Course of Action
ATT&CK Mitigation
Authors
Authors and/or Contributors |
---|
MITRE |
Registry Run Keys / Startup Folder Mitigation - T1060
Identify and block potentially malicious software that may be executed through run key or startup folder persistence using whitelisting (Citation: Beechey 2010) tools like AppLocker (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) or Software Restriction Policies (Citation: Corio 2008) where appropriate. (Citation: TechNet Applocker vs SRP)
Internal MISP references
UUID 8b36d944-f274-4d46-9acd-dbba6927ce7a
which can be used as unique global reference for Registry Run Keys / Startup Folder Mitigation - T1060
in MISP communities and other software using the MISP galaxy
External references
- http://blog.jpcert.or.jp/2016/01/windows-commands-abused-by-attackers.html - webarchive
- http://technet.microsoft.com/en-us/magazine/2008.06.srp.aspx - webarchive
- http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599 - webarchive
- https://apps.nsa.gov/iaarchive/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm - webarchive
- https://attack.mitre.org/mitigations/T1060 - webarchive
- https://technet.microsoft.com/en-us/library/ee791851.aspx - webarchive
Associated metadata
Metadata key | Value |
---|---|
external_id | T1060 |
Exfiltration Over Command and Control Channel Mitigation - T1041
Mitigations for command and control apply. Network intrusion detection and prevention systems that use network signatures to identify traffic for specific adversary malware can be used to mitigate activity at the network level. Signatures are often for unique indicators within protocols and may be based on the specific obfuscation technique used by a particular adversary or tool, and will likely be different across various malware families and versions. Adversaries will likely change tool command and control signatures over time or construct protocols in such a way as to avoid detection by common defensive tools. (Citation: University of Birmingham C2)
Internal MISP references
UUID 92c28497-2820-445e-9f3e-a03dd77dc0c8
which can be used as unique global reference for Exfiltration Over Command and Control Channel Mitigation - T1041
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
external_id | T1041 |
Exfiltration Over Other Network Medium Mitigation - T1011
Ensure host-based sensors maintain visibility into usage of all network adapters and prevent the creation of new ones where possible. (Citation: Microsoft GPO Bluetooth FEB 2009) (Citation: TechRepublic Wireless GPO FEB 2009)
Internal MISP references
UUID a98be93b-a75b-4dd4-8a72-4dfd0b5e25bb
which can be used as unique global reference for Exfiltration Over Other Network Medium Mitigation - T1011
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
external_id | T1011 |
Disable or Remove Feature or Program - M1042
Remove or deny access to unnecessary and potentially vulnerable software to prevent abuse by adversaries.
Internal MISP references
UUID eb88d97c-32f1-40be-80f0-d61a4b0b4b31
which can be used as unique global reference for Disable or Remove Feature or Program - M1042
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
external_id | M1042 |
Limit Access to Resource Over Network - M1035
Prevent access to file shares, remote access to systems, and unnecessary services. Mechanisms to limit access may include use of network concentrators, RDP gateways, etc.
Internal MISP references
UUID 1dcaeb21-9348-42ea-950a-f842aaf1ae1f
which can be used as unique global reference for Limit Access to Resource Over Network - M1035
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
external_id | M1035 |
Data from Network Shared Drive Mitigation - T1039
Identify unnecessary system utilities or potentially malicious software that may be used to collect data from a network share, and audit and/or block them by using whitelisting (Citation: Beechey 2010) tools, like AppLocker, (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) or Software Restriction Policies (Citation: Corio 2008) where appropriate. (Citation: TechNet Applocker vs SRP)
Internal MISP references
UUID d9727aee-48b8-4fdb-89e2-4c49746ba4dd
which can be used as unique global reference for Data from Network Shared Drive Mitigation - T1039
in MISP communities and other software using the MISP galaxy
External references
- http://blog.jpcert.or.jp/2016/01/windows-commands-abused-by-attackers.html - webarchive
- http://technet.microsoft.com/en-us/magazine/2008.06.srp.aspx - webarchive
- http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599 - webarchive
- https://apps.nsa.gov/iaarchive/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm - webarchive
- https://attack.mitre.org/mitigations/T1039 - webarchive
- https://technet.microsoft.com/en-us/library/ee791851.aspx - webarchive
Associated metadata
Metadata key | Value |
---|---|
external_id | T1039 |
Windows Management Instrumentation Event Subscription Mitigation - T1084
Disabling WMI services may cause system instability and should be evaluated to assess the impact to a network. By default, only administrators are allowed to connect remotely using WMI; restrict other users that are allowed to connect, or disallow all users from connecting remotely to WMI. Prevent credential overlap across systems of administrator and privileged accounts. (Citation: FireEye WMI 2015)
Internal MISP references
UUID 0bc3ce00-83bc-4a92-a042-79ffbc6af259
which can be used as unique global reference for Windows Management Instrumentation Event Subscription Mitigation - T1084
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
external_id | T1084 |
Custom Command and Control Protocol Mitigation - T1094
Properly configure firewalls and proxies to limit outgoing traffic to only necessary ports and through proper network gateway systems. Also ensure hosts are only provisioned to communicate over authorized interfaces.
Network intrusion detection and prevention systems that use network signatures to identify traffic for specific adversary malware can be used to mitigate activity at the network level. Signatures are often for unique indicators within protocols and may be based on the specific protocol used by a particular adversary or tool, and will likely be different across various malware families and versions. Adversaries will likely change tool C2 signatures over time or construct protocols in such a way as to avoid detection by common defensive tools. (Citation: University of Birmingham C2)
Internal MISP references
UUID f3d0c735-330f-43c2-8e8e-51bcfa51e8c3
which can be used as unique global reference for Custom Command and Control Protocol Mitigation - T1094
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
external_id | T1094 |
Image File Execution Options Injection Mitigation - T1183
This type of attack technique cannot be easily mitigated with preventive controls since it is based on the abuse of operating system design features. For example, mitigating all IFEO will likely have unintended side effects, such as preventing legitimate software (e.g., security products) from operating properly. (Citation: Microsoft IFEOorMalware July 2015) Efforts should be focused on preventing adversary tools from running earlier in the chain of activity and on identifying subsequent malicious behavior.
Identify and block potentially malicious software that may be executed through IFEO by using whitelisting (Citation: Beechey 2010) tools, like AppLocker, (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) that are capable of auditing and/or blocking unknown executables.
Internal MISP references
UUID 33f76731-b840-446f-bee0-53687dad24d9
which can be used as unique global reference for Image File Execution Options Injection Mitigation - T1183
in MISP communities and other software using the MISP galaxy
External references
- http://blog.jpcert.or.jp/2016/01/windows-commands-abused-by-attackers.html - webarchive
- http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599 - webarchive
- https://answers.microsoft.com/windows/forum/windows_10-security/part-of-windows-10-or-really-malware/af715663-a34a-423c-850d-2a46f369a54c - webarchive
- https://apps.nsa.gov/iaarchive/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm - webarchive
- https://attack.mitre.org/mitigations/T1183 - webarchive
Associated metadata
Metadata key | Value |
---|---|
external_id | T1183 |
SIP and Trust Provider Hijacking Mitigation - T1198
Ensure proper permissions are set for Registry hives to prevent users from modifying keys related to SIP and trust provider components. Also ensure that these values contain their full path to prevent DLL Search Order Hijacking. (Citation: SpectorOps Subverting Trust Sept 2017)
Consider removing unnecessary and/or stale SIPs. (Citation: SpectorOps Subverting Trust Sept 2017)
Restrict storage and execution of SIP DLLs to protected directories, such as C:\Windows, rather than user directories.
Enable whitelisting solutions such as AppLocker and/or Device Guard to block the loading of malicious SIP DLLs. Components may still be able to be hijacked to suitable functions already present on disk if malicious modifications to Registry keys are not prevented.
Internal MISP references
UUID ef273807-c465-4728-9cee-5823422f42ee
which can be used as unique global reference for SIP and Trust Provider Hijacking Mitigation - T1198
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
external_id | T1198 |
Standard Non-Application Layer Protocol Mitigation - T1095
Properly configure firewalls and proxies to limit outgoing traffic to only necessary ports and through proper network gateway systems. Also ensure hosts are only provisioned to communicate over authorized interfaces.
Network intrusion detection and prevention systems that use network signatures to identify traffic for specific adversary malware can be used to mitigate activity at the network level. Signatures are often for unique indicators within protocols and may be based on the specific obfuscation technique used by a particular adversary or tool, and will likely be different across various malware families and versions. Adversaries will likely change tool C2 signatures over time or construct protocols in such a way as to avoid detection by common defensive tools. (Citation: University of Birmingham C2)
Internal MISP references
UUID 399d9038-b100-43ef-b28d-a5065106b935
which can be used as unique global reference for Standard Non-Application Layer Protocol Mitigation - T1095
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
external_id | T1095 |
Deobfuscate/Decode Files or Information Mitigation - T1140
Identify unnecessary system utilities or potentially malicious software that may be used to deobfuscate or decode files or information, and audit and/or block them by using whitelisting (Citation: Beechey 2010) tools, like AppLocker, (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) or Software Restriction Policies (Citation: Corio 2008) where appropriate. (Citation: TechNet Applocker vs SRP)
Internal MISP references
UUID d01f473f-3cdc-4867-9e55-1de9cf1986f0
which can be used as unique global reference for Deobfuscate/Decode Files or Information Mitigation - T1140
in MISP communities and other software using the MISP galaxy
External references
- http://blog.jpcert.or.jp/2016/01/windows-commands-abused-by-attackers.html - webarchive
- http://technet.microsoft.com/en-us/magazine/2008.06.srp.aspx - webarchive
- http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599 - webarchive
- https://apps.nsa.gov/iaarchive/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm - webarchive
- https://attack.mitre.org/mitigations/T1140 - webarchive
- https://technet.microsoft.com/en-us/library/ee791851.aspx - webarchive
Associated metadata
Metadata key | Value |
---|---|
external_id | T1140 |
Deploy Compromised Device Detection Method - M1010
A variety of methods exist that can be used to enable enterprises to identify compromised (e.g. rooted/jailbroken) devices, whether using security mechanisms built directly into the device, third-party mobile security applications, enterprise mobility management (EMM)/mobile device management (MDM) capabilities, or other methods. Some methods may be trivial to evade while others may be more sophisticated.
Internal MISP references
UUID cf2cccb1-cab8-431a-8ecf-f7874d05f433
which can be used as unique global reference for Deploy Compromised Device Detection Method - M1010
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
external_id | M1010 |
Data Transfer Size Limits Mitigation - T1030
Network intrusion detection and prevention systems that use network signatures to identify traffic for specific adversary command and control infrastructure and malware can be used to mitigate activity at the network level. Signatures are often for unique indicators within protocols and may be based on the specific obfuscation technique used by a particular adversary or tool, and will likely be different across various malware families and versions. Adversaries will likely change tool command and control signatures over time or construct protocols in such a way as to avoid detection by common defensive tools. (Citation: University of Birmingham C2)
Internal MISP references
UUID ba06d68a-4891-4eb5-b634-152e05ec60ee
which can be used as unique global reference for Data Transfer Size Limits Mitigation - T1030
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
external_id | T1030 |
Data from Local System Mitigation - T1005
Identify unnecessary system utilities or potentially malicious software that may be used to collect data from the local system, and audit and/or block them by using whitelisting (Citation: Beechey 2010) tools, like AppLocker, (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) or Software Restriction Policies (Citation: Corio 2008) where appropriate. (Citation: TechNet Applocker vs SRP)
Internal MISP references
UUID 7ee0879d-ce4f-4f54-a96b-c532dfb98ffd
which can be used as unique global reference for Data from Local System Mitigation - T1005
in MISP communities and other software using the MISP galaxy
External references
- http://technet.microsoft.com/en-us/magazine/2008.06.srp.aspx - webarchive
- http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599 - webarchive
- https://apps.nsa.gov/iaarchive/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm - webarchive
- https://attack.mitre.org/mitigations/T1005 - webarchive
- https://blogs.jpcert.or.jp/en/2016/01/windows-commands-abused-by-attackers.html - webarchive
- https://technet.microsoft.com/en-us/library/ee791851.aspx - webarchive
Associated metadata
Metadata key | Value |
---|---|
external_id | T1005 |
File System Logical Offsets Mitigation - T1006
Identify potentially malicious software that may be used to access logical drives in this manner, and audit and/or block it by using whitelisting (Citation: Beechey 2010) tools, like AppLocker, (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) or Software Restriction Policies (Citation: Corio 2008) where appropriate. (Citation: TechNet Applocker vs SRP)
Internal MISP references
UUID 902286b2-96cc-4dd7-931f-e7340c9961da
which can be used as unique global reference for File System Logical Offsets Mitigation - T1006
in MISP communities and other software using the MISP galaxy
External references
- http://technet.microsoft.com/en-us/magazine/2008.06.srp.aspx - webarchive
- http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599 - webarchive
- https://apps.nsa.gov/iaarchive/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm - webarchive
- https://attack.mitre.org/mitigations/T1006 - webarchive
- https://blogs.jpcert.or.jp/en/2016/01/windows-commands-abused-by-attackers.html - webarchive
- https://technet.microsoft.com/en-us/library/ee791851.aspx - webarchive
Associated metadata
Metadata key | Value |
---|---|
external_id | T1006 |
Caution with Device Administrator Access - M1007
Warn device users not to accept requests to grant Device Administrator access to applications without good reason.
Additionally, application vetting should include a check on whether the application requests Device Administrator access. Applications that do request Device Administrator access should be carefully scrutinized and only allowed to be used if a valid reason exists.
Internal MISP references
UUID e944670c-d03a-4e93-a21c-b3d4c53ec4c9
which can be used as unique global reference for Caution with Device Administrator Access - M1007
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
external_id | M1007 |
Indicator Removal on Host Mitigation - T1070
Automatically forward events to a log server or data repository to prevent conditions in which the adversary can locate and manipulate data on the local system. When possible, minimize time delay on event reporting to avoid prolonged storage on the local system. Protect generated event files that are stored locally with proper permissions and authentication, and limit adversaries' opportunities for Privilege Escalation. Obfuscate/encrypt event files locally and in transit to avoid giving feedback to an adversary.
Internal MISP references
UUID 6cac62ce-550b-4793-8ee6-6a1b8836edb0
which can be used as unique global reference for Indicator Removal on Host Mitigation - T1070
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
external_id | T1070 |
Exploitation of Remote Services Mitigation - T1210
Segment networks and systems appropriately to reduce access to critical systems and services to controlled methods. Minimize available services to only those that are necessary. Regularly scan the internal network for available services to identify new and potentially vulnerable services. Minimize permissions and access for service accounts to limit impact of exploitation.
Update software regularly by employing patch management for internal enterprise endpoints and servers. Develop a robust cyber threat intelligence capability to determine what types and levels of threat may use software exploits and 0-days against a particular organization. Make it difficult for adversaries to advance their operation through exploitation of undiscovered or unpatched vulnerabilities by using sandboxing, if available. Other types of virtualization and application microsegmentation may also mitigate the impact of some types of exploitation. The risks of additional exploits and weaknesses in implementation may still exist. (Citation: Ars Technica Pwn2Own 2017 VM Escape)
Security applications that look for behavior used during exploitation such as Windows Defender Exploit Guard (WDEG) and the Enhanced Mitigation Experience Toolkit (EMET) can be used to mitigate some exploitation behavior. (Citation: TechNet Moving Beyond EMET) Control flow integrity checking is another way to potentially identify and stop a software exploit from occurring. (Citation: Wikipedia Control Flow Integrity) Many of these protections depend on the architecture and target application binary for compatibility and may not work for all software or services targeted.
Internal MISP references
UUID 14b63e6b-7531-4476-9e60-02cc5db48b62
which can be used as unique global reference for Exploitation of Remote Services Mitigation - T1210
in MISP communities and other software using the MISP galaxy
External references
- https://arstechnica.com/information-technology/2017/03/hack-that-escapes-vm-by-exploiting-edge-browser-fetches-105000-at-pwn2own/ - webarchive
- https://attack.mitre.org/mitigations/T1210 - webarchive
- https://blogs.technet.microsoft.com/srd/2017/08/09/moving-beyond-emet-ii-windows-defender-exploit-guard/ - webarchive
- https://en.wikipedia.org/wiki/Control-flow_integrity - webarchive
Associated metadata
Metadata key | Value |
---|---|
external_id | T1210 |
System Network Configuration Discovery Mitigation - T1016
Identify unnecessary system utilities or potentially malicious software that may be used to acquire information about a system's network configuration, and audit and/or block them by using whitelisting (Citation: Beechey 2010) tools, like AppLocker, (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) or Software Restriction Policies (Citation: Corio 2008) where appropriate. (Citation: TechNet Applocker vs SRP)
Internal MISP references
UUID 684feec3-f9ba-4049-9d8f-52d52f3e0e40
which can be used as unique global reference for System Network Configuration Discovery Mitigation - T1016
in MISP communities and other software using the MISP galaxy
External references
- http://blog.jpcert.or.jp/2016/01/windows-commands-abused-by-attackers.html - webarchive
- http://technet.microsoft.com/en-us/magazine/2008.06.srp.aspx - webarchive
- http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599 - webarchive
- https://apps.nsa.gov/iaarchive/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm - webarchive
- https://attack.mitre.org/mitigations/T1016 - webarchive
- https://technet.microsoft.com/en-us/library/ee791851.aspx - webarchive
Associated metadata
Metadata key | Value |
---|---|
external_id | T1016 |
Replication Through Removable Media Mitigation - T1091
Disable Autorun if it is unnecessary. (Citation: Microsoft Disable Autorun) Disallow or restrict removable media at an organizational policy level if it is not required for business operations. (Citation: TechNet Removable Media Control)
Identify potentially malicious software that may be used to infect removable media or may result from tainted removable media, and audit and/or block it by using whitelisting (Citation: Beechey 2010) tools, like AppLocker, (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) or Software Restriction Policies (Citation: Corio 2008) where appropriate. (Citation: TechNet Applocker vs SRP)
Internal MISP references
UUID effb83a0-ead1-4b36-b7f6-b7bdf9c4616e
which can be used as unique global reference for Replication Through Removable Media Mitigation - T1091
in MISP communities and other software using the MISP galaxy
External references
- http://blog.jpcert.or.jp/2016/01/windows-commands-abused-by-attackers.html - webarchive
- http://technet.microsoft.com/en-us/magazine/2008.06.srp.aspx - webarchive
- http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599 - webarchive
- https://apps.nsa.gov/iaarchive/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm - webarchive
- https://attack.mitre.org/mitigations/T1091 - webarchive
- https://support.microsoft.com/en-us/kb/967715 - webarchive
- https://technet.microsoft.com/en-us/library/cc772540(v=ws.10).aspx - webarchive
- https://technet.microsoft.com/en-us/library/ee791851.aspx - webarchive
Associated metadata
Metadata key | Value |
---|---|
external_id | T1091 |
Restrict File and Directory Permissions - M1022
Restrict access by setting directory and file permissions that are not specific to users or privileged accounts.
Internal MISP references
UUID 987988f0-cf86-4680-a875-2f6456ab2448
which can be used as unique global reference for Restrict File and Directory Permissions - M1022
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
external_id | M1022 |
Exploitation for Client Execution Mitigation - T1203
Browser sandboxes can be used to mitigate some of the impact of exploitation, but sandbox escapes may still exist. (Citation: Windows Blogs Microsoft Edge Sandbox) (Citation: Ars Technica Pwn2Own 2017 VM Escape)
Other types of virtualization and application microsegmentation may also mitigate the impact of client-side exploitation. The risks of additional exploits and weaknesses in implementation may still exist. (Citation: Ars Technica Pwn2Own 2017 VM Escape)
Security applications that look for behavior used during exploitation such as Windows Defender Exploit Guard (WDEG) and the Enhanced Mitigation Experience Toolkit (EMET) can be used to mitigate some exploitation behavior. (Citation: TechNet Moving Beyond EMET) Control flow integrity checking is another way to potentially identify and stop a software exploit from occurring. (Citation: Wikipedia Control Flow Integrity) Many of these protections depend on the architecture and target application binary for compatibility.
Internal MISP references
UUID f2dcee22-c275-405e-87fd-48630a19dfba
which can be used as unique global reference for Exploitation for Client Execution Mitigation - T1203
in MISP communities and other software using the MISP galaxy
External references
- https://arstechnica.com/information-technology/2017/03/hack-that-escapes-vm-by-exploiting-edge-browser-fetches-105000-at-pwn2own/ - webarchive
- https://attack.mitre.org/mitigations/T1203 - webarchive
- https://blogs.technet.microsoft.com/srd/2017/08/09/moving-beyond-emet-ii-windows-defender-exploit-guard/ - webarchive
- https://blogs.windows.com/msedgedev/2017/03/23/strengthening-microsoft-edge-sandbox/ - webarchive
- https://en.wikipedia.org/wiki/Control-flow_integrity - webarchive
Associated metadata
Metadata key | Value |
---|---|
external_id | T1203 |
Change Default File Association Mitigation - T1042
Direct mitigation of this technique is not recommended since it is a legitimate function that can be performed by users for software preferences. Follow Microsoft's best practices for file associations. (Citation: MSDN File Associations)
Identify and block potentially malicious software that may be executed by this technique using whitelisting (Citation: Beechey 2010) tools, like AppLocker, (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) or Software Restriction Policies (Citation: Corio 2008) where appropriate. (Citation: TechNet Applocker vs SRP)
Internal MISP references
UUID d7c49196-b40e-42bc-8eed-b803113692ed
which can be used as unique global reference for Change Default File Association Mitigation - T1042
in MISP communities and other software using the MISP galaxy
External references
- http://blog.jpcert.or.jp/2016/01/windows-commands-abused-by-attackers.html - webarchive
- http://technet.microsoft.com/en-us/magazine/2008.06.srp.aspx - webarchive
- http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599 - webarchive
- https://apps.nsa.gov/iaarchive/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm - webarchive
- https://attack.mitre.org/mitigations/T1042 - webarchive
- https://msdn.microsoft.com/en-us/library/cc144156.aspx - webarchive
- https://technet.microsoft.com/en-us/library/ee791851.aspx - webarchive
Associated metadata
Metadata key | Value |
---|---|
external_id | T1042 |
Data from Removable Media Mitigation - T1025
Identify unnecessary system utilities or potentially malicious software that may be used to collect data from removable media, and audit and/or block them by using whitelisting (Citation: Beechey 2010) tools, like AppLocker, (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) or Software Restriction Policies (Citation: Corio 2008) where appropriate. (Citation: TechNet Applocker vs SRP)
Internal MISP references
UUID 39706d54-0d06-4a25-816a-78cc43455100
which can be used as unique global reference for Data from Removable Media Mitigation - T1025
in MISP communities and other software using the MISP galaxy
External references
- http://blog.jpcert.or.jp/2016/01/windows-commands-abused-by-attackers.html - webarchive
- http://technet.microsoft.com/en-us/magazine/2008.06.srp.aspx - webarchive
- http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599 - webarchive
- https://apps.nsa.gov/iaarchive/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm - webarchive
- https://attack.mitre.org/mitigations/T1025 - webarchive
- https://technet.microsoft.com/en-us/library/ee791851.aspx - webarchive
Associated metadata
Metadata key | Value |
---|---|
external_id | T1025 |
Exfiltration Over Physical Medium Mitigation - T1052
Disable Autorun if it is unnecessary. (Citation: Microsoft Disable Autorun) Disallow or restrict removable media at an organizational policy level if they are not required for business operations. (Citation: TechNet Removable Media Control)
Internal MISP references
UUID e547ed6a-f1ca-40df-8613-2ce27927f145
which can be used as unique global reference for Exfiltration Over Physical Medium Mitigation - T1052
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
external_id | T1052 |
Communication Through Removable Media Mitigation - T1092
Disable Autorun if it is unnecessary. (Citation: Microsoft Disable Autorun) Disallow or restrict removable media at an organizational policy level if they are not required for business operations. (Citation: TechNet Removable Media Control)
Internal MISP references
UUID b8d57b16-d8e2-428c-a645-1083795b3445
which can be used as unique global reference for Communication Through Removable Media Mitigation - T1092
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
external_id | T1092 |
File and Directory Discovery Mitigation - T1083
File system activity is a common part of an operating system, so it is unlikely that mitigation would be appropriate for this technique. It may still be beneficial to identify and block unnecessary system utilities or potentially malicious software by using whitelisting (Citation: Beechey 2010) tools, like AppLocker, (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) or Software Restriction Policies (Citation: Corio 2008) where appropriate. (Citation: TechNet Applocker vs SRP)
Internal MISP references
UUID 2ace01f8-67c8-43eb-b7b1-a7b9f1fe67e1
which can be used as unique global reference for File and Directory Discovery Mitigation - T1083
in MISP communities and other software using the MISP galaxy
External references
- http://blog.jpcert.or.jp/2016/01/windows-commands-abused-by-attackers.html - webarchive
- http://technet.microsoft.com/en-us/magazine/2008.06.srp.aspx - webarchive
- http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599 - webarchive
- https://apps.nsa.gov/iaarchive/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm - webarchive
- https://attack.mitre.org/mitigations/T1083 - webarchive
- https://technet.microsoft.com/en-us/library/ee791851.aspx - webarchive
Associated metadata
Metadata key | Value |
---|---|
external_id | T1083 |
DLL Search Order Hijacking Mitigation - T1038
Disallow loading of remote DLLs. (Citation: Microsoft DLL Preloading) This is included by default in Windows Server 2012+ and is available by patch for XP+ and Server 2003+. (Citation: Microsoft DLL Search)
Enable Safe DLL Search Mode to force the search for system DLLs in directories with greater restrictions (e.g. %SYSTEMROOT%) to take place before local directory DLLs (e.g. a user's home directory) are considered. Safe DLL Search Mode can be enabled via Group Policy at Computer Configuration > [Policies] > Administrative Templates > MSS (Legacy): MSS: (SafeDllSearchMode) Enable Safe DLL search mode. The associated Windows Registry value is HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\SafeDllSearchMode. (Citation: Microsoft DLL Search)
Use auditing tools capable of detecting DLL search order hijacking opportunities on systems within an enterprise and correct them. Toolkits like the PowerSploit framework contain PowerUp modules that can be used to explore systems for DLL hijacking weaknesses. (Citation: Powersploit)
Identify and block potentially malicious software that may be executed through search order hijacking by using whitelisting (Citation: Beechey 2010) tools like AppLocker (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) that are capable of auditing and/or blocking unknown DLLs.
Internal MISP references
UUID 96913243-2b5e-4483-a65c-bb152ddd2f04
which can be used as unique global reference for DLL Search Order Hijacking Mitigation - T1038
in MISP communities and other software using the MISP galaxy
External references
- http://blogs.technet.com/b/srd/archive/2010/08/23/more-information-about-dll-preloading-remote-attack-vector.aspx - webarchive
- http://msdn.microsoft.com/en-US/library/ms682586 - webarchive
- http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599 - webarchive
- https://apps.nsa.gov/iaarchive/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm - webarchive
- https://attack.mitre.org/mitigations/T1038 - webarchive
- https://blogs.jpcert.or.jp/en/2016/01/windows-commands-abused-by-attackers.html - webarchive
- https://github.com/mattifestation/PowerSploit - webarchive
Associated metadata
Metadata key | Value |
---|---|
external_id | T1038 |
File System Permissions Weakness Mitigation - T1044
Use auditing tools capable of detecting file system permissions abuse opportunities on systems within an enterprise and correct them. Limit privileges of user accounts and groups so that only authorized administrators can interact with service changes and service binary target path locations. Toolkits like the PowerSploit framework contain PowerUp modules that can be used to explore systems for service file system permissions weaknesses. (Citation: Powersploit)
Identify and block potentially malicious software that may be executed through abuse of file, directory, and service permissions by using whitelisting (Citation: Beechey 2010) tools, like AppLocker, (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) that are capable of auditing and/or blocking unknown programs. Deny execution from user directories such as file download directories and temp directories where able. (Citation: Seclists Kanthak 7zip Installer)
Turn off UAC's privilege elevation for standard users so that elevation requests are automatically denied: under [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System], add "ConsentPromptBehaviorUser"=dword:00000000 (Citation: Seclists Kanthak 7zip Installer). Consider enabling installer detection for all users by adding "EnableInstallerDetection"=dword:00000001; this prompts for a password before an installer runs and also logs the attempt. To disable installer detection instead, add "EnableInstallerDetection"=dword:00000000. Disabling it may prevent potential elevation of privileges through exploitation while UAC is detecting the installer, but it allows the installation process to continue without being logged.
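As an added example that is not part of the page's MITRE text, the following PowerShell audits and optionally enforces the registry values named in the DLL Search Order Hijacking (T1038) mitigation and the UAC values described above. The value names, paths and their meanings are Microsoft's (CWDIllegalInDllSearch is documented in Microsoft KB2264107); the desired values and the AbsentMeans defaults in the table are this example's assumptions.

```powershell
# Added example; not code from ATT&CK, MISP or Microsoft. Audits and, on request, enforces the
# registry values named in the T1038 and T1044 mitigations above. Value names and meanings are
# Microsoft's; the desired values and the AbsentMeans defaults are this example's assumptions.
# Run from an elevated PowerShell session.
#Requires -RunAsAdministrator

$SessionManager = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager'
$UacPolicy      = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

# AbsentMeans: what Windows does when the value does not exist, so that a missing
# SafeDllSearchMode (enabled by default since XP SP2) is not reported as a finding.
# $null means "unknown / differs by SKU" and is treated as non-compliant.
$Desired = @(
    @{ Path = $SessionManager; Name = 'SafeDllSearchMode';         Value = 1; AbsentMeans = 1
       Note = '1 = search %SystemRoot%\System32 before the current directory' }
    @{ Path = $SessionManager; Name = 'CWDIllegalInDllSearch';     Value = 1; AbsentMeans = 0
       Note = '1 = never load DLLs from a remote (UNC/WebDAV) current directory; 0xFFFFFFFF drops the CWD from the search entirely' }
    @{ Path = $UacPolicy;      Name = 'ConsentPromptBehaviorUser'; Value = 0; AbsentMeans = 3
       Note = '0 = automatically deny elevation requests from standard users' }
    @{ Path = $UacPolicy;      Name = 'EnableInstallerDetection';  Value = 1; AbsentMeans = $null
       Note = '1 = prompt (and log) when a heuristically detected installer runs' }
)

function Get-HardeningState {
    # One row per setting: the configured value, the value Windows actually uses, and whether
    # that matches the desired value.
    foreach ($item in $Desired) {
        $current = (Get-ItemProperty -Path $item.Path -Name $item.Name -ErrorAction SilentlyContinue).($item.Name)
        if ($null -eq $current) { $display = '(absent)'; $effective = $item.AbsentMeans }
        else                    { $display = $current;   $effective = $current }
        [pscustomobject]@{
            Name      = $item.Name
            Current   = $display
            Effective = $effective
            Desired   = $item.Value
            Compliant = ($null -ne $effective -and $effective -eq $item.Value)
            Path      = $item.Path
            Note      = $item.Note
        }
    }
}

function Set-HardeningState {
    # Writes only the values that are out of compliance. Supports -WhatIf and -Confirm.
    [CmdletBinding(SupportsShouldProcess)]
    param()
    foreach ($row in (Get-HardeningState | Where-Object { -not $_.Compliant })) {
        if ($PSCmdlet.ShouldProcess("$($row.Path)\$($row.Name)", "Set DWORD $($row.Current) -> $($row.Desired)")) {
            if (-not (Test-Path -Path $row.Path)) { New-Item -Path $row.Path -Force | Out-Null }
            New-ItemProperty -Path $row.Path -Name $row.Name -Value $row.Desired -PropertyType DWord -Force | Out-Null
        }
    }
}

Get-HardeningState | Format-Table Name, Current, Effective, Desired, Compliant -AutoSize
# Set-HardeningState -WhatIf    # preview the writes
# Set-HardeningState            # apply them
```

In a domain these values are normally managed through Group Policy (the MSS (Legacy) template for SafeDllSearchMode, Security Options for the UAC entries); a GPO-managed value is rewritten at the next policy refresh, so use Get-HardeningState to verify the resulting state and Set-HardeningState only on hosts the GPO does not cover.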
Internal MISP references
UUID 1022138b-497c-40e6-b53a-13351cbd4090
which can be used as unique global reference for File System Permissions Weakness Mitigation - T1044
in MISP communities and other software using the MISP galaxy
External references
- http://seclists.org/fulldisclosure/2015/Dec/34 - webarchive
- http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599 - webarchive
- https://apps.nsa.gov/iaarchive/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm - webarchive
- https://attack.mitre.org/mitigations/T1044 - webarchive
- https://blogs.jpcert.or.jp/en/2016/01/windows-commands-abused-by-attackers.html - webarchive
- https://github.com/mattifestation/PowerSploit - webarchive
Associated metadata
Metadata key | Value |
---|---|
external_id | T1044 |
System Network Connections Discovery Mitigation - T1049
Identify unnecessary system utilities or potentially malicious software that may be used to acquire information about network connections, and audit and/or block them by using whitelisting (Citation: Beechey 2010) tools, like AppLocker, (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) or Software Restriction Policies (Citation: Corio 2008) where appropriate. (Citation: TechNet Applocker vs SRP)
Internal MISP references
UUID c1676218-c16a-41c9-8f7a-023779916e39
which can be used as unique global reference for System Network Connections Discovery Mitigation - T1049
in MISP communities and other software using the MISP galaxy
External references
- http://technet.microsoft.com/en-us/magazine/2008.06.srp.aspx - webarchive
- http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599 - webarchive
- https://apps.nsa.gov/iaarchive/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm - webarchive
- https://attack.mitre.org/mitigations/T1049 - webarchive
- https://blogs.jpcert.or.jp/en/2016/01/windows-commands-abused-by-attackers.html - webarchive
- https://technet.microsoft.com/en-us/library/ee791851.aspx - webarchive
Associated metadata
Metadata key | Value |
---|---|
external_id | T1049 |
Service Registry Permissions Weakness Mitigation - T1058
Ensure proper permissions are set for Registry hives to prevent users from modifying keys for system components that may lead to privilege escalation.
Identify and block potentially malicious software that may be executed through service abuse by using whitelisting (Citation: Beechey 2010) tools like AppLocker (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) that are capable of auditing and/or blocking unknown programs.
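The PowerUp modules cited in the T1038, T1044 and T1058 mitigations above look for exactly these weaknesses. As an added example that is neither PowerSploit's code nor the page's own, the following PowerShell implements the three checks directly: DLLs currently loaded from locations a standard user can write to, service binaries in user-writable locations, and service registry keys writable by standard users. The well-known SIDs and the FileSystemRights/RegistryRights enums are Windows-defined; which rights count as "write" is this example's assumption.

```powershell
# Added example; not code from ATT&CK, MISP or PowerSploit. Finds the three weaknesses the
# T1038, T1044 and T1058 mitigations above ask auditors to look for. Run elevated so every
# process's module list and every service key's ACL can be read.
#Requires -RunAsAdministrator

# Principals every standard user belongs to. An Allow ACE for any of them is a finding.
$LowPrivSids = 'S-1-1-0', 'S-1-5-11', 'S-1-5-32-545', 'S-1-5-4'   # Everyone, Authenticated Users, Users, Interactive

# Rights that let the holder replace the object or change who can (this example's choice).
# FileSystemRights and RegistryRights are different enums, so each object type gets its own mask.
$FileWriteMask = [int][System.Security.AccessControl.FileSystemRights] 'WriteData, AppendData, Delete, ChangePermissions, TakeOwnership'
$RegWriteMask  = [int][System.Security.AccessControl.RegistryRights]   'SetValue, CreateSubKey, Delete, ChangePermissions, TakeOwnership'
$GenericWrite  = 0x40000000 -bor 0x10000000   # GENERIC_WRITE | GENERIC_ALL: raw bits that appear outside either enum

function Get-LowPrivWriter {
    # Low-privilege identities holding write-class rights on a file, directory or registry key
    # (pass the Registry:: provider path for keys). Returns an empty array when there are none.
    param([Parameter(Mandatory)][string]$Path)
    $acl = Get-Acl -LiteralPath $Path -ErrorAction SilentlyContinue
    if (-not $acl) { return @() }
    $hits = foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        try { $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value }
        catch { continue }                                   # orphaned or untranslatable SID
        if ($sid -notin $LowPrivSids) { continue }
        if ($ace.PSObject.Properties['FileSystemRights']) { $raw = [int]$ace.FileSystemRights; $mask = $FileWriteMask }
        else                                                { $raw = [int]$ace.RegistryRights;   $mask = $RegWriteMask }
        if (($raw -band $mask) -or ($raw -band $GenericWrite)) { $ace.IdentityReference.Value }
    }
    return @($hits | Select-Object -Unique)
}

function New-Finding {
    param($Kind, $Subject, $Path, [string[]]$WritableBy)
    [pscustomobject]@{ Kind = $Kind; Subject = $Subject; Path = $Path; WritableBy = (($WritableBy | Select-Object -Unique) -join ', ') }
}

function Find-HijackableLoadedDll {
    # Every DLL mapped into a running process whose file or directory a standard user can write.
    $seen = @{}; $dirCache = @{}
    foreach ($proc in Get-Process) {
        try { $modules = $proc.Modules } catch { continue }  # protected, exited or other-bitness processes
        foreach ($m in $modules) {
            $file = $m.FileName
            if (-not $file -or $seen.ContainsKey($file)) { continue }
            $seen[$file] = $true
            $dir = Split-Path -Parent $file
            if (-not $dirCache.ContainsKey($dir)) { $dirCache[$dir] = @(Get-LowPrivWriter -Path $dir) }
            $who = @(Get-LowPrivWriter -Path $file) + $dirCache[$dir]
            if ($who) { New-Finding -Kind 'LoadedDll' -Subject $proc.ProcessName -Path $file -WritableBy $who }
        }
    }
}

function ConvertFrom-ImagePath {
    # Normalises a service ImagePath value into the executable's full path: strips quotes and
    # trailing arguments, resolves \??\ and \SystemRoot\ prefixes and %SystemRoot%-relative paths.
    param([string]$ImagePath)
    $p = [Environment]::ExpandEnvironmentVariables($ImagePath).Trim()
    if ($p.StartsWith('"')) {
        $end = $p.IndexOf('"', 1); if ($end -lt 0) { $end = $p.Length }
        $p = $p.Substring(1, $end - 1)
    } else {
        $p = ($p -split '\s+[-/]')[0].Trim()                 # unquoted: cut at the first -arg or /arg
    }
    $p = $p -replace '^\\\?\?\\', '' -replace '^\\SystemRoot', $env:SystemRoot
    if ($p -notmatch '^[A-Za-z]:\\') { $p = Join-Path $env:SystemRoot $p }
    return $p
}

function Find-WritableService {
    # Service registry keys and service binaries a standard user could modify.
    foreach ($key in Get-ChildItem -Path 'HKLM:\SYSTEM\CurrentControlSet\Services' -ErrorAction SilentlyContinue) {
        $svc = $key.PSChildName
        $who = @(Get-LowPrivWriter -Path $key.PSPath)
        if ($who) { New-Finding -Kind 'ServiceKey' -Subject $svc -Path $key.Name -WritableBy $who }

        $image = (Get-ItemProperty -LiteralPath $key.PSPath -Name ImagePath -ErrorAction SilentlyContinue).ImagePath
        if (-not $image) { continue }
        $exe = ConvertFrom-ImagePath $image
        if (-not (Test-Path -LiteralPath $exe -PathType Leaf)) { continue }
        $who = @(Get-LowPrivWriter -Path $exe) + @(Get-LowPrivWriter -Path (Split-Path -Parent $exe))
        if ($who) { New-Finding -Kind 'ServiceBinary' -Subject $svc -Path $exe -WritableBy $who }
    }
}

$findings = @(Find-HijackableLoadedDll) + @(Find-WritableService)
$findings | Sort-Object Kind, Subject | Format-Table -AutoSize
```

The loaded-DLL check only sees what is mapped at the moment it runs, so run it after the services and agents of interest have started. It tests rights held by groups every standard user belongs to; a DLL under one user's profile that a SYSTEM service loads is not flagged by this test and needs a separate review of where privileged processes load from. Inheritance flags are ignored on purpose: a hit on a directory means a standard user can create or delete entries there, which is all a hijack needs.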
Internal MISP references
UUID 9378f139-10ef-4e4b-b679-2255a0818902
which can be used as unique global reference for Service Registry Permissions Weakness Mitigation - T1058
in MISP communities and other software using the MISP galaxy
External references
- http://blog.jpcert.or.jp/2016/01/windows-commands-abused-by-attackers.html - webarchive
- http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599 - webarchive
- https://apps.nsa.gov/iaarchive/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm - webarchive
- https://attack.mitre.org/mitigations/T1058 - webarchive
Associated metadata
Metadata key | Value |
---|---|
external_id | T1058 |
Indicator Removal from Tools Mitigation - T1066
Mitigation is difficult in instances like this because the adversary may have access to the system through another channel and can learn what techniques or tools are blocked by resident defenses. Exercising best practices with configuration and security as well as ensuring that proper process is followed during investigation of potential compromise is essential to detecting a larger intrusion through discrete alerts.
Identify and block potentially malicious software that may be used by an adversary by using whitelisting (Citation: Beechey 2010) tools like AppLocker (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) or Software Restriction Policies (Citation: Corio 2008) where appropriate. (Citation: TechNet Applocker vs SRP)
Internal MISP references
UUID 4b998a71-7b8f-4dcc-8f3f-277f2e740271
which can be used as unique global reference for Indicator Removal from Tools Mitigation - T1066
in MISP communities and other software using the MISP galaxy
External references
- http://technet.microsoft.com/en-us/magazine/2008.06.srp.aspx - webarchive
- http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599 - webarchive
- https://attack.mitre.org/mitigations/T1066 - webarchive
- https://blogs.jpcert.or.jp/en/2016/01/windows-commands-abused-by-attackers.html - webarchive
- https://technet.microsoft.com/en-us/library/ee791851.aspx - webarchive
- https://www.iad.gov/iad/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm - webarchive
Associated metadata
Metadata key | Value |
---|---|
external_id | T1066 |
Exploitation for Privilege Escalation Mitigation - T1068
Update software regularly by employing patch management for internal enterprise endpoints and servers. Develop a robust cyber threat intelligence capability to determine what types and levels of threat may use software exploits and 0-days against a particular organization. Make it difficult for adversaries to advance their operation through exploitation of undiscovered or unpatched vulnerabilities by using sandboxing, if available. Other types of virtualization and application microsegmentation may also mitigate the impact of some types of client-side exploitation. The risks of additional exploits and weaknesses in implementation may still exist. (Citation: Ars Technica Pwn2Own 2017 VM Escape)
Security applications that look for behavior used during exploitation such as Windows Defender Exploit Guard (WDEG) and the Enhanced Mitigation Experience Toolkit (EMET) can be used to mitigate some exploitation behavior. (Citation: TechNet Moving Beyond EMET) Control flow integrity checking is another way to potentially identify and stop a software exploit from occurring. (Citation: Wikipedia Control Flow Integrity) Many of these protections depend on the architecture and target application binary for compatibility and may not work for software components targeted for privilege escalation.
Internal MISP references
UUID 92e6d080-ca3f-4f95-bc45-172a32c4e502
which can be used as unique global reference for Exploitation for Privilege Escalation Mitigation - T1068
in MISP communities and other software using the MISP galaxy
External references
- https://arstechnica.com/information-technology/2017/03/hack-that-escapes-vm-by-exploiting-edge-browser-fetches-105000-at-pwn2own/ - webarchive
- https://attack.mitre.org/mitigations/T1068 - webarchive
- https://blogs.technet.microsoft.com/srd/2017/08/09/moving-beyond-emet-ii-windows-defender-exploit-guard/ - webarchive
- https://en.wikipedia.org/wiki/Control-flow_integrity - webarchive
Associated metadata
Metadata key | Value |
---|---|
external_id | T1068 |
Bypass User Account Control Mitigation - T1088
Remove users from the local administrator group on systems. Although UAC bypass techniques exist, it is still prudent to use the highest enforcement level for UAC when possible and mitigate bypass opportunities that exist with techniques such as DLL Search Order Hijacking.
Check for common UAC bypass weaknesses on Windows systems to be aware of the risk posture and address issues where appropriate. (Citation: Github UACMe)
Internal MISP references
UUID beb45abb-11e8-4aef-9778-1f9ac249784f
which can be used as unique global reference for Bypass User Account Control Mitigation - T1088
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
external_id | T1088 |
Exploitation for Defense Evasion Mitigation - T1211
Update software regularly by employing patch management for internal enterprise endpoints and servers. Develop a robust cyber threat intelligence capability to determine what types and levels of threat may use software exploits and 0-days against a particular organization. Make it difficult for adversaries to advance their operation through exploitation of undiscovered or unpatched vulnerabilities by using sandboxing, if available. Other types of virtualization and application microsegmentation may also mitigate the impact of some types of exploitation. The risks of additional exploits and weaknesses in implementation may still exist. (Citation: Ars Technica Pwn2Own 2017 VM Escape)
Security applications that look for behavior used during exploitation such as Windows Defender Exploit Guard (WDEG) and the Enhanced Mitigation Experience Toolkit (EMET) can be used to mitigate some exploitation behavior. (Citation: TechNet Moving Beyond EMET) Control flow integrity checking is another way to potentially identify and stop a software exploit from occurring. (Citation: Wikipedia Control Flow Integrity) Many of these protections depend on the architecture and target application binary for compatibility and may not work for software targeted for defense evasion.
Internal MISP references
UUID 37a3f3f5-76e6-43fe-b935-f1f494c95725
which can be used as unique global reference for Exploitation for Defense Evasion Mitigation - T1211
in MISP communities and other software using the MISP galaxy
External references
- https://arstechnica.com/information-technology/2017/03/hack-that-escapes-vm-by-exploiting-edge-browser-fetches-105000-at-pwn2own/ - webarchive
- https://attack.mitre.org/mitigations/T1211 - webarchive
- https://blogs.technet.microsoft.com/srd/2017/08/09/moving-beyond-emet-ii-windows-defender-exploit-guard/ - webarchive
- https://en.wikipedia.org/wiki/Control-flow_integrity - webarchive
Associated metadata
Metadata key | Value |
---|---|
external_id | T1211 |
Extra Window Memory Injection Mitigation - T1181
This type of attack technique cannot be easily mitigated with preventive controls since it is based on the abuse of operating system design features. For example, mitigating specific API calls will likely have unintended side effects, such as preventing legitimate software (e.g., security products) from operating properly. Efforts should be focused on preventing adversary tools from running earlier in the chain of activity and on identifying subsequent malicious behavior.
Although EWM injection may be used to evade certain types of defenses, it is still good practice to identify potentially malicious software that may be used to perform adversarial actions and audit and/or block it by using whitelisting (Citation: Beechey 2010) tools, like AppLocker, (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) or Software Restriction Policies (Citation: Corio 2008) where appropriate. (Citation: TechNet Applocker vs SRP)
Internal MISP references
UUID cba5667e-e3c6-44a4-811c-266dbc00e440
which can be used as unique global reference for Extra Window Memory Injection Mitigation - T1181
in MISP communities and other software using the MISP galaxy
External references
- http://technet.microsoft.com/en-us/magazine/2008.06.srp.aspx - webarchive
- http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599 - webarchive
- https://apps.nsa.gov/iaarchive/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm - webarchive
- https://attack.mitre.org/mitigations/T1181 - webarchive
- https://blogs.jpcert.or.jp/en/2016/01/windows-commands-abused-by-attackers.html - webarchive
- https://technet.microsoft.com/en-us/library/ee791851.aspx - webarchive
Associated metadata
Metadata key | Value |
---|---|
external_id | T1181 |
Exploitation for Credential Access Mitigation - T1212
Update software regularly by employing patch management for internal enterprise endpoints and servers. Develop a robust cyber threat intelligence capability to determine what types and levels of threat may use software exploits and 0-days against a particular organization. Make it difficult for adversaries to advance their operation through exploitation of undiscovered or unpatched vulnerabilities by using sandboxing, if available. Other types of virtualization and application microsegmentation may also mitigate the impact of some types of exploitation. The risks of additional exploits and weaknesses in implementation may still exist. (Citation: Ars Technica Pwn2Own 2017 VM Escape)
Security applications that look for behavior used during exploitation such as Windows Defender Exploit Guard (WDEG) and the Enhanced Mitigation Experience Toolkit (EMET) can be used to mitigate some exploitation behavior. (Citation: TechNet Moving Beyond EMET) Control flow integrity checking is another way to potentially identify and stop a software exploit from occurring. (Citation: Wikipedia Control Flow Integrity) Many of these protections depend on the architecture and target application binary for compatibility and may not work for software targeted for credential access.
Internal MISP references
UUID 06160d81-62be-46e5-aa37-4b9c645ffa31
which can be used as unique global reference for Exploitation for Credential Access Mitigation - T1212
in MISP communities and other software using the MISP galaxy
External references
- https://arstechnica.com/information-technology/2017/03/hack-that-escapes-vm-by-exploiting-edge-browser-fetches-105000-at-pwn2own/ - webarchive
- https://attack.mitre.org/mitigations/T1212 - webarchive
- https://blogs.technet.microsoft.com/srd/2017/08/09/moving-beyond-emet-ii-windows-defender-exploit-guard/ - webarchive
- https://en.wikipedia.org/wiki/Control-flow_integrity - webarchive
Associated metadata
Metadata key | Value |
---|---|
external_id | T1212 |
Component Object Model Hijacking Mitigation - T1122
Direct mitigation of this technique may not be recommended for a particular environment since COM objects are a legitimate part of the operating system and installed software. Blocking COM object changes may have unforeseen side effects to legitimate functionality.
Instead, identify and block potentially malicious software that may execute, or be executed by, this technique using whitelisting (Citation: Beechey 2010) tools, like AppLocker, (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) or Software Restriction Policies (Citation: Corio 2008) where appropriate. (Citation: TechNet Applocker vs SRP)
Internal MISP references
UUID ff5d862a-ae6b-4833-8c15-e235d654d28e
which can be used as unique global reference for Component Object Model Hijacking Mitigation - T1122
in MISP communities and other software using the MISP galaxy
External references
- http://blog.jpcert.or.jp/2016/01/windows-commands-abused-by-attackers.html - webarchive
- http://technet.microsoft.com/en-us/magazine/2008.06.srp.aspx - webarchive
- http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599 - webarchive
- https://apps.nsa.gov/iaarchive/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm - webarchive
- https://attack.mitre.org/mitigations/T1122 - webarchive
- https://technet.microsoft.com/en-us/library/ee791851.aspx - webarchive
Associated metadata
Metadata key | Value |
---|---|
external_id | T1122 |
Data from Information Repositories Mitigation - T1213
To mitigate adversary access to information repositories for collection:
- Develop and publish policies that define acceptable information to be stored
- Appropriate implementation of access control mechanisms that include both authentication and appropriate authorization
- Enforce the principle of least-privilege
- Periodic privilege review of accounts
- Mitigate access to Valid Accounts that may be used to access repositories
Internal MISP references
UUID 13cad982-35e3-4340-9095-7124b653df4b
which can be used as unique global reference for Data from Information Repositories Mitigation - T1213
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
external_id | T1213 |
Kernel Modules and Extensions Mitigation - T1215
Common tools for detecting Linux rootkits include rkhunter (Citation: SourceForge rkhunter) and chkrootkit (Citation: Chkrootkit Main), although rootkits may be designed to evade certain detection tools.
LKMs and kernel extensions require root-level permissions to be installed. Limit access to the root account and prevent users from loading kernel modules and extensions through proper privilege separation and by limiting Privilege Escalation opportunities.
Mandatory access control and software restriction mechanisms, such as SELinux, can also aid in restricting kernel module loading. (Citation: Kernel.org Restrict Kernel Module)
Internal MISP references
UUID 44155d14-ca75-4fdf-b033-ab3d732e2884
which can be used as unique global reference for Kernel Modules and Extensions Mitigation - T1215
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
external_id | T1215 |
Network Share Connection Removal Mitigation - T1126
Follow best practices for mitigation of activity related to establishing Windows Admin Shares.
Identify unnecessary system utilities or potentially malicious software that may be used to leverage network shares, and audit and/or block them by using whitelisting (Citation: Beechey 2010) tools, like AppLocker, (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) or Software Restriction Policies (Citation: Corio 2008) where appropriate. (Citation: TechNet Applocker vs SRP)
Internal MISP references
UUID 94e95eeb-7cdb-4bd7-afba-f32fda303dbb
which can be used as unique global reference for Network Share Connection Removal Mitigation - T1126
in MISP communities and other software using the MISP galaxy
External references
- http://blog.jpcert.or.jp/2016/01/windows-commands-abused-by-attackers.html - webarchive
- http://technet.microsoft.com/en-us/magazine/2008.06.srp.aspx - webarchive
- http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599 - webarchive
- https://apps.nsa.gov/iaarchive/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm - webarchive
- https://attack.mitre.org/mitigations/T1126 - webarchive
- https://technet.microsoft.com/en-us/library/ee791851.aspx - webarchive
Associated metadata
Metadata key | Value |
---|---|
external_id | T1126 |
Signed Script Proxy Execution Mitigation - T1216
Certain signed scripts that can be used to execute other programs may not be necessary within a given environment. Use application whitelisting configured to block execution of these scripts if they are not required for a given system or network to prevent potential misuse by adversaries.
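As an added example (not the page's text and not a Microsoft-provided policy), the following PowerShell builds an AppLocker Script rule collection that denies a chosen list of signed scripts, evaluates it with Test-AppLockerPolicy before applying it, and merges it into the local policy. The deny list is an assumption: pubprn.vbs is named only as an illustration of a Microsoft-signed script that can launch other code; replace it with the result of your own review. The same steps serve the AppLocker recommendation repeated across the other mitigations on this page.

```powershell
# Added example; not code from ATT&CK or MISP. Builds an AppLocker Script rule collection that
# denies the signed scripts this environment has decided it does not need, tests the policy
# against real files without applying it, then merges it into the local policy.
# Assumed: the deny list (pubprn.vbs is an illustration only). Needs the AppLocker module
# (Windows 7 / Server 2008 R2 and later) and an elevated session.
#Requires -RunAsAdministrator
Import-Module AppLocker

$DenyPaths = @(
    '%SYSTEM32%\Printing_Admin_Scripts\*\pubprn.vbs'    # AppLocker path variable plus wildcard for the language folder
)

function New-ScriptDenyPolicyXml {
    # Emits AppLocker policy XML. Deny rules win over Allow rules, so they can sit beside the
    # default Allow rules. Without -IncludeDefaultAllowRules, merge this into a policy that
    # already has Allow rules: a Script collection holding only Deny rules blocks every script.
    param([string[]]$Paths, [switch]$IncludeDefaultAllowRules)
    $rules = @(foreach ($p in $Paths) {
        $name = Split-Path -Leaf $p
        @"
    <FilePathRule Id="$([guid]::NewGuid())" Name="Deny $name" Description="T1216 mitigation" UserOrGroupSid="S-1-1-0" Action="Deny">
      <Conditions><FilePathCondition Path="$p" /></Conditions>
    </FilePathRule>
"@
    })
    if ($IncludeDefaultAllowRules) {
        # AppLocker's default Script rules: Everyone may run scripts under Program Files and
        # Windows, Administrators (S-1-5-32-544) may run anything.
        $defaults = @{ 'S-1-1-0' = '%PROGRAMFILES%\*', '%WINDIR%\*'; 'S-1-5-32-544' = '*' }
        $rules += @(foreach ($sid in $defaults.Keys) { foreach ($p in $defaults[$sid]) {
            @"
    <FilePathRule Id="$([guid]::NewGuid())" Name="Allow $p" Description="Default rule" UserOrGroupSid="$sid" Action="Allow">
      <Conditions><FilePathCondition Path="$p" /></Conditions>
    </FilePathRule>
"@
        } })
    }
    @"
<AppLockerPolicy Version="1">
  <RuleCollection Type="Script" EnforcementMode="Enabled">
$($rules -join "`n")
  </RuleCollection>
</AppLockerPolicy>
"@
}

$policyFile = Join-Path $env:TEMP 'deny-signed-scripts.xml'
New-ScriptDenyPolicyXml -Paths $DenyPaths -IncludeDefaultAllowRules | Set-Content -LiteralPath $policyFile -Encoding UTF8

# Evaluate before applying. Expected: Denied for the listed script (matching rule "Deny pubprn.vbs"),
# Allowed for any other script under %WINDIR% via the default rule.
$target  = "$env:SystemRoot\System32\Printing_Admin_Scripts\en-US\pubprn.vbs"
$control = (Get-ChildItem -Path "$env:SystemRoot\System32\*.vbs" | Select-Object -First 1).FullName
$targets = @($target, $control) | Where-Object { $_ -and (Test-Path -LiteralPath $_) }
Test-AppLockerPolicy -XmlPolicy $policyFile -Path $targets -User Everyone

# -Merge keeps the rules already in the local policy and leaves collections absent from the
# XML (Exe, Msi, Dll) untouched. Enforcement needs the Application Identity service running.
Set-AppLockerPolicy -XmlPolicy $policyFile -Merge
Start-Service -Name AppIDSvc
```

Test-AppLockerPolicy works whether or not AppLocker is enforcing, which makes it the place to catch a collection that would deny more than intended. In a domain, import the same XML into the relevant GPO instead of applying it locally, and drop -IncludeDefaultAllowRules if the domain policy already carries tighter Allow rules, so the merge does not loosen them.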
Internal MISP references
UUID 51048ba0-a5aa-41e7-bf5d-993cd217dfb2
which can be used as unique global reference for Signed Script Proxy Execution Mitigation - T1216
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
external_id | T1216 |
Execution through Module Load Mitigation - T1129
Directly mitigating module loads and API calls related to module loads will likely have unintended side effects, such as preventing legitimate software from operating properly. Efforts should be focused on preventing adversary tools from running earlier in the chain of activity and on identifying and correlating subsequent behavior to determine whether it is the result of malicious activity.
Internal MISP references
UUID cfd2cd3b-93e7-4b3e-ab46-f8bcafdbdfcf
which can be used as unique global reference for Execution through Module Load Mitigation - T1129
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
external_id | T1129 |
Distributed Component Object Model Mitigation - T1175
Modify Registry settings (directly or using Dcomcnfg.exe) in HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{AppID_GUID} associated with the process-wide security of individual COM applications. (Citation: Microsoft Process Wide Com Keys)
Modify Registry settings (directly or using Dcomcnfg.exe) in HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole associated with system-wide security defaults for all COM applications that do not set their own process-wide security. (Citation: Microsoft System Wide Com Keys) (Citation: Microsoft COM ACL)
Consider disabling DCOM through Dcomcnfg.exe. (Citation: Microsoft Disable DCOM)
Enable Windows firewall, which prevents DCOM instantiation by default.
Ensure all COM alerts and Protected View are enabled. (Citation: Microsoft Protected View)
Internal MISP references
UUID 910482b1-6749-4934-abcb-3e34d58294fc
which can be used as unique global reference for Distributed Component Object Model Mitigation - T1175
in MISP communities and other software using the MISP galaxy
External references
- https://attack.mitre.org/mitigations/T1175 - webarchive
- https://docs.microsoft.com/en-us/windows/desktop/com/dcom-security-enhancements-in-windows-xp-service-pack-2-and-windows-server-2003-service-pack-1 - webarchive
- https://msdn.microsoft.com/en-us/library/windows/desktop/ms687317(v=vs.85).aspx - webarchive
- https://msdn.microsoft.com/en-us/library/windows/desktop/ms694331(v=vs.85).aspx - webarchive
- https://support.office.com/en-us/article/What-is-Protected-View-d6f09ac7-e6b9-4495-8e43-2bbcdbcb6653 - webarchive
- https://technet.microsoft.com/library/cc771387.aspx - webarchive
Associated metadata
Metadata key | Value |
---|---|
external_id | T1175 |
Man in the Browser Mitigation - T1185
Since browser pivoting requires a high integrity process to launch from, restricting user permissions and addressing Privilege Escalation and Bypass User Account Control opportunities can limit the exposure to this technique.
Close all browser sessions regularly and when they are no longer needed.
Internal MISP references
UUID 94f6b4f5-b528-4f50-91d5-f66457c2f8f7
which can be used as unique global reference for Man in the Browser Mitigation - T1185
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
external_id | T1185 |
Hidden Files and Directories Mitigation - T1158
Mitigation of this technique may be difficult and inadvisable due to the legitimate use of hidden files and directories.
Internal MISP references
UUID 84d633a4-dd93-40ca-8510-40238c021931
which can be used as unique global reference for Hidden Files and Directories Mitigation - T1158
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
external_id | T1158 |
Data Encrypted for Impact Mitigation - T1486
Consider implementing IT disaster recovery plans that contain procedures for regularly taking and testing data backups that can be used to restore organizational data.(Citation: Ready.gov IT DRP)
In some cases, the means to decrypt files affected by a ransomware campaign is released to the public. Research trusted sources for public releases of decryptor tools/keys to reverse the effects of ransomware.
Identify potentially malicious software and audit and/or block it by using whitelisting(Citation: Beechey 2010) tools, like AppLocker,(Citation: Windows Commands JPCERT)(Citation: NSA MS AppLocker) or Software Restriction Policies(Citation: Corio 2008) where appropriate.(Citation: TechNet Applocker vs SRP)
Internal MISP references
UUID 429a5c0c-e132-45c0-a4aa-c1f736c92a1c
which can be used as unique global reference for Data Encrypted for Impact Mitigation - T1486
in MISP communities and other software using the MISP galaxy
External references
- http://technet.microsoft.com/en-us/magazine/2008.06.srp.aspx - webarchive
- http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599 - webarchive
- https://apps.nsa.gov/iaarchive/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm - webarchive
- https://attack.mitre.org/mitigations/T1486 - webarchive
- https://blogs.jpcert.or.jp/en/2016/01/windows-commands-abused-by-attackers.html - webarchive
- https://technet.microsoft.com/en-us/library/ee791851.aspx - webarchive
- https://www.ready.gov/business/implementation/IT - webarchive
Associated metadata
Metadata key | Value |
---|---|
external_id | T1486 |
Network Denial of Service Mitigation - T1498
When flood volumes exceed the capacity of the network connection being targeted, it is typically necessary to intercept the incoming traffic upstream to filter out the attack traffic from the legitimate traffic. Such defenses can be provided by the hosting Internet Service Provider (ISP) or by a 3rd party such as a Content Delivery Network (CDN) or providers specializing in DoS mitigations.(Citation: CERT-EU DDoS March 2017)
Depending on flood volume, on-premises filtering may be possible by blocking the source addresses of the attack, blocking the ports being targeted, or blocking the protocols used for transport.(Citation: CERT-EU DDoS March 2017)
As immediate response may require rapid engagement of 3rd parties, analyze the risk associated to critical resources being affected by Network DoS attacks and create a disaster recovery plan/business continuity plan to respond to incidents.(Citation: CERT-EU DDoS March 2017)
Internal MISP references
UUID 654addf1-47ab-410a-8578-e1a0dc2a49b8
which can be used as unique global reference for Network Denial of Service Mitigation - T1498
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
external_id | T1498 |
Endpoint Denial of Service Mitigation - T1499
Leverage services provided by Content Delivery Networks (CDN) or providers specializing in DoS mitigations to filter traffic upstream from services.(Citation: CERT-EU DDoS March 2017) Filter boundary traffic by blocking the source addresses of the attack, blocking the ports being targeted, or blocking the protocols used for transport. To defend against SYN floods, enable SYN cookies.
Internal MISP references
UUID 82c21600-ccb6-4232-8c04-ef3792b56628
which can be used as unique global reference for Endpoint Denial of Service Mitigation - T1499
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
external_id | T1499 |
Exploit Public-Facing Application Mitigation - T1190
Application isolation and least privilege help lessen the impact of an exploit. Application isolation will limit what other processes and system features the exploited target can access, and least privilege for service accounts will limit what permissions the exploited process gets on the rest of the system. Web Application Firewalls may be used to limit exposure of applications.
Segment externally facing servers and services from the rest of the network with a DMZ or on separate hosting infrastructure.
Use secure coding best practices when designing custom software that is meant for deployment to externally facing systems. Avoid issues documented by OWASP, CWE, and other software weakness identification efforts.
Regularly scan externally facing systems for vulnerabilities and establish procedures to rapidly patch systems when critical vulnerabilities are discovered through scanning and through public disclosure.
Internal MISP references
UUID 65da1eb6-d35d-4853-b280-98a76c0aef53
which can be used as unique global reference for Exploit Public-Facing Application Mitigation - T1190
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
external_id | T1190 |
Two-Factor Authentication Interception Mitigation - T1111
Remove smart cards when not in use. Protect devices and services used to transmit and receive out-of-band codes.
Identify and block potentially malicious software that may be used to intercept 2FA credentials on a system by using whitelisting (Citation: Beechey 2010) tools, like AppLocker, (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) or Software Restriction Policies (Citation: Corio 2008) where appropriate. (Citation: TechNet Applocker vs SRP)
Internal MISP references
UUID e8d22ec6-2236-48de-954b-974d17492782
which can be used as unique global reference for Two-Factor Authentication Interception Mitigation - T1111
in MISP communities and other software using the MISP galaxy
External references
- http://blog.jpcert.or.jp/2016/01/windows-commands-abused-by-attackers.html - webarchive
- http://technet.microsoft.com/en-us/magazine/2008.06.srp.aspx - webarchive
- http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599 - webarchive
- https://apps.nsa.gov/iaarchive/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm - webarchive
- https://attack.mitre.org/mitigations/T1111 - webarchive
- https://technet.microsoft.com/en-us/library/ee791851.aspx - webarchive
Associated metadata
Metadata key | Value |
---|---|
external_id | T1111 |
.bash_profile and .bashrc Mitigation - T1156
Making these files immutable and changeable only by designated administrators limits an adversary's ability to establish user-level persistence through them.
Internal MISP references
UUID 4f170666-7edb-4489-85c2-9affa28a72e0
which can be used as unique global reference for .bash_profile and .bashrc Mitigation - T1156
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
external_id | T1156 |
System Owner/User Discovery Mitigation - T1033
Identify unnecessary system utilities or potentially malicious software that may be used to acquire information about system users, and audit and/or block them by using whitelisting (Citation: Beechey 2010) tools, like AppLocker, (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) or Software Restriction Policies (Citation: Corio 2008) where appropriate. (Citation: TechNet Applocker vs SRP)
Internal MISP references
UUID 16f144e4-c780-4ed2-98b4-55d14e2dfa44
which can be used as unique global reference for System Owner/User Discovery Mitigation - T1033
in MISP communities and other software using the MISP galaxy
External references
- http://technet.microsoft.com/en-us/magazine/2008.06.srp.aspx - webarchive
- http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599 - webarchive
- https://apps.nsa.gov/iaarchive/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm - webarchive
- https://attack.mitre.org/mitigations/T1033 - webarchive
- https://blogs.jpcert.or.jp/en/2016/01/windows-commands-abused-by-attackers.html - webarchive
- https://technet.microsoft.com/en-us/library/ee791851.aspx - webarchive
Associated metadata
Metadata key | Value |
---|---|
external_id | T1033 |
Application Window Discovery Mitigation - T1010
Identify unnecessary system utilities or potentially malicious software that may be used to acquire information, and audit and/or block them by using whitelisting (Citation: Beechey 2010) tools, like AppLocker, (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) or Software Restriction Policies (Citation: Corio 2008) where appropriate. (Citation: TechNet Applocker vs SRP)
Internal MISP references
UUID 25d5e1d8-c6fb-4735-bc57-115a21222f4b
which can be used as unique global reference for Application Window Discovery Mitigation - T1010
in MISP communities and other software using the MISP galaxy
External references
- http://blog.jpcert.or.jp/2016/01/windows-commands-abused-by-attackers.html - webarchive
- http://technet.microsoft.com/en-us/magazine/2008.06.srp.aspx - webarchive
- http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599 - webarchive
- https://apps.nsa.gov/iaarchive/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm - webarchive
- https://attack.mitre.org/mitigations/T1010 - webarchive
- https://technet.microsoft.com/en-us/library/ee791851.aspx - webarchive
Associated metadata
Metadata key | Value |
---|---|
external_id | T1010 |
Behavior Prevention on Endpoint - M1040
Use capabilities to prevent suspicious behavior patterns from occurring on endpoint systems. This could include suspicious process, file, API call, etc. behavior.
Internal MISP references
UUID 90f39ee1-d5a3-4aaa-9f28-3b42815b0d46
which can be used as unique global reference for Behavior Prevention on Endpoint - M1040
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
external_id | M1040 |
Winlogon Helper DLL Mitigation - T1004
Limit the privileges of user accounts so that only authorized administrators can perform Winlogon helper changes.
Identify and block potentially malicious software that may be executed through the Winlogon helper process by using whitelisting (Citation: Beechey 2010) tools like AppLocker (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) that are capable of auditing and/or blocking unknown DLLs.
Internal MISP references
UUID 313c8b20-4d49-40c1-9ac0-4c573aca28f3
which can be used as unique global reference for Winlogon Helper DLL Mitigation - T1004
in MISP communities and other software using the MISP galaxy
External references
- http://blog.jpcert.or.jp/2016/01/windows-commands-abused-by-attackers.html - webarchive
- http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599 - webarchive
- https://apps.nsa.gov/iaarchive/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm - webarchive
- https://attack.mitre.org/mitigations/T1004 - webarchive
Associated metadata
Metadata key | Value |
---|---|
external_id | T1004 |
Compile After Delivery Mitigation - T1500
This type of technique cannot be easily mitigated with preventive controls or patched since it is based on the abuse of operating system design features. For example, blocking all file compilation may have unintended side effects, such as preventing legitimate OS frameworks and code development mechanisms from operating properly. Consider removing compilers if not needed, otherwise efforts should be focused on preventing adversary tools from running earlier in the chain of activity and on identifying subsequent malicious behavior.
Identify unnecessary system utilities or potentially malicious software that may be used to decrypt, deobfuscate, decode, and compile files or information, and audit and/or block them by using whitelisting (Citation: Beechey 2010) tools, like AppLocker, (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) or Software Restriction Policies (Citation: Corio 2008) where appropriate. (Citation: TechNet Applocker vs SRP)
Internal MISP references
UUID ae56a49d-5281-45c5-ab95-70a1439c338e
which can be used as unique global reference for Compile After Delivery Mitigation - T1500
in MISP communities and other software using the MISP galaxy
External references
- http://technet.microsoft.com/en-us/magazine/2008.06.srp.aspx - webarchive
- http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599 - webarchive
- https://apps.nsa.gov/iaarchive/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm - webarchive
- https://attack.mitre.org/mitigations/T1500 - webarchive
- https://blogs.jpcert.or.jp/en/2016/01/windows-commands-abused-by-attackers.html - webarchive
- https://technet.microsoft.com/en-us/library/ee791851.aspx - webarchive
Associated metadata
Metadata key | Value |
---|---|
external_id | T1500 |
Use Recent OS Version - M1006
New mobile operating system versions bring not only patches against discovered vulnerabilities but also often bring security architecture improvements that provide resilience against potential vulnerabilities or weaknesses that have not yet been discovered. They may also bring improvements that block use of observed adversary techniques.
Internal MISP references
UUID 0beabf44-e8d8-4ae4-9122-ef56369a2564
which can be used as unique global reference for Use Recent OS Version - M1006
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
external_id | M1006 |
System Service Discovery Mitigation - T1007
Identify unnecessary system utilities or potentially malicious software that may be used to acquire information about services, and audit and/or block them by using whitelisting (Citation: Beechey 2010) tools, like AppLocker, (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) or Software Restriction Policies (Citation: Corio 2008) where appropriate. (Citation: TechNet Applocker vs SRP)
Internal MISP references
UUID d8787791-d22e-45bb-a9a8-251d8d0a1ff2
which can be used as unique global reference for System Service Discovery Mitigation - T1007
in MISP communities and other software using the MISP galaxy
External references
- http://blog.jpcert.or.jp/2016/01/windows-commands-abused-by-attackers.html - webarchive
- http://technet.microsoft.com/en-us/magazine/2008.06.srp.aspx - webarchive
- http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599 - webarchive
- https://apps.nsa.gov/iaarchive/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm - webarchive
- https://attack.mitre.org/mitigations/T1007 - webarchive
- https://technet.microsoft.com/en-us/library/ee791851.aspx - webarchive
Associated metadata
Metadata key | Value |
---|---|
external_id | T1007 |
Taint Shared Content Mitigation - T1080
Protect shared folders by minimizing the users who have write access. Use utilities that detect or mitigate common features used in exploitation, such as the Microsoft Enhanced Mitigation Experience Toolkit (EMET); EMET reached end of support in 2018 and its mitigations are now provided by Exploit Protection in Windows Defender Exploit Guard.
Reduce potential lateral movement risk by using web-based document management and collaboration services that do not use network file and directory sharing.
Identify potentially malicious software that may be used to taint content or may result from it and audit and/or block the unknown programs by using whitelisting (Citation: Beechey 2010) tools, like AppLocker, (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) or Software Restriction Policies (Citation: Corio 2008) where appropriate. (Citation: TechNet Applocker vs SRP)
Internal MISP references
UUID f0a42cad-9b1f-44da-a672-718f18381018
which can be used as unique global reference for Taint Shared Content Mitigation - T1080
in MISP communities and other software using the MISP galaxy
External references
- http://technet.microsoft.com/en-us/magazine/2008.06.srp.aspx - webarchive
- http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599 - webarchive
- https://attack.mitre.org/mitigations/T1080 - webarchive
- https://blogs.jpcert.or.jp/en/2016/01/windows-commands-abused-by-attackers.html - webarchive
- https://technet.microsoft.com/en-us/library/ee791851.aspx - webarchive
- https://www.iad.gov/iad/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm - webarchive
Associated metadata
Metadata key | Value |
---|---|
external_id | T1080 |
Security Support Provider Mitigation - T1101
Windows 8.1, Windows Server 2012 R2, and later versions can run LSA as a Protected Process Light (PPL) by setting the registry value HKLM\SYSTEM\CurrentControlSet\Control\Lsa\RunAsPPL to 1, which requires all SSP DLLs loaded into LSA to be signed by Microsoft. (Citation: Graeber 2014) (Citation: Microsoft Configure LSA)
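The following PowerShell is an added example, not MITRE's or MISP's code. It rolls out LSA protection in the order the cited Microsoft guidance recommends: audit mode first (so third-party SSPs that would break are found before they silently stop working), then enforcement, then verification after a reboot. It assumes an elevated session on Windows 8.1 / Server 2012 R2 or later; the event IDs and registry values are the ones Microsoft documents for this feature.

```powershell
# Added example, not MITRE's or MISP's code. Assumes an elevated session.

$lsaKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$ifeoLsa = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\LSASS.exe'

# 1. Audit mode. AuditLevel=8 makes Code Integrity log the LSA plug-ins (SSPs,
#    authentication packages, password filters) that PPL would refuse, without
#    refusing them yet. Reboot, run normally for a while, then review the events.
New-Item -Path $ifeoLsa -Force | Out-Null
Set-ItemProperty -Path $ifeoLsa -Name AuditLevel -Value 8 -Type DWord

Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-CodeIntegrity/Operational'
    Id      = 3065, 3066       # plug-in would fail PPL signing / shared-section checks
} -ErrorAction SilentlyContinue | Select-Object TimeCreated, Id, Message

# 2. Enforce. With RunAsPPL=1, lsass.exe starts as a protected process at the next
#    boot and loads only Microsoft-signed SSP/AP DLLs. Any third-party SSP reported
#    in step 1 must be replaced first or it will stop working.
Set-ItemProperty -Path $lsaKey -Name RunAsPPL -Value 1 -Type DWord

# 3. Verify after the reboot. Wininit logs Event ID 12 in the System log:
#    "LSASS.exe was started as a protected process with level: 4".
Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 12 } -MaxEvents 200 -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -like '*LSASS.exe was started as a protected process*' } |
    Select-Object -First 1 TimeCreated, Message
```

Run steps 1 and 2 on separate days: the audit events only appear as plug-ins are actually loaded, so a single reboot in audit mode is not a sufficient sample.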
Internal MISP references
UUID 9e57c770-5a39-49a2-bb91-253ba629e3ac
which can be used as unique global reference for Security Support Provider Mitigation - T1101
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
external_id | T1101 |
Peripheral Device Discovery Mitigation - T1120
Identify unnecessary system utilities or potentially malicious software that may be used to acquire information about peripheral devices, and audit and/or block them by using whitelisting (Citation: Beechey 2010) tools, like AppLocker, (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) or Software Restriction Policies (Citation: Corio 2008) where appropriate. (Citation: TechNet Applocker vs SRP)
Internal MISP references
UUID 1881da33-fdf2-4eea-afd0-e04caf9c000f
which can be used as unique global reference for Peripheral Device Discovery Mitigation - T1120
in MISP communities and other software using the MISP galaxy
External references
- http://blog.jpcert.or.jp/2016/01/windows-commands-abused-by-attackers.html - webarchive
- http://technet.microsoft.com/en-us/magazine/2008.06.srp.aspx - webarchive
- http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599 - webarchive
- https://apps.nsa.gov/iaarchive/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm - webarchive
- https://attack.mitre.org/mitigations/T1120 - webarchive
- https://technet.microsoft.com/en-us/library/ee791851.aspx - webarchive
Associated metadata
Metadata key | Value |
---|---|
external_id | T1120 |
Password Policy Discovery Mitigation - T1201
Mitigating discovery of password policies is not advised, since the information must be known by the systems and users of a network. Instead, ensure password policies are strong enough to mitigate brute-force attacks, so that discovering them gives an adversary no advantage. Active Directory is a common way to set and enforce password policies throughout an enterprise network. (Citation: Microsoft Password Complexity)
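The following PowerShell is an added example, not MITRE's or MISP's code. It reads the domain's default password policy and flags the settings that leave brute forcing practical, then lists fine-grained policies because a lax one scoped to a privileged group overrides the defaults. It needs the ActiveDirectory RSAT module on a domain-joined host; the thresholds are this example's assumptions, so substitute your own standard.

```powershell
# Added example, not MITRE's or MISP's code. Thresholds below are assumptions.

Import-Module ActiveDirectory
$p = Get-ADDefaultDomainPasswordPolicy

$checks = @(
    @{ Check = 'Minimum length >= 14';                Pass = $p.MinPasswordLength -ge 14 }
    @{ Check = 'Complexity enabled';                  Pass = [bool]$p.ComplexityEnabled }
    @{ Check = 'Lockout threshold between 1 and 10';  Pass = $p.LockoutThreshold -ge 1 -and $p.LockoutThreshold -le 10 }
    # A duration of 0 means "locked until an administrator unlocks", which is stricter.
    @{ Check = 'Lockout duration >= 15 minutes or 0'; Pass = $p.LockoutDuration -eq [timespan]::Zero -or $p.LockoutDuration -ge [timespan]::FromMinutes(15) }
    @{ Check = 'Password history >= 24';              Pass = $p.PasswordHistoryCount -ge 24 }
    @{ Check = 'Reversible encryption disabled';      Pass = -not $p.ReversibleEncryptionEnabled }
)
foreach ($c in $checks) {
    [pscustomobject]@{ Check = $c.Check; Result = $(if ($c.Pass) { 'OK' } else { 'WEAK' }) }
}

# Fine-grained policies win over the default for the principals they apply to.
Get-ADFineGrainedPasswordPolicy -Filter * |
    Select-Object Name, Precedence, MinPasswordLength, LockoutThreshold, AppliesTo
```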
Internal MISP references
UUID 49961e75-b493-423a-9ec7-ac2d6f55384a
which can be used as unique global reference for Password Policy Discovery Mitigation - T1201
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
external_id | T1201 |
Install Root Certificate Mitigation - T1130
HTTP Public Key Pinning (HPKP) is one method to mitigate man-in-the-middle situations where an adversary uses a mis-issued or fraudulent certificate to intercept encrypted communications, by enforcing use of an expected certificate. (Citation: Wikipedia HPKP) HPKP has since been deprecated and removed by the major browsers, so it should not be relied on for new deployments.
Windows Group Policy can be used to manage root certificates, and the Flags value of HKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Root\ProtectedRoots can be set to 1 to prevent non-administrator users from making further root installations into their own HKCU certificate store. (Citation: SpectorOps Code Signing Dec 2017)
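The following PowerShell is an added example, not MITRE's or MISP's code. It applies the ProtectedRoots flag described above and then audits the roots already installed in the current user's registry store, which is where a user-level root installation lands. It assumes an elevated session; the output is for review, nothing is removed automatically.

```powershell
# Added example, not MITRE's or MISP's code. Assumes an elevated session.

$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\SystemCertificates\Root\ProtectedRoots'
New-Item -Path $policyKey -Force | Out-Null
Set-ItemProperty -Path $policyKey -Name Flags -Value 1 -Type DWord   # 1 = block non-admin root installs into HKCU

# Roots installed into the user profile are keyed by thumbprint under this path.
$userRootKey = 'HKCU:\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates'
$userThumbs  = Get-ChildItem -Path $userRootKey -ErrorAction SilentlyContinue |
    Select-Object -ExpandProperty PSChildName

if (-not $userThumbs) {
    'No user-installed root certificates found.'
} else {
    # Resolve the thumbprints through the Cert: drive to see what each root could
    # be used to impersonate.
    Get-ChildItem -Path Cert:\CurrentUser\Root |
        Where-Object { $userThumbs -contains $_.Thumbprint } |
        Select-Object Subject, Issuer, NotAfter, Thumbprint |
        Format-Table -AutoSize
}
```

Anything listed that is not an enterprise CA you recognise deserves the same handling as a credential compromise on that user, since every TLS session from the profile trusted it.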
Internal MISP references
UUID 23061b40-a7b6-454f-8950-95d5ff80331c
which can be used as unique global reference for Install Root Certificate Mitigation - T1130
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
external_id | T1130 |
Modify Existing Service Mitigation - T1031
Use auditing tools capable of detecting privilege and service abuse opportunities on systems within an enterprise and correct them. Limit privileges of user accounts and groups so that only authorized administrators can interact with service changes and service configurations. Toolkits like the PowerSploit framework contain the PowerUp module, which can be used to explore systems for privilege escalation weaknesses. (Citation: Powersploit)
Identify and block potentially malicious software that may be executed through service abuse by using whitelisting (Citation: Beechey 2010) tools like AppLocker (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) that are capable of auditing and/or blocking unknown programs.
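The following PowerShell is an added example, not MITRE's or MISP's code and not PowerUp itself. It performs a small audit in the spirit of the PowerUp checks mentioned above: services whose executable or its directory can be modified by low-privileged users, and services with unquoted paths containing spaces (a planted EXE earlier in the path would run as the service account). It assumes an elevated session on the host being audited; every hit is a finding to review, not proof of compromise.

```powershell
# Added example, not MITRE's or MISP's code. Assumes an elevated session.

$lowPrivSids = 'S-1-1-0', 'S-1-5-11', 'S-1-5-32-545'   # Everyone, Authenticated Users, BUILTIN\Users
$writeMask   = [int][System.Security.AccessControl.FileSystemRights]'Write, Modify, FullControl, TakeOwnership, ChangePermissions'

function Test-LowPrivWritable {
    param([string]$Path)
    try { $acl = Get-Acl -LiteralPath $Path -ErrorAction Stop } catch { return $false }
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        try {
            $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value
        } catch { continue }
        if ($lowPrivSids -contains $sid -and (([int]$ace.FileSystemRights -band $writeMask) -ne 0)) {
            return $true
        }
    }
    return $false
}

Get-CimInstance -ClassName Win32_Service | ForEach-Object {
    $svc = $_
    $raw = $svc.PathName
    if (-not $raw) { return }

    # Recover the executable from the command line: quoted path, else up to the first .exe.
    if     ($raw -match '^"([^"]+)"')  { $exe = $Matches[1] }
    elseif ($raw -match '^(.+?\.exe)') { $exe = $Matches[1] }
    else                               { $exe = ($raw -split ' ')[0] }
    $exe = [Environment]::ExpandEnvironmentVariables($exe)

    $findings = @()
    if ($raw -notmatch '^"' -and $exe -match ' ') { $findings += 'unquoted path with spaces' }
    if (Test-LowPrivWritable -Path $exe)          { $findings += 'executable writable by low-privileged users' }
    $dir = Split-Path -Path $exe -Parent
    if ($dir -and (Test-LowPrivWritable -Path $dir)) { $findings += 'executable directory writable by low-privileged users' }

    if ($findings.Count -gt 0) {
        [pscustomobject]@{
            Service  = $svc.Name
            RunsAs   = $svc.StartName
            Path     = $exe
            Findings = $findings -join '; '
        }
    }
} | Format-Table -AutoSize -Wrap
```

A finding on a service that runs as LocalSystem is a direct privilege escalation path and should be fixed by correcting the ACL or quoting the path, then re-running the audit.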
Internal MISP references
UUID fe0aeb41-1a51-4152-8467-628256ea6adf
which can be used as unique global reference for Modify Existing Service Mitigation - T1031
in MISP communities and other software using the MISP galaxy
External references
- http://blog.jpcert.or.jp/2016/01/windows-commands-abused-by-attackers.html - webarchive
- http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599 - webarchive
- https://apps.nsa.gov/iaarchive/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm - webarchive
- https://attack.mitre.org/mitigations/T1031 - webarchive
- https://github.com/mattifestation/PowerSploit - webarchive
Associated metadata
Metadata key | Value |
---|---|
external_id | T1031 |
Remote File Copy Mitigation - T1105
Network intrusion detection and prevention systems that use network signatures to identify traffic for specific adversary malware or unusual data transfer over known tools and protocols like FTP can be used to mitigate activity at the network level. Signatures are often for unique indicators within protocols and may be based on the specific obfuscation technique used by a particular adversary or tool, and will likely be different across various malware families and versions. Adversaries will likely change tool C2 signatures over time or construct protocols in such a way as to avoid detection by common defensive tools. (Citation: University of Birmingham C2)
Internal MISP references
UUID cdecc44a-1dbf-4c1f-881c-f21e3f47272a
which can be used as unique global reference for Remote File Copy Mitigation - T1105
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
external_id | T1105 |
Graphical User Interface Mitigation - T1061
Prevent adversaries from gaining access to credentials through Credential Access that can be used to log into remote desktop sessions on systems.
Identify unnecessary system utilities, third-party tools, or potentially malicious software that may be used to log into remote interactive sessions, and audit and/or block them by using whitelisting (Citation: Beechey 2010) tools, like AppLocker (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) and Software Restriction Policies (Citation: Corio 2008) where appropriate. (Citation: TechNet Applocker vs SRP)
Internal MISP references
UUID aaa92b37-f96c-4a0a-859c-b1cb6faeb13d
which can be used as unique global reference for Graphical User Interface Mitigation - T1061
in MISP communities and other software using the MISP galaxy
External references
- http://technet.microsoft.com/en-us/magazine/2008.06.srp.aspx - webarchive
- http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599 - webarchive
- https://apps.nsa.gov/iaarchive/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm - webarchive
- https://attack.mitre.org/mitigations/T1061 - webarchive
- https://blogs.jpcert.or.jp/en/2016/01/windows-commands-abused-by-attackers.html - webarchive
- https://technet.microsoft.com/en-us/library/ee791851.aspx - webarchive
Associated metadata
Metadata key | Value |
---|---|
external_id | T1061 |
Application Deployment Software Mitigation - T1017
Grant access to application deployment systems only to a limited number of authorized administrators. Ensure proper system and access isolation for critical network systems through use of firewalls, account privilege separation, group policy, and multifactor authentication. Verify that account credentials that may be used to access deployment systems are unique and not used throughout the enterprise network. Patch deployment systems regularly to prevent potential remote access through Exploitation for Privilege Escalation.
If the application deployment system can be configured to deploy only signed binaries, then ensure that the trusted signing certificates are not co-located with the application deployment system and are instead located on a system that cannot be accessed remotely or to which remote access is tightly controlled.
Internal MISP references
UUID c88151a5-fe3f-4773-8147-d801587065a4
which can be used as unique global reference for Application Deployment Software Mitigation - T1017
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
external_id | T1017 |
Credentials in Files Mitigation - T1081
Establish an organizational policy that prohibits password storage in files. Ensure that developers and system administrators are aware of the risk associated with having plaintext passwords in software configuration files that may be left on endpoint systems or servers. Preemptively search for files containing passwords and remove them when found. Restrict file shares to specific directories with access only to necessary users. Remove Group Policy Preferences that store passwords, the weakness addressed by MS14-025. (Citation: Microsoft MS14-025)
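The following PowerShell is an added example, not MITRE's or MISP's code. It runs the two sweeps the text calls for: Group Policy Preference XML in SYSVOL that still carries a cpassword attribute (the MS14-025 issue; the AES key used for it is public), and plaintext secrets in configuration and script files on the local host. It assumes a domain-joined session that can read SYSVOL; the search roots, extensions and patterns are a starting point chosen for the example, not a complete list.

```powershell
# Added example, not MITRE's or MISP's code. Roots, extensions and patterns are assumptions.

$domain = (Get-CimInstance -ClassName Win32_ComputerSystem).Domain
$sysvol = "\\$domain\SYSVOL\$domain\Policies"

# 1. GPP files that can embed credentials (cpassword attribute).
$gppFiles = 'Groups.xml', 'Services.xml', 'ScheduledTasks.xml', 'DataSources.xml', 'Drives.xml', 'Printers.xml'
Get-ChildItem -Path $sysvol -Recurse -File -Include $gppFiles -ErrorAction SilentlyContinue |
    Select-String -Pattern 'cpassword="[^"]+"' |
    Select-Object Path, LineNumber |
    Format-Table -AutoSize

# 2. Plaintext credentials in config and script files. Patterns are deliberately broad;
#    expect false positives and triage them.
$roots = "$env:ProgramData", "$env:ProgramFiles", "$env:USERPROFILE", 'C:\inetpub'
$exts  = '*.config', '*.ini', '*.xml', '*.json', '*.yml', '*.yaml', '*.txt', '*.ps1', '*.bat', '*.cmd', '*.env', '*.pem', '*.key'
$patterns = @(
    '(password|passwd|pwd)\s*[=:]\s*\S+'   # password=..., pwd: ...
    'connectionstring.*(pwd|password)='    # ADO / ODBC connection strings
    'aws_secret_access_key\s*='            # cloud CLI credential files
    'BEGIN (RSA |OPENSSH |EC )?PRIVATE KEY'
)
Get-ChildItem -Path $roots -Recurse -File -Include $exts -ErrorAction SilentlyContinue |
    Where-Object { $_.Length -lt 5MB } |
    Select-String -Pattern $patterns -List |
    Select-Object Path, LineNumber, @{ n = 'Line'; e = { $_.Line.Trim() } } |
    Format-Table -Wrap
```

Treat every cpassword hit as a compromised credential: rotate the account, then delete the preference rather than editing the XML, since the file history in SYSVOL replication may retain the old value.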
Internal MISP references
UUID 0472af99-f25c-4abe-9fce-010fa3450e72
which can be used as unique global reference for Credentials in Files Mitigation - T1081
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
external_id | T1081 |
Remote System Discovery Mitigation - T1018
Identify unnecessary system utilities or potentially malicious software that may be used to acquire information on remotely available systems, and audit and/or block them by using whitelisting (Citation: Beechey 2010) tools, like AppLocker, (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) or Software Restriction Policies (Citation: Corio 2008) where appropriate. (Citation: TechNet Applocker vs SRP)
Internal MISP references
UUID 9a902722-cecd-4fbe-a6c9-49333aa0f8c2
which can be used as unique global reference for Remote System Discovery Mitigation - T1018
in MISP communities and other software using the MISP galaxy
External references
- http://blog.jpcert.or.jp/2016/01/windows-commands-abused-by-attackers.html - webarchive
- http://technet.microsoft.com/en-us/magazine/2008.06.srp.aspx - webarchive
- http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599 - webarchive
- https://apps.nsa.gov/iaarchive/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm - webarchive
- https://attack.mitre.org/mitigations/T1018 - webarchive
- https://technet.microsoft.com/en-us/library/ee791851.aspx - webarchive
Associated metadata
Metadata key | Value |
---|---|
external_id | T1018 |
Indirect Command Execution Mitigation - T1202
Identify and block potentially malicious software that may contain abusive functionality by using whitelisting (Citation: Beechey 2010) tools, like AppLocker, (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) or Software Restriction Policies (Citation: Corio 2008) where appropriate. (Citation: TechNet Applocker vs SRP) These mechanisms can also be used to disable and/or limit user access to Windows utilities and file types/locations used to invoke malicious execution. (Citation: SpectorOPs SettingContent-ms Jun 2018)
Internal MISP references
UUID 1e614ba5-2fc5-4464-b512-2ceafb14d76d
which can be used as unique global reference for Indirect Command Execution Mitigation - T1202
in MISP communities and other software using the MISP galaxy
External references
- http://technet.microsoft.com/en-us/magazine/2008.06.srp.aspx - webarchive
- http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599 - webarchive
- https://apps.nsa.gov/iaarchive/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm - webarchive
- https://attack.mitre.org/mitigations/T1202 - webarchive
- https://blogs.jpcert.or.jp/en/2016/01/windows-commands-abused-by-attackers.html - webarchive
- https://posts.specterops.io/the-tale-of-settingcontent-ms-files-f1ea253e4d39 - webarchive
- https://technet.microsoft.com/en-us/library/ee791851.aspx - webarchive
Associated metadata
Metadata key | Value |
---|---|
external_id | T1202 |
XSL Script Processing Mitigation - T1220
Windows Management Instrumentation and/or msxsl.exe may or may not be used within a given environment. Disabling WMI may cause system instability and should be evaluated to assess the impact to a network. If msxsl.exe is unnecessary, then block its execution to prevent abuse by adversaries.
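The following PowerShell is an added example, not MITRE's or MISP's code. It shows the AppLocker blocking step recommended here for msxsl.exe, and the same procedure applies to the AppLocker recommendations repeated in the discovery and execution mitigations above. It assumes an elevated session, that $reference is a hypothetical path to a copy of the binary to block, and that the Application Identity service is running, without which no AppLocker rule is enforced. A hash deny rule catches that exact build only; the durable control is a default-deny allowlist (AppLocker's default rules), under which an msxsl.exe dropped into a user-writable directory is denied without any specific rule.

```powershell
# Added example, not MITRE's or MISP's code. $reference is a hypothetical path.

$reference  = 'C:\Quarantine\msxsl.exe'
$policyFile = Join-Path $env:TEMP 'deny-msxsl.xml'

if ((Get-Service -Name AppIDSvc).Status -ne 'Running') {
    Write-Warning 'Application Identity service is not running; AppLocker rules will not be enforced.'
}

# New-AppLockerPolicy only emits Allow rules, so generate a hash rule from the reference
# binary and flip the action. Deny rules take precedence over Allow rules, and a hash
# rule cannot be dodged by renaming or moving the file (only by rebuilding it).
$fileInfo = Get-AppLockerFileInformation -Path $reference
$xml = New-AppLockerPolicy -FileInformation $fileInfo -RuleType Hash -User Everyone `
           -RuleNamePrefix 'T1220 Deny msxsl' -Xml
$xml = $xml -replace 'Action="Allow"', 'Action="Deny"'
Set-Content -Path $policyFile -Value $xml -Encoding UTF8

# Dry run: what would this policy decide for the reference file?
Test-AppLockerPolicy -XmlPolicy $policyFile -Path $reference -User Everyone |
    Select-Object FilePath, PolicyDecision, MatchingRule

# Merge into the local policy (use a GPO for fleet-wide rollout). Keep the Exe collection
# in AuditOnly first and review Event ID 8003 ("would have been prevented") in the
# Microsoft-Windows-AppLocker/EXE and DLL log before switching it to Enabled.
Set-AppLockerPolicy -XmlPolicy $policyFile -Merge

# Confirm the deny rule is part of the effective policy.
[xml]$effective = Get-AppLockerPolicy -Effective -Xml
$effective.AppLockerPolicy.RuleCollection |
    Where-Object { $_.Type -eq 'Exe' } |
    ForEach-Object { $_.FileHashRule } |
    Where-Object { $_.Action -eq 'Deny' } |
    Select-Object Name, Action
```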
Internal MISP references
UUID 7708ac15-4beb-4863-a1a5-da2d63fb8a3c
which can be used as unique global reference for XSL Script Processing Mitigation - T1220
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
external_id | T1220 |
Standard Cryptographic Protocol Mitigation - T1032
Network intrusion detection and prevention systems that use network signatures to identify traffic for specific adversary malware can be used to mitigate activity at the network level. Use of encryption protocols may make typical network-based C2 detection more difficult due to a reduced ability to signature the traffic. Prior knowledge of adversary C2 infrastructure may be useful for domain and IP address blocking, but will likely not be an effective long-term solution because adversaries can change infrastructure often. (Citation: University of Birmingham C2)
Internal MISP references
UUID a766ce73-5583-48f3-b7c0-0bb43c6ef8c7
which can be used as unique global reference for Standard Cryptographic Protocol Mitigation - T1032
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
external_id | T1032 |
Custom Cryptographic Protocol Mitigation - T1024
Network intrusion detection and prevention systems that use network signatures to identify traffic for specific adversary malware can be used to mitigate activity at the network level. Since the custom protocol used may not adhere to typical protocol standards, there may be opportunities to signature the traffic on a network level for detection. Signatures are often for unique indicators within protocols and may be based on the specific protocol used by a particular adversary or tool, and will likely be different across various malware families and versions. Adversaries will likely change tool C2 signatures over time or construct protocols in such a way as to avoid detection by common defensive tools. (Citation: University of Birmingham C2)
Internal MISP references
UUID a569295c-a093-4db4-9fb4-7105edef85ad
which can be used as unique global reference for Custom Cryptographic Protocol Mitigation - T1024
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
external_id | T1024 |
System Information Discovery Mitigation - T1082
Identify unnecessary system utilities or potentially malicious software that may be used to acquire information about the operating system and underlying hardware, and audit and/or block them by using whitelisting (Citation: Beechey 2010) tools, like AppLocker, (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) or Software Restriction Policies (Citation: Corio 2008) where appropriate. (Citation: TechNet Applocker vs SRP)
Internal MISP references
UUID c620e3a1-fff5-424f-abea-d2b0f3616f67
which can be used as unique global reference for System Information Discovery Mitigation - T1082
in MISP communities and other software using the MISP galaxy
External references
- http://blog.jpcert.or.jp/2016/01/windows-commands-abused-by-attackers.html - webarchive
- http://technet.microsoft.com/en-us/magazine/2008.06.srp.aspx - webarchive
- http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599 - webarchive
- https://apps.nsa.gov/iaarchive/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm - webarchive
- https://attack.mitre.org/mitigations/T1082 - webarchive
- https://technet.microsoft.com/en-us/library/ee791851.aspx - webarchive
Associated metadata
Metadata key | Value |
---|---|
external_id | T1082 |
Windows Remote Management Mitigation - T1028
Disable the WinRM service. If the service is necessary, lock down critical enclaves with separate WinRM infrastructure, accounts, and permissions. Follow WinRM best practices on configuration of authentication methods and use of host firewalls to restrict WinRM access to allow communication only to/from specific devices. (Citation: NSA Spotting)
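The following PowerShell is an added example, not MITRE's or MISP's code. It implements the choices in the text: disable WinRM on hosts that are never managed through it; otherwise limit inbound WinRM to a management subnet with the host firewall and tighten the service's authentication settings. It assumes an elevated session; 10.10.0.0/24 is a placeholder for the jump-host network, and Kerberos/Negotiate is left enabled for domain accounts.

```powershell
# Added example, not MITRE's or MISP's code. $mgmtSubnet is a placeholder.

$mgmtSubnet = '10.10.0.0/24'
$needWinRM  = $true      # set to $false for hosts that must not be reachable over WinRM

if (-not $needWinRM) {
    Stop-Service -Name WinRM
    Set-Service  -Name WinRM -StartupType Disabled
    Get-NetFirewallRule -DisplayGroup 'Windows Remote Management' | Disable-NetFirewallRule
    return
}

# Host firewall: accept WinRM (TCP 5985/5986) only from the management subnet.
Get-NetFirewallRule -DisplayGroup 'Windows Remote Management' -Direction Inbound |
    Set-NetFirewallRule -RemoteAddress $mgmtSubnet

# Service settings: no Basic auth, no CredSSP (credential delegation to this host),
# no unencrypted payloads. Credentials then travel only inside Kerberos/Negotiate or TLS.
Set-Item -Path WSMan:\localhost\Service\Auth\Basic       -Value $false
Set-Item -Path WSMan:\localhost\Service\Auth\CredSSP     -Value $false
Set-Item -Path WSMan:\localhost\Service\AllowUnencrypted -Value $false

# Verify what is now exposed.
Get-ChildItem -Path WSMan:\localhost\Service\Auth | Select-Object Name, Value
Get-NetFirewallRule -DisplayGroup 'Windows Remote Management' -Direction Inbound -Enabled True |
    Get-NetFirewallAddressFilter |
    Select-Object RemoteAddress
```

For critical enclaves, pair this with dedicated management accounts that exist only for WinRM use, so that a credential stolen from an ordinary workstation cannot open a remote shell on the enclave hosts.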
Internal MISP references
UUID 3e9f8875-d2f7-4380-a578-84393bd3b025
which can be used as unique global reference for Windows Remote Management Mitigation - T1028
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
external_id | T1028 |
Commonly Used Port Mitigation - T1043
Network intrusion detection and prevention systems that use network signatures to identify traffic for specific adversary malware can be used to mitigate activity at the network level. Signatures are often for unique indicators within protocols and may be based on the specific protocol used by a particular adversary or tool, and will likely be different across various malware families and versions. Adversaries will likely change tool C2 signatures over time or construct protocols in such a way as to avoid detection by common defensive tools. (Citation: University of Birmingham C2)
Internal MISP references
UUID 7c1796c7-9fc3-4c3e-9416-527295bf5d95
which can be used as unique global reference for Commonly Used Port Mitigation - T1043
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
external_id | T1043 |
Security Software Discovery Mitigation - T1063
Identify unnecessary system utilities or potentially malicious software that may be used to acquire information about local security software, and audit and/or block them by using whitelisting (Citation: Beechey 2010) tools, like AppLocker, (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) or Software Restriction Policies (Citation: Corio 2008) where appropriate. (Citation: TechNet Applocker vs SRP)
Internal MISP references
UUID bd2554b8-634f-4434-a986-9b49c29da2ae
which can be used as unique global reference for Security Software Discovery Mitigation - T1063
in MISP communities and other software using the MISP galaxy
External references
- http://technet.microsoft.com/en-us/magazine/2008.06.srp.aspx - webarchive
- http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599 - webarchive
- https://apps.nsa.gov/iaarchive/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm - webarchive
- https://attack.mitre.org/mitigations/T1063 - webarchive
- https://blogs.jpcert.or.jp/en/2016/01/windows-commands-abused-by-attackers.html - webarchive
- https://technet.microsoft.com/en-us/library/ee791851.aspx - webarchive
Associated metadata
Metadata key | Value |
---|---|
external_id | T1063 |
Network Service Scanning Mitigation - T1046
Use network intrusion detection/prevention systems to detect and prevent remote service scans. Ensure that unnecessary ports and services are closed and proper network segmentation is followed to protect critical servers and devices.
Identify unnecessary system utilities or potentially malicious software that may be used to acquire information about services running on remote systems, and audit and/or block them by using whitelisting (Citation: Beechey 2010) tools like AppLocker (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) or Software Restriction Policies (Citation: Corio 2008) where appropriate. (Citation: TechNet Applocker vs SRP)
Internal MISP references
UUID d256cb63-b021-4b4a-bb6d-1b42eea179a3
which can be used as unique global reference for Network Service Scanning Mitigation - T1046
in MISP communities and other software using the MISP galaxy
External references
- http://technet.microsoft.com/en-us/magazine/2008.06.srp.aspx - webarchive
- http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599 - webarchive
- https://apps.nsa.gov/iaarchive/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm - webarchive
- https://attack.mitre.org/mitigations/T1046 - webarchive
- https://blogs.jpcert.or.jp/en/2016/01/windows-commands-abused-by-attackers.html - webarchive
- https://technet.microsoft.com/en-us/library/ee791851.aspx - webarchive
Associated metadata
Metadata key | Value |
---|---|
external_id | T1046 |
Application Isolation and Sandboxing - M1048
Restrict execution of code to a virtual environment on or in transit to an endpoint system.
Internal MISP references
UUID b9f0c069-abbe-4a07-a245-2481219a1463
which can be used as unique global reference for Application Isolation and Sandboxing - M1048
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
external_id | M1048 |
Inhibit System Recovery Mitigation - T1490
Consider technical controls to prevent the disabling of services or deletion of files involved in system recovery.
Consider implementing IT disaster recovery plans that contain procedures for taking regular data backups that can be used to restore organizational data. (Citation: Ready.gov IT DRP) Ensure backups are stored off system and are protected from common methods adversaries may use to gain access and destroy the backups to prevent recovery.
Identify potentially malicious software and audit and/or block it by using whitelisting (Citation: Beechey 2010) tools like AppLocker (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) or Software Restriction Policies (Citation: Corio 2008) where appropriate. (Citation: TechNet Applocker vs SRP)
Internal MISP references
UUID bb25b897-bfc7-4128-839d-52e9764dbfa6
which can be used as unique global reference for Inhibit System Recovery Mitigation - T1490
in MISP communities and other software using the MISP galaxy
External references
- http://blog.jpcert.or.jp/2016/01/windows-commands-abused-by-attackers.html - webarchive
- http://technet.microsoft.com/en-us/magazine/2008.06.srp.aspx - webarchive
- http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599 - webarchive
- https://apps.nsa.gov/iaarchive/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm - webarchive
- https://attack.mitre.org/mitigations/T1490 - webarchive
- https://technet.microsoft.com/en-us/library/ee791851.aspx - webarchive
- https://www.ready.gov/business/implementation/IT - webarchive
Associated metadata
Metadata key | Value |
---|---|
external_id | T1490 |
Uncommonly Used Port Mitigation - T1065
Properly configure firewalls and proxies to limit outgoing traffic to only necessary ports.
Network intrusion detection and prevention systems that use network signatures to identify traffic for specific adversary malware can be used to mitigate activity at the network level. Signatures are often for unique indicators within protocols and may be based on the specific protocol used by a particular adversary or tool, and will likely be different across various malware families and versions. Adversaries will likely change tool C2 signatures over time or construct protocols in such a way as to avoid detection by common defensive tools. (Citation: University of Birmingham C2)
Internal MISP references
UUID a0d8db1d-a731-4428-8209-c07175f4b1fe
which can be used as unique global reference for Uncommonly Used Port Mitigation - T1065
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
external_id | T1065 |
Pass the Hash Mitigation - T1075
Monitor systems and domain logs for unusual credential logon activity. Prevent access to Valid Accounts. Apply patch KB2871997 to Windows 7 and higher systems to limit the default access of accounts in the local administrator group.
Enable pass the hash mitigations to apply UAC restrictions to local accounts on network logon. The associated Registry key is located at HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\LocalAccountTokenFilterPolicy
Through GPO: Computer Configuration > [Policies] > Administrative Templates > SCM: Pass the Hash Mitigations: Apply UAC restrictions to local accounts on network logons. (Citation: GitHub IAD Secure Host Baseline UAC Filtering)
Limit credential overlap across systems to prevent the damage of credential compromise and reduce the adversary's ability to perform Lateral Movement between systems. Ensure that built-in and created local administrator accounts have complex, unique passwords. Do not allow a domain user to be in the local administrator group on multiple systems.
Internal MISP references
UUID bcee7b05-89a6-41a5-b7aa-fce4da7ede9e
which can be used as unique global reference for Pass the Hash Mitigation - T1075
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
external_id | T1075 |
Remote Desktop Protocol Mitigation - T1076
Disable the RDP service if it is unnecessary, remove unnecessary accounts and groups from Remote Desktop Users groups, and enable firewall rules to block RDP traffic between network security zones. Audit the Remote Desktop Users group membership regularly. Remove the local Administrators group from the list of groups allowed to log in through RDP. Limit remote user permissions if remote access is necessary. Use remote desktop gateways and multifactor authentication for remote logins. (Citation: Berkley Secure) Do not leave RDP accessible from the internet. Change GPOs to define shorter session timeouts and the maximum amount of time any single session can be active. Change GPOs to specify the maximum amount of time that a disconnected session stays active on the RD session host server. (Citation: Windows RDP Sessions)
Internal MISP references
UUID 53b3b027-bed3-480c-9101-1247047d0fe6
which can be used as unique global reference for Remote Desktop Protocol Mitigation - T1076
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
external_id | T1076 |
NTFS File Attributes Mitigation - T1096
It may be difficult or inadvisable to block access to EA and ADSs. (Citation: Microsoft ADS Mar 2014) (Citation: Symantec ADS May 2009) Efforts should be focused on preventing potentially malicious software from running. Identify and block potentially malicious software that may contain functionality to hide information in EA and ADSs by using whitelisting (Citation: Beechey 2010) tools like AppLocker (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) or Software Restriction Policies (Citation: Corio 2008) where appropriate. (Citation: TechNet Applocker vs SRP)
Consider adjusting read and write permissions for NTFS EA, though this should be tested to ensure routine OS operations are not impeded. (Citation: InsiderThreat NTFS EA Oct 2017)
Internal MISP references
UUID ac008435-af58-4f77-988a-c9b96c5920f5
which can be used as unique global reference for NTFS File Attributes Mitigation - T1096
in MISP communities and other software using the MISP galaxy
External references
- http://technet.microsoft.com/en-us/magazine/2008.06.srp.aspx - webarchive
- http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599 - webarchive
- https://apps.nsa.gov/iaarchive/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm - webarchive
- https://attack.mitre.org/mitigations/T1096 - webarchive
- https://blog.stealthbits.com/attack-step-3-persistence-ntfs-extended-attributes-file-system-attacks - webarchive
- https://blogs.jpcert.or.jp/en/2016/01/windows-commands-abused-by-attackers.html - webarchive
- https://blogs.technet.microsoft.com/askcore/2013/03/24/alternate-data-streams-in-ntfs/ - webarchive
- https://technet.microsoft.com/en-us/library/ee791851.aspx - webarchive
- https://www.symantec.com/connect/articles/what-you-need-know-about-alternate-data-streams-windows-your-data-secure-can-you-restore - webarchive
Associated metadata
Metadata key | Value |
---|---|
external_id | T1096 |
Permission Groups Discovery Mitigation - T1069
Identify unnecessary system utilities or potentially malicious software that may be used to acquire information about groups and permissions, and audit and/or block them by using whitelisting (Citation: Beechey 2010) tools like AppLocker (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) or Software Restriction Policies (Citation: Corio 2008) where appropriate. (Citation: TechNet Applocker vs SRP)
Internal MISP references
UUID dd9a85ad-6a92-4986-a215-b01d0ce7b987
which can be used as unique global reference for Permission Groups Discovery Mitigation - T1069
in MISP communities and other software using the MISP galaxy
External references
- http://blog.jpcert.or.jp/2016/01/windows-commands-abused-by-attackers.html - webarchive
- http://technet.microsoft.com/en-us/magazine/2008.06.srp.aspx - webarchive
- http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599 - webarchive
- https://apps.nsa.gov/iaarchive/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm - webarchive
- https://attack.mitre.org/mitigations/T1069 - webarchive
- https://technet.microsoft.com/en-us/library/ee791851.aspx - webarchive
Associated metadata
Metadata key | Value |
---|---|
external_id | T1069 |
Windows Admin Shares Mitigation - T1077
Do not reuse local administrator account passwords across systems. Ensure password complexity and uniqueness such that the passwords cannot be cracked or guessed. Deny remote use of local admin credentials to log into systems. Do not allow domain user accounts to be in the local Administrators group on multiple systems.
Identify unnecessary system utilities or potentially malicious software that may be used to leverage SMB and the Windows admin shares, and audit and/or block them by using whitelisting (Citation: Beechey 2010) tools like AppLocker (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) or Software Restriction Policies (Citation: Corio 2008) where appropriate. (Citation: TechNet Applocker vs SRP)
Internal MISP references
UUID 308855d1-078b-47ad-8d2a-8f9b2713ffb5
which can be used as unique global reference for Windows Admin Shares Mitigation - T1077
in MISP communities and other software using the MISP galaxy
External references
- http://blog.jpcert.or.jp/2016/01/windows-commands-abused-by-attackers.html - webarchive
- http://technet.microsoft.com/en-us/magazine/2008.06.srp.aspx - webarchive
- http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599 - webarchive
- https://apps.nsa.gov/iaarchive/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm - webarchive
- https://attack.mitre.org/mitigations/T1077 - webarchive
- https://technet.microsoft.com/en-us/library/ee791851.aspx - webarchive
Associated metadata
Metadata key | Value |
---|---|
external_id | T1077 |
Pass the Ticket Mitigation - T1097
Monitor domains for unusual credential logons. Limit credential overlap across systems to prevent the damage of credential compromise. Ensure that local administrator accounts have complex, unique passwords. Do not allow a user to be a local administrator for multiple systems. Limit domain admin account permissions to domain controllers and limited servers. Delegate other admin functions to separate accounts. (Citation: ADSecurity AD Kerberos Attacks)
For containing the impact of a previously generated golden ticket, reset the built-in KRBTGT account password twice, which will invalidate any existing golden tickets that have been created with the KRBTGT hash and other Kerberos tickets derived from it. (Citation: CERT-EU Golden Ticket Protection)
Attempt to identify and block unknown or malicious software that could be used to obtain Kerberos tickets and use them to authenticate by using whitelisting (Citation: Beechey 2010) tools like AppLocker (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) or Software Restriction Policies (Citation: Corio 2008) where appropriate. (Citation: TechNet Applocker vs SRP)
Internal MISP references
UUID 3a476d83-43eb-4fad-9b75-b1febd834e3d
which can be used as unique global reference for Pass the Ticket Mitigation - T1097
in MISP communities and other software using the MISP galaxy
External references
- http://technet.microsoft.com/en-us/magazine/2008.06.srp.aspx - webarchive
- http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599 - webarchive
- https://adsecurity.org/?p=556 - webarchive
- https://apps.nsa.gov/iaarchive/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm - webarchive
- https://attack.mitre.org/mitigations/T1097 - webarchive
- https://blogs.jpcert.or.jp/en/2016/01/windows-commands-abused-by-attackers.html - webarchive
- https://cert.europa.eu/static/WhitePapers/UPDATED%20-%20CERT-EU_Security_Whitepaper_2014-007_Kerberos_Golden_Ticket_Protection_v1_4.pdf - webarchive
- https://technet.microsoft.com/en-us/library/ee791851.aspx - webarchive
Associated metadata
Metadata key | Value |
---|---|
external_id | T1097 |
Disabling Security Tools Mitigation - T1089
Ensure proper process, registry, and file permissions are in place to prevent adversaries from disabling or interfering with security services.
Internal MISP references
UUID 388606d3-f38f-45bf-885d-a9dc9df3c8a8
which can be used as unique global reference for Disabling Security Tools Mitigation - T1089
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
external_id | T1089 |
Space after Filename Mitigation - T1151
Prevent files from having a trailing space after the extension.
Internal MISP references
UUID 02f0f92a-0a51-4c94-9bda-6437b9a93f22
which can be used as unique global reference for Space after Filename Mitigation - T1151
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
external_id | T1151 |
Credentials in Registry Mitigation - T1214
Do not store credentials within the Registry. Proactively search for credentials within Registry keys and attempt to remediate the risk. If required software must store credentials, then ensure those accounts have limited permissions so they cannot be abused if obtained by an adversary.
Internal MISP references
UUID 4490fee2-5c70-4db3-8db5-8d88767dbd55
which can be used as unique global reference for Credentials in Registry Mitigation - T1214
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
external_id | T1214 |
System Time Discovery Mitigation - T1124
Benign software uses legitimate processes to gather system time. Efforts should be focused on preventing unwanted or unknown code from executing on a system. Some common tools, such as net.exe, may be blocked by policy to prevent common ways of acquiring remote system time.
Identify unnecessary system utilities or potentially malicious software that may be used to acquire system time information, and audit and/or block them by using whitelisting (Citation: Beechey 2010) tools like AppLocker (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) or Software Restriction Policies (Citation: Corio 2008) where appropriate. (Citation: TechNet Applocker vs SRP)
Internal MISP references
UUID 82d8e990-c901-4aed-8596-cc002e7eb307
which can be used as unique global reference for System Time Discovery Mitigation - T1124
in MISP communities and other software using the MISP galaxy
External references
- http://blog.jpcert.or.jp/2016/01/windows-commands-abused-by-attackers.html - webarchive
- http://technet.microsoft.com/en-us/magazine/2008.06.srp.aspx - webarchive
- http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599 - webarchive
- https://apps.nsa.gov/iaarchive/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm - webarchive
- https://attack.mitre.org/mitigations/T1124 - webarchive
- https://technet.microsoft.com/en-us/library/ee791851.aspx - webarchive
Associated metadata
Metadata key | Value |
---|---|
external_id | T1124 |
Browser Bookmark Discovery Mitigation - T1217
File system activity is a common part of an operating system, so it is unlikely that mitigation would be appropriate for this technique. For example, mitigating accesses to browser bookmark files will likely have unintended side effects such as preventing legitimate software from operating properly. Efforts should be focused on preventing adversary tools from running earlier in the chain of activity and on identification of subsequent malicious behavior. It may still be beneficial to identify and block unnecessary system utilities or potentially malicious software by using whitelisting (Citation: Beechey 2010) tools like AppLocker (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) or Software Restriction Policies (Citation: Corio 2008) where appropriate. (Citation: TechNet Applocker vs SRP)
Internal MISP references
UUID 1c0b39f9-a0c5-42b2-abd8-dc8f1eb74e67
which can be used as unique global reference for Browser Bookmark Discovery Mitigation - T1217
in MISP communities and other software using the MISP galaxy
External references
- http://blog.jpcert.or.jp/2016/01/windows-commands-abused-by-attackers.html - webarchive
- http://technet.microsoft.com/en-us/magazine/2008.06.srp.aspx - webarchive
- http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599 - webarchive
- https://apps.nsa.gov/iaarchive/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm - webarchive
- https://attack.mitre.org/mitigations/T1217 - webarchive
- https://technet.microsoft.com/en-us/library/ee791851.aspx - webarchive
Associated metadata
Metadata key | Value |
---|---|
external_id | T1217 |
Netsh Helper DLL Mitigation - T1128
Identify and block potentially malicious software that may persist in this manner by using whitelisting (Citation: Beechey 2010) tools capable of monitoring DLL loads by Windows utilities like AppLocker. (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker)
Internal MISP references
UUID 624d063d-cda8-4616-b4e4-54c04e427aec
which can be used as unique global reference for Netsh Helper DLL Mitigation - T1128
in MISP communities and other software using the MISP galaxy
External references
- http://blog.jpcert.or.jp/2016/01/windows-commands-abused-by-attackers.html - webarchive
- http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599 - webarchive
- https://apps.nsa.gov/iaarchive/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm - webarchive
- https://attack.mitre.org/mitigations/T1128 - webarchive
Associated metadata
Metadata key | Value |
---|---|
external_id | T1128 |
Remote Access Tools Mitigation - T1219
Properly configure firewalls, application firewalls, and proxies to limit outgoing traffic to sites and services used by remote access tools.
Network intrusion detection and prevention systems that use network signatures may be able to prevent traffic to these services as well.
Use application whitelisting to mitigate use of and installation of unapproved software.
Internal MISP references
UUID af093bc8-7b59-4e2a-9da8-8e839b4c50c6
which can be used as unique global reference for Remote Access Tools Mitigation - T1219
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
external_id | T1219 |
External Remote Services Mitigation - T1133
Limit access to remote services through centrally managed concentrators such as VPNs and other managed remote access systems. Deny direct remote access to internal systems through the use of network proxies, gateways, and firewalls. Disable or block remotely available services such as Windows Remote Management. Use strong two-factor or multi-factor authentication for remote service accounts to mitigate an adversary's ability to leverage stolen credentials, but be aware of Multi-Factor Authentication Interception techniques for some two-factor authentication implementations.
Internal MISP references
UUID d4fd04e0-d1a4-4b5a-a5bb-16683cdbcce2
which can be used as unique global reference for External Remote Services Mitigation - T1133
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
external_id | T1133 |
Access Token Manipulation Mitigation - T1134
Access tokens are an integral part of the security system within Windows and cannot be turned off. However, an attacker must already have administrator level access on the local system to make full use of this technique; be sure to restrict users and accounts to the least privileges they require to do their job.
Any user can also spoof access tokens if they have legitimate credentials. Follow mitigation guidelines for preventing adversary use of Valid Accounts. Limit permissions so that users and user groups cannot create tokens. This setting should be defined for the local system account only. GPO: Computer Configuration > [Policies] > Windows Settings > Security Settings > Local Policies > User Rights Assignment: Create a token object. (Citation: Microsoft Create Token) Also define who can create a process level token to only the local and network service through GPO: Computer Configuration > [Policies] > Windows Settings > Security Settings > Local Policies > User Rights Assignment: Replace a process level token. (Citation: Microsoft Replace Process Token)
Also reduce the chances for adversaries to increase their privileges by limiting Privilege Escalation opportunities.
Internal MISP references
UUID c61fee9f-16fb-4f8c-bbf0-869093fcd4a6
which can be used as unique global reference for Access Token Manipulation Mitigation - T1134
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
external_id | T1134 |
Network Share Discovery Mitigation - T1135
Identify unnecessary system utilities or potentially malicious software that may be used to acquire network share information, and audit and/or block them by using whitelisting (Citation: Beechey 2010) tools like AppLocker (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) or Software Restriction Policies (Citation: Corio 2008) where appropriate. (Citation: TechNet Applocker vs SRP)
Internal MISP references
UUID 1f34230d-b6ae-4dc7-8599-78c18820bd21
which can be used as unique global reference for Network Share Discovery Mitigation - T1135
in MISP communities and other software using the MISP galaxy
External references
- http://blog.jpcert.or.jp/2016/01/windows-commands-abused-by-attackers.html - webarchive
- http://technet.microsoft.com/en-us/magazine/2008.06.srp.aspx - webarchive
- http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599 - webarchive
- https://apps.nsa.gov/iaarchive/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm - webarchive
- https://attack.mitre.org/mitigations/T1135 - webarchive
- https://technet.microsoft.com/en-us/library/ee791851.aspx - webarchive
Associated metadata
Metadata key | Value |
---|---|
external_id | T1135 |
Dynamic Data Exchange Mitigation - T1173
Registry keys specific to Microsoft Office feature control security can be set to disable automatic DDE/OLE execution. (Citation: Microsoft DDE Advisory Nov 2017) (Citation: BleepingComputer DDE Disabled in Word Dec 2017) (Citation: GitHub Disable DDEAUTO Oct 2017) Microsoft also created, and enabled by default, Registry keys to completely disable DDE execution in Word and Excel. (Citation: Microsoft ADV170021 Dec 2017)
Ensure Protected View is enabled (Citation: Microsoft Protected View) and consider disabling embedded files in Office programs, such as OneNote, not enrolled in Protected View. (Citation: Enigma Reviving DDE Jan 2018) (Citation: GitHub Disable DDEAUTO Oct 2017)
On Windows 10, enable Attack Surface Reduction (ASR) rules to prevent DDE attacks and spawning of child processes from Office programs. (Citation: Microsoft ASR Nov 2017) (Citation: Enigma Reviving DDE Jan 2018)
Internal MISP references
UUID 80c91478-ac87-434f-bee7-11f37aec4d74
which can be used as unique global reference for Dynamic Data Exchange Mitigation - T1173
in MISP communities and other software using the MISP galaxy
External references
- https://attack.mitre.org/mitigations/T1173 - webarchive
- https://docs.microsoft.com/windows/threat-protection/windows-defender-exploit-guard/enable-attack-surface-reduction - webarchive
- https://gist.github.com/wdormann/732bb88d9b5dd5a66c9f1e1498f31a1b - webarchive
- https://portal.msrc.microsoft.com/security-guidance/advisory/ADV170021 - webarchive
- https://posts.specterops.io/reviving-dde-using-onenote-and-excel-for-code-execution-d7226864caee - webarchive
- https://support.office.com/en-us/article/What-is-Protected-View-d6f09ac7-e6b9-4495-8e43-2bbcdbcb6653 - webarchive
- https://technet.microsoft.com/library/security/4053440 - webarchive
- https://www.bleepingcomputer.com/news/microsoft/microsoft-disables-dde-feature-in-word-to-prevent-further-malware-attacks/ - webarchive
Associated metadata
Metadata key | Value |
---|---|
external_id | T1173 |
Clear Command History Mitigation - T1146
Preventing users from deleting or writing to certain files can stop adversaries from maliciously altering their ~/.bash_history files. Additionally, making the shell history environment variables readonly can make sure that the history is preserved. (Citation: Securing bash history)
Internal MISP references
UUID 3e7018e9-7389-48e7-9208-0bdbcbba9483
which can be used as unique global reference for Clear Command History Mitigation - T1146
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
external_id | T1146 |
Password Filter DLL Mitigation - T1174
Ensure only valid password filters are registered. Filter DLLs must be present in the Windows installation directory (C:\Windows\System32\ by default) of a domain controller and/or local computer, with a corresponding entry in HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Notification Packages. (Citation: Microsoft Install Password Filter n.d)
Internal MISP references
UUID 00d7d21b-69d6-4797-88a2-c86f3fc97651
which can be used as unique global reference for Password Filter DLL Mitigation - T1174
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
external_id | T1174 |
Spearphishing via Service Mitigation - T1194
Determine if certain social media sites, personal webmail services, or other services that can be used for spearphishing are necessary for business operations and consider blocking access if activity cannot be monitored well or if it poses a significant risk.
Because this technique involves use of legitimate services and user interaction on the endpoint, it's difficult to fully mitigate. However, there are potential mitigations. Users can be trained to identify social engineering techniques and spearphishing emails with malicious links. To prevent the downloads from executing, application whitelisting can be used. Anti-virus can also automatically quarantine suspicious files.
Internal MISP references
UUID c861bcb1-946f-450d-ab75-d4e3c1103a56
which can be used as unique global reference for Spearphishing via Service Mitigation - T1194
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
external_id | T1194 |
Supply Chain Compromise Mitigation - T1195
Apply supply chain risk management (SCRM) practices and procedures (Citation: MITRE SE Guide 2014), such as supply chain analysis and appropriate risk management, throughout the life-cycle of a system.
Leverage established software development lifecycle (SDLC) practices (Citation: NIST Supply Chain 2012):
- Uniquely Identify Supply Chain Elements, Processes, and Actors
- Limit Access and Exposure within the Supply Chain
- Establish and Maintain the Provenance of Elements, Processes, Tools, and Data
- Share Information within Strict Limits
- Perform SCRM Awareness and Training
- Use Defensive Design for Systems, Elements, and Processes
- Perform Continuous Integrator Review
- Strengthen Delivery Mechanisms
- Assure Sustainment Activities and Processes
- Manage Disposal and Final Disposition Activities throughout the System or Element Life Cycle
A patch management process should be implemented to check for unused dependencies, unmaintained and/or previously vulnerable dependencies, unnecessary features, components, files, and documentation. Continuous monitoring of vulnerability sources and the use of automatic and manual code review tools should also be implemented. (Citation: OWASP Top 10 2017)
Internal MISP references
UUID 97d8eadb-0459-4c1d-bf1a-e053bd75df61
which can be used as unique global reference for Supply Chain Compromise Mitigation - T1195
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
external_id | T1195 |
Setuid and Setgid Mitigation - T1166
Applications with known vulnerabilities or known shell escapes should not have the setuid or setgid bits set to reduce potential damage if an application is compromised. Additionally, the number of programs with setuid or setgid bits set should be minimized across a system.
Internal MISP references
UUID 073cc04d-ac46-4f5a-85d7-83a91ecd6a19
which can be used as unique global reference for Setuid and Setgid Mitigation - T1166
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
external_id | T1166 |
Local Job Scheduling Mitigation - T1168
Limit privileges of user accounts and remediate Privilege Escalation vectors so only authorized users can create scheduled jobs. Identify and block unnecessary system utilities or potentially malicious software that may be used to schedule jobs using whitelisting tools.
Internal MISP references
UUID c47a9b55-8f61-4b82-b833-1db6242c754e
which can be used as unique global reference for Local Job Scheduling Mitigation - T1168
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
external_id | T1168 |
Control Panel Items Mitigation - T1196
This type of attack technique cannot be easily mitigated with preventive controls since it is based on the abuse of operating system design features. For example, mitigating specific Windows API calls and/or execution of particular file extensions will likely have unintended side effects, such as preventing legitimate software (e.g., drivers and configuration tools) from operating properly. Efforts should be focused on preventing adversary tools from running earlier in the chain of activity and on identification of subsequent malicious behavior.
Restrict storage and execution of Control Panel items to protected directories, such as C:\Windows, rather than user directories.
Index known safe Control Panel items and block potentially malicious software using whitelisting (Citation: Beechey 2010) tools like AppLocker (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) that are capable of auditing and/or blocking unknown executable files.
Consider fully enabling User Account Control (UAC) to impede system-wide changes from illegitimate administrators. (Citation: Microsoft UAC)
Internal MISP references
UUID 3a41b366-cfd6-4af2-a6e7-3c6e3c4ebcef
which can be used as unique global reference for Control Panel Items Mitigation - T1196
in MISP communities and other software using the MISP galaxy
External references
- http://blog.jpcert.or.jp/2016/01/windows-commands-abused-by-attackers.html - webarchive
- http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599 - webarchive
- https://apps.nsa.gov/iaarchive/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm - webarchive
- https://attack.mitre.org/mitigations/T1196 - webarchive
- https://msdn.microsoft.com/library/windows/desktop/dn742497.aspx - webarchive
Associated metadata
Metadata key | Value |
---|---|
external_id | T1196 |
Compiled HTML File Mitigation - T1223
Consider blocking download/transfer and execution of potentially uncommon file types known to be used in adversary campaigns, such as CHM files. (Citation: PaloAlto Preventing Opportunistic Attacks Apr 2016) Also consider using application whitelisting to block execution of hh.exe where it is not required on a given system or network, so that it cannot be misused by adversaries.
Internal MISP references
UUID 08e02f67-ea09-4f77-a70b-414963c29fc2
which can be used as unique global reference for Compiled HTML File Mitigation - T1223
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
external_id | T1223 |
Domain Trust Discovery Mitigation - T1482
Map the trusts within existing domains/forests and keep trust relationships to a minimum. Employ network segmentation for sensitive domains.(Citation: Harmj0y Domain Trusts)
Internal MISP references
UUID 159b4ee4-8fa1-44a5-b095-2973f3c7e25e
which can be used as unique global reference for Domain Trust Discovery Mitigation - T1482
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
external_id | T1482 |
Stored Data Manipulation Mitigation - T1492
Identify critical business and system processes that may be targeted by adversaries and work to secure the data related to those processes against tampering. Ensure least privilege principles are applied to important information resources to reduce exposure to data manipulation risk. Consider encrypting important information to reduce an adversary's ability to perform tailored data modifications. Where applicable, examine using file monitoring software to check the integrity of important files and directories and to take corrective action when unauthorized changes are detected.
Consider implementing IT disaster recovery plans that contain procedures for taking regular data backups that can be used to restore organizational data. (Citation: Ready.gov IT DRP) Ensure backups are stored off system and are protected from common methods adversaries may use to gain access and manipulate backups.
Internal MISP references
UUID e9362d25-4427-446b-99e8-b8f0c3b86615
which can be used as unique global reference for Stored Data Manipulation Mitigation - T1492
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
external_id | T1492 |
Domain Generation Algorithms Mitigation - T1483
This technique may be difficult to mitigate since the domains can be registered just before they are used and disposed of shortly after. Malware researchers can reverse-engineer malware variants that use DGAs and determine future domains that the malware will attempt to contact, but this is a time and resource intensive effort. (Citation: Cybereason Dissecting DGAs) (Citation: Cisco Umbrella DGA Brute Force) Malware is also increasingly incorporating seed values that can be unique for each instance, which would then need to be determined to extract future generated domains. In some cases, the seed that a particular sample uses can be extracted from DNS traffic. (Citation: Akamai DGA Mitigation) Even so, there can be thousands of possible domains generated per day; this makes it impractical for defenders to preemptively register all possible C2 domains due to the cost. In some cases a local DNS sinkhole may be used to help prevent DGA-based command and control at a reduced cost.
Network intrusion detection and prevention systems that use network signatures to identify traffic for specific adversary malware can be used to mitigate activity at the network level. Signatures are often for unique indicators within protocols and may be based on the specific protocol used by a particular adversary or tool, and will likely be different across various malware families and versions. Adversaries will likely change tool C2 signatures over time or construct protocols in such a way as to avoid detection by common defensive tools. (Citation: University of Birmingham C2)
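Because the generated names change faster than any block list, most defenders detect DGA activity from its side effects in resolver logs rather than from the domains themselves: a host that produces a burst of NXDOMAIN answers for names that look random. The following is an added example, not code from MITRE or the MISP galaxy. It scores the second-level label of each queried name by character entropy and longest consonant run, flags hosts whose NXDOMAIN answers are dominated by such names, and emits the flagged names as candidates for a local sinkhole zone. The log format, the thresholds (3.5 bits of entropy, a consonant run of 5, three NXDOMAINs with 80% generated-looking) and the sample lines are all constructed for this example; tune them against your own resolver's baseline.

```python
"""Heuristic DGA detection over DNS resolver logs (added example).

Not from the MITRE/MISP text. Input format is constructed:
    "<timestamp> <client-ip> <qname> <rcode>"
Adapt LINE_RE to whatever your resolver (BIND, Unbound, Windows DNS) emits.
"""
import math
import re
from collections import defaultdict
from typing import Dict, List, Tuple

# Constructed sample log: one host behaving normally, one cycling through
# random-looking names that do not resolve.
SAMPLE_LOG = """\
2019-05-01T10:00:01 10.0.0.5 www.example.com NOERROR
2019-05-01T10:00:02 10.0.0.5 mail.example.com NOERROR
2019-05-01T10:00:03 10.0.0.9 xkqjvbtrwzmpq.com NXDOMAIN
2019-05-01T10:00:03 10.0.0.9 plrtmgwkxzbqv.net NXDOMAIN
2019-05-01T10:00:04 10.0.0.9 zqwmnbvcxklpt.org NXDOMAIN
2019-05-01T10:00:04 10.0.0.9 ghtrkplmzxqwv.com NXDOMAIN
2019-05-01T10:00:05 10.0.0.9 nbvxqzwmlkrtp.info NXDOMAIN
2019-05-01T10:00:06 10.0.0.5 typo-exmaple.com NXDOMAIN
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (NOERROR|NXDOMAIN|SERVFAIL)$")

# Assumed thresholds; calibrate on a week of benign traffic before relying on them.
ENTROPY_THRESHOLD = 3.5
CONSONANT_RUN_THRESHOLD = 5


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character (0.0 for the empty string)."""
    if not s:
        return 0.0
    counts: Dict[str, int] = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def longest_consonant_run(s: str) -> int:
    """Length of the longest run of consonant letters; 'y' is treated as a vowel."""
    run = best = 0
    for ch in s:
        if ch.isalpha() and ch not in "aeiouy":
            run += 1
            best = max(best, run)
        else:
            run = 0
    return best


def second_level_label(qname: str) -> str:
    """'a.b.example.com' -> 'example' (naive split; no public-suffix list)."""
    parts = qname.rstrip(".").lower().split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def looks_generated(label: str) -> bool:
    """True when a label has the statistical shape of an algorithmically generated name."""
    return (shannon_entropy(label) > ENTROPY_THRESHOLD
            or longest_consonant_run(label) >= CONSONANT_RUN_THRESHOLD)


def parse_log(text: str) -> List[Tuple[str, str, str, str]]:
    """Return (timestamp, client, qname, rcode) tuples, skipping malformed lines."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            records.append(m.groups())
    return records


def suspicious_hosts(text: str, min_nxdomain: int = 3,
                     min_generated_ratio: float = 0.8) -> Dict[str, Tuple[int, int]]:
    """Map client -> (nxdomain_count, generated_count) for clients over both thresholds."""
    nx: Dict[str, int] = defaultdict(int)
    gen: Dict[str, int] = defaultdict(int)
    for _ts, client, qname, rcode in parse_log(text):
        if rcode != "NXDOMAIN":
            continue
        nx[client] += 1
        if looks_generated(second_level_label(qname)):
            gen[client] += 1
    return {c: (nx[c], gen[c]) for c in nx
            if nx[c] >= min_nxdomain and gen[c] / nx[c] >= min_generated_ratio}


def sinkhole_candidates(text: str) -> List[str]:
    """Generated-looking names that failed to resolve: input for a local sinkhole zone."""
    return sorted({qname.lower() for _ts, _c, qname, rcode in parse_log(text)
                   if rcode == "NXDOMAIN" and looks_generated(second_level_label(qname))})


if __name__ == "__main__":
    for client, (nxd, generated) in suspicious_hosts(SAMPLE_LOG).items():
        print(f"{client}: {generated}/{nxd} NXDOMAIN answers look generated")
    print("sinkhole candidates:", ", ".join(sinkhole_candidates(SAMPLE_LOG)))
```

The typo'd name from 10.0.0.5 is the case that matters: a single NXDOMAIN for a human-looking label must not trip the detector, which is why the per-host ratio and minimum count are combined with the per-name score rather than alerting on any one of them.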
Internal MISP references
UUID 3bd2cf87-1ceb-4317-9aee-3e7dc713261b
which can be used as unique global reference for Domain Generation Algorithms Mitigation - T1483
in MISP communities and other software using the MISP galaxy
External references
- http://go.cybereason.com/rs/996-YZT-709/images/Cybereason-Lab-Analysis-Dissecting-DGAs-Eight-Real-World-DGA-Variants.pdf - webarchive
- https://arxiv.org/ftp/arxiv/papers/1408/1408.1136.pdf - webarchive
- https://attack.mitre.org/mitigations/T1483 - webarchive
- https://blogs.akamai.com/2018/01/a-death-match-of-domain-generation-algorithms.html - webarchive
- https://umbrella.cisco.com/blog/2015/02/18/at-high-noon-algorithms-do-battle/ - webarchive
Associated metadata
Metadata key | Value |
---|---|
external_id | T1483 |
Transmitted Data Manipulation Mitigation - T1493
Identify critical business and system processes that may be targeted by adversaries and work to secure communications related to those processes against tampering. Encrypt all important data flows to reduce the impact of tailored modifications on data in transit.
Internal MISP references
UUID 245075bc-f992-4d89-af8c-834c53d403f4
which can be used as unique global reference for Transmitted Data Manipulation Mitigation - T1493
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
external_id | T1493 |
Runtime Data Manipulation Mitigation - T1494
Identify critical business and system processes that may be targeted by adversaries and work to secure those systems against tampering. Prevent critical business and system processes from being replaced, overwritten, or reconfigured to load potentially malicious code. Identify potentially malicious software and audit and/or block it by using whitelisting(Citation: Beechey 2010) tools, like AppLocker,(Citation: Windows Commands JPCERT)(Citation: NSA MS AppLocker) or Software Restriction Policies(Citation: Corio 2008) where appropriate.(Citation: TechNet Applocker vs SRP)
Internal MISP references
UUID 337172b1-b003-4034-8a3f-1d89a71da628
which can be used as unique global reference for Runtime Data Manipulation Mitigation - T1494
in MISP communities and other software using the MISP galaxy
External references
- http://technet.microsoft.com/en-us/magazine/2008.06.srp.aspx - webarchive
- http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599 - webarchive
- https://apps.nsa.gov/iaarchive/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm - webarchive
- https://attack.mitre.org/mitigations/T1494 - webarchive
- https://blogs.jpcert.or.jp/en/2016/01/windows-commands-abused-by-attackers.html - webarchive
- https://technet.microsoft.com/en-us/library/ee791851.aspx - webarchive
Associated metadata
Metadata key | Value |
---|---|
external_id | T1494 |
LLMNR/NBT-NS Poisoning Mitigation - T1171
Disable LLMNR and NetBIOS in local computer security settings or by group policy if they are not needed within an environment. (Citation: ADSecurity Windows Secure Baseline)
Use host-based security software to block LLMNR/NetBIOS traffic. Enabling SMB Signing can stop NTLMv2 relay attacks.(Citation: byt3bl33d3r NTLM Relaying)(Citation: Secure Ideas SMB Relay)(Citation: Microsoft SMB Packet Signing)
Internal MISP references
UUID 54246e2e-683f-4bf2-be4c-d7d5a60e7d22
which can be used as unique global reference for LLMNR/NBT-NS Poisoning Mitigation - T1171
in MISP communities and other software using the MISP galaxy
External references
- https://adsecurity.org/?p=3299 - webarchive
- https://attack.mitre.org/mitigations/T1171 - webarchive
- https://blog.secureideas.com/2018/04/ever-run-a-relay-why-smb-relays-should-be-on-your-mind.html - webarchive
- https://byt3bl33d3r.github.io/practical-guide-to-ntlm-relaying-in-2017-aka-getting-a-foothold-in-under-5-minutes.html - webarchive
- https://docs.microsoft.com/en-us/previous-versions/system-center/operations-manager-2005/cc180803(v=technet.10) - webarchive
Associated metadata
Metadata key | Value |
---|---|
external_id | T1171 |
Restrict Web-Based Content - M1021
Restrict use of certain websites, block downloads/attachments, block JavaScript, restrict browser extensions, etc.
Internal MISP references
UUID 21da4fd4-27ad-4e9c-b93d-0b9b14d02c96
which can be used as unique global reference for Restrict Web-Based Content - M1021
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
external_id | M1021 |
Multi-Stage Channels Mitigation - T1104
Command and control infrastructure used in a multi-stage channel may be blocked if known ahead of time. If unique signatures are present in the C2 traffic, they could also be used as the basis of identifying and blocking the channel. (Citation: University of Birmingham C2)
Internal MISP references
UUID 514e7371-a344-4de7-8ec3-3aa42b801d52
which can be used as unique global reference for Multi-Stage Channels Mitigation - T1104
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
external_id | T1104 |
Third-party Software Mitigation - T1072
Evaluate the security of third-party software that could be used in the enterprise environment. Ensure that access to management systems for third-party systems is limited, monitored, and secure. Have a strict approval policy for use of third-party systems.
Grant access to third-party systems only to a limited number of authorized administrators. Ensure proper system and access isolation for critical network systems through use of firewalls, account privilege separation, group policy, and multi-factor authentication. Verify that account credentials that may be used to access third-party systems are unique and not used throughout the enterprise network. Ensure that any accounts used by third-party providers to access these systems are traceable to the third party and are not used throughout the network or by other third-party providers in the same environment. Ensure third-party systems are regularly patched by users or the provider to prevent potential remote access through Exploitation for Privilege Escalation.
Ensure there are regular reviews of accounts provisioned to these systems to verify continued business need, and ensure there is governance to trace de-provisioning of access that is no longer required.
Where the third-party system is used for deployment services, ensure that it can be configured to deploy only signed binaries, then ensure that the trusted signing certificates are not co-located with the third-party system and are instead located on a system that cannot be accessed remotely or to which remote access is tightly controlled.
Internal MISP references
UUID 160af6af-e733-4b6a-a04a-71c620ac0930
which can be used as unique global reference for Third-party Software Mitigation - T1072
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
external_id | T1072 |
DLL Side-Loading Mitigation - T1073
Update software regularly. Install software in write-protected locations. Use the program sxstrace.exe that is included with Windows along with manual inspection to check manifest files for side-loading vulnerabilities in software.
Internal MISP references
UUID 7a14d974-f3d9-4e4e-9b7d-980385762908
which can be used as unique global reference for DLL Side-Loading Mitigation - T1073
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
external_id | T1073 |
Re-opened Applications Mitigation - T1164
Holding the Shift key while logging in prevents apps from opening automatically (Citation: Re-Open windows on Mac). This feature can be disabled entirely with the following terminal command: defaults write -g ApplePersistence -bool no
Internal MISP references
UUID 61d02387-351a-453e-a575-160a9abc3e04
which can be used as unique global reference for Re-opened Applications Mitigation - T1164
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
external_id | T1164 |
SID-History Injection Mitigation - T1178
Clean up SID-History attributes after legitimate account migration is complete.
Consider applying SID Filtering to interforest trusts, such as forest trusts and external trusts, to exclude SID-History from requests to access domain resources. SID Filtering ensures that any authentication requests over a trust only contain SIDs of security principals from the trusted domain (i.e. preventing the trusted domain from claiming a user has membership in groups outside of the domain).
SID Filtering of forest trusts is enabled by default, but may have been disabled in some cases to allow a child domain to transitively access forest trusts. SID Filtering of external trusts is automatically enabled on all created external trusts using Server 2003 or later domain controllers. (Citation: Microsoft Trust Considerations Nov 2014) (Citation: Microsoft SID Filtering Quarantining Jan 2009) Note, however, that SID Filtering is not automatically applied to legacy trusts and may have been deliberately disabled to allow inter-domain access to resources.
SID Filtering can be applied by: (Citation: Microsoft Netdom Trust Sept 2012)
- Disabling SIDHistory on forest trusts using the netdom tool (netdom trust <TrustingDomainName> /domain:<TrustedDomainName> /EnableSIDHistory:no on the domain controller).
- Applying SID Filter Quarantining to external trusts using the netdom tool (netdom trust <TrustingDomainName> /domain:<TrustedDomainName> /quarantine:yes on the domain controller).
Applying SID Filtering to domain trusts within a single forest is not recommended as it is an unsupported configuration and can cause breaking changes. (Citation: Microsoft Netdom Trust Sept 2012) (Citation: AdSecurity Kerberos GT Aug 2015) If a domain within a forest is untrustworthy then it should not be a member of the forest. In this situation it is necessary to first split the trusted and untrusted domains into separate forests where SID Filtering can be applied to an interforest trust.
Internal MISP references
UUID b91c2f9e-c1a0-44df-95f0-9e7c9d1d5e55
which can be used as unique global reference for SID-History Injection Mitigation - T1178
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
external_id | T1178 |
Multi-hop Proxy Mitigation - T1188
Traffic to known anonymity networks and C2 infrastructure can be blocked through the use of network black and white lists. It should be noted that this kind of blocking may be circumvented by other techniques like Domain Fronting.
Internal MISP references
UUID 752db800-ea54-4e7a-b4c1-2a0292350ea7
which can be used as unique global reference for Multi-hop Proxy Mitigation - T1188
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
external_id | T1188 |
Drive-by Compromise Mitigation - T1189
Drive-by compromise relies on there being a vulnerable piece of software on the client end systems. Use modern browsers with security features turned on. Keeping all browsers and plugins updated can help prevent the exploit phase of this technique.
For malicious code served up through ads, adblockers can help prevent that code from executing in the first place. Script blocking extensions can help prevent the execution of JavaScript that may commonly be used during the exploitation process.
Browser sandboxes can be used to mitigate some of the impact of exploitation, but sandbox escapes may still exist. (Citation: Windows Blogs Microsoft Edge Sandbox) (Citation: Ars Technica Pwn2Own 2017 VM Escape)
Other types of virtualization and application microsegmentation may also mitigate the impact of client-side exploitation. The risks of additional exploits and weaknesses in implementation may still exist. (Citation: Ars Technica Pwn2Own 2017 VM Escape)
Security applications that look for behavior used during exploitation such as Windows Defender Exploit Guard (WDEG) and the Enhanced Mitigation Experience Toolkit (EMET) can be used to mitigate some exploitation behavior. (Citation: TechNet Moving Beyond EMET) Control flow integrity checking is another way to potentially identify and stop a software exploit from occurring. (Citation: Wikipedia Control Flow Integrity) Many of these protections depend on the architecture and target application binary for compatibility.
Internal MISP references
UUID 7a4d0054-53cd-476f-88af-955dddc80ee0
which can be used as unique global reference for Drive-by Compromise Mitigation - T1189
in MISP communities and other software using the MISP galaxy
External references
- https://arstechnica.com/information-technology/2017/03/hack-that-escapes-vm-by-exploiting-edge-browser-fetches-105000-at-pwn2own/ - webarchive
- https://attack.mitre.org/mitigations/T1189 - webarchive
- https://blogs.technet.microsoft.com/srd/2017/08/09/moving-beyond-emet-ii-windows-defender-exploit-guard/ - webarchive
- https://blogs.windows.com/msedgedev/2017/03/23/strengthening-microsoft-edge-sandbox/ - webarchive
- https://en.wikipedia.org/wiki/Control-flow_integrity - webarchive
Associated metadata
Metadata key | Value |
---|---|
external_id | T1189 |
Data Obfuscation Mitigation - T1001
Network intrusion detection and prevention systems that use network signatures to identify traffic for specific adversary malware can be used to mitigate activity at the network level. Signatures are often for unique indicators within protocols and may be based on the specific obfuscation technique used by a particular adversary or tool, and will likely be different across various malware families and versions. Adversaries will likely change tool C2 signatures over time or construct protocols in such a way as to avoid detection by common defensive tools. (Citation: University of Birmingham C2)
Internal MISP references
UUID d0fcf37a-b6c4-4745-9c43-4fcdb8bfc88e
which can be used as unique global reference for Data Obfuscation Mitigation - T1001
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
external_id | T1001 |
Web Shell Mitigation - T1100
Ensure that externally facing Web servers are patched regularly to prevent adversary access through Exploitation for Privilege Escalation to gain remote code access or through file inclusion weaknesses that may allow adversaries to upload files or scripts that are automatically served as Web pages.
Audit account and group permissions to ensure that accounts used to manage servers do not overlap with accounts and permissions of users in the internal network that could be acquired through Credential Access and used to log into the Web server and plant a Web shell or pivot from the Web server into the internal network. (Citation: US-CERT Alert TA15-314A Web Shells)
Internal MISP references
UUID bcc91b8c-f104-4710-964e-1d5409666736
which can be used as unique global reference for Web Shell Mitigation - T1100
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
external_id | T1100 |
Automated Exfiltration Mitigation - T1020
Identify unnecessary system utilities, scripts, or potentially malicious software that may be used to transfer data outside of a network, and audit and/or block them by using whitelisting (Citation: Beechey 2010) tools, like AppLocker, (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) or Software Restriction Policies (Citation: Corio 2008) where appropriate. (Citation: TechNet Applocker vs SRP)
Internal MISP references
UUID 2497ac92-e751-4391-82c6-1b86e34d0294
which can be used as unique global reference for Automated Exfiltration Mitigation - T1020
in MISP communities and other software using the MISP galaxy
External references
- http://technet.microsoft.com/en-us/magazine/2008.06.srp.aspx - webarchive
- http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599 - webarchive
- https://apps.nsa.gov/iaarchive/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm - webarchive
- https://attack.mitre.org/mitigations/T1020 - webarchive
- https://blogs.jpcert.or.jp/en/2016/01/windows-commands-abused-by-attackers.html - webarchive
- https://technet.microsoft.com/en-us/library/ee791851.aspx - webarchive
Associated metadata
Metadata key | Value |
---|---|
external_id | T1020 |
Hardware Additions Mitigation - T1200
Establish network access control policies, such as using device certificates and the 802.1x standard. (Citation: Wikipedia 802.1x) Restrict use of DHCP to registered devices to prevent unregistered devices from communicating with trusted systems.
Block unknown devices and accessories through endpoint security configuration and a monitoring agent.
Internal MISP references
UUID 54e8722d-2faf-4b1b-93b6-6cbf9551669f
which can be used as unique global reference for Hardware Additions Mitigation - T1200
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
external_id | T1200 |
Data Compressed Mitigation - T1002
Identify unnecessary system utilities, third-party tools, or potentially malicious software that may be used to compress files, and audit and/or block them by using whitelisting (Citation: Beechey 2010) tools, like AppLocker, (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) or Software Restriction Policies (Citation: Corio 2008) where appropriate. (Citation: TechNet Applocker vs SRP)
If network intrusion prevention or data loss prevention tools are set to block specific file types from leaving the network over unencrypted channels, then an adversary may move to an encrypted channel.
Internal MISP references
UUID 28adf6fd-ab6c-4553-9aa7-cef18a191f33
which can be used as unique global reference for Data Compressed Mitigation - T1002
in MISP communities and other software using the MISP galaxy
External references
- http://blog.jpcert.or.jp/2016/01/windows-commands-abused-by-attackers.html - webarchive
- http://technet.microsoft.com/en-us/magazine/2008.06.srp.aspx - webarchive
- http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599 - webarchive
- https://apps.nsa.gov/iaarchive/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm - webarchive
- https://attack.mitre.org/mitigations/T1002 - webarchive
- https://technet.microsoft.com/en-us/library/ee791851.aspx - webarchive
Associated metadata
Metadata key | Value |
---|---|
external_id | T1002 |
Credential Dumping Mitigation - T1003
Windows
Monitor/harden access to LSASS and SAM table with tools that allow process whitelisting. Limit credential overlap across systems to prevent lateral movement opportunities using Valid Accounts if passwords and hashes are obtained. Ensure that local administrator accounts have complex, unique passwords across all systems on the network. Do not put user or admin domain accounts in the local administrator groups across systems unless they are tightly controlled, as this is often equivalent to having a local administrator account with the same password on all systems. Follow best practices for design and administration of an enterprise network to limit privileged account use across administrative tiers. (Citation: Microsoft Securing Privileged Access)
On Windows 8.1 and Windows Server 2012 R2, enable Protected Process Light for LSA. (Citation: Microsoft LSA)
Identify and block potentially malicious software that may be used to dump credentials by using whitelisting (Citation: Beechey 2010) tools, like AppLocker, (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) or Software Restriction Policies (Citation: Corio 2008) where appropriate. (Citation: TechNet Applocker vs SRP)
With Windows 10, Microsoft implemented new protections called Credential Guard to protect the LSA secrets that can be used to obtain credentials through forms of credential dumping. It is not configured by default and has hardware and firmware system requirements. (Citation: TechNet Credential Guard) It also does not protect against all forms of credential dumping. (Citation: GitHub SHB Credential Guard)
Manage the access control list for “Replicating Directory Changes” and other permissions associated with domain controller replication. (Citation: AdSecurity DCSync Sept 2015) (Citation: Microsoft Replication ACL)
Consider disabling or restricting NTLM traffic. (Citation: Microsoft Disable NTLM Nov 2012)
Linux
Scraping the passwords from memory requires root privileges. Follow best practices in restricting access to escalated privileges to prevent hostile programs from accessing such sensitive regions of memory.
Internal MISP references
UUID aeff5887-8f9e-48d5-a523-9b395e2ce80a
which can be used as unique global reference for Credential Dumping Mitigation - T1003
in MISP communities and other software using the MISP galaxy
External references
- http://technet.microsoft.com/en-us/magazine/2008.06.srp.aspx - webarchive
- http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599 - webarchive
- https://adsecurity.org/?p=1729 - webarchive
- https://apps.nsa.gov/iaarchive/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm - webarchive
- https://attack.mitre.org/mitigations/T1003 - webarchive
- https://blogs.jpcert.or.jp/en/2016/01/windows-commands-abused-by-attackers.html - webarchive
- https://docs.microsoft.com/en-us/windows-server/identity/securing-privileged-access/securing-privileged-access-reference-material#a-nameesaebmaesae-administrative-forest-design-approach - webarchive
- https://github.com/iadgov/Secure-Host-Baseline/tree/master/Credential%20Guard - webarchive
- https://support.microsoft.com/help/303972/how-to-grant-the-replicating-directory-changes-permission-for-the-micr - webarchive
- https://technet.microsoft.com/en-us/itpro/windows/keep-secure/credential-guard - webarchive
- https://technet.microsoft.com/en-us/library/dn408187.aspx - webarchive
- https://technet.microsoft.com/en-us/library/ee791851.aspx - webarchive
- https://technet.microsoft.com/library/jj865668.aspx - webarchive
Associated metadata
Metadata key | Value |
---|---|
external_id | T1003 |
System Partition Integrity - M1004
Ensure that Android devices being used include and enable the Verified Boot capability, which cryptographically ensures the integrity of the system partition.
Internal MISP references
UUID 7b1cf46f-784b-405a-a8dd-4624c19d8321
which can be used as unique global reference for System Partition Integrity - M1004
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
external_id | M1004 |
Network Sniffing Mitigation - T1040
Ensure that all wireless traffic is encrypted appropriately. Use Kerberos, SSL, and multifactor authentication wherever possible. Monitor switches and network for span port usage, ARP/DNS poisoning, and router reconfiguration.
Identify and block potentially malicious software that may be used to sniff or analyze network traffic by using whitelisting (Citation: Beechey 2010) tools, like AppLocker, (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) or Software Restriction Policies (Citation: Corio 2008) where appropriate. (Citation: TechNet Applocker vs SRP)
Internal MISP references
UUID 46b7ef91-4e1d-43c5-a2eb-00fa9444f6f4
which can be used as unique global reference for Network Sniffing Mitigation - T1040
in MISP communities and other software using the MISP galaxy
External references
- http://blog.jpcert.or.jp/2016/01/windows-commands-abused-by-attackers.html - webarchive
- http://technet.microsoft.com/en-us/magazine/2008.06.srp.aspx - webarchive
- http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599 - webarchive
- https://apps.nsa.gov/iaarchive/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm - webarchive
- https://attack.mitre.org/mitigations/T1040 - webarchive
- https://technet.microsoft.com/en-us/library/ee791851.aspx - webarchive
Associated metadata
Metadata key | Value |
---|---|
external_id | T1040 |
New Service Mitigation - T1050
Limit privileges of user accounts and remediate Privilege Escalation vectors so only authorized administrators can create new services.
Identify and block unnecessary system utilities or potentially malicious software that may be used to create services by using whitelisting (Citation: Beechey 2010) tools, like AppLocker, (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) or Software Restriction Policies (Citation: Corio 2008) where appropriate. (Citation: TechNet Applocker vs SRP)
Internal MISP references
UUID b7b2c89c-09c1-4b71-ae7c-000ec2893aab
which can be used as unique global reference for New Service Mitigation - T1050
in MISP communities and other software using the MISP galaxy
External references
- http://blog.jpcert.or.jp/2016/01/windows-commands-abused-by-attackers.html - webarchive
- http://technet.microsoft.com/en-us/magazine/2008.06.srp.aspx - webarchive
- http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599 - webarchive
- https://apps.nsa.gov/iaarchive/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm - webarchive
- https://attack.mitre.org/mitigations/T1050 - webarchive
- https://technet.microsoft.com/en-us/library/ee791851.aspx - webarchive
Associated metadata
Metadata key | Value |
---|---|
external_id | T1050 |
Fallback Channels Mitigation - T1008
Network intrusion detection and prevention systems that use network signatures to identify traffic for specific adversary malware can be used to mitigate activity at the network level. Signatures are often for unique indicators within protocols and may be based on the specific protocol used by a particular adversary or tool, and will likely be different across various malware families and versions. Adversaries will likely change tool C2 signatures over time or construct protocols in such a way as to avoid detection by common defensive tools. (Citation: University of Birmingham C2)
Internal MISP references
UUID 515f6584-fa98-44fe-a4e8-e428c7188514
which can be used as unique global reference for Fallback Channels Mitigation - T1008
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
external_id | T1008 |
Binary Padding Mitigation - T1009
Identify potentially malicious software that may be executed from a padded or otherwise obfuscated binary, and audit and/or block it by using whitelisting (Citation: Beechey 2010) tools like AppLocker (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) or Software Restriction Policies (Citation: Corio 2008) where appropriate. (Citation: TechNet Applocker vs SRP)
Internal MISP references
UUID 16a8ac85-a06f-460f-ad22-910167bd7332
which can be used as unique global reference for Binary Padding Mitigation - T1009
in MISP communities and other software using the MISP galaxy
External references
- http://technet.microsoft.com/en-us/magazine/2008.06.srp.aspx - webarchive
- http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599 - webarchive
- https://apps.nsa.gov/iaarchive/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm - webarchive
- https://attack.mitre.org/mitigations/T1009 - webarchive
- https://blogs.jpcert.or.jp/en/2016/01/windows-commands-abused-by-attackers.html - webarchive
- https://technet.microsoft.com/en-us/library/ee791851.aspx - webarchive
Associated metadata
Metadata key | Value |
---|---|
external_id | T1009 |
Encrypt Network Traffic - M1009
Application developers should encrypt all of their application network traffic using the Transport Layer Security (TLS) protocol to ensure protection of sensitive data and deter network-based attacks. If desired, application developers could perform message-based encryption of data before passing it for TLS encryption.
iOS's App Transport Security feature can be used to help ensure that all application network traffic is appropriately protected. Apple intends to mandate use of App Transport Security (Citation: TechCrunch-ATS) for all apps in the Apple App Store unless appropriate justification is given.
Android's Network Security Configuration feature similarly can be used by app developers to help ensure that all of their application network traffic is appropriately protected (Citation: Android-NetworkSecurityConfig).
Use of Virtual Private Network (VPN) tunnels, e.g. using the IPsec protocol, can help mitigate some types of network attacks as well.
Internal MISP references
UUID 8220b57e-c400-4525-bf69-f8edc6b389a8
which can be used as unique global reference for Encrypt Network Traffic - M1009
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
external_id | M1009 |
Brute Force Mitigation - T1110
Set account lockout policies after a certain number of failed login attempts to prevent passwords from being guessed. Too strict a policy can create a denial of service condition and render environments unusable, with all accounts being locked out permanently. Use multifactor authentication. Follow best practices for mitigating access to Valid Accounts.
Refer to NIST guidelines when creating passwords. (Citation: NIST 800-63-3)
Where possible, also enable multifactor authentication on external-facing services.
Internal MISP references
UUID 4a99fecc-680b-448e-8fe7-8144c60d272c
which can be used as unique global reference for Brute Force Mitigation - T1110
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
external_id | T1110 |
Query Registry Mitigation - T1012
Identify unnecessary system utilities or potentially malicious software that may be used to acquire information within the Registry, and audit and/or block them by using whitelisting (Citation: Beechey 2010) tools like AppLocker (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) or Software Restriction Policies (Citation: Corio 2008) where appropriate. (Citation: TechNet Applocker vs SRP)
Internal MISP references
UUID 0640214c-95af-4c04-a574-2a1ba6dda00b
which can be used as unique global reference for Query Registry Mitigation - T1012
in MISP communities and other software using the MISP galaxy
External references
- http://blog.jpcert.or.jp/2016/01/windows-commands-abused-by-attackers.html - webarchive
- http://technet.microsoft.com/en-us/magazine/2008.06.srp.aspx - webarchive
- http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599 - webarchive
- https://apps.nsa.gov/iaarchive/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm - webarchive
- https://attack.mitre.org/mitigations/T1012 - webarchive
- https://technet.microsoft.com/en-us/library/ee791851.aspx - webarchive
Associated metadata
Metadata key | Value |
---|---|
external_id | T1012 |
Web Service Mitigation - T1102
Firewalls and Web proxies can be used to enforce external network communication policy. It may be difficult for an organization to block particular services because so many of them are commonly used during the course of business.
Network intrusion detection and prevention systems that use network signatures to identify traffic for specific adversary malware can be used to mitigate activity at the network level. Signatures are often for unique indicators within protocols and may be based on the specific protocol or encoded commands used by a particular adversary or tool, and will likely be different across various malware families and versions. Adversaries will likely change tool C2 signatures over time or construct protocols in such a way as to avoid detection by common defensive tools. (Citation: University of Birmingham C2)
Internal MISP references
UUID 4689b9fb-dca4-473e-831b-34717ad50c97
which can be used as unique global reference for Web Service Mitigation - T1102
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
external_id | T1102 |
Application Developer Guidance - M1013
This mitigation describes any guidance or training given to developers of applications to avoid introducing security weaknesses that an adversary may be able to take advantage of.
Internal MISP references
UUID 25dc1ce8-eb55-4333-ae30-a7cb4f5894a1
which can be used as unique global reference for Application Developer Guidance - M1013
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
external_id | M1013 |
AppInit DLLs Mitigation - T1103
Upgrade to Windows 8 or later and enable secure boot.
Identify and block potentially malicious software that may be executed through AppInit DLLs by using whitelisting (Citation: Beechey 2010) tools like AppLocker (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) that are capable of auditing and/or blocking unknown DLLs.
Internal MISP references
UUID 10571bf2-8073-4edf-a71c-23bad225532e
which can be used as unique global reference for AppInit DLLs Mitigation - T1103
in MISP communities and other software using the MISP galaxy
External references
- http://blog.jpcert.or.jp/2016/01/windows-commands-abused-by-attackers.html - webarchive
- http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599 - webarchive
- https://apps.nsa.gov/iaarchive/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm - webarchive
- https://attack.mitre.org/mitigations/T1103 - webarchive
Associated metadata
Metadata key | Value |
---|---|
external_id | T1103 |
Network Intrusion Prevention - M1031
Use intrusion detection signatures to block traffic at network boundaries.
Internal MISP references
UUID 12241367-a8b7-49b4-b86e-2236901ba50c
which can be used as unique global reference for Network Intrusion Prevention - M1031
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
external_id | M1031 |
Port Monitors Mitigation - T1013
Identify and block potentially malicious software that may persist in this manner by using whitelisting (Citation: Beechey 2010) tools capable of monitoring DLL loads by processes running under SYSTEM permissions.
Internal MISP references
UUID 1c6bc7f3-d517-4971-aed4-8f939090846b
which can be used as unique global reference for Port Monitors Mitigation - T1013
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
external_id | T1013 |
Encrypt Sensitive Information - M1041
Protect sensitive information with strong encryption.
Internal MISP references
UUID feff9142-e8c2-46f4-842b-bd6fb3d41157
which can be used as unique global reference for Encrypt Sensitive Information - M1041
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
external_id | M1041 |
Active Directory Configuration - M1015
Configure Active Directory to prevent use of certain techniques; use SID Filtering, etc.
Internal MISP references
UUID e3388c78-2a8d-47c2-8422-c1398b324462
which can be used as unique global reference for Active Directory Configuration - M1015
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
external_id | M1015 |
Accessibility Features Mitigation - T1015
To use this technique remotely, an adversary must use it in conjunction with RDP. Ensure that Network Level Authentication is enabled to force the remote desktop session to authenticate before the session is created and the login screen displayed. It is enabled by default on Windows Vista and later. (Citation: TechNet RDP NLA)
If possible, use a Remote Desktop Gateway to manage connections and security configuration of RDP within a network. (Citation: TechNet RDP Gateway)
Identify and block potentially malicious software that may be executed by an adversary with this technique by using whitelisting (Citation: Beechey 2010) tools like AppLocker (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) or Software Restriction Policies (Citation: Corio 2008) where appropriate. (Citation: TechNet Applocker vs SRP)
Internal MISP references
UUID c085476e-1964-4d7f-86e1-d8657a7741e8
which can be used as unique global reference for Accessibility Features Mitigation - T1015
in MISP communities and other software using the MISP galaxy
External references
- http://technet.microsoft.com/en-us/magazine/2008.06.srp.aspx - webarchive
- http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599 - webarchive
- https://apps.nsa.gov/iaarchive/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm - webarchive
- https://attack.mitre.org/mitigations/T1015 - webarchive
- https://blogs.jpcert.or.jp/en/2016/01/windows-commands-abused-by-attackers.html - webarchive
- https://technet.microsoft.com/en-us/library/cc731150.aspx - webarchive
- https://technet.microsoft.com/en-us/library/cc732713.aspx - webarchive
- https://technet.microsoft.com/en-us/library/ee791851.aspx - webarchive
Associated metadata
Metadata key | Value |
---|---|
external_id | T1015 |
Plist Modification Mitigation - T1150
Prevent plist files from being modified by users by making them read-only.
Internal MISP references
UUID 2d704e56-e689-4011-b989-bf4e025a8727
which can be used as unique global reference for Plist Modification Mitigation - T1150
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
external_id | T1150 |
Systemd Service Mitigation - T1501
The creation and modification of systemd service unit files is generally reserved for administrators such as the Linux root user and other users with superuser privileges. Limit user access to system utilities such as systemctl to only users who have a legitimate need. Restrict read/write access to systemd unit files to only select privileged users who have a legitimate need to manage system services. Additionally, the installation of software commonly adds and changes systemd service unit files. Restrict software installation to trusted repositories only and be cautious of orphaned software packages. Utilize malicious code protection and application whitelisting to mitigate the ability of malware to create or modify systemd services.
Internal MISP references
UUID 83130e62-bca6-4a81-bd4b-8e233bd49db6
which can be used as unique global reference for Systemd Service Mitigation - T1501
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
external_id | T1501 |
Shared Webroot Mitigation - T1051
Networks that allow for open development and testing of Web content and allow users to set up their own Web servers on the enterprise network may be particularly vulnerable if the systems and Web servers are not properly secured to limit privileged account use, unauthenticated network share access, and network/system isolation.
Ensure proper permissions on directories that are accessible through a Web server. Disallow remote access to the webroot or other directories used to serve Web content. Disable execution on directories within the webroot. Ensure that permissions of the Web server process are only what is required by not using built-in accounts; instead, create specific accounts to limit unnecessary access or permissions overlap across multiple systems. (Citation: acunetix Server Secuirty) (Citation: NIST Server Security July 2008)
Internal MISP references
UUID 43b366a4-b5ff-4d4e-8a3b-f09a9d2faff5
which can be used as unique global reference for Shared Webroot Mitigation - T1051
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
external_id | T1051 |
Launch Daemon Mitigation - T1160
Limit privileges of user accounts and remediate Privilege Escalation vectors so only authorized administrators can create new Launch Daemons.
Internal MISP references
UUID 402e92cd-5608-4f4b-9a34-a2c962e4bcd7
which can be used as unique global reference for Launch Daemon Mitigation - T1160
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
external_id | T1160 |
File Deletion Mitigation - T1107
Identify unnecessary system utilities, third-party tools, or potentially malicious software that may be used to delete files, and audit and/or block them by using whitelisting (Citation: Beechey 2010) tools like AppLocker (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) or Software Restriction Policies (Citation: Corio 2008) where appropriate. (Citation: TechNet Applocker vs SRP)
Internal MISP references
UUID 34efb2fd-4dc2-40d4-a564-0c147c85034d
which can be used as unique global reference for File Deletion Mitigation - T1107
in MISP communities and other software using the MISP galaxy
External references
- http://blog.jpcert.or.jp/2016/01/windows-commands-abused-by-attackers.html - webarchive
- http://technet.microsoft.com/en-us/magazine/2008.06.srp.aspx - webarchive
- http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599 - webarchive
- https://apps.nsa.gov/iaarchive/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm - webarchive
- https://attack.mitre.org/mitigations/T1107 - webarchive
- https://technet.microsoft.com/en-us/library/ee791851.aspx - webarchive
Associated metadata
Metadata key | Value |
---|---|
external_id | T1107 |
User Account Management - M1018
Manage the creation, modification, use, and permissions associated with user accounts.
Internal MISP references
UUID 93e7968a-9074-4eac-8ae9-9f5200ec3317
which can be used as unique global reference for User Account Management - M1018
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
external_id | M1018 |
Redundant Access Mitigation - T1108
Identify and block potentially malicious software that may be used as a remote access tool, and audit and/or block it by using whitelisting (Citation: Beechey 2010) tools like AppLocker (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) or Software Restriction Policies (Citation: Corio 2008) where appropriate. (Citation: TechNet Applocker vs SRP)
Network intrusion detection and prevention systems that use network signatures to identify traffic for specific adversary malware can be used to mitigate activity at the network level. Signatures are often for unique indicators within protocols and will be different across various malware families and versions. Adversaries will likely change tool signatures over time or construct protocols in such a way as to avoid detection by common defensive tools. (Citation: University of Birmingham C2)
Internal MISP references
UUID f9b3e5d9-7454-4b7d-bce6-27620e19924e
which can be used as unique global reference for Redundant Access Mitigation - T1108
in MISP communities and other software using the MISP galaxy
External references
- http://technet.microsoft.com/en-us/magazine/2008.06.srp.aspx - webarchive
- http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599 - webarchive
- https://apps.nsa.gov/iaarchive/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm - webarchive
- https://arxiv.org/ftp/arxiv/papers/1408/1408.1136.pdf - webarchive
- https://attack.mitre.org/mitigations/T1108 - webarchive
- https://blogs.jpcert.or.jp/en/2016/01/windows-commands-abused-by-attackers.html - webarchive
- https://technet.microsoft.com/en-us/library/ee791851.aspx - webarchive
Associated metadata
Metadata key | Value |
---|---|
external_id | T1108 |
Component Firmware Mitigation - T1109
Prevent adversary access to privileged accounts or access necessary to perform this technique.
Consider removing and replacing system components suspected of being compromised.
Internal MISP references
UUID 676975b9-7e8e-463d-a31e-4ed2ecbfed81
which can be used as unique global reference for Component Firmware Mitigation - T1109
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
external_id | T1109 |
System Firmware Mitigation - T1019
Prevent adversary access to privileged accounts or access necessary to perform this technique. Check the integrity of the existing BIOS or EFI to determine if it is vulnerable to modification. Patch the BIOS and EFI as necessary. Use Trusted Platform Module technology. (Citation: TCG Trusted Platform Module)
Internal MISP references
UUID 25e53928-6f33-49b7-baee-8180578286f6
which can be used as unique global reference for System Firmware Mitigation - T1019
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
external_id | T1019 |
Threat Intelligence Program - M1019
A threat intelligence program helps an organization generate their own threat intelligence information and track trends to inform defensive priorities to mitigate risk.
Internal MISP references
UUID 874c0166-e407-45c2-a1d9-e4e3a6570fd8
which can be used as unique global reference for Threat Intelligence Program - M1019
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
external_id | M1019 |
Data Encrypted Mitigation - T1022
Identify unnecessary system utilities, third-party tools, or potentially malicious software that may be used to encrypt files, and audit and/or block them by using whitelisting (Citation: Beechey 2010) tools like AppLocker (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) or Software Restriction Policies (Citation: Corio 2008) where appropriate. (Citation: TechNet Applocker vs SRP)
Internal MISP references
UUID 2a8de25c-f743-4348-b101-3ee33ab5871b
which can be used as unique global reference for Data Encrypted Mitigation - T1022
in MISP communities and other software using the MISP galaxy
External references
- http://technet.microsoft.com/en-us/magazine/2008.06.srp.aspx - webarchive
- http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599 - webarchive
- https://apps.nsa.gov/iaarchive/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm - webarchive
- https://attack.mitre.org/mitigations/T1022 - webarchive
- https://blogs.jpcert.or.jp/en/2016/01/windows-commands-abused-by-attackers.html - webarchive
- https://technet.microsoft.com/en-us/library/ee791851.aspx - webarchive
Associated metadata
Metadata key | Value |
---|---|
external_id | T1022 |
Shortcut Modification Mitigation - T1023
Limit permissions for who can create symbolic links in Windows to appropriate groups such as Administrators and necessary groups for virtualization. This can be done through GPO: Computer Configuration > [Policies] > Windows Settings > Security Settings > Local Policies > User Rights Assignment: Create symbolic links. (Citation: UCF STIG Symbolic Links)
Identify and block unknown, potentially malicious software that may be executed through shortcut modification by using whitelisting (Citation: Beechey 2010) tools like AppLocker (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) or Software Restriction Policies (Citation: Corio 2008) where appropriate. (Citation: TechNet Applocker vs SRP)
Internal MISP references
UUID a13e35cc-8c90-4d77-a965-5461042c1612
which can be used as unique global reference for Shortcut Modification Mitigation - T1023
in MISP communities and other software using the MISP galaxy
External references
- http://blog.jpcert.or.jp/2016/01/windows-commands-abused-by-attackers.html - webarchive
- http://technet.microsoft.com/en-us/magazine/2008.06.srp.aspx - webarchive
- http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599 - webarchive
- https://apps.nsa.gov/iaarchive/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm - webarchive
- https://attack.mitre.org/mitigations/T1023 - webarchive
- https://technet.microsoft.com/en-us/library/ee791851.aspx - webarchive
- https://www.stigviewer.com/stig/windows_server_2008_r2_member_server/2015-06-25/finding/V-26482 - webarchive
Associated metadata
Metadata key | Value |
---|---|
external_id | T1023 |
User Execution Mitigation - T1204
Use user training as a way to bring awareness to common phishing and spearphishing techniques and how to raise suspicion for potentially malicious events. Application whitelisting may be able to prevent the running of executables masquerading as other files.
If a link is being visited by a user, block by default files in transit that are unknown, unused, or should not be downloaded, and block downloads by policy from suspicious sites, as a best practice to prevent some vectors, such as .scr, .exe, .lnk, .pif, .cpl, etc. Some download scanning devices can open and analyze compressed and encrypted formats, such as zip and RAR, that may be used to conceal malicious files in Obfuscated Files or Information.
If a link is being visited by a user, network intrusion prevention systems and systems designed to scan and remove malicious downloads can be used to block activity. Solutions can be signature and behavior based, but adversaries may construct files in a way to avoid these systems.
Internal MISP references
UUID 548bf7ad-e19c-4d74-84bf-84ac4e57f505
which can be used as unique global reference for User Execution Mitigation - T1204
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
external_id | T1204 |
Restrict Registry Permissions - M1024
Restrict the ability to modify certain hives or keys in the Windows Registry.
Internal MISP references
UUID a2c36a5d-4058-475e-8e77-fff75e50d3b9
which can be used as unique global reference for Restrict Registry Permissions - M1024
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
external_id | M1024 |
User Account Control - M1052
Configure Windows User Account Control to mitigate risk of adversaries obtaining elevated process access.
Internal MISP references
UUID 2c2ad92a-d710-41ab-a996-1db143bb4808
which can be used as unique global reference for User Account Control - M1052
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
external_id | M1052 |
Privileged Process Integrity - M1025
Protect processes with high privileges that can be used to interact with critical system components through use of protected process light, anti-process injection defenses, or other process integrity enforcement measures.
Internal MISP references
UUID 72dade3e-1cba-4182-b3b3-a77ca52f02a1
which can be used as unique global reference for Privileged Process Integrity - M1025
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
external_id | M1025 |
Port Knocking Mitigation - T1205
Mitigation of some variants of this technique could be achieved through the use of stateful firewalls, depending upon how it is implemented.
Internal MISP references
UUID f6b7c116-0821-4eb7-9b24-62bd09b3e575
which can be used as unique global reference for Port Knocking Mitigation - T1205
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
external_id | T1205 |
Privileged Account Management - M1026
Manage the creation, modification, use, and permissions associated with privileged accounts, including SYSTEM and root.
Internal MISP references
UUID 9bb9e696-bff8-4ae1-9454-961fc7d91d5f
which can be used as unique global reference for Privileged Account Management - M1026
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
external_id | M1026 |
Multiband Communication Mitigation - T1026
Network intrusion detection and prevention systems that use network signatures to identify traffic for specific adversary malware can be used to mitigate activity at the network level. Signatures are often for unique indicators within protocols and may be based on the specific protocol used by a particular adversary or tool, and will likely be different across various malware families and versions. Adversaries will likely change tool C2 signatures over time or construct protocols in such a way as to avoid detection by common defensive tools. (Citation: University of Birmingham C2)
Internal MISP references
UUID da987565-27b6-4b31-bbcd-74b909847116
which can be used as unique global reference for Multiband Communication Mitigation - T1026
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
external_id | T1026 |
Sudo Caching Mitigation - T1206
Setting the timestamp_timeout to 0 will require the user to input their password every time sudo is executed. Similarly, ensuring that the tty_tickets setting is enabled will prevent this leakage across tty sessions.
Internal MISP references
UUID dbf0186e-722d-4a0a-af6a-b3460f162f84
which can be used as unique global reference for Sudo Caching Mitigation - T1206
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
external_id | T1206 |
Operating System Configuration - M1028
Make configuration changes related to the operating system or a common feature of the operating system that result in system hardening against techniques.
Internal MISP references
UUID 2f316f6c-ae42-44fe-adf8-150989e0f6d3
which can be used as unique global reference for Operating System Configuration - M1028
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
external_id | M1028 |
Remote Data Storage - M1029
Use remote security log and sensitive file storage where access can be controlled better to prevent exposure of intrusion detection log data or sensitive information.
Internal MISP references
UUID 20a2baeb-98c2-4901-bad7-dc62d0a03dea
which can be used as unique global reference for Remote Data Storage - M1029
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
external_id | M1029 |
Time Providers Mitigation - T1209
Identify and block potentially malicious software that may be executed as a time provider by using whitelisting (Citation: Beechey 2010) tools like AppLocker (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) that are capable of auditing and/or blocking unknown DLLs.
Consider using Group Policy to configure and block subsequent modifications to W32Time parameters. (Citation: Microsoft W32Time May 2017)
Internal MISP references
UUID a1482e43-f3ff-4fbd-94de-ad1244738166
which can be used as unique global reference for Time Providers Mitigation - T1209
in MISP communities and other software using the MISP galaxy
External references
- http://blog.jpcert.or.jp/2016/01/windows-commands-abused-by-attackers.html - webarchive
- http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599 - webarchive
- https://apps.nsa.gov/iaarchive/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm - webarchive
- https://attack.mitre.org/mitigations/T1209 - webarchive
- https://docs.microsoft.com/windows-server/networking/windows-time-service/windows-time-service-tools-and-settings - webarchive
Associated metadata
Metadata key | Value |
---|---|
external_id | T1209 |
Scheduled Transfer Mitigation - T1029
Network intrusion detection and prevention systems that use network signatures to identify traffic for specific adversary command and control infrastructure and malware can be used to mitigate activity at the network level. Signatures are often for unique indicators within protocols and may be based on the specific obfuscation technique used by a particular adversary or tool, and will likely be different across various malware families and versions. Adversaries will likely change tool command and control signatures over time or construct protocols in such a way to avoid detection by common defensive tools. (Citation: University of Birmingham C2)
Internal MISP references
UUID 1c0711c8-2a73-48a1-893d-ff88bcd23824
which can be used as unique global reference for Scheduled Transfer Mitigation - T1029
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
external_id | T1029 |
Limit Software Installation - M1033
Block users or groups from installing unapproved software.
Internal MISP references
UUID 23843cff-f7b9-4659-a7b7-713ef347f547
which can be used as unique global reference for Limit Software Installation - M1033
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
external_id | M1033 |
Credential Access Protection - M1043
Use capabilities to prevent successful credential access by adversaries; including blocking forms of credential dumping.
Internal MISP references
UUID 49c06d54-9002-491d-9147-8efb537fbd26
which can be used as unique global reference for Credential Access Protection - M1043
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
external_id | M1043 |
Limit Hardware Installation - M1034
Block users or groups from installing or using unapproved hardware on systems, including USB devices.
Internal MISP references
UUID 2995bc22-2851-4345-ad19-4e7e295be264
which can be used as unique global reference for Limit Hardware Installation - M1034
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
external_id | M1034 |
Path Interception Mitigation - T1034
Eliminate path interception weaknesses in program configuration files, scripts, the PATH environment variable, services, and in shortcuts by surrounding PATH variables with quotation marks when functions allow for them (Citation: Microsoft CreateProcess). Be aware of the search order Windows uses for executing or loading binaries and use fully qualified paths wherever appropriate (Citation: MSDN DLL Security). Clean up old Windows Registry keys when software is uninstalled to avoid keys with no associated legitimate binaries.
Periodically search for and correct or report path interception weaknesses on systems that may have been introduced using custom or available tools that report software using insecure path configurations (Citation: Kanthak Sentinel).
Require that all executables be placed in write-protected directories. Ensure that proper permissions and directory access control are set to deny users the ability to write files to the top-level directory C:\ and system directories, such as C:\Windows\, to reduce places where malicious files could be placed for execution.
Identify and block potentially malicious software that may be executed through the path interception by using whitelisting (Citation: Beechey 2010) tools, like AppLocker (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) or Software Restriction Policies, (Citation: Corio 2008) that are capable of auditing and/or blocking unknown executables.
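The periodic search for path interception weaknesses described above can be done locally without third-party tooling. The following is an added example, not part of the ATT&CK/MISP text and not Kanthak's Sentinel; it covers the two most common cases, unquoted service image paths with embedded spaces and PATH directories writable by non-administrators. The list of low-privilege identities it treats as "anyone" is an assumption; extend it for your environment.

```powershell
# Added example, not part of the ATT&CK/MISP text: find path-interception weaknesses
# on the local host. It reports (1) services whose ImagePath is unquoted and contains
# spaces, together with the exact file an attacker would need to plant for each
# ambiguous prefix, and (2) directories on the machine PATH that non-administrators
# can write to. Run elevated so that every service and ACL is readable.

# Assumption: these identities represent "any local user"
$lowPrivIdentities = 'BUILTIN\Users', 'Everyone', 'NT AUTHORITY\Authenticated Users', 'NT AUTHORITY\INTERACTIVE'
# Pure write bits only. Do not test with Modify/FullControl masks: they include read bits
# and would flag every ReadAndExecute ACE as writable.
$writeBits = [int][System.Security.AccessControl.FileSystemRights]'CreateFiles, CreateDirectories, ChangePermissions, TakeOwnership'
$genericWriteOrAll = 0x40000000 -bor 0x10000000   # GENERIC_WRITE | GENERIC_ALL on undecoded ACEs

function Test-LowPrivWritable {
    param([Parameter(Mandatory)][string]$Path)
    if (-not (Test-Path -LiteralPath $Path)) { return $false }
    try { $acl = Get-Acl -LiteralPath $Path -ErrorAction Stop } catch { return $false }
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($lowPrivIdentities -notcontains $ace.IdentityReference.Value) { continue }
        $raw = [int]$ace.FileSystemRights
        if ((($raw -band $writeBits) -ne 0) -or (($raw -band $genericWriteOrAll) -ne 0)) { return $true }
    }
    return $false
}

function Get-UnquotedServicePath {
    foreach ($svc in Get-CimInstance -ClassName Win32_Service) {
        $cmd = [string]$svc.PathName
        if (-not $cmd -or $cmd.StartsWith('"')) { continue }
        # Keep only the executable portion; arguments after it may legitimately contain spaces
        if ($cmd -match '^(?<exe>.*?\.exe)') { $exe = $Matches['exe'] } else { continue }
        if ($exe -notmatch '\s') { continue }   # no space in the path: nothing to intercept
        # CreateProcess tries each space-delimited prefix as "<prefix>.exe" before the full path
        $tokens = $exe -split '\s+'
        for ($i = 1; $i -lt $tokens.Count; $i++) {
            $candidate = ($tokens[0..($i - 1)] -join ' ') + '.exe'
            $dir = Split-Path -Path $candidate -Parent
            [pscustomobject]@{
                Service     = $svc.Name
                RunsAs      = $svc.StartName
                ImagePath   = $cmd
                Plant       = $candidate
                DirWritable = Test-LowPrivWritable -Path $dir
            }
        }
    }
}

function Get-WritablePathDir {
    # The machine-scope PATH is what services and other SYSTEM processes inherit
    $machinePath = [Environment]::GetEnvironmentVariable('Path', 'Machine')
    foreach ($entry in ($machinePath -split ';' | Where-Object { $_ } | Select-Object -Unique)) {
        $dir = [Environment]::ExpandEnvironmentVariables($entry.Trim())
        if (Test-LowPrivWritable -Path $dir) { [pscustomobject]@{ PathDir = $dir; LowPrivWritable = $true } }
    }
}

'== Unquoted service paths (DirWritable = True is exploitable) =='
Get-UnquotedServicePath | Format-Table -AutoSize
'== Machine PATH directories writable by low-privilege users =='
Get-WritablePathDir | Format-Table -AutoSize
```

For a service flagged with DirWritable = True, the fix is to quote the path in the service configuration, for example from an elevated cmd.exe: `sc config <name> binPath= "\"C:\Program Files\Foo Bar\svc.exe\""`, and then to tighten the ACL on the directory that was writable. A writable PATH directory is fixed by removing it from the machine PATH or restricting its ACL, not by reordering entries.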
Internal MISP references
UUID e0703d4f-3972-424a-8277-84004817e024
which can be used as unique global reference for Path Interception Mitigation - T1034
in MISP communities and other software using the MISP galaxy
External references
- http://msdn.microsoft.com/en-us/library/ms682425 - webarchive
- http://technet.microsoft.com/en-us/magazine/2008.06.srp.aspx - webarchive
- http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599 - webarchive
- https://apps.nsa.gov/iaarchive/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm - webarchive
- https://attack.mitre.org/mitigations/T1034 - webarchive
- https://blogs.jpcert.or.jp/en/2016/01/windows-commands-abused-by-attackers.html - webarchive
- https://msdn.microsoft.com/en-us/library/ff919712.aspx - webarchive
- https://skanthak.homepage.t-online.de/sentinel.html - webarchive
Associated metadata
Metadata key | Value |
---|---|
external_id | T1034 |
Service Execution Mitigation - T1035
Ensure that permissions disallow services that run at a higher permissions level from being created or interacted with by a user with a lower permission level. Also ensure that high permission level service binaries cannot be replaced or modified by users with a lower permission level.
Identify unnecessary system utilities or potentially malicious software that may be used to interact with Windows services, and audit and/or block them by using whitelisting (Citation: Beechey 2010) tools, like AppLocker, (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) or Software Restriction Policies (Citation: Corio 2008) where appropriate. (Citation: TechNet Applocker vs SRP)
Internal MISP references
UUID d5dce4b9-f1fa-4c03-aff9-ce177246cb64
which can be used as unique global reference for Service Execution Mitigation - T1035
in MISP communities and other software using the MISP galaxy
External references
- http://blog.jpcert.or.jp/2016/01/windows-commands-abused-by-attackers.html - webarchive
- http://technet.microsoft.com/en-us/magazine/2008.06.srp.aspx - webarchive
- http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599 - webarchive
- https://apps.nsa.gov/iaarchive/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm - webarchive
- https://attack.mitre.org/mitigations/T1035 - webarchive
- https://technet.microsoft.com/en-us/library/ee791851.aspx - webarchive
Associated metadata
Metadata key | Value |
---|---|
external_id | T1035 |
Scheduled Task Mitigation - T1053
Limit privileges of user accounts and remediate Privilege Escalation vectors so only authorized administrators can create scheduled tasks on remote systems. Toolkits like the PowerSploit framework contain PowerUp modules that can be used to explore systems for permission weaknesses in scheduled tasks that could be used to escalate privileges. (Citation: Powersploit)
Configure settings for scheduled tasks to force tasks to run under the context of the authenticated account instead of allowing them to run as SYSTEM. The associated Registry key is located at HKLM\SYSTEM\CurrentControlSet\Control\Lsa\SubmitControl. The setting can be configured through GPO: Computer Configuration > [Policies] > Windows Settings > Security Settings > Local Policies > Security Options: Domain controller: Allow server operators to schedule tasks, set to disabled. (Citation: TechNet Server Operator Scheduled Task)
Configure the Increase Scheduling Priority option to only allow the Administrators group the right to schedule a priority process. This can be configured through GPO: Computer Configuration > [Policies] > Windows Settings > Security Settings > Local Policies > User Rights Assignment: Increase scheduling priority. (Citation: TechNet Scheduling Priority)
Identify and block unnecessary system utilities or potentially malicious software that may be used to schedule tasks using whitelisting (Citation: Beechey 2010) tools, like AppLocker, (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) or Software Restriction Policies (Citation: Corio 2008) where appropriate. (Citation: TechNet Applocker vs SRP)
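The two policy settings above can be audited on a host without opening the GPO editor. The following is an added example, not part of the ATT&CK/MISP text; the `-Fix` switch and the list of expected holders of the "Increase scheduling priority" right (Administrators, plus the Window Manager group that Windows 10 / Server 2016 and later add by default) are assumptions.

```powershell
# Added example, not part of the ATT&CK/MISP text: audit the two Scheduled Task
# hardening settings described above on the local host and optionally enforce the
# SubmitControl one. Run elevated. On domain-joined hosts the Group Policy value is
# re-applied at the next refresh, so change the GPO rather than the local registry.

param([switch]$Fix)

$lsaKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'

function Get-SubmitControlState {
    # SubmitControl = 1 lets members of Server Operators submit jobs that run as SYSTEM;
    # it backs the policy "Domain controller: Allow server operators to schedule tasks".
    $v = (Get-ItemProperty -Path $lsaKey -Name SubmitControl -ErrorAction SilentlyContinue).SubmitControl
    if ($null -eq $v) { return 'NotConfigured' }   # behaves as disabled
    if ($v -eq 0)     { return 'Disabled' }
    return 'Enabled'
}

function Get-IncreasePriorityHolders {
    # "Increase scheduling priority" is the SeIncreaseBasePriorityPrivilege user right.
    # No cmdlet exposes user rights, so export the local security policy and parse the line.
    $cfg = Join-Path $env:TEMP 'secpol-audit.inf'
    & secedit.exe /export /cfg $cfg /areas USER_RIGHTS | Out-Null
    $line = Get-Content -Path $cfg | Where-Object { $_ -match '^SeIncreaseBasePriorityPrivilege\s*=' }
    Remove-Item -Path $cfg -ErrorAction SilentlyContinue
    if (-not $line) { return @() }
    # Entries are "*<SID>" or account names; translate SIDs so the report is readable
    ($line -split '=', 2)[1] -split ',' | ForEach-Object {
        $entry = $_.Trim()
        if ($entry.StartsWith('*')) {
            try {
                (New-Object System.Security.Principal.SecurityIdentifier($entry.Substring(1))).Translate([System.Security.Principal.NTAccount]).Value
            } catch { $entry }
        } else { $entry }
    }
}

$state = Get-SubmitControlState
"SubmitControl: $state"
if ($state -eq 'Enabled') {
    '  FINDING: server operators can schedule tasks that run as SYSTEM'
    if ($Fix) {
        Set-ItemProperty -Path $lsaKey -Name SubmitControl -Value 0 -Type DWord
        '  SubmitControl set to 0'
    }
}

$holders = @(Get-IncreasePriorityHolders)
"SeIncreaseBasePriorityPrivilege holders: $($holders -join ', ')"
# Assumption: Administrators is the intended holder; Window Manager Group is a Windows 10/2016+ default.
$expected   = 'BUILTIN\Administrators', 'Window Manager\Window Manager Group'
$unexpected = $holders | Where-Object { $expected -notcontains $_ }
if ($unexpected) { "  FINDING: unexpected holders: $($unexpected -join ', ')" } else { '  OK: no unexpected holders' }
```

Save it as a script and run it with `-Fix` only on a host whose setting is not managed by Group Policy; otherwise the finding points at the GPO that needs to change.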
Internal MISP references
UUID f2cb6ce2-188d-4162-8feb-594f949b13dd
which can be used as unique global reference for Scheduled Task Mitigation - T1053
in MISP communities and other software using the MISP galaxy
External references
- http://technet.microsoft.com/en-us/magazine/2008.06.srp.aspx - webarchive
- http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599 - webarchive
- https://apps.nsa.gov/iaarchive/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm - webarchive
- https://attack.mitre.org/mitigations/T1053 - webarchive
- https://blogs.jpcert.or.jp/en/2016/01/windows-commands-abused-by-attackers.html - webarchive
- https://github.com/mattifestation/PowerSploit - webarchive
- https://technet.microsoft.com/en-us/library/ee791851.aspx - webarchive
- https://technet.microsoft.com/library/dn221960.aspx - webarchive
- https://technet.microsoft.com/library/jj852168.aspx - webarchive
Associated metadata
Metadata key | Value |
---|---|
external_id | T1053 |
Account Use Policies - M1036
Configure features related to account use like login attempt lockouts, specific login times, etc.
Internal MISP references
UUID f9f9e6ef-bc0a-41ad-ba11-0924e5e84c4c
which can be used as unique global reference for Account Use Policies - M1036
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
external_id | M1036 |
Filter Network Traffic - M1037
Use network appliances to filter ingress or egress traffic and perform protocol-based filtering. Configure software on endpoints to filter network traffic.
Internal MISP references
UUID 20f6a9df-37c4-4e20-9e47-025983b1b39d
which can be used as unique global reference for Filter Network Traffic - M1037
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
external_id | M1037 |
Logon Scripts Mitigation - T1037
Restrict write access to logon scripts to specific administrators. Prevent access to administrator accounts by mitigating Credential Access techniques and limiting account access and permissions of Valid Accounts.
Identify and block potentially malicious software that may be executed through logon script modification by using whitelisting (Citation: Beechey 2010) tools like AppLocker (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) that are capable of auditing and/or blocking unknown programs.
Internal MISP references
UUID 9ab7de33-99b2-4d8d-8cf3-182fa0015cc2
which can be used as unique global reference for Logon Scripts Mitigation - T1037
in MISP communities and other software using the MISP galaxy
External references
- http://blog.jpcert.or.jp/2016/01/windows-commands-abused-by-attackers.html - webarchive
- http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599 - webarchive
- https://apps.nsa.gov/iaarchive/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm - webarchive
- https://attack.mitre.org/mitigations/T1037 - webarchive
Associated metadata
Metadata key | Value |
---|---|
external_id | T1037 |
Environment Variable Permissions - M1039
Prevent modification of environment variables by unauthorized users and groups.
Internal MISP references
UUID 609191bf-7d06-40e4-b1f8-9e11eb3ff8a6
which can be used as unique global reference for Environment Variable Permissions - M1039
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
external_id | M1039 |
Process Hollowing Mitigation - T1093
This type of attack technique cannot be easily mitigated with preventive controls since it is based on the abuse of operating system design features. For example, mitigating specific API calls will likely have unintended side effects, such as preventing legitimate software (e.g., security products) from operating properly. Efforts should be focused on preventing adversary tools from running earlier in the chain of activity and on identifying subsequent malicious behavior.
Although process hollowing may be used to evade certain types of defenses, it is still good practice to identify potentially malicious software that may be used to perform adversarial actions and audit and/or block it by using whitelisting (Citation: Beechey 2010) tools, like AppLocker, (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) or Software Restriction Policies (Citation: Corio 2008) where appropriate. (Citation: TechNet Applocker vs SRP)
Internal MISP references
UUID 7c39ebbf-244e-4d1c-b0ac-b282453ece43
which can be used as unique global reference for Process Hollowing Mitigation - T1093
in MISP communities and other software using the MISP galaxy
External references
- http://technet.microsoft.com/en-us/magazine/2008.06.srp.aspx - webarchive
- http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599 - webarchive
- https://apps.nsa.gov/iaarchive/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm - webarchive
- https://attack.mitre.org/mitigations/T1093 - webarchive
- https://blogs.jpcert.or.jp/en/2016/01/windows-commands-abused-by-attackers.html - webarchive
- https://technet.microsoft.com/en-us/library/ee791851.aspx - webarchive
Associated metadata
Metadata key | Value |
---|---|
external_id | T1093 |
Restrict Library Loading - M1044
Prevent abuse of library loading mechanisms in the operating system and software to load untrusted code by configuring appropriate library loading mechanisms and investigating potential vulnerable software.
Internal MISP references
UUID e8242a33-481c-4891-af63-4cf3e4cf6aff
which can be used as unique global reference for Restrict Library Loading - M1044
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
external_id | M1044 |
Indicator Blocking Mitigation - T1054
Ensure event tracers/forwarders (Citation: Microsoft ETW May 2018), firewall policies, and other associated mechanisms are secured with appropriate permissions and access controls. Consider automatically relaunching forwarding mechanisms at recurring intervals (ex: temporal, on-logon, etc.) as well as applying appropriate change management to firewall rules and other related system configurations.
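The three things the paragraph asks you to keep intact, the ETW sessions behind the event logs, the forwarding channel, and firewall rules, can each be checked from the host. The following is an added example, not part of the ATT&CK/MISP text; the 24-hour review window and the use of WinRM-based Windows Event Forwarding as the "forwarder" are assumptions, and the `Repair-LoggingState` function is the piece you would schedule to run at recurring intervals.

```powershell
# Added example, not part of the ATT&CK/MISP text: checks for the three tampering
# targets the text lists. (1) The autologger sessions that feed the Windows event
# logs must be configured to start at boot and must be running now; (2) if Windows
# Event Forwarding is used, the subscription manager policy and the WinRM service
# it rides on must be present; (3) firewall rule changes should be audited and
# recent ones reviewed. Run elevated. Assumption: 24-hour review window.

$autologgers = 'EventLog-Application', 'EventLog-System', 'EventLog-Security'
$base = 'HKLM:\SYSTEM\CurrentControlSet\Control\WMI\Autologger'

function Get-AutologgerState {
    # "logman query -ets" lists live ETW sessions; rows look like "EventLog-System   Trace   Running"
    $live = @{}
    foreach ($l in (& logman.exe query -ets)) {
        if ($l -match '^(?<name>EventLog-\S+)\s+Trace\s+(?<status>\S+)') { $live[$Matches['name']] = $Matches['status'] }
    }
    foreach ($name in $autologgers) {
        $start = (Get-ItemProperty -Path (Join-Path $base $name) -Name Start -ErrorAction SilentlyContinue).Start
        [pscustomobject]@{
            Session     = $name
            StartAtBoot = ($start -eq 1)
            RunningNow  = ($live[$name] -eq 'Running')
            Finding     = if ($start -ne 1 -or $live[$name] -ne 'Running') { 'TAMPERED or misconfigured' } else { '' }
        }
    }
}

function Get-ForwardingState {
    # GPO "Configure target Subscription Manager" writes numbered values under this key
    $polKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\EventLog\EventForwarding\SubscriptionManager'
    $mgr = @()
    if (Test-Path -Path $polKey) {
        $mgr = @((Get-ItemProperty -Path $polKey).PSObject.Properties | Where-Object Name -Match '^\d+$' | ForEach-Object Value)
    }
    $winrm = (Get-Service -Name WinRM).Status
    [pscustomobject]@{
        SubscriptionManagers = ($mgr -join '; ')
        WinRM                = $winrm
        Finding              = if (-not $mgr) { 'no WEF subscription manager configured' }
                               elseif ($winrm -ne 'Running') { 'WinRM stopped: forwarding is dead' } else { '' }
    }
}

function Get-RecentFirewallRuleChange {
    param([int]$Hours = 24)
    # 4946 rule added, 4947 rule modified, 4948 rule deleted, 4950 setting changed.
    # Requires "Audit MPSSVC Rule-Level Policy Change" (Policy Change category) to be enabled.
    try {
        Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4946, 4947, 4948, 4950; StartTime = (Get-Date).AddHours(-$Hours) } -ErrorAction Stop |
            Select-Object TimeCreated, Id, @{ n = 'Summary'; e = { ($_.Message -split "`r?`n")[0] } }
    } catch { 'No firewall-change events found (or the audit subcategory is not enabled)' }
}

function Repair-LoggingState {
    # Re-assert the boot-start flag on each autologger and keep the WEF transport running.
    # Register this as a scheduled task running as SYSTEM (e.g. hourly and at logon) to get the
    # "relaunch at recurring intervals" behaviour the mitigation suggests.
    foreach ($name in $autologgers) { Set-ItemProperty -Path (Join-Path $base $name) -Name Start -Value 1 -Type DWord }
    if ((Get-Service -Name WinRM).Status -ne 'Running') { Start-Service -Name WinRM }
}

Get-AutologgerState | Format-Table -AutoSize
Get-ForwardingState | Format-List
Get-RecentFirewallRuleChange | Format-Table -AutoSize -Wrap
```

A Start flag of 0 on an EventLog-* autologger survives reboots and silently stops that log from being populated, which is why the boot-start flag is checked separately from the live session list; restoring the flag only takes effect at the next boot, so a tampered host should also be treated as an incident, not just repaired.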
Internal MISP references
UUID ec42d8be-f762-4127-80f4-f079ea6d7135
which can be used as unique global reference for Indicator Blocking Mitigation - T1054
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
external_id | T1054 |
Software Packing Mitigation - T1045
Ensure updated virus definitions. Create custom signatures for observed malware. Employ heuristic-based malware detection.
Identify and prevent execution of potentially malicious software that may have been packed by using whitelisting (Citation: Beechey 2010) tools like AppLocker (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) or Software Restriction Policies (Citation: Corio 2008) where appropriate. (Citation: TechNet Applocker vs SRP)
Internal MISP references
UUID c95c8b5c-b431-43c9-9557-f494805e2502
which can be used as unique global reference for Software Packing Mitigation - T1045
in MISP communities and other software using the MISP galaxy
External references
- http://blog.jpcert.or.jp/2016/01/windows-commands-abused-by-attackers.html - webarchive
- http://technet.microsoft.com/en-us/magazine/2008.06.srp.aspx - webarchive
- http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599 - webarchive
- https://apps.nsa.gov/iaarchive/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm - webarchive
- https://attack.mitre.org/mitigations/T1045 - webarchive
- https://technet.microsoft.com/en-us/library/ee791851.aspx - webarchive
Associated metadata
Metadata key | Value |
---|---|
external_id | T1045 |
Data Staged Mitigation - T1074
Identify system utilities, remote access or third-party tools, users, or potentially malicious software that may be used to store compressed or encrypted data in a publicly writable directory, central location, or commonly used staging directory (e.g. the recycle bin) in a way that is indicative of non-standard behavior, and audit and/or block them by using file integrity monitoring tools where appropriate. Consider applying data size limits or blocking file writes of common compression and encryption utilities such as 7zip, RAR, ZIP, or zlib on frequently used staging directories or central locations, and monitor attempted violations of those restrictions.
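A minimal version of the file integrity monitoring the paragraph asks for, watching the staging locations it names and checking file content rather than extensions, follows as an added example; it is not part of the ATT&CK/MISP text. The directory list, the 50 MB size threshold and the re-alert interval are assumptions, and `Write-Warning` stands in for whatever your SIEM ingestion path is.

```powershell
# Added example, not part of the ATT&CK/MISP text: a small file-integrity watcher for
# the kind of staging locations the text names. It raises an alert when a file that
# appears in one of them carries an archive signature (ZIP, RAR, 7z, gzip) whatever
# its extension, or exceeds a size threshold. Directory list, threshold and the
# re-alert interval are assumptions. Run it in a dedicated session; it loops until Ctrl+C.

$watchDirs = @($env:PUBLIC, (Join-Path $env:SystemDrive 'Temp'), (Join-Path $env:windir 'Temp'), (Join-Path $env:SystemDrive '$Recycle.Bin')) |
    Where-Object { $_ -and (Test-Path -LiteralPath $_) }
$sizeLimit    = 50MB
$realertAfter = [TimeSpan]::FromMinutes(5)

# Magic bytes of the formats named in the mitigation (zlib streams normally surface on disk as gzip)
$signatures = [ordered]@{
    ZIP  = [byte[]](0x50, 0x4B, 0x03, 0x04)
    RAR  = [byte[]](0x52, 0x61, 0x72, 0x21, 0x1A, 0x07)
    '7z' = [byte[]](0x37, 0x7A, 0xBC, 0xAF, 0x27, 0x1C)
    GZIP = [byte[]](0x1F, 0x8B)
}

function Get-ArchiveType {
    param([string]$Path)
    try {
        # ReadWrite sharing so a writer that still holds the file open does not block us
        $fs = [System.IO.File]::Open($Path, [System.IO.FileMode]::Open, [System.IO.FileAccess]::Read, [System.IO.FileShare]::ReadWrite)
        try { $buf = New-Object byte[] 8; $n = $fs.Read($buf, 0, $buf.Length) } finally { $fs.Dispose() }
    } catch { return $null }
    foreach ($name in $signatures.Keys) {
        $sig = $signatures[$name]
        if ($n -lt $sig.Length) { continue }
        $match = $true
        for ($i = 0; $i -lt $sig.Length; $i++) { if ($buf[$i] -ne $sig[$i]) { $match = $false; break } }
        if ($match) { return $name }
    }
    return $null
}

$watchers = foreach ($d in $watchDirs) {
    $w = New-Object System.IO.FileSystemWatcher -ArgumentList $d
    $w.IncludeSubdirectories = $true
    $w.NotifyFilter = [System.IO.NotifyFilters]'FileName, Size, LastWrite'
    $w
}
$lastAlert = @{}
Write-Host "Watching: $($watchDirs -join ', ')"
while ($true) {
    foreach ($w in $watchers) {
        # Synchronous wait with a short timeout keeps everything in one scope (no event-handler scoping issues)
        $r = $w.WaitForChanged([System.IO.WatcherChangeTypes]'Created, Changed', 250)
        if ($r.TimedOut) { continue }
        $path = Join-Path $w.Path $r.Name
        $item = Get-Item -LiteralPath $path -ErrorAction SilentlyContinue
        if (-not $item -or $item.PSIsContainer) { continue }
        $now = Get-Date
        if ($lastAlert[$path] -and (($now - $lastAlert[$path]) -lt $realertAfter)) { continue }
        $type = Get-ArchiveType -Path $path
        if ($type) {
            Write-Warning ("STAGING: {0} archive '{1}' ({2:N0} bytes)" -f $type, $path, $item.Length)
            $lastAlert[$path] = $now
        } elseif ($item.Length -gt $sizeLimit) {
            Write-Warning ("STAGING: large file '{0}' ({1:N0} bytes)" -f $path, $item.Length)
            $lastAlert[$path] = $now
        }
    }
}
```

Content-based matching matters here because staged archives are routinely renamed to `.dat`, `.log` or `.tmp`; an extension filter would miss exactly the files an adversary takes the trouble to disguise. The size check catches encrypted blobs that have no recognisable header.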
Internal MISP references
UUID 4320b080-9ae9-4541-9b8b-bcd0961dbbbd
which can be used as unique global reference for Data Staged Mitigation - T1074
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
external_id | T1074 |
Environmental Keying Mitigation - T1480
This technique likely should not be mitigated with preventative controls because it may protect unintended targets from being compromised. If targeted, efforts should be focused on preventing adversary tools from running earlier in the chain of activity and on identifying subsequent malicious behavior if compromised.
Internal MISP references
UUID c61e2da1-f51f-424c-b152-dc930d4f2e70
which can be used as unique global reference for Environmental Keying Mitigation - T1480
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
external_id | T1480 |
Do Not Mitigate - M1055
This category groups techniques for which mitigation might increase the risk of compromise, so mitigation is not recommended.
Internal MISP references
UUID 787fb64d-c87b-4ee5-a341-0ef17ec4c15c
which can be used as unique global reference for Do Not Mitigate - M1055
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
external_id | M1055 |
Data Loss Prevention - M1057
Use a data loss prevention (DLP) strategy to categorize sensitive data, identify data formats indicative of personally identifiable information (PII), and restrict exfiltration of sensitive data. (Citation: PurpleSec Data Loss Prevention)
Internal MISP references
UUID 65401701-019d-44ff-b223-08d520bb0e7b
which can be used as unique global reference for Data Loss Prevention - M1057
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
external_id | M1057 |
Process Discovery Mitigation - T1057
Identify unnecessary system utilities or potentially malicious software that may be used to acquire information about processes, and audit and/or block them by using whitelisting (Citation: Beechey 2010) tools, like AppLocker, (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) or Software Restriction Policies (Citation: Corio 2008) where appropriate. (Citation: TechNet Applocker vs SRP)
Internal MISP references
UUID f6469191-1814-4dbe-a081-2a6daf83a10b
which can be used as unique global reference for Process Discovery Mitigation - T1057
in MISP communities and other software using the MISP galaxy
External references
- http://blog.jpcert.or.jp/2016/01/windows-commands-abused-by-attackers.html - webarchive
- http://technet.microsoft.com/en-us/magazine/2008.06.srp.aspx - webarchive
- http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599 - webarchive
- https://apps.nsa.gov/iaarchive/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm - webarchive
- https://attack.mitre.org/mitigations/T1057 - webarchive
- https://technet.microsoft.com/en-us/library/ee791851.aspx - webarchive
Associated metadata
Metadata key | Value |
---|---|
external_id | T1057 |
Do Not Mitigate - M1059
This category groups techniques for which mitigation might increase the risk of compromise, so mitigation is not recommended.
Internal MISP references
UUID 76a32151-5233-465f-a607-7e576c62c932
which can be used as unique global reference for Do Not Mitigate - M1059
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
external_id | M1059 |
Account Discovery Mitigation - T1087
Prevent administrator accounts from being enumerated when an application is elevating through UAC, since it can lead to the disclosure of account names. The Registry value is located at HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CredUI\EnumerateAdministrators. It can be disabled through GPO: Computer Configuration > [Policies] > Administrative Templates > Windows Components > Credential User Interface: Enumerate administrator accounts on elevation. (Citation: UCF STIG Elevation Account Enumeration)
Identify unnecessary system utilities or potentially malicious software that may be used to acquire information about system and domain accounts, and audit and/or block them by using whitelisting (Citation: Beechey 2010) tools, like AppLocker, (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) or Software Restriction Policies (Citation: Corio 2008) where appropriate. (Citation: TechNet Applocker vs SRP)
Internal MISP references
UUID 5c49bc54-9929-48ca-b581-7018219b5a97
which can be used as unique global reference for Account Discovery Mitigation - T1087
in MISP communities and other software using the MISP galaxy
External references
- http://technet.microsoft.com/en-us/magazine/2008.06.srp.aspx - webarchive
- http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599 - webarchive
- https://apps.nsa.gov/iaarchive/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm - webarchive
- https://attack.mitre.org/mitigations/T1087 - webarchive
- https://blogs.jpcert.or.jp/en/2016/01/windows-commands-abused-by-attackers.html - webarchive
- https://technet.microsoft.com/en-us/library/ee791851.aspx - webarchive
- https://www.stigviewer.com/stig/microsoft_windows_server_2012_member_server/2013-07-25/finding/WN12-CC-000077 - webarchive
Associated metadata
Metadata key | Value |
---|---|
external_id | T1087 |
Valid Accounts Mitigation - T1078
Take measures to detect or prevent techniques such as OS Credential Dumping or installation of keyloggers to acquire credentials through Input Capture. Limit credential overlap across systems to prevent access if account credentials are obtained. Ensure that local administrator accounts have complex, unique passwords across all systems on the network. Do not put user or admin domain accounts in the local administrator groups across systems unless they are tightly controlled and use of accounts is segmented, as this is often equivalent to having a local administrator account with the same password on all systems.
Follow best practices for design and administration of an enterprise network to limit privileged account use across administrative tiers. (Citation: Microsoft Securing Privileged Access)
Audit domain and local accounts as well as their permission levels routinely to look for situations that could allow an adversary to gain wide access by obtaining credentials of a privileged account. (Citation: TechNet Credential Theft) (Citation: TechNet Least Privilege) These audits should also check whether default accounts have been enabled, and whether new local accounts have been created that have not been authorized.
Default user names and passwords on applications and appliances should be changed immediately after installation, and before deployment to a production environment. (Citation: US-CERT Alert TA13-175A Risks of Default Passwords on the Internet) Where possible, SSH keys used by applications should be rotated periodically and properly secured.
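The host-side part of the audit described above (who holds local administrator rights, whether built-in accounts are enabled, whether unexpected local accounts exist, and whether local administrator passwords are made unique) can be scripted. The following is an added example, not part of the ATT&CK/MISP text. It assumes the LocalAccounts module (Windows 10 / Server 2016 and later), treats a password set in the last 30 days as the proxy for "recently created", and checks for a LAPS policy under the two registry keys that Windows LAPS and legacy LAPS use; all three are assumptions to adjust.

```powershell
# Added example, not part of the ATT&CK/MISP text: a local audit for the account
# conditions called out above. Lists domain principals that hold local administrator
# rights, checks whether the built-in Administrator (RID 500) and Guest (RID 501)
# accounts are enabled (matched by RID, since they may have been renamed), flags
# local accounts with recent password changes as candidates for "newly created, not
# authorized", and checks for a LAPS policy, which is how local administrator
# passwords are made unique per host. Assumptions: $recentDays and the LAPS key list.

$recentDays = 30
$computer   = $env:COMPUTERNAME

function Get-LocalAdminReport {
    foreach ($m in Get-LocalGroupMember -Group 'Administrators') {
        $isLocalPrincipal = ($m.Name -like "$computer\*") -or ($m.Name -like 'NT AUTHORITY\*')
        $finding = ''
        if (-not $isLocalPrincipal) {
            if ($m.ObjectClass -eq 'User') { $finding = 'REVIEW: domain user with local admin rights' }
            else { $finding = 'REVIEW: confirm this domain group belongs in this admin tier' }
        }
        [pscustomobject]@{ Member = $m.Name; Class = $m.ObjectClass; Source = $m.PrincipalSource; Finding = $finding }
    }
}

function Get-LocalUserReport {
    $since = (Get-Date).AddDays(-$recentDays)
    foreach ($u in Get-LocalUser) {
        $rid = [int](($u.SID.Value -split '-')[-1])
        $finding = ''
        if ($rid -eq 500 -and $u.Enabled)     { $finding = 'REVIEW: built-in Administrator is enabled' }
        elseif ($rid -eq 501 -and $u.Enabled) { $finding = 'REVIEW: Guest is enabled' }
        elseif ($rid -ge 1000 -and $u.Enabled -and $u.PasswordLastSet -gt $since) {
            $finding = "REVIEW: password set within $recentDays days; confirm the account is authorized"
        }
        [pscustomobject]@{
            Name = $u.Name; RID = $rid; Enabled = $u.Enabled
            LastLogon = $u.LastLogon; PasswordLastSet = $u.PasswordLastSet; Finding = $finding
        }
    }
}

function Get-LapsState {
    # Assumption: Windows LAPS and legacy LAPS write their policy under these keys respectively
    foreach ($k in 'HKLM:\SOFTWARE\Microsoft\Policies\LAPS', 'HKLM:\SOFTWARE\Policies\Microsoft Services\AdmPwd') {
        if (Test-Path -Path $k) { return "LAPS policy present: $k" }
    }
    'FINDING: no LAPS policy found; local administrator password uniqueness is not enforced on this host'
}

Get-LocalAdminReport | Format-Table -AutoSize
Get-LocalUserReport  | Format-Table -AutoSize
Get-LapsState
```

Run it across a fleet (for example through your endpoint management tool) and diff the results: the same domain user appearing in the local Administrators group on many hosts is the "equivalent to one shared local administrator password" situation the text warns about.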
Internal MISP references
UUID d45f03a8-790a-4f90-b956-cd7e5b8886bf
which can be used as unique global reference for Valid Accounts Mitigation - T1078
in MISP communities and other software using the MISP galaxy
External references
- https://attack.mitre.org/mitigations/T1078 - webarchive
- https://docs.microsoft.com/en-us/windows-server/identity/securing-privileged-access/securing-privileged-access-reference-material#a-nameesaebmaesae-administrative-forest-design-approach - webarchive
- https://technet.microsoft.com/en-us/library/dn487450.aspx - webarchive
- https://technet.microsoft.com/en-us/library/dn535501.aspx - webarchive
- https://www.us-cert.gov/ncas/alerts/TA13-175A - webarchive
Associated metadata
Metadata key | Value |
---|---|
external_id | T1078 |
Multilayer Encryption Mitigation - T1079
Network intrusion detection and prevention systems that use network signatures to identify traffic for specific adversary malware can be used to mitigate activity at the network level. Use of encryption protocols may make typical network-based C2 detection more difficult due to a reduced ability to signature the traffic. Prior knowledge of adversary C2 infrastructure may be useful for domain and IP address blocking, but will likely not be an effective long-term solution because adversaries can change infrastructure often. (Citation: University of Birmingham C2)
Internal MISP references
UUID 24478001-2eb3-4b06-a02e-96b3d61d27ec
which can be used as unique global reference for Multilayer Encryption Mitigation - T1079
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
external_id | T1079 |
Modify Registry Mitigation - T1112
Misconfiguration of permissions in the Registry may lead to opportunities for an adversary to execute code, like through Service Registry Permissions Weakness. Ensure proper permissions are set for Registry hives to prevent users from modifying keys for system components that may lead to privilege escalation.
Identify and block unnecessary system utilities or potentially malicious software that may be used to modify the Registry by using whitelisting (Citation: Beechey 2010) tools like AppLocker (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) or Software Restriction Policies (Citation: Corio 2008) where appropriate. (Citation: TechNet Applocker vs SRP)
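The permission weakness mentioned in the first paragraph can be enumerated directly. The following is an added example, not part of the ATT&CK/MISP text; it walks the service keys and reports any that a low-privilege identity can write to. The set of identities treated as low privilege is an assumption.

```powershell
# Added example, not part of the ATT&CK/MISP text: find service registry keys that
# non-administrators can write to, which is the "Service Registry Permissions
# Weakness" referred to above. A low-privileged user who can set ImagePath on a key
# under Services redirects that service to a binary of their choosing the next time
# it starts. Run elevated. Treat the output as a review list, not an auto-fix list.

$servicesKey = 'HKLM:\SYSTEM\CurrentControlSet\Services'
# Assumption: these identities represent "any local user"
$lowPriv = 'BUILTIN\Users', 'Everyone', 'NT AUTHORITY\Authenticated Users', 'NT AUTHORITY\INTERACTIVE'
# Only genuine write bits. WriteKey/FullControl masks include read bits and would match every ReadKey ACE.
$writeBits = [int][System.Security.AccessControl.RegistryRights]'SetValue, CreateSubKey, ChangePermissions, TakeOwnership'

function Get-WeakServiceKey {
    foreach ($key in Get-ChildItem -Path $servicesKey -ErrorAction SilentlyContinue) {
        try { $acl = Get-Acl -Path $key.PSPath -ErrorAction Stop } catch { continue }
        $grants = foreach ($ace in $acl.Access) {
            if ($ace.AccessControlType -ne 'Allow') { continue }
            if ($lowPriv -notcontains $ace.IdentityReference.Value) { continue }
            if (([int]$ace.RegistryRights -band $writeBits) -ne 0) { "$($ace.IdentityReference.Value): $($ace.RegistryRights)" }
        }
        if (-not $grants) { continue }
        $p = Get-ItemProperty -Path $key.PSPath -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Service   = $key.PSChildName
            StartType = $p.Start        # 2 = automatic, 3 = manual, 4 = disabled
            ImagePath = $p.ImagePath
            Grants    = ($grants -join '; ')
        }
    }
}

Get-WeakServiceKey | Format-Table -AutoSize -Wrap
```

An automatic-start service whose key grants SetValue to BUILTIN\Users is a privilege escalation path: the user rewrites ImagePath and waits for the next boot. Tighten the ACL with Set-Acl (or reinstall the product with a corrected installer) and confirm the service's ImagePath still points at the expected signed binary.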
Internal MISP references
UUID ed202147-4026-4330-b5bd-1e8dfa8cf7cc
which can be used as unique global reference for Modify Registry Mitigation - T1112
in MISP communities and other software using the MISP galaxy
External references
- http://blog.jpcert.or.jp/2016/01/windows-commands-abused-by-attackers.html - webarchive
- http://technet.microsoft.com/en-us/magazine/2008.06.srp.aspx - webarchive
- http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599 - webarchive
- https://apps.nsa.gov/iaarchive/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm - webarchive
- https://attack.mitre.org/mitigations/T1112 - webarchive
- https://technet.microsoft.com/en-us/library/ee791851.aspx - webarchive
Associated metadata
Metadata key | Value |
---|---|
external_id | T1112 |
Authentication Package Mitigation - T1131
Windows 8.1, Windows Server 2012 R2, and later versions may make LSA run as a Protected Process Light (PPL) by setting the Registry key HKLM\SYSTEM\CurrentControlSet\Control\Lsa\RunAsPPL, which requires all DLLs loaded by LSA to be signed by Microsoft. (Citation: Graeber 2014) (Citation: Microsoft Configure LSA)
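Setting RunAsPPL is only half of the control; it takes effect at the next boot, and an unsigned package that was already registered will simply fail to load, so it is worth confirming the effective state and reviewing what LSA is configured to load. The following is an added example, not part of the ATT&CK/MISP text. The "known package" list is an assumption drawn from a stock client build and should be replaced with your own baseline.

```powershell
# Added example, not part of the ATT&CK/MISP text: check whether LSA runs as a
# protected process on this host, confirm it from the boot-time event rather than
# the registry alone (the value only takes effect after a reboot), look for
# audit-mode events that name unsigned LSA plugins, and list the packages LSA is
# configured to load so that additions can be spotted. Run elevated.

$lsaKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$lsa    = Get-ItemProperty -Path $lsaKey
$ifeo   = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\LSASS.exe'

# 1. Configured state. 1 = enabled (UEFI-locked on Secure Boot hosts), 2 = enabled without UEFI lock.
if ($null -eq $lsa.RunAsPPL) { 'RunAsPPL: not configured - LSA protection is OFF' }
elseif ($lsa.RunAsPPL -eq 0) { 'RunAsPPL: 0 - LSA protection is OFF' }
else { "RunAsPPL: $($lsa.RunAsPPL) - configured (effective after reboot)" }

# 2. Effective state: Wininit logs System event 12 at boot when lsass.exe started protected.
$evt = Get-WinEvent -FilterHashtable @{ LogName = 'System'; ProviderName = 'Microsoft-Windows-Wininit'; Id = 12 } -MaxEvents 1 -ErrorAction SilentlyContinue
if ($evt -and $evt.Message -match 'protected process') { "Effective: $($evt.Message.Trim())" }
else { 'Effective: no Wininit event 12 in the System log - lsass is NOT running protected (or the log rolled over)' }

# 3. Before enforcing, AuditLevel = 8 under the LSASS.exe IFEO key makes Windows log plugins that
#    would be blocked (CodeIntegrity events 3065/3066) without blocking them.
$audit = (Get-ItemProperty -Path $ifeo -Name AuditLevel -ErrorAction SilentlyContinue).AuditLevel
"AuditLevel: $(if ($null -eq $audit) { 'not set' } else { $audit })"
Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-CodeIntegrity/Operational'; Id = 3065, 3066 } -MaxEvents 10 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, @{ n = 'Plugin'; e = { ($_.Message -split "`r?`n")[0] } }

# 4. Packages LSA is told to load. With PPL on, non-Microsoft-signed ones fail to load;
#    with PPL off, a rogue entry here is a persistence and credential-theft foothold.
#    Assumption: this is the stock package set; replace it with your own baseline.
$known = 'msv1_0', 'kerberos', 'schannel', 'wdigest', 'tspkg', 'pku2u', 'cloudap', 'negoexts'
$osconfig   = Get-ItemProperty -Path "$lsaKey\OSConfig" -ErrorAction SilentlyContinue
$configured = (@($lsa.'Authentication Packages') + @($lsa.'Security Packages') + @($osconfig.'Security Packages')) |
    Where-Object { $_ } | Select-Object -Unique
foreach ($pkg in $configured) {
    $status = if ($known -contains $pkg.ToLower()) { 'known' } else { 'REVIEW: not a stock package' }
    [pscustomobject]@{ Package = $pkg; Status = $status }
}
```

Run the audit-mode step on a representative set of hosts first: a third-party credential provider or SSO agent that registers an unsigned LSA plugin will stop working the moment PPL is enforced, and event 3065/3066 tells you that before it happens.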
Internal MISP references
UUID 943d370b-2054-44df-8be2-ab4139bde1c5
which can be used as unique global reference for Authentication Package Mitigation - T1131
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
external_id | T1131 |
Screen Capture Mitigation - T1113
Blocking software based on screen capture functionality may be difficult, and there may be legitimate software that performs those actions. Instead, identify potentially malicious software that may have functionality to acquire screen captures, and audit and/or block it by using whitelisting (Citation: Beechey 2010) tools, like AppLocker, (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) or Software Restriction Policies (Citation: Corio 2008) where appropriate. (Citation: TechNet Applocker vs SRP)
Internal MISP references
UUID 51b37302-b844-4c08-ac98-ae6955ed1f55
which can be used as unique global reference for Screen Capture Mitigation - T1113
in MISP communities and other software using the MISP galaxy
External references
- http://blog.jpcert.or.jp/2016/01/windows-commands-abused-by-attackers.html - webarchive
- http://technet.microsoft.com/en-us/magazine/2008.06.srp.aspx - webarchive
- http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599 - webarchive
- https://apps.nsa.gov/iaarchive/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm - webarchive
- https://attack.mitre.org/mitigations/T1113 - webarchive
- https://technet.microsoft.com/en-us/library/ee791851.aspx - webarchive
Associated metadata
Metadata key | Value |
---|---|
external_id | T1113 |
Email Collection Mitigation - T1114
Use of encryption provides an added layer of security to sensitive information sent over email. With public key cryptography, an adversary who obtains the messages still needs the recipient's private key in order to decrypt them.
Use of two-factor authentication for public-facing webmail servers is also a recommended best practice to minimize the usefulness of user names and passwords to adversaries.
Identify unnecessary system utilities or potentially malicious software that may be used to collect email data files or access the corporate email server, and audit and/or block them by using whitelisting (Citation: Beechey 2010) tools, like AppLocker, (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) or Software Restriction Policies (Citation: Corio 2008) where appropriate. (Citation: TechNet Applocker vs SRP)
Internal MISP references
UUID 383caaa3-c46a-4f61-b2e3-653eb132f0e7
which can be used as unique global reference for Email Collection Mitigation - T1114
in MISP communities and other software using the MISP galaxy
External references
- http://technet.microsoft.com/en-us/magazine/2008.06.srp.aspx - webarchive
- http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599 - webarchive
- https://apps.nsa.gov/iaarchive/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm - webarchive
- https://attack.mitre.org/mitigations/T1114 - webarchive
- https://blogs.jpcert.or.jp/en/2016/01/windows-commands-abused-by-attackers.html - webarchive
- https://technet.microsoft.com/en-us/library/ee791851.aspx - webarchive
Associated metadata
Metadata key | Value |
---|---|
external_id | T1114 |
Input Prompt Mitigation - T1141
This technique exploits users' tendencies to always supply credentials when prompted, which makes it very difficult to mitigate. Use user training as a way to bring awareness and raise suspicion for potentially malicious events (ex: Office documents prompting for credentials).
Internal MISP references
UUID 8a61f6b9-6b7a-4cf2-8e08-f1e26434f6df
which can be used as unique global reference for Input Prompt Mitigation - T1141
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
external_id | T1141 |
Clipboard Data Mitigation - T1115
Instead of blocking software based on clipboard capture behavior, identify potentially malicious software that may contain this functionality, and audit and/or block it by using whitelisting (Citation: Beechey 2010) tools, like AppLocker, (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) or Software Restriction Policies (Citation: Corio 2008) where appropriate. (Citation: TechNet Applocker vs SRP)
Internal MISP references
UUID 19edfa02-1a5f-47e4-ad82-3288f57f64cf
which can be used as unique global reference for Clipboard Data Mitigation - T1115
in MISP communities and other software using the MISP galaxy
External references
- http://technet.microsoft.com/en-us/magazine/2008.06.srp.aspx - webarchive
- http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599 - webarchive
- https://apps.nsa.gov/iaarchive/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm - webarchive
- https://attack.mitre.org/mitigations/T1115 - webarchive
- https://blogs.jpcert.or.jp/en/2016/01/windows-commands-abused-by-attackers.html - webarchive
- https://technet.microsoft.com/en-us/library/ee791851.aspx - webarchive
Associated metadata
Metadata key | Value |
---|---|
external_id | T1115 |
LC_LOAD_DYLIB Addition Mitigation - T1161
Enforce that all binaries be signed by the correct Apple Developer IDs, and whitelist applications via known hashes. Binaries can also be baselined for what dynamic libraries they require, and if an app requires a new dynamic library that wasn’t included as part of an update, it should be investigated.
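Baselining the dynamic libraries a binary asks for, as the paragraph suggests, comes down to reading the LC_LOAD_DYLIB (and LC_LOAD_WEAK_DYLIB / LC_REEXPORT_DYLIB) load commands out of the Mach-O header and diffing them against a stored baseline. The following Python is an added example, not code from this page or from Apple: it parses thin little-endian 64-bit images only (fat/universal binaries and 32-bit images need an extra layer), and the Mach-O it builds to demonstrate on, the BASELINE dictionary and the /Applications/Demo.app path are all constructed for the example.

```python
import struct

# Constants from <mach-o/loader.h>
MH_MAGIC_64 = 0xFEEDFACF
LC_LOAD_DYLIB = 0x0C
LC_LOAD_WEAK_DYLIB = 0x80000018
LC_REEXPORT_DYLIB = 0x8000001F
DYLIB_LOAD_CMDS = {LC_LOAD_DYLIB, LC_LOAD_WEAK_DYLIB, LC_REEXPORT_DYLIB}
HEADER_SIZE = 32  # sizeof(struct mach_header_64)


def list_dylibs(image: bytes) -> list:
    """Return the install names of every dylib a thin 64-bit Mach-O image asks dyld to load."""
    if len(image) < HEADER_SIZE:
        raise ValueError("too short to be a Mach-O image")
    magic, _cpu, _sub, _ftype, ncmds, sizeofcmds, _flags, _rsv = struct.unpack_from("<8I", image, 0)
    if magic != MH_MAGIC_64:
        raise ValueError("only little-endian 64-bit images are handled (fat/32-bit need extra parsing)")
    end = HEADER_SIZE + sizeofcmds
    if end > len(image):
        raise ValueError("sizeofcmds runs past end of file")
    names, off = [], HEADER_SIZE
    for _ in range(ncmds):
        cmd, cmdsize = struct.unpack_from("<2I", image, off)
        if cmdsize < 8 or off + cmdsize > end:
            raise ValueError("malformed load command")  # untrusted input: never trust cmdsize blindly
        if cmd in DYLIB_LOAD_CMDS:
            # struct dylib_command: cmd, cmdsize, then struct dylib {name.offset, timestamp,
            # current_version, compatibility_version}; name.offset is relative to the command start.
            name_off = struct.unpack_from("<I", image, off + 8)[0]
            if name_off >= cmdsize:
                raise ValueError("dylib name offset outside its command")
            raw = image[off + name_off: off + cmdsize]
            names.append(raw.split(b"\0", 1)[0].decode("utf-8", "replace"))
        off += cmdsize
    return names


def unexpected_dylibs(baseline: dict, app: str, image: bytes) -> set:
    """Dylibs the image now requests that the stored baseline for `app` does not list."""
    return set(list_dylibs(image)) - set(baseline.get(app, ()))


# --- constructed fixture: build a minimal Mach-O carrying the given LC_LOAD_DYLIB commands ---
def _dylib_command(name: str, cmd: int = LC_LOAD_DYLIB) -> bytes:
    body = name.encode() + b"\0"
    body += b"\0" * (-len(body) % 8)          # load commands are padded to 8-byte alignment
    cmdsize = 24 + len(body)                   # six uint32 fields precede the name string
    return struct.pack("<6I", cmd, cmdsize, 24, 2, 0x10000, 0x10000) + body


def build_macho(dylibs) -> bytes:
    cmds = b"".join(_dylib_command(n) for n in dylibs)
    # cputype 0x0100000C = CPU_TYPE_ARM64, filetype 2 = MH_EXECUTE
    header = struct.pack("<8I", MH_MAGIC_64, 0x0100000C, 0, 2, len(dylibs), len(cmds), 0, 0)
    return header + cmds


BASELINE = {  # assumed: captured from a known-good install of a hypothetical app
    "/Applications/Demo.app/Contents/MacOS/Demo": [
        "/usr/lib/libSystem.B.dylib",
        "/System/Library/Frameworks/Foundation.framework/Versions/C/Foundation",
    ],
}

if __name__ == "__main__":
    app = "/Applications/Demo.app/Contents/MacOS/Demo"
    tampered = build_macho(BASELINE[app] + ["/Library/Caches/.update/libhook.dylib"])
    print(unexpected_dylibs(BASELINE, app, tampered))
```

To run it against real binaries, read the file bytes instead of calling build_macho; for universal binaries, split the fat header first and parse each slice. The constructed image has no segments or entry point, so dyld would reject it, but the load-command walk is the same one that applies to a real executable.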
Internal MISP references
UUID 77fd4d73-6b79-4593-82e7-e4a439cc7604
which can be used as unique global reference for LC_LOAD_DYLIB Addition Mitigation - T1161
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
external_id | T1161 |
Code Signing Mitigation - T1116
Process whitelisting and trusted publishers to verify authenticity of software can help prevent signed malicious or untrusted code from executing on a system. (Citation: NSA MS AppLocker) (Citation: TechNet Trusted Publishers) (Citation: Securelist Digital Certificates)
Internal MISP references
UUID 82fbc58b-171d-4a2d-9a20-c6b2a716bd08
which can be used as unique global reference for Code Signing Mitigation - T1116
in MISP communities and other software using the MISP galaxy
External references
- https://apps.nsa.gov/iaarchive/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm - webarchive
- https://attack.mitre.org/mitigations/T1116 - webarchive
- https://securelist.com/why-you-shouldnt-completely-trust-files-signed-with-digital-certificates/68593/ - webarchive
- https://technet.microsoft.com/en-us/library/cc733026.aspx - webarchive
Associated metadata
Metadata key | Value |
---|---|
external_id | T1116 |
Automated Collection Mitigation - T1119
Encryption and off-system storage of sensitive information may be one way to mitigate collection of files, but may not stop an adversary from acquiring the information if an intrusion persists over a long period of time and the adversary is able to discover and access the data through other means. A keylogger installed on a system may be able to intercept passwords through Input Capture and be used to decrypt protected documents that an adversary may have collected. Strong passwords should be used to prevent offline cracking of encrypted documents through Brute Force techniques.
Identify unnecessary system utilities, third-party tools, or potentially malicious software that may be used to collect files and audit and/or block them by using whitelisting (Citation: Beechey 2010) tools, like AppLocker, (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) or Software Restriction Policies (Citation: Corio 2008) where appropriate. (Citation: TechNet Applocker vs SRP)
Internal MISP references
UUID 8bd1ae32-a686-48f4-a6f8-470287f76152
which can be used as unique global reference for Automated Collection Mitigation - T1119
in MISP communities and other software using the MISP galaxy
External references
- http://technet.microsoft.com/en-us/magazine/2008.06.srp.aspx - webarchive
- http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599 - webarchive
- https://apps.nsa.gov/iaarchive/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm - webarchive
- https://attack.mitre.org/mitigations/T1119 - webarchive
- https://blogs.jpcert.or.jp/en/2016/01/windows-commands-abused-by-attackers.html - webarchive
- https://technet.microsoft.com/en-us/library/ee791851.aspx - webarchive
Associated metadata
Metadata key | Value |
---|---|
external_id | T1119 |
Template Injection Mitigation - T1221
Consider disabling Microsoft Office macros/active content to prevent the execution of malicious payloads in documents (Citation: Microsoft Disable Macros), though this setting may not mitigate the Forced Authentication use for this technique.
Because this technique involves user interaction on the endpoint, it's difficult to fully mitigate. However, there are potential mitigations including training users to identify social engineering techniques and spearphishing emails. Network/Host intrusion prevention systems, antivirus, and detonation chambers can be employed to prevent documents from fetching and/or executing malicious payloads. (Citation: Anomali Template Injection MAR 2018)
Internal MISP references
UUID c7e49501-6021-414f-bfa1-94519d8ec314
which can be used as unique global reference for Template Injection Mitigation - T1221
in MISP communities and other software using the MISP galaxy
External references
- https://attack.mitre.org/mitigations/T1221 - webarchive
- https://forum.anomali.com/t/credential-harvesting-and-malicious-file-delivery-using-microsoft-office-template-injection/2104 - webarchive
- https://support.office.com/article/enable-or-disable-macros-in-office-files-12b036fd-d140-4e74-b45e-16fed1a7e5c6 - webarchive
Associated metadata
Metadata key | Value |
---|---|
external_id | T1221 |
Audio Capture Mitigation - T1123
Mitigating this technique specifically may be difficult as it requires fine-grained API control. Efforts should be focused on preventing unwanted or unknown code from executing on a system.
Identify and block potentially malicious software that may be used to record audio by using whitelisting (Citation: Beechey 2010) tools, like AppLocker, (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) or Software Restriction Policies (Citation: Corio 2008) where appropriate. (Citation: TechNet Applocker vs SRP)
Internal MISP references
UUID 16dd03c6-0dfb-4d77-89cd-9ff3ee6e533d
which can be used as unique global reference for Audio Capture Mitigation - T1123
in MISP communities and other software using the MISP galaxy
External references
- http://blog.jpcert.or.jp/2016/01/windows-commands-abused-by-attackers.html - webarchive
- http://technet.microsoft.com/en-us/magazine/2008.06.srp.aspx - webarchive
- http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599 - webarchive
- https://apps.nsa.gov/iaarchive/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm - webarchive
- https://attack.mitre.org/mitigations/T1123 - webarchive
- https://technet.microsoft.com/en-us/library/ee791851.aspx - webarchive
Associated metadata
Metadata key | Value |
---|---|
external_id | T1123 |
Data Encoding Mitigation - T1132
Network intrusion detection and prevention systems that use network signatures to identify traffic for specific adversary malware can be used to mitigate activity at the network level. Signatures are often for unique indicators within protocols and may be based on the specific obfuscation technique used by a particular adversary or tool, and will likely be different across various malware families and versions. Adversaries will likely change tool C2 signatures over time or construct protocols in such a way as to avoid detection by common defensive tools. (Citation: University of Birmingham C2)
Internal MISP references
UUID fcbe8424-eb3e-4794-b76d-e743f5a49b8b
which can be used as unique global reference for Data Encoding Mitigation - T1132
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
external_id | T1132 |
Video Capture Mitigation - T1125
Mitigating this technique specifically may be difficult as it requires fine-grained API control. Efforts should be focused on preventing unwanted or unknown code from executing on a system.
Identify and block potentially malicious software that may be used to capture video and images by using whitelisting (Citation: Beechey 2010) tools, like AppLocker, (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) or Software Restriction Policies (Citation: Corio 2008) where appropriate. (Citation: TechNet Applocker vs SRP)
Internal MISP references
UUID d9f4b5fa-2a39-4bdf-b40a-ea998933cd6d
which can be used as unique global reference for Video Capture Mitigation - T1125
in MISP communities and other software using the MISP galaxy
External references
- http://technet.microsoft.com/en-us/magazine/2008.06.srp.aspx - webarchive
- http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599 - webarchive
- https://apps.nsa.gov/iaarchive/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm - webarchive
- https://attack.mitre.org/mitigations/T1125 - webarchive
- https://blogs.jpcert.or.jp/en/2016/01/windows-commands-abused-by-attackers.html - webarchive
- https://technet.microsoft.com/en-us/library/ee791851.aspx - webarchive
Associated metadata
Metadata key | Value |
---|---|
external_id | T1125 |
Login Item Mitigation - T1162
Restrict users from being able to create their own login items. Additionally, holding the shift key during login prevents apps from opening automatically (Citation: Re-Open windows on Mac).
Internal MISP references
UUID 06824aa2-94a5-474c-97f6-57c2e983d885
which can be used as unique global reference for Login Item Mitigation - T1162
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
external_id | T1162 |
Domain Fronting Mitigation - T1172
If it is possible to inspect HTTPS traffic, the captures can be analyzed for connections that appear to be Domain Fronting, for example a TLS SNI value that does not match the HTTP Host header sent inside the same connection.
In order to use domain fronting, attackers will likely need to deploy additional tools to compromised systems. (Citation: FireEye APT29 Domain Fronting With TOR March 2017) (Citation: Mandiant No Easy Breach) It may be possible to detect or prevent the installation of these tools with Host-based solutions.
Internal MISP references
UUID 62ae52c9-7197-4f5b-be1d-10d2e1df2c96
which can be used as unique global reference for Domain Fronting Mitigation - T1172
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
external_id | T1172 |
AppCert DLLs Mitigation - T1182
Identify and block potentially malicious software that may be executed through AppCert DLLs by using whitelisting (Citation: Beechey 2010) tools, like AppLocker, (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) that are capable of auditing and/or blocking unknown DLLs.
Internal MISP references
UUID 95c29444-49f9-49f7-8b20-bcd68d8fcaa6
which can be used as unique global reference for AppCert DLLs Mitigation - T1182
in MISP communities and other software using the MISP galaxy
External references
- http://blog.jpcert.or.jp/2016/01/windows-commands-abused-by-attackers.html - webarchive
- http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599 - webarchive
- https://apps.nsa.gov/iaarchive/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm - webarchive
- https://attack.mitre.org/mitigations/T1182 - webarchive
Associated metadata
Metadata key | Value |
---|---|
external_id | T1182 |
Spearphishing Link Mitigation - T1192
Because this technique involves user interaction on the endpoint, it's difficult to fully mitigate. However, there are potential mitigations. Users can be trained to identify social engineering techniques and spearphishing emails with malicious links. Determine if certain websites that can be used for spearphishing are necessary for business operations and consider blocking access if activity cannot be monitored well or if it poses a significant risk. Other mitigations can take place as User Execution occurs.
Internal MISP references
UUID ad7f983d-d5a8-4fce-a38c-b68eda61bf4e
which can be used as unique global reference for Spearphishing Link Mitigation - T1192
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
external_id | T1192 |
Hidden Window Mitigation - T1143
Whitelist programs that are allowed to have this plist tag. All other programs should be considered suspicious.
Internal MISP references
UUID fae44eea-caa7-42b7-a2e2-0c815ba81b9a
which can be used as unique global reference for Hidden Window Mitigation - T1143
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
external_id | T1143 |
Create Account Mitigation - T1136
Use and enforce multifactor authentication. Follow guidelines to prevent or limit adversary access to Valid Accounts that may be used to create privileged accounts within an environment.
Adversaries that create local accounts on systems may have limited access within a network if access levels are properly locked down. These accounts may only be needed for persistence on individual systems and their usefulness depends on the utility of the system they reside on.
Protect domain controllers by ensuring proper security configuration for critical servers. Configure access controls and firewalls to limit access to these systems. Do not allow domain administrator accounts to be used for day-to-day operations that may expose them to potential adversaries on unprivileged systems.
Internal MISP references
UUID 9a5b7194-88e0-4579-b82f-e3c27b8cca80
which can be used as unique global reference for Create Account Mitigation - T1136
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
external_id | T1136 |
Application Shimming Mitigation - T1138
There currently aren't a lot of ways to mitigate application shimming. Disabling the Shim Engine isn't recommended because Windows depends on shimming for interoperability and software may become unstable or not work. Microsoft released an optional patch update - KB3045645 - that removes the "auto-elevate" flag within sdbinst.exe. This prevents use of application shimming to bypass UAC.
Changing UAC settings to "Always Notify" will give the user more visibility when UAC elevation is requested, however, this option will not be popular among users due to the constant UAC interruptions.
Internal MISP references
UUID cfc2d2fc-14ff-495f-bd99-585be47b804f
which can be used as unique global reference for Application Shimming Mitigation - T1138
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
external_id | T1138 |
Spearphishing Attachment Mitigation - T1193
Network intrusion prevention systems and systems designed to scan and remove malicious email attachments can be used to block activity. Solutions can be signature and behavior based, but adversaries may construct attachments in a way to avoid these systems.
Block by default attachment types that should never be transmitted over email, such as .scr, .exe, .pif, .cpl, etc., to close off some vectors. Some email scanning devices can open and analyze compressed and encrypted formats, such as zip and rar, that may be used to conceal malicious attachments in Obfuscated Files or Information.
Because this technique involves user interaction on the endpoint, it's difficult to fully mitigate. However, there are potential mitigations. Users can be trained to identify social engineering techniques and spearphishing emails. To prevent the attachments from executing, application whitelisting can be used. Anti-virus can also automatically quarantine suspicious files.
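A worked version of the attachment filtering described above, added here as an example rather than taken from the page: it blocks the extensions the paragraph names (plus a few more, listed as an assumption), catches double extensions such as invoice.pdf.exe, looks inside zip archives, and refuses to trust what it cannot inspect (encrypted entries, corrupt archives, over-deep nesting, oversized entries). The zips it scans are built in memory for the demonstration.

```python
import io
import posixpath
import zipfile

# Extensions the page names (.scr, .exe, .pif, .cpl) plus a few more executable types
# added here as an assumption; tune the set to your own policy.
BLOCKED_EXTENSIONS = {".scr", ".exe", ".pif", ".cpl", ".com", ".bat", ".cmd", ".js", ".vbs", ".hta"}
ARCHIVE_EXTENSIONS = {".zip"}        # rar and others need a third-party reader; not handled here
MAX_NESTING = 3                       # refuse archives nested deeper than this
MAX_ENTRY_BYTES = 50 * 1024 * 1024    # refuse to inflate anything larger (decompression-bomb guard)


def _extension(name: str) -> str:
    return posixpath.splitext(name.lower())[1]


def check_attachment(filename: str, data: bytes, depth: int = 0) -> list:
    """Return the reasons this attachment should be blocked; an empty list means allow."""
    reasons = []
    ext = _extension(filename)
    if ext in BLOCKED_EXTENSIONS:          # the last suffix wins, so invoice.pdf.exe is caught
        reasons.append(f"blocked extension {ext}: {filename}")
    if ext in ARCHIVE_EXTENSIONS:
        if depth >= MAX_NESTING:
            return reasons + [f"archive nested too deeply: {filename}"]
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                for info in zf.infolist():
                    if info.is_dir():
                        continue
                    inner = f"{filename}/{info.filename}"
                    if info.flag_bits & 0x1:   # encrypted entry: cannot be inspected, so do not trust it
                        reasons.append(f"encrypted archive entry cannot be scanned: {inner}")
                        continue
                    if info.file_size > MAX_ENTRY_BYTES:
                        reasons.append(f"archive entry too large to inflate safely: {inner}")
                        continue
                    reasons += check_attachment(inner, zf.read(info), depth + 1)
        except zipfile.BadZipFile:
            reasons.append(f"unreadable archive (corrupt or not really a zip): {filename}")
    return reasons


def make_zip(entries: dict) -> bytes:
    """Constructed fixture: build an in-memory zip from {name: bytes}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return buf.getvalue()


if __name__ == "__main__":
    nested = make_zip({"photos/IMG_0001.jpg.scr": b"MZ\x90\x00"})
    outer = make_zip({"README.txt": b"see inside", "archive.zip": nested})
    for reason in check_attachment("holiday.zip", outer):
        print(reason)
```

The decision to block encrypted entries rather than pass them through is the important one: a password-protected zip is exactly how a malicious attachment evades a scanner, so anything the filter cannot open should be quarantined for manual review rather than delivered.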
Internal MISP references
UUID 8f6b5ca6-263a-4ea9-98f3-afd2a3cd8119
which can be used as unique global reference for Spearphishing Attachment Mitigation - T1193
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
external_id | T1193 |
Bash History Mitigation - T1139
There are multiple methods of preventing a user's command history from being flushed to their .bash_history file, including use of the following commands:
- set +o history (and set -o history to start logging again);
- unset HISTFILE added to a user's .bashrc file; and
- ln -s /dev/null ~/.bash_history to write commands to /dev/null instead.
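The tricks listed above leave persistent traces that a defender can audit for: a .bash_history that is a symlink to /dev/null, or an rc file that unsets HISTFILE, zeroes HISTSIZE or turns history off. The following Python audit is an added example, not the page's own code; an interactive set +o history leaves nothing on disk, so it only catches the persistent variants, and the home directory it inspects is a throwaway one it constructs itself.

```python
import os
import re
import tempfile

RC_FILES = (".bashrc", ".bash_profile", ".profile", ".bash_login")

# Persistent, file-visible ways of suppressing history. An interactive `set +o history`
# leaves no trace on disk and can only be caught at the shell or auditd level.
INDICATORS = {
    "histfile_unset": re.compile(r"^\s*unset\s+HISTFILE\b", re.M),
    "history_off": re.compile(r"^\s*set\s+\+o\s+history\b", re.M),
    "histfile_devnull": re.compile(r"^\s*(export\s+)?HISTFILE=/dev/null\b", re.M),
    "histsize_zero": re.compile(r"^\s*(export\s+)?HIST(FILE)?SIZE=0\b", re.M),
}


def audit_home(home: str) -> dict:
    """Map indicator name -> location for every history-suppression trick found under `home`."""
    findings = {}
    hist = os.path.join(home, ".bash_history")
    if os.path.islink(hist):
        target = os.readlink(hist)
        if target == "/dev/null":
            findings["history_symlink_devnull"] = hist
        else:
            findings["history_symlink_other"] = f"{hist} -> {target}"
    for rc in RC_FILES:
        path = os.path.join(home, rc)
        if not os.path.isfile(path):
            continue
        with open(path, encoding="utf-8", errors="replace") as fh:
            text = fh.read()
        for name, pattern in INDICATORS.items():
            if pattern.search(text):
                findings[name] = path
    return findings


def audit_all(root: str = "/home") -> dict:
    """Run audit_home over every directory under `root` and keep only the homes with findings."""
    results = {}
    if os.path.isdir(root):
        for entry in os.scandir(root):
            if entry.is_dir(follow_symlinks=False):
                found = audit_home(entry.path)
                if found:
                    results[entry.name] = found
    return results


def make_demo_home() -> str:
    """Constructed fixture: a throwaway home directory showing each trick the page lists."""
    home = tempfile.mkdtemp(prefix="histaudit-")
    with open(os.path.join(home, ".bashrc"), "w") as fh:
        fh.write("# normal stuff\nalias ll='ls -l'\nunset HISTFILE\n")
    with open(os.path.join(home, ".profile"), "w") as fh:
        fh.write("export HISTSIZE=0\n")
    os.symlink("/dev/null", os.path.join(home, ".bash_history"))
    return home


if __name__ == "__main__":
    for name, where in sorted(audit_home(make_demo_home()).items()):
        print(f"{name:28} {where}")
```

Run audit_all() as root to sweep /home; system-wide files such as /etc/bash.bashrc and /etc/profile.d are worth the same regexes, since an adversary with root can suppress history for every user at once.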
Internal MISP references
UUID ace4daee-f914-4707-be75-843f16da2edf
which can be used as unique global reference for Bash History Mitigation - T1139
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
external_id | T1139 |
Gatekeeper Bypass Mitigation - T1144
Other tools should be used to supplement Gatekeeper's functionality. Additionally, system settings can prevent applications from running that haven't been downloaded through the App Store, which can help mitigate some of these issues.
Internal MISP references
UUID 1a7f5bd3-f6ee-4bd7-b949-2f3632ad6158
which can be used as unique global reference for Gatekeeper Bypass Mitigation - T1144
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
external_id | T1144 |
Private Keys Mitigation - T1145
Use strong passphrases for private keys to make cracking difficult. When possible, store keys on separate cryptographic hardware instead of on the local system. Ensure only authorized keys are allowed access to critical resources and audit access lists regularly. Ensure permissions are properly set on folders containing sensitive private keys to prevent unintended access. Use separate infrastructure for managing critical systems to prevent overlap of credentials and permissions on systems that could be used as vectors for lateral movement. Follow other best practices for mitigating access through use of Valid Accounts.
Internal MISP references
UUID f27ef4f2-71fe-48b6-b7f4-02dcac14320e
which can be used as unique global reference for Private Keys Mitigation - T1145
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
external_id | T1145 |
Hidden Users Mitigation - T1147
If the computer is domain joined, then group policy can help restrict the ability to create or hide users. Similarly, preventing the modification of the Hide500Users value in /Library/Preferences/com.apple.loginwindow will force all users to be visible.
Internal MISP references
UUID 12cba7de-0a22-4a56-b51e-c514c67c3b43
which can be used as unique global reference for Hidden Users Mitigation - T1147
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
external_id | T1147 |
SSH Hijacking Mitigation - T1184
Ensure SSH private keys are protected with strong passphrases and refrain from using key-store technologies such as ssh-agent unless they are properly protected. Ensure that all private keys are stored securely in locations that only the legitimate owner can access, and rotate them frequently. Ensure proper file permissions are set and harden the system to prevent root privilege escalation opportunities. Do not allow remote access via SSH as root or other privileged accounts. Ensure that agent forwarding is disabled on systems that do not explicitly require this feature to prevent misuse. (Citation: Symantec SSH and ssh-agent)
Internal MISP references
UUID 41cff8e9-fd05-408e-b3d5-d98c54c20bcf
which can be used as unique global reference for SSH Hijacking Mitigation - T1184
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
external_id | T1184 |
LC_MAIN Hijacking Mitigation - T1149
Enforce valid digital signatures for signed code on all applications and only trust applications with signatures from trusted parties.
Internal MISP references
UUID 6e7db820-9735-4545-bc64-039bc4ce354b
which can be used as unique global reference for LC_MAIN Hijacking Mitigation - T1149
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
external_id | T1149 |
Startup Items Mitigation - T1165
Since StartupItems are deprecated, preventing all users from writing to the /Library/StartupItems directory would prevent any startup items from getting registered. Similarly, appropriate permissions should be applied such that only specific users can edit the startup items so that they can't be leveraged for privilege escalation.
Internal MISP references
UUID 94927849-03e3-4a07-8f4c-9ee21b626719
which can be used as unique global reference for Startup Items Mitigation - T1165
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
external_id | T1165 |
Dylib Hijacking Mitigation - T1157
Prevent users from being able to write files to the search paths for applications, both in the folders where applications are run from and the standard dylib folders. If users can't write to these directories, then they can't intercept the search path.
Internal MISP references
UUID dc43c2fe-355e-4a79-9570-3267b0992784
which can be used as unique global reference for Dylib Hijacking Mitigation - T1157
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
external_id | T1157 |
Launch Agent Mitigation - T1159
Restrict users' ability to create Launch Agents with group policy.
Internal MISP references
UUID 121b2863-5b97-4538-acb3-f8aae070ec13
which can be used as unique global reference for Launch Agent Mitigation - T1159
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
external_id | T1159 |
Browser Extensions Mitigation - T1176
Only install browser extensions from trusted sources that can be verified. Ensure extensions that are installed are the intended ones as many malicious extensions will masquerade as legitimate ones.
Browser extensions for some browsers can be controlled through Group Policy. Set a browser extension white or black list as appropriate for your security policy. (Citation: Technospot Chrome Extensions GP)
Change settings to prevent the browser from installing extensions without sufficient permissions.
Close out all browser sessions when finished using them.
Internal MISP references
UUID b52f41b9-ccf6-4da7-a6c0-167eeb71fbd8
which can be used as unique global reference for Browser Extensions Mitigation - T1176
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
external_id | T1176 |
Process Doppelgänging Mitigation - T1186
This type of attack technique cannot be easily mitigated with preventive controls or patched since it is based on the abuse of operating system design features. For example, mitigating specific API calls will likely have unintended side effects, such as preventing legitimate process-loading mechanisms from operating properly. Efforts should be focused on preventing adversary tools from running earlier in the chain of activity and on identifying subsequent malicious behavior.
Although Process Doppelgänging may be used to evade certain types of defenses, it is still good practice to identify potentially malicious software that may be used to perform adversarial actions and audit and/or block it by using whitelisting (Citation: Beechey 2010) tools, like AppLocker, (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) or Software Restriction Policies (Citation: Corio 2008) where appropriate. (Citation: TechNet Applocker vs SRP)
Internal MISP references
UUID 34d6a2ef-370e-4d21-a34b-6208b7c78f31
which can be used as unique global reference for Process Doppelgänging Mitigation - T1186
in MISP communities and other software using the MISP galaxy
External references
- http://technet.microsoft.com/en-us/magazine/2008.06.srp.aspx - webarchive
- http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599 - webarchive
- https://attack.mitre.org/mitigations/T1186 - webarchive
- https://blogs.jpcert.or.jp/en/2016/01/windows-commands-abused-by-attackers.html - webarchive
- https://technet.microsoft.com/en-us/library/ee791851.aspx - webarchive
- https://www.iad.gov/iad/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm - webarchive
Associated metadata
Metadata key | Value |
---|---|
external_id | T1186 |
LSASS Driver Mitigation - T1177
On Windows 8.1 and Server 2012 R2, enable LSA Protection by setting the Registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\RunAsPPL to dword:00000001. (Citation: Microsoft LSA Protection Mar 2014) LSA Protection ensures that LSA plug-ins and drivers are only loaded if they are digitally signed with a Microsoft signature and adhere to the Microsoft Security Development Lifecycle (SDL) process guidance.
On Windows 10 and Server 2016, enable Windows Defender Credential Guard (Citation: Microsoft Enable Cred Guard April 2017) to run lsass.exe in an isolated virtualized environment without any device drivers. (Citation: Microsoft Credential Guard April 2017)
Ensure safe DLL search mode is enabled (HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\SafeDllSearchMode set to dword:00000001; it is enabled by default on current Windows versions, and an explicit value of 0 disables it) to mitigate the risk that lsass.exe loads a malicious code library. (Citation: Microsoft DLL Security)
Internal MISP references
UUID 7a6e5ca3-562f-4185-a323-f3b62b5b2e6b
which can be used as unique global reference for LSASS Driver Mitigation - T1177
in MISP communities and other software using the MISP galaxy
External references
- https://attack.mitre.org/mitigations/T1177 - webarchive
- https://docs.microsoft.com/windows/access-protection/credential-guard/credential-guard-how-it-works - webarchive
- https://docs.microsoft.com/windows/access-protection/credential-guard/credential-guard-manage - webarchive
- https://msdn.microsoft.com/library/windows/desktop/ff919712.aspx - webarchive
- https://technet.microsoft.com/library/dn408187.aspx - webarchive
Associated metadata
Metadata key | Value |
---|---|
external_id | T1177 |
Forced Authentication Mitigation - T1187
Block SMB traffic from exiting an enterprise network with egress filtering or by blocking TCP ports 139, 445 and UDP port 137. Filter or block WebDAV protocol traffic from exiting the network. If access to external resources over SMB and WebDAV is necessary, then traffic should be tightly limited with whitelisting. (Citation: US-CERT SMB Security) (Citation: US-CERT APT Energy Oct 2017)
For internal traffic, monitor workstation-to-workstation SMB traffic for deviations from the baseline. On many networks there should not be any, but it depends on how systems on the network are configured and where resources are located.
Use strong passwords to increase the difficulty of credential hashes from being cracked if they are obtained.
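Egress filtering for SMB is a firewall rule, but checking that the rule holds, and spotting the workstation-to-workstation traffic the paragraph says to watch, is a job for flow logs. The Python below is an added example, not from the page: it classifies constructed key=value flow records, treating RFC 1918 space as internal and assuming a 10.10.0.0/16 workstation VLAN and a single sanctioned file server at 10.20.0.5. WebDAV rides on the HTTP(S) ports, so flagging it needs a proxy that sees request methods and headers; port-based flow data like this cannot tell it from ordinary web traffic.

```python
import ipaddress

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
WORKSTATION_NETS = [ipaddress.ip_network("10.10.0.0/16")]        # assumed client VLAN
SANCTIONED_SMB_SERVERS = {ipaddress.ip_address("10.20.0.5")}      # assumed file server(s)
SMB_TCP_PORTS = {139, 445}
NETBIOS_UDP_PORTS = {137}


def parse_flow(line: str) -> dict:
    """Parse one constructed '<timestamp> src=.. dst=.. proto=.. dport=..' record."""
    fields = dict(tok.split("=", 1) for tok in line.split()[1:])   # first token is the timestamp
    return {
        "src": ipaddress.ip_address(fields["src"]),
        "dst": ipaddress.ip_address(fields["dst"]),
        "proto": fields["proto"].lower(),
        "dport": int(fields["dport"]),
    }


def _internal(ip) -> bool:
    return any(ip in net for net in RFC1918)


def _workstation(ip) -> bool:
    return any(ip in net for net in WORKSTATION_NETS)


def _is_smb(proto: str, dport: int) -> bool:
    return (proto == "tcp" and dport in SMB_TCP_PORTS) or (proto == "udp" and dport in NETBIOS_UDP_PORTS)


def classify(flow: dict):
    """Verdict for SMB traffic the page says to block or watch; None for anything else."""
    if not _is_smb(flow["proto"], flow["dport"]):
        return None
    if _internal(flow["src"]) and not _internal(flow["dst"]):
        return "smb-egress"                       # must be dropped at the perimeter
    if _workstation(flow["src"]) and _workstation(flow["dst"]):
        return "smb-workstation-to-workstation"   # rarely legitimate; compare against baseline
    if _workstation(flow["src"]) and flow["dst"] not in SANCTIONED_SMB_SERVERS:
        return "smb-to-unsanctioned-host"         # internal, but not a known file server
    return None


# Constructed sample flow log (RFC 5737 documentation ranges stand in for the Internet).
SAMPLE_LOG = """\
2019-05-01T10:00:01Z src=10.10.1.5 dst=203.0.113.7 proto=tcp dport=445
2019-05-01T10:00:02Z src=10.10.1.5 dst=10.20.0.5 proto=tcp dport=445
2019-05-01T10:00:03Z src=10.10.1.5 dst=10.10.1.9 proto=tcp dport=139
2019-05-01T10:00:04Z src=10.10.1.5 dst=198.51.100.3 proto=udp dport=137
2019-05-01T10:00:05Z src=10.10.1.5 dst=198.51.100.3 proto=tcp dport=443
"""


def findings(log_text: str) -> list:
    """(timestamp, verdict) for every record that classify() flags."""
    out = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        verdict = classify(parse_flow(line))
        if verdict:
            out.append((line.split()[0], verdict))
    return out


if __name__ == "__main__":
    for ts, verdict in findings(SAMPLE_LOG):
        print(ts, verdict)
```

Any smb-egress hit means the perimeter rule is missing or bypassed and the source host is a candidate for having leaked a NetNTLM hash; the workstation-to-workstation verdict is the baseline comparison the paragraph asks for, so expect to tune WORKSTATION_NETS and SANCTIONED_SMB_SERVERS to the real network before trusting it.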
Internal MISP references
UUID 7009ba4d-83d4-4851-9fbb-e09e28497765
which can be used as unique global reference for Forced Authentication Mitigation - T1187
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
external_id | T1187 |
BITS Jobs Mitigation - T1197
This type of attack technique cannot be easily mitigated with preventive controls since it is based on the abuse of operating system design features. For example, disabling all BITS functionality will likely have unintended side effects, such as preventing legitimate software patching and updating. Efforts should be focused on preventing adversary tools from running earlier in the chain of activity and on identification of subsequent malicious behavior. (Citation: Mondok Windows PiggyBack BITS May 2007)
Modify network and/or host firewall rules, as well as other network controls, to only allow legitimate BITS traffic.
Consider limiting access to the BITS interface to specific users or groups. (Citation: Symantec BITS May 2007)
Consider reducing the default BITS job lifetime in Group Policy or by editing the JobInactivityTimeout and MaxDownloadTime Registry values in HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\BITS. (Citation: Microsoft BITS)
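The LSASS Driver and BITS Jobs mitigations above both come down to specific registry values, which can be checked offline from a reg export dump. The Python below is an added example, not code from the page or from Microsoft: it parses the DWORD values of a constructed .reg export and reports settings that are absent or weaker than recommended. The 7-day and 3600-second BITS thresholds are assumed organisational limits; the absent-value behaviour it encodes (LSA Protection off unless RunAsPPL is set, SafeDllSearchMode on unless explicitly 0, BITS falling back to its long built-in defaults) is how Windows behaves.

```python
import re

KEY_RE = re.compile(r"^\[(.+)\]$")
DWORD_RE = re.compile(r'^"([^"]+)"=dword:([0-9a-fA-F]{8})$')

LSA_KEY = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa"
SESSION_MGR_KEY = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager"
BITS_POLICY_KEY = r"HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\BITS"

# Assumed organisational thresholds. JobInactivityTimeout is expressed in days,
# MaxDownloadTime in seconds.
MAX_JOB_INACTIVITY_DAYS = 7
MAX_DOWNLOAD_SECONDS = 3600


def parse_reg_export(text: str) -> dict:
    """Parse the DWORD values of a .reg dump into {(key, name): int}; keys and names case-folded.
    `reg export` writes UTF-16 with a BOM, so decode the file with utf-16 before calling this."""
    values, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = KEY_RE.match(line)
        if m:
            current = m.group(1).lower()
            continue
        m = DWORD_RE.match(line)
        if m and current is not None:
            values[(current, m.group(1).lower())] = int(m.group(2), 16)
    return values


def _get(values: dict, key: str, name: str):
    return values.get((key.lower(), name.lower()))


def audit(values: dict) -> set:
    """Names of the settings that are absent or weaker than the page recommends."""
    weak = set()
    # LSA Protection is off unless RunAsPPL is explicitly 1.
    if _get(values, LSA_KEY, "RunAsPPL") != 1:
        weak.add("RunAsPPL")
    # SafeDllSearchMode defaults to enabled when absent; only an explicit 0 disables it.
    if _get(values, SESSION_MGR_KEY, "SafeDllSearchMode") == 0:
        weak.add("SafeDllSearchMode")
    # BITS: an absent policy value means the long built-in default applies, which is the finding.
    inactivity = _get(values, BITS_POLICY_KEY, "JobInactivityTimeout")
    if inactivity is None or inactivity > MAX_JOB_INACTIVITY_DAYS:
        weak.add("JobInactivityTimeout")
    download = _get(values, BITS_POLICY_KEY, "MaxDownloadTime")
    if download is None or download > MAX_DOWNLOAD_SECONDS:
        weak.add("MaxDownloadTime")
    return weak


# Constructed sample: LSA Protection on, safe DLL search explicitly disabled,
# BITS inactivity timeout left at 90 days, download time capped at one hour.
SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"RunAsPPL"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager]
"SafeDllSearchMode"=dword:00000000

[HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\BITS]
"JobInactivityTimeout"=dword:0000005a
"MaxDownloadTime"=dword:00000e10
"""

if __name__ == "__main__":
    for name in sorted(audit(parse_reg_export(SAMPLE_EXPORT))):
        print("weak or missing:", name)
```

The absent-value logic is the part worth getting right: a missing SafeDllSearchMode is fine, a missing RunAsPPL is not, and a missing BITS policy value silently means the default lifetime. Export the keys from the host with reg export and feed the decoded text in; on Windows 10 / Server 2016 the Credential Guard check the paragraph mentions is a separate control and is not covered here.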
Internal MISP references
UUID cb825b86-3f3b-4686-ba99-44878f5d3173
which can be used as unique global reference for BITS Jobs Mitigation - T1197
in MISP communities and other software using the MISP galaxy
External references
- https://arstechnica.com/information-technology/2007/05/malware-piggybacks-on-windows-background-intelligent-transfer-service/ - webarchive
- https://attack.mitre.org/mitigations/T1197 - webarchive
- https://msdn.microsoft.com/library/windows/desktop/bb968799.aspx - webarchive
- https://www.symantec.com/connect/blogs/malware-update-windows-update - webarchive
Associated metadata
Metadata key | Value |
---|---|
external_id | T1197 |
Trusted Relationship Mitigation - T1199
Network segmentation can be used to isolate infrastructure components that do not require broad network access. Properly manage accounts and permissions used by parties in trusted relationships to minimize potential abuse by the party and if the party is compromised by an adversary. Vet the security policies and procedures of organizations that are contracted for work that require privileged access to network resources.
Internal MISP references
UUID 797312d4-8a84-4daf-9c56-57da4133c322
which can be used as unique global reference for Trusted Relationship Mitigation - T1199
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
external_id | T1199 |
Firmware Corruption Mitigation - T1495
Prevent adversary access to privileged accounts or access necessary to perform this technique. Check the integrity of the existing BIOS and device firmware to determine if it is vulnerable to modification. Patch the BIOS and other firmware as necessary to prevent successful use of known vulnerabilities.
Internal MISP references
UUID 70886857-0f19-4caa-b081-548354a8a994
which can be used as unique global reference for Firmware Corruption Mitigation - T1495
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
external_id | T1495 |
Resource Hijacking Mitigation - T1496
Identify potentially malicious software and audit and/or block it by using whitelisting (Citation: Beechey 2010) tools, like AppLocker (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) or Software Restriction Policies (Citation: Corio 2008) where appropriate. (Citation: TechNet Applocker vs SRP)
Internal MISP references
UUID 46acc565-11aa-40ba-b629-33ba0ab9b07b
which can be used as unique global reference for Resource Hijacking Mitigation - T1496
in MISP communities and other software using the MISP galaxy
External references
- http://blog.jpcert.or.jp/2016/01/windows-commands-abused-by-attackers.html - webarchive
- http://technet.microsoft.com/en-us/magazine/2008.06.srp.aspx - webarchive
- http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599 - webarchive
- https://apps.nsa.gov/iaarchive/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm - webarchive
- https://attack.mitre.org/mitigations/T1496 - webarchive
- https://technet.microsoft.com/en-us/library/ee791851.aspx - webarchive
Associated metadata
Metadata key | Value |
---|---|
external_id | T1496 |
Data Destruction Mitigation - T1488
Consider implementing IT disaster recovery plans that contain procedures for taking regular data backups that can be used to restore organizational data. (Citation: Ready.gov IT DRP) Ensure backups are stored off system and are protected from common methods adversaries may use to gain access and destroy the backups to prevent recovery.
Identify potentially malicious software and audit and/or block it by using whitelisting (Citation: Beechey 2010) tools, like AppLocker (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) or Software Restriction Policies (Citation: Corio 2008) where appropriate. (Citation: TechNet Applocker vs SRP)
Internal MISP references
UUID 0b3ee33e-430b-476f-9525-72d120c90f8d
which can be used as unique global reference for Data Destruction Mitigation - T1488
in MISP communities and other software using the MISP galaxy
External references
- http://technet.microsoft.com/en-us/magazine/2008.06.srp.aspx - webarchive
- http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599 - webarchive
- https://apps.nsa.gov/iaarchive/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm - webarchive
- https://attack.mitre.org/mitigations/T1488 - webarchive
- https://blogs.jpcert.or.jp/en/2016/01/windows-commands-abused-by-attackers.html - webarchive
- https://technet.microsoft.com/en-us/library/ee791851.aspx - webarchive
- https://www.ready.gov/business/implementation/IT - webarchive
Associated metadata
Metadata key | Value |
---|---|
external_id | T1488 |
Service Stop Mitigation - T1489
Ensure proper process, registry, and file permissions are in place to inhibit adversaries from disabling or interfering with critical services. Limit privileges of user accounts and groups so that only authorized administrators can interact with service changes and service configurations. Harden systems used to serve critical network, business, and communications functions. Operate intrusion detection, analysis, and response systems on a separate network from the production environment to lessen the chances that an adversary can see and interfere with critical response functions.
Internal MISP references
UUID 417fed8c-bd76-48b5-90a2-a88882a95241
which can be used as unique global reference for Service Stop Mitigation - T1489
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
external_id | T1489 |
Multi-factor Authentication - M1032
Use two or more pieces of evidence to authenticate to a system, such as a username and password in addition to a token from a physical smart card or token generator.
Internal MISP references
UUID b045d015-6bed-4490-bd38-56b41ece59a0
which can be used as unique global reference for Multi-factor Authentication - M1032
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
external_id | M1032 |
Related clusters
Rc.common Mitigation - T1163
Limit privileges of user accounts so only authorized users can edit the rc.common file.
Internal MISP references
UUID c3cf2312-3aab-4aaf-86e6-ab3505430482
which can be used as unique global reference for Rc.common Mitigation - T1163
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
external_id | T1163 |
SSL/TLS Inspection - M1020
Break and inspect SSL/TLS sessions to look at encrypted web traffic for adversary activity.
Internal MISP references
UUID 7bb5fae9-53ad-4424-866b-f0ea2a8b731d
which can be used as unique global reference for SSL/TLS Inspection - M1020
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
external_id | M1020 |
Related clusters
Regsvcs/Regasm Mitigation - T1121
Regsvcs and Regasm may not be necessary within a