The sub-techniques beta is now live! Read the release blog post for more info.

Disable or Remove Feature or Program

Remove or deny access to unnecessary and potentially vulnerable software to prevent abuse by adversaries.

ID: M1042
Version: 1.0
Created: 11 June 2019
Last Modified: 11 June 2019

Techniques Addressed by Mitigation

Domain ID Name Description
Enterprise T1191 CMSTP

CMSTP.exe may not be necessary within a given environment (unless using it for VPN connection installation).

Enterprise T1092 Communication Through Removable Media

Disable Autoruns if it is unnecessary.[1]

Enterprise T1175 Component Object Model and Distributed COM

Consider disabling DCOM through Dcomcnfg.exe.

Enterprise T1173 Dynamic Data Exchange

Registry keys specific to Microsoft Office feature control security can be set to disable automatic DDE/OLE execution. Microsoft also created, and enabled by default, Registry keys to completely disable DDE execution in Word and Excel.[4][5][6][7]

Enterprise T1519 Emond

Consider disabling emond by removing the Launch Daemon plist file.

Enterprise T1052 Exfiltration Over Physical Medium

Disable Autorun if it is unnecessary. Disallow or restrict removable media at an organizational policy level if they are not required for business operations.[1][2]

Enterprise T1210 Exploitation of Remote Services

Minimize available services to only those that are necessary.

Enterprise T1133 External Remote Services

Disable or block remotely available services that may be unnecessary.

Enterprise T1118 InstallUtil

InstallUtil may not be necessary within a given environment.

Enterprise T1171 LLMNR/NBT-NS Poisoning and Relay

Disable LLMNR and NetBIOS in local computer security settings or by group policy if they are not needed within an environment.

Enterprise T1170 Mshta

Mshta.exe may not be necessary within a given environment since its functionality is tied to older versions of Internet Explorer that have reached end of life.

Enterprise T1046 Network Service Scanning

Ensure that unnecessary ports and services are closed to prevent risk of discovery and potential exploitation.

Enterprise T1137 Office Application Startup

Follow Office macro security best practices suitable for your environment. Disable Office VBA macros from executing.

Disable Office add-ins. If they are required, follow best practices for securing them by requiring them to be signed and disabling user notification for allowing add-ins. For some add-ins types (WLL, VBA) additional mitigation is likely required as disabling add-ins in the Office Trust Center does not disable WLL nor does it prevent VBA code from executing.[9]

Enterprise T1086 PowerShell

It may be possible to remove PowerShell from systems when not needed, but a review should be performed to assess the impact to an environment, since it could be in use for many legitimate purposes and administrative functions.

Disable/restrict the WinRM Service to help prevent uses of PowerShell for remote execution.

Enterprise T1164 Re-opened Applications

This feature can be disabled entirely with the following terminal command: defaults write -g ApplePersistence -bool no.

Enterprise T1121 Regsvcs/Regasm

Regsvcs and Regasm may not be necessary within a given environment.

Enterprise T1076 Remote Desktop Protocol

Disable the RDP service if it is unnecessary.

Enterprise T1091 Replication Through Removable Media

Disable Autorun if it is unnecessary. Disallow or restrict removable media at an organizational policy level if it is not required for business operations.[1][2]

Enterprise T1180 Screensaver

Use Group Policy to disable screensavers if they are unnecessary.[8]

Enterprise T1064 Scripting

Turn off unused features or restrict access to scripting engines such as VBScript or scriptable administration frameworks such as PowerShell.

Enterprise T1184 SSH Hijacking

Ensure that agent forwarding is disabled on systems that do not explicitly require this feature to prevent misuse.[3]

Enterprise T1221 Template Injection

Consider disabling Microsoft Office macros/active content to prevent the execution of malicious payloads in documents, though this setting may not mitigate the Forced Authentication use for this technique.[10]

Enterprise T1127 Trusted Developer Utilities

MSBuild.exe, dnx.exe, rcsi.exe, WinDbg.exe, cdb.exe, and tracker.exe may not be necessary within a given environment and should be removed if not used.

Enterprise T1028 Windows Remote Management

Disable the WinRM service.

References