The sub-techniques beta is now live! Read the release blog post for more info.

Application Isolation and Sandboxing

Restrict execution of code to a virtual environment on or in transit to an endpoint system.

ID: M1048
Version: 1.0
Created: 11 June 2019
Last Modified: 11 June 2019

Techniques Addressed by Mitigation

Domain ID Name Description
Enterprise T1175 Component Object Model and Distributed COM

Ensure all COM alerts and Protected View are enabled.

Enterprise T1189 Drive-by Compromise

Browser sandboxes can be used to mitigate some of the impact of exploitation, but sandbox escapes may still exist.

Other types of virtualization and application microsegmentation may also mitigate the impact of client-side exploitation. The risks of additional exploits and weaknesses in implementation may still exist for these types of systems.[1][2]

Enterprise T1173 Dynamic Data Exchange

Ensure Protected View is enabled.[3]

Enterprise T1190 Exploit Public-Facing Application

Application isolation will limit what other processes and system features the exploited target can access.

Enterprise T1203 Exploitation for Client Execution

Browser sandboxes can be used to mitigate some of the impact of exploitation, but sandbox escapes may still exist.

Other types of virtualization and application microsegmentation may also mitigate the impact of client-side exploitation. Risks of additional exploits and weaknesses in those systems may still exist.[1][2]

Enterprise T1212 Exploitation for Credential Access

Make it difficult for adversaries to advance their operation through exploitation of undiscovered or unpatched vulnerabilities by using sandboxing. Other types of virtualization and application microsegmentation may also mitigate the impact of some types of exploitation. Risks of additional exploits and weaknesses in these systems may still exist.[2]

Enterprise T1211 Exploitation for Defense Evasion

Make it difficult for adversaries to advance their operation through exploitation of undiscovered or unpatched vulnerabilities by using sandboxing. Other types of virtualization and application microsegmentation may also mitigate the impact of some types of exploitation. Risks of additional exploits and weaknesses in these systems may still exist.[2]

Enterprise T1068 Exploitation for Privilege Escalation

Make it difficult for adversaries to advance their operation through exploitation of undiscovered or unpatched vulnerabilities by using sandboxing. Other types of virtualization and application microsegmentation may also mitigate the impact of some types of exploitation. Risks of additional exploits and weaknesses in these systems may still exist.[2]

Enterprise T1210 Exploitation of Remote Services

Make it difficult for adversaries to advance their operation through exploitation of undiscovered or unpatched vulnerabilities by using sandboxing. Other types of virtualization and application microsegmentation may also mitigate the impact of some types of exploitation. Risks of additional exploits and weaknesses in these systems may still exist.[2]

Enterprise T1064 Scripting

Configure Office security settings enable Protected View, to execute within a sandbox environment, and to block macros through Group Policy. Other types of virtualization and application microsegmentation may also mitigate the impact of compromise.

References