JUST RELEASED: ATT&CK for Industrial Control Systems

Code Signing

Enforce binary and application integrity with digital signature verification to prevent untrusted code from executing.

ID: M1045
Version: 1.0
Created: 11 June 2019
Last Modified: 11 June 2019

Techniques Addressed by Mitigation

Domain ID Name Description
Enterprise T1155 AppleScript

Require that all AppleScript be signed by a trusted developer ID before being executed - this will prevent random AppleScript code from executing. This subjects AppleScript code to the same scrutiny as other .app files passing through Gatekeeper.[1]

Enterprise T1017 Application Deployment Software

If the application deployment system can be configured to deploy only signed binaries, then ensure that the trusted signing certificates are not co-located with the application deployment system and are instead located on a system that cannot be accessed remotely or to which remote access is tightly controlled.

Enterprise T1525 Implant Container Image

Several cloud service providers support content trust models that require container images be signed by trusted sources.[3][4]

Enterprise T1161 LC_LOAD_DYLIB Addition

Enforce that all binaries be signed by the correct Apple Developer IDs.

Enterprise T1149 LC_MAIN Hijacking

Enforce valid digital signatures for signed code on all applications and only trust applications with signatures from trusted parties.

Enterprise T1177 LSASS Driver

On Windows 8.1 and Server 2012 R2, enable LSA Protection by setting the Registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\RunAsPPL to dword:00000001. LSA Protection ensures that LSA plug-ins and drivers are only loaded if they are digitally signed with a Microsoft signature and adhere to the Microsoft Security Development Lifecycle (SDL) process guidance.[2]

Enterprise T1036 Masquerading

Require signed binaries.

Enterprise T1086 PowerShell

Set PowerShell execution policy to execute only signed scripts.

Enterprise T1504 PowerShell Profile

Enforce execution of only signed PowerShell scripts. Sign profiles to avoid them from being modified.

Enterprise T1505 Server Software Component

Ensure all application component binaries are signed by the correct application developers.

References