
|
PR.IR-03.01 | Alternative resilience mechanisms | Mitigates | T1048.002 | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol |
Comments
This diagnostic statement protects against Exfiltration Over Asymmetric Encrypted Non-C2 Protocol through the use of failsafes, backup facilities, disaster recovery, and resilience strategies including resumption of critical services.
|
PR.IR-03.01 | Alternative resilience mechanisms | Mitigates | T1048.003 | Exfiltration Over Unencrypted Non-C2 Protocol |
Comments
This diagnostic statement protects against Exfiltration Over Unencrypted Non-C2 Protocol through the use of failsafes, backup facilities, disaster recovery, and resilience strategies including resumption of critical services.
|
PR.IR-03.01 | Alternative resilience mechanisms | Mitigates | T1041 | Exfiltration Over C2 Channel |
Comments
This diagnostic statement protects against Exfiltration Over C2 Channel through the use of failsafes, backup facilities, disaster recovery, and resilience strategies including resumption of critical services.
|
PR.IR-03.01 | Alternative resilience mechanisms | Mitigates | T1052 | Exfiltration Over Physical Medium |
Comments
This diagnostic statement protects against Exfiltration Over Physical Medium through the use of failsafes, backup facilities, disaster recovery, and resilience strategies including resumption of critical services.
|
PR.IR-03.01 | Alternative resilience mechanisms | Mitigates | T1052.001 | Exfiltration over USB |
Comments
This diagnostic statement protects against Exfiltration over USB through the use of failsafes, backup facilities, disaster recovery, and resilience strategies including resumption of critical services.
|
PR.IR-03.01 | Alternative resilience mechanisms | Mitigates | T1567 | Exfiltration Over Web Service |
Comments
This diagnostic statement protects against Exfiltration Over Web Service through the use of failsafes, backup facilities, disaster recovery, and resilience strategies including resumption of critical services.
|
PR.IR-03.01 | Alternative resilience mechanisms | Mitigates | T1567.004 | Exfiltration Over Webhook |
Comments
This diagnostic statement protects against Exfiltration Over Webhook through the use of failsafes, backup facilities, disaster recovery, and resilience strategies including resumption of critical services.
|
PR.IR-03.01 | Alternative resilience mechanisms | Mitigates | T1537 | Transfer Data to Cloud Account |
Comments
This diagnostic statement protects against Transfer Data to Cloud Account through the use of failsafes, backup facilities, disaster recovery, and resilience strategies including resumption of critical services.
|
PR.PS-06.01 | Secure SDLC process | Mitigates | T1550 | Use Alternate Authentication Material |
Comments
This diagnostic statement provides secure application development, such as implementing token binding strategies to help prevent the malicious use of application access tokens.
|
PR.PS-06.01 | Secure SDLC process | Mitigates | T1559 | Inter-Process Communication |
Comments
This diagnostic statement protects inter-process communication mechanisms from abuse through secure development practices, such as enabling the Hardened Runtime capability when developing applications.
|
PR.PS-06.01 | Secure SDLC process | Mitigates | T1078 | Valid Accounts |
Comments
This diagnostic statement provides for secure system development, which includes ensuring that applications do not store sensitive data or valid account credentials insecurely (e.g., plaintext credentials in code, published credentials in repositories, or credentials in public cloud storage).
|
PR.PS-06.01 | Secure SDLC process | Mitigates | T1078.002 | Domain Accounts |
Comments
This diagnostic statement provides for secure system development, which includes ensuring that applications do not store sensitive data or valid account credentials insecurely (e.g., plaintext credentials in code, published credentials in repositories, or credentials in public cloud storage).
|
PR.PS-06.01 | Secure SDLC process | Mitigates | T1078.003 | Local Accounts |
Comments
This diagnostic statement provides for secure system development, which includes ensuring that applications do not store sensitive data or valid account credentials insecurely (e.g., plaintext credentials in code, published credentials in repositories, or credentials in public cloud storage).
|
PR.PS-06.01 | Secure SDLC process | Mitigates | T1078.004 | Cloud Accounts |
Comments
This diagnostic statement provides for secure system development, which includes ensuring that applications do not store sensitive data or valid account credentials insecurely (e.g., plaintext credentials in code, published credentials in repositories, or credentials in public cloud storage).
|
PR.PS-06.01 | Secure SDLC process | Mitigates | T1559.003 | XPC Services |
Comments
This diagnostic statement protects inter-process communication mechanisms from abuse through secure development practices, such as enabling the Hardened Runtime capability when developing applications.
|
PR.PS-06.01 | Secure SDLC process | Mitigates | T1550 | Use Alternate Authentication Material |
Comments
This diagnostic statement provides for the implementation of secure development practices, such as implementing token binding strategies which can help prevent malicious use of application access tokens.
|
PR.PS-06.01 | Secure SDLC process | Mitigates | T1550.001 | Application Access Token |
Comments
This diagnostic statement provides for the implementation of secure development practices, such as implementing token binding strategies which can help prevent malicious use of application access tokens.
|
PR.PS-06.01 | Secure SDLC process | Mitigates | T1212 | Exploitation for Credential Access |
Comments
This diagnostic statement protects against Exploitation for Credential Access through the implementation of measures in the application to validate authentication requests by enabling one-time passwords, providing timestamps or sequence numbers for messages sent, using digital signatures, and/or using random session keys.
|
PR.PS-06.01 | Secure SDLC process | Mitigates | T1564 | Hide Artifacts |
Comments
This diagnostic statement protects against Hide Artifacts through the implementation of application security processes and procedures such as installing applications to trusted system folder paths that are already protected by restricted file and directory permissions.
|
PR.PS-06.01 | Secure SDLC process | Mitigates | T1564.009 | Resource Forking |
Comments
This diagnostic statement protects against Hide Artifacts through the implementation of application security processes and procedures such as installing applications to trusted system folder paths that are already protected by restricted file and directory permissions.
|
PR.PS-06.01 | Secure SDLC process | Mitigates | T1564.012 | File/Path Exclusions |
Comments
This diagnostic statement protects against Hide Artifacts through the implementation of application security processes and procedures such as installing applications to trusted system folder paths that are already protected by restricted file and directory permissions.
|
PR.PS-06.01 | Secure SDLC process | Mitigates | T1574 | Hijack Execution Flow |
Comments
This diagnostic statement provides for secure application development processes and procedures, such as including hash values in manifest files to help prevent side-loading of malicious libraries.
|
PR.PS-06.01 | Secure SDLC process | Mitigates | T1574.002 | DLL Side-Loading |
Comments
This diagnostic statement provides for secure application development processes and procedures, such as including hash values in manifest files to help prevent side-loading of malicious libraries.
|
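The hash-in-manifest guidance in the T1574 and T1574.002 comments above, as an added example that is not code from the mapping page, the CRI Profile, or any Windows side-by-side manifest mechanism: a generic integrity manifest of SHA-256 digests is produced at build time and checked before a library path is handed to the loader, so a same-named library dropped beside the application fails verification. The JSON layout, the `.dll` file names and the `demo()` scenario are constructed assumptions.

```python
"""Verify shipped libraries against a build-time digest manifest (added example).

Assumptions: a JSON manifest {"algorithm": "sha256", "libraries": {name: hex}}
and plain files standing in for real DLLs; loading itself is left to the caller.
"""
import hashlib
import hmac
import json
import tempfile
from pathlib import Path
from typing import Dict, Iterable, Tuple


class IntegrityError(Exception):
    """Raised when a library fails verification and must not be loaded."""


def sha256_of(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(lib_dir: Path, names: Iterable[str]) -> Dict:
    """Build-time step: record the digest of every library the release ships."""
    return {"algorithm": "sha256",
            "libraries": {name: sha256_of(lib_dir / name) for name in names}}


def write_manifest(manifest: Dict, path: Path) -> None:
    path.write_text(json.dumps(manifest, indent=2, sort_keys=True))


def read_manifest(path: Path) -> Dict:
    return json.loads(path.read_text())


def verify_library(lib_dir: Path, name: str, manifest: Dict) -> Tuple[bool, str]:
    """Load-time step: refuse anything unlisted, missing, or altered."""
    expected = manifest["libraries"].get(name)
    if expected is None:
        return False, "not in manifest"
    candidate = lib_dir / name
    if not candidate.is_file():
        return False, "missing"
    if not hmac.compare_digest(expected, sha256_of(candidate)):
        return False, "digest mismatch"
    return True, "ok"


def resolve_verified(lib_dir: Path, name: str, manifest: Dict) -> Path:
    """Return the path the loader may use, or raise. The actual load
    (ctypes.CDLL, LoadLibrary, dlopen) is deliberately the caller's job."""
    ok, reason = verify_library(lib_dir, name, manifest)
    if not ok:
        raise IntegrityError(f"{name}: {reason}")
    return lib_dir / name


def demo() -> Dict[str, str]:
    """Constructed scenario: two shipped libraries, then an attacker overwrites
    one with a same-named file and drops an unlisted library next to it."""
    with tempfile.TemporaryDirectory() as d:
        lib_dir = Path(d)
        (lib_dir / "helper.dll").write_bytes(b"MZ helper v1")
        (lib_dir / "crypto.dll").write_bytes(b"MZ crypto v1")
        manifest_path = lib_dir / "app.manifest.json"
        write_manifest(build_manifest(lib_dir, ["helper.dll", "crypto.dll"]),
                       manifest_path)
        manifest = read_manifest(manifest_path)
        # Side-loading attempt: same name, different bytes; plus an extra file.
        (lib_dir / "crypto.dll").write_bytes(b"MZ attacker payload")
        (lib_dir / "extra.dll").write_bytes(b"MZ unlisted")
        return {name: verify_library(lib_dir, name, manifest)[1]
                for name in ("helper.dll", "crypto.dll", "extra.dll")}


if __name__ == "__main__":
    print(demo())
```

The check is only as strong as the manifest's own integrity: if the manifest sits in the same writable directory as the libraries, an attacker who can drop a library can also rewrite the digests. In a real deployment the manifest is signed, or the application and manifest are installed to a path with restricted write permissions, which is the complementary measure the Hide Artifacts comments above describe.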
PR.PS-06.01 | Secure SDLC process | Mitigates | T1559.003 | XPC Services |
Comments
This diagnostic statement protects inter-process communication mechanisms from abuse through secure development practices, such as enabling the Hardened Runtime capability when developing applications.
|
PR.PS-06.01 | Secure SDLC process | Mitigates | T1647 | Plist File Modification |
Comments
This diagnostic statement helps protect against modification of property list (plist) files through secure development practices, such as enabling hardened runtime.
|
PR.PS-06.01 | Secure SDLC process | Mitigates | T1496.003 | SMS Pumping |
Comments
This diagnostic statement provides for secure development practices, such as implementing CAPTCHA protection on forms that send messages via SMS.
|
PR.PS-06.01 | Secure SDLC process | Mitigates | T1593 | Search Open Websites/Domains |
Comments
This diagnostic statement provides for the use of secure development processes and procedures. This includes not publishing sensitive information, such as credentials and API keys, to public code repositories.
|
PR.PS-06.01 | Secure SDLC process | Mitigates | T1593.003 | Code Repositories |
Comments
This diagnostic statement provides for the use of secure development processes and procedures. This includes not publishing sensitive information, such as credentials and API keys, to public code repositories.
|
PR.PS-06.01 | Secure SDLC process | Mitigates | T1195 | Supply Chain Compromise |
Comments
This diagnostic statement provides for the use of secure development processes and procedures. This includes being cautious when selecting third-party libraries to integrate into applications.
|
PR.PS-06.01 | Secure SDLC process | Mitigates | T1195.001 | Compromise Software Dependencies and Development Tools |
Comments
This diagnostic statement provides for the use of secure development processes and procedures. This includes being cautious when selecting third-party libraries to integrate into applications.
|
PR.PS-06.01 | Secure SDLC process | Mitigates | T1550.001 | Application Access Token |
Comments
This diagnostic statement provides for secure application development, such as implementing token binding strategies to help prevent the malicious use of application access tokens.
|
PR.PS-06.01 | Secure SDLC process | Mitigates | T1078.001 | Default Accounts |
Comments
This diagnostic statement provides for secure system development, which includes ensuring that applications do not store sensitive data or valid account credentials insecurely (e.g., plaintext credentials in code, published credentials in repositories, or credentials in public cloud storage).
|
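The T1593 and T1593.003 comments above and the T1078.001 comment warn against publishing credentials and API keys with code. As an added example, not code from the mapping page or the CRI Profile, here is a pre-push check that scans only the added lines of a unified diff for a few well-known credential shapes (AWS access key IDs, GitHub personal access tokens, PEM private-key headers) and for keyword assignments such as `PASSWORD = "..."`, while skipping template placeholders and redacting what it reports. The diff text is constructed, and the rule set, placeholder heuristic and finding field names are the example's own assumptions, kept deliberately small.

```python
"""Scan a unified diff's added lines for committed secrets (added example).

Assumptions: the rule set below is illustrative, not exhaustive; the sample
diff is constructed; findings are redacted before being returned.
"""
import math
import re
from typing import Dict, List

# Credential shapes with a well-known fixed prefix, plus a keyword rule that
# catches assignments like PASSWORD = "..."; group(1) is the value when present.
RULES = {
    "aws-access-key-id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "github-pat": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    "private-key": re.compile(r"-----BEGIN (?:[A-Z]+ )?PRIVATE KEY-----"),
    "keyword-assignment": re.compile(
        r"(?i)(?:password|passwd|secret|api[_-]?key|token)\w*\s*[:=]\s*[\"']([^\"']{8,})[\"']"),
}
# Assumption: values that look like templating placeholders are not secrets.
PLACEHOLDER = re.compile(r"\$\{|\{\{|<[A-Z_]+>|^\$[A-Z_]+$")
HUNK_HEADER = re.compile(r"^@@ -\d+(?:,\d+)? \+(\d+)(?:,\d+)? @@")


def shannon_entropy(s: str) -> float:
    """Bits per character; random tokens score high, words score low."""
    if not s:
        return 0.0
    return -sum((s.count(c) / len(s)) * math.log2(s.count(c) / len(s)) for c in set(s))


def redact(value: str) -> str:
    """Never echo the full secret into CI logs; keep a short prefix for triage."""
    return value[:4] + "*" * max(len(value) - 4, 0)


def scan_diff(diff_text: str) -> List[Dict]:
    findings: List[Dict] = []
    path, new_lineno = "", 0
    for raw in diff_text.splitlines():
        if raw.startswith("+++ "):
            path = raw[4:]
            path = path[2:] if path.startswith("b/") else path
            continue
        header = HUNK_HEADER.match(raw)
        if header:
            new_lineno = int(header.group(1))
            continue
        if not raw or raw[0] not in "+ ":
            continue            # removed lines and metadata are not in the new file
        lineno, new_lineno = new_lineno, new_lineno + 1
        if raw[0] != "+":
            continue            # context line: unchanged, not this commit's doing
        content = raw[1:]
        for rule, rx in RULES.items():
            for m in rx.finditer(content):
                value = m.group(1) if m.lastindex else m.group(0)
                if rule == "keyword-assignment" and PLACEHOLDER.search(value):
                    continue
                findings.append({"file": path, "line": lineno, "rule": rule,
                                 "value": redact(value),
                                 "entropy": round(shannon_entropy(value), 2)})
    return findings


# Constructed sample: one hunk that hard-codes credentials, one that adds a key.
SAMPLE_DIFF = """\
diff --git a/config/settings.py b/config/settings.py
--- a/config/settings.py
+++ b/config/settings.py
@@ -1,3 +1,6 @@
 import os
-DB_PASSWORD = os.environ["DB_PASSWORD"]
+DB_PASSWORD = "Tr0ub4dor&3xyz"
+AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
+GITHUB_TOKEN = "ghp_A1b2C3d4E5f6G7h8I9j0K1l2M3n4O5p6Q7r8"
+API_KEY = "${API_KEY}"
 DEBUG = False
diff --git a/deploy/id_rsa b/deploy/id_rsa
new file mode 100644
--- /dev/null
+++ b/deploy/id_rsa
@@ -0,0 +1,2 @@
+-----BEGIN OPENSSH PRIVATE KEY-----
+b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAAAMw
"""


def main(diff_text: str = SAMPLE_DIFF) -> int:
    """Hook-style entry point: non-zero exit blocks the push."""
    findings = scan_diff(diff_text)
    for f in findings:
        print(f"{f['file']}:{f['line']} {f['rule']} {f['value']} (H={f['entropy']})")
    return 1 if findings else 0


if __name__ == "__main__":
    raise SystemExit(main())
```

Scanning only `+` lines keeps the check fast and attributable to the commit at hand, but it also means a secret that was committed earlier and survives unchanged is invisible to it; a one-off scan of full history is the complement. The entropy value is reported for triage only: a long random-looking value under a credential keyword is worth a closer look even when no fixed-prefix rule fires.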
PR.PS-01.08 | End-user device protection | Mitigates | T1027 | Obfuscated Files or Information |
Comments
This diagnostic statement provides protections for endpoints from obfuscated files or information through configuration requirements, connection requirements, and other mechanisms to protect network, application, and data integrity.
|
PR.PS-01.08 | End-user device protection | Mitigates | T1027.002 | Software Packing |
Comments
This diagnostic statement provides protections for endpoints from obfuscated files or information through configuration requirements, connection requirements, and other mechanisms to protect network, application, and data integrity.
|
PR.PS-01.08 | End-user device protection | Mitigates | T1027.009 | Embedded Payloads |
Comments
This diagnostic statement provides protections for endpoints from obfuscated files or information through configuration requirements, connection requirements, and other mechanisms to protect network, application, and data integrity.
|
PR.PS-01.08 | End-user device protection | Mitigates | T1027.010 | Command Obfuscation |
Comments
This diagnostic statement provides protections for endpoints from obfuscated files or information through configuration requirements, connection requirements, and other mechanisms to protect network, application, and data integrity.
|
PR.PS-01.08 | End-user device protection | Mitigates | T1027.012 | LNK Icon Smuggling |
Comments
This diagnostic statement provides protections for endpoints from obfuscated files or information through configuration requirements, connection requirements, and other mechanisms to protect network, application, and data integrity.
|
PR.PS-01.08 | End-user device protection | Mitigates | T1027.013 | Encrypted/Encoded File |
Comments
This diagnostic statement provides protections for endpoints from obfuscated files or information through configuration requirements, connection requirements, and other mechanisms to protect network, application, and data integrity.
|
PR.PS-01.08 | End-user device protection | Mitigates | T1027.014 | Polymorphic Code |
Comments
This diagnostic statement provides protections for endpoints from obfuscated files or information through configuration requirements, connection requirements, and other mechanisms to protect network, application, and data integrity.
|
PR.PS-01.08 | End-user device protection | Mitigates | T1036 | Masquerading |
Comments
This diagnostic statement provides protections for endpoints from masquerading or manipulated artifacts through configuration requirements, connection requirements, and other mechanisms to protect network, application, and data integrity.
|
PR.PS-01.08 | End-user device protection | Mitigates | T1036.008 | Masquerade File Type |
Comments
This diagnostic statement provides protections for endpoints from masquerading or manipulated artifacts through configuration requirements, connection requirements, and other mechanisms to protect network, application, and data integrity.
|
PR.PS-01.08 | End-user device protection | Mitigates | T1059 | Command and Scripting Interpreter |
Comments
This diagnostic statement protects endpoints from abuse of commands and scripts through configuration requirements, connection requirements, and other mechanisms to protect network, application, and data integrity.
|
PR.PS-01.08 | End-user device protection | Mitigates | T1059.001 | PowerShell |
Comments
This diagnostic statement protects endpoints from abuse of commands and scripts through configuration requirements, connection requirements, and other mechanisms to protect network, application, and data integrity.
|
PR.PS-01.08 | End-user device protection | Mitigates | T1059.005 | Visual Basic |
Comments
This diagnostic statement protects endpoints from abuse of commands and scripts through configuration requirements, connection requirements, and other mechanisms to protect network, application, and data integrity.
|
PR.PS-01.08 | End-user device protection | Mitigates | T1059.006 | Python |
Comments
This diagnostic statement protects endpoints from abuse of commands and scripts through configuration requirements, connection requirements, and other mechanisms to protect network, application, and data integrity.
|
PR.PS-01.08 | End-user device protection | Mitigates | T1091 | Replication Through Removable Media |
Comments
This diagnostic statement protects endpoints from untrusted files on removable drives through configuration requirements, connection requirements, and other mechanisms to protect network, application, and data integrity.
|
PR.PS-01.08 | End-user device protection | Mitigates | T1200 | Hardware Additions |
Comments
This diagnostic statement protects endpoints from introduction of hardware additions through configuration requirements, connection requirements, and other mechanisms to protect network, application, and data integrity.
|
PR.PS-01.08 | End-user device protection | Mitigates | T1574 | Hijack Execution Flow |
Comments
This diagnostic statement protects endpoints from certain types of behaviors related to execution flow hijacking (such as abuse of library search order, path resolution, and process memory) through configuration requirements, connection requirements, and other mechanisms to protect network, application, and data integrity.
|
PR.PS-01.08 | End-user device protection | Mitigates | T1574.001 | DLL Search Order Hijacking |
Comments
This diagnostic statement protects endpoints from certain types of behaviors related to execution flow hijacking (such as abuse of library search order, path resolution, and process memory) through configuration requirements, connection requirements, and other mechanisms to protect network, application, and data integrity.
|
PR.PS-01.08 | End-user device protection | Mitigates | T1574.002 | DLL Side-Loading |
Comments
This diagnostic statement protects endpoints from certain types of behaviors related to execution flow hijacking (such as abuse of library search order, path resolution, and process memory) through configuration requirements, connection requirements, and other mechanisms to protect network, application, and data integrity.
|
PR.PS-01.08 | End-user device protection | Mitigates | T1574.006 | Dynamic Linker Hijacking |
Comments
This diagnostic statement protects endpoints from certain types of behaviors related to execution flow hijacking (such as abuse of library search order, path resolution, and process memory) through configuration requirements, connection requirements, and other mechanisms to protect network, application, and data integrity.
|
PR.PS-01.08 | End-user device protection | Mitigates | T1574.007 | Path Interception by PATH Environment Variable |
Comments
This diagnostic statement protects endpoints from certain types of behaviors related to execution flow hijacking (such as abuse of library search order, path resolution, and process memory) through configuration requirements, connection requirements, and other mechanisms to protect network, application, and data integrity.
|
PR.PS-01.08 | End-user device protection | Mitigates | T1574.008 | Path Interception by Search Order Hijacking |
Comments
This diagnostic statement protects endpoints from certain types of behaviors related to execution flow hijacking (such as abuse of library search order, path resolution, and process memory) through configuration requirements, connection requirements, and other mechanisms to protect network, application, and data integrity.
|
PR.PS-01.08 | End-user device protection | Mitigates | T1574.009 | Path Interception by Unquoted Path |
Comments
This diagnostic statement protects endpoints from certain types of behaviors related to execution flow hijacking (such as abuse of library search order, path resolution, and process memory) through configuration requirements, connection requirements, and other mechanisms to protect network, application, and data integrity.
|
PR.PS-01.08 | End-user device protection | Mitigates | T1574.012 | COR_PROFILER |
Comments
This diagnostic statement protects endpoints from certain types of behaviors related to execution flow hijacking (such as abuse of library search order, path resolution, and process memory) through configuration requirements, connection requirements, and other mechanisms to protect network, application, and data integrity.
|
PR.PS-01.08 | End-user device protection | Mitigates | T1574.013 | KernelCallbackTable |
Comments
This diagnostic statement protects endpoints from certain types of behaviors related to execution flow hijacking (such as abuse of library search order, path resolution, and process memory) through configuration requirements, connection requirements, and other mechanisms to protect network, application, and data integrity.
|
PR.AA-05.02 | Privileged system access | Mitigates | T1003.006 | DCSync |
Comments
This diagnostic statement protects against DCSync through the use of privileged account management and the use of multi-factor authentication.
|
PR.AA-05.02 | Privileged system access | Mitigates | T1003.007 | Proc Filesystem |
Comments
This diagnostic statement protects against Proc Filesystem through the use of privileged account management and the use of multi-factor authentication.
|
PR.AA-05.02 | Privileged system access | Mitigates | T1003.008 | /etc/passwd and /etc/shadow |
Comments
This diagnostic statement protects against /etc/passwd and /etc/shadow through the use of privileged account management and the use of multi-factor authentication.
|
PR.AA-05.02 | Privileged system access | Mitigates | T1021 | Remote Services |
Comments
This diagnostic statement protects against Remote Services through the use of privileged account management and the use of multi-factor authentication.
|
PR.AA-05.02 | Privileged system access | Mitigates | T1021.001 | Remote Desktop Protocol |
Comments
This diagnostic statement protects against Remote Desktop Protocol through the use of privileged account management and the use of multi-factor authentication.
|
PR.AA-05.02 | Privileged system access | Mitigates | T1021.002 | SMB/Windows Admin Shares |
Comments
This diagnostic statement protects against SMB/Windows Admin Shares through the use of privileged account management and the use of multi-factor authentication.
|
PR.AA-05.02 | Privileged system access | Mitigates | T1021.003 | Distributed Component Object Model |
Comments
This diagnostic statement protects against Distributed Component Object Model through the use of privileged account management and the use of multi-factor authentication.
|
PR.AA-05.02 | Privileged system access | Mitigates | T1021.004 | SSH |
Comments
This diagnostic statement protects against SSH through the use of privileged account management and the use of multi-factor authentication.
|
PR.AA-05.02 | Privileged system access | Mitigates | T1021.006 | Windows Remote Management |
Comments
This diagnostic statement protects against Windows Remote Management through the use of privileged account management and the use of multi-factor authentication.
|
PR.AA-05.02 | Privileged system access | Mitigates | T1021.007 | Cloud Services |
Comments
This diagnostic statement protects against Cloud Services through the use of privileged account management and the use of multi-factor authentication.
|
PR.AA-05.02 | Privileged system access | Mitigates | T1040 | Network Sniffing |
Comments
This diagnostic statement protects against Network Sniffing through the use of privileged account management and the use of multi-factor authentication.
|
PR.AA-05.02 | Privileged system access | Mitigates | T1047 | Windows Management Instrumentation |
Comments
This diagnostic statement protects against Windows Management Instrumentation through the use of privileged account management and the use of multi-factor authentication.
|
PR.AA-05.02 | Privileged system access | Mitigates | T1053 | Scheduled Task/Job |
Comments
This diagnostic statement protects against Scheduled Task/Job through the use of privileged account management and the use of multi-factor authentication.
|
PR.AA-05.02 | Privileged system access | Mitigates | T1053.002 | At |
Comments
This diagnostic statement protects against At through the use of privileged account management and the use of multi-factor authentication.
|
PR.AA-05.02 | Privileged system access | Mitigates | T1053.005 | Scheduled Task |
Comments
This diagnostic statement protects against Scheduled Task through the use of privileged account management and the use of multi-factor authentication.
|
PR.AA-05.02 | Privileged system access | Mitigates | T1053.006 | Systemd Timers |
Comments
This diagnostic statement protects against Systemd Timers through the use of privileged account management and the use of multi-factor authentication.
|
PR.AA-05.02 | Privileged system access | Mitigates | T1053.007 | Container Orchestration Job |
Comments
This diagnostic statement protects against Container Orchestration Job through the use of privileged account management and the use of multi-factor authentication.
|
PR.AA-05.02 | Privileged system access | Mitigates | T1055 | Process Injection |
Comments
This diagnostic statement protects against Process Injection through the use of privileged account management and the use of multi-factor authentication.
|
PR.AA-05.02 | Privileged system access | Mitigates | T1055.008 | Ptrace System Calls |
Comments
This diagnostic statement protects against Ptrace System Calls through the use of privileged account management and the use of multi-factor authentication.
|
PR.AA-05.02 | Privileged system access | Mitigates | T1056 | Input Capture |
Comments
This diagnostic statement protects against Input Capture through the use of privileged account management and the use of multi-factor authentication.
|
PR.AA-05.02 | Privileged system access | Mitigates | T1056.003 | Web Portal Capture |
Comments
This diagnostic statement protects against Web Portal Capture through the use of privileged account management and the use of multi-factor authentication.
|
PR.AA-05.02 | Privileged system access | Mitigates | T1059 | Command and Scripting Interpreter |
Comments
This diagnostic statement protects against Command and Scripting Interpreter through the use of privileged account management and the use of multi-factor authentication.
|
PR.AA-05.02 | Privileged system access | Mitigates | T1059.001 | PowerShell |
Comments
This diagnostic statement protects against PowerShell through the use of privileged account management and the use of multi-factor authentication.
|
PR.AA-05.02 | Privileged system access | Mitigates | T1059.008 | Network Device CLI |
Comments
This diagnostic statement protects against Network Device CLI through the use of privileged account management and the use of multi-factor authentication.
|
PR.AA-05.02 | Privileged system access | Mitigates | T1059.009 | Cloud API |
Comments
This diagnostic statement protects against Cloud API through the use of privileged account management and the use of multi-factor authentication.
|
PR.AA-05.02 | Privileged system access | Mitigates | T1072 | Software Deployment Tools |
Comments
This diagnostic statement protects against Software Deployment Tools through the use of privileged account management and the use of multi-factor authentication.
|
PR.AA-05.02 | Privileged system access | Mitigates | T1078 | Valid Accounts |
Comments
This diagnostic statement protects against Valid Accounts through the use of privileged account management and the use of multi-factor authentication.
|
PR.AA-05.02 | Privileged system access | Mitigates | T1078.001 | Default Accounts |
Comments
This diagnostic statement protects against Default Accounts through the use of privileged account management and the use of multi-factor authentication.
|
PR.AA-05.02 | Privileged system access | Mitigates | T1078.002 | Domain Accounts |
Comments
This diagnostic statement protects against Domain Accounts through the use of privileged account management and the use of multi-factor authentication.
|
PR.AA-05.02 | Privileged system access | Mitigates | T1078.003 | Local Accounts |
Comments
This diagnostic statement protects against Local Accounts through the use of privileged account management and the use of multi-factor authentication.
|
PR.AA-05.02 | Privileged system access | Mitigates | T1078.004 | Cloud Accounts |
Comments
This diagnostic statement protects against Cloud Accounts through the use of privileged account management and the use of multi-factor authentication.
|
PR.AA-05.02 | Privileged system access | Mitigates | T1098 | Account Manipulation |
Comments
This diagnostic statement protects against Account Manipulation through the use of privileged account management and the use of multi-factor authentication.
|
PR.AA-05.02 | Privileged system access | Mitigates | T1098.001 | Additional Cloud Credentials |
Comments
This diagnostic statement protects against Additional Cloud Credentials through the use of privileged account management and the use of multi-factor authentication.
|
PR.AA-05.02 | Privileged system access | Mitigates | T1098.002 | Additional Email Delegate Permissions |
Comments
This diagnostic statement protects against Additional Email Delegate Permissions through the use of privileged account management and the use of multi-factor authentication.
|
PR.AA-05.02 | Privileged system access | Mitigates | T1098.003 | Additional Cloud Roles |
Comments
This diagnostic statement protects against Additional Cloud Roles through the use of privileged account management and the use of multi-factor authentication.
|
PR.AA-05.02 | Privileged system access | Mitigates | T1098.005 | Device Registration |
Comments
This diagnostic statement protects against Device Registration through the use of privileged account management and the use of multi-factor authentication.
|
PR.AA-05.02 | Privileged system access | Mitigates | T1098.006 | Additional Container Cluster Roles |
Comments
This diagnostic statement protects against Additional Container Cluster Roles through the use of privileged account management and the use of multi-factor authentication.
|
PR.AA-05.02 | Privileged system access | Mitigates | T1110 | Brute Force |
Comments
This diagnostic statement protects against Brute Force through the use of privileged account management and the use of multi-factor authentication.
|
PR.AA-05.02 | Privileged system access | Mitigates | T1110.001 | Password Guessing |
Comments
This diagnostic statement protects against Password Guessing through the use of privileged account management and the use of multi-factor authentication.
|
PR.AA-05.02 | Privileged system access | Mitigates | T1110.002 | Password Cracking |
Comments
This diagnostic statement protects against Password Cracking through the use of privileged account management and the use of multi-factor authentication.
|
PR.AA-05.02 | Privileged system access | Mitigates | T1110.003 | Password Spraying |
Comments
This diagnostic statement protects against Password Spraying through the use of privileged account management and the use of multi-factor authentication.
|
PR.AA-05.02 | Privileged system access | Mitigates | T1110.004 | Credential Stuffing |
Comments
This diagnostic statement protects against Credential Stuffing through the use of privileged account management and the use of multi-factor authentication.
|
PR.AA-05.02 | Privileged system access | Mitigates | T1114 | Email Collection |
Comments
This diagnostic statement protects against Email Collection through the use of privileged account management and the use of multi-factor authentication.
|
PR.AA-05.02 | Privileged system access | Mitigates | T1114.002 | Remote Email Collection |
Comments
This diagnostic statement protects against Remote Email Collection through the use of privileged account management and the use of multi-factor authentication.
|
PR.AA-05.02 | Privileged system access | Mitigates | T1133 | External Remote Services |
Comments
This diagnostic statement protects against External Remote Services through the use of privileged account management and the use of multi-factor authentication.
|
PR.AA-05.02 | Privileged system access | Mitigates | T1134 | Access Token Manipulation |
Comments
This diagnostic statement protects against Access Token Manipulation through the use of privileged account management and the use of multi-factor authentication.
|
PR.AA-05.02 | Privileged system access | Mitigates | T1134.001 | Token Impersonation/Theft |
Comments
This diagnostic statement protects against Token Impersonation/Theft through the use of privileged account management and the use of multi-factor authentication.
|
PR.AA-05.02 | Privileged system access | Mitigates | T1134.002 | Create Process with Token |
Comments
This diagnostic statement protects against Create Process with Token through the use of privileged account management and the use of multi-factor authentication.
|
PR.AA-05.02 | Privileged system access | Mitigates | T1134.003 | Make and Impersonate Token |
Comments
This diagnostic statement protects against Make and Impersonate Token through the use of privileged account management and the use of multi-factor authentication.
|
PR.AA-05.02 | Privileged system access | Mitigates | T1136 | Create Account |
Comments
This diagnostic statement protects against Create Account through the use of privileged account management and the use of multi-factor authentication.
|
PR.AA-05.02 | Privileged system access | Mitigates | T1136.001 | Local Account |
Comments
This diagnostic statement protects against Local Account through the use of privileged account management and the use of multi-factor authentication.
|
PR.AA-05.02 | Privileged system access | Mitigates | T1136.002 | Domain Account |
Comments
This diagnostic statement protects against Domain Account through the use of privileged account management and the use of multi-factor authentication.
|
PR.AA-05.02 | Privileged system access | Mitigates | T1136.003 | Cloud Account |
Comments
This diagnostic statement protects against Cloud Account through the use of privileged account management and the use of multi-factor authentication.
|
PR.AA-05.02 | Privileged system access | Mitigates | T1190 | Exploit Public-Facing Application |
Comments
This diagnostic statement protects against Exploit Public-Facing Application through the use of privileged account management and the use of multi-factor authentication.
|
PR.AA-05.02 | Privileged system access | Mitigates | T1199 | Trusted Relationship |
Comments
This diagnostic statement protects against Trusted Relationship through the use of privileged account management and the use of multi-factor authentication.
|
PR.AA-05.02 | Privileged system access | Mitigates | T1210 | Exploitation of Remote Services |
Comments
This diagnostic statement protects against Exploitation of Remote Services through the use of privileged account management and the use of multi-factor authentication.
|
PR.AA-05.02 | Privileged system access | Mitigates | T1213 | Data from Information Repositories |
Comments
This diagnostic statement protects against Data from Information Repositories through the use of privileged account management and the use of multi-factor authentication.
|
PR.AA-05.02 | Privileged system access | Mitigates | T1213.003 | Code Repositories |
Comments
This diagnostic statement protects against Code Repositories through the use of privileged account management and the use of multi-factor authentication.
|
PR.AA-05.02 | Privileged system access | Mitigates | T1218 | System Binary Proxy Execution |
Comments
This diagnostic statement protects against System Binary Proxy Execution through the use of privileged account management and the use of multi-factor authentication.
|
PR.AA-05.02 | Privileged system access | Mitigates | T1218.007 | Msiexec |
Comments
This diagnostic statement protects against Msiexec through the use of privileged account management and the use of multi-factor authentication.
|
PR.AA-05.02 | Privileged system access | Mitigates | T1222 | File and Directory Permissions Modification |
Comments
This diagnostic statement protects against File and Directory Permissions Modification through the use of privileged account management and the use of multi-factor authentication.
|
PR.AA-05.02 | Privileged system access | Mitigates | T1222.001 | Windows File and Directory Permissions Modification |
Comments
This diagnostic statement protects against Windows File and Directory Permissions Modification through the use of privileged account management and the use of multi-factor authentication.
|
PR.AA-05.02 | Privileged system access | Mitigates | T1222.002 | Linux and Mac File and Directory Permissions Modification |
Comments
This diagnostic statement protects against Linux and Mac File and Directory Permissions Modification through the use of privileged account management and the use of multi-factor authentication.
|
PR.AA-05.02 | Privileged system access | Mitigates | T1484 | Domain or Tenant Policy Modification |
Comments
This diagnostic statement protects against Domain or Tenant Policy Modification through the use of privileged account management and the use of multi-factor authentication.
|
PR.AA-05.02 | Privileged system access | Mitigates | T1484.002 | Trust Modification |
Comments
This diagnostic statement protects against Trust Modification through the use of privileged account management and the use of multi-factor authentication.
|
PR.AA-05.02 | Privileged system access | Mitigates | T1485 | Data Destruction |
Comments
This diagnostic statement protects against Data Destruction through the use of privileged account management and the use of multi-factor authentication.
|
PR.AA-05.02 | Privileged system access | Mitigates | T1495 | Firmware Corruption |
Comments
This diagnostic statement protects against Firmware Corruption through the use of privileged account management and the use of multi-factor authentication.
|
PR.AA-05.02 | Privileged system access | Mitigates | T1505 | Server Software Component |
Comments
This diagnostic statement protects against Server Software Component through the use of privileged account management and the use of multi-factor authentication.
|
PR.AA-05.02 | Privileged system access | Mitigates | T1505.001 | SQL Stored Procedures |
Comments
This diagnostic statement protects against SQL Stored Procedures through the use of privileged account management and the use of multi-factor authentication.
|
PR.AA-05.02 | Privileged system access | Mitigates | T1505.002 | Transport Agent |
Comments
This diagnostic statement protects against Transport Agent through the use of privileged account management and the use of multi-factor authentication.
|
PR.AA-05.02 | Privileged system access | Mitigates | T1505.004 | IIS Components |
Comments
This diagnostic statement protects against IIS Components through the use of privileged account management and the use of multi-factor authentication.
|
PR.AA-05.02 | Privileged system access | Mitigates | T1525 | Implant Internal Image |
Comments
This diagnostic statement protects against Implant Internal Image through the use of privileged account management and the use of multi-factor authentication.
|
PR.AA-05.02 | Privileged system access | Mitigates | T1530 | Data from Cloud Storage |
Comments
This diagnostic statement protects against Data from Cloud Storage through the use of privileged account management and the use of multi-factor authentication.
|
PR.AA-05.02 | Privileged system access | Mitigates | T1539 | Steal Web Session Cookie |
Comments
This diagnostic statement protects against Steal Web Session Cookie through the use of privileged account management and the use of multi-factor authentication.
|
PR.AA-05.02 | Privileged system access | Mitigates | T1542 | Pre-OS Boot |
Comments
This diagnostic statement protects against Pre-OS Boot through the use of privileged account management and the use of multi-factor authentication.
|