CRI Profile Protect: Identity Management, Authentication, Access Control Capability Group

This diagnostic statement describes security controls implemented for service accounts (i.e., accounts used by systems to access other systems). Limit service accounts to minimal required privileges to mitigate attempts to steal or forge Kerberos tickets.

This diagnostic statement is for the implementation of security controls for service accounts (i.e., accounts used by systems to access other systems), such as granting service accounts only the minimum necessary permissions.

This diagnostic statement is for the implementation of security controls for service accounts (i.e., accounts used by systems to access other systems), such as granting service accounts only the minimum necessary permissions.

This diagnostic statement is for the implementation of security controls for service accounts (i.e., accounts used by systems to access other systems). Set service account access restrictions to grant only the minimum necessary permissions to mitigate abuse of inter-process communication (IPC) mechanisms.

This diagnostic statement is for the implementation of security controls for service accounts (i.e., accounts used by systems to access other systems). Minimize service account permissions and access for the service to mitigate exploitation via remote services that use service accounts.

This diagnostic statement is for the implementation of security controls for service accounts (i.e., accounts used by systems to access other systems). Minimize service account permissions and access for the service to mitigate exploitation via cloud services service accounts.

This diagnostic statement is for the implementation of security controls for service accounts (i.e., accounts used by systems to access other systems). Block the SMB/Windows Admin Shares service account to mitigate exploitation.

This diagnostic statement is for the implementation of security controls for service accounts (i.e., accounts used by systems to access other systems). Minimize service account permissions and access for the service to mitigate exploitation via the WinRM service account.

This diagnostic statement is for the implementation of security controls for service accounts (i.e., accounts used by systems to access other systems). Use least privilege for service accounts to limit what permissions the exploited process gets on the rest of the system.

This diagnostic statement is for the implementation of security controls for service accounts (i.e., accounts used by systems to access other systems). Restrict administrative privileges to mitigate this technique.

This diagnostic statement includes implementation of controls for third-party access to an organization’s systems. Conditional access policies can be used to block logins from non-compliant devices or from outside defined IP ranges.

This diagnostic statement includes implementation of controls for third-party access to an organization’s systems. Enforcing third-party account use policies to include account lockout policies after a certain number of failed login attempts mitigates the risk of brute-force attacks.

This diagnostic statement includes implementation of controls for third-party access to an organization’s systems. Enforcing third-party account use policies to include account lockout policies after a certain number of failed login attempts mitigates the risk of brute-force attacks.

This diagnostic statement includes implementation of controls for third-party access to an organization’s systems. Enforcing third-party account use policies to include account lockout policies after a certain number of failed login attempts mitigates the risk of brute-force attacks.

This diagnostic statement protects against DCSync through the use of privileged account management and the use of multi-factor authentication.

This diagnostic statement protects against Proc Filesystem through the use of privileged account management and the use of multi-factor authentication.

This diagnostic statement protects against /etc/passwd and /etc/shadow through the use of privileged account management and the use of multi-factor authentication.

This diagnostic statement protects against Remote Services through the use of privileged account management and the use of multi-factor authentication.

This diagnostic statement protects against Remote Desktop Protocol through the use of privileged account management and the use of multi-factor authentication.

This diagnostic statement protects against SMB/Windows Admin Shares through the use of privileged account management and the use of multi-factor authentication.

This diagnostic statement protects against Distributed Component Object Model through the use of privileged account management and the use of multi-factor authentication.

This diagnostic statement protects against SSH through the use of privileged account management and the use of multi-factor authentication.

This diagnostic statement protects against Windows Remote Management through the use of privileged account management and the use of multi-factor authentication.

This diagnostic statement protects against Cloud Services through the use of privileged account management and the use of multi-factor authentication.

This diagnostic statement protects against Network Sniffing through the use of privileged account management and the use of multi-factor authentication.

This diagnostic statement protects against Windows Management Instrumentation through the use of privileged account management and the use of multi-factor authentication.

This diagnostic statement protects against Scheduled Task/Job through the use of privileged account management and the use of multi-factor authentication.

This diagnostic statement protects against At through the use of privileged account management and the use of multi-factor authentication.

This diagnostic statement protects against Scheduled Task through the use of privileged account management and the use of multi-factor authentication.

This diagnostic statement protects against Systemd Timers through the use of privileged account management and the use of multi-factor authentication.

This diagnostic statement protects against Container Orchestration Job through the use of privileged account management and the use of multi-factor authentication.

This diagnostic statement protects against Process Injection through the use of privileged account management and the use of multi-factor authentication.

This diagnostic statement protects against Ptrace System Calls through the use of privileged account management and the use of multi-factor authentication.

This diagnostic statement protects against Input Capture through the use of privileged account management and the use of multi-factor authentication.

This diagnostic statement protects against Web Portal Capture through the use of privileged account management and the use of multi-factor authentication.

This diagnostic statement protects against Command and Scripting Interpreter through the use of privileged account management and the use of multi-factor authentication.

This diagnostic statement protects against PowerShell through the use of privileged account management and the use of multi-factor authentication.

This diagnostic statement protects against Network Device CLI through the use of privileged account management and the use of multi-factor authentication.

This diagnostic statement protects against Cloud API through the use of privileged account management and the use of multi-factor authentication.

This diagnostic statement protects against Software Deployment Tools through the use of privileged account management and the use of multi-factor authentication.

This diagnostic statement protects against Valid Accounts through the use of privileged account management and the use of multi-factor authentication.

This diagnostic statement protects against Default Accounts through the use of privileged account management and the use of multi-factor authentication.

This diagnostic statement protects against Domain Accounts through the use of privileged account management and the use of multi-factor authentication.

This diagnostic statement protects against Local Accounts through the use of privileged account management and the use of multi-factor authentication.

This diagnostic statement protects against Cloud Accounts through the use of privileged account management and the use of multi-factor authentication.

This diagnostic statement protects against Account Manipulation through the use of privileged account management and the use of multi-factor authentication.

This diagnostic statement protects against Additional Cloud Credentials through the use of privileged account management and the use of multi-factor authentication.

This diagnostic statement protects against Additional Email Delegate Permissions through the use of privileged account management and the use of multi-factor authentication.

This diagnostic statement protects against Additional Cloud Roles through the use of privileged account management and the use of multi-factor authentication.

This diagnostic statement protects against Device Registration through the use of privileged account management and the use of multi-factor authentication.

This diagnostic statement protects against Additional Container Cluster Roles through the use of privileged account management and the use of multi-factor authentication.

This diagnostic statement protects against Brute Force through the use of privileged account management and the use of multi-factor authentication.

This diagnostic statement protects against Password Guessing through the use of privileged account management and the use of multi-factor authentication.

This diagnostic statement protects against Password Cracking through the use of privileged account management and the use of multi-factor authentication.

This diagnostic statement protects against Password Spraying through the use of privileged account management and the use of multi-factor authentication.

This diagnostic statement protects against Credential Stuffing through the use of privileged account management and the use of multi-factor authentication.

This diagnostic statement protects against Email Collection through the use of privileged account management and the use of multi-factor authentication.

This diagnostic statement protects against Remote Email Collection through the use of privileged account management and the use of multi-factor authentication.

This diagnostic statement protects against External Remote Services through the use of privileged account management and the use of multi-factor authentication.

This diagnostic statement protects against Access Token Manipulation through the use of privileged account management and the use of multi-factor authentication.

This diagnostic statement protects against Token Impersonation/Theft through the use of privileged account management and the use of multi-factor authentication.

This diagnostic statement protects against Create Process with Token through the use of privileged account management and the use of multi-factor authentication.

This diagnostic statement protects against Make and Impersonate Token through the use of privileged account management and the use of multi-factor authentication.

This diagnostic statement protects against Create Account through the use of privileged account management and the use of multi-factor authentication.

This diagnostic statement protects against Local Account through the use of privileged account management and the use of multi-factor authentication.

This diagnostic statement protects against Domain Account through the use of privileged account management and the use of multi-factor authentication.

This diagnostic statement protects against Cloud Account through the use of privileged account management and the use of multi-factor authentication.

This diagnostic statement protects against Exploit Public-Facing Application through the use of privileged account management and the use of multi-factor authentication.

This diagnostic statement protects against Trusted Relationship through the use of privileged account management and the use of multi-factor authentication.

This diagnostic statement protects against Exploitation of Remote Services through the use of privileged account management and the use of multi-factor authentication.

This diagnostic statement protects against Data from Information Repositories through the use of privileged account management and the use of multi-factor authentication.

This diagnostic statement protects against Code Repositories through the use of privileged account management and the use of multi-factor authentication.

This diagnostic statement protects against System Binary Proxy Execution through the use of privileged account management and the use of multi-factor authentication.

This diagnostic statement protects against Msiexec through the use of privileged account management and the use of multi-factor authentication.

This diagnostic statement protects against File and Directory Permissions Modification through the use of privileged account management and the use of multi-factor authentication.

This diagnostic statement protects against Windows File and Directory Permissions Modification through the use of privileged account management and the use of multi-factor authentication.

This diagnostic statement protects against Linux and Mac File and Directory Permissions Modification through the use of privileged account management and the use of multi-factor authentication.

This diagnostic statement protects against Domain or Tenant Policy Modification through the use of privileged account management and the use of multi-factor authentication.

This diagnostic statement protects against Trust Modification through the use of privileged account management and the use of multi-factor authentication.

This diagnostic statement protects against Data Destruction through the use of privileged account management and the use of multi-factor authentication.

This diagnostic statement protects against Firmware Corruption through the use of privileged account management and the use of multi-factor authentication.

This diagnostic statement protects against Server Software Component through the use of privileged account management and the use of multi-factor authentication.

This diagnostic statement protects against SQL Stored Procedures through the use of privileged account management and the use of multi-factor authentication.

This diagnostic statement protects against Transport Agent through the use of privileged account management and the use of multi-factor authentication.

This diagnostic statement protects against IIS Components through the use of privileged account management and the use of multi-factor authentication.

This diagnostic statement protects against Implant Internal Image through the use of privileged account management and the use of multi-factor authentication.

This diagnostic statement protects against Data from Cloud Storage through the use of privileged account management and the use of multi-factor authentication.

This diagnostic statement protects against Steal Web Session Cookie through the use of privileged account management and the use of multi-factor authentication.

This diagnostic statement protects against Pre-OS Boot through the use of privileged account management and the use of multi-factor authentication.

This diagnostic statement protects against System Firmware through the use of privileged account management and the use of multi-factor authentication.

This diagnostic statement protects against Bootkit through the use of privileged account management and the use of multi-factor authentication.

This diagnostic statement protects against TFTP Boot through the use of privileged account management and the use of multi-factor authentication.

This diagnostic statement protects against Create or Modify System Process through the use of privileged account management and the use of multi-factor authentication.

This diagnostic statement protects against Systemd Service through the use of privileged account management and the use of multi-factor authentication.

This diagnostic statement protects against Event Triggered Execution through the use of privileged account management and the use of multi-factor authentication.

This diagnostic statement protects against Windows Management Instrumentation Event Subscription through the use of privileged account management and the use of multi-factor authentication.

This diagnostic statement protects against Boot or Logon Autostart Execution through the use of privileged account management and the use of multi-factor authentication.

This diagnostic statement protects against Kernel Modules and Extensions through the use of privileged account management and the use of multi-factor authentication.

This diagnostic statement protects against Abuse Elevation Control Mechanism through the use of privileged account management and the use of multi-factor authentication.

This diagnostic statement protects against Bypass User Account Control through the use of privileged account management and the use of multi-factor authentication.

This diagnostic statement protects against Sudo and Sudo Caching through the use of privileged account management and the use of multi-factor authentication.

This diagnostic statement protects against TCC Manipulation through the use of privileged account management and the use of multi-factor authentication.

This diagnostic statement protects against Use Alternate Authentication Material through the use of privileged account management and the use of multi-factor authentication.

This diagnostic statement protects against Pass the Hash through the use of privileged account management and the use of multi-factor authentication.

This diagnostic statement protects against Pass the Ticket through the use of privileged account management and the use of multi-factor authentication.

This diagnostic statement protects against Unsecured Credentials through the use of privileged account management and the use of multi-factor authentication.

This diagnostic statement protects against Credentials in Registry through the use of privileged account management and the use of multi-factor authentication.

This diagnostic statement protects against Container API through the use of privileged account management and the use of multi-factor authentication.

This diagnostic statement protects against Subvert Trust Controls through the use of privileged account management and the use of multi-factor authentication.

This diagnostic statement protects against Code Signing Policy Modification through the use of privileged account management and the use of multi-factor authentication.

This diagnostic statement protects against Credentials from Password Stores through the use of privileged account management and the use of multi-factor authentication.

This diagnostic statement protects against Cloud Secrets Management Stores through the use of privileged account management and the use of multi-factor authentication.

This diagnostic statement protects against Modify Authentication Process through the use of privileged account management and the use of multi-factor authentication.

This diagnostic statement protects against Domain Controller Authentication through the use of privileged account management and the use of multi-factor authentication.

This diagnostic statement protects against Pluggable Authentication Modules through the use of privileged account management and the use of multi-factor authentication.

This diagnostic statement protects against Network Device Authentication through the use of privileged account management and the use of multi-factor authentication.

This diagnostic statement protects against Reversible Encryption through the use of privileged account management and the use of multi-factor authentication.

This diagnostic statement protects against Multi-Factor Authentication through the use of privileged account management and the use of multi-factor authentication.

This diagnostic statement protects against Hybrid Identity through the use of privileged account management and the use of multi-factor authentication.

This diagnostic statement protects against Steal or Forge Kerberos Tickets through the use of privileged account management and the use of multi-factor authentication.

This diagnostic statement protects against Golden Ticket through the use of privileged account management and the use of multi-factor authentication.

This diagnostic statement protects against Silver Ticket through the use of privileged account management and the use of multi-factor authentication.

This diagnostic statement protects against Kerberoasting through the use of privileged account management and the use of multi-factor authentication.

This diagnostic statement protects against Inter-Process Communication through the use of privileged account management and the use of multi-factor authentication.

This diagnostic statement protects against Component Object Model through the use of privileged account management and the use of multi-factor authentication.

This diagnostic statement protects against Impair Defenses through the use of privileged account management and the use of multi-factor authentication.

This diagnostic statement protects against Safe Mode Boot through the use of privileged account management and the use of multi-factor authentication.

This diagnostic statement protects against Remote Service Session Hijacking through the use of privileged account management and the use of multi-factor authentication.

This diagnostic statement protects against SSH Hijacking through the use of privileged account management and the use of multi-factor authentication.

This diagnostic statement protects against RDP Hijacking through the use of privileged account management and the use of multi-factor authentication.

This diagnostic statement protects against System Services through the use of privileged account management and the use of multi-factor authentication.

This diagnostic statement protects against Service Execution through the use of privileged account management and the use of multi-factor authentication.

This diagnostic statement protects against Network Boundary Bridging through the use of privileged account management and the use of multi-factor authentication.

This diagnostic statement protects against Network Address Translation Traversal through the use of privileged account management and the use of multi-factor authentication.

This diagnostic statement protects against Modify System Image through the use of privileged account management and the use of multi-factor authentication.

This diagnostic statement protects against Patch System Image through the use of privileged account management and the use of multi-factor authentication.

This diagnostic statement protects against Downgrade System Image through the use of privileged account management and the use of multi-factor authentication.

This diagnostic statement protects against Forge Web Credentials through the use of privileged account management and the use of multi-factor authentication.

This diagnostic statement protects against SAML Tokens through the use of privileged account management and the use of multi-factor authentication.

This diagnostic statement protects against Container Administration Command through the use of privileged account management and the use of multi-factor authentication.

This diagnostic statement protects against Escape to Host through the use of privileged account management and the use of multi-factor authentication.

This diagnostic statement protects against Build Image on Host through the use of privileged account management and the use of multi-factor authentication.

This diagnostic statement protects against Multi-Factor Authentication Request Generation through the use of privileged account management and the use of multi-factor authentication.

This diagnostic statement protects against Cloud Administration Command through the use of privileged account management and the use of multi-factor authentication.

This diagnostic statement provides protection from Remote Services through the implementation of authentication and identity management controls to limit lateral movement. Employing control limitations to specific accounts, access control mechanisms, and auditing the attribution logs provides protection against adversaries attempting to move laterally in the cloud environment.

This diagnostic statement provides protection from Remote Services through the implementation of authentication and identity management controls to limit lateral movement. Employing limitations to specific accounts, access control mechanisms, and auditing the attribution logs provides protection against adversaries attempting to move laterally.

This diagnostic statement provides protection from Remote Services through the implementation of authentication and identity management controls to limit lateral movement. Employing limitations to specific accounts, access control mechanisms, and auditing the attribution logs provides protection against adversaries attempting to move laterally.

This diagnostic statement provides protection from Remote Services through the implementation of authentication and identity management controls to limit lateral movement. Employing limitations to specific accounts, access control mechanisms, and auditing the attribution logs provides protection against adversaries attempting to move laterally.

This diagnostic statement provides protection from Modify Authentication Process through the implementation of privileged account management controls to limit credential access. Employing limitations to specific accounts, access control mechanisms, and auditing the attribution logs provides protection against adversaries attempting to modify credentials.

This diagnostic statement provides protection from Modify Authentication Process through the implementation of privileged account management controls to limit credential access. Employing limitations to specific accounts, access control mechanisms, and auditing the attribution logs provides protection against adversaries attempting to modify credentials.

This diagnostic statement provides protection from Brute Force through the implementation of authentication controls and privileged account management controls to limit credential access. Employing limitations to specific accounts, access control mechanisms, and auditing the attribution logs provides protection against adversaries attempting to brute force credentials.

This diagnostic statement provides protection from Brute Force through the implementation of authentication controls and privileged account management controls to limit credential access. Employing limitations to specific accounts, access control mechanisms, and auditing the attribution logs provides protection against adversaries attempting to brute force credentials.

This diagnostic statement provides protection from Brute Force through the implementation of authentication controls and privileged account management controls to limit credential access. Employing limitations to specific accounts, access control mechanisms, and auditing the attribution logs provides protection against adversaries attempting to brute force credentials.

This diagnostic statement provides protection from Brute Force through the implementation of authentication controls and privileged account management controls to limit credential access. Employing limitations to specific accounts, access control mechanisms, and auditing the attribution logs provides protection against adversaries attempting to brute force credentials.

This diagnostic statement provides protection from Create Account through the implementation of privileged account management controls to limit credential access. Employing limitations to specific accounts, access control mechanisms, and auditing the attribution logs provides protection against adversaries attempting to create accounts.

This diagnostic statement provides protection from Create Account through the implementation of privileged account management controls to limit credential access. Employing limitations to specific accounts, access control mechanisms, and auditing the attribution logs provides protection against adversaries attempting to create accounts.

This diagnostic statement provides protection from Create Account through the implementation of privileged account management controls to limit credential access. Employing limitations to specific accounts, access control mechanisms, and auditing the attribution logs provides protection against adversaries attempting to create accounts.

This diagnostic statement provides protection from Account Manipulation through the implementation of privileged account management controls to limit credential access. Employing limitations to specific accounts, access control mechanisms, and auditing the attribution logs provides protection against adversaries attempting to modify accounts.

This diagnostic statement provides protection from Account Manipulation through the implementation of privileged account management controls to limit credential access. Employing limitations to specific accounts, access control mechanisms, and auditing the attribution logs provides protection against adversaries attempting to modify accounts.

This diagnostic statement provides protection from Account Manipulation through the implementation of privileged account management controls to limit credential access. Employing limitations to specific accounts, access control mechanisms, and auditing the attribution logs provides protection against adversaries attempting to modify accounts.

This diagnostic statement provides protection from Account Manipulation through the implementation of privileged account management controls to limit credential access. Employing limitations to specific accounts, access control mechanisms, and auditing the attribution logs provides protection against adversaries attempting to modify accounts.

This diagnostic statement provides protection from Compromise Accounts through the implementation of privileged account management controls to limit credential access. Employing limitations to specific accounts, access control mechanisms, and auditing the attribution logs provides protection against adversaries attempting to modify accounts.

This diagnostic statement provides protection from Create Account through the implementation of privileged account management controls to limit account access. Employing limitations to specific accounts, access control mechanisms, and auditing the attribution logs provides protection against adversaries attempting to create accounts.

This diagnostic statement provides protection from Create Account through the implementation of privileged account management controls to limit account access. Employing limitations to specific accounts, access control mechanisms, and auditing the attribution logs provides protection against adversaries attempting to create accounts.

This diagnostic statement provides protection from Valid Accounts through the implementation of privileged account management controls to limit account access. Employing limitations to specific accounts, provisioning accounts, access control mechanisms, and auditing the attribution logs provides protection against adversaries attempting to use default accounts.

This diagnostic statement provides protection from Create Account through the implementation of privileged account management controls to limit credential access. Employing limitations to specific accounts, access control mechanisms, and auditing the attribution logs provides protection against adversaries attempting to create accounts.

This diagnostic statement provides protection from Account Manipulation through the implementation of privileged account management controls to limit credential access. Employing limitations to specific accounts, access control mechanisms, and auditing the attribution logs provides protection against adversaries attempting to modify accounts.

This diagnostic statement provides protection from Valid Accounts through the implementation of privileged account management controls to limit account access. Employing limitations to specific accounts, provisioning accounts, access control mechanisms, and auditing the attribution logs provides protection against adversaries attempting to use existing accounts.

This diagnostic statement provides protection from Abuse Elevation Control Mechanism through the implementation of privileged account management controls to limit credential access. Employing limitations to specific accounts such as removing accounts from the Adminstrators group, access control mechanisms, and auditing the attribution logs provides some protection against adversaries attempting to abuse the elevation control mechanism.

This diagnostic statement provides protection from Data Manipulation through the implementation of privileged account management controls to limit credential access. Employing limitations to specific accounts, access control mechanisms, and auditing the attribution logs provides protection against adversaries attempting to modify data without being observed.

This diagnostic statement provides protection from Data from Information Repositories through the implementation of privileged account management controls to limit credential access. Employing limitations to specific accounts, access control mechanisms, and auditing the attribution logs provides protection against adversaries attempting to access sensitive data in information repositories.

This diagnostic statement provides protection from Account Manipulation through the implementation of privileged account management controls to limit credential access. Employing limitations to specific accounts, access control mechanisms, and auditing the attribution logs provides protection against adversaries attempting to modify accounts.

This diagnostic statement provides protection from Cloud Account through the implementation of privileged account management controls to limit credential access. Employing limitations to specific accounts, access control mechanisms, and auditing the attribution logs provides protection against adversaries attempting to modify accounts.

This diagnostic statement provides protection from adversaries that try to gain sensitive information and data from users via email. Utilizing methods such as encryption is recommended to minimize the risk of adversaries collecting user's credentials via email forwarding rules to collect credentials and other sensitive information.

This diagnostic statement provides protection from adversaries that try to gain sensitive information and data from users via email. Utilizing methods such as encryption and MFA are recommended to minimize the risk of adversaries collecting user's credentials via exchange servers from within a network.

This diagnostic statement provides protection from adversaries that try to gain sensitive information and data from users via email. Utilizing methods such as encryption and using public cryptic keys are recommended to minimize the risk of adversaries collecting information from files saved on email servers and caches.

This diagnostic statement provides protection from adversaries that try to gain sensitive information and data from users via email. Utilizing methods such as MFA is recommended to minimize the risk of adversaries collecting usernames and passwords.

This diagnostic statement provides protection from phishing attacks through the implementation of software configuration methods, such as anti-spoofing and email authentication. Enabling mechanisms like, SPF and DKIM, add protection against adversaries that may send phishing messages through the form of emails, instant messages, etc. to gain sensitive information.

This diagnostic statement provides protection from phishing attacks through the implementation of software configuration methods, such as anti-spoofing and email authentication. Enabling mechanisms like, SPF and DKIM, add protection against adversaries that may send spearphishing emails with a malicious attachment to gain elicit sensitive information.

This diagnostic statement provides protection from phishing attacks through the implementation of software configuration methods, such as anti-spoofing and email authentication. Enabling mechanisms like, SPF and DKIM, add protection against adversaries that may send spearphishing emails with a malicious link to gain elicit sensitive information.

This diagnostic statement provides protection from phishing attacks through the implementation of software configuration methods, such as anti-spoofing and email authentication. Enabling mechanisms like, SPF and DKIM, add protection against adversaries that may send spearphishing emails with a malicious link.

This diagnostic statement provides protection from phishing attacks through the implementation of software configuration methods, such as anti-spoofing and email authentication. Enabling mechanisms like, SPF and DKIM, add protection against adversaries that may send spearphishing emails with a malicious attachment.

This diagnostic statement provides protection from phishing attacks through the implementation of software configuration methods, such as anti-spoofing and email authentication.

This diagnostic statement describes the implementation of least privilege principle, which can be applied to limiting permissions through role-based access controls, file and directory permissions, and the execution of systems and services. An adversary must already have high-level, admin or root level access on a local system to make full use of these ATT&CK techniques. Restrict users and accounts to the least privileges they require can help mitigate these techniques.

This diagnostic statement describes the implementation of least privilege principle, which can be applied to limiting permissions through role-based access controls, file and directory permissions, and the execution of systems and services. An adversary must already have high-level, admin or root level access on a local system to make full use of these ATT&CK techniques. Restrict users and accounts to the least privileges they require can help mitigate these techniques.

This diagnostic statement describes the implementation of least privilege principle, which can be applied to limiting permissions through role-based access controls, file and directory permissions, and the execution of systems and services. An adversary must already have high-level, admin or root level access on a local system to make full use of these ATT&CK techniques. Restrict users and accounts to the least privileges they require can help mitigate these techniques.

This diagnostic statement describes the implementation of least privilege principle, which can be applied to limiting permissions through role-based access controls, file and directory permissions, and the execution of systems and services. An adversary must already have high-level, admin or root level access on a local system to make full use of these ATT&CK techniques. Restrict users and accounts to the least privileges they require can help mitigate these techniques.

This diagnostic statement describes the implementation of least privilege principle, which can be applied to limiting permissions through role-based access controls, file and directory permissions, and the execution of systems and services. An adversary must already have high-level, admin or root level access on a local system to make full use of these ATT&CK techniques. Restrict users and accounts to the least privileges they require can help mitigate these techniques.

This diagnostic statement describes the implementation of least privilege principle, which can be applied to limiting permissions through role-based access controls, file and directory permissions, and the execution of systems and services. An adversary must already have high-level, admin or root level access on a local system to make full use of these ATT&CK techniques. Restrict users and accounts to the least privileges they require can help mitigate these techniques.

This diagnostic statement describes the implementation of least privilege principle, which can be applied to limiting permissions through role-based access controls, file and directory permissions, and the execution of systems and services. An adversary must already have high-level, admin or root level access on a local system to make full use of these ATT&CK techniques. Restrict users and accounts to the least privileges they require can help mitigate these techniques.

This diagnostic statement describes the implementation of least privilege principle, which can be applied to limiting permissions through role-based access controls, file and directory permissions, and the execution of systems and services. An adversary must already have high-level, admin or root level access on a local system to make full use of these ATT&CK techniques. Restrict users and accounts to the least privileges they require can help mitigate these techniques.

This diagnostic statement describes the implementation of least privilege principle, which can be applied to limiting permissions through role-based access controls, file and directory permissions, and the execution of systems and services. An adversary must already have high-level, admin or root level access on a local system to make full use of these ATT&CK techniques. Restrict users and accounts to the least privileges they require can help mitigate these techniques.

This diagnostic statement describes the implementation of least privilege principle, which can be applied to limiting permissions through role-based access controls, file and directory permissions, and the execution of systems and services. An adversary must already have high-level, admin or root level access on a local system to make full use of these ATT&CK techniques. Restrict users and accounts to the least privileges they require can help mitigate these techniques.

This diagnostic statement describes the implementation of least privilege principle, which can be applied to limiting permissions through role-based access controls, file and directory permissions, and the execution of systems and services. An adversary must already have high-level, admin or root level access on a local system to make full use of these ATT&CK techniques. Restrict users and accounts to the least privileges they require can help mitigate these techniques.

This diagnostic statement describes the implementation of least privilege principle, which can be applied to limiting permissions through role-based access controls, file and directory permissions, and the execution of systems and services. An adversary must already have high-level, admin or root level access on a local system to make full use of these ATT&CK techniques. Restrict users and accounts to the least privileges they require can help mitigate these techniques.

This diagnostic statement describes the implementation of least privilege principle, which can be applied to limiting permissions through role-based access controls, file and directory permissions, and the execution of systems and services. An adversary must already have high-level, admin or root level access on a local system to make full use of these ATT&CK techniques. Restrict users and accounts to the least privileges they require can help mitigate these techniques.

This diagnostic statement describes the implementation of least privilege principle, which can be applied to limiting permissions through role-based access controls, file and directory permissions, and the execution of systems and services. An adversary must already have high-level, admin or root level access on a local system to make full use of these ATT&CK techniques. Restrict users and accounts to the least privileges they require can help mitigate these techniques

This diagnostic statement describes the implementation of least privilege principle, which can be applied to limiting permissions through role-based access controls, file and directory permissions, and the execution of systems and services. An adversary must already have high-level, admin or root level access on a local system to make full use of these ATT&CK techniques. Restrict users and accounts to the least privileges they require can help mitigate these techniques.

This diagnostic statement describes the implementation of least privilege principle, which can be applied to limiting permissions through role-based access controls, file and directory permissions, and the execution of systems and services. Ensure proper permissions are set for Registry hives to prevent users from modifying keys associated with COR_PROFILER.

This diagnostic statement describes the implementation of least privilege principle, which can be applied to limiting permissions through role-based access controls, file and directory permissions, and the execution of systems and services. Ensure proper permissions are set for Registry hives to prevent users from modifying keys for logon scripts that may lead to persistence.

This diagnostic statement describes the implementation of least privilege principle, which can be applied to limiting permissions through role-based access controls, file and directory permissions, and the execution of systems and services. Ensure proper permissions are set for Registry hives to prevent users from modifying keys for logon scripts that may lead to persistence.

This diagnostic statement describes the implementation of least privilege principle, which can be applied to limiting permissions through role-based access controls, file and directory permissions, and the execution of systems and services. Ensure proper permissions are set for Registry hives to prevent users from modifying keys for logon scripts that may lead to persistence.

This diagnostic statement describes the implementation of least privilege principle, which can be applied to limiting permissions through role-based access controls, file and directory permissions, and the execution of systems and services. Ensure proper permissions are set for Registry hives to prevent users from modifying keys for logon scripts that may lead to persistence.

This diagnostic statement describes the implementation of least privilege principle, which can be applied to limiting permissions through role-based access controls, file and directory permissions, and the execution of systems and services. Ensure least privilege principles are applied to important information resources to reduce exposure to data manipulation risk.

This diagnostic statement describes the implementation of least privilege principle, which can be applied to limiting permissions through role-based access controls, file and directory permissions, and the execution of systems and services. Limit permissions associated with creating and modifying platform images or containers based on the principle of least privilege

This diagnostic statement describes the implementation of least privilege principle, which can be applied to limiting permissions through role-based access controls, file and directory permissions, and the execution of systems and services. Limit permissions associated with creating and modifying platform images or containers based on the principle of least privilege

This diagnostic statement describes the implementation of least privilege principle, which can be applied to limiting permissions through role-based access controls, file and directory permissions, and the execution of systems and services. Restrict administrator accounts to as few individuals as possible, following least privilege principles, that may be abused to remotely boot a machine in safe mode.

This diagnostic statement describes the implementation of least privilege principle, which can be applied to limiting permissions through role-based access controls, file and directory permissions, and the execution of systems and services. Use the principal of least privilege and protect administrative access to domain trusts and identity tenants.

This diagnostic statement describes the implementation of least privilege principle, which can be applied to limiting permissions through role-based access controls, file and directory permissions, and the execution of systems and services. Use least privilege and protect administrative access to the Domain Controller and Active Directory Federation Services (AD FS) server.

This diagnostic statement describes the implementation of least privilege principle, which can be applied to limiting permissions through role-based access controls, file and directory permissions, and the execution of systems and services. Limiting users' access to resources over network can help mitigate these techniques. Limiting access to file shares, remote access to systems, unnecessary services.

This diagnostic statement describes the implementation of least privilege principle, which can be applied to limiting permissions through role-based access controls, file and directory permissions, and the execution of systems and services. Limiting users' access to resources over network can help mitigate these techniques. Establish network access control policies, such as using device certificates and the 802.1x standard. Restrict use of DHCP to registered devices to prevent unregistered devices from communicating with trusted systems.

This diagnostic statement describes the implementation of least privilege principle, which can be applied to limiting permissions through role-based access controls, file and directory permissions, and the execution of systems and services. Limiting users' access to resources over network can help mitigate these techniques. Limit access to remote services through centrally managed concentrators such as VPNs and other managed remote access systems.

This diagnostic statement describes the implementation of least privilege principle, which can be applied to limiting permissions through role-based access controls, file and directory permissions, and the execution of systems and services. Limiting users' access to resources over network can help mitigate these techniques. Limit access to network infrastructure and resources that can be used to reshape traffic or otherwise produce AiTM conditions.

This diagnostic statement describes the implementation of least privilege principle, which can be applied to limiting permissions through role-based access controls, file and directory permissions, and the execution of systems and services. Ensure proper Registry permissions are in place to prevent unnecessary users and adversaries from disabling or interfering with security/logging services.

This diagnostic statement is for the implementation of security controls for service accounts (i.e., accounts used by systems to access other systems). Protect administrative access to domain trusts and identity tenants to mitigate this technique.

This diagnostic statement is for the implementation of security controls for service accounts (i.e., accounts used by systems to access other systems). Minimize service account permissions and access for the service to mitigate exploitation via Distributed Component Object Model (DCOM).

This diagnostic statement describes security controls implemented for service accounts (i.e., accounts used by systems to access other systems). Limit service accounts to minimal required privileges to mitigate attempts to steal or forge Kerberos tickets.

This diagnostic statement describes security controls implemented for service accounts (i.e., accounts used by systems to access other systems). Limit service accounts to minimal required privileges to mitigate attempts to steal or forge Kerberos tickets.

This diagnostic statement is for the implementation of security controls for service accounts (i.e., accounts used by systems to access other systems), such as granting service accounts only the minimum necessary permissions.

This diagnostic statement describes how the organization establishes security standards based on industry guidelines to institute strict controls over service account (i.e., accounts used by systems to access other systems).

This diagnostic statement describes security controls implemented for service accounts (i.e., accounts used by systems to access other systems). Limit service accounts to minimal required privileges to mitigate attempts to steal or forge Kerberos tickets.

This diagnostic statement describes how the organization establishes security standards based on industry guidelines to institute strict controls over service account (i.e., accounts used by systems to access other systems). Minimize permissions and access for service accounts to mitigate this technique.

This diagnostic statement is for the implementation of security controls for service accounts (i.e., accounts used by systems to access other systems). Set service account access restrictions to grant only the minimum necessary permissions to mitigate abuse of inter-process communication (IPC) mechanisms.

This diagnostic statement describes how the organization establishes security standards based on industry guidelines to institute strict controls over service account (i.e., accounts used by systems to access other systems).

This diagnostic statement is for the implementation of security controls for service accounts (i.e., accounts used by systems to access other systems). Minimize permissions and access for service accounts to limit impact of exploitation.

This diagnostic statement describes how the organization establishes security standards based on industry guidelines to institute strict controls over service account (i.e., accounts used by systems to access other systems).

This diagnostic statement describes how the organization ensures users are identified and authenticated before accessing systems, applications, and hardware, with logical access controls permitting access only to authorized individuals with legitimate business needs. Logical access controls in relation to systems can refer to the use of MFA, user account management, and other role-based access control mechanisms to enforce policies for authentication and authorization of user accounts.

This diagnostic statement describes how the organization ensures users are identified and authenticated before accessing systems, applications, and hardware, with logical access controls permitting access only to authorized individuals with legitimate business needs. Logical access controls in relation to systems can refer to the use of MFA, user account management, and other role-based access control mechanisms to enforce policies for authentication and authorization of user accounts.

This diagnostic statement describes how the organization ensures users are identified and authenticated before accessing systems, applications, and hardware, with logical access controls permitting access only to authorized individuals with legitimate business needs. Logical access controls in relation to systems can refer to the use of MFA, user account management, and other role-based access control mechanisms to enforce policies for authentication and authorization of user accounts.

This diagnostic statement describes how the organization ensures users are identified and authenticated before accessing systems, applications, and hardware, with logical access controls permitting access only to authorized individuals with legitimate business needs. Logical access controls in relation to systems can refer to the use of MFA, user account management, and other role-based access control mechanisms to enforce policies for authentication and authorization of user accounts.

This diagnostic statement describes how the organization ensures users are identified and authenticated before accessing systems, applications, and hardware, with logical access controls permitting access only to authorized individuals with legitimate business needs. Logical access controls in relation to systems can refer to the use of MFA, user account management, and other role-based access control mechanisms to enforce policies for authentication and authorization of user accounts.

This diagnostic statement describes how the organization ensures users are identified and authenticated before accessing systems, applications, and hardware, with logical access controls permitting access only to authorized individuals with legitimate business needs. Logical access controls in relation to systems can refer to the use of MFA, user account management, and other role-based access control mechanisms to enforce policies for authentication and authorization of user accounts.

This diagnostic statement describes how the organization ensures users are identified and authenticated before accessing systems, applications, and hardware, with logical access controls permitting access only to authorized individuals with legitimate business needs. Logical access controls in relation to systems can refer to the use of MFA, user account management, and other role-based access control mechanisms to enforce policies for authentication and authorization of user accounts.

This diagnostic statement describes how the organization ensures users are identified and authenticated before accessing systems, applications, and hardware, with logical access controls permitting access only to authorized individuals with legitimate business needs. Logical access controls in relation to systems can refer to the use of MFA, user account management, and other role-based access control mechanisms to enforce policies for authentication and authorization of user accounts.

This diagnostic statement describes how the organization ensures users are identified and authenticated before accessing systems, applications, and hardware, with logical access controls permitting access only to authorized individuals with legitimate business needs. Logical access controls in relation to systems can refer to the use of MFA, user account management, and other role-based access control mechanisms to enforce policies for authentication and authorization of user accounts.

This diagnostic statement describes how the organization ensures users are identified and authenticated before accessing systems, applications, and hardware, with logical access controls permitting access only to authorized individuals with legitimate business needs. Logical access controls in relation to systems can refer to the use of MFA, user account management, and other role-based access control mechanisms to enforce policies for authentication and authorization of user accounts.

This diagnostic statement describes how the organization ensures users are identified and authenticated before accessing systems, applications, and hardware, with logical access controls permitting access only to authorized individuals with legitimate business needs. Logical access controls in relation to systems can refer to the use of MFA, user account management, and other role-based access control mechanisms to enforce policies for authentication and authorization of user accounts.

This diagnostic statement describes how the organization ensures users are identified and authenticated before accessing systems, applications, and hardware, with logical access controls permitting access only to authorized individuals with legitimate business needs. Logical access controls in relation to systems can refer to the use of MFA, user account management, and other role-based access control mechanisms to enforce policies for authentication and authorization of user accounts.

This diagnostic statement describes how the organization ensures users are identified and authenticated before accessing systems, applications, and hardware, with logical access controls permitting access only to authorized individuals with legitimate business needs. Logical access controls in relation to systems can refer to the use of MFA, user account management, and other role-based access control mechanisms to enforce policies for authentication and authorization of user accounts.

This diagnostic statement describes how the organization ensures users are identified and authenticated before accessing systems, applications, and hardware, with logical access controls permitting access only to authorized individuals with legitimate business needs. Logical access controls in relation to systems can refer to the use of MFA, user account management, and other role-based access control mechanisms to enforce policies for authentication and authorization of user accounts.

This diagnostic statement describes how the organization ensures users are identified and authenticated before accessing systems, applications, and hardware, with logical access controls permitting access only to authorized individuals with legitimate business needs. Logical access controls in relation to systems can refer to the use of MFA, user account management, and other role-based access control mechanisms to enforce policies for authentication and authorization of user accounts.

This diagnostic statement describes how the organization ensures users are identified and authenticated before accessing systems, applications, and hardware, with logical access controls permitting access only to authorized individuals with legitimate business needs. Logical access controls in relation to systems can refer to the use of MFA, user account management, and other role-based access control mechanisms to enforce policies for authentication and authorization of user accounts.

This diagnostic statement describes how the organization ensures users are identified and authenticated before accessing systems, applications, and hardware, with logical access controls permitting access only to authorized individuals with legitimate business needs. Logical access controls in relation to systems can refer to the use of MFA, user account management, and other role-based access control mechanisms to enforce policies for authentication and authorization of user accounts.

This diagnostic statement describes how the organization ensures users are identified and authenticated before accessing systems, applications, and hardware, with logical access controls permitting access only to authorized individuals with legitimate business needs. Logical access controls in relation to systems can refer to the use of MFA, user account management, and other role-based access control mechanisms to enforce policies for authentication and authorization of user accounts.

This diagnostic statement describes how the organization ensures users are identified and authenticated before accessing systems, applications, and hardware, with logical access controls permitting access only to authorized individuals with legitimate business needs. Logical access controls in relation to systems can refer to the use of MFA, user account management, and other role-based access control mechanisms to enforce policies for authentication and authorization of user accounts.

This diagnostic statement describes how the organization ensures users are identified and authenticated before accessing systems, applications, and hardware, with logical access controls permitting access only to authorized individuals with legitimate business needs. Logical access controls in relation to systems can refer to the use of MFA, user account management, and other role-based access control mechanisms to enforce policies for authentication and authorization of user accounts.

This diagnostic statement describes how the organization ensures users are identified and authenticated before accessing systems, applications, and hardware, with logical access controls permitting access only to authorized individuals with legitimate business needs. Logical access controls in relation to systems can refer to the use of MFA, user account management, and other role-based access control mechanisms to enforce policies for authentication and authorization of user accounts.

This diagnostic statement describes how the organization ensures users are identified and authenticated before accessing systems, applications, and hardware, with logical access controls permitting access only to authorized individuals with legitimate business needs. Logical access controls in relation to systems can refer to the use of MFA, user account management, and other role-based access control mechanisms to enforce policies for authentication and authorization of user accounts.

This diagnostic statement describes how the organization ensures users are identified and authenticated before accessing systems, applications, and hardware, with logical access controls permitting access only to authorized individuals with legitimate business needs. Logical access controls in relation to systems can refer to the use of MFA, user account management, and other role-based access control mechanisms to enforce policies for authentication and authorization of user accounts.

This diagnostic statement describes how the organization ensures users are identified and authenticated before accessing systems, applications, and hardware, with logical access controls permitting access only to authorized individuals with legitimate business needs. Logical access controls in relation to systems can refer to the use of MFA, user account management, and other role-based access control mechanisms to enforce policies for authentication and authorization of user accounts.

This diagnostic statement describes how the organization ensures users are identified and authenticated before accessing systems, applications, and hardware, with logical access controls permitting access only to authorized individuals with legitimate business needs. Logical access controls in relation to systems can refer to the use of MFA, user account management, and other role-based access control mechanisms to enforce policies for authentication and authorization of user accounts.

This diagnostic statement describes how the organization ensures users are identified and authenticated before accessing systems, applications, and hardware, with logical access controls permitting access only to authorized individuals with legitimate business needs. Logical access controls in relation to systems can refer to the use of MFA, user account management, and other role-based access control mechanisms to enforce policies for authentication and authorization of user accounts.

This diagnostic statement describes how the organization ensures users are identified and authenticated before accessing systems, applications, and hardware, with logical access controls permitting access only to authorized individuals with legitimate business needs. Logical access controls in relation to systems can refer to the use of MFA, user account management, and other role-based access control mechanisms to enforce policies for authentication and authorization of user accounts.

This diagnostic statement describes how the organization ensures users are identified and authenticated before accessing systems, applications, and hardware, with logical access controls permitting access only to authorized individuals with legitimate business needs. Logical access controls in relation to systems can refer to the use of MFA, user account management, and other role-based access control mechanisms to enforce policies for authentication and authorization of user accounts.

This diagnostic statement describes how the organization ensures users are identified and authenticated before accessing systems, applications, and hardware, with logical access controls permitting access only to authorized individuals with legitimate business needs. Logical access controls in relation to systems can refer to the use of MFA, user account management, and other role-based access control mechanisms to enforce policies for authentication and authorization of user accounts.

This diagnostic statement describes how the organization ensures users are identified and authenticated before accessing systems, applications, and hardware, with logical access controls permitting access only to authorized individuals with legitimate business needs. Logical access controls in relation to systems can refer to the use of MFA, user account management, and other role-based access control mechanisms to enforce policies for authentication and authorization of user accounts.

This diagnostic statement describes how the organization ensures users are identified and authenticated before accessing systems, applications, and hardware, with logical access controls permitting access only to authorized individuals with legitimate business needs. Logical access controls in relation to systems can refer to the use of MFA, user account management, and other role-based access control mechanisms to enforce policies for authentication and authorization of user accounts.

This diagnostic statement describes how the organization ensures users are identified and authenticated before accessing systems, applications, and hardware, with logical access controls permitting access only to authorized individuals with legitimate business needs. Logical access controls in relation to systems can refer to the use of MFA, user account management, and other role-based access control mechanisms to enforce policies for authentication and authorization of user accounts.

This diagnostic statement describes how the organization ensures users are identified and authenticated before accessing systems, applications, and hardware, with logical access controls permitting access only to authorized individuals with legitimate business needs. Logical access controls in relation to systems can refer to the use of MFA, user account management, and other role-based access control mechanisms to enforce policies for authentication and authorization of user accounts.

This diagnostic statement describes how the organization ensures users are identified and authenticated before accessing systems, applications, and hardware, with logical access controls permitting access only to authorized individuals with legitimate business needs. Logical access controls in relation to systems can refer to the use of MFA, user account management, and other role-based access control mechanisms to enforce policies for authentication and authorization of user accounts.

This diagnostic statement describes how the organization ensures users are identified and authenticated before accessing systems, applications, and hardware, with logical access controls permitting access only to authorized individuals with legitimate business needs. Logical access controls in relation to systems can refer to the use of MFA, user account management, and other role-based access control mechanisms to enforce policies for authentication and authorization of user accounts.

This diagnostic statement describes how the organization ensures users are identified and authenticated before accessing systems, applications, and hardware, with logical access controls permitting access only to authorized individuals with legitimate business needs. Logical access controls in relation to systems can refer to the use of MFA, user account management, and other role-based access control mechanisms to enforce policies for authentication and authorization of user accounts.

This diagnostic statement describes how the organization ensures users are identified and authenticated before accessing systems, applications, and hardware, with logical access controls permitting access only to authorized individuals with legitimate business needs. Logical access controls in relation to systems can refer to the use of MFA, user account management, and other role-based access control mechanisms to enforce policies for authentication and authorization of user accounts.

This diagnostic statement describes how the organization ensures users are identified and authenticated before accessing systems, applications, and hardware, with logical access controls permitting access only to authorized individuals with legitimate business needs. Logical access controls in relation to systems can refer to the use of MFA, user account management, and other role-based access control mechanisms to enforce policies for authentication and authorization of user accounts.

This diagnostic statement describes how the organization ensures users are identified and authenticated before accessing systems, applications, and hardware, with logical access controls permitting access only to authorized individuals with legitimate business needs. Logical access controls in relation to systems can refer to the use of MFA, user account management, and other role-based access control mechanisms to enforce policies for authentication and authorization of user accounts.

This diagnostic statement describes how the organization ensures users are identified and authenticated before accessing systems, applications, and hardware, with logical access controls permitting access only to authorized individuals with legitimate business needs. Logical access controls in relation to systems can refer to the use of MFA, user account management, and other role-based access control mechanisms to enforce policies for authentication and authorization of user accounts.

This diagnostic statement describes how the organization ensures users are identified and authenticated before accessing systems, applications, and hardware, with logical access controls permitting access only to authorized individuals with legitimate business needs. Logical access controls in relation to systems can refer to the use of MFA, user account management, and other role-based access control mechanisms to enforce policies for authentication and authorization of user accounts.

This diagnostic statement describes how the organization ensures users are identified and authenticated before accessing systems, applications, and hardware, with logical access controls permitting access only to authorized individuals with legitimate business needs. Logical access controls in relation to systems can refer to the use of MFA, user account management, and other role-based access control mechanisms to enforce policies for authentication and authorization of user accounts.

This diagnostic statement describes how the organization ensures users are identified and authenticated before accessing systems, applications, and hardware, with logical access controls permitting access only to authorized individuals with legitimate business needs. Logical access controls in relation to systems can refer to the use of MFA, user account management, and other role-based access control mechanisms to enforce policies for authentication and authorization of user accounts.

This diagnostic statement describes how the organization ensures users are identified and authenticated before accessing systems, applications, and hardware, with logical access controls permitting access only to authorized individuals with legitimate business needs. Logical access controls in relation to systems can refer to the use of MFA, user account management, and other role-based access control mechanisms to enforce policies for authentication and authorization of user accounts.

This diagnostic statement describes how the organization ensures users are identified and authenticated before accessing systems, applications, and hardware, with logical access controls permitting access only to authorized individuals with legitimate business needs. Logical access controls in relation to systems can refer to the use of MFA, user account management, and other role-based access control mechanisms to enforce policies for authentication and authorization of user accounts.

This diagnostic statement describes how the organization ensures users are identified and authenticated before accessing systems, applications, and hardware, with logical access controls permitting access only to authorized individuals with legitimate business needs. Logical access controls in relation to systems can refer to the use of MFA, user account management, and other role-based access control mechanisms to enforce policies for authentication and authorization of user accounts.

This diagnostic statement describes how the organization ensures users are identified and authenticated before accessing systems, applications, and hardware, with logical access controls permitting access only to authorized individuals with legitimate business needs. Logical access controls in relation to systems can refer to the use of MFA, user account management, and other role-based access control mechanisms to enforce policies for authentication and authorization of user accounts.

This diagnostic statement describes how the organization ensures users are identified and authenticated before accessing systems, applications, and hardware, with logical access controls permitting access only to authorized individuals with legitimate business needs. Logical access controls in relation to systems can refer to the use of MFA, user account management, and other role-based access control mechanisms to enforce policies for authentication and authorization of user accounts.

This diagnostic statement describes how the organization ensures users are identified and authenticated before accessing systems, applications, and hardware, with logical access controls permitting access only to authorized individuals with legitimate business needs. Logical access controls in relation to systems can refer to the use of MFA, user account management, and other role-based access control mechanisms to enforce policies for authentication and authorization of user accounts.

This diagnostic statement describes how the organization ensures users are identified and authenticated before accessing systems, applications, and hardware, with logical access controls permitting access only to authorized individuals with legitimate business needs. Logical access controls in relation to systems can refer to the use of MFA, user account management, and other role-based access control mechanisms to enforce policies for authentication and authorization of user accounts.

This diagnostic statement describes how the organization ensures users are identified and authenticated before accessing systems, applications, and hardware, with logical access controls permitting access only to authorized individuals with legitimate business needs. Logical access controls in relation to systems can refer to the use of MFA, user account management, and other role-based access control mechanisms to enforce policies for authentication and authorization of user accounts.

This diagnostic statement describes how the organization ensures users are identified and authenticated before accessing systems, applications, and hardware, with logical access controls permitting access only to authorized individuals with legitimate business needs. Logical access controls in relation to systems can refer to the use of MFA, user account management, and other role-based access control mechanisms to enforce policies for authentication and authorization of user accounts.

This diagnostic statement describes how the organization implement appropriate authentication requirements, including selecting mechanisms based on risk, utilizing multi-factor authentication where necessary, and safeguarding the storage of authenticators like pins and passwords to protect sensitive access credentials.

This diagnostic statement describes how the organization implement appropriate authentication requirements, including selecting mechanisms based on risk, utilizing multi-factor authentication where necessary, and safeguarding the storage of authenticators like pins and passwords to protect sensitive access credentials.

This diagnostic statement describes how the organization implement appropriate authentication requirements, including selecting mechanisms based on risk, utilizing multi-factor authentication where necessary, and safeguarding the storage of authenticators like pins and passwords to protect sensitive access credentials.

This diagnostic statement describes how the organization implement appropriate authentication requirements, including selecting mechanisms based on risk, utilizing multi-factor authentication where necessary, and safeguarding the storage of authenticators like pins and passwords to protect sensitive access credentials.

This diagnostic statement describes how the organization implement appropriate authentication requirements, including selecting mechanisms based on risk, utilizing multi-factor authentication where necessary, and safeguarding the storage of authenticators like pins and passwords to protect sensitive access credentials.

This diagnostic statement describes how the organization implement appropriate authentication requirements, including selecting mechanisms based on risk, utilizing multi-factor authentication where necessary, and safeguarding the storage of authenticators like pins and passwords to protect sensitive access credentials.

This diagnostic statement describes how the organization implement appropriate authentication requirements, including selecting mechanisms based on risk, utilizing multi-factor authentication where necessary, and safeguarding the storage of authenticators like pins and passwords to protect sensitive access credentials.

This diagnostic statement describes how the organization implement appropriate authentication requirements, including selecting mechanisms based on risk, utilizing multi-factor authentication where necessary, and safeguarding the storage of authenticators like pins and passwords to protect sensitive access credentials.

This diagnostic statement describes how the organization implement appropriate authentication requirements, including selecting mechanisms based on risk, utilizing multi-factor authentication where necessary, and safeguarding the storage of authenticators like pins and passwords to protect sensitive access credentials.

This diagnostic statement describes how the organization implement appropriate authentication requirements, including selecting mechanisms based on risk, utilizing multi-factor authentication where necessary, and safeguarding the storage of authenticators like pins and passwords to protect sensitive access credentials.

This diagnostic statement describes how the organization implement appropriate authentication requirements, including selecting mechanisms based on risk, utilizing multi-factor authentication where necessary, and safeguarding the storage of authenticators like pins and passwords to protect sensitive access credentials.

This diagnostic statement describes how the organization implement appropriate authentication requirements, including selecting mechanisms based on risk, utilizing multi-factor authentication where necessary, and safeguarding the storage of authenticators like pins and passwords to protect sensitive access credentials.

This diagnostic statement describes how the organization implement appropriate authentication requirements, including selecting mechanisms based on risk, utilizing multi-factor authentication where necessary, and safeguarding the storage of authenticators like pins and passwords to protect sensitive access credentials.

This diagnostic statement describes how the organization implement appropriate authentication requirements, including selecting mechanisms based on risk, utilizing multi-factor authentication where necessary, and safeguarding the storage of authenticators like pins and passwords to protect sensitive access credentials.

This diagnostic statement describes how the organization implement appropriate authentication requirements, including selecting mechanisms based on risk, utilizing multi-factor authentication where necessary, and safeguarding the storage of authenticators like pins and passwords to protect sensitive access credentials.

This diagnostic statement describes how the organization implement appropriate authentication requirements, including selecting mechanisms based on risk, utilizing multi-factor authentication where necessary, and safeguarding the storage of authenticators like pins and passwords to protect sensitive access credentials.

This diagnostic statement describes how the organization implement appropriate authentication requirements, including selecting mechanisms based on risk, utilizing multi-factor authentication where necessary, and safeguarding the storage of authenticators like pins and passwords to protect sensitive access credentials.

This diagnostic statement describes how the organization implement appropriate authentication requirements, including selecting mechanisms based on risk, utilizing multi-factor authentication where necessary, and safeguarding the storage of authenticators like pins and passwords to protect sensitive access credentials.

This diagnostic statement describes how the organization implement appropriate authentication requirements, including selecting mechanisms based on risk, utilizing multi-factor authentication where necessary, and safeguarding the storage of authenticators like pins and passwords to protect sensitive access credentials.

This diagnostic statement describes how the organization implement appropriate authentication requirements, including selecting mechanisms based on risk, utilizing multi-factor authentication where necessary, and safeguarding the storage of authenticators like pins and passwords to protect sensitive access credentials.

This diagnostic statement describes how the organization implement appropriate authentication requirements, including selecting mechanisms based on risk, utilizing multi-factor authentication where necessary, and safeguarding the storage of authenticators like pins and passwords to protect sensitive access credentials.

This diagnostic statement describes how the organization implement appropriate authentication requirements, including selecting mechanisms based on risk, utilizing multi-factor authentication where necessary, and safeguarding the storage of authenticators like pins and passwords to protect sensitive access credentials.

This diagnostic statement describes how the organization implement appropriate authentication requirements, including selecting mechanisms based on risk, utilizing multi-factor authentication where necessary, and safeguarding the storage of authenticators like pins and passwords to protect sensitive access credentials.

This diagnostic statement describes how the organization implement appropriate authentication requirements, including selecting mechanisms based on risk, utilizing multi-factor authentication where necessary, and safeguarding the storage of authenticators like pins and passwords to protect sensitive access credentials.

This diagnostic statement describes how the organization implement appropriate authentication requirements, including selecting mechanisms based on risk, utilizing multi-factor authentication where necessary, and safeguarding the storage of authenticators like pins and passwords to protect sensitive access credentials.

This diagnostic statement describes how the organization implement appropriate authentication requirements, including selecting mechanisms based on risk, utilizing multi-factor authentication where necessary, and safeguarding the storage of authenticators like pins and passwords to protect sensitive access credentials.

This diagnostic statement describes how the organization implement appropriate authentication requirements, including selecting mechanisms based on risk, utilizing multi-factor authentication where necessary, and safeguarding the storage of authenticators like pins and passwords to protect sensitive access credentials.

This diagnostic statement describes how the organization implement appropriate authentication requirements, including selecting mechanisms based on risk, utilizing multi-factor authentication where necessary, and safeguarding the storage of authenticators like pins and passwords to protect sensitive access credentials.

This diagnostic statement describes how the organization implement appropriate authentication requirements, including selecting mechanisms based on risk, utilizing multi-factor authentication where necessary, and safeguarding the storage of authenticators like pins and passwords to protect sensitive access credentials.

This diagnostic statement describes how the organization implement appropriate authentication requirements, including selecting mechanisms based on risk, utilizing multi-factor authentication where necessary, and safeguarding the storage of authenticators like pins and passwords to protect sensitive access credentials.

This diagnostic statement describes how the organization implement appropriate authentication requirements, including selecting mechanisms based on risk, utilizing multi-factor authentication where necessary, and safeguarding the storage of authenticators like pins and passwords to protect sensitive access credentials.

This diagnostic statement describes how the organization implement appropriate authentication requirements, including selecting mechanisms based on risk, utilizing multi-factor authentication where necessary, and safeguarding the storage of authenticators like pins and passwords to protect sensitive access credentials.

This diagnostic statement describes how the organization implement appropriate authentication requirements, including selecting mechanisms based on risk, utilizing multi-factor authentication where necessary, and safeguarding the storage of authenticators like pins and passwords to protect sensitive access credentials.

This diagnostic statement describes how the organization implement appropriate authentication requirements, including selecting mechanisms based on risk, utilizing multi-factor authentication where necessary, and safeguarding the storage of authenticators like pins and passwords to protect sensitive access credentials.

This diagnostic statement describes how the organization implement appropriate authentication requirements, including selecting mechanisms based on risk, utilizing multi-factor authentication where necessary, and safeguarding the storage of authenticators like pins and passwords to protect sensitive access credentials.

This diagnostic statement describes how the organization implement appropriate authentication requirements, including selecting mechanisms based on risk, utilizing multi-factor authentication where necessary, and safeguarding the storage of authenticators like pins and passwords to protect sensitive access credentials.

This diagnostic statement describes how the organization implement appropriate authentication requirements, including selecting mechanisms based on risk, utilizing multi-factor authentication where necessary, and safeguarding the storage of authenticators like pins and passwords to protect sensitive access credentials.

This diagnostic statement describes how the organization implement appropriate authentication requirements, including selecting mechanisms based on risk, utilizing multi-factor authentication where necessary, and safeguarding the storage of authenticators like pins and passwords to protect sensitive access credentials.

This diagnostic statement describes how the organization implement appropriate authentication requirements, including selecting mechanisms based on risk, utilizing multi-factor authentication where necessary, and safeguarding the storage of authenticators like pins and passwords to protect sensitive access credentials.

This diagnostic statement describes how the organization implement appropriate authentication requirements, including selecting mechanisms based on risk, utilizing multi-factor authentication where necessary, and safeguarding the storage of authenticators like pins and passwords to protect sensitive access credentials.

This diagnostic statement describes how the organization implement appropriate authentication requirements, including selecting mechanisms based on risk, utilizing multi-factor authentication where necessary, and safeguarding the storage of authenticators like pins and passwords to protect sensitive access credentials.

This diagnostic statement describes how the organization implement appropriate authentication requirements, including selecting mechanisms based on risk, utilizing multi-factor authentication where necessary, and safeguarding the storage of authenticators like pins and passwords to protect sensitive access credentials.

This diagnostic statement describes how the organization implement appropriate authentication requirements, including selecting mechanisms based on risk, utilizing multi-factor authentication where necessary, and safeguarding the storage of authenticators like pins and passwords to protect sensitive access credentials.

This diagnostic statement describes how the organization implement appropriate authentication requirements, including selecting mechanisms based on risk, utilizing multi-factor authentication where necessary, and safeguarding the storage of authenticators like pins and passwords to protect sensitive access credentials.

This diagnostic statement describes how the organization implement appropriate authentication requirements, including selecting mechanisms based on risk, utilizing multi-factor authentication where necessary, and safeguarding the storage of authenticators like pins and passwords to protect sensitive access credentials.

This diagnostic statement describes how the organization implement appropriate authentication requirements, including selecting mechanisms based on risk, utilizing multi-factor authentication where necessary, and safeguarding the storage of authenticators like pins and passwords to protect sensitive access credentials.

This diagnostic statement describes how the organization implement appropriate authentication requirements, including selecting mechanisms based on risk, utilizing multi-factor authentication where necessary, and safeguarding the storage of authenticators like pins and passwords to protect sensitive access credentials.

This diagnostic statement describes how the organization implement appropriate authentication requirements, including selecting mechanisms based on risk, utilizing multi-factor authentication where necessary, and safeguarding the storage of authenticators like pins and passwords to protect sensitive access credentials.

This diagnostic statement describes how the organization implement appropriate authentication requirements, including selecting mechanisms based on risk, utilizing multi-factor authentication where necessary, and safeguarding the storage of authenticators like pins and passwords to protect sensitive access credentials.

This diagnostic statement describes how the organization implement appropriate authentication requirements, including selecting mechanisms based on risk, utilizing multi-factor authentication where necessary, and safeguarding the storage of authenticators like pins and passwords to protect sensitive access credentials.

This diagnostic statement describes how the organization implement appropriate authentication requirements, including selecting mechanisms based on risk, utilizing multi-factor authentication where necessary, and safeguarding the storage of authenticators like pins and passwords to protect sensitive access credentials.

This diagnostic statement describes how the organization implement appropriate authentication requirements, including selecting mechanisms based on risk, utilizing multi-factor authentication where necessary, and safeguarding the storage of authenticators like pins and passwords to protect sensitive access credentials.

This diagnostic statement describes how the organization implement appropriate authentication requirements, including selecting mechanisms based on risk, utilizing multi-factor authentication where necessary, and safeguarding the storage of authenticators like pins and passwords to protect sensitive access credentials.

This diagnostic statement describes how the organization implement appropriate authentication requirements, including selecting mechanisms based on risk, utilizing multi-factor authentication where necessary, and safeguarding the storage of authenticators like pins and passwords to protect sensitive access credentials.

This diagnostic statement describes how the organization implement appropriate authentication requirements, including selecting mechanisms based on risk, utilizing multi-factor authentication where necessary, and safeguarding the storage of authenticators like pins and passwords to protect sensitive access credentials.

This diagnostic statement includes implementation of controls for third-party access to an organization’s systems. Conditional access policies can be used to block logins from non-compliant devices or from outside defined IP ranges.

This diagnostic statement includes implementation of controls for third-party access to an organization’s systems. Enforcing third-party account use policies to include account lockout policies after a certain number of failed login attempts mitigates the risk of brute-force attacks.

This diagnostic statement includes implementation of controls for third-party access to an organization’s systems. Manage accounts and permissions used by parties in trusted relationships to minimize potential abuse by the party or if the party is compromised by an adversary.

This diagnostic statement protects against OS Credential Dumping through the use of hardened access control policies, secure defaults, password complexity requirements, multifactor authentication requirements, and removal of terminated accounts.

This diagnostic statement protects against LSASS Memory through the use of hardened access control policies, secure defaults, password complexity requirements, multifactor authentication requirements, and removal of terminated accounts.

This diagnostic statement protects against Security Account Manager through the use of hardened access control policies, secure defaults, password complexity requirements, multifactor authentication requirements, and removal of terminated accounts.

This diagnostic statement protects against NTDS through the use of hardened access control policies, secure defaults, password complexity requirements, multifactor authentication requirements, and removal of terminated accounts.

This diagnostic statement protects against LSA Secrets through the use of hardened access control policies, secure defaults, password complexity requirements, multifactor authentication requirements, and removal of terminated accounts.

This diagnostic statement protects against Cached Domain Credentials through the use of hardened access control policies, secure defaults, password complexity requirements, multifactor authentication requirements, and removal of terminated accounts.

This diagnostic statement protects against DCSync through the use of hardened access control policies, secure defaults, password complexity requirements, multifactor authentication requirements, and removal of terminated accounts.

This diagnostic statement protects against Proc Filesystem through the use of hardened access control policies, secure defaults, password complexity requirements, multifactor authentication requirements, and removal of terminated accounts.

This diagnostic statement protects against /etc/passwd and /etc/shadow through the use of hardened access control policies, secure defaults, password complexity requirements, multifactor authentication requirements, and removal of terminated accounts.

This diagnostic statement protects against Direct Volume Access through the use of hardened access control policies, secure defaults, password complexity requirements, multifactor authentication requirements, and removal of terminated accounts.

This diagnostic statement protects against Traffic Duplication through the use of hardened access control policies, secure defaults, password complexity requirements, multifactor authentication requirements, and removal of terminated accounts.

This diagnostic statement protects against Remote Services through the use of hardened access control policies, secure defaults, password complexity requirements, multifactor authentication requirements, and removal of terminated accounts.

This diagnostic statement protects against Remote Desktop Protocol through the use of hardened access control policies, secure defaults, password complexity requirements, multifactor authentication requirements, and removal of terminated accounts.

This diagnostic statement protects against SMB/Windows Admin Shares through the use of hardened access control policies, secure defaults, password complexity requirements, multifactor authentication requirements, and removal of terminated accounts.

This diagnostic statement protects against SSH through the use of hardened access control policies, secure defaults, password complexity requirements, multifactor authentication requirements, and removal of terminated accounts.

This diagnostic statement protects against Cloud Services through the use of hardened access control policies, secure defaults, password complexity requirements, multifactor authentication requirements, and removal of terminated accounts.

This diagnostic statement protects against Direct Cloud VM Connections through the use of hardened access control policies, secure defaults, password complexity requirements, multifactor authentication requirements, and removal of terminated accounts.

This diagnostic statement protects against Masquerading through the use of hardened access control policies, secure defaults, password complexity requirements, multifactor authentication requirements, and removal of terminated accounts.

This diagnostic statement protects against Masquerade Account Name through the use of hardened access control policies, secure defaults, password complexity requirements, multifactor authentication requirements, and removal of terminated accounts.

This diagnostic statement protects against Network Sniffing through the use of hardened access control policies, secure defaults, password complexity requirements, multifactor authentication requirements, and removal of terminated accounts.

This diagnostic statement protects against Windows Management Instrumentation through the use of hardened access control policies, secure defaults, password complexity requirements, multifactor authentication requirements, and removal of terminated accounts.

This diagnostic statement protects against Exfiltration Over Alternative Protocol through the use of hardened access control policies, secure defaults, password complexity requirements, multifactor authentication requirements, and removal of terminated accounts.

This diagnostic statement protects against Scheduled Task/Job through the use of hardened access control policies, secure defaults, password complexity requirements, multifactor authentication requirements, and removal of terminated accounts.

This diagnostic statement protects against At through the use of hardened access control policies, secure defaults, password complexity requirements, multifactor authentication requirements, and removal of terminated accounts.

This diagnostic statement protects against Cron through the use of hardened access control policies, secure defaults, password complexity requirements, multifactor authentication requirements, and removal of terminated accounts.

This diagnostic statement protects against Scheduled Task through the use of hardened access control policies, secure defaults, password complexity requirements, multifactor authentication requirements, and removal of terminated accounts.

This diagnostic statement protects against Systemd Timers through the use of hardened access control policies, secure defaults, password complexity requirements, multifactor authentication requirements, and removal of terminated accounts.

This diagnostic statement protects against Container Orchestration Job through the use of hardened access control policies, secure defaults, password complexity requirements, multifactor authentication requirements, and removal of terminated accounts.

This diagnostic statement protects against Command and Scripting Interpreter through the use of hardened access control policies, secure defaults, password complexity requirements, multifactor authentication requirements, and removal of terminated accounts.

This diagnostic statement protects against Network Device CLI through the use of hardened access control policies, secure defaults, password complexity requirements, multifactor authentication requirements, and removal of terminated accounts.

This diagnostic statement protects against Software Deployment Tools through the use of hardened access control policies, secure defaults, password complexity requirements, multifactor authentication requirements, and removal of terminated accounts.

This diagnostic statement protects against Valid Accounts through the use of hardened access control policies, secure defaults, password complexity requirements, multifactor authentication requirements, and removal of terminated accounts.

This diagnostic statement protects against Default Accounts through the use of hardened access control policies, secure defaults, password complexity requirements, multifactor authentication requirements, and removal of terminated accounts.

This diagnostic statement protects against Domain Accounts through the use of hardened access control policies, secure defaults, password complexity requirements, multifactor authentication requirements, and removal of terminated accounts.

This diagnostic statement protects against Local Accounts through the use of hardened access control policies, secure defaults, password complexity requirements, multifactor authentication requirements, and removal of terminated accounts.

This diagnostic statement protects against Cloud Accounts through the use of hardened access control policies, secure defaults, password complexity requirements, multifactor authentication requirements, and removal of terminated accounts.

This diagnostic statement protects against Account Discovery through the use of hardened access control policies, secure defaults, password complexity requirements, multifactor authentication requirements, and removal of terminated accounts.

This diagnostic statement protects against Cloud Account through the use of hardened access control policies, secure defaults, password complexity requirements, multifactor authentication requirements, and removal of terminated accounts.

This diagnostic statement protects against Account Manipulation through the use of hardened access control policies, secure defaults, password complexity requirements, multifactor authentication requirements, and removal of terminated accounts.

This diagnostic statement protects against Additional Cloud Credentials through the use of hardened access control policies, secure defaults, password complexity requirements, multifactor authentication requirements, and removal of terminated accounts.

This diagnostic statement protects against Additional Email Delegate Permissions through the use of hardened access control policies, secure defaults, password complexity requirements, multifactor authentication requirements, and removal of terminated accounts.

This diagnostic statement protects against Additional Cloud Roles through the use of hardened access control policies, secure defaults, password complexity requirements, multifactor authentication requirements, and removal of terminated accounts.

This diagnostic statement protects against SSH Authorized Keys through the use of hardened access control policies, secure defaults, password complexity requirements, multifactor authentication requirements, and removal of terminated accounts.

This diagnostic statement protects against Device Registration through the use of hardened access control policies, secure defaults, password complexity requirements, multifactor authentication requirements, and removal of terminated accounts.

This diagnostic statement protects against Additional Container Cluster Roles through the use of hardened access control policies, secure defaults, password complexity requirements, multifactor authentication requirements, and removal of terminated accounts.

This diagnostic statement protects against Brute Force through the use of hardened access control policies, secure defaults, password complexity requirements, multifactor authentication requirements, and removal of terminated accounts.

This diagnostic statement protects against Password Guessing through the use of hardened access control policies, secure defaults, password complexity requirements, multifactor authentication requirements, and removal of terminated accounts.

This diagnostic statement protects against Password Cracking through the use of hardened access control policies, secure defaults, password complexity requirements, multifactor authentication requirements, and removal of terminated accounts.

This diagnostic statement protects against Password Spraying through the use of hardened access control policies, secure defaults, password complexity requirements, multifactor authentication requirements, and removal of terminated accounts.

This diagnostic statement protects against Credential Stuffing through the use of hardened access control policies, secure defaults, password complexity requirements, multifactor authentication requirements, and removal of terminated accounts.

This diagnostic statement protects against Email Collection through the use of hardened access control policies, secure defaults, password complexity requirements, multifactor authentication requirements, and removal of terminated accounts.

This diagnostic statement protects against Remote Email Collection through the use of hardened access control policies, secure defaults, password complexity requirements, multifactor authentication requirements, and removal of terminated accounts.

This diagnostic statement protects against External Remote Services through the use of hardened access control policies, secure defaults, password complexity requirements, multifactor authentication requirements, and removal of terminated accounts.

This diagnostic statement protects against Access Token Manipulation through the use of hardened access control policies, secure defaults, password complexity requirements, multifactor authentication requirements, and removal of terminated accounts.

This diagnostic statement protects against Token Impersonation/Theft through the use of hardened access control policies, secure defaults, password complexity requirements, multifactor authentication requirements, and removal of terminated accounts.

This diagnostic statement protects against Create Process with Token through the use of hardened access control policies, secure defaults, password complexity requirements, multifactor authentication requirements, and removal of terminated accounts.

This diagnostic statement protects against Make and Impersonate Token through the use of hardened access control policies, secure defaults, password complexity requirements, multifactor authentication requirements, and removal of terminated accounts.

This diagnostic statement protects against SID-History Injection through the use of hardened access control policies, secure defaults, password complexity requirements, multifactor authentication requirements, and removal of terminated accounts.

This diagnostic statement protects against Create Account through the use of hardened access control policies, secure defaults, password complexity requirements, multifactor authentication requirements, and removal of terminated accounts.

This diagnostic statement protects against Local Account through the use of hardened access control policies, secure defaults, password complexity requirements, multifactor authentication requirements, and removal of terminated accounts.

This diagnostic statement protects against Domain Account through the use of hardened access control policies, secure defaults, password complexity requirements, multifactor authentication requirements, and removal of terminated accounts.

This diagnostic statement protects against Cloud Account through the use of hardened access control policies, secure defaults, password complexity requirements, multifactor authentication requirements, and removal of terminated accounts.

This diagnostic statement protects against Browser Session Hijacking through the use of hardened access control policies, secure defaults, password complexity requirements, multifactor authentication requirements, and removal of terminated accounts.

This diagnostic statement protects against Forced Authentication through the use of hardened access control policies, secure defaults, password complexity requirements, multifactor authentication requirements, and removal of terminated accounts.

This diagnostic statement protects against Supply Chain Compromise through the use of hardened access control policies, secure defaults, password complexity requirements, multifactor authentication requirements, and removal of terminated accounts.

This diagnostic statement protects against BITS Jobs through the use of hardened access control policies, secure defaults, password complexity requirements, multifactor authentication requirements, and removal of terminated accounts.

This diagnostic statement protects against Trusted Relationship through the use of hardened access control policies, secure defaults, password complexity requirements, multifactor authentication requirements, and removal of terminated accounts.

This diagnostic statement protects against Password Policy Discovery through the use of hardened access control policies, secure defaults, password complexity requirements, multifactor authentication requirements, and removal of terminated accounts.

This diagnostic statement protects against Data from Information Repositories through the use of hardened access control policies, secure defaults, password complexity requirements, multifactor authentication requirements, and removal of terminated accounts.

This diagnostic statement protects against Confluence through the use of hardened access control policies, secure defaults, password complexity requirements, multifactor authentication requirements, and removal of terminated accounts.

This diagnostic statement protects against Sharepoint through the use of hardened access control policies, secure defaults, password complexity requirements, multifactor authentication requirements, and removal of terminated accounts.

This diagnostic statement protects against Code Repositories through the use of hardened access control policies, secure defaults, password complexity requirements, multifactor authentication requirements, and removal of terminated accounts.

This diagnostic statement protects against Customer Relationship Management Software through the use of hardened access control policies, secure defaults, password complexity requirements, multifactor authentication requirements, and removal of terminated accounts.

This diagnostic statement protects against Domain or Tenant Policy Modification through the use of hardened access control policies, secure defaults, password complexity requirements, multifactor authentication requirements, and removal of terminated accounts.

This diagnostic statement protects against Group Policy Modification through the use of hardened access control policies, secure defaults, password complexity requirements, multifactor authentication requirements, and removal of terminated accounts.

This diagnostic statement protects against Trust Modification through the use of hardened access control policies, secure defaults, password complexity requirements, multifactor authentication requirements, and removal of terminated accounts.

This diagnostic statement protects against Data Destruction through the use of hardened access control policies, secure defaults, password complexity requirements, multifactor authentication requirements, and removal of terminated accounts.

This diagnostic statement protects against Lifecycle-Triggered Deletion through the use of hardened access control policies, secure defaults, password complexity requirements, multifactor authentication requirements, and removal of terminated accounts.

This diagnostic statement protects against Service Stop through the use of hardened access control policies, secure defaults, password complexity requirements, multifactor authentication requirements, and removal of terminated accounts.

This diagnostic statement protects against Inhibit System Recovery through the use of hardened access control policies, secure defaults, password complexity requirements, multifactor authentication requirements, and removal of terminated accounts.

This diagnostic statement protects against Server Software Component through the use of hardened access control policies, secure defaults, password complexity requirements, multifactor authentication requirements, and removal of terminated accounts.

This diagnostic statement protects against Web Shell through the use of hardened access control policies, secure defaults, password complexity requirements, multifactor authentication requirements, and removal of terminated accounts.

This diagnostic statement protects against Steal Application Access Token through the use of hardened access control policies, secure defaults, password complexity requirements, multifactor authentication requirements, and removal of terminated accounts.

This diagnostic statement protects against Data from Cloud Storage through the use of hardened access control policies, secure defaults, password complexity requirements, multifactor authentication requirements, and removal of terminated accounts.

This diagnostic statement protects against Transfer Data to Cloud Account through the use of hardened access control policies, secure defaults, password complexity requirements, multifactor authentication requirements, and removal of terminated accounts.

This diagnostic statement protects against Cloud Service Dashboard through the use of hardened access control policies, secure defaults, password complexity requirements, multifactor authentication requirements, and removal of terminated accounts.

This diagnostic statement protects against Steal Web Session Cookie through the use of hardened access control policies, secure defaults, password complexity requirements, multifactor authentication requirements, and removal of terminated accounts.

This diagnostic statement protects against Create or Modify System Process through the use of hardened access control policies, secure defaults, password complexity requirements, multifactor authentication requirements, and removal of terminated accounts.

This diagnostic statement protects against Systemd Service through the use of hardened access control policies, secure defaults, password complexity requirements, multifactor authentication requirements, and removal of terminated accounts.

This diagnostic statement protects against Windows Service through the use of hardened access control policies, secure defaults, password complexity requirements, multifactor authentication requirements, and removal of terminated accounts.

This diagnostic statement protects against Launch Daemon through the use of hardened access control policies, secure defaults, password complexity requirements, multifactor authentication requirements, and removal of terminated accounts.

This diagnostic statement protects against Container Service through the use of hardened access control policies, secure defaults, password complexity requirements, multifactor authentication requirements, and removal of terminated accounts.

This diagnostic statement protects against Event Triggered Execution through the use of hardened access control policies, secure defaults, password complexity requirements, multifactor authentication requirements, and removal of terminated accounts.

This diagnostic statement protects against Windows Management Instrumentation Event Subscription through the use of hardened access control policies, secure defaults, password complexity requirements, multifactor authentication requirements, and removal of terminated accounts.

This diagnostic statement protects against Application Shimming through the use of hardened access control policies, secure defaults, password complexity requirements, multifactor authentication requirements, and removal of terminated accounts.

This diagnostic statement protects against Boot or Logon Autostart Execution through the use of hardened access control policies, secure defaults, password complexity requirements, multifactor authentication requirements, and removal of terminated accounts.

This diagnostic statement protects against Winlogon Helper DLL through the use of hardened access control policies, secure defaults, password complexity requirements, multifactor authentication requirements, and removal of terminated accounts.

This diagnostic statement protects against Kernel Modules and Extensions through the use of hardened access control policies, secure defaults, password complexity requirements, multifactor authentication requirements, and removal of terminated accounts.

This diagnostic statement protects against Shortcut Modification through the use of hardened access control policies, secure defaults, password complexity requirements, multifactor authentication requirements, and removal of terminated accounts.

This diagnostic statement protects against Print Processors through the use of hardened access control policies, secure defaults, password complexity requirements, multifactor authentication requirements, and removal of terminated accounts.

This diagnostic statement protects against XDG Autostart Entries through the use of hardened access control policies, secure defaults, password complexity requirements, multifactor authentication requirements, and removal of terminated accounts.

This diagnostic statement protects against Abuse Elevation Control Mechanism through the use of hardened access control policies, secure defaults, password complexity requirements, multifactor authentication requirements, and removal of terminated accounts.

This diagnostic statement protects against Bypass User Account Control through the use of hardened access control policies, secure defaults, password complexity requirements, multifactor authentication requirements, and removal of terminated accounts.

This diagnostic statement protects against Temporary Elevated Cloud Access through the use of hardened access control policies, secure defaults, password complexity requirements, multifactor authentication requirements, and removal of terminated accounts.

This diagnostic statement protects against Use Alternate Authentication Material through the use of hardened access control policies, secure defaults, password complexity requirements, multifactor authentication requirements, and removal of terminated accounts.

This diagnostic statement protects against Application Access Token through the use of hardened access control policies, secure defaults, password complexity requirements, multifactor authentication requirements, and removal of terminated accounts.

This diagnostic statement protects against Pass the Hash through the use of hardened access control policies, secure defaults, password complexity requirements, multifactor authentication requirements, and removal of terminated accounts.

This diagnostic statement protects against Pass the Ticket through the use of hardened access control policies, secure defaults, password complexity requirements, multifactor authentication requirements, and removal of terminated accounts.

This diagnostic statement protects against Unsecured Credentials through the use of hardened access control policies, secure defaults, password complexity requirements, multifactor authentication requirements, and removal of terminated accounts.

This diagnostic statement protects against Credentials In Files through the use of hardened access control policies, secure defaults, password complexity requirements, multifactor authentication requirements, and removal of terminated accounts.

This diagnostic statement protects against Credentials in Registry through the use of hardened access control policies, secure defaults, password complexity requirements, multifactor authentication requirements, and removal of terminated accounts.

This diagnostic statement protects against Private Keys through the use of hardened access control policies, secure defaults, password complexity requirements, multifactor authentication requirements, and removal of terminated accounts.

This diagnostic statement protects against Group Policy Preferences through the use of hardened access control policies, secure defaults, password complexity requirements, multifactor authentication requirements, and removal of terminated accounts.

This diagnostic statement protects against Container API through the use of hardened access control policies, secure defaults, password complexity requirements, multifactor authentication requirements, and removal of terminated accounts.

This diagnostic statement protects against Credentials from Password Stores through the use of hardened access control policies, secure defaults, password complexity requirements, multifactor authentication requirements, and removal of terminated accounts.

This diagnostic statement protects against Keychain through the use of hardened access control policies, secure defaults, password complexity requirements, multifactor authentication requirements, and removal of terminated accounts.

This diagnostic statement protects against Credentials from Web Browsers through the use of hardened access control policies, secure defaults, password complexity requirements, multifactor authentication requirements, and removal of terminated accounts.

This diagnostic statement protects against Password Managers through the use of hardened access control policies, secure defaults, password complexity requirements, multifactor authentication requirements, and removal of terminated accounts.

This diagnostic statement protects against Modify Authentication Process through the use of hardened access control policies, secure defaults, password complexity requirements, multifactor authentication requirements, and removal of terminated accounts.

This diagnostic statement protects against Domain Controller Authentication through the use of hardened access control policies, secure defaults, password complexity requirements, multifactor authentication requirements, and removal of terminated accounts.

This diagnostic statement protects against Pluggable Authentication Modules through the use of hardened access control policies, secure defaults, password complexity requirements, multifactor authentication requirements, and removal of terminated accounts.

This diagnostic statement protects against Network Device Authentication through the use of hardened access control policies, secure defaults, password complexity requirements, multifactor authentication requirements, and removal of terminated accounts.

This diagnostic statement protects against Reversible Encryption through the use of hardened access control policies, secure defaults, password complexity requirements, multifactor authentication requirements, and removal of terminated accounts.

This diagnostic statement protects against Multi-Factor Authentication through the use of hardened access control policies, secure defaults, password complexity requirements, multifactor authentication requirements, and removal of terminated accounts.

This diagnostic statement protects against Hybrid Identity through the use of hardened access control policies, secure defaults, password complexity requirements, multifactor authentication requirements, and removal of terminated accounts.

This diagnostic statement protects against Conditional Access Policies through the use of hardened access control policies, secure defaults, password complexity requirements, multifactor authentication requirements, and removal of terminated accounts.

This diagnostic statement protects against Steal or Forge Kerberos Tickets through the use of hardened access control policies, secure defaults, password complexity requirements, multifactor authentication requirements, and removal of terminated accounts.

This diagnostic statement protects against Golden Ticket through the use of hardened access control policies, secure defaults, password complexity requirements, multifactor authentication requirements, and removal of terminated accounts.

This diagnostic statement protects against Silver Ticket through the use of hardened access control policies, secure defaults, password complexity requirements, multifactor authentication requirements, and removal of terminated accounts.

This diagnostic statement protects against Kerberoasting through the use of hardened access control policies, secure defaults, password complexity requirements, multifactor authentication requirements, and removal of terminated accounts.

This diagnostic statement protects against AS-REP Roasting through the use of hardened access control policies, secure defaults, password complexity requirements, multifactor authentication requirements, and removal of terminated accounts.

This diagnostic statement protects against Impair Defenses through the use of hardened access control policies, secure defaults, password complexity requirements, multifactor authentication requirements, and removal of terminated accounts.

This diagnostic statement protects against Disable or Modify Tools through the use of hardened access control policies, secure defaults, password complexity requirements, multifactor authentication requirements, and removal of terminated accounts.

This diagnostic statement protects against Disable Windows Event Logging through the use of hardened access control policies, secure defaults, password complexity requirements, multifactor authentication requirements, and removal of terminated accounts.

This diagnostic statement protects against Disable or Modify System Firewall through the use of hardened access control policies, secure defaults, password complexity requirements, multifactor authentication requirements, and removal of terminated accounts.

This diagnostic statement protects against Indicator Blocking through the use of hardened access control policies, secure defaults, password complexity requirements, multifactor authentication requirements, and removal of terminated accounts.

This diagnostic statement protects against Disable or Modify Cloud Firewall through the use of hardened access control policies, secure defaults, password complexity requirements, multifactor authentication requirements, and removal of terminated accounts.

This diagnostic statement protects against Disable or Modify Cloud Logs through the use of hardened access control policies, secure defaults, password complexity requirements, multifactor authentication requirements, and removal of terminated accounts.

This diagnostic statement protects against Disable or Modify Linux Audit System through the use of hardened access control policies, secure defaults, password complexity requirements, multifactor authentication requirements, and removal of terminated accounts.

This diagnostic statement protects against Remote Service Session Hijacking through the use of hardened access control policies, secure defaults, password complexity requirements, multifactor authentication requirements, and removal of terminated accounts.

This diagnostic statement protects against SSH Hijacking through the use of hardened access control policies, secure defaults, password complexity requirements, multifactor authentication requirements, and removal of terminated accounts.

This diagnostic statement protects against RDP Hijacking through the use of hardened access control policies, secure defaults, password complexity requirements, multifactor authentication requirements, and removal of terminated accounts.

This diagnostic statement protects against Phishing through the use of hardened access control policies, secure defaults, password complexity requirements, multifactor authentication requirements, and removal of terminated accounts.

This diagnostic statement protects against Spearphishing Attachment through the use of hardened access control policies, secure defaults, password complexity requirements, multifactor authentication requirements, and removal of terminated accounts.

This diagnostic statement protects against Spearphishing Link through the use of hardened access control policies, secure defaults, password complexity requirements, multifactor authentication requirements, and removal of terminated accounts.

This diagnostic statement protects against Spearphishing via Service through the use of hardened access control policies, secure defaults, password complexity requirements, multifactor authentication requirements, and removal of terminated accounts.

This diagnostic statement protects against System Services through the use of hardened access control policies, secure defaults, password complexity requirements, multifactor authentication requirements, and removal of terminated accounts.

This diagnostic statement protects against Launchctl through the use of hardened access control policies, secure defaults, password complexity requirements, multifactor authentication requirements, and removal of terminated accounts.

This diagnostic statement protects against Hijack Execution Flow through the use of hardened access control policies, secure defaults, password complexity requirements, multifactor authentication requirements, and removal of terminated accounts.

This diagnostic statement protects against Executable Installer File Permissions Weakness through the use of hardened access control policies, secure defaults, password complexity requirements, multifactor authentication requirements, and removal of terminated accounts.

This diagnostic statement protects against Services File Permissions Weakness through the use of hardened access control policies, secure defaults, password complexity requirements, multifactor authentication requirements, and removal of terminated accounts.

This diagnostic statement protects against COR_PROFILER through the use of hardened access control policies, secure defaults, password complexity requirements, multifactor authentication requirements, and removal of terminated accounts.

This diagnostic statement protects against Modify Cloud Compute Infrastructure through the use of hardened access control policies, secure defaults, password complexity requirements, multifactor authentication requirements, and removal of terminated accounts.

This diagnostic statement protects against Create Snapshot through the use of hardened access control policies, secure defaults, password complexity requirements, multifactor authentication requirements, and removal of terminated accounts.

This diagnostic statement protects against Create Cloud Instance through the use of hardened access control policies, secure defaults, password complexity requirements, multifactor authentication requirements, and removal of terminated accounts.

This diagnostic statement protects against Delete Cloud Instance through the use of hardened access control policies, secure defaults, password complexity requirements, multifactor authentication requirements, and removal of terminated accounts.

This diagnostic statement protects against Modify Cloud Compute Configurations through the use of hardened access control policies, secure defaults, password complexity requirements, multifactor authentication requirements, and removal of terminated accounts.

This diagnostic statement protects against Cloud Infrastructure Discovery through the use of hardened access control policies, secure defaults, password complexity requirements, multifactor authentication requirements, and removal of terminated accounts.

This diagnostic statement protects against Network Boundary Bridging through the use of hardened access control policies, secure defaults, password complexity requirements, multifactor authentication requirements, and removal of terminated accounts.

This diagnostic statement protects against Network Address Translation Traversal through the use of hardened access control policies, secure defaults, password complexity requirements, multifactor authentication requirements, and removal of terminated accounts.

This diagnostic statement protects against Modify System Image through the use of hardened access control policies, secure defaults, password complexity requirements, multifactor authentication requirements, and removal of terminated accounts.

This diagnostic statement protects against Patch System Image through the use of hardened access control policies, secure defaults, password complexity requirements, multifactor authentication requirements, and removal of terminated accounts.

This diagnostic statement protects against Downgrade System Image through the use of hardened access control policies, secure defaults, password complexity requirements, multifactor authentication requirements, and removal of terminated accounts.

This diagnostic statement protects against Forge Web Credentials through the use of hardened access control policies, secure defaults, password complexity requirements, multifactor authentication requirements, and removal of terminated accounts.

This diagnostic statement protects against SAML Tokens through the use of hardened access control policies, secure defaults, password complexity requirements, multifactor authentication requirements, and removal of terminated accounts.

This diagnostic statement protects against Container Administration Command through the use of hardened access control policies, secure defaults, password complexity requirements, multifactor authentication requirements, and removal of terminated accounts.

This diagnostic statement protects against Deploy Container through the use of hardened access control policies, secure defaults, password complexity requirements, multifactor authentication requirements, and removal of terminated accounts.

This diagnostic statement protects against Container and Resource Discovery through the use of hardened access control policies, secure defaults, password complexity requirements, multifactor authentication requirements, and removal of terminated accounts.

This diagnostic statement protects against Cloud Storage Object Discovery through the use of hardened access control policies, secure defaults, password complexity requirements, multifactor authentication requirements, and removal of terminated accounts.

This diagnostic statement protects against Multi-Factor Authentication Request Generation through the use of hardened access control policies, secure defaults, password complexity requirements, multifactor authentication requirements, and removal of terminated accounts.

This diagnostic statement protects against Serverless Execution through the use of hardened access control policies, secure defaults, password complexity requirements, multifactor authentication requirements, and removal of terminated accounts.

This diagnostic statement protects against Steal or Forge Authentication Certificates through the use of hardened access control policies, secure defaults, password complexity requirements, multifactor authentication requirements, and removal of terminated accounts.

This diagnostic statement protects against Log Enumeration through the use of hardened access control policies, secure defaults, password complexity requirements, multifactor authentication requirements, and removal of terminated accounts.

This diagnostic statement protects against Financial Theft through the use of hardened access control policies, secure defaults, password complexity requirements, multifactor authentication requirements, and removal of terminated accounts.

This diagnostic statement protects against Modify Cloud Resource Hierarchy through the use of hardened access control policies, secure defaults, password complexity requirements, multifactor authentication requirements, and removal of terminated accounts.