Perform audits or scans of systems, permissions, insecure software, insecure configurations, etc. to identify potential weaknesses.
Techniques Addressed by Mitigation
Enterprise | T1527 | Application Access Token
Administrators can set up a variety of logs and leverage audit tools to monitor actions that can be conducted as a result of OAuth 2.0 access. For instance, audit reports enable admins to identify privilege escalation actions such as role creations or policy modifications, which could be actions performed after initial access.
Ensure extensions that are installed are the intended ones as many malicious extensions will masquerade as legitimate ones.
Enterprise | T1088 | Bypass User Account Control
Check for common UAC bypass weaknesses on Windows systems to be aware of the risk posture and address issues where appropriate.
Enterprise | T1081 | Credentials in Files
Preemptively search for files containing passwords and take actions to reduce the exposure risk when found.
Enterprise | T1214 | Credentials in Registry
Proactively search for credentials within the Registry and attempt to remediate the risk.
Enterprise | T1530 | Data from Cloud Storage Object
Frequently check permissions on cloud storage to ensure proper permissions are set to deny open or unprivileged access to resources.
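The permission check described above, as an added example that is not part of the original page: it audits constructed S3-style bucket ACLs and bucket policies for grants that expose a bucket to anyone. The bucket names, grantee identifiers, account id and policy statements are made up for illustration; a real audit would feed in the output of the provider's API instead.

```python
# Added example: audit constructed S3-style bucket ACLs and bucket policies for
# grants that let anyone read or write. Bucket names, grantees and statements
# are made up; nothing is fetched from a cloud account.

PUBLIC_ACL_GRANTEES = {
    "Group:http://acs.amazonaws.com/groups/global/AllUsers",
    "Group:http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}

SAMPLE_BUCKETS = {
    "finance-reports": {
        "acl": [{"grantee": "CanonicalUser:owner-id-placeholder", "permission": "FULL_CONTROL"}],
        "policy": {"Statement": [
            {"Effect": "Allow",
             "Principal": {"AWS": "arn:aws:iam::111122223333:role/Reporting"},
             "Action": ["s3:GetObject"],
             "Resource": "arn:aws:s3:::finance-reports/*"},
        ]},
    },
    "public-assets": {
        "acl": [{"grantee": "Group:http://acs.amazonaws.com/groups/global/AllUsers",
                 "permission": "READ"}],
        "policy": None,
    },
    "backups": {
        "acl": [{"grantee": "CanonicalUser:owner-id-placeholder", "permission": "FULL_CONTROL"}],
        "policy": {"Statement": [
            {"Effect": "Allow", "Principal": "*", "Action": "s3:*",
             "Resource": "arn:aws:s3:::backups/*"},
        ]},
    },
}


def is_public_principal(principal):
    """True when a policy statement's Principal matches anyone ("*" or AWS "*")."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS", [])
        aws = [aws] if isinstance(aws, str) else list(aws)
        return "*" in aws
    return False


def open_access_findings(buckets):
    """Return {bucket_name: [reasons]} for buckets exposed to unprivileged access.

    Two exposure paths are checked: ACL grants to the AllUsers/AuthenticatedUsers
    groups, and unconditional Allow statements whose Principal is everyone.
    """
    findings = {}
    for name, cfg in buckets.items():
        reasons = []
        for grant in cfg.get("acl", []):
            if grant["grantee"] in PUBLIC_ACL_GRANTEES:
                group = grant["grantee"].rsplit("/", 1)[-1]
                reasons.append(f"ACL grants {grant['permission']} to {group}")
        policy = cfg.get("policy") or {"Statement": []}
        for stmt in policy.get("Statement", []):
            if (stmt.get("Effect") == "Allow"
                    and is_public_principal(stmt.get("Principal"))
                    and "Condition" not in stmt):
                actions = stmt.get("Action", [])
                actions = [actions] if isinstance(actions, str) else list(actions)
                reasons.append("policy allows " + ", ".join(actions) + " to any principal")
        if reasons:
            findings[name] = reasons
    return findings


if __name__ == "__main__":
    for bucket, reasons in open_access_findings(SAMPLE_BUCKETS).items():
        print(bucket)
        for reason in reasons:
            print("  -", reason)
```

Statements that carry a Condition block are deliberately left out of the findings, because their exposure depends on the condition keys; a production check would evaluate those separately rather than treat them as safe.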
Enterprise | T1213 | Data from Information Repositories
Consider periodic review of accounts and privileges for critical and sensitive repositories.
Enterprise | T1038 | DLL Search Order Hijacking
Use auditing tools capable of detecting DLL search order hijacking opportunities on systems within an enterprise and correct them. Toolkits like the PowerSploit framework contain PowerUp modules that can be used to explore systems for DLL hijacking weaknesses.
Use the program sxstrace.exe that is included with Windows along with manual inspection to check manifest files for side-loading vulnerabilities in software.
Enterprise | T1482 | Domain Trust Discovery
Map the trusts within existing domains/forests and keep trust relationships to a minimum.
Enterprise email solutions have monitoring mechanisms that may include the ability to audit auto-forwarding rules on a regular basis.
In an Exchange environment, Administrators can use Get-InboxRule to discover and remove potentially malicious auto-forwarding rules.
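The auto-forwarding audit described above, as an added example that is not part of the original page: it takes records shaped like the fields Get-InboxRule returns and flags enabled rules that forward or redirect to an address outside the organisation's domains. The rule records, the internal domain list and the mailbox names are constructed; real cmdlet output wraps recipients in display-name/SMTP form, which this example assumes has already been normalised to plain addresses.

```python
# Added example: flag enabled inbox rules that forward or redirect mail outside
# the organisation. Records are constructed to resemble Get-InboxRule fields.

INTERNAL_DOMAINS = {"example.com", "corp.example.com"}

SAMPLE_RULES = [
    {"Identity": "alice\\Archive invoices", "Enabled": True,
     "ForwardTo": [], "ForwardAsAttachmentTo": [], "RedirectTo": [],
     "DeleteMessage": False},
    {"Identity": "alice\\Sync", "Enabled": True,
     "ForwardTo": ["backup@mail-sync.example.net"], "ForwardAsAttachmentTo": [],
     "RedirectTo": [], "DeleteMessage": True},
    {"Identity": "bob\\To assistant", "Enabled": True,
     "ForwardTo": ["assistant@corp.example.com"], "ForwardAsAttachmentTo": [],
     "RedirectTo": [], "DeleteMessage": False},
    {"Identity": "carol\\Old rule", "Enabled": False,
     "ForwardTo": [], "ForwardAsAttachmentTo": [],
     "RedirectTo": ["x@outside.example.org"], "DeleteMessage": False},
]


def address_domain(address):
    """Return the lower-cased domain part of an SMTP address."""
    return address.rsplit("@", 1)[-1].lower()


def suspicious_forwarding_rules(rules, internal_domains=INTERNAL_DOMAINS):
    """Return enabled rules that send mail to an external domain.

    All three delivery actions (ForwardTo, ForwardAsAttachmentTo, RedirectTo)
    are checked. A rule that also deletes the original (DeleteMessage) hides
    the forwarding from the mailbox owner, so that is recorded as an extra
    indicator for triage.
    """
    findings = []
    for rule in rules:
        if not rule.get("Enabled", True):
            continue
        targets = (rule.get("ForwardTo", [])
                   + rule.get("ForwardAsAttachmentTo", [])
                   + rule.get("RedirectTo", []))
        external = [t for t in targets if address_domain(t) not in internal_domains]
        if external:
            findings.append({
                "Identity": rule["Identity"],
                "external_targets": external,
                "deletes_original": bool(rule.get("DeleteMessage", False)),
            })
    return findings


def removal_command(identity):
    """Build the Remove-InboxRule invocation for a confirmed-malicious rule."""
    return f'Remove-InboxRule -Identity "{identity}"'


if __name__ == "__main__":
    for finding in suspicious_forwarding_rules(SAMPLE_RULES):
        print(finding)
        print("  review, then:", removal_command(finding["Identity"]))
```

Disabled rules are skipped here, but an auditor may still want them listed, since a rule that was disabled rather than removed can be re-enabled without creating a new one.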
Enterprise | T1044 | File System Permissions Weakness
Use auditing tools capable of detecting file system permissions abuse opportunities on systems within an enterprise and correct them. Toolkits like the PowerSploit framework contain PowerUp modules that can be used to explore systems for service file system permissions weaknesses.
Enterprise | T1484 | Group Policy Modification
Identify and correct GPO permissions abuse opportunities (ex: GPO modification privileges) using auditing tools such as Bloodhound (version 1.5.1 and later).
Enterprise | T1525 | Implant Container Image
Periodically check the integrity of images and containers used in cloud deployments to ensure they have not been modified to include malicious software.
Binaries can also be baselined for what dynamic libraries they require, and if an app requires a new dynamic library that wasn't included as part of an update, it should be investigated.
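The dynamic-library baselining just described, as an added example that is not part of the original page: it parses two `otool -L` style listings for a hypothetical Example.app (one captured at baseline, one after an update), diffs the install names, and reports new libraries that do not come from a system location. Both listings and the application name are constructed; they are not real tool output.

```python
# Added example: baseline the dynamic libraries a binary loads and report new
# ones after an update. The listings are constructed for a hypothetical app.

BASELINE_LISTING = """/Applications/Example.app/Contents/MacOS/Example:
\t/usr/lib/libSystem.B.dylib (compatibility version 1.0.0, current version 1292.0.0)
\t/System/Library/Frameworks/Cocoa.framework/Versions/A/Cocoa (compatibility version 1.0.0, current version 23.0.0)
\t@rpath/ExampleCore.framework/Versions/A/ExampleCore (compatibility version 1.0.0, current version 4.2.0)
"""

UPDATED_LISTING = """/Applications/Example.app/Contents/MacOS/Example:
\t/usr/lib/libSystem.B.dylib (compatibility version 1.0.0, current version 1292.0.0)
\t/System/Library/Frameworks/Cocoa.framework/Versions/A/Cocoa (compatibility version 1.0.0, current version 23.0.0)
\t@rpath/ExampleCore.framework/Versions/A/ExampleCore (compatibility version 1.0.0, current version 4.3.0)
\t/Users/Shared/libhelper.dylib (compatibility version 1.0.0, current version 1.0.0)
"""

# Install-name prefixes treated as system-provided in this example.
TRUSTED_PREFIXES = ("/usr/lib/", "/System/Library/")


def parse_library_listing(text):
    """Return the set of library install names from an otool -L style listing.

    The first line names the binary itself; dependency lines are tab-indented
    and carry a version suffix in parentheses, which is dropped so that a
    version bump alone does not register as a new dependency.
    """
    libs = set()
    for line in text.splitlines():
        if not line.startswith("\t"):
            continue
        libs.add(line.strip().split(" (", 1)[0])
    return libs


def new_dependencies(baseline_text, current_text):
    """Libraries present in the current listing but absent from the baseline."""
    return sorted(parse_library_listing(current_text) - parse_library_listing(baseline_text))


def dependencies_to_investigate(baseline_text, current_text, trusted=TRUSTED_PREFIXES):
    """New dependencies that do not come from a trusted system location."""
    return [lib for lib in new_dependencies(baseline_text, current_text)
            if not lib.startswith(trusted)]


if __name__ == "__main__":
    for lib in dependencies_to_investigate(BASELINE_LISTING, UPDATED_LISTING):
        print("investigate new dependency:", lib)
```

The ExampleCore version change is ignored by design; only a library that was not loaded at all before the update is reported, which is the signal the paragraph above asks for.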
Enterprise | T1031 | Modify Existing Service
Use auditing tools capable of detecting privilege and service abuse opportunities on systems within an enterprise and correct them.
Find and eliminate path interception weaknesses in program configuration files, scripts, the PATH environment variable, services, and in shortcuts by surrounding PATH variables with quotation marks when functions allow for them. Be aware of the search order Windows uses for executing or loading binaries and use fully qualified paths wherever appropriate.
Clean up old Windows Registry keys when software is uninstalled to avoid keys with no associated legitimate binaries. Periodically search for and correct or report path interception weaknesses on systems that may have been introduced using custom or available tools that report software using insecure path configurations.
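The path interception check described in the two paragraphs above, and the service permission weakness audit mentioned earlier on this page, as one added example that is not part of the original page: it inspects constructed service ImagePath values, lists the executables Windows would look for before reaching the real binary when the path is unquoted and contains spaces, checks whether any of those locations sits in a directory that ordinary users can write to, and produces the quoted form the text recommends. The service names, paths and the writable-directory set are made up; on a real host they would come from the service registry keys and an ACL audit.

```python
# Added example: find services with unquoted, space-containing ImagePath values,
# list the paths Windows would try first, and check them against a constructed
# set of user-writable directories. Nothing here is read from a real system.

SAMPLE_SERVICES = {
    "GoodSvc": r'"C:\Program Files\Vendor\Good Service\svc.exe" -run',
    "LegacySvc": r"C:\Program Files\Legacy Tools\Agent Service\agent.exe /service",
    "SysSvc": r"C:\Windows\System32\svchost.exe -k netsvcs",
}

# Directories that, in this constructed scenario, grant write access to
# non-administrators (what an ACL review with icacls would reveal).
USER_WRITABLE_DIRS = {r"C:\Program Files\Legacy Tools"}


def executable_part(image_path):
    """Return the executable portion of an unquoted ImagePath (through '.exe')."""
    idx = image_path.lower().find(".exe")
    if idx == -1:
        return image_path.split(" ", 1)[0]
    return image_path[: idx + 4]


def interception_candidates(image_path):
    """Paths tried before the intended binary when an unquoted path has spaces.

    For C:\\Program Files\\Legacy Tools\\Agent Service\\agent.exe the candidates
    are C:\\Program.exe, C:\\Program Files\\Legacy.exe and
    C:\\Program Files\\Legacy Tools\\Agent.exe, in that order.
    """
    parts = executable_part(image_path).split(" ")
    return [" ".join(parts[:i]) + ".exe" for i in range(1, len(parts))]


def quoted_image_path(image_path):
    """The remediated form: executable wrapped in quotes, arguments unchanged."""
    exe = executable_part(image_path)
    return f'"{exe}"' + image_path[len(exe):]


def audit_service_paths(services, user_writable_dirs):
    """Return findings for services whose unquoted path contains spaces.

    A candidate whose parent directory is user-writable is the case that
    needs fixing first; the others are still reported because the quoting
    fix should be applied regardless of current ACLs.
    """
    findings = []
    for name, image_path in services.items():
        if image_path.lstrip().startswith('"'):
            continue
        exe = executable_part(image_path)
        if " " not in exe:
            continue
        candidates = interception_candidates(image_path)
        writable = [c for c in candidates if c.rsplit("\\", 1)[0] in user_writable_dirs]
        findings.append({
            "service": name,
            "candidates": candidates,
            "writable_candidates": writable,
            "fix": quoted_image_path(image_path),
        })
    return findings


if __name__ == "__main__":
    for finding in audit_service_paths(SAMPLE_SERVICES, USER_WRITABLE_DIRS):
        print(finding["service"], "->", finding["fix"])
        for path in finding["writable_candidates"]:
            print("  user-writable candidate:", path)
```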
Ensure only authorized keys are allowed access to critical resources and audit access lists regularly.
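The access-list audit above applied to SSH, as an added example that is not part of the original page: it parses an authorized_keys file, compares each key against an approved list, and flags keys that carry no `from=` source restriction. The file contents, the approved list and the key blobs are constructed placeholders.

```python
# Added example: parse authorized_keys and report keys that are not approved
# or that lack a source restriction. File content and key blobs are placeholders.

KEY_TYPES = (
    "ssh-ed25519", "ssh-rsa", "ecdsa-sha2-nistp256", "ecdsa-sha2-nistp384",
    "ecdsa-sha2-nistp521", "sk-ssh-ed25519@openssh.com",
    "sk-ecdsa-sha2-nistp256@openssh.com",
)

SAMPLE_AUTHORIZED_KEYS = """# backup job key, restricted to the jump host subnet
from="10.0.5.0/24",command="/usr/local/bin/backup.sh",no-pty,no-port-forwarding ssh-ed25519 AAAAC3PLACEHOLDER1 backup@jump01
ssh-rsa AAAAB3PLACEHOLDER2 alice@laptop
ssh-ed25519 AAAAC3PLACEHOLDER3 unknown@somewhere
this line is not a key
"""

APPROVED_KEYS = {"AAAAC3PLACEHOLDER1", "AAAAB3PLACEHOLDER2"}


def parse_authorized_keys(text):
    """Return [{options, key_type, key, comment}] for each non-comment line.

    Options, when present, precede the key type and may contain quoted spaces,
    so the line is split on whitespace and the first recognised key-type token
    marks where the options end. Unparseable lines are kept with key=None so
    the audit can report them instead of silently dropping them.
    """
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        type_idx = next((i for i, tok in enumerate(fields) if tok in KEY_TYPES), None)
        if type_idx is None or type_idx + 1 >= len(fields):
            entries.append({"options": "", "key_type": None, "key": None, "comment": line})
            continue
        entries.append({
            "options": " ".join(fields[:type_idx]),
            "key_type": fields[type_idx],
            "key": fields[type_idx + 1],
            "comment": " ".join(fields[type_idx + 2:]),
        })
    return entries


def audit_authorized_keys(text, approved_keys=APPROVED_KEYS):
    """Return [(comment, [problems])] for entries that need attention."""
    findings = []
    for entry in parse_authorized_keys(text):
        problems = []
        if entry["key"] is None:
            problems.append("unparseable line")
        elif entry["key"] not in approved_keys:
            problems.append("key not on the approved list")
        if entry["key"] is not None and "from=" not in entry["options"]:
            problems.append("no from= source restriction")
        if problems:
            findings.append((entry["comment"], problems))
    return findings


if __name__ == "__main__":
    for comment, problems in audit_authorized_keys(SAMPLE_AUTHORIZED_KEYS):
        print(comment, "->", "; ".join(problems))
```

Matching on the key blob rather than the trailing comment matters: the comment is free text that anyone who can edit the file can set to look like an approved user.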
Enterprise | T1076 | Remote Desktop Protocol
Audit the Remote Desktop Users group membership regularly. Remove unnecessary accounts and groups from Remote Desktop Users groups.
Toolkits like the PowerSploit framework contain PowerUp modules that can be used to explore systems for permission weaknesses in scheduled tasks that could be used to escalate privileges.
Enterprise | T1505 | Server Software Component
Regularly check component software on critical services that adversaries may target for persistence to verify the integrity of the systems and identify if unexpected changes have been made.
Enterprise | T1528 | Steal Application Access Token
Administrators should perform an audit of all OAuth applications and the permissions they have been granted to access organizational data. This should be done extensively on all applications in order to establish a baseline, followed up on with periodic audits of new or updated applications. Suspicious applications should be investigated and removed.
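The baseline-then-periodic OAuth audit described above, together with the OAuth monitoring point made for Application Access Token earlier on this page, as one added example that is not part of the original page: it compares the current application inventory against a saved baseline and flags new applications, newly granted permissions, high-risk scopes, missing publisher information and names that closely resemble an approved app. The application records, identifiers and scope names are constructed (the scope names follow the Microsoft Graph naming style); nothing comes from a real tenant.

```python
# Added example: compare an OAuth app inventory against a baseline and flag
# the changes an auditor would want to see. All records are constructed.
from difflib import SequenceMatcher

# Scopes treated as high risk in this example (Graph-style names).
HIGH_RISK_SCOPES = {
    "Mail.Read", "Mail.ReadWrite", "MailboxSettings.ReadWrite",
    "Files.ReadWrite.All", "Directory.ReadWrite.All",
    "RoleManagement.ReadWrite.Directory",
}

BASELINE_APPS = {
    "app-001": {"name": "Calendar Sync", "publisher": "Vendor A",
                "scopes": {"Calendars.Read", "User.Read"}},
    "app-002": {"name": "Helpdesk Bot", "publisher": "Vendor B",
                "scopes": {"User.Read"}},
}

CURRENT_APPS = {
    "app-001": {"name": "Calendar Sync", "publisher": "Vendor A",
                "scopes": {"Calendars.Read", "User.Read", "Mail.ReadWrite"}},
    "app-002": {"name": "Helpdesk Bot", "publisher": "Vendor B",
                "scopes": {"User.Read"}},
    "app-003": {"name": "Calender Sync", "publisher": None,
                "scopes": {"Mail.Read", "MailboxSettings.ReadWrite", "offline_access"}},
}


def names_resemble(a, b, threshold=0.85):
    """True when two different names are near-identical (lookalike check)."""
    return a != b and SequenceMatcher(None, a.lower(), b.lower()).ratio() >= threshold


def audit_oauth_apps(baseline, current, high_risk=HIGH_RISK_SCOPES):
    """Return {app_id: [reasons]} for applications that warrant review.

    An app already in the baseline is reported only for scopes added since
    the baseline; an unknown app is reported outright. High-risk scopes,
    a missing publisher and a name resembling an approved app are reported
    in both cases.
    """
    findings = {}
    for app_id, app in current.items():
        reasons = []
        prior = baseline.get(app_id)
        if prior is None:
            reasons.append("new application since baseline")
        else:
            added = app["scopes"] - prior["scopes"]
            if added:
                reasons.append("scopes added: " + ", ".join(sorted(added)))
        risky = app["scopes"] & high_risk
        if risky:
            reasons.append("high-risk scopes: " + ", ".join(sorted(risky)))
        if not app.get("publisher"):
            reasons.append("no verified publisher")
        for known in baseline.values():
            if names_resemble(app["name"], known["name"]):
                reasons.append(f"name resembles approved app '{known['name']}'")
        if reasons:
            findings[app_id] = reasons
    return findings


if __name__ == "__main__":
    for app_id, reasons in audit_oauth_apps(BASELINE_APPS, CURRENT_APPS).items():
        print(app_id, CURRENT_APPS[app_id]["name"])
        for reason in reasons:
            print("  -", reason)
```

Once an app has been reviewed and accepted, its current record is written back into the baseline so that the next periodic run reports only what changed since then.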
Routinely audit source code, application configuration files, open repositories, and public cloud storage for insecure use and storage of credentials.
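The credential search described above, and the file and Registry credential searches listed earlier on this page, as one added example that is not part of the original page: it scans a set of in-memory sources (configuration file contents, a script, a Registry value and a git config) for credential-looking patterns and reports each hit with the secret redacted. Every path, value and secret is constructed; AKIAIOSFODNN7EXAMPLE is the placeholder access key id used in AWS documentation, not a live credential.

```python
# Added example: scan in-memory "files" and registry values for credential
# patterns and report redacted hits. All sources and values are constructed.
import re

SAMPLE_SOURCES = {
    r"C:\app\config\settings.ini":
        "db_host=db01\ndb_user=svc_app\ndb_password=Summer2019!\n",
    r"C:\scripts\deploy.ps1":
        "$cred = Get-Credential\nWrite-Host 'deploying'\n",
    r"HKLM\SOFTWARE\Example\Agent\ApiKey":
        "AKIAIOSFODNN7EXAMPLE",
    "/home/alice/.git/config":
        '[remote "origin"]\n\turl = https://alice:ghp_PLACEHOLDERtoken@git.example.com/org/repo.git\n',
}

# (label, pattern); the last capturing group, when present, is the secret itself.
CREDENTIAL_PATTERNS = [
    ("assignment", re.compile(
        r"(?i)(pass(?:word|wd)?|pwd|secret|api[_-]?key|token)\s*[=:]\s*['\"]?([^\s'\"]{6,})")),
    ("url-embedded credential", re.compile(r"[a-z][a-z0-9+.-]*://[^/\s:@]+:([^@\s]+)@")),
    ("aws access key id", re.compile(r"\bAKIA[0-9A-Z]{16}\b")),
    ("private key block", re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----")),
]


def redact(secret):
    """Keep a short prefix so a reviewer can recognise the value without logging it."""
    return secret[:3] + "***"


def scan_sources(sources, patterns=CREDENTIAL_PATTERNS):
    """Return [{location, kind, preview}] for every credential-looking value.

    Values that start with a variable or template marker ($, %, <, {) are
    skipped: they reference a secret rather than embed one.
    """
    findings = []
    for location, content in sources.items():
        for kind, rx in patterns:
            for match in rx.finditer(content):
                secret = match.group(match.lastindex) if match.lastindex else match.group(0)
                if secret.startswith(("$", "%", "<", "{")):
                    continue
                findings.append({"location": location, "kind": kind, "preview": redact(secret)})
    return findings


if __name__ == "__main__":
    for finding in scan_sources(SAMPLE_SOURCES):
        print(f"{finding['location']}: {finding['kind']} ({finding['preview']})")
```

The deploy script is not reported because `Get-Credential` prompts at run time instead of embedding a value, which is the pattern to steer authors toward when a hit is found.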
- Kanthak, S. (2016, July 20). Vulnerability and Exploit Detector. Retrieved February 3, 2017.
- Robbins, A., Vazarkar, R., and Schroeder, W. (2016, April 17). Bloodhound: Six Degrees of Domain Admin. Retrieved March 5, 2019.
- Tim McMichael. (2014, July 28). Exchange and Office 365: Mail Forwarding. Retrieved August 27, 2019.