Restrict Web-Based Content - M1021 (21da4fd4-27ad-4e9c-b93d-0b9b14d02c96)

Restricting web-based content involves enforcing policies and technologies that limit access to potentially malicious websites, unsafe downloads, and unauthorized browser behaviors. This can include URL filtering, download restrictions, script blocking, and extension control to protect against exploitation, phishing, and malware delivery. This mitigation can be implemented through the following measures:

Deploy Web Proxy Filtering:

  • Use solutions to filter web traffic based on categories, reputation, and content types.
  • Enforce policies that block unsafe websites or file types at the gateway level.

Enable DNS-Based Filtering:

  • Implement tools to restrict access to domains associated with malware or phishing campaigns.
  • Use public DNS filtering services to enhance protection.

Enforce Content Security Policies (CSP):

  • Configure CSP headers on internal and external web applications to restrict script execution, iframe embedding, and cross-origin requests.
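
One way to check a deployed policy against the three restrictions named above (script execution, iframe embedding, cross-origin requests). This is an added example, not part of the original page; the sample policies are constructed and the function names are hypothetical. The directive names and fallback rules are standard CSP.

```python
# Added example: audit a Content-Security-Policy header value.
# Sample policies are constructed for illustration.
WEAK_SCRIPT = {"'unsafe-inline'", "'unsafe-eval'", "*", "data:", "http:", "https:"}
HASH_OR_NONCE = ("'nonce-", "'sha256-", "'sha384-", "'sha512-")

WEAK_POLICY = "default-src *; script-src 'self' 'unsafe-inline' https:"
HARDENED_POLICY = ("default-src 'none'; script-src 'self' 'nonce-r4nd0m' "
                   "'unsafe-inline'; connect-src 'self'; frame-ancestors 'none'")

def parse_csp(header):
    """Split a CSP header value into {directive: [sources]}."""
    policy = {}
    for part in header.split(";"):
        tokens = part.split()
        if tokens:
            # A repeated directive is ignored by browsers: first one wins.
            # Lower-casing is fine for auditing (nonce values are not compared).
            policy.setdefault(tokens[0].lower(), [t.lower() for t in tokens[1:]])
    return policy

def audit_csp(header):
    """Return a list of findings; an empty list means all three checks pass."""
    p = parse_csp(header)
    findings = []
    # Script execution: script-src falls back to default-src.
    script = p.get("script-src", p.get("default-src"))
    if script is None:
        findings.append("script-src: missing, script execution unrestricted")
    else:
        strict = any(s.startswith(HASH_OR_NONCE) for s in script)
        for s in script:
            # Browsers ignore 'unsafe-inline' when a nonce or hash is present.
            if s in WEAK_SCRIPT and not (strict and s == "'unsafe-inline'"):
                findings.append(f"script-src: weak source {s}")
    # Iframe embedding: frame-ancestors has NO default-src fallback.
    ancestors = p.get("frame-ancestors")
    if ancestors is None:
        findings.append("frame-ancestors: missing, any site may embed this page")
    elif "*" in ancestors:
        findings.append("frame-ancestors: wildcard allows any embedder")
    # Cross-origin requests: connect-src falls back to default-src.
    connect = p.get("connect-src", p.get("default-src"))
    if connect is None or "*" in connect:
        findings.append("connect-src: cross-origin requests unrestricted")
    return findings

if __name__ == "__main__":
    for name, value in (("weak", WEAK_POLICY), ("hardened", HARDENED_POLICY)):
        print(name, audit_csp(value))
```

The missing `frame-ancestors` finding on the weak policy is the case most often overlooked: a strict `default-src` does not cover it.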

Control Browser Features:

  • Disable unapproved browser features like automatic downloads, developer tools, or unsafe scripting.
  • Enforce policies through tools like Group Policy Management to control browser settings.

Monitor and Alert on Web-Based Threats:

  • Use SIEM tools to collect and analyze web proxy logs for signs of anomalous or malicious activity.
  • Configure alerts for access attempts to blocked domains or repeated file download failures.
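
The two alert conditions above, sketched as detection logic over web proxy logs. This is an added example, not part of the original page: the five-field log format, the blocklist, the file extensions, and the threshold and window are all assumptions, and the log lines are constructed.

```python
# Added example: alert on blocked-domain access and repeated download failures.
# Assumed log format (hypothetical): "<ISO time> <client> <action> <status> <url>"
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import urlsplit

BLOCKED_DOMAINS = {"malware.example", "phish.example"}   # constructed blocklist
DOWNLOAD_EXT = (".exe", ".msi", ".zip", ".chm", ".js")   # assumed file types
FAIL_THRESHOLD, WINDOW = 3, timedelta(minutes=5)         # assumed tuning

SAMPLE_LOG = """\
2024-05-01T09:00:01 10.0.0.5 DENIED 403 http://cdn.malware.example/a.js
2024-05-01T09:00:30 10.0.0.7 ALLOWED 200 https://notmalware.example/index.html
2024-05-01T09:01:10 10.0.0.5 ALLOWED 404 https://files.corp.test/tool.exe
2024-05-01T09:02:40 10.0.0.5 DENIED 403 https://files.corp.test/setup.msi
2024-05-01T09:03:00 10.0.0.9 ALLOWED 200 https://files.corp.test/doc.zip
"""

def is_blocked(host):
    # Match the domain or any subdomain; a plain substring test would
    # wrongly flag "notmalware.example".
    return any(host == d or host.endswith("." + d) for d in BLOCKED_DOMAINS)

def analyze(log_text):
    """Return a list of (alert_type, client, detail) tuples."""
    alerts, failures = [], defaultdict(list)
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 5 or not parts[3].isdigit():
            continue                      # skip malformed lines
        ts, client, action, status, url = parts
        when = datetime.fromisoformat(ts)
        u = urlsplit(url)
        host = (u.hostname or "").lower()
        if is_blocked(host):
            alerts.append(("blocked-domain", client, host))
        failed = action == "DENIED" or int(status) >= 400
        if failed and u.path.lower().endswith(DOWNLOAD_EXT):
            # Keep only this client's failures inside the sliding window.
            recent = [t for t in failures[client] if when - t <= WINDOW] + [when]
            failures[client] = recent
            if len(recent) == FAIL_THRESHOLD:   # fire once when threshold is hit
                alerts.append(("repeated-download-failure", client, len(recent)))
    return alerts

if __name__ == "__main__":
    for alert in analyze(SAMPLE_LOG):
        print(alert)
```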

| Cluster A | Galaxy A | Cluster B | Galaxy B | Level |
|---|---|---|---|---|
| Restrict Web-Based Content - M1021 (21da4fd4-27ad-4e9c-b93d-0b9b14d02c96) | Course of Action | Drive-by Compromise - T1189 (d742a578-d70e-4d0e-96a6-02a9c30204e6) | Attack Pattern | 1 |
| Dynamic Resolution - T1568 (7bd9c723-2f78-4309-82c5-47cad406572b) | Attack Pattern | Restrict Web-Based Content - M1021 (21da4fd4-27ad-4e9c-b93d-0b9b14d02c96) | Course of Action | 1 |
| Content Injection - T1659 (43c9bc06-715b-42db-972f-52d25c09a20c) | Attack Pattern | Restrict Web-Based Content - M1021 (21da4fd4-27ad-4e9c-b93d-0b9b14d02c96) | Course of Action | 1 |
| Restrict Web-Based Content - M1021 (21da4fd4-27ad-4e9c-b93d-0b9b14d02c96) | Course of Action | Compiled HTML File - T1218.001 (a6937325-9321-4e2e-bb2b-3ed2d40b2a9d) | Attack Pattern | 1 |
| Exfiltration to Code Repository - T1567.001 (86a96bf6-cf8b-411c-aaeb-8959944d64f7) | Attack Pattern | Restrict Web-Based Content - M1021 (21da4fd4-27ad-4e9c-b93d-0b9b14d02c96) | Course of Action | 1 |
| Exfiltration Over Web Service - T1567 (40597f16-0963-4249-bf4c-ac93b7fb9807) | Attack Pattern | Restrict Web-Based Content - M1021 (21da4fd4-27ad-4e9c-b93d-0b9b14d02c96) | Course of Action | 1 |
| Application Access Token - T1550.001 (f005e783-57d4-4837-88ad-dbe7faee1c51) | Attack Pattern | Restrict Web-Based Content - M1021 (21da4fd4-27ad-4e9c-b93d-0b9b14d02c96) | Course of Action | 1 |
| Domain Generation Algorithms - T1568.002 (118f61a5-eb3e-4fb6-931f-2096647f4ecd) | Attack Pattern | Restrict Web-Based Content - M1021 (21da4fd4-27ad-4e9c-b93d-0b9b14d02c96) | Course of Action | 1 |
| Exfiltration to Cloud Storage - T1567.002 (bf1b6176-597c-4600-bfcd-ac989670f96b) | Attack Pattern | Restrict Web-Based Content - M1021 (21da4fd4-27ad-4e9c-b93d-0b9b14d02c96) | Course of Action | 1 |
| Credentials from Web Browsers - T1555.003 (58a3e6aa-4453-4cc8-a51f-4befe80b31a8) | Attack Pattern | Restrict Web-Based Content - M1021 (21da4fd4-27ad-4e9c-b93d-0b9b14d02c96) | Course of Action | 1 |
| Trusted Developer Utilities Proxy Execution - T1127 (ff25900d-76d5-449b-a351-8824e62fc81b) | Attack Pattern | Restrict Web-Based Content - M1021 (21da4fd4-27ad-4e9c-b93d-0b9b14d02c96) | Course of Action | 1 |
| Steal Application Access Token - T1528 (890c9858-598c-401d-a4d5-c67ebcdd703a) | Attack Pattern | Restrict Web-Based Content - M1021 (21da4fd4-27ad-4e9c-b93d-0b9b14d02c96) | Course of Action | 1 |
| Command and Scripting Interpreter - T1059 (7385dfaf-6886-4229-9ecd-6fd678040830) | Attack Pattern | Restrict Web-Based Content - M1021 (21da4fd4-27ad-4e9c-b93d-0b9b14d02c96) | Course of Action | 1 |
| Spearphishing via Service - T1566.003 (f6ad61ee-65f3-4bd0-a3f5-2f0accb36317) | Attack Pattern | Restrict Web-Based Content - M1021 (21da4fd4-27ad-4e9c-b93d-0b9b14d02c96) | Course of Action | 1 |
| Web Service - T1102 (830c9528-df21-472c-8c14-a036bf17d665) | Attack Pattern | Restrict Web-Based Content - M1021 (21da4fd4-27ad-4e9c-b93d-0b9b14d02c96) | Course of Action | 1 |
| One-Way Communication - T1102.003 (9c99724c-a483-4d60-ad9d-7f004e42e8e8) | Attack Pattern | Restrict Web-Based Content - M1021 (21da4fd4-27ad-4e9c-b93d-0b9b14d02c96) | Course of Action | 1 |
| Spearphishing Link - T1566.002 (2b742742-28c3-4e1b-bab7-8350d6300fa7) | Attack Pattern | Restrict Web-Based Content - M1021 (21da4fd4-27ad-4e9c-b93d-0b9b14d02c96) | Course of Action | 1 |
| Bidirectional Communication - T1102.002 (be055942-6e63-49d7-9fa1-9cb7d8a8f3f4) | Attack Pattern | Restrict Web-Based Content - M1021 (21da4fd4-27ad-4e9c-b93d-0b9b14d02c96) | Course of Action | 1 |
| Malicious Link - T1204.001 (ef67e13e-5598-4adc-bdb2-998225874fa9) | Attack Pattern | Restrict Web-Based Content - M1021 (21da4fd4-27ad-4e9c-b93d-0b9b14d02c96) | Course of Action | 1 |
| Malicious Copy and Paste - T1204.004 (e261a979-f354-41a8-963e-6cadac27c4bf) | Attack Pattern | Restrict Web-Based Content - M1021 (21da4fd4-27ad-4e9c-b93d-0b9b14d02c96) | Course of Action | 1 |
| JavaScript - T1059.007 (0f4a0c76-ab2d-4cb0-85d3-3f0efb8cba0d) | Attack Pattern | Restrict Web-Based Content - M1021 (21da4fd4-27ad-4e9c-b93d-0b9b14d02c96) | Course of Action | 1 |
| Visual Basic - T1059.005 (dfd7cc1d-e1d8-4394-a198-97c4cab8aa67) | Attack Pattern | Restrict Web-Based Content - M1021 (21da4fd4-27ad-4e9c-b93d-0b9b14d02c96) | Course of Action | 1 |
| Steal Web Session Cookie - T1539 (10ffac09-e42d-4f56-ab20-db94c67d76ff) | Attack Pattern | Restrict Web-Based Content - M1021 (21da4fd4-27ad-4e9c-b93d-0b9b14d02c96) | Course of Action | 1 |
| Dead Drop Resolver - T1102.001 (f7827069-0bf2-4764-af4f-23fae0d181b7) | Attack Pattern | Restrict Web-Based Content - M1021 (21da4fd4-27ad-4e9c-b93d-0b9b14d02c96) | Course of Action | 1 |
| System Binary Proxy Execution - T1218 (457c7820-d331-465a-915e-42f85500ccc4) | Attack Pattern | Restrict Web-Based Content - M1021 (21da4fd4-27ad-4e9c-b93d-0b9b14d02c96) | Course of Action | 1 |
| Phishing - T1566 (a62a8db3-f23a-4d8f-afd6-9dbc77e7813b) | Attack Pattern | Restrict Web-Based Content - M1021 (21da4fd4-27ad-4e9c-b93d-0b9b14d02c96) | Course of Action | 1 |
| Exfiltration to Text Storage Sites - T1567.003 (ba04e672-da86-4e69-aa15-0eca5db25f43) | Attack Pattern | Restrict Web-Based Content - M1021 (21da4fd4-27ad-4e9c-b93d-0b9b14d02c96) | Course of Action | 1 |
| Restrict Web-Based Content - M1021 (21da4fd4-27ad-4e9c-b93d-0b9b14d02c96) | Course of Action | ClickOnce - T1127.002 (cc279e50-df85-4c8e-be80-6dc2eda8849c) | Attack Pattern | 1 |
| Spearphishing Attachment - T1566.001 (2e34237d-8574-43f6-aace-ae2915de8597) | Attack Pattern | Restrict Web-Based Content - M1021 (21da4fd4-27ad-4e9c-b93d-0b9b14d02c96) | Course of Action | 1 |
| User Execution - T1204 (8c32eb4d-805f-4fc5-bf60-c4d476c131b5) | Attack Pattern | Restrict Web-Based Content - M1021 (21da4fd4-27ad-4e9c-b93d-0b9b14d02c96) | Course of Action | 1 |
| System Binary Proxy Execution - T1218 (457c7820-d331-465a-915e-42f85500ccc4) | Attack Pattern | Compiled HTML File - T1218.001 (a6937325-9321-4e2e-bb2b-3ed2d40b2a9d) | Attack Pattern | 2 |
| Exfiltration to Code Repository - T1567.001 (86a96bf6-cf8b-411c-aaeb-8959944d64f7) | Attack Pattern | Exfiltration Over Web Service - T1567 (40597f16-0963-4249-bf4c-ac93b7fb9807) | Attack Pattern | 2 |
| Use Alternate Authentication Material - T1550 (51a14c76-dd3b-440b-9c20-2bf91d25a814) | Attack Pattern | Application Access Token - T1550.001 (f005e783-57d4-4837-88ad-dbe7faee1c51) | Attack Pattern | 2 |
| Dynamic Resolution - T1568 (7bd9c723-2f78-4309-82c5-47cad406572b) | Attack Pattern | Domain Generation Algorithms - T1568.002 (118f61a5-eb3e-4fb6-931f-2096647f4ecd) | Attack Pattern | 2 |
| Exfiltration Over Web Service - T1567 (40597f16-0963-4249-bf4c-ac93b7fb9807) | Attack Pattern | Exfiltration to Cloud Storage - T1567.002 (bf1b6176-597c-4600-bfcd-ac989670f96b) | Attack Pattern | 2 |
| Credentials from Password Stores - T1555 (3fc9b85a-2862-4363-a64d-d692e3ffbee0) | Attack Pattern | Credentials from Web Browsers - T1555.003 (58a3e6aa-4453-4cc8-a51f-4befe80b31a8) | Attack Pattern | 2 |
| Spearphishing via Service - T1566.003 (f6ad61ee-65f3-4bd0-a3f5-2f0accb36317) | Attack Pattern | Phishing - T1566 (a62a8db3-f23a-4d8f-afd6-9dbc77e7813b) | Attack Pattern | 2 |
| One-Way Communication - T1102.003 (9c99724c-a483-4d60-ad9d-7f004e42e8e8) | Attack Pattern | Web Service - T1102 (830c9528-df21-472c-8c14-a036bf17d665) | Attack Pattern | 2 |
| Spearphishing Link - T1566.002 (2b742742-28c3-4e1b-bab7-8350d6300fa7) | Attack Pattern | Phishing - T1566 (a62a8db3-f23a-4d8f-afd6-9dbc77e7813b) | Attack Pattern | 2 |
| Web Service - T1102 (830c9528-df21-472c-8c14-a036bf17d665) | Attack Pattern | Bidirectional Communication - T1102.002 (be055942-6e63-49d7-9fa1-9cb7d8a8f3f4) | Attack Pattern | 2 |
| Malicious Link - T1204.001 (ef67e13e-5598-4adc-bdb2-998225874fa9) | Attack Pattern | User Execution - T1204 (8c32eb4d-805f-4fc5-bf60-c4d476c131b5) | Attack Pattern | 2 |
| Malicious Copy and Paste - T1204.004 (e261a979-f354-41a8-963e-6cadac27c4bf) | Attack Pattern | User Execution - T1204 (8c32eb4d-805f-4fc5-bf60-c4d476c131b5) | Attack Pattern | 2 |
| Command and Scripting Interpreter - T1059 (7385dfaf-6886-4229-9ecd-6fd678040830) | Attack Pattern | JavaScript - T1059.007 (0f4a0c76-ab2d-4cb0-85d3-3f0efb8cba0d) | Attack Pattern | 2 |
| Command and Scripting Interpreter - T1059 (7385dfaf-6886-4229-9ecd-6fd678040830) | Attack Pattern | Visual Basic - T1059.005 (dfd7cc1d-e1d8-4394-a198-97c4cab8aa67) | Attack Pattern | 2 |
| Dead Drop Resolver - T1102.001 (f7827069-0bf2-4764-af4f-23fae0d181b7) | Attack Pattern | Web Service - T1102 (830c9528-df21-472c-8c14-a036bf17d665) | Attack Pattern | 2 |
| Exfiltration Over Web Service - T1567 (40597f16-0963-4249-bf4c-ac93b7fb9807) | Attack Pattern | Exfiltration to Text Storage Sites - T1567.003 (ba04e672-da86-4e69-aa15-0eca5db25f43) | Attack Pattern | 2 |
| Trusted Developer Utilities Proxy Execution - T1127 (ff25900d-76d5-449b-a351-8824e62fc81b) | Attack Pattern | ClickOnce - T1127.002 (cc279e50-df85-4c8e-be80-6dc2eda8849c) | Attack Pattern | 2 |
| Spearphishing Attachment - T1566.001 (2e34237d-8574-43f6-aace-ae2915de8597) | Attack Pattern | Phishing - T1566 (a62a8db3-f23a-4d8f-afd6-9dbc77e7813b) | Attack Pattern | 2 |