The CRI Profile is a control framework to develop and assess cybersecurity and resiliency programs, produced by and for the global financial sector and maintained by the Cyber Risk Institute (CRI). These mappings connect the security capability coverage of the CRI Profile's Diagnostic Statements with threat mitigation of real-world adversarial behaviors as described in MITRE ATT&CK. The connection of ATT&CK with the CRI Profile control program framework empowers threat-informed analysis and decision-making for cybersecurity control program design and implementation by the financial services sector.
CRI Profile Versions: v2.1 ATT&CK Versions: 16.1 ATT&CK Domain: Enterprise
Mapping Methodology | Mapping Scope | The CRI Profile (External link)
| ID | Capability Group Name | Number of Mappings | Number of Capabilities |
|---|---|---|---|
| ID.AM | Identify: Asset Management | 50 | 2 |
| ID.RA | Identify: Risk Assessment | 11 | 1 |
| ID.IM | Identify: Improvement | 15 | 1 |
| PR.AA | Protect: Identity Management, Authentication, Access Control | 511 | 10 |
| PR.DS | Protect: Data Security | 59 | 6 |
| PR.PS | Protect: Platform Security | 671 | 16 |
| PR.IR | Protect: Technology Infrastructure Resilience | 525 | 11 |
| DE.CM | Detect: Continuous Monitoring | 263 | 10 |
| DE.AE | Detect: Adverse Event Analysis | 81 | 1 |
| EX.DD | Extend: Procurement Planning and Due Diligence | 12 | 1 |
| EX.MM | Extend: Monitoring and Managing Suppliers | 11 | 1 |
| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| DE.AE-02.01 | Event analysis and detection | Mitigates | T1102.001 | Dead Drop Resolver |
Comments
This diagnostic statement provides for implementation of methods to block similar future attacks via security tools such as antivirus and IDS/IPS to provide protection against threats and exploitation attempts.
|
| DE.AE-02.01 | Event analysis and detection | Mitigates | T1102.002 | Bidirectional Communication |
Comments
This diagnostic statement provides for implementation of methods to block similar future attacks via security tools such as antivirus and IDS/IPS to provide protection against threats and exploitation attempts.
|
| DE.AE-02.01 | Event analysis and detection | Mitigates | T1102.003 | One-Way Communication |
Comments
This diagnostic statement provides for implementation of methods to block similar future attacks via security tools such as antivirus and IDS/IPS to provide protection against threats and exploitation attempts.
|
| DE.AE-02.01 | Event analysis and detection | Mitigates | T1102 | Web Service |
Comments
This diagnostic statement provides for implementation of methods to block similar future attacks via security tools such as antivirus and IDS/IPS to provide protection against threats and exploitation attempts.
|
| DE.AE-02.01 | Event analysis and detection | Mitigates | T1204.001 | Malicious Link |
Comments
This diagnostic statement provides for implementation of methods to block similar future attacks via security tools such as antivirus and IDS/IPS to provide protection against threats and exploitation attempts.
|
| DE.AE-02.01 | Event analysis and detection | Mitigates | T1204.002 | Malicious File |
Comments
This diagnostic statement provides for implementation of methods to block similar future attacks via security tools such as antivirus and IDS/IPS to provide protection against threats and exploitation attempts.
|
| DE.AE-02.01 | Event analysis and detection | Mitigates | T1204.003 | Malicious Image |
Comments
This diagnostic statement provides for implementation of methods to block similar future attacks via security tools such as antivirus and IDS/IPS to provide protection against threats and exploitation attempts.
|
| DE.AE-02.01 | Event analysis and detection | Mitigates | T1204 | User Execution |
Comments
This diagnostic statement provides for implementation of methods to block similar future attacks via security tools such as antivirus and IDS/IPS to provide protection against threats and exploitation attempts.
|
| DE.AE-02.01 | Event analysis and detection | Mitigates | T1029 | Scheduled Transfer |
Comments
This diagnostic statement provides for implementation of methods to block similar future attacks via security tools such as antivirus and IDS/IPS to provide protection against threats and exploitation attempts.
|
| DE.AE-02.01 | Event analysis and detection | Mitigates | T1090.001 | Internal Proxy |
Comments
This diagnostic statement provides for implementation of methods to block similar future attacks via security tools such as antivirus and IDS/IPS to provide protection against threats and exploitation attempts.
|
| DE.AE-02.01 | Event analysis and detection | Mitigates | T1090.002 | External Proxy |
Comments
This diagnostic statement provides for implementation of methods to block similar future attacks via security tools such as antivirus and IDS/IPS to provide protection against threats and exploitation attempts.
|
| DE.AE-02.01 | Event analysis and detection | Mitigates | T1090 | Proxy |
Comments
This diagnostic statement provides for implementation of methods to block similar future attacks via security tools such as antivirus and IDS/IPS to provide protection against threats and exploitation attempts.
|
| DE.AE-02.01 | Event analysis and detection | Mitigates | T1572 | Protocol Tunneling |
Comments
This diagnostic statement provides for implementation of methods to block similar future attacks via security tools such as antivirus and IDS/IPS to provide protection against threats and exploitation attempts.
|
| DE.AE-02.01 | Event analysis and detection | Mitigates | T1542.005 | TFTP Boot |
Comments
This diagnostic statement provides for implementation of methods to block similar future attacks via security tools such as antivirus and IDS/IPS to provide protection against threats and exploitation attempts.
|
| DE.AE-02.01 | Event analysis and detection | Mitigates | T1542.004 | ROMMONkit |
Comments
This diagnostic statement provides for implementation of methods to block similar future attacks via security tools such as antivirus and IDS/IPS to provide protection against threats and exploitation attempts.
|
| DE.AE-02.01 | Event analysis and detection | Mitigates | T1571 | Non-Standard Port |
Comments
This diagnostic statement provides for implementation of methods to block similar future attacks via security tools such as antivirus and IDS/IPS to provide protection against threats and exploitation attempts.
|
| DE.AE-02.01 | Event analysis and detection | Mitigates | T1095 | Non-Application Layer Protocol |
Comments
This diagnostic statement provides for implementation of methods to block similar future attacks via security tools such as antivirus and IDS/IPS to provide protection against threats and exploitation attempts.
|
| DE.AE-02.01 | Event analysis and detection | Mitigates | T1104 | Multi-Stage Channels |
Comments
This diagnostic statement provides for implementation of methods to block similar future attacks via security tools such as antivirus and IDS/IPS to provide protection against threats and exploitation attempts.
|
| DE.AE-02.01 | Event analysis and detection | Mitigates | T1570 | Lateral Tool Transfer |
Comments
This diagnostic statement provides for implementation of methods to block similar future attacks via security tools such as antivirus and IDS/IPS to provide protection against threats and exploitation attempts.
|
| DE.AE-02.01 | Event analysis and detection | Mitigates | T1105 | Ingress Tool Transfer |
Comments
This diagnostic statement provides for implementation of methods to block similar future attacks via security tools such as antivirus and IDS/IPS to provide protection against threats and exploitation attempts.
|
| DE.AE-02.01 | Event analysis and detection | Mitigates | T1008 | Fallback Channels |
Comments
This diagnostic statement provides for implementation of methods to block similar future attacks via security tools such as antivirus and IDS/IPS to provide protection against threats and exploitation attempts.
|
| DE.AE-02.01 | Event analysis and detection | Mitigates | T1573.001 | Symmetric Cryptography |
Comments
This diagnostic statement provides for implementation of methods to block similar future attacks via security tools such as antivirus and IDS/IPS to provide protection against threats and exploitation attempts.
|
| DE.AE-02.01 | Event analysis and detection | Mitigates | T1573 | Encrypted Channel |
Comments
This diagnostic statement provides for implementation of methods to block similar future attacks via security tools such as antivirus and IDS/IPS to provide protection against threats and exploitation attempts.
|
| DE.AE-02.01 | Event analysis and detection | Mitigates | T1573.002 | Asymmetric Cryptography |
Comments
This diagnostic statement provides for implementation of methods to block similar future attacks via security tools such as antivirus and IDS/IPS to provide protection against threats and exploitation attempts.
|
| DE.AE-02.01 | Event analysis and detection | Mitigates | T1568.002 | Domain Generation Algorithms |
Comments
This diagnostic statement provides for implementation of methods to block similar future attacks via security tools such as antivirus and IDS/IPS to provide protection against threats and exploitation attempts.
|
| DE.AE-02.01 | Event analysis and detection | Mitigates | T1568 | Dynamic Resolution |
Comments
This diagnostic statement provides for implementation of methods to block similar future attacks via security tools such as antivirus and IDS/IPS to provide protection against threats and exploitation attempts.
|
| DE.AE-02.01 | Event analysis and detection | Mitigates | T1030 | Data Transfer Size Limits |
Comments
This diagnostic statement provides for implementation of methods to block similar future attacks via security tools such as antivirus and IDS/IPS to provide protection against threats and exploitation attempts.
|
| DE.AE-02.01 | Event analysis and detection | Mitigates | T1602.001 | SNMP (MIB Dump) |
Comments
This diagnostic statement provides for implementation of methods to block similar future attacks via security tools such as antivirus and IDS/IPS to provide protection against threats and exploitation attempts.
|
| DE.AE-02.01 | Event analysis and detection | Mitigates | T1602.002 | Network Device Configuration Dump |
Comments
This diagnostic statement provides for implementation of methods to block similar future attacks via security tools such as antivirus and IDS/IPS to provide protection against threats and exploitation attempts.
|
| DE.AE-02.01 | Event analysis and detection | Mitigates | T1602 | Data from Configuration Repository |
Comments
This diagnostic statement provides for implementation of methods to block similar future attacks via security tools such as antivirus and IDS/IPS to provide protection against threats and exploitation attempts.
|
| DE.AE-02.01 | Event analysis and detection | Mitigates | T1041 | Exfiltration Over C2 Channel |
Comments
This diagnostic statement provides for implementation of methods to block similar future attacks via security tools such as antivirus and IDS/IPS to provide protection against threats and exploitation attempts.
|
| DE.AE-02.01 | Event analysis and detection | Mitigates | T1048 | Exfiltration Over Alternative Protocol |
Comments
This diagnostic statement provides for implementation of methods to block similar future attacks via security tools such as antivirus and IDS/IPS to provide protection against threats and exploitation attempts.
|
| DE.AE-02.01 | Event analysis and detection | Mitigates | T1048.001 | Exfiltration Over Symmetric Encrypted Non-C2 Protocol |
Comments
This diagnostic statement provides for implementation of methods to block similar future attacks via security tools such as antivirus and IDS/IPS to provide protection against threats and exploitation attempts.
|
| DE.AE-02.01 | Event analysis and detection | Mitigates | T1048.002 | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol |
Comments
This diagnostic statement provides for implementation of methods to block similar future attacks via security tools such as antivirus and IDS/IPS to provide protection against threats and exploitation attempts.
|
| DE.AE-02.01 | Event analysis and detection | Mitigates | T1048.003 | Exfiltration Over Unencrypted Non-C2 Protocol |
Comments
This diagnostic statement provides for implementation of methods to block similar future attacks via security tools such as antivirus and IDS/IPS to provide protection against threats and exploitation attempts.
|
| DE.AE-02.01 | Event analysis and detection | Mitigates | T1132.002 | Non-Standard Encoding |
Comments
This diagnostic statement provides for implementation of methods to block similar future attacks via security tools such as antivirus and IDS/IPS to provide protection against threats and exploitation attempts.
|
| DE.AE-02.01 | Event analysis and detection | Mitigates | T1132.001 | Standard Encoding |
Comments
This diagnostic statement provides for implementation of methods to block similar future attacks via security tools such as antivirus and IDS/IPS to provide protection against threats and exploitation attempts.
|
| DE.AE-02.01 | Event analysis and detection | Mitigates | T1132 | Data Encoding |
Comments
This diagnostic statement provides for implementation of methods to block similar future attacks via security tools such as antivirus and IDS/IPS to provide protection against threats and exploitation attempts.
|
| DE.AE-02.01 | Event analysis and detection | Mitigates | T1071.005 | Publish/Subscribe Protocols |
Comments
This diagnostic statement provides for implementation of methods to block similar future attacks via security tools such as antivirus and IDS/IPS to provide protection against threats and exploitation attempts.
|
| DE.AE-02.01 | Event analysis and detection | Mitigates | T1071.001 | Web Protocols |
Comments
This diagnostic statement provides for implementation of methods to block similar future attacks via security tools such as antivirus and IDS/IPS to provide protection against threats and exploitation attempts.
|
| DE.AE-02.01 | Event analysis and detection | Mitigates | T1071.002 | File Transfer Protocols |
Comments
This diagnostic statement provides for implementation of methods to block similar future attacks via security tools such as antivirus and IDS/IPS to provide protection against threats and exploitation attempts.
|
| DE.AE-02.01 | Event analysis and detection | Mitigates | T1071.003 | Mail Protocols |
Comments
This diagnostic statement provides for implementation of methods to block similar future attacks via security tools such as antivirus and IDS/IPS to provide protection against threats and exploitation attempts.
|
| DE.AE-02.01 | Event analysis and detection | Mitigates | T1071.004 | DNS |
Comments
This diagnostic statement provides for implementation of methods to block similar future attacks via security tools such as antivirus and IDS/IPS to provide protection against threats and exploitation attempts.
|
| DE.AE-02.01 | Event analysis and detection | Mitigates | T1071 | Application Layer Protocol |
Comments
This diagnostic statement provides for implementation of methods to block similar future attacks via security tools such as antivirus and IDS/IPS to provide protection against threats and exploitation attempts.
|
| DE.AE-02.01 | Event analysis and detection | Mitigates | T1557.004 | Evil Twin |
Comments
This diagnostic statement provides for implementation of methods to block similar future attacks via security tools such as antivirus and IDS/IPS to provide protection against threats and exploitation attempts.
|
| DE.AE-02.01 | Event analysis and detection | Mitigates | T1557.001 | LLMNR/NBT-NS Poisoning and SMB Relay |
Comments
This diagnostic statement provides for implementation of methods to block similar future attacks via security tools such as antivirus and IDS/IPS to provide protection against threats and exploitation attempts.
|
| DE.AE-02.01 | Event analysis and detection | Mitigates | T1557.003 | DHCP Spoofing |
Comments
This diagnostic statement provides for implementation of methods to block similar future attacks via security tools such as antivirus and IDS/IPS to provide protection against threats and exploitation attempts.
|
| DE.AE-02.01 | Event analysis and detection | Mitigates | T1557 | Adversary-in-the-Middle |
Comments
This diagnostic statement provides for implementation of methods to block similar future attacks via security tools such as antivirus and IDS/IPS to provide protection against threats and exploitation attempts.
|
| DE.AE-02.01 | Event analysis and detection | Mitigates | T1557.002 | ARP Cache Poisoning |
Comments
This diagnostic statement provides for implementation of methods to block similar future attacks via security tools such as antivirus and IDS/IPS to provide protection against threats and exploitation attempts.
|
| DE.AE-02.01 | Event analysis and detection | Mitigates | T1219 | Remote Access Software |
Comments
This diagnostic statement provides for implementation of methods to block similar future attacks via security tools such as antivirus and IDS/IPS to provide protection against threats and exploitation attempts.
|
| DE.AE-02.01 | Event analysis and detection | Mitigates | T1218.015 | Electron Applications |
Comments
This diagnostic statement provides for implementation of methods to block similar future attacks via security tools such as antivirus and IDS/IPS to provide protection against threats and exploitation attempts.
|
| DE.AE-02.01 | Event analysis and detection | Mitigates | T1218.010 | Regsvr32 |
Comments
This diagnostic statement provides for implementation of methods to block similar future attacks via security tools such as antivirus and IDS/IPS to provide protection against threats and exploitation attempts.
|
| DE.AE-02.01 | Event analysis and detection | Mitigates | T1218.011 | Rundll32 |
Comments
This diagnostic statement provides for implementation of methods to block similar future attacks via security tools such as antivirus and IDS/IPS to provide protection against threats and exploitation attempts.
|
| DE.AE-02.01 | Event analysis and detection | Mitigates | T1218 | System Binary Proxy Execution |
Comments
This diagnostic statement provides for implementation of methods to block similar future attacks via security tools such as antivirus and IDS/IPS to provide protection against threats and exploitation attempts.
|
| DE.AE-02.01 | Event analysis and detection | Mitigates | T1210 | Exploitation of Remote Services |
Comments
This diagnostic statement provides for implementation of methods to block similar future attacks via security tools such as antivirus and IDS/IPS to provide protection against threats and exploitation attempts.
|
| DE.AE-02.01 | Event analysis and detection | Mitigates | T1068 | Exploitation for Privilege Escalation |
Comments
This diagnostic statement provides for implementation of methods to block similar future attacks via security tools such as antivirus and IDS/IPS to provide protection against threats and exploitation attempts.
|
| DE.AE-02.01 | Event analysis and detection | Mitigates | T1211 | Exploitation for Defense Evasion |
Comments
This diagnostic statement provides for implementation of methods to block similar future attacks via security tools such as antivirus and IDS/IPS to provide protection against threats and exploitation attempts.
|
| DE.AE-02.01 | Event analysis and detection | Mitigates | T1212 | Exploitation for Credential Access |
Comments
This diagnostic statement provides for implementation of methods to block similar future attacks via security tools such as antivirus and IDS/IPS to provide protection against threats and exploitation attempts.
|
| DE.AE-02.01 | Event analysis and detection | Mitigates | T1203 | Exploitation for Client Execution |
Comments
This diagnostic statement provides for implementation of methods to block similar future attacks via security tools such as antivirus and IDS/IPS to provide protection against threats and exploitation attempts.
|
| DE.AE-02.01 | Event analysis and detection | Mitigates | T1189 | Drive-by Compromise |
Comments
This diagnostic statement provides for implementation of methods to block similar future attacks via security tools such as antivirus and IDS/IPS to provide protection against threats and exploitation attempts.
|
| DE.AE-02.01 | Event analysis and detection | Mitigates | T1221 | Template Injection |
Comments
This diagnostic statement provides for implementation of methods to block similar future attacks via security tools such as antivirus and IDS/IPS to provide protection against threats and exploitation attempts.
|
| DE.AE-02.01 | Event analysis and detection | Mitigates | T1080 | Taint Shared Content |
Comments
This diagnostic statement provides for implementation of methods to block similar future attacks via security tools such as antivirus and IDS/IPS to provide protection against threats and exploitation attempts.
|
| DE.AE-02.01 | Event analysis and detection | Mitigates | T1027.002 | Software Packing |
Comments
This diagnostic statement provides for implementation of methods to block similar future attacks via security tools such as antivirus and IDS/IPS to provide protection against threats and exploitation attempts.
|
| DE.AE-02.01 | Event analysis and detection | Mitigates | T1027.013 | Encrypted/Encoded File |
Comments
This diagnostic statement provides for implementation of methods to block similar future attacks via security tools such as antivirus and IDS/IPS to provide protection against threats and exploitation attempts.
|
| DE.AE-02.01 | Event analysis and detection | Mitigates | T1027.014 | Polymorphic Code |
Comments
This diagnostic statement provides for implementation of methods to block similar future attacks via security tools such as antivirus and IDS/IPS to provide protection against threats and exploitation attempts.
|
| DE.AE-02.01 | Event analysis and detection | Mitigates | T1566 | Phishing |
Comments
This diagnostic statement provides for implementation of methods to block similar future attacks via security tools such as antivirus and IDS/IPS to provide protection against threats and exploitation attempts.
|
| DE.AE-02.01 | Event analysis and detection | Mitigates | T1566.001 | Spearphishing Attachment |
Comments
This diagnostic statement provides for implementation of methods to block similar future attacks via security tools such as antivirus and IDS/IPS to provide protection against threats and exploitation attempts.
|
| DE.AE-02.01 | Event analysis and detection | Mitigates | T1566.003 | Spearphishing via Service |
Comments
This diagnostic statement provides for implementation of methods to block similar future attacks via security tools such as antivirus and IDS/IPS to provide protection against threats and exploitation attempts.
|
| DE.AE-02.01 | Event analysis and detection | Mitigates | T1027 | Obfuscated Files or Information |
Comments
This diagnostic statement provides for implementation of methods to block similar future attacks via security tools such as antivirus and IDS/IPS to provide protection against threats and exploitation attempts.
|
| DE.AE-02.01 | Event analysis and detection | Mitigates | T1027.012 | LNK Icon Smuggling |
Comments
This diagnostic statement provides for implementation of methods to block similar future attacks via security tools such as antivirus and IDS/IPS to provide protection against threats and exploitation attempts.
|
| DE.AE-02.01 | Event analysis and detection | Mitigates | T1027.009 | Embedded Payloads |
Comments
This diagnostic statement provides for implementation of methods to block similar future attacks via security tools such as antivirus and IDS/IPS to provide protection against threats and exploitation attempts.
|
| DE.AE-02.01 | Event analysis and detection | Mitigates | T1036 | Masquerading |
Comments
This diagnostic statement provides for implementation of methods to block similar future attacks via security tools such as antivirus and IDS/IPS to provide protection against threats and exploitation attempts.
|
| DE.AE-02.01 | Event analysis and detection | Mitigates | T1036.008 | Masquerade File Type |
Comments
This diagnostic statement provides for implementation of methods to block similar future attacks via security tools such as antivirus and IDS/IPS to provide protection against threats and exploitation attempts.
|
| DE.AE-02.01 | Event analysis and detection | Mitigates | T1059.001 | PowerShell |
Comments
This diagnostic statement provides for implementation of methods to block similar future attacks via security tools such as antivirus and IDS/IPS to provide protection against threats and exploitation attempts.
|
| DE.AE-02.01 | Event analysis and detection | Mitigates | T1059.005 | Visual Basic |
Comments
This diagnostic statement provides for implementation of methods to block similar future attacks via security tools such as antivirus and IDS/IPS to provide protection against threats and exploitation attempts.
|
| DE.AE-02.01 | Event analysis and detection | Mitigates | T1059.006 | Python |
Comments
This diagnostic statement provides for implementation of methods to block similar future attacks via security tools such as antivirus and IDS/IPS to provide protection against threats and exploitation attempts.
|
| DE.AE-02.01 | Event analysis and detection | Mitigates | T1059 | Command and Scripting Interpreter |
Comments
This diagnostic statement provides for implementation of methods to block similar future attacks via security tools such as antivirus and IDS/IPS to provide protection against threats and exploitation attempts.
|
| DE.AE-02.01 | Event analysis and detection | Mitigates | T1001.002 | Steganography |
Comments
This diagnostic statement provides for implementation of methods to block similar future attacks via security tools such as antivirus and IDS/IPS to provide protection against threats and exploitation attempts.
|
| DE.AE-02.01 | Event analysis and detection | Mitigates | T1001.001 | Junk Data |
Comments
This diagnostic statement provides for implementation of methods to block similar future attacks via security tools such as antivirus and IDS/IPS to provide protection against threats and exploitation attempts.
|
| DE.AE-02.01 | Event analysis and detection | Mitigates | T1001.003 | Protocol or Service Impersonation |
Comments
This diagnostic statement provides for implementation of methods to block similar future attacks via security tools such as antivirus and IDS/IPS to provide protection against threats and exploitation attempts.
|
| DE.AE-02.01 | Event analysis and detection | Mitigates | T1001 | Data Obfuscation |
Comments
This diagnostic statement provides for implementation of methods to block similar future attacks via security tools such as antivirus and IDS/IPS to provide protection against threats and exploitation attempts.
|
| PR.IR-01.08 | End-user device access | Mitigates | T1006 | Direct Volume Access |
Comments
This diagnostic statement implements technical controls (e.g., VPN, antivirus software) to address the risks of end-user personal computing devices accessing the organization’s network and resources.
|
| PR.IR-01.08 | End-user device access | Mitigates | T1221 | Template Injection |
Comments
This diagnostic statement implements technical controls (e.g., VPN, antivirus software) to address the risks of end-user personal computing devices accessing the organization’s network and resources.
|
| PR.IR-01.08 | End-user device access | Mitigates | T1027.002 | Software Packing |
Comments
This diagnostic statement implements technical controls (e.g., VPN, antivirus software) to address the risks of end-user personal computing devices accessing the organization’s network and resources.
|
| PR.IR-01.08 | End-user device access | Mitigates | T1080 | Taint Shared Content |
Comments
This diagnostic statement implements technical controls (e.g., VPN, antivirus software) to address the risks of end-user personal computing devices accessing the organization’s network and resources.
|
| PR.IR-01.08 | End-user device access | Mitigates | T1027.014 | Polymorphic Code |
Comments
This diagnostic statement implements technical controls (e.g., VPN, antivirus software) to address the risks of end-user personal computing devices accessing the organization’s network and resources.
|
| PR.IR-01.08 | End-user device access | Mitigates | T1027.013 | Encrypted/Encoded File |
Comments
This diagnostic statement implements technical controls (e.g., VPN, antivirus software) to address the risks of end-user personal computing devices accessing the organization’s network and resources.
|
| PR.IR-01.08 | End-user device access | Mitigates | T1027.012 | LNK Icon Smuggling |
Comments
This diagnostic statement implements technical controls (e.g., VPN, antivirus software) to address the risks of end-user personal computing devices accessing the organization’s network and resources.
|
| PR.IR-01.08 | End-user device access | Mitigates | T1027.010 | Command Obfuscation |
Comments
This diagnostic statement implements technical controls (e.g., VPN, antivirus software) to address the risks of end-user personal computing devices accessing the organization’s network and resources.
|
| PR.IR-01.08 | End-user device access | Mitigates | T1027.009 | Embedded Payloads |
Comments
This diagnostic statement implements technical controls (e.g., VPN, antivirus software) to address the risks of end-user personal computing devices accessing the organization’s network and resources.
|
| PR.IR-01.08 | End-user device access | Mitigates | T1027 | Obfuscated Files or Information |
Comments
This diagnostic statement implements technical controls (e.g., VPN, antivirus software) to address the risks of end-user personal computing devices accessing the organization’s network and resources.
|
| PR.IR-01.08 | End-user device access | Mitigates | T1036.008 | Masquerade File Type |
Comments
This diagnostic statement implements technical controls (e.g., VPN, antivirus software) to address the risks of end-user personal computing devices accessing the organization’s network and resources.
|
| PR.IR-01.08 | End-user device access | Mitigates | T1036 | Masquerading |
Comments
This diagnostic statement implements technical controls (e.g., VPN, antivirus software) to address the risks of end-user personal computing devices accessing the organization’s network and resources.
|
| PR.IR-01.08 | End-user device access | Mitigates | T1564 | Hide Artifacts |
Comments
This diagnostic statement implements technical controls (e.g., VPN, antivirus software) to address the risks of end-user personal computing devices accessing the organization’s network and resources.
|
| PR.IR-01.08 | End-user device access | Mitigates | T1564.012 | File/Path Exclusions |
Comments
This diagnostic statement implements technical controls (e.g., VPN, antivirus software) to address the risks of end-user personal computing devices accessing the organization’s network and resources.
|
| PR.IR-01.08 | End-user device access | Mitigates | T1059 | Command and Scripting Interpreter |
Comments
This diagnostic statement implements technical controls (e.g., VPN, antivirus software) to address the risks of end-user personal computing devices accessing the organization’s network and resources.
|
| PR.IR-01.08 | End-user device access | Mitigates | T1059.001 | PowerShell |
Comments
This diagnostic statement implements technical controls (e.g., VPN, antivirus software) to address the risks of end-user personal computing devices accessing the organization’s network and resources.
|
| PR.IR-01.08 | End-user device access | Mitigates | T1059.005 | Visual Basic |
Comments
This diagnostic statement implements technical controls (e.g., VPN, antivirus software) to address the risks of end-user personal computing devices accessing the organization’s network and resources.
|
| PR.IR-01.08 | End-user device access | Mitigates | T1059.006 | Python |
Comments
This diagnostic statement implements technical controls (e.g., VPN, antivirus software) to address the risks of end-user personal computing devices accessing the organization’s network and resources.
|
| PR.IR-01.05 | Remote access protection | Mitigates | T1078.001 | Default Accounts |
Comments
This diagnostic statement implements security controls and restrictions for remote user access to systems. Remote user access control involves managing and securing how users remotely access systems, such as through encrypted connections and account use policies, which help prevent adversary access.
|
| PR.IR-01.05 | Remote access protection | Mitigates | T1078.002 | Domain Accounts |
Comments
This diagnostic statement implements security controls and restrictions for remote user access to systems. Remote user access control involves managing and securing how users remotely access systems, such as through encrypted connections and account use policies, which help prevent adversary access.
|
| PR.IR-01.05 | Remote access protection | Mitigates | T1199 | Trusted Relationship |
Comments
This diagnostic statement implements security controls and restrictions for remote user access to systems. Remote user access control involves managing and securing how users remotely access systems, such as through encrypted connections and account use policies, which help prevent adversary access.
|
| PR.IR-01.05 | Remote access protection | Mitigates | T1021.007 | Cloud Services |
Comments
This diagnostic statement implements security controls and restrictions for remote user access to systems. Remote user access control involves managing and securing how users remotely access systems, such as through encrypted connections and account use policies, which help prevent adversary access.
|
| PR.IR-01.05 | Remote access protection | Mitigates | T1021.008 | Direct Cloud VM Connections |
Comments
This diagnostic statement implements security controls and restrictions for remote user access to systems. Remote user access control involves managing and securing how users remotely access systems, such as through encrypted connections and account use policies, which help prevent adversary access.
|
| PR.IR-01.05 | Remote access protection | Mitigates | T1021.002 | SMB/Windows Admin Shares |
Comments
This diagnostic statement implements security controls and restrictions for remote user access to systems. Remote user access control involves managing and securing how users remotely access systems, such as through encrypted connections and account use policies, which help prevent adversary access.
|
| PR.IR-01.05 | Remote access protection | Mitigates | T1021.004 | SSH |
Comments
This diagnostic statement implements security controls and restrictions for remote user access to systems. Remote user access control involves managing and securing how users remotely access systems, such as through encrypted connections and account use policies, which help prevent adversary access.
|
| PR.IR-01.05 | Remote access protection | Mitigates | T1021.006 | Windows Remote Management |
Comments
This diagnostic statement implements security controls and restrictions for remote user access to systems. Remote user access control involves managing and securing how users remotely access systems, such as through encrypted connections and account use policies, which help prevent adversary access.
|
| PR.IR-01.05 | Remote access protection | Mitigates | T1021.005 | VNC |
Comments
This diagnostic statement implements security controls and restrictions for remote user access to systems. Remote user access control involves managing and securing how users remotely access systems, such as through encrypted connections and account use policies, which help prevent adversary access.
|
| PR.IR-01.05 | Remote access protection | Mitigates | T1021.003 | Distributed Component Object Model |
Comments
This diagnostic statement implements security controls and restrictions for remote user access to systems. Remote user access control involves managing and securing how users remotely access systems, such as through encrypted connections and account use policies, which help prevent adversary access.
|
| PR.IR-01.05 | Remote access protection | Mitigates | T1021.001 | Remote Desktop Protocol |
Comments
This diagnostic statement implements security controls and restrictions for remote user access to systems. Remote user access control involves managing and securing how users remotely access systems, such as through encrypted connections and account use policies, which help prevent adversary access.
|
| PR.IR-01.05 | Remote access protection | Mitigates | T1021 | Remote Services |
Comments
This diagnostic statement implements security controls and restrictions for remote user access to systems. Remote user access control involves managing and securing how users remotely access systems, such as through encrypted connections and account use policies, which help prevent adversary access.
|
| PR.IR-01.05 | Remote access protection | Mitigates | T1021 | Remote Services |
Comments
This diagnostic statement implements security controls and restrictions for remote user access to systems. Remote user access control involves managing and securing how users remotely access systems, such as through encrypted connections and account use policies, which help prevent adversary access.
|
| PR.IR-01.05 | Remote access protection | Mitigates | T1021 | Remote Services |
Comments
This diagnostic statement implements security controls and restrictions for remote user access to systems. Remote user access control involves managing and securing how users remotely access systems, such as through encrypted connections and account use policies, which help prevent adversary access.
|
| PR.IR-01.05 | Remote access protection | Mitigates | T1556.006 | Multi-Factor Authentication |
Comments
This diagnostic statement implements security controls and restrictions for remote user access to systems. Remote user access control involves managing and securing how users remotely access systems, such as through encrypted connections and account use policies, which help prevent adversary access.
|
| PR.IR-01.05 | Remote access protection | Mitigates | T1133 | External Remote Services |
Comments
This diagnostic statement implements security controls and restrictions for remote user access to systems. Remote user access control involves managing and securing how users remotely access systems, such as through encrypted connections and account use policies, which help prevent adversary access.
|
| PR.IR-01.05 | Remote access protection | Mitigates | T1136.001 | Local Account |
Comments
This diagnostic statement implements security controls and restrictions for remote user access to systems. Remote user access control involves managing and securing how users remotely access systems, such as through encrypted connections and account use policies, which help prevent adversary access.
|
| PR.IR-01.05 | Remote access protection | Mitigates | T1136.002 | Domain Account |
Comments
This diagnostic statement implements security controls and restrictions for remote user access to systems. Remote user access control involves managing and securing how users remotely access systems, such as through encrypted connections and account use policies, which help prevent adversary access.
|
| PR.IR-01.05 | Remote access protection | Mitigates | T1136.003 | Cloud Account |
Comments
This diagnostic statement implements security controls and restrictions for remote user access to systems. Remote user access control involves managing and securing how users remotely access systems, such as through encrypted connections and account use policies, which help prevent adversary access.
|
| PR.IR-01.05 | Remote access protection | Mitigates | T1136 | Create Account |
Comments
This diagnostic statement implements security controls and restrictions for remote user access to systems. Remote user access control involves managing and securing how users remotely access systems, such as through encrypted connections and account use policies, which help prevent adversary access.
|
| PR.IR-01.05 | Remote access protection | Mitigates | T1098.006 | Additional Container Cluster Roles |
Comments
This diagnostic statement implements security controls and restrictions for remote user access to systems. Remote user access control involves managing and securing how users remotely access systems, such as through encrypted connections and account use policies, which help prevent adversary access.
|
| PR.IR-01.05 | Remote access protection | Mitigates | T1098.001 | Additional Cloud Credentials |
Comments
This diagnostic statement implements security controls and restrictions for remote user access to systems. Remote user access control involves managing and securing how users remotely access systems, such as through encrypted connections and account use policies, which help prevent adversary access.
|
| PR.IR-01.05 | Remote access protection | Mitigates | T1098.002 | Additional Email Delegate Permissions |
Comments
This diagnostic statement implements security controls and restrictions for remote user access to systems. Remote user access control involves managing and securing how users remotely access systems, such as through encrypted connections and account use policies, which help prevent adversary access.
|
| PR.IR-01.05 | Remote access protection | Mitigates | T1098.003 | Additional Cloud Roles |
Comments
This diagnostic statement implements security controls and restrictions for remote user access to systems. Remote user access control involves managing and securing how users remotely access systems, such as through encrypted connections and account use policies, which help prevent adversary access.
|
| PR.IR-01.05 | Remote access protection | Mitigates | T1098 | Account Manipulation |
Comments
This diagnostic statement implements security controls and restrictions for remote user access to systems. Remote user access control involves managing and securing how users remotely access systems, such as through encrypted connections and account use policies, which help prevent adversary access.
|
| PR.IR-01.05 | Remote access protection | Mitigates | T1078 | Valid Accounts |
Comments
This diagnostic statement implements security controls and restrictions for remote user access to systems. Remote user access control involves managing and securing how users remotely access systems, such as through encrypted connections and account use policies, which help prevent adversary access.
|
| PR.IR-01.05 | Remote access protection | Mitigates | T1078.004 | Cloud Accounts |
Comments
This diagnostic statement implements security controls and restrictions for remote user access to systems. Remote user access control involves managing and securing how users remotely access systems, such as through encrypted connections and account use policies, which help prevent adversary access.
|
| PR.IR-01.05 | Remote access protection | Mitigates | T1110.001 | Password Guessing |
Comments
This diagnostic statement implements security controls and restrictions for remote user access to systems. Remote user access control involves managing and securing how users remotely access systems, such as through encrypted connections and account use policies, which help prevent adversary access.
|
| PR.IR-01.05 | Remote access protection | Mitigates | T1110.003 | Password Spraying |
Comments
This diagnostic statement implements security controls and restrictions for remote user access to systems. Remote user access control involves managing and securing how users remotely access systems, such as through encrypted connections and account use policies, which help prevent adversary access.
|
| PR.IR-01.05 | Remote access protection | Mitigates | T1110.004 | Credential Stuffing |
Comments
This diagnostic statement implements security controls and restrictions for remote user access to systems. Remote user access control involves managing and securing how users remotely access systems, such as through encrypted connections and account use policies, which help prevent adversary access.
|
| PR.IR-01.05 | Remote access protection | Mitigates | T1651 | Cloud Administration Command |
Comments
This diagnostic statement implements security controls and restrictions for remote user access to systems. Remote user access control involves managing and securing how users remotely access systems, such as through encrypted connections and account use policies, which help prevent adversary access.
|
| PR.IR-01.05 | Remote access protection | Mitigates | T1648 | Serverless Execution |
Comments
This diagnostic statement implements security controls and restrictions for remote user access to systems. Remote user access control involves managing and securing how users remotely access systems, such as through encrypted connections and account use policies, which help prevent adversary access.
|
| PR.IR-01.05 | Remote access protection | Mitigates | T1110 | Brute Force |
Comments
This diagnostic statement implements security controls and restrictions for remote user access to systems. Remote user access control involves managing and securing how users remotely access systems, such as through encrypted connections and account use policies, which help prevent adversary access.
|
| PR.IR-01.05 | Remote access protection | Mitigates | T1606.002 | SAML Tokens |
Comments
This diagnostic statement implements security controls and restrictions for remote user access to systems. Remote user access control involves managing and securing how users remotely access systems, such as through encrypted connections and account use policies, which help prevent adversary access.
|
| PR.IR-01.05 | Remote access protection | Mitigates | T1606 | Forge Web Credentials |
Comments
This diagnostic statement implements security controls and restrictions for remote user access to systems. Remote user access control involves managing and securing how users remotely access systems, such as through encrypted connections and account use policies, which help prevent adversary access.
|
| PR.IR-01.05 | Remote access protection | Mitigates | T1601.002 | Downgrade System Image |
Comments
This diagnostic statement implements security controls and restrictions for remote user access to systems. Remote user access control involves managing and securing how users remotely access systems, such as through encrypted connections and account use policies, which help prevent adversary access.
|
| PR.IR-01.05 | Remote access protection | Mitigates | T1601.001 | Patch System Image |
Comments
This diagnostic statement implements security controls and restrictions for remote user access to systems. Remote user access control involves managing and securing how users remotely access systems, such as through encrypted connections and account use policies, which help prevent adversary access.
|
| PR.IR-01.05 | Remote access protection | Mitigates | T1601 | Modify System Image |
Comments
This diagnostic statement implements security controls and restrictions for remote user access to systems. Remote user access control involves managing and securing how users remotely access systems, such as through encrypted connections and account use policies, which help prevent adversary access.
|
| PR.IR-01.05 | Remote access protection | Mitigates | T1569.002 | Service Execution |
Comments
This diagnostic statement implements security controls and restrictions for remote user access to systems. Remote user access control involves managing and securing how users remotely access systems, such as through encrypted connections and account use policies, which help prevent adversary access.
|
| PR.IR-01.05 | Remote access protection | Mitigates | T1569 | System Services |
Comments
This diagnostic statement implements security controls and restrictions for remote user access to systems. Remote user access control involves managing and securing how users remotely access systems, such as through encrypted connections and account use policies, which help prevent adversary access.
|
| PR.IR-01.05 | Remote access protection | Mitigates | T1563.001 | SSH Hijacking |
Comments
This diagnostic statement implements security controls and restrictions for remote user access to systems. Remote user access control involves managing and securing how users remotely access systems, such as through encrypted connections and account use policies, which help prevent adversary access.
|
| PR.IR-01.05 | Remote access protection | Mitigates | T1558.003 | Kerberoasting |
Comments
This diagnostic statement implements security controls and restrictions for remote user access to systems. Remote user access control involves managing and securing how users remotely access systems, such as through encrypted connections and account use policies, which help prevent adversary access.
|
| PR.IR-01.05 | Remote access protection | Mitigates | T1558.002 | Silver Ticket |
Comments
This diagnostic statement implements security controls and restrictions for remote user access to systems. Remote user access control involves managing and securing how users remotely access systems, such as through encrypted connections and account use policies, which help prevent adversary access.
|
| PR.IR-01.05 | Remote access protection | Mitigates | T1558.001 | Golden Ticket |
Comments
This diagnostic statement implements security controls and restrictions for remote user access to systems. Remote user access control involves managing and securing how users remotely access systems, such as through encrypted connections and account use policies, which help prevent adversary access.
|
| PR.IR-01.05 | Remote access protection | Mitigates | T1558 | Steal or Forge Kerberos Tickets |
Comments
This diagnostic statement implements security controls and restrictions for remote user access to systems. Remote user access control involves managing and securing how users remotely access systems, such as through encrypted connections and account use policies, which help prevent adversary access.
|
| PR.IR-01.05 | Remote access protection | Mitigates | T1556.007 | Hybrid Identity |
Comments
This diagnostic statement implements security controls and restrictions for remote user access to systems. Remote user access control involves managing and securing how users remotely access systems, such as through encrypted connections and account use policies, which help prevent adversary access.
|
| PR.IR-01.05 | Remote access protection | Mitigates | T1556.005 | Reversible Encryption |
Comments
This diagnostic statement implements security controls and restrictions for remote user access to systems. Remote user access control involves managing and securing how users remotely access systems, such as through encrypted connections and account use policies, which help prevent adversary access.
|
| PR.IR-01.05 | Remote access protection | Mitigates | T1556.003 | Pluggable Authentication Modules |
Comments
This diagnostic statement implements security controls and restrictions for remote user access to systems. Remote user access control involves managing and securing how users remotely access systems, such as through encrypted connections and account use policies, which help prevent adversary access.
|
| PR.IR-01.05 | Remote access protection | Mitigates | T1556.004 | Network Device Authentication |
Comments
This diagnostic statement implements security controls and restrictions for remote user access to systems. Remote user access control involves managing and securing how users remotely access systems, such as through encrypted connections and account use policies, which help prevent adversary access.
|
| PR.IR-01.05 | Remote access protection | Mitigates | T1543.002 | Systemd Service |
Comments
This diagnostic statement implements security controls and restrictions for remote user access to systems. Remote user access control involves managing and securing how users remotely access systems, such as through encrypted connections and account use policies, which help prevent adversary access.
|
| PR.IR-01.05 | Remote access protection | Mitigates | T1543 | Create or Modify System Process |
Comments
This diagnostic statement implements security controls and restrictions for remote user access to systems. Remote user access control involves managing and securing how users remotely access systems, such as through encrypted connections and account use policies, which help prevent adversary access.
|
| PR.IR-01.05 | Remote access protection | Mitigates | T1547.006 | Kernel Modules and Extensions |
Comments
This diagnostic statement implements security controls and restrictions for remote user access to systems. Remote user access control involves managing and securing how users remotely access systems, such as through encrypted connections and account use policies, which help prevent adversary access.
|
| PR.IR-01.05 | Remote access protection | Mitigates | T1548.002 | Bypass User Account Control |
Comments
This diagnostic statement implements security controls and restrictions for remote user access to systems. Remote user access control involves managing and securing how users remotely access systems, such as through encrypted connections and account use policies, which help prevent adversary access.
|
| PR.IR-01.05 | Remote access protection | Mitigates | T1548.003 | Sudo and Sudo Caching |
Comments
This diagnostic statement implements security controls and restrictions for remote user access to systems. Remote user access control involves managing and securing how users remotely access systems, such as through encrypted connections and account use policies, which help prevent adversary access.
|
| PR.IR-01.05 | Remote access protection | Mitigates | T1548.006 | TCC Manipulation |
Comments
This diagnostic statement implements security controls and restrictions for remote user access to systems. Remote user access control involves managing and securing how users remotely access systems, such as through encrypted connections and account use policies, which help prevent adversary access.
|
| PR.IR-01.05 | Remote access protection | Mitigates | T1548 | Abuse Elevation Control Mechanism |
Comments
This diagnostic statement implements security controls and restrictions for remote user access to systems. Remote user access control involves managing and securing how users remotely access systems, such as through encrypted connections and account use policies, which help prevent adversary access.
|
| PR.IR-01.05 | Remote access protection | Mitigates | T1484.002 | Trust Modification |
Comments
This diagnostic statement implements security controls and restrictions for remote user access to systems. Remote user access control involves managing and securing how users remotely access systems, such as through encrypted connections and account use policies, which help prevent adversary access.
|
| PR.IR-01.05 | Remote access protection | Mitigates | T1484.001 | Group Policy Modification |
Comments
This diagnostic statement implements security controls and restrictions for remote user access to systems. Remote user access control involves managing and securing how users remotely access systems, such as through encrypted connections and account use policies, which help prevent adversary access.
|
| PR.IR-01.05 | Remote access protection | Mitigates | T1484 | Domain or Tenant Policy Modification |
Comments
This diagnostic statement implements security controls and restrictions for remote user access to systems. Remote user access control involves managing and securing how users remotely access systems, such as through encrypted connections and account use policies, which help prevent adversary access.
|
| PR.IR-01.05 | Remote access protection | Mitigates | T1550 | Use Alternate Authentication Material |
Comments
This diagnostic statement implements security controls and restrictions for remote user access to systems. Remote user access control involves managing and securing how users remotely access systems, such as through encrypted connections and account use policies, which help prevent adversary access.
|
| PR.IR-01.05 | Remote access protection | Mitigates | T1542.001 | System Firmware |
Comments
This diagnostic statement implements security controls and restrictions for remote user access to systems. Remote user access control involves managing and securing how users remotely access systems, such as through encrypted connections and account use policies, which help prevent adversary access.
|
| PR.IR-01.05 | Remote access protection | Mitigates | T1542.003 | Bootkit |
Comments
This diagnostic statement implements security controls and restrictions for remote user access to systems. Remote user access control involves managing and securing how users remotely access systems, such as through encrypted connections and account use policies, which help prevent adversary access.
|
| PR.IR-01.04 | Wireless network protection | Mitigates | T1098 | Account Manipulation |
Comments
This diagnostic statement provides protections for wireless networks. Implementation of wireless network management measures such as network segmentation and access controls reduces the attack surface, restricts movement by adversaries, and protects data from compromise.
|
| PR.IR-01.04 | Wireless network protection | Mitigates | T1021.006 | Windows Remote Management |
Comments
This diagnostic statement provides protections for wireless networks. Implementation of wireless network management measures such as network segmentation and access controls reduces the attack surface, restricts movement by adversaries, and protects data from compromise.
|
| PR.IR-01.06 | Production environment segregation | Mitigates | T1599.001 | Network Address Translation Traversal |
Comments
This diagnostic statement provides protections for production environments. Measures such as network segmentation and access control reduce the attack surface, restrict movement by adversaries, and protect critical assets and data from compromise.
|
| PR.IR-01.06 | Production environment segregation | Mitigates | T1599 | Network Boundary Bridging |
Comments
This diagnostic statement provides protections for production environments. Measures such as network segmentation and access control reduce the attack surface, restrict movement by adversaries, and protect critical assets and data from compromise.
|
| PR.IR-01.06 | Production environment segregation | Mitigates | T1555.006 | Cloud Secrets Management Stores |
Comments
This diagnostic statement provides protections for production environments. Measures such as network segmentation and access control reduce the attack surface, restrict movement by adversaries, and protect critical assets and data from compromise.
|
| PR.IR-01.06 | Production environment segregation | Mitigates | T1552.002 | Credentials in Registry |
Comments
This diagnostic statement provides protections for production environments. Measures such as network segmentation and access control reduce the attack surface, restrict movement by adversaries, and protect critical assets and data from compromise.
|
| PR.IR-01.06 | Production environment segregation | Mitigates | T1548.003 | Sudo and Sudo Caching |
Comments
This diagnostic statement provides protections for production environments. Measures such as network segmentation and access control reduce the attack surface, restrict movement by adversaries, and protect critical assets and data from compromise.
|
| PR.IR-01.06 | Production environment segregation | Mitigates | T1548.002 | Bypass User Account Control |
Comments
This diagnostic statement provides protections for production environments. Measures such as network segmentation and access control reduce the attack surface, restrict movement by adversaries, and protect critical assets and data from compromise.
|
| PR.IR-01.06 | Production environment segregation | Mitigates | T1546.003 | Windows Management Instrumentation Event Subscription |
Comments
This diagnostic statement provides protections for production environments. Measures such as network segmentation and access control reduce the attack surface, restrict movement by adversaries, and protect critical assets and data from compromise.
|
| PR.IR-01.06 | Production environment segregation | Mitigates | T1542.005 | TFTP Boot |
Comments
This diagnostic statement provides protections for production environments. Measures such as network segmentation and access control reduce the attack surface, restrict movement by adversaries, and protect critical assets and data from compromise.
|
| PR.IR-01.06 | Production environment segregation | Mitigates | T1505.001 | SQL Stored Procedures |
Comments
This diagnostic statement provides protections for production environments. Measures such as network segmentation and access control reduce the attack surface, restrict movement by adversaries, and protect critical assets and data from compromise.
|
| PR.IR-01.06 | Production environment segregation | Mitigates | T1505.002 | Transport Agent |
Comments
This diagnostic statement provides protections for production environments. Measures such as network segmentation and access control reduce the attack surface, restrict movement by adversaries, and protect critical assets and data from compromise.
|
| PR.IR-01.06 | Production environment segregation | Mitigates | T1200 | Hardware Additions |
Comments
This diagnostic statement provides protections for production environments. Measures such as network segmentation and access control reduce the attack surface, restrict movement by adversaries, and protect critical assets and data from compromise.
|
| PR.IR-01.06 | Production environment segregation | Mitigates | T1134.002 | Create Process with Token |
Comments
This diagnostic statement provides protections for production environments. Measures such as network segmentation and access control reduce the attack surface, restrict movement by adversaries, and protect critical assets and data from compromise.
|
| PR.IR-01.06 | Production environment segregation | Mitigates | T1134.001 | Token Impersonation/Theft |
Comments
This diagnostic statement provides protections for production environments. Measures such as network segmentation and access control reduce the attack surface, restrict movement by adversaries, and protect critical assets and data from compromise.
|
| PR.IR-01.06 | Production environment segregation | Mitigates | T1134.003 | Make and Impersonate Token |
Comments
This diagnostic statement provides protections for production environments. Measures such as network segmentation and access control reduce the attack surface, restrict movement by adversaries, and protect critical assets and data from compromise.
|
| PR.IR-01.06 | Production environment segregation | Mitigates | T1133 | External Remote Services |
Comments
This diagnostic statement provides protections for production environments. Measures such as network segmentation and access control reduce the attack surface, restrict movement by adversaries, and protect critical assets and data from compromise.
|
| PR.IR-01.06 | Production environment segregation | Mitigates | T1136.001 | Local Account |
Comments
This diagnostic statement provides protections for production environments. Measures such as network segmentation and access control reduce the attack surface, restrict movement by adversaries, and protect critical assets and data from compromise.
|
| PR.IR-01.06 | Production environment segregation | Mitigates | T1136.002 | Domain Account |
Comments
This diagnostic statement provides protections for production environments. Measures such as network segmentation and access control reduce the attack surface, restrict movement by adversaries, and protect critical assets and data from compromise.
|
| PR.IR-01.06 | Production environment segregation | Mitigates | T1136.003 | Cloud Account |
Comments
This diagnostic statement provides protections for production environments. Measures such as network segmentation and access control reduce the attack surface, restrict movement by adversaries, and protect critical assets and data from compromise.
|
| PR.IR-01.06 | Production environment segregation | Mitigates | T1021.001 | Remote Desktop Protocol |
Comments
This diagnostic statement provides protections for production environments. Measures such as network segmentation and access control reduce the attack surface, restrict movement by adversaries, and protect critical assets and data from compromise.
|
| PR.IR-01.02 | Network device configurations | Mitigates | T1610 | Deploy Container |
Comments
This diagnostic statement provides protection through secure network device configurations (e.g., firewall rules, ports, and protocols) aligned to security baselines. Using network appliances to limit communications with container services can prevent adversary deployment of a container.
|
| PR.IR-01.02 | Network device configurations | Mitigates | T1557.001 | LLMNR/NBT-NS Poisoning and SMB Relay |
Comments
This diagnostic statement provides protection through secure network device configurations (e.g., firewall rules, ports, and protocols) aligned to security baselines. Using network appliances to block or filter network traffic that is not necessary within the environment can prevent leveraging for AiTM conditions.
|
| PR.IR-01.02 | Network device configurations | Mitigates | T1557.003 | DHCP Spoofing |
Comments
This diagnostic statement provides protection through secure network device configurations (e.g., firewall rules, ports, and protocols) aligned to security baselines. Using network appliances to block or filter network traffic that is not necessary within the environment can prevent leveraging for AiTM conditions.
|
| PR.IR-01.02 | Network device configurations | Mitigates | T1218 | System Binary Proxy Execution |
Comments
This diagnostic statement provides protection through secure network device configurations (e.g., firewall rules, ports, and protocols) aligned to security baselines. Using network appliances to block or filter network traffic can help to mitigate this technique.
|
| PR.IR-01.02 | Network device configurations | Mitigates | T1071.004 | DNS |
Comments
This diagnostic statement provides protection through secure network device configurations (e.g., firewall rules, ports, protocols) aligned to security baselines. Using network appliances to block or filter network traffic that is not necessary within the environment can mitigate adversary use of application layer protocols.
|
| PR.PS-06.06 | Vulnerability remediation | Mitigates | T1495 | Firmware Corruption |
Comments
This diagnostic statement provides for identifying and remediating vulnerabilities as part of the SDLC. Checking the integrity of the existing BIOS or EFI to determine if it is vulnerable to modification and updating firmware can mitigate risks of exploitation and/or abuse.
|
| PR.PS-06.06 | Vulnerability remediation | Mitigates | T1068 | Exploitation for Privilege Escalation |
Comments
This diagnostic statement provides for identifying and remediating vulnerabilities as part of the SDLC. Ensuring software is up-to-date with the latest security patches helps prevent adversaries from exploiting known vulnerabilities, reducing the risk of successful attacks.
|
| PR.PS-06.06 | Vulnerability remediation | Mitigates | T1211 | Exploitation for Defense Evasion |
Comments
This diagnostic statement provides for identifying and remediating vulnerabilities as part of the SDLC. Ensuring software is up-to-date with the latest security patches helps prevent adversaries from exploiting known vulnerabilities, reducing the risk of successful attacks.
|
| PR.PS-06.06 | Vulnerability remediation | Mitigates | T1203 | Exploitation for Client Execution |
Comments
This diagnostic statement provides for identifying and remediating vulnerabilities as part of the SDLC. Ensuring software is up-to-date with the latest security patches helps prevent adversaries from exploiting known vulnerabilities, reducing the risk of successful attacks.
|
| PR.PS-06.06 | Vulnerability remediation | Mitigates | T1137.005 | Outlook Rules |
Comments
This diagnostic statement provides for identifying and remediating vulnerabilities as part of the SDLC. Apply vendor security updates to mitigate risks of exploitation and/or abuse of Office mechanisms that can be used for persistence when an Office-based application is started.
|
| PR.PS-06.06 | Vulnerability remediation | Mitigates | T1137 | Office Application Startup |
Comments
This diagnostic statement provides for identifying and remediating vulnerabilities as part of the SDLC. Apply vendor security updates to mitigate risks of exploitation and/or abuse of Office mechanisms that can be used for persistence when an Office-based application is started.
|
| PR.PS-06.06 | Vulnerability remediation | Mitigates | T1137.003 | Outlook Forms |
Comments
This diagnostic statement provides for identifying and remediating vulnerabilities as part of the SDLC. Apply vendor security updates to mitigate risks of exploitation and/or abuse of Office mechanisms that can be used for persistence when an Office-based application is started.
|
| PR.PS-06.06 | Vulnerability remediation | Mitigates | T1542.001 | System Firmware |
Comments
This diagnostic statement provides for identifying and remediating vulnerabilities as part of the SDLC. Checking the integrity of the existing BIOS or EFI to determine if it is vulnerable to modification and updating firmware can mitigate risks of exploitation and/or abuse.
|
| PR.PS-06.06 | Vulnerability remediation | Mitigates | T1542.002 | Component Firmware |
Comments
This diagnostic statement provides for identifying and remediating vulnerabilities as part of the SDLC. Checking the integrity of the existing BIOS or EFI to determine if it is vulnerable to modification and updating firmware can mitigate risks of exploitation and/or abuse.
|
| PR.PS-05.02 | Mobile code prevention | Mitigates | T1137.001 | Office Template Macros |
Comments
Mobile code procedures address specific actions taken to prevent the development, acquisition, and introduction of unacceptable mobile code within organizational systems, including requiring mobile code to be digitally signed by a trusted source.
|
| PR.PS-05.02 | Mobile code prevention | Mitigates | T1137.002 | Office Test |
Comments
Mobile code procedures address specific actions taken to prevent the development, acquisition, and introduction of unacceptable mobile code within organizational systems, including requiring mobile code to be digitally signed by a trusted source.
|
| PR.PS-05.02 | Mobile code prevention | Mitigates | T1137.003 | Outlook Forms |
Comments
Mobile code procedures address specific actions taken to prevent the development, acquisition, and introduction of unacceptable mobile code within organizational systems, including requiring mobile code to be digitally signed by a trusted source.
|
| PR.PS-05.02 | Mobile code prevention | Mitigates | T1137.004 | Outlook Home Page |
Comments
Mobile code procedures address specific actions taken to prevent the development, acquisition, and introduction of unacceptable mobile code within organizational systems, including requiring mobile code to be digitally signed by a trusted source.
|
| PR.PS-05.02 | Mobile code prevention | Mitigates | T1137.005 | Outlook Rules |
Comments
Mobile code procedures address specific actions taken to prevent the development, acquisition, and introduction of unacceptable mobile code within organizational systems, including requiring mobile code to be digitally signed by a trusted source.
|
| PR.PS-05.02 | Mobile code prevention | Mitigates | T1137.006 | Add-ins |
Comments
Mobile code procedures address specific actions taken to prevent the development, acquisition, and introduction of unacceptable mobile code within organizational systems, including requiring mobile code to be digitally signed by a trusted source.
|
| PR.PS-05.02 | Mobile code prevention | Mitigates | T1055.001 | Dynamic-link Library Injection |
Comments
Mobile code procedures address specific actions taken to prevent the development, acquisition, and introduction of unacceptable mobile code within organizational systems, including requiring mobile code to be digitally signed by a trusted source.
|
| PR.PS-05.02 | Mobile code prevention | Mitigates | T1055.002 | Portable Executable Injection |
Comments
Mobile code procedures address specific actions taken to prevent the development, acquisition, and introduction of unacceptable mobile code within organizational systems, including requiring mobile code to be digitally signed by a trusted source.
|
| PR.PS-05.02 | Mobile code prevention | Mitigates | T1055.003 | Thread Execution Hijacking |
Comments
Mobile code procedures address specific actions taken to prevent the development, acquisition, and introduction of unacceptable mobile code within organizational systems, including requiring mobile code to be digitally signed by a trusted source.
|
| PR.PS-05.02 | Mobile code prevention | Mitigates | T1055.004 | Asynchronous Procedure Call |
Comments
Mobile code procedures address specific actions taken to prevent the development, acquisition, and introduction of unacceptable mobile code within organizational systems, including requiring mobile code to be digitally signed by a trusted source.
|
| PR.PS-05.02 | Mobile code prevention | Mitigates | T1055.005 | Thread Local Storage |
Comments
Mobile code procedures address specific actions taken to prevent the development, acquisition, and introduction of unacceptable mobile code within organizational systems, including requiring mobile code to be digitally signed by a trusted source.
|
| PR.PS-05.02 | Mobile code prevention | Mitigates | T1055.008 | Ptrace System Calls |
Comments
Mobile code procedures address specific actions taken to prevent the development, acquisition, and introduction of unacceptable mobile code within organizational systems, including requiring mobile code to be digitally signed by a trusted source.
|
| PR.PS-05.02 | Mobile code prevention | Mitigates | T1055.009 | Proc Memory |
Comments
Mobile code procedures address specific actions taken to prevent the development, acquisition, and introduction of unacceptable mobile code within organizational systems, including requiring mobile code to be digitally signed by a trusted source.
|
| PR.PS-05.02 | Mobile code prevention | Mitigates | T1055 | Process Injection |
Comments
Mobile code procedures address specific actions taken to prevent the development, acquisition, and introduction of unacceptable mobile code within organizational systems, including requiring mobile code to be digitally signed by a trusted source.
|
| PR.PS-05.02 | Mobile code prevention | Mitigates | T1055.012 | Process Hollowing |
Comments
Mobile code procedures address specific actions taken to prevent the development, acquisition, and introduction of unacceptable mobile code within organizational systems, including requiring mobile code to be digitally signed by a trusted source.
|
| PR.PS-05.02 | Mobile code prevention | Mitigates | T1055.013 | Process Doppelgänging |
Comments
Mobile code procedures address specific actions taken to prevent the development, acquisition, and introduction of unacceptable mobile code within organizational systems, including requiring mobile code to be digitally signed by a trusted source.
|
| PR.PS-05.02 | Mobile code prevention | Mitigates | T1055.014 | VDSO Hijacking |
Comments
Mobile code procedures address specific actions taken to prevent the development, acquisition, and introduction of unacceptable mobile code within organizational systems, including requiring mobile code to be digitally signed by a trusted source.
|
| PR.PS-05.01 | Malware prevention | Mitigates | T1221 | Template Injection |
Comments
Antivirus/Antimalware software can be utilized to prevent documents from fetching and/or executing malicious payloads.
|
| PR.PS-05.01 | Malware prevention | Mitigates | T1027 | Obfuscated Files or Information |
Comments
Antivirus/Antimalware software can be utilized to detect and quarantine suspicious files that adversaries have made difficult to discover by encrypting, encoding, or obfuscating.
|
| PR.PS-01.01 | Configuration baselines | Mitigates | T1221 | Template Injection |
Comments
This diagnostic statement provides for securely configuring production systems. This includes hardening default configurations and making security-focused setting adjustments to reduce the attack surface, enforce best practices, and protect sensitive data thereby mitigating adversary exploitation.
|
| PR.PS-01.01 | Configuration baselines | Mitigates | T1566.003 | Spearphishing via Service |
Comments
This diagnostic statement provides for securely configuring production systems. This includes hardening default configurations and making security-focused setting adjustments to reduce the attack surface, enforce best practices, and protect sensitive data thereby mitigating adversary exploitation.
|
| PR.PS-01.01 | Configuration baselines | Mitigates | T1027.013 | Encrypted/Encoded File |
Comments
This diagnostic statement provides for securely configuring production systems. This includes hardening default configurations and making security-focused setting adjustments to reduce the attack surface, enforce best practices, and protect sensitive data thereby mitigating adversary exploitation.
|
| PR.PS-01.01 | Configuration baselines | Mitigates | T1027.014 | Polymorphic Code |
Comments
This diagnostic statement provides for securely configuring production systems. This includes hardening default configurations and making security-focused setting adjustments to reduce the attack surface, enforce best practices, and protect sensitive data thereby mitigating adversary exploitation.
|
| PR.PS-01.01 | Configuration baselines | Mitigates | T1027.002 | Software Packing |
Comments
This diagnostic statement provides for securely configuring production systems. This includes hardening default configurations and making security-focused setting adjustments to reduce the attack surface, enforce best practices, and protect sensitive data thereby mitigating adversary exploitation.
|
| PR.PS-01.01 | Configuration baselines | Mitigates | T1027.010 | Command Obfuscation |
Comments
This diagnostic statement provides for securely configuring production systems. This includes hardening default configurations and making security-focused setting adjustments to reduce the attack surface, enforce best practices, and protect sensitive data thereby mitigating adversary exploitation.
|
| PR.PS-01.01 | Configuration baselines | Mitigates | T1027.012 | LNK Icon Smuggling |
Comments
This diagnostic statement provides for securely configuring production systems. This includes hardening default configurations and making security-focused setting adjustments to reduce the attack surface, enforce best practices, and protect sensitive data thereby mitigating adversary exploitation.
|
| PR.PS-01.01 | Configuration baselines | Mitigates | T1027 | Obfuscated Files or Information |
Comments
This diagnostic statement provides for securely configuring production systems. This includes hardening default configurations and making security-focused setting adjustments to reduce the attack surface, enforce best practices, and protect sensitive data thereby mitigating adversary exploitation.
|
| PR.PS-01.01 | Configuration baselines | Mitigates | T1021.001 | Remote Desktop Protocol |
Comments
This diagnostic statement provides for securely configuring production systems. This includes hardening default configurations and making security-focused setting adjustments to reduce the attack surface, enforce best practices, and protect sensitive data thereby mitigating adversary exploitation.
|
| PR.PS-01.01 | Configuration baselines | Mitigates | T1036 | Masquerading |
Comments
This diagnostic statement provides for securely configuring production systems. This includes hardening default configurations and making security-focused setting adjustments to reduce the attack surface, enforce best practices, and protect sensitive data thereby mitigating adversary exploitation.
|
| PR.PS-01.01 | Configuration baselines | Mitigates | T1036.008 | Masquerade File Type |
Comments
This diagnostic statement provides for securely configuring production systems. This includes hardening default configurations and making security-focused setting adjustments to reduce the attack surface, enforce best practices, and protect sensitive data thereby mitigating adversary exploitation.
|
| PR.PS-01.01 | Configuration baselines | Mitigates | T1564 | Hide Artifacts |
Comments
This diagnostic statement provides for securely configuring production systems. This includes hardening default configurations and making security-focused setting adjustments to reduce the attack surface, enforce best practices, and protect sensitive data thereby mitigating adversary exploitation.
|
| PR.PS-01.01 | Configuration baselines | Mitigates | T1564.012 | File/Path Exclusions |
Comments
This diagnostic statement provides for securely configuring production systems. This includes hardening default configurations and making security-focused setting adjustments to reduce the attack surface, enforce best practices, and protect sensitive data thereby mitigating adversary exploitation.
|
| PR.PS-01.01 | Configuration baselines | Mitigates | T1059 | Command and Scripting Interpreter |
Comments
This diagnostic statement provides for securely configuring production systems. This includes hardening default configurations and making security-focused setting adjustments to reduce the attack surface, enforce best practices, and protect sensitive data thereby mitigating adversary exploitation.
|
| PR.PS-01.01 | Configuration baselines | Mitigates | T1059.006 | Python |
Comments
This diagnostic statement provides for securely configuring production systems. This includes hardening default configurations and making security-focused setting adjustments to reduce the attack surface, enforce best practices, and protect sensitive data thereby mitigating adversary exploitation.
|
| PR.PS-01.01 | Configuration baselines | Mitigates | T1059.005 | Visual Basic |
Comments
This diagnostic statement provides for securely configuring production systems. This includes hardening default configurations and making security-focused setting adjustments to reduce the attack surface, enforce best practices, and protect sensitive data thereby mitigating adversary exploitation.
|
| PR.PS-01.01 | Configuration baselines | Mitigates | T1053 | Scheduled Task/Job |
Comments
This diagnostic statement provides for securely configuring production systems. This includes hardening default configurations and making security-focused setting adjustments to reduce the attack surface, enforce best practices, and protect sensitive data thereby mitigating adversary exploitation.
|
| PR.PS-01.01 | Configuration baselines | Mitigates | T1548 | Abuse Elevation Control Mechanism |
Comments
This diagnostic statement provides for securely configuring production systems. This includes hardening default configurations and making security-focused setting adjustments to reduce the attack surface, enforce best practices, and protect sensitive data thereby mitigating adversary exploitation.
|
| PR.PS-01.01 | Configuration baselines | Mitigates | T1552 | Unsecured Credentials |
Comments
This diagnostic statement provides for securely configuring production systems. This includes hardening default configurations and making security-focused setting adjustments to reduce the attack surface, enforce best practices, and protect sensitive data thereby mitigating adversary exploitation.
|
| PR.PS-01.01 | Configuration baselines | Mitigates | T1552.003 | Bash History |
Comments
This diagnostic statement provides for securely configuring production systems. This includes hardening default configurations and making security-focused setting adjustments to reduce the attack surface, enforce best practices, and protect sensitive data thereby mitigating adversary exploitation.
|
| PR.PS-01.01 | Configuration baselines | Mitigates | T1003.002 | Security Account Manager |
Comments
This diagnostic statement provides for securely configuring production systems. This includes hardening default configurations and making security-focused setting adjustments to reduce the attack surface, enforce best practices, and protect sensitive data thereby mitigating adversary exploitation.
|
| PR.PS-01.01 | Configuration baselines | Mitigates | T1003.005 | Cached Domain Credentials |
Comments
This diagnostic statement provides for securely configuring production systems. This includes hardening default configurations and making security-focused setting adjustments to reduce the attack surface, enforce best practices, and protect sensitive data thereby mitigating adversary exploitation.
|
| PR.PS-01.01 | Configuration baselines | Mitigates | T1542.005 | TFTP Boot |
Comments
This diagnostic statement provides for securely configuring production systems. This includes hardening default configurations and making security-focused setting adjustments to reduce the attack surface, enforce best practices, and protect sensitive data thereby mitigating adversary exploitation.
|
| PR.PS-01.01 | Configuration baselines | Mitigates | T1563.002 | RDP Hijacking |
Comments
This diagnostic statement provides for securely configuring production systems. This includes hardening default configurations and making security-focused setting adjustments to reduce the attack surface, enforce best practices, and protect sensitive data thereby mitigating adversary exploitation.
|
| PR.PS-01.01 | Configuration baselines | Mitigates | T1027.009 | Embedded Payloads |
Comments
This diagnostic statement provides for securely configuring production systems. This includes hardening default configurations and making security-focused setting adjustments to reduce the attack surface, enforce best practices, and protect sensitive data thereby mitigating adversary exploitation.
|
| PR.PS-01.01 | Configuration baselines | Mitigates | T1059.001 | PowerShell |
Comments
This diagnostic statement provides for securely configuring production systems. This includes hardening default configurations and making security-focused setting adjustments to reduce the attack surface, enforce best practices, and protect sensitive data thereby mitigating adversary exploitation.
|
| PR.PS-01.01 | Configuration baselines | Mitigates | T1053.002 | At |
Comments
This diagnostic statement provides for securely configuring production systems. This includes hardening default configurations and making security-focused setting adjustments to reduce the attack surface, enforce best practices, and protect sensitive data thereby mitigating adversary exploitation.
|
| PR.PS-01.01 | Configuration baselines | Mitigates | T1053.005 | Scheduled Task |
Comments
This diagnostic statement provides for securely configuring production systems. This includes hardening default configurations and making security-focused setting adjustments to reduce the attack surface, enforce best practices, and protect sensitive data thereby mitigating adversary exploitation.
|
| PR.PS-01.01 | Configuration baselines | Mitigates | T1553 | Subvert Trust Controls |
Comments
This diagnostic statement provides for securely configuring production systems. This includes hardening default configurations and making security-focused setting adjustments to reduce the attack surface, enforce best practices, and protect sensitive data thereby mitigating adversary exploitation.
|
| PR.PS-01.01 | Configuration baselines | Mitigates | T1562.003 | Impair Command History Logging |
Comments
This diagnostic statement provides for securely configuring production systems. This includes hardening default configurations and making security-focused setting adjustments to reduce the attack surface, enforce best practices, and protect sensitive data thereby mitigating adversary exploitation.
|
| PR.PS-01.01 | Configuration baselines | Mitigates | T1098 | Account Manipulation |
Comments
This diagnostic statement provides for securely configuring production systems. This includes hardening default configurations and making security-focused setting adjustments to reduce the attack surface, enforce best practices, and protect sensitive data thereby mitigating adversary exploitation.
|
| PR.PS-01.01 | Configuration baselines | Mitigates | T1490 | Inhibit System Recovery |
Comments
This diagnostic statement provides for securely configuring production systems. This includes hardening default configurations and making security-focused setting adjustments to reduce the attack surface, enforce best practices, and protect sensitive data thereby mitigating adversary exploitation.
|
| PR.PS-01.01 | Configuration baselines | Mitigates | T1036.007 | Double File Extension |
Comments
This diagnostic statement provides for securely configuring production systems. This includes hardening default configurations and making security-focused setting adjustments to reduce the attack surface, enforce best practices, and protect sensitive data thereby mitigating adversary exploitation.
|
| PR.PS-01.01 | Configuration baselines | Mitigates | T1556 | Modify Authentication Process |
Comments
This diagnostic statement provides for securely configuring production systems. This includes hardening default configurations and making security-focused setting adjustments to reduce the attack surface, enforce best practices, and protect sensitive data thereby mitigating adversary exploitation.
|
| PR.PS-01.01 | Configuration baselines | Mitigates | T1556.002 | Password Filter DLL |
Comments
This diagnostic statement provides for securely configuring production systems. This includes hardening default configurations and making security-focused setting adjustments to reduce the attack surface, enforce best practices, and protect sensitive data thereby mitigating adversary exploitation.
|
| PR.PS-01.01 | Configuration baselines | Mitigates | T1556.008 | Network Provider DLL |
Comments
This diagnostic statement provides for securely configuring production systems. This includes hardening default configurations and making security-focused setting adjustments to reduce the attack surface, enforce best practices, and protect sensitive data thereby mitigating adversary exploitation.
|
| PR.PS-01.01 | Configuration baselines | Mitigates | T1135 | Network Share Discovery |
Comments
This diagnostic statement provides for securely configuring production systems. This includes hardening default configurations and making security-focused setting adjustments to reduce the attack surface, enforce best practices, and protect sensitive data thereby mitigating adversary exploitation.
|
| PR.PS-01.01 | Configuration baselines | Mitigates | T1003 | OS Credential Dumping |
Comments
This diagnostic statement provides for securely configuring production systems. This includes hardening default configurations and making security-focused setting adjustments to reduce the attack surface, enforce best practices, and protect sensitive data thereby mitigating adversary exploitation.
|
| PR.PS-01.01 | Configuration baselines | Mitigates | T1003.001 | LSASS Memory |
Comments
This diagnostic statement provides for securely configuring production systems. This includes hardening default configurations and making security-focused setting adjustments to reduce the attack surface, enforce best practices, and protect sensitive data thereby mitigating adversary exploitation.
|
| PR.PS-01.01 | Configuration baselines | Mitigates | T1197 | BITS Jobs |
Comments
This diagnostic statement provides for securely configuring production systems. This includes hardening default configurations and making security-focused setting adjustments to reduce the attack surface, enforce best practices, and protect sensitive data thereby mitigating adversary exploitation.
|
| PR.PS-01.01 | Configuration baselines | Mitigates | T1092 | Communication Through Removable Media |
Comments
This diagnostic statement provides for securely configuring production systems. This includes hardening default configurations and making security-focused setting adjustments to reduce the attack surface, enforce best practices, and protect sensitive data thereby mitigating adversary exploitation.
|
| PR.PS-01.01 | Configuration baselines | Mitigates | T1136 | Create Account |
Comments
This diagnostic statement provides for securely configuring production systems. This includes hardening default configurations and making security-focused setting adjustments to reduce the attack surface, enforce best practices, and protect sensitive data thereby mitigating adversary exploitation.
|
| PR.PS-01.01 | Configuration baselines | Mitigates | T1136.002 | Domain Account |
Comments
This diagnostic statement provides for securely configuring production systems. This includes hardening default configurations and making security-focused setting adjustments to reduce the attack surface, enforce best practices, and protect sensitive data thereby mitigating adversary exploitation.
|
| PR.PS-01.01 | Configuration baselines | Mitigates | T1543.003 | Windows Service |
Comments
This diagnostic statement provides for securely configuring production systems. This includes hardening default configurations and making security-focused setting adjustments to reduce the attack surface, enforce best practices, and protect sensitive data thereby mitigating adversary exploitation.
|
| PR.PS-01.01 | Configuration baselines | Mitigates | T1546.008 | Accessibility Features |
Comments
This diagnostic statement provides for securely configuring production systems. This includes hardening default configurations and making security-focused setting adjustments to reduce the attack surface, enforce best practices, and protect sensitive data thereby mitigating adversary exploitation.
|
| PR.PS-01.01 | Configuration baselines | Mitigates | T1011 | Exfiltration Over Other Network Medium |
Comments
This diagnostic statement provides for securely configuring production systems. This includes hardening default configurations and making security-focused setting adjustments to reduce the attack surface, enforce best practices, and protect sensitive data thereby mitigating adversary exploitation.
|
| PR.PS-01.01 | Configuration baselines | Mitigates | T1011.001 | Exfiltration Over Bluetooth |
Comments
This diagnostic statement provides for securely configuring production systems. This includes hardening default configurations and making security-focused setting adjustments to reduce the attack surface, enforce best practices, and protect sensitive data thereby mitigating adversary exploitation.
|
| PR.PS-01.01 | Configuration baselines | Mitigates | T1564.002 | Hidden Users |
Comments
This diagnostic statement provides for securely configuring production systems. This includes hardening default configurations and making security-focused setting adjustments to reduce the attack surface, enforce best practices, and protect sensitive data thereby mitigating adversary exploitation.
|
| PR.PS-01.01 | Configuration baselines | Mitigates | T1574.006 | Dynamic Linker Hijacking |
Comments
This diagnostic statement provides for securely configuring production systems. This includes hardening default configurations and making security-focused setting adjustments to reduce the attack surface, enforce best practices, and protect sensitive data thereby mitigating adversary exploitation.
|
| PR.PS-01.01 | Configuration baselines | Mitigates | T1087.002 | Domain Account |
Comments
This diagnostic statement provides for securely configuring production systems. This includes hardening default configurations and making security-focused setting adjustments to reduce the attack surface, enforce best practices, and protect sensitive data thereby mitigating adversary exploitation.
|
| PR.PS-01.01 | Configuration baselines | Mitigates | T1666 | Modify Cloud Resource Hierarchy |
Comments
This diagnostic statement provides for securely configuring production systems. This includes hardening default configurations and making security-focused setting adjustments to reduce the attack surface, enforce best practices, and protect sensitive data thereby mitigating adversary exploitation.
|
| PR.PS-01.01 | Configuration baselines | Mitigates | T1137 | Office Application Startup |
Comments
This diagnostic statement provides for securely configuring production systems. This includes hardening default configurations and making security-focused setting adjustments to reduce the attack surface, enforce best practices, and protect sensitive data thereby mitigating adversary exploitation.
|
| PR.PS-01.01 | Configuration baselines | Mitigates | T1137.002 | Office Test |
Comments
This diagnostic statement provides for securely configuring production systems. This includes hardening default configurations and making security-focused setting adjustments to reduce the attack surface, enforce best practices, and protect sensitive data thereby mitigating adversary exploitation.
|
| PR.PS-01.01 | Configuration baselines | Mitigates | T1566 | Phishing |
Comments
This diagnostic statement provides for securely configuring production systems. This includes hardening default configurations and making security-focused setting adjustments to reduce the attack surface, enforce best practices, and protect sensitive data thereby mitigating adversary exploitation.
|
| PR.PS-01.01 | Configuration baselines | Mitigates | T1566.001 | Spearphishing Attachment |
Comments
This diagnostic statement provides for securely configuring production systems. This includes hardening default configurations and making security-focused setting adjustments to reduce the attack surface, enforce best practices, and protect sensitive data thereby mitigating adversary exploitation.
|
| PR.PS-01.01 | Configuration baselines | Mitigates | T1566.002 | Spearphishing Link |
Comments
This diagnostic statement provides for securely configuring production systems. This includes hardening default configurations and making security-focused setting adjustments to reduce the attack surface, enforce best practices, and protect sensitive data thereby mitigating adversary exploitation.
|
| PR.PS-01.01 | Configuration baselines | Mitigates | T1598 | Phishing for Information |
Comments
This diagnostic statement provides for securely configuring production systems. This includes hardening default configurations and making security-focused setting adjustments to reduce the attack surface, enforce best practices, and protect sensitive data thereby mitigating adversary exploitation.
|
| PR.PS-01.01 | Configuration baselines | Mitigates | T1598.002 | Spearphishing Attachment |
Comments
This diagnostic statement provides for securely configuring production systems. This includes hardening default configurations and making security-focused setting adjustments to reduce the attack surface, enforce best practices, and protect sensitive data thereby mitigating adversary exploitation.
|
| PR.PS-01.01 | Configuration baselines | Mitigates | T1598.003 | Spearphishing Link |
Comments
This diagnostic statement provides for securely configuring production systems. This includes hardening default configurations and making security-focused setting adjustments to reduce the attack surface, enforce best practices, and protect sensitive data thereby mitigating adversary exploitation.
|
| PR.PS-01.01 | Configuration baselines | Mitigates | T1539 | Steal Web Session Cookie |
Comments
This diagnostic statement provides for securely configuring production systems. This includes hardening default configurations and making security-focused setting adjustments to reduce the attack surface, enforce best practices, and protect sensitive data thereby mitigating adversary exploitation.
|
| PR.PS-01.01 | Configuration baselines | Mitigates | T1553 | Subvert Trust Controls |
Comments
This diagnostic statement provides for securely configuring production systems. This includes hardening default configurations and making security-focused setting adjustments to reduce the attack surface, enforce best practices, and protect sensitive data thereby mitigating adversary exploitation.
|
| PR.PS-01.01 | Configuration baselines | Mitigates | T1553.004 | Install Root Certificate |
Comments
This diagnostic statement provides for securely configuring production systems. This includes hardening default configurations and making security-focused setting adjustments to reduce the attack surface, enforce best practices, and protect sensitive data thereby mitigating adversary exploitation.
|
| PR.PS-01.01 | Configuration baselines | Mitigates | T1537 | Transfer Data to Cloud Account |
Comments
This diagnostic statement provides for securely configuring production systems. This includes hardening default configurations and making security-focused setting adjustments to reduce the attack surface, enforce best practices, and protect sensitive data thereby mitigating adversary exploitation.
|
| PR.PS-01.01 | Configuration baselines | Mitigates | T1535 | Unused/Unsupported Cloud Regions |
Comments
This diagnostic statement provides for securely configuring production systems. This includes hardening default configurations and making security-focused setting adjustments to reduce the attack surface, enforce best practices, and protect sensitive data thereby mitigating adversary exploitation.
|
| PR.PS-01.01 | Configuration baselines | Mitigates | T1550.004 | Web Session Cookie |
Comments
This diagnostic statement provides for securely configuring production systems. This includes hardening default configurations and making security-focused setting adjustments to reduce the attack surface, enforce best practices, and protect sensitive data thereby mitigating adversary exploitation.
|
| PR.PS-01.01 | Configuration baselines | Mitigates | T1547.006 | Kernel Modules and Extensions |
Comments
This diagnostic statement provides for securely configuring production systems. This includes hardening default configurations and making security-focused setting adjustments to reduce the attack surface, enforce best practices, and protect sensitive data thereby mitigating adversary exploitation.
|
| PR.PS-01.01 | Configuration baselines | Mitigates | T1548.001 | Setuid and Setgid |
Comments
This diagnostic statement provides for securely configuring production systems. This includes hardening default configurations and making security-focused setting adjustments to reduce the attack surface, enforce best practices, and protect sensitive data thereby mitigating adversary exploitation.
|
| PR.PS-01.01 | Configuration baselines | Mitigates | T1548.003 | Sudo and Sudo Caching |
Comments
This diagnostic statement provides for securely configuring production systems. This includes hardening default configurations and making security-focused setting adjustments to reduce the attack surface, enforce best practices, and protect sensitive data thereby mitigating adversary exploitation.
|
| PR.PS-01.01 | Configuration baselines | Mitigates | T1087 | Account Discovery |
Comments
This diagnostic statement provides for securely configuring production systems. This includes hardening default configurations and making security-focused setting adjustments to reduce the attack surface, enforce best practices, and protect sensitive data thereby mitigating adversary exploitation.
|
| PR.PS-01.01 | Configuration baselines | Mitigates | T1087.001 | Local Account |
Comments
This diagnostic statement provides for securely configuring production systems. This includes hardening default configurations and making security-focused setting adjustments to reduce the attack surface, enforce best practices, and protect sensitive data thereby mitigating adversary exploitation.
|
| PR.PS-01.01 | Configuration baselines | Mitigates | T1559.002 | Dynamic Data Exchange |
Comments
This diagnostic statement provides for securely configuring production systems. This includes hardening default configurations and making security-focused setting adjustments to reduce the attack surface, enforce best practices, and protect sensitive data thereby mitigating adversary exploitation.
|
| PR.PS-01.01 | Configuration baselines | Mitigates | T1543.005 | Container Service |
Comments
This diagnostic statement provides for securely configuring production systems. This includes hardening default configurations and making security-focused setting adjustments to reduce the attack surface, enforce best practices, and protect sensitive data thereby mitigating adversary exploitation.
|
| PR.PS-01.01 | Configuration baselines | Mitigates | T1555.005 | Password Managers |
Comments
This diagnostic statement provides for securely configuring production systems. This includes hardening default configurations and making security-focused setting adjustments to reduce the attack surface, enforce best practices, and protect sensitive data thereby mitigating adversary exploitation.
|
| PR.PS-01.01 | Configuration baselines | Mitigates | T1602 | Data from Configuration Repository |
Comments
This diagnostic statement provides for securely configuring production systems. This includes hardening default configurations and making security-focused setting adjustments to reduce the attack surface, enforce best practices, and protect sensitive data thereby mitigating adversary exploitation.
|
| PR.PS-01.01 | Configuration baselines | Mitigates | T1602.001 | SNMP (MIB Dump) |
Comments
This diagnostic statement provides for securely configuring production systems. This includes hardening default configurations and making security-focused setting adjustments to reduce the attack surface, enforce best practices, and protect sensitive data thereby mitigating adversary exploitation.
|
| PR.PS-01.01 | Configuration baselines | Mitigates | T1602.002 | Network Device Configuration Dump |
Comments
This diagnostic statement provides for securely configuring production systems. This includes hardening default configurations and making security-focused setting adjustments to reduce the attack surface, enforce best practices, and protect sensitive data thereby mitigating adversary exploitation.
|
| PR.PS-01.01 | Configuration baselines | Mitigates | T1213 | Data from Information Repositories |
Comments
This diagnostic statement provides for securely configuring production systems. This includes hardening default configurations and making security-focused setting adjustments to reduce the attack surface, enforce best practices, and protect sensitive data thereby mitigating adversary exploitation.
|
| PR.PS-01.01 | Configuration baselines | Mitigates | T1213.001 | Confluence |
Comments
This diagnostic statement provides for securely configuring production systems. This includes hardening default configurations and making security-focused setting adjustments to reduce the attack surface, enforce best practices, and protect sensitive data thereby mitigating adversary exploitation.
|
| PR.PS-01.01 | Configuration baselines | Mitigates | T1213.002 | Sharepoint |
Comments
This diagnostic statement provides for securely configuring production systems. This includes hardening default configurations and making security-focused setting adjustments to reduce the attack surface, enforce best practices, and protect sensitive data thereby mitigating adversary exploitation.
|
| PR.PS-01.01 | Configuration baselines | Mitigates | T1213.003 | Code Repositories |
Comments
This diagnostic statement provides for securely configuring production systems. This includes hardening default configurations and making security-focused setting adjustments to reduce the attack surface, enforce best practices, and protect sensitive data thereby mitigating adversary exploitation.
|
| PR.PS-01.01 | Configuration baselines | Mitigates | T1213.004 | Customer Relationship Management Software |
Comments
This diagnostic statement provides for securely configuring production systems. This includes hardening default configurations and making security-focused setting adjustments to reduce the attack surface, enforce best practices, and protect sensitive data thereby mitigating adversary exploitation.
|
| PR.PS-01.01 | Configuration baselines | Mitigates | T1213.005 | Messaging Applications |
Comments
This diagnostic statement provides for securely configuring production systems. This includes hardening default configurations and making security-focused setting adjustments to reduce the attack surface, enforce best practices, and protect sensitive data thereby mitigating adversary exploitation.
|
| PR.PS-01.01 | Configuration baselines | Mitigates | T1606 | Forge Web Credentials |
Comments
This diagnostic statement provides for securely configuring production systems. This includes hardening default configurations and making security-focused setting adjustments to reduce the attack surface, enforce best practices, and protect sensitive data thereby mitigating adversary exploitation.
|
| PR.PS-01.01 | Configuration baselines | Mitigates | T1606.001 | Web Cookies |
Comments
This diagnostic statement provides for securely configuring production systems. This includes hardening default configurations and making security-focused setting adjustments to reduce the attack surface, enforce best practices, and protect sensitive data thereby mitigating adversary exploitation.
|
| PR.PS-01.01 | Configuration baselines | Mitigates | T1562 | Impair Defenses |
Comments
This diagnostic statement provides for securely configuring production systems. This includes hardening default configurations and making security-focused setting adjustments to reduce the attack surface, enforce best practices, and protect sensitive data thereby mitigating adversary exploitation.
|
| PR.PS-01.01 | Configuration baselines | Mitigates | T1562.006 | Indicator Blocking |
Comments
This diagnostic statement provides for securely configuring production systems. This includes hardening default configurations and making security-focused setting adjustments to reduce the attack surface, enforce best practices, and protect sensitive data thereby mitigating adversary exploitation.
|
| PR.PS-01.01 | Configuration baselines | Mitigates | T1562.009 | Safe Mode Boot |
Comments
This diagnostic statement provides for securely configuring production systems. This includes hardening default configurations and making security-focused setting adjustments to reduce the attack surface, enforce best practices, and protect sensitive data thereby mitigating adversary exploitation.
|
| PR.PS-01.01 | Configuration baselines | Mitigates | T1562.010 | Downgrade Attack |
Comments
This diagnostic statement provides for securely configuring production systems. This includes hardening default configurations and making security-focused setting adjustments to reduce the attack surface, enforce best practices, and protect sensitive data thereby mitigating adversary exploitation.
|
| PR.PS-01.01 | Configuration baselines | Mitigates | T1559 | Inter-Process Communication |
Comments
This diagnostic statement provides for securely configuring production systems. This includes hardening default configurations and making security-focused setting adjustments to reduce the attack surface, enforce best practices, and protect sensitive data thereby mitigating adversary exploitation.
|
| PR.PS-01.01 | Configuration baselines | Mitigates | T1543 | Create or Modify System Process |
Comments
This diagnostic statement provides for securely configuring production systems. This includes hardening default configurations and making security-focused setting adjustments to reduce the attack surface, enforce best practices, and protect sensitive data thereby mitigating adversary exploitation.
|
| PR.PS-01.01 | Configuration baselines | Mitigates | T1552 | Unsecured Credentials |
Comments
This diagnostic statement provides for securely configuring production systems. This includes hardening default configurations and making security-focused setting adjustments to reduce the attack surface, enforce best practices, and protect sensitive data thereby mitigating adversary exploitation.
|
| PR.PS-01.02 | Least functionality | Mitigates | T1552 | Unsecured Credentials |
Comments
This diagnostic statement provides for limiting unnecessary software, services, ports, protocols, etc. Ensuring systems only have installed and enabled what is essential for their operation reduces the attack surface and minimizes vulnerabilities, which mitigates a wide range of techniques.
|
| PR.PS-01.02 | Least functionality | Mitigates | T1552.003 | Bash History |
Comments
TThis diagnostic statement provides for limiting unnecessary software, services, ports, protocols, etc. Ensuring systems only have installed and enabled what is essential for their operation reduces the attack surface and minimizes vulnerabilities, which mitigates a wide range of techniques.
|
| PR.PS-01.02 | Least functionality | Mitigates | T1003.002 | Security Account Manager |
Comments
This diagnostic statement provides for limiting unnecessary software, services, ports, protocols, etc. Ensuring systems only have installed and enabled what is essential for their operation reduces the attack surface and minimizes vulnerabilities, which mitigates a wide range of techniques.
|
| PR.PS-01.02 | Least functionality | Mitigates | T1003.005 | Cached Domain Credentials |
Comments
TThis diagnostic statement provides for limiting unnecessary software, services, ports, protocols, etc. Ensuring systems only have installed and enabled what is essential for their operation reduces the attack surface and minimizes vulnerabilities, which mitigates a wide range of techniques.
|
| PR.PS-01.02 | Least functionality | Mitigates | T1542.005 | TFTP Boot |
Comments
This diagnostic statement provides for limiting unnecessary software, services, ports, protocols, etc. Ensuring systems only have installed and enabled what is essential for their operation reduces the attack surface and minimizes vulnerabilities, which mitigates a wide range of techniques.
|
| PR.PS-01.02 | Least functionality | Mitigates | T1563.002 | RDP Hijacking |
Comments
This diagnostic statement provides for limiting unnecessary software, services, ports, protocols, etc. Ensuring systems only have installed and enabled what is essential for their operation reduces the attack surface and minimizes vulnerabilities, which mitigates a wide range of techniques.
|
| PR.PS-01.02 | Least functionality | Mitigates | T1021.001 | Remote Desktop Protocol |
Comments
This diagnostic statement provides for limiting unnecessary software, services, ports, protocols, etc. Ensuring systems only have installed and enabled what is essential for their operation reduces the attack surface and minimizes vulnerabilities, which mitigates a wide range of techniques.
|
| PR.PS-01.02 | Least functionality | Mitigates | T1053 | Scheduled Task/Job |
Comments
This diagnostic statement provides for limiting unnecessary software, services, ports, protocols, etc. Ensuring systems only have installed and enabled what is essential for their operation reduces the attack surface and minimizes vulnerabilities, which mitigates a wide range of techniques.
|
| PR.PS-01.02 | Least functionality | Mitigates | T1053.002 | At |
Comments
This diagnostic statement provides for limiting unnecessary software, services, ports, protocols, etc. Ensuring systems only have installed and enabled what is essential for their operation reduces the attack surface and minimizes vulnerabilities, which mitigates a wide range of techniques.
|
| PR.PS-01.02 | Least functionality | Mitigates | T1053.005 | Scheduled Task |
Comments
This diagnostic statement provides for limiting unnecessary software, services, ports, protocols, etc. Ensuring systems only have installed and enabled what is essential for their operation reduces the attack surface and minimizes vulnerabilities, which mitigates a wide range of techniques.
|
| PR.PS-01.02 | Least functionality | Mitigates | T1553 | Subvert Trust Controls |
Comments
This diagnostic statement provides for limiting unnecessary software, services, ports, protocols, etc. Ensuring systems only have installed and enabled what is essential for their operation reduces the attack surface and minimizes vulnerabilities, which mitigates a wide range of techniques.
|
| PR.PS-01.02 | Least functionality | Mitigates | T1562.003 | Impair Command History Logging |
Comments
This diagnostic statement provides for limiting unnecessary software, services, ports, protocols, etc. Ensuring systems only have installed and enabled what is essential for their operation reduces the attack surface and minimizes vulnerabilities, which mitigates a wide range of techniques.
|
| PR.PS-01.02 | Least functionality | Mitigates | T1098 | Account Manipulation |
Comments
This diagnostic statement provides for limiting unnecessary software, services, ports, protocols, etc. Ensuring systems only have installed and enabled what is essential for their operation reduces the attack surface and minimizes vulnerabilities, which mitigates a wide range of techniques.
|
| PR.PS-01.02 | Least functionality | Mitigates | T1490 | Inhibit System Recovery |
Comments
This diagnostic statement provides for limiting unnecessary software, services, ports, protocols, etc. Ensuring systems only have installed and enabled what is essential for their operation reduces the attack surface and minimizes vulnerabilities, which mitigates a wide range of techniques.
|
| PR.PS-01.02 | Least functionality | Mitigates | T1036.007 | Double File Extension |
Comments
This diagnostic statement provides for limiting unnecessary software, services, ports, protocols, etc. Ensuring systems only have installed and enabled what is essential for their operation reduces the attack surface and minimizes vulnerabilities, which mitigates a wide range of techniques.
|
| PR.PS-01.02 | Least functionality | Mitigates | T1556 | Modify Authentication Process |
Comments
This diagnostic statement provides for limiting unnecessary software, services, ports, protocols, etc. Ensuring systems only have installed and enabled what is essential for their operation reduces the attack surface and minimizes vulnerabilities, which mitigates a wide range of techniques.
|
| PR.PS-01.02 | Least functionality | Mitigates | T1556.002 | Password Filter DLL |
Comments
This diagnostic statement provides for limiting unnecessary software, services, ports, protocols, etc. Ensuring systems only have installed and enabled what is essential for their operation reduces the attack surface and minimizes vulnerabilities, which mitigates a wide range of techniques.
|
| PR.PS-01.02 | Least functionality | Mitigates | T1556.008 | Network Provider DLL |
Comments
This diagnostic statement provides for limiting unnecessary software, services, ports, protocols, etc. Ensuring systems only have installed and enabled what is essential for their operation reduces the attack surface and minimizes vulnerabilities, which mitigates a wide range of techniques.
|
| PR.PS-01.02 | Least functionality | Mitigates | T1135 | Network Share Discovery |
Comments
This diagnostic statement provides for limiting unnecessary software, services, ports, protocols, etc. Ensuring systems only have installed and enabled what is essential for their operation reduces the attack surface and minimizes vulnerabilities, which mitigates a wide range of techniques.
|
| PR.PS-01.02 | Least functionality | Mitigates | T1003 | OS Credential Dumping |
Comments
This diagnostic statement provides for limiting unnecessary software, services, ports, protocols, etc. Ensuring systems only have installed and enabled what is essential for their operation reduces the attack surface and minimizes vulnerabilities, which mitigates a wide range of techniques.
|
| PR.PS-01.02 | Least functionality | Mitigates | T1003.001 | LSASS Memory |
Comments
This diagnostic statement provides for limiting unnecessary software, services, ports, protocols, etc. Ensuring systems only have installed and enabled what is essential for their operation reduces the attack surface and minimizes vulnerabilities, which mitigates a wide range of techniques.
|
| PR.PS-01.02 | Least functionality | Mitigates | T1197 | BITS Jobs |
Comments
This diagnostic statement provides for limiting unnecessary software, services, ports, protocols, etc. Ensuring systems only have installed and enabled what is essential for their operation reduces the attack surface and minimizes vulnerabilities, which mitigates a wide range of techniques.
|
| PR.PS-01.02 | Least functionality | Mitigates | T1092 | Communication Through Removable Media |
Comments
This diagnostic statement provides for limiting unnecessary software, services, ports, protocols, etc. Ensuring systems only have installed and enabled what is essential for their operation reduces the attack surface and minimizes vulnerabilities, which mitigates a wide range of techniques.
|
| PR.PS-01.02 | Least functionality | Mitigates | T1136 | Create Account |
Comments
This diagnostic statement provides for limiting unnecessary software, services, ports, protocols, etc. Ensuring systems only have installed and enabled what is essential for their operation reduces the attack surface and minimizes vulnerabilities, which mitigates a wide range of techniques.
|
| PR.PS-01.02 | Least functionality | Mitigates | T1136.002 | Domain Account |
Comments
This diagnostic statement provides for limiting unnecessary software, services, ports, protocols, etc. Ensuring systems only have installed and enabled what is essential for their operation reduces the attack surface and minimizes vulnerabilities, which mitigates a wide range of techniques.
|
| PR.PS-01.02 | Least functionality | Mitigates | T1543.003 | Windows Service |
Comments
This diagnostic statement provides for limiting unnecessary software, services, ports, protocols, etc. Ensuring systems only have installed and enabled what is essential for their operation reduces the attack surface and minimizes vulnerabilities, which mitigates a wide range of techniques.
|
| PR.PS-01.02 | Least functionality | Mitigates | T1546.008 | Accessibility Features |
Comments
This diagnostic statement provides for limiting unnecessary software, services, ports, protocols, etc. Ensuring systems only have installed and enabled what is essential for their operation reduces the attack surface and minimizes vulnerabilities, which mitigates a wide range of techniques.
|
| PR.PS-01.02 | Least functionality | Mitigates | T1011 | Exfiltration Over Other Network Medium |
Comments
This diagnostic statement provides for limiting unnecessary software, services, ports, protocols, etc. Ensuring systems only have installed and enabled what is essential for their operation reduces the attack surface and minimizes vulnerabilities, which mitigates a wide range of techniques.
|
| PR.PS-01.02 | Least functionality | Mitigates | T1011.001 | Exfiltration Over Bluetooth |
Comments
This diagnostic statement provides for limiting unnecessary software, services, ports, protocols, etc. Ensuring systems only have installed and enabled what is essential for their operation reduces the attack surface and minimizes vulnerabilities, which mitigates a wide range of techniques.
|
| PR.PS-01.02 | Least functionality | Mitigates | T1564.002 | Hidden Users |
Comments
This diagnostic statement provides for limiting unnecessary software, services, ports, protocols, etc. Ensuring systems only have installed and enabled what is essential for their operation reduces the attack surface and minimizes vulnerabilities, which mitigates a wide range of techniques.
|
| PR.PS-01.02 | Least functionality | Mitigates | T1574.006 | Dynamic Linker Hijacking |
Comments
This diagnostic statement provides for limiting unnecessary software, services, ports, protocols, etc. Ensuring systems only have installed and enabled what is essential for their operation reduces the attack surface and minimizes vulnerabilities, which mitigates a wide range of techniques.
|
| PR.PS-01.02 | Least functionality | Mitigates | T1087.002 | Domain Account |
Comments
This diagnostic statement provides for limiting unnecessary software, services, ports, protocols, etc. Ensuring systems only have installed and enabled what is essential for their operation reduces the attack surface and minimizes vulnerabilities, which mitigates a wide range of techniques.
|
| PR.PS-01.02 | Least functionality | Mitigates | T1666 | Modify Cloud Resource Hierarchy |
Comments
This diagnostic statement provides for limiting unnecessary software, services, ports, protocols, etc. Ensuring systems only have installed and enabled what is essential for their operation reduces the attack surface and minimizes vulnerabilities, which mitigates a wide range of techniques.
|
| PR.PS-01.02 | Least functionality | Mitigates | T1137 | Office Application Startup |
Comments
This diagnostic statement provides for limiting unnecessary software, services, ports, protocols, etc. Ensuring systems only have installed and enabled what is essential for their operation reduces the attack surface and minimizes vulnerabilities, which mitigates a wide range of techniques.
|
| PR.PS-01.02 | Least functionality | Mitigates | T1137.002 | Office Test |
Comments
This diagnostic statement provides for limiting unnecessary software, services, ports, protocols, etc. Ensuring systems only have installed and enabled what is essential for their operation reduces the attack surface and minimizes vulnerabilities, which mitigates a wide range of techniques.
|
| PR.PS-01.02 | Least functionality | Mitigates | T1566 | Phishing |
Comments
This diagnostic statement provides for limiting unnecessary software, services, ports, protocols, etc. Ensuring systems only have installed and enabled what is essential for their operation reduces the attack surface and minimizes vulnerabilities, which mitigates a wide range of techniques.
|
| PR.PS-01.02 | Least functionality | Mitigates | T1566.001 | Spearphishing Attachment |
Comments
This diagnostic statement provides for limiting unnecessary software, services, ports, protocols, etc. Ensuring systems only have installed and enabled what is essential for their operation reduces the attack surface and minimizes vulnerabilities, which mitigates a wide range of techniques.
|
| PR.PS-01.02 | Least functionality | Mitigates | T1566.002 | Spearphishing Link |
Comments
This diagnostic statement provides for limiting unnecessary software, services, ports, protocols, etc. Ensuring systems only have installed and enabled what is essential for their operation reduces the attack surface and minimizes vulnerabilities, which mitigates a wide range of techniques.
|
| PR.PS-01.02 | Least functionality | Mitigates | T1598 | Phishing for Information |
Comments
This diagnostic statement provides for limiting unnecessary software, services, ports, protocols, etc. Ensuring systems only have installed and enabled what is essential for their operation reduces the attack surface and minimizes vulnerabilities, which mitigates a wide range of techniques.
|
| PR.PS-01.02 | Least functionality | Mitigates | T1598.002 | Spearphishing Attachment |
Comments
This diagnostic statement provides for limiting unnecessary software, services, ports, protocols, etc. Ensuring systems only have installed and enabled what is essential for their operation reduces the attack surface and minimizes vulnerabilities, which mitigates a wide range of techniques.
|
| PR.PS-01.02 | Least functionality | Mitigates | T1598.003 | Spearphishing Link |
Comments
This diagnostic statement provides for limiting unnecessary software, services, ports, protocols, etc. Ensuring systems only have installed and enabled what is essential for their operation reduces the attack surface and minimizes vulnerabilities, which mitigates a wide range of techniques.
|
| PR.PS-01.02 | Least functionality | Mitigates | T1539 | Steal Web Session Cookie |
Comments
This diagnostic statement provides for limiting unnecessary software, services, ports, protocols, etc. Ensuring systems only have installed and enabled what is essential for their operation reduces the attack surface and minimizes vulnerabilities, which mitigates a wide range of techniques.
|
| PR.PS-01.02 | Least functionality | Mitigates | T1553 | Subvert Trust Controls |
Comments
This diagnostic statement provides for limiting unnecessary software, services, ports, protocols, etc. Ensuring systems only have installed and enabled what is essential for their operation reduces the attack surface and minimizes vulnerabilities, which mitigates a wide range of techniques.
|
| PR.PS-01.02 | Least functionality | Mitigates | T1553.004 | Install Root Certificate |
Comments
This diagnostic statement provides for limiting unnecessary software, services, ports, protocols, etc. Ensuring systems only have installed and enabled what is essential for their operation reduces the attack surface and minimizes vulnerabilities, which mitigates a wide range of techniques.
|
| PR.PS-01.02 | Least functionality | Mitigates | T1537 | Transfer Data to Cloud Account |
Comments
This diagnostic statement provides for limiting unnecessary software, services, ports, protocols, etc. Ensuring systems only have installed and enabled what is essential for their operation reduces the attack surface and minimizes vulnerabilities, which mitigates a wide range of techniques.
|
| PR.PS-01.02 | Least functionality | Mitigates | T1535 | Unused/Unsupported Cloud Regions |
Comments
This diagnostic statement provides for limiting unnecessary software, services, ports, protocols, etc. Ensuring systems only have installed and enabled what is essential for their operation reduces the attack surface and minimizes vulnerabilities, which mitigates a wide range of techniques.
|
| PR.PS-01.02 | Least functionality | Mitigates | T1550.004 | Web Session Cookie |
Comments
This diagnostic statement provides for limiting unnecessary software, services, ports, protocols, etc. Ensuring systems only have installed and enabled what is essential for their operation reduces the attack surface and minimizes vulnerabilities, which mitigates a wide range of techniques.
|
| PR.PS-01.02 | Least functionality | Mitigates | T1548 | Abuse Elevation Control Mechanism |
Comments
This diagnostic statement provides for limiting unnecessary software, services, ports, protocols, etc. Ensuring systems only have installed and enabled what is essential for their operation reduces the attack surface and minimizes vulnerabilities, which mitigates a wide range of techniques.
|
| PR.PS-01.02 | Least functionality | Mitigates | T1548.001 | Setuid and Setgid |
Comments
This diagnostic statement provides for limiting unnecessary software, services, ports, protocols, etc. Ensuring systems only have installed and enabled what is essential for their operation reduces the attack surface and minimizes vulnerabilities, which mitigates a wide range of techniques.
|
| PR.PS-01.02 | Least functionality | Mitigates | T1548.003 | Sudo and Sudo Caching |
Comments
This diagnostic statement provides for limiting unnecessary software, services, ports, protocols, etc. Ensuring systems only have installed and enabled what is essential for their operation reduces the attack surface and minimizes vulnerabilities, which mitigates a wide range of techniques.
|
| PR.PS-01.02 | Least functionality | Mitigates | T1087 | Account Discovery |
Comments
This diagnostic statement provides for limiting unnecessary software, services, ports, protocols, etc. Ensuring systems only have installed and enabled what is essential for their operation reduces the attack surface and minimizes vulnerabilities, which mitigates a wide range of techniques.
|
| PR.PS-01.02 | Least functionality | Mitigates | T1087.001 | Local Account |
Comments
This diagnostic statement provides for limiting unnecessary software, services, ports, protocols, etc. Ensuring systems only have installed and enabled what is essential for their operation reduces the attack surface and minimizes vulnerabilities, which mitigates a wide range of techniques.
|
| PR.PS-01.02 | Least functionality | Mitigates | T1559.002 | Dynamic Data Exchange |
Comments
This diagnostic statement provides for limiting unnecessary software, services, ports, protocols, etc. Ensuring systems only have installed and enabled what is essential for their operation reduces the attack surface and minimizes vulnerabilities, which mitigates a wide range of techniques.
|
| PR.PS-01.02 | Least functionality | Mitigates | T1543.005 | Container Service |
Comments
This diagnostic statement provides for limiting unnecessary software, services, ports, protocols, etc. Ensuring systems only have installed and enabled what is essential for their operation reduces the attack surface and minimizes vulnerabilities, which mitigates a wide range of techniques.
|
| PR.PS-01.02 | Least functionality | Mitigates | T1555.005 | Password Managers |
Comments
This diagnostic statement provides for limiting unnecessary software, services, ports, protocols, etc. Ensuring systems only have installed and enabled what is essential for their operation reduces the attack surface and minimizes vulnerabilities, which mitigates a wide range of techniques.
|
| PR.PS-01.02 | Least functionality | Mitigates | T1602 | Data from Configuration Repository |
Comments
This diagnostic statement provides for limiting unnecessary software, services, ports, protocols, etc. Ensuring systems only have installed and enabled what is essential for their operation reduces the attack surface and minimizes vulnerabilities, which mitigates a wide range of techniques.
|
| PR.PS-01.02 | Least functionality | Mitigates | T1602.001 | SNMP (MIB Dump) |
Comments
This diagnostic statement provides for limiting unnecessary software, services, ports, protocols, etc. Ensuring systems only have installed and enabled what is essential for their operation reduces the attack surface and minimizes vulnerabilities, which mitigates a wide range of techniques.
|
| PR.PS-01.02 | Least functionality | Mitigates | T1602.002 | Network Device Configuration Dump |
Comments
This diagnostic statement provides for limiting unnecessary software, services, ports, protocols, etc. Ensuring systems only have installed and enabled what is essential for their operation reduces the attack surface and minimizes vulnerabilities, which mitigates a wide range of techniques.
|
| PR.PS-01.02 | Least functionality | Mitigates | T1213 | Data from Information Repositories |
Comments
This diagnostic statement provides for limiting unnecessary software, services, ports, protocols, etc. Ensuring systems only have installed and enabled what is essential for their operation reduces the attack surface and minimizes vulnerabilities, which mitigates a wide range of techniques.
|
| PR.PS-01.02 | Least functionality | Mitigates | T1213.001 | Confluence |
Comments
This diagnostic statement provides for limiting unnecessary software, services, ports, protocols, etc. Ensuring systems only have installed and enabled what is essential for their operation reduces the attack surface and minimizes vulnerabilities, which mitigates a wide range of techniques.
|
| PR.PS-01.02 | Least functionality | Mitigates | T1213.002 | Sharepoint |
Comments
This diagnostic statement provides for limiting unnecessary software, services, ports, protocols, etc. Ensuring systems only have installed and enabled what is essential for their operation reduces the attack surface and minimizes vulnerabilities, which mitigates a wide range of techniques.
|
| PR.PS-01.02 | Least functionality | Mitigates | T1213.003 | Code Repositories |
Comments
This diagnostic statement provides for limiting unnecessary software, services, ports, protocols, etc. Ensuring systems only have installed and enabled what is essential for their operation reduces the attack surface and minimizes vulnerabilities, which mitigates a wide range of techniques.
|
| PR.PS-01.02 | Least functionality | Mitigates | T1213.004 | Customer Relationship Management Software |
Comments
This diagnostic statement provides for limiting unnecessary software, services, ports, protocols, etc. Ensuring systems only have installed and enabled what is essential for their operation reduces the attack surface and minimizes vulnerabilities, which mitigates a wide range of techniques.
|
| PR.PS-01.02 | Least functionality | Mitigates | T1213.005 | Messaging Applications |
Comments
This diagnostic statement provides for limiting unnecessary software, services, ports, protocols, etc. Ensuring systems only have installed and enabled what is essential for their operation reduces the attack surface and minimizes vulnerabilities, which mitigates a wide range of techniques.
|
| PR.PS-01.02 | Least functionality | Mitigates | T1606 | Forge Web Credentials |
Comments
This diagnostic statement provides for limiting unnecessary software, services, ports, protocols, etc. Ensuring systems only have installed and enabled what is essential for their operation reduces the attack surface and minimizes vulnerabilities, which mitigates a wide range of techniques.
|
| PR.PS-01.02 | Least functionality | Mitigates | T1606.001 | Web Cookies |
Comments
This diagnostic statement provides for limiting unnecessary software, services, ports, protocols, etc. Ensuring systems only have installed and enabled what is essential for their operation reduces the attack surface and minimizes vulnerabilities, which mitigates a wide range of techniques.
|
| PR.PS-01.02 | Least functionality | Mitigates | T1562 | Impair Defenses |
Comments
This diagnostic statement provides for limiting unnecessary software, services, ports, protocols, etc. Ensuring systems only have installed and enabled what is essential for their operation reduces the attack surface and minimizes vulnerabilities, which mitigates a wide range of techniques.
|
| PR.PS-01.02 | Least functionality | Mitigates | T1562.006 | Indicator Blocking |
Comments
This diagnostic statement provides for limiting unnecessary software, services, ports, protocols, etc. Ensuring systems only have installed and enabled what is essential for their operation reduces the attack surface and minimizes vulnerabilities, which mitigates a wide range of techniques.
|
| PR.PS-01.02 | Least functionality | Mitigates | T1562.009 | Safe Mode Boot |
Comments
This diagnostic statement provides for limiting unnecessary software, services, ports, protocols, etc. Ensuring systems only have installed and enabled what is essential for their operation reduces the attack surface and minimizes vulnerabilities, which mitigates a wide range of techniques.
|
| PR.PS-01.02 | Least functionality | Mitigates | T1562.010 | Downgrade Attack |
Comments
This diagnostic statement provides for limiting unnecessary software, services, ports, protocols, etc. Ensuring systems only have installed and enabled what is essential for their operation reduces the attack surface and minimizes vulnerabilities, which mitigates a wide range of techniques.
|
| PR.PS-01.02 | Least functionality | Mitigates | T1559 | Inter-Process Communication |
Comments
This diagnostic statement provides for limiting unnecessary software, services, ports, protocols, etc. Ensuring systems only have installed and enabled what is essential for their operation reduces the attack surface and minimizes vulnerabilities, which mitigates a wide range of techniques.
|
| PR.AA-05.03 | Service accounts | Mitigates | T1558.001 | Golden Ticket |
Comments
This diagnostic statement describes security controls implemented for service accounts (i.e., accounts used by systems to access other systems). Limit service accounts to minimal required privileges to mitigate attempts to steal or forge Kerberos tickets.
|
| PR.AA-05.03 | Service accounts | Mitigates | T1563 | Remote Service Session Hijacking |
Comments
This diagnostic statement is for the implementation of security controls for service accounts (i.e., accounts used by systems to access other systems), such as granting service accounts only the minimum necessary permissions.
|
| PR.AA-05.03 | Service accounts | Mitigates | T1563.002 | RDP Hijacking |
Comments
This diagnostic statement is for the implementation of security controls for service accounts (i.e., accounts used by systems to access other systems), such as granting service accounts only the minimum necessary permissions.
|
| PR.AA-05.03 | Service accounts | Mitigates | T1559 | Inter-Process Communication |
Comments
This diagnostic statement is for the implementation of security controls for service accounts (i.e., accounts used by systems to access other systems). Set service account access restrictions to grant only the minimum necessary permissions to mitigate abuse of inter-process communication (IPC) mechanisms.
|
| PR.AA-05.03 | Service accounts | Mitigates | T1021 | Remote Services |
Comments
This diagnostic statement is for the implementation of security controls for service accounts (i.e., accounts used by systems to access other systems). Minimize service account permissions and access for the service to mitigate exploitation via remote services that use service accounts.
|
| PR.AA-05.03 | Service accounts | Mitigates | T1021.007 | Cloud Services |
Comments
This diagnostic statement is for the implementation of security controls for service accounts (i.e., accounts used by systems to access other systems). Minimize service account permissions and access for the service to mitigate exploitation via cloud services service accounts.
|
| PR.AA-05.03 | Service accounts | Mitigates | T1021.002 | SMB/Windows Admin Shares |
Comments
This diagnostic statement is for the implementation of security controls for service accounts (i.e., accounts used by systems to access other systems). Block the SMB/Windows Admin Shares service account to mitigate exploitation.
|
| PR.AA-05.03 | Service accounts | Mitigates | T1021.006 | Windows Remote Management |
Comments
This diagnostic statement is for the implementation of security controls for service accounts (i.e., accounts used by systems to access other systems). Minimize service account permissions and access for the service to mitigate exploitation via the WinRM service account.
|
| PR.AA-05.03 | Service accounts | Mitigates | T1190 | Exploit Public-Facing Application |
Comments
This diagnostic statement is for the implementation of security controls for service accounts (i.e., accounts used by systems to access other systems). Use least privilege for service accounts to limit what permissions the exploited process gets on the rest of the system.
|
| PR.AA-05.03 | Service accounts | Mitigates | T1484 | Domain or Tenant Policy Modification |
Comments
This diagnostic statement is for the implementation of security controls for service accounts (i.e., accounts used by systems to access other systems). Restrict administrative privileges to mitigate this technique.
|
| PR.AA-05.04 | Third-party access management | Mitigates | T1078.004 | Cloud Accounts |
Comments
This diagnostic statement includes implementation of controls for third-party access to an organization’s systems. Conditional access policies can be used to block logins from non-compliant devices or from outside defined IP ranges.
|
| PR.AA-05.04 | Third-party access management | Mitigates | T1110.001 | Password Guessing |
Comments
This diagnostic statement includes implementation of controls for third-party access to an organization’s systems. Enforcing third-party account use policies to include account lockout policies after a certain number of failed login attempts mitigates the risk of brute-force attacks.
|
| PR.AA-05.04 | Third-party access management | Mitigates | T1110.003 | Password Spraying |
Comments
This diagnostic statement includes implementation of controls for third-party access to an organization’s systems. Enforcing third-party account use policies to include account lockout policies after a certain number of failed login attempts mitigates the risk of brute-force attacks.
|
| PR.AA-05.04 | Third-party access management | Mitigates | T1110.004 | Credential Stuffing |
Comments
This diagnostic statement includes implementation of controls for third-party access to an organization’s systems. Enforcing third-party account use policies to include account lockout policies after a certain number of failed login attempts mitigates the risk of brute-force attacks.
|
| DE.CM-03.03 | Privileged account monitoring | Mitigates | T1606.001 | Web Cookies |
Comments
This diagnostic statement implements mechanisms and tools to mitigate potential misuse of privileged users and accounts. Continuous monitoring of role and attribute assignments and activity is essential to prevent and detect unauthorized access or misuse.
|
| DE.CM-03.03 | Privileged account monitoring | Mitigates | T1543.003 | Windows Service |
Comments
This diagnostic statement implements mechanisms and tools to mitigate potential misuse of privileged users and accounts. Continuous monitoring of role and attribute assignments and activity is essential to prevent and detect unauthorized access or misuse.
|
| DE.CM-03.03 | Privileged account monitoring | Mitigates | T1543.004 | Launch Daemon |
Comments
This diagnostic statement implements mechanisms and tools to mitigate potential misuse of privileged users and accounts. Continuous monitoring of role and attribute assignments and activity is essential to prevent and detect unauthorized access or misuse.
|
| DE.CM-03.03 | Privileged account monitoring | Mitigates | T1543.002 | Systemd Service |
Comments
This diagnostic statement implements mechanisms and tools to mitigate potential misuse of privileged users and accounts. Continuous monitoring of role and attribute assignments and activity is essential to prevent and detect unauthorized access or misuse.
|
| DE.CM-03.03 | Privileged account monitoring | Mitigates | T1098.004 | SSH Authorized Keys |
Comments
This diagnostic statement implements mechanisms and tools to mitigate potential misuse of privileged users and accounts. Continuous monitoring of role and attribute assignments and activity is essential to prevent and detect unauthorized access or misuse.
|
| DE.CM-03.03 | Privileged account monitoring | Mitigates | T1098.005 | Device Registration |
Comments
This diagnostic statement implements mechanisms and tools to mitigate potential misuse of privileged users and accounts. Continuous monitoring of role and attribute assignments and activity is essential to prevent and detect unauthorized access or misuse.
|
| DE.CM-03.03 | Privileged account monitoring | Mitigates | T1098.006 | Additional Container Cluster Roles |
Comments
This diagnostic statement implements mechanisms and tools to mitigate potential misuse of privileged users and accounts. Continuous monitoring of role and attribute assignments and activity is essential to prevent and detect unauthorized access or misuse.
|
| DE.CM-03.03 | Privileged account monitoring | Mitigates | T1098.007 | Additional Local or Domain Groups |
Comments
This diagnostic statement implements mechanisms and tools to mitigate potential misuse of privileged users and accounts. Continuous monitoring of role and attribute assignments and activity is essential to prevent and detect unauthorized access or misuse.
|
| DE.CM-03.03 | Privileged account monitoring | Mitigates | T1078 | Valid Accounts |
Comments
This diagnostic statement implements mechanisms and tools to mitigate potential misuse of privileged users and accounts. Continuous monitoring of role and attribute assignments and activity is essential to prevent and detect unauthorized access or misuse.
|
| DE.CM-01.05 | Website and service blocking | Mitigates | T1204.001 | Malicious Link |
Comments
This diagnostic statement protects user execution through the implementation of tools and measures to block unknown or unused files in transit.
|
| PR.IR-03.01 | Alternative resilience mechanisms | Mitigates | T1485 | Data Destruction |
Comments
This diagnostic statement protects against Data Destruction through the use of failsafes, backup facilities, disaster recovery, and resilience strategies including resumption of critical services.
|
| PR.IR-03.01 | Alternative resilience mechanisms | Mitigates | T1485.001 | Lifecycle-Triggered Deletion |
Comments
This diagnostic statement protects against Lifecycle-Triggered Deletion through the use of failsafes, backup facilities, disaster recovery, and resilience strategies including resumption of critical services.
|
| PR.IR-03.01 | Alternative resilience mechanisms | Mitigates | T1486 | Data Encrypted for Impact |
Comments
This diagnostic statement protects against Data Encrypted for Impact through the use of failsafes, backup facilities, disaster recovery, and resilience strategies including resumption of critical services.
|
| PR.IR-03.01 | Alternative resilience mechanisms | Mitigates | T1491 | Defacement |
Comments
This diagnostic statement protects against Defacement through the use of failsafes, backup facilities, disaster recovery, and resilience strategies including resumption of critical services.
|
| PR.IR-03.01 | Alternative resilience mechanisms | Mitigates | T1491.001 | Internal Defacement |
Comments
This diagnostic statement protects against Internal Defacement through the use of failsafes, backup facilities, disaster recovery, and resilience strategies including resumption of critical services.
|
| PR.IR-03.01 | Alternative resilience mechanisms | Mitigates | T1491.002 | External Defacement |
Comments
This diagnostic statement protects against External Defacement through the use of failsafes, backup facilities, disaster recovery, and resilience strategies including resumption of critical services.
|
| PR.IR-03.01 | Alternative resilience mechanisms | Mitigates | T1561 | Disk Wipe |
Comments
This diagnostic statement protects against Disk Wipe through the use of failsafes, backup facilities, disaster recovery, and resilience strategies including resumption of critical services.
|
| PR.IR-03.01 | Alternative resilience mechanisms | Mitigates | T1561.001 | Disk Content Wipe |
Comments
This diagnostic statement protects against Disk Content Wipe through the use of failsafes, backup facilities, disaster recovery, and resilience strategies including resumption of critical services.
|
| PR.IR-03.01 | Alternative resilience mechanisms | Mitigates | T1561.002 | Disk Structure Wipe |
Comments
This diagnostic statement protects against Disk Structure Wipe through the use of failsafes, backup facilities, disaster recovery, and resilience strategies including resumption of critical services.
|
| PR.IR-03.01 | Alternative resilience mechanisms | Mitigates | T1490 | Inhibit System Recovery |
Comments
This diagnostic statement protects against Inhibit System Recovery through the use of failsafes, backup facilities, disaster recovery, and resilience strategies including resumption of critical services.
|
| PR.IR-03.01 | Alternative resilience mechanisms | Mitigates | T1020 | Automated Exfiltration |
Comments
This diagnostic statement protects against Automated Exfiltration through the use of failsafes, backup facilities, disaster recovery, and resilience strategies including resumption of critical services.
|
| PR.IR-03.01 | Alternative resilience mechanisms | Mitigates | T1020.001 | Traffic Duplication |
Comments
This diagnostic statement protects against Traffic Duplication through the use of failsafes, backup facilities, disaster recovery, and resilience strategies including resumption of critical services.
|
| PR.IR-03.01 | Alternative resilience mechanisms | Mitigates | T1005 | Data from Local System |
Comments
This diagnostic statement protects against Data from Local System through the use of failsafes, backup facilities, disaster recovery, and resilience strategies including resumption of critical services.
|
| PR.IR-03.01 | Alternative resilience mechanisms | Mitigates | T1025 | Data from Removable Media |
Comments
This diagnostic statement protects against Data from Removable Media through the use of failsafes, backup facilities, disaster recovery, and resilience strategies including resumption of critical services.
|
| PR.IR-03.01 | Alternative resilience mechanisms | Mitigates | T1048 | Exfiltration Over Alternative Protocol |
Comments
This diagnostic statement protects against Exfiltration Over Alternative Protocol through the use of failsafes, backup facilities, disaster recovery, and resilience strategies including resumption of critical services.
|
| PR.IR-03.01 | Alternative resilience mechanisms | Mitigates | T1048.002 | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol |
Comments
This diagnostic statement protects against Exfiltration Over Asymmetric Encrypted Non-C2 Protocol through the use of failsafes, backup facilities, disaster recovery, and resilience strategies including resumption of critical services.
|
| PR.IR-03.01 | Alternative resilience mechanisms | Mitigates | T1048.003 | Exfiltration Over Unencrypted Non-C2 Protocol |
Comments
This diagnostic statement protects against Exfiltration Over Unencrypted Non-C2 Protocol through the use of failsafes, backup facilities, disaster recovery, and resilience strategies including resumption of critical services.
|
| PR.IR-03.01 | Alternative resilience mechanisms | Mitigates | T1041 | Exfiltration Over C2 Channel |
Comments
This diagnostic statement protects against Exfiltration Over C2 Channel through the use of failsafes, backup facilities, disaster recovery, and resilience strategies including resumption of critical services.
|
| PR.IR-03.01 | Alternative resilience mechanisms | Mitigates | T1052 | Exfiltration Over Physical Medium |
Comments
This diagnostic statement protects against Exfiltration Over Physical Medium through the use of failsafes, backup facilities, disaster recovery, and resilience strategies including resumption of critical services.
|
| PR.IR-03.01 | Alternative resilience mechanisms | Mitigates | T1052.001 | Exfiltration over USB |
Comments
This diagnostic statement protects against Exfiltration over USB through the use of failsafes, backup facilities, disaster recovery, and resilience strategies including resumption of critical services.
|
| PR.IR-03.01 | Alternative resilience mechanisms | Mitigates | T1567 | Exfiltration Over Web Service |
Comments
This diagnostic statement protects against Exfiltration Over Web Service through the use of failsafes, backup facilities, disaster recovery, and resilience strategies including resumption of critical services.
|
| PR.IR-03.01 | Alternative resilience mechanisms | Mitigates | T1567.004 | Exfiltration Over Webhook |
Comments
This diagnostic statement protects against Exfiltration Over Webhook through the use of failsafes, backup facilities, disaster recovery, and resilience strategies including resumption of critical services.
|
| PR.IR-03.01 | Alternative resilience mechanisms | Mitigates | T1537 | Transfer Data to Cloud Account |
Comments
This diagnostic statement protects against Transfer Data to Cloud Account through the use of failsafes, backup facilities, disaster recovery, and resilience strategies including resumption of critical services.
|
| PR.PS-06.01 | Secure SDLC process | Mitigates | T1550 | Use Alternate Authentication Material |
Comments
This diagnostic statement provides secure application development, such as implementing token binding strategies to help prevent the malicious use of application access tokens.
|
| PR.PS-06.01 | Secure SDLC process | Mitigates | T1559 | Inter-Process Communication |
Comments
This diagnostic statement protects inter-process communication mechanisms from abuse through secure development practices, such as enabling the Hardened Runtime capability when developing applications.
|
| PR.PS-06.01 | Secure SDLC process | Mitigates | T1078 | Valid Accounts |
Comments
This diagnostic statement provides for secure system development, which includes ensuring that applications do not store sensitive data or valid account credentials insecurely (e.g., plaintext credentials in code, published credentials in repositories, or credentials in public cloud storage).
|
| PR.PS-06.01 | Secure SDLC process | Mitigates | T1078.002 | Domain Accounts |
Comments
This diagnostic statement provides for secure system development, which includes ensuring that applications do not store sensitive data or valid account credentials insecurely (e.g., plaintext credentials in code, published credentials in repositories, or credentials in public cloud storage).
|
| PR.PS-06.01 | Secure SDLC process | Mitigates | T1078.003 | Local Accounts |
Comments
This diagnostic statement provides for secure system development, which includes ensuring that applications do not store sensitive data or valid account credentials insecurely (e.g., plaintext credentials in code, published credentials in repositories, or credentials in public cloud storage).
|
| PR.PS-06.01 | Secure SDLC process | Mitigates | T1078.004 | Cloud Accounts |
Comments
This diagnostic statement provides for secure system development, which includes ensuring that applications do not store sensitive data or valid account credentials insecurely (e.g., plaintext credentials in code, published credentials in repositories, or credentials in public cloud storage).
|
| PR.PS-06.01 | Secure SDLC process | Mitigates | T1559 | Inter-Process Communication |
Comments
This diagnostic statement protects inter-process communication mechanisms from abuse through secure development practices, such as enabling the Hardened Runtime capability when developing applications.
|
| PR.PS-06.01 | Secure SDLC process | Mitigates | T1559.003 | XPC Services |
Comments
This diagnostic statement protects inter-process communication mechanisms from abuse through secure development practices, such as enabling the Hardened Runtime capability when developing applications.
|
| PR.PS-06.01 | Secure SDLC process | Mitigates | T1550 | Use Alternate Authentication Material |
Comments
This diagnostic statement provides for the implementation of secure development practices, such as implementing token binding strategies which can help prevent malicious use of application access tokens.
|
| PR.PS-06.01 | Secure SDLC process | Mitigates | T1550.001 | Application Access Token |
Comments
This diagnostic statement provides for the implementation of secure development practices, such as implementing token binding strategies which can help prevent malicious use of application access tokens.
|
| PR.PS-06.01 | Secure SDLC process | Mitigates | T1212 | Exploitation for Credential Access |
Comments
This diagnostic statement protects against Exploitation for Credential Access through the implementation of measures in the application to validate authentication requests by enabling one-time passwords, providing timestamps or sequence numbers for messages sent, using digital signatures, and/or using random session keys.
|
| PR.PS-06.01 | Secure SDLC process | Mitigates | T1564 | Hide Artifacts |
Comments
This diagnostic statement protects against Hide Artifacts through the implementation of application security processes and procedures such as installing applications to trusted system folder paths that are already protected by restricted file and directory permissions.
|
| PR.PS-06.01 | Secure SDLC process | Mitigates | T1564.009 | Resource Forking |
Comments
This diagnostic statement protects against Hide Artifacts through the implementation of application security processes and procedures such as installing applications to trusted system folder paths that are already protected by restricted file and directory permissions.
|
| PR.PS-06.01 | Secure SDLC process | Mitigates | T1564.012 | File/Path Exclusions |
Comments
This diagnostic statement protects against Hide Artifacts through the implementation of application security processes and procedures such as installing applications to trusted system folder paths that are already protected by restricted file and directory permissions.
|
| PR.PS-06.01 | Secure SDLC process | Mitigates | T1574 | Hijack Execution Flow |
Comments
This diagnostic statement provides for secure application development processes and procedures, such as including hash values in manifest files to help prevent side-loading of malicious libraries.
|
| PR.PS-06.01 | Secure SDLC process | Mitigates | T1574.002 | DLL Side-Loading |
Comments
This diagnostic statement provides for secure application development processes and procedures, such as including hash values in manifest files to help prevent side-loading of malicious libraries.
|
| PR.PS-06.01 | Secure SDLC process | Mitigates | T1559.003 | XPC Services |
Comments
This diagnostic statement protects inter-process communication mechanisms from abuse through secure development practices, such as enabling the Hardened Runtime capability when developing applications.
|
| PR.PS-06.01 | Secure SDLC process | Mitigates | T1647 | Plist File Modification |
Comments
This diagnostic statement helps protect the modification of property list files (plist files) through secure development practices, such as enabling hardened runtime.
|
| PR.PS-06.01 | Secure SDLC process | Mitigates | T1496.003 | SMS Pumping |
Comments
This diagnostic statement helps provides for secure development practices, such as implementing CAPTCHA protection on forms that send messages via SMS.
|
| PR.PS-06.01 | Secure SDLC process | Mitigates | T1593 | Search Open Websites/Domains |
Comments
This diagnostic statement provides for the use of secure development processes and procedures. This includes avoiding publishing sensitive information such as credentials and API keys when uploading to public code repositories.
|
| PR.PS-06.01 | Secure SDLC process | Mitigates | T1593.003 | Code Repositories |
Comments
This diagnostic statement provides for the use of secure development processes and procedures. This includes avoiding publishing sensitive information such as credentials and API keys when uploading to public code repositories.
|
| PR.PS-06.01 | Secure SDLC process | Mitigates | T1195 | Supply Chain Compromise |
Comments
This diagnostic statement provides for the use of secure development processes and procedures. This includes being cautious when selecting third-party libraries to integrate into applications.
|
| PR.PS-06.01 | Secure SDLC process | Mitigates | T1195.001 | Compromise Software Dependencies and Development Tools |
Comments
This diagnostic statement provides for the use of secure development processes and procedures. This includes being cautious when selecting third-party libraries to integrate into applications.
|
| PR.PS-06.01 | Secure SDLC process | Mitigates | T1550.001 | Application Access Token |
Comments
This diagnostic statement provides secure application development, such as implementing token binding strategies to help prevent the malicious use of application access tokens.
|
| PR.PS-06.01 | Secure SDLC process | Mitigates | T1078.001 | Default Accounts |
Comments
This diagnostic statement provides for secure system development, which includes ensuring that applications do not store sensitive data or valid account credentials insecurely (e.g., plaintext credentials in code, published credentials in repositories, or credentials in public cloud storage).
|
| PR.PS-06.01 | Secure SDLC process | Mitigates | T1195.001 | Compromise Software Dependencies and Development Tools |
Comments
This diagnostic statement provides for the use of secure development processes and procedures. This includes being cautious when selecting third-party libraries to integrate into applications.
|
| PR.PS-01.08 | End-user device protection | Mitigates | T1027 | Obfuscated Files or Information |
Comments
This diagnostic statement provides protections for endpoints from obfuscated files or information through configuration requirements, connection requirements, and other mechanisms to protect network, application, and data integrity.
|
| PR.PS-01.08 | End-user device protection | Mitigates | T1027.002 | Software Packing |
Comments
This diagnostic statement provides protections for endpoints from obfuscated files or information through configuration requirements, connection requirements, and other mechanisms to protect network, application, and data integrity.
|
| PR.PS-01.08 | End-user device protection | Mitigates | T1027.009 | Embedded Payloads |
Comments
This diagnostic statement provides protections for endpoints from obfuscated files or information through configuration requirements, connection requirements, and other mechanisms to protect network, application, and data integrity.
|
| PR.PS-01.08 | End-user device protection | Mitigates | T1027.010 | Command Obfuscation |
Comments
This diagnostic statement provides protections for endpoints from obfuscated files or information through configuration requirements, connection requirements, and other mechanisms to protect network, application, and data integrity.
|
| PR.PS-01.08 | End-user device protection | Mitigates | T1027.012 | LNK Icon Smuggling |
Comments
This diagnostic statement provides protections for endpoints from obfuscated files or information through configuration requirements, connection requirements, and other mechanisms to protect network, application, and data integrity.
|
| PR.PS-01.08 | End-user device protection | Mitigates | T1027.013 | Encrypted/Encoded File |
Comments
This diagnostic statement provides protections for endpoints from obfuscated files or information through configuration requirements, connection requirements, and other mechanisms to protect network, application, and data integrity.
|
| PR.PS-01.08 | End-user device protection | Mitigates | T1027.014 | Polymorphic Code |
Comments
This diagnostic statement provides protections for endpoints from obfuscated files or information through configuration requirements, connection requirements, and other mechanisms to protect network, application, and data integrity.
|
| PR.PS-01.08 | End-user device protection | Mitigates | T1036 | Masquerading |
Comments
This diagnostic statement provides protections for endpoints from masquerading or manipulated artifacts through configuration requirements, connection requirements, and other mechanisms to protect network, application, and data integrity.
|
| PR.PS-01.08 | End-user device protection | Mitigates | T1036.008 | Masquerade File Type |
Comments
This diagnostic statement provides protections for endpoints from masquerading or manipulated artifacts through configuration requirements, connection requirements, and other mechanisms to protect network, application, and data integrity.
|
| PR.PS-01.08 | End-user device protection | Mitigates | T1059 | Command and Scripting Interpreter |
Comments
This diagnostic statement protects endpoints from abuse of commands and scripts through configuration requirements, connection requirements, and other mechanisms to protect network, application, and data integrity.
|
| PR.PS-01.08 | End-user device protection | Mitigates | T1059.001 | PowerShell |
Comments
This diagnostic statement protects endpoints from abuse of commands and scripts through configuration requirements, connection requirements, and other mechanisms to protect network, application, and data integrity.
|
| PR.PS-01.08 | End-user device protection | Mitigates | T1059.005 | Visual Basic |
Comments
This diagnostic statement protects endpoints from abuse of commands and scripts through configuration requirements, connection requirements, and other mechanisms to protect network, application, and data integrity.
|
| PR.PS-01.08 | End-user device protection | Mitigates | T1059.006 | Python |
Comments
This diagnostic statement protects endpoints from abuse of commands and scripts through configuration requirements, connection requirements, and other mechanisms to protect network, application, and data integrity.
|
| PR.PS-01.08 | End-user device protection | Mitigates | T1091 | Replication Through Removable Media |
Comments
This diagnostic statement protects endpoints from untrusted files on removable drives through configuration requirements, connection requirements, and other mechanisms to protect network, application, and data integrity.
|
| PR.PS-01.08 | End-user device protection | Mitigates | T1200 | Hardware Additions |
Comments
This diagnostic statement protects endpoints from introduction of hardware additions through configuration requirements, connection requirements, and other mechanisms to protect network, application, and data integrity.
|
| PR.PS-01.08 | End-user device protection | Mitigates | T1574 | Hijack Execution Flow |
Comments
This diagnostic statement protects endpoints from certain types of behaviors related to process injection/memory tampering through configuration requirements, connection requirements, and other mechanisms to protect network, application, and data integrity.
|
| PR.PS-01.08 | End-user device protection | Mitigates | T1574.001 | DLL Search Order Hijacking |
Comments
This diagnostic statement protects endpoints from certain types of behaviors related to process injection/memory tampering through configuration requirements, connection requirements, and other mechanisms to protect network, application, and data integrity.
|
| PR.PS-01.08 | End-user device protection | Mitigates | T1574.002 | DLL Side-Loading |
Comments
This diagnostic statement protects endpoints from certain types of behaviors related to process injection/memory tampering through configuration requirements, connection requirements, and other mechanisms to protect network, application, and data integrity.
|
| PR.PS-01.08 | End-user device protection | Mitigates | T1574.006 | Dynamic Linker Hijacking |
Comments
This diagnostic statement protects endpoints from certain types of behaviors related to process injection/memory tampering through configuration requirements, connection requirements, and other mechanisms to protect network, application, and data integrity.
|
| PR.PS-01.08 | End-user device protection | Mitigates | T1574.006 | Dynamic Linker Hijacking |
Comments
This diagnostic statement protects endpoints from certain types of behaviors related to process injection/memory tampering through configuration requirements, connection requirements, and other mechanisms to protect network, application, and data integrity.
|
| PR.PS-01.08 | End-user device protection | Mitigates | T1574.007 | Path Interception by PATH Environment Variable |
Comments
This diagnostic statement protects endpoints from certain types of behaviors related to process injection/memory tampering through configuration requirements, connection requirements, and other mechanisms to protect network, application, and data integrity.
|
| PR.PS-01.08 | End-user device protection | Mitigates | T1574.008 | Path Interception by Search Order Hijacking |
Comments
This diagnostic statement protects endpoints from certain types of behaviors related to process injection/memory tampering through configuration requirements, connection requirements, and other mechanisms to protect network, application, and data integrity.
|
| PR.PS-01.08 | End-user device protection | Mitigates | T1574.009 | Path Interception by Unquoted Path |
Comments
This diagnostic statement protects endpoints from certain types of behaviors related to process injection/memory tampering through configuration requirements, connection requirements, and other mechanisms to protect network, application, and data integrity.
|
| PR.PS-01.08 | End-user device protection | Mitigates | T1574.012 | COR_PROFILER |
Comments
This diagnostic statement protects endpoints from certain types of behaviors related to process injection/memory tampering through configuration requirements, connection requirements, and other mechanisms to protect network, application, and data integrity.
|
| PR.PS-01.08 | End-user device protection | Mitigates | T1574.013 | KernelCallbackTable |
Comments
This diagnostic statement protects endpoints from certain types of behaviors related to process injection/memory tampering through configuration requirements, connection requirements, and other mechanisms to protect network, application, and data integrity.
|
| PR.AA-05.02 | Privileged system access | Mitigates | T1003.006 | DCSync |
Comments
This diagnostic statement protects against DCSync through the use of privileged account management and the use of multi-factor authentication.
|
| PR.AA-05.02 | Privileged system access | Mitigates | T1003.007 | Proc Filesystem |
Comments
This diagnostic statement protects against Proc Filesystem through the use of privileged account management and the use of multi-factor authentication.
|
| PR.AA-05.02 | Privileged system access | Mitigates | T1003.008 | /etc/passwd and /etc/shadow |
Comments
This diagnostic statement protects against /etc/passwd and /etc/shadow through the use of privileged account management and the use of multi-factor authentication.
|
| PR.AA-05.02 | Privileged system access | Mitigates | T1021 | Remote Services |
Comments
This diagnostic statement protects against Remote Services through the use of privileged account management and the use of multi-factor authentication.
|
| PR.AA-05.02 | Privileged system access | Mitigates | T1021.001 | Remote Desktop Protocol |
Comments
This diagnostic statement protects against Remote Desktop Protocol through the use of privileged account management and the use of multi-factor authentication.
|
| PR.AA-05.02 | Privileged system access | Mitigates | T1021.002 | SMB/Windows Admin Shares |
Comments
This diagnostic statement protects against SMB/Windows Admin Shares through the use of privileged account management and the use of multi-factor authentication.
|
| PR.AA-05.02 | Privileged system access | Mitigates | T1021.003 | Distributed Component Object Model |
Comments
This diagnostic statement protects against Distributed Component Object Model through the use of privileged account management and the use of multi-factor authentication.
|
| PR.AA-05.02 | Privileged system access | Mitigates | T1021.004 | SSH |
Comments
This diagnostic statement protects against SSH through the use of privileged account management and the use of multi-factor authentication.
|
| PR.AA-05.02 | Privileged system access | Mitigates | T1021.006 | Windows Remote Management |
Comments
This diagnostic statement protects against Windows Remote Management through the use of privileged account management and the use of multi-factor authentication.
|
| PR.AA-05.02 | Privileged system access | Mitigates | T1021.007 | Cloud Services |
Comments
This diagnostic statement protects against Cloud Services through the use of privileged account management and the use of multi-factor authentication.
|
| PR.AA-05.02 | Privileged system access | Mitigates | T1040 | Network Sniffing |
Comments
This diagnostic statement protects against Network Sniffing through the use of privileged account management and the use of multi-factor authentication.
|
| PR.AA-05.02 | Privileged system access | Mitigates | T1047 | Windows Management Instrumentation |
Comments
This diagnostic statement protects against Windows Management Instrumentation through the use of privileged account management and the use of multi-factor authentication.
|
| PR.AA-05.02 | Privileged system access | Mitigates | T1053 | Scheduled Task/Job |
Comments
This diagnostic statement protects against Scheduled Task/Job through the use of privileged account management and the use of multi-factor authentication.
|
| PR.AA-05.02 | Privileged system access | Mitigates | T1053.002 | At |
Comments
This diagnostic statement protects against At through the use of privileged account management and the use of multi-factor authentication.
|
| PR.AA-05.02 | Privileged system access | Mitigates | T1053.005 | Scheduled Task |
Comments
This diagnostic statement protects against Scheduled Task through the use of privileged account management and the use of multi-factor authentication.
|
| PR.AA-05.02 | Privileged system access | Mitigates | T1053.006 | Systemd Timers |
Comments
This diagnostic statement protects against Systemd Timers through the use of privileged account management and the use of multi-factor authentication.
|
| PR.AA-05.02 | Privileged system access | Mitigates | T1053.007 | Container Orchestration Job |
Comments
This diagnostic statement protects against Container Orchestration Job through the use of privileged account management and the use of multi-factor authentication.
|
| PR.AA-05.02 | Privileged system access | Mitigates | T1055 | Process Injection |
Comments
This diagnostic statement protects against Process Injection through the use of privileged account management and the use of multi-factor authentication.
|
| PR.AA-05.02 | Privileged system access | Mitigates | T1055.008 | Ptrace System Calls |
Comments
This diagnostic statement protects against Ptrace System Calls through the use of privileged account management and the use of multi-factor authentication.
|
| PR.AA-05.02 | Privileged system access | Mitigates | T1056 | Input Capture |
Comments
This diagnostic statement protects against Input Capture through the use of privileged account management and the use of multi-factor authentication.
|
| PR.AA-05.02 | Privileged system access | Mitigates | T1056.003 | Web Portal Capture |
Comments
This diagnostic statement protects against Web Portal Capture through the use of privileged account management and the use of multi-factor authentication.
|
| PR.AA-05.02 | Privileged system access | Mitigates | T1059 | Command and Scripting Interpreter |
Comments
This diagnostic statement protects against Command and Scripting Interpreter through the use of privileged account management and the use of multi-factor authentication.
|
| PR.AA-05.02 | Privileged system access | Mitigates | T1059.001 | PowerShell |
Comments
This diagnostic statement protects against PowerShell through the use of privileged account management and the use of multi-factor authentication.
|
| PR.AA-05.02 | Privileged system access | Mitigates | T1059.008 | Network Device CLI |
Comments
This diagnostic statement protects against Network Device CLI through the use of privileged account management and the use of multi-factor authentication.
|
| PR.AA-05.02 | Privileged system access | Mitigates | T1059.009 | Cloud API |
Comments
This diagnostic statement protects against Cloud API through the use of privileged account management and the use of multi-factor authentication.
|
| PR.AA-05.02 | Privileged system access | Mitigates | T1072 | Software Deployment Tools |
Comments
This diagnostic statement protects against Software Deployment Tools through the use of privileged account management and the use of multi-factor authentication.
|
| PR.AA-05.02 | Privileged system access | Mitigates | T1078 | Valid Accounts |
Comments
This diagnostic statement protects against Valid Accounts through the use of privileged account management and the use of multi-factor authentication.
|
| PR.AA-05.02 | Privileged system access | Mitigates | T1078.001 | Default Accounts |
Comments
This diagnostic statement protects against Default Accounts through the use of privileged account management and the use of multi-factor authentication.
|
| PR.AA-05.02 | Privileged system access | Mitigates | T1078.002 | Domain Accounts |
Comments
This diagnostic statement protects against Domain Accounts through the use of privileged account management and the use of multi-factor authentication.
|
| PR.AA-05.02 | Privileged system access | Mitigates | T1078.003 | Local Accounts |
Comments
This diagnostic statement protects against Local Accounts through the use of privileged account management and the use of multi-factor authentication.
|
| PR.AA-05.02 | Privileged system access | Mitigates | T1078.004 | Cloud Accounts |
Comments
This diagnostic statement protects against Cloud Accounts through the use of privileged account management and the use of multi-factor authentication.
|
| PR.AA-05.02 | Privileged system access | Mitigates | T1098 | Account Manipulation |
Comments
This diagnostic statement protects against Account Manipulation through the use of privileged account management and the use of multi-factor authentication.
|
| PR.AA-05.02 | Privileged system access | Mitigates | T1098.001 | Additional Cloud Credentials |
Comments
This diagnostic statement protects against Additional Cloud Credentials through the use of privileged account management and the use of multi-factor authentication.
|
| PR.AA-05.02 | Privileged system access | Mitigates | T1098.002 | Additional Email Delegate Permissions |
Comments
This diagnostic statement protects against Additional Email Delegate Permissions through the use of privileged account management and the use of multi-factor authentication.
|
| PR.AA-05.02 | Privileged system access | Mitigates | T1098.003 | Additional Cloud Roles |
Comments
This diagnostic statement protects against Additional Cloud Roles through the use of privileged account management and the use of multi-factor authentication.
|
| PR.AA-05.02 | Privileged system access | Mitigates | T1098.005 | Device Registration |
Comments
This diagnostic statement protects against Device Registration through the use of privileged account management and the use of multi-factor authentication.
|
| PR.AA-05.02 | Privileged system access | Mitigates | T1098.006 | Additional Container Cluster Roles |
Comments
This diagnostic statement protects against Additional Container Cluster Roles through the use of privileged account management and the use of multi-factor authentication.
|
| PR.AA-05.02 | Privileged system access | Mitigates | T1110 | Brute Force |
Comments
This diagnostic statement protects against Brute Force through the use of privileged account management and the use of multi-factor authentication.
|
| PR.AA-05.02 | Privileged system access | Mitigates | T1110.001 | Password Guessing |
Comments
This diagnostic statement protects against Password Guessing through the use of privileged account management and the use of multi-factor authentication.
|
| PR.AA-05.02 | Privileged system access | Mitigates | T1110.002 | Password Cracking |
Comments
This diagnostic statement protects against Password Cracking through the use of privileged account management and the use of multi-factor authentication.
|
| PR.AA-05.02 | Privileged system access | Mitigates | T1110.003 | Password Spraying |
Comments
This diagnostic statement protects against Password Spraying through the use of privileged account management and the use of multi-factor authentication.
|
| PR.AA-05.02 | Privileged system access | Mitigates | T1110.004 | Credential Stuffing |
Comments
This diagnostic statement protects against Credential Stuffing through the use of privileged account management and the use of multi-factor authentication.
|
| PR.AA-05.02 | Privileged system access | Mitigates | T1114 | Email Collection |
Comments
This diagnostic statement protects against Email Collection through the use of privileged account management and the use of multi-factor authentication.
|
| PR.AA-05.02 | Privileged system access | Mitigates | T1114.002 | Remote Email Collection |
Comments
This diagnostic statement protects against Remote Email Collection through the use of privileged account management and the use of multi-factor authentication.
|
| PR.AA-05.02 | Privileged system access | Mitigates | T1133 | External Remote Services |
Comments
This diagnostic statement protects against External Remote Services through the use of privileged account management and the use of multi-factor authentication.
|
| PR.AA-05.02 | Privileged system access | Mitigates | T1134 | Access Token Manipulation |
Comments
This diagnostic statement protects against Access Token Manipulation through the use of privileged account management and the use of multi-factor authentication.
|
| PR.AA-05.02 | Privileged system access | Mitigates | T1134.001 | Token Impersonation/Theft |
Comments
This diagnostic statement protects against Token Impersonation/Theft through the use of privileged account management and the use of multi-factor authentication.
|
| PR.AA-05.02 | Privileged system access | Mitigates | T1134.002 | Create Process with Token |
Comments
This diagnostic statement protects against Create Process with Token through the use of privileged account management and the use of multi-factor authentication.
|
| PR.AA-05.02 | Privileged system access | Mitigates | T1134.003 | Make and Impersonate Token |
Comments
This diagnostic statement protects against Make and Impersonate Token through the use of privileged account management and the use of multi-factor authentication.
|
| PR.AA-05.02 | Privileged system access | Mitigates | T1136 | Create Account |
Comments
This diagnostic statement protects against Create Account through the use of privileged account management and the use of multi-factor authentication.
|
| PR.AA-05.02 | Privileged system access | Mitigates | T1136.001 | Local Account |
Comments
This diagnostic statement protects against Local Account through the use of privileged account management and the use of multi-factor authentication.
|
| PR.AA-05.02 | Privileged system access | Mitigates | T1136.002 | Domain Account |
Comments
This diagnostic statement protects against Domain Account through the use of privileged account management and the use of multi-factor authentication.
|
| PR.AA-05.02 | Privileged system access | Mitigates | T1136.003 | Cloud Account |
Comments
This diagnostic statement protects against Cloud Account through the use of privileged account management and the use of multi-factor authentication.
|
| PR.AA-05.02 | Privileged system access | Mitigates | T1190 | Exploit Public-Facing Application |
Comments
This diagnostic statement protects against Exploit Public-Facing Application through the use of privileged account management and the use of multi-factor authentication.
|
| PR.AA-05.02 | Privileged system access | Mitigates | T1199 | Trusted Relationship |
Comments
This diagnostic statement protects against Trusted Relationship through the use of privileged account management and the use of multi-factor authentication.
|
| PR.AA-05.02 | Privileged system access | Mitigates | T1210 | Exploitation of Remote Services |
Comments
This diagnostic statement protects against Exploitation of Remote Services through the use of privileged account management and the use of multi-factor authentication.
|
| PR.AA-05.02 | Privileged system access | Mitigates | T1213 | Data from Information Repositories |
Comments
This diagnostic statement protects against Data from Information Repositories through the use of privileged account management and the use of multi-factor authentication.
|
| PR.AA-05.02 | Privileged system access | Mitigates | T1213.003 | Code Repositories |
Comments
This diagnostic statement protects against Code Repositories through the use of privileged account management and the use of multi-factor authentication.
|
| PR.AA-05.02 | Privileged system access | Mitigates | T1218 | System Binary Proxy Execution |
Comments
This diagnostic statement protects against System Binary Proxy Execution through the use of privileged account management and the use of multi-factor authentication.
|
| PR.AA-05.02 | Privileged system access | Mitigates | T1218.007 | Msiexec |
Comments
This diagnostic statement protects against Msiexec through the use of privileged account management and the use of multi-factor authentication.
|
| PR.AA-05.02 | Privileged system access | Mitigates | T1222 | File and Directory Permissions Modification |
Comments
This diagnostic statement protects against File and Directory Permissions Modification through the use of privileged account management and the use of multi-factor authentication.
|
| PR.AA-05.02 | Privileged system access | Mitigates | T1222.001 | Windows File and Directory Permissions Modification |
Comments
This diagnostic statement protects against Windows File and Directory Permissions Modification through the use of privileged account management and the use of multi-factor authentication.
|
| PR.AA-05.02 | Privileged system access | Mitigates | T1222.002 | Linux and Mac File and Directory Permissions Modification |
Comments
This diagnostic statement protects against Linux and Mac File and Directory Permissions Modification through the use of privileged account management and the use of multi-factor authentication.
|
| PR.AA-05.02 | Privileged system access | Mitigates | T1484 | Domain or Tenant Policy Modification |
Comments
This diagnostic statement protects against Domain or Tenant Policy Modification through the use of privileged account management and the use of multi-factor authentication.
|
| PR.AA-05.02 | Privileged system access | Mitigates | T1484.002 | Trust Modification |
Comments
This diagnostic statement protects against Trust Modification through the use of privileged account management and the use of multi-factor authentication.
|
| PR.AA-05.02 | Privileged system access | Mitigates | T1485 | Data Destruction |
Comments
This diagnostic statement protects against Data Destruction through the use of privileged account management and the use of multi-factor authentication.
|
| PR.AA-05.02 | Privileged system access | Mitigates | T1495 | Firmware Corruption |
Comments
This diagnostic statement protects against Firmware Corruption through the use of privileged account management and the use of multi-factor authentication.
|
| PR.AA-05.02 | Privileged system access | Mitigates | T1505 | Server Software Component |
Comments
This diagnostic statement protects against Server Software Component through the use of privileged account management and the use of multi-factor authentication.
|
| PR.AA-05.02 | Privileged system access | Mitigates | T1505.001 | SQL Stored Procedures |
Comments
This diagnostic statement protects against SQL Stored Procedures through the use of privileged account management and the use of multi-factor authentication.
|
| PR.AA-05.02 | Privileged system access | Mitigates | T1505.002 | Transport Agent |
Comments
This diagnostic statement protects against Transport Agent through the use of privileged account management and the use of multi-factor authentication.
|
| PR.AA-05.02 | Privileged system access | Mitigates | T1505.004 | IIS Components |
Comments
This diagnostic statement protects against IIS Components through the use of privileged account management and the use of multi-factor authentication.
|
| PR.AA-05.02 | Privileged system access | Mitigates | T1525 | Implant Internal Image |
Comments
This diagnostic statement protects against Implant Internal Image through the use of privileged account management and the use of multi-factor authentication.
|
| PR.AA-05.02 | Privileged system access | Mitigates | T1530 | Data from Cloud Storage |
Comments
This diagnostic statement protects against Data from Cloud Storage through the use of privileged account management and the use of multi-factor authentication.
|
| PR.AA-05.02 | Privileged system access | Mitigates | T1539 | Steal Web Session Cookie |
Comments
This diagnostic statement protects against Steal Web Session Cookie through the use of privileged account management and the use of multi-factor authentication.
|
| PR.AA-05.02 | Privileged system access | Mitigates | T1542 | Pre-OS Boot |
Comments
This diagnostic statement protects against Pre-OS Boot through the use of privileged account management and the use of multi-factor authentication.
|
| PR.AA-05.02 | Privileged system access | Mitigates | T1542.001 | System Firmware |
Comments
This diagnostic statement protects against System Firmware through the use of privileged account management and the use of multi-factor authentication.
|
| PR.AA-05.02 | Privileged system access | Mitigates | T1542.003 | Bootkit |
Comments
This diagnostic statement protects against Bootkit through the use of privileged account management and the use of multi-factor authentication.
|
| PR.AA-05.02 | Privileged system access | Mitigates | T1542.005 | TFTP Boot |
Comments
This diagnostic statement protects against TFTP Boot through the use of privileged account management and the use of multi-factor authentication.
|
| PR.AA-05.02 | Privileged system access | Mitigates | T1543 | Create or Modify System Process |
Comments
This diagnostic statement protects against Create or Modify System Process through the use of privileged account management and the use of multi-factor authentication.
|
| PR.AA-05.02 | Privileged system access | Mitigates | T1543.002 | Systemd Service |
Comments
This diagnostic statement protects against Systemd Service through the use of privileged account management and the use of multi-factor authentication.
|
| PR.AA-05.02 | Privileged system access | Mitigates | T1546 | Event Triggered Execution |
Comments
This diagnostic statement protects against Event Triggered Execution through the use of privileged account management and the use of multi-factor authentication.
|
| PR.AA-05.02 | Privileged system access | Mitigates | T1546.003 | Windows Management Instrumentation Event Subscription |
Comments
This diagnostic statement protects against Windows Management Instrumentation Event Subscription through the use of privileged account management and the use of multi-factor authentication.
|
| PR.AA-05.02 | Privileged system access | Mitigates | T1547 | Boot or Logon Autostart Execution |
Comments
This diagnostic statement protects against Boot or Logon Autostart Execution through the use of privileged account management and the use of multi-factor authentication.
|
| PR.AA-05.02 | Privileged system access | Mitigates | T1547.006 | Kernel Modules and Extensions |
Comments
This diagnostic statement protects against Kernel Modules and Extensions through the use of privileged account management and the use of multi-factor authentication.
|
| PR.AA-05.02 | Privileged system access | Mitigates | T1548 | Abuse Elevation Control Mechanism |
Comments
This diagnostic statement protects against Abuse Elevation Control Mechanism through the use of privileged account management and the use of multi-factor authentication.
|
| PR.AA-05.02 | Privileged system access | Mitigates | T1548.002 | Bypass User Account Control |
Comments
This diagnostic statement protects against Bypass User Account Control through the use of privileged account management and the use of multi-factor authentication.
|
| PR.AA-05.02 | Privileged system access | Mitigates | T1548.003 | Sudo and Sudo Caching |
Comments
This diagnostic statement protects against Sudo and Sudo Caching through the use of privileged account management and the use of multi-factor authentication.
|
| PR.AA-05.02 | Privileged system access | Mitigates | T1548.006 | TCC Manipulation |
Comments
This diagnostic statement protects against TCC Manipulation through the use of privileged account management and the use of multi-factor authentication.
|
| PR.AA-05.02 | Privileged system access | Mitigates | T1550 | Use Alternate Authentication Material |
Comments
This diagnostic statement protects against Use Alternate Authentication Material through the use of privileged account management and the use of multi-factor authentication.
|
| PR.AA-05.02 | Privileged system access | Mitigates | T1550.002 | Pass the Hash |
Comments
This diagnostic statement protects against Pass the Hash through the use of privileged account management and the use of multi-factor authentication.
|
| PR.AA-05.02 | Privileged system access | Mitigates | T1550.003 | Pass the Ticket |
Comments
This diagnostic statement protects against Pass the Ticket through the use of privileged account management and the use of multi-factor authentication.
|
| PR.AA-05.02 | Privileged system access | Mitigates | T1552 | Unsecured Credentials |
Comments
This diagnostic statement protects against Unsecured Credentials through the use of privileged account management and the use of multi-factor authentication.
|
| PR.AA-05.02 | Privileged system access | Mitigates | T1552.002 | Credentials in Registry |
Comments
This diagnostic statement protects against Credentials in Registry through the use of privileged account management and the use of multi-factor authentication.
|
| PR.AA-05.02 | Privileged system access | Mitigates | T1552.007 | Container API |
Comments
This diagnostic statement protects against Container API through the use of privileged account management and the use of multi-factor authentication.
|
| PR.AA-05.02 | Privileged system access | Mitigates | T1553 | Subvert Trust Controls |
Comments
This diagnostic statement protects against Subvert Trust Controls through the use of privileged account management and the use of multi-factor authentication.
|
| PR.AA-05.02 | Privileged system access | Mitigates | T1553.006 | Code Signing Policy Modification |
Comments
This diagnostic statement protects against Code Signing Policy Modification through the use of privileged account management and the use of multi-factor authentication.
|
| PR.AA-05.02 | Privileged system access | Mitigates | T1555 | Credentials from Password Stores |
Comments
This diagnostic statement protects against Credentials from Password Stores through the use of privileged account management and the use of multi-factor authentication.
|
| PR.AA-05.02 | Privileged system access | Mitigates | T1555.006 | Cloud Secrets Management Stores |
Comments
This diagnostic statement protects against Cloud Secrets Management Stores through the use of privileged account management and the use of multi-factor authentication.
|
| PR.AA-05.02 | Privileged system access | Mitigates | T1556 | Modify Authentication Process |
Comments
This diagnostic statement protects against Modify Authentication Process through the use of privileged account management and the use of multi-factor authentication.
|
| PR.AA-05.02 | Privileged system access | Mitigates | T1556.001 | Domain Controller Authentication |
Comments
This diagnostic statement protects against Domain Controller Authentication through the use of privileged account management and the use of multi-factor authentication.
|
| PR.AA-05.02 | Privileged system access | Mitigates | T1556.003 | Pluggable Authentication Modules |
Comments
This diagnostic statement protects against Pluggable Authentication Modules through the use of privileged account management and the use of multi-factor authentication.
|
| PR.AA-05.02 | Privileged system access | Mitigates | T1556.004 | Network Device Authentication |
Comments
This diagnostic statement protects against Network Device Authentication through the use of privileged account management and the use of multi-factor authentication.
|
| PR.AA-05.02 | Privileged system access | Mitigates | T1556.005 | Reversible Encryption |
Comments
This diagnostic statement protects against Reversible Encryption through the use of privileged account management and the use of multi-factor authentication.
|
| PR.AA-05.02 | Privileged system access | Mitigates | T1556.006 | Multi-Factor Authentication |
Comments
This diagnostic statement protects against Multi-Factor Authentication through the use of privileged account management and the use of multi-factor authentication.
|
| PR.AA-05.02 | Privileged system access | Mitigates | T1556.007 | Hybrid Identity |
Comments
This diagnostic statement protects against Hybrid Identity through the use of privileged account management and the use of multi-factor authentication.
|
| PR.AA-05.02 | Privileged system access | Mitigates | T1558 | Steal or Forge Kerberos Tickets |
Comments
This diagnostic statement protects against Steal or Forge Kerberos Tickets through the use of privileged account management and the use of multi-factor authentication.
|
| PR.AA-05.02 | Privileged system access | Mitigates | T1558.001 | Golden Ticket |
Comments
This diagnostic statement protects against Golden Ticket through the use of privileged account management and the use of multi-factor authentication.
|
| PR.AA-05.02 | Privileged system access | Mitigates | T1558.002 | Silver Ticket |
Comments
This diagnostic statement protects against Silver Ticket through the use of privileged account management and the use of multi-factor authentication.
|
| PR.AA-05.02 | Privileged system access | Mitigates | T1558.003 | Kerberoasting |
Comments
This diagnostic statement protects against Kerberoasting through the use of privileged account management and the use of multi-factor authentication.
|
| PR.AA-05.02 | Privileged system access | Mitigates | T1559 | Inter-Process Communication |
Comments
This diagnostic statement protects against Inter-Process Communication through the use of privileged account management and the use of multi-factor authentication.
|
| PR.AA-05.02 | Privileged system access | Mitigates | T1559.001 | Component Object Model |
Comments
This diagnostic statement protects against Component Object Model through the use of privileged account management and the use of multi-factor authentication.
|
| PR.AA-05.02 | Privileged system access | Mitigates | T1562 | Impair Defenses |
Comments
This diagnostic statement protects against Impair Defenses through the use of privileged account management and the use of multi-factor authentication.
|
| PR.AA-05.02 | Privileged system access | Mitigates | T1562.009 | Safe Mode Boot |
Comments
This diagnostic statement protects against Safe Mode Boot through the use of privileged account management and the use of multi-factor authentication.
|
| PR.AA-05.02 | Privileged system access | Mitigates | T1563 | Remote Service Session Hijacking |
Comments
This diagnostic statement protects against Remote Service Session Hijacking through the use of privileged account management and the use of multi-factor authentication.
|
| PR.AA-05.02 | Privileged system access | Mitigates | T1563.001 | SSH Hijacking |
Comments
This diagnostic statement protects against SSH Hijacking through the use of privileged account management and the use of multi-factor authentication.
|
| PR.AA-05.02 | Privileged system access | Mitigates | T1563.002 | RDP Hijacking |
Comments
This diagnostic statement protects against RDP Hijacking through the use of privileged account management and the use of multi-factor authentication.
|
| PR.AA-05.02 | Privileged system access | Mitigates | T1569 | System Services |
Comments
This diagnostic statement protects against System Services through the use of privileged account management and the use of multi-factor authentication.
|
| PR.AA-05.02 | Privileged system access | Mitigates | T1569.002 | Service Execution |
Comments
This diagnostic statement protects against Service Execution through the use of privileged account management and the use of multi-factor authentication.
|
| PR.AA-05.02 | Privileged system access | Mitigates | T1599 | Network Boundary Bridging |
Comments
This diagnostic statement protects against Network Boundary Bridging through the use of privileged account management and the use of multi-factor authentication.
|
| PR.AA-05.02 | Privileged system access | Mitigates | T1599.001 | Network Address Translation Traversal |
Comments
This diagnostic statement protects against Network Address Translation Traversal through the use of privileged account management and the use of multi-factor authentication.
|
| PR.AA-05.02 | Privileged system access | Mitigates | T1601 | Modify System Image |
Comments
This diagnostic statement protects against Modify System Image through the use of privileged account management and the use of multi-factor authentication.
|
| PR.AA-05.02 | Privileged system access | Mitigates | T1601.001 | Patch System Image |
Comments
This diagnostic statement protects against Patch System Image through the use of privileged account management and the use of multi-factor authentication.
|
| PR.AA-05.02 | Privileged system access | Mitigates | T1601.002 | Downgrade System Image |
Comments
This diagnostic statement protects against Downgrade System Image through the use of privileged account management and the use of multi-factor authentication.
|
| PR.AA-05.02 | Privileged system access | Mitigates | T1606 | Forge Web Credentials |
Comments
This diagnostic statement protects against Forge Web Credentials through the use of privileged account management and the use of multi-factor authentication.
|
| PR.AA-05.02 | Privileged system access | Mitigates | T1606.002 | SAML Tokens |
Comments
This diagnostic statement protects against SAML Tokens through the use of privileged account management and the use of multi-factor authentication.
|
| PR.AA-05.02 | Privileged system access | Mitigates | T1609 | Container Administration Command |
Comments
This diagnostic statement protects against Container Administration Command through the use of privileged account management and the use of multi-factor authentication.
|
| PR.AA-05.02 | Privileged system access | Mitigates | T1611 | Escape to Host |
Comments
This diagnostic statement protects against Escape to Host through the use of privileged account management and the use of multi-factor authentication.
|
| PR.AA-05.02 | Privileged system access | Mitigates | T1612 | Build Image on Host |
Comments
This diagnostic statement protects against Build Image on Host through the use of privileged account management and the use of multi-factor authentication.
|
| PR.AA-05.02 | Privileged system access | Mitigates | T1621 | Multi-Factor Authentication Request Generation |
Comments
This diagnostic statement protects against Multi-Factor Authentication Request Generation through the use of privileged account management and the use of multi-factor authentication.
|
| PR.AA-05.02 | Privileged system access | Mitigates | T1651 | Cloud Administration Command |
Comments
This diagnostic statement protects against Cloud Administration Command through the use of privileged account management and the use of multi-factor authentication.
|
| DE.CM-09.01 | Software and data integrity checking | Mitigates | T1003 | OS Credential Dumping |
Comments
This diagnostic statement protects against OS Credential Dumping through the use of verifying integrity of software/firmware, loading software that is trusted, ensuring privileged process integrity and checking software signatures.
|
| DE.CM-09.01 | Software and data integrity checking | Mitigates | T1003.001 | LSASS Memory |
Comments
This diagnostic statement protects against LSASS Memory through the use of verifying integrity of software/firmware, loading software that is trusted, ensuring privileged process integrity and checking software signatures.
|
| DE.CM-09.01 | Software and data integrity checking | Mitigates | T1036 | Masquerading |
Comments
This diagnostic statement protects against Masquerading through the use of verifying integrity of software/firmware, loading software that is trusted, ensuring privileged process integrity and checking software signatures.
|
| DE.CM-09.01 | Software and data integrity checking | Mitigates | T1036.001 | Invalid Code Signature |
Comments
This diagnostic statement protects against Invalid Code Signature through the use of verifying integrity of software/firmware, loading software that is trusted, ensuring privileged process integrity and checking software signatures.
|
| DE.CM-09.01 | Software and data integrity checking | Mitigates | T1036.005 | Match Legitimate Name or Location |
Comments
This diagnostic statement protects against Match Legitimate Name or Location through the use of verifying integrity of software/firmware, loading software that is trusted, ensuring privileged process integrity and checking software signatures.
|
| DE.CM-09.01 | Software and data integrity checking | Mitigates | T1059 | Command and Scripting Interpreter |
Comments
This diagnostic statement protects against Command and Scripting Interpreter through the use of verifying integrity of software/firmware, loading software that is trusted, ensuring privileged process integrity and checking software signatures.
|
| DE.CM-09.01 | Software and data integrity checking | Mitigates | T1059.001 | PowerShell |
Comments
This diagnostic statement protects against PowerShell through the use of verifying integrity of software/firmware, loading software that is trusted, ensuring privileged process integrity and checking software signatures.
|
| DE.CM-09.01 | Software and data integrity checking | Mitigates | T1059.002 | AppleScript |
Comments
This diagnostic statement protects against AppleScript through the use of verifying integrity of software/firmware, loading software that is trusted, ensuring privileged process integrity and checking software signatures.
|
| DE.CM-09.01 | Software and data integrity checking | Mitigates | T1127 | Trusted Developer Utilities Proxy Execution |
Comments
This diagnostic statement protects against Trusted Developer Utilities Proxy Execution through the use of verifying integrity of software/firmware, loading software that is trusted, ensuring privileged process integrity and checking software signatures.
|
| DE.CM-09.01 | Software and data integrity checking | Mitigates | T1127.002 | ClickOnce |
Comments
This diagnostic statement protects against ClickOnce through the use of verifying integrity of software/firmware, loading software that is trusted, ensuring privileged process integrity and checking software signatures.
|
| DE.CM-09.01 | Software and data integrity checking | Mitigates | T1176 | Browser Extensions |
Comments
This diagnostic statement protects against Browser Extensions through the use of verifying integrity of software/firmware, loading software that is trusted, ensuring privileged process integrity and checking software signatures.
|
| DE.CM-09.01 | Software and data integrity checking | Mitigates | T1195 | Supply Chain Compromise |
Comments
This diagnostic statement protects against Supply Chain Compromise through the use of verifying integrity of software/firmware, loading software that is trusted, ensuring privileged process integrity and checking software signatures.
|
| DE.CM-09.01 | Software and data integrity checking | Mitigates | T1195.001 | Compromise Software Dependencies and Development Tools |
Comments
This diagnostic statement protects against Compromise Software Dependencies and Development Tools through the use of verifying integrity of software/firmware, loading software that is trusted, ensuring privileged process integrity and checking software signatures.
|
| DE.CM-09.01 | Software and data integrity checking | Mitigates | T1204.003 | Malicious Image |
Comments
This diagnostic statement protects against Malicious Image through the use of verifying integrity of software/firmware, loading software that is trusted, ensuring privileged process integrity and checking software signatures.
|
| DE.CM-09.01 | Software and data integrity checking | Mitigates | T1213.004 | Customer Relationship Management Software |
Comments
This diagnostic statement protects against Customer Relationship Management Software through the use of verifying integrity of software/firmware, loading software that is trusted, ensuring privileged process integrity and checking software signatures.
|
| DE.CM-09.01 | Software and data integrity checking | Mitigates | T1495 | Firmware Corruption |
Comments
This diagnostic statement protects against Firmware Corruption through the use of verifying integrity of software/firmware, loading software that is trusted, ensuring privileged process integrity and checking software signatures.
|
| DE.CM-09.01 | Software and data integrity checking | Mitigates | T1505 | Server Software Component |
Comments
This diagnostic statement protects against Server Software Component through the use of verifying integrity of software/firmware, loading software that is trusted, ensuring privileged process integrity and checking software signatures.
|
| DE.CM-09.01 | Software and data integrity checking | Mitigates | T1505.001 | SQL Stored Procedures |
Comments
This diagnostic statement protects against SQL Stored Procedures through the use of verifying integrity of software/firmware, loading software that is trusted, ensuring privileged process integrity and checking software signatures.
|
| DE.CM-09.01 | Software and data integrity checking | Mitigates | T1505.002 | Transport Agent |
Comments
This diagnostic statement protects against Transport Agent through the use of verifying integrity of software/firmware, loading software that is trusted, ensuring privileged process integrity and checking software signatures.
|
| DE.CM-09.01 | Software and data integrity checking | Mitigates | T1505.004 | IIS Components |
Comments
This diagnostic statement protects against IIS Components through the use of verifying integrity of software/firmware, loading software that is trusted, ensuring privileged process integrity and checking software signatures.
|
| DE.CM-09.01 | Software and data integrity checking | Mitigates | T1525 | Implant Internal Image |
Comments
This diagnostic statement protects against Implant Internal Image through the use of verifying integrity of software/firmware, loading software that is trusted, ensuring privileged process integrity and checking software signatures.
|
| DE.CM-09.01 | Software and data integrity checking | Mitigates | T1537 | Transfer Data to Cloud Account |
Comments
This diagnostic statement protects against Transfer Data to Cloud Account through the use of verifying integrity of software/firmware, loading software that is trusted, ensuring privileged process integrity and checking software signatures.
|
| DE.CM-09.01 | Software and data integrity checking | Mitigates | T1539 | Steal Web Session Cookie |
Comments
This diagnostic statement protects against Steal Web Session Cookie through the use of verifying integrity of software/firmware, loading software that is trusted, ensuring privileged process integrity and checking software signatures.
|
| DE.CM-09.01 | Software and data integrity checking | Mitigates | T1542 | Pre-OS Boot |
Comments
This diagnostic statement protects against Pre-OS Boot through the use of verifying integrity of software/firmware, loading software that is trusted, ensuring privileged process integrity and checking software signatures.
|
| DE.CM-09.01 | Software and data integrity checking | Mitigates | T1542.001 | System Firmware |
Comments
This diagnostic statement protects against System Firmware through the use of verifying integrity of software/firmware, loading software that is trusted, ensuring privileged process integrity and checking software signatures.
|
| DE.CM-09.01 | Software and data integrity checking | Mitigates | T1542.003 | Bootkit |
Comments
This diagnostic statement protects against Bootkit through the use of verifying integrity of software/firmware, loading software that is trusted, ensuring privileged process integrity and checking software signatures.
|
| DE.CM-09.01 | Software and data integrity checking | Mitigates | T1542.004 | ROMMONkit |
Comments
This diagnostic statement protects against ROMMONkit through the use of verifying integrity of software/firmware, loading software that is trusted, ensuring privileged process integrity and checking software signatures.
|
| DE.CM-09.01 | Software and data integrity checking | Mitigates | T1542.005 | TFTP Boot |
Comments
This diagnostic statement protects against TFTP Boot through the use of verifying integrity of software/firmware, loading software that is trusted, ensuring privileged process integrity and checking software signatures.
|
| DE.CM-09.01 | Software and data integrity checking | Mitigates | T1543 | Create or Modify System Process |
Comments
This diagnostic statement protects against Create or Modify System Process through the use of verifying integrity of software/firmware, loading software that is trusted, ensuring privileged process integrity and checking software signatures.
|
| DE.CM-09.01 | Software and data integrity checking | Mitigates | T1543.002 | Systemd Service |
Comments
This diagnostic statement protects against Systemd Service through the use of verifying integrity of software/firmware, loading software that is trusted, ensuring privileged process integrity and checking software signatures.
|
| DE.CM-09.01 | Software and data integrity checking | Mitigates | T1543.003 | Windows Service |
Comments
This diagnostic statement protects against Windows Service through the use of verifying integrity of software/firmware, loading software that is trusted, ensuring privileged process integrity and checking software signatures.
|
| DE.CM-09.01 | Software and data integrity checking | Mitigates | T1546.006 | LC_LOAD_DYLIB Addition |
Comments
This diagnostic statement protects against LC_LOAD_DYLIB Addition through the use of verifying integrity of software/firmware, loading software that is trusted, ensuring privileged process integrity and checking software signatures.
|
| DE.CM-09.01 | Software and data integrity checking | Mitigates | T1546.013 | PowerShell Profile |
Comments
This diagnostic statement protects against PowerShell Profile through the use of verifying integrity of software/firmware, loading software that is trusted, ensuring privileged process integrity and checking software signatures.
|
| DE.CM-09.01 | Software and data integrity checking | Mitigates | T1547.002 | Authentication Package |
Comments
This diagnostic statement protects against Authentication Package through the use of verifying integrity of software/firmware, loading software that is trusted, ensuring privileged process integrity and checking software signatures.
|
| DE.CM-09.01 | Software and data integrity checking | Mitigates | T1547.005 | Security Support Provider |
Comments
This diagnostic statement protects against Security Support Provider through the use of verifying integrity of software/firmware, loading software that is trusted, ensuring privileged process integrity and checking software signatures.
|
| DE.CM-09.01 | Software and data integrity checking | Mitigates | T1547.008 | LSASS Driver |
Comments
This diagnostic statement protects against LSASS Driver through the use of verifying integrity of software/firmware, loading software that is trusted, ensuring privileged process integrity and checking software signatures.
|
| DE.CM-09.01 | Software and data integrity checking | Mitigates | T1547.013 | XDG Autostart Entries |
Comments
This diagnostic statement protects against XDG Autostart Entries through the use of verifying integrity of software/firmware, loading software that is trusted, ensuring privileged process integrity and checking software signatures.
|
| DE.CM-09.01 | Software and data integrity checking | Mitigates | T1553.006 | Code Signing Policy Modification |
Comments
This diagnostic statement protects against Code Signing Policy Modification through the use of verifying integrity of software/firmware, loading software that is trusted, ensuring privileged process integrity and checking software signatures.
|
| DE.CM-09.01 | Software and data integrity checking | Mitigates | T1554 | Compromise Host Software Binary |
Comments
This diagnostic statement protects against Compromise Host Software Binary through the use of verifying integrity of software/firmware, loading software that is trusted, ensuring privileged process integrity and checking software signatures.
|
| DE.CM-09.01 | Software and data integrity checking | Mitigates | T1556 | Modify Authentication Process |
Comments
This diagnostic statement protects against Modify Authentication Process through the use of verifying integrity of software/firmware, loading software that is trusted, ensuring privileged process integrity and checking software signatures.
|
| DE.CM-09.01 | Software and data integrity checking | Mitigates | T1556.001 | Domain Controller Authentication |
Comments
This diagnostic statement protects against Domain Controller Authentication through the use of verifying integrity of software/firmware, loading software that is trusted, ensuring privileged process integrity and checking software signatures.
|
| DE.CM-09.01 | Software and data integrity checking | Mitigates | T1574 | Hijack Execution Flow |
Comments
This diagnostic statement protects against Hijack Execution Flow through the use of verifying integrity of software/firmware, loading software that is trusted, ensuring privileged process integrity and checking software signatures.
|
| DE.CM-09.01 | Software and data integrity checking | Mitigates | T1574.001 | DLL Search Order Hijacking |
Comments
This diagnostic statement protects against DLL Search Order Hijacking through the use of verifying integrity of software/firmware, loading software that is trusted, ensuring privileged process integrity and checking software signatures.
|
| DE.CM-09.01 | Software and data integrity checking | Mitigates | T1601 | Modify System Image |
Comments
This diagnostic statement protects against Modify System Image through the use of verifying integrity of software/firmware, loading software that is trusted, ensuring privileged process integrity and checking software signatures.
|
| DE.CM-09.01 | Software and data integrity checking | Mitigates | T1601.001 | Patch System Image |
Comments
This diagnostic statement protects against Patch System Image through the use of verifying integrity of software/firmware, loading software that is trusted, ensuring privileged process integrity and checking software signatures.
|
| DE.CM-09.01 | Software and data integrity checking | Mitigates | T1601.002 | Downgrade System Image |
Comments
This diagnostic statement protects against Downgrade System Image through the use of verifying integrity of software/firmware, loading software that is trusted, ensuring privileged process integrity and checking software signatures.
|
| DE.CM-06.02 | Third-party access monitoring | Mitigates | T1548 | Abuse Elevation Control Mechanism |
Comments
This diagnostic statement protects against Abuse Elevation Control Mechanism through the use of privileged account management. Employing auditing, privilege access management, and just in time access protects against adversaries trying to obtain illicit access to critical systems.
|
| DE.CM-06.02 | Third-party access monitoring | Mitigates | T1548.002 | Bypass User Account Control |
Comments
This diagnostic statement protects against Bypass User Account Control through the use of privileged account management. Employing auditing, privilege access management, and just in time access protects against adversaries trying to obtain illicit access to critical systems.
|
| DE.CM-06.02 | Third-party access monitoring | Mitigates | T1548.003 | Sudo and Sudo Caching |
Comments
This diagnostic statement protects against Sudo and Sudo Caching through the use of privileged account management. Employing auditing, privilege access management, and just in time access protects against adversaries trying to obtain illicit access to critical systems.
|
| DE.CM-06.02 | Third-party access monitoring | Mitigates | T1548.006 | TCC Manipulation |
Comments
This diagnostic statement protects against TCC Manipulation through the use of privileged account management. Employing auditing, privilege access management, and just in time access protects against adversaries trying to obtain illicit access to critical systems.
|
| DE.CM-06.02 | Third-party access monitoring | Mitigates | T1134 | Access Token Manipulation |
Comments
This diagnostic statement protects against Access Token Manipulation through the use of privileged account management. Employing auditing, privilege access management, and just in time access protects against adversaries trying to obtain illicit access to critical systems.
|
| DE.CM-06.02 | Third-party access monitoring | Mitigates | T1134.001 | Token Impersonation/Theft |
Comments
This diagnostic statement protects against Token Impersonation/Theft through the use of privileged account management. Employing auditing, privilege access management, and just in time access protects against adversaries trying to obtain illicit access to critical systems.
|
| DE.CM-06.02 | Third-party access monitoring | Mitigates | T1134.002 | Create Process with Token |
Comments
This diagnostic statement protects against Create Process with Token through the use of privileged account management. Employing auditing, privilege access management, and just in time access protects against adversaries trying to obtain illicit access to critical systems.
|
| DE.CM-06.02 | Third-party access monitoring | Mitigates | T1134.003 | Make and Impersonate Token |
Comments
This diagnostic statement protects against Make and Impersonate Token through the use of privileged account management. Employing auditing, privilege access management, and just in time access protects against adversaries trying to obtain illicit access to critical systems.
|
| DE.CM-06.02 | Third-party access monitoring | Mitigates | T1098 | Account Manipulation |
Comments
This diagnostic statement protects against Account Manipulation through the use of privileged account management. Employing auditing, privilege access management, and just in time access protects against adversaries trying to obtain illicit access to critical systems.
|
| DE.CM-06.02 | Third-party access monitoring | Mitigates | T1098.001 | Additional Cloud Credentials |
Comments
This diagnostic statement protects against Additional Cloud Credentials through the use of privileged account management. Employing auditing, privilege access management, and just in time access protects against adversaries trying to obtain illicit access to critical systems.
|
| DE.CM-06.02 | Third-party access monitoring | Mitigates | T1098.002 | Additional Email Delegate Permissions |
Comments
This diagnostic statement protects against Additional Email Delegate Permissions through the use of privileged account management. Employing auditing, privilege access management, and just in time access protects against adversaries trying to obtain illicit access to critical systems.
|
| DE.CM-06.02 | Third-party access monitoring | Mitigates | T1098.003 | Additional Cloud Roles |
Comments
This diagnostic statement protects against Additional Cloud Roles through the use of privileged account management. Employing auditing, privilege access management, and just in time access protects against adversaries trying to obtain illicit access to critical systems.
|
| DE.CM-06.02 | Third-party access monitoring | Mitigates | T1651 | Cloud Administration Command |
Comments
This diagnostic statement protects against Cloud Administration Command through the use of privileged account management. Employing auditing, privilege access management, and just in time access protects against adversaries trying to obtain illicit access to critical systems.
|
| DE.CM-06.02 | Third-party access monitoring | Mitigates | T1059.001 | PowerShell |
Comments
This diagnostic statement protects against PowerShell through the use of privileged account management. Employing auditing, privilege access management, and just in time access protects against adversaries trying to obtain illicit access to critical systems.
|
| DE.CM-06.02 | Third-party access monitoring | Mitigates | T1059.008 | Network Device CLI |
Comments
This diagnostic statement protects against Network Device CLI through the use of privileged account management. Employing auditing, privilege access management, and just in time access protects against adversaries trying to obtain illicit access to critical systems.
|
| DE.CM-06.02 | Third-party access monitoring | Mitigates | T1059.009 | Cloud API |
Comments
This diagnostic statement protects against Cloud API through the use of privileged account management. Employing auditing, privilege access management, and just in time access protects against adversaries trying to obtain illicit access to critical systems.
|
| DE.CM-06.02 | Third-party access monitoring | Mitigates | T1609 | Container Administration Command |
Comments
This diagnostic statement protects against Container Administration Command through the use of privileged account management. Employing auditing, privilege access management, and just in time access protects against adversaries trying to obtain illicit access to critical systems.
|
| DE.CM-06.02 | Third-party access monitoring | Mitigates | T1136.001 | Local Account |
Comments
This diagnostic statement protects against Local Account through the use of privileged account management. Employing auditing, privilege access management, and just in time access protects against adversaries trying to obtain illicit access to critical systems.
|
| DE.CM-06.02 | Third-party access monitoring | Mitigates | T1136.002 | Domain Account |
Comments
This diagnostic statement protects against Domain Account through the use of privileged account management. Employing auditing, privilege access management, and just in time access protects against adversaries trying to obtain illicit access to critical systems.
|
| DE.CM-06.02 | Third-party access monitoring | Mitigates | T1136.003 | Cloud Account |
Comments
This diagnostic statement protects against Cloud Account through the use of privileged account management. Employing auditing, privilege access management, and just in time access protects against adversaries trying to obtain illicit access to critical systems.
|
| DE.CM-06.02 | Third-party access monitoring | Mitigates | T1555 | Credentials from Password Stores |
Comments
This diagnostic statement protects against Credentials from Password Stores through the use of privileged account management. Employing auditing, privilege access management, and just in time access protects against adversaries trying to obtain illicit access to critical systems.
|
| DE.CM-06.02 | Third-party access monitoring | Mitigates | T1555.006 | Cloud Secrets Management Stores |
Comments
This diagnostic statement protects against Cloud Secrets Management Stores through the use of privileged account management. Employing auditing, privilege access management, and just in time access protects against adversaries trying to obtain illicit access to critical systems.
|
| DE.CM-06.02 | Third-party access monitoring | Mitigates | T1484 | Domain or Tenant Policy Modification |
Comments
This diagnostic statement protects against Domain or Tenant Policy Modification through the use of privileged account management. Employing auditing, privilege access management, and just in time access protects against adversaries trying to obtain illicit access to critical systems.
|
| DE.CM-06.02 | Third-party access monitoring | Mitigates | T1484.002 | Trust Modification |
Comments
This diagnostic statement protects against Trust Modification through the use of privileged account management. Employing auditing, privilege access management, and just in time access protects against adversaries trying to obtain illicit access to critical systems.
|
| DE.CM-06.02 | Third-party access monitoring | Mitigates | T1190 | Exploit Public-Facing Application |
Comments
This diagnostic statement protects against Exploit Public-Facing Application through the use of privileged account management. Employing auditing, privilege access management, and just in time access protects against adversaries trying to obtain illicit access to critical systems.
|
| DE.CM-06.02 | Third-party access monitoring | Mitigates | T1210 | Exploitation of Remote Services |
Comments
This diagnostic statement protects against Exploitation of Remote Services through the use of privileged account management. Employing auditing, privilege access management, and just in time access protects against adversaries trying to obtain illicit access to critical systems.
|
| DE.CM-06.02 | Third-party access monitoring | Mitigates | T1606 | Forge Web Credentials |
Comments
This diagnostic statement protects against Forge Web Credentials through the use of privileged account management. Employing auditing, privilege access management, and just in time access protects against adversaries trying to obtain illicit access to critical systems.
|
| DE.CM-06.02 | Third-party access monitoring | Mitigates | T1606.002 | SAML Tokens |
Comments
This diagnostic statement protects against SAML Tokens through the use of privileged account management. Employing auditing, privilege access management, and just in time access protects against adversaries trying to obtain illicit access to critical systems.
|
| DE.CM-06.02 | Third-party access monitoring | Mitigates | T1056.003 | Web Portal Capture |
Comments
This diagnostic statement protects against Web Portal Capture through the use of privileged account management. Employing auditing, privilege access management, and just in time access protects against adversaries trying to obtain illicit access to critical systems.
|
| DE.CM-06.02 | Third-party access monitoring | Mitigates | T1556 | Modify Authentication Process |
Comments
This diagnostic statement protects against Modify Authentication Process through the use of privileged account management. Employing auditing, privilege access management, and just in time access protects against adversaries trying to obtain illicit access to critical systems.
|
| DE.CM-06.02 | Third-party access monitoring | Mitigates | T1556.001 | Domain Controller Authentication |
Comments
This diagnostic statement protects against Domain Controller Authentication through the use of privileged account management. Employing auditing, privilege access management, and just in time access protects against adversaries trying to obtain illicit access to critical systems.
|
| DE.CM-06.02 | Third-party access monitoring | Mitigates | T1556.003 | Pluggable Authentication Modules |
Comments
This diagnostic statement protects against Pluggable Authentication Modules through the use of privileged account management. Employing auditing, privilege access management, and just in time access protects against adversaries trying to obtain illicit access to critical systems.
|
| DE.CM-06.02 | Third-party access monitoring | Mitigates | T1556.004 | Network Device Authentication |
Comments
This diagnostic statement protects against Network Device Authentication through the use of privileged account management. Employing auditing, privilege access management, and just in time access protects against adversaries trying to obtain illicit access to critical systems.
|
| DE.CM-06.02 | Third-party access monitoring | Mitigates | T1556.007 | Hybrid Identity |
Comments
This diagnostic statement protects against Hybrid Identity through the use of privileged account management. Employing auditing, privilege access management, and just in time access protects against adversaries trying to obtain illicit access to critical systems.
|
| DE.CM-06.02 | Third-party access monitoring | Mitigates | T1599 | Network Boundary Bridging |
Comments
This diagnostic statement protects against Network Boundary Bridging through the use of privileged account management. Employing auditing, privilege access management, and just in time access protects against adversaries trying to obtain illicit access to critical systems.
|
| DE.CM-06.02 | Third-party access monitoring | Mitigates | T1599.001 | Network Address Translation Traversal |
Comments
This diagnostic statement protects against Network Address Translation Traversal through the use of privileged account management. Employing auditing, privilege access management, and just in time access protects against adversaries trying to obtain illicit access to critical systems.
|
| DE.CM-06.02 | Third-party access monitoring | Mitigates | T1003 | OS Credential Dumping |
Comments
This diagnostic statement protects against OS Credential Dumping through the use of privileged account management. Employing auditing, privilege access management, and just in time access protects against adversaries trying to obtain illicit access to critical systems.
|
| DE.CM-06.02 | Third-party access monitoring | Mitigates | T1003.001 | LSASS Memory |
Comments
This diagnostic statement protects against LSASS Memory through the use of privileged account management. Employing auditing, privilege access management, and just in time access protects against adversaries trying to obtain illicit access to critical systems.
|
| DE.CM-06.02 | Third-party access monitoring | Mitigates | T1003.002 | Security Account Manager |
Comments
This diagnostic statement protects against Security Account Manager through the use of privileged account management. Employing auditing, privilege access management, and just in time access protects against adversaries trying to obtain illicit access to critical systems.
|
| DE.CM-06.02 | Third-party access monitoring | Mitigates | T1003.003 | NTDS |
Comments
This diagnostic statement protects against NTDS through the use of privileged account management. Employing auditing, privilege access management, and just in time access protects against adversaries trying to obtain illicit access to critical systems.
|
| DE.CM-06.02 | Third-party access monitoring | Mitigates | T1003.004 | LSA Secrets |
Comments
This diagnostic statement protects against LSA Secrets through the use of privileged account management. Employing auditing, privilege access management, and just in time access protects against adversaries trying to obtain illicit access to critical systems.
|
| DE.CM-06.02 | Third-party access monitoring | Mitigates | T1003.005 | Cached Domain Credentials |
Comments
This diagnostic statement protects against Cached Domain Credentials through the use of privileged account management. Employing auditing, privilege access management, and just in time access protects against adversaries trying to obtain illicit access to critical systems.
|
| DE.CM-06.02 | Third-party access monitoring | Mitigates | T1003.006 | DCSync |
Comments
This diagnostic statement protects against DCSync through the use of privileged account management. Employing auditing, privilege access management, and just in time access protects against adversaries trying to obtain illicit access to critical systems.
|
| DE.CM-06.02 | Third-party access monitoring | Mitigates | T1003.007 | Proc Filesystem |
Comments
This diagnostic statement protects against Proc Filesystem through the use of privileged account management. Employing auditing, privilege access management, and just in time access protects against adversaries trying to obtain illicit access to critical systems.
|
| DE.CM-06.02 | Third-party access monitoring | Mitigates | T1003.008 | /etc/passwd and /etc/shadow |
Comments
This diagnostic statement protects against /etc/passwd and /etc/shadow through the use of privileged account management. Employing auditing, privilege access management, and just in time access protects against adversaries trying to obtain illicit access to critical systems.
|
| DE.CM-06.02 | Third-party access monitoring | Mitigates | T1563 | Remote Service Session Hijacking |
Comments
This diagnostic statement protects against Remote Service Session Hijacking through the use of privileged account management. Employing auditing, privilege access management, and just in time access protects against adversaries trying to obtain illicit access to critical systems.
|
| DE.CM-06.02 | Third-party access monitoring | Mitigates | T1563.001 | SSH Hijacking |
Comments
This diagnostic statement protects against SSH Hijacking through the use of privileged account management. Employing auditing, privilege access management, and just in time access protects against adversaries trying to obtain illicit access to critical systems.
|
| DE.CM-06.02 | Third-party access monitoring | Mitigates | T1563.002 | RDP Hijacking |
Comments
This diagnostic statement protects against RDP Hijacking through the use of privileged account management. Employing auditing, privilege access management, and just in time access protects against adversaries trying to obtain illicit access to critical systems.
|
| DE.CM-06.02 | Third-party access monitoring | Mitigates | T1021 | Remote Services |
Comments
This diagnostic statement protects against Remote Services through the use of privileged account management. Employing auditing, privilege access management, and just in time access protects against adversaries trying to obtain illicit access to critical systems.
|
| DE.CM-06.02 | Third-party access monitoring | Mitigates | T1021.001 | Remote Desktop Protocol |
Comments
This diagnostic statement protects against Remote Desktop Protocol through the use of privileged account management. Employing auditing, privilege access management, and just in time access protects against adversaries trying to obtain illicit access to critical systems.
|
| DE.CM-06.02 | Third-party access monitoring | Mitigates | T1021.002 | SMB/Windows Admin Shares |
Comments
This diagnostic statement protects against SMB/Windows Admin Shares through the use of privileged account management. Employing auditing, privilege access management, and just in time access protects against adversaries trying to obtain illicit access to critical systems.
|
| DE.CM-06.02 | Third-party access monitoring | Mitigates | T1021.003 | Distributed Component Object Model |
Comments
This diagnostic statement protects against Distributed Component Object Model through the use of privileged account management. Employing auditing, privilege access management, and just in time access protects against adversaries trying to obtain illicit access to critical systems.
|
| DE.CM-06.02 | Third-party access monitoring | Mitigates | T1021.006 | Windows Remote Management |
Comments
This diagnostic statement protects against Windows Remote Management through the use of privileged account management. Employing auditing, privilege access management, and just in time access protects against adversaries trying to obtain illicit access to critical systems.
|
| DE.CM-06.02 | Third-party access monitoring | Mitigates | T1021.007 | Cloud Services |
Comments
This diagnostic statement protects against Cloud Services through the use of privileged account management. Employing auditing, privilege access management, and just in time access protects against adversaries trying to obtain illicit access to critical systems.
|
| DE.CM-06.02 | Third-party access monitoring | Mitigates | T1505 | Server Software Component |
Comments
This diagnostic statement protects against Server Software Component through the use of privileged account management. Employing auditing, privilege access management, and just in time access protects against adversaries trying to obtain illicit access to critical systems.
|
| DE.CM-06.02 | Third-party access monitoring | Mitigates | T1072 | Software Deployment Tools |
Comments
This diagnostic statement protects against Software Deployment Tools through the use of privileged account management. Employing auditing, privilege access management, and just in time access protects against adversaries trying to obtain illicit access to critical systems.
|
| DE.CM-06.02 | Third-party access monitoring | Mitigates | T1558 | Steal or Forge Kerberos Tickets |
Comments
This diagnostic statement protects against Steal or Forge Kerberos Tickets through the use of privileged account management. Employing auditing, privilege access management, and just in time access protects against adversaries trying to obtain illicit access to critical systems.
|
| DE.CM-06.02 | Third-party access monitoring | Mitigates | T1558.001 | Golden Ticket |
Comments
This diagnostic statement protects against Golden Ticket through the use of privileged account management. Employing auditing, privilege access management, and just in time access protects against adversaries trying to obtain illicit access to critical systems.
|
| DE.CM-06.02 | Third-party access monitoring | Mitigates | T1558.002 | Silver Ticket |
Comments
This diagnostic statement protects against Silver Ticket through the use of privileged account management. Employing auditing, privilege access management, and just in time access protects against adversaries trying to obtain illicit access to critical systems.
|
| DE.CM-06.02 | Third-party access monitoring | Mitigates | T1558.003 | Kerberoasting |
Comments
This diagnostic statement protects against Kerberoasting through the use of privileged account management. Employing auditing, privilege access management, and just in time access protects against adversaries trying to obtain illicit access to critical systems.
|
| DE.CM-06.02 | Third-party access monitoring | Mitigates | T1218 | System Binary Proxy Execution |
Comments
This diagnostic statement protects against System Binary Proxy Execution through the use of privileged account management. Employing auditing, privilege access management, and just in time access protects against adversaries trying to obtain illicit access to critical systems.
|
| DE.CM-06.02 | Third-party access monitoring | Mitigates | T1569 | System Services |
Comments
This diagnostic statement protects against System Services through the use of privileged account management. Employing auditing, privilege access management, and just in time access protects against adversaries trying to obtain illicit access to critical systems.
|
| DE.CM-06.02 | Third-party access monitoring | Mitigates | T1552 | Unsecured Credentials |
Comments
This diagnostic statement protects against Unsecured Credentials through the use of privileged account management. Employing auditing, privilege access management, and just in time access protects against adversaries trying to obtain illicit access to critical systems.
|
| DE.CM-06.02 | Third-party access monitoring | Mitigates | T1552.002 | Credentials in Registry |
Comments
This diagnostic statement protects against Credentials in Registry through the use of privileged account management. Employing auditing, privilege access management, and just in time access protects against adversaries trying to obtain illicit access to critical systems.
|
| DE.CM-06.02 | Third-party access monitoring | Mitigates | T1552.007 | Container API |
Comments
This diagnostic statement protects against Container API through the use of privileged account management. Employing auditing, privilege access management, and just in time access protects against adversaries trying to obtain illicit access to critical systems.
|
| DE.CM-06.02 | Third-party access monitoring | Mitigates | T1550 | Use Alternate Authentication Material |
Comments
This diagnostic statement protects against Use Alternate Authentication Material through the use of privileged account management. Employing auditing, privilege access management, and just in time access protects against adversaries trying to obtain illicit access to critical systems.
|
| DE.CM-06.02 | Third-party access monitoring | Mitigates | T1550.002 | Pass the Hash |
Comments
This diagnostic statement protects against Pass the Hash through the use of privileged account management. Employing auditing, privilege access management, and just in time access protects against adversaries trying to obtain illicit access to critical systems.
|
| DE.CM-06.02 | Third-party access monitoring | Mitigates | T1550.003 | Pass the Ticket |
Comments
This diagnostic statement protects against Pass the Ticket through the use of privileged account management. Employing auditing, privilege access management, and just in time access protects against adversaries trying to obtain illicit access to critical systems.
|
| DE.CM-06.02 | Third-party access monitoring | Mitigates | T1078 | Valid Accounts |
Comments
This diagnostic statement protects against Valid Accounts through the use of privileged account management. Employing auditing, privilege access management, and just in time access protects against adversaries trying to obtain illicit access to critical systems.
|
| DE.CM-06.02 | Third-party access monitoring | Mitigates | T1078.002 | Domain Accounts |
Comments
This diagnostic statement protects against Domain Accounts through the use of privileged account management. Employing auditing, privilege access management, and just in time access protects against adversaries trying to obtain illicit access to critical systems.
|
| DE.CM-06.02 | Third-party access monitoring | Mitigates | T1078.003 | Local Accounts |
Comments
This diagnostic statement protects against Local Accounts through the use of privileged account management. Employing auditing, privilege access management, and just in time access protects against adversaries trying to obtain illicit access to critical systems.
|
| DE.CM-06.02 | Third-party access monitoring | Mitigates | T1078.004 | Cloud Accounts |
Comments
This diagnostic statement protects against Cloud Accounts through the use of privileged account management. Employing auditing, privilege access management, and just in time access protects against adversaries trying to obtain illicit access to critical systems.
|
| DE.CM-06.02 | Third-party access monitoring | Mitigates | T1047 | Windows Management Instrumentation |
Comments
This diagnostic statement protects against Windows Management Instrumentation through the use of privileged account management. Employing auditing, privilege access management, and just in time access protects against adversaries trying to obtain illicit access to critical systems.
|
| PR.PS-06.05 | Testing and validation strategy | Mitigates | T1505 | Server Software Component |
Comments
This particular diagnostic statement highlights the use of software security testing, code integrity verifications, and vulnerability scanning to mitigate security weaknesses and vulnerabilities in developed code or applications that an adversary may be able to take advantage of.
|
| PR.PS-06.05 | Testing and validation strategy | Mitigates | T1036.001 | Invalid Code Signature |
Comments
This particular diagnostic statement highlights the use of software security testing, code integrity verifications, and vulnerability scanning to mitigate security weaknesses and vulnerabilities in developed code or applications that an adversary may be able to take advantage of.
|
| PR.PS-06.05 | Testing and validation strategy | Mitigates | T1554 | Compromise Host Software Binary |
Comments
This particular diagnostic statement highlights the use of software security testing, code integrity verifications, and vulnerability scanning to mitigate security weaknesses and vulnerabilities in developed code or applications that an adversary may be able to take advantage of.
|
| PR.PS-06.05 | Testing and validation strategy | Mitigates | T1211 | Exploitation for Defense Evasion |
Comments
This particular diagnostic statement highlights the use of software security testing, code integrity verifications, and vulnerability scanning to mitigate security weaknesses and vulnerabilities in developed code or applications that an adversary may be able to take advantage of.
|
| PR.PS-06.05 | Testing and validation strategy | Mitigates | T1068 | Exploitation for Privilege Escalation |
Comments
This particular diagnostic statement highlights the use of software security testing, code integrity verifications, and vulnerability scanning to mitigate security weaknesses and vulnerabilities in developed code or applications that an adversary may be able to take advantage of.
|
| PR.PS-06.05 | Testing and validation strategy | Mitigates | T1203 | Exploitation for Client Execution |
Comments
This particular diagnostic statement highlights the use of software security testing, code integrity verifications, and vulnerability scanning to mitigate security weaknesses and vulnerabilities in developed code or applications that an adversary may be able to take advantage of.
|
| PR.PS-06.05 | Testing and validation strategy | Mitigates | T1210 | Exploitation of Remote Services |
Comments
This particular diagnostic statement highlights the use of software security testing, code integrity verifications, and vulnerability scanning to mitigate security weaknesses and vulnerabilities in developed code or applications that an adversary may be able to take advantage of.
|
| PR.PS-06.05 | Testing and validation strategy | Mitigates | T1212 | Exploitation for Credential Access |
Comments
This particular diagnostic statement highlights the use of software security testing, code integrity verifications, and vulnerability scanning to mitigate security weaknesses and vulnerabilities in developed code or applications that an adversary may be able to take advantage of.
|
| PR.PS-06.05 | Testing and validation strategy | Mitigates | T1190 | Exploit Public-Facing Application |
Comments
This particular diagnostic statement highlights the use of software security testing, code integrity verifications, and vulnerability scanning to mitigate security weaknesses and vulnerabilities in developed code or applications that an adversary may be able to take advantage of.
|
| PR.PS-06.05 | Testing and validation strategy | Mitigates | T1127 | Trusted Developer Utilities Proxy Execution |
Comments
This particular diagnostic statement highlights the use of software security testing, code integrity verifications, and vulnerability scanning to mitigate security weaknesses and vulnerabilities in developed code or applications that an adversary may be able to take advantage of.
|
| PR.AA-02.01 | Authentication of identity | Mitigates | T1021.007 | Cloud Services |
Comments
This diagnostic statement provides protection from Remote Services through the implementation of authentication and identity management controls to limit lateral movement. Employing control limitations to specific accounts, access control mechanisms, and auditing the attribution logs provides protection against adversaries attempting to move laterally in the cloud environment.
|
| PR.AA-02.01 | Authentication of identity | Mitigates | T1021.004 | SSH |
Comments
This diagnostic statement provides protection from Remote Services through the implementation of authentication and identity management controls to limit lateral movement. Employing limitations to specific accounts, access control mechanisms, and auditing the attribution logs provides protection against adversaries attempting to move laterally.
|
| PR.AA-02.01 | Authentication of identity | Mitigates | T1021.001 | Remote Desktop Protocol |
Comments
This diagnostic statement provides protection from Remote Services through the implementation of authentication and identity management controls to limit lateral movement. Employing limitations to specific accounts, access control mechanisms, and auditing the attribution logs provides protection against adversaries attempting to move laterally.
|
| PR.AA-02.01 | Authentication of identity | Mitigates | T1021 | Remote Services |
Comments
This diagnostic statement provides protection from Remote Services through the implementation of authentication and identity management controls to limit lateral movement. Employing limitations to specific accounts, access control mechanisms, and auditing the attribution logs provides protection against adversaries attempting to move laterally.
|
| PR.AA-02.01 | Authentication of identity | Mitigates | T1556.001 | Domain Controller Authentication |
Comments
This diagnostic statement provides protection from Modify Authentication Process through the implementation of privileged account management controls to limit credential access. Employing limitations to specific accounts, access control mechanisms, and auditing the attribution logs provides protection against adversaries attempting to modify credentials.
|
| PR.AA-02.01 | Authentication of identity | Mitigates | T1556 | Modify Authentication Process |
Comments
This diagnostic statement provides protection from Modify Authentication Process through the implementation of privileged account management controls to limit credential access. Employing limitations to specific accounts, access control mechanisms, and auditing the attribution logs provides protection against adversaries attempting to modify credentials.
|
| PR.AA-02.01 | Authentication of identity | Mitigates | T1110.004 | Credential Stuffing |
Comments
This diagnostic statement provides protection from Brute Force through the implementation of authentication controls and privileged account management controls to limit credential access. Employing limitations to specific accounts, access control mechanisms, and auditing the attribution logs provides protection against adversaries attempting to brute force credentials.
|
| PR.AA-02.01 | Authentication of identity | Mitigates | T1110.003 | Password Spraying |
Comments
This diagnostic statement provides protection from Brute Force through the implementation of authentication controls and privileged account management controls to limit credential access. Employing limitations to specific accounts, access control mechanisms, and auditing the attribution logs provides protection against adversaries attempting to brute force credentials.
|
| PR.AA-02.01 | Authentication of identity | Mitigates | T1110.001 | Password Guessing |
Comments
This diagnostic statement provides protection from Brute Force through the implementation of authentication controls and privileged account management controls to limit credential access. Employing limitations to specific accounts, access control mechanisms, and auditing the attribution logs provides protection against adversaries attempting to brute force credentials.
|
| PR.AA-02.01 | Authentication of identity | Mitigates | T1110 | Brute Force |
Comments
This diagnostic statement provides protection from Brute Force through the implementation of authentication controls and privileged account management controls to limit credential access. Employing limitations to specific accounts, access control mechanisms, and auditing the attribution logs provides protection against adversaries attempting to brute force credentials.
|
| PR.AA-02.01 | Authentication of identity | Mitigates | T1136.003 | Cloud Account |
Comments
This diagnostic statement provides protection from Create Account through the implementation of privileged account management controls to limit credential access. Employing limitations to specific accounts, access control mechanisms, and auditing the attribution logs provides protection against adversaries attempting to create accounts.
|
| PR.AA-02.01 | Authentication of identity | Mitigates | T1136.002 | Domain Account |
Comments
This diagnostic statement provides protection from Create Account through the implementation of privileged account management controls to limit credential access. Employing limitations to specific accounts, access control mechanisms, and auditing the attribution logs provides protection against adversaries attempting to create accounts.
|
| PR.AA-02.01 | Authentication of identity | Mitigates | T1136.001 | Local Account |
Comments
This diagnostic statement provides protection from Create Account through the implementation of privileged account management controls to limit credential access. Employing limitations to specific accounts, access control mechanisms, and auditing the attribution logs provides protection against adversaries attempting to create accounts.
|
| PR.AA-02.01 | Authentication of identity | Mitigates | T1098.006 | Additional Container Cluster Roles |
Comments
This diagnostic statement provides protection from Account Manipulation through the implementation of privileged account management controls to limit credential access. Employing limitations to specific accounts, access control mechanisms, and auditing the attribution logs provides protection against adversaries attempting to modify accounts.
|
| PR.AA-02.01 | Authentication of identity | Mitigates | T1098.005 | Device Registration |
Comments
This diagnostic statement provides protection from Account Manipulation through the implementation of privileged account management controls to limit credential access. Employing limitations to specific accounts, access control mechanisms, and auditing the attribution logs provides protection against adversaries attempting to modify accounts.
|
| PR.AA-02.01 | Authentication of identity | Mitigates | T1098.003 | Additional Cloud Roles |
Comments
This diagnostic statement provides protection from Account Manipulation through the implementation of privileged account management controls to limit credential access. Employing limitations to specific accounts, access control mechanisms, and auditing the attribution logs provides protection against adversaries attempting to modify accounts.
|
| PR.AA-02.01 | Authentication of identity | Mitigates | T1098.001 | Additional Cloud Credentials |
Comments
This diagnostic statement provides protection from Account Manipulation through the implementation of privileged account management controls to limit credential access. Employing limitations to specific accounts, access control mechanisms, and auditing the attribution logs provides protection against adversaries attempting to modify accounts.
|
| PR.AA-02.01 | Authentication of identity | Mitigates | T1586.003 | Cloud Accounts |
Comments
This diagnostic statement provides protection from Compromise Accounts through the implementation of privileged account management controls to limit credential access. Employing limitations to specific accounts, access control mechanisms, and auditing the attribution logs provides protection against adversaries attempting to modify accounts.
|
| PR.AA-02.01 | Authentication of identity | Mitigates | T1087.001 | Local Account |
Comments
This diagnostic statement provides protection from Create Account through the implementation of privileged account management controls to limit account access. Employing limitations to specific accounts, access control mechanisms, and auditing the attribution logs provides protection against adversaries attempting to create accounts.
|
| PR.AA-02.01 | Authentication of identity | Mitigates | T1087.002 | Domain Account |
Comments
This diagnostic statement provides protection from Create Account through the implementation of privileged account management controls to limit account access. Employing limitations to specific accounts, access control mechanisms, and auditing the attribution logs provides protection against adversaries attempting to create accounts.
|
| PR.AA-02.01 | Authentication of identity | Mitigates | T1078.001 | Default Accounts |
Comments
This diagnostic statement provides protection from Valid Accounts through the implementation of privileged account management controls to limit account access. Employing limitations to specific accounts, provisioning accounts, access control mechanisms, and auditing the attribution logs provides protection against adversaries attempting to use default accounts.
|
| PR.AA-02.01 | Authentication of identity | Mitigates | T1136 | Create Account |
Comments
This diagnostic statement provides protection from Create Account through the implementation of privileged account management controls to limit credential access. Employing limitations to specific accounts, access control mechanisms, and auditing the attribution logs provides protection against adversaries attempting to create accounts.
|
| PR.AA-02.01 | Authentication of identity | Mitigates | T1098 | Account Manipulation |
Comments
This diagnostic statement provides protection from Account Manipulation through the implementation of privileged account management controls to limit credential access. Employing limitations to specific accounts, access control mechanisms, and auditing the attribution logs provides protection against adversaries attempting to modify accounts.
|
| PR.AA-02.01 | Authentication of identity | Mitigates | T1078 | Valid Accounts |
Comments
This diagnostic statement provides protection from Valid Accounts through the implementation of privileged account management controls to limit account access. Employing limitations to specific accounts, provisioning accounts, access control mechanisms, and auditing the attribution logs provides protection against adversaries attempting to use existing accounts.
|
| PR.AA-04.01 | Access control within and across security perimeters | Mitigates | T1548 | Abuse Elevation Control Mechanism |
Comments
This diagnostic statement provides protection from Abuse Elevation Control Mechanism through the implementation of privileged account management controls to limit credential access. Employing limitations to specific accounts such as removing accounts from the Adminstrators group, access control mechanisms, and auditing the attribution logs provides some protection against adversaries attempting to abuse the elevation control mechanism.
|
| PR.AA-04.01 | Access control within and across security perimeters | Mitigates | T1565 | Data Manipulation |
Comments
This diagnostic statement provides protection from Data Manipulation through the implementation of privileged account management controls to limit credential access. Employing limitations to specific accounts, access control mechanisms, and auditing the attribution logs provides protection against adversaries attempting to modify data without being observed.
|
| PR.AA-04.01 | Access control within and across security perimeters | Mitigates | T1213 | Data from Information Repositories |
Comments
This diagnostic statement provides protection from Data from Information Repositories through the implementation of privileged account management controls to limit credential access. Employing limitations to specific accounts, access control mechanisms, and auditing the attribution logs provides protection against adversaries attempting to access sensitive data in information repositories.
|
| PR.AA-04.01 | Access control within and across security perimeters | Mitigates | T1098 | Account Manipulation |
Comments
This diagnostic statement provides protection from Account Manipulation through the implementation of privileged account management controls to limit credential access. Employing limitations to specific accounts, access control mechanisms, and auditing the attribution logs provides protection against adversaries attempting to modify accounts.
|
| PR.AA-04.01 | Access control within and across security perimeters | Mitigates | T1087.004 | Cloud Account |
Comments
This diagnostic statement provides protection from Cloud Account through the implementation of privileged account management controls to limit credential access. Employing limitations to specific accounts, access control mechanisms, and auditing the attribution logs provides protection against adversaries attempting to modify accounts.
|
| DE.CM-09.02 | Hardware integrity checking | Mitigates | T1562.001 | Disable or Modify Tools |
Comments
This diagnostic statement provides protection from Disable or Modify Tools through the implementation of integrity checking mechanisms. For example, integrity checking mechanisms to verify the operating system, software, firmware, and information integrity before loading it prevents abuse by a threat actor.
|
| DE.CM-09.02 | Hardware integrity checking | Mitigates | T1091 | Replication Through Removable Media |
Comments
This diagnostic statement provides protection from Replication Through Removable Media through the implementation of integrity checking mechanisms. For example, integrity checking mechanisms to verify the operating system, software, firmware, and information integrity before loading it prevents abuse by a threat actor.
|
| DE.CM-09.02 | Hardware integrity checking | Mitigates | T1542 | Pre-OS Boot |
Comments
This diagnostic statement provides protection from Pre-OS Boot through the implementation of integrity checking mechanisms. For example, integrity checking mechanisms to verify the operating system, software, firmware, and information integrity before loading it prevents abuse by a threat actor.
|
| DE.CM-09.02 | Hardware integrity checking | Mitigates | T1542.002 | Component Firmware |
Comments
This diagnostic statement provides protection from Component Firmware through the implementation of integrity checking mechanisms. For example, integrity checking mechanisms to verify the operating system, software, firmware, and information integrity before loading it prevents abuse by a threat actor.
|
| DE.CM-09.02 | Hardware integrity checking | Mitigates | T1600.002 | Disable Crypto Hardware |
Comments
This diagnostic statement provides protection from Disable Crypto Hardware through the implementation of integrity checking mechanisms. For example, integrity checking mechanisms to verify the operating system, software, firmware, and information integrity before loading it prevents abuse by a threat actor.
|
| DE.CM-09.02 | Hardware integrity checking | Mitigates | T1495 | Firmware Corruption |
Comments
This diagnostic statement provides protection from Firmware Corruption through the implementation of integrity checking mechanisms. For example, integrity checking mechanisms to verify the operating system, software, firmware, and information integrity before loading it prevents abuse by a threat actor.
|
| DE.CM-09.02 | Hardware integrity checking | Mitigates | T1542.001 | System Firmware |
Comments
This diagnostic statement provides protection from System Firmware through the implementation of integrity checking mechanisms. For example, integrity checking mechanisms to verify the operating system, software, firmware, and information integrity before loading it prevents abuse by a threat actor.
|
| DE.CM-09.02 | Hardware integrity checking | Mitigates | T1195.003 | Compromise Hardware Supply Chain |
Comments
This diagnostic statement provides protection from Compromise Hardware Supply Chain through the implementation of integrity checking mechanisms. For example, integrity checking mechanisms to verify the operating system, software, firmware, and information integrity before loading it prevents abuse by a threat actor.
|
| DE.CM-01.04 | Unauthorized device connection | Mitigates | T1200 | Hardware Additions |
Comments
This diagnostic statement provides protection from hardware additions through the use of tools to detect and block the use of unauthorized or unknown devices and accessories by endpoint security configuration and monitoring.
|
| DE.CM-01.04 | Unauthorized device connection | Mitigates | T1052 | Exfiltration Over Physical Medium |
Comments
This diagnostic statement provides protection from exfiltration of data via a physical medium, such as a removable drive by using tools to detect and block the use of unauthorized devices.
|
| DE.CM-01.04 | Unauthorized device connection | Mitigates | T1052.001 | Exfiltration over USB |
Comments
This diagnostic statement provides protection from exfiltration of data via a physical medium, such as a removable drive by using tools to detect and block the use of unauthorized devices.
|
| DE.CM-01.03 | Unauthorized network connections and data transfers | Mitigates | T1102 | Web Service |
Comments
This diagnostic statement provides protection from Web Service by using tools to detect and block the use of unauthorized devices and connections to prevent abuse by adversaries.
|
| DE.CM-01.03 | Unauthorized network connections and data transfers | Mitigates | T1572 | Protocol Tunneling |
Comments
This diagnostic statement provides protection from Protocol Tunneling by using tools to detect and block the use of unauthorized devices and connections to prevent abuse by adversaries.
|
| DE.CM-01.03 | Unauthorized network connections and data transfers | Mitigates | T1571 | Non-Standard Port |
Comments
This diagnostic statement provides protection from Non-Standard Port by using tools to detect and block the use of unauthorized devices and connections to prevent abuse by adversaries.
|
| DE.CM-01.03 | Unauthorized network connections and data transfers | Mitigates | T1104 | Multi-Stage Channels |
Comments
This diagnostic statement provides protection from Multi-Stage Channels by using tools to detect and block the use of unauthorized devices and connections to prevent abuse by adversaries.
|
| DE.CM-01.03 | Unauthorized network connections and data transfers | Mitigates | T1008 | Fallback Channels |
Comments
This diagnostic statement provides protection from Fallback Channels by using tools to detect and block the use of unauthorized devices and connections to prevent abuse by adversaries.
|
| DE.CM-01.03 | Unauthorized network connections and data transfers | Mitigates | T1041 | Exfiltration Over C2 Channel |
Comments
This diagnostic statement provides protection from Exfiltration Over C2 Channel by using tools to detect and block the use of unauthorized devices and connections to prevent abuse by adversaries.
|
| DE.CM-01.03 | Unauthorized network connections and data transfers | Mitigates | T1090 | Proxy |
Comments
This diagnostic statement provides protection from Proxy by using tools to detect and block the use of unauthorized devices and connections to prevent abuse by adversaries.
|
| DE.CM-01.03 | Unauthorized network connections and data transfers | Mitigates | T1030 | Data Transfer Size Limits |
Comments
This diagnostic statement provides protection from Data Transfer Size Limits by using tools to detect and block the use of unauthorized devices and connections to prevent abuse by adversaries.
|
| DE.CM-01.03 | Unauthorized network connections and data transfers | Mitigates | T1095 | Non-Application Layer Protocol |
Comments
This diagnostic statement provides protection from Non-Application Layer Protocol by using tools to detect and block the use of unauthorized devices and connections to prevent abuse by adversaries.
|
| DE.CM-01.03 | Unauthorized network connections and data transfers | Mitigates | T1599 | Network Boundary Bridging |
Comments
This diagnostic statement provides protection from Network Boundary Bridging by using tools to detect and block the use of unauthorized devices and connections to prevent abuse by adversaries.
|
| DE.CM-01.03 | Unauthorized network connections and data transfers | Mitigates | T1048.003 | Exfiltration Over Unencrypted Non-C2 Protocol |
Comments
This diagnostic statement provides protection from Exfiltration Over Unencrypted Non-C2 Protocol by using tools to detect and block the use of unauthorized devices and connections to prevent abuse by adversaries.
|
| DE.CM-01.03 | Unauthorized network connections and data transfers | Mitigates | T1048.002 | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol |
Comments
This diagnostic statement provides protection from Exfiltration Over Asymmetric Encrypted Non-C2 Protocol by using tools to detect and block the use of unauthorized devices and connections to prevent abuse by adversaries.
|
| DE.CM-01.03 | Unauthorized network connections and data transfers | Mitigates | T1048.001 | Exfiltration Over Symmetric Encrypted Non-C2 Protocol |
Comments
This diagnostic statement provides protection from Exfiltration Over Symmetric Encrypted Non-C2 Protocol by using tools to detect and block the use of unauthorized devices and connections to prevent abuse by adversaries.
|
| DE.CM-01.03 | Unauthorized network connections and data transfers | Mitigates | T1048 | Exfiltration Over Alternative Protocol |
Comments
This diagnostic statement provides protection from Exfiltration Over Alternative Protocol by using tools to detect and block the use of unauthorized devices and connections to prevent abuse by adversaries.
|
| PR.DS-02.01 | Data-in-transit protection | Mitigates | T1040 | Network Sniffing |
Comments
This diagnostic statement protects adversaries from being able to access data in transit over networks. Encrypting information and files by utilizing authentication protocols, such as Kerberos, can ensure web traffic that may contain credentials is protected by SSL/TLS.
|
| PR.DS-02.01 | Data-in-transit protection | Mitigates | T1565.002 | Transmitted Data Manipulation |
Comments
This diagnostic statement provides another layer of protection from adversaries trying to gain access to data that is en route to storage or other systems.
|
| PR.DS-02.01 | Data-in-transit protection | Mitigates | T1550.003 | Pass the Ticket |
Comments
This diagnostic statement provide protection from adversaries that may possibly use stolen Kerberos tickets. Various methods should be used to protect data-in-transit including encryption, password hashing, and tokenization.
|
| PR.DS-02.01 | Data-in-transit protection | Mitigates | T1550.002 | Pass the Hash |
Comments
This diagnostic statement provide protection from adversaries that may possibly utilize stolen password hashes. Various methods should be used to protect data-in-transit including encryption, password hashing, and tokenization.
|
| PR.DS-02.01 | Data-in-transit protection | Mitigates | T1550.001 | Application Access Token |
Comments
This diagnostic statement provide protection from adversaries that may possibly bypass the authentication process and use stolen tokens. Various methods should be used to protect data-in-transit including encryption, password hashing, and tokenization.
|
| PR.DS-02.01 | Data-in-transit protection | Mitigates | T1550 | Use Alternate Authentication Material |
Comments
This diagnostic statement provide protection from adversaries that may possibly attack via alternate authentication methods. Various methods should be used to protect data-in-transit including encryption, password hashing, and tokenization.
|
| PR.DS-01.01 | Data-at-rest protection | Mitigates | T1048.003 | Exfiltration Over Unencrypted Non-C2 Protocol |
Comments
This diagnostic statement focuses on protecting data-at-rest by implementing encryption and other security measures such as sandboxing, authentication, segregation, masking, tokenization, and file integrity monitoring.
|
| PR.DS-01.01 | Data-at-rest protection | Mitigates | T1041 | Exfiltration Over C2 Channel |
Comments
This diagnostic statement focuses on protecting data-at-rest by implementing encryption and other security measures such as sandboxing, authentication, segregation, masking, tokenization, and file integrity monitoring.
|
| PR.DS-01.01 | Data-at-rest protection | Mitigates | T1005 | Data from Local System |
Comments
This diagnostic statement focuses on protecting data-at-rest by implementing encryption and other security measures such as sandboxing, authentication, segregation, masking, tokenization, and file integrity monitoring.
|
| PR.DS-01.01 | Data-at-rest protection | Mitigates | T1550.001 | Application Access Token |
Comments
This diagnostic statement focuses on protecting data-at-rest by implementing encryption and other security measures such as sandboxing, authentication, segregation, masking, tokenization, and file integrity monitoring.
|
| PR.DS-01.01 | Data-at-rest protection | Mitigates | T1003.003 | NTDS |
Comments
This diagnostic statement focuses on protecting data-at-rest by implementing encryption and other security measures such as sandboxing, authentication, segregation, masking, tokenization, and file integrity monitoring.
|
| PR.DS-01.01 | Data-at-rest protection | Mitigates | T1040 | Network Sniffing |
Comments
This diagnostic statement focuses on protecting data-at-rest by implementing encryption and other security measures such as sandboxing, authentication, segregation, masking, tokenization, and file integrity monitoring.
|
| PR.DS-01.01 | Data-at-rest protection | Mitigates | T1565.002 | Transmitted Data Manipulation |
Comments
This diagnostic statement focuses on protecting data-at-rest by implementing encryption and other security measures such as sandboxing, authentication, segregation, masking, tokenization, and file integrity monitoring.
|
| PR.DS-01.01 | Data-at-rest protection | Mitigates | T1565.001 | Stored Data Manipulation |
Comments
This diagnostic statement focuses on protecting data-at-rest by implementing encryption and other security measures such as sandboxing, authentication, segregation, masking, tokenization, and file integrity monitoring.
|
| PR.DS-01.01 | Data-at-rest protection | Mitigates | T1530 | Data from Cloud Storage |
Comments
This diagnostic statement focuses on protecting data-at-rest by implementing encryption and other security measures such as sandboxing, authentication, segregation, masking, tokenization, and file integrity monitoring.
|
| PR.DS-01.01 | Data-at-rest protection | Mitigates | T1213 | Data from Information Repositories |
Comments
This diagnostic statement focuses on protecting data-at-rest by implementing encryption and other security measures such as sandboxing, authentication, segregation, masking, tokenization, and file integrity monitoring.
|
| PR.DS-01.01 | Data-at-rest protection | Mitigates | T1557.002 | ARP Cache Poisoning |
Comments
This diagnostic statement focuses on protecting data-at-rest by implementing encryption and other security measures such as sandboxing, authentication, segregation, masking, tokenization, and file integrity monitoring.
|
| PR.DS-01.01 | Data-at-rest protection | Mitigates | T1557 | Adversary-in-the-Middle |
Comments
This diagnostic statement focuses on protecting data-at-rest by implementing encryption and other security measures such as sandboxing, authentication, segregation, masking, tokenization, and file integrity monitoring.
|
| PR.DS-01.03 | Removable media protection | Mitigates | T1030 | Data Transfer Size Limits |
Comments
This diagnostic statement focuses on restricting the use of removable media devices (e.g., USB drives, CDs, DVDs) to prevent unauthorized access, data leakage, or malicious activity.
|
| PR.DS-01.03 | Removable media protection | Mitigates | T1200 | Hardware Additions |
Comments
This diagnostic statement focuses on restricting the use of removable media devices (e.g., USB drives, CDs, DVDs) to prevent unauthorized access, data leakage, or malicious activity.
|
| PR.DS-01.03 | Removable media protection | Mitigates | T1092 | Communication Through Removable Media |
Comments
This diagnostic statement focuses on restricting the use of removable media devices (e.g., USB drives, CDs, DVDs) to prevent unauthorized access, data leakage, or malicious activity.
|
| PR.DS-01.03 | Removable media protection | Mitigates | T1025 | Data from Removable Media |
Comments
This diagnostic statement focuses on restricting the use of removable media devices (e.g., USB drives, CDs, DVDs) to prevent unauthorized access, data leakage, or malicious activity.
|
| PR.DS-01.02 | Data loss prevention | Mitigates | T1537 | Transfer Data to Cloud Account |
Comments
The use of data loss prevention controls may mitigate the techniques related to data leakage and loss from local systems, automated exfiltration, and exfiltration over non-approved services.
|
| PR.DS-01.02 | Data loss prevention | Mitigates | T1567.004 | Exfiltration Over Webhook |
Comments
The use of data loss prevention controls may mitigate the techniques related to data leakage and loss from local systems, automated exfiltration, and exfiltration over non-approved services.
|
| PR.DS-01.02 | Data loss prevention | Mitigates | T1052.001 | Exfiltration over USB |
Comments
The use of data loss prevention controls may mitigate the techniques related to data leakage and loss from local systems, automated exfiltration, and exfiltration over non-approved services.
|
| PR.DS-01.02 | Data loss prevention | Mitigates | T1052 | Exfiltration Over Physical Medium |
Comments
The use of data loss prevention controls may mitigate the techniques related to data leakage and loss from local systems, automated exfiltration, and exfiltration over non-approved services.
|
| PR.DS-01.02 | Data loss prevention | Mitigates | T1041 | Exfiltration Over C2 Channel |
Comments
The use of data loss prevention controls may mitigate the techniques related to data leakage and loss from local systems, automated exfiltration, and exfiltration over non-approved services.
|
| PR.DS-01.02 | Data loss prevention | Mitigates | T1048.003 | Exfiltration Over Unencrypted Non-C2 Protocol |
Comments
The use of data loss prevention controls may mitigate the techniques related to data leakage and loss from local systems, automated exfiltration, and exfiltration over non-approved services.
|
| PR.DS-01.02 | Data loss prevention | Mitigates | T1048.002 | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol |
Comments
The use of data loss prevention controls may mitigate the techniques related to data leakage and loss from local systems, automated exfiltration, and exfiltration over non-approved services.
|
| PR.DS-01.02 | Data loss prevention | Mitigates | T1048 | Exfiltration Over Alternative Protocol |
Comments
The use of data loss prevention controls may mitigate the techniques related to data leakage and loss from local systems, automated exfiltration, and exfiltration over non-approved services.
|
| PR.DS-01.02 | Data loss prevention | Mitigates | T1025 | Data from Removable Media |
Comments
The use of data loss prevention controls may mitigate the techniques related to data leakage and loss from local systems, automated exfiltration, and exfiltration over non-approved services.
|
| PR.DS-01.02 | Data loss prevention | Mitigates | T1005 | Data from Local System |
Comments
The use of data loss prevention controls may mitigate the techniques related to data leakage and loss from local systems, automated exfiltration, and exfiltration over non-approved services.
|
| PR.DS-01.02 | Data loss prevention | Mitigates | T1020.001 | Traffic Duplication |
Comments
The use of data loss prevention controls may mitigate the techniques related to data leakage and loss from local systems, automated exfiltration, and exfiltration over non-approved services.
|
| PR.AA-03.03 | Email verification mechanisms | Mitigates | T1114.003 | Email Forwarding Rule |
Comments
This diagnostic statement provides protection from adversaries that try to gain sensitive information and data from users via email. Utilizing methods such as encryption is recommended to minimize the risk of adversaries collecting user's credentials via email forwarding rules to collect credentials and other sensitive information.
|
| PR.AA-03.03 | Email verification mechanisms | Mitigates | T1114.002 | Remote Email Collection |
Comments
This diagnostic statement provides protection from adversaries that try to gain sensitive information and data from users via email. Utilizing methods such as encryption and MFA are recommended to minimize the risk of adversaries collecting user's credentials via exchange servers from within a network.
|
| PR.AA-03.03 | Email verification mechanisms | Mitigates | T1114.001 | Local Email Collection |
Comments
This diagnostic statement provides protection from adversaries that try to gain sensitive information and data from users via email. Utilizing methods such as encryption and using public cryptic keys are recommended to minimize the risk of adversaries collecting information from files saved on email servers and caches.
|
| PR.AA-03.03 | Email verification mechanisms | Mitigates | T1114 | Email Collection |
Comments
This diagnostic statement provides protection from adversaries that try to gain sensitive information and data from users via email. Utilizing methods such as MFA is recommended to minimize the risk of adversaries collecting usernames and passwords.
|
| PR.AA-03.03 | Email verification mechanisms | Mitigates | T1598 | Phishing for Information |
Comments
This diagnostic statement provides protection from phishing attacks through the implementation of software configuration methods, such as anti-spoofing and email authentication. Enabling mechanisms like, SPF and DKIM, add protection against adversaries that may send phishing messages through the form of emails, instant messages, etc. to gain sensitive information.
|
| PR.AA-03.03 | Email verification mechanisms | Mitigates | T1598.002 | Spearphishing Attachment |
Comments
This diagnostic statement provides protection from phishing attacks through the implementation of software configuration methods, such as anti-spoofing and email authentication. Enabling mechanisms like, SPF and DKIM, add protection against adversaries that may send spearphishing emails with a malicious attachment to gain elicit sensitive information.
|
| PR.AA-03.03 | Email verification mechanisms | Mitigates | T1598.003 | Spearphishing Link |
Comments
This diagnostic statement provides protection from phishing attacks through the implementation of software configuration methods, such as anti-spoofing and email authentication. Enabling mechanisms like, SPF and DKIM, add protection against adversaries that may send spearphishing emails with a malicious link to gain elicit sensitive information.
|
| PR.AA-03.03 | Email verification mechanisms | Mitigates | T1566.002 | Spearphishing Link |
Comments
This diagnostic statement provides protection from phishing attacks through the implementation of software configuration methods, such as anti-spoofing and email authentication. Enabling mechanisms like, SPF and DKIM, add protection against adversaries that may send spearphishing emails with a malicious link.
|
| PR.AA-03.03 | Email verification mechanisms | Mitigates | T1566.001 | Spearphishing Attachment |
Comments
This diagnostic statement provides protection from phishing attacks through the implementation of software configuration methods, such as anti-spoofing and email authentication. Enabling mechanisms like, SPF and DKIM, add protection against adversaries that may send spearphishing emails with a malicious attachment.
|
| PR.AA-03.03 | Email verification mechanisms | Mitigates | T1566 | Phishing |
Comments
This diagnostic statement provides protection from phishing attacks through the implementation of software configuration methods, such as anti-spoofing and email authentication.
|
| ID.RA-01.03 | Vulnerability management | Mitigates | T1072 | Software Deployment Tools |
Comments
This diagnostic statement provides protection from vulnerabilities in exposed applications from across the organization through the use of tools that scan for and review vulnerabilities along with patch management and remediation of those vulnerabilities.
|
| ID.RA-01.03 | Vulnerability management | Mitigates | T1574 | Hijack Execution Flow |
Comments
This diagnostic statement provides protection from vulnerabilities in exposed applications from across the organization through the use of tools that scan for and review vulnerabilities along with patch management and remediation of those vulnerabilities.
|
| ID.RA-01.03 | Vulnerability management | Mitigates | T1495 | Firmware Corruption |
Comments
This diagnostic statement provides protection from vulnerabilities in exposed applications from across the organization through the use of tools that scan for and review vulnerabilities along with patch management and remediation of those vulnerabilities.
|
| ID.RA-01.03 | Vulnerability management | Mitigates | T1211 | Exploitation for Defense Evasion |
Comments
This diagnostic statement provides protection from vulnerabilities in exposed applications from across the organization through the use of tools that scan for and review vulnerabilities along with patch management and remediation of those vulnerabilities.
|
| ID.RA-01.03 | Vulnerability management | Mitigates | T1212 | Exploitation for Credential Access |
Comments
This diagnostic statement provides protection from vulnerabilities in exposed applications from across the organization through the use of tools that scan for and review vulnerabilities along with patch management and remediation of those vulnerabilities.
|
| ID.RA-01.03 | Vulnerability management | Mitigates | T1203 | Exploitation for Client Execution |
Comments
This diagnostic statement provides protection from vulnerabilities in exposed applications from across the organization through the use of tools that scan for and review vulnerabilities along with patch management and remediation of those vulnerabilities.
|
| ID.RA-01.03 | Vulnerability management | Mitigates | T1195 | Supply Chain Compromise |
Comments
This diagnostic statement provides protection from vulnerabilities in exposed applications from across the organization through the use of tools that scan for and review vulnerabilities along with patch management and remediation of those vulnerabilities. Scanning and addressing vulnerabilities in software dependencies can help reduce the attack surface for the organization and protect against adversaries looking for ways to access its systems.
|
| ID.RA-01.03 | Vulnerability management | Mitigates | T1195.001 | Compromise Software Dependencies and Development Tools |
Comments
This diagnostic statement provides protection from vulnerabilities in exposed applications from across the organization through the use of tools that scan for and review vulnerabilities along with patch management and remediation of those vulnerabilities. Scanning and addressing vulnerabilities in software dependencies can help reduce the attack surface for the organization and protect against adversaries looking for ways to access its systems.
|
| ID.RA-01.03 | Vulnerability management | Mitigates | T1195.002 | Compromise Software Supply Chain |
Comments
This diagnostic statement provides protection from vulnerabilities in exposed applications from across the organization through the use of tools that scan for and review vulnerabilities along with patch management and remediation of those vulnerabilities. Scanning and addressing vulnerabilities in software dependencies and development tools can help reduce the attack surface for the organization and protect against adversaries looking for ways to access its systems.
|
| ID.RA-01.03 | Vulnerability management | Mitigates | T1210 | Exploitation of Remote Services |
Comments
This diagnostic statement provides protection from vulnerabilities in exposed applications from across the organization through the use of tools that scan for and review vulnerabilities along with patch management and remediation of those vulnerabilities.
|
| ID.RA-01.03 | Vulnerability management | Mitigates | T1190 | Exploit Public-Facing Application |
Comments
This diagnostic statement provides protection from vulnerabilities in exposed applications from across the organization through the use of tools that scan for and review vulnerabilities along with patch management and remediation of those vulnerabilities.
|
| DE.CM-09.03 | Unauthorized software, hardware, or configuration changes | Mitigates | T1543 | Create or Modify System Process |
Comments
This Diagnostic Statement addresses measures for managing configuration integrity and unauthorized changes that can mitigate risks associated with adversary techniques attempting to make changes to how the hardware, software, and firmware operates.
|
| DE.CM-09.03 | Unauthorized software, hardware, or configuration changes | Mitigates | T1601 | Modify System Image |
Comments
This Diagnostic Statement addresses measures for managing configuration integrity and unauthorized changes that can mitigate risks associated with adversary techniques attempting to make changes to how the hardware, software, and firmware operates.
|
| DE.CM-09.03 | Unauthorized software, hardware, or configuration changes | Mitigates | T1556 | Modify Authentication Process |
Comments
This Diagnostic Statement addresses measures for managing configuration integrity and unauthorized changes that can mitigate risks associated with adversary techniques attempting to make changes to how the hardware, software, and firmware operates.
|
| DE.CM-09.03 | Unauthorized software, hardware, or configuration changes | Mitigates | T1542.002 | Component Firmware |
Comments
This Diagnostic Statement addresses measures for managing configuration integrity and unauthorized changes that can mitigate risks associated with adversary techniques attempting to make changes to how the hardware, software, and firmware operates.
|
| DE.CM-09.03 | Unauthorized software, hardware, or configuration changes | Mitigates | T1542.001 | System Firmware |
Comments
This Diagnostic Statement addresses measures for managing configuration integrity and unauthorized changes that can mitigate risks associated with adversary techniques attempting to make changes to how the hardware, software, and firmware operates.
|
| DE.CM-09.03 | Unauthorized software, hardware, or configuration changes | Mitigates | T1495 | Firmware Corruption |
Comments
This Diagnostic Statement addresses measures for managing configuration integrity and unauthorized changes that can mitigate risks associated with adversary techniques attempting to make changes to how the hardware, software, and firmware operates.
|
| DE.CM-09.03 | Unauthorized software, hardware, or configuration changes | Mitigates | T1562 | Impair Defenses |
Comments
This Diagnostic Statement addresses measures for managing configuration integrity and unauthorized changes that can mitigate risks associated with adversary techniques attempting to make changes to how the hardware, software, and firmware operates.
|
| PR.PS-05.03 | Email and message service protection | Mitigates | T1566.002 | Spearphishing Link |
Comments
Use anti-spoofing and email authentication mechanisms to filter messages based on validity checks of the sender domain (using SPF) and integrity of messages (using DKIM). Enabling these mechanisms within an organization (through policies such as DMARC) may enable recipients (intra-org and cross domain) to perform similar message filtering and validation.
|
| PR.PS-05.03 | Email and message service protection | Mitigates | T1566.004 | Spearphishing Voice |
Comments
Anti-virus can also automatically quarantine suspicious files sent through messages via services, social media , personal webmail, etc.
|
| PR.PS-05.03 | Email and message service protection | Mitigates | T1566.003 | Spearphishing via Service |
Comments
Anti-virus can also automatically quarantine suspicious files sent through messages via services, social media , personal webmail, etc.
|
| PR.PS-05.03 | Email and message service protection | Mitigates | T1071.003 | Mail Protocols |
Comments
Network intrusion prevention techniques can be utilized to detect traffic for specific adversary malware, in hopes of being mitigated at the network level.
|
| PR.PS-05.03 | Email and message service protection | Mitigates | T1598.003 | Spearphishing Link |
Comments
Certain software configuration techniques can be utilized to detect and isolate spearphishing messages found with malicious attachments. Email authentication mechanisms allow malicious links to be filtered, detected and blocked, enabling users not to
|
| PR.PS-05.03 | Email and message service protection | Mitigates | T1598 | Phishing for Information |
Comments
Certain software configuration techniques can be utilized to detect and isolate spearphishing messages found with malicious attachments.
|
| PR.PS-05.03 | Email and message service protection | Mitigates | T1204.002 | Malicious File |
Comments
Tools that detect and block and remove malware provide protection from users deceived into opening malicious attachments or files that can be found in emails (spearphishing).
|
| PR.PS-05.03 | Email and message service protection | Mitigates | T1204.001 | Malicious Link |
Comments
Tools that detect and block and remove malware provide protection from users deceived into opening malicious documents, clicking on phishing links, or executing downloaded malware.
|
| PR.PS-05.01 | Malware prevention | Mitigates | T1080 | Taint Shared Content |
Comments
Antivirus/Antimalware software can be utilized to detect and quarantine suspicious files.
|
| PR.PS-05.01 | Malware prevention | Mitigates | T1566.003 | Spearphishing via Service |
Comments
Antivirus/Antimalware software can be utilized to detect and quarantine suspicious files and links, protecting against harmful files, websites, and downloads.
|
| PR.PS-05.01 | Malware prevention | Mitigates | T1566.001 | Spearphishing Attachment |
Comments
Antivirus/Antimalware software can be utilized to detect and quarantine suspicious files and links, protecting against harmful files, websites, and downloads.
|
| PR.PS-05.01 | Malware prevention | Mitigates | T1566 | Phishing |
Comments
Antivirus/Antimalware software can be utilized to detect and quarantine suspicious files and links, protecting against harmful files, websites, and downloads.
|
| PR.PS-05.01 | Malware prevention | Mitigates | T1027.014 | Polymorphic Code |
Comments
Antivirus/Antimalware software can be utilized to detect and quarantine suspicious files that adversaries have made difficult to discover by encrypting, encoding or obfuscating.
|
| PR.PS-05.01 | Malware prevention | Mitigates | T1027.013 | Encrypted/Encoded File |
Comments
Antivirus/Antimalware software can be utilized to detect and quarantine suspicious files that adversaries have made difficult to discover by encrypting, encoding or obfuscating.
|
| PR.PS-05.01 | Malware prevention | Mitigates | T1027.010 | Command Obfuscation |
Comments
Antivirus/Antimalware software can be utilized to detect and quarantine suspicious Windows 10+ commands that adversaries have made difficult to discover by encrypting, encoding or obfuscating.
|
| PR.PS-05.01 | Malware prevention | Mitigates | T1027.009 | Embedded Payloads |
Comments
Antivirus/Antimalware software can be utilized to detect and quarantine suspicious files that adversaries have made difficult to discover by encrypting, encoding, or obfuscating.
|
| PR.PS-05.01 | Malware prevention | Mitigates | T1027.002 | Software Packing |
Comments
Heuristic-based malware detection and signatures for observed malware can be used to identify known software packers or artifacts of packing techniques that conceal malicious content.
|
| PR.PS-05.01 | Malware prevention | Mitigates | T1547.006 | Kernel Modules and Extensions |
Comments
Antivirus/Antimalware software should be utilized to detect and quarantine suspicious files that adversaries have made difficult to discover by encrypting, encoding or obfuscating its contents on the system.
|
| PR.PS-05.01 | Malware prevention | Mitigates | T1036.008 | Masquerade File Type |
Comments
Antivirus/Antimalware software can be utilized to detect and quarantine suspicious files that adversaries have manipulated to appear legitimate or benign.
|
| PR.PS-05.01 | Malware prevention | Mitigates | T1036 | Masquerading |
Comments
Antivirus/Antimalware software can be utilized to detect and quarantine suspicious files that adversaries have manipulated to appear legitimate or benign.
|
| PR.PS-05.01 | Malware prevention | Mitigates | T1059.006 | Python |
Comments
Antivirus/Antimalware software can be utilized to detect and quarantine files that have been embedded with malicious commands or scripts.
|
| PR.PS-05.01 | Malware prevention | Mitigates | T1059.005 | Visual Basic |
Comments
Antivirus/Antimalware software can be utilized to detect and quarantine files that have been embedded with malicious commands or scripts.
|
| PR.PS-05.01 | Malware prevention | Mitigates | T1059.001 | PowerShell |
Comments
Antivirus/Antimalware software can be utilized to detect and quarantine files that have been embedded with malicious commands or scripts.
|
| PR.PS-05.01 | Malware prevention | Mitigates | T1059 | Command and Scripting Interpreter |
Comments
Antivirus/Antimalware software can be utilized to detect and quarantine files that have been embedded with malicious commands or scripts.
|
| PR.DS-11.01 | Data backup and replication | Mitigates | T1565.001 | Stored Data Manipulation |
Comments
This diagnostic statement provides protection from adversaries that try to manipulate and/or modify data at rest, which harms the integrity of data. Implementing data backup or disaster recovery plan can be used to restore organizational data that adversaries may have attempted to overwrite. Ensure backups are stored off system and is protected from common methods adversaries may use to gain access and manipulate backups.
|
| PR.DS-11.01 | Data backup and replication | Mitigates | T1565 | Data Manipulation |
Comments
This diagnostic statement provides protection from adversaries that try to manipulate, modify and/or harm the integrity of data. Implementing data backup or disaster recovery plan can be used to restore organizational data that adversaries may have attempted to overwrite. Ensure backups are stored off system and is protected from common methods adversaries may use to gain access and manipulate backups.
|
| PR.DS-11.01 | Data backup and replication | Mitigates | T1561.002 | Disk Structure Wipe |
Comments
This diagnostic statement protects adversaries that can wipe/corrupt disk data structures on a hard drive. Implementing data backup or disaster recovery plan can be used to restore organizational data that adversaries may have attempted to overwrite while targeting critical systems
|
| PR.DS-11.01 | Data backup and replication | Mitigates | T1561.001 | Disk Content Wipe |
Comments
This diagnostic statement protects adversaries that can wipe/corrupt contents of storage device data. Implementing data backup or disaster recovery plan can be used to restore organizational data that adversaries may have attempted to overwrite.
|
| PR.DS-11.01 | Data backup and replication | Mitigates | T1561 | Disk Wipe |
Comments
This diagnostic statement protects adversaries that can wipe/corrupt raw disk data on systems. Implementing data backup or disaster recovery plan can be used to restore organizational data that adversaries may have attempted to overwrite.
|
| PR.DS-11.01 | Data backup and replication | Mitigates | T1490 | Inhibit System Recovery |
Comments
This diagnostic statement provides protection from adversaries that try to remove built in data and/or turn off services that are used to help with the recovery of corrupted systems. Ensuring backups are stored off system and is protected from common methods adversaries may use to gain access and destroy the backups to prevent recovery is a way to deny adversaries access to available backup and recovery options
|
| PR.DS-11.01 | Data backup and replication | Mitigates | T1486 | Data Encrypted for Impact |
Comments
This diagnostic statement provides protection from adversaries that may encrypt data on target systems in a network to interrupt availability to system and network resources. They can attempt to render stored data inaccessible by encrypting files or data on local and remote drives and withholding access to a decryption key. Implementing data backup or disaster recovery plan can be used to restore organizational data. Ensure backups are stored off system and is protected from common methods adversaries may use to gain access and destroy the backups to prevent recovery.
|
| PR.DS-11.01 | Data backup and replication | Mitigates | T1485.001 | Lifecycle-Triggered Deletion |
Comments
This diagnostic statement provides protection from adversaries that may modify lifecycle policies of cloud storage bucket to destroy all objects stored within. Implementing data backup or disaster recovery plan can be used to restore organizational data.
|
| PR.DS-11.01 | Data backup and replication | Mitigates | T1485 | Data Destruction |
Comments
This diagnostic statement provides protection from adversaries that may try to destroy data and files on systems or on a network/network resource. Implementing data backup or disaster recovery plan can be used to restore organizational data.
|
| PR.DS-10.01 | Data-in-use protection | Mitigates | T1537 | Transfer Data to Cloud Account |
Comments
This Diagnostic Statement describes mitigations related to protecting data-in-use, mentioning encryption, access control methods and authentication. Using encryption for data-in-use, alongside other safeguards such for restricting exfiltration of sensitive data aid with mitigating collection and exfiltration threats.
|
| PR.DS-10.01 | Data-in-use protection | Mitigates | T1567 | Exfiltration Over Web Service |
Comments
This Diagnostic Statement describes mitigations related to protecting data-in-use, mentioning encryption, access control methods and authentication. Using encryption for data-in-use, alongside other safeguards such for restricting exfiltration of sensitive data aid with mitigating collection and exfiltration threats.
|
| PR.DS-10.01 | Data-in-use protection | Mitigates | T1052 | Exfiltration Over Physical Medium |
Comments
This Diagnostic Statement describes mitigations related to protecting data-in-use, mentioning encryption, access control methods and authentication. Using encryption for data-in-use, alongside other safeguards such for restricting exfiltration of sensitive data aid with mitigating collection and exfiltration threats.
|
| PR.DS-10.01 | Data-in-use protection | Mitigates | T1052.001 | Exfiltration over USB |
Comments
This Diagnostic Statement describes mitigations related to protecting data-in-use, mentioning encryption, access control methods and authentication. Using encryption for data-in-use, alongside other safeguards such for restricting exfiltration of sensitive data aid with mitigating collection and exfiltration threats.
|
| PR.DS-10.01 | Data-in-use protection | Mitigates | T1025 | Data from Removable Media |
Comments
This Diagnostic Statement describes mitigations related to protecting data-in-use, mentioning encryption, access control methods and authentication. Using encryption for data-in-use, alongside other safeguards such for restricting exfiltration of sensitive data aid with mitigating collection and exfiltration threats.
|
| PR.DS-10.01 | Data-in-use protection | Mitigates | T1041 | Exfiltration Over C2 Channel |
Comments
This Diagnostic Statement describes mitigations related to protecting data-in-use, mentioning encryption, access control methods and authentication. Using encryption for data-in-use, alongside other safeguards such for restricting exfiltration of sensitive data aid with mitigating collection and exfiltration threats.
|
| PR.DS-10.01 | Data-in-use protection | Mitigates | T1048 | Exfiltration Over Alternative Protocol |
Comments
This Diagnostic Statement describes mitigations related to protecting data-in-use, mentioning encryption, access control methods and authentication. Using encryption for data-in-use, alongside other safeguards such for restricting exfiltration of sensitive data aid with mitigating collection and exfiltration threats.
|
| PR.DS-10.01 | Data-in-use protection | Mitigates | T1005 | Data from Local System |
Comments
This Diagnostic Statement describes mitigations related to protecting data-in-use, mentioning encryption, access control methods and authentication. Using encryption for data-in-use, alongside other safeguards such for restricting exfiltration of sensitive data aid with mitigating collection and exfiltration threats.
|
| PR.DS-10.01 | Data-in-use protection | Mitigates | T1040 | Network Sniffing |
Comments
This Diagnostic Statement describes mitigations related to protecting data-in-use, mentioning encryption, access control methods and authentication. Using encryption for data-in-use, alongside other safeguards such for restricting exfiltration of sensitive data aid with mitigating collection and exfiltration threats.
|
| PR.DS-10.01 | Data-in-use protection | Mitigates | T1070 | Indicator Removal |
Comments
This Diagnostic Statement describes mitigations related to protecting data-in-use, mentioning encryption, access control methods and authentication. Using encryption for data-in-use, alongside other safeguards such for restricting exfiltration of sensitive data aid with mitigating collection and exfiltration threats.
|
| PR.DS-10.01 | Data-in-use protection | Mitigates | T1565.001 | Stored Data Manipulation |
Comments
This Diagnostic Statement describes mitigations related to protecting data-in-use, mentioning encryption, access control methods and authentication. Using encryption for data-in-use, alongside other safeguards such for restricting exfiltration of sensitive data aid with mitigating collection and exfiltration threats.
|
| PR.DS-10.01 | Data-in-use protection | Mitigates | T1565 | Data Manipulation |
Comments
This Diagnostic Statement describes mitigations related to protecting data-in-use, mentioning encryption, access control methods and authentication. Using encryption for data-in-use, alongside other safeguards such for restricting exfiltration of sensitive data aid with mitigating collection and exfiltration threats.
|
| PR.DS-10.01 | Data-in-use protection | Mitigates | T1213 | Data from Information Repositories |
Comments
This Diagnostic Statement describes mitigations related to protecting data-in-use, mentioning encryption, access control methods and authentication. Using encryption for data-in-use, alongside other safeguards such for restricting exfiltration of sensitive data aid with mitigating collection and exfiltration threats.
|
| PR.DS-10.01 | Data-in-use protection | Mitigates | T1602 | Data from Configuration Repository |
Comments
This Diagnostic Statement describes mitigations related to protecting data-in-use, mentioning encryption, access control methods and authentication. Using encryption for data-in-use, alongside other safeguards such for restricting exfiltration of sensitive data aid with mitigating collection and exfiltration threats.
|
| PR.DS-10.01 | Data-in-use protection | Mitigates | T1530 | Data from Cloud Storage |
Comments
This Diagnostic Statement describes mitigations related to protecting data-in-use, mentioning encryption, access control methods and authentication. Using encryption for data-in-use, alongside other safeguards such for restricting exfiltration of sensitive data aid with mitigating collection and exfiltration threats.
|
| PR.DS-10.01 | Data-in-use protection | Mitigates | T1020 | Automated Exfiltration |
Comments
This Diagnostic Statement describes mitigations related to protecting data-in-use, mentioning encryption, access control methods and authentication. Using encryption for data-in-use, alongside other safeguards such for restricting exfiltration of sensitive data aid with mitigating collection and exfiltration threats.
|
| PR.DS-10.01 | Data-in-use protection | Mitigates | T1119 | Automated Collection |
Comments
This Diagnostic Statement describes mitigations related to protecting data-in-use, mentioning encryption, access control methods and authentication. Using encryption for data-in-use, alongside other safeguards such for restricting exfiltration of sensitive data aid with mitigating collection and exfiltration threats.
|
| PR.AA-05.01 | Access privilege limitation | Mitigates | T1552.007 | Container API |
Comments
This diagnostic statement describes the implementation of least privilege principle, which can be applied to limiting permissions through role-based access controls, file and directory permissions, and the execution of systems and services. An adversary must already have high-level, admin or root level access on a local system to make full use of these ATT&CK techniques. Restrict users and accounts to the least privileges they require can help mitigate these techniques.
|
| PR.AA-05.01 | Access privilege limitation | Mitigates | T1505 | Server Software Component |
Comments
This diagnostic statement describes the implementation of least privilege principle, which can be applied to limiting permissions through role-based access controls, file and directory permissions, and the execution of systems and services. An adversary must already have high-level, admin or root level access on a local system to make full use of these ATT&CK techniques. Restrict users and accounts to the least privileges they require can help mitigate these techniques.
|
| PR.AA-05.01 | Access privilege limitation | Mitigates | T1578 | Modify Cloud Compute Infrastructure |
Comments
This diagnostic statement describes the implementation of least privilege principle, which can be applied to limiting permissions through role-based access controls, file and directory permissions, and the execution of systems and services. An adversary must already have high-level, admin or root level access on a local system to make full use of these ATT&CK techniques. Restrict users and accounts to the least privileges they require can help mitigate these techniques.
|
| PR.AA-05.01 | Access privilege limitation | Mitigates | T1562.012 | Disable or Modify Linux Audit System |
Comments
This diagnostic statement describes the implementation of least privilege principle, which can be applied to limiting permissions through role-based access controls, file and directory permissions, and the execution of systems and services. An adversary must already have high-level, admin or root level access on a local system to make full use of these ATT&CK techniques. Restrict users and accounts to the least privileges they require can help mitigate these techniques.
|
| PR.AA-05.01 | Access privilege limitation | Mitigates | T1610 | Deploy Container |
Comments
This diagnostic statement describes the implementation of least privilege principle, which can be applied to limiting permissions through role-based access controls, file and directory permissions, and the execution of systems and services. An adversary must already have high-level, admin or root level access on a local system to make full use of these ATT&CK techniques. Restrict users and accounts to the least privileges they require can help mitigate these techniques.
|
| PR.AA-05.01 | Access privilege limitation | Mitigates | T1613 | Container and Resource Discovery |
Comments
This diagnostic statement describes the implementation of least privilege principle, which can be applied to limiting permissions through role-based access controls, file and directory permissions, and the execution of systems and services. An adversary must already have high-level, admin or root level access on a local system to make full use of these ATT&CK techniques. Restrict users and accounts to the least privileges they require can help mitigate these techniques.
|
| PR.AA-05.01 | Access privilege limitation | Mitigates | T1609 | Container Administration Command |
Comments
This diagnostic statement describes the implementation of least privilege principle, which can be applied to limiting permissions through role-based access controls, file and directory permissions, and the execution of systems and services. An adversary must already have high-level, admin or root level access on a local system to make full use of these ATT&CK techniques. Restrict users and accounts to the least privileges they require can help mitigate these techniques.
|
| PR.AA-05.01 | Access privilege limitation | Mitigates | T1580 | Cloud Infrastructure Discovery |
Comments
This diagnostic statement describes the implementation of least privilege principle, which can be applied to limiting permissions through role-based access controls, file and directory permissions, and the execution of systems and services. An adversary must already have high-level, admin or root level access on a local system to make full use of these ATT&CK techniques. Restrict users and accounts to the least privileges they require can help mitigate these techniques.
|
| PR.AA-05.01 | Access privilege limitation | Mitigates | T1547.009 | Shortcut Modification |
Comments
This diagnostic statement describes the implementation of least privilege principle, which can be applied to limiting permissions through role-based access controls, file and directory permissions, and the execution of systems and services. An adversary must already have high-level, admin or root level access on a local system to make full use of these ATT&CK techniques. Restrict users and accounts to the least privileges they require can help mitigate these techniques.
|
| PR.AA-05.01 | Access privilege limitation | Mitigates | T1087.004 | Cloud Account |
Comments
This diagnostic statement describes the implementation of least privilege principle, which can be applied to limiting permissions through role-based access controls, file and directory permissions, and the execution of systems and services. An adversary must already have high-level, admin or root level access on a local system to make full use of these ATT&CK techniques. Restrict users and accounts to the least privileges they require can help mitigate these techniques.
|
| PR.AA-05.01 | Access privilege limitation | Mitigates | T1134.003 | Make and Impersonate Token |
Comments
This diagnostic statement describes the implementation of least privilege principle, which can be applied to limiting permissions through role-based access controls, file and directory permissions, and the execution of systems and services. An adversary must already have high-level, admin or root level access on a local system to make full use of these ATT&CK techniques. Restrict users and accounts to the least privileges they require can help mitigate these techniques.
|
| PR.AA-05.01 | Access privilege limitation | Mitigates | T1134.002 | Create Process with Token |
Comments
This diagnostic statement describes the implementation of least privilege principle, which can be applied to limiting permissions through role-based access controls, file and directory permissions, and the execution of systems and services. An adversary must already have high-level, admin or root level access on a local system to make full use of these ATT&CK techniques. Restrict users and accounts to the least privileges they require can help mitigate these techniques.
|
| PR.AA-05.01 | Access privilege limitation | Mitigates | T1134.001 | Token Impersonation/Theft |
Comments
This diagnostic statement describes the implementation of least privilege principle, which can be applied to limiting permissions through role-based access controls, file and directory permissions, and the execution of systems and services. An adversary must already have high-level, admin or root level access on a local system to make full use of these ATT&CK techniques. Restrict users and accounts to the least privileges they require can help mitigate these techniques.
|
| PR.AA-05.01 | Access privilege limitation | Mitigates | T1098 | Account Manipulation |
Comments
This diagnostic statement describes the implementation of least privilege principle, which can be applied to limiting permissions through role-based access controls, file and directory permissions, and the execution of systems and services. An adversary must already have high-level, admin or root level access on a local system to make full use of these ATT&CK techniques. Restrict users and accounts to the least privileges they require can help mitigate these techniques
|
| PR.AA-05.01 | Access privilege limitation | Mitigates | T1134 | Access Token Manipulation |
Comments
This diagnostic statement describes the implementation of least privilege principle, which can be applied to limiting permissions through role-based access controls, file and directory permissions, and the execution of systems and services. An adversary must already have high-level, admin or root level access on a local system to make full use of these ATT&CK techniques. Restrict users and accounts to the least privileges they require can help mitigate these techniques.
|
| PR.AA-05.01 | Access privilege limitation | Mitigates | T1574.012 | COR_PROFILER |
Comments
This diagnostic statement describes the implementation of least privilege principle, which can be applied to limiting permissions through role-based access controls, file and directory permissions, and the execution of systems and services. Ensure proper permissions are set for Registry hives to prevent users from modifying keys associated with COR_PROFILER.
|
| PR.AA-05.01 | Access privilege limitation | Mitigates | T1574.011 | Services Registry Permissions Weakness |
Comments
This diagnostic statement describes the implementation of least privilege principle, which can be applied to limiting permissions through role-based access controls, file and directory permissions, and the execution of systems and services. Ensure proper permissions are set for Registry hives to prevent users from modifying keys for logon scripts that may lead to persistence.
|
| PR.AA-05.01 | Access privilege limitation | Mitigates | T1574 | Hijack Execution Flow |
Comments
This diagnostic statement describes the implementation of least privilege principle, which can be applied to limiting permissions through role-based access controls, file and directory permissions, and the execution of systems and services. Ensure proper permissions are set for Registry hives to prevent users from modifying keys for logon scripts that may lead to persistence.
|
| PR.AA-05.01 | Access privilege limitation | Mitigates | T1037.001 | Logon Script (Windows) |
Comments
This diagnostic statement describes the implementation of least privilege principle, which can be applied to limiting permissions through role-based access controls, file and directory permissions, and the execution of systems and services. Ensure proper permissions are set for Registry hives to prevent users from modifying keys for logon scripts that may lead to persistence.
|
| PR.AA-05.01 | Access privilege limitation | Mitigates | T1037 | Boot or Logon Initialization Scripts |
Comments
This diagnostic statement describes the implementation of least privilege principle, which can be applied to limiting permissions through role-based access controls, file and directory permissions, and the execution of systems and services. Ensure proper permissions are set for Registry hives to prevent users from modifying keys for logon scripts that may lead to persistence.
|
| PR.AA-05.01 | Access privilege limitation | Mitigates | T1565 | Data Manipulation |
Comments
This diagnostic statement describes the implementation of least privilege principle, which can be applied to limiting permissions through role-based access controls, file and directory permissions, and the execution of systems and services. Ensure least privilege principles are applied to important information resources to reduce exposure to data manipulation risk.
|
| PR.AA-05.01 | Access privilege limitation | Mitigates | T1601 | Modify System Image |
Comments
This diagnostic statement describes the implementation of least privilege principle, which can be applied to limiting permissions through role-based access controls, file and directory permissions, and the execution of systems and services. Limit permissions associated with creating and modifying platform images or containers based on the principle of least privilege
|
| PR.AA-05.01 | Access privilege limitation | Mitigates | T1525 | Implant Internal Image |
Comments
This diagnostic statement describes the implementation of least privilege principle, which can be applied to limiting permissions through role-based access controls, file and directory permissions, and the execution of systems and services. Limit permissions associated with creating and modifying platform images or containers based on the principle of least privilege
|
| PR.AA-05.01 | Access privilege limitation | Mitigates | T1562.009 | Safe Mode Boot |
Comments
This diagnostic statement describes the implementation of least privilege principle, which can be applied to limiting permissions through role-based access controls, file and directory permissions, and the execution of systems and services. Restrict administrator accounts to as few individuals as possible, following least privilege principles, that may be abused to remotely boot a machine in safe mode.
|
| PR.AA-05.01 | Access privilege limitation | Mitigates | T1484.002 | Trust Modification |
Comments
This diagnostic statement describes the implementation of least privilege principle, which can be applied to limiting permissions through role-based access controls, file and directory permissions, and the execution of systems and services. Use the principal of least privilege and protect administrative access to domain trusts and identity tenants.
|
| PR.AA-05.01 | Access privilege limitation | Mitigates | T1484 | Domain or Tenant Policy Modification |
Comments
This diagnostic statement describes the implementation of least privilege principle, which can be applied to limiting permissions through role-based access controls, file and directory permissions, and the execution of systems and services. Use least privilege and protect administrative access to the Domain Controller and Active Directory Federation Services (AD FS) server.
|
| PR.AA-05.01 | Access privilege limitation | Mitigates | T1021 | Remote Services |
Comments
This diagnostic statement describes the implementation of least privilege principle, which can be applied to limiting permissions through role-based access controls, file and directory permissions, and the execution of systems and services. Limiting users' access to resources over network can help mitigate these techniques. Limiting access to file shares, remote access to systems, unnecessary services.
|
| PR.AA-05.01 | Access privilege limitation | Mitigates | T1200 | Hardware Additions |
Comments
This diagnostic statement describes the implementation of least privilege principle, which can be applied to limiting permissions through role-based access controls, file and directory permissions, and the execution of systems and services. Limiting users' access to resources over network can help mitigate these techniques. Establish network access control policies, such as using device certificates and the 802.1x standard. Restrict use of DHCP to registered devices to prevent unregistered devices from communicating with trusted systems.
|
| PR.AA-05.01 | Access privilege limitation | Mitigates | T1133 | External Remote Services |
Comments
This diagnostic statement describes the implementation of least privilege principle, which can be applied to limiting permissions through role-based access controls, file and directory permissions, and the execution of systems and services. Limiting users' access to resources over network can help mitigate these techniques. Limit access to remote services through centrally managed concentrators such as VPNs and other managed remote access systems.
|
| PR.AA-05.01 | Access privilege limitation | Mitigates | T1557 | Adversary-in-the-Middle |
Comments
This diagnostic statement describes the implementation of least privilege principle, which can be applied to limiting permissions through role-based access controls, file and directory permissions, and the execution of systems and services. Limiting users' access to resources over network can help mitigate these techniques. Limit access to network infrastructure and resources that can be used to reshape traffic or otherwise produce AiTM conditions.
|
| PR.AA-05.01 | Access privilege limitation | Mitigates | T1562 | Impair Defenses |
Comments
This diagnostic statement describes the implementation of least privilege principle, which can be applied to limiting permissions through role-based access controls, file and directory permissions, and the execution of systems and services. Ensure proper Registry permissions are in place to prevent unnecessary users and adversaries from disabling or interfering with security/logging services.
|
| DE.CM-01.01 | Intrusion detection and prevention | Mitigates | T1572 | Protocol Tunneling |
Comments
This diagnostic statement protects adversaries from using tunneling to encapsulate a protocol within another protocol. Network intrusion detection and prevention systems that use network signatures to identify traffic for specific adversary malware can be used to mitigate activity at the network level.
|
| DE.CM-01.01 | Intrusion detection and prevention | Mitigates | T1090.002 | External Proxy |
Comments
This diagnostic statement protects adversaries from infiltrating external proxies and taking over control of traffic between systems. Network intrusion detection and prevention systems that use network signatures to identify traffic for specific adversary malware can be used to mitigate activity at the network level.
|
| DE.CM-01.01 | Intrusion detection and prevention | Mitigates | T1090.001 | Internal Proxy |
Comments
This diagnostic statement protects adversaries from infiltrating internal proxies and taking over control of traffic between systems. Network intrusion detection and prevention systems that use network signatures to identify traffic for specific adversary malware can be used to mitigate activity at the network level.
|
| DE.CM-01.01 | Intrusion detection and prevention | Mitigates | T1090 | Proxy |
Comments
This diagnostic statement protects adversaries from redirecting network traffic between systems by infiltrating connection proxies. Traffic to known anonymity networks and C2 infrastructure can be blocked through the use of network allow and block lists.
|
| DE.CM-01.01 | Intrusion detection and prevention | Mitigates | T1102.003 | One-Way Communication |
Comments
Network intrusion detection and prevention systems that use network signatures to identify traffic for specific adversary malware that can be used to mitigate malicious activity and identify adversaries that use web services to obfuscate domains or IP addresses over web service channel.
|
| DE.CM-01.01 | Intrusion detection and prevention | Mitigates | T1102.002 | Bidirectional Communication |
Comments
Network intrusion detection and prevention systems that use network signatures to identify traffic for specific adversary malware that can be used to mitigate malicious activity and identify adversaries that use web services to obfuscate domains or IP addresses over web service channel.
|
| DE.CM-01.01 | Intrusion detection and prevention | Mitigates | T1102.001 | Dead Drop Resolver |
Comments
Network intrusion detection and prevention systems that use network signatures to identify traffic for specific adversary malware that can be used to mitigate malicious activity and identify adversaries that use web services to obfuscate domains or IP addresses.
|
| DE.CM-01.01 | Intrusion detection and prevention | Mitigates | T1102 | Web Service |
Comments
Network intrusion detection and prevention systems that use network signatures to identify traffic for specific adversary malware can be used to mitigate malicious activity and identify adversaries that can relay data from a compromised systems through websites, cloud service, or social media.
|
| DE.CM-01.01 | Intrusion detection and prevention | Mitigates | T1204.003 | Malicious Image |
Comments
In order to protect users from being victims of social engineering attacks, network intrusion prevention techniques can be used to scan and block malicious images so those images can't lead to malicious code being executed.
|
| DE.CM-01.01 | Intrusion detection and prevention | Mitigates | T1204.001 | Malicious Link |
Comments
In order to protect users from being victims of social engineering attacks, network intrusion prevention techniques can be used to scan and block malicious downloads and malicious activity.
|
| DE.CM-01.01 | Intrusion detection and prevention | Mitigates | T1204 | User Execution |
Comments
In order to protect users from being victims of social engineering attacks, network intrusion prevention techniques can be used to scan and block malicious code from malicious downloads and malicious activity.
|
| DE.CM-01.01 | Intrusion detection and prevention | Mitigates | T1566.001 | Spearphishing Attachment |
Comments
This diagnostic statement utilizes the tools such as network intrusion prevent systems to identify, scan and block malicious email attachments that can be clicked on by users in their emails. Also, anti-virus can be used to quarantine suspicious files.
|
| DE.CM-01.01 | Intrusion detection and prevention | Mitigates | T1221 | Template Injection |
Comments
Network/Host intrusion prevention systems, antivirus, and detonation chambers can be employed to prevent documents from fetching and/or executing malicious payloads that adversaries can steal in document templates.
|
| DE.CM-01.01 | Intrusion detection and prevention | Mitigates | T1566 | Phishing |
Comments
This diagnostic statement utilizes the tools such as network intrusion prevent systems to identify, scan and block malicious email or links that can be clicked on by users in their emails. Also, anti-virus can be used to quarantine suspicious files.
|
| DE.CM-01.01 | Intrusion detection and prevention | Mitigates | T1048 | Exfiltration Over Alternative Protocol |
Comments
Network intrusion detection and prevention systems that use network signatures to identify traffic for specific adversary malware can be used to mitigate some activity at the network level, specifically adversaries known to steal data and/or encrypt or obfuscate alternate channels.
|
| DE.CM-01.01 | Intrusion detection and prevention | Mitigates | T1573.002 | Asymmetric Cryptography |
Comments
Network intrusion detection and prevention systems that use network signatures to identify traffic for specific adversary malware can be used to mitigate some activity at the network level, specifically adversaries known to conceal C2 traffic with asymmetric encryption algorithms.
|
| DE.CM-01.01 | Intrusion detection and prevention | Mitigates | T1573.001 | Symmetric Cryptography |
Comments
Network intrusion detection and prevention systems that use network signatures to identify traffic for specific adversary malware can be used to mitigate some activity at the network level, specifically adversaries known to conceal C2 traffic with symmetric encryption algorithms.
|
| DE.CM-01.01 | Intrusion detection and prevention | Mitigates | T1573 | Encrypted Channel |
Comments
Network intrusion detection and prevention systems that use network signatures to identify traffic for specific adversary malware can be used to mitigate some obfuscation (command and control traffic) activity at the network level.
|
| DE.CM-01.01 | Intrusion detection and prevention | Mitigates | T1568.002 | Domain Generation Algorithms |
Comments
Network intrusion detection and prevention systems that use network signatures to identify traffic for specific adversary malware can be used to mitigate some obfuscation (command and control) activity at the network level.
|
| DE.CM-01.01 | Intrusion detection and prevention | Mitigates | T1568 | Dynamic Resolution |
Comments
Network intrusion detection and prevention systems that use network signatures to identify traffic for specific adversary malware can be used to mitigate some obfuscation (command and control) activity at the network level.
|
| DE.CM-01.01 | Intrusion detection and prevention | Mitigates | T1030 | Data Transfer Size Limits |
Comments
Network intrusion detection and prevention systems that use network signatures to identify traffic for specific adversary malware can be used to mitigate some obfuscation activity at the network level.
|
| DE.CM-01.01 | Intrusion detection and prevention | Mitigates | T1001.003 | Protocol or Service Impersonation |
Comments
Network intrusion detection and prevention systems that use network signatures to identify traffic for specific adversary malware can be used to mitigate some obfuscation activity at the network level.
|
| DE.CM-01.01 | Intrusion detection and prevention | Mitigates | T1001.002 | Steganography |
Comments
Network intrusion detection and prevention systems that use network signatures to identify traffic for specific adversary malware can be used to mitigate some obfuscation activity at the network level.
|
| DE.CM-01.01 | Intrusion detection and prevention | Mitigates | T1001.001 | Junk Data |
Comments
Network intrusion detection and prevention systems that use network signatures to identify traffic for specific adversary malware can be used to mitigate some obfuscation activity at the network level.
|
| DE.CM-01.01 | Intrusion detection and prevention | Mitigates | T1001 | Data Obfuscation |
Comments
Network intrusion detection and prevention systems that use network signatures to identify traffic for specific adversary malware can be used to mitigate some obfuscation command and control activity at the network level.
|
| DE.CM-01.01 | Intrusion detection and prevention | Mitigates | T1132.002 | Non-Standard Encoding |
Comments
Network intrusion detection and prevention systems that use network signatures to identify traffic for specific adversary malware can be used to mitigate activity at the network level.
|
| DE.CM-01.01 | Intrusion detection and prevention | Mitigates | T1132.001 | Standard Encoding |
Comments
Network intrusion detection and prevention systems that use network signatures to identify traffic for specific adversary malware can be used to mitigate activity at the network level.
|
| DE.CM-01.01 | Intrusion detection and prevention | Mitigates | T1132 | Data Encoding |
Comments
Network intrusion detection and prevention systems that use network signatures to identify traffic for specific adversary malware can be used to mitigate activity at the network level.
|
| DE.CM-01.01 | Intrusion detection and prevention | Mitigates | T1071.005 | Publish/Subscribe Protocols |
Comments
This diagnostic statement protects against adversaries that may try to utilize different protocols to abuse packets produced from these protocols. Network intrusion detection and prevention systems that use network signatures to identify traffic for specific adversary malware can be used to mitigate activity at the network level.
|
| DE.CM-01.01 | Intrusion detection and prevention | Mitigates | T1071.004 | DNS |
Comments
This diagnostic statement protects against adversaries that may try to utilize DNS protocol to abuse packets produced from these protocols. Network intrusion detection and prevention systems that use network signatures to identify traffic for specific adversary malware can be used to mitigate activity at the network level.
|
| DE.CM-01.01 | Intrusion detection and prevention | Mitigates | T1071.003 | Mail Protocols |
Comments
This diagnostic statement protects against adversaries that may try to utilize different protocols, such as SMPT/S, POP3/S and IMAP, to abuse packets produced from these protocols. Network intrusion detection and prevention systems that use network signatures to identify traffic for specific adversary malware can be used to mitigate activity at the network level.
|
| DE.CM-01.01 | Intrusion detection and prevention | Mitigates | T1071.002 | File Transfer Protocols |
Comments
This diagnostic statement protects against adversaries that may try to utilize different protocols, such as SMB, FTP, FTPS, and TFPT, to abuse packets produced from these protocols. Network intrusion detection and prevention systems that use network signatures to identify traffic for specific adversary malware can be used to mitigate activity at the network level.
|
| DE.CM-01.01 | Intrusion detection and prevention | Mitigates | T1071.001 | Web Protocols |
Comments
This diagnostic statement protects against adversaries that may try to utilize different protocols, such as HTTPS and web socket, to blend in with existing traffic. Network intrusion detection and prevention systems that use network signatures to identify traffic for specific adversary malware can be used to mitigate activity at the network level.
|
| DE.CM-01.01 | Intrusion detection and prevention | Mitigates | T1071 | Application Layer Protocol |
Comments
This diagnostic statement protects against adversaries that may try to utilize different protocols, such as web browsing, transferring files, email, from attacking at the OSI level. Network intrusion detection and prevention systems that use network signatures to identify traffic for specific adversary malware can be used to mitigate activity at the network level.
|
| DE.CM-01.01 | Intrusion detection and prevention | Mitigates | T1557.004 | Evil Twin |
Comments
Implementing methods similar to Wireless Intrusion prevention systems (WIPS) can identify and prevent adversary in the middle activity
|
| DE.CM-01.01 | Intrusion detection and prevention | Mitigates | T1557.003 | DHCP Spoofing |
Comments
The use of network intrusion detection and prevention systems can identify and possibly bock traffic patterns, indicative of AiTM activity. If so, these patterns can be mitigated at the network level.
|
| DE.CM-01.01 | Intrusion detection and prevention | Mitigates | T1557.002 | ARP Cache Poisoning |
Comments
The use of network intrusion detection and prevention systems can identify and possibly bock traffic patterns, indicative of AiTM activity. If so, these patterns can be mitigated at the network level, enabling to block adversaries from poisoning ARP caches.
|
| DE.CM-01.01 | Intrusion detection and prevention | Mitigates | T1557.001 | LLMNR/NBT-NS Poisoning and SMB Relay |
Comments
The use of network intrusion detection and prevention systems can identify and possibly bock traffic patterns, indicative of AiTM activity. If so, these patterns can be mitigated at the network level.
|
| DE.CM-01.01 | Intrusion detection and prevention | Mitigates | T1557 | Adversary-in-the-Middle |
Comments
The use of network intrusion detection and prevention systems can identify and possibly bock traffic patterns, indicative of AiTM activity. If so, these patterns can be mitigated at the network level.
|
| DE.CM-01.01 | Intrusion detection and prevention | Mitigates | T1036.008 | Masquerade File Type |
Comments
Implementing methods similar to Host Intrusion prevention (HIPS) can identify and prevent execution of malicious files and its metadata manipulated by adversaries.
|
| DE.CM-01.01 | Intrusion detection and prevention | Mitigates | T1036 | Masquerading |
Comments
Implementing methods similar to Host Intrusion prevention (HIPS) can identify and prevent execution of malicious files and its metadata manipulated by adversaries.
|
| DE.CM-01.02 | Network traffic volume monitoring | Mitigates | T1498.002 | Reflection Amplification |
Comments
This diagnostic statement may block Denial of Service (DoS) attacks from occurring by adversaries that induces a reflection attack by sending packets to reflectors with the spoofed address of the victim. Filtering boundary traffic can be used to intercept incoming traffic and filtering out the attack traffic from the original traffic.
|
| DE.CM-01.02 | Network traffic volume monitoring | Mitigates | T1498.001 | Direct Network Flood |
Comments
This diagnostic statement may block Denial of Service (DoS) attacks from occurring by adversaries that target networks that send a high volume of network traffic to a target. Filtering boundary traffic can be used to intercept incoming traffic and filtering out the attack traffic from the original traffic.
|
| DE.CM-01.02 | Network traffic volume monitoring | Mitigates | T1498 | Network Denial of Service |
Comments
This diagnostic statement may block Network Denial of Service (DoS) attacks from occurring by adversaries that target resources to users via websites, email services, DNS, and web-based applications. Filtering boundary traffic can be used to intercept incoming traffic and filtering out the attack traffic from the original traffic.
|
| DE.CM-01.02 | Network traffic volume monitoring | Mitigates | T1499.004 | Application or System Exploitation |
Comments
This diagnostic statement may block Denial of Service (DoS) attacks from occurring by adversaries that exploit software vulnerabilities that can cause crashing of a system or application. Filtering boundary traffic can be used to block source addresses and block ports that are being targeted. It also blocks protocols being used for transport.
|
| DE.CM-01.02 | Network traffic volume monitoring | Mitigates | T1499.003 | Application Exhaustion Flood |
Comments
This diagnostic statement may block Denial of Service (DoS) attacks from occurring by adversaries that target application features. Filtering boundary traffic can be used to block source addresses and block ports that are being targeted. It also blocks protocols being used for transport.
|
| DE.CM-01.02 | Network traffic volume monitoring | Mitigates | T1499.002 | Service Exhaustion Flood |
Comments
This diagnostic statement may block Endpoint Denial of Service (DoS) attacks from occurring from adversaries that target DNS and web services. Filtering boundary traffic can be used to block source addresses and block ports that are being targeted. It also blocks protocols being used for transport.
|
| DE.CM-01.02 | Network traffic volume monitoring | Mitigates | T1499.001 | OS Exhaustion Flood |
Comments
This diagnostic statement may block Endpoint Denial of Service (DoS) attacks from occurring by adversaries that target endpoint's operating system (OS). Filtering boundary traffic can be used to block source addresses and block ports that are being targeted. It also blocks protocols being used for transport.
|
| DE.CM-01.02 | Network traffic volume monitoring | Mitigates | T1499 | Endpoint Denial of Service |
Comments
This diagnostic statement may block Endpoint Denial of Service (DoS) attacks from occurring via websites, email services, and web-based applications. Filtering boundary traffic can be used to block source addresses and block ports that are being targeted. It also blocks protocols being used for transport.
|
| PR.PS-02.01 | Patch identification and application | Mitigates | T1550.002 | Pass the Hash |
Comments
This diagnostic statement is related to the implementation of a patch management program. Applying patches and upgrades for products and systems provided by vendors mitigates the risk of adversaries exploiting known vulnerabilities. An example of this for Pass the Hash is to update software by applying patch KB2871997 to Windows 7 and higher systems, limiting the default access of accounts in the local administrator group.
|
| PR.PS-02.01 | Patch identification and application | Mitigates | T1552.006 | Group Policy Preferences |
Comments
This diagnostic statement is related to the implementation of a patch management program. Applying patches and upgrades for products and systems provided by vendors mitigates the risk of adversaries exploiting known vulnerabilities. An example of this for Group Policy Preferences (GPPs) is to update software by applying patch KB2962486 which prevents credentials from being stored in group policy preferences.
|
| PR.PS-02.01 | Patch identification and application | Mitigates | T1539 | Steal Web Session Cookie |
Comments
This diagnostic statement is related to the implementation of a patch management program. Applying patches and upgrades for products and systems provided by vendors mitigates the risk of adversaries exploiting known vulnerabilities. Regularly updating web browsers, password managers, and related software to the latest versions reduces the risk of vulnerabilities being exploited by attackers to extract stored credentials or steal web session cookies.
|
| PR.PS-02.01 | Patch identification and application | Mitigates | T1072 | Software Deployment Tools |
Comments
This diagnostic statement is related to the implementation of a patch management program. Applying patches and upgrades for products and systems provided by vendors mitigates the risk of adversaries exploiting known vulnerabilities. Patching software deployment tools and systems regularly helps prevent potential remote access through Exploitation for Privilege Escalation.
|
| PR.PS-02.01 | Patch identification and application | Mitigates | T1542.001 | System Firmware |
Comments
This diagnostic statement is related to the implementation of a patch management program. Applying patches and upgrades for products and systems provided by vendors mitigates the risk of adversaries exploiting known vulnerabilities. Patching the BIOS and EFI as necessary helps to prevent adversaries from modifying system firmware.
|
| PR.PS-02.01 | Patch identification and application | Mitigates | T1542 | Pre-OS Boot |
Comments
This diagnostic statement is related to the implementation of a patch management program. Applying patches and upgrades for products and systems provided by vendors mitigates the risk of adversaries exploiting known vulnerabilities. Patching the BIOS and EFI as necessary helps prevent adversaries from abusing Pre-OS Boot mechanisms.
|
| PR.PS-02.01 | Patch identification and application | Mitigates | T1137.005 | Outlook Rules |
Comments
This diagnostic statement is related to the implementation of a patch management program. Applying patches and upgrades for products and systems provided by vendors mitigates the risk of adversaries exploiting known vulnerabilities. An example of this is installing patches Microsoft has released to help to address abuse of Microsoft Outlook rules.
|
| PR.PS-02.01 | Patch identification and application | Mitigates | T1137.004 | Outlook Home Page |
Comments
This diagnostic statement is related to the implementation of a patch management program. Applying patches and upgrades for products and systems provided by vendors mitigates the risk of adversaries exploiting known vulnerabilities. For example, exploitation via Outlook Home Page can be prevented by applying Microsoft KB4011162 to systems, which removes the legacy Home Page feature.
|
| PR.PS-02.01 | Patch identification and application | Mitigates | T1137.003 | Outlook Forms |
Comments
This diagnostic statement is related to the implementation of a patch management program. Applying patches and upgrades for products and systems provided by vendors mitigates the risk of adversaries exploiting known vulnerabilities. For example, exploitation via Outlook Forms can be mitigated by applying Microsoft KB4011091 which disables custom forms by default.
|
| PR.PS-02.01 | Patch identification and application | Mitigates | T1137 | Office Application Startup |
Comments
This diagnostic statement is related to the implementation of a patch management program. Applying patches and upgrades for products and systems provided by vendors mitigates the risk of adversaries exploiting known vulnerabilities. For example, Microsoft has released several patches to help address leveraging of Microsoft Office-based applications for persistence between startups.
|
| PR.PS-02.01 | Patch identification and application | Mitigates | T1574.002 | DLL Side-Loading |
Comments
This diagnostic statement is related to the implementation of a patch management program. Applying patches and upgrades for products and systems provided by vendors mitigates the risk of adversaries exploiting known vulnerabilities. For example, applying patches that fix DLL side-loading vulnerabilities mitigates the execution of malicious payloads by side-loading DLLs.
|
| PR.PS-02.01 | Patch identification and application | Mitigates | T1574 | Hijack Execution Flow |
Comments
This diagnostic statement is related to the implementation of a patch management program. Applying patches and upgrades for products and systems provided by vendors mitigates the risk of adversaries exploiting known vulnerabilities. For example, updating software regularly to include patches that fix DLL side-loading vulnerabilities can help mitigate execution of malicious payloads by hijacking execution flow.
|
| PR.PS-02.01 | Patch identification and application | Mitigates | T1495 | Firmware Corruption |
Comments
This diagnostic statement is related to the implementation of a patch management program. Applying patches and upgrades for products and systems provided by vendors mitigates the risk of adversaries exploiting known vulnerabilities. For example, patching the BIOS and other firmware can help prevent adversaries from overwriting or corrupting firmware.
|
| PR.PS-02.01 | Patch identification and application | Mitigates | T1546.011 | Application Shimming |
Comments
This diagnostic statement is related to the implementation of a patch management program. Applying patches and upgrades for products and systems provided by vendors mitigates the risk of adversaries exploiting known vulnerabilities. For example, to prevent use of application shimming to bypass UAC, Microsoft released patch KB3045645 that will remove the "auto-elevate" flag within the sdbinst.exe.
|
| PR.PS-02.01 | Patch identification and application | Mitigates | T1546.010 | AppInit DLLs |
Comments
This diagnostic statement is related to the implementation of a patch management program. Applying patches and upgrades for products and systems provided by vendors mitigates the risk of adversaries exploiting known vulnerabilities. For example, upgrading to Windows 8 or later and enabling secure boot can help prevent execution of malicious content via AppInit DLLs.
|
| PR.PS-02.01 | Patch identification and application | Mitigates | T1546 | Event Triggered Execution |
Comments
This diagnostic statement is related to the implementation of a patch management program. Applying patches and upgrades for products and systems provided by vendors mitigates the risk of adversaries exploiting known vulnerabilities. For example, performing regular software updates can mitigate potential event triggered execution exploitation risks.
|
| PR.PS-02.01 | Patch identification and application | Mitigates | T1189 | Drive-by Compromise |
Comments
This diagnostic statement is related to the implementation of a patch management program. Applying patches and upgrades for products and systems provided by vendors mitigates the risk of adversaries exploiting known vulnerabilities. For example, ensure all browsers and plugins are kept updated to help prevent the exploit phase of Drive-by Compromise.
|
| PR.PS-02.01 | Patch identification and application | Mitigates | T1602.002 | Network Device Configuration Dump |
Comments
This diagnostic statement is related to the implementation of a patch management program. Applying patches and upgrades for products and systems provided by vendors mitigates the risk of adversaries exploiting known vulnerabilities. For example, keeping system images and software updated and migrating to SNMPv3 can help prevent adversary access of network configuration files.
|
| PR.PS-02.01 | Patch identification and application | Mitigates | T1602.001 | SNMP (MIB Dump) |
Comments
This diagnostic statement is related to the implementation of a patch management program. Applying patches and upgrades for products and systems provided by vendors mitigates the risk of adversaries exploiting known vulnerabilities. For example, keeping system images and software updated and migrating to SNMPv3 can help prevent adversaries from collecting MIB content directly from SNMP-managed devices.
|
| PR.PS-02.01 | Patch identification and application | Mitigates | T1602 | Data from Configuration Repository |
Comments
This diagnostic statement is related to the implementation of a patch management program. Applying patches and upgrades for products and systems provided by vendors mitigates the risk of adversaries exploiting known vulnerabilities. For example, keeping system images and software updated can help prevent adversaries from collecting data related to managed devices from configuration repositories.
|
| PR.PS-02.01 | Patch identification and application | Mitigates | T1555.005 | Password Managers |
Comments
This diagnostic statement is related to the implementation of a patch management program. Applying patches and upgrades for products and systems provided by vendors mitigates the risk of adversaries exploiting known vulnerabilities. For example, regularly updating web browsers, password managers, and related software reduces the risk of vulnerabilities being exploited by attackers to extract stored credentials or session cookies.
|
| PR.PS-02.01 | Patch identification and application | Mitigates | T1555.003 | Credentials from Web Browsers |
Comments
This diagnostic statement is related to the implementation of a patch management program. Applying patches and upgrades for products and systems provided by vendors mitigates the risk of adversaries exploiting known vulnerabilities. For example, regularly updating web browsers, password managers, and related software reduces the risk of vulnerabilities being exploited by attackers to extract stored credentials or session cookies.
|
| PR.PS-02.01 | Patch identification and application | Mitigates | T1555 | Credentials from Password Stores |
Comments
This diagnostic statement is related to the implementation of a patch management program. Applying patches and upgrades for products and systems provided by vendors mitigates the risk of adversaries exploiting known vulnerabilities. For example, performing regular software updates mitigates adversary exploitation of password storage locations to obtain user credentials.
|
| PR.PS-02.01 | Patch identification and application | Mitigates | T1176 | Browser Extensions |
Comments
This diagnostic statement is related to the implementation of a patch management program. Applying patches and upgrades for products and systems provided by vendors mitigates the risk of adversaries exploiting known vulnerabilities. For example, ensuring operating systems and browsers are using the most current version helps prevent adversaries from abusing Internet browser extensions or plugins.
|
| PR.PS-02.01 | Patch identification and application | Mitigates | T1548.002 | Bypass User Account Control |
Comments
This diagnostic statement is related to the implementation of a patch management program. Applying patches and upgrades for products and systems provided by vendors mitigates the risk of adversaries exploiting known vulnerabilities. For example, updating Windows to the latest version and patch level provides the latest protective measures against UAC bypass.
|
| PR.PS-02.01 | Patch identification and application | Mitigates | T1548 | Abuse Elevation Control Mechanism |
Comments
This diagnostic statement is related to the implementation of a patch management program. Applying patches and upgrades for products and systems provided by vendors mitigates the risk of adversaries exploiting known vulnerabilities. For example, performing regular software updates is recommended to help mitigate exploitation risk via abuse of elevation control mechanisms.
|
| PR.PS-02.01 | Patch identification and application | Mitigates | T1195.002 | Compromise Software Supply Chain |
Comments
This diagnostic statement is related to the implementation of a patch management program. Applying patches and upgrades for products and systems provided by vendors mitigates the risk of adversaries exploiting known vulnerabilities. A patch management process can help prevent supply chain compromise through checking unused dependencies, unmaintained and/or previously vulnerable dependencies, unnecessary features, components, files, and documentation.
|
| PR.PS-02.01 | Patch identification and application | Mitigates | T1195.001 | Compromise Software Dependencies and Development Tools |
Comments
This diagnostic statement is related to the implementation of a patch management program. Applying patches and upgrades for products and systems provided by vendors mitigates the risk of adversaries exploiting known vulnerabilities. A patch management process can help prevent supply chain compromise through checking unused dependencies, unmaintained and/or previously vulnerable dependencies, unnecessary features, components, files, and documentation.
|
| PR.PS-02.01 | Patch identification and application | Mitigates | T1195 | Supply Chain Compromise |
Comments
This diagnostic statement is related to the implementation of a patch management program. Applying patches and upgrades for products and systems provided by vendors mitigates the risk of adversaries exploiting known vulnerabilities. A patch management process can help prevent supply chain compromise through checking unused dependencies, unmaintained and/or previously vulnerable dependencies, unnecessary features, components, files, and documentation.
|
| PR.PS-02.01 | Patch identification and application | Mitigates | T1210 | Exploitation of Remote Services |
Comments
This diagnostic statement is related to the implementation of a patch management program. Applying patches and upgrades for products and systems provided by vendors mitigates the risk of adversaries exploiting known vulnerabilities. For example, updating software regularly by employing patch management for internal enterprise endpoints and servers can mitigate exploitation of remote services.
|
| PR.PS-02.01 | Patch identification and application | Mitigates | T1211 | Exploitation for Defense Evasion |
Comments
This diagnostic statement is related to the implementation of a patch management program. Applying patches and upgrades for products and systems provided by vendors mitigates the risk of adversaries exploiting known vulnerabilities. For example, updating software regularly by employing patch management for internal enterprise endpoints and servers can help prevent adversary exploitation of a system or application vulnerability to bypass security features.
|
| PR.PS-02.01 | Patch identification and application | Mitigates | T1190 | Exploit Public-Facing Application |
Comments
This diagnostic statement is related to the implementation of a patch management program. Applying patches and upgrades for products and systems provided by vendors mitigates the risk of adversaries exploiting known vulnerabilities. For example, updating software regularly by employing patch management for internal enterprise endpoints and servers can help prevent adversary exploitation of a weakness in an Internet-facing host or system to initially access a network.
|
| PR.PS-02.01 | Patch identification and application | Mitigates | T1068 | Exploitation for Privilege Escalation |
Comments
This diagnostic statement is related to the implementation of a patch management program. Applying patches and upgrades for products and systems provided by vendors mitigates the risk of adversaries exploiting known vulnerabilities. For example, updating software regularly by employing patch management for internal enterprise endpoints and servers can help prevent adversary exploitation of software vulnerabilities to elevate privileges.
|
| PR.PS-02.01 | Patch identification and application | Mitigates | T1212 | Exploitation for Credential Access |
Comments
This diagnostic statement is related to the implementation of a patch management program. Applying patches and upgrades for products and systems provided by vendors mitigates the risk of adversaries exploiting known vulnerabilities. For example, updating software regularly by employing patch management for internal enterprise endpoints and servers can help prevent adversary exploitation of software vulnerabilities to collect credentials.
|
| PR.PS-01.06 | Encryption management practices | Mitigates | T1098.004 | SSH Authorized Keys |
Comments
This diagnostic statement is associated with employing encryption methods to mitigate unauthorized access or theft of data that protect the confidentiality and integrity of data-at-rest, data-in-use, and data-in-transit. When it comes to cryptography and key management standards, for the SSH Authorized Keys technique, restricting user and application access to the authorized_keys file can be a mitigating factor for adversaries attempting to modify the SSH authorized_keys file to maintain persistence on a victim host. Linux distributions and macOS commonly use key-based authentication to secure the authentication process of SSH sessions for remote management.
|
| PR.PS-01.06 | Encryption management practices | Mitigates | T1552 | Unsecured Credentials |
Comments
This diagnostic statement is associated with employing encryption methods to mitigate unauthorized access or theft of data that protect the confidentiality and integrity of data-at-rest, data-in-use, and data-in-transit. When it comes to cryptography and key management standards, for the Unsecured Credentials technique, best practice dictates that when possible, store keys on separate cryptographic hardware instead of on the local system to mitigate data theft of credentials stored in unsecure locations.
|
| PR.PS-01.06 | Encryption management practices | Mitigates | T1563.001 | SSH Hijacking |
Comments
This diagnostic statement is associated with employing encryption methods to mitigate unauthorized access or theft of data that protect the confidentiality and integrity of data-at-rest, data-in-use, and data-in-transit. When it comes to cryptography and key management standards, for the SSH Hijacking technique, consider that SSH key pairs possess strong passwords and refrain from using key-store technologies such as ssh-agent unless they are properly protected.
|
| PR.PS-01.06 | Encryption management practices | Mitigates | T1552.004 | Private Keys |
Comments
This diagnostic statement is associated with employing encryption methods to mitigate unauthorized access or theft of data that protect the confidentiality and integrity of data-at-rest, data-in-use, and data-in-transit. When it comes to cryptography and key management standard as it applies to the Private Keys technique, when possible, consider storing keys on separate cryptographic hardware instead of on the local system. For example, on Windows systems use a TPM to secure keys and other sensitive credential material.
|
| PR.PS-01.06 | Encryption management practices | Mitigates | T1558.004 | AS-REP Roasting |
Comments
This diagnostic statement is associated with employing encryption methods to mitigate unauthorized access or theft of data that protect the confidentiality and integrity of data-at-rest, data-in-use, and data-in-transit. To address threats to the theft or forgery of kerberos tickets through AS-REP Roasting, enable AES Kerberos encryption (or another stronger encryption algorithm), rather than RC4, where possible.
|
| PR.PS-01.06 | Encryption management practices | Mitigates | T1558.003 | Kerberoasting |
Comments
This diagnostic statement is associated with employing encryption methods to mitigate unauthorized access or theft of data that protect the confidentiality and integrity of data-at-rest, data-in-use, and data-in-transit. To address threats to the theft or forgery of kerberos tickets with kerberoasting, enable AES Kerberos encryption (or another stronger encryption algorithm), rather than RC4, where possible.
|
| PR.PS-01.06 | Encryption management practices | Mitigates | T1558.002 | Silver Ticket |
Comments
This diagnostic statement is associated with employing encryption methods to mitigate unauthorized access or theft of data that protect the confidentiality and integrity of data-at-rest, data-in-use, and data-in-transit. To address threats to the theft or forgery of kerberos tickets with silver tickets, enable AES Kerberos encryption (or another stronger encryption algorithm), rather than RC4, where possible.
|
| PR.PS-01.06 | Encryption management practices | Mitigates | T1649 | Steal or Forge Authentication Certificates |
Comments
This diagnostic statement is associated with employing encryption methods to mitigate unauthorized access or theft of data that protect the confidentiality and integrity of data-at-rest, data-in-use, and data-in-transit. To address threats to the theft or forgery of authentication certificates, ensure certificates as well as associated private keys are appropriately secured.
|
| PR.PS-01.06 | Encryption management practices | Mitigates | T1558 | Steal or Forge Kerberos Tickets |
Comments
This diagnostic statement is associated with employing encryption methods to mitigate unauthorized access or theft of data that protect the confidentiality and integrity of data-at-rest, data-in-use, and data-in-transit. To address threats to the theft or forgery of kerberos tickets, enable AES Kerberos encryption (or another stronger encryption algorithm), rather than RC4, where possible.
|
| PR.PS-01.06 | Encryption management practices | Mitigates | T1040 | Network Sniffing |
Comments
This diagnostic statement is associated with employing encryption methods to mitigate unauthorized access or theft of data that protect the confidentiality and integrity of data-at-rest, data-in-use, and data-in-transit. To address threats of network sniffing, ensure that all wired and/or wireless traffic is encrypted appropriately. Use best practices for authentication protocols, such as Kerberos, and ensure web traffic that may contain credentials is protected by SSL/TLS.
|
| PR.PS-01.06 | Encryption management practices | Mitigates | T1070.002 | Clear Linux or Mac System Logs |
Comments
This diagnostic statement is associated with employing encryption methods to mitigate unauthorized access or theft of data that protect the confidentiality and integrity of data-at-rest, data-in-use, and data-in-transit. To address threats to the removal of Linux or Mac System Logs, obfuscate/encrypt event files locally and in transit to avoid giving feedback to an adversary.
|
| PR.PS-01.06 | Encryption management practices | Mitigates | T1070.001 | Clear Windows Event Logs |
Comments
This diagnostic statement is associated with employing encryption methods to mitigate unauthorized access or theft of data that protect the confidentiality and integrity of data-at-rest, data-in-use, and data-in-transit. To address threats to windows event logs removal techniques, obfuscate/encrypt event files locally and in transit to avoid giving feedback to an adversary.
|
| PR.PS-01.06 | Encryption management practices | Mitigates | T1070 | Indicator Removal |
Comments
This diagnostic statement is associated with employing encryption methods to mitigate unauthorized access or theft of data that protect the confidentiality and integrity of data-at-rest, data-in-use, and data-in-transit. To address threats to indicator removal techniques, obfuscate/encrypt event files locally and in transit to avoid giving feedback to an adversary.
|
| PR.PS-01.06 | Encryption management practices | Mitigates | T1114.001 | Local Email Collection |
Comments
This diagnostic statement is associated with employing encryption methods to mitigate unauthorized access or theft of data that protect the confidentiality and integrity of data-at-rest, data-in-use, and data-in-transit. To address threats to email collection, the use of encryption provides an added layer of security to sensitive information sent over email. Encryption using public key cryptography requires the adversary to obtain the private certificate along with an encryption key to decrypt messages. File encryption should be enforced across email communications containing sensitive information that may be obtained through access to email services.
|
| PR.PS-01.06 | Encryption management practices | Mitigates | T1114.002 | Remote Email Collection |
Comments
This diagnostic statement is associated with employing encryption methods to mitigate unauthorized access or theft of data that protect the confidentiality and integrity of data-at-rest, data-in-use, and data-in-transit. To address threats to email collection, the use of encryption provides an added layer of security to sensitive information sent over email. Encryption using public key cryptography requires the adversary to obtain the private certificate along with an encryption key to decrypt messages. File encryption should be enforced across email communications containing sensitive information that may be obtained through access to email services.
|
| PR.PS-01.06 | Encryption management practices | Mitigates | T1114 | Email Collection |
Comments
This diagnostic statement is associated with employing encryption methods to mitigate unauthorized access or theft of data that protect the confidentiality and integrity of data-at-rest, data-in-use, and data-in-transit. To address threats to email collection, the use of encryption provides an added layer of security to sensitive information sent over email. Encryption using public key cryptography requires the adversary to obtain the private certificate along with an encryption key to decrypt messages.
|
| PR.PS-01.06 | Encryption management practices | Mitigates | T1565.002 | Transmitted Data Manipulation |
Comments
This diagnostic statement is associated with employing encryption methods to mitigate unauthorized access or theft of data that protect the confidentiality and integrity of data-at-rest, data-in-use, and data-in-transit. To address threats to transmitted data manipulation, encrypt all important data flows to reduce the impact of tailored modifications on data in transit.
|
| PR.PS-01.06 | Encryption management practices | Mitigates | T1565.001 | Stored Data Manipulation |
Comments
This diagnostic statement is associated with employing encryption methods to mitigate unauthorized access or theft of data that protect the confidentiality and integrity of data-at-rest, data-in-use, and data-in-transit. To address threats to stored data manipulation, consider encrypting important information to reduce an adversary’s ability to perform tailored data modifications.
|
| PR.PS-01.06 | Encryption management practices | Mitigates | T1565 | Data Manipulation |
Comments
This diagnostic statement is associated with employing encryption methods to mitigate unauthorized access or theft of data that protect the confidentiality and integrity of data-at-rest, data-in-use, and data-in-transit. To address threats to data manipulation, consider encrypting important information to reduce an adversary’s ability to perform tailored data modifications.
|
| PR.PS-01.06 | Encryption management practices | Mitigates | T1213 | Data from Information Repositories |
Comments
This diagnostic statement is associated with employing encryption methods to mitigate unauthorized access or theft of data that protect the confidentiality and integrity of data-at-rest, data-in-use, and data-in-transit. To address threats to data from information repositories, encrypt data stored at rest in databases.
|
| PR.PS-01.06 | Encryption management practices | Mitigates | T1602.002 | Network Device Configuration Dump |
Comments
This diagnostic statement is associated with employing encryption methods to mitigate unauthorized access or theft of data that protect the confidentiality and integrity of data-at-rest, data-in-use, and data-in-transit. To address threats of Network Device Configuration Dump, configure SNMPv3 to use the highest level of security (authPriv) available.
|
| PR.PS-01.06 | Encryption management practices | Mitigates | T1602.001 | SNMP (MIB Dump) |
Comments
This diagnostic statement is associated with employing encryption methods to mitigate unauthorized access or theft of data that protect the confidentiality and integrity of data-at-rest, data-in-use, and data-in-transit. To address threats of SNMP (MIB Dump), configure SNMPv3 to use the highest level of security (authPriv) available.
|
| PR.PS-01.06 | Encryption management practices | Mitigates | T1602 | Data from Configuration Repository |
Comments
This diagnostic statement is associated with employing encryption methods to mitigate unauthorized access or theft of data that protect the confidentiality and integrity of data-at-rest, data-in-use, and data-in-transit. To address threats of data collection from configuration repository, configure SNMPv3 to use the highest level of security (authPriv) available.
|
| PR.PS-01.06 | Encryption management practices | Mitigates | T1530 | Data from Cloud Storage |
Comments
This diagnostic statement is associated with employing encryption methods to mitigate unauthorized access or theft of data that protect the confidentiality and integrity of data-at-rest, data-in-use, and data-in-transit. To address data collection from cloud storage, encrypt data stored at rest in cloud storage. Managed encryption keys can be rotated by most providers. At a minimum, ensure an incident response plan to storage breach includes rotating the keys and test for impact on client applications.
|
| PR.PS-01.06 | Encryption management practices | Mitigates | T1659 | Content Injection |
Comments
This diagnostic statement is associated with employing encryption methods to mitigate unauthorized access or theft of data that protect the confidentiality and integrity of data-at-rest, data-in-use, and data-in-transit. To address Content Injection threats, ensure that all wired and wireless traffic is encrypted appropriately, employs best practices for authentication protocols such as Kerberos, and protects web traffic containing credentials using SSL/TLS.
|
| PR.PS-01.06 | Encryption management practices | Mitigates | T1020.001 | Traffic Duplication |
Comments
This diagnostic statement is associated with employing encryption methods to mitigate unauthorized access or theft of data that protect the confidentiality and integrity of data-at-rest, data-in-use, and data-in-transit. To address Automated Exfiltration: Traffic Duplication threats, ensure that all wired and wireless traffic is encrypted appropriately, employs best practices for authentication protocols such as Kerberos, and protects web traffic containing credentials using SSL/TLS.
|
| PR.PS-01.06 | Encryption management practices | Mitigates | T1557.002 | ARP Cache Poisoning |
Comments
This diagnostic statement is associated with employing encryption methods to mitigate unauthorized access or theft of data that protect the confidentiality and integrity of data-at-rest, data-in-use, and data-in-transit. To address ARP Cache Poisoning, ensure that all wired and wireless traffic is encrypted appropriately, employs best practices for authentication protocols such as Kerberos, and protects web traffic containing credentials using SSL/TLS.
|
| PR.PS-01.06 | Encryption management practices | Mitigates | T1557 | Adversary-in-the-Middle |
Comments
This diagnostic statement is associated with employing encryption methods to mitigate unauthorized access or theft of data that protect the confidentiality and integrity of data-at-rest, data-in-use, and data-in-transit. To address adversary-in-the-middle threats, the organization ensures that all wired and wireless traffic is encrypted appropriately, employs best practices for authentication protocols such as Kerberos, and protects web traffic containing credentials using SSL/TLS.
|
| PR.PS-01.03 | Configuration deviation | Mitigates | T1195 | Supply Chain Compromise |
Comments
This diagnostic statement provides protection from Supply Chain Compromise through the implementation of security configuration baselines for OS, software, file integrity monitoring and imaging. Ensuring software management security standards can help protect against adversaries attempting to compromise the supply chain.
|
| PR.PS-01.03 | Configuration deviation | Mitigates | T1553 | Subvert Trust Controls |
Comments
This diagnostic statement provides protection from Subvert Trust Controls through the implementation of security configuration baselines for OS, software, file integrity monitoring and imaging. Security baselining and integrity checking can help protect against adversaries attempting to subvert trust controls.
|
| PR.PS-01.03 | Configuration deviation | Mitigates | T1553.006 | Code Signing Policy Modification |
Comments
This diagnostic statement provides protection from Code Signing Policy Modification through the implementation of security configuration baselines for OS, software, file integrity monitoring and imaging. Security baselining and integrity checking can help protect against adversaries attempting to compromise and modify software and its configurations.
|
| PR.PS-01.03 | Configuration deviation | Mitigates | T1542 | Pre-OS Boot |
Comments
This diagnostic statement provides protection from Pre-OS Boot through the implementation of security configuration baselines for OS, software, file integrity monitoring and imaging. Security baselining and integrity checking can help protect against adversaries attempting to compromise and modify software/firmware and its configurations.
|
| PR.PS-01.03 | Configuration deviation | Mitigates | T1542.001 | System Firmware |
Comments
This diagnostic statement provides protection from System Firmware through the implementation of security configuration baselines for OS, software, file integrity monitoring and imaging. Security baselining and integrity checking can help protect against adversaries attempting to compromise and modify firmware and its configurations.
|
| PR.PS-01.03 | Configuration deviation | Mitigates | T1542.003 | Bootkit |
Comments
This diagnostic statement provides protection from Bootkit through the implementation of security configuration baselines for OS, software, file integrity monitoring and imaging. Security baselining and integrity checking can help protect against adversaries attempting to compromise and modify software and its configurations.
|
| PR.PS-01.03 | Configuration deviation | Mitigates | T1542.004 | ROMMONkit |
Comments
This diagnostic statement provides protection from ROMMONkit through the implementation of security configuration baselines for OS, software, file integrity monitoring and imaging. Security baselining and integrity checking can help protect against adversaries attempting to compromise and modify software and its configurations.
|
| PR.PS-01.03 | Configuration deviation | Mitigates | T1542.005 | TFTP Boot |
Comments
This diagnostic statement provides protection from TFTP Boot through the implementation of security configuration baselines for OS, software, file integrity monitoring and imaging. Security baselining and integrity checking can help protect against adversaries attempting to compromise and modify software and its configurations.
|
| PR.PS-01.03 | Configuration deviation | Mitigates | T1601 | Modify System Image |
Comments
This diagnostic statement provides protection from Modify System Image through the implementation of security configuration baselines for OS, software, file integrity monitoring and imaging. Security baselining and integrity checking can help protect against adversaries attempting to compromise and modify the system image.
|
| PR.PS-01.03 | Configuration deviation | Mitigates | T1601.001 | Patch System Image |
Comments
This diagnostic statement provides protection from Patch System Image through the implementation of security configuration baselines for OS, software, file integrity monitoring and imaging. Security baselining and integrity checking can help protect against adversaries attempting to compromise and modify the system image
|
| PR.PS-01.03 | Configuration deviation | Mitigates | T1601.002 | Downgrade System Image |
Comments
This diagnostic statement provides protection from Downgrade System Image through the implementation of security configuration baselines for OS, software, file integrity monitoring and imaging. Security baselining and integrity checking can help protect against adversaries attempting to compromise and modify the system image.
|
| PR.PS-01.03 | Configuration deviation | Mitigates | T1495 | Firmware Corruption |
Comments
This diagnostic statement provides protection from Firmware Corruption through the implementation of security configuration baselines for OS, software, file integrity monitoring and imaging. Security baselining and integrity checking can help protect against adversaries attempting to compromise and modify firmware and its configurations.
|
| PR.PS-01.03 | Configuration deviation | Mitigates | T1204 | User Execution |
Comments
This diagnostic statement provides protection from User Execution through the implementation of security configuration baselines for OS, software, file integrity monitoring and imaging. Security baselining and integrity checking can help protect against adversaries attempting to execute malicious unsigned code.
|
| PR.PS-01.03 | Configuration deviation | Mitigates | T1204.003 | Malicious Image |
Comments
This diagnostic statement provides protection from User Execution through the implementation of security configuration baselines for OS, software, file integrity monitoring and imaging. Security baselining and integrity checking can help protect against adversaries attempting to execute malicious unsigned code.
|
| PR.PS-01.03 | Configuration deviation | Mitigates | T1127 | Trusted Developer Utilities Proxy Execution |
Comments
This diagnostic statement provides protection from Trusted Developer Utilities Proxy Execution through the implementation of security configuration baselines for OS, software, file integrity monitoring and imaging. Security baselining and integrity checking can help protect against adversaries attempting to compromise and modify software and its configurations.
|
| PR.PS-01.03 | Configuration deviation | Mitigates | T1127.002 | ClickOnce |
Comments
This diagnostic statement provides protection from Trusted Developer Utilities Proxy Execution: ClickOnce through the implementation of security configuration baselines for OS, software, file integrity monitoring and imaging. Security baselining and integrity checking can help protect against adversaries attempting to compromise and modify software and its configurations.
|
| PR.PS-01.03 | Configuration deviation | Mitigates | T1505 | Server Software Component |
Comments
This diagnostic statement provides protection from Server Software Component through the implementation of security configuration baselines for OS, software, file integrity monitoring and imaging. Security baselining and integrity checking can help protect against adversaries attempting to compromise and modify software and its configurations.
|
| PR.PS-01.03 | Configuration deviation | Mitigates | T1505.001 | SQL Stored Procedures |
Comments
This diagnostic statement provides protection from SQL Stored Procedures through the implementation of security configuration baselines for OS, software, file integrity monitoring and imaging. Security baselining and integrity checking can help protect against adversaries attempting to compromise and modify software and its configurations.
|
| PR.PS-01.03 | Configuration deviation | Mitigates | T1505.002 | Transport Agent |
Comments
This diagnostic statement provides protection from Transport Agent through the implementation of security configuration baselines for OS, software, file integrity monitoring and imaging. Security baselining and integrity checking can help protect against adversaries attempting to compromise and modify software and its configurations.
|
| PR.PS-01.03 | Configuration deviation | Mitigates | T1505.004 | IIS Components |
Comments
This diagnostic statement provides protection from IIS Components through the implementation of security configuration baselines for OS, software, file integrity monitoring and imaging. Security baselining and integrity checking can help protect against adversaries attempting to compromise and modify software and its configurations.
|
| PR.PS-01.03 | Configuration deviation | Mitigates | T1036 | Masquerading |
Comments
This diagnostic statement provides protection from Masquerading through the implementation of security configuration baselines for OS, software, file integrity monitoring and imaging. Security baselining and integrity checking can help protect against adversaries attempting to compromise and modify software and its configurations.
|
| PR.PS-01.03 | Configuration deviation | Mitigates | T1036.001 | Invalid Code Signature |
Comments
This diagnostic statement provides protection from Masquerading: Invalid Code Signature through the implementation of security configuration baselines for OS, software, file integrity monitoring and imaging. Security baselining and integrity checking can help protect against adversaries attempting to compromise and modify software and its configurations.
|
| PR.PS-01.03 | Configuration deviation | Mitigates | T1036.005 | Match Legitimate Name or Location |
Comments
This diagnostic statement provides protection from Masquerading: Match Legitimate Name or Location through the implementation of security configuration baselines for OS, software, file integrity monitoring and imaging. Security baselining and integrity checking can help protect against adversaries attempting to compromise and modify software and its configurations.
|
| PR.PS-01.03 | Configuration deviation | Mitigates | T1525 | Implant Internal Image |
Comments
This diagnostic statement provides protection from Implant Internal Image through the implementation of security configuration baselines for OS, software, file integrity monitoring and imaging. Security baselining and integrity checking can help protect against adversaries attempting to compromise and modify software and its configurations.
|
| PR.PS-01.03 | Configuration deviation | Mitigates | T1546 | Event Triggered Execution |
Comments
This diagnostic statement provides protection from Event Triggered Execution through the implementation of security configuration baselines for OS, software, file integrity monitoring and imaging. Security baselining and integrity checking can help protect against adversaries attempting to compromise and modify software and its configurations.
|
| PR.PS-01.03 | Configuration deviation | Mitigates | T1546.006 | LC_LOAD_DYLIB Addition |
Comments
This diagnostic statement provides protection from Event Triggered Execution: LC_LOAD_DYLIB Addition through the implementation of security configuration baselines for OS, software, file integrity monitoring and imaging. Security baselining and integrity checking can help protect against adversaries attempting to compromise and modify software and its configurations.
|
| PR.PS-01.03 | Configuration deviation | Mitigates | T1546.013 | PowerShell Profile |
Comments
This diagnostic statement provides protection from Powershell Profile through the implementation of security configuration baselines for OS, software, file integrity monitoring and imaging. Security baselining and integrity checking can help protect against adversaries attempting to compromise and modify software and its configurations.
|
| PR.PS-01.03 | Configuration deviation | Mitigates | T1543 | Create or Modify System Process |
Comments
This diagnostic statement provides protection from Create or Modify System Process through the implementation of security configuration baselines for OS, software, file integrity monitoring and imaging. Security baselining and integrity checking can help protect against adversaries attempting to compromise and modify software and its configurations.
|
| PR.PS-01.03 | Configuration deviation | Mitigates | T1543.003 | Windows Service |
Comments
This diagnostic statement provides protection from Create or Modify System Process: Windows Service through the implementation of security configuration baselines for OS, software, file integrity monitoring and imaging. Security baselining and integrity checking can help protect against adversaries attempting to compromise and modify software and its configurations.
|
| PR.PS-01.03 | Configuration deviation | Mitigates | T1554 | Compromise Host Software Binary |
Comments
This diagnostic statement provides protection from Compromise Host Software Binary the implementation of security configuration baselines for OS, software, file integrity monitoring and imaging. Security baselining and integrity checking can help protect against adversaries attempting to compromise and modify software and its configurations.
|
| PR.PS-01.03 | Configuration deviation | Mitigates | T1059 | Command and Scripting Interpreter |
Comments
This diagnostic statement provides protection from Command and Scripting Interpreter through the implementation of security configuration baselines for OS, software, file integrity monitoring and imaging. Security baselining along with disallowing scripts and integrity checking can help protect against adversaries that may abuse command and script interpreters.
|
| PR.PS-01.03 | Configuration deviation | Mitigates | T1059.001 | PowerShell |
Comments
This diagnostic statement provides protection from Command and Scripting Interpreter through the implementation of security configuration baselines for OS, software, file integrity monitoring and imaging. Security baselining along with disallowing scripts and integrity checking can help protect against adversaries that may abuse command and script interpreters.
|
| PR.PS-01.03 | Configuration deviation | Mitigates | T1059.002 | AppleScript |
Comments
This diagnostic statement provides protection from Command and Scripting Interpreter through the implementation of security configuration baselines for OS, software, file integrity monitoring and imaging. Security baselining along with disallowing scripts and integrity checking can help protect against adversaries that may abuse command and script interpreters.
|
| PR.PS-01.03 | Configuration deviation | Mitigates | T1550.004 | Web Session Cookie |
Comments
This diagnostic statement provides protection from Web Session Cookie through the implementation of security configuration baselines for OS, software, file integrity monitoring and imaging. Baseline security configuration including the automated deletion of cookies can help protect against adversaries attempting to compromise and modify software and its configurations.
|
| PR.PS-01.03 | Configuration deviation | Mitigates | T1535 | Unused/Unsupported Cloud Regions |
Comments
This diagnostic statement provides protection from Unused/Unsupported Cloud Regions through the implementation of security configuration baselines for OS, software, file integrity monitoring and imaging. Security baselining and integrity checking can help protect against adversaries attempting to compromise and modify software and its configurations.
|
| PR.PS-01.03 | Configuration deviation | Mitigates | T1537 | Transfer Data to Cloud Account |
Comments
This diagnostic statement provides protection from Transfer Data to Cloud through the implementation of security configuration baselines for OS, software, file integrity monitoring and imaging. Security baseline configurations that enforce data sharing restrictions to the cloud and integrity checking can help protect against adversaries attempting to transfer data to a cloud account.
|
| PR.PS-01.03 | Configuration deviation | Mitigates | T1553.004 | Install Root Certificate |
Comments
This diagnostic statement provides protection from Subvert Trust Controls: Install Root Certificate through the implementation of security configuration baselines for OS, software, file integrity monitoring and imaging. Security baseline configuration including Windows Group Policy or Key Pinning and integrity checking can help protect against adversaries attempting to compromise and modify certificate configurations.
|
| PR.PS-01.03 | Configuration deviation | Mitigates | T1539 | Steal Web Session Cookie |
Comments
This diagnostic statement provides protection from Steal Web Session Cookie through the implementation of security configuration baselines for OS, software, file integrity monitoring and imaging. Baseline security configuration including the automated deletion of cookies can help protect against adversaries attempting to compromise and modify software and its configurations.
|
| PR.PS-01.03 | Configuration deviation | Mitigates | T1598 | Phishing for Information |
Comments
This diagnostic statement provides protection from Phishing for Information through the implementation of security configuration baselines for OS, software, file integrity monitoring and imaging. Security baseline configuration that uses anti-spoofing, email authentication mechanisms, encryption of credential data, and integrity checking can help protect against adversaries attempting to gather information.
|
| PR.PS-01.03 | Configuration deviation | Mitigates | T1598.002 | Spearphishing Attachment |
Comments
This diagnostic statement provides protection from Phishing for Information: Spearphishing Attachment through the implementation of security configuration baselines for OS, software, file integrity monitoring and imaging. Security baseline configuration that uses anti-spoofing, email authentication mechanisms, external email tracking, encryption of credential data, and integrity checking can help protect against adversaries attempting to gather information.
|
| PR.PS-01.03 | Configuration deviation | Mitigates | T1598.003 | Spearphishing Link |
Comments
This diagnostic statement provides protection from Phishing for Information: Spearphishing Link through the implementation of security configuration baselines for OS, software, file integrity monitoring and imaging. Security baseline configuration that uses anti-spoofing, email authentication mechanisms, web filtering, encryption of credential data, and integrity checking can help protect against adversaries attempting to gather information.
|
| PR.PS-01.03 | Configuration deviation | Mitigates | T1566 | Phishing |
Comments
This diagnostic statement provides protection from Phishing through the implementation of security configuration baselines for OS, software, file integrity monitoring and imaging. Security baseline configuration that uses anti-spoofing, email authentication mechanisms, blocking of non-essential sites or attachment types, encryption of credential data, and integrity checking can help protect against adversaries attempting to access systems.
|
| PR.PS-01.03 | Configuration deviation | Mitigates | T1566.002 | Spearphishing Link |
Comments
This diagnostic statement provides protection from Phishing through the implementation of security configuration baselines for OS, software, file integrity monitoring and imaging. Security baseline configuration that uses anti-spoofing, email authentication mechanisms, blocking of non-essential sites or attachment types, encryption of credential data, and integrity checking can help protect against adversaries attempting to access systems
|
| PR.PS-01.03 | Configuration deviation | Mitigates | T1137 | Office Application Startup |
Comments
This diagnostic statement provides protection from Office Application Startup through the implementation of security configuration baselines for OS, software, file integrity monitoring and imaging. Security baseline configuration of Office software and integrity checking can help protect against adversaries attempting to compromise and modify software and its configurations.
|
| PR.PS-01.03 | Configuration deviation | Mitigates | T1137.002 | Office Test |
Comments
This diagnostic statement provides protection from Office Test through the implementation of security configuration baselines for OS, software, file integrity monitoring and imaging. Security baselining and integrity checking can help protect against adversaries attempting to compromise and modify software and its configurations.
|
| PR.PS-01.03 | Configuration deviation | Mitigates | T1666 | Modify Cloud Resource Hierarchy |
Comments
This diagnostic statement provides protection from Modify Cloud Resource Hierarchy through the implementation of security configuration baselines for OS, software, file integrity monitoring and imaging. Security baseline configurations for Cloud platforms and integrity checking can help protect against adversaries attempting to compromise and modify cloud configurations.
|
| PR.PS-01.03 | Configuration deviation | Mitigates | T1559 | Inter-Process Communication |
Comments
This diagnostic statement provides protection from Inter-Process Communication through the implementation of security configuration baselines for OS, software, file integrity monitoring and imaging. Security baselining and integrity checking can help protect against adversaries attempting to compromise and modify software and its configurations.
|
| PR.PS-01.03 | Configuration deviation | Mitigates | T1559.002 | Dynamic Data Exchange |
Comments
This diagnostic statement provides protection from Inter-Process Communication: Dynamic Data Exchange through the implementation of security configuration baselines for OS, software, file integrity monitoring and imaging. Security baselining and integrity checking can help protect against adversaries attempting to compromise and modify software and its configurations.
|
| PR.PS-01.03 | Configuration deviation | Mitigates | T1562 | Impair Defenses |
Comments
This diagnostic statement provides protection from Impair Defenses through the implementation of security configuration baselines for OS, software, file integrity monitoring and imaging. Security baselining and integrity checking can help protect against adversaries attempting to compromise and modify software and its configurations.
|
| PR.PS-01.03 | Configuration deviation | Mitigates | T1562.006 | Indicator Blocking |
Comments
This diagnostic statement provides protection from Impair Defenses: Indicator Blocking through the implementation of security configuration baselines for OS, software, file integrity monitoring and imaging. Security baselining and integrity checking can help protect against adversaries attempting to compromise and modify software and its configurations.
|
| PR.PS-01.03 | Configuration deviation | Mitigates | T1562.009 | Safe Mode Boot |
Comments
This diagnostic statement provides protection from Impair Defenses: Safe Mode Boot through the implementation of security configuration baselines for OS, software, file integrity monitoring and imaging. Security baselining and integrity checking can help protect against adversaries attempting to compromise and modify software and its configurations.
|
| PR.PS-01.03 | Configuration deviation | Mitigates | T1562.010 | Downgrade Attack |
Comments
This diagnostic statement provides protection from Impair Defenses: Downgrade Attack through the implementation of security configuration baselines for OS, software, file integrity monitoring and imaging. Security baselining and integrity checking can help protect against adversaries attempting to compromise and modify software and its configurations.
|
| PR.PS-01.03 | Configuration deviation | Mitigates | T1590.002 | DNS |
Comments
This diagnostic statement provides protection from Gather Victim Information: DNS through the implementation of security configuration baselines for OS, software, file integrity monitoring and imaging. Security baseline configuration including secure policies for DNS servers including Zone Transfer Policies and integrity checking can help protect against adversaries attempting to compromise and modify software and its configurations.
|
| PR.PS-01.03 | Configuration deviation | Mitigates | T1606 | Forge Web Credentials |
Comments
This diagnostic statement provides protection from Forge Web Credentials through the implementation of security configuration baselines for OS, software, file integrity monitoring and imaging. Security baselining and integrity checking can help protect against adversaries attempting to compromise and modify software and its configurations.
|
| PR.PS-01.03 | Configuration deviation | Mitigates | T1606.001 | Web Cookies |
Comments
This diagnostic statement provides protection from Web Cookies through the implementation of security configuration baselines for OS, software, file integrity monitoring and imaging. Baseline security configuration including the automated deletion of cookies can help protect against adversaries attempting to compromise and modify software and its configurations.
|
| PR.PS-01.03 | Configuration deviation | Mitigates | T1213 | Data from Information Repositories |
Comments
This diagnostic statement provides protection from Data from Information Repositories through the implementation of security configuration baselines for OS, software, file integrity monitoring and imaging. Security baseline configurations that include data retention policies to periodically archive and/or delete data and integrity checking can help protect against adversaries attempting to leverage information repositories.
|
| PR.PS-01.03 | Configuration deviation | Mitigates | T1213.004 | Customer Relationship Management Software |
Comments
This diagnostic statement provides protection from Data from Information Repositories: Customer Relationship Management Software through the implementation of security configuration baselines for OS, software, file integrity monitoring and imaging. Security baseline configurations that include data retention policies to periodically archive and/or delete data and integrity checking can help protect against adversaries attempting to leverage information repositories.
|
| PR.PS-01.03 | Configuration deviation | Mitigates | T1602 | Data from Configuration Repository |
Comments
This diagnostic statement provides protection from Data from Information Repositories: Data from Configuration Repository through the implementation of security configuration baselines for OS, software, file integrity monitoring and imaging. Security baseline configurations that include data retention policies to periodically archive and/or delete data and integrity checking can help protect against adversaries attempting to leverage information repositories.
|
| PR.PS-01.03 | Configuration deviation | Mitigates | T1602.001 | SNMP (MIB Dump) |
Comments
This diagnostic statement provides protection from Data from Configuration Repository: SNMP (MIB Dump) through the implementation of security configuration baselines for OS, software, file integrity monitoring and imaging. Security baseline configurations that include allowlist MIB objects and implement SNMP Views can help protect against adversaries attempting to leverage information repositories.
|
| PR.PS-01.03 | Configuration deviation | Mitigates | T1602.002 | Network Device Configuration Dump |
Comments
This diagnostic statement provides protection from Data from Configuration Repository: Network Device Configuration Dump through the implementation of security configuration baselines for OS, software, file integrity monitoring and imaging. Security baseline configurations that include allowlist MIB objects and implement SNMP Views, and keeping system images and software up to date can help protect against adversaries attempting to leverage information repositories.
|
| PR.PS-01.03 | Configuration deviation | Mitigates | T1555.005 | Password Managers |
Comments
This diagnostic statement provides protection from Credentials from Password Stores: Password Managers through the implementation of security configuration baselines for OS, software, file integrity monitoring and imaging. Security baseline configurations that include secure password storage policies, and keeping system images and software up to date can help protect against adversaries attempting to leverage information repositories.
|
| PR.PS-01.03 | Configuration deviation | Mitigates | T1543.005 | Container Service |
Comments
This diagnostic statement provides protection from Create or Modify System Process: Container Service through the implementation of security configuration baselines for OS, software, file integrity monitoring and imaging. Security baselining and integrity checking can help protect against adversaries attempting to compromise and modify software and its configurations.
|
| PR.PS-01.03 | Configuration deviation | Mitigates | T1548 | Abuse Elevation Control Mechanism |
Comments
This diagnostic statement provides protection from Abuse Elevation Control Mechanism through the implementation of security configuration baselines for OS, software, file integrity monitoring and imaging. Security baselining and integrity checking can help protect against adversaries attempting to compromise and modify software and its configurations.
|
| PR.PS-01.03 | Configuration deviation | Mitigates | T1548.003 | Sudo and Sudo Caching |
Comments
This diagnostic statement provides protection from Abuse Elevation Control Mechanism: Sudo and Sudo Caching through the implementation of security configuration baselines for OS, software, file integrity monitoring and imaging. Security baseline configuraiton of the Operating System and integrity checking can help protect against adversaries attempting to compromise and elevate privileges.
|
| PR.PS-01.03 | Configuration deviation | Mitigates | T1548.002 | Bypass User Account Control |
Comments
This diagnostic statement provides protection from Abuse Elevation Control Mechanism: Bypass User Account Control through the implementation of security configuration baselines for OS, software, file integrity monitoring and imaging. Security baseline configuration of the Operating System and integrity checking can help protect against adversaries attempting to compromise and elevate privileges.
|
| PR.PS-01.03 | Configuration deviation | Mitigates | T1548.001 | Setuid and Setgid |
Comments
This diagnostic statement provides protection from Abuse Elevation Control Mechanism: Setuid and Setgid through the implementation of security configuration baselines for OS, software, file integrity monitoring and imaging. Security baseline configuration of the Operating System and integrity checking can help protect against adversaries attempting to compromise and elevate privileges.
|
| PR.PS-01.03 | Configuration deviation | Mitigates | T1087 | Account Discovery |
Comments
This diagnostic statement provides protection from Account Discovery through the implementation of security configuration baselines for OS, software, file integrity monitoring and imaging. Security baseline configuration of the Operating System and integrity checking can help protect against adversaries attempting to compromise and elevate privileges.
|
| PR.PS-01.03 | Configuration deviation | Mitigates | T1087.001 | Local Account |
Comments
This diagnostic statement provides protection from Account Discovery: Local Account through the implementation of security configuration baselines for OS, software, file integrity monitoring and imaging. Security baseline configuration of the Operating System and integrity checking can help protect against adversaries attempting to compromise and elevate privileges.
|
| PR.PS-01.03 | Configuration deviation | Mitigates | T1087.002 | Domain Account |
Comments
This diagnostic statement provides protection from Account Discovery: Domain Account through the implementation of security configuration baselines for OS, software, file integrity monitoring and imaging. Security baseline configuration of the Operating System and integrity checking can help protect against adversaries attempting to compromise and elevate privileges.
|
| PR.PS-01.03 | Configuration deviation | Mitigates | T1098 | Account Manipulation |
Comments
This diagnostic statement provides protection from Account Manipulation through the implementation of security configuration baselines for OS, software, file integrity monitoring and imaging. Security baseline configuration of the Operating System and integrity checking can help protect against adversaries attempting to compromise and modify software and its configurations.
|
| PR.PS-01.03 | Configuration deviation | Mitigates | T1197 | BITS Jobs |
Comments
This diagnostic statement provides protection from BITS Jobs through the implementation of security configuration baselines for OS, software, file integrity monitoring and imaging. Security baseline configuration of the Operating System and integrity checking can help protect against adversaries attempting to compromise and elevate privileges.
|
| PR.PS-01.03 | Configuration deviation | Mitigates | T1092 | Communication Through Removable Media |
Comments
This diagnostic statement provides protection from Communication Through Removable Media through the implementation of security configuration baselines for OS, software, file integrity monitoring and imaging. Security baseline configuration of the Operating System and integrity checking can help protect against adversaries attempting to compromise and elevate privileges.
|
| PR.PS-01.03 | Configuration deviation | Mitigates | T1136 | Create Account |
Comments
This diagnostic statement provides protection from Create Account through the implementation of security configuration baselines for OS, software, file integrity monitoring and imaging. Security baseline configuration of the Operating System and integrity checking can help protect against adversaries attempting to compromise and elevate privileges.
|
| PR.PS-01.03 | Configuration deviation | Mitigates | T1136.002 | Domain Account |
Comments
This diagnostic statement provides protection from Create Account: Domain Account through the implementation of security configuration baselines for OS, software, file integrity monitoring and imaging. Security baseline configuration of the Operating System and integrity checking can help protect against adversaries attempting to compromise and elevate privileges.
|
| PR.PS-01.03 | Configuration deviation | Mitigates | T1546.008 | Accessibility Features |
Comments
This diagnostic statement provides protection from Accessibility Features through the implementation of security configuration baselines for OS, software, file integrity monitoring and imaging. Security baseline configuration of the Operating System and integrity checking can help protect against adversaries attempting to compromise and elevate privileges.
|
| PR.PS-01.03 | Configuration deviation | Mitigates | T1011 | Exfiltration Over Other Network Medium |
Comments
This diagnostic statement provides protection from Exfiltration Over Other Network Medium through the implementation of security configuration baselines for OS, software, file integrity monitoring and imaging. Security baseline configuration of the Operating System and integrity checking can help protect against adversaries attempting to compromise and modify software and its configurations.
|
| PR.PS-01.03 | Configuration deviation | Mitigates | T1011.001 | Exfiltration Over Bluetooth |
Comments
This diagnostic statement provides protection from Exfiltration Over Other Network Medium: Exfiltration Over Bluetooth through the implementation of security configuration baselines for OS, software, file integrity monitoring and imaging. Security baseline configuration of the Operating System and integrity checking can help protect against adversaries attempting to compromise and modify software and its configurations.
|
| PR.PS-01.03 | Configuration deviation | Mitigates | T1564 | Hide Artifacts |
Comments
This diagnostic statement provides protection from Hide Artifacts through the implementation of security configuration baselines for OS, software, file integrity monitoring and imaging. Security baseline configuration of the Operating System and integrity checking can help protect against adversaries attempting to compromise and modify software and its configurations.
|
| PR.PS-01.03 | Configuration deviation | Mitigates | T1564.002 | Hidden Users |
Comments
This diagnostic statement provides protection from Hide Artifacts: Hidden Users through the implementation of security configuration baselines for OS, software, file integrity monitoring and imaging. Security baseline configuration of the Operating System and integrity checking can help protect against adversaries attempting to compromise and modify software and its configurations.
|
| PR.PS-01.03 | Configuration deviation | Mitigates | T1574 | Hijack Execution Flow |
Comments
This diagnostic statement provides protection from Hijack Execution Flow through the implementation of security configuration baselines for OS, software, file integrity monitoring and imaging. Security baseline configuration of the Operating System and integrity checking can help protect against adversaries attempting to compromise and modify software and its configurations.
|
| PR.PS-01.03 | Configuration deviation | Mitigates | T1574.006 | Dynamic Linker Hijacking |
Comments
This diagnostic statement provides protection from Hijack Execution Flow: Dynamic Linker Hijacking through the implementation of security configuration baselines for OS, software, file integrity monitoring and imaging. Security baseline configuration of the Operating System and integrity checking can help protect against adversaries attempting to compromise and modify software and its configurations.
|
| PR.PS-01.03 | Configuration deviation | Mitigates | T1562.003 | Impair Command History Logging |
Comments
This diagnostic statement provides protection from Impair Defenses: Impair Command History Logging through the implementation of security configuration baselines for OS, software, file integrity monitoring and imaging. Security baseline configuration of the Operating System and integrity checking can help protect against adversaries attempting to compromise and modify software and its configurations.
|
| PR.PS-01.03 | Configuration deviation | Mitigates | T1490 | Inhibit System Recovery |
Comments
This diagnostic statement provides protection from Inhibit System Recovery through the implementation of security configuration baselines for OS, software, file integrity monitoring and imaging. Security baseline configuration of the Operating System and integrity checking can help protect against adversaries attempting to compromise and modify software and its configurations.
|
| PR.PS-01.03 | Configuration deviation | Mitigates | T1036.007 | Double File Extension |
Comments
This diagnostic statement provides protection from Masquerading: Double File Extension through the implementation of security configuration baselines for OS, software, file integrity monitoring and imaging. Security baseline configuration of the Operating System and integrity checking can help protect against adversaries attempting to compromise and modify software and its configurations.
|
| PR.PS-01.03 | Configuration deviation | Mitigates | T1556 | Modify Authentication Process |
Comments
This diagnostic statement provides protection from Modify Authentication Process through the implementation of security configuration baselines for OS, software, file integrity monitoring and imaging. Security baseline configuration of the Operating System (including only allowing valid DLLs, secure policies) and integrity checking can help protect against adversaries attempting to compromise and modify software and its configurations.
|
| PR.PS-01.03 | Configuration deviation | Mitigates | T1556.002 | Password Filter DLL |
Comments
This diagnostic statement provides protection from Modify Authentication Process: Password Filter DLL through the implementation of security configuration baselines for OS, software, file integrity monitoring and imaging. Security baseline configuration of the Operating System (including only allowing valid DLLs, secure policies) and integrity checking can help protect against adversaries attempting to compromise and modify software and its configurations.
|
| PR.PS-01.03 | Configuration deviation | Mitigates | T1556.008 | Network Provider DLL |
Comments
This diagnostic statement provides protection from Modify Authentication Process: Network Provider DLL through the implementation of security configuration baselines for OS, software, file integrity monitoring and imaging. Security baseline configuration of the Operating System (including only allowing valid DLLs, secure policies) and integrity checking can help protect against adversaries attempting to compromise and modify software and its configurations.
|
| PR.PS-01.03 | Configuration deviation | Mitigates | T1135 | Network Share Discovery |
Comments
This diagnostic statement provides protection from Network Share Discovery through the implementation of security configuration baselines for OS, software, file integrity monitoring and imaging. Security baseline configuration of the Operating System and integrity checking can help protect against adversaries attempting to compromise and modify software and its configurations.
|
| PR.PS-01.03 | Configuration deviation | Mitigates | T1003 | OS Credential Dumping |
Comments
This diagnostic statement provides protection from OS Credential Dumping through the implementation of security configuration baselines for OS, software, file integrity monitoring and imaging. Security baseline configuration of the Operating System and integrity checking can help protect against adversaries attempting to compromise and elevate privileges.
|
| PR.PS-01.03 | Configuration deviation | Mitigates | T1003.001 | LSASS Memory |
Comments
This diagnostic statement provides protection from OS Credential Dumping: LSASS Memory through the implementation of security configuration baselines for OS, software, file integrity monitoring and imaging. Security baseline configuration of the Operating System and integrity checking can help protect against adversaries attempting to compromise and elevate privileges.
|
| PR.PS-01.03 | Configuration deviation | Mitigates | T1003.002 | Security Account Manager |
Comments
This diagnostic statement provides protection from OS Credential Dumping: Security Account Manager through the implementation of security configuration baselines for OS, software, file integrity monitoring and imaging. Security baseline configuration of the Operating System and integrity checking can help protect against adversaries attempting to compromise and elevate privileges.
|
| PR.PS-01.03 | Configuration deviation | Mitigates | T1003.005 | Cached Domain Credentials |
Comments
This diagnostic statement provides protection from OS Credential Dumping: Cached Domain Credentials through the implementation of security configuration baselines for OS, software, file integrity monitoring and imaging. Security baseline configuration of the Operating System and integrity checking can help protect against adversaries attempting to compromise and elevate privileges.
|
| PR.PS-01.03 | Configuration deviation | Mitigates | T1563 | Remote Service Session Hijacking |
Comments
This diagnostic statement provides protection from Remote Service Session Hijacking through the implementation of security configuration baselines for OS, software, file integrity monitoring and imaging. Security baseline configuration of the Operating System and integrity checking can help protect against adversaries attempting to compromise and modify software and its configurations.
|
| PR.PS-01.03 | Configuration deviation | Mitigates | T1563.002 | RDP Hijacking |
Comments
This diagnostic statement provides protection from Remote Service Session Hijacking: RDP Hijacking through the implementation of security configuration baselines for OS, software, file integrity monitoring and imaging. Security baseline configuration of the Operating System and integrity checking can help protect against adversaries attempting to compromise and modify software and its configurations.
|
| PR.PS-01.03 | Configuration deviation | Mitigates | T1021 | Remote Services |
Comments
This diagnostic statement provides protection from Remote Services through the implementation of security configuration baselines for OS, software, file integrity monitoring and imaging. Security baseline configuration of the Operating System and integrity checking can help protect against adversaries attempting to compromise and modify software and its configurations.
|
| PR.PS-01.03 | Configuration deviation | Mitigates | T1021.001 | Remote Desktop Protocol |
Comments
This diagnostic statement provides protection from Remote Desktop Protocol through the implementation of security configuration baselines for OS, software, file integrity monitoring and imaging. Security baseline configuration of the Operating System and integrity checking can help protect against adversaries attempting to compromise and modify software and its configurations.
|
| PR.PS-01.03 | Configuration deviation | Mitigates | T1053 | Scheduled Task/Job |
Comments
This diagnostic statement provides protection from Scheduled Task/Job through the implementation of security configuration baselines for OS, software, file integrity monitoring and imaging. Security baseline configuration of the Operating System including running of scheduled tasks as authenticated user instead of SYSTEM and integrity checking can help protect against adversaries attempting to compromise and modify software and its configurations.
|
| PR.PS-01.03 | Configuration deviation | Mitigates | T1053.002 | At |
Comments
This diagnostic statement provides protection from Scheduled Task/Job: At through the implementation of security configuration baselines for OS, software, file integrity monitoring and imaging. Security baseline configuration of the Operating System including running of scheduled tasks as authenticated user instead of SYSTEM and integrity checking can help protect against adversaries attempting to compromise and modify software and its configurations.
|
| PR.PS-01.03 | Configuration deviation | Mitigates | T1053.005 | Scheduled Task |
Comments
This diagnostic statement provides protection from Scheduled Task/Job: Scheduled Task through the implementation of security configuration baselines for OS, software, file integrity monitoring and imaging. Security baseline configuration of the Operating System including running of scheduled tasks as authenticated user instead of SYSTEM and integrity checking can help protect against adversaries attempting to compromise and modify software and its configurations.
|
| PR.PS-01.03 | Configuration deviation | Mitigates | T1552 | Unsecured Credentials |
Comments
This diagnostic statement provides protection from Unsecured Credentials through the implementation of security configuration baselines for OS, software, file integrity monitoring and imaging. Security baseline configuration of the Operating System and integrity checking can help protect against adversaries attempting to compromise and elevate privileges.
|
| PR.PS-01.03 | Configuration deviation | Mitigates | T1552.003 | Bash History |
Comments
This diagnostic statement provides protection from Unsecured Credentials: Bash History through the implementation of security configuration baselines for OS, software, file integrity monitoring and imaging. Security baseline configuration of the Operating System and integrity checking can help protect against adversaries attempting to compromise and elevate privileges.
|
| PR.PS-05.03 | Email and message service protection | Mitigates | T1566.002 | Spearphishing Link |
Comments
Use anti-spoofing and email authentication mechanisms to filter messages based on validity checks of the sender domain (using SPF) and integrity of messages (using DKIM). Enabling these mechanisms within an organization (through policies such as DMARC) may enable recipients (intra-org and cross domain) to perform similar message filtering and validation.
|
| PR.PS-05.03 | Email and message service protection | Mitigates | T1566.004 | Spearphishing Voice |
Comments
Anti-virus can also automatically quarantine suspicious files sent through messages via services, social media , personal webmail, etc.
|
| PR.PS-05.03 | Email and message service protection | Mitigates | T1566.003 | Spearphishing via Service |
Comments
Anti-virus can also automatically quarantine suspicious files sent through messages via services, social media , personal webmail, etc.
|
| PR.PS-05.03 | Email and message service protection | Mitigates | T1071.003 | Mail Protocols |
Comments
Network intrusion prevention techniques can be utilized to detect traffic for specific adversary malware, in hopes of being mitigated at the network level.
|
| PR.PS-05.03 | Email and message service protection | Mitigates | T1598.003 | Spearphishing Link |
Comments
Certain software configuration techniques can be utilized to detect and isolate spearphishing messages found with malicious attachments. Email authentication mechanisms allow malicious links to be filtered, detected and blocked, enabling users not to
|
| PR.PS-05.03 | Email and message service protection | Mitigates | T1598 | Phishing for Information |
Comments
Certain software configuration techniques can be utilized to detect and isolate spearphishing messages found with malicious attachments.
|
| PR.PS-05.03 | Email and message service protection | Mitigates | T1566 | Phishing |
Comments
Network intrusion prevention techniques can be utilized to remove malicious email attachment or link to prevent/block activity where phishing messages can be sent to users.
|
| PR.PS-05.03 | Email and message service protection | Mitigates | T1566.001 | Spearphishing Attachment |
Comments
Network intrusion prevention techniques can be utilized to remove malicious email attachment or link to prevent/block activity where phishing messages can be sent to users.
|
| PR.PS-05.03 | Email and message service protection | Mitigates | T1204.002 | Malicious File |
Comments
Tools that detect and block and remove malware provide protection from users deceived into opening malicious attachments or files that can be found in emails (spearphishing).
|
| PR.PS-05.03 | Email and message service protection | Mitigates | T1204.001 | Malicious Link |
Comments
Tools that detect and block and remove malware provide protection from users deceived into opening malicious documents, clicking on phishing links, or executing downloaded malware.
|
| PR.PS-06.06 | Vulnerability remediation | Mitigates | T1176 | Browser Extensions |
Comments
This diagnostic statement provides for identifying and remediating vulnerabilities as part of the SDLC. Ensuring operating systems and software are using the most current version can mitigate risks of exploitation and/or abuse.
|
| PR.PS-06.06 | Vulnerability remediation | Mitigates | T1542 | Pre-OS Boot |
Comments
This diagnostic statement provides for identifying and remediating vulnerabilities as part of the SDLC. Checking the integrity of the existing BIOS or EFI to determine if it is vulnerable to modification and updating firmware can mitigate risks of exploitation and/or abuse.
|
| PR.PS-06.06 | Vulnerability remediation | Mitigates | T1137.004 | Outlook Home Page |
Comments
This diagnostic statement provides for identifying and remediating vulnerabilities as part of the SDLC. Apply vendor security updates to mitigate risks of exploitation and/or abuse of Office mechanisms that can be used for persistence when an Office-based application is started.
|
| PR.PS-06.06 | Vulnerability remediation | Mitigates | T1212 | Exploitation for Credential Access |
Comments
This diagnostic statement provides for identifying and remediating vulnerabilities as part of the SDLC. Ensuring software is up-to-date with the latest security patches helps prevent adversaries from exploiting known vulnerabilities, reducing the risk of successful attacks.
|
| PR.PS-06.06 | Vulnerability remediation | Mitigates | T1195 | Supply Chain Compromise |
Comments
This diagnostic statement provides for identifying and remediating vulnerabilities as part of the SDLC. Continuous monitoring of vulnerability sources and the use of automatic and manual code review tools can mitigate Supply Chain Compromise.
|
| PR.PS-06.06 | Vulnerability remediation | Mitigates | T1195.001 | Compromise Software Dependencies and Development Tools |
Comments
This diagnostic statement provides for identifying and remediating vulnerabilities as part of the SDLC. Continuous monitoring of vulnerability sources and the use of automatic and manual code review tools can mitigate Supply Chain Compromise.
|
| PR.PS-06.06 | Vulnerability remediation | Mitigates | T1190 | Exploit Public-Facing Application |
Comments
This diagnostic statement provides for identifying and remediating vulnerabilities as part of the SDLC. Ensuring software is up-to-date with the latest security patches helps prevent adversaries from exploiting known vulnerabilities, reducing the risk of successful attacks.
|
| PR.PS-06.06 | Vulnerability remediation | Mitigates | T1210 | Exploitation of Remote Services |
Comments
This diagnostic statement provides for identifying and remediating vulnerabilities as part of the SDLC. Ensuring software is up-to-date with the latest security patches helps prevent adversaries from exploiting known vulnerabilities, reducing the risk of successful attacks.
|
| PR.PS-06.06 | Vulnerability remediation | Mitigates | T1195.002 | Compromise Software Supply Chain |
Comments
This diagnostic statement provides for identifying and remediating vulnerabilities as part of the SDLC. Continuous monitoring of vulnerability sources and the use of automatic and manual code review tools can mitigate Supply Chain Compromise.
|
| PR.PS-05.02 | Mobile code prevention | Mitigates | T1189 | Drive-by Compromise |
Comments
Mobile code procedures address specific actions taken to prevent the development, acquisition, and introduction of unacceptable mobile code within organizational systems, including requiring mobile code to be digitally signed by a trusted source.
|
| PR.PS-05.02 | Mobile code prevention | Mitigates | T1190 | Exploit Public-Facing Application |
Comments
Mobile code procedures address specific actions taken to prevent the development, acquisition, and introduction of unacceptable mobile code within organizational systems, including requiring mobile code to be digitally signed by a trusted source.
|
| PR.PS-05.02 | Mobile code prevention | Mitigates | T1203 | Exploitation for Client Execution |
Comments
Mobile code procedures address specific actions taken to prevent the development, acquisition, and introduction of unacceptable mobile code within organizational systems, including requiring mobile code to be digitally signed by a trusted source.
|
| PR.PS-05.02 | Mobile code prevention | Mitigates | T1212 | Exploitation for Credential Access |
Comments
Mobile code procedures address specific actions taken to prevent the development, acquisition, and introduction of unacceptable mobile code within organizational systems, including requiring mobile code to be digitally signed by a trusted source.
|
| PR.PS-05.02 | Mobile code prevention | Mitigates | T1211 | Exploitation for Defense Evasion |
Comments
Mobile code procedures address specific actions taken to prevent the development, acquisition, and introduction of unacceptable mobile code within organizational systems, including requiring mobile code to be digitally signed by a trusted source.
|
| PR.PS-05.02 | Mobile code prevention | Mitigates | T1210 | Exploitation of Remote Services |
Comments
Mobile code procedures address specific actions taken to prevent the development, acquisition, and introduction of unacceptable mobile code within organizational systems, including requiring mobile code to be digitally signed by a trusted source.
|
| PR.PS-05.02 | Mobile code prevention | Mitigates | T1559 | Inter-Process Communication |
Comments
Mobile code procedures address specific actions taken to prevent the development, acquisition, and introduction of unacceptable mobile code within organizational systems, including requiring mobile code to be digitally signed by a trusted source.
|
| PR.PS-05.02 | Mobile code prevention | Mitigates | T1559.001 | Component Object Model |
Comments
Mobile code procedures address specific actions taken to prevent the development, acquisition, and introduction of unacceptable mobile code within organizational systems, including requiring mobile code to be digitally signed by a trusted source.
|
| PR.PS-05.02 | Mobile code prevention | Mitigates | T1559.002 | Dynamic Data Exchange |
Comments
Mobile code procedures address specific actions taken to prevent the development, acquisition, and introduction of unacceptable mobile code within organizational systems, including requiring mobile code to be digitally signed by a trusted source.
|
| PR.PS-05.02 | Mobile code prevention | Mitigates | T1055.011 | Extra Window Memory Injection |
Comments
Mobile code procedures address specific actions taken to prevent the development, acquisition, and introduction of unacceptable mobile code within organizational systems, including requiring mobile code to be digitally signed by a trusted source.
|
| PR.PS-05.02 | Mobile code prevention | Mitigates | T1021 | Remote Services |
Comments
Mobile code procedures address specific actions taken to prevent the development, acquisition, and introduction of unacceptable mobile code within organizational systems, including requiring mobile code to be digitally signed by a trusted source.
|
| PR.PS-05.02 | Mobile code prevention | Mitigates | T1021.003 | Distributed Component Object Model |
Comments
Mobile code procedures address specific actions taken to prevent the development, acquisition, and introduction of unacceptable mobile code within organizational systems, including requiring mobile code to be digitally signed by a trusted source.
|
| PR.PS-05.02 | Mobile code prevention | Mitigates | T1548 | Abuse Elevation Control Mechanism |
Comments
Mobile code procedures address specific actions taken to prevent the development, acquisition, and introduction of unacceptable mobile code within organizational systems, including requiring mobile code to be digitally signed by a trusted source.
|
| PR.PS-05.02 | Mobile code prevention | Mitigates | T1548.004 | Elevated Execution with Prompt |
Comments
Mobile code procedures address specific actions taken to prevent the development, acquisition, and introduction of unacceptable mobile code within organizational systems, including requiring mobile code to be digitally signed by a trusted source.
|
| PR.PS-05.02 | Mobile code prevention | Mitigates | T1059 | Command and Scripting Interpreter |
Comments
Mobile code procedures address specific actions taken to prevent the development, acquisition, and introduction of unacceptable mobile code within organizational systems, including requiring mobile code to be digitally signed by a trusted source.
|
| PR.PS-05.02 | Mobile code prevention | Mitigates | T1059.001 | PowerShell |
Comments
Mobile code procedures address specific actions taken to prevent the development, acquisition, and introduction of unacceptable mobile code within organizational systems, including requiring mobile code to be digitally signed by a trusted source.
|
| PR.PS-05.02 | Mobile code prevention | Mitigates | T1059.002 | AppleScript |
Comments
Mobile code procedures address specific actions taken to prevent the development, acquisition, and introduction of unacceptable mobile code within organizational systems, including requiring mobile code to be digitally signed by a trusted source.
|
| PR.PS-05.02 | Mobile code prevention | Mitigates | T1059.005 | Visual Basic |
Comments
Mobile code procedures address specific actions taken to prevent the development, acquisition, and introduction of unacceptable mobile code within organizational systems, including requiring mobile code to be digitally signed by a trusted source.
|
| PR.PS-05.02 | Mobile code prevention | Mitigates | T1059.006 | Python |
Comments
Mobile code procedures address specific actions taken to prevent the development, acquisition, and introduction of unacceptable mobile code within organizational systems, including requiring mobile code to be digitally signed by a trusted source.
|
| PR.PS-05.02 | Mobile code prevention | Mitigates | T1059.007 | JavaScript |
Comments
Mobile code procedures address specific actions taken to prevent the development, acquisition, and introduction of unacceptable mobile code within organizational systems, including requiring mobile code to be digitally signed by a trusted source.
|
| PR.PS-05.02 | Mobile code prevention | Mitigates | T1036 | Masquerading |
Comments
Mobile code procedures address specific actions taken to prevent the development, acquisition, and introduction of unacceptable mobile code within organizational systems, including requiring mobile code to be digitally signed by a trusted source.
|
| PR.PS-05.02 | Mobile code prevention | Mitigates | T1036.005 | Match Legitimate Name or Location |
Comments
Mobile code procedures address specific actions taken to prevent the development, acquisition, and introduction of unacceptable mobile code within organizational systems, including requiring mobile code to be digitally signed by a trusted source.
|
| PR.PS-05.02 | Mobile code prevention | Mitigates | T1036.008 | Masquerade File Type |
Comments
Mobile code procedures address specific actions taken to prevent the development, acquisition, and introduction of unacceptable mobile code within organizational systems, including requiring mobile code to be digitally signed by a trusted source.
|
| PR.PS-05.02 | Mobile code prevention | Mitigates | T1137 | Office Application Startup |
Comments
Mobile code procedures address specific actions taken to prevent the development, acquisition, and introduction of unacceptable mobile code within organizational systems, including requiring mobile code to be digitally signed by a trusted source.
|
| PR.PS-05.02 | Mobile code prevention | Mitigates | T1218.001 | Compiled HTML File |
Comments
Mobile code procedures address specific actions taken to prevent the development, acquisition, and introduction of unacceptable mobile code within organizational systems, including requiring mobile code to be digitally signed by a trusted source.
|
| PR.PS-05.02 | Mobile code prevention | Mitigates | T1218.002 | Control Panel |
Comments
Mobile code procedures address specific actions taken to prevent the development, acquisition, and introduction of unacceptable mobile code within organizational systems, including requiring mobile code to be digitally signed by a trusted source.
|
| PR.PS-05.02 | Mobile code prevention | Mitigates | T1218.003 | CMSTP |
Comments
Mobile code procedures address specific actions taken to prevent the development, acquisition, and introduction of unacceptable mobile code within organizational systems, including requiring mobile code to be digitally signed by a trusted source.
|
| PR.PS-05.02 | Mobile code prevention | Mitigates | T1218.004 | InstallUtil |
Comments
Mobile code procedures address specific actions taken to prevent the development, acquisition, and introduction of unacceptable mobile code within organizational systems, including requiring mobile code to be digitally signed by a trusted source.
|
| PR.PS-05.02 | Mobile code prevention | Mitigates | T1218.005 | Mshta |
Comments
Mobile code procedures address specific actions taken to prevent the development, acquisition, and introduction of unacceptable mobile code within organizational systems, including requiring mobile code to be digitally signed by a trusted source.
|
| PR.PS-05.02 | Mobile code prevention | Mitigates | T1218.008 | Odbcconf |
Comments
Mobile code procedures address specific actions taken to prevent the development, acquisition, and introduction of unacceptable mobile code within organizational systems, including requiring mobile code to be digitally signed by a trusted source.
|
| PR.PS-05.02 | Mobile code prevention | Mitigates | T1218.009 | Regsvcs/Regasm |
Comments
Mobile code procedures address specific actions taken to prevent the development, acquisition, and introduction of unacceptable mobile code within organizational systems, including requiring mobile code to be digitally signed by a trusted source.
|
| PR.PS-05.02 | Mobile code prevention | Mitigates | T1218.012 | Verclsid |
Comments
Mobile code procedures address specific actions taken to prevent the development, acquisition, and introduction of unacceptable mobile code within organizational systems, including requiring mobile code to be digitally signed by a trusted source.
|
| PR.PS-05.02 | Mobile code prevention | Mitigates | T1218.013 | Mavinject |
Comments
Mobile code procedures address specific actions taken to prevent the development, acquisition, and introduction of unacceptable mobile code within organizational systems, including requiring mobile code to be digitally signed by a trusted source.
|
| PR.PS-05.02 | Mobile code prevention | Mitigates | T1218.014 | MMC |
Comments
Mobile code procedures address specific actions taken to prevent the development, acquisition, and introduction of unacceptable mobile code within organizational systems, including requiring mobile code to be digitally signed by a trusted source.
|
| PR.PS-05.02 | Mobile code prevention | Mitigates | T1218.015 | Electron Applications |
Comments
Mobile code procedures address specific actions taken to prevent the development, acquisition, and introduction of unacceptable mobile code within organizational systems, including requiring mobile code to be digitally signed by a trusted source.
|
| PR.PS-05.02 | Mobile code prevention | Mitigates | T1047 | Windows Management Instrumentation |
Comments
Mobile code procedures address specific actions taken to prevent the development, acquisition, and introduction of unacceptable mobile code within organizational systems, including requiring mobile code to be digitally signed by a trusted source.
|
| PR.PS-05.02 | Mobile code prevention | Mitigates | T1127.002 | ClickOnce |
Comments
Mobile code procedures address specific actions taken to prevent the development, acquisition, and introduction of unacceptable mobile code within organizational systems, including requiring mobile code to be digitally signed by a trusted source.
|
| PR.PS-05.02 | Mobile code prevention | Mitigates | T1036.001 | Invalid Code Signature |
Comments
Mobile code procedures address specific actions taken to prevent the development, acquisition, and introduction of unacceptable mobile code within organizational systems, including requiring mobile code to be digitally signed by a trusted source.
|
| PR.PS-01.07 | Cryptographic keys and certificates | Mitigates | T1098.006 | Additional Container Cluster Roles |
Comments
This diagnostic statement protects against Account Manipulation through the use of revocation of keys and key management. Employing limitations to specific accounts along with access control mechanisms provides protection against adversaries attempting to manipulate accounts.
|
| PR.PS-01.07 | Cryptographic keys and certificates | Mitigates | T1098.005 | Device Registration |
Comments
This diagnostic statement protects against Account Manipulation through the use of revocation of keys and key management. Employing limitations to specific accounts along with access control mechanisms provides protection against adversaries attempting to register devices.
|
| PR.PS-01.07 | Cryptographic keys and certificates | Mitigates | T1098.003 | Additional Cloud Roles |
Comments
This diagnostic statement protects against Account Manipulation through the use of revocation of keys and key management. Employing limitations to specific accounts along with access control mechanisms provides protection against adversaries attempting to manipulate accounts.
|
| PR.PS-01.07 | Cryptographic keys and certificates | Mitigates | T1098.002 | Additional Email Delegate Permissions |
Comments
This diagnostic statement protects against Account Manipulation through the use of revocation of keys and key management. Employing limitations to specific accounts along with access control mechanisms provides protection against adversaries attempting to add permissions to accounts.
|
| PR.PS-01.07 | Cryptographic keys and certificates | Mitigates | T1098.001 | Additional Cloud Credentials |
Comments
This diagnostic statement protects against Account Manipulation through the use of revocation of keys and key management. Employing limitations to specific accounts along with access control mechanisms provides protection against adversaries attempting to manipulate accounts.
|
| PR.PS-01.07 | Cryptographic keys and certificates | Mitigates | T1098 | Account Manipulation |
Comments
This diagnostic statement protects against Account Manipulation through the use of revocation of keys and key management. Employing limitations to specific accounts along with access control mechanisms provides protection against adversaries attempting to manipulate accounts.
|
| PR.PS-01.07 | Cryptographic keys and certificates | Mitigates | T1110.004 | Credential Stuffing |
Comments
This diagnostic statement protects against Brute Force through the use of revocation of keys and key management. Employing limitations to specific accounts along with access control mechanisms provides protection against adversaries attempting to brute force credentials.
|
| PR.PS-01.07 | Cryptographic keys and certificates | Mitigates | T1110.003 | Password Spraying |
Comments
This diagnostic statement protects against Brute Force through the use of revocation of keys and key management. Employing limitations to specific accounts along with access control mechanisms provides protection against adversaries attempting to brute force credentials.
|
| PR.PS-01.07 | Cryptographic keys and certificates | Mitigates | T1110.002 | Password Cracking |
Comments
This diagnostic statement protects against Brute Force through the use of revocation of keys and key management. Employing limitations to specific accounts along with access control mechanisms provides protection against adversaries attempting to brute force credentials.
|
| PR.PS-01.07 | Cryptographic keys and certificates | Mitigates | T1110.001 | Password Guessing |
Comments
This diagnostic statement protects against Brute Force through the use of revocation of keys and key management. Employing strong encryption keys and limitations to specific accounts along with access control mechanisms provides protection against adversaries attempting to guess credentials.
|
| PR.PS-01.07 | Cryptographic keys and certificates | Mitigates | T1110 | Brute Force |
Comments
This diagnostic statement protects against Brute Force through the use of revocation of keys and key management. Employing limitations to specific accounts along with access control mechanisms provides protection against adversaries attempting to brute force credentials.
|
| PR.PS-01.07 | Cryptographic keys and certificates | Mitigates | T1136.003 | Cloud Account |
Comments
This diagnostic statement protects against Create Account through the use of revocation of keys and key management. Employing limitations to specific accounts along with access control mechanisms provides protection against adversaries attempting to create accounts.
|
| PR.PS-01.07 | Cryptographic keys and certificates | Mitigates | T1136.002 | Domain Account |
Comments
This diagnostic statement protects against Create Account through the use of revocation of keys and key management. Employing limitations to specific accounts along with access control mechanisms provides protection against adversaries attempting to create accounts.
|
| PR.PS-01.07 | Cryptographic keys and certificates | Mitigates | T1136.001 | Local Account |
Comments
This diagnostic statement protects against Create Account through the use of revocation of keys and key management. Employing limitations to specific accounts along with access control mechanisms provides protection against adversaries attempting to create accounts.
|
| PR.PS-01.07 | Cryptographic keys and certificates | Mitigates | T1136 | Create Account |
Comments
This diagnostic statement protects against Create Account through the use of revocation of keys and key management. Employing limitations to specific accounts along with access control mechanisms provides protection against adversaries attempting to create accounts.
|
| PR.PS-01.07 | Cryptographic keys and certificates | Mitigates | T1485 | Data Destruction |
Comments
This diagnostic statement protects against Data Destruction through the use of revocation of keys and key management used in multi-factor authentication. Employing key protection strategies, limitations to specific accounts along with access control mechanisms provides protection against adversaries attempting to destroy data.
|
| PR.PS-01.07 | Cryptographic keys and certificates | Mitigates | T1530 | Data from Cloud Storage |
Comments
This diagnostic statement protects against Data from Cloud Storage through the use of revocation of keys and key management used in multi-factor authentication. Employing key protection strategies, limitations to specific accounts along with access control mechanisms provides protection against adversaries attempting to access data from cloud storage.
|
| PR.PS-01.07 | Cryptographic keys and certificates | Mitigates | T1213.003 | Code Repositories |
Comments
This diagnostic statement protects against Code Repositories through the use of revocation of keys and key management. Employing key protection strategies such as removing keys from code repositories, limitations to specific accounts along with access control mechanisms provides protection against adversaries attempting to glean credentials from code repositories.
|
| PR.PS-01.07 | Cryptographic keys and certificates | Mitigates | T1213 | Data from Information Repositories |
Comments
This diagnostic statement protects against Code Repositories through the use of revocation of keys and key management. Employing key protection strategies such as removing keys from information repositories, limitations to specific accounts along with access control mechanisms provides protection against adversaries attempting to glean credentials from code repositories.
|
| PR.PS-01.07 | Cryptographic keys and certificates | Mitigates | T1114.002 | Remote Email Collection |
Comments
This diagnostic statement protects against Email Collection through the use of revocation of keys and key management. Employing key protection strategies such as ensuring proper encryption methods and key management for those used in email along with policies for sending cryptographic material over email, limitations to specific accounts along with access control mechanisms provides protection against adversaries attempting to glean credentials from emails.
|
| PR.PS-01.07 | Cryptographic keys and certificates | Mitigates | T1114 | Email Collection |
Comments
This diagnostic statement protects against Email Collection through the use of revocation of keys and key management. Employing key protection strategies such as ensuring proper encryption methods and key management for those used in email along with policies for sending cryptographic material over email, limitations to specific accounts along with access control mechanisms provides protection against adversaries attempting to glean credentials from emails.
|
| PR.PS-01.07 | Cryptographic keys and certificates | Mitigates | T1133 | External Remote Services |
Comments
This diagnostic statement protects against External Remote Services through the use of revocation of keys and key management. Employing key protection strategies and key management for those used in external remote services, limitations to specific accounts along with access control mechanisms provides protection against adversaries attempting to access external remote services.
|
| PR.PS-01.07 | Cryptographic keys and certificates | Mitigates | T1556.007 | Hybrid Identity |
Comments
This diagnostic statement protects against Modify Authentication Process through the use of revocation of keys and key management. Employing key protection strategies and key management for key material used in identity management and authentication processes, limitations to specific accounts along with access control mechanisms provides protection against adversaries attempting to use hybrid identities.
|
| PR.PS-01.07 | Cryptographic keys and certificates | Mitigates | T1556.006 | Multi-Factor Authentication |
Comments
This diagnostic statement protects against Modify Authentication Process through the use of revocation of keys and key management. Employing key protection strategies and key management for key material used in identity management and authentication processes (including multi-factor authentication or MFA), limitations to specific accounts along with access control mechanisms provides protection against adversaries attempting to bypass or generate MFA requests.
|
| PR.PS-01.07 | Cryptographic keys and certificates | Mitigates | T1556.004 | Network Device Authentication |
Comments
This diagnostic statement protects against Modify Authentication Process through the use of revocation of keys and key management. Employing key protection strategies and key management for key material used in managing and signing images, limitations to specific accounts along with access control mechanisms provides protection against adversaries attempting to modify or patch network device authentication processes in those system images.
|
| PR.PS-01.07 | Cryptographic keys and certificates | Mitigates | T1556.003 | Pluggable Authentication Modules |
Comments
This diagnostic statement protects against Modify Authentication Process through the use of revocation of keys and key management. Employing key protection strategies and key management for key material used in PAM modules and its authentication process, limitations to specific accounts along with access control mechanisms provides protection against adversaries attempting to modify the PAM processes.
|
| PR.PS-01.07 | Cryptographic keys and certificates | Mitigates | T1556.001 | Domain Controller Authentication |
Comments
This diagnostic statement protects against Modify Authentication Process through the use of revocation of keys and key management. Employing key protection strategies and key management for key material used in identity management and authentication processes, limitations to specific accounts along with access control mechanisms provides protection against adversaries attempting to modify domain controller authentication mechanisms.
|
| PR.PS-01.07 | Cryptographic keys and certificates | Mitigates | T1556 | Modify Authentication Process |
Comments
This diagnostic statement protects against Modify Authentication Process through the use of revocation of keys and key management. Employing key protection strategies and key management for key material used in identity management and authentication processes, limitations to specific accounts along with access control mechanisms provides protection against adversaries attempting to modify authentication processes.
|
| PR.PS-01.07 | Cryptographic keys and certificates | Mitigates | T1601.002 | Downgrade System Image |
Comments
This diagnostic statement protects against Downgrade System Image through the use of revocation of keys and key management. Employing key protection strategies and key management for key material used in managing and signing images, limitations to specific accounts along with access control mechanisms provides protection against adversaries attempting to modify or patch system images.
|
| PR.PS-01.07 | Cryptographic keys and certificates | Mitigates | T1601.001 | Patch System Image |
Comments
This diagnostic statement protects against Patch System Image through the use of revocation of keys and key management. Employing key protection strategies and key management for key material used in managing and signing images, limitations to specific accounts along with access control mechanisms provides protection against adversaries attempting to modify or patch system images.
|
| PR.PS-01.07 | Cryptographic keys and certificates | Mitigates | T1601 | Modify System Image |
Comments
This diagnostic statement protects against Modify System Image through the use of revocation of keys and key management. Employing key protection strategies and key management for key material used in managing and signing images, limitations to specific accounts along with access control mechanisms provides protection against adversaries attempting to modify or patch system images.
|
| PR.PS-01.07 | Cryptographic keys and certificates | Mitigates | T1621 | Multi-Factor Authentication Request Generation |
Comments
This diagnostic statement protects against Multi-Factor Authentication Request Generation through the use of revocation of keys and key management. Employing key protection strategies and key management for key material used in identity management and authentication processes (including multi-factor authentication or MFA), limitations to specific accounts along with access control mechanisms provides protection against adversaries attempting to bypass or generate MFA requests.
|
| PR.PS-01.07 | Cryptographic keys and certificates | Mitigates | T1599.001 | Network Address Translation Traversal |
Comments
This diagnostic statement protects against Network Address Translation Traversal through the use of revocation of keys and key management. Employing key protection strategies and key management for key material used in identity management and authentication processes (including multi-factor authentication or MFA for network devices using TACACS+/RADIUS), limitations to specific accounts along with access control mechanisms provides protection against adversaries attempting to perform Network Address Translation Traversal.
|
| PR.PS-01.07 | Cryptographic keys and certificates | Mitigates | T1599 | Network Boundary Bridging |
Comments
This diagnostic statement protects against Network Boundary Bridging through the use of revocation of keys and key management. Employing key protection strategies and key management for key material used in identity management and authentication processes (including multi-factor authentication or MFA for network devices using TACACS+/RADIUS), limitations to specific accounts along with access control mechanisms provides protection against adversaries attempting to perform Network Boundary Bridging.
|
| PR.PS-01.07 | Cryptographic keys and certificates | Mitigates | T1040 | Network Sniffing |
Comments
This diagnostic statement protects against Network Sniffing through the use of revocation of keys and key management. Employing key protection strategies for key material used in identity management and authentication processes transmitted over networks, limitations to specific accounts along with access control mechanisms provides protection against adversaries attempting to use network sniffing.
|
| PR.PS-01.07 | Cryptographic keys and certificates | Mitigates | T1021.007 | Cloud Services |
Comments
This diagnostic statement protects against Remote Services: Cloud Services through the use of revocation of keys and key management. Employing key protection strategies for key material used in identity management and authentication processes in cloud services, limitations to specific accounts along with access control mechanisms provides protection against adversaries attempting to use cloud services.
|
| PR.PS-01.07 | Cryptographic keys and certificates | Mitigates | T1021.004 | SSH |
Comments
This diagnostic statement protects against Remote Services: SSH through the use of revocation of keys and key management. Employing key protection strategies for key material used in SSH, limitations to specific accounts along with access control mechanisms limits adversaries attempting to use valid accounts on SSH.
|
| PR.PS-01.07 | Cryptographic keys and certificates | Mitigates | T1021.001 | Remote Desktop Protocol |
Comments
This diagnostic statement protects against Remote Services: Remote Desktop Protocol (RDP) through the use of revocation of keys and key management. Employing key protection strategies such as multi-factor authentication for key material used in authentication for RDP, limitations to specific accounts along with access control mechanisms provides protection against adversaries attempting to use valid accounts over RDP.
|
| PR.PS-01.07 | Cryptographic keys and certificates | Mitigates | T1021 | Remote Services |
Comments
This diagnostic statement protects against Remote Services through the use of revocation of keys and key management. Employing key protection strategies for key material used in identity management and authentication processes transmitted over networks, limitations to specific accounts along with access control mechanisms provides protection against adversaries attempting to misuse remote services.
|
| PR.PS-01.07 | Cryptographic keys and certificates | Mitigates | T1072 | Software Deployment Tools |
Comments
This diagnostic statement protects against Software Deployment Tools through the use of revocation of keys and key management. Employing key protection strategies for key material used in software deployment tools including signing, limitations to specific accounts along with access control mechanisms provides protection against adversaries attempting to misuse software deployment tools.
|
| PR.PS-01.07 | Cryptographic keys and certificates | Mitigates | T1539 | Steal Web Session Cookie |
Comments
This diagnostic statement protects against Steal Web Session Cookie through the use of revocation of keys and key management. Employing key protection strategies for key material used as part of multifactor authentication in authentication processes for web applications using cookies, limitations to specific accounts along with access control mechanisms provides protection against adversaries attempting to steal session cookies.
|
| PR.PS-01.07 | Cryptographic keys and certificates | Mitigates | T1199 | Trusted Relationship |
Comments
This diagnostic statement protects against Trusted Relationship through the use of revocation of keys and key management. Employing key protection strategies for key material used in identity management and authentication processes for trusted entities, limitations to specific accounts along with access control mechanisms provides protection against adversaries attempting to abuse trusted relationships.
|
| PR.PS-01.07 | Cryptographic keys and certificates | Mitigates | T1078.004 | Cloud Accounts |
Comments
This diagnostic statement protects against Valid Accounts: Cloud Accounts through the use of revocation of keys and key management. Employing key protection strategies for key material used as part of multi-factor authentication for valid accounts, limitations to specific accounts along with access control mechanisms provides protection against adversaries attempting to use valid accounts.
|
| PR.PS-01.07 | Cryptographic keys and certificates | Mitigates | T1078.003 | Local Accounts |
Comments
This diagnostic statement protects against Valid Accounts: Local Accounts through the use of revocation of keys and key management. Employing key protection strategies for key material used as part of multi-factor authentication for valid accounts, limitations to specific accounts along with access control mechanisms provides protection against adversaries attempting to use valid accounts.
|
| PR.PS-01.07 | Cryptographic keys and certificates | Mitigates | T1078.002 | Domain Accounts |
Comments
This diagnostic statement protects against Valid Accounts: Domain Accounts through the use of revocation of keys and key management. Employing key protection strategies for key material used as part of multi-factor authentication for valid accounts, limitations to specific accounts along with access control mechanisms provides protection against adversaries attempting to use valid accounts.
|
| PR.PS-01.07 | Cryptographic keys and certificates | Mitigates | T1078 | Valid Accounts |
Comments
This diagnostic statement protects against Valid Accounts through the use of revocation of keys and key management. Employing key protection strategies for key material used as part of multi-factor authentication for valid accounts, limitations to specific accounts along with access control mechanisms provides protection against adversaries attempting to use valid accounts.
|
| PR.PS-01.07 | Cryptographic keys and certificates | Mitigates | T1557.002 | ARP Cache Poisoning |
Comments
This diagnostic statement protects against Adversary-in-the-middle: ARP Cache Poisoning through the use of revocation of keys and key management. Employing key protection strategies for key material used in identity management and authentication processes over networks, limitations to specific accounts along with access control mechanisms provides protection against adversary-in-the-middle.
|
| PR.PS-01.07 | Cryptographic keys and certificates | Mitigates | T1557 | Adversary-in-the-Middle |
Comments
This diagnostic statement protects against Adversary-in-the-middle through the use of revocation of keys and key management. Employing key protection strategies for key material used in identity management and authentication processes over networks, limitations to specific accounts along with access control mechanisms provides protection against adversary-in-the-middle
|
| PR.PS-01.07 | Cryptographic keys and certificates | Mitigates | T1119 | Automated Collection |
Comments
This diagnostic statement protects against Adversary-in-the-middle: ARP Cache Poisoning through the use of revocation of keys and key management. Employing key protection strategies for key material used in identity management and authentication processes over networks, limitations to specific accounts along with access control mechanisms provides protection against adversary-in-the-middle
|
| PR.PS-01.07 | Cryptographic keys and certificates | Mitigates | T1020.001 | Traffic Duplication |
Comments
This diagnostic statement protects against Automated Exfiltration: Traffic Duplication through the use of revocation of keys and key management. Employing key protection strategies for key material used in identity management and authentication processes over networks, limitations to specific accounts along with access control mechanisms provides protection against traffic duplication.
|
| PR.PS-01.07 | Cryptographic keys and certificates | Mitigates | T1020 | Automated Exfiltration |
Comments
This diagnostic statement protects against Automated Exfiltration through the use of revocation of keys and key management. Employing key protection strategies for key material used in identity management and authentication processes over networks, limitations to specific accounts along with access control mechanisms provides protection against automated exfiltration.
|
| PR.PS-01.07 | Cryptographic keys and certificates | Mitigates | T1659 | Content Injection |
Comments
This diagnostic statement protects against Content Injection through the use of revocation of keys and key management. Employing key protection strategies for key material used in virtual private networks, identity management, and authentication processes over networks, limitations to specific accounts along with access control mechanisms provides protection against content injection.
|
| PR.PS-01.07 | Cryptographic keys and certificates | Mitigates | T1602.002 | Network Device Configuration Dump |
Comments
This diagnostic statement protects against Data from Configuration Repository: Network Device Configuration Dump through the use of revocation of keys and key management. Employing key protection strategies for key material used in identity management and authentication processes over networks, limitations to specific accounts along with access control mechanisms provides protection against network device configuration dump.
|
| PR.PS-01.07 | Cryptographic keys and certificates | Mitigates | T1602.001 | SNMP (MIB Dump) |
Comments
This diagnostic statement protects against Data from Configuration Repository: SNMP (MIB Dump) through the use of revocation of keys and key management. Employing key protection strategies for key material used in identity management and authentication processes over networks, limitations to specific accounts along with access control mechanisms provides protection against MIB Dump.
|
| PR.PS-01.07 | Cryptographic keys and certificates | Mitigates | T1602 | Data from Configuration Repository |
Comments
This diagnostic statement protects against Data from Configuration Repository through the use of revocation of keys and key management. Employing key protection strategies for key material used in identity management and authentication processes over networks, limitations to specific accounts along with access control mechanisms provides protection against data from configuration repository.
|
| PR.PS-01.07 | Cryptographic keys and certificates | Mitigates | T1565.002 | Transmitted Data Manipulation |
Comments
This diagnostic statement protects against Transmitted Data Manipulation through the use of revocation of keys and key management. Employing key protection strategies for key material used in sensitive information transmitted over networks, limitations to specific accounts along with access control mechanisms provides protection against transmitted data manipulation by adversaries.
|
| PR.PS-01.07 | Cryptographic keys and certificates | Mitigates | T1565.001 | Stored Data Manipulation |
Comments
This diagnostic statement protects against Stored Data Manipulation through the use of revocation of keys and key management. Employing key protection strategies for key material used for storage of sensitive information, limitations to specific accounts along with access control mechanisms provides protection against stored data manipulation by adversaries.
|
| PR.PS-01.07 | Cryptographic keys and certificates | Mitigates | T1565 | Data Manipulation |
Comments
This diagnostic statement protects against Data Manipulation through the use of revocation of keys and key management. Employing key protection strategies for key material used for storage and transmission of sensitive information over networks, limitations to specific accounts along with access control mechanisms provides protection against data manipulation by adversaries.
|
| PR.PS-01.07 | Cryptographic keys and certificates | Mitigates | T1114.003 | Email Forwarding Rule |
Comments
This diagnostic statement protects against Email Forwarding Rule through the use of key management. Employing key protection strategies for key material used in protection of emails, limitations to specific accounts along with access control mechanisms provides protection against adversaries abusing email forwarding rule.
|
| PR.PS-01.07 | Cryptographic keys and certificates | Mitigates | T1114.001 | Local Email Collection |
Comments
This diagnostic statement protects against Local Email Collection through the use of key management. Employing key protection strategies for key material used in protection of emails, limitations to specific accounts along with access control mechanisms provides protection against adversaries abusing local email collection.
|
| PR.PS-01.07 | Cryptographic keys and certificates | Mitigates | T1070.002 | Clear Linux or Mac System Logs |
Comments
This diagnostic statement protects against Clear Linux or Mac System Logs through the use of key management. Employing key protection strategies for key material used in protection of event logs, limitations to specific accounts along with access control mechanisms provides protection against adversaries trying to clear system logs.
|
| PR.PS-01.07 | Cryptographic keys and certificates | Mitigates | T1070.001 | Clear Windows Event Logs |
Comments
This diagnostic statement protects against Clear Windows Event Logs through the use of key management. Employing key protection strategies for key material used in protection of event logs, limitations to specific accounts along with access control mechanisms provides protection against adversaries trying to clear system logs.
|
| PR.PS-01.07 | Cryptographic keys and certificates | Mitigates | T1070 | Indicator Removal |
Comments
This diagnostic statement protects against Indicator Removal through the use of key management. Employing key protection strategies for key material used in protection of indicators, limitations to specific accounts along with access control mechanisms provides protection against adversaries trying to remove indicators of compromise.
|
| PR.PS-01.07 | Cryptographic keys and certificates | Mitigates | T1003.003 | NTDS |
Comments
This diagnostic statement protects against OS Credential Dumping: NTDS through the use of revocation of keys and key management. Employing key protection strategies for key material used in protection of domain controller backups, limitations to specific accounts along with access control mechanisms provides protection against adversaries trying to obtain credentials from NTDS backups.
|
| PR.PS-01.07 | Cryptographic keys and certificates | Mitigates | T1003 | OS Credential Dumping |
Comments
This diagnostic statement protects against OS Credential Dumping through the use of revocation of keys and key management. Employing key protection strategies for key material used in protection of OS credential backups, limitations to specific accounts along with access control mechanisms provides protection against adversaries trying to obtain credentials from OS credential backups.
|
| PR.PS-01.07 | Cryptographic keys and certificates | Mitigates | T1649 | Steal or Forge Authentication Certificates |
Comments
This diagnostic statement protects against Steal or Forge Authentication Certificates through the use of revocation of keys and key management. Employing certificate protection strategies such as storing in a Hardware Security Module like a TPM and checking certificate validity for those used in identity management and authentication processes, limitations to specific accounts along with access control mechanisms provides protection against adversaries trying to steal or forge authentication certificates.
|
| PR.PS-01.07 | Cryptographic keys and certificates | Mitigates | T1558.004 | AS-REP Roasting |
Comments
This diagnostic statement protects against Steal or Forge Kerberos Tickets: AS-REP Roasting through the use of revocation of keys and key management. Employing key protection strategies for key material used in identity management and authentication processes, limitations to specific accounts along with access control mechanisms provides protection against adversaries trying to perform AS-REP Roasting.
|
| PR.PS-01.07 | Cryptographic keys and certificates | Mitigates | T1558.003 | Kerberoasting |
Comments
This diagnostic statement protects against Steal or Forge Kerberos Tickets: Kerberoasting through the use of revocation of keys and key management. Employing key protection strategies for key material used in identity management and authentication processes, limitations to specific accounts along with access control mechanisms provides protection against adversaries trying to perform Kerbeoasting.
|
| PR.PS-01.07 | Cryptographic keys and certificates | Mitigates | T1558.002 | Silver Ticket |
Comments
This diagnostic statement protects against Steal or Forge Kerberos Tickets: Silver Ticket through the use of revocation of keys and key management. Employing key protection strategies for key material used in identity management and authentication processes, especially for known services such as MSSQL etc., limitations to specific accounts along with access control mechanisms provides protection against adversaries trying to steal or forge kerberos tickets.
|
| PR.PS-01.07 | Cryptographic keys and certificates | Mitigates | T1558 | Steal or Forge Kerberos Tickets |
Comments
This diagnostic statement protects against Steal or Forge Kerberos Tickets through the use of revocation of keys and key management. Employing key protection strategies for key material used in identity management and authentication processes, especially for Kerberos authentication process, limitations to specific accounts along with access control mechanisms provides protection against adversaries trying to steal or forge kerberos tickets.
|
| PR.PS-01.07 | Cryptographic keys and certificates | Mitigates | T1552.004 | Private Keys |
Comments
This diagnostic statement protects against Unsecured Credentials: Private Keys through the use of revocation of keys and key management. Employing key protection strategies for key material such as private keys used in protecting credentials, limitations to specific accounts along with access control mechanisms provides protection against adversaries trying to compromise credentials.
|
| PR.PS-01.07 | Cryptographic keys and certificates | Mitigates | T1552 | Unsecured Credentials |
Comments
This diagnostic statement protects against Unsecured Credentials through the use of revocation of keys and key management. Employing key protection strategies for key material such as private keys, limitations to specific accounts along with access control mechanisms provides protection against adversaries trying to compromise credentials.
|
| PR.PS-01.07 | Cryptographic keys and certificates | Mitigates | T1550.001 | Application Access Token |
Comments
This diagnostic statement protects against Application Access Token through the use of revocation of keys and key management. Employing key protection strategies for key material such as those used in generation or protection of application access tokens, limitations to specific accounts along with access control mechanisms provides protection against adversaries trying to compromise application access tokens.
|
| PR.PS-01.07 | Cryptographic keys and certificates | Mitigates | T1550 | Use Alternate Authentication Material |
Comments
This diagnostic statement protects against Use Alternate Authentication Material through the use of revocation of keys and key management. Employing key protection strategies for key material used for identity management and authentication processes, limitations to specific accounts along with access control mechanisms provides protection against adversaries trying to use alternate authentication material.
|
| PR.PS-01.07 | Cryptographic keys and certificates | Mitigates | T1547 | Boot or Logon Autostart Execution |
Comments
This diagnostic statement protects against Boot or Logon Autostart Execution through the use of revocation of keys and key management. Employing key protection strategies for key material used for protecting integrity of boot firmware, system images, and using Hardware Security Modules such as TPMs to store those keys, limitations to specific accounts along with access control mechanisms provides protection against adversaries trying to compromise boot or logon autostart execution.
|
| PR.PS-01.07 | Cryptographic keys and certificates | Mitigates | T1547.008 | LSASS Driver |
Comments
This diagnostic statement protects against Boot or Logon Autostart Execution: LSASS Driver through the use of revocation of keys and key management. Employing key protection strategies for key material used for protecting integrity of boot firmware, system images, and using Hardware Security Modules such as TPMs to store those keys, along with use of Credential Guard provides protection against adversaries trying to compromise boot or logon autostart execution.
|
| PR.PS-01.07 | Cryptographic keys and certificates | Mitigates | T1003.001 | LSASS Memory |
Comments
This diagnostic statement protects against OS Credential Dumping: LSASS Memory through the use of revocation of keys and key management. Employing key protection strategies for key material used for protecting integrity of boot firmware, system images, and using Hardware Security Modules such as TPMs to store those keys, along with use of Credential Guard provides protection against adversaries trying to perform OS Credential dumping of LSASS memory.
|
| PR.PS-01.07 | Cryptographic keys and certificates | Mitigates | T1558.005 | Ccache Files |
Comments
This diagnostic statement protects against Steal or Forge Kerberos Tickets: Ccache Files through the use of revocation of keys and key management. Employing key protection strategies for key material used in identity management and authentication processes, limitations to specific accounts along with access control mechanisms provides protection against adversaries trying to steal or forge kerberos tickets.
|
| PR.PS-01.09 | Virtualized end point protection | Mitigates | T1021.002 | SMB/Windows Admin Shares |
Comments
The diagnostic statement highlights several mechanisms that organizations can implement to protect endpoint systems using virtualization technologies, essentially hypervisor hardening. With this technique, adversaries may transfer tools, payloads, or other malware between systems in a compromised environment, such as between a VM and host system. Hypervisor hardening may help in monitoring and restricting unexpected network share access, such as files transferred between shares within a network using protocols such as SMB by virtualized technologies.
|
| PR.PS-01.09 | Virtualized end point protection | Mitigates | T1570 | Lateral Tool Transfer |
Comments
The diagnostic statement highlights several mechanisms that organizations can implement to protect endpoint systems using virtualization technologies, essentially hypervisor hardening. With this technique, adversaries may transfer tools, payloads, or other malware between systems in a compromised environment, such as between a VM and host system. Hypervisor hardening may help in monitoring and restricting unexpected network share access, such as files transferred between shares within a network using protocols such as SMB by virtualized technologies.
|
| PR.PS-01.09 | Virtualized end point protection | Mitigates | T1213 | Data from Information Repositories |
Comments
The diagnostic statement outlines several mechanisms that organizations can use to protect endpoint systems with virtualization technologies, focusing primarily on hypervisor hardening. By implementing hypervisor hardening measures—such as requiring multi-factor authentication to restrict access to resources and information stored in the cloud from various virtual machines, organizations may help prevent data leakage caused by adversaries exploiting VM instances.
|
| PR.PS-01.09 | Virtualized end point protection | Mitigates | T1098 | Account Manipulation |
Comments
The diagnostic statement highlights several mechanisms that organizations can implement to protect endpoint systems using virtualization technologies, essentially hypervisor hardening. Use multi-factor authentication for user and privileged accounts running virtual machines.
|
| PR.PS-01.09 | Virtualized end point protection | Mitigates | T1129 | Shared Modules |
Comments
The diagnostic statement highlights several mechanisms that organizations can implement to protect endpoint systems using virtualization technologies, essentially hypervisor hardening. With this technique, adversaries may use may use an existing VM leveraging a legitimate external Web service to exfiltrate data rather than their primary command and control channel. The use of hypervisor application control may detect and block this type of behavior from occurring.
|
| PR.PS-01.09 | Virtualized end point protection | Mitigates | T1567 | Exfiltration Over Web Service |
Comments
The diagnostic statement highlights several mechanisms that organizations can implement to protect endpoint systems using virtualization technologies, essentially hypervisor hardening. With this technique, adversaries may use may use an existing VM leveraging a legitimate external Web service to exfiltrate data rather than their primary command and control channel. The use of hypervisor application control may detect and block this type of behavior from occurring.
|
| PR.PS-01.09 | Virtualized end point protection | Mitigates | T1204 | User Execution |
Comments
The diagnostic statement highlights several mechanisms that organizations can implement to protect endpoint systems using virtualization technologies, essentially hypervisor hardening. With this technique, adversaries may use may use an existing VM leveraging a legitimate external Web service to exfiltrate data rather than their primary command and control channel. The use of hypervisor application control may detect and block this type of behavior from occurring.
|
| PR.PS-01.09 | Virtualized end point protection | Mitigates | T1525 | Implant Internal Image |
Comments
The diagnostic statement highlights several mechanisms that organizations can implement to protect endpoint systems using virtualization technologies, essentially hypervisor hardening. With this technique, adversaries may implant cloud or container images with malicious code to establish persistence after gaining access to an environment. Periodically baselining virtual machine images to identify malicious modifications or additions may aid in mitigating this technique and with mitigating interactions with images that are modified anomalously.
|
| PR.PS-01.09 | Virtualized end point protection | Mitigates | T1080 | Taint Shared Content |
Comments
The diagnostic statement highlights several mechanisms that organizations can implement to protect endpoint systems using virtualization technologies, essentially hypervisor hardening. With this technique, adversaries may deliver payloads to host systems by adding content to shared storage and file locations, such as a shared directory between the host and virtual machine. Hypervisor hardening can restrict or limit the ability to of the virtualized machine to taint shared content, making it harder for attackers to manipulate shared content.
|
| PR.PS-01.09 | Virtualized end point protection | Mitigates | T1552.001 | Credentials In Files |
Comments
The diagnostic statement highlights several mechanisms that organizations can implement to protect endpoint systems using virtualization technologies, essentially hypervisor hardening. With this technique, adversaries may search host shared directories/filed between a VM and host device to find files of interest, specifically credentials in files. Hypervisor hardening can restrict or limit the ability to access files containing insecurely stored credentials between the virtualized machine and host system, making it harder for attackers to collect data from host shared files.
|
| PR.PS-01.09 | Virtualized end point protection | Mitigates | T1039 | Data from Network Shared Drive |
Comments
The diagnostic statement highlights several mechanisms that organizations can implement to protect endpoint systems using virtualization technologies, essentially hypervisor hardening. With this technique, adversaries may search host shared directories between a VM and host device to find files of interest. Hypervisor hardening can restrict or limit the ability to share files between the virtualized machine and host system, making it harder for attackers to collect data from host shared directories.
|
| PR.PS-01.09 | Virtualized end point protection | Mitigates | T1562 | Impair Defenses |
Comments
The diagnostic statement highlights several mechanisms that organizations can implement to protect endpoint systems using virtualization technologies, essentially hypervisor hardening. Hypervisor hardening can limit the ability of virtual machines to disable or modify security tools or configurations within the host system, making it harder for attackers to evade detection.
|
| PR.PS-01.09 | Virtualized end point protection | Mitigates | T1578 | Modify Cloud Compute Infrastructure |
Comments
The diagnostic statement highlights several mechanisms that organizations can implement to protect endpoint systems using virtualization technologies, essentially hypervisor hardening. The creation of a new instance or VM is a common part of operations within many cloud environments. Establish centralized logging of instance activity, which can be used to monitor and review system events even after reverting to a snapshot, rolling back changes, or changing persistence/type of storage. Monitor specifically for events related to snapshots and rollbacks and VM configuration changes, that are occurring outside of normal activity. To reduce false positives, valid change management procedures could introduce a known identifier that is logged with the change (e.g., tag or header) if supported by the cloud provider, to help distinguish valid, expected actions from malicious ones.
|
| PR.PS-01.09 | Virtualized end point protection | Mitigates | T1210 | Exploitation of Remote Services |
Comments
The diagnostic statement highlights several mechanisms that organizations can implement to protect endpoint systems using virtualization technologies. Virtualization technologies provide a layer of isolation and containment to isolate and contain the impact of potential compromises. When it comes to this exploitation technique, consider making it difficult for adversaries to advance their operation through exploitation of unpatched vulnerabilities of your virtualized technologies.
|
| PR.PS-01.09 | Virtualized end point protection | Mitigates | T1068 | Exploitation for Privilege Escalation |
Comments
The diagnostic statement highlights several mechanisms that organizations can implement to protect endpoint systems using virtualization technologies. Virtualization technologies provide a layer of isolation and containment to isolate and contain the impact of potential compromises. When it comes to this exploitation technique, consider making it difficult for adversaries to advance their operation through exploitation of unpatched vulnerabilities of your virtualized technologies.
|
| PR.PS-01.09 | Virtualized end point protection | Mitigates | T1211 | Exploitation for Defense Evasion |
Comments
The diagnostic statement highlights several mechanisms that organizations can implement to protect endpoint systems using virtualization technologies. Virtualization technologies provide a layer of isolation and containment to isolate and contain the impact of potential compromises. When it comes to this exploitation technique, consider making it difficult for adversaries to advance their operation through exploitation of unpatched vulnerabilities of your virtualized technologies.
|
| PR.PS-01.09 | Virtualized end point protection | Mitigates | T1212 | Exploitation for Credential Access |
Comments
The diagnostic statement highlights several mechanisms that organizations can implement to protect endpoint systems using virtualization technologies. Virtualization technologies provide a layer of isolation and containment to isolate and contain the impact of potential compromises. When it comes to this exploitation technique, consider making it difficult for adversaries to advance their operation through exploitation of unpatched vulnerabilities of your virtualized technologies.
|
| PR.PS-01.09 | Virtualized end point protection | Mitigates | T1203 | Exploitation for Client Execution |
Comments
The diagnostic statement highlights several mechanisms that organizations can implement to protect endpoint systems using virtualization technologies. Virtualization technologies provide a layer of isolation and containment to isolate and contain the impact of potential compromises. When it comes to this exploitation technique, consider making it difficult for adversaries to advance their operation through exploitation of unpatched vulnerabilities of your virtualized technologies.
|
| PR.PS-01.09 | Virtualized end point protection | Mitigates | T1190 | Exploit Public-Facing Application |
Comments
The diagnostic statement highlights several mechanisms that organizations can implement to protect endpoint systems using virtualization technologies. Virtualization technologies provide a layer of isolation and containment to isolate and contain the impact of potential compromises. When it comes to this exploitation technique, consider making it difficult for adversaries to advance their operation through exploitation of unpatched vulnerabilities of your virtualized technologies. Application isolation will limit what other processes and system features the exploited target can access, thus aiding with mitigations related to exploiting public facing applications.
|
| PR.PS-01.09 | Virtualized end point protection | Mitigates | T1611 | Escape to Host |
Comments
The diagnostic statement highlights several mechanisms that organizations can implement to protect endpoint systems using virtualization technologies. Virtualization technologies provide a layer of isolation and containment to isolate and contain the impact of potential compromises. For the Escape to Host technique, Consider utilizing seccomp, seccomp-bpf, or a similar solution that restricts certain system calls such as mount. In Kubernetes environments, consider defining Pod Security Standards that limit container access to host process namespaces, the host network, and the host file system.
|
| PR.PS-01.09 | Virtualized end point protection | Mitigates | T1189 | Drive-by Compromise |
Comments
The diagnostic statement highlights several mechanisms that organizations can implement to protect endpoint systems using virtualization technologies. Virtualization technologies provide a layer of isolation and containment to isolate and contain the impact of potential compromises. When it comes to the Drive-By-Compromise, browser sandboxes can be used to mitigate some of the impact of exploitation, but sandbox escapes may still exist. Other types of virtualization and application micro-segmentation may also mitigate the impact of client-side exploitation. The risks of additional exploits and weaknesses in implementation may still exist for these types of systems.
|
| PR.PS-01.04 | Time services and synchronization | Mitigates | T1498.002 | Reflection Amplification |
Comments
NTP amplification is a specialized form of distributed denial-of-service (DDoS) reflection amplification attacks that exploits the Network Time Protocol (NTP) to overwhelm victims with high volumes of traffic. This diagnostic statement describes practice guidance to secure and manage time synchronization infrastructure. To mitigate this technique under best practice guidance, consider patching NTP Software to remove dangerous amplifying commands like monlist; enable authentication for NTP changes to mitigate anonymous abuse; filtering of inbound UDP port 123 prevents reception of NTP; limit access to NTP servers to just authorized hots rather than global organizational access to prevent potential wide-spread abuse of DDoS reflection attacks.
|
| PR.PS-01.04 | Time services and synchronization | Mitigates | T1070.006 | Timestomp |
Comments
The ATT&CK technique T1070.006 involves adversaries modifying file timestamps to evade detection or forensic analysis. The diagnostic statement describes maintaining and securing accurate and synchronized time values across systems. Organizations can mitigate this technique through the use of secure and authenticated time synchronization protocols (e.g., NTP with authentication) to prevent adversaries from tampering with time values of files and artifacts.
|
| PR.PS-01.04 | Time services and synchronization | Mitigates | T1497.003 | Time Based Evasion |
Comments
The diagnostic statement focuses on the importance of maintaining and securing the accurate and synchronized time values across systems. The ATT&CK technique T1497.003 Virtualization/Sandbox Evasion: Time Based Evasion involves adversaries using time-based evasion methods to detect or bypass virtualization or sandbox environments. Organizations can mitigate these methods by ensuring time integrity, accurate time synchronization, and hardening time services across virtualized and sandbox environments.
|
| PR.PS-01.04 | Time services and synchronization | Mitigates | T1547.003 | Time Providers |
Comments
The diagnostic statement focuses on the importance of maintaining accurate and resilient time synchronization across systems. By ensuring that time services are designed with security and reliability in mind, organizations reduce the risk of adversaries tampering with time provider components or disrupting time synchronization processes described in the Boot or Logon Autostart Execution: Time Providers technique.
|
| PR.AA-05.03 | Service accounts | Mitigates | T1484.002 | Trust Modification |
Comments
This diagnostic statement is for the implementation of security controls for service accounts (i.e., accounts used by systems to access other systems). Protect administrative access to domain trusts and identity tenants to mitigate this technique.
|
| PR.AA-05.03 | Service accounts | Mitigates | T1021.003 | Distributed Component Object Model |
Comments
This diagnostic statement is for the implementation of security controls for service accounts (i.e., accounts used by systems to access other systems). Minimize service account permissions and access for the service to mitigate exploitation via Distributed Component Object Model (DCOM).
|
| PR.AA-05.03 | Service accounts | Mitigates | T1558.003 | Kerberoasting |
Comments
This diagnostic statement describes security controls implemented for service accounts (i.e., accounts used by systems to access other systems). Limit service accounts to minimal required privileges to mitigate attempts to steal or forge Kerberos tickets.
|
| PR.AA-05.03 | Service accounts | Mitigates | T1558.002 | Silver Ticket |
Comments
This diagnostic statement describes security controls implemented for service accounts (i.e., accounts used by systems to access other systems). Limit service accounts to minimal required privileges to mitigate attempts to steal or forge Kerberos tickets.
|
| PR.AA-05.03 | Service accounts | Mitigates | T1563.001 | SSH Hijacking |
Comments
This diagnostic statement is for the implementation of security controls for service accounts (i.e., accounts used by systems to access other systems), such as granting service accounts only the minimum necessary permissions.
|
| PR.AA-05.03 | Service accounts | Mitigates | T1078.002 | Domain Accounts |
Comments
This diagnostic statement describes how the organization establishes security standards based on industry guidelines to institute strict controls over service account (i.e., accounts used by systems to access other systems).
|
| PR.AA-05.03 | Service accounts | Mitigates | T1558 | Steal or Forge Kerberos Tickets |
Comments
This diagnostic statement describes security controls implemented for service accounts (i.e., accounts used by systems to access other systems). Limit service accounts to minimal required privileges to mitigate attempts to steal or forge Kerberos tickets.
|
| PR.AA-05.03 | Service accounts | Mitigates | T1548 | Abuse Elevation Control Mechanism |
Comments
This diagnostic statement describes how the organization establishes security standards based on industry guidelines to institute strict controls over service account (i.e., accounts used by systems to access other systems). Minimize permissions and access for service accounts to mitigate this technique.
|
| PR.AA-05.03 | Service accounts | Mitigates | T1559.001 | Component Object Model |
Comments
This diagnostic statement is for the implementation of security controls for service accounts (i.e., accounts used by systems to access other systems). Set service account access restrictions to grant only the minimum necessary permissions to mitigate abuse of inter-process communication (IPC) mechanisms.
|
| PR.AA-05.03 | Service accounts | Mitigates | T1078 | Valid Accounts |
Comments
This diagnostic statement describes how the organization establishes security standards based on industry guidelines to institute strict controls over service account (i.e., accounts used by systems to access other systems).
|
| PR.AA-05.03 | Service accounts | Mitigates | T1210 | Exploitation of Remote Services |
Comments
This diagnostic statement is for the implementation of security controls for service accounts (i.e., accounts used by systems to access other systems). Minimize permissions and access for service accounts to limit impact of exploitation.
|
| PR.AA-05.03 | Service accounts | Mitigates | T1098 | Account Manipulation |
Comments
This diagnostic statement describes how the organization establishes security standards based on industry guidelines to institute strict controls over service account (i.e., accounts used by systems to access other systems).
|
| DE.CM-01.05 | Website and service blocking | Mitigates | T1102.003 | One-Way Communication |
Comments
This diagnostic statement helps mitigate web service techniques through the implementation of tools and measures to detect and block access to unauthorized, inappropriate, or malicious websites and services.
|
| DE.CM-01.05 | Website and service blocking | Mitigates | T1102.002 | Bidirectional Communication |
Comments
This diagnostic statement helps mitigate web service techniques through the implementation of tools and measures to detect and block access to unauthorized, inappropriate, or malicious websites and services.
|
| DE.CM-01.05 | Website and service blocking | Mitigates | T1102.001 | Dead Drop Resolver |
Comments
This diagnostic statement helps mitigate web service techniques through the implementation of tools and measures to detect and block access to unauthorized, inappropriate, or malicious websites and services.
|
| DE.CM-01.05 | Website and service blocking | Mitigates | T1102 | Web Service |
Comments
This diagnostic statement helps mitigate web service techniques through the implementation of tools and measures to detect and block access to unauthorized, inappropriate, or malicious websites and services.
|
| DE.CM-01.05 | Website and service blocking | Mitigates | T1204.002 | Malicious File |
Comments
This diagnostic statement protects user execution through the implementation of tools and measures to block unknown or unused files in transit.
|
| DE.CM-01.05 | Website and service blocking | Mitigates | T1204 | User Execution |
Comments
This diagnostic statement protects user execution through the implementation of tools and measures to block unknown or unused files in transit.
|
| DE.CM-01.05 | Website and service blocking | Mitigates | T1550 | Use Alternate Authentication Material |
Comments
This diagnostic statement provides for implementing tools and measures for such as allowing/denying types of third-party applications which can help prevent adversary use of alternate authentication material.
|
| DE.CM-01.05 | Website and service blocking | Mitigates | T1218.001 | Compiled HTML File |
Comments
This diagnostic statement can help prevent adversaries from abusing HTML files by implementing tools and measures to block download/transfer of uncommon file types known to be used in adversary campaigns.
|
| DE.CM-01.05 | Website and service blocking | Mitigates | T1218 | System Binary Proxy Execution |
Comments
This diagnostic statement can help prevent execution of malicious content with signed files or trusted binaries through tools and measures restricting or blocking certain websites, blocking downloads/attachments, and restricting browser extensions.
|
| DE.CM-01.05 | Website and service blocking | Mitigates | T1539 | Steal Web Session Cookie |
Comments
This diagnostic statement provides for implementing tools and measures for web-based content and browser security settings that can help prevent session cookie theft.
|
| DE.CM-01.05 | Website and service blocking | Mitigates | T1528 | Steal Application Access Token |
Comments
This diagnostic statement provides for implementing tools and measures such as disabling users from authorizing third-party apps and forcing administrative consent for all requests that can help prevent token theft.
|
| DE.CM-01.05 | Website and service blocking | Mitigates | T1566.003 | Spearphishing via Service |
Comments
This diagnostic statement provides for implementing tools and measures such as filtering messages and restricting certain websites or attachment types, which can help block phishing attempts.
|
| DE.CM-01.05 | Website and service blocking | Mitigates | T1566.002 | Spearphishing Link |
Comments
This diagnostic statement provides for implementing tools and measures such as filtering messages and restricting certain websites or attachment types, which can help block phishing attempts.
|
| DE.CM-01.05 | Website and service blocking | Mitigates | T1566.001 | Spearphishing Attachment |
Comments
This diagnostic statement provides for implementing tools and measures such as filtering messages and restricting certain websites or attachment types, which can help block phishing attempts.
|
| DE.CM-01.05 | Website and service blocking | Mitigates | T1566 | Phishing |
Comments
This diagnostic statement provides for implementing tools and measures such as filtering messages and restricting certain websites or attachment types, which can help block phishing attempts.
|
| DE.CM-01.05 | Website and service blocking | Mitigates | T1189 | Drive-by Compromise |
Comments
This diagnostic statement helps mitigate drive-by compromise through the implementation of tools and measures such as adblockers to prevent and block malicious code execution and script blocking extensions to block execution of scripts.
|
| DE.CM-01.05 | Website and service blocking | Mitigates | T1555.003 | Credentials from Web Browsers |
Comments
This diagnostic statement provides for implementing tools and measures for web-based content and browser security settings that can help prevent session cookie theft.
|
| DE.CM-01.05 | Website and service blocking | Mitigates | T1659 | Content Injection |
Comments
This diagnostic statement provides for implementing tools and measures such as blocking download/transfer and execution of uncommon file types which can help prevent content injection.
|
| DE.CM-01.05 | Website and service blocking | Mitigates | T1059.007 | JavaScript |
Comments
This diagnostic statement prevents adversaries from abusing various implementation of JavaScript for execution by blocking the execution of scripts and malicious code that pop up via adblockers and ads.
|
| DE.CM-01.05 | Website and service blocking | Mitigates | T1059 | Command and Scripting Interpreter |
Comments
This diagnostic statement prevents adversaries from abusing commands, scripts, or binaries by blocking the execution of scripts and malicious code that pop up via adblockers and ads.
|
| DE.CM-03.03 | Privileged account monitoring | Mitigates | T1047 | Windows Management Instrumentation |
Comments
This diagnostic statement implements mechanisms and tools to mitigate potential misuse of privileged users and accounts. Continuous monitoring of role and attribute assignments and activity is essential to prevent and detect unauthorized access or misuse.
|
| DE.CM-03.03 | Privileged account monitoring | Mitigates | T1078.004 | Cloud Accounts |
Comments
This diagnostic statement implements mechanisms and tools to mitigate potential misuse of privileged users and accounts. Continuous monitoring of role and attribute assignments and activity is essential to prevent and detect unauthorized access or misuse.
|
| DE.CM-03.03 | Privileged account monitoring | Mitigates | T1078.003 | Local Accounts |
Comments
This diagnostic statement implements mechanisms and tools to mitigate potential misuse of privileged users and accounts. Continuous monitoring of role and attribute assignments and activity is essential to prevent and detect unauthorized access or misuse.
|
| DE.CM-03.03 | Privileged account monitoring | Mitigates | T1078.002 | Domain Accounts |
Comments
This diagnostic statement implements mechanisms and tools to mitigate potential misuse of privileged users and accounts. Continuous monitoring of role and attribute assignments and activity is essential to prevent and detect unauthorized access or misuse.
|
| DE.CM-03.03 | Privileged account monitoring | Mitigates | T1078.001 | Default Accounts |
Comments
This diagnostic statement implements mechanisms and tools to mitigate potential misuse of privileged users and accounts. Continuous monitoring of role and attribute assignments and activity is essential to prevent and detect unauthorized access or misuse.
|
| DE.CM-03.03 | Privileged account monitoring | Mitigates | T1072 | Software Deployment Tools |
Comments
This diagnostic statement implements mechanisms and tools to mitigate potential misuse of privileged users and accounts. Continuous monitoring of role and attribute assignments and activity is essential to prevent and detect unauthorized access or misuse.
|
| DE.CM-03.03 | Privileged account monitoring | Mitigates | T1053.007 | Container Orchestration Job |
Comments
This diagnostic statement implements mechanisms and tools to mitigate potential misuse of privileged users and accounts. Continuous monitoring of role and attribute assignments and activity is essential to prevent and detect unauthorized access or misuse.
|
| DE.CM-03.03 | Privileged account monitoring | Mitigates | T1053.006 | Systemd Timers |
Comments
This diagnostic statement implements mechanisms and tools to mitigate potential misuse of privileged users and accounts. Continuous monitoring of role and attribute assignments and activity is essential to prevent and detect unauthorized access or misuse.
|
| DE.CM-03.03 | Privileged account monitoring | Mitigates | T1053.005 | Scheduled Task |
Comments
This diagnostic statement implements mechanisms and tools to mitigate potential misuse of privileged users and accounts. Continuous monitoring of role and attribute assignments and activity is essential to prevent and detect unauthorized access or misuse.
|
| DE.CM-03.03 | Privileged account monitoring | Mitigates | T1053.002 | At |
Comments
This diagnostic statement implements mechanisms and tools to mitigate potential misuse of privileged users and accounts. Continuous monitoring of role and attribute assignments and activity is essential to prevent and detect unauthorized access or misuse.
|
| DE.CM-03.03 | Privileged account monitoring | Mitigates | T1053 | Scheduled Task/Job |
Comments
This diagnostic statement implements mechanisms and tools to mitigate potential misuse of privileged users and accounts. Continuous monitoring of role and attribute assignments and activity is essential to prevent and detect unauthorized access or misuse.
|
| DE.CM-03.03 | Privileged account monitoring | Mitigates | T1556.007 | Hybrid Identity |
Comments
This diagnostic statement implements mechanisms and tools to mitigate potential misuse of privileged users and accounts. Continuous monitoring of role and attribute assignments and activity is essential to prevent and detect unauthorized access or misuse.
|
| DE.CM-03.03 | Privileged account monitoring | Mitigates | T1556.005 | Reversible Encryption |
Comments
This diagnostic statement implements mechanisms and tools to mitigate potential misuse of privileged users and accounts. Continuous monitoring of role and attribute assignments and activity is essential to prevent and detect unauthorized access or misuse.
|
| DE.CM-03.03 | Privileged account monitoring | Mitigates | T1556.004 | Network Device Authentication |
Comments
This diagnostic statement implements mechanisms and tools to mitigate potential misuse of privileged users and accounts. Continuous monitoring of role and attribute assignments and activity is essential to prevent and detect unauthorized access or misuse.
|
| DE.CM-03.03 | Privileged account monitoring | Mitigates | T1556.006 | Multi-Factor Authentication |
Comments
This diagnostic statement implements mechanisms and tools to mitigate potential misuse of privileged users and accounts. Continuous monitoring of role and attribute assignments and activity is essential to prevent and detect unauthorized access or misuse.
|
| DE.CM-03.03 | Privileged account monitoring | Mitigates | T1556.001 | Domain Controller Authentication |
Comments
This diagnostic statement implements mechanisms and tools to mitigate potential misuse of privileged users and accounts. Continuous monitoring of role and attribute assignments and activity is essential to prevent and detect unauthorized access or misuse.
|
| DE.CM-03.03 | Privileged account monitoring | Mitigates | T1556 | Modify Authentication Process |
Comments
This diagnostic statement implements mechanisms and tools to mitigate potential misuse of privileged users and accounts. Continuous monitoring of role and attribute assignments and activity is essential to prevent and detect unauthorized access or misuse.
|
| DE.CM-03.03 | Privileged account monitoring | Mitigates | T1606.002 | SAML Tokens |
Comments
This diagnostic statement implements mechanisms and tools to mitigate potential misuse of privileged users and accounts. Continuous monitoring of role and attribute assignments and activity is essential to prevent and detect unauthorized access or misuse.
|
| DE.CM-03.03 | Privileged account monitoring | Mitigates | T1606 | Forge Web Credentials |
Comments
This diagnostic statement implements mechanisms and tools to mitigate potential misuse of privileged users and accounts. Continuous monitoring of role and attribute assignments and activity is essential to prevent and detect unauthorized access or misuse.
|
| DE.CM-03.03 | Privileged account monitoring | Mitigates | T1210 | Exploitation of Remote Services |
Comments
This diagnostic statement implements mechanisms and tools to mitigate potential misuse of privileged users and accounts. Continuous monitoring of role and attribute assignments and activity is essential to prevent and detect unauthorized access or misuse.
|
| DE.CM-03.03 | Privileged account monitoring | Mitigates | T1190 | Exploit Public-Facing Application |
Comments
This diagnostic statement implements mechanisms and tools to mitigate potential misuse of privileged users and accounts. Continuous monitoring of role and attribute assignments and activity is essential to prevent and detect unauthorized access or misuse.
|
| DE.CM-03.03 | Privileged account monitoring | Mitigates | T1543.005 | Container Service |
Comments
This diagnostic statement implements mechanisms and tools to mitigate potential misuse of privileged users and accounts. Continuous monitoring of role and attribute assignments and activity is essential to prevent and detect unauthorized access or misuse.
|
| DE.CM-03.03 | Privileged account monitoring | Mitigates | T1543 | Create or Modify System Process |
Comments
This diagnostic statement implements mechanisms and tools to mitigate potential misuse of privileged users and accounts. Continuous monitoring of role and attribute assignments and activity is essential to prevent and detect unauthorized access or misuse.
|
| DE.CM-03.03 | Privileged account monitoring | Mitigates | T1651 | Cloud Administration Command |
Comments
This diagnostic statement implements mechanisms and tools to mitigate potential misuse of privileged users and accounts. Continuous monitoring of role and attribute assignments and activity is essential to prevent and detect unauthorized access or misuse.
|
| DE.CM-03.03 | Privileged account monitoring | Mitigates | T1098.003 | Additional Cloud Roles |
Comments
This diagnostic statement implements mechanisms and tools to mitigate potential misuse of privileged users and accounts. Continuous monitoring of role and attribute assignments and activity is essential to prevent and detect unauthorized access or misuse.
|
| DE.CM-03.03 | Privileged account monitoring | Mitigates | T1098.002 | Additional Email Delegate Permissions |
Comments
This diagnostic statement implements mechanisms and tools to mitigate potential misuse of privileged users and accounts. Continuous monitoring of role and attribute assignments and activity is essential to prevent and detect unauthorized access or misuse.
|
| DE.CM-03.03 | Privileged account monitoring | Mitigates | T1098.001 | Additional Cloud Credentials |
Comments
This diagnostic statement implements mechanisms and tools to mitigate potential misuse of privileged users and accounts. Continuous monitoring of role and attribute assignments and activity is essential to prevent and detect unauthorized access or misuse.
|
| DE.CM-03.03 | Privileged account monitoring | Mitigates | T1098 | Account Manipulation |
Comments
This diagnostic statement implements mechanisms and tools to mitigate potential misuse of privileged users and accounts. Continuous monitoring of role and attribute assignments and activity is essential to prevent and detect unauthorized access or misuse.
|
| DE.CM-03.03 | Privileged account monitoring | Mitigates | T1548.006 | TCC Manipulation |
Comments
This diagnostic statement implements mechanisms and tools to mitigate potential misuse of privileged users and accounts. Continuous monitoring of role and attribute assignments and activity is essential to prevent and detect unauthorized access or misuse.
|
| DE.CM-03.03 | Privileged account monitoring | Mitigates | T1548.003 | Sudo and Sudo Caching |
Comments
This diagnostic statement implements mechanisms and tools to mitigate potential misuse of privileged users and accounts. Continuous monitoring of role and attribute assignments and activity is essential to prevent and detect unauthorized access or misuse.
|
| DE.CM-03.03 | Privileged account monitoring | Mitigates | T1548.002 | Bypass User Account Control |
Comments
This diagnostic statement implements mechanisms and tools to mitigate potential misuse of privileged users and accounts. Continuous monitoring of role and attribute assignments and activity is essential to prevent and detect unauthorized access or misuse.
|
| DE.CM-03.03 | Privileged account monitoring | Mitigates | T1548 | Abuse Elevation Control Mechanism |
Comments
This diagnostic statement implements mechanisms and tools to mitigate potential misuse of privileged users and accounts. Continuous monitoring of role and attribute assignments and activity is essential to prevent and detect unauthorized access or misuse.
|
| DE.CM-01.05 | Website and service blocking | Mitigates | T1059.005 | Visual Basic |
Comments
This diagnostic statement prevents adversaries from abusing commands, scripts, or binaries by blocking the execution of scripts and malicious code that pop up via adblockers and ads.
|
| EX.DD-04.01 | Third-party systems and software evaluation | Mitigates | T1210 | Exploitation of Remote Services |
Comments
This diagnostic statement describes the organization's formal process for evaluating externally-sourced applications, software, and firmware by assessing compatibility, security, integrity, and authenticity before deployment and after major changes. For example, requiring the use of vulnerability scanning of third-party application development to scan for common vulnerabilities like SQL injection or cross-site scripting (XSS), including the use of regular scans post major changes to identify newly introduced vulnerabilities.
|
| EX.DD-04.01 | Third-party systems and software evaluation | Mitigates | T1190 | Exploit Public-Facing Application |
Comments
This diagnostic statement describes the organization's formal process for evaluating externally-sourced applications, software, and firmware by assessing compatibility, security, integrity, and authenticity before deployment and after major changes. For example, requiring the use of vulnerability scanning of third-party application development to scan for common vulnerabilities like SQL injection or cross-site scripting (XSS), including the use of regular scans post major changes to identify newly introduced vulnerabilities.
|
| EX.DD-04.01 | Third-party systems and software evaluation | Mitigates | T1195.002 | Compromise Software Supply Chain |
Comments
This diagnostic statement describes the organization's formal process for evaluating externally-sourced applications, software, and firmware by assessing compatibility, security, integrity, and authenticity before deployment and after major changes. For example, requiring software from external vendors to be signed with valid certificates before deployment to aid in mitigating software supply chain attacks.
|
| EX.DD-04.01 | Third-party systems and software evaluation | Mitigates | T1554 | Compromise Host Software Binary |
Comments
This diagnostic statement describes the organization's formal process for evaluating externally-sourced applications, software, and firmware by assessing compatibility, security, integrity, and authenticity before deployment and after major changes. For example, requiring software from external vendors to be signed with valid certificates before deployment to aid in mitigating software supply chain attacks.
|
| EX.DD-04.01 | Third-party systems and software evaluation | Mitigates | T1542.002 | Component Firmware |
Comments
This diagnostic statement describes the organization's formal process for evaluating externally-sourced applications, software, and firmware by assessing compatibility, security, integrity, and authenticity before deployment and after major changes. For example, requiring software from external vendors to be signed with valid certificates before deployment to aid in mitigating software supply chain attacks.
|
| EX.DD-04.01 | Third-party systems and software evaluation | Mitigates | T1195.002 | Compromise Software Supply Chain |
Comments
This diagnostic statement describes the organization's formal process for evaluating externally-sourced applications, software, and firmware by assessing compatibility, security, integrity, and authenticity before deployment and after major changes. For example, requiring software from external vendors to be signed with valid certificates before deployment to aid in mitigating software supply chain attacks.
|
| EX.DD-04.01 | Third-party systems and software evaluation | Mitigates | T1036.001 | Invalid Code Signature |
Comments
This diagnostic statement describes the organization's formal process for evaluating externally-sourced applications, software, and firmware by assessing compatibility, security, integrity, and authenticity before deployment and after major changes. For example, requiring software from external vendors to be signed with valid certificates before deployment to aid in mitigating software supply chain attacks.
|
| EX.DD-04.01 | Third-party systems and software evaluation | Mitigates | T1036 | Masquerading |
Comments
This diagnostic statement describes the organization's formal process for evaluating externally-sourced applications, software, and firmware by assessing compatibility, security, integrity, and authenticity before deployment and after major changes. For example, requiring software from external vendors to be signed with valid certificates before deployment to aid in mitigating software supply chain attacks.
|
| EX.DD-04.01 | Third-party systems and software evaluation | Mitigates | T1072 | Software Deployment Tools |
Comments
This diagnostic statement describes the organization's formal process for evaluating externally-sourced applications, software, and firmware by assessing compatibility, security, integrity, and authenticity before deployment and after major changes. For example, requiring software from external vendors to be signed with valid certificates before deployment to aid in mitigating software supply chain attacks.
|
| EX.DD-04.01 | Third-party systems and software evaluation | Mitigates | T1195.002 | Compromise Software Supply Chain |
Comments
This diagnostic statement describes the organization's formal process for evaluating externally-sourced applications, software, and firmware by assessing compatibility, security, integrity, and authenticity before deployment and after major changes. For example, requiring software from external vendors to be signed with valid certificates before deployment to aid in mitigating software supply chain attacks.
|
| EX.DD-04.01 | Third-party systems and software evaluation | Mitigates | T1195.001 | Compromise Software Dependencies and Development Tools |
Comments
This diagnostic statement describes the organization's formal process for evaluating externally-sourced applications, software, and firmware by assessing compatibility, security, integrity, and authenticity before deployment and after major changes. For example, requiring software from external vendors to be signed with valid certificates before deployment to aid in mitigating software supply chain attacks.
|
| EX.DD-04.01 | Third-party systems and software evaluation | Mitigates | T1195 | Supply Chain Compromise |
Comments
This diagnostic statement describes the organization's formal process for evaluating externally-sourced applications, software, and firmware by assessing compatibility, security, integrity, and authenticity before deployment and after major changes. For example, requiring software from external vendors to be signed with valid certificates before deployment to aid in mitigating software supply chain attacks.
|
| ID.AM-08.03 | Data governance and lifecycle management | Mitigates | T1565.002 | Transmitted Data Manipulation |
Comments
This diagnostic statement prevents adversaries from manipulating data that is in transit. Encrypting and/or obfuscating data can be used to protect sensitive data from being accessed by adversaries. There may be some similarities to NIST 800-53 SI-12 Information Management and Retention. This may provide mitigation of data access/exfiltration techniques.
|
| ID.AM-08.03 | Data governance and lifecycle management | Mitigates | T1565.001 | Stored Data Manipulation |
Comments
This diagnostic statement prevents adversaries from manipulating data at rest. storing data remotely can be used to properly manage data. There may be some similarities to NIST 800-53 SI-12 Information Management and Retention. This may provide mitigation of data access/exfiltration techniques.
|
| ID.AM-08.03 | Data governance and lifecycle management | Mitigates | T1114.001 | Local Email Collection |
Comments
This diagnostic statement prevents adversaries from manipulating emails and having the ability to collect sensitive data (PII) from users. There may be some similarities to NIST 800-53 SI-12 Information Management and Retention. This may provide mitigation of data access/exfiltration techniques.
|
| ID.AM-08.03 | Data governance and lifecycle management | Mitigates | T1070.008 | Clear Mailbox Data |
Comments
Storing data remotely can be used to properly manage data so that adversaries won't be able to modify mail and mail application data. There may be some similarities to NIST 800-53 SI-12 Information Management and Retention. This may provide mitigation of data access/exfiltration techniques.
|
| ID.AM-08.03 | Data governance and lifecycle management | Mitigates | T1070.002 | Clear Linux or Mac System Logs |
Comments
Utilizing methods that can obfuscate and/or encrypt event files locally and in transit can prevent adversaries from clearing system logs and feeding them to adversaries. Also, storing data remotely can be used to properly manage data. There may be some similarities to NIST 800-53 SI-12 Information Management and Retention. This may provide mitigation of data access/exfiltration techniques.
|
| ID.AM-08.03 | Data governance and lifecycle management | Mitigates | T1070 | Indicator Removal |
Comments
Storing data remotely can be used to properly manage data so that adversaries won't be able to interfere with processes used to detect intrusion activities. There may be some similarities to NIST 800-53 SI-12 Information Management and Retention. This may provide mitigation of data access/exfiltration techniques.
|
| ID.AM-08.03 | Data governance and lifecycle management | Mitigates | T1003.003 | NTDS |
Comments
This diagnostic statement protects credential data and sensitive PII from being stolen from adversaries via Active Directory domain databases. There may be some similarities to NIST 800-53 SI-12 Information Management and Retention. This may provide mitigation of data access/exfiltration techniques.
|
| ID.AM-08.03 | Data governance and lifecycle management | Mitigates | T1558.005 | Ccache Files |
Comments
This diagnostic statement prevents adversaries from being able to steal data in transit between networks by accessing Wi-Fi access points and abusing Kerberos by stealing tickets in credential cache files. There may be some similarities to NIST 800-53 SI-12 Information Management and Retention. This may provide mitigation of data access/exfiltration techniques.
|
| ID.AM-08.03 | Data governance and lifecycle management | Mitigates | T1558 | Steal or Forge Kerberos Tickets |
Comments
This diagnostic statement prevents adversaries from being able to steal data in transit between networks by accessing Wi-Fi access points and abusing Kerberos by stealing tickets to enforce unauthorized access. There may be some similarities to NIST 800-53 SI-12 Information Management and Retention. This may provide mitigation of data access/exfiltration techniques.
|
| ID.AM-08.03 | Data governance and lifecycle management | Mitigates | T1557.004 | Evil Twin |
Comments
This diagnostic statement prevents adversaries from being able to steal data in transit between networks by accessing Wi-Fi access points and enticing users to connecting to malicious networks. There may be some similarities to NIST 800-53 SI-12 Information Management and Retention. This may provide mitigation of data access/exfiltration techniques.
|
| ID.AM-08.03 | Data governance and lifecycle management | Mitigates | T1557 | Adversary-in-the-Middle |
Comments
This diagnostic statement prevents adversaries from being able to steal data in transit between networks. There may be some similarities to NIST 800-53 SI-12 Information Management and Retention. This may provide mitigation of data access/exfiltration techniques.
|
| ID.AM-08.03 | Data governance and lifecycle management | Mitigates | T1552.004 | Private Keys |
Comments
This diagnostic statement protects credential data and sensitive PII from being stolen from adversaries via private key certificate files. There may be some similarities to NIST 800-53 SI-12 Information Management and Retention. This may provide mitigation of data access/exfiltration techniques.
|
| ID.AM-08.03 | Data governance and lifecycle management | Mitigates | T1552 | Unsecured Credentials |
Comments
This diagnostic statement protects credential data and sensitive PII from being stolen from adversaries. There may be some similarities to NIST 800-53 SI-12 Information Management and Retention. This may provide mitigation of data access/exfiltration techniques.
|
| ID.AM-08.03 | Data governance and lifecycle management | Mitigates | T1550.001 | Application Access Token |
Comments
This diagnostic statement prevents adversaries from being able to steal application access token by bypassing regular authentication methods and accessing restricting accounts and user credentials. There may be some similarities to NIST 800-53 SI-12 Information Management and Retention. This may provide mitigation of data access/exfiltration techniques.
|
| ID.AM-08.03 | Data governance and lifecycle management | Mitigates | T1548 | Abuse Elevation Control Mechanism |
Comments
This diagnostic statement prevents adversaries from being able to manipulate mechanisms to gain access to user's higher-level permissions and control elevated privileges. There may be some similarities to NIST 800-53 SI-12 Information Management and Retention. This may provide mitigation of data access/exfiltration techniques.
|
| ID.AM-08.03 | Data governance and lifecycle management | Mitigates | T1530 | Data from Cloud Storage |
Comments
This diagnostic statement prevents adversaries from collecting sensitive data from cloud storage solutions, such as Amazon S3, Azure, Storage, and Google Cloud. Permissions on cloud storage should be frequently checked and encrypting sensitive data in the cloud should be managed properly. There may be some similarities to NIST 800-53 SI-12 Information Management and Retention. This may provide mitigation of data access/exfiltration techniques.
|
| ID.AM-08.03 | Data governance and lifecycle management | Mitigates | T1213.004 | Customer Relationship Management Software |
Comments
This diagnostic statement prevents adversaries from leveraging sensitive (PII) data from customer relationship management software by sending phishing emails or targeting organization's customers in ways that enable financial gain. There may be some similarities to NIST 800-53 SI-12 Information Management and Retention. This may provide mitigation of data access/exfiltration techniques.
|
| ID.AM-08.03 | Data governance and lifecycle management | Mitigates | T1119 | Automated Collection |
Comments
This diagnostic statement prevents adversaries from using automated techniques for collecting internal data. There may be some similarities to NIST 800-53 SI-12 Information Management and Retention. This may provide mitigation of data access/exfiltration techniques.
|
| ID.AM-08.03 | Data governance and lifecycle management | Mitigates | T1114.003 | Email Forwarding Rule |
Comments
This diagnostic statement protects credential data and sensitive PII from being stolen from adversaries found in emails. It also prevents adversaries from abusing email forwarding rules. There may be some similarities to NIST 800-53 SI-12 Information Management and Retention. This may provide mitigation of data access/exfiltration techniques.
|
| ID.AM-08.03 | Data governance and lifecycle management | Mitigates | T1114.002 | Remote Email Collection |
Comments
This diagnostic statement protects credential data and sensitive PII from being stolen from adversaries found in emails. It also prevents adversaries from manipulating data via exchange server, Office 365, or Google Workspace from trying to collect sensitive information. There may be some similarities to NIST 800-53 SI-12 Information Management and Retention. This may provide mitigation of data access/exfiltration techniques.
|
| ID.AM-08.03 | Data governance and lifecycle management | Mitigates | T1114 | Email Collection |
Comments
This diagnostic statement protects credential data and sensitive PII from being stolen from adversaries found in emails. here may be some similarities to NIST 800-53 SI-12 Information Management and Retention. This may provide mitigation of data access/exfiltration techniques.
|
| ID.AM-08.03 | Data governance and lifecycle management | Mitigates | T1070.001 | Clear Windows Event Logs |
Comments
This diagnostic statement protects data from being easily manipulated by adversaries that try to clear Windows event logs by intruding different activities. Encrypting files locally and in transit shall avoid giving data to an adversary. There may be some similarities to NIST 800-53 SI-12 Information Management and Retention. This may provide mitigation of data access/exfiltration techniques.
|
| ID.AM-08.03 | Data governance and lifecycle management | Mitigates | T1040 | Network Sniffing |
Comments
This diagnostic statement protects data from being easily manipulated by adversaries due to network sniffing while authentication material is being passed over networks. There may be some similarities to NIST 800-53 SI-12 Information Management and Retention. This may provide mitigation of data access/exfiltration techniques.
|
| ID.AM-08.03 | Data governance and lifecycle management | Mitigates | T1020.001 | Traffic Duplication |
Comments
This diagnostic statement protects data from being exfiltrated from adversaries via traffic monitoring. There may be some similarities to NIST 800-53 SI-12 Information Management and Retention. This may provide mitigation of data access/exfiltration techniques.
|
| ID.AM-08.03 | Data governance and lifecycle management | Mitigates | T1003 | OS Credential Dumping |
Comments
This diagnostic statement protects credential data and sensitive PII from being stolen from adversaries. There may be some similarities to NIST 800-53 SI-12 Information Management and Retention. This may provide mitigation of data access/exfiltration techniques.
|
| ID.IM-02.06 | Accurate data recovery | Mitigates | T1565.001 | Stored Data Manipulation |
Comments
This diagnostic statement highlights the critical importance of implementing remote data storage solutions as a safeguard against potential adversarial attempts to manipulate or conceal stored data (i.e. file formats, databases, stored emails, and custom file formats), which could negatively impact business operations and organizational data integrity.
|
| ID.IM-02.06 | Accurate data recovery | Mitigates | T1565 | Data Manipulation |
Comments
This diagnostic statement highlights the critical importance of implementing remote data storage solutions as a safeguard against potential adversarial attempts to manipulate or conceal data, which could negatively impact business operations and organizational data integrity.
|
| ID.IM-02.06 | Accurate data recovery | Mitigates | T1498.002 | Reflection Amplification |
Comments
This diagnostic statement focuses on safeguarding IP addresses from potential attacks by adversaries targeting third party servers and causing DoS attacks. Additionally, the integration of third-party services is recommended to support the development of a comprehensive business continuity plan, ensuring an effective response to such incidents.
|
| ID.IM-02.06 | Accurate data recovery | Mitigates | T1498.001 | Direct Network Flood |
Comments
This diagnostic statement focuses on safeguarding IP addresses from potential attacks by adversaries, including Network Denial of Service (DoS) attacks targeting the availability and functionality of networks. Additionally, the integration of third-party services is recommended to support the development of a comprehensive business continuity plan, ensuring an effective response to such incidents.
|
| ID.IM-02.06 | Accurate data recovery | Mitigates | T1498 | Network Denial of Service |
Comments
This diagnostic statement focuses on safeguarding IP addresses from potential attacks by adversaries, including Network Denial of Service (DoS) attacks targeting websites, email services, and web-based applications. Additionally, the integration of third-party services is recommended to support the development of a comprehensive business continuity plan, ensuring an effective response to such incidents.
|
| ID.IM-02.06 | Accurate data recovery | Mitigates | T1490 | Inhibit System Recovery |
Comments
This diagnostic statement emphasizes the facilitation of data recovery through the implementation of robust data backup strategies, comprehensive disaster recovery plans, and effective business continuity frameworks, specifically designed to address scenarios in which adversaries may attempt to hinder the recovery of a compromised system.
|
| ID.IM-02.06 | Accurate data recovery | Mitigates | T1486 | Data Encrypted for Impact |
Comments
This diagnostic statement emphasizes the facilitation of data recovery through the implementation of robust data backup strategies, comprehensive disaster recovery plans, and effective business continuity frameworks, specifically designed to address scenarios in which adversaries may attempt to target data on encrypted systems by using ransomware.
|
| ID.IM-02.06 | Accurate data recovery | Mitigates | T1485.001 | Lifecycle-Triggered Deletion |
Comments
This diagnostic statement emphasizes the facilitation of data recovery through the implementation of robust data backup strategies, comprehensive disaster recovery plans, and effective business continuity frameworks, specifically designed to address scenarios in which adversaries may attempt to modify policies of cloud storage and data within it.
|
| ID.IM-02.06 | Accurate data recovery | Mitigates | T1485 | Data Destruction |
Comments
This diagnostic statement emphasizes the facilitation of data recovery through the implementation of robust data backup strategies, comprehensive disaster recovery plans, and effective business continuity frameworks, specifically designed to address scenarios in which adversaries attempt to destroy data and/or files on systems found within a large network.
|
| ID.IM-02.06 | Accurate data recovery | Mitigates | T1561.002 | Disk Structure Wipe |
Comments
This diagnostic statement emphasizes the facilitation of data recovery through the implementation of robust data backup strategies, comprehensive disaster recovery plans, and effective business continuity frameworks, specifically designed to address scenarios in which adversaries attempt to erase disk data structures on hard dives or within networks.
|
| ID.IM-02.06 | Accurate data recovery | Mitigates | T1561.001 | Disk Content Wipe |
Comments
This diagnostic statement emphasizes the facilitation of data recovery through the implementation of robust data backup strategies, comprehensive disaster recovery plans, and effective business continuity frameworks, specifically designed to address scenarios in which adversaries attempt to erase content found on storage devices on systems or within networks.
|
| ID.IM-02.06 | Accurate data recovery | Mitigates | T1561 | Disk Wipe |
Comments
This diagnostic statement emphasizes the facilitation of data recovery through the implementation of robust data backup strategies, comprehensive disaster recovery plans, and effective business continuity frameworks, specifically designed to address scenarios in which adversaries attempt to corrupt raw disk data on systems or within networks.
|
| ID.IM-02.06 | Accurate data recovery | Mitigates | T1491.002 | External Defacement |
Comments
This diagnostic statement emphasizes the importance of facilitating data recovery through the implementation of robust data backup strategies, comprehensive disaster recovery plans, and effective business continuity frameworks, aimed at mitigating the risks posed by potential adversarial attempts to compromise or manipulate organization's content and systems externally by targeting users through messages or propaganda.
|
| ID.IM-02.06 | Accurate data recovery | Mitigates | T1491.001 | Internal Defacement |
Comments
This diagnostic statement emphasizes the importance of facilitating data recovery through the implementation of robust data backup strategies, comprehensive disaster recovery plans, and effective business continuity frameworks, aimed at mitigating the risks posed by potential adversarial attempts to compromise or manipulate content internally within an organization's network.
|
| ID.IM-02.06 | Accurate data recovery | Mitigates | T1491 | Defacement |
Comments
This diagnostic statement emphasizes the importance of facilitating data recovery through the implementation of robust data backup strategies, comprehensive disaster recovery plans, and effective business continuity frameworks, aimed at mitigating the risks posed by potential adversarial attempts to compromise or manipulate content within an enterprise network.
|
| PR.AA-01.02 | Physical and logical access | Mitigates | T1537 | Transfer Data to Cloud Account |
Comments
This diagnostic statement describes how the organization ensures users are identified and authenticated before accessing systems, applications, and hardware, with logical access controls permitting access only to authorized individuals with legitimate business needs. Logical access controls in relation to systems can refer to the use of MFA, user account management, and other role-based access control mechanisms to enforce policies for authentication and authorization of user accounts.
|
| PR.AA-01.02 | Physical and logical access | Mitigates | T1078.004 | Cloud Accounts |
Comments
This diagnostic statement describes how the organization ensures users are identified and authenticated before accessing systems, applications, and hardware, with logical access controls permitting access only to authorized individuals with legitimate business needs. Logical access controls in relation to systems can refer to the use of MFA, user account management, and other role-based access control mechanisms to enforce policies for authentication and authorization of user accounts.
|
| PR.AA-01.02 | Physical and logical access | Mitigates | T1078.003 | Local Accounts |
Comments
This diagnostic statement describes how the organization ensures users are identified and authenticated before accessing systems, applications, and hardware, with logical access controls permitting access only to authorized individuals with legitimate business needs. Logical access controls in relation to systems can refer to the use of MFA, user account management, and other role-based access control mechanisms to enforce policies for authentication and authorization of user accounts.
|
| PR.AA-01.02 | Physical and logical access | Mitigates | T1078.002 | Domain Accounts |
Comments
This diagnostic statement describes how the organization ensures users are identified and authenticated before accessing systems, applications, and hardware, with logical access controls permitting access only to authorized individuals with legitimate business needs. Logical access controls in relation to systems can refer to the use of MFA, user account management, and other role-based access control mechanisms to enforce policies for authentication and authorization of user accounts.
|
| PR.AA-01.02 | Physical and logical access | Mitigates | T1078.001 | Default Accounts |
Comments
This diagnostic statement describes how the organization ensures users are identified and authenticated before accessing systems, applications, and hardware, with logical access controls permitting access only to authorized individuals with legitimate business needs. Logical access controls in relation to systems can refer to the use of MFA, user account management, and other role-based access control mechanisms to enforce policies for authentication and authorization of user accounts.
|
| PR.AA-01.02 | Physical and logical access | Mitigates | T1563 | Remote Service Session Hijacking |
Comments
This diagnostic statement describes how the organization ensures users are identified and authenticated before accessing systems, applications, and hardware, with logical access controls permitting access only to authorized individuals with legitimate business needs. Logical access controls in relation to systems can refer to the use of MFA, user account management, and other role-based access control mechanisms to enforce policies for authentication and authorization of user accounts.
|
| PR.AA-01.02 | Physical and logical access | Mitigates | T1003 | OS Credential Dumping |
Comments
This diagnostic statement describes how the organization ensures users are identified and authenticated before accessing systems, applications, and hardware, with logical access controls permitting access only to authorized individuals with legitimate business needs. Logical access controls in relation to systems can refer to the use of MFA, user account management, and other role-based access control mechanisms to enforce policies for authentication and authorization of user accounts.
|
| PR.AA-01.02 | Physical and logical access | Mitigates | T1558 | Steal or Forge Kerberos Tickets |
Comments
This diagnostic statement describes how the organization ensures users are identified and authenticated before accessing systems, applications, and hardware, with logical access controls permitting access only to authorized individuals with legitimate business needs. Logical access controls in relation to systems can refer to the use of MFA, user account management, and other role-based access control mechanisms to enforce policies for authentication and authorization of user accounts.
|
| PR.AA-01.02 | Physical and logical access | Mitigates | T1047 | Windows Management Instrumentation |
Comments
This diagnostic statement describes how the organization ensures users are identified and authenticated before accessing systems, applications, and hardware, with logical access controls permitting access only to authorized individuals with legitimate business needs. Logical access controls in relation to systems can refer to the use of MFA, user account management, and other role-based access control mechanisms to enforce policies for authentication and authorization of user accounts.
|
| PR.AA-01.02 | Physical and logical access | Mitigates | T1072 | Software Deployment Tools |
Comments
This diagnostic statement describes how the organization ensures users are identified and authenticated before accessing systems, applications, and hardware, with logical access controls permitting access only to authorized individuals with legitimate business needs. Logical access controls in relation to systems can refer to the use of MFA, user account management, and other role-based access control mechanisms to enforce policies for authentication and authorization of user accounts.
|
| PR.AA-01.02 | Physical and logical access | Mitigates | T1021 | Remote Services |
Comments
This diagnostic statement describes how the organization ensures users are identified and authenticated before accessing systems, applications, and hardware, with logical access controls permitting access only to authorized individuals with legitimate business needs. Logical access controls in relation to systems can refer to the use of MFA, user account management, and other role-based access control mechanisms to enforce policies for authentication and authorization of user accounts.
|
| PR.AA-01.02 | Physical and logical access | Mitigates | T1578.005 | Modify Cloud Compute Configurations |
Comments
This diagnostic statement describes how the organization ensures users are identified and authenticated before accessing systems, applications, and hardware, with logical access controls permitting access only to authorized individuals with legitimate business needs. Logical access controls in relation to systems can refer to the use of MFA, user account management, and other role-based access control mechanisms to enforce policies for authentication and authorization of user accounts.
|
| PR.AA-01.02 | Physical and logical access | Mitigates | T1578 | Modify Cloud Compute Infrastructure |
Comments
This diagnostic statement describes how the organization ensures users are identified and authenticated before accessing systems, applications, and hardware, with logical access controls permitting access only to authorized individuals with legitimate business needs. Logical access controls in relation to systems can refer to the use of MFA, user account management, and other role-based access control mechanisms to enforce policies for authentication and authorization of user accounts.
|
| PR.AA-01.02 | Physical and logical access | Mitigates | T1556 | Modify Authentication Process |
Comments
This diagnostic statement describes how the organization ensures users are identified and authenticated before accessing systems, applications, and hardware, with logical access controls permitting access only to authorized individuals with legitimate business needs. Logical access controls in relation to systems can refer to the use of MFA, user account management, and other role-based access control mechanisms to enforce policies for authentication and authorization of user accounts.
|
| PR.AA-01.02 | Physical and logical access | Mitigates | T1562 | Impair Defenses |
Comments
This diagnostic statement describes how the organization ensures users are identified and authenticated before accessing systems, applications, and hardware, with logical access controls permitting access only to authorized individuals with legitimate business needs. Logical access controls in relation to systems can refer to the use of MFA, user account management, and other role-based access control mechanisms to enforce policies for authentication and authorization of user accounts.
|
| PR.AA-01.02 | Physical and logical access | Mitigates | T1657 | Financial Theft |
Comments
This diagnostic statement describes how the organization ensures users are identified and authenticated before accessing systems, applications, and hardware, with logical access controls permitting access only to authorized individuals with legitimate business needs. Logical access controls in relation to systems can refer to the use of MFA, user account management, and other role-based access control mechanisms to enforce policies for authentication and authorization of user accounts.
|
| PR.AA-01.02 | Physical and logical access | Mitigates | T1006 | Direct Volume Access |
Comments
This diagnostic statement describes how the organization ensures users are identified and authenticated before accessing systems, applications, and hardware, with logical access controls permitting access only to authorized individuals with legitimate business needs. Logical access controls in relation to systems can refer to the use of MFA, user account management, and other role-based access control mechanisms to enforce policies for authentication and authorization of user accounts.
|
| PR.AA-01.02 | Physical and logical access | Mitigates | T1213 | Data from Information Repositories |
Comments
This diagnostic statement describes how the organization ensures users are identified and authenticated before accessing systems, applications, and hardware, with logical access controls permitting access only to authorized individuals with legitimate business needs. Logical access controls in relation to systems can refer to the use of MFA, user account management, and other role-based access control mechanisms to enforce policies for authentication and authorization of user accounts.
|
| PR.AA-01.02 | Physical and logical access | Mitigates | T1530 | Data from Cloud Storage |
Comments
This diagnostic statement describes how the organization ensures users are identified and authenticated before accessing systems, applications, and hardware, with logical access controls permitting access only to authorized individuals with legitimate business needs. Logical access controls in relation to systems can refer to the use of MFA, user account management, and other role-based access control mechanisms to enforce policies for authentication and authorization of user accounts.
|
| PR.AA-01.02 | Physical and logical access | Mitigates | T1555.005 | Password Managers |
Comments
This diagnostic statement describes how the organization ensures users are identified and authenticated before accessing systems, applications, and hardware, with logical access controls permitting access only to authorized individuals with legitimate business needs. Logical access controls in relation to systems can refer to the use of MFA, user account management, and other role-based access control mechanisms to enforce policies for authentication and authorization of user accounts.
|
| PR.AA-01.02 | Physical and logical access | Mitigates | T1555.003 | Credentials from Web Browsers |
Comments
This diagnostic statement describes how the organization ensures users are identified and authenticated before accessing systems, applications, and hardware, with logical access controls permitting access only to authorized individuals with legitimate business needs. Logical access controls in relation to systems can refer to the use of MFA, user account management, and other role-based access control mechanisms to enforce policies for authentication and authorization of user accounts.
|
| PR.AA-01.02 | Physical and logical access | Mitigates | T1543.005 | Container Service |
Comments
This diagnostic statement describes how the organization ensures users are identified and authenticated before accessing systems, applications, and hardware, with logical access controls permitting access only to authorized individuals with legitimate business needs. Logical access controls in relation to systems can refer to the use of MFA, user account management, and other role-based access control mechanisms to enforce policies for authentication and authorization of user accounts.
|
| PR.AA-01.02 | Physical and logical access | Mitigates | T1543.002 | Systemd Service |
Comments
This diagnostic statement describes how the organization ensures users are identified and authenticated before accessing systems, applications, and hardware, with logical access controls permitting access only to authorized individuals with legitimate business needs. Logical access controls in relation to systems can refer to the use of MFA, user account management, and other role-based access control mechanisms to enforce policies for authentication and authorization of user accounts.
|
| PR.AA-01.02 | Physical and logical access | Mitigates | T1543 | Create or Modify System Process |
Comments
This diagnostic statement describes how the organization ensures users are identified and authenticated before accessing systems, applications, and hardware, with logical access controls permitting access only to authorized individuals with legitimate business needs. Logical access controls in relation to systems can refer to the use of MFA, user account management, and other role-based access control mechanisms to enforce policies for authentication and authorization of user accounts.
|
| PR.AA-01.02 | Physical and logical access | Mitigates | T1609 | Container Administration Command |
Comments
This diagnostic statement describes how the organization ensures users are identified and authenticated before accessing systems, applications, and hardware, with logical access controls permitting access only to authorized individuals with legitimate business needs. Logical access controls in relation to systems can refer to the use of MFA, user account management, and other role-based access control mechanisms to enforce policies for authentication and authorization of user accounts.
|
| PR.AA-01.02 | Physical and logical access | Mitigates | T1556.004 | Network Device Authentication |
Comments
This diagnostic statement describes how the organization ensures users are identified and authenticated before accessing systems, applications, and hardware, with logical access controls permitting access only to authorized individuals with legitimate business needs. Logical access controls in relation to systems can refer to the use of MFA, user account management, and other role-based access control mechanisms to enforce policies for authentication and authorization of user accounts.
|
| PR.AA-01.02 | Physical and logical access | Mitigates | T1059.008 | Network Device CLI |
Comments
This diagnostic statement describes how the organization ensures users are identified and authenticated before accessing systems, applications, and hardware, with logical access controls permitting access only to authorized individuals with legitimate business needs. Logical access controls in relation to systems can refer to the use of MFA, user account management, and other role-based access control mechanisms to enforce policies for authentication and authorization of user accounts.
|
| PR.AA-01.02 | Physical and logical access | Mitigates | T1619 | Cloud Storage Object Discovery |
Comments
This diagnostic statement describes how the organization ensures users are identified and authenticated before accessing systems, applications, and hardware, with logical access controls permitting access only to authorized individuals with legitimate business needs. Logical access controls in relation to systems can refer to the use of MFA, user account management, and other role-based access control mechanisms to enforce policies for authentication and authorization of user accounts.
|
| PR.AA-01.02 | Physical and logical access | Mitigates | T1538 | Cloud Service Dashboard |
Comments
This diagnostic statement describes how the organization ensures users are identified and authenticated before accessing systems, applications, and hardware, with logical access controls permitting access only to authorized individuals with legitimate business needs. Logical access controls in relation to systems can refer to the use of MFA, user account management, and other role-based access control mechanisms to enforce policies for authentication and authorization of user accounts.
|
| PR.AA-01.02 | Physical and logical access | Mitigates | T1580 | Cloud Infrastructure Discovery |
Comments
This diagnostic statement describes how the organization ensures users are identified and authenticated before accessing systems, applications, and hardware, with logical access controls permitting access only to authorized individuals with legitimate business needs. Logical access controls in relation to systems can refer to the use of MFA, user account management, and other role-based access control mechanisms to enforce policies for authentication and authorization of user accounts.
|
| PR.AA-01.02 | Physical and logical access | Mitigates | T1110 | Brute Force |
Comments
This diagnostic statement describes how the organization ensures users are identified and authenticated before accessing systems, applications, and hardware, with logical access controls permitting access only to authorized individuals with legitimate business needs. Logical access controls in relation to systems can refer to the use of MFA, user account management, and other role-based access control mechanisms to enforce policies for authentication and authorization of user accounts.
|
| PR.AA-01.02 | Physical and logical access | Mitigates | T1547.013 | XDG Autostart Entries |
Comments
This diagnostic statement describes how the organization ensures users are identified and authenticated before accessing systems, applications, and hardware, with logical access controls permitting access only to authorized individuals with legitimate business needs. Logical access controls in relation to systems can refer to the use of MFA, user account management, and other role-based access control mechanisms to enforce policies for authentication and authorization of user accounts.
|
| PR.AA-01.02 | Physical and logical access | Mitigates | T1547.012 | Print Processors |
Comments
This diagnostic statement describes how the organization ensures users are identified and authenticated before accessing systems, applications, and hardware, with logical access controls permitting access only to authorized individuals with legitimate business needs. Logical access controls in relation to systems can refer to the use of MFA, user account management, and other role-based access control mechanisms to enforce policies for authentication and authorization of user accounts.
|
| PR.AA-01.02 | Physical and logical access | Mitigates | T1547.009 | Shortcut Modification |
Comments
This diagnostic statement describes how the organization ensures users are identified and authenticated before accessing systems, applications, and hardware, with logical access controls permitting access only to authorized individuals with legitimate business needs. Logical access controls in relation to systems can refer to the use of MFA, user account management, and other role-based access control mechanisms to enforce policies for authentication and authorization of user accounts.
|
| PR.AA-01.02 | Physical and logical access | Mitigates | T1547.006 | Kernel Modules and Extensions |
Comments
This diagnostic statement describes how the organization ensures users are identified and authenticated before accessing systems, applications, and hardware, with logical access controls permitting access only to authorized individuals with legitimate business needs. Logical access controls in relation to systems can refer to the use of MFA, user account management, and other role-based access control mechanisms to enforce policies for authentication and authorization of user accounts.
|
| PR.AA-01.02 | Physical and logical access | Mitigates | T1547.004 | Winlogon Helper DLL |
Comments
This diagnostic statement describes how the organization ensures users are identified and authenticated before accessing systems, applications, and hardware, with logical access controls permitting access only to authorized individuals with legitimate business needs. Logical access controls in relation to systems can refer to the use of MFA, user account management, and other role-based access control mechanisms to enforce policies for authentication and authorization of user accounts.
|
| PR.AA-01.02 | Physical and logical access | Mitigates | T1197 | BITS Jobs |
Comments
This diagnostic statement describes how the organization ensures users are identified and authenticated before accessing systems, applications, and hardware, with logical access controls permitting access only to authorized individuals with legitimate business needs. Logical access controls in relation to systems can refer to the use of MFA, user account management, and other role-based access control mechanisms to enforce policies for authentication and authorization of user accounts.
|
| PR.AA-01.02 | Physical and logical access | Mitigates | T1020.001 | Traffic Duplication |
Comments
This diagnostic statement describes how the organization ensures users are identified and authenticated before accessing systems, applications, and hardware, with logical access controls permitting access only to authorized individuals with legitimate business needs. Logical access controls in relation to systems can refer to the use of MFA, user account management, and other role-based access control mechanisms to enforce policies for authentication and authorization of user accounts.
|
| PR.AA-01.02 | Physical and logical access | Mitigates | T1098.006 | Additional Container Cluster Roles |
Comments
This diagnostic statement describes how the organization ensures users are identified and authenticated before accessing systems, applications, and hardware, with logical access controls permitting access only to authorized individuals with legitimate business needs. Logical access controls in relation to systems can refer to the use of MFA, user account management, and other role-based access control mechanisms to enforce policies for authentication and authorization of user accounts.
|
| PR.AA-01.02 | Physical and logical access | Mitigates | T1098.004 | SSH Authorized Keys |
Comments
This diagnostic statement describes how the organization ensures users are identified and authenticated before accessing systems, applications, and hardware, with logical access controls permitting access only to authorized individuals with legitimate business needs. Logical access controls in relation to systems can refer to the use of MFA, user account management, and other role-based access control mechanisms to enforce policies for authentication and authorization of user accounts.
|
| PR.AA-01.02 | Physical and logical access | Mitigates | T1098.003 | Additional Cloud Roles |
Comments
This diagnostic statement describes how the organization ensures users are identified and authenticated before accessing systems, applications, and hardware, with logical access controls permitting access only to authorized individuals with legitimate business needs. Logical access controls in relation to systems can refer to the use of MFA, user account management, and other role-based access control mechanisms to enforce policies for authentication and authorization of user accounts.
|
| PR.AA-01.02 | Physical and logical access | Mitigates | T1098.001 | Additional Cloud Credentials |
Comments
This diagnostic statement describes how the organization ensures users are identified and authenticated before accessing systems, applications, and hardware, with logical access controls permitting access only to authorized individuals with legitimate business needs. Logical access controls in relation to systems can refer to the use of MFA, user account management, and other role-based access control mechanisms to enforce policies for authentication and authorization of user accounts.
|
| PR.AA-01.02 | Physical and logical access | Mitigates | T1098 | Account Manipulation |
Comments
This diagnostic statement describes how the organization ensures users are identified and authenticated before accessing systems, applications, and hardware, with logical access controls permitting access only to authorized individuals with legitimate business needs. Logical access controls in relation to systems can refer to the use of MFA, user account management, and other role-based access control mechanisms to enforce policies for authentication and authorization of user accounts.
|
| PR.AA-01.02 | Physical and logical access | Mitigates | T1087.004 | Cloud Account |
Comments
This diagnostic statement describes how the organization ensures users are identified and authenticated before accessing systems, applications, and hardware, with logical access controls permitting access only to authorized individuals with legitimate business needs. Logical access controls in relation to systems can refer to the use of MFA, user account management, and other role-based access control mechanisms to enforce policies for authentication and authorization of user accounts.
|
| PR.AA-01.02 | Physical and logical access | Mitigates | T1087 | Account Discovery |
Comments
This diagnostic statement describes how the organization ensures users are identified and authenticated before accessing systems, applications, and hardware, with logical access controls permitting access only to authorized individuals with legitimate business needs. Logical access controls in relation to systems can refer to the use of MFA, user account management, and other role-based access control mechanisms to enforce policies for authentication and authorization of user accounts.
|
| PR.AA-01.02 | Physical and logical access | Mitigates | T1134.003 | Make and Impersonate Token |
Comments
This diagnostic statement describes how the organization ensures users are identified and authenticated before accessing systems, applications, and hardware, with logical access controls permitting access only to authorized individuals with legitimate business needs. Logical access controls in relation to systems can refer to the use of MFA, user account management, and other role-based access control mechanisms to enforce policies for authentication and authorization of user accounts.
|
| PR.AA-01.02 | Physical and logical access | Mitigates | T1134.002 | Create Process with Token |
Comments
This diagnostic statement describes how the organization ensures users are identified and authenticated before accessing systems, applications, and hardware, with logical access controls permitting access only to authorized individuals with legitimate business needs. Logical access controls in relation to systems can refer to the use of MFA, user account management, and other role-based access control mechanisms to enforce policies for authentication and authorization of user accounts.
|
| PR.AA-01.02 | Physical and logical access | Mitigates | T1134.001 | Token Impersonation/Theft |
Comments
This diagnostic statement describes how the organization ensures users are identified and authenticated before accessing systems, applications, and hardware, with logical access controls permitting access only to authorized individuals with legitimate business needs. Logical access controls in relation to systems can refer to the use of MFA, user account management, and other role-based access control mechanisms to enforce policies for authentication and authorization of user accounts.
|
| PR.AA-01.02 | Physical and logical access | Mitigates | T1134 | Access Token Manipulation |
Comments
This diagnostic statement describes how the organization ensures users are identified and authenticated before accessing systems, applications, and hardware, with logical access controls permitting access only to authorized individuals with legitimate business needs. Logical access controls in relation to systems can refer to the use of MFA, user account management, and other role-based access control mechanisms to enforce policies for authentication and authorization of user accounts.
|
| PR.AA-01.02 | Physical and logical access | Mitigates | T1548.005 | Temporary Elevated Cloud Access |
Comments
This diagnostic statement describes how the organization ensures users are identified and authenticated before accessing systems, applications, and hardware, with logical access controls permitting access only to authorized individuals with legitimate business needs. Logical access controls in relation to systems can refer to the use of MFA, user account management, and other role-based access control mechanisms to enforce policies for authentication and authorization of user accounts.
|
| PR.AA-01.02 | Physical and logical access | Mitigates | T1548 | Abuse Elevation Control Mechanism |
Comments
This diagnostic statement describes how the organization ensures users are identified and authenticated before accessing systems, applications, and hardware, with logical access controls permitting access only to authorized individuals with legitimate business needs. Logical access controls in relation to systems can refer to the use of MFA, user account management, and other role-based access control mechanisms to enforce policies for authentication and authorization of user accounts.
|
| PR.AA-01.02 | Physical and logical access | Mitigates | T1078 | Valid Accounts |
Comments
This diagnostic statement describes how the organization ensures users are identified and authenticated before accessing systems, applications, and hardware, with logical access controls permitting access only to authorized individuals with legitimate business needs. Logical access controls in relation to systems can refer to the use of MFA, user account management, and other role-based access control mechanisms to enforce policies for authentication and authorization of user accounts.
|
| PR.AA-03.01 | Authentication requirements | Mitigates | T1555.005 | Password Managers |
Comments
This diagnostic statement describes how the organization implement appropriate authentication requirements, including selecting mechanisms based on risk, utilizing multi-factor authentication where necessary, and safeguarding the storage of authenticators like pins and passwords to protect sensitive access credentials.
|
| PR.AA-03.01 | Authentication requirements | Mitigates | T1609 | Container Administration Command |
Comments
This diagnostic statement describes how the organization implement appropriate authentication requirements, including selecting mechanisms based on risk, utilizing multi-factor authentication where necessary, and safeguarding the storage of authenticators like pins and passwords to protect sensitive access credentials.
|
| PR.AA-03.01 | Authentication requirements | Mitigates | T1059.008 | Network Device CLI |
Comments
This diagnostic statement describes how the organization implement appropriate authentication requirements, including selecting mechanisms based on risk, utilizing multi-factor authentication where necessary, and safeguarding the storage of authenticators like pins and passwords to protect sensitive access credentials.
|
| PR.AA-03.01 | Authentication requirements | Mitigates | T1555.005 | Password Managers |
Comments
This diagnostic statement describes how the organization implement appropriate authentication requirements, including selecting mechanisms based on risk, utilizing multi-factor authentication where necessary, and safeguarding the storage of authenticators like pins and passwords to protect sensitive access credentials.
|
| PR.AA-03.01 | Authentication requirements | Mitigates | T1651 | Cloud Administration Command |
Comments
This diagnostic statement describes how the organization implement appropriate authentication requirements, including selecting mechanisms based on risk, utilizing multi-factor authentication where necessary, and safeguarding the storage of authenticators like pins and passwords to protect sensitive access credentials.
|
| PR.AA-03.01 | Authentication requirements | Mitigates | T1552 | Unsecured Credentials |
Comments
This diagnostic statement describes how the organization implement appropriate authentication requirements, including selecting mechanisms based on risk, utilizing multi-factor authentication where necessary, and safeguarding the storage of authenticators like pins and passwords to protect sensitive access credentials.
|
| PR.AA-03.01 | Authentication requirements | Mitigates | T1555 | Credentials from Password Stores |
Comments
This diagnostic statement describes how the organization implement appropriate authentication requirements, including selecting mechanisms based on risk, utilizing multi-factor authentication where necessary, and safeguarding the storage of authenticators like pins and passwords to protect sensitive access credentials.
|
| PR.AA-03.01 | Authentication requirements | Mitigates | T1649 | Steal or Forge Authentication Certificates |
Comments
This diagnostic statement describes how the organization implement appropriate authentication requirements, including selecting mechanisms based on risk, utilizing multi-factor authentication where necessary, and safeguarding the storage of authenticators like pins and passwords to protect sensitive access credentials.
|
| PR.AA-03.01 | Authentication requirements | Mitigates | T1556 | Modify Authentication Process |
Comments
This diagnostic statement describes how the organization implement appropriate authentication requirements, including selecting mechanisms based on risk, utilizing multi-factor authentication where necessary, and safeguarding the storage of authenticators like pins and passwords to protect sensitive access credentials.
|
| PR.AA-03.01 | Authentication requirements | Mitigates | T1558 | Steal or Forge Kerberos Tickets |
Comments
This diagnostic statement describes how the organization implement appropriate authentication requirements, including selecting mechanisms based on risk, utilizing multi-factor authentication where necessary, and safeguarding the storage of authenticators like pins and passwords to protect sensitive access credentials.
|
| PR.AA-03.01 | Authentication requirements | Mitigates | T1003.001 | LSASS Memory |
Comments
This diagnostic statement describes how the organization implement appropriate authentication requirements, including selecting mechanisms based on risk, utilizing multi-factor authentication where necessary, and safeguarding the storage of authenticators like pins and passwords to protect sensitive access credentials.
|
| PR.AA-03.01 | Authentication requirements | Mitigates | T1003 | OS Credential Dumping |
Comments
This diagnostic statement describes how the organization implement appropriate authentication requirements, including selecting mechanisms based on risk, utilizing multi-factor authentication where necessary, and safeguarding the storage of authenticators like pins and passwords to protect sensitive access credentials.
|
| PR.AA-03.01 | Authentication requirements | Mitigates | T1550 | Use Alternate Authentication Material |
Comments
This diagnostic statement describes how the organization implement appropriate authentication requirements, including selecting mechanisms based on risk, utilizing multi-factor authentication where necessary, and safeguarding the storage of authenticators like pins and passwords to protect sensitive access credentials.
|
| PR.AA-03.01 | Authentication requirements | Mitigates | T1187 | Forced Authentication |
Comments
This diagnostic statement describes how the organization implement appropriate authentication requirements, including selecting mechanisms based on risk, utilizing multi-factor authentication where necessary, and safeguarding the storage of authenticators like pins and passwords to protect sensitive access credentials.
|
| PR.AA-03.01 | Authentication requirements | Mitigates | T1556 | Modify Authentication Process |
Comments
This diagnostic statement describes how the organization implement appropriate authentication requirements, including selecting mechanisms based on risk, utilizing multi-factor authentication where necessary, and safeguarding the storage of authenticators like pins and passwords to protect sensitive access credentials.
|
| PR.AA-03.01 | Authentication requirements | Mitigates | T1078.004 | Cloud Accounts |
Comments
This diagnostic statement describes how the organization implement appropriate authentication requirements, including selecting mechanisms based on risk, utilizing multi-factor authentication where necessary, and safeguarding the storage of authenticators like pins and passwords to protect sensitive access credentials.
|
| PR.AA-03.01 | Authentication requirements | Mitigates | T1078.003 | Local Accounts |
Comments
This diagnostic statement describes how the organization implement appropriate authentication requirements, including selecting mechanisms based on risk, utilizing multi-factor authentication where necessary, and safeguarding the storage of authenticators like pins and passwords to protect sensitive access credentials.
|
| PR.AA-03.01 | Authentication requirements | Mitigates | T1078.002 | Domain Accounts |
Comments
This diagnostic statement describes how the organization implement appropriate authentication requirements, including selecting mechanisms based on risk, utilizing multi-factor authentication where necessary, and safeguarding the storage of authenticators like pins and passwords to protect sensitive access credentials.
|
| PR.AA-03.01 | Authentication requirements | Mitigates | T1078.001 | Default Accounts |
Comments
This diagnostic statement describes how the organization implement appropriate authentication requirements, including selecting mechanisms based on risk, utilizing multi-factor authentication where necessary, and safeguarding the storage of authenticators like pins and passwords to protect sensitive access credentials.
|
| PR.AA-03.01 | Authentication requirements | Mitigates | T1078 | Valid Accounts |
Comments
This diagnostic statement describes how the organization implement appropriate authentication requirements, including selecting mechanisms based on risk, utilizing multi-factor authentication where necessary, and safeguarding the storage of authenticators like pins and passwords to protect sensitive access credentials.
|
| PR.AA-03.01 | Authentication requirements | Mitigates | T1539 | Steal Web Session Cookie |
Comments
This diagnostic statement describes how the organization implement appropriate authentication requirements, including selecting mechanisms based on risk, utilizing multi-factor authentication where necessary, and safeguarding the storage of authenticators like pins and passwords to protect sensitive access credentials.
|
| PR.AA-03.01 | Authentication requirements | Mitigates | T1072 | Software Deployment Tools |
Comments
This diagnostic statement describes how the organization implement appropriate authentication requirements, including selecting mechanisms based on risk, utilizing multi-factor authentication where necessary, and safeguarding the storage of authenticators like pins and passwords to protect sensitive access credentials.
|
| PR.AA-03.01 | Authentication requirements | Mitigates | T1021.007 | Cloud Services |
Comments
This diagnostic statement describes how the organization implement appropriate authentication requirements, including selecting mechanisms based on risk, utilizing multi-factor authentication where necessary, and safeguarding the storage of authenticators like pins and passwords to protect sensitive access credentials.
|
| PR.AA-03.01 | Authentication requirements | Mitigates | T1021.004 | SSH |
Comments
This diagnostic statement describes how the organization implement appropriate authentication requirements, including selecting mechanisms based on risk, utilizing multi-factor authentication where necessary, and safeguarding the storage of authenticators like pins and passwords to protect sensitive access credentials.
|
| PR.AA-03.01 | Authentication requirements | Mitigates | T1021.001 | Remote Desktop Protocol |
Comments
This diagnostic statement describes how the organization implement appropriate authentication requirements, including selecting mechanisms based on risk, utilizing multi-factor authentication where necessary, and safeguarding the storage of authenticators like pins and passwords to protect sensitive access credentials.
|
| PR.AA-03.01 | Authentication requirements | Mitigates | T1021 | Remote Services |
Comments
This diagnostic statement describes how the organization implement appropriate authentication requirements, including selecting mechanisms based on risk, utilizing multi-factor authentication where necessary, and safeguarding the storage of authenticators like pins and passwords to protect sensitive access credentials.
|
| PR.AA-03.01 | Authentication requirements | Mitigates | T1599.001 | Network Address Translation Traversal |
Comments
This diagnostic statement describes how the organization implement appropriate authentication requirements, including selecting mechanisms based on risk, utilizing multi-factor authentication where necessary, and safeguarding the storage of authenticators like pins and passwords to protect sensitive access credentials.
|
| PR.AA-03.01 | Authentication requirements | Mitigates | T1599 | Network Boundary Bridging |
Comments
This diagnostic statement describes how the organization implement appropriate authentication requirements, including selecting mechanisms based on risk, utilizing multi-factor authentication where necessary, and safeguarding the storage of authenticators like pins and passwords to protect sensitive access credentials.
|
| PR.AA-03.01 | Authentication requirements | Mitigates | T1601.002 | Downgrade System Image |
Comments
This diagnostic statement describes how the organization implement appropriate authentication requirements, including selecting mechanisms based on risk, utilizing multi-factor authentication where necessary, and safeguarding the storage of authenticators like pins and passwords to protect sensitive access credentials.
|
| PR.AA-03.01 | Authentication requirements | Mitigates | T1601.001 | Patch System Image |
Comments
This diagnostic statement describes how the organization implement appropriate authentication requirements, including selecting mechanisms based on risk, utilizing multi-factor authentication where necessary, and safeguarding the storage of authenticators like pins and passwords to protect sensitive access credentials.
|
| PR.AA-03.01 | Authentication requirements | Mitigates | T1601 | Modify System Image |
Comments
This diagnostic statement describes how the organization implement appropriate authentication requirements, including selecting mechanisms based on risk, utilizing multi-factor authentication where necessary, and safeguarding the storage of authenticators like pins and passwords to protect sensitive access credentials.
|
| PR.AA-03.01 | Authentication requirements | Mitigates | T1556.007 | Hybrid Identity |
Comments
This diagnostic statement describes how the organization implement appropriate authentication requirements, including selecting mechanisms based on risk, utilizing multi-factor authentication where necessary, and safeguarding the storage of authenticators like pins and passwords to protect sensitive access credentials.
|
| PR.AA-03.01 | Authentication requirements | Mitigates | T1556.006 | Multi-Factor Authentication |
Comments
This diagnostic statement describes how the organization implement appropriate authentication requirements, including selecting mechanisms based on risk, utilizing multi-factor authentication where necessary, and safeguarding the storage of authenticators like pins and passwords to protect sensitive access credentials.
|
| PR.AA-03.01 | Authentication requirements | Mitigates | T1556.004 | Network Device Authentication |
Comments
This diagnostic statement describes how the organization implement appropriate authentication requirements, including selecting mechanisms based on risk, utilizing multi-factor authentication where necessary, and safeguarding the storage of authenticators like pins and passwords to protect sensitive access credentials.
|
| PR.AA-03.01 | Authentication requirements | Mitigates | T1556.001 | Domain Controller Authentication |
Comments
This diagnostic statement describes how the organization implement appropriate authentication requirements, including selecting mechanisms based on risk, utilizing multi-factor authentication where necessary, and safeguarding the storage of authenticators like pins and passwords to protect sensitive access credentials.
|
| PR.AA-03.01 | Authentication requirements | Mitigates | T1556 | Modify Authentication Process |
Comments
This diagnostic statement describes how the organization implement appropriate authentication requirements, including selecting mechanisms based on risk, utilizing multi-factor authentication where necessary, and safeguarding the storage of authenticators like pins and passwords to protect sensitive access credentials.
|
| PR.AA-03.01 | Authentication requirements | Mitigates | T1133 | External Remote Services |
Comments
This diagnostic statement describes how the organization implement appropriate authentication requirements, including selecting mechanisms based on risk, utilizing multi-factor authentication where necessary, and safeguarding the storage of authenticators like pins and passwords to protect sensitive access credentials.
|
| PR.AA-03.01 | Authentication requirements | Mitigates | T1114 | Email Collection |
Comments
This diagnostic statement describes how the organization implement appropriate authentication requirements, including selecting mechanisms based on risk, utilizing multi-factor authentication where necessary, and safeguarding the storage of authenticators like pins and passwords to protect sensitive access credentials.
|
| PR.AA-03.01 | Authentication requirements | Mitigates | T1593.003 | Code Repositories |
Comments
This diagnostic statement describes how the organization implement appropriate authentication requirements, including selecting mechanisms based on risk, utilizing multi-factor authentication where necessary, and safeguarding the storage of authenticators like pins and passwords to protect sensitive access credentials.
|
| PR.AA-03.01 | Authentication requirements | Mitigates | T1213 | Data from Information Repositories |
Comments
This diagnostic statement describes how the organization implement appropriate authentication requirements, including selecting mechanisms based on risk, utilizing multi-factor authentication where necessary, and safeguarding the storage of authenticators like pins and passwords to protect sensitive access credentials.
|
| PR.AA-03.01 | Authentication requirements | Mitigates | T1530 | Data from Cloud Storage |
Comments
This diagnostic statement describes how the organization implement appropriate authentication requirements, including selecting mechanisms based on risk, utilizing multi-factor authentication where necessary, and safeguarding the storage of authenticators like pins and passwords to protect sensitive access credentials.
|
| PR.AA-03.01 | Authentication requirements | Mitigates | T1136.003 | Cloud Account |
Comments
This diagnostic statement describes how the organization implement appropriate authentication requirements, including selecting mechanisms based on risk, utilizing multi-factor authentication where necessary, and safeguarding the storage of authenticators like pins and passwords to protect sensitive access credentials.
|
| PR.AA-03.01 | Authentication requirements | Mitigates | T1136.002 | Domain Account |
Comments
This diagnostic statement describes how the organization implement appropriate authentication requirements, including selecting mechanisms based on risk, utilizing multi-factor authentication where necessary, and safeguarding the storage of authenticators like pins and passwords to protect sensitive access credentials.
|
| PR.AA-03.01 | Authentication requirements | Mitigates | T1136.001 | Local Account |
Comments
This diagnostic statement describes how the organization implement appropriate authentication requirements, including selecting mechanisms based on risk, utilizing multi-factor authentication where necessary, and safeguarding the storage of authenticators like pins and passwords to protect sensitive access credentials.
|
| PR.AA-03.01 | Authentication requirements | Mitigates | T1136 | Create Account |
Comments
This diagnostic statement describes how the organization implement appropriate authentication requirements, including selecting mechanisms based on risk, utilizing multi-factor authentication where necessary, and safeguarding the storage of authenticators like pins and passwords to protect sensitive access credentials.
|
| PR.AA-03.01 | Authentication requirements | Mitigates | T1110.002 | Password Cracking |
Comments
This diagnostic statement describes how the organization implement appropriate authentication requirements, including selecting mechanisms based on risk, utilizing multi-factor authentication where necessary, and safeguarding the storage of authenticators like pins and passwords to protect sensitive access credentials.
|
| PR.AA-03.01 | Authentication requirements | Mitigates | T1110.004 | Credential Stuffing |
Comments
This diagnostic statement describes how the organization implement appropriate authentication requirements, including selecting mechanisms based on risk, utilizing multi-factor authentication where necessary, and safeguarding the storage of authenticators like pins and passwords to protect sensitive access credentials.
|
| PR.AA-03.01 | Authentication requirements | Mitigates | T1110.003 | Password Spraying |
Comments
This diagnostic statement describes how the organization implement appropriate authentication requirements, including selecting mechanisms based on risk, utilizing multi-factor authentication where necessary, and safeguarding the storage of authenticators like pins and passwords to protect sensitive access credentials.
|
| PR.AA-03.01 | Authentication requirements | Mitigates | T1110.001 | Password Guessing |
Comments
This diagnostic statement describes how the organization implement appropriate authentication requirements, including selecting mechanisms based on risk, utilizing multi-factor authentication where necessary, and safeguarding the storage of authenticators like pins and passwords to protect sensitive access credentials.
|
| PR.AA-03.01 | Authentication requirements | Mitigates | T1110 | Brute Force |
Comments
This diagnostic statement describes how the organization implement appropriate authentication requirements, including selecting mechanisms based on risk, utilizing multi-factor authentication where necessary, and safeguarding the storage of authenticators like pins and passwords to protect sensitive access credentials.
|
| PR.AA-03.01 | Authentication requirements | Mitigates | T1098.006 | Additional Container Cluster Roles |
Comments
This diagnostic statement describes how the organization implement appropriate authentication requirements, including selecting mechanisms based on risk, utilizing multi-factor authentication where necessary, and safeguarding the storage of authenticators like pins and passwords to protect sensitive access credentials.
|
| PR.AA-03.01 | Authentication requirements | Mitigates | T1098.005 | Device Registration |
Comments
This diagnostic statement describes how the organization implement appropriate authentication requirements, including selecting mechanisms based on risk, utilizing multi-factor authentication where necessary, and safeguarding the storage of authenticators like pins and passwords to protect sensitive access credentials.
|
| PR.AA-03.01 | Authentication requirements | Mitigates | T1098.003 | Additional Cloud Roles |
Comments
This diagnostic statement describes how the organization implement appropriate authentication requirements, including selecting mechanisms based on risk, utilizing multi-factor authentication where necessary, and safeguarding the storage of authenticators like pins and passwords to protect sensitive access credentials.
|
| PR.AA-03.01 | Authentication requirements | Mitigates | T1098.001 | Additional Cloud Credentials |
Comments
This diagnostic statement describes how the organization implement appropriate authentication requirements, including selecting mechanisms based on risk, utilizing multi-factor authentication where necessary, and safeguarding the storage of authenticators like pins and passwords to protect sensitive access credentials.
|
| PR.AA-03.01 | Authentication requirements | Mitigates | T1098 | Account Manipulation |
Comments
This diagnostic statement describes how the organization implement appropriate authentication requirements, including selecting mechanisms based on risk, utilizing multi-factor authentication where necessary, and safeguarding the storage of authenticators like pins and passwords to protect sensitive access credentials.
|
| PR.AA-05.04 | Third-party access management | Mitigates | T1078 | Valid Accounts |
Comments
This diagnostic statement includes implementation of controls for third-party access to an organization’s systems. Conditional access policies can be used to block logins from non-compliant devices or from outside defined IP ranges.
|
| PR.AA-05.04 | Third-party access management | Mitigates | T1110 | Brute Force |
Comments
This diagnostic statement includes implementation of controls for third-party access to an organization’s systems. Enforcing third-party account use policies to include account lockout policies after a certain number of failed login attempts mitigates the risk of brute-force attacks.
|
| PR.AA-05.04 | Third-party access management | Mitigates | T1199 | Trusted Relationship |
Comments
This diagnostic statement includes implementation of controls for third-party access to an organization’s systems. Manage accounts and permissions used by parties in trusted relationships to minimize potential abuse by the party or if the party is compromised by an adversary.
|
| PR.IR-01.01 | Network segmentation | Mitigates | T1552 | Unsecured Credentials |
Comments
This diagnostic statement is for the implementation of network segmentation which helps prevent access to critical systems and sensitive information. Employing network filtering, defense-in-depth, and access isolation principles provides protection against adversaries trying to obtain unsecured credentials.
|
| PR.IR-01.01 | Network segmentation | Mitigates | T1552.007 | Container API |
Comments
This diagnostic statement is for the implementation of network segmentation which helps prevent access to critical systems and sensitive information. Employing secure network configuration, defense-in-depth, and access isolation principles provides protection against adversaries attempting to obtain credentials via APIs within a containers environment.
|
| PR.IR-01.01 | Network segmentation | Mitigates | T1199 | Trusted Relationship |
Comments
This diagnostic statement is for the implementation of network segmentation which helps prevent access to critical systems and sensitive information. Employing network segmentation to isolate infrastructure and limit access through trusted third party relationships.
|
| PR.IR-01.01 | Network segmentation | Mitigates | T1072 | Software Deployment Tools |
Comments
This diagnostic statement is for the implementation of network segmentation which helps prevent access to critical systems and sensitive information. The permissions required for execution of this technique vary by system configuration. Employing proper system isolation can protect critical network systems from potential exploitation.
|
| PR.IR-01.01 | Network segmentation | Mitigates | T1489 | Service Stop |
Comments
This diagnostic statement is for the implementation of network segmentation which helps prevent access to critical systems and sensitive information. Employing defense-in-depth and access isolation provides protection against adversaries attempting to stop services.
|
| PR.IR-01.01 | Network segmentation | Mitigates | T1021.001 | Remote Desktop Protocol |
Comments
This diagnostic statement is for the implementation of network segmentation which helps prevent access to critical systems and sensitive information. Employing measures such as blocking RDP traffic between network security zones provides protection against adversaries attempting to use RDP to expand access.
|
| PR.IR-01.01 | Network segmentation | Mitigates | T1021.003 | Distributed Component Object Model |
Comments
This diagnostic statement is for the implementation of network segmentation which helps prevent access to critical systems and sensitive information. Employing measures such as Windows Firewall provides protection against adversaries attempting to exploit Distributed Component Object Model.
|
| PR.IR-01.01 | Network segmentation | Mitigates | T1021.006 | Windows Remote Management |
Comments
This diagnostic statement is for the implementation of network segmentation which helps prevent access to critical systems and sensitive information. Employing measures such as blocking or restricting WinRM provides protection against adversaries attempting to exploit this service.
|
| PR.IR-01.01 | Network segmentation | Mitigates | T1563 | Remote Service Session Hijacking |
Comments
This diagnostic statement is for the implementation of network segmentation which helps prevent access to critical systems and sensitive information. Blocking network traffic that is not necessary can mitigate, or at least alleviate, use of remote services to move laterally in an environment.
|
| PR.IR-01.01 | Network segmentation | Mitigates | T1563.002 | RDP Hijacking |
Comments
This diagnostic statement is for the implementation of network segmentation which helps prevent access to critical systems and sensitive information. Blocking network traffic that is not necessary can mitigate, or at least alleviate, use of remote desktop to move laterally in an environment.
|
| PR.IR-01.01 | Network segmentation | Mitigates | T1571 | Non-Standard Port |
Comments
This diagnostic statement is for the implementation of network segmentation which helps prevent access to critical systems and sensitive information. Configuring firewalls and proxies to limit outgoing traffic to only necessary ports and proper systems can mitigate use of this technique.
|
| PR.IR-01.01 | Network segmentation | Mitigates | T1095 | Non-Application Layer Protocol |
Comments
This diagnostic statement is for the implementation of network segmentation which helps prevent access to critical systems and sensitive information. Configuring firewalls and proxies to limit outgoing traffic to only necessary ports and proper systems can mitigate use of this technique.
|
| PR.IR-01.01 | Network segmentation | Mitigates | T1040 | Network Sniffing |
Comments
This diagnostic statement is for the implementation of network segmentation which helps prevent access to critical systems and sensitive information. Employing measures such as denying direct access of broadcasts and multicast sniffing can prevent network sniffing attacks.
|
| PR.IR-01.01 | Network segmentation | Mitigates | T1046 | Network Service Discovery |
Comments
This diagnostic statement is for the implementation of network segmentation which helps prevent access to critical systems and sensitive information. Employing proper network segmentation can protect critical servers and devices from discovery and potential exploitation.
|
| PR.IR-01.01 | Network segmentation | Mitigates | T1133 | External Remote Services |
Comments
This diagnostic statement is for the implementation of network segmentation which helps prevent access to critical systems and sensitive information. Denying direct remote access to internal systems to prevent adversaries from leveraging external-facing remote services to access and/or persist within a network.
|
| PR.IR-01.01 | Network segmentation | Mitigates | T1210 | Exploitation of Remote Services |
Comments
This diagnostic statement is for the implementation of network segmentation which helps prevent access to critical systems and sensitive information. Segmenting externally facing networks and systems appropriately to mitigate exploitation of remote services.
|
| PR.IR-01.01 | Network segmentation | Mitigates | T1190 | Exploit Public-Facing Application |
Comments
This diagnostic statement is for the implementation of network segmentation which helps prevent access to critical systems and sensitive information. Segment externally facing servers and services to mitigate exploitation of public-facing applications.
|
| PR.IR-01.01 | Network segmentation | Mitigates | T1048 | Exfiltration Over Alternative Protocol |
Comments
This diagnostic statement is for the implementation of network segmentation which helps prevent access to critical systems and sensitive information. Network firewall configurations that allow only necessary ports and traffic can mitigate exfiltration of data over alternate protocols.
|
| PR.IR-01.01 | Network segmentation | Mitigates | T1048.001 | Exfiltration Over Symmetric Encrypted Non-C2 Protocol |
Comments
This diagnostic statement is for the implementation of network segmentation which helps prevent access to critical systems and sensitive information. Network firewall configurations that allow only necessary ports and traffic can mitigate exfiltration of data over alternate protocols.
|
| PR.IR-01.01 | Network segmentation | Mitigates | T1048.002 | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol |
Comments
This diagnostic statement is for the implementation of network segmentation which helps prevent access to critical systems and sensitive information. Network firewall configurations that allow only necessary ports and traffic can mitigate exfiltration of data over alternate protocols.
|
| PR.IR-01.01 | Network segmentation | Mitigates | T1048.003 | Exfiltration Over Unencrypted Non-C2 Protocol |
Comments
This diagnostic statement is for the implementation of network segmentation which helps prevent access to critical systems and sensitive information. Network firewall configurations that allow only necessary ports and traffic can mitigate exfiltration of data over alternate protocols.
|
| PR.IR-01.01 | Network segmentation | Mitigates | T1482 | Domain Trust Discovery |
Comments
This diagnostic statement is for the implementation of network segmentation which helps prevent access to critical systems and sensitive information. Employing network segmentation for sensitive domains can help prevent adversary exploitation of domain trust relationships.
|
| PR.IR-01.01 | Network segmentation | Mitigates | T1610 | Deploy Container |
Comments
This diagnostic statement is for the implementation of network segmentation which helps prevent access to critical systems and sensitive information. Employing network segmentation to deny direct remote access to internal systems externally provides protection against adversaries attempting to deploy containers.
|
| PR.IR-01.01 | Network segmentation | Mitigates | T1565 | Data Manipulation |
Comments
This diagnostic statement is for the implementation of network segmentation which helps prevent access to critical systems and sensitive information. Employ network segmentation to isolate and secure systems hosting critical business and system processes.
|
| PR.IR-01.01 | Network segmentation | Mitigates | T1565.003 | Runtime Data Manipulation |
Comments
This diagnostic statement is for the implementation of network segmentation which helps prevent access to critical systems and sensitive information. Employ network segmentation to isolate and secure systems hosting critical business and system processes.
|
| PR.IR-01.01 | Network segmentation | Mitigates | T1602 | Data from Configuration Repository |
Comments
This diagnostic statement is for the implementation of network segmentation which helps prevent access to critical systems and sensitive information. Employ network segmentation to segregate traffic to provide protection against adversaries attempting to obtain data from configuration repositories.
|
| PR.IR-01.01 | Network segmentation | Mitigates | T1602.001 | SNMP (MIB Dump) |
Comments
This diagnostic statement is for the implementation of network segmentation which helps prevent access to critical systems and sensitive information. Employ network segmentation to segregate traffic to provide protection against adversaries attempting to obtain data from configuration repositories.
|
| PR.IR-01.01 | Network segmentation | Mitigates | T1602.002 | Network Device Configuration Dump |
Comments
This diagnostic statement is for the implementation of network segmentation which helps prevent access to critical systems and sensitive information. Employ network segmentation to segregate traffic to provide protection against adversaries attempting to obtain data from configuration repositories.
|
| PR.IR-01.01 | Network segmentation | Mitigates | T1136 | Create Account |
Comments
This diagnostic statement is for the implementation of network segmentation which helps prevent access to critical systems and sensitive information. Limit access to critical systems and domain controllers to provide protection against adversaries attempting to create accounts.
|
| PR.IR-01.01 | Network segmentation | Mitigates | T1136.002 | Domain Account |
Comments
This diagnostic statement is for the implementation of network segmentation which helps prevent access to critical systems and sensitive information. Limit access to critical systems and domain controllers to provide protection against adversaries attempting to create accounts.
|
| PR.IR-01.01 | Network segmentation | Mitigates | T1136.003 | Cloud Account |
Comments
This diagnostic statement is for the implementation of network segmentation which helps prevent access to critical systems and sensitive information. Limit access to critical systems and domain controllers to provide protection against adversaries attempting to create accounts.
|
| PR.IR-01.01 | Network segmentation | Mitigates | T1613 | Container and Resource Discovery |
Comments
This diagnostic statement is for the implementation of network segmentation which helps prevent access to critical systems and sensitive information. Employing network segmentation to deny direct remote access to internal systems externally provides protection against adversaries attempting to discover resources in container environments.
|
| PR.IR-01.01 | Network segmentation | Mitigates | T1612 | Build Image on Host |
Comments
This diagnostic statement protects against Build Image on Host through the use of network segmentation, firewalls, secure network configuration, defense-in-depth and access isolation principles. Employing defense-in-depth and access isolation principles provides protection against adversaries attempting to build image on host.
|
| PR.IR-01.01 | Network segmentation | Mitigates | T1557 | Adversary-in-the-Middle |
Comments
This diagnostic statement is for the implementation of network segmentation which helps prevent access to critical systems and sensitive information. Isolate infrastructure components and blocking network traffic that is not necessary can mitigate, or at least alleviate, the scope of AiTM activity.
|
| PR.IR-01.01 | Network segmentation | Mitigates | T1557.001 | LLMNR/NBT-NS Poisoning and SMB Relay |
Comments
This diagnostic statement is for the implementation of network segmentation which helps prevent access to critical systems and sensitive information. Isolate infrastructure components and blocking network traffic that is not necessary can mitigate, or at least alleviate, the scope of AiTM activity.
|
| PR.IR-01.01 | Network segmentation | Mitigates | T1098 | Account Manipulation |
Comments
This diagnostic statement is for the implementation of network segmentation which helps prevent access to critical systems and sensitive information. Employing proper network segmentation limits access to critical systems and domain controllers.
|
| PR.IR-01.01 | Network segmentation | Mitigates | T1098.001 | Additional Cloud Credentials |
Comments
This diagnostic statement is for the implementation of network segmentation which helps prevent access to critical systems and sensitive information. Employing proper network segmentation limits access to critical systems and domain controllers.
|
| PR.IR-01.01 | Network segmentation | Mitigates | T1552.005 | Cloud Instance Metadata API |
Comments
This diagnostic statement is for the implementation of network segmentation which helps prevent access to critical systems and sensitive information. Employing network filtering, defense-in-depth, and access isolation principles provides protection against adversaries attempting to obtain credentials and other sensitive data.
|
| PR.IR-01.01 | Network segmentation | Mitigates | T1557.002 | ARP Cache Poisoning |
Comments
This diagnostic statement is for the implementation of network segmentation which helps prevent access to critical systems and sensitive information. Isolate infrastructure components and blocking network traffic that is not necessary can mitigate, or at least alleviate, the scope of AiTM activity.
|
| PR.IR-01.01 | Network segmentation | Mitigates | T1557.003 | DHCP Spoofing |
Comments
This diagnostic statement is for the implementation of network segmentation which helps prevent access to critical systems and sensitive information. Isolate infrastructure components and blocking network traffic that is not necessary can mitigate, or at least alleviate, the scope of AiTM activity.
|
| PR.IR-04.01 | Utilization monitoring | Mitigates | T1102 | Web Service |
Comments
This diagnostic statement describes how the organization establishes and manages baseline measures of network activity. Supported by network monitoring tools and other controls to detect events and identify incidents. Mitigating mechanisms may include: Data Loss Prevention (DLP); Filtering Network Traffic; Limit Network Traffic; Network Intrusion Prevention Systems (NIPS); and Network Segmentation for these type of network-based techniques.
|
| PR.IR-04.01 | Utilization monitoring | Mitigates | T1104 | Multi-Stage Channels |
Comments
This diagnostic statement describes how the organization establishes and manages baseline measures of network activity. Supported by network monitoring tools and other controls to detect events and identify incidents. Mitigating mechanisms may include: Data Loss Prevention (DLP); Filtering Network Traffic; Limit Network Traffic; Network Intrusion Prevention Systems (NIPS); and Network Segmentation for these type of network-based techniques.
|
| PR.IR-04.01 | Utilization monitoring | Mitigates | T1008 | Fallback Channels |
Comments
This diagnostic statement describes how the organization establishes and manages baseline measures of network activity. Supported by network monitoring tools and other controls to detect events and identify incidents. Mitigating mechanisms may include: Data Loss Prevention (DLP); Filtering Network Traffic; Limit Network Traffic; Network Intrusion Prevention Systems (NIPS); and Network Segmentation for these type of network-based techniques.
|
| PR.IR-04.01 | Utilization monitoring | Mitigates | T1573 | Encrypted Channel |
Comments
This diagnostic statement describes how the organization establishes and manages baseline measures of network activity. Supported by network monitoring tools and other controls to detect events and identify incidents. Mitigating mechanisms may include: Data Loss Prevention (DLP); Filtering Network Traffic; Limit Network Traffic; Network Intrusion Prevention Systems (NIPS); and Network Segmentation for these type of network-based techniques.
|
| PR.IR-04.01 | Utilization monitoring | Mitigates | T1030 | Data Transfer Size Limits |
Comments
This diagnostic statement describes how the organization establishes and manages baseline measures of network activity. Supported by network monitoring tools and other controls to detect events and identify incidents. Mitigating mechanisms may include: Data Loss Prevention (DLP); Filtering Network Traffic; Limit Network Traffic; Network Intrusion Prevention Systems (NIPS); and Network Segmentation for these type of network-based techniques.
|
| PR.IR-04.01 | Utilization monitoring | Mitigates | T1071.001 | Web Protocols |
Comments
This diagnostic statement describes how the organization establishes and manages baseline measures of network activity. Supported by network monitoring tools and other controls to detect events and identify incidents. Mitigating mechanisms may include: Data Loss Prevention (DLP); Filtering Network Traffic; Limit Network Traffic; Network Intrusion Prevention Systems (NIPS); and Network Segmentation for these type of network-based techniques.
|
| PR.IR-04.01 | Utilization monitoring | Mitigates | T1567 | Exfiltration Over Web Service |
Comments
This diagnostic statement describes how the organization establishes and manages baseline measures of network activity. Supported by network monitoring tools and other controls to detect events and identify incidents. Mitigating mechanisms may include: Data Loss Prevention (DLP); Filtering Network Traffic; Limit Network Traffic; Network Intrusion Prevention Systems (NIPS); and Network Segmentation for these type of network-based techniques.
|
| PR.IR-04.01 | Utilization monitoring | Mitigates | T1572 | Protocol Tunneling |
Comments
This diagnostic statement describes how the organization establishes and manages baseline measures of network activity. Supported by network monitoring tools and other controls to detect events and identify incidents. Mitigating mechanisms may include: Data Loss Prevention (DLP); Filtering Network Traffic; Limit Network Traffic; Network Intrusion Prevention Systems (NIPS); and Network Segmentation for these type of network-based techniques.
|
| PR.IR-04.01 | Utilization monitoring | Mitigates | T1599 | Network Boundary Bridging |
Comments
This diagnostic statement describes how the organization establishes and manages baseline measures of network activity. Supported by network monitoring tools and other controls to detect events and identify incidents. Mitigating mechanisms may include: Data Loss Prevention (DLP); Filtering Network Traffic; Limit Network Traffic; Network Intrusion Prevention Systems (NIPS); and Network Segmentation for these type of network-based techniques.
|
| PR.IR-04.01 | Utilization monitoring | Mitigates | T1499 | Endpoint Denial of Service |
Comments
This diagnostic statement describes how the organization establishes and manages baseline measures of network activity. Supported by network monitoring tools and other controls to detect events and identify incidents. Mitigating mechanisms may include: Data Loss Prevention (DLP); Filtering Network Traffic; Limit Network Traffic; Network Intrusion Prevention Systems (NIPS); and Network Segmentation for these type of network-based techniques.
|
| PR.IR-04.01 | Utilization monitoring | Mitigates | T1498 | Network Denial of Service |
Comments
This diagnostic statement describes how the organization establishes and manages baseline measures of network activity. Supported by network monitoring tools and other controls to detect events and identify incidents. Mitigating mechanisms may include: Data Loss Prevention (DLP); Filtering Network Traffic; Limit Network Traffic; Network Intrusion Prevention Systems (NIPS); and Network Segmentation for these type of network-based techniques.
|
| PR.IR-04.01 | Utilization monitoring | Mitigates | T1020 | Automated Exfiltration |
Comments
This diagnostic statement describes how the organization establishes and manages baseline measures of network activity. Supported by network monitoring tools and other controls to detect events and identify incidents. Mitigating mechanisms may include: Data Loss Prevention (DLP); Filtering Network Traffic; Limit Network Traffic; Network Intrusion Prevention Systems (NIPS); and Network Segmentation for these type of network-based techniques.
|
| PR.IR-04.01 | Utilization monitoring | Mitigates | T1567 | Exfiltration Over Web Service |
Comments
This diagnostic statement describes how the organization establishes and manages baseline measures of network activity. Supported by network monitoring tools and other controls to detect events and identify incidents. Mitigating mechanisms may include: Data Loss Prevention (DLP); Filtering Network Traffic; Limit Network Traffic; Network Intrusion Prevention Systems (NIPS); and Network Segmentation for these type of network-based techniques.
|
| PR.IR-04.01 | Utilization monitoring | Mitigates | T1133 | External Remote Services |
Comments
This diagnostic statement describes how the organization establishes and manages baseline measures of network activity. Supported by network monitoring tools and other controls to detect events and identify incidents. Mitigating mechanisms may include: Data Loss Prevention (DLP); Filtering Network Traffic; Limit Network Traffic; Network Intrusion Prevention Systems (NIPS); and Network Segmentation for these type of network-based techniques.
|
| PR.IR-04.01 | Utilization monitoring | Mitigates | T1046 | Network Service Discovery |
Comments
This diagnostic statement describes how the organization establishes and manages baseline measures of network activity. Supported by network monitoring tools and other controls to detect events and identify incidents. Mitigating mechanisms may include: Data Loss Prevention (DLP); Filtering Network Traffic; Limit Network Traffic; Network Intrusion Prevention Systems (NIPS); and Network Segmentation for these type of network-based techniques.
|
| PR.IR-04.01 | Utilization monitoring | Mitigates | T1571 | Non-Standard Port |
Comments
This diagnostic statement describes how the organization establishes and manages baseline measures of network activity. Supported by network monitoring tools and other controls to detect events and identify incidents. Mitigating mechanisms may include: Data Loss Prevention (DLP); Filtering Network Traffic; Limit Network Traffic; Network Intrusion Prevention Systems (NIPS); and Network Segmentation for these type of network-based techniques.
|
| PR.IR-04.01 | Utilization monitoring | Mitigates | T1552.007 | Container API |
Comments
This diagnostic statement describes how the organization establishes and manages baseline measures of network activity. Supported by network monitoring tools and other controls to detect events and identify incidents. Mitigating mechanisms may include: Data Loss Prevention (DLP); Filtering Network Traffic; Limit Network Traffic; Network Intrusion Prevention Systems (NIPS); and Network Segmentation for these type of network-based techniques.
|
| PR.IR-04.01 | Utilization monitoring | Mitigates | T1552.005 | Cloud Instance Metadata API |
Comments
This diagnostic statement describes how the organization establishes and manages baseline measures of network activity. Supported by network monitoring tools and other controls to detect events and identify incidents. Mitigating mechanisms may include: Data Loss Prevention (DLP); Filtering Network Traffic; Limit Network Traffic; Network Intrusion Prevention Systems (NIPS); and Network Segmentation for these type of network-based techniques.
|
| PR.IR-04.01 | Utilization monitoring | Mitigates | T1090.003 | Multi-hop Proxy |
Comments
This diagnostic statement describes how the organization establishes and manages baseline measures of network activity. Supported by network monitoring tools and other controls to detect events and identify incidents. Mitigating mechanisms may include: Data Loss Prevention (DLP); Filtering Network Traffic; Limit Network Traffic; Network Intrusion Prevention Systems (NIPS); and Network Segmentation for these type of network-based techniques.
|
| PR.IR-04.01 | Utilization monitoring | Mitigates | T1090 | Proxy |
Comments
This diagnostic statement describes how the organization establishes and manages baseline measures of network activity. Supported by network monitoring tools and other controls to detect events and identify incidents. Mitigating mechanisms may include: Data Loss Prevention (DLP); Filtering Network Traffic; Limit Network Traffic; Network Intrusion Prevention Systems (NIPS); and Network Segmentation for these type of network-based techniques.
|
| PR.IR-04.01 | Utilization monitoring | Mitigates | T1572 | Protocol Tunneling |
Comments
This diagnostic statement describes how the organization establishes and manages baseline measures of network activity. Supported by network monitoring tools and other controls to detect events and identify incidents. Mitigating mechanisms may include: Data Loss Prevention (DLP); Filtering Network Traffic; Limit Network Traffic; Network Intrusion Prevention Systems (NIPS); and Network Segmentation for these type of network-based techniques.
|
| PR.IR-04.01 | Utilization monitoring | Mitigates | T1095 | Non-Application Layer Protocol |
Comments
This diagnostic statement describes how the organization establishes and manages baseline measures of network activity. Supported by network monitoring tools and other controls to detect events and identify incidents. Mitigating mechanisms may include: Data Loss Prevention (DLP); Filtering Network Traffic; Limit Network Traffic; Network Intrusion Prevention Systems (NIPS); and Network Segmentation for these type of network-based techniques.
|
| PR.IR-04.01 | Utilization monitoring | Mitigates | T1021 | Remote Services |
Comments
This diagnostic statement describes how the organization establishes and manages baseline measures of network activity. Supported by network monitoring tools and other controls to detect events and identify incidents. Mitigating mechanisms may include: Data Loss Prevention (DLP); Filtering Network Traffic; Limit Network Traffic; Network Intrusion Prevention Systems (NIPS); and Network Segmentation for these type of network-based techniques.
|
| PR.IR-04.01 | Utilization monitoring | Mitigates | T1021.005 | VNC |
Comments
This diagnostic statement describes how the organization establishes and manages baseline measures of network activity. Supported by network monitoring tools and other controls to detect events and identify incidents. Mitigating mechanisms may include: Data Loss Prevention (DLP); Filtering Network Traffic; Limit Network Traffic; Network Intrusion Prevention Systems (NIPS); and Network Segmentation for these type of network-based techniques.
|
| PR.IR-04.01 | Utilization monitoring | Mitigates | T1021.002 | SMB/Windows Admin Shares |
Comments
This diagnostic statement describes how the organization establishes and manages baseline measures of network activity. Supported by network monitoring tools and other controls to detect events and identify incidents. Mitigating mechanisms may include: Data Loss Prevention (DLP); Filtering Network Traffic; Limit Network Traffic; Network Intrusion Prevention Systems (NIPS); and Network Segmentation for these type of network-based techniques.
|
| PR.IR-04.01 | Utilization monitoring | Mitigates | T1071.005 | Publish/Subscribe Protocols |
Comments
This diagnostic statement describes how the organization establishes and manages baseline measures of network activity. Supported by network monitoring tools and other controls to detect events and identify incidents. Mitigating mechanisms may include: Data Loss Prevention (DLP); Filtering Network Traffic; Limit Network Traffic; Network Intrusion Prevention Systems (NIPS); and Network Segmentation for these type of network-based techniques.
|
| PR.IR-04.01 | Utilization monitoring | Mitigates | T1071.004 | DNS |
Comments
This diagnostic statement describes how the organization establishes and manages baseline measures of network activity. Supported by network monitoring tools and other controls to detect events and identify incidents. Mitigating mechanisms may include: Data Loss Prevention (DLP); Filtering Network Traffic; Limit Network Traffic; Network Intrusion Prevention Systems (NIPS); and Network Segmentation for these type of network-based techniques.
|
| PR.IR-04.01 | Utilization monitoring | Mitigates | T1071 | Application Layer Protocol |
Comments
This diagnostic statement describes how the organization establishes and manages baseline measures of network activity. Supported by network monitoring tools and other controls to detect events and identify incidents. Mitigating mechanisms may include: Data Loss Prevention (DLP); Filtering Network Traffic; Limit Network Traffic; Network Intrusion Prevention Systems (NIPS); and Network Segmentation for these type of network-based techniques.
|
| PR.IR-04.01 | Utilization monitoring | Mitigates | T1602.002 | Network Device Configuration Dump |
Comments
This diagnostic statement describes how the organization establishes and manages baseline measures of network activity. Supported by network monitoring tools and other controls to detect events and identify incidents. Mitigating mechanisms may include: Data Loss Prevention (DLP); Filtering Network Traffic; Limit Network Traffic; Network Intrusion Prevention Systems (NIPS); and Network Segmentation for these type of network-based techniques.
|
| PR.IR-04.01 | Utilization monitoring | Mitigates | T1602 | Data from Configuration Repository |
Comments
This diagnostic statement describes how the organization establishes and manages baseline measures of network activity. Supported by network monitoring tools and other controls to detect events and identify incidents. Mitigating mechanisms may include: Data Loss Prevention (DLP); Filtering Network Traffic; Limit Network Traffic; Network Intrusion Prevention Systems (NIPS); and Network Segmentation for these type of network-based techniques.
|
| PR.IR-04.01 | Utilization monitoring | Mitigates | T1557.003 | DHCP Spoofing |
Comments
This diagnostic statement describes how the organization establishes and manages baseline measures of network activity. Supported by network monitoring tools and other controls to detect events and identify incidents. Mitigating mechanisms may include: Data Loss Prevention (DLP); Filtering Network Traffic; Limit Network Traffic; Network Intrusion Prevention Systems (NIPS); and Network Segmentation for these type of network-based techniques.
|
| PR.IR-04.01 | Utilization monitoring | Mitigates | T1557.002 | ARP Cache Poisoning |
Comments
This diagnostic statement describes how the organization establishes and manages baseline measures of network activity. Supported by network monitoring tools and other controls to detect events and identify incidents. Mitigating mechanisms may include: Data Loss Prevention (DLP); Filtering Network Traffic; Limit Network Traffic; Network Intrusion Prevention Systems (NIPS); and Network Segmentation for these type of network-based techniques.
|
| PR.IR-04.01 | Utilization monitoring | Mitigates | T1557.001 | LLMNR/NBT-NS Poisoning and SMB Relay |
Comments
This diagnostic statement describes how the organization establishes and manages baseline measures of network activity. Supported by network monitoring tools and other controls to detect events and identify incidents. Mitigating mechanisms may include: Data Loss Prevention (DLP); Filtering Network Traffic; Limit Network Traffic; Network Intrusion Prevention Systems (NIPS); and Network Segmentation for these type of network-based techniques.
|
| PR.IR-04.01 | Utilization monitoring | Mitigates | T1557 | Adversary-in-the-Middle |
Comments
This diagnostic statement describes how the organization establishes and manages baseline measures of network activity. Supported by network monitoring tools and other controls to detect events and identify incidents. Mitigating mechanisms may include: Data Loss Prevention (DLP); Filtering Network Traffic; Limit Network Traffic; Network Intrusion Prevention Systems (NIPS); and Network Segmentation for these type of network-based techniques.
|
| PR.IR-04.01 | Utilization monitoring | Mitigates | T1048.002 | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol |
Comments
This diagnostic statement describes how the organization establishes and manages baseline measures of network activity. Supported by network monitoring tools and other controls to detect events and identify incidents. Mitigating mechanisms may include: Data Loss Prevention (DLP); Filtering Network Traffic; Limit Network Traffic; Network Intrusion Prevention Systems (NIPS); and Network Segmentation for these type of network-based techniques.
|
| PR.IR-04.01 | Utilization monitoring | Mitigates | T1041 | Exfiltration Over C2 Channel |
Comments
This diagnostic statement describes how the organization establishes and manages baseline measures of network activity. Supported by network monitoring tools and other controls to detect events and identify incidents. Mitigating mechanisms may include: Data Loss Prevention (DLP); Filtering Network Traffic; Limit Network Traffic; Network Intrusion Prevention Systems (NIPS); and Network Segmentation for these type of network-based techniques.
|
| PR.IR-04.01 | Utilization monitoring | Mitigates | T1048.003 | Exfiltration Over Unencrypted Non-C2 Protocol |
Comments
This diagnostic statement describes how the organization establishes and manages baseline measures of network activity. Supported by network monitoring tools and other controls to detect events and identify incidents. Mitigating mechanisms may include: Data Loss Prevention (DLP); Filtering Network Traffic; Limit Network Traffic; Network Intrusion Prevention Systems (NIPS); and Network Segmentation for these type of network-based techniques.
|
| PR.IR-04.01 | Utilization monitoring | Mitigates | T1048.002 | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol |
Comments
This diagnostic statement describes how the organization establishes and manages baseline measures of network activity. Supported by network monitoring tools and other controls to detect events and identify incidents. Mitigating mechanisms may include: Data Loss Prevention (DLP); Filtering Network Traffic; Limit Network Traffic; Network Intrusion Prevention Systems (NIPS); and Network Segmentation for these type of network-based techniques.
|
| PR.IR-04.01 | Utilization monitoring | Mitigates | T1048 | Exfiltration Over Alternative Protocol |
Comments
This diagnostic statement describes how the organization establishes and manages baseline measures of network activity. Supported by network monitoring tools and other controls to detect events and identify incidents. Mitigating mechanisms may include: Data Loss Prevention (DLP); Filtering Network Traffic; Limit Network Traffic; Network Intrusion Prevention Systems (NIPS); and Network Segmentation for these type of network-based techniques.
|
| PR.IR-04.02 | Availability and capacity management | Mitigates | T1498.001 | Direct Network Flood |
Comments
This diagnostic approach safeguards systems and network resources from adversaries seeking to block availability of services to user by attempting to conduct DoS attacks. Implementing mitigation strategies, such as filtering network traffic and using ISP or third-party providers, enables blocking IP addresses and protocols used for transport.
|
| PR.IR-04.02 | Availability and capacity management | Mitigates | T1498.002 | Reflection Amplification |
Comments
This diagnostic approach safeguards systems and network resources from adversaries seeking to block availability of services to user by attempting to conduct DoS attacks. Implementing mitigation strategies, such as filtering network traffic, enables blocking IP addresses and protocols used for transport.
|
| PR.IR-04.02 | Availability and capacity management | Mitigates | T1498 | Network Denial of Service |
Comments
This diagnostic approach safeguards systems and network resources from adversaries seeking to block availability of services to user by attempting to conduct DoS attacks. Implementing mitigation strategies, such as filtering network traffic, enables blocking IP addresses and protocols used for transport.
|
| PR.IR-04.02 | Availability and capacity management | Mitigates | T1499.004 | Application or System Exploitation |
Comments
This diagnostic approach safeguards systems and network resources from adversaries seeking to block availability of services to user by attempting to conduct DoS attacks. Implementing mitigation strategies, such as filtering network traffic, enables blocking IP addresses and protocols used for transport.
|
| PR.IR-04.02 | Availability and capacity management | Mitigates | T1499.003 | Application Exhaustion Flood |
Comments
This diagnostic approach safeguards systems and network resources from adversaries seeking to block availability of services to user by attempting to exploit software vulnerabilities that can cause an application or system to crash. Implementing mitigation strategies, such as filtering network traffic, enables blocking IP addresses and protocols used for transport.
|
| PR.IR-04.02 | Availability and capacity management | Mitigates | T1499.002 | Service Exhaustion Flood |
Comments
This diagnostic approach safeguards systems and network resources from adversaries seeking to block availability of services to user by attempting to conduct DoS attacks. Implementing mitigation strategies, such as filtering network traffic, enables blocking IP addresses and protocols used for transport.
|
| PR.IR-04.02 | Availability and capacity management | Mitigates | T1499 | Endpoint Denial of Service |
Comments
This diagnostic approach safeguards systems and network resources from adversaries seeking to block availability of services to user by attempting to conduct DoS attacks. Implementing mitigation strategies, such as filtering network traffic, enables blocking IP addresses and protocols used for transport.
|
| PR.IR-04.02 | Availability and capacity management | Mitigates | T1561.002 | Disk Structure Wipe |
Comments
This diagnostic approach safeguards systems and network resources from adversaries seeking to disrupt availability by attempting to corrupt or wipe the disk data structures on a hard drive. Implementing mitigation strategies, such as data backup, enables the restoration of organizational plans and critical information.
|
| PR.IR-04.02 | Availability and capacity management | Mitigates | T1561.001 | Disk Content Wipe |
Comments
This diagnostic approach safeguards systems and network resources from adversaries seeking to disrupt availability by attempting to erase contents of storage devices on systems and networks. Implementing mitigation strategies, such as data backup, enables the restoration of organizational plans and critical information.
|
| PR.IR-04.02 | Availability and capacity management | Mitigates | T1561 | Disk Wipe |
Comments
This diagnostic approach safeguards systems and network resources from adversaries seeking to disrupt availability by attempting to render stored data on local and remote drives via encryption. Implementing mitigation strategies, such as data backup, enables the restoration of organizational plans and critical information.
|
| PR.IR-04.02 | Availability and capacity management | Mitigates | T1486 | Data Encrypted for Impact |
Comments
This diagnostic approach safeguards systems and network resources from adversaries seeking to disrupt availability by attempting to wiping disk data on system and network resources. Implementing mitigation strategies, such as data backup, enables the restoration of organizational plans and critical information.
|
| PR.IR-04.02 | Availability and capacity management | Mitigates | T1485 | Data Destruction |
Comments
This diagnostic approach safeguards systems and network resources from adversaries seeking to disrupt availability by destroying data files. Implementing mitigation strategies, such as data backup, enables the restoration of organizational plans and critical information. Additionally, the use of multi-factor authentication serves as an effective measure to restrict unauthorized access to credentials, thereby reducing the risk of data destruction.
|
| PR.PS-01.04 | Time services and synchronization | Mitigates | T1498.002 | Reflection Amplification |
Comments
NTP amplification is a specialized form of distributed denial-of-service (DDoS) reflection amplification attacks that exploits the Network Time Protocol (NTP) to overwhelm victims with high volumes of traffic. This diagnostic statement describes practice guidance to secure and manage time synchronization infrastructure. To mitigate this technique under best practice guidance, consider patching NTP Software to remove dangerous amplifying commands like monlist; enable authentication for NTP changes to mitigate anonymous abuse; filtering of inbound UDP port 123 prevents reception of NTP; limit access to NTP servers to just authorized hots rather than global organizational access to prevent potential wide-spread abuse of DDoS reflection attacks.
|
| PR.PS-01.04 | Time services and synchronization | Mitigates | T1070.006 | Timestomp |
Comments
The ATT&CK technique T1070.006 involves adversaries modifying file timestamps to evade detection or forensic analysis. The diagnostic statement describes maintaining and securing accurate and synchronized time values across systems. Organizations can mitigate this technique through the use of secure and authenticated time synchronization protocols (e.g., NTP with authentication) to prevent adversaries from tampering with time values of files and artifacts.
|
| PR.PS-01.04 | Time services and synchronization | Mitigates | T1497.003 | Time Based Evasion |
Comments
The diagnostic statement focuses on the importance of maintaining and securing the accurate and synchronized time values across systems. The ATT&CK technique T1497.003 Virtualization/Sandbox Evasion: Time Based Evasion involves adversaries using time-based evasion methods to detect or bypass virtualization or sandbox environments. Organizations can mitigate these methods by ensuring time integrity, accurate time synchronization, and hardening time services across virtualized and sandbox environments.
|
| PR.PS-01.04 | Time services and synchronization | Mitigates | T1547.003 | Time Providers |
Comments
The diagnostic statement focuses on the importance of maintaining accurate and resilient time synchronization across systems. By ensuring that time services are designed with security and reliability in mind, organizations reduce the risk of adversaries tampering with time provider components or disrupting time synchronization processes described in the Boot or Logon Autostart Execution: Time Providers technique.
|
| PR.PS-01.09 | Virtualized end point protection | Mitigates | T1525 | Implant Internal Image |
Comments
The diagnostic statement highlights several mitigating controls that organizations can implement to protect endpoint systems using virtualization technologies. Adversaries may implant cloud or container images with malicious code to establish persistence after gaining access to an environment. Periodically checking the integrity of images and containers used in virtualized deployments to ensure they have not been modified to include malicious software may aid in mitigating this type of adversary technique.
|
| PR.PS-01.09 | Virtualized end point protection | Mitigates | T1612 | Build Image on Host |
Comments
The diagnostic statement highlights several mitigating controls that organizations can implement to protect endpoint systems using virtualization technologies. Adversaries may build a container image directly on a host to bypass defenses that monitor for the retrieval of malicious images from a public registry. Mitigating mechanisms such as network segmentation, limiting access to resources over the network, and privileged account management may aid in limiting malicious images with direct remote access to internal systems through the use of network proxies, gateways, privileged accounts, and firewalls.
|
| PR.PS-01.09 | Virtualized end point protection | Mitigates | T1485 | Data Destruction |
Comments
The diagnostic statement highlights several mitigating controls that organizations can implement to protect endpoint systems using virtualization technologies. Adversaries may destroy data and files on specific systems or in large numbers on a network to interrupt availability to systems, services, and network resources. They may delete virtual machines from on-prem virtualized environments. For example, implementing multi-factor authentication (MFA) delete for cloud storage resources, such as AWS S3 buckets, to prevent unauthorized deletion of critical data and infrastructure.
|
| PR.PS-01.09 | Virtualized end point protection | Mitigates | T1204.003 | Malicious Image |
Comments
The diagnostic statement highlights several mitigating controls that organizations can implement to protect endpoint systems using virtualization technologies. Adversaries may rely on a user running a malicious image to facilitate execution. This can lead to the execution of malicious code, such as code that executes cryptocurrency mining, in the virtualized instance or container. Mitigating controls such as execution prevention, NIPS, EDRs and behavior prevention on endpoints may provide mitigating mechanisms to prevent the running of executables coming from virtualized machines onto the host or network.
|
| PR.PS-01.09 | Virtualized end point protection | Mitigates | T1204 | User Execution |
Comments
The diagnostic statement highlights several mitigating controls that organizations can implement to protect endpoint systems using virtualization technologies. Adversaries may rely on a user running a malicious image to facilitate execution. This can lead to the execution of malicious code, such as code that executes cryptocurrency mining, in the virtualized instance or container. Mitigating controls such as execution prevention, NIPS, EDRs and behavior prevention on endpoints may provide mitigating mechanisms to prevent the running of executables coming from virtualized machines onto the host or network.
|
| PR.PS-01.09 | Virtualized end point protection | Mitigates | T1578.005 | Modify Cloud Compute Configurations |
Comments
The diagnostic statement highlights several mitigating controls that organizations can implement to protect endpoint systems using virtualization technologies. Adversaries may modify settings that directly affect the size, locations, and resources available to cloud compute infrastructure in order to evade defenses. A modification to the compute service infrastructure can include the creation, deletion, or modification of one or more components such as compute instances, virtual machines, and snapshots. To aid in mitigating this technique, consider limiting user permissions to ensure only the expected users have the capability to modify cloud compute infrastructure components.
|
| PR.PS-01.09 | Virtualized end point protection | Mitigates | T1578.004 | Revert Cloud Instance |
Comments
The diagnostic statement highlights several mitigating controls that organizations can implement to protect endpoint systems using virtualization technologies. An adversary may attempt to modify a cloud account's compute service infrastructure to evade defenses. A modification to the compute service infrastructure can include the creation, deletion, or modification of one or more components such as compute instances, virtual machines, and snapshots. To aid in mitigating this technique, consider limiting user permissions to ensure only the expected users have the capability to modify cloud compute infrastructure components.
|
| PR.PS-01.09 | Virtualized end point protection | Mitigates | T1578.003 | Delete Cloud Instance |
Comments
The diagnostic statement highlights several mitigating controls that organizations can implement to protect endpoint systems using virtualization technologies. An adversary may attempt to modify a cloud account's compute service infrastructure to evade defenses. A modification to the compute service infrastructure can include the creation, deletion, or modification of one or more components such as compute instances, virtual machines, and snapshots. To aid in mitigating this technique, consider limiting user permissions to ensure only the expected users have the capability to modify cloud compute infrastructure components.
|
| PR.PS-01.09 | Virtualized end point protection | Mitigates | T1578.002 | Create Cloud Instance |
Comments
The diagnostic statement highlights several mitigating controls that organizations can implement to protect endpoint systems using virtualization technologies. An adversary may attempt to modify a cloud account's compute service infrastructure to evade defenses. A modification to the compute service infrastructure can include the creation, deletion, or modification of one or more components such as compute instances, virtual machines, and snapshots. To aid in mitigating this technique, consider limiting user permissions to ensure only the expected users have the capability to modify cloud compute infrastructure components.
|
| PR.PS-01.09 | Virtualized end point protection | Mitigates | T1578.001 | Create Snapshot |
Comments
The diagnostic statement highlights several mitigating controls that organizations can implement to protect endpoint systems using virtualization technologies. An adversary may attempt to modify a cloud account's compute service infrastructure to evade defenses. A modification to the compute service infrastructure can include the creation, deletion, or modification of one or more components such as compute instances, virtual machines, and snapshots. To aid in mitigating this technique, consider limiting user permissions to ensure only the expected users have the capability to modify cloud compute infrastructure components.
|
| PR.PS-01.09 | Virtualized end point protection | Mitigates | T1578 | Modify Cloud Compute Infrastructure |
Comments
The diagnostic statement highlights several mitigating controls that organizations can implement to protect endpoint systems using virtualization technologies. An adversary may attempt to modify a cloud account's compute service infrastructure to evade defenses. A modification to the compute service infrastructure can include the creation, deletion, or modification of one or more components such as compute instances, virtual machines, and snapshots. To aid in mitigating this technique, consider limiting user permissions to ensure only the expected users have the capability to modify cloud compute infrastructure components.
|
| PR.PS-01.09 | Virtualized end point protection | Mitigates | T1564.006 | Run Virtual Instance |
Comments
The diagnostic statement highlights several mitigating controls that organizations can implement to protect endpoint systems using virtualization technologies. Adversaries may carry out malicious operations using a virtual instance to avoid detection. After running a virtual instance, adversaries may create a shared folder between the guest and host with permissions that enable the virtual instance to interact with the host file system. To aid in mitigating this technique, consider using application control mechanisms to mitigate installation and use of unapproved virtualization software, shared folders not necessary within a given environment, and periodically audit virtual machines for abnormalities.
|
| PR.PS-01.09 | Virtualized end point protection | Mitigates | T1651 | Cloud Administration Command |
Comments
The diagnostic statement highlights several mitigating controls that organizations can implement to protect endpoint systems using virtualization technologies. Adversaries may abuse cloud management services to execute commands within virtual machines. Resources such as AWS Systems Manager, Azure RunCommand, and Runbooks allow users to remotely run scripts in virtual machines by leveraging installed virtual machine agents. To help with mitigating this technique, consider limiting the number of cloud accounts with permissions to remotely execute commands on virtual machines, and ensure that these are not used for day-to-day operations.
|
| PR.PS-01.09 | Virtualized end point protection | Mitigates | T1210 | Exploitation of Remote Services |
Comments
The diagnostic statement highlights several mechanisms that organizations can implement to protect endpoint systems using virtualization technologies. Virtualization technologies provide a layer of isolation and containment to isolate and contain the impact of potential compromises. When it comes to this exploitation technique, consider making it difficult for adversaries to advance their operation through exploitation of undiscovered or unpatched vulnerabilities by using sandboxing. Other types of virtualization and application microsegmentation may also mitigate the impact of some types of exploitation.
|
| PR.PS-01.09 | Virtualized end point protection | Mitigates | T1068 | Exploitation for Privilege Escalation |
Comments
The diagnostic statement highlights several mechanisms that organizations can implement to protect endpoint systems using virtualization technologies. Virtualization technologies provide a layer of isolation and containment to isolate and contain the impact of potential compromises. When it comes to this exploitation technique, consider making it difficult for adversaries to advance their operation through exploitation of undiscovered or unpatched vulnerabilities by using sandboxing. Other types of virtualization and application microsegmentation may also mitigate the impact of some types of exploitation.
|
| PR.PS-01.09 | Virtualized end point protection | Mitigates | T1211 | Exploitation for Defense Evasion |
Comments
The diagnostic statement highlights several mechanisms that organizations can implement to protect endpoint systems using virtualization technologies. Virtualization technologies provide a layer of isolation and containment to isolate and contain the impact of potential compromises. When it comes to this exploitation technique, consider making it difficult for adversaries to advance their operation through exploitation of undiscovered or unpatched vulnerabilities by using sandboxing. Other types of virtualization and application microsegmentation may also mitigate the impact of some types of exploitation.
|
| PR.PS-01.09 | Virtualized end point protection | Mitigates | T1212 | Exploitation for Credential Access |
Comments
The diagnostic statement highlights several mechanisms that organizations can implement to protect endpoint systems using virtualization technologies. Virtualization technologies provide a layer of isolation and containment to isolate and contain the impact of potential compromises. When it comes to this exploitation technique, consider making it difficult for adversaries to advance their operation through exploitation of undiscovered or unpatched vulnerabilities by using sandboxing. Other types of virtualization and application microsegmentation may also mitigate the impact of some types of exploitation.
|
| PR.PS-01.09 | Virtualized end point protection | Mitigates | T1203 | Exploitation for Client Execution |
Comments
The diagnostic statement highlights several mechanisms that organizations can implement to protect endpoint systems using virtualization technologies. Virtualization technologies provide a layer of isolation and containment to isolate and contain the impact of potential compromises. When it comes to this exploitation technique, consider making it difficult for adversaries to advance their operation through exploitation of undiscovered or unpatched vulnerabilities by using sandboxing. Other types of virtualization and application microsegmentation may also mitigate the impact of some types of exploitation.
|
| PR.PS-01.09 | Virtualized end point protection | Mitigates | T1190 | Exploit Public-Facing Application |
Comments
The diagnostic statement highlights several mechanisms that organizations can implement to protect endpoint systems using virtualization technologies. Virtualization technologies provide a layer of isolation and containment to isolate and contain the impact of potential compromises. Application isolation will limit what other processes and system features the exploited target can access, thus aiding with mitigations related to exploiting public facing applications.
|
| PR.PS-01.09 | Virtualized end point protection | Mitigates | T1027.006 | HTML Smuggling |
Comments
The diagnostic statement highlights several mechanisms that organizations can implement to protect endpoint systems using virtualization technologies. Virtualization technologies provide a layer of isolation and containment to isolate and contain the impact of potential compromises. When it comes this technique, browser sandboxes can be used to mitigate some of the impact of exploitation, but sandbox escapes may still exist.
|
| PR.PS-01.09 | Virtualized end point protection | Mitigates | T1611 | Escape to Host |
Comments
The diagnostic statement highlights several mechanisms that organizations can implement to protect endpoint systems using virtualization technologies. Virtualization technologies provide a layer of isolation and containment to isolate and contain the impact of potential compromises. For the Escape to Host technique, consider utilizing solutions that restricts certain system calls such as mount from the virtualized machine to the host. In Kubernetes environments, consider defining Pod Security Standards that limit container access to host process namespaces, the host network, and the host file system.
|
| PR.PS-01.09 | Virtualized end point protection | Mitigates | T1189 | Drive-by Compromise |
Comments
The diagnostic statement highlights several mechanisms that organizations can implement to protect endpoint systems using virtualization technologies. Virtualization technologies provide a layer of isolation and containment to isolate and contain the impact of potential compromises. When it comes to the Drive-By-Compromise, browser sandboxes can be used to mitigate some of the impact of exploitation, but sandbox escapes may still exist. Other types of virtualization and application micro-segmentation may also mitigate the impact of client-side exploitation from the virtualized machine.
|
| PR.IR-01.02 | Network device configurations | Mitigates | T1021 | Remote Services |
Comments
This diagnostic statement provides protection through secure network device configurations (e.g., firewall rules, ports, protocols) aligned to security baselines. Using network appliances to block or filter network traffic that is not necessary within the environment can mitigate adversary use of remote services.
|
| PR.IR-01.02 | Network device configurations | Mitigates | T1021.001 | Remote Desktop Protocol |
Comments
This diagnostic statement provides protection through secure network device configurations (e.g., firewall rules, ports, protocols) aligned to security baselines. Using network appliances to block or filter network traffic that is not necessary within the environment can mitigate adversary use of remote services.
|
| PR.IR-01.02 | Network device configurations | Mitigates | T1021.003 | Distributed Component Object Model |
Comments
This diagnostic statement provides protection through secure network device configurations (e.g., firewall rules, ports, protocols) aligned to security baselines. Using network appliances to block or filter network traffic that is not necessary within the environment can mitigate adversary use of remote services.
|
| PR.IR-01.02 | Network device configurations | Mitigates | T1021.005 | VNC |
Comments
This diagnostic statement provides protection through secure network device configurations (e.g., firewall rules, ports, protocols) aligned to security baselines. Using network appliances to block or filter network traffic that is not necessary within the environment can mitigate adversary use of remote services.
|
| PR.IR-01.02 | Network device configurations | Mitigates | T1021.006 | Windows Remote Management |
Comments
This diagnostic statement provides protection through secure network device configurations (e.g., firewall rules, ports, protocols) aligned to security baselines. Using network appliances to block or filter network traffic that is not necessary within the environment can mitigate adversary use of remote services.
|
| PR.IR-01.02 | Network device configurations | Mitigates | T1048 | Exfiltration Over Alternative Protocol |
Comments
This diagnostic statement provides protection through secure network device configurations (e.g., firewall rules, ports, protocols) aligned to security baselines. Using network appliances to block or filter network traffic that is not necessary within the environment can mitigate adversary use of alternate protocols to exfiltrate data.
|
| PR.IR-01.02 | Network device configurations | Mitigates | T1048.001 | Exfiltration Over Symmetric Encrypted Non-C2 Protocol |
Comments
This diagnostic statement provides protection through secure network device configurations (e.g., firewall rules, ports, protocols) aligned to security baselines. Using network appliances to block or filter network traffic that is not necessary within the environment can mitigate adversary use of alternate protocols to exfiltrate data.
|
| PR.IR-01.02 | Network device configurations | Mitigates | T1048.002 | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol |
Comments
This diagnostic statement provides protection through secure network device configurations (e.g., firewall rules, ports, protocols) aligned to security baselines. Using network appliances to block or filter network traffic that is not necessary within the environment can mitigate adversary use of alternate protocols to exfiltrate data.
|
| PR.IR-01.02 | Network device configurations | Mitigates | T1048.003 | Exfiltration Over Unencrypted Non-C2 Protocol |
Comments
This diagnostic statement provides protection through secure network device configurations (e.g., firewall rules, ports, protocols) aligned to security baselines. Using network appliances to block or filter network traffic that is not necessary within the environment can mitigate adversary use of alternate protocols to exfiltrate data.
|
| PR.IR-01.02 | Network device configurations | Mitigates | T1071 | Application Layer Protocol |
Comments
This diagnostic statement provides protection through secure network device configurations (e.g., firewall rules, ports, protocols) aligned to security baselines. Using network appliances to block or filter network traffic that is not necessary within the environment can mitigate adversary use of application layer protocols.
|
| PR.IR-01.02 | Network device configurations | Mitigates | T1071.005 | Publish/Subscribe Protocols |
Comments
This diagnostic statement provides protection through secure network device configurations (e.g., firewall rules, ports, protocols) aligned to security baselines. Using network appliances to block or filter network traffic that is not necessary within the environment can mitigate adversary use of application layer protocols.
|
| PR.IR-01.02 | Network device configurations | Mitigates | T1095 | Non-Application Layer Protocol |
Comments
This diagnostic statement provides protection through secure network device configurations (e.g., firewall rules, ports, protocols) aligned to security baselines. Using network appliances to block or filter network traffic that is not necessary within the environment can mitigate adversary use of non-application layer protocols.
|
| PR.IR-01.02 | Network device configurations | Mitigates | T1133 | External Remote Services |
Comments
This diagnostic statement provides protection through secure network device configurations (e.g., firewall rules, ports, protocols) aligned to security baselines. Using network appliances to block or filter network traffic that is not necessary within the environment can mitigate adversaries from leveraging externally-facing remote services to initially access and/or persist within a network.
|
| PR.IR-01.02 | Network device configurations | Mitigates | T1187 | Forced Authentication |
Comments
This diagnostic statement provides protection through secure network device configurations (e.g., firewall rules, ports, protocols) aligned to security baselines. Using network appliances to block or filter network traffic that is not necessary within the environment can mitigate adversaries from obtaining credentials through forced authentication.
|
| PR.IR-01.02 | Network device configurations | Mitigates | T1197 | BITS Jobs |
Comments
This diagnostic statement provides protection through secure network device configurations (e.g., firewall rules, ports, protocols) aligned to security baselines. Using network appliances to to only allow legitimate BITS traffic can mitigate adversary abuse of BITS Jobs.
|
| PR.IR-01.02 | Network device configurations | Mitigates | T1218.012 | Verclsid |
Comments
This diagnostic statement provides protection through secure network device configurations (e.g., firewall rules, ports, and protocols) aligned to security baselines. Using network appliances to block or filter network traffic can help to mitigate this technique.
|
| PR.IR-01.02 | Network device configurations | Mitigates | T1219 | Remote Access Software |
Comments
This diagnostic statement provides protection through secure network device configurations (e.g., firewall rules, ports, and protocols) aligned to security baselines. Using network appliances to block or filter network traffic can mitigate adversary abuse of remote access software.
|
| PR.IR-01.02 | Network device configurations | Mitigates | T1530 | Data from Cloud Storage |
Comments
This diagnostic statement provides protection through secure network device configurations (e.g., firewall rules, ports, protocols) aligned to security baselines. Employing IP-based restrictions for accessing cloud resources can mitigate adversary access to data in cloud storage.
|
| PR.IR-01.02 | Network device configurations | Mitigates | T1537 | Transfer Data to Cloud Account |
Comments
This diagnostic statement provides protection through secure network device configurations (e.g., firewall rules, ports, protocols) aligned to security baselines. Employing network-based filtering restrictions can mitigate data transfers to untrusted VPCs.
|
| PR.IR-01.02 | Network device configurations | Mitigates | T1542 | Pre-OS Boot |
Comments
This diagnostic statement provides protection through secure network device configurations (e.g., firewall rules, ports, and protocols) aligned to security baselines. Using network appliances to limit access can mitigate adversary abuse of pre-OS boot mechanisms.
|
| PR.IR-01.02 | Network device configurations | Mitigates | T1542.005 | TFTP Boot |
Comments
This diagnostic statement provides protection through secure network device configurations (e.g., firewall rules, ports, and protocols) aligned to security baselines. Employing restrictions on untrusted network sources can mitigate adversary abuse of TFTP boot (netbooting).
|
| PR.IR-01.02 | Network device configurations | Mitigates | T1552 | Unsecured Credentials |
Comments
This diagnostic statement provides protection through secure network device configurations (e.g., firewall rules, ports, and protocols) aligned to security baselines. Employing restrictions that limit network access and communications with services can prevent adversaries from finding stored credentials.
|
| PR.IR-01.02 | Network device configurations | Mitigates | T1552.005 | Cloud Instance Metadata API |
Comments
This diagnostic statement provides protection through secure network device configurations (e.g., firewall rules, ports, and protocols) aligned to security baselines. Employing restrictions that limit network access and communications with services can prevent adversaries from finding stored credentials.
|
| PR.IR-01.02 | Network device configurations | Mitigates | T1552.007 | Container API |
Comments
This diagnostic statement provides protection through secure network device configurations (e.g., firewall rules, ports, and protocols) aligned to security baselines. Employing restrictions that limit network access and communications with services can prevent adversaries from finding stored credentials.
|
| PR.IR-01.02 | Network device configurations | Mitigates | T1557 | Adversary-in-the-Middle |
Comments
This diagnostic statement provides protection through secure network device configurations (e.g., firewall rules, ports, and protocols) aligned to security baselines. Using network appliances to block or filter network traffic that is not necessary within the environment can prevent leveraging for AiTM conditions.
|
| PR.IR-01.02 | Network device configurations | Mitigates | T1557.002 | ARP Cache Poisoning |
Comments
This diagnostic statement provides protection through secure network device configurations (e.g., firewall rules, ports, and protocols) aligned to security baselines. Using network appliances to block or filter network traffic that is not necessary within the environment can prevent leveraging for AiTM conditions.
|
| PR.IR-01.02 | Network device configurations | Mitigates | T1563.002 | RDP Hijacking |
Comments
This diagnostic statement provides protection through secure network device configurations (e.g., firewall rules, ports, and protocols) aligned to security baselines. Using network appliances to limit access can prevent RDP hijacking.
|
| PR.IR-01.02 | Network device configurations | Mitigates | T1572 | Protocol Tunneling |
Comments
This diagnostic statement provides protection through secure network device configurations (e.g., firewall rules, ports, and protocols) aligned to security baselines. Using network appliances to block or filter network traffic to untrusted or known bad domains and resources can prevent tunnelling of network communications.
|
| PR.IR-01.02 | Network device configurations | Mitigates | T1602 | Data from Configuration Repository |
Comments
This diagnostic statement provides protection through secure network device configurations (e.g., firewall rules, ports, protocols) aligned to security baselines. Employing extended ACLs to block unauthorized protocols can mitigate adversary access to data in configuration repositories.
|
| PR.IR-01.02 | Network device configurations | Mitigates | T1602.001 | SNMP (MIB Dump) |
Comments
This diagnostic statement provides protection through secure network device configurations (e.g., firewall rules, ports, protocols) aligned to security baselines. Employing extended ACLs to block unauthorized protocols can mitigate adversary access to data in configuration repositories.
|
| PR.IR-01.02 | Network device configurations | Mitigates | T1602.002 | Network Device Configuration Dump |
Comments
This diagnostic statement provides protection through secure network device configurations (e.g., firewall rules, ports, protocols) aligned to security baselines. Employing extended ACLs to block unauthorized protocols can mitigate adversary access to data in configuration repositories.
|
| PR.IR-01.02 | Network device configurations | Mitigates | T1609 | Container Administration Command |
Comments
This diagnostic statement provides protection through secure network device configurations (e.g., firewall rules, ports, and protocols) aligned to security baselines. Using network appliances to limit communications with container services can prevent adversary abuse of container administration.
|
| PR.IR-01.02 | Network device configurations | Mitigates | T1612 | Build Image on Host |
Comments
This diagnostic statement provides protection through secure network device configurations (e.g., firewall rules, ports, and protocols) aligned to security baselines. Using network appliances to limit communications with container services can prevent adversaries from building container images on hosts.
|
| PR.IR-01.02 | Network device configurations | Mitigates | T1613 | Container and Resource Discovery |
Comments
This diagnostic statement provides protection through secure network device configurations (e.g., firewall rules, ports, and protocols) aligned to security baselines. Using network appliances to limit communications with container services can prevent adversaries from discovering resources in container environments.
|
| PR.IR-01.03 | Network communications integrity and availability | Mitigates | T1001 | Data Obfuscation |
Comments
This diagnostic statement protects against Data Obfuscation through the use of secure network configurations, architecture, implementations of zero trust architecture, and segmentation.
|
| PR.IR-01.03 | Network communications integrity and availability | Mitigates | T1001.001 | Junk Data |
Comments
This diagnostic statement protects against Junk Data through the use of secure network configurations, architecture, implementations of zero trust architecture, and segmentation.
|
| PR.IR-01.03 | Network communications integrity and availability | Mitigates | T1001.002 | Steganography |
Comments
This diagnostic statement protects against Steganography through the use of secure network configurations, architecture, implementations of zero trust architecture, and segmentation.
|
| PR.IR-01.03 | Network communications integrity and availability | Mitigates | T1001.003 | Protocol or Service Impersonation |
Comments
This diagnostic statement protects against Protocol or Service Impersonation through the use of secure network configurations, architecture, implementations of zero trust architecture, and segmentation.
|
| PR.IR-01.03 | Network communications integrity and availability | Mitigates | T1008 | Fallback Channels |
Comments
This diagnostic statement protects against Fallback Channels through the use of secure network configurations, architecture, implementations of zero trust architecture, and segmentation.
|
| PR.IR-01.03 | Network communications integrity and availability | Mitigates | T1021 | Remote Services |
Comments
This diagnostic statement protects against Remote Services through the use of secure network configurations, architecture, implementations of zero trust architecture, and segmentation.
|
| PR.IR-01.03 | Network communications integrity and availability | Mitigates | T1021.001 | Remote Desktop Protocol |
Comments
This diagnostic statement protects against Remote Desktop Protocol through the use of secure network configurations, architecture, implementations of zero trust architecture, and segmentation.
|
| PR.IR-01.03 | Network communications integrity and availability | Mitigates | T1021.002 | SMB/Windows Admin Shares |
Comments
This diagnostic statement protects against SMB/Windows Admin Shares through the use of secure network configurations, architecture, implementations of zero trust architecture, and segmentation.
|
| PR.IR-01.03 | Network communications integrity and availability | Mitigates | T1021.005 | VNC |
Comments
This diagnostic statement protects against VNC through the use of secure network configurations, architecture, implementations of zero trust architecture, and segmentation.
|
| PR.IR-01.03 | Network communications integrity and availability | Mitigates | T1029 | Scheduled Transfer |
Comments
This diagnostic statement protects against Scheduled Transfer through the use of secure network configurations, architecture, implementations of zero trust architecture, and segmentation.
|
| PR.IR-01.03 | Network communications integrity and availability | Mitigates | T1030 | Data Transfer Size Limits |
Comments
This diagnostic statement protects against Data Transfer Size Limits through the use of secure network configurations, architecture, implementations of zero trust architecture, and segmentation.
|
| PR.IR-01.03 | Network communications integrity and availability | Mitigates | T1041 | Exfiltration Over C2 Channel |
Comments
This diagnostic statement protects against Exfiltration Over C2 Channel through the use of secure network configurations, architecture, implementations of zero trust architecture, and segmentation.
|
| PR.IR-01.03 | Network communications integrity and availability | Mitigates | T1046 | Network Service Discovery |
Comments
This diagnostic statement protects against Network Service Discovery through the use of secure network configurations, architecture, implementations of zero trust architecture, and segmentation.
|
| PR.IR-01.03 | Network communications integrity and availability | Mitigates | T1048 | Exfiltration Over Alternative Protocol |
Comments
This diagnostic statement protects against Exfiltration Over Alternative Protocol through the use of secure network configurations, architecture, implementations of zero trust architecture, and segmentation.
|
| PR.IR-01.03 | Network communications integrity and availability | Mitigates | T1048.001 | Exfiltration Over Symmetric Encrypted Non-C2 Protocol |
Comments
This diagnostic statement protects against Exfiltration Over Symmetric Encrypted Non-C2 Protocol through the use of secure network configurations, architecture, implementations of zero trust architecture, and segmentation.
|
| PR.IR-01.03 | Network communications integrity and availability | Mitigates | T1048.002 | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol |
Comments
This diagnostic statement protects against Exfiltration Over Asymmetric Encrypted Non-C2 Protocol through the use of secure network configurations, architecture, implementations of zero trust architecture, and segmentation.
|
| PR.IR-01.03 | Network communications integrity and availability | Mitigates | T1048.003 | Exfiltration Over Unencrypted Non-C2 Protocol |
Comments
This diagnostic statement protects against Exfiltration Over Unencrypted Non-C2 Protocol through the use of secure network configurations, architecture, implementations of zero trust architecture, and segmentation.
|
| PR.IR-01.03 | Network communications integrity and availability | Mitigates | T1071 | Application Layer Protocol |
Comments
This diagnostic statement protects against Application Layer Protocol through the use of secure network configurations, architecture, implementations of zero trust architecture, and segmentation.
|
| PR.IR-01.03 | Network communications integrity and availability | Mitigates | T1071.001 | Web Protocols |
Comments
This diagnostic statement protects against Web Protocols through the use of secure network configurations, architecture, implementations of zero trust architecture, and segmentation.
|
| PR.IR-01.03 | Network communications integrity and availability | Mitigates | T1071.002 | File Transfer Protocols |
Comments
This diagnostic statement protects against File Transfer Protocols through the use of secure network configurations, architecture, implementations of zero trust architecture, and segmentation.
|
| PR.IR-01.03 | Network communications integrity and availability | Mitigates | T1071.003 | Mail Protocols |
Comments
This diagnostic statement protects against Mail Protocols through the use of secure network configurations, architecture, implementations of zero trust architecture, and segmentation.
|
| PR.IR-01.03 | Network communications integrity and availability | Mitigates | T1071.004 | DNS |
Comments
This diagnostic statement protects against DNS through the use of secure network configurations, architecture, implementations of zero trust architecture, and segmentation.
|
| PR.IR-01.03 | Network communications integrity and availability | Mitigates | T1071.005 | Publish/Subscribe Protocols |
Comments
This diagnostic statement protects against Publish/Subscribe Protocols through the use of secure network configurations, architecture, implementations of zero trust architecture, and segmentation.
|
| PR.IR-01.03 | Network communications integrity and availability | Mitigates | T1090 | Proxy |
Comments
This diagnostic statement protects against Proxy through the use of secure network configurations, architecture, implementations of zero trust architecture, and segmentation.
|
| PR.IR-01.03 | Network communications integrity and availability | Mitigates | T1090.001 | Internal Proxy |
Comments
This diagnostic statement protects against Internal Proxy through the use of secure network configurations, architecture, implementations of zero trust architecture, and segmentation.
|
| PR.IR-01.03 | Network communications integrity and availability | Mitigates | T1090.002 | External Proxy |
Comments
This diagnostic statement protects against External Proxy through the use of secure network configurations, architecture, implementations of zero trust architecture, and segmentation.
|
| PR.IR-01.03 | Network communications integrity and availability | Mitigates | T1090.003 | Multi-hop Proxy |
Comments
This diagnostic statement protects against Multi-hop Proxy through the use of secure network configurations, architecture, implementations of zero trust architecture, and segmentation.
|
| PR.IR-01.03 | Network communications integrity and availability | Mitigates | T1095 | Non-Application Layer Protocol |
Comments
This diagnostic statement protects against Non-Application Layer Protocol through the use of secure network configurations, architecture, implementations of zero trust architecture, and segmentation.
|
| PR.IR-01.03 | Network communications integrity and availability | Mitigates | T1102 | Web Service |
Comments
This diagnostic statement protects against Web Service through the use of secure network configurations, architecture, implementations of zero trust architecture, and segmentation.
|
| PR.IR-01.03 | Network communications integrity and availability | Mitigates | T1102.001 | Dead Drop Resolver |
Comments
This diagnostic statement protects against Dead Drop Resolver through the use of secure network configurations, architecture, implementations of zero trust architecture, and segmentation.
|
| PR.IR-01.03 | Network communications integrity and availability | Mitigates | T1102.002 | Bidirectional Communication |
Comments
This diagnostic statement protects against Bidirectional Communication through the use of secure network configurations, architecture, implementations of zero trust architecture, and segmentation.
|
| PR.IR-01.03 | Network communications integrity and availability | Mitigates | T1102.003 | One-Way Communication |
Comments
This diagnostic statement protects against One-Way Communication through the use of secure network configurations, architecture, implementations of zero trust architecture, and segmentation.
|
| PR.IR-01.03 | Network communications integrity and availability | Mitigates | T1104 | Multi-Stage Channels |
Comments
This diagnostic statement protects against Multi-Stage Channels through the use of secure network configurations, architecture, implementations of zero trust architecture, and segmentation.
|
| PR.IR-01.03 | Network communications integrity and availability | Mitigates | T1105 | Ingress Tool Transfer |
Comments
This diagnostic statement protects against Ingress Tool Transfer through the use of secure network configurations, architecture, implementations of zero trust architecture, and segmentation.
|
| PR.IR-01.03 | Network communications integrity and availability | Mitigates | T1132 | Data Encoding |
Comments
This diagnostic statement protects against Data Encoding through the use of secure network configurations, architecture, implementations of zero trust architecture, and segmentation.
|
| PR.IR-01.03 | Network communications integrity and availability | Mitigates | T1132.001 | Standard Encoding |
Comments
This diagnostic statement protects against Standard Encoding through the use of secure network configurations, architecture, implementations of zero trust architecture, and segmentation.
|
| PR.IR-01.03 | Network communications integrity and availability | Mitigates | T1132.002 | Non-Standard Encoding |
Comments
This diagnostic statement protects against Non-Standard Encoding through the use of secure network configurations, architecture, implementations of zero trust architecture, and segmentation.
|
| PR.IR-01.03 | Network communications integrity and availability | Mitigates | T1133 | External Remote Services |
Comments
This diagnostic statement protects against External Remote Services through the use of secure network configurations, architecture, implementations of zero trust architecture, and segmentation.
|
| PR.IR-01.03 | Network communications integrity and availability | Mitigates | T1187 | Forced Authentication |
Comments
This diagnostic statement protects against Forced Authentication through the use of secure network configurations, architecture, implementations of zero trust architecture, and segmentation.
|
| PR.IR-01.03 | Network communications integrity and availability | Mitigates | T1197 | BITS Jobs |
Comments
This diagnostic statement protects against BITS Jobs through the use of secure network configurations, architecture, implementations of zero trust architecture, and segmentation.
|
| PR.IR-01.03 | Network communications integrity and availability | Mitigates | T1200 | Hardware Additions |
Comments
This diagnostic statement protects against Hardware Additions through the use of secure network configurations, architecture, implementations of zero trust architecture, and segmentation.
|
| PR.IR-01.03 | Network communications integrity and availability | Mitigates | T1204 | User Execution |
Comments
This diagnostic statement protects against User Execution through the use of secure network configurations, architecture, implementations of zero trust architecture, and segmentation.
|
| PR.IR-01.03 | Network communications integrity and availability | Mitigates | T1204.001 | Malicious Link |
Comments
This diagnostic statement protects against Malicious Link through the use of secure network configurations, architecture, implementations of zero trust architecture, and segmentation.
|
| PR.IR-01.03 | Network communications integrity and availability | Mitigates | T1204.003 | Malicious Image |
Comments
This diagnostic statement protects against Malicious Image through the use of secure network configurations, architecture, implementations of zero trust architecture, and segmentation.
|
| PR.IR-01.03 | Network communications integrity and availability | Mitigates | T1205 | Traffic Signaling |
Comments
This diagnostic statement protects against Traffic Signaling through the use of secure network configurations, architecture, implementations of zero trust architecture, and segmentation.
|
| PR.IR-01.03 | Network communications integrity and availability | Mitigates | T1205.001 | Port Knocking |
Comments
This diagnostic statement protects against Port Knocking through the use of secure network configurations, architecture, implementations of zero trust architecture, and segmentation.
|
| PR.IR-01.03 | Network communications integrity and availability | Mitigates | T1205.002 | Socket Filters |
Comments
This diagnostic statement protects against Socket Filters through the use of secure network configurations, architecture, implementations of zero trust architecture, and segmentation.
|
| PR.IR-01.03 | Network communications integrity and availability | Mitigates | T1218 | System Binary Proxy Execution |
Comments
This diagnostic statement protects against System Binary Proxy Execution through the use of secure network configurations, architecture, implementations of zero trust architecture, and segmentation.
|
| PR.IR-01.03 | Network communications integrity and availability | Mitigates | T1218.012 | Verclsid |
Comments
This diagnostic statement protects against Verclsid through the use of secure network configurations, architecture, implementations of zero trust architecture, and segmentation.
|
| PR.IR-01.03 | Network communications integrity and availability | Mitigates | T1219 | Remote Access Software |
Comments
This diagnostic statement protects against Remote Access Software through the use of secure network configurations, architecture, implementations of zero trust architecture, and segmentation.
|
| PR.IR-01.03 | Network communications integrity and availability | Mitigates | T1221 | Template Injection |
Comments
This diagnostic statement protects against Template Injection through the use of secure network configurations, architecture, implementations of zero trust architecture, and segmentation.
|
| PR.IR-01.03 | Network communications integrity and availability | Mitigates | T1498 | Network Denial of Service |
Comments
This diagnostic statement protects against Network Denial of Service through the use of secure network configurations, architecture, implementations of zero trust architecture, and segmentation.
|
| PR.IR-01.03 | Network communications integrity and availability | Mitigates | T1498.001 | Direct Network Flood |
Comments
This diagnostic statement protects against Direct Network Flood through the use of secure network configurations, architecture, implementations of zero trust architecture, and segmentation.
|
| PR.IR-01.03 | Network communications integrity and availability | Mitigates | T1498.002 | Reflection Amplification |
Comments
This diagnostic statement protects against Reflection Amplification through the use of secure network configurations, architecture, implementations of zero trust architecture, and segmentation.
|
| PR.IR-01.03 | Network communications integrity and availability | Mitigates | T1499 | Endpoint Denial of Service |
Comments
This diagnostic statement protects against Endpoint Denial of Service through the use of secure network configurations, architecture, implementations of zero trust architecture, and segmentation.
|
| PR.IR-01.03 | Network communications integrity and availability | Mitigates | T1499.001 | OS Exhaustion Flood |
Comments
This diagnostic statement protects against OS Exhaustion Flood through the use of secure network configurations, architecture, implementations of zero trust architecture, and segmentation.
|
| PR.IR-01.03 | Network communications integrity and availability | Mitigates | T1499.002 | Service Exhaustion Flood |
Comments
This diagnostic statement protects against Service Exhaustion Flood through the use of secure network configurations, architecture, implementations of zero trust architecture, and segmentation.
|
| PR.IR-01.03 | Network communications integrity and availability | Mitigates | T1499.003 | Application Exhaustion Flood |
Comments
This diagnostic statement protects against Application Exhaustion Flood through the use of secure network configurations, architecture, implementations of zero trust architecture, and segmentation.
|
| PR.IR-01.03 | Network communications integrity and availability | Mitigates | T1499.004 | Application or System Exploitation |
Comments
This diagnostic statement protects against Application or System Exploitation through the use of secure network configurations, architecture, implementations of zero trust architecture, and segmentation.
|
| PR.IR-01.03 | Network communications integrity and availability | Mitigates | T1530 | Data from Cloud Storage |
Comments
This diagnostic statement protects against Data from Cloud Storage through the use of secure network configurations, architecture, implementations of zero trust architecture, and segmentation.
|
| PR.IR-01.03 | Network communications integrity and availability | Mitigates | T1537 | Transfer Data to Cloud Account |
Comments
This diagnostic statement protects against Transfer Data to Cloud Account through the use of secure network configurations, architecture, implementations of zero trust architecture, and segmentation.
|
| PR.IR-01.03 | Network communications integrity and availability | Mitigates | T1542 | Pre-OS Boot |
Comments
This diagnostic statement protects against Pre-OS Boot through the use of secure network configurations, architecture, implementations of zero trust architecture, and segmentation.
|
| PR.IR-01.03 | Network communications integrity and availability | Mitigates | T1542.004 | ROMMONkit |
Comments
This diagnostic statement protects against ROMMONkit through the use of secure network configurations, architecture, implementations of zero trust architecture, and segmentation.
|
| PR.IR-01.03 | Network communications integrity and availability | Mitigates | T1542.005 | TFTP Boot |
Comments
This diagnostic statement protects against TFTP Boot through the use of secure network configurations, architecture, implementations of zero trust architecture, and segmentation.
|
| PR.IR-01.03 | Network communications integrity and availability | Mitigates | T1546 | Event Triggered Execution |
Comments
This diagnostic statement protects against Event Triggered Execution through the use of secure network configurations, architecture, implementations of zero trust architecture, and segmentation.
|
| PR.IR-01.03 | Network communications integrity and availability | Mitigates | T1546.008 | Accessibility Features |
Comments
This diagnostic statement protects against Accessibility Features through the use of secure network configurations, architecture, implementations of zero trust architecture, and segmentation.
|
| PR.IR-01.03 | Network communications integrity and availability | Mitigates | T1552 | Unsecured Credentials |
Comments
This diagnostic statement protects against Unsecured Credentials through the use of secure network configurations, architecture, implementations of zero trust architecture, and segmentation.
|
| PR.IR-01.03 | Network communications integrity and availability | Mitigates | T1552.005 | Cloud Instance Metadata API |
Comments
This diagnostic statement protects against Cloud Instance Metadata API through the use of secure network configurations, architecture, implementations of zero trust architecture, and segmentation.
|
| PR.IR-01.03 | Network communications integrity and availability | Mitigates | T1552.007 | Container API |
Comments
This diagnostic statement protects against Container API through the use of secure network configurations, architecture, implementations of zero trust architecture, and segmentation.
|
| PR.IR-01.03 | Network communications integrity and availability | Mitigates | T1557 | Adversary-in-the-Middle |
Comments
This diagnostic statement protects against Adversary-in-the-Middle through the use of secure network configurations, architecture, implementations of zero trust architecture, and segmentation.
|
| PR.IR-01.03 | Network communications integrity and availability | Mitigates | T1557.001 | LLMNR/NBT-NS Poisoning and SMB Relay |
Comments
This diagnostic statement protects against LLMNR/NBT-NS Poisoning and SMB Relay through the use of secure network configurations, architecture, implementations of zero trust architecture, and segmentation.
|
| PR.IR-01.03 | Network communications integrity and availability | Mitigates | T1557.002 | ARP Cache Poisoning |
Comments
This diagnostic statement protects against ARP Cache Poisoning through the use of secure network configurations, architecture, implementations of zero trust architecture, and segmentation.
|
| PR.IR-01.03 | Network communications integrity and availability | Mitigates | T1557.003 | DHCP Spoofing |
Comments
This diagnostic statement protects against DHCP Spoofing through the use of secure network configurations, architecture, implementations of zero trust architecture, and segmentation.
|
| PR.IR-01.03 | Network communications integrity and availability | Mitigates | T1557.004 | Evil Twin |
Comments
This diagnostic statement protects against Evil Twin through the use of secure network configurations, architecture, implementations of zero trust architecture, and segmentation.
|
| PR.IR-01.03 | Network communications integrity and availability | Mitigates | T1563 | Remote Service Session Hijacking |
Comments
This diagnostic statement protects against Remote Service Session Hijacking through the use of secure network configurations, architecture, implementations of zero trust architecture, and segmentation.
|
| PR.IR-01.03 | Network communications integrity and availability | Mitigates | T1563.002 | RDP Hijacking |
Comments
This diagnostic statement protects against RDP Hijacking through the use of secure network configurations, architecture, implementations of zero trust architecture, and segmentation.
|
| PR.IR-01.03 | Network communications integrity and availability | Mitigates | T1566 | Phishing |
Comments
This diagnostic statement protects against Phishing through the use of secure network configurations, architecture, implementations of zero trust architecture, and segmentation.
|
| PR.IR-01.03 | Network communications integrity and availability | Mitigates | T1566.001 | Spearphishing Attachment |
Comments
This diagnostic statement protects against Spearphishing Attachment through the use of secure network configurations, architecture, implementations of zero trust architecture, and segmentation.
|
| PR.IR-01.03 | Network communications integrity and availability | Mitigates | T1568 | Dynamic Resolution |
Comments
This diagnostic statement protects against Dynamic Resolution through the use of secure network configurations, architecture, implementations of zero trust architecture, and segmentation.
|
| PR.IR-01.03 | Network communications integrity and availability | Mitigates | T1568.002 | Domain Generation Algorithms |
Comments
This diagnostic statement protects against Domain Generation Algorithms through the use of secure network configurations, architecture, implementations of zero trust architecture, and segmentation.
|
| PR.IR-01.03 | Network communications integrity and availability | Mitigates | T1570 | Lateral Tool Transfer |
Comments
This diagnostic statement protects against Lateral Tool Transfer through the use of secure network configurations, architecture, implementations of zero trust architecture, and segmentation.
|
| PR.IR-01.03 | Network communications integrity and availability | Mitigates | T1571 | Non-Standard Port |
Comments
This diagnostic statement protects against Non-Standard Port through the use of secure network configurations, architecture, implementations of zero trust architecture, and segmentation.
|
| PR.IR-01.03 | Network communications integrity and availability | Mitigates | T1572 | Protocol Tunneling |
Comments
This diagnostic statement protects against Protocol Tunneling through the use of secure network configurations, architecture, implementations of zero trust architecture, and segmentation.
|
| PR.IR-01.03 | Network communications integrity and availability | Mitigates | T1573 | Encrypted Channel |
Comments
This diagnostic statement protects against Encrypted Channel through the use of secure network configurations, architecture, implementations of zero trust architecture, and segmentation.
|
| PR.IR-01.03 | Network communications integrity and availability | Mitigates | T1573.001 | Symmetric Cryptography |
Comments
This diagnostic statement protects against Symmetric Cryptography through the use of secure network configurations, architecture, implementations of zero trust architecture, and segmentation.
|
| PR.IR-01.03 | Network communications integrity and availability | Mitigates | T1573.002 | Asymmetric Cryptography |
Comments
This diagnostic statement protects against Asymmetric Cryptography through the use of secure network configurations, architecture, implementations of zero trust architecture, and segmentation.
|
| PR.IR-01.03 | Network communications integrity and availability | Mitigates | T1599 | Network Boundary Bridging |
Comments
This diagnostic statement protects against Network Boundary Bridging through the use of secure network configurations, architecture, implementations of zero trust architecture, and segmentation.
|
| PR.IR-01.03 | Network communications integrity and availability | Mitigates | T1599.001 | Network Address Translation Traversal |
Comments
This diagnostic statement protects against Network Address Translation Traversal through the use of secure network configurations, architecture, implementations of zero trust architecture, and segmentation.
|
| PR.IR-01.03 | Network communications integrity and availability | Mitigates | T1602 | Data from Configuration Repository |
Comments
This diagnostic statement protects against Data from Configuration Repository through the use of secure network configurations, architecture, implementations of zero trust architecture, and segmentation.
|
| PR.IR-01.03 | Network communications integrity and availability | Mitigates | T1602.001 | SNMP (MIB Dump) |
Comments
This diagnostic statement protects against SNMP (MIB Dump) through the use of secure network configurations, architecture, implementations of zero trust architecture, and segmentation.
|
| PR.IR-01.03 | Network communications integrity and availability | Mitigates | T1602.002 | Network Device Configuration Dump |
Comments
This diagnostic statement protects against Network Device Configuration Dump through the use of secure network configurations, architecture, implementations of zero trust architecture, and segmentation.
|
| PR.IR-01.03 | Network communications integrity and availability | Mitigates | T1609 | Container Administration Command |
Comments
This diagnostic statement protects against Container Administration Command through the use of secure network configurations, architecture, implementations of zero trust architecture, and segmentation.
|
| PR.IR-01.03 | Network communications integrity and availability | Mitigates | T1610 | Deploy Container |
Comments
This diagnostic statement protects against Deploy Container through the use of secure network configurations, architecture, implementations of zero trust architecture, and segmentation.
|
| PR.IR-01.03 | Network communications integrity and availability | Mitigates | T1612 | Build Image on Host |
Comments
This diagnostic statement protects against Build Image on Host through the use of secure network configurations, architecture, implementations of zero trust architecture, and segmentation.
|
| PR.IR-01.03 | Network communications integrity and availability | Mitigates | T1613 | Container and Resource Discovery |
Comments
This diagnostic statement protects against Container and Resource Discovery through the use of secure network configurations, architecture, implementations of zero trust architecture, and segmentation.
|
| PR.IR-01.04 | Wireless network protection | Mitigates | T1021 | Remote Services |
Comments
This diagnostic statement provides protections for wireless networks. Implementation of wireless network management measures such as network segmentation and access controls reduces the attack surface, restricts movement by adversaries, and protects data from compromise.
|
| PR.IR-01.04 | Wireless network protection | Mitigates | T1021.001 | Remote Desktop Protocol |
Comments
This diagnostic statement provides protections for wireless networks. Implementation of wireless network management measures such as network segmentation and access controls reduces the attack surface, restricts movement by adversaries, and protects data from compromise.
|
| PR.IR-01.04 | Wireless network protection | Mitigates | T1021.002 | SMB/Windows Admin Shares |
Comments
This diagnostic statement provides protections for wireless networks. Implementation of wireless network management measures such as network segmentation and access controls reduces the attack surface, restricts movement by adversaries, and protects data from compromise.
|
| PR.IR-01.04 | Wireless network protection | Mitigates | T1021.003 | Distributed Component Object Model |
Comments
This diagnostic statement provides protections for wireless networks. Implementation of wireless network management measures such as network segmentation and access controls reduces the attack surface, restricts movement by adversaries, and protects data from compromise.
|
| PR.IR-01.04 | Wireless network protection | Mitigates | T1040 | Network Sniffing |
Comments
This diagnostic statement provides protections for wireless networks. Implementation of wireless network management measures such as network segmentation and access controls reduces the attack surface, restricts movement by adversaries, and protects data from compromise.
|
| PR.IR-01.04 | Wireless network protection | Mitigates | T1046 | Network Service Discovery |
Comments
This diagnostic statement provides protections for wireless networks. Implementation of wireless network management measures such as network segmentation and access controls reduces the attack surface, restricts movement by adversaries, and protects data from compromise.
|
| PR.IR-01.04 | Wireless network protection | Mitigates | T1048 | Exfiltration Over Alternative Protocol |
Comments
This diagnostic statement provides protections for wireless networks. Implementation of wireless network management measures such as network segmentation and access controls reduces the attack surface, restricts movement by adversaries, and protects data from compromise.
|
| PR.IR-01.04 | Wireless network protection | Mitigates | T1048.001 | Exfiltration Over Symmetric Encrypted Non-C2 Protocol |
Comments
This diagnostic statement provides protections for wireless networks. Implementation of wireless network management measures such as network segmentation and access controls reduces the attack surface, restricts movement by adversaries, and protects data from compromise.
|
| PR.IR-01.04 | Wireless network protection | Mitigates | T1048.002 | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol |
Comments
This diagnostic statement provides protections for wireless networks. Implementation of wireless network management measures such as network segmentation and access controls reduces the attack surface, restricts movement by adversaries, and protects data from compromise.
|
| PR.IR-01.04 | Wireless network protection | Mitigates | T1048.003 | Exfiltration Over Unencrypted Non-C2 Protocol |
Comments
This diagnostic statement provides protections for wireless networks. Implementation of wireless network management measures such as network segmentation and access controls reduces the attack surface, restricts movement by adversaries, and protects data from compromise.
|
| PR.IR-01.04 | Wireless network protection | Mitigates | T1095 | Non-Application Layer Protocol |
Comments
This diagnostic statement provides protections for wireless networks. Implementation of wireless network management measures such as network segmentation and access controls reduces the attack surface, restricts movement by adversaries, and protects data from compromise.
|
| PR.IR-01.04 | Wireless network protection | Mitigates | T1200 | Hardware Additions |
Comments
This diagnostic statement provides protections for wireless networks. Implementation of wireless network management measures such as network segmentation and access controls reduces the attack surface, restricts movement by adversaries, and protects data from compromise.
|
| PR.IR-01.04 | Wireless network protection | Mitigates | T1570 | Lateral Tool Transfer |
Comments
This diagnostic statement provides protections for wireless networks. Implementation of wireless network management measures such as network segmentation and access controls reduces the attack surface, restricts movement by adversaries, and protects data from compromise.
|
| PR.IR-01.04 | Wireless network protection | Mitigates | T1571 | Non-Standard Port |
Comments
This diagnostic statement provides protections for wireless networks. Implementation of wireless network management measures such as network segmentation and access controls reduces the attack surface, restricts movement by adversaries, and protects data from compromise.
|
| PR.IR-01.04 | Wireless network protection | Mitigates | T1572 | Protocol Tunneling |
Comments
This diagnostic statement provides protections for wireless networks. Implementation of wireless network management measures such as network segmentation and access controls reduces the attack surface, restricts movement by adversaries, and protects data from compromise.
|
| PR.IR-01.04 | Wireless network protection | Mitigates | T1573 | Encrypted Channel |
Comments
This diagnostic statement provides protections for wireless networks. Implementation of wireless network management measures such as network segmentation and access controls reduces the attack surface, restricts movement by adversaries, and protects data from compromise.
|
| PR.IR-01.04 | Wireless network protection | Mitigates | T1573.001 | Symmetric Cryptography |
Comments
This diagnostic statement provides protections for wireless networks. Implementation of wireless network management measures such as network segmentation and access controls reduces the attack surface, restricts movement by adversaries, and protects data from compromise.
|
| PR.IR-01.04 | Wireless network protection | Mitigates | T1573.002 | Asymmetric Cryptography |
Comments
This diagnostic statement provides protections for wireless networks. Implementation of wireless network management measures such as network segmentation and access controls reduces the attack surface, restricts movement by adversaries, and protects data from compromise.
|
| PR.IR-01.05 | Remote access protection | Mitigates | T1542 | Pre-OS Boot |
Comments
This diagnostic statement implements security controls and restrictions for remote user access to systems. Remote user access control involves managing and securing how users remotely access systems, such as through encrypted connections and account use policies, which help prevent adversary access.
|
| PR.IR-01.05 | Remote access protection | Mitigates | T1542.005 | TFTP Boot |
Comments
This diagnostic statement implements security controls and restrictions for remote user access to systems. Remote user access control involves managing and securing how users remotely access systems, such as through encrypted connections and account use policies, which help prevent adversary access.
|
| PR.IR-01.05 | Remote access protection | Mitigates | T1546 | Event Triggered Execution |
Comments
This diagnostic statement implements security controls and restrictions for remote user access to systems. Remote user access control involves managing and securing how users remotely access systems, such as through encrypted connections and account use policies, which help prevent adversary access.
|
| PR.IR-01.05 | Remote access protection | Mitigates | T1546.003 | Windows Management Instrumentation Event Subscription |
Comments
This diagnostic statement implements security controls and restrictions for remote user access to systems. Remote user access control involves managing and securing how users remotely access systems, such as through encrypted connections and account use policies, which help prevent adversary access.
|
| PR.IR-01.05 | Remote access protection | Mitigates | T1552 | Unsecured Credentials |
Comments
This diagnostic statement implements security controls and restrictions for remote user access to systems. Remote user access control involves managing and securing how users remotely access systems, such as through encrypted connections and account use policies, which help prevent adversary access.
|
| PR.IR-01.05 | Remote access protection | Mitigates | T1552.002 | Credentials in Registry |
Comments
This diagnostic statement implements security controls and restrictions for remote user access to systems. Remote user access control involves managing and securing how users remotely access systems, such as through encrypted connections and account use policies, which help prevent adversary access.
|
| PR.IR-01.05 | Remote access protection | Mitigates | T1552.007 | Container API |
Comments
This diagnostic statement implements security controls and restrictions for remote user access to systems. Remote user access control involves managing and securing how users remotely access systems, such as through encrypted connections and account use policies, which help prevent adversary access.
|
| PR.IR-01.05 | Remote access protection | Mitigates | T1556 | Modify Authentication Process |
Comments
This diagnostic statement implements security controls and restrictions for remote user access to systems. Remote user access control involves managing and securing how users remotely access systems, such as through encrypted connections and account use policies, which help prevent adversary access.
|
| PR.IR-01.05 | Remote access protection | Mitigates | T1556.001 | Domain Controller Authentication |
Comments
This diagnostic statement implements security controls and restrictions for remote user access to systems. Remote user access control involves managing and securing how users remotely access systems, such as through encrypted connections and account use policies, which help prevent adversary access.
|
| PR.IR-01.05 | Remote access protection | Mitigates | T1563 | Remote Service Session Hijacking |
Comments
This diagnostic statement implements security controls and restrictions for remote user access to systems. Remote user access control involves managing and securing how users remotely access systems, such as through encrypted connections and account use policies, which help prevent adversary access.
|
| PR.IR-01.05 | Remote access protection | Mitigates | T1563.002 | RDP Hijacking |
Comments
This diagnostic statement implements security controls and restrictions for remote user access to systems. Remote user access control involves managing and securing how users remotely access systems, such as through encrypted connections and account use policies, which help prevent adversary access.
|
| PR.IR-01.05 | Remote access protection | Mitigates | T1609 | Container Administration Command |
Comments
This diagnostic statement implements security controls and restrictions for remote user access to systems. Remote user access control involves managing and securing how users remotely access systems, such as through encrypted connections and account use policies, which help prevent adversary access.
|
| PR.IR-01.05 | Remote access protection | Mitigates | T1611 | Escape to Host |
Comments
This diagnostic statement implements security controls and restrictions for remote user access to systems. Remote user access control involves managing and securing how users remotely access systems, such as through encrypted connections and account use policies, which help prevent adversary access.
|
| PR.IR-01.05 | Remote access protection | Mitigates | T1612 | Build Image on Host |
Comments
This diagnostic statement implements security controls and restrictions for remote user access to systems. Remote user access control involves managing and securing how users remotely access systems, such as through encrypted connections and account use policies, which help prevent adversary access.
|
| PR.IR-01.05 | Remote access protection | Mitigates | T1621 | Multi-Factor Authentication Request Generation |
Comments
This diagnostic statement implements security controls and restrictions for remote user access to systems. Remote user access control involves managing and securing how users remotely access systems, such as through encrypted connections and account use policies, which help prevent adversary access.
|
| PR.IR-01.06 | Production environment segregation | Mitigates | T1021 | Remote Services |
Comments
This diagnostic statement provides protections for production environments. Measures such as network segmentation and access control reduce the attack surface, restrict movement by adversaries, and protect critical assets and data from compromise.
|
| PR.IR-01.06 | Production environment segregation | Mitigates | T1021.002 | SMB/Windows Admin Shares |
Comments
This diagnostic statement provides protections for production environments. Measures such as network segmentation and access control reduce the attack surface, restrict movement by adversaries, and protect critical assets and data from compromise.
|
| PR.IR-01.06 | Production environment segregation | Mitigates | T1021.003 | Distributed Component Object Model |
Comments
This diagnostic statement provides protections for production environments. Measures such as network segmentation and access control reduce the attack surface, restrict movement by adversaries, and protect critical assets and data from compromise.
|
| PR.IR-01.06 | Production environment segregation | Mitigates | T1021.006 | Windows Remote Management |
Comments
This diagnostic statement provides protections for production environments. Measures such as network segmentation and access control reduce the attack surface, restrict movement by adversaries, and protect critical assets and data from compromise.
|
| PR.IR-01.06 | Production environment segregation | Mitigates | T1021.007 | Cloud Services |
Comments
This diagnostic statement provides protections for production environments. Measures such as network segmentation and access control reduce the attack surface, restrict movement by adversaries, and protect critical assets and data from compromise.
|
| PR.IR-01.06 | Production environment segregation | Mitigates | T1046 | Network Service Discovery |
Comments
This diagnostic statement provides protections for production environments. Measures such as network segmentation and access control reduce the attack surface, restrict movement by adversaries, and protect critical assets and data from compromise.
|
| PR.IR-01.06 | Production environment segregation | Mitigates | T1059 | Command and Scripting Interpreter |
Comments
This diagnostic statement provides protections for production environments. Measures such as network segmentation and access control reduce the attack surface, restrict movement by adversaries, and protect critical assets and data from compromise.
|
| PR.IR-01.06 | Production environment segregation | Mitigates | T1059.001 | PowerShell |
Comments
This diagnostic statement provides protections for production environments. Measures such as network segmentation and access control reduce the attack surface, restrict movement by adversaries, and protect critical assets and data from compromise.
|
| PR.IR-01.06 | Production environment segregation | Mitigates | T1059.008 | Network Device CLI |
Comments
This diagnostic statement provides protections for production environments. Measures such as network segmentation and access control reduce the attack surface, restrict movement by adversaries, and protect critical assets and data from compromise.
|
| PR.IR-01.06 | Production environment segregation | Mitigates | T1059.009 | Cloud API |
Comments
This diagnostic statement provides protections for production environments. Measures such as network segmentation and access control reduce the attack surface, restrict movement by adversaries, and protect critical assets and data from compromise.
|
| PR.IR-01.06 | Production environment segregation | Mitigates | T1072 | Software Deployment Tools |
Comments
This diagnostic statement provides protections for production environments. Measures such as network segmentation and access control reduce the attack surface, restrict movement by adversaries, and protect critical assets and data from compromise.
|
| PR.IR-01.06 | Production environment segregation | Mitigates | T1095 | Non-Application Layer Protocol |
Comments
This diagnostic statement provides protections for production environments. Measures such as network segmentation and access control reduce the attack surface, restrict movement by adversaries, and protect critical assets and data from compromise.
|
| PR.IR-01.06 | Production environment segregation | Mitigates | T1098 | Account Manipulation |
Comments
This diagnostic statement provides protections for production environments. Measures such as network segmentation and access control reduce the attack surface, restrict movement by adversaries, and protect critical assets and data from compromise.
|
| PR.IR-01.06 | Production environment segregation | Mitigates | T1098.001 | Additional Cloud Credentials |
Comments
This diagnostic statement provides protections for production environments. Measures such as network segmentation and access control reduce the attack surface, restrict movement by adversaries, and protect critical assets and data from compromise.
|
| PR.IR-01.06 | Production environment segregation | Mitigates | T1098.002 | Additional Email Delegate Permissions |
Comments
This diagnostic statement provides protections for production environments. Measures such as network segmentation and access control reduce the attack surface, restrict movement by adversaries, and protect critical assets and data from compromise.
|
| PR.IR-01.06 | Production environment segregation | Mitigates | T1098.003 | Additional Cloud Roles |
Comments
This diagnostic statement provides protections for production environments. Measures such as network segmentation and access control reduce the attack surface, restrict movement by adversaries, and protect critical assets and data from compromise.
|
| PR.IR-01.06 | Production environment segregation | Mitigates | T1134 | Access Token Manipulation |
Comments
This diagnostic statement provides protections for production environments. Measures such as network segmentation and access control reduce the attack surface, restrict movement by adversaries, and protect critical assets and data from compromise.
|
| PR.IR-01.06 | Production environment segregation | Mitigates | T1136 | Create Account |
Comments
This diagnostic statement provides protections for production environments. Measures such as network segmentation and access control reduce the attack surface, restrict movement by adversaries, and protect critical assets and data from compromise.
|
| PR.IR-01.06 | Production environment segregation | Mitigates | T1190 | Exploit Public-Facing Application |
Comments
This diagnostic statement provides protections for production environments. Measures such as network segmentation and access control reduce the attack surface, restrict movement by adversaries, and protect critical assets and data from compromise.
|
| PR.IR-01.06 | Production environment segregation | Mitigates | T1199 | Trusted Relationship |
Comments
This diagnostic statement provides protections for production environments. Measures such as network segmentation and access control reduce the attack surface, restrict movement by adversaries, and protect critical assets and data from compromise.
|
| PR.IR-01.06 | Production environment segregation | Mitigates | T1210 | Exploitation of Remote Services |
Comments
This diagnostic statement provides protections for production environments. Measures such as network segmentation and access control reduce the attack surface, restrict movement by adversaries, and protect critical assets and data from compromise.
|
| PR.IR-01.06 | Production environment segregation | Mitigates | T1218 | System Binary Proxy Execution |
Comments
This diagnostic statement provides protections for production environments. Measures such as network segmentation and access control reduce the attack surface, restrict movement by adversaries, and protect critical assets and data from compromise.
|
| PR.IR-01.06 | Production environment segregation | Mitigates | T1218.007 | Msiexec |
Comments
This diagnostic statement provides protections for production environments. Measures such as network segmentation and access control reduce the attack surface, restrict movement by adversaries, and protect critical assets and data from compromise.
|
| PR.IR-01.06 | Production environment segregation | Mitigates | T1495 | Firmware Corruption |
Comments
This diagnostic statement provides protections for production environments. Measures such as network segmentation and access control reduce the attack surface, restrict movement by adversaries, and protect critical assets and data from compromise.
|
| PR.IR-01.06 | Production environment segregation | Mitigates | T1505 | Server Software Component |
Comments
This diagnostic statement provides protections for production environments. Measures such as network segmentation and access control reduce the attack surface, restrict movement by adversaries, and protect critical assets and data from compromise.
|
| PR.IR-01.06 | Production environment segregation | Mitigates | T1505.004 | IIS Components |
Comments
This diagnostic statement provides protections for production environments. Measures such as network segmentation and access control reduce the attack surface, restrict movement by adversaries, and protect critical assets and data from compromise.
|
| PR.IR-01.06 | Production environment segregation | Mitigates | T1542 | Pre-OS Boot |
Comments
This diagnostic statement provides protections for production environments. Measures such as network segmentation and access control reduce the attack surface, restrict movement by adversaries, and protect critical assets and data from compromise.
|
| PR.IR-01.06 | Production environment segregation | Mitigates | T1542.001 | System Firmware |
Comments
This diagnostic statement provides protections for production environments. Measures such as network segmentation and access control reduce the attack surface, restrict movement by adversaries, and protect critical assets and data from compromise.
|
| PR.IR-01.06 | Production environment segregation | Mitigates | T1542.003 | Bootkit |
Comments
This diagnostic statement provides protections for production environments. Measures such as network segmentation and access control reduce the attack surface, restrict movement by adversaries, and protect critical assets and data from compromise.
|
| PR.IR-01.06 | Production environment segregation | Mitigates | T1543 | Create or Modify System Process |
Comments
This diagnostic statement provides protections for production environments. Measures such as network segmentation and access control reduce the attack surface, restrict movement by adversaries, and protect critical assets and data from compromise.
|
| PR.IR-01.06 | Production environment segregation | Mitigates | T1543.002 | Systemd Service |
Comments
This diagnostic statement provides protections for production environments. Measures such as network segmentation and access control reduce the attack surface, restrict movement by adversaries, and protect critical assets and data from compromise.
|
| PR.IR-01.06 | Production environment segregation | Mitigates | T1546.008 | Accessibility Features |
Comments
This diagnostic statement provides protections for production environments. Measures such as network segmentation and access control reduce the attack surface, restrict movement by adversaries, and protect critical assets and data from compromise.
|
| PR.IR-01.06 | Production environment segregation | Mitigates | T1546 | Event Triggered Execution |
Comments
This diagnostic statement provides protections for production environments. Measures such as network segmentation and access control reduce the attack surface, restrict movement by adversaries, and protect critical assets and data from compromise.
|
| PR.IR-01.06 | Production environment segregation | Mitigates | T1547.006 | Kernel Modules and Extensions |
Comments
This diagnostic statement provides protections for production environments. Measures such as network segmentation and access control reduce the attack surface, restrict movement by adversaries, and protect critical assets and data from compromise.
|
| PR.IR-01.06 | Production environment segregation | Mitigates | T1548 | Abuse Elevation Control Mechanism |
Comments
This diagnostic statement provides protections for production environments. Measures such as network segmentation and access control reduce the attack surface, restrict movement by adversaries, and protect critical assets and data from compromise.
|
| PR.IR-01.06 | Production environment segregation | Mitigates | T1548.006 | TCC Manipulation |
Comments
This diagnostic statement provides protections for production environments. Measures such as network segmentation and access control reduce the attack surface, restrict movement by adversaries, and protect critical assets and data from compromise.
|
| PR.IR-01.06 | Production environment segregation | Mitigates | T1550 | Use Alternate Authentication Material |
Comments
This diagnostic statement provides protections for production environments. Measures such as network segmentation and access control reduce the attack surface, restrict movement by adversaries, and protect critical assets and data from compromise.
|
| PR.IR-01.06 | Production environment segregation | Mitigates | T1550.002 | Pass the Hash |
Comments
This diagnostic statement provides protections for production environments. Measures such as network segmentation and access control reduce the attack surface, restrict movement by adversaries, and protect critical assets and data from compromise.
|
| PR.IR-01.06 | Production environment segregation | Mitigates | T1550.003 | Pass the Ticket |
Comments
This diagnostic statement provides protections for production environments. Measures such as network segmentation and access control reduce the attack surface, restrict movement by adversaries, and protect critical assets and data from compromise.
|
| PR.IR-01.06 | Production environment segregation | Mitigates | T1552 | Unsecured Credentials |
Comments
This diagnostic statement provides protections for production environments. Measures such as network segmentation and access control reduce the attack surface, restrict movement by adversaries, and protect critical assets and data from compromise.
|
| PR.IR-01.06 | Production environment segregation | Mitigates | T1552.005 | Cloud Instance Metadata API |
Comments
This diagnostic statement provides protections for production environments. Measures such as network segmentation and access control reduce the attack surface, restrict movement by adversaries, and protect critical assets and data from compromise.
|
| PR.IR-01.06 | Production environment segregation | Mitigates | T1552.007 | Container API |
Comments
This diagnostic statement provides protections for production environments. Measures such as network segmentation and access control reduce the attack surface, restrict movement by adversaries, and protect critical assets and data from compromise.
|
| PR.IR-01.06 | Production environment segregation | Mitigates | T1553 | Subvert Trust Controls |
Comments
This diagnostic statement provides protections for production environments. Measures such as network segmentation and access control reduce the attack surface, restrict movement by adversaries, and protect critical assets and data from compromise.
|
| PR.IR-01.06 | Production environment segregation | Mitigates | T1553.006 | Code Signing Policy Modification |
Comments
This diagnostic statement provides protections for production environments. Measures such as network segmentation and access control reduce the attack surface, restrict movement by adversaries, and protect critical assets and data from compromise.
|
| PR.IR-01.06 | Production environment segregation | Mitigates | T1555 | Credentials from Password Stores |
Comments
This diagnostic statement provides protections for production environments. Measures such as network segmentation and access control reduce the attack surface, restrict movement by adversaries, and protect critical assets and data from compromise.
|
| PR.IR-01.06 | Production environment segregation | Mitigates | T1557 | Adversary-in-the-Middle |
Comments
This diagnostic statement provides protections for production environments. Measures such as network segmentation and access control reduce the attack surface, restrict movement by adversaries, and protect critical assets and data from compromise.
|
| PR.IR-01.06 | Production environment segregation | Mitigates | T1557.001 | LLMNR/NBT-NS Poisoning and SMB Relay |
Comments
This diagnostic statement provides protections for production environments. Measures such as network segmentation and access control reduce the attack surface, restrict movement by adversaries, and protect critical assets and data from compromise.
|
| PR.IR-01.06 | Production environment segregation | Mitigates | T1557.002 | ARP Cache Poisoning |
Comments
This diagnostic statement provides protections for production environments. Measures such as network segmentation and access control reduce the attack surface, restrict movement by adversaries, and protect critical assets and data from compromise.
|
| PR.IR-01.06 | Production environment segregation | Mitigates | T1559 | Inter-Process Communication |
Comments
This diagnostic statement provides protections for production environments. Measures such as network segmentation and access control reduce the attack surface, restrict movement by adversaries, and protect critical assets and data from compromise.
|
| PR.IR-01.06 | Production environment segregation | Mitigates | T1559.001 | Component Object Model |
Comments
This diagnostic statement provides protections for production environments. Measures such as network segmentation and access control reduce the attack surface, restrict movement by adversaries, and protect critical assets and data from compromise.
|
| PR.IR-01.06 | Production environment segregation | Mitigates | T1563 | Remote Service Session Hijacking |
Comments
This diagnostic statement provides protections for production environments. Measures such as network segmentation and access control reduce the attack surface, restrict movement by adversaries, and protect critical assets and data from compromise.
|
| PR.IR-01.06 | Production environment segregation | Mitigates | T1563.002 | RDP Hijacking |
Comments
This diagnostic statement provides protections for production environments. Measures such as network segmentation and access control reduce the attack surface, restrict movement by adversaries, and protect critical assets and data from compromise.
|
| PR.IR-01.06 | Production environment segregation | Mitigates | T1602 | Data from Configuration Repository |
Comments
This diagnostic statement provides protections for production environments. Measures such as network segmentation and access control reduce the attack surface, restrict movement by adversaries, and protect critical assets and data from compromise.
|
| PR.IR-01.06 | Production environment segregation | Mitigates | T1602.001 | SNMP (MIB Dump) |
Comments
This diagnostic statement provides protections for production environments. Measures such as network segmentation and access control reduce the attack surface, restrict movement by adversaries, and protect critical assets and data from compromise.
|
| PR.IR-01.06 | Production environment segregation | Mitigates | T1602.002 | Network Device Configuration Dump |
Comments
This diagnostic statement provides protections for production environments. Measures such as network segmentation and access control reduce the attack surface, restrict movement by adversaries, and protect critical assets and data from compromise.
|
| PR.IR-01.06 | Production environment segregation | Mitigates | T1606 | Forge Web Credentials |
Comments
This diagnostic statement provides protections for production environments. Measures such as network segmentation and access control reduce the attack surface, restrict movement by adversaries, and protect critical assets and data from compromise.
|
| PR.IR-01.06 | Production environment segregation | Mitigates | T1606.002 | SAML Tokens |
Comments
This diagnostic statement provides protections for production environments. Measures such as network segmentation and access control reduce the attack surface, restrict movement by adversaries, and protect critical assets and data from compromise.
|
| PR.IR-01.06 | Production environment segregation | Mitigates | T1609 | Container Administration Command |
Comments
This diagnostic statement provides protections for production environments. Measures such as network segmentation and access control reduce the attack surface, restrict movement by adversaries, and protect critical assets and data from compromise.
|
| PR.IR-01.06 | Production environment segregation | Mitigates | T1611 | Escape to Host |
Comments
This diagnostic statement provides protections for production environments. Measures such as network segmentation and access control reduce the attack surface, restrict movement by adversaries, and protect critical assets and data from compromise.
|
| PR.IR-01.08 | End-user device access | Mitigates | T1547.006 | Kernel Modules and Extensions |
Comments
This diagnostic statement implements technical controls (e.g., VPN, antivirus software) to address the risks of end-user personal computing devices accessing the organization’s network and resources.
|
| PR.PS-01.02 | Least functionality | Mitigates | T1543 | Create or Modify System Process |
Comments
This diagnostic statement provides for limiting unnecessary software, services, ports, protocols, etc. Ensuring systems only have installed and enabled what is essential for their operation reduces the attack surface and minimizes vulnerabilities, which mitigates a wide range of techniques.
|
| EX.MM-01.01 | Third-party monitoring and management resources | Mitigates | T1199 | Trusted Relationship |
Comments
This diagnostic statement provides for the implementation of procedures for management of third party products. Managing accounts and permissions used by parties in trusted relationships helps minimize potential abuse by the party or if the party is compromised by an adversary.
|
| EX.MM-01.01 | Third-party monitoring and management resources | Mitigates | T1525 | Implant Internal Image |
Comments
This diagnostic statement provides for the implementation of procedures for management of third party products such as ensuring cloud service providers support content trust models that require container images be signed by trusted source.
|
| EX.MM-01.01 | Third-party monitoring and management resources | Mitigates | T1530 | Data from Cloud Storage |
Comments
This diagnostic statement provides for the implementation of procedures for management of third party products such as cloud storage solutions.
|
| EX.MM-01.01 | Third-party monitoring and management resources | Mitigates | T1195.003 | Compromise Hardware Supply Chain |
Comments
This diagnostic statement protects against Supply Chain Compromise through the implementation of procedures for management of third party products.
|
| EX.MM-01.01 | Third-party monitoring and management resources | Mitigates | T1601 | Modify System Image |
Comments
This diagnostic statement provides for the implementation of procedures for management of third party products such as vendor provided digitally signed operating system images to validate the integrity of the software used on their platform.
|
| EX.MM-01.01 | Third-party monitoring and management resources | Mitigates | T1601.001 | Patch System Image |
Comments
This diagnostic statement provides for the implementation of procedures for management of third party products such as vendor provided digitally signed operating system images to validate the integrity of the software used on their platform.
|
| EX.MM-01.01 | Third-party monitoring and management resources | Mitigates | T1601.002 | Downgrade System Image |
Comments
This diagnostic statement provides for the implementation of procedures for management of third party products such as vendor provided digitally signed operating system images to validate the integrity of the software used on their platform.
|
| EX.MM-01.01 | Third-party monitoring and management resources | Mitigates | T1554 | Compromise Host Software Binary |
Comments
This diagnostic statement provides for the implementation of procedures for management of third party products such as ensuring the authenticity and integrity of software.
|
| EX.MM-01.01 | Third-party monitoring and management resources | Mitigates | T1195 | Supply Chain Compromise |
Comments
This diagnostic statement protects against Supply Chain Compromise through the implementation of procedures for management of third party products.
|
| EX.MM-01.01 | Third-party monitoring and management resources | Mitigates | T1195.002 | Compromise Software Supply Chain |
Comments
This diagnostic statement protects against Supply Chain Compromise through the implementation of procedures for management of third party products.
|
| EX.MM-01.01 | Third-party monitoring and management resources | Mitigates | T1195.001 | Compromise Software Dependencies and Development Tools |
Comments
This diagnostic statement protects against Supply Chain Compromise through the implementation of procedures for management of third party products.
|
| ID.AM-08.05 | Data destruction procedures | Mitigates | T1565.002 | Transmitted Data Manipulation |
Comments
This diagnostic statement prevents adversaries from manipulating data that is in transit. Encrypting and/or obfuscating data can be used to protect sensitive data from being accessed by adversaries. There may be some similarities to NIST 800-53 SI-12 Information Management and Retention. This may provide mitigation of data access/exfiltration techniques.
|
| ID.AM-08.05 | Data destruction procedures | Mitigates | T1565.001 | Stored Data Manipulation |
Comments
This diagnostic statement prevents adversaries from manipulating data at rest. storing data remotely can be used to properly manage data. There may be some similarities to NIST 800-53 SI-12 Information Management and Retention. This may provide mitigation of data access/exfiltration techniques.
|
| ID.AM-08.05 | Data destruction procedures | Mitigates | T1114.001 | Local Email Collection |
Comments
This diagnostic statement prevents adversaries from manipulating emails and having the ability to collect sensitive data (PII) from users. There may be some similarities to NIST 800-53 SI-12 Information Management and Retention. This may provide mitigation of data access/exfiltration techniques.
|
| ID.AM-08.05 | Data destruction procedures | Mitigates | T1070.008 | Clear Mailbox Data |
Comments
Storing data remotely can be used to properly manage data so that adversaries won't be able to modify mail and mail application data. There may be some similarities to NIST 800-53 SI-12 Information Management and Retention. This may provide mitigation of data access/exfiltration techniques.
|
| ID.AM-08.05 | Data destruction procedures | Mitigates | T1070.002 | Clear Linux or Mac System Logs |
Comments
Utilizing methods that can obfuscate and/or encrypt event files locally and in transit can prevent adversaries from clearing system logs and feeding them to adversaries. Also, storing data remotely can be used to properly manage data. There may be some similarities to NIST 800-53 SI-12 Information Management and Retention. This may provide mitigation of data access/exfiltration techniques.
|
| ID.AM-08.05 | Data destruction procedures | Mitigates | T1070 | Indicator Removal |
Comments
Storing data remotely can be used to properly manage data so that adversaries won't be able to interfere with processes used to detect intrusion activities. There may be some similarities to NIST 800-53 SI-12 Information Management and Retention. This may provide mitigation of data access/exfiltration techniques.
|
| ID.AM-08.05 | Data destruction procedures | Mitigates | T1003.003 | NTDS |
Comments
This diagnostic statement protects credential data and sensitive PII from being stolen from adversaries via Active Directory domain databases. There may be some similarities to NIST 800-53 SI-12 Information Management and Retention. This may provide mitigation of data access/exfiltration techniques.
|
| ID.AM-08.05 | Data destruction procedures | Mitigates | T1558.005 | Ccache Files |
Comments
This diagnostic statement prevents adversaries from being able to steal data in transit between networks by accessing Wi-Fi access points and abusing Kerberos by stealing tickets in credential cache files. There may be some similarities to NIST 800-53 SI-12 Information Management and Retention. This may provide mitigation of data access/exfiltration techniques.
|
| ID.AM-08.05 | Data destruction procedures | Mitigates | T1558 | Steal or Forge Kerberos Tickets |
Comments
This diagnostic statement prevents adversaries from being able to steal data in transit between networks by accessing Wi-Fi access points and abusing Kerberos by stealing tickets to enforce unauthorized access. There may be some similarities to NIST 800-53 SI-12 Information Management and Retention. This may provide mitigation of data access/exfiltration techniques.
|
| ID.AM-08.05 | Data destruction procedures | Mitigates | T1557.004 | Evil Twin |
Comments
This diagnostic statement prevents adversaries from being able to steal data in transit between networks by accessing Wi-Fi access points and enticing users to connecting to malicious networks. There may be some similarities to NIST 800-53 SI-12 Information Management and Retention. This may provide mitigation of data access/exfiltration techniques.
|
| ID.AM-08.05 | Data destruction procedures | Mitigates | T1557 | Adversary-in-the-Middle |
Comments
This diagnostic statement prevents adversaries from being able to steal data in transit between networks. There may be some similarities to NIST 800-53 SI-12 Information Management and Retention. This may provide mitigation of data access/exfiltration techniques.
|
| ID.AM-08.05 | Data destruction procedures | Mitigates | T1552.004 | Private Keys |
Comments
This diagnostic statement protects credential data and sensitive PII from being stolen from adversaries via private key certificate files. There may be some similarities to NIST 800-53 SI-12 Information Management and Retention. This may provide mitigation of data access/exfiltration techniques.
|
| ID.AM-08.05 | Data destruction procedures | Mitigates | T1552 | Unsecured Credentials |
Comments
This diagnostic statement protects credential data and sensitive PII from being stolen from adversaries. There may be some similarities to NIST 800-53 SI-12 Information Management and Retention. This may provide mitigation of data access/exfiltration techniques.
|
| ID.AM-08.05 | Data destruction procedures | Mitigates | T1550.001 | Application Access Token |
Comments
This diagnostic statement prevents adversaries from being able to steal application access token by bypassing regular authentication methods and accessing restricting accounts and user credentials. There may be some similarities to NIST 800-53 SI-12 Information Management and Retention. This may provide mitigation of data access/exfiltration techniques.
|
| ID.AM-08.05 | Data destruction procedures | Mitigates | T1548 | Abuse Elevation Control Mechanism |
Comments
This diagnostic statement prevents adversaries from being able to manipulate mechanisms to gain access to user's higher-level permissions and control elevated privileges. There may be some similarities to NIST 800-53 SI-12 Information Management and Retention. This may provide mitigation of data access/exfiltration techniques.
|
| ID.AM-08.05 | Data destruction procedures | Mitigates | T1530 | Data from Cloud Storage |
Comments
This diagnostic statement prevents adversaries from collecting sensitive data from cloud storage solutions, such as Amazon S3, Azure, Storage, and Google Cloud. Permissions on cloud storage should be frequently checked and encrypting sensitive data in the cloud should be managed properly. There may be some similarities to NIST 800-53 SI-12 Information Management and Retention. This may provide mitigation of data access/exfiltration techniques.
|
| ID.AM-08.05 | Data destruction procedures | Mitigates | T1213.004 | Customer Relationship Management Software |
Comments
This diagnostic statement prevents adversaries from leveraging sensitive (PII) data from customer relationship management software by sending phishing emails or targeting organization's customers in ways that enable financial gain. There may be some similarities to NIST 800-53 SI-12 Information Management and Retention. This may provide mitigation of data access/exfiltration techniques.
|
| ID.AM-08.05 | Data destruction procedures | Mitigates | T1119 | Automated Collection |
Comments
This diagnostic statement prevents adversaries from using automated techniques for collecting internal data. There may be some similarities to NIST 800-53 SI-12 Information Management and Retention. This may provide mitigation of data access/exfiltration techniques.
|
| ID.AM-08.05 | Data destruction procedures | Mitigates | T1114.003 | Email Forwarding Rule |
Comments
This diagnostic statement protects credential data and sensitive PII from being stolen from adversaries found in emails. It also prevents adversaries from abusing email forwarding rules. There may be some similarities to NIST 800-53 SI-12 Information Management and Retention. This may provide mitigation of data access/exfiltration techniques.
|
| ID.AM-08.05 | Data destruction procedures | Mitigates | T1114.002 | Remote Email Collection |
Comments
This diagnostic statement protects credential data and sensitive PII from being stolen from adversaries found in emails. It also prevents adversaries from manipulating data via exchange server, Office 365, or Google Workspace from trying to collect sensitive information. There may be some similarities to NIST 800-53 SI-12 Information Management and Retention. This may provide mitigation of data access/exfiltration techniques.
|
| ID.AM-08.05 | Data destruction procedures | Mitigates | T1114 | Email Collection |
Comments
This diagnostic statement protects credential data and sensitive PII from being stolen from adversaries found in emails. here may be some similarities to NIST 800-53 SI-12 Information Management and Retention. This may provide mitigation of data access/exfiltration techniques.
|
| ID.AM-08.05 | Data destruction procedures | Mitigates | T1070.001 | Clear Windows Event Logs |
Comments
This diagnostic statement protects data from being easily manipulated by adversaries that try to clear Windows event logs by intruding different activities. Encrypting files locally and in transit shall avoid giving data to an adversary. There may be some similarities to NIST 800-53 SI-12 Information Management and Retention. This may provide mitigation of data access/exfiltration techniques.
|
| ID.AM-08.05 | Data destruction procedures | Mitigates | T1040 | Network Sniffing |
Comments
This diagnostic statement protects data from being easily manipulated by adversaries due to network sniffing while authentication material is being passed over networks. There may be some similarities to NIST 800-53 SI-12 Information Management and Retention. This may provide mitigation of data access/exfiltration techniques.
|
| ID.AM-08.05 | Data destruction procedures | Mitigates | T1020.001 | Traffic Duplication |
Comments
This diagnostic statement protects data from being exfiltrated from adversaries via traffic monitoring. There may be some similarities to NIST 800-53 SI-12 Information Management and Retention. This may provide mitigation of data access/exfiltration techniques.
|
| ID.AM-08.05 | Data destruction procedures | Mitigates | T1003 | OS Credential Dumping |
Comments
This diagnostic statement protects credential data and sensitive PII from being stolen from adversaries. There may be some similarities to NIST 800-53 SI-12 Information Management and Retention. This may provide mitigation of data access/exfiltration techniques.
|
| PR.AA-01.01 | Identity and credential management | Mitigates | T1003 | OS Credential Dumping |
Comments
This diagnostic statement protects against OS Credential Dumping through the use of hardened access control policies, secure defaults, password complexity requirements, multifactor authentication requirements, and removal of terminated accounts.
|
| PR.AA-01.01 | Identity and credential management | Mitigates | T1003.001 | LSASS Memory |
Comments
This diagnostic statement protects against LSASS Memory through the use of hardened access control policies, secure defaults, password complexity requirements, multifactor authentication requirements, and removal of terminated accounts.
|
| PR.AA-01.01 | Identity and credential management | Mitigates | T1003.002 | Security Account Manager |
Comments
This diagnostic statement protects against Security Account Manager through the use of hardened access control policies, secure defaults, password complexity requirements, multifactor authentication requirements, and removal of terminated accounts.
|
| PR.AA-01.01 | Identity and credential management | Mitigates | T1003.003 | NTDS |
Comments
This diagnostic statement protects against NTDS through the use of hardened access control policies, secure defaults, password complexity requirements, multifactor authentication requirements, and removal of terminated accounts.
|
| PR.AA-01.01 | Identity and credential management | Mitigates | T1003.004 | LSA Secrets |
Comments
This diagnostic statement protects against LSA Secrets through the use of hardened access control policies, secure defaults, password complexity requirements, multifactor authentication requirements, and removal of terminated accounts.
|
| PR.AA-01.01 | Identity and credential management | Mitigates | T1003.005 | Cached Domain Credentials |
Comments
This diagnostic statement protects against Cached Domain Credentials through the use of hardened access control policies, secure defaults, password complexity requirements, multifactor authentication requirements, and removal of terminated accounts.
|
| PR.AA-01.01 | Identity and credential management | Mitigates | T1003.006 | DCSync |
Comments
This diagnostic statement protects against DCSync through the use of hardened access control policies, secure defaults, password complexity requirements, multifactor authentication requirements, and removal of terminated accounts.
|
| PR.AA-01.01 | Identity and credential management | Mitigates | T1003.007 | Proc Filesystem |
Comments
This diagnostic statement protects against Proc Filesystem through the use of hardened access control policies, secure defaults, password complexity requirements, multifactor authentication requirements, and removal of terminated accounts.
|
| PR.AA-01.01 | Identity and credential management | Mitigates | T1003.008 | /etc/passwd and /etc/shadow |
Comments
This diagnostic statement protects against /etc/passwd and /etc/shadow through the use of hardened access control policies, secure defaults, password complexity requirements, multifactor authentication requirements, and removal of terminated accounts.
|
| PR.AA-01.01 | Identity and credential management | Mitigates | T1006 | Direct Volume Access |
Comments
This diagnostic statement protects against Direct Volume Access through the use of hardened access control policies, secure defaults, password complexity requirements, multifactor authentication requirements, and removal of terminated accounts.
|
| PR.AA-01.01 | Identity and credential management | Mitigates | T1020.001 | Traffic Duplication |
Comments
This diagnostic statement protects against Traffic Duplication through the use of hardened access control policies, secure defaults, password complexity requirements, multifactor authentication requirements, and removal of terminated accounts.
|
| PR.AA-01.01 | Identity and credential management | Mitigates | T1021 | Remote Services |
Comments
This diagnostic statement protects against Remote Services through the use of hardened access control policies, secure defaults, password complexity requirements, multifactor authentication requirements, and removal of terminated accounts.
|
| PR.AA-01.01 | Identity and credential management | Mitigates | T1021.001 | Remote Desktop Protocol |
Comments
This diagnostic statement protects against Remote Desktop Protocol through the use of hardened access control policies, secure defaults, password complexity requirements, multifactor authentication requirements, and removal of terminated accounts.
|
| PR.AA-01.01 | Identity and credential management | Mitigates | T1021.002 | SMB/Windows Admin Shares |
Comments
This diagnostic statement protects against SMB/Windows Admin Shares through the use of hardened access control policies, secure defaults, password complexity requirements, multifactor authentication requirements, and removal of terminated accounts.
|
| PR.AA-01.01 | Identity and credential management | Mitigates | T1021.004 | SSH |
Comments
This diagnostic statement protects against SSH through the use of hardened access control policies, secure defaults, password complexity requirements, multifactor authentication requirements, and removal of terminated accounts.
|
| PR.AA-01.01 | Identity and credential management | Mitigates | T1021.007 | Cloud Services |
Comments
This diagnostic statement protects against Cloud Services through the use of hardened access control policies, secure defaults, password complexity requirements, multifactor authentication requirements, and removal of terminated accounts.
|
| PR.AA-01.01 | Identity and credential management | Mitigates | T1021.008 | Direct Cloud VM Connections |
Comments
This diagnostic statement protects against Direct Cloud VM Connections through the use of hardened access control policies, secure defaults, password complexity requirements, multifactor authentication requirements, and removal of terminated accounts.
|
| PR.AA-01.01 | Identity and credential management | Mitigates | T1036 | Masquerading |
Comments
This diagnostic statement protects against Masquerading through the use of hardened access control policies, secure defaults, password complexity requirements, multifactor authentication requirements, and removal of terminated accounts.
|
| PR.AA-01.01 | Identity and credential management | Mitigates | T1036.010 | Masquerade Account Name |
Comments
This diagnostic statement protects against Masquerade Account Name through the use of hardened access control policies, secure defaults, password complexity requirements, multifactor authentication requirements, and removal of terminated accounts.
|
| PR.AA-01.01 | Identity and credential management | Mitigates | T1040 | Network Sniffing |
Comments
This diagnostic statement protects against Network Sniffing through the use of hardened access control policies, secure defaults, password complexity requirements, multifactor authentication requirements, and removal of terminated accounts.
|
| PR.AA-01.01 | Identity and credential management | Mitigates | T1047 | Windows Management Instrumentation |
Comments
This diagnostic statement protects against Windows Management Instrumentation through the use of hardened access control policies, secure defaults, password complexity requirements, multifactor authentication requirements, and removal of terminated accounts.
|
| PR.AA-01.01 | Identity and credential management | Mitigates | T1048 | Exfiltration Over Alternative Protocol |
Comments
This diagnostic statement protects against Exfiltration Over Alternative Protocol through the use of hardened access control policies, secure defaults, password complexity requirements, multifactor authentication requirements, and removal of terminated accounts.
|
| PR.AA-01.01 | Identity and credential management | Mitigates | T1053 | Scheduled Task/Job |
Comments
This diagnostic statement protects against Scheduled Task/Job through the use of hardened access control policies, secure defaults, password complexity requirements, multifactor authentication requirements, and removal of terminated accounts.
|
| PR.AA-01.01 | Identity and credential management | Mitigates | T1053.002 | At |
Comments
This diagnostic statement protects against At through the use of hardened access control policies, secure defaults, password complexity requirements, multifactor authentication requirements, and removal of terminated accounts.
|
| PR.AA-01.01 | Identity and credential management | Mitigates | T1053.003 | Cron |
Comments
This diagnostic statement protects against Cron through the use of hardened access control policies, secure defaults, password complexity requirements, multifactor authentication requirements, and removal of terminated accounts.
|
| PR.AA-01.01 | Identity and credential management | Mitigates | T1053.005 | Scheduled Task |
Comments
This diagnostic statement protects against Scheduled Task through the use of hardened access control policies, secure defaults, password complexity requirements, multifactor authentication requirements, and removal of terminated accounts.
|
| PR.AA-01.01 | Identity and credential management | Mitigates | T1053.006 | Systemd Timers |
Comments
This diagnostic statement protects against Systemd Timers through the use of hardened access control policies, secure defaults, password complexity requirements, multifactor authentication requirements, and removal of terminated accounts.
|
| PR.AA-01.01 | Identity and credential management | Mitigates | T1053.007 | Container Orchestration Job |
Comments
This diagnostic statement protects against Container Orchestration Job through the use of hardened access control policies, secure defaults, password complexity requirements, multifactor authentication requirements, and removal of terminated accounts.
|
| PR.AA-01.01 | Identity and credential management | Mitigates | T1059 | Command and Scripting Interpreter |
Comments
This diagnostic statement protects against Command and Scripting Interpreter through the use of hardened access control policies, secure defaults, password complexity requirements, multifactor authentication requirements, and removal of terminated accounts.
|
| PR.AA-01.01 | Identity and credential management | Mitigates | T1059.008 | Network Device CLI |
Comments
This diagnostic statement protects against Network Device CLI through the use of hardened access control policies, secure defaults, password complexity requirements, multifactor authentication requirements, and removal of terminated accounts.
|
| PR.AA-01.01 | Identity and credential management | Mitigates | T1072 | Software Deployment Tools |
Comments
This diagnostic statement protects against Software Deployment Tools through the use of hardened access control policies, secure defaults, password complexity requirements, multifactor authentication requirements, and removal of terminated accounts.
|
| PR.AA-01.01 | Identity and credential management | Mitigates | T1078 | Valid Accounts |
Comments
This diagnostic statement protects against Valid Accounts through the use of hardened access control policies, secure defaults, password complexity requirements, multifactor authentication requirements, and removal of terminated accounts.
|
| PR.AA-01.01 | Identity and credential management | Mitigates | T1078.001 | Default Accounts |
Comments
This diagnostic statement protects against Default Accounts through the use of hardened access control policies, secure defaults, password complexity requirements, multifactor authentication requirements, and removal of terminated accounts.
|
| PR.AA-01.01 | Identity and credential management | Mitigates | T1078.002 | Domain Accounts |
Comments
This diagnostic statement protects against Domain Accounts through the use of hardened access control policies, secure defaults, password complexity requirements, multifactor authentication requirements, and removal of terminated accounts.
|
| PR.AA-01.01 | Identity and credential management | Mitigates | T1078.003 | Local Accounts |
Comments
This diagnostic statement protects against Local Accounts through the use of hardened access control policies, secure defaults, password complexity requirements, multifactor authentication requirements, and removal of terminated accounts.
|
| PR.AA-01.01 | Identity and credential management | Mitigates | T1078.004 | Cloud Accounts |
Comments
This diagnostic statement protects against Cloud Accounts through the use of hardened access control policies, secure defaults, password complexity requirements, multifactor authentication requirements, and removal of terminated accounts.
|
| PR.AA-01.01 | Identity and credential management | Mitigates | T1087 | Account Discovery |
Comments
This diagnostic statement protects against Account Discovery through the use of hardened access control policies, secure defaults, password complexity requirements, multifactor authentication requirements, and removal of terminated accounts.
|
| PR.AA-01.01 | Identity and credential management | Mitigates | T1087.004 | Cloud Account |
Comments
This diagnostic statement protects against Cloud Account through the use of hardened access control policies, secure defaults, password complexity requirements, multifactor authentication requirements, and removal of terminated accounts.
|
| PR.AA-01.01 | Identity and credential management | Mitigates | T1098 | Account Manipulation |
Comments
This diagnostic statement protects against Account Manipulation through the use of hardened access control policies, secure defaults, password complexity requirements, multifactor authentication requirements, and removal of terminated accounts.
|
| PR.AA-01.01 | Identity and credential management | Mitigates | T1098.001 | Additional Cloud Credentials |
Comments
This diagnostic statement protects against Additional Cloud Credentials through the use of hardened access control policies, secure defaults, password complexity requirements, multifactor authentication requirements, and removal of terminated accounts.
|
| PR.AA-01.01 | Identity and credential management | Mitigates | T1098.002 | Additional Email Delegate Permissions |
Comments
This diagnostic statement protects against Additional Email Delegate Permissions through the use of hardened access control policies, secure defaults, password complexity requirements, multifactor authentication requirements, and removal of terminated accounts.
|
| PR.AA-01.01 | Identity and credential management | Mitigates | T1098.003 | Additional Cloud Roles |
Comments
This diagnostic statement protects against Additional Cloud Roles through the use of hardened access control policies, secure defaults, password complexity requirements, multifactor authentication requirements, and removal of terminated accounts.
|
| PR.AA-01.01 | Identity and credential management | Mitigates | T1098.004 | SSH Authorized Keys |
Comments
This diagnostic statement protects against SSH Authorized Keys through the use of hardened access control policies, secure defaults, password complexity requirements, multifactor authentication requirements, and removal of terminated accounts.
|
| PR.AA-01.01 | Identity and credential management | Mitigates | T1098.005 | Device Registration |
Comments
This diagnostic statement protects against Device Registration through the use of hardened access control policies, secure defaults, password complexity requirements, multifactor authentication requirements, and removal of terminated accounts.
|
| PR.AA-01.01 | Identity and credential management | Mitigates | T1098.006 | Additional Container Cluster Roles |
Comments
This diagnostic statement protects against Additional Container Cluster Roles through the use of hardened access control policies, secure defaults, password complexity requirements, multifactor authentication requirements, and removal of terminated accounts.
|
| PR.AA-01.01 | Identity and credential management | Mitigates | T1110 | Brute Force |
Comments
This diagnostic statement protects against Brute Force through the use of hardened access control policies, secure defaults, password complexity requirements, multifactor authentication requirements, and removal of terminated accounts.
|
| PR.AA-01.01 | Identity and credential management | Mitigates | T1110.001 | Password Guessing |
Comments
This diagnostic statement protects against Password Guessing through the use of hardened access control policies, secure defaults, password complexity requirements, multifactor authentication requirements, and removal of terminated accounts.
|
| PR.AA-01.01 | Identity and credential management | Mitigates | T1110.002 | Password Cracking |
Comments
This diagnostic statement protects against Password Cracking through the use of hardened access control policies, secure defaults, password complexity requirements, multifactor authentication requirements, and removal of terminated accounts.
|
| PR.AA-01.01 | Identity and credential management | Mitigates | T1110.003 | Password Spraying |
Comments
This diagnostic statement protects against Password Spraying through the use of hardened access control policies, secure defaults, password complexity requirements, multifactor authentication requirements, and removal of terminated accounts.
|
| PR.AA-01.01 | Identity and credential management | Mitigates | T1110.004 | Credential Stuffing |
Comments
This diagnostic statement protects against Credential Stuffing through the use of hardened access control policies, secure defaults, password complexity requirements, multifactor authentication requirements, and removal of terminated accounts.
|
| PR.AA-01.01 | Identity and credential management | Mitigates | T1114 | Email Collection |
Comments
This diagnostic statement protects against Email Collection through the use of hardened access control policies, secure defaults, password complexity requirements, multifactor authentication requirements, and removal of terminated accounts.
|
| PR.AA-01.01 | Identity and credential management | Mitigates | T1114.002 | Remote Email Collection |
Comments
This diagnostic statement protects against Remote Email Collection through the use of hardened access control policies, secure defaults, password complexity requirements, multifactor authentication requirements, and removal of terminated accounts.
|
| PR.AA-01.01 | Identity and credential management | Mitigates | T1133 | External Remote Services |
Comments
This diagnostic statement protects against External Remote Services through the use of hardened access control policies, secure defaults, password complexity requirements, multifactor authentication requirements, and removal of terminated accounts.
|
| PR.AA-01.01 | Identity and credential management | Mitigates | T1134 | Access Token Manipulation |
Comments
This diagnostic statement protects against Access Token Manipulation through the use of hardened access control policies, secure defaults, password complexity requirements, multifactor authentication requirements, and removal of terminated accounts.
|
| PR.AA-01.01 | Identity and credential management | Mitigates | T1134.001 | Token Impersonation/Theft |
Comments
This diagnostic statement protects against Token Impersonation/Theft through the use of hardened access control policies, secure defaults, password complexity requirements, multifactor authentication requirements, and removal of terminated accounts.
|
| PR.AA-01.01 | Identity and credential management | Mitigates | T1134.002 | Create Process with Token |
Comments
This diagnostic statement protects against Create Process with Token through the use of hardened access control policies, secure defaults, password complexity requirements, multifactor authentication requirements, and removal of terminated accounts.
|
| PR.AA-01.01 | Identity and credential management | Mitigates | T1134.003 | Make and Impersonate Token |
Comments
This diagnostic statement protects against Make and Impersonate Token through the use of hardened access control policies, secure defaults, password complexity requirements, multifactor authentication requirements, and removal of terminated accounts.
|
| PR.AA-01.01 | Identity and credential management | Mitigates | T1134.005 | SID-History Injection |
Comments
This diagnostic statement protects against SID-History Injection through the use of hardened access control policies, secure defaults, password complexity requirements, multifactor authentication requirements, and removal of terminated accounts.
|
| PR.AA-01.01 | Identity and credential management | Mitigates | T1136 | Create Account |
Comments
This diagnostic statement protects against Create Account through the use of hardened access control policies, secure defaults, password complexity requirements, multifactor authentication requirements, and removal of terminated accounts.
|
| PR.AA-01.01 | Identity and credential management | Mitigates | T1136.001 | Local Account |
Comments
This diagnostic statement protects against Local Account through the use of hardened access control policies, secure defaults, password complexity requirements, multifactor authentication requirements, and removal of terminated accounts.
|
| PR.AA-01.01 | Identity and credential management | Mitigates | T1136.002 | Domain Account |
Comments
This diagnostic statement protects against Domain Account through the use of hardened access control policies, secure defaults, password complexity requirements, multifactor authentication requirements, and removal of terminated accounts.
|
| PR.AA-01.01 | Identity and credential management | Mitigates | T1136.003 | Cloud Account |
Comments
This diagnostic statement protects against Cloud Account through the use of hardened access control policies, secure defaults, password complexity requirements, multifactor authentication requirements, and removal of terminated accounts.
|
| PR.AA-01.01 | Identity and credential management | Mitigates | T1185 | Browser Session Hijacking |
Comments
This diagnostic statement protects against Browser Session Hijacking through the use of hardened access control policies, secure defaults, password complexity requirements, multifactor authentication requirements, and removal of terminated accounts.
|
| PR.AA-01.01 | Identity and credential management | Mitigates | T1187 | Forced Authentication |
Comments
This diagnostic statement protects against Forced Authentication through the use of hardened access control policies, secure defaults, password complexity requirements, multifactor authentication requirements, and removal of terminated accounts.
|
| PR.AA-01.01 | Identity and credential management | Mitigates | T1195 | Supply Chain Compromise |
Comments
This diagnostic statement protects against Supply Chain Compromise through the use of hardened access control policies, secure defaults, password complexity requirements, multifactor authentication requirements, and removal of terminated accounts.
|
| PR.AA-01.01 | Identity and credential management | Mitigates | T1197 | BITS Jobs |
Comments
This diagnostic statement protects against BITS Jobs through the use of hardened access control policies, secure defaults, password complexity requirements, multifactor authentication requirements, and removal of terminated accounts.
|
| PR.AA-01.01 | Identity and credential management | Mitigates | T1199 | Trusted Relationship |
Comments
This diagnostic statement protects against Trusted Relationship through the use of hardened access control policies, secure defaults, password complexity requirements, multifactor authentication requirements, and removal of terminated accounts.
|
| PR.AA-01.01 | Identity and credential management | Mitigates | T1201 | Password Policy Discovery |
Comments
This diagnostic statement protects against Password Policy Discovery through the use of hardened access control policies, secure defaults, password complexity requirements, multifactor authentication requirements, and removal of terminated accounts.
|
| PR.AA-01.01 | Identity and credential management | Mitigates | T1213 | Data from Information Repositories |
Comments
This diagnostic statement protects against Data from Information Repositories through the use of hardened access control policies, secure defaults, password complexity requirements, multifactor authentication requirements, and removal of terminated accounts.
|
| PR.AA-01.01 | Identity and credential management | Mitigates | T1213.001 | Confluence |
Comments
This diagnostic statement protects against Confluence through the use of hardened access control policies, secure defaults, password complexity requirements, multifactor authentication requirements, and removal of terminated accounts.
|
| PR.AA-01.01 | Identity and credential management | Mitigates | T1213.002 | Sharepoint |
Comments
This diagnostic statement protects against Sharepoint through the use of hardened access control policies, secure defaults, password complexity requirements, multifactor authentication requirements, and removal of terminated accounts.
|
| PR.AA-01.01 | Identity and credential management | Mitigates | T1213.003 | Code Repositories |
Comments
This diagnostic statement protects against Code Repositories through the use of hardened access control policies, secure defaults, password complexity requirements, multifactor authentication requirements, and removal of terminated accounts.
|
| PR.AA-01.01 | Identity and credential management | Mitigates | T1213.004 | Customer Relationship Management Software |
Comments
This diagnostic statement protects against Customer Relationship Management Software through the use of hardened access control policies, secure defaults, password complexity requirements, multifactor authentication requirements, and removal of terminated accounts.
|
| PR.AA-01.01 | Identity and credential management | Mitigates | T1484 | Domain or Tenant Policy Modification |
Comments
This diagnostic statement protects against Domain or Tenant Policy Modification through the use of hardened access control policies, secure defaults, password complexity requirements, multifactor authentication requirements, and removal of terminated accounts.
|
| PR.AA-01.01 | Identity and credential management | Mitigates | T1484.001 | Group Policy Modification |
Comments
This diagnostic statement protects against Group Policy Modification through the use of hardened access control policies, secure defaults, password complexity requirements, multifactor authentication requirements, and removal of terminated accounts.
|
| PR.AA-01.01 | Identity and credential management | Mitigates | T1484.002 | Trust Modification |
Comments
This diagnostic statement protects against Trust Modification through the use of hardened access control policies, secure defaults, password complexity requirements, multifactor authentication requirements, and removal of terminated accounts.
|
| PR.AA-01.01 | Identity and credential management | Mitigates | T1485 | Data Destruction |
Comments
This diagnostic statement protects against Data Destruction through the use of hardened access control policies, secure defaults, password complexity requirements, multifactor authentication requirements, and removal of terminated accounts.
|
| PR.AA-01.01 | Identity and credential management | Mitigates | T1485.001 | Lifecycle-Triggered Deletion |
Comments
This diagnostic statement protects against Lifecycle-Triggered Deletion through the use of hardened access control policies, secure defaults, password complexity requirements, multifactor authentication requirements, and removal of terminated accounts.
|
| PR.AA-01.01 | Identity and credential management | Mitigates | T1489 | Service Stop |
Comments
This diagnostic statement protects against Service Stop through the use of hardened access control policies, secure defaults, password complexity requirements, multifactor authentication requirements, and removal of terminated accounts.
|
| PR.AA-01.01 | Identity and credential management | Mitigates | T1490 | Inhibit System Recovery |
Comments
This diagnostic statement protects against Inhibit System Recovery through the use of hardened access control policies, secure defaults, password complexity requirements, multifactor authentication requirements, and removal of terminated accounts.
|
| PR.AA-01.01 | Identity and credential management | Mitigates | T1505 | Server Software Component |
Comments
This diagnostic statement protects against Server Software Component through the use of hardened access control policies, secure defaults, password complexity requirements, multifactor authentication requirements, and removal of terminated accounts.
|
| PR.AA-01.01 | Identity and credential management | Mitigates | T1505.003 | Web Shell |
Comments
This diagnostic statement protects against Web Shell through the use of hardened access control policies, secure defaults, password complexity requirements, multifactor authentication requirements, and removal of terminated accounts.
|
| PR.AA-01.01 | Identity and credential management | Mitigates | T1528 | Steal Application Access Token |
Comments
This diagnostic statement protects against Steal Application Access Token through the use of hardened access control policies, secure defaults, password complexity requirements, multifactor authentication requirements, and removal of terminated accounts.
|
| PR.AA-01.01 | Identity and credential management | Mitigates | T1530 | Data from Cloud Storage |
Comments
This diagnostic statement protects against Data from Cloud Storage through the use of hardened access control policies, secure defaults, password complexity requirements, multifactor authentication requirements, and removal of terminated accounts.
|
| PR.AA-01.01 | Identity and credential management | Mitigates | T1537 | Transfer Data to Cloud Account |
Comments
This diagnostic statement protects against Transfer Data to Cloud Account through the use of hardened access control policies, secure defaults, password complexity requirements, multifactor authentication requirements, and removal of terminated accounts.
|
| PR.AA-01.01 | Identity and credential management | Mitigates | T1538 | Cloud Service Dashboard |
Comments
This diagnostic statement protects against Cloud Service Dashboard through the use of hardened access control policies, secure defaults, password complexity requirements, multifactor authentication requirements, and removal of terminated accounts.
|
| PR.AA-01.01 | Identity and credential management | Mitigates | T1539 | Steal Web Session Cookie |
Comments
This diagnostic statement protects against Steal Web Session Cookie through the use of hardened access control policies, secure defaults, password complexity requirements, multifactor authentication requirements, and removal of terminated accounts.
|
| PR.AA-01.01 | Identity and credential management | Mitigates | T1543 | Create or Modify System Process |
Comments
This diagnostic statement protects against Create or Modify System Process through the use of hardened access control policies, secure defaults, password complexity requirements, multifactor authentication requirements, and removal of terminated accounts.
|
| PR.AA-01.01 | Identity and credential management | Mitigates | T1543.002 | Systemd Service |
Comments
This diagnostic statement protects against Systemd Service through the use of hardened access control policies, secure defaults, password complexity requirements, multifactor authentication requirements, and removal of terminated accounts.
|
| PR.AA-01.01 | Identity and credential management | Mitigates | T1543.003 | Windows Service |
Comments
This diagnostic statement protects against Windows Service through the use of hardened access control policies, secure defaults, password complexity requirements, multifactor authentication requirements, and removal of terminated accounts.
|
| PR.AA-01.01 | Identity and credential management | Mitigates | T1543.004 | Launch Daemon |
Comments
This diagnostic statement protects against Launch Daemon through the use of hardened access control policies, secure defaults, password complexity requirements, multifactor authentication requirements, and removal of terminated accounts.
|
| PR.AA-01.01 | Identity and credential management | Mitigates | T1543.005 | Container Service |
Comments
This diagnostic statement protects against Container Service through the use of hardened access control policies, secure defaults, password complexity requirements, multifactor authentication requirements, and removal of terminated accounts.
|
| PR.AA-01.01 | Identity and credential management | Mitigates | T1546 | Event Triggered Execution |
Comments
This diagnostic statement protects against Event Triggered Execution through the use of hardened access control policies, secure defaults, password complexity requirements, multifactor authentication requirements, and removal of terminated accounts.
|
| PR.AA-01.01 | Identity and credential management | Mitigates | T1546.003 | Windows Management Instrumentation Event Subscription |
Comments
This diagnostic statement protects against Windows Management Instrumentation Event Subscription through the use of hardened access control policies, secure defaults, password complexity requirements, multifactor authentication requirements, and removal of terminated accounts.
|
| PR.AA-01.01 | Identity and credential management | Mitigates | T1546.011 | Application Shimming |
Comments
This diagnostic statement protects against Application Shimming through the use of hardened access control policies, secure defaults, password complexity requirements, multifactor authentication requirements, and removal of terminated accounts.
|
| PR.AA-01.01 | Identity and credential management | Mitigates | T1547 | Boot or Logon Autostart Execution |
Comments
This diagnostic statement protects against Boot or Logon Autostart Execution through the use of hardened access control policies, secure defaults, password complexity requirements, multifactor authentication requirements, and removal of terminated accounts.
|
| PR.AA-01.01 | Identity and credential management | Mitigates | T1547.004 | Winlogon Helper DLL |
Comments
This diagnostic statement protects against Winlogon Helper DLL through the use of hardened access control policies, secure defaults, password complexity requirements, multifactor authentication requirements, and removal of terminated accounts.
|
| PR.AA-01.01 | Identity and credential management | Mitigates | T1547.006 | Kernel Modules and Extensions |
Comments
This diagnostic statement protects against Kernel Modules and Extensions through the use of hardened access control policies, secure defaults, password complexity requirements, multifactor authentication requirements, and removal of terminated accounts.
|
| PR.AA-01.01 | Identity and credential management | Mitigates | T1547.009 | Shortcut Modification |
Comments
This diagnostic statement protects against Shortcut Modification through the use of hardened access control policies, secure defaults, password complexity requirements, multifactor authentication requirements, and removal of terminated accounts.
|
| PR.AA-01.01 | Identity and credential management | Mitigates | T1547.012 | Print Processors |
Comments
This diagnostic statement protects against Print Processors through the use of hardened access control policies, secure defaults, password complexity requirements, multifactor authentication requirements, and removal of terminated accounts.
|
| PR.AA-01.01 | Identity and credential management | Mitigates | T1547.013 | XDG Autostart Entries |
Comments
This diagnostic statement protects against XDG Autostart Entries through the use of hardened access control policies, secure defaults, password complexity requirements, multifactor authentication requirements, and removal of terminated accounts.
|
| PR.AA-01.01 | Identity and credential management | Mitigates | T1548 | Abuse Elevation Control Mechanism |
Comments
This diagnostic statement protects against Abuse Elevation Control Mechanism through the use of hardened access control policies, secure defaults, password complexity requirements, multifactor authentication requirements, and removal of terminated accounts.
|
| PR.AA-01.01 | Identity and credential management | Mitigates | T1548.002 | Bypass User Account Control |
Comments
This diagnostic statement protects against Bypass User Account Control through the use of hardened access control policies, secure defaults, password complexity requirements, multifactor authentication requirements, and removal of terminated accounts.
|
| PR.AA-01.01 | Identity and credential management | Mitigates | T1548.005 | Temporary Elevated Cloud Access |
Comments
This diagnostic statement protects against Temporary Elevated Cloud Access through the use of hardened access control policies, secure defaults, password complexity requirements, multifactor authentication requirements, and removal of terminated accounts.
|
| PR.AA-01.01 | Identity and credential management | Mitigates | T1550 | Use Alternate Authentication Material |
Comments
This diagnostic statement protects against Use Alternate Authentication Material through the use of hardened access control policies, secure defaults, password complexity requirements, multifactor authentication requirements, and removal of terminated accounts.
|
| PR.AA-01.01 | Identity and credential management | Mitigates | T1550.001 | Application Access Token |
Comments
This diagnostic statement protects against Application Access Token through the use of hardened access control policies, secure defaults, password complexity requirements, multifactor authentication requirements, and removal of terminated accounts.
|
| PR.AA-01.01 | Identity and credential management | Mitigates | T1550.002 | Pass the Hash |
Comments
This diagnostic statement protects against Pass the Hash through the use of hardened access control policies, secure defaults, password complexity requirements, multifactor authentication requirements, and removal of terminated accounts.
|
| PR.AA-01.01 | Identity and credential management | Mitigates | T1550.003 | Pass the Ticket |
Comments
This diagnostic statement protects against Pass the Ticket through the use of hardened access control policies, secure defaults, password complexity requirements, multifactor authentication requirements, and removal of terminated accounts.
|
| PR.AA-01.01 | Identity and credential management | Mitigates | T1552 | Unsecured Credentials |
Comments
This diagnostic statement protects against Unsecured Credentials through the use of hardened access control policies, secure defaults, password complexity requirements, multifactor authentication requirements, and removal of terminated accounts.
|
| PR.AA-01.01 | Identity and credential management | Mitigates | T1552.001 | Credentials In Files |
Comments
This diagnostic statement protects against Credentials In Files through the use of hardened access control policies, secure defaults, password complexity requirements, multifactor authentication requirements, and removal of terminated accounts.
|
| PR.AA-01.01 | Identity and credential management | Mitigates | T1552.002 | Credentials in Registry |
Comments
This diagnostic statement protects against Credentials in Registry through the use of hardened access control policies, secure defaults, password complexity requirements, multifactor authentication requirements, and removal of terminated accounts.
|
| PR.AA-01.01 | Identity and credential management | Mitigates | T1552.004 | Private Keys |
Comments
This diagnostic statement protects against Private Keys through the use of hardened access control policies, secure defaults, password complexity requirements, multifactor authentication requirements, and removal of terminated accounts.
|
| PR.AA-01.01 | Identity and credential management | Mitigates | T1552.006 | Group Policy Preferences |
Comments
This diagnostic statement protects against Group Policy Preferences through the use of hardened access control policies, secure defaults, password complexity requirements, multifactor authentication requirements, and removal of terminated accounts.
|
| PR.AA-01.01 | Identity and credential management | Mitigates | T1552.007 | Container API |
Comments
This diagnostic statement protects against Container API through the use of hardened access control policies, secure defaults, password complexity requirements, multifactor authentication requirements, and removal of terminated accounts.
|
| PR.AA-01.01 | Identity and credential management | Mitigates | T1555 | Credentials from Password Stores |
Comments
This diagnostic statement protects against Credentials from Password Stores through the use of hardened access control policies, secure defaults, password complexity requirements, multifactor authentication requirements, and removal of terminated accounts.
|
| PR.AA-01.01 | Identity and credential management | Mitigates | T1555.001 | Keychain |
Comments
This diagnostic statement protects against Keychain through the use of hardened access control policies, secure defaults, password complexity requirements, multifactor authentication requirements, and removal of terminated accounts.
|
| PR.AA-01.01 | Identity and credential management | Mitigates | T1555.003 | Credentials from Web Browsers |
Comments
This diagnostic statement protects against Credentials from Web Browsers through the use of hardened access control policies, secure defaults, password complexity requirements, multifactor authentication requirements, and removal of terminated accounts.
|
| PR.AA-01.01 | Identity and credential management | Mitigates | T1555.005 | Password Managers |
Comments
This diagnostic statement protects against Password Managers through the use of hardened access control policies, secure defaults, password complexity requirements, multifactor authentication requirements, and removal of terminated accounts.
|
| PR.AA-01.01 | Identity and credential management | Mitigates | T1556 | Modify Authentication Process |
Comments
This diagnostic statement protects against Modify Authentication Process through the use of hardened access control policies, secure defaults, password complexity requirements, multifactor authentication requirements, and removal of terminated accounts.
|
| PR.AA-01.01 | Identity and credential management | Mitigates | T1556.001 | Domain Controller Authentication |
Comments
This diagnostic statement protects against Domain Controller Authentication through the use of hardened access control policies, secure defaults, password complexity requirements, multifactor authentication requirements, and removal of terminated accounts.
|
| PR.AA-01.01 | Identity and credential management | Mitigates | T1556.003 | Pluggable Authentication Modules |
Comments
This diagnostic statement protects against Pluggable Authentication Modules through the use of hardened access control policies, secure defaults, password complexity requirements, multifactor authentication requirements, and removal of terminated accounts.
|
| PR.AA-01.01 | Identity and credential management | Mitigates | T1556.004 | Network Device Authentication |
Comments
This diagnostic statement protects against Network Device Authentication through the use of hardened access control policies, secure defaults, password complexity requirements, multifactor authentication requirements, and removal of terminated accounts.
|
| PR.AA-01.01 | Identity and credential management | Mitigates | T1556.005 | Reversible Encryption |
Comments
This diagnostic statement protects against Reversible Encryption through the use of hardened access control policies, secure defaults, password complexity requirements, multifactor authentication requirements, and removal of terminated accounts.
|
| PR.AA-01.01 | Identity and credential management | Mitigates | T1556.006 | Multi-Factor Authentication |
Comments
This diagnostic statement protects against Multi-Factor Authentication through the use of hardened access control policies, secure defaults, password complexity requirements, multifactor authentication requirements, and removal of terminated accounts.
|
| PR.AA-01.01 | Identity and credential management | Mitigates | T1556.007 | Hybrid Identity |
Comments
This diagnostic statement protects against Hybrid Identity through the use of hardened access control policies, secure defaults, password complexity requirements, multifactor authentication requirements, and removal of terminated accounts.
|
| PR.AA-01.01 | Identity and credential management | Mitigates | T1556.009 | Conditional Access Policies |
Comments
This diagnostic statement protects against Conditional Access Policies through the use of hardened access control policies, secure defaults, password complexity requirements, multifactor authentication requirements, and removal of terminated accounts.
|
| PR.AA-01.01 | Identity and credential management | Mitigates | T1558 | Steal or Forge Kerberos Tickets |
Comments
This diagnostic statement protects against Steal or Forge Kerberos Tickets through the use of hardened access control policies, secure defaults, password complexity requirements, multifactor authentication requirements, and removal of terminated accounts.
|
| PR.AA-01.01 | Identity and credential management | Mitigates | T1558.001 | Golden Ticket |
Comments
This diagnostic statement protects against Golden Ticket through the use of hardened access control policies, secure defaults, password complexity requirements, multifactor authentication requirements, and removal of terminated accounts.
|
| PR.AA-01.01 | Identity and credential management | Mitigates | T1558.002 | Silver Ticket |
Comments
This diagnostic statement protects against Silver Ticket through the use of hardened access control policies, secure defaults, password complexity requirements, multifactor authentication requirements, and removal of terminated accounts.
|
| PR.AA-01.01 | Identity and credential management | Mitigates | T1558.003 | Kerberoasting |
Comments
This diagnostic statement protects against Kerberoasting through the use of hardened access control policies, secure defaults, password complexity requirements, multifactor authentication requirements, and removal of terminated accounts.
|
| PR.AA-01.01 | Identity and credential management | Mitigates | T1558.004 | AS-REP Roasting |
Comments
This diagnostic statement protects against AS-REP Roasting through the use of hardened access control policies, secure defaults, password complexity requirements, multifactor authentication requirements, and removal of terminated accounts.
|
| PR.AA-01.01 | Identity and credential management | Mitigates | T1562 | Impair Defenses |
Comments
This diagnostic statement protects against Impair Defenses through the use of hardened access control policies, secure defaults, password complexity requirements, multifactor authentication requirements, and removal of terminated accounts.
|
| PR.AA-01.01 | Identity and credential management | Mitigates | T1562.001 | Disable or Modify Tools |
Comments
This diagnostic statement protects against Disable or Modify Tools through the use of hardened access control policies, secure defaults, password complexity requirements, multifactor authentication requirements, and removal of terminated accounts.
|
| PR.AA-01.01 | Identity and credential management | Mitigates | T1562.002 | Disable Windows Event Logging |
Comments
This diagnostic statement protects against Disable Windows Event Logging through the use of hardened access control policies, secure defaults, password complexity requirements, multifactor authentication requirements, and removal of terminated accounts.
|
| PR.AA-01.01 | Identity and credential management | Mitigates | T1562.004 | Disable or Modify System Firewall |
Comments
This diagnostic statement protects against Disable or Modify System Firewall through the use of hardened access control policies, secure defaults, password complexity requirements, multifactor authentication requirements, and removal of terminated accounts.
|
| PR.AA-01.01 | Identity and credential management | Mitigates | T1562.006 | Indicator Blocking |
Comments
This diagnostic statement protects against Indicator Blocking through the use of hardened access control policies, secure defaults, password complexity requirements, multifactor authentication requirements, and removal of terminated accounts.
|
| PR.AA-01.01 | Identity and credential management | Mitigates | T1562.007 | Disable or Modify Cloud Firewall |
Comments
This diagnostic statement protects against Disable or Modify Cloud Firewall through the use of hardened access control policies, secure defaults, password complexity requirements, multifactor authentication requirements, and removal of terminated accounts.
|
| PR.AA-01.01 | Identity and credential management | Mitigates | T1562.008 | Disable or Modify Cloud Logs |
Comments
This diagnostic statement protects against Disable or Modify Cloud Logs through the use of hardened access control policies, secure defaults, password complexity requirements, multifactor authentication requirements, and removal of terminated accounts.
|
| PR.AA-01.01 | Identity and credential management | Mitigates | T1562.012 | Disable or Modify Linux Audit System |
Comments
This diagnostic statement protects against Disable or Modify Linux Audit System through the use of hardened access control policies, secure defaults, password complexity requirements, multifactor authentication requirements, and removal of terminated accounts.
|
| PR.AA-01.01 | Identity and credential management | Mitigates | T1563 | Remote Service Session Hijacking |
Comments
This diagnostic statement protects against Remote Service Session Hijacking through the use of hardened access control policies, secure defaults, password complexity requirements, multifactor authentication requirements, and removal of terminated accounts.
|
| PR.AA-01.01 | Identity and credential management | Mitigates | T1563.001 | SSH Hijacking |
Comments
This diagnostic statement protects against SSH Hijacking through the use of hardened access control policies, secure defaults, password complexity requirements, multifactor authentication requirements, and removal of terminated accounts.
|
| PR.AA-01.01 | Identity and credential management | Mitigates | T1563.002 | RDP Hijacking |
Comments
This diagnostic statement protects against RDP Hijacking through the use of hardened access control policies, secure defaults, password complexity requirements, multifactor authentication requirements, and removal of terminated accounts.
|
| PR.AA-01.01 | Identity and credential management | Mitigates | T1566 | Phishing |
Comments
This diagnostic statement protects against Phishing through the use of hardened access control policies, secure defaults, password complexity requirements, multifactor authentication requirements, and removal of terminated accounts.
|
| PR.AA-01.01 | Identity and credential management | Mitigates | T1566.001 | Spearphishing Attachment |
Comments
This diagnostic statement protects against Spearphishing Attachment through the use of hardened access control policies, secure defaults, password complexity requirements, multifactor authentication requirements, and removal of terminated accounts.
|
| PR.AA-01.01 | Identity and credential management | Mitigates | T1566.002 | Spearphishing Link |
Comments
This diagnostic statement protects against Spearphishing Link through the use of hardened access control policies, secure defaults, password complexity requirements, multifactor authentication requirements, and removal of terminated accounts.
|
| PR.AA-01.01 | Identity and credential management | Mitigates | T1566.003 | Spearphishing via Service |
Comments
This diagnostic statement protects against Spearphishing via Service through the use of hardened access control policies, secure defaults, password complexity requirements, multifactor authentication requirements, and removal of terminated accounts.
|
| PR.AA-01.01 | Identity and credential management | Mitigates | T1569 | System Services |
Comments
This diagnostic statement protects against System Services through the use of hardened access control policies, secure defaults, password complexity requirements, multifactor authentication requirements, and removal of terminated accounts.
|
| PR.AA-01.01 | Identity and credential management | Mitigates | T1569.001 | Launchctl |
Comments
This diagnostic statement protects against Launchctl through the use of hardened access control policies, secure defaults, password complexity requirements, multifactor authentication requirements, and removal of terminated accounts.
|
| PR.AA-01.01 | Identity and credential management | Mitigates | T1574 | Hijack Execution Flow |
Comments
This diagnostic statement protects against Hijack Execution Flow through the use of hardened access control policies, secure defaults, password complexity requirements, multifactor authentication requirements, and removal of terminated accounts.
|
| PR.AA-01.01 | Identity and credential management | Mitigates | T1574.005 | Executable Installer File Permissions Weakness |
Comments
This diagnostic statement protects against Executable Installer File Permissions Weakness through the use of hardened access control policies, secure defaults, password complexity requirements, multifactor authentication requirements, and removal of terminated accounts.
|
| PR.AA-01.01 | Identity and credential management | Mitigates | T1574.010 | Services File Permissions Weakness |
Comments
This diagnostic statement protects against Services File Permissions Weakness through the use of hardened access control policies, secure defaults, password complexity requirements, multifactor authentication requirements, and removal of terminated accounts.
|
| PR.AA-01.01 | Identity and credential management | Mitigates | T1574.012 | COR_PROFILER |
Comments
This diagnostic statement protects against COR_PROFILER through the use of hardened access control policies, secure defaults, password complexity requirements, multifactor authentication requirements, and removal of terminated accounts.
|
| PR.AA-01.01 | Identity and credential management | Mitigates | T1578 | Modify Cloud Compute Infrastructure |
Comments
This diagnostic statement protects against Modify Cloud Compute Infrastructure through the use of hardened access control policies, secure defaults, password complexity requirements, multifactor authentication requirements, and removal of terminated accounts.
|
| PR.AA-01.01 | Identity and credential management | Mitigates | T1578.001 | Create Snapshot |
Comments
This diagnostic statement protects against Create Snapshot through the use of hardened access control policies, secure defaults, password complexity requirements, multifactor authentication requirements, and removal of terminated accounts.
|
| PR.AA-01.01 | Identity and credential management | Mitigates | T1578.002 | Create Cloud Instance |
Comments
This diagnostic statement protects against Create Cloud Instance through the use of hardened access control policies, secure defaults, password complexity requirements, multifactor authentication requirements, and removal of terminated accounts.
|
| PR.AA-01.01 | Identity and credential management | Mitigates | T1578.003 | Delete Cloud Instance |
Comments
This diagnostic statement protects against Delete Cloud Instance through the use of hardened access control policies, secure defaults, password complexity requirements, multifactor authentication requirements, and removal of terminated accounts.
|
| PR.AA-01.01 | Identity and credential management | Mitigates | T1578.005 | Modify Cloud Compute Configurations |
Comments
This diagnostic statement protects against Modify Cloud Compute Configurations through the use of hardened access control policies, secure defaults, password complexity requirements, multifactor authentication requirements, and removal of terminated accounts.
|
| PR.AA-01.01 | Identity and credential management | Mitigates | T1580 | Cloud Infrastructure Discovery |
Comments
This diagnostic statement protects against Cloud Infrastructure Discovery through the use of hardened access control policies, secure defaults, password complexity requirements, multifactor authentication requirements, and removal of terminated accounts.
|
| PR.AA-01.01 | Identity and credential management | Mitigates | T1599 | Network Boundary Bridging |
Comments
This diagnostic statement protects against Network Boundary Bridging through the use of hardened access control policies, secure defaults, password complexity requirements, multifactor authentication requirements, and removal of terminated accounts.
|
| PR.AA-01.01 | Identity and credential management | Mitigates | T1599.001 | Network Address Translation Traversal |
Comments
This diagnostic statement protects against Network Address Translation Traversal through the use of hardened access control policies, secure defaults, password complexity requirements, multifactor authentication requirements, and removal of terminated accounts.
|
| PR.AA-01.01 | Identity and credential management | Mitigates | T1601 | Modify System Image |
Comments
This diagnostic statement protects against Modify System Image through the use of hardened access control policies, secure defaults, password complexity requirements, multifactor authentication requirements, and removal of terminated accounts.
|
| PR.AA-01.01 | Identity and credential management | Mitigates | T1601.001 | Patch System Image |
Comments
This diagnostic statement protects against Patch System Image through the use of hardened access control policies, secure defaults, password complexity requirements, multifactor authentication requirements, and removal of terminated accounts.
|
| PR.AA-01.01 | Identity and credential management | Mitigates | T1601.002 | Downgrade System Image |
Comments
This diagnostic statement protects against Downgrade System Image through the use of hardened access control policies, secure defaults, password complexity requirements, multifactor authentication requirements, and removal of terminated accounts.
|
| PR.AA-01.01 | Identity and credential management | Mitigates | T1606 | Forge Web Credentials |
Comments
This diagnostic statement protects against Forge Web Credentials through the use of hardened access control policies, secure defaults, password complexity requirements, multifactor authentication requirements, and removal of terminated accounts.
|
| PR.AA-01.01 | Identity and credential management | Mitigates | T1606.002 | SAML Tokens |
Comments
This diagnostic statement protects against SAML Tokens through the use of hardened access control policies, secure defaults, password complexity requirements, multifactor authentication requirements, and removal of terminated accounts.
|
| PR.AA-01.01 | Identity and credential management | Mitigates | T1609 | Container Administration Command |
Comments
This diagnostic statement protects against Container Administration Command through the use of hardened access control policies, secure defaults, password complexity requirements, multifactor authentication requirements, and removal of terminated accounts.
|
| PR.AA-01.01 | Identity and credential management | Mitigates | T1610 | Deploy Container |
Comments
This diagnostic statement protects against Deploy Container through the use of hardened access control policies, secure defaults, password complexity requirements, multifactor authentication requirements, and removal of terminated accounts.
|
| PR.AA-01.01 | Identity and credential management | Mitigates | T1613 | Container and Resource Discovery |
Comments
This diagnostic statement protects against Container and Resource Discovery through the use of hardened access control policies, secure defaults, password complexity requirements, multifactor authentication requirements, and removal of terminated accounts.
|
| PR.AA-01.01 | Identity and credential management | Mitigates | T1619 | Cloud Storage Object Discovery |
Comments
This diagnostic statement protects against Cloud Storage Object Discovery through the use of hardened access control policies, secure defaults, password complexity requirements, multifactor authentication requirements, and removal of terminated accounts.
|
| PR.AA-01.01 | Identity and credential management | Mitigates | T1621 | Multi-Factor Authentication Request Generation |
Comments
This diagnostic statement protects against Multi-Factor Authentication Request Generation through the use of hardened access control policies, secure defaults, password complexity requirements, multifactor authentication requirements, and removal of terminated accounts.
|
| PR.AA-01.01 | Identity and credential management | Mitigates | T1648 | Serverless Execution |
Comments
This diagnostic statement protects against Serverless Execution through the use of hardened access control policies, secure defaults, password complexity requirements, multifactor authentication requirements, and removal of terminated accounts.
|
| PR.AA-01.01 | Identity and credential management | Mitigates | T1649 | Steal or Forge Authentication Certificates |
Comments
This diagnostic statement protects against Steal or Forge Authentication Certificates through the use of hardened access control policies, secure defaults, password complexity requirements, multifactor authentication requirements, and removal of terminated accounts.
|
| PR.AA-01.01 | Identity and credential management | Mitigates | T1654 | Log Enumeration |
Comments
This diagnostic statement protects against Log Enumeration through the use of hardened access control policies, secure defaults, password complexity requirements, multifactor authentication requirements, and removal of terminated accounts.
|
| PR.AA-01.01 | Identity and credential management | Mitigates | T1657 | Financial Theft |
Comments
This diagnostic statement protects against Financial Theft through the use of hardened access control policies, secure defaults, password complexity requirements, multifactor authentication requirements, and removal of terminated accounts.
|
| PR.AA-01.01 | Identity and credential management | Mitigates | T1666 | Modify Cloud Resource Hierarchy |
Comments
This diagnostic statement protects against Modify Cloud Resource Hierarchy through the use of hardened access control policies, secure defaults, password complexity requirements, multifactor authentication requirements, and removal of terminated accounts.
|
| PR.PS-01.05 | Encryption standards | Mitigates | T1098.004 | SSH Authorized Keys |
Comments
This diagnostic statement is associated with employing strong encryption methods to mitigate unauthorized access or theft of data that protect the confidentiality and integrity of data-at-rest, data-in-use, and data-in-transit. When it comes to cryptography and key management standards, for the SSH Authorized Keys technique, restricting user and application access to the authorized_keys file can be a mitigating factor for adversaries attempting to modify the SSH authorized_keys file to maintain persistence on a victim host. Linux distributions and macOS commonly use key-based authentication to secure the authentication process of SSH sessions for remote management.
|
| PR.PS-01.05 | Encryption standards | Mitigates | T1552 | Unsecured Credentials |
Comments
This diagnostic statement is associated with employing strong encryption methods to mitigate unauthorized access or theft of data that protect the confidentiality and integrity of data-at-rest, data-in-use, and data-in-transit. When it comes to cryptography and key management standards, for the Unsecured Credentials technique, best practice dictates that when possible, store keys on separate cryptographic hardware instead of on the local system to mitigate data theft of credentials stored in unsecure locations.
|
| PR.PS-01.05 | Encryption standards | Mitigates | T1563.001 | SSH Hijacking |
Comments
This diagnostic statement is associated with employing strong encryption methods to mitigate unauthorized access or theft of data that protect the confidentiality and integrity of data-at-rest, data-in-use, and data-in-transit. When it comes to cryptography and key management standards, for the SSH Hijacking technique, consider that SSH key pairs possess strong passwords and refrain from using key-store technologies such as ssh-agent unless they are properly protected.
|
| PR.PS-01.05 | Encryption standards | Mitigates | T1552.004 | Private Keys |
Comments
This diagnostic statement is associated with employing strong encryption methods to mitigate unauthorized access or theft of data that protect the confidentiality and integrity of data-at-rest, data-in-use, and data-in-transit. When it comes to cryptography and key management standard as it applies to the Private Keys technique, when possible, consider storing keys on separate cryptographic hardware instead of on the local system. For example, on Windows systems use a TPM to secure keys and other sensitive credential material.
|
| PR.PS-01.05 | Encryption standards | Mitigates | T1558.004 | AS-REP Roasting |
Comments
This diagnostic statement is associated with employing strong encryption methods to mitigate unauthorized access or theft of data that protect the confidentiality and integrity of data-at-rest, data-in-use, and data-in-transit. To address threats to the theft or forgery of kerberos tickets through AS-REP Roasting, enable AES Kerberos encryption (or another stronger encryption algorithm), rather than RC4, where possible.
|
| PR.PS-01.05 | Encryption standards | Mitigates | T1558.003 | Kerberoasting |
Comments
This diagnostic statement is associated with employing strong encryption methods to mitigate unauthorized access or theft of data that protect the confidentiality and integrity of data-at-rest, data-in-use, and data-in-transit. To address threats to the theft or forgery of kerberos tickets with kerberoasting, enable AES Kerberos encryption (or another stronger encryption algorithm), rather than RC4, where possible.
|
| PR.PS-01.05 | Encryption standards | Mitigates | T1558.002 | Silver Ticket |
Comments
This diagnostic statement is associated with employing strong encryption methods to mitigate unauthorized access or theft of data that protect the confidentiality and integrity of data-at-rest, data-in-use, and data-in-transit. To address threats to the theft or forgery of kerberos tickets with silver tickets, enable AES Kerberos encryption (or another stronger encryption algorithm), rather than RC4, where possible.
|
| PR.PS-01.05 | Encryption standards | Mitigates | T1649 | Steal or Forge Authentication Certificates |
Comments
This diagnostic statement is associated with employing strong encryption methods to mitigate unauthorized access or theft of data that protect the confidentiality and integrity of data-at-rest, data-in-use, and data-in-transit. To address threats to the theft or forgery of authentication certificates, ensure certificates as well as associated private keys are appropriately secured.
|
| PR.PS-01.05 | Encryption standards | Mitigates | T1558 | Steal or Forge Kerberos Tickets |
Comments
This diagnostic statement is associated with employing strong encryption methods to mitigate unauthorized access or theft of data that protect the confidentiality and integrity of data-at-rest, data-in-use, and data-in-transit. To address threats to the theft or forgery of kerberos tickets, enable AES Kerberos encryption (or another stronger encryption algorithm), rather than RC4, where possible.
|
| PR.PS-01.05 | Encryption standards | Mitigates | T1040 | Network Sniffing |
Comments
This diagnostic statement is associated with employing strong encryption methods to mitigate unauthorized access or theft of data that protect the confidentiality and integrity of data-at-rest, data-in-use, and data-in-transit. To address threats of network sniffing, ensure that all wired and/or wireless traffic is encrypted appropriately. Use best practices for authentication protocols, such as Kerberos, and ensure web traffic that may contain credentials is protected by SSL/TLS.
|
| PR.PS-01.05 | Encryption standards | Mitigates | T1070.002 | Clear Linux or Mac System Logs |
Comments
This diagnostic statement is associated with employing strong encryption methods to mitigate unauthorized access or theft of data that protect the confidentiality and integrity of data-at-rest, data-in-use, and data-in-transit. To address threats to the removal of Linux or Mac System Logs, obfuscate/encrypt event files locally and in transit to avoid giving feedback to an adversary.
|
| PR.PS-01.05 | Encryption standards | Mitigates | T1070.001 | Clear Windows Event Logs |
Comments
This diagnostic statement is associated with employing strong encryption methods to mitigate unauthorized access or theft of data that protect the confidentiality and integrity of data-at-rest, data-in-use, and data-in-transit. To address threats to windows event logs removal techniques, obfuscate/encrypt event files locally and in transit to avoid giving feedback to an adversary.
|
| PR.PS-01.05 | Encryption standards | Mitigates | T1070 | Indicator Removal |
Comments
This diagnostic statement is associated with employing strong encryption methods to mitigate unauthorized access or theft of data that protect the confidentiality and integrity of data-at-rest, data-in-use, and data-in-transit. To address threats to indicator removal techniques, obfuscate/encrypt event files locally and in transit to avoid giving feedback to an adversary.
|
| PR.PS-01.05 | Encryption standards | Mitigates | T1114.001 | Local Email Collection |
Comments
This diagnostic statement is associated with employing strong encryption methods to mitigate unauthorized access or theft of data that protect the confidentiality and integrity of data-at-rest, data-in-use, and data-in-transit. To address threats to email collection, the use of encryption provides an added layer of security to sensitive information sent over email. Encryption using public key cryptography requires the adversary to obtain the private certificate along with an encryption key to decrypt messages. File encryption should be enforced across email communications containing sensitive information that may be obtained through access to email services.
|
| PR.PS-01.05 | Encryption standards | Mitigates | T1114.002 | Remote Email Collection |
Comments
This diagnostic statement is associated with employing strong encryption methods to mitigate unauthorized access or theft of data that protect the confidentiality and integrity of data-at-rest, data-in-use, and data-in-transit. To address threats to email collection, the use of encryption provides an added layer of security to sensitive information sent over email. Encryption using public key cryptography requires the adversary to obtain the private certificate along with an encryption key to decrypt messages. File encryption should be enforced across email communications containing sensitive information that may be obtained through access to email services.
|
| PR.PS-01.05 | Encryption standards | Mitigates | T1114 | Email Collection |
Comments
This diagnostic statement is associated with employing strong encryption methods to mitigate unauthorized access or theft of data that protect the confidentiality and integrity of data-at-rest, data-in-use, and data-in-transit. To address threats to email collection, the use of encryption provides an added layer of security to sensitive information sent over email. Encryption using public key cryptography requires the adversary to obtain the private certificate along with an encryption key to decrypt messages.
|
| PR.PS-01.05 | Encryption standards | Mitigates | T1565.002 | Transmitted Data Manipulation |
Comments
This diagnostic statement is associated with employing strong encryption methods to mitigate unauthorized access or theft of data that protect the confidentiality and integrity of data-at-rest, data-in-use, and data-in-transit. To address threats to transmitted data manipulation, encrypt all important data flows to reduce the impact of tailored modifications on data in transit.
|
| PR.PS-01.05 | Encryption standards | Mitigates | T1565.001 | Stored Data Manipulation |
Comments
This diagnostic statement is associated with employing strong encryption methods to mitigate unauthorized access or theft of data that protect the confidentiality and integrity of data-at-rest, data-in-use, and data-in-transit. To address threats to stored data manipulation, consider encrypting important information to reduce an adversary’s ability to perform tailored data modifications.
|
| PR.PS-01.05 | Encryption standards | Mitigates | T1565 | Data Manipulation |
Comments
This diagnostic statement is associated with employing strong encryption methods to mitigate unauthorized access or theft of data that protect the confidentiality and integrity of data-at-rest, data-in-use, and data-in-transit. To address threats to data manipulation, consider encrypting important information to reduce an adversary’s ability to perform tailored data modifications.
|
| PR.PS-01.05 | Encryption standards | Mitigates | T1213 | Data from Information Repositories |
Comments
This diagnostic statement is associated with employing strong encryption methods to mitigate unauthorized access or theft of data that protect the confidentiality and integrity of data-at-rest, data-in-use, and data-in-transit. To address threats to data from information repositories, encrypt data stored at rest in databases.
|
| PR.PS-01.05 | Encryption standards | Mitigates | T1602.002 | Network Device Configuration Dump |
Comments
This diagnostic statement is associated with employing strong encryption methods to mitigate unauthorized access or theft of data that protect the confidentiality and integrity of data-at-rest, data-in-use, and data-in-transit. To address threats of Network Device Configuration Dump, configure SNMPv3 to use the highest level of security (authPriv) available.
|
| PR.PS-01.05 | Encryption standards | Mitigates | T1602.001 | SNMP (MIB Dump) |
Comments
This diagnostic statement is associated with employing strong encryption methods to mitigate unauthorized access or theft of data that protect the confidentiality and integrity of data-at-rest, data-in-use, and data-in-transit. To address threats of SNMP (MIB Dump), configure SNMPv3 to use the highest level of security (authPriv) available.
|
| PR.PS-01.05 | Encryption standards | Mitigates | T1602 | Data from Configuration Repository |
Comments
This diagnostic statement is associated with employing strong encryption methods to mitigate unauthorized access or theft of data that protect the confidentiality and integrity of data-at-rest, data-in-use, and data-in-transit. To address threats of data collection from configuration repository, configure SNMPv3 to use the highest level of security (authPriv) available.
|
| PR.PS-01.05 | Encryption standards | Mitigates | T1530 | Data from Cloud Storage |
Comments
This diagnostic statement is associated with employing strong encryption methods to mitigate unauthorized access or theft of data that protect the confidentiality and integrity of data-at-rest, data-in-use, and data-in-transit. To address data collection from cloud storage, encrypt data stored at rest in cloud storage. Managed encryption keys can be rotated by most providers. At a minimum, ensure an incident response plan to storage breach includes rotating the keys and test for impact on client applications.
|
| PR.PS-01.05 | Encryption standards | Mitigates | T1659 | Content Injection |
Comments
This diagnostic statement is associated with employing strong encryption methods to mitigate unauthorized access or theft of data that protect the confidentiality and integrity of data-at-rest, data-in-use, and data-in-transit. To address Content Injection threats, ensure that all wired and wireless traffic is encrypted appropriately, employs best practices for authentication protocols such as Kerberos, and protects web traffic containing credentials using SSL/TLS.
|
| PR.PS-01.05 | Encryption standards | Mitigates | T1020.001 | Traffic Duplication |
Comments
This diagnostic statement is associated with employing strong encryption methods to mitigate unauthorized access or theft of data that protect the confidentiality and integrity of data-at-rest, data-in-use, and data-in-transit. To address Automated Exfiltration: Traffic Duplication threats, ensure that all wired and wireless traffic is encrypted appropriately, employs best practices for authentication protocols such as Kerberos, and protects web traffic containing credentials using SSL/TLS.
|
| PR.PS-01.05 | Encryption standards | Mitigates | T1557.002 | ARP Cache Poisoning |
Comments
This diagnostic statement is associated with employing strong encryption methods to mitigate unauthorized access or theft of data that protect the confidentiality and integrity of data-at-rest, data-in-use, and data-in-transit. To address ARP Cache Poisoning, ensure that all wired and wireless traffic is encrypted appropriately, employs best practices for authentication protocols such as Kerberos, and protects web traffic containing credentials using SSL/TLS.
|
| PR.PS-01.05 | Encryption standards | Mitigates | T1557 | Adversary-in-the-Middle |
Comments
This diagnostic statement is associated with employing strong encryption methods to mitigate unauthorized access or theft of data that protect the confidentiality and integrity of data-at-rest, data-in-use, and data-in-transit. To address adversary-in-the-middle threats, the organization ensures that all wired and wireless traffic is encrypted appropriately, employs best practices for authentication protocols such as Kerberos, and protects web traffic containing credentials using SSL/TLS.
|
| PR.PS-01.08 | End-user device protection | Mitigates | T1021 | Remote Services |
Comments
This diagnostic statement protects against Remote Services through the use of limiting access to resources to only authorized devices, management of personal computing devices, network intrusion prevention, and the use of antimalware.
|
| PR.PS-01.08 | End-user device protection | Mitigates | T1021.001 | Remote Desktop Protocol |
Comments
This diagnostic statement protects against Remote Desktop Protocol through the use of limiting access to resources to only authorized devices, management of personal computing devices, network intrusion prevention, and the use of antimalware.
|
| PR.PS-01.08 | End-user device protection | Mitigates | T1021.002 | SMB/Windows Admin Shares |
Comments
This diagnostic statement protects against SMB/Windows Admin Shares through the use of limiting access to resources to only authorized devices, management of personal computing devices, network intrusion prevention, and the use of antimalware.
|
| PR.PS-01.08 | End-user device protection | Mitigates | T1021.005 | VNC |
Comments
This diagnostic statement protects against VNC through the use of limiting access to resources to only authorized devices, management of personal computing devices, network intrusion prevention, and the use of antimalware.
|
| PR.PS-01.08 | End-user device protection | Mitigates | T1027 | Obfuscated Files or Information |
Comments
This diagnostic statement protects against Obfuscated Files or Information through the use of limiting access to resources to only authorized devices, management of personal computing devices, network intrusion prevention, and the use of antimalware.
|
| PR.PS-01.08 | End-user device protection | Mitigates | T1027.002 | Software Packing |
Comments
This diagnostic statement protects against Software Packing through the use of limiting access to resources to only authorized devices, management of personal computing devices, network intrusion prevention, and the use of antimalware.
|
| PR.PS-01.08 | End-user device protection | Mitigates | T1027.009 | Embedded Payloads |
Comments
This diagnostic statement protects against Embedded Payloads through the use of limiting access to resources to only authorized devices, management of personal computing devices, network intrusion prevention, and the use of antimalware.
|
| PR.PS-01.08 | End-user device protection | Mitigates | T1027.010 | Command Obfuscation |
Comments
This diagnostic statement protects against Command Obfuscation through the use of limiting access to resources to only authorized devices, management of personal computing devices, network intrusion prevention, and the use of antimalware.
|
| PR.PS-01.08 | End-user device protection | Mitigates | T1027.012 | LNK Icon Smuggling |
Comments
This diagnostic statement protects against LNK Icon Smuggling through the use of limiting access to resources to only authorized devices, management of personal computing devices, network intrusion prevention, and the use of antimalware.
|
| PR.PS-01.08 | End-user device protection | Mitigates | T1027.013 | Encrypted/Encoded File |
Comments
This diagnostic statement protects against Encrypted/Encoded File through the use of limiting access to resources to only authorized devices, management of personal computing devices, network intrusion prevention, and the use of antimalware.
|
| PR.PS-01.08 | End-user device protection | Mitigates | T1027.014 | Polymorphic Code |
Comments
This diagnostic statement protects against Polymorphic Code through the use of limiting access to resources to only authorized devices, management of personal computing devices, network intrusion prevention, and the use of antimalware.
|
| PR.PS-01.08 | End-user device protection | Mitigates | T1036 | Masquerading |
Comments
This diagnostic statement protects against Masquerading through the use of limiting access to resources to only authorized devices, management of personal computing devices, network intrusion prevention, and the use of antimalware.
|
| PR.PS-01.08 | End-user device protection | Mitigates | T1036.008 | Masquerade File Type |
Comments
This diagnostic statement protects against Masquerade File Type through the use of limiting access to resources to only authorized devices, management of personal computing devices, network intrusion prevention, and the use of antimalware.
|
| PR.PS-01.08 | End-user device protection | Mitigates | T1048 | Exfiltration Over Alternative Protocol |
Comments
This diagnostic statement protects against Exfiltration Over Alternative Protocol through the use of limiting access to resources to only authorized devices, management of personal computing devices, network intrusion prevention, and the use of antimalware.
|
| PR.PS-01.08 | End-user device protection | Mitigates | T1048.001 | Exfiltration Over Symmetric Encrypted Non-C2 Protocol |
Comments
This diagnostic statement protects against Exfiltration Over Symmetric Encrypted Non-C2 Protocol through the use of limiting access to resources to only authorized devices, management of personal computing devices, network intrusion prevention, and the use of antimalware.
|
| PR.PS-01.08 | End-user device protection | Mitigates | T1048.002 | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol |
Comments
This diagnostic statement protects against Exfiltration Over Asymmetric Encrypted Non-C2 Protocol through the use of limiting access to resources to only authorized devices, management of personal computing devices, network intrusion prevention, and the use of antimalware.
|
| PR.PS-01.08 | End-user device protection | Mitigates | T1048.003 | Exfiltration Over Unencrypted Non-C2 Protocol |
Comments
This diagnostic statement protects against Exfiltration Over Unencrypted Non-C2 Protocol through the use of limiting access to resources to only authorized devices, management of personal computing devices, network intrusion prevention, and the use of antimalware.
|
| PR.PS-01.08 | End-user device protection | Mitigates | T1052 | Exfiltration Over Physical Medium |
Comments
This diagnostic statement protects against Exfiltration Over Physical Medium through the use of limiting access to resources to only authorized devices, management of personal computing devices, network intrusion prevention, and the use of antimalware.
|
| PR.PS-01.08 | End-user device protection | Mitigates | T1052.001 | Exfiltration over USB |
Comments
This diagnostic statement protects against Exfiltration over USB through the use of limiting access to resources to only authorized devices, management of personal computing devices, network intrusion prevention, and the use of antimalware.
|
| PR.PS-01.08 | End-user device protection | Mitigates | T1059 | Command and Scripting Interpreter |
Comments
This diagnostic statement protects against Command and Scripting Interpreter through the use of limiting access to resources to only authorized devices, management of personal computing devices, network intrusion prevention, and the use of antimalware.
|
| PR.PS-01.08 | End-user device protection | Mitigates | T1059.001 | PowerShell |
Comments
This diagnostic statement protects against PowerShell through the use of limiting access to resources to only authorized devices, management of personal computing devices, network intrusion prevention, and the use of antimalware.
|
| PR.PS-01.08 | End-user device protection | Mitigates | T1059.005 | Visual Basic |
Comments
This diagnostic statement protects against Visual Basic through the use of limiting access to resources to only authorized devices, management of personal computing devices, network intrusion prevention, and the use of antimalware.
|
| PR.PS-01.08 | End-user device protection | Mitigates | T1059.006 | Python |
Comments
This diagnostic statement protects against Python through the use of limiting access to resources to only authorized devices, management of personal computing devices, network intrusion prevention, and the use of antimalware.
|
| PR.PS-01.08 | End-user device protection | Mitigates | T1071 | Application Layer Protocol |
Comments
This diagnostic statement protects against Application Layer Protocol through the use of limiting access to resources to only authorized devices, management of personal computing devices, network intrusion prevention, and the use of antimalware.
|
| PR.PS-01.08 | End-user device protection | Mitigates | T1071.004 | DNS |
Comments
This diagnostic statement protects against DNS through the use of limiting access to resources to only authorized devices, management of personal computing devices, network intrusion prevention, and the use of antimalware.
|
| PR.PS-01.08 | End-user device protection | Mitigates | T1071.005 | Publish/Subscribe Protocols |
Comments
This diagnostic statement protects against Publish/Subscribe Protocols through the use of limiting access to resources to only authorized devices, management of personal computing devices, network intrusion prevention, and the use of antimalware.
|
| PR.PS-01.08 | End-user device protection | Mitigates | T1080 | Taint Shared Content |
Comments
This diagnostic statement protects against Taint Shared Content through the use of limiting access to resources to only authorized devices, management of personal computing devices, network intrusion prevention, and the use of antimalware.
|
| PR.PS-01.08 | End-user device protection | Mitigates | T1090 | Proxy |
Comments
This diagnostic statement protects against Proxy through the use of limiting access to resources to only authorized devices, management of personal computing devices, network intrusion prevention, and the use of antimalware.
|
| PR.PS-01.08 | End-user device protection | Mitigates | T1090.003 | Multi-hop Proxy |
Comments
This diagnostic statement protects against Multi-hop Proxy through the use of limiting access to resources to only authorized devices, management of personal computing devices, network intrusion prevention, and the use of antimalware.
|
| PR.PS-01.08 | End-user device protection | Mitigates | T1091 | Replication Through Removable Media |
Comments
This diagnostic statement protects against Replication Through Removable Media through the use of limiting access to resources to only authorized devices, management of personal computing devices, network intrusion prevention, and the use of antimalware.
|
| PR.PS-01.08 | End-user device protection | Mitigates | T1095 | Non-Application Layer Protocol |
Comments
This diagnostic statement protects against Non-Application Layer Protocol through the use of limiting access to resources to only authorized devices, management of personal computing devices, network intrusion prevention, and the use of antimalware.
|
| PR.PS-01.08 | End-user device protection | Mitigates | T1133 | External Remote Services |
Comments
This diagnostic statement protects against External Remote Services through the use of limiting access to resources to only authorized devices, management of personal computing devices, network intrusion prevention, and the use of antimalware.
|
| PR.PS-01.08 | End-user device protection | Mitigates | T1187 | Forced Authentication |
Comments
This diagnostic statement protects against Forced Authentication through the use of limiting access to resources to only authorized devices, management of personal computing devices, network intrusion prevention, and the use of antimalware.
|
| PR.PS-01.08 | End-user device protection | Mitigates | T1190 | Exploit Public-Facing Application |
Comments
This diagnostic statement protects against Exploit Public-Facing Application through the use of limiting access to resources to only authorized devices, management of personal computing devices, network intrusion prevention, and the use of antimalware.
|
| PR.PS-01.08 | End-user device protection | Mitigates | T1197 | BITS Jobs |
Comments
This diagnostic statement protects against BITS Jobs through the use of limiting access to resources to only authorized devices, management of personal computing devices, network intrusion prevention, and the use of antimalware.
|
| PR.PS-01.08 | End-user device protection | Mitigates | T1200 | Hardware Additions |
Comments
This diagnostic statement protects against Hardware Additions through the use of limiting access to resources to only authorized devices, management of personal computing devices, network intrusion prevention, and the use of antimalware.
|
| PR.PS-01.08 | End-user device protection | Mitigates | T1205 | Traffic Signaling |
Comments
This diagnostic statement protects against Traffic Signaling through the use of limiting access to resources to only authorized devices, management of personal computing devices, network intrusion prevention, and the use of antimalware.
|
| PR.PS-01.08 | End-user device protection | Mitigates | T1205.001 | Port Knocking |
Comments
This diagnostic statement protects against Port Knocking through the use of limiting access to resources to only authorized devices, management of personal computing devices, network intrusion prevention, and the use of antimalware.
|
| PR.PS-01.08 | End-user device protection | Mitigates | T1205.002 | Socket Filters |
Comments
This diagnostic statement protects against Socket Filters through the use of limiting access to resources to only authorized devices, management of personal computing devices, network intrusion prevention, and the use of antimalware.
|
| PR.PS-01.08 | End-user device protection | Mitigates | T1218 | System Binary Proxy Execution |
Comments
This diagnostic statement protects against System Binary Proxy Execution through the use of limiting access to resources to only authorized devices, management of personal computing devices, network intrusion prevention, and the use of antimalware.
|
| PR.PS-01.08 | End-user device protection | Mitigates | T1218.012 | Verclsid |
Comments
This diagnostic statement protects against Verclsid through the use of limiting access to resources to only authorized devices, management of personal computing devices, network intrusion prevention, and the use of antimalware.
|
| PR.PS-01.08 | End-user device protection | Mitigates | T1219 | Remote Access Software |
Comments
This diagnostic statement protects against Remote Access Software through the use of limiting access to resources to only authorized devices, management of personal computing devices, network intrusion prevention, and the use of antimalware.
|
| PR.PS-01.08 | End-user device protection | Mitigates | T1221 | Template Injection |
Comments
This diagnostic statement protects against Template Injection through the use of limiting access to resources to only authorized devices, management of personal computing devices, network intrusion prevention, and the use of antimalware.
|
| PR.PS-01.08 | End-user device protection | Mitigates | T1498 | Network Denial of Service |
Comments
This diagnostic statement protects against Network Denial of Service through the use of limiting access to resources to only authorized devices, management of personal computing devices, network intrusion prevention, and the use of antimalware.
|
| PR.PS-01.08 | End-user device protection | Mitigates | T1498.001 | Direct Network Flood |
Comments
This diagnostic statement protects against Direct Network Flood through the use of limiting access to resources to only authorized devices, management of personal computing devices, network intrusion prevention, and the use of antimalware.
|
| PR.PS-01.08 | End-user device protection | Mitigates | T1498.002 | Reflection Amplification |
Comments
This diagnostic statement protects against Reflection Amplification through the use of limiting access to resources to only authorized devices, management of personal computing devices, network intrusion prevention, and the use of antimalware.
|
| PR.PS-01.08 | End-user device protection | Mitigates | T1499 | Endpoint Denial of Service |
Comments
This diagnostic statement protects against Endpoint Denial of Service through the use of limiting access to resources to only authorized devices, management of personal computing devices, network intrusion prevention, and the use of antimalware.
|
| PR.PS-01.08 | End-user device protection | Mitigates | T1499.001 | OS Exhaustion Flood |
Comments
This diagnostic statement protects against OS Exhaustion Flood through the use of limiting access to resources to only authorized devices, management of personal computing devices, network intrusion prevention, and the use of antimalware.
|
| PR.PS-01.08 | End-user device protection | Mitigates | T1499.002 | Service Exhaustion Flood |
Comments
This diagnostic statement protects against Service Exhaustion Flood through the use of limiting access to resources to only authorized devices, management of personal computing devices, network intrusion prevention, and the use of antimalware.
|
| PR.PS-01.08 | End-user device protection | Mitigates | T1499.003 | Application Exhaustion Flood |
Comments
This diagnostic statement protects against Application Exhaustion Flood through the use of limiting access to resources to only authorized devices, management of personal computing devices, network intrusion prevention, and the use of antimalware.
|
| PR.PS-01.08 | End-user device protection | Mitigates | T1499.004 | Application or System Exploitation |
Comments
This diagnostic statement protects against Application or System Exploitation through the use of limiting access to resources to only authorized devices, management of personal computing devices, network intrusion prevention, and the use of antimalware.
|
| PR.PS-01.08 | End-user device protection | Mitigates | T1530 | Data from Cloud Storage |
Comments
This diagnostic statement protects against Data from Cloud Storage through the use of limiting access to resources to only authorized devices, management of personal computing devices, network intrusion prevention, and the use of antimalware.
|
| PR.PS-01.08 | End-user device protection | Mitigates | T1537 | Transfer Data to Cloud Account |
Comments
This diagnostic statement protects against Transfer Data to Cloud Account through the use of limiting access to resources to only authorized devices, management of personal computing devices, network intrusion prevention, and the use of antimalware.
|
| PR.PS-01.08 | End-user device protection | Mitigates | T1542 | Pre-OS Boot |
Comments
This diagnostic statement protects against Pre-OS Boot through the use of limiting access to resources to only authorized devices, management of personal computing devices, network intrusion prevention, and the use of antimalware.
|
| PR.PS-01.08 | End-user device protection | Mitigates | T1542.005 | TFTP Boot |
Comments
This diagnostic statement protects against TFTP Boot through the use of limiting access to resources to only authorized devices, management of personal computing devices, network intrusion prevention, and the use of antimalware.
|
| PR.PS-01.08 | End-user device protection | Mitigates | T1546 | Event Triggered Execution |
Comments
This diagnostic statement protects against Event Triggered Execution through the use of limiting access to resources to only authorized devices, management of personal computing devices, network intrusion prevention, and the use of antimalware.
|
| PR.PS-01.08 | End-user device protection | Mitigates | T1546.008 | Accessibility Features |
Comments
This diagnostic statement protects against Accessibility Features through the use of limiting access to resources to only authorized devices, management of personal computing devices, network intrusion prevention, and the use of antimalware.
|
| PR.PS-01.08 | End-user device protection | Mitigates | T1547 | Boot or Logon Autostart Execution |
Comments
This diagnostic statement protects against Boot or Logon Autostart Execution through the use of limiting access to resources to only authorized devices, management of personal computing devices, network intrusion prevention, and the use of antimalware.
|
| PR.PS-01.08 | End-user device protection | Mitigates | T1547.006 | Kernel Modules and Extensions |
Comments
This diagnostic statement protects against Kernel Modules and Extensions through the use of limiting access to resources to only authorized devices, management of personal computing devices, network intrusion prevention, and the use of antimalware.
|
| PR.PS-01.08 | End-user device protection | Mitigates | T1552 | Unsecured Credentials |
Comments
This diagnostic statement protects against Unsecured Credentials through the use of limiting access to resources to only authorized devices, management of personal computing devices, network intrusion prevention, and the use of antimalware.
|
| PR.PS-01.08 | End-user device protection | Mitigates | T1552.005 | Cloud Instance Metadata API |
Comments
This diagnostic statement protects against Cloud Instance Metadata API through the use of limiting access to resources to only authorized devices, management of personal computing devices, network intrusion prevention, and the use of antimalware.
|
| PR.PS-01.08 | End-user device protection | Mitigates | T1552.007 | Container API |
Comments
This diagnostic statement protects against Container API through the use of limiting access to resources to only authorized devices, management of personal computing devices, network intrusion prevention, and the use of antimalware.
|
| PR.PS-01.08 | End-user device protection | Mitigates | T1557 | Adversary-in-the-Middle |
Comments
This diagnostic statement protects against Adversary-in-the-Middle through the use of limiting access to resources to only authorized devices, management of personal computing devices, network intrusion prevention, and the use of antimalware.
|
| PR.PS-01.08 | End-user device protection | Mitigates | T1557.001 | LLMNR/NBT-NS Poisoning and SMB Relay |
Comments
This diagnostic statement protects against LLMNR/NBT-NS Poisoning and SMB Relay through the use of limiting access to resources to only authorized devices, management of personal computing devices, network intrusion prevention, and the use of antimalware.
|
| PR.PS-01.08 | End-user device protection | Mitigates | T1557.002 | ARP Cache Poisoning |
Comments
This diagnostic statement protects against ARP Cache Poisoning through the use of limiting access to resources to only authorized devices, management of personal computing devices, network intrusion prevention, and the use of antimalware.
|
| PR.PS-01.08 | End-user device protection | Mitigates | T1557.003 | DHCP Spoofing |
Comments
This diagnostic statement protects against DHCP Spoofing through the use of limiting access to resources to only authorized devices, management of personal computing devices, network intrusion prevention, and the use of antimalware.
|
| PR.PS-01.08 | End-user device protection | Mitigates | T1563 | Remote Service Session Hijacking |
Comments
This diagnostic statement protects against Remote Service Session Hijacking through the use of limiting access to resources to only authorized devices, management of personal computing devices, network intrusion prevention, and the use of antimalware.
|
| PR.PS-01.08 | End-user device protection | Mitigates | T1563.002 | RDP Hijacking |
Comments
This diagnostic statement protects against RDP Hijacking through the use of limiting access to resources to only authorized devices, management of personal computing devices, network intrusion prevention, and the use of antimalware.
|
| PR.PS-01.08 | End-user device protection | Mitigates | T1564 | Hide Artifacts |
Comments
This diagnostic statement protects against Hide Artifacts through the use of limiting access to resources to only authorized devices, management of personal computing devices, network intrusion prevention, and the use of antimalware.
|
| PR.PS-01.08 | End-user device protection | Mitigates | T1564.012 | File/Path Exclusions |
Comments
This diagnostic statement protects against File/Path Exclusions through the use of limiting access to resources to only authorized devices, management of personal computing devices, network intrusion prevention, and the use of antimalware.
|
| PR.PS-01.08 | End-user device protection | Mitigates | T1566.001 | Spearphishing Attachment |
Comments
This diagnostic statement protects against Spearphishing Attachment through the use of limiting access to resources to only authorized devices, management of personal computing devices, network intrusion prevention, and the use of antimalware.
|
| PR.PS-01.08 | End-user device protection | Mitigates | T1566.003 | Spearphishing via Service |
Comments
This diagnostic statement protects against Spearphishing via Service through the use of limiting access to resources to only authorized devices, management of personal computing devices, network intrusion prevention, and the use of antimalware.
|
| PR.PS-01.08 | End-user device protection | Mitigates | T1570 | Lateral Tool Transfer |
Comments
This diagnostic statement protects against Lateral Tool Transfer through the use of limiting access to resources to only authorized devices, management of personal computing devices, network intrusion prevention, and the use of antimalware.
|
| PR.PS-01.08 | End-user device protection | Mitigates | T1572 | Protocol Tunneling |
Comments
This diagnostic statement protects against Protocol Tunneling through the use of limiting access to resources to only authorized devices, management of personal computing devices, network intrusion prevention, and the use of antimalware.
|
| PR.PS-01.08 | End-user device protection | Mitigates | T1599 | Network Boundary Bridging |
Comments
This diagnostic statement protects against Network Boundary Bridging through the use of limiting access to resources to only authorized devices, management of personal computing devices, network intrusion prevention, and the use of antimalware.
|
| PR.PS-01.08 | End-user device protection | Mitigates | T1599.001 | Network Address Translation Traversal |
Comments
This diagnostic statement protects against Network Address Translation Traversal through the use of limiting access to resources to only authorized devices, management of personal computing devices, network intrusion prevention, and the use of antimalware.
|
| PR.PS-01.08 | End-user device protection | Mitigates | T1602 | Data from Configuration Repository |
Comments
This diagnostic statement protects against Data from Configuration Repository through the use of limiting access to resources to only authorized devices, management of personal computing devices, network intrusion prevention, and the use of antimalware.
|
| PR.PS-01.08 | End-user device protection | Mitigates | T1602.001 | SNMP (MIB Dump) |
Comments
This diagnostic statement protects against SNMP (MIB Dump) through the use of limiting access to resources to only authorized devices, management of personal computing devices, network intrusion prevention, and the use of antimalware.
|
| PR.PS-01.08 | End-user device protection | Mitigates | T1602.002 | Network Device Configuration Dump |
Comments
This diagnostic statement protects against Network Device Configuration Dump through the use of limiting access to resources to only authorized devices, management of personal computing devices, network intrusion prevention, and the use of antimalware.
|
| PR.PS-01.08 | End-user device protection | Mitigates | T1609 | Container Administration Command |
Comments
This diagnostic statement protects against Container Administration Command through the use of limiting access to resources to only authorized devices, management of personal computing devices, network intrusion prevention, and the use of antimalware.
|
| PR.PS-01.08 | End-user device protection | Mitigates | T1610 | Deploy Container |
Comments
This diagnostic statement protects against Deploy Container through the use of limiting access to resources to only authorized devices, management of personal computing devices, network intrusion prevention, and the use of antimalware.
|
| PR.PS-01.08 | End-user device protection | Mitigates | T1612 | Build Image on Host |
Comments
This diagnostic statement protects against Build Image on Host through the use of limiting access to resources to only authorized devices, management of personal computing devices, network intrusion prevention, and the use of antimalware.
|
| PR.PS-01.08 | End-user device protection | Mitigates | T1613 | Container and Resource Discovery |
Comments
This diagnostic statement protects against Container and Resource Discovery through the use of limiting access to resources to only authorized devices, management of personal computing devices, network intrusion prevention, and the use of antimalware.
|
| PR.PS-06.07 | Development and operational process alignment | Mitigates | T1212 | Exploitation for Credential Access |
Comments
This diagnostic statement protects against Exploitation for Credential Access through the use of DevSecOps, secure development lifecycle, and application developer guidance. Exploitable weaknesses can be mitigated through secure code, reduced vulnerabilities, and secure design principles.
|
| PR.PS-06.07 | Development and operational process alignment | Mitigates | T1564 | Hide Artifacts |
Comments
This diagnostic statement protects against Hide Artifacts through the use of DevSecOps, secure development lifecycle, and application developer guidance. Exploitable weaknesses can be mitigated through secure code, reduced vulnerabilities, and secure design principles.
|
| PR.PS-06.07 | Development and operational process alignment | Mitigates | T1564.009 | Resource Forking |
Comments
This diagnostic statement protects against Resource Forking through the use of DevSecOps, secure development lifecycle, and application developer guidance. Exploitable weaknesses can be mitigated through secure code, reduced vulnerabilities, and secure design principles.
|
| PR.PS-06.07 | Development and operational process alignment | Mitigates | T1564.012 | File/Path Exclusions |
Comments
This diagnostic statement protects against File/Path Exclusions through the use of DevSecOps, secure development lifecycle, and application developer guidance. Exploitable weaknesses can be mitigated through secure code, reduced vulnerabilities, and secure design principles.
|
| PR.PS-06.07 | Development and operational process alignment | Mitigates | T1574 | Hijack Execution Flow |
Comments
This diagnostic statement protects against Hijack Execution Flow through the use of DevSecOps, secure development lifecycle, and application developer guidance. Exploitable weaknesses can be mitigated through secure code, reduced vulnerabilities, and secure design principles.
|
| PR.PS-06.07 | Development and operational process alignment | Mitigates | T1574.001 | DLL Search Order Hijacking |
Comments
This diagnostic statement protects against DLL Search Order Hijacking through the use of DevSecOps, secure development lifecycle, and application developer guidance. Exploitable weaknesses can be mitigated through secure code, reduced vulnerabilities, and secure design principles.
|
| PR.PS-06.07 | Development and operational process alignment | Mitigates | T1559 | Inter-Process Communication |
Comments
This diagnostic statement protects against Inter-Process Communication through the use of DevSecOps, secure development lifecycle, and application developer guidance. Exploitable weaknesses can be mitigated through secure code, reduced vulnerabilities, and secure design principles.
|
| PR.PS-06.07 | Development and operational process alignment | Mitigates | T1559.003 | XPC Services |
Comments
This diagnostic statement protects against XPC Services through the use of DevSecOps, secure development lifecycle, and application developer guidance. Exploitable weaknesses can be mitigated through secure code, reduced vulnerabilities, and secure design principles.
|
| PR.PS-06.07 | Development and operational process alignment | Mitigates | T1647 | Plist File Modification |
Comments
This diagnostic statement protects against Plist File Modification through the use of DevSecOps, secure development lifecycle, and application developer guidance. Exploitable weaknesses can be mitigated through secure code, reduced vulnerabilities, and secure design principles.
|
| PR.PS-06.07 | Development and operational process alignment | Mitigates | T1496 | Resource Hijacking |
Comments
This diagnostic statement protects against Resource Hijacking through the use of DevSecOps, secure development lifecycle, and application developer guidance. Exploitable weaknesses can be mitigated through secure code, reduced vulnerabilities, and secure design principles.
|
| PR.PS-06.07 | Development and operational process alignment | Mitigates | T1496.003 | SMS Pumping |
Comments
This diagnostic statement protects against SMS Pumping through the use of DevSecOps, secure development lifecycle, and application developer guidance. Exploitable weaknesses can be mitigated through secure code, reduced vulnerabilities, and secure design principles.
|
| PR.PS-06.07 | Development and operational process alignment | Mitigates | T1593 | Search Open Websites/Domains |
Comments
This diagnostic statement protects against Search Open Websites/Domains through the use of DevSecOps, secure development lifecycle, and application developer guidance. Exploitable weaknesses can be mitigated through secure code, reduced vulnerabilities, and secure design principles.
|
| PR.PS-06.07 | Development and operational process alignment | Mitigates | T1593.003 | Code Repositories |
Comments
This diagnostic statement protects against Code Repositories through the use of DevSecOps, secure development lifecycle, and application developer guidance. Exploitable weaknesses can be mitigated through secure code, reduced vulnerabilities, and secure design principles.
|
| PR.PS-06.07 | Development and operational process alignment | Mitigates | T1195 | Supply Chain Compromise |
Comments
This diagnostic statement protects against Supply Chain Compromise through the use of DevSecOps, secure development lifecycle, and application developer guidance. Exploitable weaknesses can be mitigated through secure code, reduced vulnerabilities, and secure design principles.
|
| PR.PS-06.07 | Development and operational process alignment | Mitigates | T1195.001 | Compromise Software Dependencies and Development Tools |
Comments
This diagnostic statement protects against Compromise Software Dependencies and Development Tools through the use of DevSecOps, secure development lifecycle, and application developer guidance. Exploitable weaknesses can be mitigated through secure code, reduced vulnerabilities, and secure design principles.
|
| PR.PS-06.07 | Development and operational process alignment | Mitigates | T1550 | Use Alternate Authentication Material |
Comments
This diagnostic statement protects against Use Alternate Authentication Material through the use of DevSecOps, secure development lifecycle, and application developer guidance. Exploitable weaknesses can be mitigated through secure code, reduced vulnerabilities, and secure design principles.
|
| PR.PS-06.07 | Development and operational process alignment | Mitigates | T1550.001 | Application Access Token |
Comments
This diagnostic statement protects against Application Access Token through the use of DevSecOps, secure development lifecycle, and application developer guidance. Exploitable weaknesses can be mitigated through secure code, reduced vulnerabilities, and secure design principles.
|
| PR.PS-06.07 | Development and operational process alignment | Mitigates | T1078 | Valid Accounts |
Comments
This diagnostic statement protects against Valid Accounts through the use of DevSecOps, secure development lifecycle, and application developer guidance. Exploitable weaknesses can be mitigated through secure code, reduced vulnerabilities, and secure design principles.
|
