Deploy capabilities that detect, block, and mitigate conditions indicative of software exploits. These capabilities aim to prevent exploitation by addressing vulnerabilities, monitoring anomalous behaviors, and applying exploit-mitigation techniques to harden systems and software.
Operating System Exploit Protections:
ExploitProtectionExportSettings.exe -path "exploit_settings.xml"
Linux: Use Kernel-level hardening features like SELinux, AppArmor, or GRSEC to enforce memory protections and prevent exploits.Third-Party Endpoint Security:
Virtual Patching:- Use Case: Use tools to implement virtual patches that mitigate vulnerabilities in applications or operating systems until official patches are applied.- Implementation: Use Intrusion Prevention System (IPS) to block exploitation attempts on known vulnerabilities in outdated applications.
Hardening Application Configurations:
Domain | ID | Name | Use | |
---|---|---|---|---|
Enterprise | T1189 | Drive-by Compromise |
Security applications that look for behavior used during exploitation such as Windows Defender Exploit Guard (WDEG) and the Enhanced Mitigation Experience Toolkit (EMET) can be used to mitigate some exploitation behavior.[1] Control flow integrity checking is another way to potentially identify and stop a software exploit from occurring.[2] Many of these protections depend on the architecture and target application binary for compatibility. |
|
Enterprise | T1190 | Exploit Public-Facing Application |
Web Application Firewalls may be used to limit exposure of applications to prevent exploit traffic from reaching the application. |
|
Enterprise | T1203 | Exploitation for Client Execution |
Security applications that look for behavior used during exploitation such as Windows Defender Exploit Guard (WDEG) and the Enhanced Mitigation Experience Toolkit (EMET) can be used to mitigate some exploitation behavior. [1] Control flow integrity checking is another way to potentially identify and stop a software exploit from occurring. [2] Many of these protections depend on the architecture and target application binary for compatibility. |
|
Enterprise | T1212 | Exploitation for Credential Access |
Security applications that look for behavior used during exploitation such as Windows Defender Exploit Guard (WDEG) and the Enhanced Mitigation Experience Toolkit (EMET) can be used to mitigate some exploitation behavior.[1] Control flow integrity checking is another way to potentially identify and stop a software exploit from occurring.[2] Many of these protections depend on the architecture and target application binary for compatibility and may not work for software targeted for defense evasion. |
|
Enterprise | T1211 | Exploitation for Defense Evasion |
Security applications that look for behavior used during exploitation such as Windows Defender Exploit Guard (WDEG) and the Enhanced Mitigation Experience Toolkit (EMET) can be used to mitigate some exploitation behavior. [1] Control flow integrity checking is another way to potentially identify and stop a software exploit from occurring. [2] Many of these protections depend on the architecture and target application binary for compatibility and may not work for software targeted for defense evasion. |
|
Enterprise | T1068 | Exploitation for Privilege Escalation |
Security applications that look for behavior used during exploitation such as Windows Defender Exploit Guard (WDEG) and the Enhanced Mitigation Experience Toolkit (EMET) can be used to mitigate some exploitation behavior. [1] Control flow integrity checking is another way to potentially identify and stop a software exploit from occurring. [2] Many of these protections depend on the architecture and target application binary for compatibility and may not work for software components targeted for privilege escalation. |
|
Enterprise | T1210 | Exploitation of Remote Services |
Security applications that look for behavior used during exploitation such as Windows Defender Exploit Guard (WDEG) and the Enhanced Mitigation Experience Toolkit (EMET) can be used to mitigate some exploitation behavior. [1] Control flow integrity checking is another way to potentially identify and stop a software exploit from occurring. [2] Many of these protections depend on the architecture and target application binary for compatibility and may not work for all software or services targeted. |
|
Enterprise | T1218 | System Binary Proxy Execution |
Microsoft's Enhanced Mitigation Experience Toolkit (EMET) Attack Surface Reduction (ASR) feature can be used to block methods of using using trusted binaries to bypass application control. |
|
.010 | Regsvr32 |
Microsoft's Enhanced Mitigation Experience Toolkit (EMET) Attack Surface Reduction (ASR) feature can be used to block regsvr32.exe from being used to bypass application control. [3] Identify and block potentially malicious software executed through regsvr32 functionality by using application control [4] tools, like Windows Defender Application Control[5], AppLocker, [6] [7] or Software Restriction Policies [8] where appropriate. [9] |
||
.011 | Rundll32 |
Microsoft's Enhanced Mitigation Experience Toolkit (EMET) Attack Surface Reduction (ASR) feature can be used to block methods of using rundll32.exe to bypass application control. |
||
.015 | Electron Applications |
Microsoft's Enhanced Mitigation Experience Toolkit (EMET) Attack Surface Reduction (ASR) feature can be used to block methods of using trusted binaries to bypass application control. Ensure that Electron is updated to the latest version and critical vulnerabilities (such as nodeIntegration bypasses) are patched and cannot be exploited. |
||
Enterprise | T1080 | Taint Shared Content |
Use utilities that detect or mitigate common features used in exploitation, such as the Microsoft Enhanced Mitigation Experience Toolkit (EMET). |