MicrosoftAntimalwareForAzure.yaml
version: 1
ATT&CK version: 8.2
creation date: 03/19/2021
name: Microsoft Antimalware for Azure
contact: [email protected]
organization: Center for Threat Informed Defense (CTID)
platform: Azure
tags:
  - Azure Security Center
description: >-
  Microsoft Antimalware for Azure is a free real-time protection that helps identify and remove
  viruses, spyware, and other malicious software. It generates alerts when known malicious or
  unwanted software tries to install itself or run on your Azure systems.
techniques:
  - id: T1566
    name: Phishing
    technique-scores:
      - category: Protect
        value: Minimal
      - category: Detect
        value: Minimal
    sub-techniques-scores:
      - sub-techniques:
          - id: T1566.001
            name: Spearphishing Attachment
        scores:
          - category: Protect
            value: Minimal
            comments: >-
              This control may quarantine and/or delete any spearphishing attachment that has been
              downloaded and matches a malware signature. Customized malware without a matching
              signature may not generate an alert.
          - category: Detect
            value: Partial
            comments: >-
              This control may detect any spearphishing attachment that has been downloaded and
              matches a malware signature. Customized malware without a matching signature may not
              generate an alert.
  - id: T1204
    name: User Execution
    technique-scores:
      - category: Protect
        value: Minimal
    sub-techniques-scores:
      - sub-techniques:
          - id: T1204.002
            name: Malicious File
        scores:
          - category: Protect
            value: Minimal
            comments: >-
              This control monitors activity in cloud services and on virtual machines to block
              malware execution. This is dependent on a signature being available.
          - category: Detect
            value: Minimal
            comments: >-
              This control monitors activity in cloud services and on virtual machines to detect
              malware execution. This is dependent on a signature being available.
  - id: T1105
    name: Ingress Tool Transfer
    technique-scores:
      - category: Protect
        value: Minimal
        comments: >-
          This control may scan created files for malware and proceed to quarantine and/or delete
          the file. This control is dependent on a signature being available.
      - category: Detect
        value: Minimal
        comments: >-
          This control may scan created files for malware. This control is dependent on a
          signature being available.
  - id: T1027
    name: Obfuscated Files or Information
    technique-scores:
      - category: Protect
        value: Minimal
      - category: Detect
        value: Minimal
    sub-techniques-scores:
      - sub-techniques:
          - id: T1027.002
            name: Software Packing
        scores:
          - category: Protect
            value: Minimal
            comments: >-
              This control may quarantine and/or delete malware that has been packed by well-known
              software packing utilities. These utilities can provide signatures that apply to a
              variety of malware.
          - category: Detect
            value: Minimal
            comments: >-
              This control may detect malware that has been packed by well-known software packing
              utilities. These utilities can provide signatures that apply to a variety of malware.
comments: >-
  Signature-based antimalware solutions are generally dependent on Indicators of Compromise (IOCs)
  such as file hashes and malware signatures. ATT&CK is primarily centered on behaviors and
  Tactics, Techniques, and Procedures (TTPs), hence the minimal number of techniques and scoring.
references:
  - 'https://docs.microsoft.com/en-us/azure/security/fundamentals/antimalware'
  - 'https://docs.microsoft.com/en-us/azure/security/fundamentals/antimalware-code-samples'