Execution Prevention

Block execution of code on a system through application whitelisting, blacklisting, and/or script blocking.

ID: M1038
Version: 1.0
Created: 11 June 2019
Last Modified: 11 June 2019

Techniques Addressed by Mitigation

Domain ID Name Description
Enterprise T1015 Accessibility Features

Adversaries can replace accessibility features binaries with alternate binaries to execute this technique. Identify and block potentially malicious software executed through accessibility features functionality by using application whitelisting tools, like Windows Defender Application Control, AppLocker, or Software Restriction Policies where appropriate.[2][3][4][5][6][7]

Enterprise T1182 AppCert DLLs

Adversaries install new AppCertDLL binaries to execute this technique. Identify and block potentially malicious software executed through AppCertDLLs functionality by using application whitelisting tools, like Windows Defender Application Control, AppLocker, or Software Restriction Policies where appropriate.

Enterprise T1103 AppInit DLLs

Adversaries can install new AppInit_DLLs binaries to execute this technique. Identify and block potentially malicious software executed through AppInit_DLLs functionality by using application whitelisting tools, like Windows Defender Application Control, AppLocker, or Software Restriction Policies where appropriate.

Enterprise T1176 Browser Extensions

Set a browser extension white or black list as appropriate for your security policy.[1]

Enterprise T1191 CMSTP

Consider using application whitelisting configured to block execution of CMSTP.exe if it is not required for a given system or network to prevent potential misuse by adversaries.

Enterprise T1059 Command-Line Interface

Audit and/or block unnecessary command-line interpreters by using application whitelisting tools, like Windows Defender Application Control, AppLocker, or Software Restriction Policies where appropriate.[2][3][4][5][6][7]

Enterprise T1223 Compiled HTML File

Consider using application whitelisting to prevent execution of hh.exe if it is not required for a given system or network to prevent potential misuse by adversaries.

Enterprise T1196 Control Panel Items

Identify and block potentially malicious and unknown .cpl files by using application whitelisting tools, like Windows Defender Application Control, AppLocker, or Software Restriction Policies where appropriate.

Enterprise T1038 DLL Search Order Hijacking

Adversaries may use new DLLs to execute this technique. Identify and block potentially malicious software executed through search order hijacking by using application whitelisting solutions capable of blocking DLLs loaded by legitimate software.

Enterprise T1172 Domain Fronting

In order to use domain fronting, adversaries may need to deploy additional tools to compromised systems. It is possible to prevent the installation of these tools with application whitelisting.

Enterprise T1514 Elevated Execution with Prompt

System settings can prevent applications from running that haven't been downloaded through the Apple Store, which may help mitigate some of these issues. Not allowing unsigned applications to run may also mitigate some risk.

Enterprise T1106 Execution through API

Identify and block potentially malicious software that may be executed through this technique by using application whitelisting tools, like Windows Defender Application Control, AppLocker, or Software Restriction Policies where appropriate.[2][3][4][5][6][7]

Enterprise T1129 Execution through Module Load

Identify and block potentially malicious software executed through this technique by using application whitelisting tools capable of preventing unknown DLLs from being loaded.

Enterprise T1144 Gatekeeper Bypass

System settings can prevent applications from running that haven't been downloaded through the Apple Store which can help mitigate some of these issues.

Enterprise T1143 Hidden Window

Limit or restrict program execution using anti-virus software. On macOS, whitelist programs that are allowed to have the plist tag. All other programs should be considered suspicious.

Enterprise T1118 InstallUtil

Use application whitelisting configured to block execution of InstallUtil.exe if it is not required for a given system or network to prevent potential misuse by adversaries.

Enterprise T1215 Kernel Modules and Extensions

Application whitelisting and software restriction tools, such as SELinux, can also aid in restricting kernel module loading.[12]

Enterprise T1161 LC_LOAD_DYLIB Addition

Whitelist applications via known hashes.

Enterprise T1036 Masquerading

Use tools that restrict program execution via whitelisting by attributes other than file name for common operating system utilities that are needed.

Enterprise T1170 Mshta

Use application whitelisting configured to block execution of mshta.exe if it is not required for a given system or network to prevent potential misuse by adversaries.

Enterprise T1034 Path Interception

Adversaries will likely need to place new binaries in locations to be executed through this weakness. Identify and block potentially malicious software executed through path interception by using application whitelisting tools, like Windows Defender Application Control, AppLocker, or Software Restriction Policies where appropriate.[2][3][4][5][6][7]

Enterprise T1121 Regsvcs/Regasm

Block execution of Regsvcs.exe and Regasm.exe if they are not required for a given system or network to prevent potential misuse by adversaries.

Enterprise T1219 Remote Access Tools

Use application whitelisting to mitigate installation and use of unapproved software that can be used for remote access.

Enterprise T1180 Screensaver

Block .scr files from being executed from non-standard locations.

Enterprise T1218 Signed Binary Proxy Execution

Certain signed binaries that can be used to execute other programs may not be necessary within a given environment. Use application whitelisting configured to block execution of these binaries if they are not required for a given system or network to prevent potential misuse by adversaries.

Enterprise T1216 Signed Script Proxy Execution

Certain signed scripts that can be used to execute other programs may not be necessary within a given environment. Use application whitelisting configured to block execution of these scripts if they are not required for a given system or network to prevent potential misuse by adversaries.

Enterprise T1198 SIP and Trust Provider Hijacking

Enable whitelisting solutions such as AppLocker and/or Device Guard to block the loading of malicious SIP DLLs.

Enterprise T1080 Taint Shared Content

Identify potentially malicious software that may be used to taint content or may result from it, and audit and/or block the unknown programs by using whitelisting tools, like AppLocker, or Software Restriction Policies where appropriate.

Enterprise T1127 Trusted Developer Utilities

Use application whitelisting configured to block execution of MSBuild.exe, dnx.exe, rcsi.exe, WinDbg.exe, and cdb.exe if they are not required for a given system or network to prevent potential misuse by adversaries.[8][9][10][11]

Enterprise T1204 User Execution

Application whitelisting may be able to prevent the running of executables masquerading as other files.

Enterprise T1004 Winlogon Helper DLL

Identify and block potentially malicious software that may be executed through the Winlogon helper process by using whitelisting tools like AppLocker that are capable of auditing and/or blocking unknown DLLs.[2][4][5]

Enterprise T1220 XSL Script Processing

If msxsl.exe is unnecessary, then block its execution to prevent abuse by adversaries.