MITIGATIONS

Account Use Policies

Active Directory Configuration

Antivirus/Antimalware

Application Developer Guidance

Application Isolation and Sandboxing

Behavior Prevention on Endpoint

Credential Access Protection

Disable or Remove Feature or Program

Do Not Mitigate

Encrypt Sensitive Information

Environment Variable Permissions

Execution Prevention

Exploit Protection

Filter Network Traffic

Limit Access to Resource Over Network

Limit Hardware Installation

Limit Software Installation

Multi-factor Authentication

Network Intrusion Prevention

Network Segmentation

Operating System Configuration

Password Policies

Privileged Account Management

Privileged Process Integrity

Remote Data Storage

Restrict File and Directory Permissions

Restrict Library Loading

Restrict Registry Permissions

Restrict Web-Based Content

Software Configuration

SSL/TLS Inspection

Threat Intelligence Program

Update Software

User Account Control

User Account Management

Vulnerability Scanning

Application Developer Guidance

Application Vetting

Caution with Device Administrator Access

Deploy Compromised Device Detection Method

Encrypt Network Traffic

Enterprise Policy

Interconnection Filtering

Lock Bootloader

Security Updates

System Partition Integrity

Use Recent OS Version

MITIGATIONS

A-C

Account Use Policies

Active Directory Configuration

Antivirus/Antimalware

Application Developer Guidance

Application Isolation and Sandboxing

Behavior Prevention on Endpoint

Credential Access Protection

D-F

Disable or Remove Feature or Program

Do Not Mitigate

Encrypt Sensitive Information

Environment Variable Permissions

Execution Prevention

Exploit Protection

Filter Network Traffic

G-I

No mitigations

J-L

Limit Access to Resource Over Network

Limit Hardware Installation

Limit Software Installation

M-O

Multi-factor Authentication

Network Intrusion Prevention

Network Segmentation

Operating System Configuration

P-R

Password Policies

Privileged Account Management

Privileged Process Integrity

Remote Data Storage

Restrict File and Directory Permissions

Restrict Library Loading

Restrict Registry Permissions

Restrict Web-Based Content

S-U

Software Configuration

SSL/TLS Inspection

Threat Intelligence Program

Update Software

User Account Control

User Account Management

V-X

Vulnerability Scanning

Y-Z

No mitigations

A-C

Application Developer Guidance

Application Vetting

Caution with Device Administrator Access

D-F

Deploy Compromised Device Detection Method

Encrypt Network Traffic

Enterprise Policy

G-I

Interconnection Filtering

J-L

Lock Bootloader

M-O

No mitigations

P-R

No mitigations

S-U

Security Updates

System Partition Integrity

Use Recent OS Version

V-X

No mitigations

Y-Z

No mitigations

Lock Bootloader

On devices that provide the capability to unlock the bootloader (hence allowing any operating system code to be flashed onto the device), perform periodic checks to ensure that the bootloader is locked.

ID: M1003

Version: 1.0

Created: 25 October 2017

Last Modified: 17 October 2018

Version Permalink

Live Version

Techniques Addressed by Mitigation

Domain	ID		Name	Use
Mobile	T1458		Exploit via Charging Station or PC
Mobile	T1398		Modify OS Kernel or Boot Partition
Mobile	T1400		Modify System Partition