Skip to content

Hide Navigation Hide TOC

Operating System Configuration - M1028 (2f316f6c-ae42-44fe-adf8-150989e0f6d3)

Operating System Configuration involves adjusting system settings and hardening the default configurations of an operating system (OS) to mitigate adversary exploitation and prevent abuse of system functionality. Proper OS configurations address security vulnerabilities, limit attack surfaces, and ensure robust defense against a wide range of techniques. This mitigation can be implemented through the following measures:

Disable Unused Features:

  • Turn off SMBv1, LLMNR, and NetBIOS where not needed.
  • Disable remote registry and unnecessary services.

Enforce OS-level Protections:

  • Enable Data Execution Prevention (DEP), Address Space Layout Randomization (ASLR), and Control Flow Guard (CFG) on Windows.
  • Use AppArmor or SELinux on Linux for mandatory access controls.

Secure Access Settings:

  • Enable User Account Control (UAC) for Windows.
  • Restrict root/sudo access on Linux/macOS and enforce strong permissions using sudoers files.

File System Hardening:

  • Implement least-privilege access for critical files and system directories.
  • Audit permissions regularly using tools like icacls (Windows) or getfacl/chmod (Linux/macOS).

Secure Remote Access:

  • Restrict RDP, SSH, and VNC to authorized IPs using firewall rules.
  • Enable NLA for RDP and enforce strong password/lockout policies.

Harden Boot Configurations:

  • Enable Secure Boot and enforce UEFI/BIOS password protection.
  • Use BitLocker or LUKS to encrypt boot drives.

Regular Audits:

  • Periodically audit OS configurations using tools like CIS Benchmarks or SCAP tools.

Tools for Implementation

Windows:

  • Microsoft Group Policy Objects (GPO): Centrally enforce OS security settings.
  • Windows Defender Exploit Guard: Built-in OS protection against exploits.
  • CIS-CAT Pro: Audit Windows security configurations based on CIS Benchmarks.

Linux/macOS:

  • AppArmor/SELinux: Enforce mandatory access controls.
  • Lynis: Perform comprehensive security audits.
  • SCAP Security Guide: Automate configuration hardening using Security Content Automation Protocol.

Cross-Platform:

  • Ansible or Chef/Puppet: Automate configuration hardening at scale.
  • OpenSCAP: Perform compliance and configuration checks.
Cluster A Galaxy A Cluster B Galaxy B Level
Operating System Configuration - M1028 (2f316f6c-ae42-44fe-adf8-150989e0f6d3) Course of Action Scheduled Task/Job - T1053 (35dd844a-b219-4e2b-a6bb-efa9a75995a9) Attack Pattern 1
BITS Jobs - T1197 (c8e87b83-edbb-48d4-9295-4974897525b7) Attack Pattern Operating System Configuration - M1028 (2f316f6c-ae42-44fe-adf8-150989e0f6d3) Course of Action 1
Operating System Configuration - M1028 (2f316f6c-ae42-44fe-adf8-150989e0f6d3) Course of Action Network Share Discovery - T1135 (3489cfc5-640f-4bb3-a103-9137b97de79f) Attack Pattern 1
Operating System Configuration - M1028 (2f316f6c-ae42-44fe-adf8-150989e0f6d3) Course of Action Communication Through Removable Media - T1092 (64196062-5210-42c3-9a02-563a0d1797ef) Attack Pattern 1
Operating System Configuration - M1028 (2f316f6c-ae42-44fe-adf8-150989e0f6d3) Course of Action Password Filter DLL - T1556.002 (3731fbcd-0e43-47ae-ae6c-d15e510f0d42) Attack Pattern 1
Operating System Configuration - M1028 (2f316f6c-ae42-44fe-adf8-150989e0f6d3) Course of Action Bash History - T1552.003 (8187bd2a-866f-4457-9009-86b0ddedffa3) Attack Pattern 1
Domain Account - T1136.002 (7610cada-1499-41a4-b3dd-46467b68d177) Attack Pattern Operating System Configuration - M1028 (2f316f6c-ae42-44fe-adf8-150989e0f6d3) Course of Action 1
RDP Hijacking - T1563.002 (e0033c16-a07e-48aa-8204-7c3ca669998c) Attack Pattern Operating System Configuration - M1028 (2f316f6c-ae42-44fe-adf8-150989e0f6d3) Course of Action 1
Impair Command History Logging - T1562.003 (8f504411-cb96-4dac-a537-8d2bb7679c59) Attack Pattern Operating System Configuration - M1028 (2f316f6c-ae42-44fe-adf8-150989e0f6d3) Course of Action 1
Operating System Configuration - M1028 (2f316f6c-ae42-44fe-adf8-150989e0f6d3) Course of Action Exfiltration Over Other Network Medium - T1011 (51ea26b1-ff1e-4faa-b1a0-1114cd298c87) Attack Pattern 1
Operating System Configuration - M1028 (2f316f6c-ae42-44fe-adf8-150989e0f6d3) Course of Action Unsecured Credentials - T1552 (435dfb86-2697-4867-85b5-2fef496c0517) Attack Pattern 1
Operating System Configuration - M1028 (2f316f6c-ae42-44fe-adf8-150989e0f6d3) Course of Action Create Account - T1136 (e01be9c5-e763-4caf-aeb7-000b416aef67) Attack Pattern 1
Operating System Configuration - M1028 (2f316f6c-ae42-44fe-adf8-150989e0f6d3) Course of Action TFTP Boot - T1542.005 (28abec6c-4443-4b03-8206-07f2e264a6b4) Attack Pattern 1
Operating System Configuration - M1028 (2f316f6c-ae42-44fe-adf8-150989e0f6d3) Course of Action Modify Authentication Process - T1556 (f4c1826f-a322-41cd-9557-562100848c84) Attack Pattern 1
OS Credential Dumping - T1003 (0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22) Attack Pattern Operating System Configuration - M1028 (2f316f6c-ae42-44fe-adf8-150989e0f6d3) Course of Action 1
Domain Account - T1087.002 (21875073-b0ee-49e3-9077-1e2a885359af) Attack Pattern Operating System Configuration - M1028 (2f316f6c-ae42-44fe-adf8-150989e0f6d3) Course of Action 1
Inhibit System Recovery - T1490 (f5d8eed6-48a9-4cdf-a3d7-d1ffa99c3d2a) Attack Pattern Operating System Configuration - M1028 (2f316f6c-ae42-44fe-adf8-150989e0f6d3) Course of Action 1
LSASS Memory - T1003.001 (65f2d882-3f41-4d48-8a06-29af77ec9f90) Attack Pattern Operating System Configuration - M1028 (2f316f6c-ae42-44fe-adf8-150989e0f6d3) Course of Action 1
Accessibility Features - T1546.008 (70e52b04-2a0c-4cea-9d18-7149f1df9dc5) Attack Pattern Operating System Configuration - M1028 (2f316f6c-ae42-44fe-adf8-150989e0f6d3) Course of Action 1
Hidden Users - T1564.002 (8c4aef43-48d5-49aa-b2af-c0cd58d30c3d) Attack Pattern Operating System Configuration - M1028 (2f316f6c-ae42-44fe-adf8-150989e0f6d3) Course of Action 1
Install Root Certificate - T1553.004 (c615231b-f253-4f58-9d47-d5b4cbdb6839) Attack Pattern Operating System Configuration - M1028 (2f316f6c-ae42-44fe-adf8-150989e0f6d3) Course of Action 1
Sudo and Sudo Caching - T1548.003 (1365fe3b-0f50-455d-b4da-266ce31c23b0) Attack Pattern Operating System Configuration - M1028 (2f316f6c-ae42-44fe-adf8-150989e0f6d3) Course of Action 1
Operating System Configuration - M1028 (2f316f6c-ae42-44fe-adf8-150989e0f6d3) Course of Action Scheduled Task - T1053.005 (005a06c6-14bf-4118-afa0-ebcd8aebb0c9) Attack Pattern 1
Operating System Configuration - M1028 (2f316f6c-ae42-44fe-adf8-150989e0f6d3) Course of Action At - T1053.002 (f3d95a1f-bba2-44ce-9af7-37866cd63fd0) Attack Pattern 1
Operating System Configuration - M1028 (2f316f6c-ae42-44fe-adf8-150989e0f6d3) Course of Action Account Discovery - T1087 (72b74d71-8169-42aa-92e0-e7b04b9f5a08) Attack Pattern 1
Operating System Configuration - M1028 (2f316f6c-ae42-44fe-adf8-150989e0f6d3) Course of Action Account Manipulation - T1098 (a10641f4-87b4-45a3-a906-92a149cb2c27) Attack Pattern 1
Double File Extension - T1036.007 (11f29a39-0942-4d62-92b6-fe236cf3066e) Attack Pattern Operating System Configuration - M1028 (2f316f6c-ae42-44fe-adf8-150989e0f6d3) Course of Action 1
Windows Service - T1543.003 (2959d63f-73fd-46a1-abd2-109d7dcede32) Attack Pattern Operating System Configuration - M1028 (2f316f6c-ae42-44fe-adf8-150989e0f6d3) Course of Action 1
Operating System Configuration - M1028 (2f316f6c-ae42-44fe-adf8-150989e0f6d3) Course of Action Setuid and Setgid - T1548.001 (6831414d-bb70-42b7-8030-d4e06b2660c9) Attack Pattern 1
Operating System Configuration - M1028 (2f316f6c-ae42-44fe-adf8-150989e0f6d3) Course of Action Security Account Manager - T1003.002 (1644e709-12d2-41e5-a60f-3470991f5011) Attack Pattern 1
Operating System Configuration - M1028 (2f316f6c-ae42-44fe-adf8-150989e0f6d3) Course of Action Dynamic Linker Hijacking - T1574.006 (633a100c-b2c9-41bf-9be5-905c1b16c825) Attack Pattern 1
Operating System Configuration - M1028 (2f316f6c-ae42-44fe-adf8-150989e0f6d3) Course of Action Subvert Trust Controls - T1553 (b83e166d-13d7-4b52-8677-dff90c548fd7) Attack Pattern 1
Cached Domain Credentials - T1003.005 (6add2ab5-2711-4e9d-87c8-7a0be8531530) Attack Pattern Operating System Configuration - M1028 (2f316f6c-ae42-44fe-adf8-150989e0f6d3) Course of Action 1
Network Provider DLL - T1556.008 (90c4a591-d02d-490b-92aa-619d9701ac04) Attack Pattern Operating System Configuration - M1028 (2f316f6c-ae42-44fe-adf8-150989e0f6d3) Course of Action 1
Operating System Configuration - M1028 (2f316f6c-ae42-44fe-adf8-150989e0f6d3) Course of Action Create or Modify System Process - T1543 (106c0cf6-bf73-4601-9aa8-0945c2715ec5) Attack Pattern 1
Operating System Configuration - M1028 (2f316f6c-ae42-44fe-adf8-150989e0f6d3) Course of Action Exfiltration Over Bluetooth - T1011.001 (613d08bc-e8f4-4791-80b0-c8b974340dfd) Attack Pattern 1
Remote Desktop Protocol - T1021.001 (eb062747-2193-45de-8fa2-e62549c37ddf) Attack Pattern Operating System Configuration - M1028 (2f316f6c-ae42-44fe-adf8-150989e0f6d3) Course of Action 1
Local Account - T1087.001 (25659dd6-ea12-45c4-97e6-381e3e4b593e) Attack Pattern Operating System Configuration - M1028 (2f316f6c-ae42-44fe-adf8-150989e0f6d3) Course of Action 1
Operating System Configuration - M1028 (2f316f6c-ae42-44fe-adf8-150989e0f6d3) Course of Action Abuse Elevation Control Mechanism - T1548 (67720091-eee3-4d2d-ae16-8264567f6f5b) Attack Pattern 1
Modify Authentication Process - T1556 (f4c1826f-a322-41cd-9557-562100848c84) Attack Pattern Password Filter DLL - T1556.002 (3731fbcd-0e43-47ae-ae6c-d15e510f0d42) Attack Pattern 2
Bash History - T1552.003 (8187bd2a-866f-4457-9009-86b0ddedffa3) Attack Pattern Unsecured Credentials - T1552 (435dfb86-2697-4867-85b5-2fef496c0517) Attack Pattern 2
Domain Account - T1136.002 (7610cada-1499-41a4-b3dd-46467b68d177) Attack Pattern Create Account - T1136 (e01be9c5-e763-4caf-aeb7-000b416aef67) Attack Pattern 2
RDP Hijacking - T1563.002 (e0033c16-a07e-48aa-8204-7c3ca669998c) Attack Pattern Remote Service Session Hijacking - T1563 (5b0ad6f8-6a16-4966-a4ef-d09ea6e2a9f5) Attack Pattern 2
Impair Defenses - T1562 (3d333250-30e4-4a82-9edc-756c68afc529) Attack Pattern Impair Command History Logging - T1562.003 (8f504411-cb96-4dac-a537-8d2bb7679c59) Attack Pattern 2
Pre-OS Boot - T1542 (7f0ca133-88c4-40c6-a62f-b3083a7fbc2e) Attack Pattern TFTP Boot - T1542.005 (28abec6c-4443-4b03-8206-07f2e264a6b4) Attack Pattern 2
Domain Account - T1087.002 (21875073-b0ee-49e3-9077-1e2a885359af) Attack Pattern Account Discovery - T1087 (72b74d71-8169-42aa-92e0-e7b04b9f5a08) Attack Pattern 2
OS Credential Dumping - T1003 (0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22) Attack Pattern LSASS Memory - T1003.001 (65f2d882-3f41-4d48-8a06-29af77ec9f90) Attack Pattern 2
Accessibility Features - T1546.008 (70e52b04-2a0c-4cea-9d18-7149f1df9dc5) Attack Pattern Event Triggered Execution - T1546 (b6301b64-ef57-4cce-bb0b-77026f14a8db) Attack Pattern 2
Hide Artifacts - T1564 (22905430-4901-4c2a-84f6-98243cb173f8) Attack Pattern Hidden Users - T1564.002 (8c4aef43-48d5-49aa-b2af-c0cd58d30c3d) Attack Pattern 2
Install Root Certificate - T1553.004 (c615231b-f253-4f58-9d47-d5b4cbdb6839) Attack Pattern Subvert Trust Controls - T1553 (b83e166d-13d7-4b52-8677-dff90c548fd7) Attack Pattern 2
Sudo and Sudo Caching - T1548.003 (1365fe3b-0f50-455d-b4da-266ce31c23b0) Attack Pattern Abuse Elevation Control Mechanism - T1548 (67720091-eee3-4d2d-ae16-8264567f6f5b) Attack Pattern 2
Scheduled Task - T1053.005 (005a06c6-14bf-4118-afa0-ebcd8aebb0c9) Attack Pattern Scheduled Task/Job - T1053 (35dd844a-b219-4e2b-a6bb-efa9a75995a9) Attack Pattern 2
Scheduled Task/Job - T1053 (35dd844a-b219-4e2b-a6bb-efa9a75995a9) Attack Pattern At - T1053.002 (f3d95a1f-bba2-44ce-9af7-37866cd63fd0) Attack Pattern 2
Double File Extension - T1036.007 (11f29a39-0942-4d62-92b6-fe236cf3066e) Attack Pattern Masquerading - T1036 (42e8de7b-37b2-4258-905a-6897815e58e0) Attack Pattern 2
Windows Service - T1543.003 (2959d63f-73fd-46a1-abd2-109d7dcede32) Attack Pattern Create or Modify System Process - T1543 (106c0cf6-bf73-4601-9aa8-0945c2715ec5) Attack Pattern 2
Abuse Elevation Control Mechanism - T1548 (67720091-eee3-4d2d-ae16-8264567f6f5b) Attack Pattern Setuid and Setgid - T1548.001 (6831414d-bb70-42b7-8030-d4e06b2660c9) Attack Pattern 2
OS Credential Dumping - T1003 (0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22) Attack Pattern Security Account Manager - T1003.002 (1644e709-12d2-41e5-a60f-3470991f5011) Attack Pattern 2
Hijack Execution Flow - T1574 (aedfca76-3b30-4866-b2aa-0f1d7fd1e4b6) Attack Pattern Dynamic Linker Hijacking - T1574.006 (633a100c-b2c9-41bf-9be5-905c1b16c825) Attack Pattern 2
OS Credential Dumping - T1003 (0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22) Attack Pattern Cached Domain Credentials - T1003.005 (6add2ab5-2711-4e9d-87c8-7a0be8531530) Attack Pattern 2
Network Provider DLL - T1556.008 (90c4a591-d02d-490b-92aa-619d9701ac04) Attack Pattern Modify Authentication Process - T1556 (f4c1826f-a322-41cd-9557-562100848c84) Attack Pattern 2
Exfiltration Over Bluetooth - T1011.001 (613d08bc-e8f4-4791-80b0-c8b974340dfd) Attack Pattern Exfiltration Over Other Network Medium - T1011 (51ea26b1-ff1e-4faa-b1a0-1114cd298c87) Attack Pattern 2
Remote Services - T1021 (54a649ff-439a-41a4-9856-8d144a2551ba) Attack Pattern Remote Desktop Protocol - T1021.001 (eb062747-2193-45de-8fa2-e62549c37ddf) Attack Pattern 2
Local Account - T1087.001 (25659dd6-ea12-45c4-97e6-381e3e4b593e) Attack Pattern Account Discovery - T1087 (72b74d71-8169-42aa-92e0-e7b04b9f5a08) Attack Pattern 2