Remove or deny access to unnecessary and potentially vulnerable software to prevent abuse by adversaries.
Domain | ID | Name | Use | |
---|---|---|---|---|
Enterprise | T1098 | .002 | Account Manipulation: Additional Email Delegate Permissions |
If email delegation is not required, disable it. In Google Workspace this can be accomplished through the Google Admin console.[1] |
.004 | Account Manipulation: SSH Authorized Keys |
Disable SSH if it is not necessary on a host or restrict SSH access for specific users/groups using |
||
Enterprise | T1595 | .003 | Active Scanning: Wordlist Scanning |
Remove or disable access to any systems, resources, and infrastructure that are not explicitly required to be available externally. |
Enterprise | T1557 | Adversary-in-the-Middle |
Disable legacy network protocols that may be used to intercept network traffic if applicable, especially those that are not needed within an environment. |
|
.001 | LLMNR/NBT-NS Poisoning and SMB Relay |
Disable LLMNR and NetBIOS in local computer security settings or by group policy if they are not needed within an environment. [2] |
||
.002 | ARP Cache Poisoning |
Consider disabling updating the ARP cache on gratuitous ARP replies. |
||
Enterprise | T1547 | .007 | Boot or Logon Autostart Execution: Re-opened Applications |
This feature can be disabled entirely with the following terminal command: |
Enterprise | T1059 | Command and Scripting Interpreter |
Disable or remove any unnecessary or unused shells or interpreters. |
|
.001 | PowerShell |
It may be possible to remove PowerShell from systems when not needed, but a review should be performed to assess the impact to an environment, since it could be in use for many legitimate purposes and administrative functions. Disable/restrict the WinRM Service to help prevent uses of PowerShell for remote execution. |
||
.005 | Visual Basic |
Turn off or restrict access to unneeded VB components. |
||
.007 | JavaScript |
Turn off or restrict access to unneeded scripting components. |
||
Enterprise | T1092 | Communication Through Removable Media |
Disable Autoruns if it is unnecessary.[3] |
|
Enterprise | T1609 | Container Administration Command |
Remove unnecessary tools and software from containers. |
|
Enterprise | T1555 | .004 | Credentials from Password Stores: Windows Credential Manager |
Consider enabling the "Network access: Do not allow storage of passwords and credentials for network authentication" setting that will prevent network credentials from being stored by the Credential Manager.[4] |
Enterprise | T1114 | .003 | Email Collection: Email Forwarding Rule |
Consider disabling external email forwarding.[5] |
Enterprise | T1611 | Escape to Host |
Remove unnecessary tools and software from containers. |
|
Enterprise | T1546 | .002 | Event Triggered Execution: Screensaver |
Use Group Policy to disable screensavers if they are unnecessary.[6] |
.014 | Event Triggered Execution: Emond |
Consider disabling emond by removing the Launch Daemon plist file. |
||
Enterprise | T1011 | Exfiltration Over Other Network Medium |
Disable WiFi connection, modem, cellular data connection, Bluetooth, or another radio frequency (RF) channel in local computer security settings or by group policy if it is not needed within an environment. |
|
.001 | Exfiltration Over Bluetooth |
Disable Bluetooth in local computer security settings or by group policy if it is not needed within an environment. |
||
Enterprise | T1052 | Exfiltration Over Physical Medium |
Disable Autorun if it is unnecessary. [3] Disallow or restrict removable media at an organizational policy level if they are not required for business operations. [7] |
|
.001 | Exfiltration over USB |
Disable Autorun if it is unnecessary. [3] Disallow or restrict removable media at an organizational policy level if they are not required for business operations. [7] |
||
Enterprise | T1210 | Exploitation of Remote Services |
Minimize available services to only those that are necessary. |
|
Enterprise | T1133 | External Remote Services |
Disable or block remotely available services that may be unnecessary. |
|
Enterprise | T1564 | .006 | Hide Artifacts: Run Virtual Instance |
Disable Hyper-V if not necessary within a given environment. |
.007 | Hide Artifacts: VBA Stomping |
Turn off or restrict access to unneeded VB components.[8] |
||
Enterprise | T1562 | .010 | Impair Defenses: Downgrade Attack |
Consider removing previous versions of tools that are unnecessary to the environment when possible. |
Enterprise | T1559 | Inter-Process Communication |
Registry keys specific to Microsoft Office feature control security can be set to disable automatic DDE/OLE execution. [9][10][11] Microsoft also created, and enabled by default, Registry keys to completely disable DDE execution in Word and Excel.[12] |
|
.002 | Dynamic Data Exchange |
Registry keys specific to Microsoft Office feature control security can be set to disable automatic DDE/OLE execution. [9][10][11] Microsoft also created, and enabled by default, Registry keys to completely disable DDE execution in Word and Excel.[12] |
||
Enterprise | T1046 | Network Service Discovery |
Ensure that unnecessary ports and services are closed to prevent risk of discovery and potential exploitation. |
|
Enterprise | T1137 | Office Application Startup |
Follow Office macro security best practices suitable for your environment. Disable Office VBA macros from executing. Disable Office add-ins. If they are required, follow best practices for securing them by requiring them to be signed and disabling user notification for allowing add-ins. For some add-ins types (WLL, VBA) additional mitigation is likely required as disabling add-ins in the Office Trust Center does not disable WLL nor does it prevent VBA code from executing. [13] |
|
.001 | Office Template Macros |
Follow Office macro security best practices suitable for your environment. Disable Office VBA macros from executing. Disable Office add-ins. If they are required, follow best practices for securing them by requiring them to be signed and disabling user notification for allowing add-ins. For some add-ins types (WLL, VBA) additional mitigation is likely required as disabling add-ins in the Office Trust Center does not disable WLL nor does it prevent VBA code from executing. [13] |
||
Enterprise | T1219 | Remote Access Software |
Consider disabling unnecessary remote connection functionality, including both unapproved software installations and specific features built into supported applications. |
|
Enterprise | T1563 | Remote Service Session Hijacking |
Disable the remote service (ex: SSH, RDP, etc.) if it is unnecessary. |
|
.001 | SSH Hijacking |
Ensure that agent forwarding is disabled on systems that do not explicitly require this feature to prevent misuse. [14] |
||
.002 | RDP Hijacking |
Disable the RDP service if it is unnecessary. |
||
Enterprise | T1021 | Remote Services |
If remote services, such as the ability to make direct connections to cloud virtual machines, are not required, disable these connection types where feasible. |
|
.001 | Remote Desktop Protocol |
Disable the RDP service if it is unnecessary. |
||
.003 | Distributed Component Object Model |
Consider disabling DCOM through Dcomcnfg.exe.[15] |
||
.004 | SSH |
Disable the SSH daemon on systems that do not require it. For macOS ensure Remote Login is disabled under Sharing Preferences.[16] |
||
.005 | VNC |
Uninstall any VNC server software where not required. |
||
.006 | Windows Remote Management |
Disable the WinRM service. |
||
.008 | Direct Cloud VM Connections |
If direct virtual machine connections are not required for administrative use, disable these connection types where feasible. |
||
Enterprise | T1091 | Replication Through Removable Media |
Disable Autorun if it is unnecessary. [3] Disallow or restrict removable media at an organizational policy level if it is not required for business operations. [7] |
|
Enterprise | T1505 | Server Software Component |
Consider disabling software components from servers when possible to prevent abuse by adversaries.[17] |
|
.003 | Web Shell |
Consider disabling functions from web technologies such as PHP’s |
||
Enterprise | T1649 | Steal or Forge Authentication Certificates |
Consider disabling old/dangerous authentication protocols (e.g. NTLM), as well as unnecessary certificate features, such as potentially vulnerable AD CS web and other enrollment server roles.[18] |
|
Enterprise | T1553 | .005 | Subvert Trust Controls: Mark-of-the-Web Bypass |
Consider disabling auto-mounting of disk image files (i.e., .iso, .img, .vhd, and .vhdx). This can be achieved by modifying the Registry values related to the Windows Explorer file associations in order to disable the automatic Explorer "Mount and Burn" dialog for these file extensions. Note: this will not deactivate the mount functionality itself.[19] |
Enterprise | T1218 | System Binary Proxy Execution |
Many native binaries may not be necessary within a given environment. |
|
.003 | CMSTP |
CMSTP.exe may not be necessary within a given environment (unless using it for VPN connection installation). |
||
.004 | InstallUtil |
InstallUtil may not be necessary within a given environment. |
||
.005 | Mshta |
Mshta.exe may not be necessary within a given environment since its functionality is tied to older versions of Internet Explorer that have reached end of life. |
||
.007 | Msiexec |
Consider disabling the |
||
.008 | Odbcconf |
Odbcconf.exe may not be necessary within a given environment. |
||
.009 | Regsvcs/Regasm |
Regsvcs and Regasm may not be necessary within a given environment. |
||
.012 | Verclsid |
Consider removing verclsid.exe if it is not necessary within a given environment. |
||
.013 | Mavinject |
Consider removing mavinject.exe if Microsoft App-V is not used within a given environment. |
||
.014 | MMC |
MMC may not be necessary within a given environment since it is primarily used by system administrators, not regular users or clients. |
||
.015 | Electron Applications |
Remove or deny access to unnecessary and potentially vulnerable software and features to prevent abuse by adversaries. Many native binaries may not be necessary within a given environment: for example, consider disabling the Node.js integration in all renderers that display remote content to protect users by limiting adversaries’ power to plant malicious JavaScript within Electron applications.[21] |
||
Enterprise | T1221 | Template Injection |
Consider disabling Microsoft Office macros/active content to prevent the execution of malicious payloads in documents [22], though this setting may not mitigate the Forced Authentication use for this technique. |
|
Enterprise | T1205 | Traffic Signaling |
Disable Wake-on-LAN if it is not needed within an environment. |
|
Enterprise | T1127 | Trusted Developer Utilities Proxy Execution |
Specific developer utilities may not be necessary within a given environment and should be removed if not used. |
|
.001 | MSBuild |
MSBuild.exe may not be necessary within an environment and should be removed if not being used. |
||
Enterprise | T1552 | .005 | Unsecured Credentials: Cloud Instance Metadata API |
Disable unnecessary metadata services and restrict or disable insecure versions of metadata services that are in use to prevent adversary access.[23] |