GCP MAPPINGS

Google Cloud Platform (GCP) is a widely used cloud computing platform. This project maps the security controls native to GCP to MITRE ATT&CK®, providing resources for assessing how to protect against, detect, and respond to real-world threats as described in the ATT&CK knowledge base.

ATT&CK Versions: 10.0
ATT&CK Domain: Enterprise

Security Stack Mapping Methodology

Capability Groups

| ID | Capability Group Name | Number of Mappings | Number of Capabilities |
|---|---|---|---|
| virus_total | Virus Total | 5 | 1 |
| confidential_vm_and_compute_engine | Confidential VM and Compute Engine | 1 | 1 |
| cloud_hardware_security_module_(hsm) | Cloud Hardware Security Module (HSM) | 7 | 1 |
| certificate_authority_service | Certificate Authority Service | 1 | 1 |
| cloud_asset_inventory | Cloud Asset Inventory | 4 | 1 |
| identity_aware_proxy | Identity Aware Proxy | 7 | 1 |
| artifact_registry | Artifact Registry | 9 | 1 |
| google_kubernetes_engine | Google Kubernetes Engine | 7 | 1 |
| cloud_ids | Cloud IDS | 19 | 1 |
| resourcemanager | ResourceManager | 17 | 1 |
| actifio_go | Actifio Go | 9 | 1 |
| identityplatform | IdentityPlatform | 26 | 1 |
| anthosconfigmanagement | AnthosConfigManagement | 10 | 1 |
| web_risk | Web Risk | 4 | 1 |
| cloud_cdn | Cloud CDN | 1 | 1 |
| beyondcorp_enterprise | BeyondCorp Enterprise | 10 | 1 |
| cloud_identity | Cloud Identity | 12 | 1 |
| cloud_armor | Cloud Armor | 6 | 1 |
| endpoint_management | Endpoint Management | 4 | 1 |
| cloudvpn | CloudVPN | 6 | 1 |
| cloud_key_management | Cloud Key Management | 10 | 1 |
| titan_security_key | Titan Security Key | 1 | 1 |
| chronicle | Chronicle | 106 | 1 |
| access_transparency | Access Transparency | 2 | 1 |
| shielded_vm | Shielded VM | 2 | 1 |
| firewalls | Firewalls | 22 | 1 |
| security_command_center | Security Command Center | 30 | 1 |
| cloud_storage | Cloud Storage | 4 | 1 |
| cloud_data_loss_prevention | Cloud Data Loss Prevention | 1 | 1 |
| binary_authorization | Binary Authorization | 8 | 1 |
| advancedprotectionprogram | AdvancedProtectionProgram | 14 | 1 |
| secret_manager | Secret Manager | 4 | 1 |
| virtual_private_cloud | Virtual Private Cloud | 15 | 1 |
| policy_intelligence | Policy Intelligence | 18 | 1 |
| recaptcha_enterprise | ReCAPTCHA Enterprise | 3 | 1 |
| vpc_service_controls | VPC Service Controls | 5 | 1 |
| identity_and_access_management | Identity and Access Management | 10 | 1 |
| vmmanager | VMManager | 7 | 1 |
| container_registry | Container Registry | 5 | 1 |

All Mappings

| Capability ID | Capability Description | Category | Value | ATT&CK ID | ATT&CK Name |
|---|---|---|---|---|---|
| virus_total | Virus Total | protect | significant | T1566 | Phishing |
| virus_total | Virus Total | protect | partial | T1566.001 | Spearphishing Attachment |
| virus_total | Virus Total | protect | significant | T1059 | Command and Scripting Interpreter |
| virus_total | Virus Total | protect | significant | T1598.003 | Spearphishing Link |
| virus_total | Virus Total | protect | significant | T1566.002 | Spearphishing Link |
| confidential_vm_and_compute_engine | Confidential VM and Compute Engine | protect | significant | T1565.003 | Runtime Data Manipulation |
| cloud_hardware_security_module_(hsm) | Cloud Hardware Security Module (HSM) | protect | partial | T1552 | Unsecured Credentials |
| cloud_hardware_security_module_(hsm) | Cloud Hardware Security Module (HSM) | protect | partial | T1553 | Subvert Trust Controls |
| cloud_hardware_security_module_(hsm) | Cloud Hardware Security Module (HSM) | protect | partial | T1588.003 | Code Signing Certificates |
| cloud_hardware_security_module_(hsm) | Cloud Hardware Security Module (HSM) | protect | partial | T1588.004 | Digital Certificates |
| cloud_hardware_security_module_(hsm) | Cloud Hardware Security Module (HSM) | protect | partial | T1552.004 | Private Keys |
| cloud_hardware_security_module_(hsm) | Cloud Hardware Security Module (HSM) | protect | partial | T1552.001 | Credentials In Files |
| cloud_hardware_security_module_(hsm) | Cloud Hardware Security Module (HSM) | protect | partial | T1588 | Obtain Capabilities |
| certificate_authority_service | Certificate Authority Service | protect | minimal | T1040 | Network Sniffing |
| cloud_asset_inventory | Cloud Asset Inventory | detect | partial | T1098 | Account Manipulation |
| cloud_asset_inventory | Cloud Asset Inventory | detect | partial | T1098.001 | Additional Cloud Credentials |
| cloud_asset_inventory | Cloud Asset Inventory | detect | partial | T1078 | Valid Accounts |
| cloud_asset_inventory | Cloud Asset Inventory | detect | partial | T1078.004 | Cloud Accounts |
| identity_aware_proxy | Identity Aware Proxy | protect | minimal | T1550.001 | Application Access Token |
| identity_aware_proxy | Identity Aware Proxy | protect | minimal | T1528 | Steal Application Access Token |
| identity_aware_proxy | Identity Aware Proxy | detect | partial | T1528 | Steal Application Access Token |
| identity_aware_proxy | Identity Aware Proxy | detect | minimal | T1098.001 | Additional Cloud Credentials |
| identity_aware_proxy | Identity Aware Proxy | protect | partial | T1078 | Valid Accounts |
| identity_aware_proxy | Identity Aware Proxy | protect | partial | T1078.004 | Cloud Accounts |
| identity_aware_proxy | Identity Aware Proxy | protect | partial | T1190 | Exploit Public-Facing Application |
| artifact_registry | Artifact Registry | protect | partial | T1190 | Exploit Public-Facing Application |
| artifact_registry | Artifact Registry | protect | partial | T1068 | Exploitation for Privilege Escalation |
| artifact_registry | Artifact Registry | protect | partial | T1203 | Exploitation for Client Execution |
| artifact_registry | Artifact Registry | protect | partial | T1210 | Exploitation of Remote Services |
| artifact_registry | Artifact Registry | protect | partial | T1525 | Implant Internal Image |
| artifact_registry | Artifact Registry | protect | partial | T1610 | Deploy Container |
| artifact_registry | Artifact Registry | protect | minimal | T1072 | Software Deployment Tools |
| artifact_registry | Artifact Registry | protect | partial | T1211 | Exploitation for Defense Evasion |
| artifact_registry | Artifact Registry | detect | significant | T1212 | Exploitation for Credential Access |
| google_kubernetes_engine | Google Kubernetes Engine | protect | partial | T1613 | Container and Resource Discovery |
| google_kubernetes_engine | Google Kubernetes Engine | protect | partial | T1611 | Escape to Host |
| google_kubernetes_engine | Google Kubernetes Engine | detect | partial | T1611 | Escape to Host |
| google_kubernetes_engine | Google Kubernetes Engine | protect | partial | T1610 | Deploy Container |
| google_kubernetes_engine | Google Kubernetes Engine | protect | partial | T1053.007 | Container Orchestration Job |
| google_kubernetes_engine | Google Kubernetes Engine | protect | partial | T1609 | Container Administration Command |
| google_kubernetes_engine | Google Kubernetes Engine | detect | partial | T1525 | Implant Internal Image |
| cloud_ids | Cloud IDS | detect | significant | T1137 | Office Application Startup |
| cloud_ids | Cloud IDS | detect | significant | T1546.006 | LC_LOAD_DYLIB Addition |
| cloud_ids | Cloud IDS | detect | significant | T1204.002 | Malicious File |
| cloud_ids | Cloud IDS | detect | significant | T1055.002 | Portable Executable Injection |
| cloud_ids | Cloud IDS | detect | significant | T1221 | Template Injection |
| cloud_ids | Cloud IDS | detect | significant | T1505.003 | Web Shell |
| cloud_ids | Cloud IDS | detect | significant | T1204.003 | Malicious Image |
| cloud_ids | Cloud IDS | detect | significant | T1048 | Exfiltration Over Alternative Protocol |
| cloud_ids | Cloud IDS | detect | significant | T1041 | Exfiltration Over C2 Channel |
| cloud_ids | Cloud IDS | detect | significant | T1567 | Exfiltration Over Web Service |
| cloud_ids | Cloud IDS | detect | significant | T1567.002 | Exfiltration to Cloud Storage |
| cloud_ids | Cloud IDS | detect | significant | T1020 | Automated Exfiltration |
| cloud_ids | Cloud IDS | detect | significant | T1110 | Brute Force |
| cloud_ids | Cloud IDS | detect | significant | T1499 | Endpoint Denial of Service |
| cloud_ids | Cloud IDS | detect | significant | T1499.003 | Application Exhaustion Flood |
| cloud_ids | Cloud IDS | detect | significant | T1190 | Exploit Public-Facing Application |
| cloud_ids | Cloud IDS | detect | significant | T1566.002 | Spearphishing Link |
| cloud_ids | Cloud IDS | detect | significant | T1137.006 | Add-ins |
| cloud_ids | Cloud IDS | detect | significant | T1137.001 | Office Template Macros |
| resourcemanager | ResourceManager | protect | significant | T1580 | Cloud Infrastructure Discovery |
| resourcemanager | ResourceManager | detect | minimal | T1580 | Cloud Infrastructure Discovery |
| resourcemanager | ResourceManager | protect | partial | T1562 | Impair Defenses |
| resourcemanager | ResourceManager | protect | partial | T1562.007 | Disable or Modify Cloud Firewall |
| resourcemanager | ResourceManager | detect | partial | T1562.007 | Disable or Modify Cloud Firewall |
| resourcemanager | ResourceManager | protect | partial | T1562.008 | Disable Cloud Logs |
| resourcemanager | ResourceManager | detect | minimal | T1087 | Account Discovery |
| resourcemanager | ResourceManager | protect | minimal | T1087.004 | Cloud Account |
| resourcemanager | ResourceManager | detect | minimal | T1087.004 | Cloud Account |
| resourcemanager | ResourceManager | protect | partial | T1613 | Container and Resource Discovery |
| resourcemanager | ResourceManager | protect | minimal | T1552.007 | Container API |
| resourcemanager | ResourceManager | protect | minimal | T1098 | Account Manipulation |
| resourcemanager | ResourceManager | protect | minimal | T1098.001 | Additional Cloud Credentials |
| resourcemanager | ResourceManager | protect | minimal | T1078 | Valid Accounts |
| resourcemanager | ResourceManager | protect | minimal | T1078.004 | Cloud Accounts |
| resourcemanager | ResourceManager | protect | partial | T1562.001 | Disable or Modify Tools |
| resourcemanager | ResourceManager | protect | partial | T1562.002 | Disable Windows Event Logging |
| actifio_go | Actifio Go | respond | significant | T1565 | Data Manipulation |
| actifio_go | Actifio Go | protect | minimal | T1040 | Network Sniffing |
| actifio_go | Actifio Go | protect | partial | T1552 | Unsecured Credentials |
| actifio_go | Actifio Go | protect | partial | T1110 | Brute Force |
| actifio_go | Actifio Go | respond | significant | T1485 | Data Destruction |
| actifio_go | Actifio Go | respond | significant | T1486 | Data Encrypted for Impact |
| actifio_go | Actifio Go | respond | significant | T1491 | Defacement |
| actifio_go | Actifio Go | respond | significant | T1561 | Disk Wipe |
| actifio_go | Actifio Go | respond | significant | T1490 | Inhibit System Recovery |
| identityplatform | IdentityPlatform | protect | significant | T1098 | Account Manipulation |
| identityplatform | IdentityPlatform | protect | significant | T1098.001 | Additional Cloud Credentials |
| identityplatform | IdentityPlatform | protect | significant | T1110 | Brute Force |
| identityplatform | IdentityPlatform | protect | significant | T1110.001 | Password Guessing |
| identityplatform | IdentityPlatform | protect | significant | T1110.002 | Password Cracking |
| identityplatform | IdentityPlatform | protect | partial | T1078 | Valid Accounts |
| identityplatform | IdentityPlatform | protect | partial | T1078.004 | Cloud Accounts |
| identityplatform | IdentityPlatform | protect | partial | T1078.003 | Local Accounts |
| identityplatform | IdentityPlatform | protect | significant | T1110.003 | Password Spraying |
| identityplatform | IdentityPlatform | protect | significant | T1136 | Create Account |
| identityplatform | IdentityPlatform | protect | significant | T1136.003 | Cloud Account |
| identityplatform | IdentityPlatform | protect | partial | T1087 | Account Discovery |
| identityplatform | IdentityPlatform | protect | partial | T1087.004 | Cloud Account |
| identityplatform | IdentityPlatform | protect | partial | T1580 | Cloud Infrastructure Discovery |
| identityplatform | IdentityPlatform | protect | minimal | T1528 | Steal Application Access Token |
| identityplatform | IdentityPlatform | protect | minimal | T1550 | Use Alternate Authentication Material |
| identityplatform | IdentityPlatform | protect | minimal | T1550.001 | Application Access Token |
| identityplatform | IdentityPlatform | protect | minimal | T1562 | Impair Defenses |
| identityplatform | IdentityPlatform | protect | minimal | T1562.008 | Disable Cloud Logs |
| identityplatform | IdentityPlatform | protect | minimal | T1556 | Modify Authentication Process |
| identityplatform | IdentityPlatform | protect | partial | T1087.002 | Domain Account |
| identityplatform | IdentityPlatform | protect | significant | T1098.002 | Exchange Email Delegate Permissions |
| identityplatform | IdentityPlatform | protect | significant | T1098.003 | Add Office 365 Global Administrator Role |
| identityplatform | IdentityPlatform | protect | significant | T1098.004 | SSH Authorized Keys |
| identityplatform | IdentityPlatform | protect | significant | T1136.001 | Local Account |
| identityplatform | IdentityPlatform | protect | significant | T1136.002 | Domain Account |
| anthosconfigmanagement | AnthosConfigManagement | protect | partial | T1552.007 | Container API |
| anthosconfigmanagement | AnthosConfigManagement | protect | partial | T1525 | Implant Internal Image |
| anthosconfigmanagement | AnthosConfigManagement | detect | partial | T1525 | Implant Internal Image |
| anthosconfigmanagement | AnthosConfigManagement | protect | partial | T1609 | Container Administration Command |
| anthosconfigmanagement | AnthosConfigManagement | protect | partial | T1610 | Deploy Container |
| anthosconfigmanagement | AnthosConfigManagement | protect | significant | T1613 | Container and Resource Discovery |
| anthosconfigmanagement | AnthosConfigManagement | protect | partial | T1611 | Escape to Host |
| anthosconfigmanagement | AnthosConfigManagement | protect | partial | T1078 | Valid Accounts |
| anthosconfigmanagement | AnthosConfigManagement | protect | partial | T1078.001 | Default Accounts |
| anthosconfigmanagement | AnthosConfigManagement | protect | partial | T1078.004 | Cloud Accounts |
| web_risk | Web Risk | protect | partial | T1566 | Phishing |
| web_risk | Web Risk | protect | partial | T1598 | Phishing for Information |
| web_risk | Web Risk | protect | partial | T1204.001 | Malicious Link |
| web_risk | Web Risk | protect | partial | T1598.003 | Spearphishing Link |
| cloud_cdn | Cloud CDN | protect | partial | T1498 | Network Denial of Service |
| beyondcorp_enterprise | BeyondCorp Enterprise | protect | significant | T1048 | Exfiltration Over Alternative Protocol |
| beyondcorp_enterprise | BeyondCorp Enterprise | protect | significant | T1567 | Exfiltration Over Web Service |
| beyondcorp_enterprise | BeyondCorp Enterprise | protect | significant | T1567.002 | Exfiltration to Cloud Storage |
| beyondcorp_enterprise | BeyondCorp Enterprise | protect | partial | T1133 | External Remote Services |
| beyondcorp_enterprise | BeyondCorp Enterprise | protect | partial | T1189 | Drive-by Compromise |
| beyondcorp_enterprise | BeyondCorp Enterprise | detect | minimal | T1566.001 | Spearphishing Attachment |
| beyondcorp_enterprise | BeyondCorp Enterprise | protect | significant | T1566 | Phishing |
| beyondcorp_enterprise | BeyondCorp Enterprise | detect | significant | T1566 | Phishing |
| beyondcorp_enterprise | BeyondCorp Enterprise | detect | significant | T1071.001 | Web Protocols |
| beyondcorp_enterprise | BeyondCorp Enterprise | protect | significant | T1530 | Data from Cloud Storage Object |
| cloud_identity | Cloud Identity | protect | significant | T1110 | Brute Force |
| cloud_identity | Cloud Identity | protect | significant | T1110.003 | Password Spraying |
| cloud_identity | Cloud Identity | protect | partial | T1078 | Valid Accounts |
| cloud_identity | Cloud Identity | protect | partial | T1078.004 | Cloud Accounts |
| cloud_identity | Cloud Identity | protect | significant | T1110.001 | Password Guessing |
| cloud_identity | Cloud Identity | protect | significant | T1110.002 | Password Cracking |
| cloud_identity | Cloud Identity | protect | significant | T1110.004 | Credential Stuffing |
| cloud_identity | Cloud Identity | protect | partial | T1078.002 | Domain Accounts |
| cloud_identity | Cloud Identity | detect | minimal | T1021.004 | SSH |
| cloud_identity | Cloud Identity | protect | partial | T1213.003 | Code Repositories |
| cloud_identity | Cloud Identity | protect | partial | T1213 | Data from Information Repositories |
| cloud_identity | Cloud Identity | protect | minimal | T1133 | External Remote Services |
| cloud_armor | Cloud Armor | protect | partial | T1090 | Proxy |
| cloud_armor | Cloud Armor | protect | significant | T1190 | Exploit Public-Facing Application |
| cloud_armor | Cloud Armor | protect | significant | T1498 | Network Denial of Service |
| cloud_armor | Cloud Armor | protect | significant | T1499 | Endpoint Denial of Service |
| cloud_armor | Cloud Armor | protect | partial | T1018 | Remote System Discovery |
| cloud_armor | Cloud Armor | protect | partial | T1046 | Network Service Scanning |
| endpoint_management | Endpoint Management | protect | partial | T1110 | Brute Force |
| endpoint_management | Endpoint Management | respond | partial | T1078 | Valid Accounts |
| endpoint_management | Endpoint Management | protect | partial | T1052.001 | Exfiltration over USB |
| endpoint_management | Endpoint Management | protect | partial | T1567.002 | Exfiltration to Cloud Storage |
| cloudvpn | CloudVPN | protect | significant | T1040 | Network Sniffing |
| cloudvpn | CloudVPN | protect | significant | T1557 | Adversary-in-the-Middle |
| cloudvpn | CloudVPN | protect | partial | T1565 | Data Manipulation |
| cloudvpn | CloudVPN | protect | partial | T1565.002 | Transmitted Data Manipulation |
| cloudvpn | CloudVPN | protect | partial | T1557.002 | ARP Cache Poisoning |
| cloudvpn | CloudVPN | protect | partial | T1133 | External Remote Services |
| cloud_key_management | Cloud Key Management | protect | minimal | T1552 | Unsecured Credentials |
| cloud_key_management | Cloud Key Management | protect | significant | T1552.005 | Cloud Instance Metadata API |
| cloud_key_management | Cloud Key Management | protect | partial | T1588 | Obtain Capabilities |
| cloud_key_management | Cloud Key Management | protect | significant | T1553 | Subvert Trust Controls |
| cloud_key_management | Cloud Key Management | protect | partial | T1555 | Credentials from Password Stores |
| cloud_key_management | Cloud Key Management | protect | partial | T1528 | Steal Application Access Token |
| cloud_key_management | Cloud Key Management | protect | partial | T1588.003 | Code Signing Certificates |
| cloud_key_management | Cloud Key Management | protect | partial | T1588.004 | Digital Certificates |
| cloud_key_management | Cloud Key Management | protect | minimal | T1552.001 | Credentials In Files |
| cloud_key_management | Cloud Key Management | protect | minimal | T1552.004 | Private Keys |
| titan_security_key | Titan Security Key | protect | significant | T1566 | Phishing |
| chronicle | Chronicle | detect | minimal | T1021.002 | SMB/Windows Admin Shares |
| chronicle | Chronicle | detect | minimal | T1037 | Boot or Logon Initialization Scripts |
| chronicle | Chronicle | detect | minimal | T1053.005 | Scheduled Task |
| chronicle | Chronicle | detect | minimal | T1218.005 | Mshta |
| chronicle | Chronicle | detect | minimal | T1543.001 | Launch Agent |
| chronicle | Chronicle | detect | minimal | T1543.004 | Launch Daemon |
| chronicle | Chronicle | detect | minimal | T1546.001 | Change Default File Association |
| chronicle | Chronicle | detect | minimal | T1547.001 | Registry Run Keys / Startup Folder |
| chronicle | Chronicle | detect | minimal | T1547 | Boot or Logon Autostart Execution |
| chronicle | Chronicle | detect | minimal | T1546 | Event Triggered Execution |
| chronicle | Chronicle | detect | minimal | T1543 | Create or Modify System Process |
| chronicle | Chronicle | detect | minimal | T1548.002 | Bypass User Account Control |
| chronicle | Chronicle | detect | minimal | T1564.001 | Hidden Files and Directories |
| chronicle | Chronicle | detect | minimal | T1564 | Hide Artifacts |
| chronicle | Chronicle | detect | minimal | T1003.003 | NTDS |
| chronicle | Chronicle | detect | minimal | T1078 | Valid Accounts |
| chronicle | Chronicle | detect | minimal | T1134.005 | SID-History Injection |
| chronicle | Chronicle | detect | minimal | T1003 | OS Credential Dumping |
| chronicle | Chronicle | detect | minimal | T1548 | Abuse Elevation Control Mechanism |
| chronicle | Chronicle | detect | minimal | T1584.002 | DNS Server |
| chronicle | Chronicle | detect | minimal | T1562.004 | Disable or Modify System Firewall |
| chronicle | Chronicle | detect | minimal | T1098.001 | Additional Cloud Credentials |
| chronicle | Chronicle | detect | minimal | T1530 | Data from Cloud Storage Object |
| chronicle | Chronicle | detect | minimal | T1070.002 | Clear Linux or Mac System Logs |
| chronicle | Chronicle | detect | minimal | T1136.001 | Local Account |
| chronicle | Chronicle | detect | minimal | T1098 | Account Manipulation |
| chronicle | Chronicle | detect | minimal | T1106 | Native API |
| chronicle | Chronicle | detect | minimal | T1021.004 | SSH |
| chronicle | Chronicle | detect | minimal | T1578 | Modify Cloud Compute Infrastructure |
| chronicle | Chronicle | detect | minimal | T1052.001 | Exfiltration over USB |
| chronicle | Chronicle | detect | minimal | T1112 | Modify Registry |
| chronicle | Chronicle | detect | minimal | T1021 | Remote Services |
| chronicle | Chronicle | detect | minimal | T1052 | Exfiltration Over Physical Medium |
| chronicle | Chronicle | detect | minimal | T1053 | Scheduled Task/Job |
| chronicle | Chronicle | detect | minimal | T1070 | Indicator Removal on Host |
| chronicle | Chronicle | detect | minimal | T1134 | Access Token Manipulation |
| chronicle | Chronicle | detect | minimal | T1218 | Signed Binary Proxy Execution |
| chronicle | Chronicle | detect | minimal | T1584 | Compromise Infrastructure |
| chronicle | Chronicle | detect | minimal | T1056 | Input Capture |
| chronicle | Chronicle | detect | minimal | T1056.003 | Web Portal Capture |
| chronicle | Chronicle | detect | minimal | T1056.004 | Credential API Hooking |
| chronicle | Chronicle | detect | minimal | T1071.001 | Web Protocols |
| chronicle | Chronicle | detect | minimal | T1071 | Application Layer Protocol |
| chronicle | Chronicle | detect | minimal | T1059 | Command and Scripting Interpreter |
| chronicle | Chronicle | detect | minimal | T1218.010 | Regsvr32 |
| chronicle | Chronicle | detect | minimal | T1059.003 | Windows Command Shell |
| chronicle | Chronicle | detect | minimal | T1082 | System Information Discovery |
| chronicle | Chronicle | detect | minimal | T1218.003 | CMSTP |
| chronicle | Chronicle | detect | minimal | T1018 | Remote System Discovery |
| chronicle | Chronicle | detect | minimal | T1552 | Unsecured Credentials |
| chronicle | Chronicle | detect | minimal | T1486 | Data Encrypted for Impact |
| chronicle | Chronicle | detect | minimal | T1204 | User Execution |
| chronicle | Chronicle | detect | minimal | T1036.005 | Match Legitimate Name or Location |
| chronicle | Chronicle | detect | minimal | T1027.004 | Compile After Delivery |
| chronicle | Chronicle | detect | minimal | T1127.001 | MSBuild |
| chronicle | Chronicle | detect | minimal | T1127 | Trusted Developer Utilities Proxy Execution |
| chronicle | Chronicle | detect | minimal | T1190 | Exploit Public-Facing Application |
| chronicle | Chronicle | detect | minimal | T1068 | Exploitation for Privilege Escalation |
| chronicle | Chronicle | detect | minimal | T1036 | Masquerading |
| chronicle | Chronicle | detect | minimal | T1055 | Process Injection |
| chronicle | Chronicle | detect | minimal | T1210 | Exploitation of Remote Services |
| chronicle | Chronicle | detect | minimal | T1037.003 | Network Logon Script |
| chronicle | Chronicle | detect | minimal | T1212 | Exploitation for Credential Access |
| chronicle | Chronicle | detect | minimal | T1505.003 | Web Shell |
| chronicle | Chronicle | detect | minimal | T1059.007 | JavaScript |
| chronicle | Chronicle | detect | minimal | T1560 | Archive Collected Data |
| chronicle | Chronicle | detect | minimal | T1203 | Exploitation for Client Execution |
| chronicle | Chronicle | detect | minimal | T1132 | Data Encoding |
| chronicle | Chronicle | detect | minimal | T1132.001 | Standard Encoding |
| chronicle | Chronicle | detect | minimal | T1195.002 | Compromise Software Supply Chain |
| chronicle | Chronicle | detect | minimal | T1195 | Supply Chain Compromise |
| chronicle | Chronicle | detect | minimal | T1072 | Software Deployment Tools |
| chronicle | Chronicle | detect | minimal | T1546.007 | Netsh Helper DLL |
| chronicle | Chronicle | detect | minimal | T1505 | Server Software Component |
| chronicle | Chronicle | detect | minimal | T1574.007 | Path Interception by PATH Environment Variable |
| chronicle | Chronicle | detect | minimal | T1574 | Hijack Execution Flow |
| chronicle | Chronicle | detect | minimal | T1087.004 | Cloud Account |
| chronicle | Chronicle | detect | minimal | T1087 | Account Discovery |
| chronicle | Chronicle | detect | minimal | T1070.004 | File Deletion |
| chronicle | Chronicle | detect | minimal | T1020 | Automated Exfiltration |
| chronicle | Chronicle | detect | minimal | T1041 | Exfiltration Over C2 Channel |
| chronicle | Chronicle | detect | minimal | T1011 | Exfiltration Over Other Network Medium |
| chronicle | Chronicle | detect | minimal | T1027 | Obfuscated Files or Information |
| chronicle | Chronicle | detect | minimal | T1484 | Domain Policy Modification |
| chronicle | Chronicle | detect | minimal | T1136 | Create Account |
| chronicle | Chronicle | detect | minimal | T1543.003 | Windows Service |
| chronicle | Chronicle | detect | minimal | T1070.006 | Timestomp |
| chronicle | Chronicle | detect | minimal | T1003.001 | LSASS Memory |
| chronicle | Chronicle | detect | minimal | T1137.001 | Office Template Macros |
| chronicle | Chronicle | detect | minimal | T1137 | Office Application Startup |
| chronicle | Chronicle | detect | minimal | T1057 | Process Discovery |
| chronicle | Chronicle | detect | minimal | T1016 | System Network Configuration Discovery |
| chronicle | Chronicle | detect | minimal | T1049 | System Network Connections Discovery |
| chronicle | Chronicle | detect | minimal | T1033 | System Owner/User Discovery |
| chronicle | Chronicle | detect | minimal | T1588.002 | Tool |
| chronicle | Chronicle | detect | minimal | T1588 | Obtain Capabilities |
| chronicle | Chronicle | detect | minimal | T1070.001 | Clear Windows Event Logs |
| chronicle | Chronicle | detect | minimal | T1569.002 | Service Execution |
| chronicle | Chronicle | detect | minimal | T1569 | System Services |
| chronicle | Chronicle | detect | minimal | T1546.008 | Accessibility Features |
| chronicle | Chronicle | detect | minimal | T1048 | Exfiltration Over Alternative Protocol |
| chronicle | Chronicle | detect | minimal | T1105 | Ingress Tool Transfer |
| chronicle | Chronicle | detect | minimal | T1495 | Firmware Corruption |
| chronicle | Chronicle | detect | minimal | T1497 | Virtualization/Sandbox Evasion |
| chronicle | Chronicle | detect | minimal | T1202 | Indirect Command Execution |
| chronicle | Chronicle | detect | minimal | T1546.003 | Windows Management Instrumentation Event Subscription |
| access_transparency | Access Transparency | detect | minimal | T1199 | Trusted Relationship |
| access_transparency | Access Transparency | detect | minimal | T1530 | Data from Cloud Storage Object |
| shielded_vm | Shielded VM | protect | significant | T1542 | Pre-OS Boot |
| shielded_vm | Shielded VM | protect | partial | T1014 | Rootkit |
| firewalls | Firewalls | protect | partial | T1008 | Fallback Channels |
| firewalls | Firewalls | protect | partial | T1018 | Remote System Discovery |
| firewalls | Firewalls | protect | partial | T1021 | Remote Services |
| firewalls | Firewalls | protect | partial | T1041 | Exfiltration Over C2 Channel |
| firewalls | Firewalls | protect | partial | T1046 | Network Service Scanning |
| firewalls | Firewalls | protect | partial | T1048 | Exfiltration Over Alternative Protocol |
| firewalls | Firewalls | protect | significant | T1071 | Application Layer Protocol |
| firewalls | Firewalls | protect | partial | T1090 | Proxy |
| firewalls | Firewalls | protect | significant | T1095 | Non-Application Layer Protocol |
| firewalls | Firewalls | protect | partial | T1104 | Multi-Stage Channels |
| firewalls | Firewalls | protect | partial | T1133 | External Remote Services |
| firewalls | Firewalls | protect | significant | T1187 | Forced Authentication |
| firewalls | Firewalls | protect | partial | T1205 | Traffic Signaling |
| firewalls | Firewalls | protect | partial | T1219 | Remote Access Software |
| firewalls | Firewalls | protect | minimal | T1498 | Network Denial of Service |
| firewalls | Firewalls | protect | partial | T1499 | Endpoint Denial of Service |
| firewalls | Firewalls | protect | partial | T1530 | Data from Cloud Storage Object |
| firewalls | Firewalls | protect | minimal | T1542 | Pre-OS Boot |
| firewalls | Firewalls | protect | significant | T1571 | Non-Standard Port |
| firewalls | Firewalls | protect | partial | T1572 | Protocol Tunneling |
| firewalls | Firewalls | protect | partial | T1590 | Gather Victim Network Information |
| firewalls | Firewalls | protect | partial | T1595 | Active Scanning |
| security_command_center | Security Command Center | detect | significant | T1204.003 | Malicious Image |
| security_command_center | Security Command Center | detect | significant | T1525 | Implant Internal Image |
| security_command_center | Security Command Center | detect | significant | T1133 | External Remote Services |
| security_command_center | Security Command Center | detect | significant | T1505.003 | Web Shell |
| security_command_center | Security Command Center | detect | significant | T1105 | Ingress Tool Transfer |
| security_command_center | Security Command Center | detect | significant | T1059.004 | Unix Shell |
| security_command_center | Security Command Center | detect | significant | T1071.004 | DNS |
| security_command_center | Security Command Center | detect | significant | T1110 | Brute Force |
| security_command_center | Security Command Center | detect | significant | T1078.004 | Cloud Accounts |
| security_command_center | Security Command Center | detect | significant | T1562 | Impair Defenses |
| security_command_center | Security Command Center | detect | significant | T1567 | Exfiltration Over Web Service |
| security_command_center | Security Command Center | detect | significant | T1567.002 | Exfiltration to Cloud Storage |
| security_command_center | Security Command Center | detect | significant | T1505.001 | SQL Stored Procedures |
| security_command_center | Security Command Center | detect | significant | T1098.001 | Additional Cloud Credentials |
| security_command_center | Security Command Center | detect | significant | T1562.007 | Disable or Modify Cloud Firewall |
| security_command_center | Security Command Center | protect | significant | T1589.001 | Credentials |
| security_command_center | Security Command Center | detect | significant | T1496 | Resource Hijacking |
| security_command_center | Security Command Center | protect | significant | T1213.003 | Code Repositories |
| security_command_center | Security Command Center | protect | minimal | T1040 | Network Sniffing |
| security_command_center | Security Command Center | detect | significant | T1190 | Exploit Public-Facing Application |
| security_command_center | Security Command Center | detect | significant | T1078.001 | Default Accounts |
| security_command_center | Security Command Center | detect | significant | T1542 | Pre-OS Boot |
| security_command_center | Security Command Center | detect | significant | T1542.003 | Bootkit |
| security_command_center | Security Command Center | detect | significant | T1014 | Rootkit |
| security_command_center | Security Command Center | detect | significant | T1070 | Indicator Removal on Host |
| security_command_center | Security Command Center | detect | significant | T1484 | Domain Policy Modification |
| security_command_center | Security Command Center | detect | significant | T1136.003 | Cloud Account |
| security_command_center | Security Command Center | detect | significant | T1562.008 | Disable Cloud Logs |
| security_command_center | Security Command Center | detect | significant | T1578 | Modify Cloud Compute Infrastructure |
| security_command_center | Security Command Center | detect | partial | T1530 | Data from Cloud Storage Object |
| cloud_storage | Cloud Storage | protect | significant | T1530 | Data from Cloud Storage Object |
| cloud_storage | Cloud Storage | protect | significant | T1565.001 | Stored Data Manipulation |
| cloud_storage | Cloud Storage | protect | partial | T1588.004 | Digital Certificates |
| cloud_storage | Cloud Storage | protect | partial | T1588.003 | Code Signing Certificates |
| cloud_data_loss_prevention | Cloud Data Loss Prevention | protect | partial | T1530 | Data from Cloud Storage Object |
| binary_authorization | Binary Authorization | protect | significant | T1610 | Deploy Container |
| binary_authorization | Binary Authorization | protect | significant | T1053.007 | Container Orchestration Job |
| binary_authorization | Binary Authorization | protect | significant | T1612 | Build Image on Host |
| binary_authorization | Binary Authorization | protect | significant | T1554 | Compromise Client Software Binary |
| binary_authorization | Binary Authorization | protect | significant | T1525 | Implant Internal Image |
| binary_authorization | Binary Authorization | protect | significant | T1036.001 | Invalid Code Signature |
| binary_authorization | Binary Authorization | protect | significant | T1601 | Modify System Image |
| binary_authorization | Binary Authorization | protect | significant | T1204.003 | Malicious Image |
| advancedprotectionprogram | AdvancedProtectionProgram | protect | significant | T1098 | Account Manipulation |
| advancedprotectionprogram | AdvancedProtectionProgram | protect | significant | T1110 | Brute Force |
| advancedprotectionprogram | AdvancedProtectionProgram | protect | significant | T1136 | Create Account |
| advancedprotectionprogram | AdvancedProtectionProgram | protect | significant | T1530 | Data from Cloud Storage Object |
| advancedprotectionprogram | AdvancedProtectionProgram | protect | significant | T1114 | Email Collection |
| advancedprotectionprogram | AdvancedProtectionProgram | protect | significant | T1133 | External Remote Services |
| advancedprotectionprogram | AdvancedProtectionProgram | protect | significant | T1556 | Modify Authentication Process |
| advancedprotectionprogram | AdvancedProtectionProgram | protect | significant | T1021 | Remote Services |
| advancedprotectionprogram | AdvancedProtectionProgram | protect | significant | T1078.002 | Domain Accounts |
| advancedprotectionprogram | AdvancedProtectionProgram | protect | significant | T1078.004 | Cloud Accounts |
| advancedprotectionprogram | AdvancedProtectionProgram | protect | significant | T1110.001 | Password Guessing |
| advancedprotectionprogram | AdvancedProtectionProgram | protect | significant | T1110.002 | Password Cracking |
| advancedprotectionprogram | AdvancedProtectionProgram | protect | significant | T1110.003 | Password Spraying |
| advancedprotectionprogram | AdvancedProtectionProgram | protect | significant | T1110.004 | Credential Stuffing |
| secret_manager | Secret Manager | protect | partial | T1528 | Steal Application Access Token |
| secret_manager | Secret Manager | protect | partial | T1555 | Credentials from Password Stores |
| secret_manager | Secret Manager | protect | partial | T1552 | Unsecured Credentials |
| secret_manager | Secret Manager | protect | minimal | T1040 | Network Sniffing |
| virtual_private_cloud | Virtual Private Cloud | protect | significant | T1590 | Gather Victim Network Information |
| virtual_private_cloud | Virtual Private Cloud | protect | significant | T1590.004 | Network Topology |
| virtual_private_cloud | Virtual Private Cloud | protect | significant | T1590.005 | IP Addresses |
| virtual_private_cloud | Virtual Private Cloud | protect | significant | T1046 | Network Service Scanning |
| virtual_private_cloud | Virtual Private Cloud | protect | significant | T1135 | Network Share Discovery |
| virtual_private_cloud | Virtual Private Cloud | protect | significant | T1595 | Active Scanning |
| virtual_private_cloud | Virtual Private Cloud | protect | significant | T1595.001 | Scanning IP Blocks |
| virtual_private_cloud | Virtual Private Cloud | protect | significant | T1098 | Account Manipulation |
| virtual_private_cloud | Virtual Private Cloud | protect | partial | T1098.001 | Additional Cloud Credentials |
| virtual_private_cloud | Virtual Private Cloud | protect | partial | T1557 | Adversary-in-the-Middle |
| virtual_private_cloud | Virtual Private Cloud | protect | significant | T1602 | Data from Configuration Repository |
| virtual_private_cloud | Virtual Private Cloud | protect | significant | T1190 | Exploit Public-Facing Application |
| virtual_private_cloud | Virtual Private Cloud | protect | significant | T1552.007 | Container API |
| virtual_private_cloud | Virtual Private Cloud | protect | significant | T1018 | Remote System Discovery |
| virtual_private_cloud | Virtual Private Cloud | protect | minimal | T1570 | Lateral Tool Transfer |
| policy_intelligence | Policy Intelligence | protect | partial | T1087.004 | Cloud Account |
| policy_intelligence | Policy Intelligence | protect | minimal | T1580 | Cloud Infrastructure Discovery |
| policy_intelligence | Policy Intelligence | protect | partial | T1530 | Data from Cloud Storage Object |
| policy_intelligence | Policy Intelligence | detect | minimal | T1530 | Data from Cloud Storage Object |
| policy_intelligence | Policy Intelligence | protect | partial | T1538 | Cloud Service Dashboard |
| policy_intelligence | Policy Intelligence | protect | partial | T1578 | Modify Cloud Compute Infrastructure |
| policy_intelligence | Policy Intelligence | protect | partial | T1548.002 | Bypass User Account Control |
| policy_intelligence | Policy Intelligence | protect | partial | T1068 | Exploitation for Privilege Escalation |
| policy_intelligence | Policy Intelligence | protect | partial | T1562 | Impair Defenses |
| policy_intelligence | Policy Intelligence | protect | partial | T1078.004 | Cloud Accounts |
| policy_intelligence | Policy Intelligence | detect | minimal | T1078.004 | Cloud Accounts |
| policy_intelligence | Policy Intelligence | detect | minimal | T1562.008 | Disable Cloud Logs |
| policy_intelligence | Policy Intelligence | protect | partial | T1212 | Exploitation for Credential Access |
| policy_intelligence | Policy Intelligence | protect | partial | T1078 | Valid Accounts |
| policy_intelligence | Policy Intelligence | protect | partial | T1087 | Account Discovery |
| policy_intelligence | Policy Intelligence | protect | partial | T1098.001 | Additional Cloud Credentials |
| policy_intelligence | Policy Intelligence | protect | partial | T1098 | Account Manipulation |
| policy_intelligence | Policy Intelligence | protect | partial | T1222 | File and Directory Permissions Modification |
recaptcha_enterprise ReCAPTCHA Enterprise protect partial T1078.004 Cloud Accounts
recaptcha_enterprise ReCAPTCHA Enterprise detect significant T1110.004 Credential Stuffing
recaptcha_enterprise ReCAPTCHA Enterprise protect partial T1136.003 Cloud Account
vpc_service_controls VPC Service Controls protect significant T1078 Valid Accounts
vpc_service_controls VPC Service Controls protect significant T1537 Transfer Data to Cloud Account
vpc_service_controls VPC Service Controls protect significant T1530 Data from Cloud Storage Object
vpc_service_controls VPC Service Controls protect partial T1567 Exfiltration Over Web Service
vpc_service_controls VPC Service Controls protect partial T1619 Cloud Storage Object Discovery
identity_and_access_management Identity and Access Management protect partial T1098 Account Manipulation
identity_and_access_management Identity and Access Management protect partial T1098.001 Additional Cloud Credentials
identity_and_access_management Identity and Access Management protect minimal T1069 Permission Groups Discovery
identity_and_access_management Identity and Access Management protect minimal T1069.003 Cloud Groups
identity_and_access_management Identity and Access Management protect partial T1078 Valid Accounts
identity_and_access_management Identity and Access Management detect partial T1078 Valid Accounts
identity_and_access_management Identity and Access Management protect partial T1078.004 Cloud Accounts
identity_and_access_management Identity and Access Management protect partial T1087.004 Cloud Account
identity_and_access_management Identity and Access Management protect minimal T1087 Account Discovery
identity_and_access_management Identity and Access Management protect minimal T1613 Container and Resource Discovery
vmmanager VMManager protect partial T1068 Exploitation for Privilege Escalation
vmmanager VMManager protect partial T1190 Exploit Public-Facing Application
vmmanager VMManager protect partial T1203 Exploitation for Client Execution
vmmanager VMManager protect partial T1210 Exploitation of Remote Services
vmmanager VMManager protect partial T1211 Exploitation for Defense Evasion
vmmanager VMManager protect partial T1212 Exploitation for Credential Access
vmmanager VMManager protect partial T1072 Software Deployment Tools
container_registry Container Registry protect partial T1078 Valid Accounts
container_registry Container Registry protect partial T1068 Exploitation for Privilege Escalation
container_registry Container Registry protect partial T1525 Implant Internal Image
container_registry Container Registry protect partial T1610 Deploy Container
container_registry Container Registry detect partial T1212 Exploitation for Credential Access

Non-Mappable Capabilities

Non-mappable capabilities are either out of scope or cannot be mapped to any ATT&CK objects.
Capability ID Capability Description
cloud_nat Cloud NAT
data_catalog Data Catalog
assured_workloads Assured Workloads
packet_mirroring Packet Mirroring
siemplify Siemplify
terraform_on_google_cloud Terraform on Google Cloud
config_connector Config Connector
deployment_manager Deployment Manager
hybrid_connectivity Hybrid Connectivity
cloud_logging Cloud Logging