
Software Configuration - M1054 (b5dbb4c5-b0b1-40b1-80b6-e9e84ab90067)

Software configuration refers to making security-focused adjustments to the settings of applications, middleware, databases, or other software to mitigate potential threats. These changes help reduce the attack surface, enforce best practices, and protect sensitive data. This mitigation can be implemented through the following measures:

Conduct a Security Review of Application Settings:

  • Review the software documentation to identify recommended security configurations.
  • Compare default settings against organizational policies and compliance requirements.

Implement Access Controls and Permissions:

  • Restrict access to sensitive features or data within the software.
  • Enforce least privilege principles for all roles and accounts interacting with the software.

Enable Logging and Monitoring:

  • Configure detailed logging for key application events such as authentication failures, configuration changes, or unusual activity.
  • Integrate logs with a centralized monitoring solution, such as a SIEM.

Update and Patch Software Regularly:

  • Keep the software up to date with the latest security patches to address known vulnerabilities.
  • Use automated patch management tools to streamline the update process.

Disable Unnecessary Features or Services:

  • Turn off unused functionality or components that could introduce vulnerabilities, such as debugging interfaces or deprecated APIs.

Test Configuration Changes:

  • Perform configuration changes in a staging environment before applying them in production.
  • Conduct regular audits to ensure that settings remain aligned with security policies.
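The review, hardening and audit steps above all reduce to the same check: compare the settings a deployment actually has against a written policy and report every deviation. The script below is an added example (it is not part of the M1054 entry or of any vendor's tooling): the application config, the setting names and the policy rules are constructed for illustration, not taken from a real product. It treats an absent setting as a finding, because a missing key means the vendor default is in effect, which is exactly what a review cannot assume is safe.

```python
"""Audit an application's security-relevant settings against a baseline policy.

Added example, not from the ATT&CK/MISP page. The config layout, setting names
and policy rules are constructed for illustration.
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import Any, Callable


@dataclass(frozen=True)
class Rule:
    key: str                       # dotted path of the setting in the app config
    check: Callable[[Any], bool]   # returns True when the value satisfies policy
    expected: str                  # human-readable statement of the policy
    severity: str                  # "high" / "medium" / "low"


@dataclass(frozen=True)
class Finding:
    key: str
    actual: Any
    expected: str
    severity: str


def version_tuple(v: Any) -> tuple[int, ...]:
    """Turn '1.2' into (1, 2) so protocol versions compare numerically."""
    return tuple(int(p) for p in str(v).split("."))


def lookup(config: dict, dotted: str) -> tuple[bool, Any]:
    """Resolve 'a.b.c' in nested dicts; (False, None) when the key is absent."""
    node: Any = config
    for part in dotted.split("."):
        if not isinstance(node, dict) or part not in node:
            return False, None
        node = node[part]
    return True, node


def audit(config: dict, rules: list[Rule]) -> list[Finding]:
    """Return one Finding per rule the config violates or leaves unset."""
    findings: list[Finding] = []
    for rule in rules:
        present, value = lookup(config, rule.key)
        if not present:
            # Unset means the vendor default applies; flag it rather than assume it is safe.
            findings.append(Finding(rule.key, "<unset: vendor default>", rule.expected, rule.severity))
        elif not rule.check(value):
            findings.append(Finding(rule.key, value, rule.expected, rule.severity))
    return findings


def report(findings: list[Finding]) -> str:
    """Render findings as one line each, highest severity first."""
    order = {"high": 0, "medium": 1, "low": 2}
    lines = [f"[{f.severity.upper()}] {f.key}: actual={f.actual!r}, expected: {f.expected}"
             for f in sorted(findings, key=lambda f: order.get(f.severity, 9))]
    return "\n".join(lines) if lines else "no deviations from policy"


# Constructed policy mirroring the measures in the text: no debug interface, no deprecated
# API, modern TLS, auth-failure logging forwarded to a SIEM, Secure cookies, no anonymous admin.
POLICY: list[Rule] = [
    Rule("server.debug", lambda v: v is False, "debug interface disabled", "high"),
    Rule("api.v1_enabled", lambda v: v is False, "deprecated v1 API disabled", "medium"),
    Rule("tls.min_version", lambda v: version_tuple(v) >= (1, 2), "TLS 1.2 or newer", "high"),
    Rule("logging.auth_failures", lambda v: v is True, "authentication failures logged", "medium"),
    Rule("logging.syslog_target", lambda v: isinstance(v, str) and bool(v),
         "logs forwarded to the SIEM collector", "medium"),
    Rule("session.cookie_secure", lambda v: v is True, "session cookie marked Secure", "high"),
    Rule("admin.allow_anonymous", lambda v: v is False, "anonymous admin access disabled", "high"),
]

# Constructed sample configs: one as it might ship by default, one after hardening.
SAMPLE_CONFIG: dict = {
    "server": {"debug": True},
    "api": {"v1_enabled": True},
    "tls": {"min_version": "1.0"},
    "logging": {"auth_failures": False},        # syslog_target deliberately missing
    "session": {"cookie_secure": True},
    # "admin" section deliberately missing: vendor default applies
}

HARDENED_CONFIG: dict = {
    "server": {"debug": False},
    "api": {"v1_enabled": False},
    "tls": {"min_version": "1.3"},
    "logging": {"auth_failures": True, "syslog_target": "siem.example.internal:6514"},
    "session": {"cookie_secure": True},
    "admin": {"allow_anonymous": False},
}

if __name__ == "__main__":
    print("--- default config ---")
    print(report(audit(SAMPLE_CONFIG, POLICY)))
    print("--- hardened config ---")
    print(report(audit(HARDENED_CONFIG, POLICY)))
```

Running the audit against the default config yields six findings (four violated rules plus two settings that were never set); the hardened config yields none. The same function run on a schedule against exported production settings gives the recurring audit the last measure calls for, and the policy list is the artifact to keep under version control next to the Ansible, Chef or Puppet code that applies it.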

Tools for Implementation

Configuration Management Tools:

  • Ansible: Automates configuration changes across multiple applications and environments.
  • Chef: Ensures consistent application settings through code-based configuration management.
  • Puppet: Automates software configurations and audits changes for compliance.

Security Benchmarking Tools:

  • CIS-CAT: Provides benchmarks and audits for secure software configurations.
  • Aqua Security Trivy: Scans containerized applications for configuration issues.

Vulnerability Management Solutions:

  • Nessus: Identifies misconfigurations and suggests corrective actions.

Logging and Monitoring Tools:

  • Splunk: Aggregates and analyzes application logs to detect suspicious activity.

Cluster A | Galaxy A | Cluster B | Galaxy B | Level
Software Configuration - M1054 (b5dbb4c5-b0b1-40b1-80b6-e9e84ab90067) | Course of Action | Data from Configuration Repository - T1602 (0ad7bc5c-235a-4048-944b-3b286676cb74) | Attack Pattern | 1
Software Configuration - M1054 (b5dbb4c5-b0b1-40b1-80b6-e9e84ab90067) | Course of Action | Transfer Data to Cloud Account - T1537 (d4bdbdea-eaec-4071-b4f9-5105e12ea4b6) | Attack Pattern | 1
Office Application Startup - T1137 (2c4d4e92-0ccf-4a97-b54c-86d662988a53) | Attack Pattern | Software Configuration - M1054 (b5dbb4c5-b0b1-40b1-80b6-e9e84ab90067) | Course of Action | 1
Inter-Process Communication - T1559 (acd0ba37-7ba9-4cc5-ac61-796586cd856d) | Attack Pattern | Software Configuration - M1054 (b5dbb4c5-b0b1-40b1-80b6-e9e84ab90067) | Course of Action | 1
Software Configuration - M1054 (b5dbb4c5-b0b1-40b1-80b6-e9e84ab90067) | Course of Action | Email Bombing - T1667 (bed81616-3dde-4685-be6e-ba9820f9a7ed) | Attack Pattern | 1
Office Test - T1137.002 (ed7efd4d-ce28-4a19-a8e6-c58011eb2c7a) | Attack Pattern | Software Configuration - M1054 (b5dbb4c5-b0b1-40b1-80b6-e9e84ab90067) | Course of Action | 1
Spearphishing Link - T1598.003 (2d3f5b3c-54ca-4f4d-bb1f-849346d31230) | Attack Pattern | Software Configuration - M1054 (b5dbb4c5-b0b1-40b1-80b6-e9e84ab90067) | Course of Action | 1
Software Configuration - M1054 (b5dbb4c5-b0b1-40b1-80b6-e9e84ab90067) | Course of Action | Dynamic Data Exchange - T1559.002 (232a7e42-cd6e-4902-8fe9-2960f529dd4d) | Attack Pattern | 1
Software Configuration - M1054 (b5dbb4c5-b0b1-40b1-80b6-e9e84ab90067) | Course of Action | Unused/Unsupported Cloud Regions - T1535 (59bd0dec-f8b2-4b9a-9141-37a1e6899761) | Attack Pattern | 1
Safe Mode Boot - T1562.009 (28170e17-8384-415c-8486-2e6b294cb803) | Attack Pattern | Software Configuration - M1054 (b5dbb4c5-b0b1-40b1-80b6-e9e84ab90067) | Course of Action | 1
Impair Defenses - T1562 (3d333250-30e4-4a82-9edc-756c68afc529) | Attack Pattern | Software Configuration - M1054 (b5dbb4c5-b0b1-40b1-80b6-e9e84ab90067) | Course of Action | 1
Modify Cloud Resource Hierarchy - T1666 (0ce73446-8722-4086-9d43-514f1d0f669e) | Attack Pattern | Software Configuration - M1054 (b5dbb4c5-b0b1-40b1-80b6-e9e84ab90067) | Course of Action | 1
Software Configuration - M1054 (b5dbb4c5-b0b1-40b1-80b6-e9e84ab90067) | Course of Action | Downgrade Attack - T1562.010 (824add00-99a1-4b15-9a2d-6c5683b7b497) | Attack Pattern | 1
Install Root Certificate - T1553.004 (c615231b-f253-4f58-9d47-d5b4cbdb6839) | Attack Pattern | Software Configuration - M1054 (b5dbb4c5-b0b1-40b1-80b6-e9e84ab90067) | Course of Action | 1
Email Spoofing - T1672 (e1c2db92-7ae3-4e6a-90b4-157c1c1565cb) | Attack Pattern | Software Configuration - M1054 (b5dbb4c5-b0b1-40b1-80b6-e9e84ab90067) | Course of Action | 1
SNMP (MIB Dump) - T1602.001 (ee7ff928-801c-4f34-8a99-3df965e581a5) | Attack Pattern | Software Configuration - M1054 (b5dbb4c5-b0b1-40b1-80b6-e9e84ab90067) | Course of Action | 1
Software Configuration - M1054 (b5dbb4c5-b0b1-40b1-80b6-e9e84ab90067) | Course of Action | Phishing for Information - T1598 (cca0ccb6-a068-4574-a722-b1556f86833a) | Attack Pattern | 1
Software Configuration - M1054 (b5dbb4c5-b0b1-40b1-80b6-e9e84ab90067) | Course of Action | Forge Web Credentials - T1606 (94cb00a4-b295-4d06-aa2b-5653b9c1be9c) | Attack Pattern | 1
Password Managers - T1555.005 (315f51f0-6b03-4c1e-bfb2-84740afb8e21) | Attack Pattern | Software Configuration - M1054 (b5dbb4c5-b0b1-40b1-80b6-e9e84ab90067) | Course of Action | 1
Software Configuration - M1054 (b5dbb4c5-b0b1-40b1-80b6-e9e84ab90067) | Course of Action | Indicator Blocking - T1562.006 (74d2a63f-3c7b-4852-92da-02d8fbab16da) | Attack Pattern | 1
DNS - T1590.002 (0ff59227-8aa8-4c09-bf1f-925605bd07ea) | Attack Pattern | Software Configuration - M1054 (b5dbb4c5-b0b1-40b1-80b6-e9e84ab90067) | Course of Action | 1
Spearphishing Link - T1566.002 (2b742742-28c3-4e1b-bab7-8350d6300fa7) | Attack Pattern | Software Configuration - M1054 (b5dbb4c5-b0b1-40b1-80b6-e9e84ab90067) | Course of Action | 1
Network Device Configuration Dump - T1602.002 (52759bf1-fe12-4052-ace6-c5b0cf7dd7fd) | Attack Pattern | Software Configuration - M1054 (b5dbb4c5-b0b1-40b1-80b6-e9e84ab90067) | Course of Action | 1
Data from Information Repositories - T1213 (d28ef391-8ed4-45dc-bc4a-2f43abf54416) | Attack Pattern | Software Configuration - M1054 (b5dbb4c5-b0b1-40b1-80b6-e9e84ab90067) | Course of Action | 1
Software Configuration - M1054 (b5dbb4c5-b0b1-40b1-80b6-e9e84ab90067) | Course of Action | Spearphishing Attachment - T1598.002 (8982a661-d84c-48c0-b4ec-1db29c6cf3bc) | Attack Pattern | 1
Steal Web Session Cookie - T1539 (10ffac09-e42d-4f56-ab20-db94c67d76ff) | Attack Pattern | Software Configuration - M1054 (b5dbb4c5-b0b1-40b1-80b6-e9e84ab90067) | Course of Action | 1
Software Configuration - M1054 (b5dbb4c5-b0b1-40b1-80b6-e9e84ab90067) | Course of Action | Subvert Trust Controls - T1553 (b83e166d-13d7-4b52-8677-dff90c548fd7) | Attack Pattern | 1
Software Configuration - M1054 (b5dbb4c5-b0b1-40b1-80b6-e9e84ab90067) | Course of Action | PowerShell Profile - T1546.013 (0f2c410d-d740-4ed9-abb1-b8f4a7faf6c3) | Attack Pattern | 1
Software Configuration - M1054 (b5dbb4c5-b0b1-40b1-80b6-e9e84ab90067) | Course of Action | Phishing - T1566 (a62a8db3-f23a-4d8f-afd6-9dbc77e7813b) | Attack Pattern | 1
Software Configuration - M1054 (b5dbb4c5-b0b1-40b1-80b6-e9e84ab90067) | Course of Action | Container Service - T1543.005 (b0e54bf7-835e-4f44-bd8e-62f431b9b76a) | Attack Pattern | 1
Software Configuration - M1054 (b5dbb4c5-b0b1-40b1-80b6-e9e84ab90067) | Course of Action | Web Session Cookie - T1550.004 (c3c8c916-2f3c-4e71-94b2-240bdfc996f0) | Attack Pattern | 1
Web Cookies - T1606.001 (861b8fd2-57f3-4ee1-ab5d-c19c3b8c7a4a) | Attack Pattern | Software Configuration - M1054 (b5dbb4c5-b0b1-40b1-80b6-e9e84ab90067) | Course of Action | 1
Customer Relationship Management Software - T1213.004 (bbfbb096-6561-4d7d-aa2c-a5ee8e44c696) | Attack Pattern | Software Configuration - M1054 (b5dbb4c5-b0b1-40b1-80b6-e9e84ab90067) | Course of Action | 1
Software Configuration - M1054 (b5dbb4c5-b0b1-40b1-80b6-e9e84ab90067) | Course of Action | Create or Modify System Process - T1543 (106c0cf6-bf73-4601-9aa8-0945c2715ec5) | Attack Pattern | 1
Spearphishing Attachment - T1566.001 (2e34237d-8574-43f6-aace-ae2915de8597) | Attack Pattern | Software Configuration - M1054 (b5dbb4c5-b0b1-40b1-80b6-e9e84ab90067) | Course of Action | 1
Office Test - T1137.002 (ed7efd4d-ce28-4a19-a8e6-c58011eb2c7a) | Attack Pattern | Office Application Startup - T1137 (2c4d4e92-0ccf-4a97-b54c-86d662988a53) | Attack Pattern | 2
Spearphishing Link - T1598.003 (2d3f5b3c-54ca-4f4d-bb1f-849346d31230) | Attack Pattern | Phishing for Information - T1598 (cca0ccb6-a068-4574-a722-b1556f86833a) | Attack Pattern | 2
Inter-Process Communication - T1559 (acd0ba37-7ba9-4cc5-ac61-796586cd856d) | Attack Pattern | Dynamic Data Exchange - T1559.002 (232a7e42-cd6e-4902-8fe9-2960f529dd4d) | Attack Pattern | 2
Safe Mode Boot - T1562.009 (28170e17-8384-415c-8486-2e6b294cb803) | Attack Pattern | Impair Defenses - T1562 (3d333250-30e4-4a82-9edc-756c68afc529) | Attack Pattern | 2
Impair Defenses - T1562 (3d333250-30e4-4a82-9edc-756c68afc529) | Attack Pattern | Downgrade Attack - T1562.010 (824add00-99a1-4b15-9a2d-6c5683b7b497) | Attack Pattern | 2
Install Root Certificate - T1553.004 (c615231b-f253-4f58-9d47-d5b4cbdb6839) | Attack Pattern | Subvert Trust Controls - T1553 (b83e166d-13d7-4b52-8677-dff90c548fd7) | Attack Pattern | 2
SNMP (MIB Dump) - T1602.001 (ee7ff928-801c-4f34-8a99-3df965e581a5) | Attack Pattern | Data from Configuration Repository - T1602 (0ad7bc5c-235a-4048-944b-3b286676cb74) | Attack Pattern | 2
Credentials from Password Stores - T1555 (3fc9b85a-2862-4363-a64d-d692e3ffbee0) | Attack Pattern | Password Managers - T1555.005 (315f51f0-6b03-4c1e-bfb2-84740afb8e21) | Attack Pattern | 2
Impair Defenses - T1562 (3d333250-30e4-4a82-9edc-756c68afc529) | Attack Pattern | Indicator Blocking - T1562.006 (74d2a63f-3c7b-4852-92da-02d8fbab16da) | Attack Pattern | 2
DNS - T1590.002 (0ff59227-8aa8-4c09-bf1f-925605bd07ea) | Attack Pattern | Gather Victim Network Information - T1590 (9d48cab2-7929-4812-ad22-f536665f0109) | Attack Pattern | 2
Spearphishing Link - T1566.002 (2b742742-28c3-4e1b-bab7-8350d6300fa7) | Attack Pattern | Phishing - T1566 (a62a8db3-f23a-4d8f-afd6-9dbc77e7813b) | Attack Pattern | 2
Network Device Configuration Dump - T1602.002 (52759bf1-fe12-4052-ace6-c5b0cf7dd7fd) | Attack Pattern | Data from Configuration Repository - T1602 (0ad7bc5c-235a-4048-944b-3b286676cb74) | Attack Pattern | 2
Phishing for Information - T1598 (cca0ccb6-a068-4574-a722-b1556f86833a) | Attack Pattern | Spearphishing Attachment - T1598.002 (8982a661-d84c-48c0-b4ec-1db29c6cf3bc) | Attack Pattern | 2
PowerShell Profile - T1546.013 (0f2c410d-d740-4ed9-abb1-b8f4a7faf6c3) | Attack Pattern | Event Triggered Execution - T1546 (b6301b64-ef57-4cce-bb0b-77026f14a8db) | Attack Pattern | 2
Create or Modify System Process - T1543 (106c0cf6-bf73-4601-9aa8-0945c2715ec5) | Attack Pattern | Container Service - T1543.005 (b0e54bf7-835e-4f44-bd8e-62f431b9b76a) | Attack Pattern | 2
Use Alternate Authentication Material - T1550 (51a14c76-dd3b-440b-9c20-2bf91d25a814) | Attack Pattern | Web Session Cookie - T1550.004 (c3c8c916-2f3c-4e71-94b2-240bdfc996f0) | Attack Pattern | 2
Web Cookies - T1606.001 (861b8fd2-57f3-4ee1-ab5d-c19c3b8c7a4a) | Attack Pattern | Forge Web Credentials - T1606 (94cb00a4-b295-4d06-aa2b-5653b9c1be9c) | Attack Pattern | 2
Customer Relationship Management Software - T1213.004 (bbfbb096-6561-4d7d-aa2c-a5ee8e44c696) | Attack Pattern | Data from Information Repositories - T1213 (d28ef391-8ed4-45dc-bc4a-2f43abf54416) | Attack Pattern | 2
Spearphishing Attachment - T1566.001 (2e34237d-8574-43f6-aace-ae2915de8597) | Attack Pattern | Phishing - T1566 (a62a8db3-f23a-4d8f-afd6-9dbc77e7813b) | Attack Pattern | 2