M365 ME-RBAC-E3 Mappings

Microsoft Entra roles allow you to grant granular permissions to your admins, abiding by the principle of least privilege. Microsoft Entra roles control access to Microsoft Entra resources such as users, groups, and applications.

Mappings

All rows below share the following fields. Capability ID: ME-RBAC-E3. Capability Description: Role Based Access Control. Category: protect. License Requirements: ME-ID Built-in Roles (Free). No references are listed for any row.

ATT&CK ID | ATT&CK Name | Value | Notes
T1078.001 | Default Accounts | partial | The RBAC control can be used to implement the principle of least privilege for account management, reducing the actions an adversary can perform with a default account. This scores Partial for its ability to minimize the overall number of accounts with management privileges.
T1213.002 | Sharepoint | partial | The RBAC control can be used to implement the principle of least privilege for access to SharePoint repositories, restricting access to only those accounts that require it. This scores Partial for its ability to minimize the attack surface of accounts with access to potentially valuable information.
T1213 | Data from Information Repositories | partial | The RBAC control can generally be used to protect against and limit adversary access to valuable information repositories. Although it does not have full coverage of this technique's sub-techniques, it also helps protect against procedure examples, resulting in an overall score of Partial.
T1199 | Trusted Relationship | partial | The RBAC control can be used to implement the principle of least privilege to properly manage the accounts and permissions of parties in trusted relationships. This scores Partial for its ability to minimize the potential for abuse by the party, and the impact if the party is compromised by an adversary.
T1562.008 | Disable or Modify Cloud Logs | partial | The RBAC control can be used to implement the principle of least privilege to limit the users with permission to modify logging policies to those who require it. This scores Partial for its ability to minimize the overall number of accounts able to modify cloud logging capabilities.
T1562 | Impair Defenses | minimal | The RBAC control can be used to partially protect against Disable or Modify Cloud Logs, but has minimal coverage of this technique's other sub-techniques and example procedures. Due to its Minimal coverage, it receives an overall score of Minimal.
T1530 | Data from Cloud Storage | partial | The RBAC control can be used to implement the principle of least privilege for cloud data storage access, restricting it to only those accounts that require it. This scores Partial for its ability to minimize the attack surface of accounts with storage solution access.
T1484.002 | Domain Trust Modification | partial | The RBAC control can be used to implement the principle of least privilege to limit the accounts with access to domain trusts. This scores Partial for its ability to minimize the overall number of accounts with these privileges.
T1484 | Domain Policy Modification | partial | The RBAC control can be used to implement the principle of least privilege to limit administrative accounts. This scores Partial for its ability to minimize the overall number of accounts that can modify domain policies.
T1556.007 | Hybrid Identity | partial | The RBAC control can be used to implement the principle of least privilege to limit Global Administrator accounts and ensure these accounts are cloud-only. This scores Partial for its ability to minimize hybrid accounts with administrative privileges.
T1556.006 | Multi-Factor Authentication | partial | The RBAC control can be used to implement the principle of least privilege to limit account management control of MFA. This scores Partial for its ability to minimize the overall number of accounts with the ability to change or disable MFA.
T1556 | Modify Authentication Process | minimal | The RBAC control can be used to limit cloud accounts with privileges relevant to authentication modification, but does not provide protection against this technique's other sub-techniques or example procedures. Due to its Minimal coverage, it receives a score of Minimal.
T1648 | Serverless Execution | partial | The RBAC control can be used to implement the principle of least privilege to limit accounts with permissions for serverless services to those that require them. This scores Partial for its ability to minimize the overall number of accounts with this ability.
T1059.009 | Cloud API | partial | The RBAC control can be used to implement the principle of least privilege to limit the API actions administrative accounts can take. This scores Partial for its ability to minimize the actions these accounts can perform.
T1059 | Command and Scripting Interpreter | minimal | The RBAC control can be used to partially protect against abuse of cloud APIs, but does not provide protection against this technique's other sub-techniques or example procedures. Due to its Minimal coverage, it receives a score of Minimal.
T1651 | Cloud Administration Command | partial | The RBAC control can be used to implement the principle of least privilege for account management, limiting the number of Global and Intune administrators to those required. This scores Partial for its ability to minimize the overall number of accounts with the associated privileges.
T1528 | Steal Application Access Token | partial | The RBAC control can be used to implement the principle of least privilege, limiting the accounts with access to application tokens. This receives a score of Partial for its ability to minimize the attack surface of accounts with this ability.
T1538 | Cloud Service Dashboard | partial | The RBAC control can be used to implement the principle of least privilege, limiting dashboard visibility to the accounts that need it. This receives a score of Partial for its ability to minimize the discovery value a dashboard may have in the event of a compromised account.
T1098.003 | Additional Cloud Roles | partial | The RBAC control can be used to implement the principle of least privilege for account management in order to limit the number of accounts with the ability to add additional cloud roles. This receives a score of Partial for its ability to minimize known accounts with the ability to add roles.
T1098.001 | Additional Cloud Credentials | partial | The RBAC control can be used to implement the principle of least privilege for account management in order to limit the number of accounts with the ability to add additional cloud credentials. This receives a score of Partial for its ability to minimize known accounts with the ability to add credentials.
T1098 | Account Manipulation | partial | The RBAC control can generally be used to implement the principle of least privilege to limit the number of accounts with management capabilities. It has Partial coverage of Account Manipulation sub-techniques, resulting in an overall score of Partial.
T1136.003 | Cloud Account | partial | The RBAC control can be used to implement the principle of least privilege for account management in order to limit the number of accounts that can create new accounts. This receives a score of Partial for its ability to minimize known accounts with the ability to create new accounts.
T1136 | Create Account | minimal | The RBAC control can generally be used to implement the principle of least privilege to protect against account creation. For the given product space, this control helps protect only against Cloud Account creation, and none of this technique's other sub-techniques or procedures. Due to overall Minimal coverage, it receives an overall score of Minimal.
T1078.004 | Cloud Accounts | partial | The RBAC control can be used to implement the principle of least privilege for account management, reducing the actions an adversary can perform with a cloud account. This scores Partial for its ability to minimize the overall number of accounts with management privileges.
T1078 | Valid Accounts | minimal | The RBAC control can be used to implement the principle of least privilege for account management, reducing the potential actions that can be taken with valid Default and Cloud Accounts. Although RBAC can limit the actions an adversary can take if a valid account has been compromised, it does not protect against the other variations of the technique's procedures. Due to overall Minimal coverage, it receives an overall score of Minimal.
T1087.004 | Cloud Account | partial | The RBAC control can be used to implement the principle of least privilege for account management, limiting the accounts that can be used to perform account discovery. This scores Partial for its ability to minimize the overall number of accounts with these role privileges.
T1087 | Account Discovery | minimal | The RBAC control can be used to partially protect against Cloud Account Discovery, but does not provide protection against this technique's other sub-techniques or example procedures. Due to its Minimal coverage, it receives an overall score of Minimal.
T1548.005 | Temporary Elevated Cloud Access | minimal | The RBAC control can be used to implement the principle of least privilege to limit cloud accounts to assuming, creating, or impersonating only the privileges they require. This scores Minimal for its ability to protect against the actions temporarily elevated accounts can take.