Hide Navigation Hide TOC

Edit

Course of Action

ATT&CK Mitigation

Authors

Authors and/or Contributors
MITRE

Registry Run Keys / Startup Folder Mitigation - T1060

Identify and block potentially malicious software that may be executed through run key or startup folder persistence using whitelisting (Citation: Beechey 2010) tools like AppLocker (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) or Software Restriction Policies (Citation: Corio 2008) where appropriate. (Citation: TechNet Applocker vs SRP)

Internal MISP references

UUID 8b36d944-f274-4d46-9acd-dbba6927ce7a which can be used as unique global reference for Registry Run Keys / Startup Folder Mitigation - T1060 in MISP communities and other software using the MISP galaxy

External references

• http://blog.jpcert.or.jp/2016/01/windows-commands-abused-by-attackers.html - webarchive
• http://technet.microsoft.com/en-us/magazine/2008.06.srp.aspx - webarchive
• http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599 - webarchive
• https://apps.nsa.gov/iaarchive/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm - webarchive
• https://attack.mitre.org/mitigations/T1060 - webarchive
• https://technet.microsoft.com/en-us/library/ee791851.aspx - webarchive

Associated metadata

Metadata key	Value
external_id	T1060

Exfiltration Over Command and Control Channel Mitigation - T1041

Mitigations for command and control apply. Network intrusion detection and prevention systems that use network signatures to identify traffic for specific adversary malware can be used to mitigate activity at the network level. Signatures are often for unique indicators within protocols and may be based on the specific obfuscation technique used by a particular adversary or tool, and will likely be different across various malware families and versions. Adversaries will likely change tool command and control signatures over time or construct protocols in such a way to avoid detection by common defensive tools. (Citation: University of Birmingham C2)

Internal MISP references

UUID 92c28497-2820-445e-9f3e-a03dd77dc0c8 which can be used as unique global reference for Exfiltration Over Command and Control Channel Mitigation - T1041 in MISP communities and other software using the MISP galaxy

External references

• https://arxiv.org/ftp/arxiv/papers/1408/1408.1136.pdf - webarchive
• https://attack.mitre.org/mitigations/T1041 - webarchive

Associated metadata

Metadata key	Value
external_id	T1041

Exfiltration Over Other Network Medium Mitigation - T1011

Ensure host-based sensors maintain visibility into usage of all network adapters and prevent the creation of new ones where possible. (Citation: Microsoft GPO Bluetooth FEB 2009) (Citation: TechRepublic Wireless GPO FEB 2009)

Internal MISP references

UUID a98be93b-a75b-4dd4-8a72-4dfd0b5e25bb which can be used as unique global reference for Exfiltration Over Other Network Medium Mitigation - T1011 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/mitigations/T1011 - webarchive
• https://technet.microsoft.com/library/dd252791.aspx - webarchive
• https://www.techrepublic.com/blog/data-center/configuring-wireless-settings-via-group-policy/ - webarchive

Associated metadata

Metadata key	Value
external_id	T1011

Disable or Remove Feature or Program - M1042

Remove or deny access to unnecessary and potentially vulnerable software to prevent abuse by adversaries.

Internal MISP references

UUID eb88d97c-32f1-40be-80f0-d61a4b0b4b31 which can be used as unique global reference for Disable or Remove Feature or Program - M1042 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/mitigations/M1042 - webarchive

Associated metadata

Metadata key	Value
external_id	M1042

Related clusters

To see the related clusters, click here.

Limit Access to Resource Over Network - M1035

Prevent access to file shares, remote access to systems, unnecessary services. Mechanisms to limit access may include use of network concentrators, RDP gateways, etc.

Internal MISP references

UUID 1dcaeb21-9348-42ea-950a-f842aaf1ae1f which can be used as unique global reference for Limit Access to Resource Over Network - M1035 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/mitigations/M1035 - webarchive

Associated metadata

Metadata key	Value
external_id	M1035

Related clusters

To see the related clusters, click here.

Data from Network Shared Drive Mitigation - T1039

Identify unnecessary system utilities or potentially malicious software that may be used to collect data from a network share, and audit and/or block them by using whitelisting (Citation: Beechey 2010) tools, like AppLocker, (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) or Software Restriction Policies (Citation: Corio 2008) where appropriate. (Citation: TechNet Applocker vs SRP)

Internal MISP references

UUID d9727aee-48b8-4fdb-89e2-4c49746ba4dd which can be used as unique global reference for Data from Network Shared Drive Mitigation - T1039 in MISP communities and other software using the MISP galaxy

External references

• http://blog.jpcert.or.jp/2016/01/windows-commands-abused-by-attackers.html - webarchive
• http://technet.microsoft.com/en-us/magazine/2008.06.srp.aspx - webarchive
• http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599 - webarchive
• https://apps.nsa.gov/iaarchive/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm - webarchive
• https://attack.mitre.org/mitigations/T1039 - webarchive
• https://technet.microsoft.com/en-us/library/ee791851.aspx - webarchive

Associated metadata

Metadata key	Value
external_id	T1039

Windows Management Instrumentation Event Subscription Mitigation - T1084

Disabling WMI services may cause system instability and should be evaluated to assess the impact to a network. By default, only administrators are allowed to connect remotely using WMI; restrict other users that are allowed to connect, or disallow all users from connecting remotely to WMI. Prevent credential overlap across systems of administrator and privileged accounts. (Citation: FireEye WMI 2015)

Internal MISP references

UUID 0bc3ce00-83bc-4a92-a042-79ffbc6af259 which can be used as unique global reference for Windows Management Instrumentation Event Subscription Mitigation - T1084 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/mitigations/T1084 - webarchive
• https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/wp-windows-management-instrumentation.pdf - webarchive

Associated metadata

Metadata key	Value
external_id	T1084

Custom Command and Control Protocol Mitigation - T1094

Properly configure firewalls and proxies to limit outgoing traffic to only necessary ports and through proper network gateway systems. Also ensure hosts are only provisioned to communicate over authorized interfaces.

Network intrusion detection and prevention systems that use network signatures to identify traffic for specific adversary malware can be used to mitigate activity at the network level. Signatures are often for unique indicators within protocols and may be based on the specific protocol used by a particular adversary or tool, and will likely be different across various malware families and versions. Adversaries will likely change tool C2 signatures over time or construct protocols in such a way as to avoid detection by common defensive tools. (Citation: University of Birmingham C2)

Internal MISP references

UUID f3d0c735-330f-43c2-8e8e-51bcfa51e8c3 which can be used as unique global reference for Custom Command and Control Protocol Mitigation - T1094 in MISP communities and other software using the MISP galaxy

External references

• https://arxiv.org/ftp/arxiv/papers/1408/1408.1136.pdf - webarchive
• https://attack.mitre.org/mitigations/T1094 - webarchive

Associated metadata

Metadata key	Value
external_id	T1094

Image File Execution Options Injection Mitigation - T1183

This type of attack technique cannot be easily mitigated with preventive controls since it is based on the abuse of operating system design features. For example, mitigating all IFEO will likely have unintended side effects, such as preventing legitimate software (i.e., security products) from operating properly. (Citation: Microsoft IFEOorMalware July 2015) Efforts should be focused on preventing adversary tools from running earlier in the chain of activity and on identifying subsequent malicious behavior.

Identify and block potentially malicious software that may be executed through IFEO by using whitelisting (Citation: Beechey 2010) tools, like AppLocker, (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) that are capable of auditing and/or blocking unknown executables.

Internal MISP references

UUID 33f76731-b840-446f-bee0-53687dad24d9 which can be used as unique global reference for Image File Execution Options Injection Mitigation - T1183 in MISP communities and other software using the MISP galaxy

External references

• http://blog.jpcert.or.jp/2016/01/windows-commands-abused-by-attackers.html - webarchive
• http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599 - webarchive
• https://answers.microsoft.com/windows/forum/windows_10-security/part-of-windows-10-or-really-malware/af715663-a34a-423c-850d-2a46f369a54c - webarchive
• https://apps.nsa.gov/iaarchive/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm - webarchive
• https://attack.mitre.org/mitigations/T1183 - webarchive

Associated metadata

Metadata key	Value
external_id	T1183

SIP and Trust Provider Hijacking Mitigation - T1198

Ensure proper permissions are set for Registry hives to prevent users from modifying keys related to SIP and trust provider components. Also ensure that these values contain their full path to prevent DLL Search Order Hijacking. (Citation: SpectorOps Subverting Trust Sept 2017)

Consider removing unnecessary and/or stale SIPs. (Citation: SpectorOps Subverting Trust Sept 2017)

Restrict storage and execution of SIP DLLs to protected directories, such as C:\Windows, rather than user directories.

Enable whitelisting solutions such as AppLocker and/or Device Guard to block the loading of malicious SIP DLLs. Components may still be able to be hijacked to suitable functions already present on disk if malicious modifications to Registry keys are not prevented.

Internal MISP references

UUID ef273807-c465-4728-9cee-5823422f42ee which can be used as unique global reference for SIP and Trust Provider Hijacking Mitigation - T1198 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/mitigations/T1198 - webarchive
• https://specterops.io/assets/resources/SpecterOps_Subverting_Trust_in_Windows.pdf - webarchive

Associated metadata

Metadata key	Value
external_id	T1198

Standard Non-Application Layer Protocol Mitigation - T1095

Properly configure firewalls and proxies to limit outgoing traffic to only necessary ports and through proper network gateway systems. Also ensure hosts are only provisioned to communicate over authorized interfaces.

Network intrusion detection and prevention systems that use network signatures to identify traffic for specific adversary malware can be used to mitigate activity at the network level. Signatures are often for unique indicators within protocols and may be based on the specific obfuscation technique used by a particular adversary or tool, and will likely be different across various malware families and versions. Adversaries will likely change tool C2 signatures over time or construct protocols in such a way as to avoid detection by common defensive tools. (Citation: University of Birmingham C2)

Internal MISP references

UUID 399d9038-b100-43ef-b28d-a5065106b935 which can be used as unique global reference for Standard Non-Application Layer Protocol Mitigation - T1095 in MISP communities and other software using the MISP galaxy

External references

• https://arxiv.org/ftp/arxiv/papers/1408/1408.1136.pdf - webarchive
• https://attack.mitre.org/mitigations/T1095 - webarchive

Associated metadata

Metadata key	Value
external_id	T1095

Deobfuscate/Decode Files or Information Mitigation - T1140

Identify unnecessary system utilities or potentially malicious software that may be used to deobfuscate or decode files or information, and audit and/or block them by using whitelisting (Citation: Beechey 2010) tools, like AppLocker, (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) or Software Restriction Policies (Citation: Corio 2008) where appropriate. (Citation: TechNet Applocker vs SRP)

Internal MISP references

UUID d01f473f-3cdc-4867-9e55-1de9cf1986f0 which can be used as unique global reference for Deobfuscate/Decode Files or Information Mitigation - T1140 in MISP communities and other software using the MISP galaxy

External references

• http://blog.jpcert.or.jp/2016/01/windows-commands-abused-by-attackers.html - webarchive
• http://technet.microsoft.com/en-us/magazine/2008.06.srp.aspx - webarchive
• http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599 - webarchive
• https://apps.nsa.gov/iaarchive/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm - webarchive
• https://attack.mitre.org/mitigations/T1140 - webarchive
• https://technet.microsoft.com/en-us/library/ee791851.aspx - webarchive

Associated metadata

Metadata key	Value
external_id	T1140

Deploy Compromised Device Detection Method - M1010

A variety of methods exist that can be used to enable enterprises to identify compromised (e.g. rooted/jailbroken) devices, whether using security mechanisms built directly into the device, third-party mobile security applications, enterprise mobility management (EMM)/mobile device management (MDM) capabilities, or other methods. Some methods may be trivial to evade while others may be more sophisticated.

Internal MISP references

UUID cf2cccb1-cab8-431a-8ecf-f7874d05f433 which can be used as unique global reference for Deploy Compromised Device Detection Method - M1010 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/mitigations/M1010 - webarchive

Associated metadata

Metadata key	Value
external_id	M1010

Related clusters

To see the related clusters, click here.

Data Transfer Size Limits Mitigation - T1030

Network intrusion detection and prevention systems that use network signatures to identify traffic for specific adversary command and control infrastructure and malware can be used to mitigate activity at the network level. Signatures are often for unique indicators within protocols and may be based on the specific obfuscation technique used by a particular adversary or tool, and will likely be different across various malware families and versions. Adversaries will likely change tool command and control signatures over time or construct protocols in such a way to avoid detection by common defensive tools. (Citation: University of Birmingham C2)

Internal MISP references

UUID ba06d68a-4891-4eb5-b634-152e05ec60ee which can be used as unique global reference for Data Transfer Size Limits Mitigation - T1030 in MISP communities and other software using the MISP galaxy

External references

• https://arxiv.org/ftp/arxiv/papers/1408/1408.1136.pdf - webarchive
• https://attack.mitre.org/mitigations/T1030 - webarchive

Associated metadata

Metadata key	Value
external_id	T1030

Data from Local System Mitigation - T1005

Identify unnecessary system utilities or potentially malicious software that may be used to collect data from the local system, and audit and/or block them by using whitelisting (Citation: Beechey 2010) tools, like AppLocker, (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) or Software Restriction Policies (Citation: Corio 2008) where appropriate. (Citation: TechNet Applocker vs SRP)

Internal MISP references

UUID 7ee0879d-ce4f-4f54-a96b-c532dfb98ffd which can be used as unique global reference for Data from Local System Mitigation - T1005 in MISP communities and other software using the MISP galaxy

External references

• http://technet.microsoft.com/en-us/magazine/2008.06.srp.aspx - webarchive
• http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599 - webarchive
• https://apps.nsa.gov/iaarchive/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm - webarchive
• https://attack.mitre.org/mitigations/T1005 - webarchive
• https://blogs.jpcert.or.jp/en/2016/01/windows-commands-abused-by-attackers.html - webarchive
• https://technet.microsoft.com/en-us/library/ee791851.aspx - webarchive

Associated metadata

Metadata key	Value
external_id	T1005

File System Logical Offsets Mitigation - T1006

Identify potentially malicious software that may be used to access logical drives in this manner, and audit and/or block it by using whitelisting (Citation: Beechey 2010) tools, like AppLocker, (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) or Software Restriction Policies (Citation: Corio 2008) where appropriate. (Citation: TechNet Applocker vs SRP)

Internal MISP references

UUID 902286b2-96cc-4dd7-931f-e7340c9961da which can be used as unique global reference for File System Logical Offsets Mitigation - T1006 in MISP communities and other software using the MISP galaxy

External references

• http://technet.microsoft.com/en-us/magazine/2008.06.srp.aspx - webarchive
• http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599 - webarchive
• https://apps.nsa.gov/iaarchive/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm - webarchive
• https://attack.mitre.org/mitigations/T1006 - webarchive
• https://blogs.jpcert.or.jp/en/2016/01/windows-commands-abused-by-attackers.html - webarchive
• https://technet.microsoft.com/en-us/library/ee791851.aspx - webarchive

Associated metadata

Metadata key	Value
external_id	T1006

Caution with Device Administrator Access - M1007

Warn device users not to accept requests to grant Device Administrator access to applications without good reason.

Additionally, application vetting should include a check on whether the application requests Device Administrator access. Applications that do request Device Administrator access should be carefully scrutinized and only allowed to be used if a valid reason exists.

Internal MISP references

UUID e944670c-d03a-4e93-a21c-b3d4c53ec4c9 which can be used as unique global reference for Caution with Device Administrator Access - M1007 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/mitigations/M1007 - webarchive

Associated metadata

Metadata key	Value
external_id	M1007

Indicator Removal on Host Mitigation - T1070

Automatically forward events to a log server or data repository to prevent conditions in which the adversary can locate and manipulate data on the local system. When possible, minimize time delay on event reporting to avoid prolonged storage on the local system. Protect generated event files that are stored locally with proper permissions and authentication and limit opportunities for adversaries to increase privileges by preventing Privilege Escalation opportunities. Obfuscate/encrypt event files locally and in transit to avoid giving feedback to an adversary.

Internal MISP references

UUID 6cac62ce-550b-4793-8ee6-6a1b8836edb0 which can be used as unique global reference for Indicator Removal on Host Mitigation - T1070 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/mitigations/T1070 - webarchive

Associated metadata

Metadata key	Value
external_id	T1070

Exploitation of Remote Services Mitigation - T1210

Segment networks and systems appropriately to reduce access to critical systems and services to controlled methods. Minimize available services to only those that are necessary. Regularly scan the internal network for available services to identify new and potentially vulnerable services. Minimize permissions and access for service accounts to limit impact of exploitation.

Update software regularly by employing patch management for internal enterprise endpoints and servers. Develop a robust cyber threat intelligence capability to determine what types and levels of threat may use software exploits and 0-days against a particular organization. Make it difficult for adversaries to advance their operation through exploitation of undiscovered or unpatched vulnerabilities by using sandboxing, if available. Other types of virtualization and application microsegmentation may also mitigate the impact of some types of exploitation. The risks of additional exploits and weaknesses in implementation may still exist. (Citation: Ars Technica Pwn2Own 2017 VM Escape)

Security applications that look for behavior used during exploitation such as Windows Defender Exploit Guard (WDEG) and the Enhanced Mitigation Experience Toolkit (EMET) can be used to mitigate some exploitation behavior. (Citation: TechNet Moving Beyond EMET) Control flow integrity checking is another way to potentially identify and stop a software exploit from occurring. (Citation: Wikipedia Control Flow Integrity) Many of these protections depend on the architecture and target application binary for compatibility and may not work for all software or services targeted.

Internal MISP references

UUID 14b63e6b-7531-4476-9e60-02cc5db48b62 which can be used as unique global reference for Exploitation of Remote Services Mitigation - T1210 in MISP communities and other software using the MISP galaxy

External references

• https://arstechnica.com/information-technology/2017/03/hack-that-escapes-vm-by-exploiting-edge-browser-fetches-105000-at-pwn2own/ - webarchive
• https://attack.mitre.org/mitigations/T1210 - webarchive
• https://blogs.technet.microsoft.com/srd/2017/08/09/moving-beyond-emet-ii-windows-defender-exploit-guard/ - webarchive
• https://en.wikipedia.org/wiki/Control-flow_integrity - webarchive

Associated metadata

Metadata key	Value
external_id	T1210

System Network Configuration Discovery Mitigation - T1016

Identify unnecessary system utilities or potentially malicious software that may be used to acquire information about a system's network configuration, and audit and/or block them by using whitelisting (Citation: Beechey 2010) tools, like AppLocker, (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) or Software Restriction Policies (Citation: Corio 2008) where appropriate. (Citation: TechNet Applocker vs SRP)

Internal MISP references

UUID 684feec3-f9ba-4049-9d8f-52d52f3e0e40 which can be used as unique global reference for System Network Configuration Discovery Mitigation - T1016 in MISP communities and other software using the MISP galaxy

External references

• http://blog.jpcert.or.jp/2016/01/windows-commands-abused-by-attackers.html - webarchive
• http://technet.microsoft.com/en-us/magazine/2008.06.srp.aspx - webarchive
• http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599 - webarchive
• https://apps.nsa.gov/iaarchive/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm - webarchive
• https://attack.mitre.org/mitigations/T1016 - webarchive
• https://technet.microsoft.com/en-us/library/ee791851.aspx - webarchive

Associated metadata

Metadata key	Value
external_id	T1016

Replication Through Removable Media Mitigation - T1091

Disable Autorun if it is unnecessary. (Citation: Microsoft Disable Autorun) Disallow or restrict removable media at an organizational policy level if it is not required for business operations. (Citation: TechNet Removable Media Control)

Identify potentially malicious software that may be used to infect removable media or may result from tainted removable media, and audit and/or block it by using whitelisting (Citation: Beechey 2010) tools, like AppLocker, (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) or Software Restriction Policies (Citation: Corio 2008) where appropriate. (Citation: TechNet Applocker vs SRP)

Internal MISP references

UUID effb83a0-ead1-4b36-b7f6-b7bdf9c4616e which can be used as unique global reference for Replication Through Removable Media Mitigation - T1091 in MISP communities and other software using the MISP galaxy

External references

• http://blog.jpcert.or.jp/2016/01/windows-commands-abused-by-attackers.html - webarchive
• http://technet.microsoft.com/en-us/magazine/2008.06.srp.aspx - webarchive
• http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599 - webarchive
• https://apps.nsa.gov/iaarchive/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm - webarchive
• https://attack.mitre.org/mitigations/T1091 - webarchive
• https://support.microsoft.com/en-us/kb/967715 - webarchive
• https://technet.microsoft.com/en-us/library/cc772540(v=ws.10).aspx - webarchive
• https://technet.microsoft.com/en-us/library/ee791851.aspx - webarchive

Associated metadata

Metadata key	Value
external_id	T1091

Restrict File and Directory Permissions - M1022

Restrict access by setting directory and file permissions that are not specific to users or privileged accounts.

Internal MISP references

UUID 987988f0-cf86-4680-a875-2f6456ab2448 which can be used as unique global reference for Restrict File and Directory Permissions - M1022 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/mitigations/M1022 - webarchive

Associated metadata

Metadata key	Value
external_id	M1022

Related clusters

To see the related clusters, click here.

Exploitation for Client Execution Mitigation - T1203

Browser sandboxes can be used to mitigate some of the impact of exploitation, but sandbox escapes may still exist. (Citation: Windows Blogs Microsoft Edge Sandbox) (Citation: Ars Technica Pwn2Own 2017 VM Escape)

Other types of virtualization and application microsegmentation may also mitigate the impact of client-side exploitation. The risks of additional exploits and weaknesses in implementation may still exist. (Citation: Ars Technica Pwn2Own 2017 VM Escape)

Security applications that look for behavior used during exploitation such as Windows Defender Exploit Guard (WDEG) and the Enhanced Mitigation Experience Toolkit (EMET) can be used to mitigate some exploitation behavior. (Citation: TechNet Moving Beyond EMET) Control flow integrity checking is another way to potentially identify and stop a software exploit from occurring. (Citation: Wikipedia Control Flow Integrity) Many of these protections depend on the architecture and target application binary for compatibility.

Internal MISP references

UUID f2dcee22-c275-405e-87fd-48630a19dfba which can be used as unique global reference for Exploitation for Client Execution Mitigation - T1203 in MISP communities and other software using the MISP galaxy

External references

• https://arstechnica.com/information-technology/2017/03/hack-that-escapes-vm-by-exploiting-edge-browser-fetches-105000-at-pwn2own/ - webarchive
• https://attack.mitre.org/mitigations/T1203 - webarchive
• https://blogs.technet.microsoft.com/srd/2017/08/09/moving-beyond-emet-ii-windows-defender-exploit-guard/ - webarchive
• https://blogs.windows.com/msedgedev/2017/03/23/strengthening-microsoft-edge-sandbox/ - webarchive
• https://en.wikipedia.org/wiki/Control-flow_integrity - webarchive

Associated metadata

Metadata key	Value
external_id	T1203

Change Default File Association Mitigation - T1042

Direct mitigation of this technique is not recommended since it is a legitimate function that can be performed by users for software preferences. Follow Microsoft's best practices for file associations. (Citation: MSDN File Associations)

Identify and block potentially malicious software that may be executed by this technique using whitelisting (Citation: Beechey 2010) tools, like AppLocker, (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) or Software Restriction Policies (Citation: Corio 2008) where appropriate. (Citation: TechNet Applocker vs SRP)

Internal MISP references

UUID d7c49196-b40e-42bc-8eed-b803113692ed which can be used as unique global reference for Change Default File Association Mitigation - T1042 in MISP communities and other software using the MISP galaxy

External references

• http://blog.jpcert.or.jp/2016/01/windows-commands-abused-by-attackers.html - webarchive
• http://technet.microsoft.com/en-us/magazine/2008.06.srp.aspx - webarchive
• http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599 - webarchive
• https://apps.nsa.gov/iaarchive/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm - webarchive
• https://attack.mitre.org/mitigations/T1042 - webarchive
• https://msdn.microsoft.com/en-us/library/cc144156.aspx - webarchive
• https://technet.microsoft.com/en-us/library/ee791851.aspx - webarchive

Associated metadata

Metadata key	Value
external_id	T1042

Data from Removable Media Mitigation - T1025

Identify unnecessary system utilities or potentially malicious software that may be used to collect data from removable media, and audit and/or block them by using whitelisting (Citation: Beechey 2010) tools, like AppLocker, (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) or Software Restriction Policies (Citation: Corio 2008) where appropriate. (Citation: TechNet Applocker vs SRP)

Internal MISP references

UUID 39706d54-0d06-4a25-816a-78cc43455100 which can be used as unique global reference for Data from Removable Media Mitigation - T1025 in MISP communities and other software using the MISP galaxy

External references

• http://blog.jpcert.or.jp/2016/01/windows-commands-abused-by-attackers.html - webarchive
• http://technet.microsoft.com/en-us/magazine/2008.06.srp.aspx - webarchive
• http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599 - webarchive
• https://apps.nsa.gov/iaarchive/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm - webarchive
• https://attack.mitre.org/mitigations/T1025 - webarchive
• https://technet.microsoft.com/en-us/library/ee791851.aspx - webarchive

Associated metadata

Metadata key	Value
external_id	T1025

Exfiltration Over Physical Medium Mitigation - T1052

Disable Autorun if it is unnecessary. (Citation: Microsoft Disable Autorun) Disallow or restrict removable media at an organizational policy level if they are not required for business operations. (Citation: TechNet Removable Media Control)

Internal MISP references

UUID e547ed6a-f1ca-40df-8613-2ce27927f145 which can be used as unique global reference for Exfiltration Over Physical Medium Mitigation - T1052 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/mitigations/T1052 - webarchive
• https://support.microsoft.com/en-us/kb/967715 - webarchive
• https://technet.microsoft.com/en-us/library/cc772540(v=ws.10).aspx - webarchive

Associated metadata

Metadata key	Value
external_id	T1052

Communication Through Removable Media Mitigation - T1092

Disable Autorun if it is unnecessary. (Citation: Microsoft Disable Autorun) Disallow or restrict removable media at an organizational policy level if they are not required for business operations. (Citation: TechNet Removable Media Control)

Internal MISP references

UUID b8d57b16-d8e2-428c-a645-1083795b3445 which can be used as unique global reference for Communication Through Removable Media Mitigation - T1092 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/mitigations/T1092 - webarchive
• https://support.microsoft.com/en-us/kb/967715 - webarchive
• https://technet.microsoft.com/en-us/library/cc772540(v=ws.10).aspx - webarchive

Associated metadata

Metadata key	Value
external_id	T1092

File and Directory Discovery Mitigation - T1083

File system activity is a common part of an operating system, so it is unlikely that mitigation would be appropriate for this technique. It may still be beneficial to identify and block unnecessary system utilities or potentially malicious software by using whitelisting (Citation: Beechey 2010) tools, like AppLocker, (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) or Software Restriction Policies (Citation: Corio 2008) where appropriate. (Citation: TechNet Applocker vs SRP)

Internal MISP references

UUID 2ace01f8-67c8-43eb-b7b1-a7b9f1fe67e1 which can be used as unique global reference for File and Directory Discovery Mitigation - T1083 in MISP communities and other software using the MISP galaxy

External references

• http://blog.jpcert.or.jp/2016/01/windows-commands-abused-by-attackers.html - webarchive
• http://technet.microsoft.com/en-us/magazine/2008.06.srp.aspx - webarchive
• http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599 - webarchive
• https://apps.nsa.gov/iaarchive/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm - webarchive
• https://attack.mitre.org/mitigations/T1083 - webarchive
• https://technet.microsoft.com/en-us/library/ee791851.aspx - webarchive

Associated metadata

Metadata key	Value
external_id	T1083

DLL Search Order Hijacking Mitigation - T1038

Disallow loading of remote DLLs. (Citation: Microsoft DLL Preloading) This is included by default in Windows Server 2012+ and is available by patch for XP+ and Server 2003+. (Citation: Microsoft DLL Search) Path Algorithm

Enable Safe DLL Search Mode to force search for system DLLs in directories with greater restrictions (e.g. %SYSTEMROOT%)to be used before local directory DLLs (e.g. a user's home directory). The Safe DLL Search Mode can be enabled via Group Policy at Computer Configuration > [Policies] > Administrative Templates > MSS (Legacy): MSS: (SafeDllSearchMode) Enable Safe DLL search mode. The associated Windows Registry key for this is located at HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\SafeDLLSearchMode (Citation: Microsoft DLL Search)

Use auditing tools capable of detecting DLL search order hijacking opportunities on systems within an enterprise and correct them. Toolkits like the PowerSploit framework contain PowerUp modules that can be used to explore systems for DLL hijacking weaknesses. (Citation: Powersploit)

Identify and block potentially malicious software that may be executed through search order hijacking by using whitelisting (Citation: Beechey 2010) tools like AppLocker (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) that are capable of auditing and/or blocking unknown DLLs.

Internal MISP references

UUID 96913243-2b5e-4483-a65c-bb152ddd2f04 which can be used as unique global reference for DLL Search Order Hijacking Mitigation - T1038 in MISP communities and other software using the MISP galaxy

External references

• http://blogs.technet.com/b/srd/archive/2010/08/23/more-information-about-dll-preloading-remote-attack-vector.aspx - webarchive
• http://msdn.microsoft.com/en-US/library/ms682586 - webarchive
• http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599 - webarchive
• https://apps.nsa.gov/iaarchive/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm - webarchive
• https://attack.mitre.org/mitigations/T1038 - webarchive
• https://blogs.jpcert.or.jp/en/2016/01/windows-commands-abused-by-attackers.html - webarchive
• https://github.com/mattifestation/PowerSploit - webarchive

Associated metadata

Metadata key	Value
external_id	T1038

File System Permissions Weakness Mitigation - T1044

Use auditing tools capable of detecting file system permissions abuse opportunities on systems within an enterprise and correct them. Limit privileges of user accounts and groups so that only authorized administrators can interact with service changes and service binary target path locations. Toolkits like the PowerSploit framework contain PowerUp modules that can be used to explore systems for service file system permissions weaknesses. (Citation: Powersploit)

Identify and block potentially malicious software that may be executed through abuse of file, directory, and service permissions by using whitelisting (Citation: Beechey 2010) tools, like AppLocker, (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) that are capable of auditing and/or blocking unknown programs. Deny execution from user directories such as file download directories and temp directories where able. (Citation: Seclists Kanthak 7zip Installer)

Turn off UAC's privilege elevation for standard users [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System]to automatically deny elevation requests, add: "ConsentPromptBehaviorUser"=dword:00000000 (Citation: Seclists Kanthak 7zip Installer). Consider enabling installer detection for all users by adding: "EnableInstallerDetection"=dword:00000001. This will prompt for a password for installation and also log the attempt. To disable installer detection, instead add: "EnableInstallerDetection"=dword:00000000. This may prevent potential elevation of privileges through exploitation during the process of UAC detecting the installer, but will allow the installation process to continue without being logged.

Internal MISP references

UUID 1022138b-497c-40e6-b53a-13351cbd4090 which can be used as unique global reference for File System Permissions Weakness Mitigation - T1044 in MISP communities and other software using the MISP galaxy

External references

• http://seclists.org/fulldisclosure/2015/Dec/34 - webarchive
• http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599 - webarchive
• https://apps.nsa.gov/iaarchive/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm - webarchive
• https://attack.mitre.org/mitigations/T1044 - webarchive
• https://blogs.jpcert.or.jp/en/2016/01/windows-commands-abused-by-attackers.html - webarchive
• https://github.com/mattifestation/PowerSploit - webarchive

Associated metadata

Metadata key	Value
external_id	T1044

System Network Connections Discovery Mitigation - T1049

Identify unnecessary system utilities or potentially malicious software that may be used to acquire information about network connections, and audit and/or block them by using whitelisting (Citation: Beechey 2010) tools, like AppLocker, (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) or Software Restriction Policies (Citation: Corio 2008) where appropriate. (Citation: TechNet Applocker vs SRP)

Internal MISP references

UUID c1676218-c16a-41c9-8f7a-023779916e39 which can be used as unique global reference for System Network Connections Discovery Mitigation - T1049 in MISP communities and other software using the MISP galaxy

External references

• http://technet.microsoft.com/en-us/magazine/2008.06.srp.aspx - webarchive
• http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599 - webarchive
• https://apps.nsa.gov/iaarchive/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm - webarchive
• https://attack.mitre.org/mitigations/T1049 - webarchive
• https://blogs.jpcert.or.jp/en/2016/01/windows-commands-abused-by-attackers.html - webarchive
• https://technet.microsoft.com/en-us/library/ee791851.aspx - webarchive

Associated metadata

Metadata key	Value
external_id	T1049

Service Registry Permissions Weakness Mitigation - T1058

Ensure proper permissions are set for Registry hives to prevent users from modifying keys for system components that may lead to privilege escalation.

Identify and block potentially malicious software that may be executed through service abuse by using whitelisting (Citation: Beechey 2010) tools like AppLocker (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) that are capable of auditing and/or blocking unknown programs.

Internal MISP references

UUID 9378f139-10ef-4e4b-b679-2255a0818902 which can be used as unique global reference for Service Registry Permissions Weakness Mitigation - T1058 in MISP communities and other software using the MISP galaxy

External references

• http://blog.jpcert.or.jp/2016/01/windows-commands-abused-by-attackers.html - webarchive
• http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599 - webarchive
• https://apps.nsa.gov/iaarchive/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm - webarchive
• https://attack.mitre.org/mitigations/T1058 - webarchive

Associated metadata

Metadata key	Value
external_id	T1058

Indicator Removal from Tools Mitigation - T1066

Mitigation is difficult in instances like this because the adversary may have access to the system through another channel and can learn what techniques or tools are blocked by resident defenses. Exercising best practices with configuration and security as well as ensuring that proper process is followed during investigation of potential compromise is essential to detecting a larger intrusion through discrete alerts.

Identify and block potentially malicious software that may be used by an adversary by using whitelisting (Citation: Beechey 2010) tools like AppLocker (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) or Software Restriction Policies (Citation: Corio 2008) where appropriate. (Citation: TechNet Applocker vs SRP)

Internal MISP references

UUID 4b998a71-7b8f-4dcc-8f3f-277f2e740271 which can be used as unique global reference for Indicator Removal from Tools Mitigation - T1066 in MISP communities and other software using the MISP galaxy

External references

• http://technet.microsoft.com/en-us/magazine/2008.06.srp.aspx - webarchive
• http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599 - webarchive
• https://attack.mitre.org/mitigations/T1066 - webarchive
• https://blogs.jpcert.or.jp/en/2016/01/windows-commands-abused-by-attackers.html - webarchive
• https://technet.microsoft.com/en-us/library/ee791851.aspx - webarchive
• https://www.iad.gov/iad/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm - webarchive

Associated metadata

Metadata key	Value
external_id	T1066

Exploitation for Privilege Escalation Mitigation - T1068

Update software regularly by employing patch management for internal enterprise endpoints and servers. Develop a robust cyber threat intelligence capability to determine what types and levels of threat may use software exploits and 0-days against a particular organization. Make it difficult for adversaries to advance their operation through exploitation of undiscovered or unpatched vulnerabilities by using sandboxing, if available. Other types of virtualization and application microsegmentation may also mitigate the impact of some types of client-side exploitation. The risks of additional exploits and weaknesses in implementation may still exist. (Citation: Ars Technica Pwn2Own 2017 VM Escape)

Security applications that look for behavior used during exploitation such as Windows Defender Exploit Guard (WDEG) and the Enhanced Mitigation Experience Toolkit (EMET) can be used to mitigate some exploitation behavior. (Citation: TechNet Moving Beyond EMET) Control flow integrity checking is another way to potentially identify and stop a software exploit from occurring. (Citation: Wikipedia Control Flow Integrity) Many of these protections depend on the architecture and target application binary for compatibility and may not work for software components targeted for privilege escalation.

Internal MISP references

UUID 92e6d080-ca3f-4f95-bc45-172a32c4e502 which can be used as unique global reference for Exploitation for Privilege Escalation Mitigation - T1068 in MISP communities and other software using the MISP galaxy

External references

• https://arstechnica.com/information-technology/2017/03/hack-that-escapes-vm-by-exploiting-edge-browser-fetches-105000-at-pwn2own/ - webarchive
• https://attack.mitre.org/mitigations/T1068 - webarchive
• https://blogs.technet.microsoft.com/srd/2017/08/09/moving-beyond-emet-ii-windows-defender-exploit-guard/ - webarchive
• https://en.wikipedia.org/wiki/Control-flow_integrity - webarchive

Associated metadata

Metadata key	Value
external_id	T1068

Bypass User Account Control Mitigation - T1088

Remove users from the local administrator group on systems. Although UAC bypass techniques exist, it is still prudent to use the highest enforcement level for UAC when possible and mitigate bypass opportunities that exist with techniques such as DLL Search Order Hijacking.

Check for common UAC bypass weaknesses on Windows systems to be aware of the risk posture and address issues where appropriate. (Citation: Github UACMe)

Internal MISP references

UUID beb45abb-11e8-4aef-9778-1f9ac249784f which can be used as unique global reference for Bypass User Account Control Mitigation - T1088 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/mitigations/T1088 - webarchive
• https://github.com/hfiref0x/UACME - webarchive

Associated metadata

Metadata key	Value
external_id	T1088

Exploitation for Defense Evasion Mitigation - T1211

Update software regularly by employing patch management for internal enterprise endpoints and servers. Develop a robust cyber threat intelligence capability to determine what types and levels of threat may use software exploits and 0-days against a particular organization. Make it difficult for adversaries to advance their operation through exploitation of undiscovered or unpatched vulnerabilities by using sandboxing, if available. Other types of virtualization and application microsegmentation may also mitigate the impact of some types of exploitation. The risks of additional exploits and weaknesses in implementation may still exist. (Citation: Ars Technica Pwn2Own 2017 VM Escape)

Security applications that look for behavior used during exploitation such as Windows Defender Exploit Guard (WDEG) and the Enhanced Mitigation Experience Toolkit (EMET) can be used to mitigate some exploitation behavior. (Citation: TechNet Moving Beyond EMET) Control flow integrity checking is another way to potentially identify and stop a software exploit from occurring. (Citation: Wikipedia Control Flow Integrity) Many of these protections depend on the architecture and target application binary for compatibility and may not work for software targeted for defense evasion.

Internal MISP references

UUID 37a3f3f5-76e6-43fe-b935-f1f494c95725 which can be used as unique global reference for Exploitation for Defense Evasion Mitigation - T1211 in MISP communities and other software using the MISP galaxy

External references

• https://arstechnica.com/information-technology/2017/03/hack-that-escapes-vm-by-exploiting-edge-browser-fetches-105000-at-pwn2own/ - webarchive
• https://attack.mitre.org/mitigations/T1211 - webarchive
• https://blogs.technet.microsoft.com/srd/2017/08/09/moving-beyond-emet-ii-windows-defender-exploit-guard/ - webarchive
• https://en.wikipedia.org/wiki/Control-flow_integrity - webarchive

Associated metadata

Metadata key	Value
external_id	T1211

Extra Window Memory Injection Mitigation - T1181

This type of attack technique cannot be easily mitigated with preventive controls since it is based on the abuse of operating system design features. For example, mitigating specific API calls will likely have unintended side effects, such as preventing legitimate software (i.e., security products) from operating properly. Efforts should be focused on preventing adversary tools from running earlier in the chain of activity and on identifying subsequent malicious behavior.

Although EWM injection may be used to evade certain types of defenses, it is still good practice to identify potentially malicious software that may be used to perform adversarial actions and audit and/or block it by using whitelisting (Citation: Beechey 2010) tools, like AppLocker, (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) or Software Restriction Policies (Citation: Corio 2008) where appropriate. (Citation: TechNet Applocker vs SRP)

Internal MISP references

UUID cba5667e-e3c6-44a4-811c-266dbc00e440 which can be used as unique global reference for Extra Window Memory Injection Mitigation - T1181 in MISP communities and other software using the MISP galaxy

External references

• http://technet.microsoft.com/en-us/magazine/2008.06.srp.aspx - webarchive
• http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599 - webarchive
• https://apps.nsa.gov/iaarchive/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm - webarchive
• https://attack.mitre.org/mitigations/T1181 - webarchive
• https://blogs.jpcert.or.jp/en/2016/01/windows-commands-abused-by-attackers.html - webarchive
• https://technet.microsoft.com/en-us/library/ee791851.aspx - webarchive

Associated metadata

Metadata key	Value
external_id	T1181

Exploitation for Credential Access Mitigation - T1212

Update software regularly by employing patch management for internal enterprise endpoints and servers. Develop a robust cyber threat intelligence capability to determine what types and levels of threat may use software exploits and 0-days against a particular organization. Make it difficult for adversaries to advance their operation through exploitation of undiscovered or unpatched vulnerabilities by using sandboxing, if available. Other types of virtualization and application microsegmentation may also mitigate the impact of some types of exploitation. The risks of additional exploits and weaknesses in implementation may still exist. (Citation: Ars Technica Pwn2Own 2017 VM Escape)

Security applications that look for behavior used during exploitation such as Windows Defender Exploit Guard (WDEG) and the Enhanced Mitigation Experience Toolkit (EMET) can be used to mitigate some exploitation behavior. (Citation: TechNet Moving Beyond EMET) Control flow integrity checking is another way to potentially identify and stop a software exploit from occurring. (Citation: Wikipedia Control Flow Integrity) Many of these protections depend on the architecture and target application binary for compatibility and may not work for software targeted for defense evasion.

Internal MISP references

UUID 06160d81-62be-46e5-aa37-4b9c645ffa31 which can be used as unique global reference for Exploitation for Credential Access Mitigation - T1212 in MISP communities and other software using the MISP galaxy

External references

• https://arstechnica.com/information-technology/2017/03/hack-that-escapes-vm-by-exploiting-edge-browser-fetches-105000-at-pwn2own/ - webarchive
• https://attack.mitre.org/mitigations/T1212 - webarchive
• https://blogs.technet.microsoft.com/srd/2017/08/09/moving-beyond-emet-ii-windows-defender-exploit-guard/ - webarchive
• https://en.wikipedia.org/wiki/Control-flow_integrity - webarchive

Associated metadata

Metadata key	Value
external_id	T1212

Component Object Model Hijacking Mitigation - T1122

Direct mitigation of this technique may not be recommended for a particular environment since COM objects are a legitimate part of the operating system and installed software. Blocking COM object changes may have unforeseen side effects to legitimate functionality.

Instead, identify and block potentially malicious software that may execute, or be executed by, this technique using whitelisting (Citation: Beechey 2010) tools, like AppLocker, (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) or Software Restriction Policies (Citation: Corio 2008) where appropriate. (Citation: TechNet Applocker vs SRP)

Internal MISP references

UUID ff5d862a-ae6b-4833-8c15-e235d654d28e which can be used as unique global reference for Component Object Model Hijacking Mitigation - T1122 in MISP communities and other software using the MISP galaxy

External references

• http://blog.jpcert.or.jp/2016/01/windows-commands-abused-by-attackers.html - webarchive
• http://technet.microsoft.com/en-us/magazine/2008.06.srp.aspx - webarchive
• http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599 - webarchive
• https://apps.nsa.gov/iaarchive/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm - webarchive
• https://attack.mitre.org/mitigations/T1122 - webarchive
• https://technet.microsoft.com/en-us/library/ee791851.aspx - webarchive

Associated metadata

Metadata key	Value
external_id	T1122

Data from Information Repositories Mitigation - T1213

To mitigate adversary access to information repositories for collection:

• Develop and publish policies that define acceptable information to be stored
• Appropriate implementation of access control mechanisms that include both authentication and appropriate authorization
• Enforce the principle of least-privilege
• Periodic privilege review of accounts
• Mitigate access to Valid Accounts that may be used to access repositories

Internal MISP references

UUID 13cad982-35e3-4340-9095-7124b653df4b which can be used as unique global reference for Data from Information Repositories Mitigation - T1213 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/mitigations/T1213 - webarchive

Associated metadata

Metadata key	Value
external_id	T1213

Kernel Modules and Extensions Mitigation - T1215

Common tools for detecting Linux rootkits include: rkhunter (Citation: SourceForge rkhunter), chrootkit (Citation: Chkrootkit Main), although rootkits may be designed to evade certain detection tools.

LKMs and Kernel extensions require root level permissions to be installed. Limit access to the root account and prevent users from loading kernel modules and extensions through proper privilege separation and limiting Privilege Escalation opportunities.

Application whitelisting and software restriction tools, such as SELinux, can also aide in restricting kernel module loading. (Citation: Kernel.org Restrict Kernel Module)

Internal MISP references

UUID 44155d14-ca75-4fdf-b033-ab3d732e2884 which can be used as unique global reference for Kernel Modules and Extensions Mitigation - T1215 in MISP communities and other software using the MISP galaxy

External references

• http://rkhunter.sourceforge.net - webarchive
• http://www.chkrootkit.org/ - webarchive
• https://attack.mitre.org/mitigations/T1215 - webarchive
• https://patchwork.kernel.org/patch/8754821/ - webarchive

Associated metadata

Metadata key	Value
external_id	T1215

Network Share Connection Removal Mitigation - T1126

Follow best practices for mitigation of activity related to establishing Windows Admin Shares.

Identify unnecessary system utilities or potentially malicious software that may be used to leverage network shares, and audit and/or block them by using whitelisting (Citation: Beechey 2010) tools, like AppLocker, (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) or Software Restriction Policies (Citation: Corio 2008) where appropriate. (Citation: TechNet Applocker vs SRP)

Internal MISP references

UUID 94e95eeb-7cdb-4bd7-afba-f32fda303dbb which can be used as unique global reference for Network Share Connection Removal Mitigation - T1126 in MISP communities and other software using the MISP galaxy

External references

• http://blog.jpcert.or.jp/2016/01/windows-commands-abused-by-attackers.html - webarchive
• http://technet.microsoft.com/en-us/magazine/2008.06.srp.aspx - webarchive
• http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599 - webarchive
• https://apps.nsa.gov/iaarchive/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm - webarchive
• https://attack.mitre.org/mitigations/T1126 - webarchive
• https://technet.microsoft.com/en-us/library/ee791851.aspx - webarchive

Associated metadata

Metadata key	Value
external_id	T1126

Signed Script Proxy Execution Mitigation - T1216

Certain signed scripts that can be used to execute other programs may not be necessary within a given environment. Use application whitelisting configured to block execution of these scripts if they are not required for a given system or network to prevent potential misuse by adversaries.

Internal MISP references

UUID 51048ba0-a5aa-41e7-bf5d-993cd217dfb2 which can be used as unique global reference for Signed Script Proxy Execution Mitigation - T1216 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/mitigations/T1216 - webarchive

Associated metadata

Metadata key	Value
external_id	T1216

Execution through Module Load Mitigation - T1129

Directly mitigating module loads and API calls related to module loads will likely have unintended side effects, such as preventing legitimate software from operating properly. Efforts should be focused on preventing adversary tools from running earlier in the chain of activity and on identifying and correlated subsequent behavior to determine if it is the result of malicious activity.

Internal MISP references

UUID cfd2cd3b-93e7-4b3e-ab46-f8bcafdbdfcf which can be used as unique global reference for Execution through Module Load Mitigation - T1129 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/mitigations/T1129 - webarchive

Associated metadata

Metadata key	Value
external_id	T1129

Distributed Component Object Model Mitigation - T1175

Modify Registry settings (directly or using Dcomcnfg.exe) in HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID{AppID_GUID} associated with the process-wide security of individual COM applications. (Citation: Microsoft Process Wide Com Keys)

Modify Registry settings (directly or using Dcomcnfg.exe) in HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole associated with system-wide security defaults for all COM applications that do no set their own process-wide security. (Citation: Microsoft System Wide Com Keys) (Citation: Microsoft COM ACL)

Consider disabling DCOM through Dcomcnfg.exe. (Citation: Microsoft Disable DCOM)

Enable Windows firewall, which prevents DCOM instantiation by default.

Ensure all COM alerts and Protected View are enabled. (Citation: Microsoft Protected View)

Internal MISP references

UUID 910482b1-6749-4934-abcb-3e34d58294fc which can be used as unique global reference for Distributed Component Object Model Mitigation - T1175 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/mitigations/T1175 - webarchive
• https://docs.microsoft.com/en-us/windows/desktop/com/dcom-security-enhancements-in-windows-xp-service-pack-2-and-windows-server-2003-service-pack-1 - webarchive
• https://msdn.microsoft.com/en-us/library/windows/desktop/ms687317(v=vs.85).aspx - webarchive
• https://msdn.microsoft.com/en-us/library/windows/desktop/ms694331(v=vs.85).aspx - webarchive
• https://support.office.com/en-us/article/What-is-Protected-View-d6f09ac7-e6b9-4495-8e43-2bbcdbcb6653 - webarchive
• https://technet.microsoft.com/library/cc771387.aspx - webarchive

Associated metadata

Metadata key	Value
external_id	T1175

Man in the Browser Mitigation - T1185

Since browser pivoting requires a high integrity process to launch from, restricting user permissions and addressing Privilege Escalation and Bypass User Account Control opportunities can limit the exposure to this technique.

Close all browser sessions regularly and when they are no longer needed.

Internal MISP references

UUID 94f6b4f5-b528-4f50-91d5-f66457c2f8f7 which can be used as unique global reference for Man in the Browser Mitigation - T1185 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/mitigations/T1185 - webarchive

Associated metadata

Metadata key	Value
external_id	T1185

Hidden Files and Directories Mitigation - T1158

Mitigation of this technique may be difficult and unadvised due to the the legitimate use of hidden files and directories.

Internal MISP references

UUID 84d633a4-dd93-40ca-8510-40238c021931 which can be used as unique global reference for Hidden Files and Directories Mitigation - T1158 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/mitigations/T1158 - webarchive

Associated metadata

Metadata key	Value
external_id	T1158

Data Encrypted for Impact Mitigation - T1486

Consider implementing IT disaster recovery plans that contain procedures for regularly taking and testing data backups that can be used to restore organizational data.(Citation: Ready.gov IT DRP)

In some cases, the means to decrypt files affected by a ransomware campaign is released to the public. Research trusted sources for public releases of decryptor tools/keys to reverse the effects of ransomware.

Identify potentially malicious software and audit and/or block it by using whitelisting(Citation: Beechey 2010) tools, like AppLocker,(Citation: Windows Commands JPCERT)(Citation: NSA MS AppLocker) or Software Restriction Policies(Citation: Corio 2008) where appropriate.(Citation: TechNet Applocker vs SRP)

Internal MISP references

UUID 429a5c0c-e132-45c0-a4aa-c1f736c92a1c which can be used as unique global reference for Data Encrypted for Impact Mitigation - T1486 in MISP communities and other software using the MISP galaxy

External references

• http://technet.microsoft.com/en-us/magazine/2008.06.srp.aspx - webarchive
• http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599 - webarchive
• https://apps.nsa.gov/iaarchive/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm - webarchive
• https://attack.mitre.org/mitigations/T1486 - webarchive
• https://blogs.jpcert.or.jp/en/2016/01/windows-commands-abused-by-attackers.html - webarchive
• https://technet.microsoft.com/en-us/library/ee791851.aspx - webarchive
• https://www.ready.gov/business/implementation/IT - webarchive

Associated metadata

Metadata key	Value
external_id	T1486

Network Denial of Service Mitigation - T1498

When flood volumes exceed the capacity of the network connection being targeted, it is typically necessary to intercept the incoming traffic upstream to filter out the attack traffic from the legitimate traffic. Such defenses can be provided by the hosting Internet Service Provider (ISP) or by a 3rd party such as a Content Delivery Network (CDN) or providers specializing in DoS mitigations.(Citation: CERT-EU DDoS March 2017)

Depending on flood volume, on-premises filtering may be possible by blocking source addresses sourcing the attack, blocking ports that are being targeted, or blocking protocols being used for transport.(Citation: CERT-EU DDoS March 2017)

As immediate response may require rapid engagement of 3rd parties, analyze the risk associated to critical resources being affected by Network DoS attacks and create a disaster recovery plan/business continuity plan to respond to incidents.(Citation: CERT-EU DDoS March 2017)

Internal MISP references

UUID 654addf1-47ab-410a-8578-e1a0dc2a49b8 which can be used as unique global reference for Network Denial of Service Mitigation - T1498 in MISP communities and other software using the MISP galaxy

External references

• http://cert.europa.eu/static/WhitePapers/CERT-EU_Security_Whitepaper_DDoS_17-003.pdf - webarchive
• https://attack.mitre.org/mitigations/T1498 - webarchive

Associated metadata

Metadata key	Value
external_id	T1498

Endpoint Denial of Service Mitigation - T1499

Leverage services provided by Content Delivery Networks (CDN) or providers specializing in DoS mitigations to filter traffic upstream from services.(Citation: CERT-EU DDoS March 2017) Filter boundary traffic by blocking source addresses sourcing the attack, blocking ports that are being targeted, or blocking protocols being used for transport. To defend against SYN floods, enable SYN Cookies.

Internal MISP references

UUID 82c21600-ccb6-4232-8c04-ef3792b56628 which can be used as unique global reference for Endpoint Denial of Service Mitigation - T1499 in MISP communities and other software using the MISP galaxy

External references

• http://cert.europa.eu/static/WhitePapers/CERT-EU_Security_Whitepaper_DDoS_17-003.pdf - webarchive
• https://attack.mitre.org/mitigations/T1499 - webarchive

Associated metadata

Metadata key	Value
external_id	T1499

Exploit Public-Facing Application Mitigation - T1190

Application isolation and least privilege help lesson the impact of an exploit. Application isolation will limit what other processes and system features the exploited target can access, and least privilege for service accounts will limit what permissions the exploited process gets on the rest of the system. Web Application Firewalls may be used to limit exposure of applications.

Segment externally facing servers and services from the rest of the network with a DMZ or on separate hosting infrastructure.

Use secure coding best practices when designing custom software that is meant for deployment to externally facing systems. Avoid issues documented by OWASP, CWE, and other software weakness identification efforts.

Regularly scan externally facing systems for vulnerabilities and establish procedures to rapidly patch systems when critical vulnerabilities are discovered through scanning and through public disclosure.

Internal MISP references

UUID 65da1eb6-d35d-4853-b280-98a76c0aef53 which can be used as unique global reference for Exploit Public-Facing Application Mitigation - T1190 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/mitigations/T1190 - webarchive

Associated metadata

Metadata key	Value
external_id	T1190

Two-Factor Authentication Interception Mitigation - T1111

Remove smart cards when not in use. Protect devices and services used to transmit and receive out-of-band codes.

Identify and block potentially malicious software that may be used to intercept 2FA credentials on a system by using whitelisting (Citation: Beechey 2010) tools, like AppLocker, (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) or Software Restriction Policies (Citation: Corio 2008) where appropriate. (Citation: TechNet Applocker vs SRP)

Internal MISP references

UUID e8d22ec6-2236-48de-954b-974d17492782 which can be used as unique global reference for Two-Factor Authentication Interception Mitigation - T1111 in MISP communities and other software using the MISP galaxy

External references

• http://blog.jpcert.or.jp/2016/01/windows-commands-abused-by-attackers.html - webarchive
• http://technet.microsoft.com/en-us/magazine/2008.06.srp.aspx - webarchive
• http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599 - webarchive
• https://apps.nsa.gov/iaarchive/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm - webarchive
• https://attack.mitre.org/mitigations/T1111 - webarchive
• https://technet.microsoft.com/en-us/library/ee791851.aspx - webarchive

Associated metadata

Metadata key	Value
external_id	T1111

.bash_profile and .bashrc Mitigation - T1156

Making these files immutable and only changeable by certain administrators will limit the ability for adversaries to easily create user level persistence.

Internal MISP references

UUID 4f170666-7edb-4489-85c2-9affa28a72e0 which can be used as unique global reference for .bash_profile and .bashrc Mitigation - T1156 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/mitigations/T1156 - webarchive

Associated metadata

Metadata key	Value
external_id	T1156

System Owner/User Discovery Mitigation - T1033

Identify unnecessary system utilities or potentially malicious software that may be used to acquire information about system users, and audit and/or block them by using whitelisting (Citation: Beechey 2010) tools, like AppLocker, (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) or Software Restriction Policies (Citation: Corio 2008) where appropriate. (Citation: TechNet Applocker vs SRP)

Internal MISP references

UUID 16f144e4-c780-4ed2-98b4-55d14e2dfa44 which can be used as unique global reference for System Owner/User Discovery Mitigation - T1033 in MISP communities and other software using the MISP galaxy

External references

• http://technet.microsoft.com/en-us/magazine/2008.06.srp.aspx - webarchive
• http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599 - webarchive
• https://apps.nsa.gov/iaarchive/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm - webarchive
• https://attack.mitre.org/mitigations/T1033 - webarchive
• https://blogs.jpcert.or.jp/en/2016/01/windows-commands-abused-by-attackers.html - webarchive
• https://technet.microsoft.com/en-us/library/ee791851.aspx - webarchive

Associated metadata

Metadata key	Value
external_id	T1033

Application Window Discovery Mitigation - T1010

Identify unnecessary system utilities or potentially malicious software that may be used to acquire information, and audit and/or block them by using whitelisting (Citation: Beechey 2010) tools, like AppLocker, (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) or Software Restriction Policies (Citation: Corio 2008) where appropriate. (Citation: TechNet Applocker vs SRP)

Internal MISP references

UUID 25d5e1d8-c6fb-4735-bc57-115a21222f4b which can be used as unique global reference for Application Window Discovery Mitigation - T1010 in MISP communities and other software using the MISP galaxy

External references

• http://blog.jpcert.or.jp/2016/01/windows-commands-abused-by-attackers.html - webarchive
• http://technet.microsoft.com/en-us/magazine/2008.06.srp.aspx - webarchive
• http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599 - webarchive
• https://apps.nsa.gov/iaarchive/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm - webarchive
• https://attack.mitre.org/mitigations/T1010 - webarchive
• https://technet.microsoft.com/en-us/library/ee791851.aspx - webarchive

Associated metadata

Metadata key	Value
external_id	T1010

Behavior Prevention on Endpoint - M1040

Use capabilities to prevent suspicious behavior patterns from occurring on endpoint systems. This could include suspicious process, file, API call, etc. behavior.

Internal MISP references

UUID 90f39ee1-d5a3-4aaa-9f28-3b42815b0d46 which can be used as unique global reference for Behavior Prevention on Endpoint - M1040 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/mitigations/M1040 - webarchive

Associated metadata

Metadata key	Value
external_id	M1040

Related clusters

To see the related clusters, click here.

Winlogon Helper DLL Mitigation - T1004

Limit the privileges of user accounts so that only authorized administrators can perform Winlogon helper changes.

Identify and block potentially malicious software that may be executed through the Winlogon helper process by using whitelisting (Citation: Beechey 2010) tools like AppLocker (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) that are capable of auditing and/or blocking unknown DLLs.

Internal MISP references

UUID 313c8b20-4d49-40c1-9ac0-4c573aca28f3 which can be used as unique global reference for Winlogon Helper DLL Mitigation - T1004 in MISP communities and other software using the MISP galaxy

External references

• http://blog.jpcert.or.jp/2016/01/windows-commands-abused-by-attackers.html - webarchive
• http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599 - webarchive
• https://apps.nsa.gov/iaarchive/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm - webarchive
• https://attack.mitre.org/mitigations/T1004 - webarchive

Associated metadata

Metadata key	Value
external_id	T1004

Compile After Delivery Mitigation - T1500

This type of technique cannot be easily mitigated with preventive controls or patched since it is based on the abuse of operating system design features. For example, blocking all file compilation may have unintended side effects, such as preventing legitimate OS frameworks and code development mechanisms from operating properly. Consider removing compilers if not needed, otherwise efforts should be focused on preventing adversary tools from running earlier in the chain of activity and on identifying subsequent malicious behavior.

Identify unnecessary system utilities or potentially malicious software that may be used to decrypt, deobfuscate, decode, and compile files or information, and audit and/or block them by using whitelisting (Citation: Beechey 2010) tools, like AppLocker, (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) or Software Restriction Policies (Citation: Corio 2008) where appropriate. (Citation: TechNet Applocker vs SRP)

Internal MISP references

UUID ae56a49d-5281-45c5-ab95-70a1439c338e which can be used as unique global reference for Compile After Delivery Mitigation - T1500 in MISP communities and other software using the MISP galaxy

External references

• http://technet.microsoft.com/en-us/magazine/2008.06.srp.aspx - webarchive
• http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599 - webarchive
• https://apps.nsa.gov/iaarchive/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm - webarchive
• https://attack.mitre.org/mitigations/T1500 - webarchive
• https://blogs.jpcert.or.jp/en/2016/01/windows-commands-abused-by-attackers.html - webarchive
• https://technet.microsoft.com/en-us/library/ee791851.aspx - webarchive

Associated metadata

Metadata key	Value
external_id	T1500

Use Recent OS Version - M1006

New mobile operating system versions bring not only patches against discovered vulnerabilities but also often bring security architecture improvements that provide resilience against potential vulnerabilities or weaknesses that have not yet been discovered. They may also bring improvements that block use of observed adversary techniques.

Internal MISP references

UUID 0beabf44-e8d8-4ae4-9122-ef56369a2564 which can be used as unique global reference for Use Recent OS Version - M1006 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/mitigations/M1006 - webarchive

Associated metadata

Metadata key	Value
external_id	M1006

Related clusters

To see the related clusters, click here.

System Service Discovery Mitigation - T1007

Identify unnecessary system utilities or potentially malicious software that may be used to acquire information about services, and audit and/or block them by using whitelisting (Citation: Beechey 2010) tools, like AppLocker, (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) or Software Restriction Policies (Citation: Corio 2008) where appropriate. (Citation: TechNet Applocker vs SRP)

Internal MISP references

UUID d8787791-d22e-45bb-a9a8-251d8d0a1ff2 which can be used as unique global reference for System Service Discovery Mitigation - T1007 in MISP communities and other software using the MISP galaxy

External references

• http://blog.jpcert.or.jp/2016/01/windows-commands-abused-by-attackers.html - webarchive
• http://technet.microsoft.com/en-us/magazine/2008.06.srp.aspx - webarchive
• http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599 - webarchive
• https://apps.nsa.gov/iaarchive/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm - webarchive
• https://attack.mitre.org/mitigations/T1007 - webarchive
• https://technet.microsoft.com/en-us/library/ee791851.aspx - webarchive

Associated metadata

Metadata key	Value
external_id	T1007

Taint Shared Content Mitigation - T1080

Protect shared folders by minimizing users who have write access. Use utilities that detect or mitigate common features used in exploitation, such as the Microsoft Enhanced Mitigation Experience Toolkit (EMET).

Reduce potential lateral movement risk by using web-based document management and collaboration services that do not use network file and directory sharing.

Identify potentially malicious software that may be used to taint content or may result from it and audit and/or block the unknown programs by using whitelisting (Citation: Beechey 2010) tools, like AppLocker, (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) or Software Restriction Policies (Citation: Corio 2008) where appropriate. (Citation: TechNet Applocker vs SRP)

Internal MISP references

UUID f0a42cad-9b1f-44da-a672-718f18381018 which can be used as unique global reference for Taint Shared Content Mitigation - T1080 in MISP communities and other software using the MISP galaxy

External references

• http://technet.microsoft.com/en-us/magazine/2008.06.srp.aspx - webarchive
• http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599 - webarchive
• https://attack.mitre.org/mitigations/T1080 - webarchive
• https://blogs.jpcert.or.jp/en/2016/01/windows-commands-abused-by-attackers.html - webarchive
• https://technet.microsoft.com/en-us/library/ee791851.aspx - webarchive
• https://www.iad.gov/iad/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm - webarchive

Associated metadata

Metadata key	Value
external_id	T1080

Security Support Provider Mitigation - T1101

Windows 8.1, Windows Server 2012 R2, and later versions may make LSA run as a Protected Process Light (PPL) by setting the Registry key HKLM\SYSTEM\CurrentControlSet\Control\Lsa\RunAsPPL, which requires all SSP DLLs to be signed by Microsoft. (Citation: Graeber 2014) (Citation: Microsoft Configure LSA)

Internal MISP references

UUID 9e57c770-5a39-49a2-bb91-253ba629e3ac which can be used as unique global reference for Security Support Provider Mitigation - T1101 in MISP communities and other software using the MISP galaxy

External references

• http://docplayer.net/20839173-Analysis-of-malicious-security-support-provider-dlls.html - webarchive
• https://attack.mitre.org/mitigations/T1101 - webarchive
• https://technet.microsoft.com/en-us/library/dn408187.aspx - webarchive

Associated metadata

Metadata key	Value
external_id	T1101

Peripheral Device Discovery Mitigation - T1120

Identify unnecessary system utilities or potentially malicious software that may be used to acquire information about peripheral devices, and audit and/or block them by using whitelisting (Citation: Beechey 2010) tools, like AppLocker, (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) or Software Restriction Policies (Citation: Corio 2008) where appropriate. (Citation: TechNet Applocker vs SRP)

Internal MISP references

UUID 1881da33-fdf2-4eea-afd0-e04caf9c000f which can be used as unique global reference for Peripheral Device Discovery Mitigation - T1120 in MISP communities and other software using the MISP galaxy

External references

• http://blog.jpcert.or.jp/2016/01/windows-commands-abused-by-attackers.html - webarchive
• http://technet.microsoft.com/en-us/magazine/2008.06.srp.aspx - webarchive
• http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599 - webarchive
• https://apps.nsa.gov/iaarchive/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm - webarchive
• https://attack.mitre.org/mitigations/T1120 - webarchive
• https://technet.microsoft.com/en-us/library/ee791851.aspx - webarchive

Associated metadata

Metadata key	Value
external_id	T1120

Password Policy Discovery Mitigation - T1201

Mitigating discovery of password policies is not advised since the information is required to be known by systems and users of a network. Ensure password policies are such that they mitigate brute force attacks yet will not give an adversary an information advantage because the policies are too light. Active Directory is a common way to set and enforce password policies throughout an enterprise network. (Citation: Microsoft Password Complexity)

Internal MISP references

UUID 49961e75-b493-423a-9ec7-ac2d6f55384a which can be used as unique global reference for Password Policy Discovery Mitigation - T1201 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/mitigations/T1201 - webarchive
• https://docs.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/password-must-meet-complexity-requirements - webarchive

Associated metadata

Metadata key	Value
external_id	T1201

Install Root Certificate Mitigation - T1130

HTTP Public Key Pinning (HPKP) is one method to mitigate potential man-in-the-middle situations where and adversary uses a mis-issued or fraudulent certificate to intercept encrypted communications by enforcing use of an expected certificate. (Citation: Wikipedia HPKP)

Windows Group Policy can be used to manage root certificates and the Flags value of HKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Root\ProtectedRoots can be set to 1 to prevent non-administrator users from making further root installations into their own HKCU certificate store. (Citation: SpectorOps Code Signing Dec 2017)

Internal MISP references

UUID 23061b40-a7b6-454f-8950-95d5ff80331c which can be used as unique global reference for Install Root Certificate Mitigation - T1130 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/mitigations/T1130 - webarchive
• https://en.wikipedia.org/wiki/HTTP_Public_Key_Pinning - webarchive
• https://posts.specterops.io/code-signing-certificate-cloning-attacks-and-defenses-6f98657fc6ec - webarchive

Associated metadata

Metadata key	Value
external_id	T1130

Modify Existing Service Mitigation - T1031

Use auditing tools capable of detecting privilege and service abuse opportunities on systems within an enterprise and correct them. Limit privileges of user accounts and groups so that only authorized administrators can interact with service changes and service configurations. Toolkits like the PowerSploit framework contain the PowerUp modules that can be used to explore systems for Privilege Escalation weaknesses. (Citation: Powersploit)

Identify and block potentially malicious software that may be executed through service abuse by using whitelisting (Citation: Beechey 2010) tools like AppLocker (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) that are capable of auditing and/or blocking unknown programs.

Internal MISP references

UUID fe0aeb41-1a51-4152-8467-628256ea6adf which can be used as unique global reference for Modify Existing Service Mitigation - T1031 in MISP communities and other software using the MISP galaxy

External references

• http://blog.jpcert.or.jp/2016/01/windows-commands-abused-by-attackers.html - webarchive
• http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599 - webarchive
• https://apps.nsa.gov/iaarchive/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm - webarchive
• https://attack.mitre.org/mitigations/T1031 - webarchive
• https://github.com/mattifestation/PowerSploit - webarchive

Associated metadata

Metadata key	Value
external_id	T1031

Remote File Copy Mitigation - T1105

Network intrusion detection and prevention systems that use network signatures to identify traffic for specific adversary malware or unusual data transfer over known tools and protocols like FTP can be used to mitigate activity at the network level. Signatures are often for unique indicators within protocols and may be based on the specific obfuscation technique used by a particular adversary or tool, and will likely be different across various malware families and versions. Adversaries will likely change tool C2 signatures over time or construct protocols in such a way as to avoid detection by common defensive tools. (Citation: University of Birmingham C2)

Internal MISP references

UUID cdecc44a-1dbf-4c1f-881c-f21e3f47272a which can be used as unique global reference for Remote File Copy Mitigation - T1105 in MISP communities and other software using the MISP galaxy

External references

• https://arxiv.org/ftp/arxiv/papers/1408/1408.1136.pdf - webarchive
• https://attack.mitre.org/mitigations/T1105 - webarchive

Associated metadata

Metadata key	Value
external_id	T1105

Graphical User Interface Mitigation - T1061

Prevent adversaries from gaining access to credentials through Credential Access that can be used to log into remote desktop sessions on systems.

Identify unnecessary system utilities, third-party tools, or potentially malicious software that may be used to log into remote interactive sessions, and audit and/or block them by using whitelisting (Citation: Beechey 2010) tools, like AppLocker (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) and Software Restriction Policies (Citation: Corio 2008) where appropriate. (Citation: TechNet Applocker vs SRP)

Internal MISP references

UUID aaa92b37-f96c-4a0a-859c-b1cb6faeb13d which can be used as unique global reference for Graphical User Interface Mitigation - T1061 in MISP communities and other software using the MISP galaxy

External references

• http://technet.microsoft.com/en-us/magazine/2008.06.srp.aspx - webarchive
• http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599 - webarchive
• https://apps.nsa.gov/iaarchive/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm - webarchive
• https://attack.mitre.org/mitigations/T1061 - webarchive
• https://blogs.jpcert.or.jp/en/2016/01/windows-commands-abused-by-attackers.html - webarchive
• https://technet.microsoft.com/en-us/library/ee791851.aspx - webarchive

Associated metadata

Metadata key	Value
external_id	T1061

Application Deployment Software Mitigation - T1017

Grant access to application deployment systems only to a limited number of authorized administrators. Ensure proper system and access isolation for critical network systems through use of firewalls, account privilege separation, group policy, and multifactor authentication. Verify that account credentials that may be used to access deployment systems are unique and not used throughout the enterprise network. Patch deployment systems regularly to prevent potential remote access through Exploitation for Privilege Escalation.

If the application deployment system can be configured to deploy only signed binaries, then ensure that the trusted signing certificates are not co-located with the application deployment system and are instead located on a system that cannot be accessed remotely or to which remote access is tightly controlled.

Internal MISP references

UUID c88151a5-fe3f-4773-8147-d801587065a4 which can be used as unique global reference for Application Deployment Software Mitigation - T1017 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/mitigations/T1017 - webarchive

Associated metadata

Metadata key	Value
external_id	T1017

Credentials in Files Mitigation - T1081

Establish an organizational policy that prohibits password storage in files. Ensure that developers and system administrators are aware of the risk associated with having plaintext passwords in software configuration files that may be left on endpoint systems or servers. Preemptively search for files containing passwords and remove when found. Restrict file shares to specific directories with access only to necessary users. Remove vulnerable Group Policy Preferences. (Citation: Microsoft MS14-025)

Internal MISP references

UUID 0472af99-f25c-4abe-9fce-010fa3450e72 which can be used as unique global reference for Credentials in Files Mitigation - T1081 in MISP communities and other software using the MISP galaxy

External references

• http://support.microsoft.com/kb/2962486 - webarchive
• https://attack.mitre.org/mitigations/T1081 - webarchive

Associated metadata

Metadata key	Value
external_id	T1081

Remote System Discovery Mitigation - T1018

Identify unnecessary system utilities or potentially malicious software that may be used to acquire information on remotely available systems, and audit and/or block them by using whitelisting (Citation: Beechey 2010) tools, like AppLocker, (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) or Software Restriction Policies (Citation: Corio 2008) where appropriate. (Citation: TechNet Applocker vs SRP)

Internal MISP references

UUID 9a902722-cecd-4fbe-a6c9-49333aa0f8c2 which can be used as unique global reference for Remote System Discovery Mitigation - T1018 in MISP communities and other software using the MISP galaxy

External references

• http://blog.jpcert.or.jp/2016/01/windows-commands-abused-by-attackers.html - webarchive
• http://technet.microsoft.com/en-us/magazine/2008.06.srp.aspx - webarchive
• http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599 - webarchive
• https://apps.nsa.gov/iaarchive/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm - webarchive
• https://attack.mitre.org/mitigations/T1018 - webarchive
• https://technet.microsoft.com/en-us/library/ee791851.aspx - webarchive

Associated metadata

Metadata key	Value
external_id	T1018

Indirect Command Execution Mitigation - T1202

Identify or block potentially malicious software that may contain abusive functionality by using whitelisting (Citation: Beechey 2010) tools, like AppLocker, (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) or Software Restriction Policies (Citation: Corio 2008) where appropriate. (Citation: TechNet Applocker vs SRP). These mechanisms can also be used to disable and/or limit user access to Windows utilities and file types/locations used to invoke malicious execution.(Citation: SpectorOPs SettingContent-ms Jun 2018)

Internal MISP references

UUID 1e614ba5-2fc5-4464-b512-2ceafb14d76d which can be used as unique global reference for Indirect Command Execution Mitigation - T1202 in MISP communities and other software using the MISP galaxy

External references

• http://technet.microsoft.com/en-us/magazine/2008.06.srp.aspx - webarchive
• http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599 - webarchive
• https://apps.nsa.gov/iaarchive/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm - webarchive
• https://attack.mitre.org/mitigations/T1202 - webarchive
• https://blogs.jpcert.or.jp/en/2016/01/windows-commands-abused-by-attackers.html - webarchive
• https://posts.specterops.io/the-tale-of-settingcontent-ms-files-f1ea253e4d39 - webarchive
• https://technet.microsoft.com/en-us/library/ee791851.aspx - webarchive

Associated metadata

Metadata key	Value
external_id	T1202

XSL Script Processing Mitigation - T1220

Windows Management Instrumentation and/or msxsl.exe may or may not be used within a given environment. Disabling WMI may cause system instability and should be evaluated to assess the impact to a network. If msxsl.exe is unnecessary, then block its execution to prevent abuse by adversaries.

Internal MISP references

UUID 7708ac15-4beb-4863-a1a5-da2d63fb8a3c which can be used as unique global reference for XSL Script Processing Mitigation - T1220 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/mitigations/T1220 - webarchive

Associated metadata

Metadata key	Value
external_id	T1220

Standard Cryptographic Protocol Mitigation - T1032

Network intrusion detection and prevention systems that use network signatures to identify traffic for specific adversary malware can be used to mitigate activity at the network level. Use of encryption protocols may make typical network-based C2 detection more difficult due to a reduced ability to signature the traffic. Prior knowledge of adversary C2 infrastructure may be useful for domain and IP address blocking, but will likely not be an effective long-term solution because adversaries can change infrastructure often. (Citation: University of Birmingham C2)

Internal MISP references

UUID a766ce73-5583-48f3-b7c0-0bb43c6ef8c7 which can be used as unique global reference for Standard Cryptographic Protocol Mitigation - T1032 in MISP communities and other software using the MISP galaxy

External references

• https://arxiv.org/ftp/arxiv/papers/1408/1408.1136.pdf - webarchive
• https://attack.mitre.org/mitigations/T1032 - webarchive

Associated metadata

Metadata key	Value
external_id	T1032

Custom Cryptographic Protocol Mitigation - T1024

Network intrusion detection and prevention systems that use network signatures to identify traffic for specific adversary malware can be used to mitigate activity at the network level. Since the custom protocol used may not adhere to typical protocol standards, there may be opportunities to signature the traffic on a network level for detection. Signatures are often for unique indicators within protocols and may be based on the specific protocol used by a particular adversary or tool, and will likely be different across various malware families and versions. Adversaries will likely change tool C2 signatures over time or construct protocols in such a way as to avoid detection by common defensive tools. (Citation: University of Birmingham C2)

Internal MISP references

UUID a569295c-a093-4db4-9fb4-7105edef85ad which can be used as unique global reference for Custom Cryptographic Protocol Mitigation - T1024 in MISP communities and other software using the MISP galaxy

External references

• https://arxiv.org/ftp/arxiv/papers/1408/1408.1136.pdf - webarchive
• https://attack.mitre.org/mitigations/T1024 - webarchive

Associated metadata

Metadata key	Value
external_id	T1024

System Information Discovery Mitigation - T1082

Identify unnecessary system utilities or potentially malicious software that may be used to acquire information about the operating system and underlying hardware, and audit and/or block them by using whitelisting (Citation: Beechey 2010) tools, like AppLocker, (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) or Software Restriction Policies (Citation: Corio 2008) where appropriate. (Citation: TechNet Applocker vs SRP)

Internal MISP references

UUID c620e3a1-fff5-424f-abea-d2b0f3616f67 which can be used as unique global reference for System Information Discovery Mitigation - T1082 in MISP communities and other software using the MISP galaxy

External references

• http://blog.jpcert.or.jp/2016/01/windows-commands-abused-by-attackers.html - webarchive
• http://technet.microsoft.com/en-us/magazine/2008.06.srp.aspx - webarchive
• http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599 - webarchive
• https://apps.nsa.gov/iaarchive/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm - webarchive
• https://attack.mitre.org/mitigations/T1082 - webarchive
• https://technet.microsoft.com/en-us/library/ee791851.aspx - webarchive

Associated metadata

Metadata key	Value
external_id	T1082

Windows Remote Management Mitigation - T1028

Disable the WinRM service. If the service is necessary, lock down critical enclaves with separate WinRM infrastructure, accounts, and permissions. Follow WinRM best practices on configuration of authentication methods and use of host firewalls to restrict WinRM access to allow communication only to/from specific devices. (Citation: NSA Spotting)

Internal MISP references

UUID 3e9f8875-d2f7-4380-a578-84393bd3b025 which can be used as unique global reference for Windows Remote Management Mitigation - T1028 in MISP communities and other software using the MISP galaxy

External references

• https://apps.nsa.gov/iaarchive/library/reports/spotting-the-adversary-with-windows-event-log-monitoring.cfm - webarchive
• https://attack.mitre.org/mitigations/T1028 - webarchive

Associated metadata

Metadata key	Value
external_id	T1028

Commonly Used Port Mitigation - T1043

Network intrusion detection and prevention systems that use network signatures to identify traffic for specific adversary malware can be used to mitigate activity at the network level. Signatures are often for unique indicators within protocols and may be based on the specific protocol used by a particular adversary or tool, and will likely be different across various malware families and versions. Adversaries will likely change tool C2 signatures over time or construct protocols in such a way as to avoid detection by common defensive tools. (Citation: University of Birmingham C2)

Internal MISP references

UUID 7c1796c7-9fc3-4c3e-9416-527295bf5d95 which can be used as unique global reference for Commonly Used Port Mitigation - T1043 in MISP communities and other software using the MISP galaxy

External references

• https://arxiv.org/ftp/arxiv/papers/1408/1408.1136.pdf - webarchive
• https://attack.mitre.org/mitigations/T1043 - webarchive

Associated metadata

Metadata key	Value
external_id	T1043

Security Software Discovery Mitigation - T1063

Identify unnecessary system utilities or potentially malicious software that may be used to acquire information about local security software, and audit and/or block them by using whitelisting (Citation: Beechey 2010) tools, like AppLocker, (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) or Software Restriction Policies (Citation: Corio 2008) where appropriate. (Citation: TechNet Applocker vs SRP)

Internal MISP references

UUID bd2554b8-634f-4434-a986-9b49c29da2ae which can be used as unique global reference for Security Software Discovery Mitigation - T1063 in MISP communities and other software using the MISP galaxy

External references

• http://technet.microsoft.com/en-us/magazine/2008.06.srp.aspx - webarchive
• http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599 - webarchive
• https://apps.nsa.gov/iaarchive/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm - webarchive
• https://attack.mitre.org/mitigations/T1063 - webarchive
• https://blogs.jpcert.or.jp/en/2016/01/windows-commands-abused-by-attackers.html - webarchive
• https://technet.microsoft.com/en-us/library/ee791851.aspx - webarchive

Associated metadata

Metadata key	Value
external_id	T1063

Network Service Scanning Mitigation - T1046

Use network intrusion detection/prevention systems to detect and prevent remote service scans. Ensure that unnecessary ports and services are closed and proper network segmentation is followed to protect critical servers and devices.

Identify unnecessary system utilities or potentially malicious software that may be used to acquire information about services running on remote systems, and audit and/or block them by using whitelisting (Citation: Beechey 2010) tools, like AppLocker, (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) or Software Restriction Policies (Citation: Corio 2008) where appropriate. (Citation: TechNet Applocker vs SRP)

Internal MISP references

UUID d256cb63-b021-4b4a-bb6d-1b42eea179a3 which can be used as unique global reference for Network Service Scanning Mitigation - T1046 in MISP communities and other software using the MISP galaxy

External references

• http://technet.microsoft.com/en-us/magazine/2008.06.srp.aspx - webarchive
• http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599 - webarchive
• https://apps.nsa.gov/iaarchive/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm - webarchive
• https://attack.mitre.org/mitigations/T1046 - webarchive
• https://blogs.jpcert.or.jp/en/2016/01/windows-commands-abused-by-attackers.html - webarchive
• https://technet.microsoft.com/en-us/library/ee791851.aspx - webarchive

Associated metadata

Metadata key	Value
external_id	T1046

Application Isolation and Sandboxing - M1048

Restrict execution of code to a virtual environment on or in transit to an endpoint system.

Internal MISP references

UUID b9f0c069-abbe-4a07-a245-2481219a1463 which can be used as unique global reference for Application Isolation and Sandboxing - M1048 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/mitigations/M1048 - webarchive

Associated metadata

Metadata key	Value
external_id	M1048

Related clusters

To see the related clusters, click here.

Inhibit System Recovery Mitigation - T1490

Consider technical controls to prevent the disabling of services or deletion of files involved in system recovery.

Consider implementing IT disaster recovery plans that contain procedures for taking regular data backups that can be used to restore organizational data.(Citation: Ready.gov IT DRP) Ensure backups are stored off system and is protected from common methods adversaries may use to gain access and destroy the backups to prevent recovery.

Identify potentially malicious software and audit and/or block it by using whitelisting(Citation: Beechey 2010) tools, like AppLocker,(Citation: Windows Commands JPCERT)(Citation: NSA MS AppLocker) or Software Restriction Policies(Citation: Corio 2008) where appropriate.(Citation: TechNet Applocker vs SRP)

Internal MISP references

UUID bb25b897-bfc7-4128-839d-52e9764dbfa6 which can be used as unique global reference for Inhibit System Recovery Mitigation - T1490 in MISP communities and other software using the MISP galaxy

External references

• http://blog.jpcert.or.jp/2016/01/windows-commands-abused-by-attackers.html - webarchive
• http://technet.microsoft.com/en-us/magazine/2008.06.srp.aspx - webarchive
• http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599 - webarchive
• https://apps.nsa.gov/iaarchive/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm - webarchive
• https://attack.mitre.org/mitigations/T1490 - webarchive
• https://technet.microsoft.com/en-us/library/ee791851.aspx - webarchive
• https://www.ready.gov/business/implementation/IT - webarchive

Associated metadata

Metadata key	Value
external_id	T1490

Uncommonly Used Port Mitigation - T1065

Properly configure firewalls and proxies to limit outgoing traffic to only necessary ports.

Network intrusion detection and prevention systems that use network signatures to identify traffic for specific adversary malware can be used to mitigate activity at the network level. Signatures are often for unique indicators within protocols and may be based on the specific protocol used by a particular adversary or tool, and will likely be different across various malware families and versions. Adversaries will likely change tool C2 signatures over time or construct protocols in such a way as to avoid detection by common defensive tools. (Citation: University of Birmingham C2)

Internal MISP references

UUID a0d8db1d-a731-4428-8209-c07175f4b1fe which can be used as unique global reference for Uncommonly Used Port Mitigation - T1065 in MISP communities and other software using the MISP galaxy

External references

• https://arxiv.org/ftp/arxiv/papers/1408/1408.1136.pdf - webarchive
• https://attack.mitre.org/mitigations/T1065 - webarchive

Associated metadata

Metadata key	Value
external_id	T1065

Pass the Hash Mitigation - T1075

Monitor systems and domain logs for unusual credential logon activity. Prevent access to Valid Accounts. Apply patch KB2871997 to Windows 7 and higher systems to limit the default access of accounts in the local administrator group.

Enable pass the hash mitigations to apply UAC restrictions to local accounts on network logon. The associated Registry key is located HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\LocalAccountTokenFilterPolicy Through GPO: Computer Configuration > [Policies] > Administrative Templates > SCM: Pass the Hash Mitigations: Apply UAC restrictions to local accounts on network logons. (Citation: GitHub IAD Secure Host Baseline UAC Filtering)

Limit credential overlap across systems to prevent the damage of credential compromise and reduce the adversary's ability to perform Lateral Movement between systems. Ensure that built-in and created local administrator accounts have complex, unique passwords. Do not allow a domain user to be in the local administrator group on multiple systems.

Internal MISP references

UUID bcee7b05-89a6-41a5-b7aa-fce4da7ede9e which can be used as unique global reference for Pass the Hash Mitigation - T1075 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/mitigations/T1075 - webarchive
• https://github.com/iadgov/Secure-Host-Baseline/blob/master/Windows/Group%20Policy%20Templates/en-US/SecGuide.adml - webarchive

Associated metadata

Metadata key	Value
external_id	T1075

Remote Desktop Protocol Mitigation - T1076

Disable the RDP service if it is unnecessary, remove unnecessary accounts and groups from Remote Desktop Users groups, and enable firewall rules to block RDP traffic between network security zones. Audit the Remote Desktop Users group membership regularly. Remove the local Administrators group from the list of groups allowed to log in through RDP. Limit remote user permissions if remote access is necessary. Use remote desktop gateways and multifactor authentication for remote logins. (Citation: Berkley Secure) Do not leave RDP accessible from the internet. Change GPOs to define shorter timeouts sessions and maximum amount of time any single session can be active. Change GPOs to specify the maximum amount of time that a disconnected session stays active on the RD session host server. (Citation: Windows RDP Sessions)

Internal MISP references

UUID 53b3b027-bed3-480c-9101-1247047d0fe6 which can be used as unique global reference for Remote Desktop Protocol Mitigation - T1076 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/mitigations/T1076 - webarchive
• https://security.berkeley.edu/node/94 - webarchive
• https://technet.microsoft.com/en-us/library/cc754272(v=ws.11).aspx - webarchive

Associated metadata

Metadata key	Value
external_id	T1076

NTFS File Attributes Mitigation - T1096

It may be difficult or inadvisable to block access to EA and ADSs. (Citation: Microsoft ADS Mar 2014) (Citation: Symantec ADS May 2009) Efforts should be focused on preventing potentially malicious software from running. Identify and block potentially malicious software that may contain functionality to hide information in EA and ADSs by using whitelisting (Citation: Beechey 2010) tools like AppLocker (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) or Software Restriction Policies (Citation: Corio 2008) where appropriate. (Citation: TechNet Applocker vs SRP)

Consider adjusting read and write permissions for NTFS EA, though this should be tested to ensure routine OS operations are not impeded. (Citation: InsiderThreat NTFS EA Oct 2017)

Internal MISP references

UUID ac008435-af58-4f77-988a-c9b96c5920f5 which can be used as unique global reference for NTFS File Attributes Mitigation - T1096 in MISP communities and other software using the MISP galaxy

External references

• http://technet.microsoft.com/en-us/magazine/2008.06.srp.aspx - webarchive
• http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599 - webarchive
• https://apps.nsa.gov/iaarchive/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm - webarchive
• https://attack.mitre.org/mitigations/T1096 - webarchive
• https://blog.stealthbits.com/attack-step-3-persistence-ntfs-extended-attributes-file-system-attacks - webarchive
• https://blogs.jpcert.or.jp/en/2016/01/windows-commands-abused-by-attackers.html - webarchive
• https://blogs.technet.microsoft.com/askcore/2013/03/24/alternate-data-streams-in-ntfs/ - webarchive
• https://technet.microsoft.com/en-us/library/ee791851.aspx - webarchive
• https://www.symantec.com/connect/articles/what-you-need-know-about-alternate-data-streams-windows-your-data-secure-can-you-restore - webarchive

Associated metadata

Metadata key	Value
external_id	T1096

Permission Groups Discovery Mitigation - T1069

Identify unnecessary system utilities or potentially malicious software that may be used to acquire information about groups and permissions, and audit and/or block them by using whitelisting (Citation: Beechey 2010) tools, like AppLocker, (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) or Software Restriction Policies (Citation: Corio 2008) where appropriate. (Citation: TechNet Applocker vs SRP)

Internal MISP references

UUID dd9a85ad-6a92-4986-a215-b01d0ce7b987 which can be used as unique global reference for Permission Groups Discovery Mitigation - T1069 in MISP communities and other software using the MISP galaxy

External references

• http://blog.jpcert.or.jp/2016/01/windows-commands-abused-by-attackers.html - webarchive
• http://technet.microsoft.com/en-us/magazine/2008.06.srp.aspx - webarchive
• http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599 - webarchive
• https://apps.nsa.gov/iaarchive/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm - webarchive
• https://attack.mitre.org/mitigations/T1069 - webarchive
• https://technet.microsoft.com/en-us/library/ee791851.aspx - webarchive

Associated metadata

Metadata key	Value
external_id	T1069

Windows Admin Shares Mitigation - T1077

Do not reuse local administrator account passwords across systems. Ensure password complexity and uniqueness such that the passwords cannot be cracked or guessed. Deny remote use of local admin credentials to log into systems. Do not allow domain user accounts to be in the local Administrators group multiple systems.

Identify unnecessary system utilities or potentially malicious software that may be used to leverage SMB and the Windows admin shares, and audit and/or block them by using whitelisting (Citation: Beechey 2010) tools, like AppLocker, (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) or Software Restriction Policies (Citation: Corio 2008) where appropriate. (Citation: TechNet Applocker vs SRP)

Internal MISP references

UUID 308855d1-078b-47ad-8d2a-8f9b2713ffb5 which can be used as unique global reference for Windows Admin Shares Mitigation - T1077 in MISP communities and other software using the MISP galaxy

External references

• http://blog.jpcert.or.jp/2016/01/windows-commands-abused-by-attackers.html - webarchive
• http://technet.microsoft.com/en-us/magazine/2008.06.srp.aspx - webarchive
• http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599 - webarchive
• https://apps.nsa.gov/iaarchive/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm - webarchive
• https://attack.mitre.org/mitigations/T1077 - webarchive
• https://technet.microsoft.com/en-us/library/ee791851.aspx - webarchive

Associated metadata

Metadata key	Value
external_id	T1077

Pass the Ticket Mitigation - T1097

Monitor domains for unusual credential logons. Limit credential overlap across systems to prevent the damage of credential compromise. Ensure that local administrator accounts have complex, unique passwords. Do not allow a user to be a local administrator for multiple systems. Limit domain admin account permissions to domain controllers and limited servers. Delegate other admin functions to separate accounts. (Citation: ADSecurity AD Kerberos Attacks)

For containing the impact of a previously generated golden ticket, reset the built-in KRBTGT account password twice, which will invalidate any existing golden tickets that have been created with the KRBTGT hash and other Kerberos tickets derived from it. (Citation: CERT-EU Golden Ticket Protection)

Attempt to identify and block unknown or malicious software that could be used to obtain Kerberos tickets and use them to authenticate by using whitelisting (Citation: Beechey 2010) tools, like AppLocker, (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) or Software Restriction Policies (Citation: Corio 2008) where appropriate. (Citation: TechNet Applocker vs SRP)

Internal MISP references

UUID 3a476d83-43eb-4fad-9b75-b1febd834e3d which can be used as unique global reference for Pass the Ticket Mitigation - T1097 in MISP communities and other software using the MISP galaxy

External references

• http://technet.microsoft.com/en-us/magazine/2008.06.srp.aspx - webarchive
• http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599 - webarchive
• https://adsecurity.org/?p=556 - webarchive
• https://apps.nsa.gov/iaarchive/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm - webarchive
• https://attack.mitre.org/mitigations/T1097 - webarchive
• https://blogs.jpcert.or.jp/en/2016/01/windows-commands-abused-by-attackers.html - webarchive
• https://cert.europa.eu/static/WhitePapers/UPDATED%20-%20CERT-EU_Security_Whitepaper_2014-007_Kerberos_Golden_Ticket_Protection_v1_4.pdf - webarchive
• https://technet.microsoft.com/en-us/library/ee791851.aspx - webarchive

Associated metadata

Metadata key	Value
external_id	T1097

Disabling Security Tools Mitigation - T1089

Ensure proper process, registry, and file permissions are in place to prevent adversaries from disabling or interfering with security services.

Internal MISP references

UUID 388606d3-f38f-45bf-885d-a9dc9df3c8a8 which can be used as unique global reference for Disabling Security Tools Mitigation - T1089 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/mitigations/T1089 - webarchive

Associated metadata

Metadata key	Value
external_id	T1089

Space after Filename Mitigation - T1151

Prevent files from having a trailing space after the extension.

Internal MISP references

UUID 02f0f92a-0a51-4c94-9bda-6437b9a93f22 which can be used as unique global reference for Space after Filename Mitigation - T1151 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/mitigations/T1151 - webarchive

Associated metadata

Metadata key	Value
external_id	T1151

Credentials in Registry Mitigation - T1214

Do not store credentials within the Registry. Proactively search for credentials within Registry keys and attempt to remediate the risk. If necessary software must store credentials, then ensure those accounts have limited permissions so they cannot be abused if obtained by an adversary.

Internal MISP references

UUID 4490fee2-5c70-4db3-8db5-8d88767dbd55 which can be used as unique global reference for Credentials in Registry Mitigation - T1214 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/mitigations/T1214 - webarchive

Associated metadata

Metadata key	Value
external_id	T1214

System Time Discovery Mitigation - T1124

Benign software uses legitimate processes to gather system time. Efforts should be focused on preventing unwanted or unknown code from executing on a system. Some common tools, such as net.exe, may be blocked by policy to prevent common ways of acquiring remote system time.

Identify unnecessary system utilities or potentially malicious software that may be used to acquire system time information, and audit and/or block them by using whitelisting (Citation: Beechey 2010) tools, like AppLocker, (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) or Software Restriction Policies (Citation: Corio 2008) where appropriate. (Citation: TechNet Applocker vs SRP)

Internal MISP references

UUID 82d8e990-c901-4aed-8596-cc002e7eb307 which can be used as unique global reference for System Time Discovery Mitigation - T1124 in MISP communities and other software using the MISP galaxy

External references

• http://blog.jpcert.or.jp/2016/01/windows-commands-abused-by-attackers.html - webarchive
• http://technet.microsoft.com/en-us/magazine/2008.06.srp.aspx - webarchive
• http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599 - webarchive
• https://apps.nsa.gov/iaarchive/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm - webarchive
• https://attack.mitre.org/mitigations/T1124 - webarchive
• https://technet.microsoft.com/en-us/library/ee791851.aspx - webarchive

Associated metadata

Metadata key	Value
external_id	T1124

Browser Bookmark Discovery Mitigation - T1217

File system activity is a common part of an operating system, so it is unlikely that mitigation would be appropriate for this technique. For example, mitigating accesses to browser bookmark files will likely have unintended side effects such as preventing legitimate software from operating properly. Efforts should be focused on preventing adversary tools from running earlier in the chain of activity and on identification of subsequent malicious behavior. It may still be beneficial to identify and block unnecessary system utilities or potentially malicious software by using whitelisting (Citation: Beechey 2010) tools, like AppLocker, (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) or Software Restriction Policies (Citation: Corio 2008) where appropriate. (Citation: TechNet Applocker vs SRP)

Internal MISP references

UUID 1c0b39f9-a0c5-42b2-abd8-dc8f1eb74e67 which can be used as unique global reference for Browser Bookmark Discovery Mitigation - T1217 in MISP communities and other software using the MISP galaxy

External references

• http://blog.jpcert.or.jp/2016/01/windows-commands-abused-by-attackers.html - webarchive
• http://technet.microsoft.com/en-us/magazine/2008.06.srp.aspx - webarchive
• http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599 - webarchive
• https://apps.nsa.gov/iaarchive/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm - webarchive
• https://attack.mitre.org/mitigations/T1217 - webarchive
• https://technet.microsoft.com/en-us/library/ee791851.aspx - webarchive

Associated metadata

Metadata key	Value
external_id	T1217

Netsh Helper DLL Mitigation - T1128

Identify and block potentially malicious software that may persist in this manner by using whitelisting (Citation: Beechey 2010) tools capable of monitoring DLL loads by Windows utilities like AppLocker. (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker)

Internal MISP references

UUID 624d063d-cda8-4616-b4e4-54c04e427aec which can be used as unique global reference for Netsh Helper DLL Mitigation - T1128 in MISP communities and other software using the MISP galaxy

External references

• http://blog.jpcert.or.jp/2016/01/windows-commands-abused-by-attackers.html - webarchive
• http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599 - webarchive
• https://apps.nsa.gov/iaarchive/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm - webarchive
• https://attack.mitre.org/mitigations/T1128 - webarchive

Associated metadata

Metadata key	Value
external_id	T1128

Remote Access Tools Mitigation - T1219

Properly configure firewalls, application firewalls, and proxies to limit outgoing traffic to sites and services used by remote access tools.

Network intrusion detection and prevention systems that use network signatures may be able to prevent traffic to these services as well.

Use application whitelisting to mitigate use of and installation of unapproved software.

Internal MISP references

UUID af093bc8-7b59-4e2a-9da8-8e839b4c50c6 which can be used as unique global reference for Remote Access Tools Mitigation - T1219 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/mitigations/T1219 - webarchive

Associated metadata

Metadata key	Value
external_id	T1219

External Remote Services Mitigation - T1133

Limit access to remote services through centrally managed concentrators such as VPNs and other managed remote access systems. Deny direct remote access to internal systems through the use of network proxies, gateways, and firewalls. Disable or block remotely available services such as Windows Remote Management. Use strong two-factor or multi-factor authentication for remote service accounts to mitigate an adversary's ability to leverage stolen credentials, but be aware of Multi-Factor Authentication Interception techniques for some two-factor authentication implementations.

Internal MISP references

UUID d4fd04e0-d1a4-4b5a-a5bb-16683cdbcce2 which can be used as unique global reference for External Remote Services Mitigation - T1133 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/mitigations/T1133 - webarchive

Associated metadata

Metadata key	Value
external_id	T1133

Access Token Manipulation Mitigation - T1134

Access tokens are an integral part of the security system within Windows and cannot be turned off. However, an attacker must already have administrator level access on the local system to make full use of this technique; be sure to restrict users and accounts to the least privileges they require to do their job.

Any user can also spoof access tokens if they have legitimate credentials. Follow mitigation guidelines for preventing adversary use of Valid Accounts. Limit permissions so that users and user groups cannot create tokens. This setting should be defined for the local system account only. GPO: Computer Configuration > [Policies] > Windows Settings > Security Settings > Local Policies > User Rights Assignment: Create a token object. (Citation: Microsoft Create Token) Also define who can create a process level token to only the local and network service through GPO: Computer Configuration > [Policies] > Windows Settings > Security Settings > Local Policies > User Rights Assignment: Replace a process level token. (Citation: Microsoft Replace Process Token)

Also limit opportunities for adversaries to increase privileges by limiting Privilege Escalation opportunities.

Internal MISP references

UUID c61fee9f-16fb-4f8c-bbf0-869093fcd4a6 which can be used as unique global reference for Access Token Manipulation Mitigation - T1134 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/mitigations/T1134 - webarchive
• https://docs.microsoft.com/windows/device-security/security-policy-settings/create-a-token-object - webarchive
• https://docs.microsoft.com/windows/device-security/security-policy-settings/replace-a-process-level-token - webarchive

Associated metadata

Metadata key	Value
external_id	T1134

Network Share Discovery Mitigation - T1135

Identify unnecessary system utilities or potentially malicious software that may be used to acquire network share information, and audit and/or block them by using whitelisting (Citation: Beechey 2010) tools, like AppLocker, (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) or Software Restriction Policies (Citation: Corio 2008) where appropriate. (Citation: TechNet Applocker vs SRP)

Internal MISP references

UUID 1f34230d-b6ae-4dc7-8599-78c18820bd21 which can be used as unique global reference for Network Share Discovery Mitigation - T1135 in MISP communities and other software using the MISP galaxy

External references

• http://blog.jpcert.or.jp/2016/01/windows-commands-abused-by-attackers.html - webarchive
• http://technet.microsoft.com/en-us/magazine/2008.06.srp.aspx - webarchive
• http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599 - webarchive
• https://apps.nsa.gov/iaarchive/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm - webarchive
• https://attack.mitre.org/mitigations/T1135 - webarchive
• https://technet.microsoft.com/en-us/library/ee791851.aspx - webarchive

Associated metadata

Metadata key	Value
external_id	T1135

Dynamic Data Exchange Mitigation - T1173

Registry keys specific to Microsoft Office feature control security can be set to disable automatic DDE/OLE execution. (Citation: Microsoft DDE Advisory Nov 2017) (Citation: BleepingComputer DDE Disabled in Word Dec 2017) (Citation: GitHub Disable DDEAUTO Oct 2017) Microsoft also created, and enabled by default, Registry keys to completely disable DDE execution in Word and Excel. (Citation: Microsoft ADV170021 Dec 2017)

Ensure Protected View is enabled (Citation: Microsoft Protected View) and consider disabling embedded files in Office programs, such as OneNote, not enrolled in Protected View. (Citation: Enigma Reviving DDE Jan 2018) (Citation: GitHub Disable DDEAUTO Oct 2017)

On Windows 10, enable Attack Surface Reduction (ASR) rules to prevent DDE attacks and spawning of child processes from Office programs. (Citation: Microsoft ASR Nov 2017) (Citation: Enigma Reviving DDE Jan 2018)

Internal MISP references

UUID 80c91478-ac87-434f-bee7-11f37aec4d74 which can be used as unique global reference for Dynamic Data Exchange Mitigation - T1173 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/mitigations/T1173 - webarchive
• https://docs.microsoft.com/windows/threat-protection/windows-defender-exploit-guard/enable-attack-surface-reduction - webarchive
• https://gist.github.com/wdormann/732bb88d9b5dd5a66c9f1e1498f31a1b - webarchive
• https://portal.msrc.microsoft.com/security-guidance/advisory/ADV170021 - webarchive
• https://posts.specterops.io/reviving-dde-using-onenote-and-excel-for-code-execution-d7226864caee - webarchive
• https://support.office.com/en-us/article/What-is-Protected-View-d6f09ac7-e6b9-4495-8e43-2bbcdbcb6653 - webarchive
• https://technet.microsoft.com/library/security/4053440 - webarchive
• https://www.bleepingcomputer.com/news/microsoft/microsoft-disables-dde-feature-in-word-to-prevent-further-malware-attacks/ - webarchive

Associated metadata

Metadata key	Value
external_id	T1173

Clear Command History Mitigation - T1146

Preventing users from deleting or writing to certain files can stop adversaries from maliciously altering their ~/.bash_history files. Additionally, making these environment variables readonly can make sure that the history is preserved (Citation: Securing bash history).

Internal MISP references

UUID 3e7018e9-7389-48e7-9208-0bdbcbba9483 which can be used as unique global reference for Clear Command History Mitigation - T1146 in MISP communities and other software using the MISP galaxy

External references

• http://www.akyl.net/securing-bashhistory-file-make-sure-your-linux-system-users-won%E2%80%99t-hide-or-delete-their-bashhistory - webarchive
• https://attack.mitre.org/mitigations/T1146 - webarchive

Associated metadata

Metadata key	Value
external_id	T1146

Password Filter DLL Mitigation - T1174

Ensure only valid password filters are registered. Filter DLLs must be present in Windows installation directory (C:\Windows\System32\ by default) of a domain controller and/or local computer with a corresponding entry in HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Notification Packages. (Citation: Microsoft Install Password Filter n.d)

Internal MISP references

UUID 00d7d21b-69d6-4797-88a2-c86f3fc97651 which can be used as unique global reference for Password Filter DLL Mitigation - T1174 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/mitigations/T1174 - webarchive
• https://msdn.microsoft.com/library/windows/desktop/ms721766.aspx - webarchive

Associated metadata

Metadata key	Value
external_id	T1174

Spearphishing via Service Mitigation - T1194

Determine if certain social media sites, personal webmail services, or other service that can be used for spearphishing is necessary for business operations and consider blocking access if activity cannot be monitored well or if it poses a significant risk.

Because this technique involves use of legitimate services and user interaction on the endpoint, it's difficult to fully mitigate. However, there are potential mitigations. Users can be trained to identify social engineering techniques and spearphishing emails with malicious links. To prevent the downloads from executing, application whitelisting can be used. Anti-virus can also automatically quarantine suspicious files.

Internal MISP references

UUID c861bcb1-946f-450d-ab75-d4e3c1103a56 which can be used as unique global reference for Spearphishing via Service Mitigation - T1194 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/mitigations/T1194 - webarchive

Associated metadata

Metadata key	Value
external_id	T1194

Supply Chain Compromise Mitigation - T1195

Apply supply chain risk management (SCRM) practices and procedures (Citation: MITRE SE Guide 2014), such as supply chain analysis and appropriate risk management, throughout the life-cycle of a system.

Leverage established software development lifecycle (SDLC) practices (Citation: NIST Supply Chain 2012):

• Uniquely Identify Supply Chain Elements, Processes, and Actors
• Limit Access and Exposure within the Supply Chain
• Establish and Maintain the Provenance of Elements, Processes, Tools, and Data
• Share Information within Strict Limits
• Perform SCRM Awareness and Training
• Use Defensive Design for Systems, Elements, and Processes
• Perform Continuous Integrator Review
• Strengthen Delivery Mechanisms
• Assure Sustainment Activities and Processes
• Manage Disposal and Final Disposition Activities throughout the System or Element Life Cycle

A patch management process should be implemented to check unused dependencies, unmaintained and/or previously vulnerable dependencies, unnecessary features, components, files, and documentation. Continuous monitoring of vulnerability sources and the use of automatic and manual code review tools should also be implemented as well. (Citation: OWASP Top 10 2017)

Internal MISP references

UUID 97d8eadb-0459-4c1d-bf1a-e053bd75df61 which can be used as unique global reference for Supply Chain Compromise Mitigation - T1195 in MISP communities and other software using the MISP galaxy

External references

• http://dx.doi.org/10.6028/NIST.IR.7622 - webarchive
• https://attack.mitre.org/mitigations/T1195 - webarchive
• https://owasp.org/www-project-top-ten/OWASP_Top_Ten_2017/ - webarchive
• https://www.mitre.org/sites/default/files/publications/se-guide-book-interactive.pdf - webarchive

Associated metadata

Metadata key	Value
external_id	T1195

Setuid and Setgid Mitigation - T1166

Applications with known vulnerabilities or known shell escapes should not have the setuid or setgid bits set to reduce potential damage if an application is compromised. Additionally, the number of programs with setuid or setgid bits set should be minimized across a system.

Internal MISP references

UUID 073cc04d-ac46-4f5a-85d7-83a91ecd6a19 which can be used as unique global reference for Setuid and Setgid Mitigation - T1166 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/mitigations/T1166 - webarchive

Associated metadata

Metadata key	Value
external_id	T1166

Local Job Scheduling Mitigation - T1168

Limit privileges of user accounts and remediate Privilege Escalation vectors so only authorized users can create scheduled jobs. Identify and block unnecessary system utilities or potentially malicious software that may be used to schedule jobs using whitelisting tools.

Internal MISP references

UUID c47a9b55-8f61-4b82-b833-1db6242c754e which can be used as unique global reference for Local Job Scheduling Mitigation - T1168 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/mitigations/T1168 - webarchive

Associated metadata

Metadata key	Value
external_id	T1168

Control Panel Items Mitigation - T1196

This type of attack technique cannot be easily mitigated with preventive controls since it is based on the abuse of operating system design features. For example, mitigating specific Windows API calls and/or execution of particular file extensions will likely have unintended side effects, such as preventing legitimate software (i.e., drivers and configuration tools) from operating properly. Efforts should be focused on preventing adversary tools from running earlier in the chain of activity and on identification of subsequent malicious behavior.

Restrict storage and execution of Control Panel items to protected directories, such as C:\Windows, rather than user directories.

Index known safe Control Panel items and block potentially malicious software using whitelisting (Citation: Beechey 2010) tools like AppLocker (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) that are capable of auditing and/or blocking unknown executable files.

Consider fully enabling User Account Control (UAC) to impede system-wide changes from illegitimate administrators. (Citation: Microsoft UAC)

Internal MISP references

UUID 3a41b366-cfd6-4af2-a6e7-3c6e3c4ebcef which can be used as unique global reference for Control Panel Items Mitigation - T1196 in MISP communities and other software using the MISP galaxy

External references

• http://blog.jpcert.or.jp/2016/01/windows-commands-abused-by-attackers.html - webarchive
• http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599 - webarchive
• https://apps.nsa.gov/iaarchive/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm - webarchive
• https://attack.mitre.org/mitigations/T1196 - webarchive
• https://msdn.microsoft.com/library/windows/desktop/dn742497.aspx - webarchive

Associated metadata

Metadata key	Value
external_id	T1196

Compiled HTML File Mitigation - T1223

Consider blocking download/transfer and execution of potentially uncommon file types known to be used in adversary campaigns, such as CHM files. (Citation: PaloAlto Preventing Opportunistic Attacks Apr 2016) Also consider using application whitelisting to prevent execution of hh.exe if it is not required for a given system or network to prevent potential misuse by adversaries.

Internal MISP references

UUID 08e02f67-ea09-4f77-a70b-414963c29fc2 which can be used as unique global reference for Compiled HTML File Mitigation - T1223 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/mitigations/T1223 - webarchive
• https://live.paloaltonetworks.com/t5/Ignite-2016-Blog/Breakout-Recap-Cybersecurity-Best-Practices-Part-1-Preventing/ba-p/75913 - webarchive

Associated metadata

Metadata key	Value
external_id	T1223

Domain Trust Discovery Mitigation - T1482

Map the trusts within existing domains/forests and keep trust relationships to a minimum. Employ network segmentation for sensitive domains.(Citation: Harmj0y Domain Trusts)

Internal MISP references

UUID 159b4ee4-8fa1-44a5-b095-2973f3c7e25e which can be used as unique global reference for Domain Trust Discovery Mitigation - T1482 in MISP communities and other software using the MISP galaxy

External references

• http://www.harmj0y.net/blog/redteaming/a-guide-to-attacking-domain-trusts/ - webarchive
• https://attack.mitre.org/mitigations/T1482 - webarchive

Associated metadata

Metadata key	Value
external_id	T1482

Stored Data Manipulation Mitigation - T1492

Identify critical business and system processes that may be targeted by adversaries and work to secure the data related to those processes against tampering. Ensure least privilege principles are applied to important information resources to reduce exposure to data manipulation risk. Consider encrypting important information to reduce an adversaries ability to perform tailor data modifications. Where applicable, examine using file monitoring software to check integrity on important files and directories as well as take corrective actions when unauthorized changes are detected.

Consider implementing IT disaster recovery plans that contain procedures for taking regular data backups that can be used to restore organizational data.(Citation: Ready.gov IT DRP) Ensure backups are stored off system and is protected from common methods adversaries may use to gain access and manipulate backups.

Internal MISP references

UUID e9362d25-4427-446b-99e8-b8f0c3b86615 which can be used as unique global reference for Stored Data Manipulation Mitigation - T1492 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/mitigations/T1492 - webarchive
• https://www.ready.gov/business/implementation/IT - webarchive

Associated metadata

Metadata key	Value
external_id	T1492

Domain Generation Algorithms Mitigation - T1483

This technique may be difficult to mitigate since the domains can be registered just before they are used, and disposed shortly after. Malware researchers can reverse-engineer malware variants that use DGAs and determine future domains that the malware will attempt to contact, but this is a time and resource intensive effort.(Citation: Cybereason Dissecting DGAs)(Citation: Cisco Umbrella DGA Brute Force) Malware is also increasingly incorporating seed values that can be unique for each instance, which would then need to be determined to extract future generated domains. In some cases, the seed that a particular sample uses can be extracted from DNS traffic.(Citation: Akamai DGA Mitigation) Even so, there can be thousands of possible domains generated per day; this makes it impractical for defenders to preemptively register all possible C2 domains due to the cost. In some cases a local DNS sinkhole may be used to help prevent DGA-based command and control at a reduced cost.

Network intrusion detection and prevention systems that use network signatures to identify traffic for specific adversary malware can be used to mitigate activity at the network level. Signatures are often for unique indicators within protocols and may be based on the specific protocol used by a particular adversary or tool, and will likely be different across various malware families and versions. Adversaries will likely change tool C2 signatures over time or construct protocols in such a way as to avoid detection by common defensive tools. (Citation: University of Birmingham C2)

Internal MISP references

UUID 3bd2cf87-1ceb-4317-9aee-3e7dc713261b which can be used as unique global reference for Domain Generation Algorithms Mitigation - T1483 in MISP communities and other software using the MISP galaxy

External references

• http://go.cybereason.com/rs/996-YZT-709/images/Cybereason-Lab-Analysis-Dissecting-DGAs-Eight-Real-World-DGA-Variants.pdf - webarchive
• https://arxiv.org/ftp/arxiv/papers/1408/1408.1136.pdf - webarchive
• https://attack.mitre.org/mitigations/T1483 - webarchive
• https://blogs.akamai.com/2018/01/a-death-match-of-domain-generation-algorithms.html - webarchive
• https://umbrella.cisco.com/blog/2015/02/18/at-high-noon-algorithms-do-battle/ - webarchive

Associated metadata

Metadata key	Value
external_id	T1483

Transmitted Data Manipulation Mitigation - T1493

Identify critical business and system processes that may be targeted by adversaries and work to secure communications related to those processes against tampering. Encrypt all important data flows to reduce the impact of tailored modifications on data in transit.

Internal MISP references

UUID 245075bc-f992-4d89-af8c-834c53d403f4 which can be used as unique global reference for Transmitted Data Manipulation Mitigation - T1493 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/mitigations/T1493 - webarchive

Associated metadata

Metadata key	Value
external_id	T1493

Runtime Data Manipulation Mitigation - T1494

Identify critical business and system processes that may be targeted by adversaries and work to secure those systems against tampering. Prevent critical business and system processes from being replaced, overwritten, or reconfigured to load potentially malicious code. Identify potentially malicious software and audit and/or block it by using whitelisting(Citation: Beechey 2010) tools, like AppLocker,(Citation: Windows Commands JPCERT)(Citation: NSA MS AppLocker) or Software Restriction Policies(Citation: Corio 2008) where appropriate.(Citation: TechNet Applocker vs SRP)

Internal MISP references

UUID 337172b1-b003-4034-8a3f-1d89a71da628 which can be used as unique global reference for Runtime Data Manipulation Mitigation - T1494 in MISP communities and other software using the MISP galaxy

External references

• http://technet.microsoft.com/en-us/magazine/2008.06.srp.aspx - webarchive
• http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599 - webarchive
• https://apps.nsa.gov/iaarchive/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm - webarchive
• https://attack.mitre.org/mitigations/T1494 - webarchive
• https://blogs.jpcert.or.jp/en/2016/01/windows-commands-abused-by-attackers.html - webarchive
• https://technet.microsoft.com/en-us/library/ee791851.aspx - webarchive

Associated metadata

Metadata key	Value
external_id	T1494

LLMNR/NBT-NS Poisoning Mitigation - T1171

Disable LLMNR and NetBIOS in local computer security settings or by group policy if they are not needed within an environment. (Citation: ADSecurity Windows Secure Baseline)

Use host-based security software to block LLMNR/NetBIOS traffic. Enabling SMB Signing can stop NTLMv2 relay attacks.(Citation: byt3bl33d3r NTLM Relaying)(Citation: Secure Ideas SMB Relay)(Citation: Microsoft SMB Packet Signing)

Internal MISP references

UUID 54246e2e-683f-4bf2-be4c-d7d5a60e7d22 which can be used as unique global reference for LLMNR/NBT-NS Poisoning Mitigation - T1171 in MISP communities and other software using the MISP galaxy

External references

• https://adsecurity.org/?p=3299 - webarchive
• https://attack.mitre.org/mitigations/T1171 - webarchive
• https://blog.secureideas.com/2018/04/ever-run-a-relay-why-smb-relays-should-be-on-your-mind.html - webarchive
• https://byt3bl33d3r.github.io/practical-guide-to-ntlm-relaying-in-2017-aka-getting-a-foothold-in-under-5-minutes.html - webarchive
• https://docs.microsoft.com/en-us/previous-versions/system-center/operations-manager-2005/cc180803(v=technet.10) - webarchive

Associated metadata

Metadata key	Value
external_id	T1171

Restrict Web-Based Content - M1021

Restrict use of certain websites, block downloads/attachments, block Javascript, restrict browser extensions, etc.

Internal MISP references

UUID 21da4fd4-27ad-4e9c-b93d-0b9b14d02c96 which can be used as unique global reference for Restrict Web-Based Content - M1021 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/mitigations/M1021 - webarchive

Associated metadata

Metadata key	Value
external_id	M1021

Related clusters

To see the related clusters, click here.

Multi-Stage Channels Mitigation - T1104

Command and control infrastructure used in a multi-stage channel may be blocked if known ahead of time. If unique signatures are present in the C2 traffic, they could also be used as the basis of identifying and blocking the channel. (Citation: University of Birmingham C2)

Internal MISP references

UUID 514e7371-a344-4de7-8ec3-3aa42b801d52 which can be used as unique global reference for Multi-Stage Channels Mitigation - T1104 in MISP communities and other software using the MISP galaxy

External references

• https://arxiv.org/ftp/arxiv/papers/1408/1408.1136.pdf - webarchive
• https://attack.mitre.org/mitigations/T1104 - webarchive

Associated metadata

Metadata key	Value
external_id	T1104

Third-party Software Mitigation - T1072

Evaluate the security of third-party software that could be used in the enterprise environment. Ensure that access to management systems for third-party systems is limited, monitored, and secure. Have a strict approval policy for use of third-party systems.

Grant access to Third-party systems only to a limited number of authorized administrators. Ensure proper system and access isolation for critical network systems through use of firewalls, account privilege separation, group policy, and multi-factor authentication. Verify that account credentials that may be used to access third-party systems are unique and not used throughout the enterprise network. Ensure that any accounts used by third-party providers to access these systems are traceable to the third-party and are not used throughout the network or used by other third-party providers in the same environment. Ensure third-party systems are regularly patched by users or the provider to prevent potential remote access through Exploitation for Privilege Escalation.

Ensure there are regular reviews of accounts provisioned to these systems to verify continued business need, and ensure there is governance to trace de-provisioning of access that is no longer required.

Where the third-party system is used for deployment services, ensure that it can be configured to deploy only signed binaries, then ensure that the trusted signing certificates are not co-located with the third-party system and are instead located on a system that cannot be accessed remotely or to which remote access is tightly controlled.

Internal MISP references

UUID 160af6af-e733-4b6a-a04a-71c620ac0930 which can be used as unique global reference for Third-party Software Mitigation - T1072 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/mitigations/T1072 - webarchive

Associated metadata

Metadata key	Value
external_id	T1072

DLL Side-Loading Mitigation - T1073

Update software regularly. Install software in write-protected locations. Use the program sxstrace.exe that is included with Windows along with manual inspection to check manifest files for side-loading vulnerabilities in software.

Internal MISP references

UUID 7a14d974-f3d9-4e4e-9b7d-980385762908 which can be used as unique global reference for DLL Side-Loading Mitigation - T1073 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/mitigations/T1073 - webarchive

Associated metadata

Metadata key	Value
external_id	T1073

Re-opened Applications Mitigation - T1164

Holding the Shift key while logging in prevents apps from opening automatically (Citation: Re-Open windows on Mac). This feature can be disabled entirely with the following terminal command: defaults write -g ApplePersistence -bool no.

Internal MISP references

UUID 61d02387-351a-453e-a575-160a9abc3e04 which can be used as unique global reference for Re-opened Applications Mitigation - T1164 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/mitigations/T1164 - webarchive
• https://support.apple.com/en-us/HT204005 - webarchive

Associated metadata

Metadata key	Value
external_id	T1164

SID-History Injection Mitigation - T1178

Clean up SID-History attributes after legitimate account migration is complete.

Consider applying SID Filtering to interforest trusts, such as forest trusts and external trusts, to exclude SID-History from requests to access domain resources. SID Filtering ensures that any authentication requests over a trust only contain SIDs of security principals from the trusted domain (i.e. preventing the trusted domain from claiming a user has membership in groups outside of the domain).

SID Filtering of forest trusts is enabled by default, but may have been disabled in some cases to allow a child domain to transitively access forest trusts. SID Filtering of external trusts is automatically enabled on all created external trusts using Server 2003 or later domain controllers. (Citation: Microsoft Trust Considerations Nov 2014) (Citation: Microsoft SID Filtering Quarantining Jan 2009) However note that SID Filtering is not automatically applied to legacy trusts or may have been deliberately disabled to allow inter-domain access to resources.

SID Filtering can be applied by: (Citation: Microsoft Netdom Trust Sept 2012)

• Disabling SIDHistory on forest trusts using the netdom tool (netdom trust /domain: /EnableSIDHistory:no on the domain controller).
• Applying SID Filter Quarantining to external trusts using the netdom tool (netdom trust /domain: /quarantine:yes on the domain controller) Applying SID Filtering to domain trusts within a single forest is not recommended as it is an unsupported configuration and can cause breaking changes. (Citation: Microsoft Netdom Trust Sept 2012) (Citation: AdSecurity Kerberos GT Aug 2015) If a domain within a forest is untrustworthy then it should not be a member of the forest. In this situation it is necessary to first split the trusted and untrusted domains into separate forests where SID Filtering can be applied to an interforest trust.

Internal MISP references

UUID b91c2f9e-c1a0-44df-95f0-9e7c9d1d5e55 which can be used as unique global reference for SID-History Injection Mitigation - T1178 in MISP communities and other software using the MISP galaxy

External references

• https://adsecurity.org/?p=1640 - webarchive
• https://attack.mitre.org/mitigations/T1178 - webarchive
• https://technet.microsoft.com/library/cc755321.aspx - webarchive
• https://technet.microsoft.com/library/cc794757.aspx - webarchive
• https://technet.microsoft.com/library/cc835085.aspx - webarchive

Associated metadata

Metadata key	Value
external_id	T1178

Multi-hop Proxy Mitigation - T1188

Traffic to known anonymity networks and C2 infrastructure can be blocked through the use of network black and white lists. It should be noted that this kind of blocking may be circumvented by other techniques like Domain Fronting.

Internal MISP references

UUID 752db800-ea54-4e7a-b4c1-2a0292350ea7 which can be used as unique global reference for Multi-hop Proxy Mitigation - T1188 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/mitigations/T1188 - webarchive

Associated metadata

Metadata key	Value
external_id	T1188

Drive-by Compromise Mitigation - T1189

Drive-by compromise relies on there being a vulnerable piece of software on the client end systems. Use modern browsers with security features turned on. Ensure all browsers and plugins kept updated can help prevent the exploit phase of this technique.

For malicious code served up through ads, adblockers can help prevent that code from executing in the first place. Script blocking extensions can help prevent the execution of JavaScript that may commonly be used during the exploitation process.

Browser sandboxes can be used to mitigate some of the impact of exploitation, but sandbox escapes may still exist. (Citation: Windows Blogs Microsoft Edge Sandbox) (Citation: Ars Technica Pwn2Own 2017 VM Escape)

Other types of virtualization and application microsegmentation may also mitigate the impact of client-side exploitation. The risks of additional exploits and weaknesses in implementation may still exist. (Citation: Ars Technica Pwn2Own 2017 VM Escape)

Security applications that look for behavior used during exploitation such as Windows Defender Exploit Guard (WDEG) and the Enhanced Mitigation Experience Toolkit (EMET) can be used to mitigate some exploitation behavior. (Citation: TechNet Moving Beyond EMET) Control flow integrity checking is another way to potentially identify and stop a software exploit from occurring. (Citation: Wikipedia Control Flow Integrity) Many of these protections depend on the architecture and target application binary for compatibility.

Internal MISP references

UUID 7a4d0054-53cd-476f-88af-955dddc80ee0 which can be used as unique global reference for Drive-by Compromise Mitigation - T1189 in MISP communities and other software using the MISP galaxy

External references

• https://arstechnica.com/information-technology/2017/03/hack-that-escapes-vm-by-exploiting-edge-browser-fetches-105000-at-pwn2own/ - webarchive
• https://attack.mitre.org/mitigations/T1189 - webarchive
• https://blogs.technet.microsoft.com/srd/2017/08/09/moving-beyond-emet-ii-windows-defender-exploit-guard/ - webarchive
• https://blogs.windows.com/msedgedev/2017/03/23/strengthening-microsoft-edge-sandbox/ - webarchive
• https://en.wikipedia.org/wiki/Control-flow_integrity - webarchive

Associated metadata

Metadata key	Value
external_id	T1189

Data Obfuscation Mitigation - T1001

Network intrusion detection and prevention systems that use network signatures to identify traffic for specific adversary malware can be used to mitigate activity at the network level. Signatures are often for unique indicators within protocols and may be based on the specific obfuscation technique used by a particular adversary or tool, and will likely be different across various malware families and versions. Adversaries will likely change tool C2 signatures over time or construct protocols in such a way as to avoid detection by common defensive tools. (Citation: University of Birmingham C2)

Internal MISP references

UUID d0fcf37a-b6c4-4745-9c43-4fcdb8bfc88e which can be used as unique global reference for Data Obfuscation Mitigation - T1001 in MISP communities and other software using the MISP galaxy

External references

• https://arxiv.org/ftp/arxiv/papers/1408/1408.1136.pdf - webarchive
• https://attack.mitre.org/mitigations/T1001 - webarchive

Associated metadata

Metadata key	Value
external_id	T1001

Web Shell Mitigation - T1100

Ensure that externally facing Web servers are patched regularly to prevent adversary access through Exploitation for Privilege Escalation to gain remote code access or through file inclusion weaknesses that may allow adversaries to upload files or scripts that are automatically served as Web pages.

Audit account and group permissions to ensure that accounts used to manage servers do not overlap with accounts and permissions of users in the internal network that could be acquired through Credential Access and used to log into the Web server and plant a Web shell or pivot from the Web server into the internal network. (Citation: US-CERT Alert TA15-314A Web Shells)

Internal MISP references

UUID bcc91b8c-f104-4710-964e-1d5409666736 which can be used as unique global reference for Web Shell Mitigation - T1100 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/mitigations/T1100 - webarchive
• https://www.us-cert.gov/ncas/alerts/TA15-314A - webarchive

Associated metadata

Metadata key	Value
external_id	T1100

Automated Exfiltration Mitigation - T1020

Identify unnecessary system utilities, scripts, or potentially malicious software that may be used to transfer data outside of a network, and audit and/or block them by using whitelisting (Citation: Beechey 2010) tools, like AppLocker, (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) or Software Restriction Policies (Citation: Corio 2008) where appropriate. (Citation: TechNet Applocker vs SRP)

Internal MISP references

UUID 2497ac92-e751-4391-82c6-1b86e34d0294 which can be used as unique global reference for Automated Exfiltration Mitigation - T1020 in MISP communities and other software using the MISP galaxy

External references

• http://technet.microsoft.com/en-us/magazine/2008.06.srp.aspx - webarchive
• http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599 - webarchive
• https://apps.nsa.gov/iaarchive/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm - webarchive
• https://attack.mitre.org/mitigations/T1020 - webarchive
• https://blogs.jpcert.or.jp/en/2016/01/windows-commands-abused-by-attackers.html - webarchive
• https://technet.microsoft.com/en-us/library/ee791851.aspx - webarchive

Associated metadata

Metadata key	Value
external_id	T1020

Hardware Additions Mitigation - T1200

Establish network access control policies, such as using device certificates and the 802.1x standard. (Citation: Wikipedia 802.1x) Restrict use of DHCP to registered devices to prevent unregistered devices from communicating with trusted systems.

Block unknown devices and accessories by endpoint security configuration and monitoring agent.

Internal MISP references

UUID 54e8722d-2faf-4b1b-93b6-6cbf9551669f which can be used as unique global reference for Hardware Additions Mitigation - T1200 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/mitigations/T1200 - webarchive
• https://en.wikipedia.org/wiki/IEEE_802.1X - webarchive

Associated metadata

Metadata key	Value
external_id	T1200

Data Compressed Mitigation - T1002

Identify unnecessary system utilities, third-party tools, or potentially malicious software that may be used to compress files, and audit and/or block them by using whitelisting (Citation: Beechey 2010) tools, like AppLocker, (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) or Software Restriction Policies (Citation: Corio 2008) where appropriate. (Citation: TechNet Applocker vs SRP)

If network intrusion prevention or data loss prevention tools are set to block specific file types from leaving the network over unencrypted channels, then an adversary may move to an encrypted channel.

Internal MISP references

UUID 28adf6fd-ab6c-4553-9aa7-cef18a191f33 which can be used as unique global reference for Data Compressed Mitigation - T1002 in MISP communities and other software using the MISP galaxy

External references

• http://blog.jpcert.or.jp/2016/01/windows-commands-abused-by-attackers.html - webarchive
• http://technet.microsoft.com/en-us/magazine/2008.06.srp.aspx - webarchive
• http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599 - webarchive
• https://apps.nsa.gov/iaarchive/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm - webarchive
• https://attack.mitre.org/mitigations/T1002 - webarchive
• https://technet.microsoft.com/en-us/library/ee791851.aspx - webarchive

Associated metadata

Metadata key	Value
external_id	T1002

Credential Dumping Mitigation - T1003

Windows

Monitor/harden access to LSASS and SAM table with tools that allow process whitelisting. Limit credential overlap across systems to prevent lateral movement opportunities using Valid Accounts if passwords and hashes are obtained. Ensure that local administrator accounts have complex, unique passwords across all systems on the network. Do not put user or admin domain accounts in the local administrator groups across systems unless they are tightly controlled, as this is often equivalent to having a local administrator account with the same password on all systems. Follow best practices for design and administration of an enterprise network to limit privileged account use across administrative tiers. (Citation: Microsoft Securing Privileged Access)

On Windows 8.1 and Windows Server 2012 R2, enable Protected Process Light for LSA. (Citation: Microsoft LSA)

Identify and block potentially malicious software that may be used to dump credentials by using whitelisting (Citation: Beechey 2010) tools, like AppLocker, (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) or Software Restriction Policies (Citation: Corio 2008) where appropriate. (Citation: TechNet Applocker vs SRP)

With Windows 10, Microsoft implemented new protections called Credential Guard to protect the LSA secrets that can be used to obtain credentials through forms of credential dumping. It is not configured by default and has hardware and firmware system requirements. (Citation: TechNet Credential Guard) It also does not protect against all forms of credential dumping. (Citation: GitHub SHB Credential Guard)

Manage the access control list for “Replicating Directory Changes” and other permissions associated with domain controller replication. (Citation: AdSecurity DCSync Sept 2015) (Citation: Microsoft Replication ACL)

Consider disabling or restricting NTLM traffic. (Citation: Microsoft Disable NTLM Nov 2012)

Linux

Scraping the passwords from memory requires root privileges. Follow best practices in restricting access to escalated privileges to avoid hostile programs from accessing such sensitive regions of memory.

Internal MISP references

UUID aeff5887-8f9e-48d5-a523-9b395e2ce80a which can be used as unique global reference for Credential Dumping Mitigation - T1003 in MISP communities and other software using the MISP galaxy

External references

• http://technet.microsoft.com/en-us/magazine/2008.06.srp.aspx - webarchive
• http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599 - webarchive
• https://adsecurity.org/?p=1729 - webarchive
• https://apps.nsa.gov/iaarchive/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm - webarchive
• https://attack.mitre.org/mitigations/T1003 - webarchive
• https://blogs.jpcert.or.jp/en/2016/01/windows-commands-abused-by-attackers.html - webarchive
• https://docs.microsoft.com/en-us/windows-server/identity/securing-privileged-access/securing-privileged-access-reference-material#a-nameesaebmaesae-administrative-forest-design-approach - webarchive
• https://github.com/iadgov/Secure-Host-Baseline/tree/master/Credential%20Guard - webarchive
• https://support.microsoft.com/help/303972/how-to-grant-the-replicating-directory-changes-permission-for-the-micr - webarchive
• https://technet.microsoft.com/en-us/itpro/windows/keep-secure/credential-guard - webarchive
• https://technet.microsoft.com/en-us/library/dn408187.aspx - webarchive
• https://technet.microsoft.com/en-us/library/ee791851.aspx - webarchive
• https://technet.microsoft.com/library/jj865668.aspx - webarchive

Associated metadata

Metadata key	Value
external_id	T1003

System Partition Integrity - M1004

Ensure that Android devices being used include and enable the Verified Boot capability, which cryptographically ensures the integrity of the system partition.

Internal MISP references

UUID 7b1cf46f-784b-405a-a8dd-4624c19d8321 which can be used as unique global reference for System Partition Integrity - M1004 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/mitigations/M1004 - webarchive

Associated metadata

Metadata key	Value
external_id	M1004

Related clusters

To see the related clusters, click here.

Network Sniffing Mitigation - T1040

Ensure that all wireless traffic is encrypted appropriately. Use Kerberos, SSL, and multifactor authentication wherever possible. Monitor switches and network for span port usage, ARP/DNS poisoning, and router reconfiguration.

Identify and block potentially malicious software that may be used to sniff or analyze network traffic by using whitelisting (Citation: Beechey 2010) tools, like AppLocker, (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) or Software Restriction Policies (Citation: Corio 2008) where appropriate. (Citation: TechNet Applocker vs SRP)

Internal MISP references

UUID 46b7ef91-4e1d-43c5-a2eb-00fa9444f6f4 which can be used as unique global reference for Network Sniffing Mitigation - T1040 in MISP communities and other software using the MISP galaxy

External references

• http://blog.jpcert.or.jp/2016/01/windows-commands-abused-by-attackers.html - webarchive
• http://technet.microsoft.com/en-us/magazine/2008.06.srp.aspx - webarchive
• http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599 - webarchive
• https://apps.nsa.gov/iaarchive/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm - webarchive
• https://attack.mitre.org/mitigations/T1040 - webarchive
• https://technet.microsoft.com/en-us/library/ee791851.aspx - webarchive

Associated metadata

Metadata key	Value
external_id	T1040

New Service Mitigation - T1050

Limit privileges of user accounts and remediate Privilege Escalation vectors so only authorized administrators can create new services.

Identify and block unnecessary system utilities or potentially malicious software that may be used to create services by using whitelisting (Citation: Beechey 2010) tools, like AppLocker, (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) or Software Restriction Policies (Citation: Corio 2008) where appropriate. (Citation: TechNet Applocker vs SRP)

Internal MISP references

UUID b7b2c89c-09c1-4b71-ae7c-000ec2893aab which can be used as unique global reference for New Service Mitigation - T1050 in MISP communities and other software using the MISP galaxy

External references

• http://blog.jpcert.or.jp/2016/01/windows-commands-abused-by-attackers.html - webarchive
• http://technet.microsoft.com/en-us/magazine/2008.06.srp.aspx - webarchive
• http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599 - webarchive
• https://apps.nsa.gov/iaarchive/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm - webarchive
• https://attack.mitre.org/mitigations/T1050 - webarchive
• https://technet.microsoft.com/en-us/library/ee791851.aspx - webarchive

Associated metadata

Metadata key	Value
external_id	T1050

Fallback Channels Mitigation - T1008

Network intrusion detection and prevention systems that use network signatures to identify traffic for specific adversary malware can be used to mitigate activity at the network level. Signatures are often for unique indicators within protocols and may be based on the specific protocol used by a particular adversary or tool, and will likely be different across various malware families and versions. Adversaries will likely change tool C2 signatures over time or construct protocols in such a way as to avoid detection by common defensive tools. (Citation: University of Birmingham C2)

Internal MISP references

UUID 515f6584-fa98-44fe-a4e8-e428c7188514 which can be used as unique global reference for Fallback Channels Mitigation - T1008 in MISP communities and other software using the MISP galaxy

External references

• https://arxiv.org/ftp/arxiv/papers/1408/1408.1136.pdf - webarchive
• https://attack.mitre.org/mitigations/T1008 - webarchive

Associated metadata

Metadata key	Value
external_id	T1008

Binary Padding Mitigation - T1009

Identify potentially malicious software that may be executed from a padded or otherwise obfuscated binary, and audit and/or block it by using whitelisting (Citation: Beechey 2010) tools, like AppLocker, (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) or Software Restriction Policies (Citation: Corio 2008) where appropriate. (Citation: TechNet Applocker vs SRP)

Internal MISP references

UUID 16a8ac85-a06f-460f-ad22-910167bd7332 which can be used as unique global reference for Binary Padding Mitigation - T1009 in MISP communities and other software using the MISP galaxy

External references

• http://technet.microsoft.com/en-us/magazine/2008.06.srp.aspx - webarchive
• http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599 - webarchive
• https://apps.nsa.gov/iaarchive/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm - webarchive
• https://attack.mitre.org/mitigations/T1009 - webarchive
• https://blogs.jpcert.or.jp/en/2016/01/windows-commands-abused-by-attackers.html - webarchive
• https://technet.microsoft.com/en-us/library/ee791851.aspx - webarchive

Associated metadata

Metadata key	Value
external_id	T1009

Encrypt Network Traffic - M1009

Application developers should encrypt all of their application network traffic using the Transport Layer Security (TLS) protocol to ensure protection of sensitive data and deter network-based attacks. If desired, application developers could perform message-based encryption of data before passing it for TLS encryption.

iOS's App Transport Security feature can be used to help ensure that all application network traffic is appropriately protected. Apple intends to mandate use of App Transport Security (Citation: TechCrunch-ATS) for all apps in the Apple App Store unless appropriate justification is given.

Android's Network Security Configuration feature similarly can be used by app developers to help ensure that all of their application network traffic is appropriately protected (Citation: Android-NetworkSecurityConfig).

Use of Virtual Private Network (VPN) tunnels, e.g. using the IPsec protocol, can help mitigate some types of network attacks as well.

Internal MISP references

UUID 8220b57e-c400-4525-bf69-f8edc6b389a8 which can be used as unique global reference for Encrypt Network Traffic - M1009 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/mitigations/M1009 - webarchive
• https://developer.android.com/training/articles/security-config.html - webarchive
• https://techcrunch.com/2016/06/14/apple-will-require-https-connections-for-ios-apps-by-the-end-of-2016/ - webarchive

Associated metadata

Metadata key	Value
external_id	M1009

Related clusters

To see the related clusters, click here.

Brute Force Mitigation - T1110

Set account lockout policies after a certain number of failed login attempts to prevent passwords from being guessed. Too strict a policy can create a denial of service condition and render environments un-usable, with all accounts being locked-out permanently. Use multifactor authentication. Follow best practices for mitigating access to Valid Accounts

Refer to NIST guidelines when creating passwords.(Citation: NIST 800-63-3)

Where possible, also enable multi factor authentication on external facing services.

Internal MISP references

UUID 4a99fecc-680b-448e-8fe7-8144c60d272c which can be used as unique global reference for Brute Force Mitigation - T1110 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/mitigations/T1110 - webarchive
• https://pages.nist.gov/800-63-3/sp800-63b.html - webarchive

Associated metadata

Metadata key	Value
external_id	T1110

Query Registry Mitigation - T1012

Identify unnecessary system utilities or potentially malicious software that may be used to acquire information within the Registry, and audit and/or block them by using whitelisting (Citation: Beechey 2010) tools, like AppLocker, (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) or Software Restriction Policies (Citation: Corio 2008) where appropriate. (Citation: TechNet Applocker vs SRP)

Internal MISP references

UUID 0640214c-95af-4c04-a574-2a1ba6dda00b which can be used as unique global reference for Query Registry Mitigation - T1012 in MISP communities and other software using the MISP galaxy

External references

• http://blog.jpcert.or.jp/2016/01/windows-commands-abused-by-attackers.html - webarchive
• http://technet.microsoft.com/en-us/magazine/2008.06.srp.aspx - webarchive
• http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599 - webarchive
• https://apps.nsa.gov/iaarchive/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm - webarchive
• https://attack.mitre.org/mitigations/T1012 - webarchive
• https://technet.microsoft.com/en-us/library/ee791851.aspx - webarchive

Associated metadata

Metadata key	Value
external_id	T1012

Web Service Mitigation - T1102

Firewalls and Web proxies can be used to enforce external network communication policy. It may be difficult for an organization to block particular services because so many of them are commonly used during the course of business.

Network intrusion detection and prevention systems that use network signatures to identify traffic for specific adversary malware can be used to mitigate activity at the network level. Signatures are often for unique indicators within protocols and may be based on the specific protocol or encoded commands used by a particular adversary or tool, and will likely be different across various malware families and versions. Adversaries will likely change tool C2 signatures over time or construct protocols in such a way as to avoid detection by common defensive tools. (Citation: University of Birmingham C2)

Internal MISP references

UUID 4689b9fb-dca4-473e-831b-34717ad50c97 which can be used as unique global reference for Web Service Mitigation - T1102 in MISP communities and other software using the MISP galaxy

External references

• https://arxiv.org/ftp/arxiv/papers/1408/1408.1136.pdf - webarchive
• https://attack.mitre.org/mitigations/T1102 - webarchive

Associated metadata

Metadata key	Value
external_id	T1102

Application Developer Guidance - M1013

This mitigation describes any guidance or training given to developers of applications to avoid introducing security weaknesses that an adversary may be able to take advantage of.

Internal MISP references

UUID 25dc1ce8-eb55-4333-ae30-a7cb4f5894a1 which can be used as unique global reference for Application Developer Guidance - M1013 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/mitigations/M1013 - webarchive

Associated metadata

Metadata key	Value
external_id	M1013

Related clusters

To see the related clusters, click here.

AppInit DLLs Mitigation - T1103

Upgrade to Windows 8 or later and enable secure boot.

Identify and block potentially malicious software that may be executed through AppInit DLLs by using whitelisting (Citation: Beechey 2010) tools, like AppLocker, (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) that are capable of auditing and/or blocking unknown DLLs.

Internal MISP references

UUID 10571bf2-8073-4edf-a71c-23bad225532e which can be used as unique global reference for AppInit DLLs Mitigation - T1103 in MISP communities and other software using the MISP galaxy

External references

• http://blog.jpcert.or.jp/2016/01/windows-commands-abused-by-attackers.html - webarchive
• http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599 - webarchive
• https://apps.nsa.gov/iaarchive/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm - webarchive
• https://attack.mitre.org/mitigations/T1103 - webarchive

Associated metadata

Metadata key	Value
external_id	T1103

Network Intrusion Prevention - M1031

Use intrusion detection signatures to block traffic at network boundaries.

Internal MISP references

UUID 12241367-a8b7-49b4-b86e-2236901ba50c which can be used as unique global reference for Network Intrusion Prevention - M1031 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/mitigations/M1031 - webarchive

Associated metadata

Metadata key	Value
external_id	M1031

Related clusters

To see the related clusters, click here.

Port Monitors Mitigation - T1013

Identify and block potentially malicious software that may persist in this manner by using whitelisting (Citation: Beechey 2010) tools capable of monitoring DLL loads by processes running under SYSTEM permissions.

Internal MISP references

UUID 1c6bc7f3-d517-4971-aed4-8f939090846b which can be used as unique global reference for Port Monitors Mitigation - T1013 in MISP communities and other software using the MISP galaxy

External references

• http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599 - webarchive
• https://attack.mitre.org/mitigations/T1013 - webarchive

Associated metadata

Metadata key	Value
external_id	T1013

Encrypt Sensitive Information - M1041

Protect sensitive information with strong encryption.

Internal MISP references

UUID feff9142-e8c2-46f4-842b-bd6fb3d41157 which can be used as unique global reference for Encrypt Sensitive Information - M1041 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/mitigations/M1041 - webarchive

Associated metadata

Metadata key	Value
external_id	M1041

Related clusters

To see the related clusters, click here.

Active Directory Configuration - M1015

Configure Active Directory to prevent use of certain techniques; use SID Filtering, etc.

Internal MISP references

UUID e3388c78-2a8d-47c2-8422-c1398b324462 which can be used as unique global reference for Active Directory Configuration - M1015 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/mitigations/M1015 - webarchive

Associated metadata

Metadata key	Value
external_id	M1015

Related clusters

To see the related clusters, click here.

Accessibility Features Mitigation - T1015

To use this technique remotely, an adversary must use it in conjunction with RDP. Ensure that Network Level Authentication is enabled to force the remote desktop session to authenticate before the session is created and the login screen displayed. It is enabled by default on Windows Vista and later. (Citation: TechNet RDP NLA)

If possible, use a Remote Desktop Gateway to manage connections and security configuration of RDP within a network. (Citation: TechNet RDP Gateway)

Identify and block potentially malicious software that may be executed by an adversary with this technique by using whitelisting (Citation: Beechey 2010) tools, like AppLocker, (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) or Software Restriction Policies (Citation: Corio 2008) where appropriate. (Citation: TechNet Applocker vs SRP)

Internal MISP references

UUID c085476e-1964-4d7f-86e1-d8657a7741e8 which can be used as unique global reference for Accessibility Features Mitigation - T1015 in MISP communities and other software using the MISP galaxy

External references

• http://technet.microsoft.com/en-us/magazine/2008.06.srp.aspx - webarchive
• http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599 - webarchive
• https://apps.nsa.gov/iaarchive/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm - webarchive
• https://attack.mitre.org/mitigations/T1015 - webarchive
• https://blogs.jpcert.or.jp/en/2016/01/windows-commands-abused-by-attackers.html - webarchive
• https://technet.microsoft.com/en-us/library/cc731150.aspx - webarchive
• https://technet.microsoft.com/en-us/library/cc732713.aspx - webarchive
• https://technet.microsoft.com/en-us/library/ee791851.aspx - webarchive

Associated metadata

Metadata key	Value
external_id	T1015

Plist Modification Mitigation - T1150

Prevent plist files from being modified by users by making them read-only.

Internal MISP references

UUID 2d704e56-e689-4011-b989-bf4e025a8727 which can be used as unique global reference for Plist Modification Mitigation - T1150 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/mitigations/T1150 - webarchive

Associated metadata

Metadata key	Value
external_id	T1150

Systemd Service Mitigation - T1501

The creation and modification of systemd service unit files is generally reserved for administrators such as the Linux root user and other users with superuser privileges. Limit user access to system utilities such as systemctl to only users who have a legitimate need. Restrict read/write access to systemd unit files to only select privileged users who have a legitimate need to manage system services. Additionally, the installation of software commonly adds and changes systemd service unit files. Restrict software installation to trusted repositories only and be cautious of orphaned software packages. Utilize malicious code protection and application whitelisting to mitigate the ability of malware to create or modify systemd services.

Internal MISP references

UUID 83130e62-bca6-4a81-bd4b-8e233bd49db6 which can be used as unique global reference for Systemd Service Mitigation - T1501 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/mitigations/T1501 - webarchive

Associated metadata

Metadata key	Value
external_id	T1501

Shared Webroot Mitigation - T1051

Networks that allow for open development and testing of Web content and allow users to set up their own Web servers on the enterprise network may be particularly vulnerable if the systems and Web servers are not properly secured to limit privileged account use, unauthenticated network share access, and network/system isolation.

Ensure proper permissions on directories that are accessible through a Web server. Disallow remote access to the webroot or other directories used to serve Web content. Disable execution on directories within the webroot. Ensure that permissions of the Web server process are only what is required by not using built-in accounts; instead, create specific accounts to limit unnecessary access or permissions overlap across multiple systems. (Citation: acunetix Server Secuirty) (Citation: NIST Server Security July 2008)

Internal MISP references

UUID 43b366a4-b5ff-4d4e-8a3b-f09a9d2faff5 which can be used as unique global reference for Shared Webroot Mitigation - T1051 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/mitigations/T1051 - webarchive
• https://nvlpubs.nist.gov/nistpubs/legacy/sp/nistspecialpublication800-123.pdf - webarchive
• https://www.acunetix.com/websitesecurity/webserver-security/ - webarchive

Associated metadata

Metadata key	Value
external_id	T1051

Launch Daemon Mitigation - T1160

Limit privileges of user accounts and remediate Privilege Escalation vectors so only authorized administrators can create new Launch Daemons.

Internal MISP references

UUID 402e92cd-5608-4f4b-9a34-a2c962e4bcd7 which can be used as unique global reference for Launch Daemon Mitigation - T1160 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/mitigations/T1160 - webarchive

Associated metadata

Metadata key	Value
external_id	T1160

File Deletion Mitigation - T1107

Identify unnecessary system utilities, third-party tools, or potentially malicious software that may be used to delete files, and audit and/or block them by using whitelisting (Citation: Beechey 2010) tools like AppLocker (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) or Software Restriction Policies (Citation: Corio 2008) where appropriate. (Citation: TechNet Applocker vs SRP)

Internal MISP references

UUID 34efb2fd-4dc2-40d4-a564-0c147c85034d which can be used as unique global reference for File Deletion Mitigation - T1107 in MISP communities and other software using the MISP galaxy

External references

• http://blog.jpcert.or.jp/2016/01/windows-commands-abused-by-attackers.html - webarchive
• http://technet.microsoft.com/en-us/magazine/2008.06.srp.aspx - webarchive
• http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599 - webarchive
• https://apps.nsa.gov/iaarchive/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm - webarchive
• https://attack.mitre.org/mitigations/T1107 - webarchive
• https://technet.microsoft.com/en-us/library/ee791851.aspx - webarchive

Associated metadata

Metadata key	Value
external_id	T1107

User Account Management - M1018

Manage the creation, modification, use, and permissions associated to user accounts.

Internal MISP references

UUID 93e7968a-9074-4eac-8ae9-9f5200ec3317 which can be used as unique global reference for User Account Management - M1018 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/mitigations/M1018 - webarchive

Associated metadata

Metadata key	Value
external_id	M1018

Related clusters

To see the related clusters, click here.

Redundant Access Mitigation - T1108

Identify and block potentially malicious software that may be used as a remote access tool, and audit and/or block it by using whitelisting (Citation: Beechey 2010) tools, like AppLocker, (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) or Software Restriction Policies (Citation: Corio 2008) where appropriate. (Citation: TechNet Applocker vs SRP)

Network intrusion detection and prevention systems that use network signatures to identify traffic for specific adversary malware can be used to mitigate activity at the network level. Signatures are often for unique indicators within protocols and will be different across various malware families and versions. Adversaries will likely change tool signatures over time or construct protocols in such a way as to avoid detection by common defensive tools. (Citation: University of Birmingham C2)

Internal MISP references

UUID f9b3e5d9-7454-4b7d-bce6-27620e19924e which can be used as unique global reference for Redundant Access Mitigation - T1108 in MISP communities and other software using the MISP galaxy

External references

• http://technet.microsoft.com/en-us/magazine/2008.06.srp.aspx - webarchive
• http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599 - webarchive
• https://apps.nsa.gov/iaarchive/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm - webarchive
• https://arxiv.org/ftp/arxiv/papers/1408/1408.1136.pdf - webarchive
• https://attack.mitre.org/mitigations/T1108 - webarchive
• https://blogs.jpcert.or.jp/en/2016/01/windows-commands-abused-by-attackers.html - webarchive
• https://technet.microsoft.com/en-us/library/ee791851.aspx - webarchive

Associated metadata

Metadata key	Value
external_id	T1108

Component Firmware Mitigation - T1109

Prevent adversary access to privileged accounts or access necessary to perform this technique.

Consider removing and replacing system components suspected of being compromised.

Internal MISP references

UUID 676975b9-7e8e-463d-a31e-4ed2ecbfed81 which can be used as unique global reference for Component Firmware Mitigation - T1109 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/mitigations/T1109 - webarchive

Associated metadata

Metadata key	Value
external_id	T1109

System Firmware Mitigation - T1019

Prevent adversary access to privileged accounts or access necessary to perform this technique. Check the integrity of the existing BIOS or EFI to determine if it is vulnerable to modification. Patch the BIOS and EFI as necessary. Use Trusted Platform Module technology. (Citation: TCG Trusted Platform Module)

Internal MISP references

UUID 25e53928-6f33-49b7-baee-8180578286f6 which can be used as unique global reference for System Firmware Mitigation - T1019 in MISP communities and other software using the MISP galaxy

External references

• http://www.trustedcomputinggroup.org/wp-content/uploads/Trusted-Platform-Module-Summary_04292008.pdf - webarchive
• https://attack.mitre.org/mitigations/T1019 - webarchive

Associated metadata

Metadata key	Value
external_id	T1019

Threat Intelligence Program - M1019

A threat intelligence program helps an organization generate their own threat intelligence information and track trends to inform defensive priorities to mitigate risk.

Internal MISP references

UUID 874c0166-e407-45c2-a1d9-e4e3a6570fd8 which can be used as unique global reference for Threat Intelligence Program - M1019 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/mitigations/M1019 - webarchive

Associated metadata

Metadata key	Value
external_id	M1019

Related clusters

To see the related clusters, click here.

Data Encrypted Mitigation - T1022

Identify unnecessary system utilities, third-party tools, or potentially malicious software that may be used to encrypt files, and audit and/or block them by using whitelisting (Citation: Beechey 2010) tools, like AppLocker, (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) or Software Restriction Policies (Citation: Corio 2008) where appropriate. (Citation: TechNet Applocker vs SRP)

Internal MISP references

UUID 2a8de25c-f743-4348-b101-3ee33ab5871b which can be used as unique global reference for Data Encrypted Mitigation - T1022 in MISP communities and other software using the MISP galaxy

External references

• http://technet.microsoft.com/en-us/magazine/2008.06.srp.aspx - webarchive
• http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599 - webarchive
• https://apps.nsa.gov/iaarchive/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm - webarchive
• https://attack.mitre.org/mitigations/T1022 - webarchive
• https://blogs.jpcert.or.jp/en/2016/01/windows-commands-abused-by-attackers.html - webarchive
• https://technet.microsoft.com/en-us/library/ee791851.aspx - webarchive

Associated metadata

Metadata key	Value
external_id	T1022

Shortcut Modification Mitigation - T1023

Limit permissions for who can create symbolic links in Windows to appropriate groups such as Administrators and necessary groups for virtualization. This can be done through GPO: Computer Configuration > [Policies] > Windows Settings > Security Settings > Local Policies > User Rights Assignment: Create symbolic links. (Citation: UCF STIG Symbolic Links)

Identify and block unknown, potentially malicious software that may be executed through shortcut modification by using whitelisting (Citation: Beechey 2010) tools, like AppLocker, (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) or Software Restriction Policies (Citation: Corio 2008) where appropriate. (Citation: TechNet Applocker vs SRP)

Internal MISP references

UUID a13e35cc-8c90-4d77-a965-5461042c1612 which can be used as unique global reference for Shortcut Modification Mitigation - T1023 in MISP communities and other software using the MISP galaxy

External references

• http://blog.jpcert.or.jp/2016/01/windows-commands-abused-by-attackers.html - webarchive
• http://technet.microsoft.com/en-us/magazine/2008.06.srp.aspx - webarchive
• http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599 - webarchive
• https://apps.nsa.gov/iaarchive/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm - webarchive
• https://attack.mitre.org/mitigations/T1023 - webarchive
• https://technet.microsoft.com/en-us/library/ee791851.aspx - webarchive
• https://www.stigviewer.com/stig/windows_server_2008_r2_member_server/2015-06-25/finding/V-26482 - webarchive

Associated metadata

Metadata key	Value
external_id	T1023

User Execution Mitigation - T1204

Use user training as a way to bring awareness to common phishing and spearphishing techniques and how to raise suspicion for potentially malicious events. Application whitelisting may be able to prevent the running of executables masquerading as other files.

If a link is being visited by a user, block unknown or unused files in transit by default that should not be downloaded or by policy from suspicious sites as a best practice to prevent some vectors, such as .scr, .exe, .lnk, .pif, .cpl, etc. Some download scanning devices can open and analyze compressed and encrypted formats, such as zip and RAR that may be used to conceal malicious files in Obfuscated Files or Information.

If a link is being visited by a user, network intrusion prevention systems and systems designed to scan and remove malicious downloads can be used to block activity. Solutions can be signature and behavior based, but adversaries may construct files in a way to avoid these systems.

Internal MISP references

UUID 548bf7ad-e19c-4d74-84bf-84ac4e57f505 which can be used as unique global reference for User Execution Mitigation - T1204 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/mitigations/T1204 - webarchive

Associated metadata

Metadata key	Value
external_id	T1204

Restrict Registry Permissions - M1024

Restrict the ability to modify certain hives or keys in the Windows Registry.

Internal MISP references

UUID a2c36a5d-4058-475e-8e77-fff75e50d3b9 which can be used as unique global reference for Restrict Registry Permissions - M1024 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/mitigations/M1024 - webarchive

Associated metadata

Metadata key	Value
external_id	M1024

Related clusters

To see the related clusters, click here.

User Account Control - M1052

Configure Windows User Account Control to mitigate risk of adversaries obtaining elevated process access.

Internal MISP references

UUID 2c2ad92a-d710-41ab-a996-1db143bb4808 which can be used as unique global reference for User Account Control - M1052 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/mitigations/M1052 - webarchive

Associated metadata

Metadata key	Value
external_id	M1052

Related clusters

To see the related clusters, click here.

Privileged Process Integrity - M1025

Protect processes with high privileges that can be used to interact with critical system components through use of protected process light, anti-process injection defenses, or other process integrity enforcement measures.

Internal MISP references

UUID 72dade3e-1cba-4182-b3b3-a77ca52f02a1 which can be used as unique global reference for Privileged Process Integrity - M1025 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/mitigations/M1025 - webarchive

Associated metadata

Metadata key	Value
external_id	M1025

Related clusters

To see the related clusters, click here.

Port Knocking Mitigation - T1205

Mitigation of some variants of this technique could be achieved through the use of stateful firewalls, depending upon how it is implemented.

Internal MISP references

UUID f6b7c116-0821-4eb7-9b24-62bd09b3e575 which can be used as unique global reference for Port Knocking Mitigation - T1205 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/mitigations/T1205 - webarchive

Associated metadata

Metadata key	Value
external_id	T1205

Privileged Account Management - M1026

Manage the creation, modification, use, and permissions associated to privileged accounts, including SYSTEM and root.

Internal MISP references

UUID 9bb9e696-bff8-4ae1-9454-961fc7d91d5f which can be used as unique global reference for Privileged Account Management - M1026 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/mitigations/M1026 - webarchive

Associated metadata

Metadata key	Value
external_id	M1026

Related clusters

To see the related clusters, click here.

Multiband Communication Mitigation - T1026

Network intrusion detection and prevention systems that use network signatures to identify traffic for specific adversary malware can be used to mitigate activity at the network level. Signatures are often for unique indicators within protocols and may be based on the specific protocol used by a particular adversary or tool, and will likely be different across various malware families and versions. Adversaries will likely change tool C2 signatures over time or construct protocols in such a way as to avoid detection by common defensive tools. (Citation: University of Birmingham C2)

Internal MISP references

UUID da987565-27b6-4b31-bbcd-74b909847116 which can be used as unique global reference for Multiband Communication Mitigation - T1026 in MISP communities and other software using the MISP galaxy

External references

• https://arxiv.org/ftp/arxiv/papers/1408/1408.1136.pdf - webarchive
• https://attack.mitre.org/mitigations/T1026 - webarchive

Associated metadata

Metadata key	Value
external_id	T1026

Sudo Caching Mitigation - T1206

Setting the timestamp_timeout to 0 will require the user to input their password every time sudo is executed. Similarly, ensuring that the tty_tickets setting is enabled will prevent this leakage across tty sessions.

Internal MISP references

UUID dbf0186e-722d-4a0a-af6a-b3460f162f84 which can be used as unique global reference for Sudo Caching Mitigation - T1206 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/mitigations/T1206 - webarchive

Associated metadata

Metadata key	Value
external_id	T1206

Operating System Configuration - M1028

Make configuration changes related to the operating system or a common feature of the operating system that result in system hardening against techniques.

Internal MISP references

UUID 2f316f6c-ae42-44fe-adf8-150989e0f6d3 which can be used as unique global reference for Operating System Configuration - M1028 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/mitigations/M1028 - webarchive

Associated metadata

Metadata key	Value
external_id	M1028

Related clusters

To see the related clusters, click here.

Remote Data Storage - M1029

Use remote security log and sensitive file storage where access can be controlled better to prevent exposure of intrusion detection log data or sensitive information.

Internal MISP references

UUID 20a2baeb-98c2-4901-bad7-dc62d0a03dea which can be used as unique global reference for Remote Data Storage - M1029 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/mitigations/M1029 - webarchive

Associated metadata

Metadata key	Value
external_id	M1029

Related clusters

To see the related clusters, click here.

Time Providers Mitigation - T1209

Identify and block potentially malicious software that may be executed as a time provider by using whitelisting (Citation: Beechey 2010) tools, like AppLocker, (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) that are capable of auditing and/or blocking unknown DLLs.

Consider using Group Policy to configure and block subsequent modifications to W32Time parameters. (Citation: Microsoft W32Time May 2017)

Internal MISP references

UUID a1482e43-f3ff-4fbd-94de-ad1244738166 which can be used as unique global reference for Time Providers Mitigation - T1209 in MISP communities and other software using the MISP galaxy

External references

• http://blog.jpcert.or.jp/2016/01/windows-commands-abused-by-attackers.html - webarchive
• http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599 - webarchive
• https://apps.nsa.gov/iaarchive/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm - webarchive
• https://attack.mitre.org/mitigations/T1209 - webarchive
• https://docs.microsoft.com/windows-server/networking/windows-time-service/windows-time-service-tools-and-settings - webarchive

Associated metadata

Metadata key	Value
external_id	T1209

Scheduled Transfer Mitigation - T1029

Network intrusion detection and prevention systems that use network signatures to identify traffic for specific adversary command and control infrastructure and malware can be used to mitigate activity at the network level. Signatures are often for unique indicators within protocols and may be based on the specific obfuscation technique used by a particular adversary or tool, and will likely be different across various malware families and versions. Adversaries will likely change tool command and control signatures over time or construct protocols in such a way to avoid detection by common defensive tools. (Citation: University of Birmingham C2)

Internal MISP references

UUID 1c0711c8-2a73-48a1-893d-ff88bcd23824 which can be used as unique global reference for Scheduled Transfer Mitigation - T1029 in MISP communities and other software using the MISP galaxy

External references

• https://arxiv.org/ftp/arxiv/papers/1408/1408.1136.pdf - webarchive
• https://attack.mitre.org/mitigations/T1029 - webarchive

Associated metadata

Metadata key	Value
external_id	T1029

Limit Software Installation - M1033

Block users or groups from installing unapproved software.

Internal MISP references

UUID 23843cff-f7b9-4659-a7b7-713ef347f547 which can be used as unique global reference for Limit Software Installation - M1033 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/mitigations/M1033 - webarchive

Associated metadata

Metadata key	Value
external_id	M1033

Related clusters

To see the related clusters, click here.

Credential Access Protection - M1043

Use capabilities to prevent successful credential access by adversaries; including blocking forms of credential dumping.

Internal MISP references

UUID 49c06d54-9002-491d-9147-8efb537fbd26 which can be used as unique global reference for Credential Access Protection - M1043 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/mitigations/M1043 - webarchive

Associated metadata

Metadata key	Value
external_id	M1043

Related clusters

To see the related clusters, click here.

Limit Hardware Installation - M1034

Block users or groups from installing or using unapproved hardware on systems, including USB devices.

Internal MISP references

UUID 2995bc22-2851-4345-ad19-4e7e295be264 which can be used as unique global reference for Limit Hardware Installation - M1034 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/mitigations/M1034 - webarchive

Associated metadata

Metadata key	Value
external_id	M1034

Related clusters

To see the related clusters, click here.

Path Interception Mitigation - T1034

Eliminate path interception weaknesses in program configuration files, scripts, the PATH environment variable, services, and in shortcuts by surrounding PATH variables with quotation marks when functions allow for them (Citation: Microsoft CreateProcess). Be aware of the search order Windows uses for executing or loading binaries and use fully qualified paths wherever appropriate (Citation: MSDN DLL Security). Clean up old Windows Registry keys when software is uninstalled to avoid keys with no associated legitimate binaries.

Periodically search for and correct or report path interception weaknesses on systems that may have been introduced using custom or available tools that report software using insecure path configurations (Citation: Kanthak Sentinel).

Require that all executables be placed in write-protected directories. Ensure that proper permissions and directory access control are set to deny users the ability to write files to the top-level directory C: and system directories, such as C:\Windows\, to reduce places where malicious files could be placed for execution.

Identify and block potentially malicious software that may be executed through the path interception by using whitelisting (Citation: Beechey 2010) tools, like AppLocker (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) or Software Restriction Policies, (Citation: Corio 2008) that are capable of auditing and/or blocking unknown executables.

Internal MISP references

UUID e0703d4f-3972-424a-8277-84004817e024 which can be used as unique global reference for Path Interception Mitigation - T1034 in MISP communities and other software using the MISP galaxy

External references

• http://msdn.microsoft.com/en-us/library/ms682425 - webarchive
• http://technet.microsoft.com/en-us/magazine/2008.06.srp.aspx - webarchive
• http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599 - webarchive
• https://apps.nsa.gov/iaarchive/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm - webarchive
• https://attack.mitre.org/mitigations/T1034 - webarchive
• https://blogs.jpcert.or.jp/en/2016/01/windows-commands-abused-by-attackers.html - webarchive
• https://msdn.microsoft.com/en-us/library/ff919712.aspx - webarchive
• https://skanthak.homepage.t-online.de/sentinel.html - webarchive

Associated metadata

Metadata key	Value
external_id	T1034

Service Execution Mitigation - T1035

Ensure that permissions disallow services that run at a higher permissions level from being created or interacted with by a user with a lower permission level. Also ensure that high permission level service binaries cannot be replaced or modified by users with a lower permission level.

Identify unnecessary system utilities or potentially malicious software that may be used to interact with Windows services, and audit and/or block them by using whitelisting (Citation: Beechey 2010) tools, like AppLocker, (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) or Software Restriction Policies (Citation: Corio 2008) where appropriate. (Citation: TechNet Applocker vs SRP)

Internal MISP references

UUID d5dce4b9-f1fa-4c03-aff9-ce177246cb64 which can be used as unique global reference for Service Execution Mitigation - T1035 in MISP communities and other software using the MISP galaxy

External references

• http://blog.jpcert.or.jp/2016/01/windows-commands-abused-by-attackers.html - webarchive
• http://technet.microsoft.com/en-us/magazine/2008.06.srp.aspx - webarchive
• http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599 - webarchive
• https://apps.nsa.gov/iaarchive/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm - webarchive
• https://attack.mitre.org/mitigations/T1035 - webarchive
• https://technet.microsoft.com/en-us/library/ee791851.aspx - webarchive

Associated metadata

Metadata key	Value
external_id	T1035

Scheduled Task Mitigation - T1053

Limit privileges of user accounts and remediate Privilege Escalation vectors so only authorized administrators can create scheduled tasks on remote systems. Toolkits like the PowerSploit framework contain PowerUp modules that can be used to explore systems for permission weaknesses in scheduled tasks that could be used to escalate privileges. (Citation: Powersploit)

Configure settings for scheduled tasks to force tasks to run under the context of the authenticated account instead of allowing them to run as SYSTEM. The associated Registry key is located at HKLM\SYSTEM\CurrentControlSet\Control\Lsa\SubmitControl. The setting can be configured through GPO: Computer Configuration > [Policies] > Windows Settings > Security Settings > Local Policies > Security Options: Domain Controller: Allow server operators to schedule tasks, set to disabled. (Citation: TechNet Server Operator Scheduled Task)

Configure the Increase Scheduling Priority option to only allow the Administrators group the rights to schedule a priority process. This can be can be configured through GPO: Computer Configuration > [Policies] > Windows Settings > Security Settings > Local Policies > User Rights Assignment: Increase scheduling priority. (Citation: TechNet Scheduling Priority)

Identify and block unnecessary system utilities or potentially malicious software that may be used to schedule tasks using whitelisting (Citation: Beechey 2010) tools, like AppLocker, (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) or Software Restriction Policies (Citation: Corio 2008) where appropriate. (Citation: TechNet Applocker vs SRP)

Internal MISP references

UUID f2cb6ce2-188d-4162-8feb-594f949b13dd which can be used as unique global reference for Scheduled Task Mitigation - T1053 in MISP communities and other software using the MISP galaxy

External references

• http://technet.microsoft.com/en-us/magazine/2008.06.srp.aspx - webarchive
• http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599 - webarchive
• https://apps.nsa.gov/iaarchive/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm - webarchive
• https://attack.mitre.org/mitigations/T1053 - webarchive
• https://blogs.jpcert.or.jp/en/2016/01/windows-commands-abused-by-attackers.html - webarchive
• https://github.com/mattifestation/PowerSploit - webarchive
• https://technet.microsoft.com/en-us/library/ee791851.aspx - webarchive
• https://technet.microsoft.com/library/dn221960.aspx - webarchive
• https://technet.microsoft.com/library/jj852168.aspx - webarchive

Associated metadata

Metadata key	Value
external_id	T1053

Account Use Policies - M1036

Configure features related to account use like login attempt lockouts, specific login times, etc.

Internal MISP references

UUID f9f9e6ef-bc0a-41ad-ba11-0924e5e84c4c which can be used as unique global reference for Account Use Policies - M1036 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/mitigations/M1036 - webarchive

Associated metadata

Metadata key	Value
external_id	M1036

Related clusters

To see the related clusters, click here.

Filter Network Traffic - M1037

Use network appliances to filter ingress or egress traffic and perform protocol-based filtering. Configure software on endpoints to filter network traffic.

Internal MISP references

UUID 20f6a9df-37c4-4e20-9e47-025983b1b39d which can be used as unique global reference for Filter Network Traffic - M1037 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/mitigations/M1037 - webarchive

Associated metadata

Metadata key	Value
external_id	M1037

Related clusters

To see the related clusters, click here.

Logon Scripts Mitigation - T1037

Restrict write access to logon scripts to specific administrators. Prevent access to administrator accounts by mitigating Credential Access techniques and limiting account access and permissions of Valid Accounts.

Identify and block potentially malicious software that may be executed through logon script modification by using whitelisting (Citation: Beechey 2010) tools like AppLocker (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) that are capable of auditing and/or blocking unknown programs.

Internal MISP references

UUID 9ab7de33-99b2-4d8d-8cf3-182fa0015cc2 which can be used as unique global reference for Logon Scripts Mitigation - T1037 in MISP communities and other software using the MISP galaxy

External references

• http://blog.jpcert.or.jp/2016/01/windows-commands-abused-by-attackers.html - webarchive
• http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599 - webarchive
• https://apps.nsa.gov/iaarchive/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm - webarchive
• https://attack.mitre.org/mitigations/T1037 - webarchive

Associated metadata

Metadata key	Value
external_id	T1037

Environment Variable Permissions - M1039

Prevent modification of environment variables by unauthorized users and groups.

Internal MISP references

UUID 609191bf-7d06-40e4-b1f8-9e11eb3ff8a6 which can be used as unique global reference for Environment Variable Permissions - M1039 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/mitigations/M1039 - webarchive

Associated metadata

Metadata key	Value
external_id	M1039

Related clusters

To see the related clusters, click here.

Process Hollowing Mitigation - T1093

This type of attack technique cannot be easily mitigated with preventive controls since it is based on the abuse of operating system design features. For example, mitigating specific API calls will likely have unintended side effects, such as preventing legitimate software (i.e., security products) from operating properly. Efforts should be focused on preventing adversary tools from running earlier in the chain of activity and on identifying subsequent malicious behavior.

Although process hollowing may be used to evade certain types of defenses, it is still good practice to identify potentially malicious software that may be used to perform adversarial actions and audit and/or block it by using whitelisting (Citation: Beechey 2010) tools, like AppLocker, (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) or Software Restriction Policies (Citation: Corio 2008) where appropriate. (Citation: TechNet Applocker vs SRP)

Internal MISP references

UUID 7c39ebbf-244e-4d1c-b0ac-b282453ece43 which can be used as unique global reference for Process Hollowing Mitigation - T1093 in MISP communities and other software using the MISP galaxy

External references

• http://technet.microsoft.com/en-us/magazine/2008.06.srp.aspx - webarchive
• http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599 - webarchive
• https://apps.nsa.gov/iaarchive/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm - webarchive
• https://attack.mitre.org/mitigations/T1093 - webarchive
• https://blogs.jpcert.or.jp/en/2016/01/windows-commands-abused-by-attackers.html - webarchive
• https://technet.microsoft.com/en-us/library/ee791851.aspx - webarchive

Associated metadata

Metadata key	Value
external_id	T1093

Restrict Library Loading - M1044

Prevent abuse of library loading mechanisms in the operating system and software to load untrusted code by configuring appropriate library loading mechanisms and investigating potential vulnerable software.

Internal MISP references

UUID e8242a33-481c-4891-af63-4cf3e4cf6aff which can be used as unique global reference for Restrict Library Loading - M1044 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/mitigations/M1044 - webarchive

Associated metadata

Metadata key	Value
external_id	M1044

Related clusters

To see the related clusters, click here.

Indicator Blocking Mitigation - T1054

Ensure event tracers/forwarders (Citation: Microsoft ETW May 2018), firewall policies, and other associated mechanisms are secured with appropriate permissions and access controls. Consider automatically relaunching forwarding mechanisms at recurring intervals (ex: temporal, on-logon, etc.) as well as applying appropriate change management to firewall rules and other related system configurations.

Internal MISP references

UUID ec42d8be-f762-4127-80f4-f079ea6d7135 which can be used as unique global reference for Indicator Blocking Mitigation - T1054 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/mitigations/T1054 - webarchive
• https://docs.microsoft.com/windows/desktop/etw/event-tracing-portal - webarchive

Associated metadata

Metadata key	Value
external_id	T1054

Software Packing Mitigation - T1045

Ensure updated virus definitions. Create custom signatures for observed malware. Employ heuristic-based malware detection.

Identify and prevent execution of potentially malicious software that may have been packed by using whitelisting (Citation: Beechey 2010) tools like AppLocker (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) or Software Restriction Policies (Citation: Corio 2008) where appropriate. (Citation: TechNet Applocker vs SRP)

Internal MISP references

UUID c95c8b5c-b431-43c9-9557-f494805e2502 which can be used as unique global reference for Software Packing Mitigation - T1045 in MISP communities and other software using the MISP galaxy

External references

• http://blog.jpcert.or.jp/2016/01/windows-commands-abused-by-attackers.html - webarchive
• http://technet.microsoft.com/en-us/magazine/2008.06.srp.aspx - webarchive
• http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599 - webarchive
• https://apps.nsa.gov/iaarchive/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm - webarchive
• https://attack.mitre.org/mitigations/T1045 - webarchive
• https://technet.microsoft.com/en-us/library/ee791851.aspx - webarchive

Associated metadata

Metadata key	Value
external_id	T1045

Data Staged Mitigation - T1074

Identify system utilities, remote access or third-party tools, users or potentially malicious software that may be used to store compressed or encrypted data in a publicly writeable directory, central location, or commonly used staging directories (e.g. recycle bin) that is indicative of non-standard behavior, and audit and/or block them by using file integrity monitoring tools where appropriate. Consider applying data size limits or blocking file writes of common compression and encryption utilities such as 7zip, RAR, ZIP, or zlib on frequently used staging directories or central locations and monitor attempted violations of those restrictions.

Internal MISP references

UUID 4320b080-9ae9-4541-9b8b-bcd0961dbbbd which can be used as unique global reference for Data Staged Mitigation - T1074 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/mitigations/T1074 - webarchive

Associated metadata

Metadata key	Value
external_id	T1074

Environmental Keying Mitigation - T1480

This technique likely should not be mitigated with preventative controls because it may protect unintended targets from being compromised. If targeted, efforts should be focused on preventing adversary tools from running earlier in the chain of activity and on identifying subsequent malicious behavior if compromised.

Internal MISP references

UUID c61e2da1-f51f-424c-b152-dc930d4f2e70 which can be used as unique global reference for Environmental Keying Mitigation - T1480 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/mitigations/T1480 - webarchive

Associated metadata

Metadata key	Value
external_id	T1480

Do Not Mitigate - M1055

This category is to associate techniques that mitigation might increase risk of compromise and therefore mitigation is not recommended.

Internal MISP references

UUID 787fb64d-c87b-4ee5-a341-0ef17ec4c15c which can be used as unique global reference for Do Not Mitigate - M1055 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/mitigations/M1055 - webarchive

Associated metadata

Metadata key	Value
external_id	M1055

Related clusters

To see the related clusters, click here.

Data Loss Prevention - M1057

Use a data loss prevention (DLP) strategy to categorize sensitive data, identify data formats indicative of personal identifiable information (PII), and restrict exfiltration of sensitive data.(Citation: PurpleSec Data Loss Prevention)

Internal MISP references

UUID 65401701-019d-44ff-b223-08d520bb0e7b which can be used as unique global reference for Data Loss Prevention - M1057 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/mitigations/M1057 - webarchive
• https://purplesec.us/data-loss-prevention/ - webarchive

Associated metadata

Metadata key	Value
external_id	M1057

Related clusters

To see the related clusters, click here.

Process Discovery Mitigation - T1057

Identify unnecessary system utilities or potentially malicious software that may be used to acquire information about processes, and audit and/or block them by using whitelisting (Citation: Beechey 2010) tools, like AppLocker, (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) or Software Restriction Policies (Citation: Corio 2008) where appropriate. (Citation: TechNet Applocker vs SRP)

Internal MISP references

UUID f6469191-1814-4dbe-a081-2a6daf83a10b which can be used as unique global reference for Process Discovery Mitigation - T1057 in MISP communities and other software using the MISP galaxy

External references

• http://blog.jpcert.or.jp/2016/01/windows-commands-abused-by-attackers.html - webarchive
• http://technet.microsoft.com/en-us/magazine/2008.06.srp.aspx - webarchive
• http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599 - webarchive
• https://apps.nsa.gov/iaarchive/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm - webarchive
• https://attack.mitre.org/mitigations/T1057 - webarchive
• https://technet.microsoft.com/en-us/library/ee791851.aspx - webarchive

Associated metadata

Metadata key	Value
external_id	T1057

Do Not Mitigate - M1059

This category is to associate techniques that mitigation might increase risk of compromise and therefore mitigation is not recommended.

Internal MISP references

UUID 76a32151-5233-465f-a607-7e576c62c932 which can be used as unique global reference for Do Not Mitigate - M1059 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/mitigations/M1059 - webarchive

Associated metadata

Metadata key	Value
external_id	M1059

Related clusters

To see the related clusters, click here.

Account Discovery Mitigation - T1087

Prevent administrator accounts from being enumerated when an application is elevating through UAC since it can lead to the disclosure of account names. The Registry key is located HKLM\ SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CredUI\EnumerateAdministrators. It can be disabled through GPO: Computer Configuration > [Policies] > Administrative Templates > Windows Components > Credential User Interface: E numerate administrator accounts on elevation. (Citation: UCF STIG Elevation Account Enumeration)

Identify unnecessary system utilities or potentially malicious software that may be used to acquire information about system and domain accounts, and audit and/or block them by using whitelisting (Citation: Beechey 2010) tools, like AppLocker, (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) or Software Restriction Policies (Citation: Corio 2008) where appropriate. (Citation: TechNet Applocker vs SRP)

Internal MISP references

UUID 5c49bc54-9929-48ca-b581-7018219b5a97 which can be used as unique global reference for Account Discovery Mitigation - T1087 in MISP communities and other software using the MISP galaxy

External references

• http://technet.microsoft.com/en-us/magazine/2008.06.srp.aspx - webarchive
• http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599 - webarchive
• https://apps.nsa.gov/iaarchive/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm - webarchive
• https://attack.mitre.org/mitigations/T1087 - webarchive
• https://blogs.jpcert.or.jp/en/2016/01/windows-commands-abused-by-attackers.html - webarchive
• https://technet.microsoft.com/en-us/library/ee791851.aspx - webarchive
• https://www.stigviewer.com/stig/microsoft_windows_server_2012_member_server/2013-07-25/finding/WN12-CC-000077 - webarchive

Associated metadata

Metadata key	Value
external_id	T1087

Valid Accounts Mitigation - T1078

Take measures to detect or prevent techniques such as OS Credential Dumping or installation of keyloggers to acquire credentials through Input Capture. Limit credential overlap across systems to prevent access if account credentials are obtained. Ensure that local administrator accounts have complex, unique passwords across all systems on the network. Do not put user or admin domain accounts in the local administrator groups across systems unless they are tightly controlled and use of accounts is segmented, as this is often equivalent to having a local administrator account with the same password on all systems.

Follow best practices for design and administration of an enterprise network to limit privileged account use across administrative tiers. (Citation: Microsoft Securing Privileged Access)

Audit domain and local accounts as well as their permission levels routinely to look for situations that could allow an adversary to gain wide access by obtaining credentials of a privileged account. (Citation: TechNet Credential Theft) (Citation: TechNet Least Privilege) These audits should also include if default accounts have been enabled, or if new local accounts are created that have not be authorized.

Applications and appliances that utilize default username and password should be changed immediately after the installation, and before deployment to a production environment. (Citation: US-CERT Alert TA13-175A Risks of Default Passwords on the Internet) When possible, applications that use SSH keys should be updated periodically and properly secured.

Internal MISP references

UUID d45f03a8-790a-4f90-b956-cd7e5b8886bf which can be used as unique global reference for Valid Accounts Mitigation - T1078 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/mitigations/T1078 - webarchive
• https://docs.microsoft.com/en-us/windows-server/identity/securing-privileged-access/securing-privileged-access-reference-material#a-nameesaebmaesae-administrative-forest-design-approach - webarchive
• https://technet.microsoft.com/en-us/library/dn487450.aspx - webarchive
• https://technet.microsoft.com/en-us/library/dn535501.aspx - webarchive
• https://www.us-cert.gov/ncas/alerts/TA13-175A - webarchive

Associated metadata

Metadata key	Value
external_id	T1078

Multilayer Encryption Mitigation - T1079

Network intrusion detection and prevention systems that use network signatures to identify traffic for specific adversary malware can be used to mitigate activity at the network level. Use of encryption protocols may make typical network-based C2 detection more difficult due to a reduced ability to signature the traffic. Prior knowledge of adversary C2 infrastructure may be useful for domain and IP address blocking, but will likely not be an effective long-term solution because adversaries can change infrastructure often. (Citation: University of Birmingham C2)

Internal MISP references

UUID 24478001-2eb3-4b06-a02e-96b3d61d27ec which can be used as unique global reference for Multilayer Encryption Mitigation - T1079 in MISP communities and other software using the MISP galaxy

External references

• https://arxiv.org/ftp/arxiv/papers/1408/1408.1136.pdf - webarchive
• https://attack.mitre.org/mitigations/T1079 - webarchive

Associated metadata

Metadata key	Value
external_id	T1079

Modify Registry Mitigation - T1112

Misconfiguration of permissions in the Registry may lead to opportunities for an adversary to execute code, like through Service Registry Permissions Weakness. Ensure proper permissions are set for Registry hives to prevent users from modifying keys for system components that may lead to privilege escalation.

Identify and block unnecessary system utilities or potentially malicious software that may be used to modify the Registry by using whitelisting (Citation: Beechey 2010) tools like AppLocker (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) or Software Restriction Policies (Citation: Corio 2008) where appropriate. (Citation: TechNet Applocker vs SRP)

Internal MISP references

UUID ed202147-4026-4330-b5bd-1e8dfa8cf7cc which can be used as unique global reference for Modify Registry Mitigation - T1112 in MISP communities and other software using the MISP galaxy

External references

• http://blog.jpcert.or.jp/2016/01/windows-commands-abused-by-attackers.html - webarchive
• http://technet.microsoft.com/en-us/magazine/2008.06.srp.aspx - webarchive
• http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599 - webarchive
• https://apps.nsa.gov/iaarchive/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm - webarchive
• https://attack.mitre.org/mitigations/T1112 - webarchive
• https://technet.microsoft.com/en-us/library/ee791851.aspx - webarchive

Associated metadata

Metadata key	Value
external_id	T1112

Authentication Package Mitigation - T1131

Windows 8.1, Windows Server 2012 R2, and later versions, may make LSA run as a Protected Process Light (PPL) by setting the Registry key HKLM\SYSTEM\CurrentControlSet\Control\Lsa\RunAsPPL, which requires all DLLs loaded by LSA to be signed by Microsoft. (Citation: Graeber 2014) (Citation: Microsoft Configure LSA)

Internal MISP references

UUID 943d370b-2054-44df-8be2-ab4139bde1c5 which can be used as unique global reference for Authentication Package Mitigation - T1131 in MISP communities and other software using the MISP galaxy

External references

• http://docplayer.net/20839173-Analysis-of-malicious-security-support-provider-dlls.html - webarchive
• https://attack.mitre.org/mitigations/T1131 - webarchive
• https://technet.microsoft.com/en-us/library/dn408187.aspx - webarchive

Associated metadata

Metadata key	Value
external_id	T1131

Screen Capture Mitigation - T1113

Blocking software based on screen capture functionality may be difficult, and there may be legitimate software that performs those actions. Instead, identify potentially malicious software that may have functionality to acquire screen captures, and audit and/or block it by using whitelisting (Citation: Beechey 2010) tools, like AppLocker, (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) or Software Restriction Policies (Citation: Corio 2008) where appropriate. (Citation: TechNet Applocker vs SRP)

Internal MISP references

UUID 51b37302-b844-4c08-ac98-ae6955ed1f55 which can be used as unique global reference for Screen Capture Mitigation - T1113 in MISP communities and other software using the MISP galaxy

External references

• http://blog.jpcert.or.jp/2016/01/windows-commands-abused-by-attackers.html - webarchive
• http://technet.microsoft.com/en-us/magazine/2008.06.srp.aspx - webarchive
• http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599 - webarchive
• https://apps.nsa.gov/iaarchive/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm - webarchive
• https://attack.mitre.org/mitigations/T1113 - webarchive
• https://technet.microsoft.com/en-us/library/ee791851.aspx - webarchive

Associated metadata

Metadata key	Value
external_id	T1113

Email Collection Mitigation - T1114

Use of encryption provides an added layer of security to sensitive information sent over email. Encryption using public key cryptography requires the adversary to obtain the private certificate along with an encryption key to decrypt messages.

Use of two-factor authentication for public-facing webmail servers is also a recommended best practice to minimize the usefulness of user names and passwords to adversaries.

Identify unnecessary system utilities or potentially malicious software that may be used to collect email data files or access the corporate email server, and audit and/or block them by using whitelisting (Citation: Beechey 2010) tools, like AppLocker, (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) or Software Restriction Policies (Citation: Corio 2008) where appropriate. (Citation: TechNet Applocker vs SRP)

Internal MISP references

UUID 383caaa3-c46a-4f61-b2e3-653eb132f0e7 which can be used as unique global reference for Email Collection Mitigation - T1114 in MISP communities and other software using the MISP galaxy

External references

• http://technet.microsoft.com/en-us/magazine/2008.06.srp.aspx - webarchive
• http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599 - webarchive
• https://apps.nsa.gov/iaarchive/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm - webarchive
• https://attack.mitre.org/mitigations/T1114 - webarchive
• https://blogs.jpcert.or.jp/en/2016/01/windows-commands-abused-by-attackers.html - webarchive
• https://technet.microsoft.com/en-us/library/ee791851.aspx - webarchive

Associated metadata

Metadata key	Value
external_id	T1114

Input Prompt Mitigation - T1141

This technique exploits users' tendencies to always supply credentials when prompted, which makes it very difficult to mitigate. Use user training as a way to bring awareness and raise suspicion for potentially malicious events (ex: Office documents prompting for credentials).

Internal MISP references

UUID 8a61f6b9-6b7a-4cf2-8e08-f1e26434f6df which can be used as unique global reference for Input Prompt Mitigation - T1141 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/mitigations/T1141 - webarchive

Associated metadata

Metadata key	Value
external_id	T1141

Clipboard Data Mitigation - T1115

Instead of blocking software based on clipboard capture behavior, identify potentially malicious software that may contain this functionality, and audit and/or block it by using whitelisting (Citation: Beechey 2010) tools, like AppLocker, (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) or Software Restriction Policies (Citation: Corio 2008) where appropriate. (Citation: TechNet Applocker vs SRP)

Internal MISP references

UUID 19edfa02-1a5f-47e4-ad82-3288f57f64cf which can be used as unique global reference for Clipboard Data Mitigation - T1115 in MISP communities and other software using the MISP galaxy

External references

• http://technet.microsoft.com/en-us/magazine/2008.06.srp.aspx - webarchive
• http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599 - webarchive
• https://apps.nsa.gov/iaarchive/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm - webarchive
• https://attack.mitre.org/mitigations/T1115 - webarchive
• https://blogs.jpcert.or.jp/en/2016/01/windows-commands-abused-by-attackers.html - webarchive
• https://technet.microsoft.com/en-us/library/ee791851.aspx - webarchive

Associated metadata

Metadata key	Value
external_id	T1115

LC_LOAD_DYLIB Addition Mitigation - T1161

Enforce that all binaries be signed by the correct Apple Developer IDs, and whitelist applications via known hashes. Binaries can also be baselined for what dynamic libraries they require, and if an app requires a new dynamic library that wasn’t included as part of an update, it should be investigated.

Internal MISP references

UUID 77fd4d73-6b79-4593-82e7-e4a439cc7604 which can be used as unique global reference for LC_LOAD_DYLIB Addition Mitigation - T1161 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/mitigations/T1161 - webarchive

Associated metadata

Metadata key	Value
external_id	T1161

Code Signing Mitigation - T1116

Process whitelisting and trusted publishers to verify authenticity of software can help prevent signed malicious or untrusted code from executing on a system. (Citation: NSA MS AppLocker) (Citation: TechNet Trusted Publishers) (Citation: Securelist Digital Certificates)

Internal MISP references

UUID 82fbc58b-171d-4a2d-9a20-c6b2a716bd08 which can be used as unique global reference for Code Signing Mitigation - T1116 in MISP communities and other software using the MISP galaxy

External references

• https://apps.nsa.gov/iaarchive/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm - webarchive
• https://attack.mitre.org/mitigations/T1116 - webarchive
• https://securelist.com/why-you-shouldnt-completely-trust-files-signed-with-digital-certificates/68593/ - webarchive
• https://technet.microsoft.com/en-us/library/cc733026.aspx - webarchive

Associated metadata

Metadata key	Value
external_id	T1116

Automated Collection Mitigation - T1119

Encryption and off-system storage of sensitive information may be one way to mitigate collection of files, but may not stop an adversary from acquiring the information if an intrusion persists over a long period of time and the adversary is able to discover and access the data through other means. A keylogger installed on a system may be able to intercept passwords through Input Capture and be used to decrypt protected documents that an adversary may have collected. Strong passwords should be used to prevent offline cracking of encrypted documents through Brute Force techniques.

Identify unnecessary system utilities, third-party tools, or potentially malicious software that may be used to collect files and audit and/or block them by using whitelisting (Citation: Beechey 2010) tools, like AppLocker, (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) or Software Restriction Policies (Citation: Corio 2008) where appropriate. (Citation: TechNet Applocker vs SRP)

Internal MISP references

UUID 8bd1ae32-a686-48f4-a6f8-470287f76152 which can be used as unique global reference for Automated Collection Mitigation - T1119 in MISP communities and other software using the MISP galaxy

External references

• http://technet.microsoft.com/en-us/magazine/2008.06.srp.aspx - webarchive
• http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599 - webarchive
• https://apps.nsa.gov/iaarchive/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm - webarchive
• https://attack.mitre.org/mitigations/T1119 - webarchive
• https://blogs.jpcert.or.jp/en/2016/01/windows-commands-abused-by-attackers.html - webarchive
• https://technet.microsoft.com/en-us/library/ee791851.aspx - webarchive

Associated metadata

Metadata key	Value
external_id	T1119

Template Injection Mitigation - T1221

Consider disabling Microsoft Office macros/active content to prevent the execution of malicious payloads in documents (Citation: Microsoft Disable Macros), though this setting may not mitigate the Forced Authentication use for this technique.

Because this technique involves user interaction on the endpoint, it's difficult to fully mitigate. However, there are potential mitigations including training users to identify social engineering techniques and spearphishing emails. Network/Host intrusion prevention systems, antivirus, and detonation chambers can be employed to prevent documents from fetching and/or executing malicious payloads. (Citation: Anomali Template Injection MAR 2018)

Internal MISP references

UUID c7e49501-6021-414f-bfa1-94519d8ec314 which can be used as unique global reference for Template Injection Mitigation - T1221 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/mitigations/T1221 - webarchive
• https://forum.anomali.com/t/credential-harvesting-and-malicious-file-delivery-using-microsoft-office-template-injection/2104 - webarchive
• https://support.office.com/article/enable-or-disable-macros-in-office-files-12b036fd-d140-4e74-b45e-16fed1a7e5c6 - webarchive

Associated metadata

Metadata key	Value
external_id	T1221

Audio Capture Mitigation - T1123

Mitigating this technique specifically may be difficult as it requires fine-grained API control. Efforts should be focused on preventing unwanted or unknown code from executing on a system.

Identify and block potentially malicious software that may be used to record audio by using whitelisting (Citation: Beechey 2010) tools, like AppLocker, (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) or Software Restriction Policies (Citation: Corio 2008) where appropriate. (Citation: TechNet Applocker vs SRP)

Internal MISP references

UUID 16dd03c6-0dfb-4d77-89cd-9ff3ee6e533d which can be used as unique global reference for Audio Capture Mitigation - T1123 in MISP communities and other software using the MISP galaxy

External references

• http://blog.jpcert.or.jp/2016/01/windows-commands-abused-by-attackers.html - webarchive
• http://technet.microsoft.com/en-us/magazine/2008.06.srp.aspx - webarchive
• http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599 - webarchive
• https://apps.nsa.gov/iaarchive/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm - webarchive
• https://attack.mitre.org/mitigations/T1123 - webarchive
• https://technet.microsoft.com/en-us/library/ee791851.aspx - webarchive

Associated metadata

Metadata key	Value
external_id	T1123

Data Encoding Mitigation - T1132

Network intrusion detection and prevention systems that use network signatures to identify traffic for specific adversary malware can be used to mitigate activity at the network level. Signatures are often for unique indicators within protocols and may be based on the specific obfuscation technique used by a particular adversary or tool, and will likely be different across various malware families and versions. Adversaries will likely change tool C2 signatures over time or construct protocols in such a way as to avoid detection by common defensive tools. (Citation: University of Birmingham C2)

Internal MISP references

UUID fcbe8424-eb3e-4794-b76d-e743f5a49b8b which can be used as unique global reference for Data Encoding Mitigation - T1132 in MISP communities and other software using the MISP galaxy

External references

• https://arxiv.org/ftp/arxiv/papers/1408/1408.1136.pdf - webarchive
• https://attack.mitre.org/mitigations/T1132 - webarchive

Associated metadata

Metadata key	Value
external_id	T1132

Video Capture Mitigation - T1125

Mitigating this technique specifically may be difficult as it requires fine-grained API control. Efforts should be focused on preventing unwanted or unknown code from executing on a system.

Identify and block potentially malicious software that may be used to capture video and images by using whitelisting (Citation: Beechey 2010) tools, like AppLocker, (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) or Software Restriction Policies (Citation: Corio 2008) where appropriate. (Citation: TechNet Applocker vs SRP)

Internal MISP references

UUID d9f4b5fa-2a39-4bdf-b40a-ea998933cd6d which can be used as unique global reference for Video Capture Mitigation - T1125 in MISP communities and other software using the MISP galaxy

External references

• http://technet.microsoft.com/en-us/magazine/2008.06.srp.aspx - webarchive
• http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599 - webarchive
• https://apps.nsa.gov/iaarchive/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm - webarchive
• https://attack.mitre.org/mitigations/T1125 - webarchive
• https://blogs.jpcert.or.jp/en/2016/01/windows-commands-abused-by-attackers.html - webarchive
• https://technet.microsoft.com/en-us/library/ee791851.aspx - webarchive

Associated metadata

Metadata key	Value
external_id	T1125

Login Item Mitigation - T1162

Restrict users from being able to create their own login items. Additionally, holding the shift key during login prevents apps from opening automatically (Citation: Re-Open windows on Mac).

Internal MISP references

UUID 06824aa2-94a5-474c-97f6-57c2e983d885 which can be used as unique global reference for Login Item Mitigation - T1162 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/mitigations/T1162 - webarchive
• https://support.apple.com/en-us/HT204005 - webarchive

Associated metadata

Metadata key	Value
external_id	T1162

Domain Fronting Mitigation - T1172

If it is possible to inspect HTTPS traffic, the captures can be analyzed for connections that appear to be Domain Fronting.

In order to use domain fronting, attackers will likely need to deploy additional tools to compromised systems. (Citation: FireEye APT29 Domain Fronting With TOR March 2017) (Citation: Mandiant No Easy Breach) It may be possible to detect or prevent the installation of these tools with Host-based solutions.

Internal MISP references

UUID 62ae52c9-7197-4f5b-be1d-10d2e1df2c96 which can be used as unique global reference for Domain Fronting Mitigation - T1172 in MISP communities and other software using the MISP galaxy

External references

• http://www.slideshare.net/MatthewDunwoody1/no-easy-breach-derby-con-2016 - webarchive
• https://attack.mitre.org/mitigations/T1172 - webarchive
• https://www.fireeye.com/blog/threat-research/2017/03/apt29_domain_frontin.html - webarchive

Associated metadata

Metadata key	Value
external_id	T1172

AppCert DLLs Mitigation - T1182

Identify and block potentially malicious software that may be executed through AppCert DLLs by using whitelisting (Citation: Beechey 2010) tools, like AppLocker, (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) that are capable of auditing and/or blocking unknown DLLs.

Internal MISP references

UUID 95c29444-49f9-49f7-8b20-bcd68d8fcaa6 which can be used as unique global reference for AppCert DLLs Mitigation - T1182 in MISP communities and other software using the MISP galaxy

External references

• http://blog.jpcert.or.jp/2016/01/windows-commands-abused-by-attackers.html - webarchive
• http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599 - webarchive
• https://apps.nsa.gov/iaarchive/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm - webarchive
• https://attack.mitre.org/mitigations/T1182 - webarchive

Associated metadata

Metadata key	Value
external_id	T1182

Spearphishing Link Mitigation - T1192

Because this technique involves user interaction on the endpoint, it's difficult to fully mitigate. However, there are potential mitigations. Users can be trained to identify social engineering techniques and spearphishing emails with malicious links. Determine if certain websites that can be used for spearphishing are necessary for business operations and consider blocking access if activity cannot be monitored well or if it poses a significant risk. Other mitigations can take place as User Execution occurs.

Internal MISP references

UUID ad7f983d-d5a8-4fce-a38c-b68eda61bf4e which can be used as unique global reference for Spearphishing Link Mitigation - T1192 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/mitigations/T1192 - webarchive

Associated metadata

Metadata key	Value
external_id	T1192

Hidden Window Mitigation - T1143

Whitelist programs that are allowed to have this plist tag. All other programs should be considered suspicious.

Internal MISP references

UUID fae44eea-caa7-42b7-a2e2-0c815ba81b9a which can be used as unique global reference for Hidden Window Mitigation - T1143 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/mitigations/T1143 - webarchive

Associated metadata

Metadata key	Value
external_id	T1143

Create Account Mitigation - T1136

Use and enforce multifactor authentication. Follow guidelines to prevent or limit adversary access to Valid Accounts that may be used to create privileged accounts within an environment.

Adversaries that create local accounts on systems may have limited access within a network if access levels are properly locked down. These accounts may only be needed for persistence on individual systems and their usefulness depends on the utility of the system they reside on.

Protect domain controllers by ensuring proper security configuration for critical servers. Configure access controls and firewalls to limit access to these systems. Do not allow domain administrator accounts to be used for day-to-day operations that may expose them to potential adversaries on unprivileged systems.

Internal MISP references

UUID 9a5b7194-88e0-4579-b82f-e3c27b8cca80 which can be used as unique global reference for Create Account Mitigation - T1136 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/mitigations/T1136 - webarchive

Associated metadata

Metadata key	Value
external_id	T1136

Application Shimming Mitigation - T1138

There currently aren't a lot of ways to mitigate application shimming. Disabling the Shim Engine isn't recommended because Windows depends on shimming for interoperability and software may become unstable or not work. Microsoft released an optional patch update - KB3045645 - that will remove the "auto-elevate" flag within the sdbinst.exe. This will prevent use of application shimming to bypass UAC.

Changing UAC settings to "Always Notify" will give the user more visibility when UAC elevation is requested, however, this option will not be popular among users due to the constant UAC interruptions.

Internal MISP references

UUID cfc2d2fc-14ff-495f-bd99-585be47b804f which can be used as unique global reference for Application Shimming Mitigation - T1138 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/mitigations/T1138 - webarchive

Associated metadata

Metadata key	Value
external_id	T1138

Spearphishing Attachment Mitigation - T1193

Network intrusion prevention systems and systems designed to scan and remove malicious email attachments can be used to block activity. Solutions can be signature and behavior based, but adversaries may construct attachments in a way to avoid these systems.

Block unknown or unused attachments by default that should not be transmitted over email as a best practice to prevent some vectors, such as .scr, .exe, .pif, .cpl, etc. Some email scanning devices can open and analyze compressed and encrypted formats, such as zip and rar that may be used to conceal malicious attachments in Obfuscated Files or Information.

Because this technique involves user interaction on the endpoint, it's difficult to fully mitigate. However, there are potential mitigations. Users can be trained to identify social engineering techniques and spearphishing emails. To prevent the attachments from executing, application whitelisting can be used. Anti-virus can also automatically quarantine suspicious files.

Internal MISP references

UUID 8f6b5ca6-263a-4ea9-98f3-afd2a3cd8119 which can be used as unique global reference for Spearphishing Attachment Mitigation - T1193 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/mitigations/T1193 - webarchive

Associated metadata

Metadata key	Value
external_id	T1193

Bash History Mitigation - T1139

There are multiple methods of preventing a user's command history from being flushed to their .bash_history file, including use of the following commands: set +o history and set -o history to start logging again; unset HISTFILE being added to a user's .bash_rc file; and ln -s /dev/null ~/.bash_history to write commands to /dev/nullinstead.

Internal MISP references

UUID ace4daee-f914-4707-be75-843f16da2edf which can be used as unique global reference for Bash History Mitigation - T1139 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/mitigations/T1139 - webarchive

Associated metadata

Metadata key	Value
external_id	T1139

Gatekeeper Bypass Mitigation - T1144

Other tools should be used to supplement Gatekeeper's functionality. Additionally, system settings can prevent applications from running that haven't been downloaded through the Apple Store which can help mitigate some of these issues.

Internal MISP references

UUID 1a7f5bd3-f6ee-4bd7-b949-2f3632ad6158 which can be used as unique global reference for Gatekeeper Bypass Mitigation - T1144 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/mitigations/T1144 - webarchive

Associated metadata

Metadata key	Value
external_id	T1144

Private Keys Mitigation - T1145

Use strong passphrases for private keys to make cracking difficult. When possible, store keys on separate cryptographic hardware instead of on the local system. Ensure only authorized keys are allowed access to critical resources and audit access lists regularly. Ensure permissions are properly set on folders containing sensitive private keys to prevent unintended access. Use separate infrastructure for managing critical systems to prevent overlap of credentials and permissions on systems that could be used as vectors for lateral movement. Follow other best practices for mitigating access through use of Valid Accounts.

Internal MISP references

UUID f27ef4f2-71fe-48b6-b7f4-02dcac14320e which can be used as unique global reference for Private Keys Mitigation - T1145 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/mitigations/T1145 - webarchive

Associated metadata

Metadata key	Value
external_id	T1145

Hidden Users Mitigation - T1147

If the computer is domain joined, then group policy can help restrict the ability to create or hide users. Similarly, preventing the modification of the /Library/Preferences/com.apple.loginwindow Hide500Users value will force all users to be visible.

Internal MISP references

UUID 12cba7de-0a22-4a56-b51e-c514c67c3b43 which can be used as unique global reference for Hidden Users Mitigation - T1147 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/mitigations/T1147 - webarchive

Associated metadata

Metadata key	Value
external_id	T1147

SSH Hijacking Mitigation - T1184

Ensure SSH key pairs have strong passwords and refrain from using key-store technologies such as ssh-agent unless they are properly protected. Ensure that all private keys are stored securely in locations where only the legitimate owner has access to with strong passwords and are rotated frequently. Ensure proper file permissions are set and harden system to prevent root privilege escalation opportunities. Do not allow remote access via SSH as root or other privileged accounts. Ensure that agent forwarding is disabled on systems that do not explicitly require this feature to prevent misuse. (Citation: Symantec SSH and ssh-agent)

Internal MISP references

UUID 41cff8e9-fd05-408e-b3d5-d98c54c20bcf which can be used as unique global reference for SSH Hijacking Mitigation - T1184 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/mitigations/T1184 - webarchive
• https://www.symantec.com/connect/articles/ssh-and-ssh-agent - webarchive

Associated metadata

Metadata key	Value
external_id	T1184

LC_MAIN Hijacking Mitigation - T1149

Enforce valid digital signatures for signed code on all applications and only trust applications with signatures from trusted parties.

Internal MISP references

UUID 6e7db820-9735-4545-bc64-039bc4ce354b which can be used as unique global reference for LC_MAIN Hijacking Mitigation - T1149 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/mitigations/T1149 - webarchive

Associated metadata

Metadata key	Value
external_id	T1149

Startup Items Mitigation - T1165

Since StartupItems are deprecated, preventing all users from writing to the /Library/StartupItems directory would prevent any startup items from getting registered. Similarly, appropriate permissions should be applied such that only specific users can edit the startup items so that they can’t be leveraged for privilege escalation.

Internal MISP references

UUID 94927849-03e3-4a07-8f4c-9ee21b626719 which can be used as unique global reference for Startup Items Mitigation - T1165 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/mitigations/T1165 - webarchive

Associated metadata

Metadata key	Value
external_id	T1165

Dylib Hijacking Mitigation - T1157

Prevent users from being able to write files to the search paths for applications, both in the folders where applications are run from and the standard dylib folders. If users can't write to these directories, then they can't intercept the search path.

Internal MISP references

UUID dc43c2fe-355e-4a79-9570-3267b0992784 which can be used as unique global reference for Dylib Hijacking Mitigation - T1157 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/mitigations/T1157 - webarchive

Associated metadata

Metadata key	Value
external_id	T1157

Launch Agent Mitigation - T1159

Restrict user's abilities to create Launch Agents with group policy.

Internal MISP references

UUID 121b2863-5b97-4538-acb3-f8aae070ec13 which can be used as unique global reference for Launch Agent Mitigation - T1159 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/mitigations/T1159 - webarchive

Associated metadata

Metadata key	Value
external_id	T1159

Browser Extensions Mitigation - T1176

Only install browser extensions from trusted sources that can be verified. Ensure extensions that are installed are the intended ones as many malicious extensions will masquerade as legitimate ones.

Browser extensions for some browsers can be controlled through Group Policy. Set a browser extension white or black list as appropriate for your security policy. (Citation: Technospot Chrome Extensions GP)

Change settings to prevent the browser from installing extensions without sufficient permissions.

Close out all browser sessions when finished using them.

Internal MISP references

UUID b52f41b9-ccf6-4da7-a6c0-167eeb71fbd8 which can be used as unique global reference for Browser Extensions Mitigation - T1176 in MISP communities and other software using the MISP galaxy

External references

• http://www.technospot.net/blogs/block-chrome-extensions-using-google-chrome-group-policy-settings/ - webarchive
• https://attack.mitre.org/mitigations/T1176 - webarchive

Associated metadata

Metadata key	Value
external_id	T1176

Process Doppelgänging Mitigation - T1186

This type of attack technique cannot be easily mitigated with preventive controls or patched since it is based on the abuse of operating system design features. For example, mitigating specific API calls will likely have unintended side effects, such as preventing legitimate process-loading mechanisms from operating properly. Efforts should be focused on preventing adversary tools from running earlier in the chain of activity and on identifying subsequent malicious behavior.

Although Process Doppelgänging may be used to evade certain types of defenses, it is still good practice to identify potentially malicious software that may be used to perform adversarial actions and audit and/or block it by using whitelisting (Citation: Beechey 2010) tools, like AppLocker, (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) or Software Restriction Policies (Citation: Corio 2008) where appropriate. (Citation: TechNet Applocker vs SRP)

Internal MISP references

UUID 34d6a2ef-370e-4d21-a34b-6208b7c78f31 which can be used as unique global reference for Process Doppelgänging Mitigation - T1186 in MISP communities and other software using the MISP galaxy

External references

• http://technet.microsoft.com/en-us/magazine/2008.06.srp.aspx - webarchive
• http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599 - webarchive
• https://attack.mitre.org/mitigations/T1186 - webarchive
• https://blogs.jpcert.or.jp/en/2016/01/windows-commands-abused-by-attackers.html - webarchive
• https://technet.microsoft.com/en-us/library/ee791851.aspx - webarchive
• https://www.iad.gov/iad/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm - webarchive

Associated metadata

Metadata key	Value
external_id	T1186

LSASS Driver Mitigation - T1177

On Windows 8.1 and Server 2012 R2, enable LSA Protection by setting the Registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\RunAsPPL to dword:00000001. (Citation: Microsoft LSA Protection Mar 2014) LSA Protection ensures that LSA plug-ins and drivers are only loaded if they are digitally signed with a Microsoft signature and adhere to the Microsoft Security Development Lifecycle (SDL) process guidance.

On Windows 10 and Server 2016, enable Windows Defender Credential Guard (Citation: Microsoft Enable Cred Guard April 2017) to run lsass.exe in an isolated virtualized environment without any device drivers. (Citation: Microsoft Credential Guard April 2017)

Ensure safe DLL search mode is enabled HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\SafeDllSearchMode to mitigate risk that lsass.exe loads a malicious code library. (Citation: Microsoft DLL Security)

Internal MISP references

UUID 7a6e5ca3-562f-4185-a323-f3b62b5b2e6b which can be used as unique global reference for LSASS Driver Mitigation - T1177 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/mitigations/T1177 - webarchive
• https://docs.microsoft.com/windows/access-protection/credential-guard/credential-guard-how-it-works - webarchive
• https://docs.microsoft.com/windows/access-protection/credential-guard/credential-guard-manage - webarchive
• https://msdn.microsoft.com/library/windows/desktop/ff919712.aspx - webarchive
• https://technet.microsoft.com/library/dn408187.aspx - webarchive

Associated metadata

Metadata key	Value
external_id	T1177

Forced Authentication Mitigation - T1187

Block SMB traffic from exiting an enterprise network with egress filtering or by blocking TCP ports 139, 445 and UDP port 137. Filter or block WebDAV protocol traffic from exiting the network. If access to external resources over SMB and WebDAV is necessary, then traffic should be tightly limited with whitelisting. (Citation: US-CERT SMB Security) (Citation: US-CERT APT Energy Oct 2017)

For internal traffic, monitor the workstation-to-workstation unusual (vs. baseline) SMB traffic. For many networks there should not be any, but it depends on how systems on the network are configured and where resources are located.

Use strong passwords to increase the difficulty of credential hashes from being cracked if they are obtained.

Internal MISP references

UUID 7009ba4d-83d4-4851-9fbb-e09e28497765 which can be used as unique global reference for Forced Authentication Mitigation - T1187 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/mitigations/T1187 - webarchive
• https://www.us-cert.gov/ncas/alerts/TA17-293A - webarchive
• https://www.us-cert.gov/ncas/current-activity/2017/01/16/SMB-Security-Best-Practices - webarchive

Associated metadata

Metadata key	Value
external_id	T1187

BITS Jobs Mitigation - T1197

This type of attack technique cannot be easily mitigated with preventive controls since it is based on the abuse of operating system design features. For example, disabling all BITS functionality will likely have unintended side effects, such as preventing legitimate software patching and updating. Efforts should be focused on preventing adversary tools from running earlier in the chain of activity and on identification of subsequent malicious behavior. (Citation: Mondok Windows PiggyBack BITS May 2007)

Modify network and/or host firewall rules, as well as other network controls, to only allow legitimate BITS traffic.

Consider limiting access to the BITS interface to specific users or groups. (Citation: Symantec BITS May 2007)

Consider reducing the default BITS job lifetime in Group Policy or by editing the JobInactivityTimeout and MaxDownloadTime Registry values in HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\BITS. (Citation: Microsoft BITS)

Internal MISP references

UUID cb825b86-3f3b-4686-ba99-44878f5d3173 which can be used as unique global reference for BITS Jobs Mitigation - T1197 in MISP communities and other software using the MISP galaxy

External references

• https://arstechnica.com/information-technology/2007/05/malware-piggybacks-on-windows-background-intelligent-transfer-service/ - webarchive
• https://attack.mitre.org/mitigations/T1197 - webarchive
• https://msdn.microsoft.com/library/windows/desktop/bb968799.aspx - webarchive
• https://www.symantec.com/connect/blogs/malware-update-windows-update - webarchive

Associated metadata

Metadata key	Value
external_id	T1197

Trusted Relationship Mitigation - T1199

Network segmentation can be used to isolate infrastructure components that do not require broad network access. Properly manage accounts and permissions used by parties in trusted relationships to minimize potential abuse by the party and if the party is compromised by an adversary. Vet the security policies and procedures of organizations that are contracted for work that require privileged access to network resources.

Internal MISP references

UUID 797312d4-8a84-4daf-9c56-57da4133c322 which can be used as unique global reference for Trusted Relationship Mitigation - T1199 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/mitigations/T1199 - webarchive

Associated metadata

Metadata key	Value
external_id	T1199

Firmware Corruption Mitigation - T1495

Prevent adversary access to privileged accounts or access necessary to perform this technique. Check the integrity of the existing BIOS and device firmware to determine if it is vulnerable to modification. Patch the BIOS and other firmware as necessary to prevent successful use of known vulnerabilities.

Internal MISP references

UUID 70886857-0f19-4caa-b081-548354a8a994 which can be used as unique global reference for Firmware Corruption Mitigation - T1495 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/mitigations/T1495 - webarchive

Associated metadata

Metadata key	Value
external_id	T1495

Resource Hijacking Mitigation - T1496

Identify potentially malicious software and audit and/or block it by using whitelisting(Citation: Beechey 2010) tools, like AppLocker,(Citation: Windows Commands JPCERT)(Citation: NSA MS AppLocker) or Software Restriction Policies(Citation: Corio 2008) where appropriate.(Citation: TechNet Applocker vs SRP)

Internal MISP references

UUID 46acc565-11aa-40ba-b629-33ba0ab9b07b which can be used as unique global reference for Resource Hijacking Mitigation - T1496 in MISP communities and other software using the MISP galaxy

External references

• http://blog.jpcert.or.jp/2016/01/windows-commands-abused-by-attackers.html - webarchive
• http://technet.microsoft.com/en-us/magazine/2008.06.srp.aspx - webarchive
• http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599 - webarchive
• https://apps.nsa.gov/iaarchive/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm - webarchive
• https://attack.mitre.org/mitigations/T1496 - webarchive
• https://technet.microsoft.com/en-us/library/ee791851.aspx - webarchive

Associated metadata

Metadata key	Value
external_id	T1496

Data Destruction Mitigation - T1488

Consider implementing IT disaster recovery plans that contain procedures for taking regular data backups that can be used to restore organizational data.(Citation: Ready.gov IT DRP) Ensure backups are stored off system and is protected from common methods adversaries may use to gain access and destroy the backups to prevent recovery.

Identify potentially malicious software and audit and/or block it by using whitelisting(Citation: Beechey 2010) tools, like AppLocker,(Citation: Windows Commands JPCERT)(Citation: NSA MS AppLocker) or Software Restriction Policies(Citation: Corio 2008) where appropriate.(Citation: TechNet Applocker vs SRP)

Internal MISP references

UUID 0b3ee33e-430b-476f-9525-72d120c90f8d which can be used as unique global reference for Data Destruction Mitigation - T1488 in MISP communities and other software using the MISP galaxy

External references

• http://technet.microsoft.com/en-us/magazine/2008.06.srp.aspx - webarchive
• http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599 - webarchive
• https://apps.nsa.gov/iaarchive/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm - webarchive
• https://attack.mitre.org/mitigations/T1488 - webarchive
• https://blogs.jpcert.or.jp/en/2016/01/windows-commands-abused-by-attackers.html - webarchive
• https://technet.microsoft.com/en-us/library/ee791851.aspx - webarchive
• https://www.ready.gov/business/implementation/IT - webarchive

Associated metadata

Metadata key	Value
external_id	T1488

Service Stop Mitigation - T1489

Ensure proper process, registry, and file permissions are in place to inhibit adversaries from disabling or interfering with critical services. Limit privileges of user accounts and groups so that only authorized administrators can interact with service changes and service configurations. Harden systems used to serve critical network, business, and communications functions. Operate intrusion detection, analysis, and response systems on a separate network from the production environment to lessen the chances that an adversary can see and interfere with critical response functions.

Internal MISP references

UUID 417fed8c-bd76-48b5-90a2-a88882a95241 which can be used as unique global reference for Service Stop Mitigation - T1489 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/mitigations/T1489 - webarchive

Associated metadata

Metadata key	Value
external_id	T1489

Multi-factor Authentication - M1032

Use two or more pieces of evidence to authenticate to a system; such as username and password in addition to a token from a physical smart card or token generator.

Internal MISP references

UUID b045d015-6bed-4490-bd38-56b41ece59a0 which can be used as unique global reference for Multi-factor Authentication - M1032 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/mitigations/M1032 - webarchive

Associated metadata

Metadata key	Value
external_id	M1032

Related clusters

To see the related clusters, click here.

Rc.common Mitigation - T1163

Limit privileges of user accounts so only authorized users can edit the rc.common file.

Internal MISP references

UUID c3cf2312-3aab-4aaf-86e6-ab3505430482 which can be used as unique global reference for Rc.common Mitigation - T1163 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/mitigations/T1163 - webarchive

Associated metadata

Metadata key	Value
external_id	T1163

SSL/TLS Inspection - M1020

Break and inspect SSL/TLS sessions to look at encrypted web traffic for adversary activity.

Internal MISP references

UUID 7bb5fae9-53ad-4424-866b-f0ea2a8b731d which can be used as unique global reference for SSL/TLS Inspection - M1020 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/mitigations/M1020 - webarchive

Associated metadata

Metadata key	Value
external_id	M1020

Related clusters

To see the related clusters, click here.

Regsvcs/Regasm Mitigation - T1121

Regsvcs and Regasm may not be necessary within a given environment. Block execution of Regsvcs.exe and Regasm.exe if they are not required for a given system or network to prevent potential misuse by adversaries.

Internal MISP references

UUID a90da496-b460-47e8-92e7-cc36eb00bd9a which can be used as unique global reference for Regsvcs/Regasm Mitigation - T1121 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/mitigations/T1121 - webarchive

Associated metadata

Metadata key	Value
external_id	T1121

Security Updates - M1001

Install security updates in response to discovered vulnerabilities.

Purchase devices with a vendor and/or mobile carrier commitment to provide security updates in a prompt manner for a set period of time.

Decommission devices that will no longer receive security updates.

Limit or block access to enterprise resources from devices that have not installed recent security updates.

On Android devices, access can be controlled based on each device's security patch level. On iOS devices, access can be controlled based on the iOS version.

Internal MISP references

UUID bcecd036-f40e-4916-9f8e-fd0ccf0ece8d which can be used as unique global reference for Security Updates - M1001 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/mitigations/M1001 - webarchive

Associated metadata

Metadata key	Value
external_id	M1001

Related clusters

To see the related clusters, click here.

Lock Bootloader - M1003

On devices that provide the capability to unlock the bootloader (hence allowing any operating system code to be flashed onto the device), perform periodic checks to ensure that the bootloader is locked.

Internal MISP references

UUID 8ccd428d-39da-4e8f-a55b-d48ea1d56e58 which can be used as unique global reference for Lock Bootloader - M1003 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/mitigations/M1003 - webarchive

Associated metadata

Metadata key	Value
external_id	M1003

Related clusters

To see the related clusters, click here.

Network Segmentation - M1030

Architect sections of the network to isolate critical systems, functions, or resources. Use physical and logical segmentation to prevent access to potentially sensitive systems and information. Use a DMZ to contain any internet-facing services that should not be exposed from the internal network. Configure separate virtual private cloud (VPC) instances to isolate critical cloud systems.

Internal MISP references

UUID 86598de0-b347-4928-9eb0-0acbfc21908c which can be used as unique global reference for Network Segmentation - M1030 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/mitigations/M1030 - webarchive

Associated metadata

Metadata key	Value
external_id	M1030

Related clusters

To see the related clusters, click here.

Application Vetting - M1005

Enterprises can vet applications for exploitable vulnerabilities or unwanted (privacy-invasive or malicious) behaviors. Enterprises can inspect applications themselves or use a third-party service.

Enterprises may impose policies to only allow pre-approved applications to be installed on their devices or may impose policies to block use of specific applications known to have issues. In Bring Your Own Device (BYOD) environments, enterprises may only be able to impose these policies over an enterprise-managed portion of the device.

Application Vetting is not a complete mitigation. Techniques such as Evade Analysis Environment exist that can enable adversaries to bypass vetting.

Internal MISP references

UUID 1553b156-6767-47f7-9eb4-2a692505666d which can be used as unique global reference for Application Vetting - M1005 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/mitigations/M1005 - webarchive

Associated metadata

Metadata key	Value
external_id	M1005

Exploit Protection - M1050

Use capabilities to detect and block conditions that may lead to or be indicative of a software exploit occurring.

Internal MISP references

UUID d2a24649-9694-4c97-9c62-ce7b270bf6a3 which can be used as unique global reference for Exploit Protection - M1050 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/mitigations/M1050 - webarchive

Associated metadata

Metadata key	Value
external_id	M1050

Related clusters

To see the related clusters, click here.

User Guidance - M1011

Describes any guidance or training given to users to set particular configuration settings or avoid specific potentially risky behaviors.

Internal MISP references

UUID 653492e3-27be-4a0e-b08c-938dd2b7e0e1 which can be used as unique global reference for User Guidance - M1011 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/mitigations/M1011 - webarchive

Associated metadata

Metadata key	Value
external_id	M1011

Related clusters

To see the related clusters, click here.

Enterprise Policy - M1012

An enterprise mobility management (EMM), also known as mobile device management (MDM), system can be used to provision policies to mobile devices to control aspects of their allowed behavior.

Internal MISP references

UUID 649f7268-4c12-483b-ac84-4b7bca9fe2ee which can be used as unique global reference for Enterprise Policy - M1012 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/mitigations/M1012 - webarchive

Associated metadata

Metadata key	Value
external_id	M1012

Related clusters

To see the related clusters, click here.

Interconnection Filtering - M1014

In order to mitigate Signaling System 7 (SS7) exploitation, the Communications, Security, Reliability, and Interoperability Council (CSRIC) describes filtering interconnections between network operators to block inappropriate requests (Citation: CSRIC5-WG10-FinalReport).

Internal MISP references

UUID e829ee51-1caf-4665-ba15-7f8979634124 which can be used as unique global reference for Interconnection Filtering - M1014 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/mitigations/M1014 - webarchive
• https://web.archive.org/web/20200330012714/https://www.fcc.gov/files/csric5-wg10-finalreport031517pdf - webarchive

Associated metadata

Metadata key	Value
external_id	M1014

Related clusters

To see the related clusters, click here.

Rootkit Mitigation - T1014

Identify potentially malicious software that may contain rootkit functionality, and audit and/or block it by using whitelisting (Citation: Beechey 2010) tools, like AppLocker, (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) or Software Restriction Policies (Citation: Corio 2008) where appropriate. (Citation: TechNet Applocker vs SRP)

Internal MISP references

UUID 95ddb356-7ba0-4bd9-a889-247262b8946f which can be used as unique global reference for Rootkit Mitigation - T1014 in MISP communities and other software using the MISP galaxy

External references

• http://technet.microsoft.com/en-us/magazine/2008.06.srp.aspx - webarchive
• http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599 - webarchive
• https://apps.nsa.gov/iaarchive/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm - webarchive
• https://attack.mitre.org/mitigations/T1014 - webarchive
• https://blogs.jpcert.or.jp/en/2016/01/windows-commands-abused-by-attackers.html - webarchive
• https://technet.microsoft.com/en-us/library/ee791851.aspx - webarchive

Associated metadata

Metadata key	Value
external_id	T1014

Update Software - M1051

Perform regular software updates to mitigate exploitation risk.

Internal MISP references

UUID e5d930e9-775a-40ad-9bdb-b941d8dfe86b which can be used as unique global reference for Update Software - M1051 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/mitigations/M1051 - webarchive

Associated metadata

Metadata key	Value
external_id	M1051

Related clusters

To see the related clusters, click here.

Vulnerability Scanning - M1016

Vulnerability scanning is used to find potentially exploitable software vulnerabilities to remediate them.

Internal MISP references

UUID 15437c6d-b998-4a36-be41-4ace3d54d266 which can be used as unique global reference for Vulnerability Scanning - M1016 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/mitigations/M1016 - webarchive

Associated metadata

Metadata key	Value
external_id	M1016

Related clusters

To see the related clusters, click here.

Mshta Mitigation - T1170

Mshta.exe may not be necessary within a given environment since its functionality is tied to older versions of Internet Explorer that have reached end of life. Use application whitelisting configured to block execution of mshta.exe if it is not required for a given system or network to prevent potential misuse by adversaries.

Internal MISP references

UUID d2dce10b-3562-4d61-b2f5-7c6384b038e2 which can be used as unique global reference for Mshta Mitigation - T1170 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/mitigations/T1170 - webarchive

Associated metadata

Metadata key	Value
external_id	T1170

User Training - M1017

Train users to be aware of access or manipulation attempts by an adversary to reduce the risk of successful spearphishing, social engineering, and other techniques that involve user interaction.

Internal MISP references

UUID 2a4f6c11-a4a7-4cb9-b0ef-6ae1bb3a718a which can be used as unique global reference for User Training - M1017 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/mitigations/M1017 - webarchive

Associated metadata

Metadata key	Value
external_id	M1017

Related clusters

To see the related clusters, click here.

Screensaver Mitigation - T1180

Block .scr files from being executed from non-standard locations. Set Group Policy to force users to have a dedicated screensaver where local changes should not override the settings to prevent changes. Use Group Policy to disable screensavers if they are unnecessary. (Citation: TechNet Screensaver GP)

Internal MISP references

UUID 9da16278-c6c5-4410-8a6b-9c16ce8005b3 which can be used as unique global reference for Screensaver Mitigation - T1180 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/mitigations/T1180 - webarchive
• https://technet.microsoft.com/library/cc938799.aspx - webarchive

Associated metadata

Metadata key	Value
external_id	T1180

Rundll32 Mitigation - T1085

Microsoft's Enhanced Mitigation Experience Toolkit (EMET) Attack Surface Reduction (ASR) feature can be used to block methods of using rundll32.exe to bypass whitelisting. (Citation: Secure Host Baseline EMET)

Internal MISP references

UUID 8c918d8a-11c5-4ffd-af10-e74bc06bdfae which can be used as unique global reference for Rundll32 Mitigation - T1085 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/mitigations/T1085 - webarchive
• https://github.com/iadgov/Secure-Host-Baseline/tree/master/EMET - webarchive

Associated metadata

Metadata key	Value
external_id	T1085

Hypervisor Mitigation - T1062

Prevent adversary access to privileged accounts necessary to install a hypervisor.

Internal MISP references

UUID 2c3ce852-06a2-40ee-8fe6-086f6402a739 which can be used as unique global reference for Hypervisor Mitigation - T1062 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/mitigations/T1062 - webarchive

Associated metadata

Metadata key	Value
external_id	T1062

DCShadow Mitigation - T1207

This type of attack technique cannot be easily mitigated with preventive controls since it is based on the abuse of AD design features. For example, mitigating specific AD API calls will likely have unintended side effects, such as preventing DC replication from operating properly. Efforts should be focused on preventing adversary tools from running earlier in the chain of activity and on identification of subsequent malicious behavior.

Internal MISP references

UUID b70627f7-3b43-4c6f-8fc0-c918c41f8f72 which can be used as unique global reference for DCShadow Mitigation - T1207 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/mitigations/T1207 - webarchive

Associated metadata

Metadata key	Value
external_id	T1207

Password Policies - M1027

Set and enforce secure password policies for accounts.

Internal MISP references

UUID 90c218c3-fbf8-4830-98a7-e8cfb7eaa485 which can be used as unique global reference for Password Policies - M1027 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/mitigations/M1027 - webarchive

Associated metadata

Metadata key	Value
external_id	M1027

Related clusters

To see the related clusters, click here.

Kerberoasting Mitigation - T1208

Ensure strong password length (ideally 25+ characters) and complexity for service accounts and that these passwords periodically expire. (Citation: AdSecurity Cracking Kerberos Dec 2015) Also consider using Group Managed Service Accounts or another third party product such as password vaulting. (Citation: AdSecurity Cracking Kerberos Dec 2015)

Limit service accounts to minimal required privileges, including membership in privileged groups such as Domain Administrators. (Citation: AdSecurity Cracking Kerberos Dec 2015)

Enable AES Kerberos encryption (or another stronger encryption algorithm), rather than RC4, where possible. (Citation: AdSecurity Cracking Kerberos Dec 2015)

Internal MISP references

UUID a3e12b04-8598-4909-8855-2c97c1e7d549 which can be used as unique global reference for Kerberoasting Mitigation - T1208 in MISP communities and other software using the MISP galaxy

External references

• https://adsecurity.org/?p=2293 - webarchive
• https://attack.mitre.org/mitigations/T1208 - webarchive

Associated metadata

Metadata key	Value
external_id	T1208

Data Backup - M1053

Take and store data backups from end user systems and critical servers. Ensure backup and storage systems are hardened and kept separate from the corporate network to prevent compromise.

Internal MISP references

UUID 3efe43d1-6f3f-4fcb-ab39-4a730971f70b which can be used as unique global reference for Data Backup - M1053 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/mitigations/M1053 - webarchive

Associated metadata

Metadata key	Value
external_id	M1053

Related clusters

To see the related clusters, click here.

Masquerading Mitigation - T1036

When creating security rules, avoid exclusions based on file name or file path. Require signed binaries. Use file system access controls to protect folders such as C:\Windows\System32. Use tools that restrict program execution via whitelisting by attributes other than file name.

Identify potentially malicious software that may look like a legitimate program based on name and location, and audit and/or block it by using whitelisting (Citation: Beechey 2010) tools like AppLocker (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) or Software Restriction Policies (Citation: Corio 2008) where appropriate. (Citation: TechNet Applocker vs SRP)

Internal MISP references

UUID 45e7f570-6a0b-4095-bf02-4bca05da6bae which can be used as unique global reference for Masquerading Mitigation - T1036 in MISP communities and other software using the MISP galaxy

External references

• http://technet.microsoft.com/en-us/magazine/2008.06.srp.aspx - webarchive
• http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599 - webarchive
• https://apps.nsa.gov/iaarchive/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm - webarchive
• https://attack.mitre.org/mitigations/T1036 - webarchive
• https://blogs.jpcert.or.jp/en/2016/01/windows-commands-abused-by-attackers.html - webarchive
• https://technet.microsoft.com/en-us/library/ee791851.aspx - webarchive

Associated metadata

Metadata key	Value
external_id	T1036

Execution Prevention - M1038

Block execution of code on a system through application control, and/or script blocking.

Internal MISP references

UUID 47e0e9fe-96ce-4f65-8bb1-8be1feacb5db which can be used as unique global reference for Execution Prevention - M1038 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/mitigations/M1038 - webarchive

Associated metadata

Metadata key	Value
external_id	M1038

Related clusters

To see the related clusters, click here.

Software Configuration - M1054

Implement configuration changes to software (other than the operating system) to mitigate security risks associated to how the software operates.

Internal MISP references

UUID b5dbb4c5-b0b1-40b1-80b6-e9e84ab90067 which can be used as unique global reference for Software Configuration - M1054 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/mitigations/M1054 - webarchive

Associated metadata

Metadata key	Value
external_id	M1054

Related clusters

To see the related clusters, click here.

Code Signing - M1045

Enforce binary and application integrity with digital signature verification to prevent untrusted code from executing.

Internal MISP references

UUID 590777b3-b475-4c7c-aaf8-f4a73b140312 which can be used as unique global reference for Code Signing - M1045 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/mitigations/M1045 - webarchive

Associated metadata

Metadata key	Value
external_id	M1045

Related clusters

To see the related clusters, click here.

Boot Integrity - M1046

Use secure methods to boot a system and verify the integrity of the operating system and loading mechanisms.

Internal MISP references

UUID 7da0387c-ba92-4553-b291-b636ee42b2eb which can be used as unique global reference for Boot Integrity - M1046 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/mitigations/M1046 - webarchive

Associated metadata

Metadata key	Value
external_id	M1046

Related clusters

To see the related clusters, click here.

Scripting Mitigation - T1064

Turn off unused features or restrict access to scripting engines such as VBScript or scriptable administration frameworks such as PowerShell.

Configure Office security settings enable Protected View, to execute within a sandbox environment, and to block macros through Group Policy. (Citation: Microsoft Block Office Macros) Other types of virtualization and application microsegmentation may also mitigate the impact of compromise. The risks of additional exploits and weaknesses in implementation may still exist. (Citation: Ars Technica Pwn2Own 2017 VM Escape)

Internal MISP references

UUID 57019a80-8523-46b6-be7d-f763a15a2cc6 which can be used as unique global reference for Scripting Mitigation - T1064 in MISP communities and other software using the MISP galaxy

External references

• https://arstechnica.com/information-technology/2017/03/hack-that-escapes-vm-by-exploiting-edge-browser-fetches-105000-at-pwn2own/ - webarchive
• https://attack.mitre.org/mitigations/T1064 - webarchive
• https://cloudblogs.microsoft.com/microsoftsecure/2016/03/22/new-feature-in-office-2016-can-block-macros-and-help-prevent-infection/ - webarchive

Associated metadata

Metadata key	Value
external_id	T1064

Bootkit Mitigation - T1067

Ensure proper permissions are in place to help prevent adversary access to privileged accounts necessary to perform this action. Use Trusted Platform Module technology and a secure or trusted boot process to prevent system integrity from being compromised. (Citation: TCG Trusted Platform Module) (Citation: TechNet Secure Boot Process)

Internal MISP references

UUID 96150c35-466f-4f0a-97a9-ae87ee27f751 which can be used as unique global reference for Bootkit Mitigation - T1067 in MISP communities and other software using the MISP galaxy

External references

• http://www.trustedcomputinggroup.org/wp-content/uploads/Trusted-Platform-Module-Summary_04292008.pdf - webarchive
• https://attack.mitre.org/mitigations/T1067 - webarchive
• https://docs.microsoft.com/en-us/windows/security/information-protection/secure-the-windows-10-boot-process - webarchive

Associated metadata

Metadata key	Value
external_id	T1067

PowerShell Mitigation - T1086

It may be possible to remove PowerShell from systems when not needed, but a review should be performed to assess the impact to an environment, since it could be in use for many legitimate purposes and administrative functions. When PowerShell is necessary, restrict PowerShell execution policy to administrators and to only execute signed scripts. Be aware that there are methods of bypassing the PowerShell execution policy, depending on environment configuration. (Citation: Netspi PowerShell Execution Policy Bypass) Disable/restrict the WinRM Service to help prevent uses of PowerShell for remote execution.

Internal MISP references

UUID d0415180-51e9-40ce-b57c-c332b0b441f2 which can be used as unique global reference for PowerShell Mitigation - T1086 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/mitigations/T1086 - webarchive
• https://blog.netspi.com/15-ways-to-bypass-the-powershell-execution-policy/ - webarchive

Associated metadata

Metadata key	Value
external_id	T1086

Timestomp Mitigation - T1099

Mitigation of timestomping specifically is likely difficult. Efforts should be focused on preventing potentially malicious software from running. Identify and block potentially malicious software that may contain functionality to perform timestomping by using whitelisting (Citation: Beechey 2010) tools like AppLocker (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) or Software Restriction Policies (Citation: Corio 2008) where appropriate. (Citation: TechNet Applocker vs SRP)

Internal MISP references

UUID 5c167af7-c2cb-42c8-ae67-3fb275bf8488 which can be used as unique global reference for Timestomp Mitigation - T1099 in MISP communities and other software using the MISP galaxy

External references

• http://blog.jpcert.or.jp/2016/01/windows-commands-abused-by-attackers.html - webarchive
• http://technet.microsoft.com/en-us/magazine/2008.06.srp.aspx - webarchive
• http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599 - webarchive
• https://apps.nsa.gov/iaarchive/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm - webarchive
• https://attack.mitre.org/mitigations/T1099 - webarchive
• https://technet.microsoft.com/en-us/library/ee791851.aspx - webarchive

Associated metadata

Metadata key	Value
external_id	T1099

Regsvr32 Mitigation - T1117

Microsoft's Enhanced Mitigation Experience Toolkit (EMET) Attack Surface Reduction (ASR) feature can be used to block regsvr32.exe from being used to bypass whitelisting. (Citation: Secure Host Baseline EMET)

Internal MISP references

UUID 12c13879-b7bd-4bc5-8def-aacec386d432 which can be used as unique global reference for Regsvr32 Mitigation - T1117 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/mitigations/T1117 - webarchive
• https://github.com/iadgov/Secure-Host-Baseline/tree/master/EMET - webarchive

Associated metadata

Metadata key	Value
external_id	T1117

InstallUtil Mitigation - T1118

InstallUtil may not be necessary within a given environment. Use application whitelisting configured to block execution of InstallUtil.exe if it is not required for a given system or network to prevent potential misuse by adversaries.

Internal MISP references

UUID ec418d1b-4963-439f-b055-f914737ef362 which can be used as unique global reference for InstallUtil Mitigation - T1118 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/mitigations/T1118 - webarchive

Associated metadata

Metadata key	Value
external_id	T1118

CMSTP Mitigation - T1191

CMSTP.exe may not be necessary within a given environment (unless using it for VPN connection installation). Consider using application whitelisting configured to block execution of CMSTP.exe if it is not required for a given system or network to prevent potential misuse by adversaries. (Citation: MSitPros CMSTP Aug 2017)

Internal MISP references

UUID 91816292-3686-4a6e-83c4-4c08513b9b57 which can be used as unique global reference for CMSTP Mitigation - T1191 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/mitigations/T1191 - webarchive
• https://msitpros.com/?p=3960 - webarchive

Associated metadata

Metadata key	Value
external_id	T1191

Keychain Mitigation - T1142

The password for the user's login keychain can be changed from the user's login password. This increases the complexity for an adversary because they need to know an additional password.

Internal MISP references

UUID 56648de3-8947-4559-90c4-eda10acc0f5a which can be used as unique global reference for Keychain Mitigation - T1142 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/mitigations/T1142 - webarchive

Associated metadata

Metadata key	Value
external_id	T1142

Launchctl Mitigation - T1152

Prevent users from installing their own launch agents or launch daemons and instead require them to be pushed out by group policy.

Internal MISP references

UUID e333cf16-5bfa-453e-8e6a-3a4c63d6bfcc which can be used as unique global reference for Launchctl Mitigation - T1152 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/mitigations/T1152 - webarchive

Associated metadata

Metadata key	Value
external_id	T1152

Source Mitigation - T1153

Due to potential legitimate uses of source commands, it's may be difficult to mitigate use of this technique.

Internal MISP references

UUID 5391ece4-8866-415d-9b5e-8dc5944f612a which can be used as unique global reference for Source Mitigation - T1153 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/mitigations/T1153 - webarchive

Associated metadata

Metadata key	Value
external_id	T1153

Trap Mitigation - T1154

Due to potential legitimate uses of trap commands, it's may be difficult to mitigate use of this technique.

Internal MISP references

UUID 809b79cd-be78-4597-88d1-5496d1d9993a which can be used as unique global reference for Trap Mitigation - T1154 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/mitigations/T1154 - webarchive

Associated metadata

Metadata key	Value
external_id	T1154

HISTCONTROL Mitigation - T1148

Prevent users from changing the HISTCONTROL environment variable (Citation: Securing bash history). Also, make sure that the HISTCONTROL environment variable is set to “ignoredup” instead of “ignoreboth” or “ignorespace”.

Internal MISP references

UUID 03c0c586-50ed-45a7-95f4-f496d7eb5330 which can be used as unique global reference for HISTCONTROL Mitigation - T1148 in MISP communities and other software using the MISP galaxy

External references

• http://www.akyl.net/securing-bashhistory-file-make-sure-your-linux-system-users-won%E2%80%99t-hide-or-delete-their-bashhistory - webarchive
• https://attack.mitre.org/mitigations/T1148 - webarchive

Associated metadata

Metadata key	Value
external_id	T1148

Defacement Mitigation - T1491

Implementing best practices for websites such as defending against Exploit Public-Facing Application (Citation: OWASP Top 10 2017). Consider implementing IT disaster recovery plans that contain procedures for taking regular data backups that can be used to restore organizational data. (Ready.gov IT DRP) Ensure backups are stored off system and is protected from common methods adversaries may use to gain access and destroy the backups to prevent recovery.

Internal MISP references

UUID 5d8507c4-603e-4fe1-8a4a-b8241f58734b which can be used as unique global reference for Defacement Mitigation - T1491 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/mitigations/T1491 - webarchive
• https://owasp.org/www-project-top-ten/OWASP_Top_Ten_2017/ - webarchive

Associated metadata

Metadata key	Value
external_id	T1491

AppleScript Mitigation - T1155

Require that all AppleScript be signed by a trusted developer ID before being executed - this will prevent random AppleScript code from executing (Citation: applescript signing). This subjects AppleScript code to the same scrutiny as other .app files passing through Gatekeeper.

Internal MISP references

UUID 1e4ef2c7-ee96-4484-9baa-3b5777561301 which can be used as unique global reference for AppleScript Mitigation - T1155 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/mitigations/T1155 - webarchive
• https://www.engadget.com/2013/10/23/applescript-and-automator-gain-new-features-in-os-x-mavericks/ - webarchive

Associated metadata

Metadata key	Value
external_id	T1155

Sudo Mitigation - T1169

The sudoers file should be strictly edited such that passwords are always required and that users can’t spawn risky processes as users with higher privilege. By requiring a password, even if an adversary can get terminal access, they must know the password to run anything in the sudoers file.

Internal MISP references

UUID 23bff3ce-021c-4e7a-9aee-60fd40bc7c6c which can be used as unique global reference for Sudo Mitigation - T1169 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/mitigations/T1169 - webarchive

Associated metadata

Metadata key	Value
external_id	T1169

Hooking Mitigation - T1179

This type of attack technique cannot be easily mitigated with preventive controls since it is based on the abuse of operating system design features. For example, mitigating all hooking will likely have unintended side effects, such as preventing legitimate software (i.e., security products) from operating properly. Efforts should be focused on preventing adversary tools from running earlier in the chain of activity and on identifying subsequent malicious behavior.

Internal MISP references

UUID 7aee8ea0-0baa-4232-b379-5d9ce98352cf which can be used as unique global reference for Hooking Mitigation - T1179 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/mitigations/T1179 - webarchive

Associated metadata

Metadata key	Value
external_id	T1179

Pre-compromise - M1056

This category is used for any applicable mitigation activities that apply to techniques occurring before an adversary gains Initial Access, such as Reconnaissance and Resource Development techniques.

Internal MISP references

UUID 78bb71be-92b4-46de-acd6-5f998fedf1cc which can be used as unique global reference for Pre-compromise - M1056 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/mitigations/M1056 - webarchive

Associated metadata

Metadata key	Value
external_id	M1056

Related clusters

To see the related clusters, click here.

Antivirus/Antimalware - M1049

Use signatures or heuristics to detect malicious software.

Internal MISP references

UUID a6a47a06-08fc-4ec4-bdc3-20373375ebb9 which can be used as unique global reference for Antivirus/Antimalware - M1049 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/mitigations/M1049 - webarchive

Associated metadata

Metadata key	Value
external_id	M1049

Related clusters

To see the related clusters, click here.

Antivirus/Antimalware - M1058

Mobile security products, such as Mobile Threat Defense (MTD), offer various device-based mitigations against certain behaviors.

Internal MISP references

UUID 78671282-26aa-486c-a7a5-5921e1616b58 which can be used as unique global reference for Antivirus/Antimalware - M1058 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/mitigations/M1058 - webarchive

Associated metadata

Metadata key	Value
external_id	M1058

Related clusters

To see the related clusters, click here.

Attestation - M1002

Enable remote attestation capabilities when available (such as Android SafetyNet or Samsung Knox TIMA Attestation) and prohibit devices that fail the attestation from accessing enterprise resources.

Internal MISP references

UUID ff4821f6-5afb-481b-8c0f-26c28c0d666c which can be used as unique global reference for Attestation - M1002 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/mitigations/M1002 - webarchive

Associated metadata

Metadata key	Value
external_id	M1002

Related clusters

To see the related clusters, click here.

Audit - M1047

Perform audits or scans of systems, permissions, insecure software, insecure configurations, etc. to identify potential weaknesses.

Internal MISP references

UUID cc2399fd-3cd3-4319-8d0a-fbd6420cdaf8 which can be used as unique global reference for Audit - M1047 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/mitigations/M1047 - webarchive

Associated metadata

Metadata key	Value
external_id	M1047

Related clusters

To see the related clusters, click here.