
M1036 Account Use Policies

Configure features related to account use like login attempt lockouts, specific login times, etc.

| Item | Value |
| --- | --- |
| ID | M1036 |
| Version | 1.0 |
| Created | 11 June 2019 |
| Last Modified | 21 October 2022 |

Techniques Addressed by Mitigation

| Domain | ID | Name | Use |
| --- | --- | --- | --- |
| enterprise | T1110 | Brute Force | Set account lockout policies after a certain number of failed login attempts to prevent passwords from being guessed. Too strict a policy may create a denial of service condition and render environments unusable, with all accounts used in the brute force being locked out. Use conditional access policies to block logins from non-compliant devices or from outside defined organization IP ranges.[1] |
| enterprise | T1110.001 | Password Guessing | Set account lockout policies after a certain number of failed login attempts to prevent passwords from being guessed. Too strict a policy may create a denial of service condition and render environments unusable, with all accounts used in the brute force being locked out. Use conditional access policies to block logins from non-compliant devices or from outside defined organization IP ranges.[1] |
| enterprise | T1110.003 | Password Spraying | Set account lockout policies after a certain number of failed login attempts to prevent passwords from being guessed. Too strict a policy may create a denial of service condition and render environments unusable, with all accounts used in the brute force being locked out. Use conditional access policies to block logins from non-compliant devices or from outside defined organization IP ranges.[1] |
| enterprise | T1110.004 | Credential Stuffing | Set account lockout policies after a certain number of failed login attempts to prevent passwords from being guessed. Too strict a policy may create a denial of service condition and render environments unusable, with all accounts used in the brute force being locked out. Use conditional access policies to block logins from non-compliant devices or from outside defined organization IP ranges.[1] |
| enterprise | T1621 | Multi-Factor Authentication Request Generation | Enable account restrictions to prevent login attempts, and the subsequent 2FA/MFA service requests, from being initiated from suspicious locations or when the source of the login attempts does not match the location of the 2FA/MFA smart device. Use conditional access policies to block logins from non-compliant devices or from outside defined organization IP ranges.[1] |
| enterprise | T1078 | Valid Accounts | Use conditional access policies to block logins from non-compliant devices or from outside defined organization IP ranges.[1] |
| enterprise | T1078.004 | Cloud Accounts | Use conditional access policies to block logins from non-compliant devices or from outside defined organization IP ranges.[1] |

References