Enforce binary and application integrity with digital signature verification to prevent untrusted code from executing.
Techniques Addressed by Mitigation
Require that all AppleScript be signed by a trusted developer ID before it is executed; this prevents arbitrary AppleScript code from running. This subjects AppleScript code to the same scrutiny as other .app files passing through Gatekeeper.
Enterprise | T1017 | Application Deployment Software
If the application deployment system can be configured to deploy only signed binaries, then ensure that the trusted signing certificates are not co-located with the application deployment system and are instead located on a system that cannot be accessed remotely or to which remote access is tightly controlled.
Enterprise | T1525 | Implant Container Image
Enforce that all binaries be signed by the correct Apple Developer IDs.
Enforce valid digital signatures for signed code on all applications and only trust applications with signatures from trusted parties.
On Windows 8.1 and Server 2012 R2, enable LSA Protection by setting the Registry key
Require signed binaries.
Set PowerShell execution policy to execute only signed scripts.
Enforce execution of only signed PowerShell scripts. Sign profiles to prevent them from being modified.
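The following is an added example (not code from the ATT&CK page) that puts the two PowerShell mitigations above, and the earlier "only trust applications with signatures from trusted parties" guidance, into practice: it sets the AllSigned execution policy, signs the user profile so tampering invalidates its signature, and audits a script directory for files that are either unsigned or signed by a party outside an allowlist. It assumes a code-signing certificate is present in Cert:\CurrentUser\My, and the thumbprint allowlist and the C:\Scripts path are constructed placeholders.

```powershell
# Added example, not from the ATT&CK page. Assumes a code-signing certificate in
# Cert:\CurrentUser\My; $TrustedThumbprints and C:\Scripts are constructed placeholders.

# 1. Require a valid Authenticode signature on every script, local or downloaded.
Set-ExecutionPolicy -ExecutionPolicy AllSigned -Scope LocalMachine -Force

# 2. Allowlist of signer certificate thumbprints (placeholder value; replace with your own).
$TrustedThumbprints = @(
    'PLACEHOLDER-THUMBPRINT-OF-INTERNAL-CODE-SIGNING-CERT'
)

function Test-TrustedScriptSignature {
    param([Parameter(Mandatory)][string]$Path)

    $sig = Get-AuthenticodeSignature -FilePath $Path

    # Status must be Valid: hash matches, chain builds to a trusted root, not revoked.
    if ($sig.Status -ne 'Valid') {
        return [pscustomobject]@{ Path = $Path; Trusted = $false; Reason = "Signature status: $($sig.Status)" }
    }

    # A valid signature alone is not enough; the signer must be one we expect.
    $thumb = $sig.SignerCertificate.Thumbprint
    if ($TrustedThumbprints -notcontains $thumb) {
        return [pscustomobject]@{ Path = $Path; Trusted = $false; Reason = "Unexpected signer $thumb" }
    }

    [pscustomobject]@{ Path = $Path; Trusted = $true; Reason = 'Valid signature from allowlisted signer' }
}

# 3. Sign the profile: under AllSigned a modified (hash-mismatched) profile will not load.
$cert = Get-ChildItem Cert:\CurrentUser\My -CodeSigningCert | Select-Object -First 1
if (-not (Test-Path $PROFILE)) { New-Item -ItemType File -Path $PROFILE -Force | Out-Null }
Set-AuthenticodeSignature -FilePath $PROFILE -Certificate $cert | Out-Null

# 4. Audit: list every script that is unsigned or signed by a non-allowlisted party.
Get-ChildItem -Path 'C:\Scripts' -Filter *.ps1 -Recurse |
    ForEach-Object { Test-TrustedScriptSignature -Path $_.FullName } |
    Where-Object { -not $_.Trusted }
```

The allowlist check matters because AllSigned only requires that a signature be valid and its publisher trusted on the host; it does not by itself restrict which publishers are acceptable, so an audit against the thumbprints you actually issue catches scripts signed with any other certificate. Add a timestamp server to the signing step in production so signatures remain valid after the certificate expires.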
Enterprise | T1505 | Server Software Component
Ensure all application component binaries are signed by the correct application developers.