Update Software

Perform regular software updates to mitigate exploitation risk.

ID: M1051
Version: 1.0
Created: 11 June 2019
Last Modified: 07 July 2020

Techniques Addressed by Mitigation

Domain ID Name Use
Enterprise T1548 Abuse Elevation Control Mechanism

Perform regular software updates to mitigate exploitation risk.

.002 Bypass User Account Control

Consider updating Windows to the latest version and patch level to utilize the latest protective measures against UAC bypass.[1]

.006 TCC Manipulation

Routinely update software. Where possible, ensure systems are macOS Sierra+ and SIP is enabled.[2]

Enterprise T1176 Browser Extensions

Ensure operating systems and browsers are using the most current version.

Enterprise T1110 .001 Brute Force: Password Guessing

Upgrade management services to the latest supported and compatible version. Specifically, any version providing increased password complexity or policy enforcement preventing default or weak passwords.

Enterprise T1555 Credentials from Password Stores

Perform regular software updates to mitigate exploitation risk.

.005 Password Managers

Update password managers regularly by employing patch management for internal enterprise endpoints and servers.

Enterprise T1602 Data from Configuration Repository

Keep system images and software updated and migrate to SNMPv3.[3]

.001 SNMP (MIB Dump)

Keep system images and software updated and migrate to SNMPv3.[3]

.002 Network Device Configuration Dump

Keep system images and software updated and migrate to SNMPv3.[3]

Enterprise T1189 Drive-by Compromise

Ensuring all browsers and plugins are kept updated can help prevent the exploit phase of this technique. Use modern browsers with security features turned on.

Enterprise T1546 Event Triggered Execution

Perform regular software updates to mitigate exploitation risk.

.010 AppInit DLLs

Upgrade to Windows 8 or later and enable secure boot.

.011 Application Shimming

Microsoft released an optional patch update, KB3045645, that removes the "auto-elevate" flag from sdbinst.exe. This prevents the use of application shimming to bypass UAC.
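The following check is an added example, not part of the ATT&CK page or of Microsoft's guidance. It verifies whether the shim installer on a host still carries the auto-elevate manifest flag that KB3045645 removes, by searching the embedded application manifest of sdbinst.exe, and reports whether the KB is listed as installed. It assumes a default install path of %SystemRoot%\System32\sdbinst.exe and that the manifest is stored as UTF-8 XML in the RT_MANIFEST resource (which is how application manifests are embedded); the function name is mine.

```powershell
# Added example (not from the ATT&CK page): does sdbinst.exe still auto-elevate?
# Assumes the default location of sdbinst.exe; adjust -Path if needed.
function Test-SdbinstAutoElevate {
    param(
        [string]$Path = (Join-Path $env:SystemRoot 'System32\sdbinst.exe')
    )
    if (-not (Test-Path -LiteralPath $Path)) { throw "sdbinst.exe not found at $Path" }

    # The application manifest is embedded as an RT_MANIFEST resource in UTF-8,
    # so a byte-level search for the XML element is sufficient for an audit.
    $bytes = [System.IO.File]::ReadAllBytes($Path)
    $text  = [System.Text.Encoding]::ASCII.GetString($bytes)
    $match = [regex]::Match($text, '<autoElevate>\s*(true|false)\s*</autoElevate>', 'IgnoreCase')

    [pscustomobject]@{
        Path               = $Path
        FileVersion        = (Get-Item -LiteralPath $Path).VersionInfo.FileVersion
        AutoElevate        = if ($match.Success) { $match.Groups[1].Value.ToLower() } else { 'absent' }
        KB3045645Installed = [bool](Get-HotFix -Id KB3045645 -ErrorAction SilentlyContinue)
    }
}

$result = Test-SdbinstAutoElevate
$result | Format-List
if ($result.AutoElevate -eq 'true') {
    Write-Warning 'sdbinst.exe still auto-elevates: shim-based UAC bypass remains possible on this host.'
}
```

Get-HotFix only lists updates that were installed as separate packages, so on builds that ship the change in the base image the KB will not appear; treat the manifest result as the authoritative signal and the KB flag as supporting evidence.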

Enterprise T1190 Exploit Public-Facing Application

Update software regularly by employing patch management for externally exposed applications.

Enterprise T1212 Exploitation for Credential Access

Update software regularly by employing patch management for internal enterprise endpoints and servers.

Enterprise T1211 Exploitation for Defense Evasion

Update software regularly by employing patch management for internal enterprise endpoints and servers.

Enterprise T1068 Exploitation for Privilege Escalation

Update software regularly by employing patch management for internal enterprise endpoints and servers.

Enterprise T1210 Exploitation of Remote Services

Update software regularly by employing patch management for internal enterprise endpoints and servers.

Enterprise T1495 Firmware Corruption

Patch the BIOS and other firmware as necessary to prevent successful use of known vulnerabilities.

Enterprise T1574 Hijack Execution Flow

Update software regularly to include patches that fix DLL side-loading vulnerabilities.

.002 DLL Side-Loading

Update software regularly to include patches that fix DLL side-loading vulnerabilities.

Enterprise T1137 Office Application Startup

For the Outlook methods, blocking macros may be ineffective as the Visual Basic engine used for these features is separate from the macro scripting engine.[4] Microsoft has released patches to try to address each issue. Ensure KB3191938 which blocks Outlook Visual Basic and displays a malicious code warning, KB4011091 which disables custom forms by default, and KB4011162 which removes the legacy Home Page feature, are applied to systems.[5]

.003 Outlook Forms

For the Outlook methods, blocking macros may be ineffective as the Visual Basic engine used for these features is separate from the macro scripting engine.[4] Microsoft has released patches to try to address each issue. Ensure KB3191938 which blocks Outlook Visual Basic and displays a malicious code warning, KB4011091 which disables custom forms by default, and KB4011162 which removes the legacy Home Page feature, are applied to systems.[5]

.004 Outlook Home Page

For the Outlook methods, blocking macros may be ineffective as the Visual Basic engine used for these features is separate from the macro scripting engine.[4] Microsoft has released patches to try to address each issue. Ensure KB3191938 which blocks Outlook Visual Basic and displays a malicious code warning, KB4011091 which disables custom forms by default, and KB4011162 which removes the legacy Home Page feature, are applied to systems.[5]

.005 Outlook Rules

For the Outlook methods, blocking macros may be ineffective as the Visual Basic engine used for these features is separate from the macro scripting engine.[4] Microsoft has released patches to try to address each issue. Ensure KB3191938 which blocks Outlook Visual Basic and displays a malicious code warning, KB4011091 which disables custom forms by default, and KB4011162 which removes the legacy Home Page feature, are applied to systems.[5]

Enterprise T1542 Pre-OS Boot

Patch the BIOS and EFI as necessary.

.001 System Firmware

Patch the BIOS and EFI as necessary.

.002 Component Firmware

Perform regular firmware updates to mitigate risks of exploitation and/or abuse.

Enterprise T1072 Software Deployment Tools

Patch deployment systems regularly to prevent potential remote access through Exploitation for Privilege Escalation.

Enterprise T1195 Supply Chain Compromise

A patch management process should be implemented to check unused dependencies, unmaintained and/or previously vulnerable dependencies, unnecessary features, components, files, and documentation.

.001 Compromise Software Dependencies and Development Tools

A patch management process should be implemented to check unused dependencies, unmaintained and/or previously vulnerable dependencies, unnecessary features, components, files, and documentation.

.002 Compromise Software Supply Chain

A patch management process should be implemented to check unused applications, unmaintained and/or previously vulnerable software, unnecessary features, components, files, and documentation.

Enterprise T1552 Unsecured Credentials

Apply patch KB2962486 which prevents credentials from being stored in GPPs.[6][7]

.006 Group Policy Preferences

Apply patch KB2962486 which prevents credentials from being stored in GPPs.[6][7]
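KB2962486 stops the Group Policy editor from saving new passwords into preference files, but it does not remove files that already contain one; those stay in SYSVOL, readable by any authenticated user, until an administrator deletes them and rotates the affected credentials. The scan below is an added example, not part of the ATT&CK page, that finds such leftovers. It assumes the running account can read \\<domain>\SYSVOL (the default for authenticated users) and takes the domain from USERDNSDOMAIN; the function name and the output fields are mine, while the six file names are the preference types that can embed a cpassword attribute.

```powershell
# Added example (not from the ATT&CK page): find Group Policy Preference files in
# SYSVOL that still carry a cpassword attribute after KB2962486 was applied.
# Assumes read access to SYSVOL and that USERDNSDOMAIN names the right domain.
function Find-GppCpassword {
    param(
        [string]$PoliciesPath = "\\$env:USERDNSDOMAIN\SYSVOL\$env:USERDNSDOMAIN\Policies"
    )
    # Preference file types that can store an encrypted password.
    $names = 'Groups.xml', 'Services.xml', 'ScheduledTasks.xml',
             'DataSources.xml', 'Drives.xml', 'Printers.xml'

    Get-ChildItem -Path $PoliciesPath -Recurse -Include $names -ErrorAction SilentlyContinue |
    ForEach-Object {
        $file = $_
        [xml]$doc = Get-Content -LiteralPath $file.FullName -Raw
        # Any element with a cpassword attribute, whatever its type or depth.
        $doc.SelectNodes('//*[@cpassword]') | ForEach-Object {
            # The account attribute name differs per file type.
            $account = $_.userName
            if (-not $account) { $account = $_.accountName }
            if (-not $account) { $account = $_.runAs }
            [pscustomobject]@{
                File     = $file.FullName
                Element  = $_.ParentNode.LocalName
                Account  = $account
                Changed  = $_.ParentNode.changed
                HasValue = -not [string]::IsNullOrEmpty($_.cpassword)
            }
        }
    }
}

$hits = Find-GppCpassword
if ($hits) { $hits | Format-Table -AutoSize } else { 'No cpassword attributes found under SYSVOL.' }
```

Treat every row with HasValue set as an exposed credential, not merely a policy hygiene issue: the AES key used for cpassword is published in Microsoft's protocol documentation, so anyone who can read the file can recover the plaintext. Remove the preference item, then change the password of the account it names.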

Enterprise T1550 .002 Use Alternate Authentication Material: Pass the Hash

Apply patch KB2871997 to Windows 7 and higher systems to limit the default access of accounts in the local administrator group.[8]
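The check below is an added example, not part of the ATT&CK page, for auditing a Windows 7 or Server 2008 R2 host after KB2871997. Beyond confirming the update is listed, it reads two registry values that change how much the update actually helps: UseLogonCredential under the WDigest provider, which the update makes honour a value of 0 so that plaintext credentials are no longer cached in LSASS, and LocalAccountTokenFilterPolicy, which when set to 1 re-enables full remote administrative access for local accounts in the Administrators group. The registry paths are the documented ones; the function name and the output layout are mine.

```powershell
# Added example (not from the ATT&CK page): post-KB2871997 posture check.
# Assumes it is run with rights to read HKLM (any local user can).
function Test-Kb2871997Posture {
    $os = Get-CimInstance Win32_OperatingSystem
    $kb = Get-HotFix -Id KB2871997 -ErrorAction SilentlyContinue

    $wdigest = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest' `
                                -Name UseLogonCredential -ErrorAction SilentlyContinue
    $latfp   = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System' `
                                -Name LocalAccountTokenFilterPolicy -ErrorAction SilentlyContinue

    [pscustomobject]@{
        OS                            = $os.Caption
        Build                         = $os.BuildNumber
        KB2871997Installed            = [bool]$kb
        WDigestUseLogonCredential     = if ($wdigest) { $wdigest.UseLogonCredential } else { 'not set' }
        LocalAccountTokenFilterPolicy = if ($latfp) { $latfp.LocalAccountTokenFilterPolicy } else { 'not set' }
    }
}

$posture = Test-Kb2871997Posture
$posture | Format-List

if (-not $posture.KB2871997Installed) {
    Write-Warning 'KB2871997 is not listed (missing, or built into this Windows version).'
}
if ($posture.WDigestUseLogonCredential -ne 0) {
    Write-Warning 'WDigest may still cache plaintext credentials; set UseLogonCredential to 0 and reboot.'
}
if ($posture.LocalAccountTokenFilterPolicy -eq 1) {
    Write-Warning 'LocalAccountTokenFilterPolicy=1 restores remote admin access for local Administrators members.'
}
```

Windows 8.1 and Server 2012 R2 ship this functionality already, so on those and later versions the KB will not be listed and only the two registry values matter. On the older versions the WDigest value must be set to 0 explicitly after the update is installed; an absent value does not turn caching off.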

References