{"description": "Enterprise techniques mitigated by Account Use Policies, ATT&CK mitigation M1036 (v1.1)", "name": "Account Use Policies (M1036)", "domain": "enterprise-attack", "versions": {"layer": "4.5", "attack": "19", "navigator": "5.3.2"}, "techniques": [{"techniqueID": "T1110", "comment": "Set account lockout policies after a certain number of failed login attempts to prevent passwords from being guessed. Too strict a policy may create a denial of service condition and render environments un-usable, with all accounts used in the brute force being locked-out. Use conditional access policies to block logins from non-compliant devices or from outside defined organization IP ranges.(Citation: Microsoft Common Conditional Access Policies) Consider blocking risky authentication requests, such as those originating from anonymizing services/proxies.(Citation: Okta Block Anonymizing Services)", "score": 1, "showSubtechniques": true}, {"techniqueID": "T1110.001", "comment": "Set account lockout policies after a certain number of failed login attempts to prevent passwords from being guessed. Too strict a policy may create a denial of service condition and render environments un-usable, with all accounts used in the brute force being locked-out. Use conditional access policies to block logins from non-compliant devices or from outside defined organization IP ranges.(Citation: Microsoft Common Conditional Access Policies) Consider blocking risky authentication requests, such as those originating from anonymizing services/proxies.(Citation: Okta Block Anonymizing Services)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1110.003", "comment": "Set account lockout policies after a certain number of failed login attempts to prevent passwords from being guessed. Too strict a policy may create a denial of service condition and render environments un-usable, with all accounts used in the brute force being locked-out. Use conditional access policies to block logins from non-compliant devices or from outside defined organization IP ranges.(Citation: Microsoft Common Conditional Access Policies) Consider blocking risky authentication requests, such as those originating from anonymizing services/proxies.(Citation: Okta Block Anonymizing Services)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1110.004", "comment": "Set account lockout policies after a certain number of failed login attempts to prevent passwords from being guessed. Too strict a policy may create a denial of service condition and render environments un-usable, with all accounts used in the brute force being locked-out. Use conditional access policies to block logins from non-compliant devices or from outside defined organization IP ranges.(Citation: Microsoft Common Conditional Access Policies) Consider blocking risky authentication requests, such as those originating from anonymizing services/proxies.(Citation: Okta Block Anonymizing Services)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1621", "comment": "Enable account restrictions to prevent login attempts, and the subsequent 2FA/MFA service requests, from being initiated from suspicious locations or when the source of the login attempts does not match the location of the 2FA/MFA smart device. Use conditional access policies to block logins from non-compliant devices or from outside defined organization IP ranges.(Citation: Microsoft Common Conditional Access Policies)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1648", "comment": "Where possible, consider restricting access to and use of serverless functions. For example, conditional access policies can be applied to users attempting to create workflows in Microsoft Power Automate. Google Apps Scripts that use OAuth can be limited by restricting access to high-risk OAuth scopes.(Citation: Microsoft Developer Support Power Apps Conditional Access)(Citation: Google Workspace Apps Script Restrict OAuth Scopes)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1684", "comment": "Adds verification for helpdesk resets, approvals, and app consents commonly targeted by impersonation.(Citation: SE SentinelOne 2)(Citation: SE - Hackers Target Workday)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1550", "comment": "Where possible, consider restricting the use of authentication material outside of expected contexts.", "score": 1, "showSubtechniques": true}, {"techniqueID": "T1550.001", "comment": "Where possible, consider restricting the use of access tokens outside of expected contexts. For example, in AWS environments, consider using data perimeters to prevent credential use outside of an expected network.(Citation: AWS Data Perimeters)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1078", "comment": "Use conditional access policies to block logins from non-compliant devices or from outside defined organization IP ranges.(Citation: Microsoft Common Conditional Access Policies)", "score": 1, "showSubtechniques": true}, {"techniqueID": "T1078.004", "comment": "Use conditional access policies to block logins from non-compliant devices or from outside defined organization IP ranges.(Citation: Microsoft Common Conditional Access Policies)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}], "gradient": {"colors": ["#ffffff", "#66b1ff"], "minValue": 0, "maxValue": 1}, "legendItems": [{"label": "mitigated by Account Use Policies", "color": "#66b1ff"}]}