ATT&CK v15 has been released! Check out the blog post or release notes for more information.

Account Use Policies

Configure features related to account use like login attempt lockouts, specific login times, etc.

ID: M1036

Version: 1.0

Created: 11 June 2019

Last Modified: 21 October 2022

Version Permalink

Live Version

Techniques Addressed by Mitigation

Domain	ID		Name	Use
Enterprise	T1110		Brute Force	Set account lockout policies after a certain number of failed login attempts to prevent passwords from being guessed. Too strict a policy may create a denial of service condition and render environments un-usable, with all accounts used in the brute force being locked-out. Use conditional access policies to block logins from non-compliant devices or from outside defined organization IP ranges.^[1]
		.001	Password Guessing	Set account lockout policies after a certain number of failed login attempts to prevent passwords from being guessed. Too strict a policy may create a denial of service condition and render environments un-usable, with all accounts used in the brute force being locked-out. Use conditional access policies to block logins from non-compliant devices or from outside defined organization IP ranges.^[1]
		.003	Password Spraying	Set account lockout policies after a certain number of failed login attempts to prevent passwords from being guessed. Too strict a policy may create a denial of service condition and render environments un-usable, with all accounts used in the brute force being locked-out. Use conditional access policies to block logins from non-compliant devices or from outside defined organization IP ranges.^[1]
		.004	Credential Stuffing	Set account lockout policies after a certain number of failed login attempts to prevent passwords from being guessed. Too strict a policy may create a denial of service condition and render environments un-usable, with all accounts used in the brute force being locked-out. Use conditional access policies to block logins from non-compliant devices or from outside defined organization IP ranges.^[1]
Enterprise	T1621		Multi-Factor Authentication Request Generation	Enable account restrictions to prevent login attempts, and the subsequent 2FA/MFA service requests, from being initiated from suspicious locations or when the source of the login attempts do not match the location of the 2FA/MFA smart device. Use conditional access policies to block logins from non-compliant devices or from outside defined organization IP ranges.^[1]
Enterprise	T1078		Valid Accounts	Use conditional access policies to block logins from non-compliant devices or from outside defined organization IP ranges.^[1]
		.004	Cloud Accounts	Use conditional access policies to block logins from non-compliant devices or from outside defined organization IP ranges.^[1]

References

Microsoft. (2022, December 14). Conditional Access templates. Retrieved February 21, 2023.