Perform regular software updates to mitigate exploitation risk.
Domain | ID | Name | Use | |
---|---|---|---|---|
Enterprise | T1548 | Abuse Elevation Control Mechanism |
Perform regular software updates to mitigate exploitation risk. |
|
.002 | Bypass User Account Control |
Consider updating Windows to the latest version and patch level to utilize the latest protective measures against UAC bypass.[1] |
||
.006 | TCC Manipulation |
Routinely update software. Where possible, ensure systems are macOS Sierra+ and SIP is enabled.[2] |
||
Enterprise | T1176 | Browser Extensions |
Ensure operating systems and browsers are using the most current version. |
|
Enterprise | T1110 | .001 | Brute Force: Password Guessing |
Upgrade management services to the latest supported and compatible version. Specifically, any version providing increased password complexity or policy enforcement preventing default or weak passwords. |
Enterprise | T1555 | Credentials from Password Stores |
Perform regular software updates to mitigate exploitation risk. |
|
.005 | Password Managers |
Update password managers regularly by employing patch management for internal enterprise endpoints and servers. |
||
Enterprise | T1602 | Data from Configuration Repository |
Keep system images and software updated and migrate to SNMPv3.[3] |
|
.001 | SNMP (MIB Dump) |
Keep system images and software updated and migrate to SNMPv3.[3] |
||
.002 | Network Device Configuration Dump |
Keep system images and software updated and migrate to SNMPv3.[3] |
||
Enterprise | T1189 | Drive-by Compromise |
Ensure all browsers and plugins kept updated can help prevent the exploit phase of this technique. Use modern browsers with security features turned on. |
|
Enterprise | T1546 | Event Triggered Execution |
Perform regular software updates to mitigate exploitation risk. |
|
.010 | AppInit DLLs |
Upgrade to Windows 8 or later and enable secure boot. |
||
.011 | Application Shimming |
Microsoft released an optional patch update - KB3045645 - that will remove the "auto-elevate" flag within the sdbinst.exe. This will prevent use of application shimming to bypass UAC. |
||
Enterprise | T1190 | Exploit Public-Facing Application |
Update software regularly by employing patch management for externally exposed applications. |
|
Enterprise | T1212 | Exploitation for Credential Access |
Update software regularly by employing patch management for internal enterprise endpoints and servers. |
|
Enterprise | T1211 | Exploitation for Defense Evasion |
Update software regularly by employing patch management for internal enterprise endpoints and servers. |
|
Enterprise | T1068 | Exploitation for Privilege Escalation |
Update software regularly by employing patch management for internal enterprise endpoints and servers. |
|
Enterprise | T1210 | Exploitation of Remote Services |
Update software regularly by employing patch management for internal enterprise endpoints and servers. |
|
Enterprise | T1495 | Firmware Corruption |
Patch the BIOS and other firmware as necessary to prevent successful use of known vulnerabilities. |
|
Enterprise | T1574 | Hijack Execution Flow |
Update software regularly to include patches that fix DLL side-loading vulnerabilities. |
|
.002 | DLL Side-Loading |
Update software regularly to include patches that fix DLL side-loading vulnerabilities. |
||
Enterprise | T1137 | Office Application Startup |
For the Outlook methods, blocking macros may be ineffective as the Visual Basic engine used for these features is separate from the macro scripting engine.[4] Microsoft has released patches to try to address each issue. Ensure KB3191938 which blocks Outlook Visual Basic and displays a malicious code warning, KB4011091 which disables custom forms by default, and KB4011162 which removes the legacy Home Page feature, are applied to systems.[5] |
|
.003 | Outlook Forms |
For the Outlook methods, blocking macros may be ineffective as the Visual Basic engine used for these features is separate from the macro scripting engine.[4] Microsoft has released patches to try to address each issue. Ensure KB3191938 which blocks Outlook Visual Basic and displays a malicious code warning, KB4011091 which disables custom forms by default, and KB4011162 which removes the legacy Home Page feature, are applied to systems.[5] |
||
.004 | Outlook Home Page |
For the Outlook methods, blocking macros may be ineffective as the Visual Basic engine used for these features is separate from the macro scripting engine.[4] Microsoft has released patches to try to address each issue. Ensure KB3191938 which blocks Outlook Visual Basic and displays a malicious code warning, KB4011091 which disables custom forms by default, and KB4011162 which removes the legacy Home Page feature, are applied to systems.[5] |
||
.005 | Outlook Rules |
For the Outlook methods, blocking macros may be ineffective as the Visual Basic engine used for these features is separate from the macro scripting engine.[4] Microsoft has released patches to try to address each issue. Ensure KB3191938 which blocks Outlook Visual Basic and displays a malicious code warning, KB4011091 which disables custom forms by default, and KB4011162 which removes the legacy Home Page feature, are applied to systems.[5] |
||
Enterprise | T1542 | Pre-OS Boot |
Patch the BIOS and EFI as necessary. |
|
.001 | System Firmware |
Patch the BIOS and EFI as necessary. |
||
.002 | Component Firmware |
Perform regular firmware updates to mitigate risks of exploitation and/or abuse. |
||
Enterprise | T1072 | Software Deployment Tools |
Patch deployment systems regularly to prevent potential remote access through Exploitation for Privilege Escalation. |
|
Enterprise | T1195 | Supply Chain Compromise |
A patch management process should be implemented to check unused dependencies, unmaintained and/or previously vulnerable dependencies, unnecessary features, components, files, and documentation. |
|
.001 | Compromise Software Dependencies and Development Tools |
A patch management process should be implemented to check unused dependencies, unmaintained and/or previously vulnerable dependencies, unnecessary features, components, files, and documentation. |
||
.002 | Compromise Software Supply Chain |
A patch management process should be implemented to check unused applications, unmaintained and/or previously vulnerable software, unnecessary features, components, files, and documentation. |
||
Enterprise | T1552 | Unsecured Credentials |
Apply patch KB2962486 which prevents credentials from being stored in GPPs.[6][7] |
|
.006 | Group Policy Preferences |
Apply patch KB2962486 which prevents credentials from being stored in GPPs.[6][7] |
||
Enterprise | T1550 | .002 | Use Alternate Authentication Material: Pass the Hash |
Apply patch KB2871997 to Windows 7 and higher systems to limit the default access of accounts in the local administrator group.[8] |