Audit

Perform audits or scans of systems, permissions, insecure software, insecure configurations, etc. to identify potential weaknesses.

ID: M1047
Version: 1.0
Created: 11 June 2019
Last Modified: 11 June 2019

Techniques Addressed by Mitigation

Domain ID Name Description
Enterprise T1527 Application Access Token

Administrators can set up a variety of logs and leverage audit tools to monitor actions that can be conducted as a result of OAuth 2.0 access. For instance, audit reports enable admins to identify privilege escalation actions such as role creations or policy modifications, which could be actions performed after initial access.

Enterprise T1176 Browser Extensions

Ensure extensions that are installed are the intended ones as many malicious extensions will masquerade as legitimate ones.

Enterprise T1088 Bypass User Account Control

Check for common UAC bypass weaknesses on Windows systems to be aware of the risk posture and address issues where appropriate.

Enterprise T1081 Credentials in Files

Preemptively search for files containing passwords and take actions to reduce the exposure risk when found.

Enterprise T1214 Credentials in Registry

Proactively search for credentials within the Registry and attempt to remediate the risk.

Enterprise T1530 Data from Cloud Storage Object

Frequently check permissions on cloud storage to ensure proper permissions are set to deny open or unprivileged access to resources.

Enterprise T1213 Data from Information Repositories

Consider periodic review of accounts and privileges for critical and sensitive repositories.

Enterprise T1038 DLL Search Order Hijacking

Use auditing tools capable of detecting DLL search order hijacking opportunities on systems within an enterprise and correct them. Toolkits like the PowerSploit framework contain PowerUp modules that can be used to explore systems for DLL hijacking weaknesses.[1]

Enterprise T1073 DLL Side-Loading

Use the program sxstrace.exe that is included with Windows along with manual inspection to check manifest files for side-loading vulnerabilities in software.

Enterprise T1482 Domain Trust Discovery

Map the trusts within existing domains/forests and keep trust relationships to a minimum.

Enterprise T1114 Email Collection

Enterprise email solutions have monitoring mechanisms that may include the ability to audit auto-forwarding rules on a regular basis.

In an Exchange environment, Administrators can use Get-InboxRule to discover and remove potentially malicious auto-forwarding rules.[6]
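The Get-InboxRule audit described above, written out as an added example that is not part of the ATT&CK page. It assumes a connected Exchange Management Shell or Exchange Online PowerShell session; the function name Get-ForwardingInboxRule is my own, and the mailbox-level forwarding check at the end goes beyond the page's inbox-rule mention.

```powershell
# Added example, not from the ATT&CK page. Assumes a connected Exchange
# Management Shell / Exchange Online PowerShell session.
function Get-ForwardingInboxRule {
    [CmdletBinding()]
    param(
        # Optional: limit the audit to one mailbox; the default is every mailbox
        [string]$Mailbox
    )
    $mailboxes = if ($Mailbox) { Get-Mailbox -Identity $Mailbox }
                 else          { Get-Mailbox -ResultSize Unlimited }

    foreach ($mbx in $mailboxes) {
        Get-InboxRule -Mailbox $mbx.UserPrincipalName |
            Where-Object { $_.ForwardTo -or $_.ForwardAsAttachmentTo -or $_.RedirectTo } |
            ForEach-Object {
                $rule = $_
                # Collapse the three recipient lists into one string for review;
                # addresses outside the organisation's accepted domains are the
                # usual sign of mail being siphoned off.
                $targets = @($rule.ForwardTo) + @($rule.ForwardAsAttachmentTo) + @($rule.RedirectTo) |
                           Where-Object { $_ }
                [pscustomobject]@{
                    Mailbox      = $mbx.UserPrincipalName
                    RuleName     = $rule.Name
                    RuleIdentity = $rule.Identity
                    Enabled      = $rule.Enabled
                    Targets      = ($targets -join '; ')
                    DeletesCopy  = $rule.DeleteMessage   # forward-and-delete hides the activity from the user
                }
            }
    }

    # Mailbox-level forwarding is configured outside inbox rules and is missed by
    # Get-InboxRule, so report it in the same pass (goes beyond the page's text).
    $mailboxes |
        Where-Object { $_.ForwardingAddress -or $_.ForwardingSmtpAddress } |
        ForEach-Object {
            [pscustomobject]@{
                Mailbox      = $_.UserPrincipalName
                RuleName     = '<mailbox forwarding>'
                RuleIdentity = $null
                Enabled      = $true
                Targets      = (($_.ForwardingAddress, $_.ForwardingSmtpAddress | Where-Object { $_ }) -join '; ')
                DeletesCopy  = -not $_.DeliverToMailboxAndForward
            }
        }
}

# Review the findings, then remove confirmed malicious rules:
#   Get-ForwardingInboxRule | Export-Csv .\forwarding-rules.csv -NoTypeInformation
#   Remove-InboxRule -Mailbox user@example.com -Identity '<RuleIdentity>' -Confirm:$false
```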

Enterprise T1044 File System Permissions Weakness

Use auditing tools capable of detecting file system permissions abuse opportunities on systems within an enterprise and correct them. Toolkits like the PowerSploit framework contain PowerUp modules that can be used to explore systems for service file system permissions weaknesses.[1]

Enterprise T1484 Group Policy Modification

Identify and correct GPO permissions abuse opportunities (ex: GPO modification privileges) using auditing tools such as Bloodhound (version 1.5.1 and later).[5]

Enterprise T1525 Implant Container Image

Periodically check the integrity of images and containers used in cloud deployments to ensure they have not been modified to include malicious software.

Enterprise T1161 LC_LOAD_DYLIB Addition

Binaries can also be baselined for what dynamic libraries they require, and if an app requires a new dynamic library that wasn't included as part of an update, it should be investigated.

Enterprise T1031 Modify Existing Service

Use auditing tools capable of detecting privilege and service abuse opportunities on systems within an enterprise and correct them.

Enterprise T1034 Path Interception

Find and eliminate path interception weaknesses in program configuration files, scripts, the PATH environment variable, services, and in shortcuts by surrounding PATH variables with quotation marks when functions allow for them. Be aware of the search order Windows uses for executing or loading binaries and use fully qualified paths wherever appropriate.

Clean up old Windows Registry keys when software is uninstalled to avoid keys with no associated legitimate binaries. Periodically search for and correct or report path interception weaknesses on systems that may have been introduced using custom or available tools that report software using insecure path configurations.[2][3][4]
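One of the path interception checks the paragraph above calls for, the service case, as an added example that is not part of the ATT&CK page: it lists services whose binary path is unquoted and contains a space, the configuration under which Windows tries each space-delimited prefix of the path before the intended executable. The function name Get-UnquotedServicePath is my own; it needs only built-in cmdlets.

```powershell
# Added example, not from the ATT&CK page: report services with an unquoted
# binary path that contains a space (path interception via service path).
function Get-UnquotedServicePath {
    Get-CimInstance -ClassName Win32_Service |
        ForEach-Object {
            $path = $_.PathName
            if ([string]::IsNullOrWhiteSpace($path)) { return }   # no binary path recorded
            if ($path.StartsWith('"')) { return }                 # quoted: resolved unambiguously

            # Keep only the executable portion; anything after the first ".exe"
            # is command-line arguments and may legitimately contain spaces.
            $m   = [regex]::Match($path, '^(.*?\.exe)', 'IgnoreCase')
            $exe = if ($m.Success) { $m.Groups[1].Value } else { $path }

            if ($exe -match '\s') {
                [pscustomobject]@{
                    Name      = $_.Name
                    StartName = $_.StartName    # account the service runs as; LocalSystem raises the impact
                    StartMode = $_.StartMode
                    PathName  = $path
                }
            }
        }
}

# Remediate each finding by quoting the executable path (elevated cmd.exe prompt):
#   sc.exe config <ServiceName> binPath= "\"C:\Program Files\Vendor\svc.exe\" -arg"
```

Run Get-UnquotedServicePath periodically and diff the output against the previous run so that newly installed software with the weakness stands out.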

Enterprise T1145 Private Keys

Ensure only authorized keys are allowed access to critical resources and audit access lists regularly.

Enterprise T1076 Remote Desktop Protocol

Audit the Remote Desktop Users group membership regularly. Remove unnecessary accounts and groups from Remote Desktop Users groups.

Enterprise T1053 Scheduled Task

Toolkits like the PowerSploit framework contain PowerUp modules that can be used to explore systems for permission weaknesses in scheduled tasks that could be used to escalate privileges.[1]

Enterprise T1505 Server Software Component

Regularly check component software on critical services that adversaries may target for persistence to verify the integrity of the systems and identify if unexpected changes have been made.

Enterprise T1528 Steal Application Access Token

Administrators should perform an audit of all OAuth applications and the permissions they have been granted to access organizational data. This should be done extensively on all applications in order to establish a baseline, followed up on with periodic audits of new or updated applications. Suspicious applications should be investigated and removed.

Enterprise T1078 Valid Accounts

Routinely audit source code, application configuration files, open repositories, and public cloud storage for insecure use and storage of credentials.