Disable or Remove Feature or Program
Remove or deny access to unnecessary and potentially vulnerable software to prevent abuse by adversaries.
Techniques Addressed by Mitigation
| Domain | ID | Name | Use |
|---|---|---|---|
| | | | CMSTP.exe may not be necessary within a given environment (unless it is used for VPN connection installation). |
| Enterprise | T1092 | Communication Through Removable Media | Disable Autorun if it is unnecessary. |
| Enterprise | T1175 | Component Object Model and Distributed COM | Consider disabling DCOM through Dcomcnfg.exe. |
| Enterprise | T1173 | Dynamic Data Exchange | Registry keys specific to Microsoft Office feature control security can be set to disable automatic DDE/OLE execution. Microsoft also created, and enabled by default, Registry keys to completely disable DDE execution in Word and Excel. |
| | | | Consider disabling emond by removing the Launch Daemon plist file. |
| Enterprise | T1052 | Exfiltration Over Physical Medium | |
| Enterprise | T1210 | Exploitation of Remote Services | Minimize available services to only those that are necessary. |
| Enterprise | T1133 | External Remote Services | Disable or block remotely available services that may be unnecessary. |
| | | | InstallUtil may not be necessary within a given environment. |
| Enterprise | T1171 | LLMNR/NBT-NS Poisoning and Relay | Disable LLMNR and NetBIOS in local computer security settings or by group policy if they are not needed within an environment. |
| | | | Mshta.exe may not be necessary within a given environment, since its functionality is tied to older versions of Internet Explorer that have reached end of life. |
| Enterprise | T1046 | Network Service Scanning | Ensure that unnecessary ports and services are closed to prevent the risk of discovery and potential exploitation. |
| Enterprise | T1137 | Office Application Startup | Follow Office macro security best practices suitable for your environment. Disable Office VBA macros from executing. Disable Office add-ins. If they are required, follow best practices for securing them by requiring them to be signed and disabling user notification for allowing add-ins. For some add-in types (WLL, VBA), additional mitigation is likely required, as disabling add-ins in the Office Trust Center does not disable WLL add-ins and does not prevent VBA code from executing. |
| | | | It may be possible to remove PowerShell from systems when it is not needed, but a review should be performed to assess the impact on an environment, since it could be in use for many legitimate purposes and administrative functions. Disable or restrict the WinRM service to help prevent use of PowerShell for remote execution. |
| | | | This feature can be disabled entirely with the following terminal command: |
| | | | Regsvcs and Regasm may not be necessary within a given environment. |
| Enterprise | T1076 | Remote Desktop Protocol | Disable the RDP service if it is unnecessary. |
| Enterprise | T1091 | Replication Through Removable Media | |
| | | | Use Group Policy to disable screensavers if they are unnecessary. |
| | | | Turn off unused features or restrict access to scripting engines such as VBScript or scriptable administration frameworks such as PowerShell. |
| | | | Ensure that agent forwarding is disabled on systems that do not explicitly require this feature, to prevent misuse. |
| | | | Consider disabling Microsoft Office macros/active content to prevent the execution of malicious payloads in documents, though this setting may not mitigate the Forced Authentication use of this technique. |
| Enterprise | T1127 | Trusted Developer Utilities | MSBuild.exe, dnx.exe, rcsi.exe, WinDbg.exe, cdb.exe, and tracker.exe may not be necessary within a given environment and should be removed if not used. |
| Enterprise | T1028 | Windows Remote Management | Disable the WinRM service. |
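As an added example (not part of the ATT&CK page), the following read-only PowerShell audit reports whether a Windows host already applies four of the settings described above: the WinRM service state, LLMNR, NetBIOS over TCP/IP and Autorun. The registry locations are the standard Windows policy paths for these features, assumed here rather than taken from the page.

```powershell
# Added example, not part of the ATT&CK page: a read-only audit of four settings this
# mitigation describes (WinRM service, LLMNR, NetBIOS over TCP/IP, Autorun).
# Registry locations are the standard Windows policy paths for these features (assumed).

function Get-RegValueOrNull {
    param([string]$Path, [string]$Name)
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name } catch { $null }
}

function New-Check($Name, $Current, $Desired, [bool]$Hardened) {
    [pscustomobject]@{ Check = $Name; Current = $Current; Desired = $Desired; Hardened = $Hardened }
}

function Get-FeatureHardeningStatus {
    # WinRM: disable the service where remote PowerShell execution is not needed.
    $winrm = Get-Service -Name WinRM -ErrorAction SilentlyContinue
    if ($winrm) { $cur = "$($winrm.Status) / $($winrm.StartType)" } else { $cur = 'not installed' }
    $ok = (-not $winrm) -or ($winrm.Status -eq 'Stopped' -and $winrm.StartType -eq 'Disabled')
    New-Check 'WinRM service' $cur 'Stopped / Disabled' $ok

    # LLMNR: the "Turn off multicast name resolution" policy writes EnableMulticast = 0.
    $llmnr = Get-RegValueOrNull 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient' 'EnableMulticast'
    if ($null -eq $llmnr) { $cur = 'not configured (LLMNR on by default)' } else { $cur = $llmnr }
    New-Check 'LLMNR (EnableMulticast)' $cur '0' ($llmnr -eq 0)

    # NetBIOS over TCP/IP: NetbiosOptions = 2 disables it; every interface must be set.
    $ifKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\NetBT\Parameters\Interfaces'
    $open = @(Get-ChildItem $ifKey -ErrorAction SilentlyContinue |
              Where-Object { (Get-RegValueOrNull $_.PSPath 'NetbiosOptions') -ne 2 })
    New-Check 'NetBIOS over TCP/IP' "$($open.Count) interface(s) still enabled" '0 interfaces' ($open.Count -eq 0)

    # Autorun: NoDriveTypeAutoRun = 0xFF disables Autorun for all drive types.
    $auto = Get-RegValueOrNull 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer' 'NoDriveTypeAutoRun'
    if ($null -eq $auto) { $cur = 'not configured' } else { $cur = '0x{0:X}' -f $auto }
    New-Check 'Autorun (NoDriveTypeAutoRun)' $cur '0xFF' ($auto -eq 0xFF)
}

# Run with administrative rights so all policy keys are readable.
Get-FeatureHardeningStatus | Format-Table -AutoSize
```

A `Hardened` value of `False` on any row points at a setting still to be applied through Group Policy or local configuration; the script itself changes nothing.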