Software Configuration
Implement configuration changes to software (other than the operating system) to mitigate security risks associated to how the software operates.
Techniques Addressed by Mitigation
| Domain | ID | Name | Use | |
|---|---|---|---|---|
| Enterprise | T1602 | Data from Configuration Repository |
Allowlist MIB objects and implement SNMP views.[1] |
|
| .001 | SNMP (MIB Dump) |
Allowlist MIB objects and implement SNMP views.[1] |
||
| .002 | Network Device Configuration Dump |
Allowlist MIB objects and implement SNMP views. Disable Smart Install (SMI) if not used. [1] [2] |
||
| Enterprise | T1546 | .013 | Event Triggered Execution: PowerShell Profile |
Avoid PowerShell profiles if not needed. Use the -No Profile flag with when executing PowerShell scripts remotely to prevent local profiles and scripts from being executed. |
| Enterprise | T1606 | Forge Web Credentials |
Configure browsers/applications to regularly delete persistent web credentials (such as cookies). |
|
| .001 | Web Cookies |
Configure browsers/applications to regularly delete persistent web cookies. |
||
| Enterprise | T1562 | .006 | Impair Defenses: Indicator Blocking |
Consider automatically relaunching forwarding mechanisms at recurring intervals (ex: temporal, on-logon, etc.) as well as applying appropriate change management to firewall rules and other related system configurations. |
| Enterprise | T1559 | Inter-Process Communication |
Consider disabling embedded files in Office programs, such as OneNote, that do not work with Protected View.[3][4] |
|
| .002 | Dynamic Data Exchange |
Consider disabling embedded files in Office programs, such as OneNote, that do not work with Protected View.[3][4] |
||
| Enterprise | T1137 | Office Application Startup |
For the Office Test method, create the Registry key used to execute it and set the permissions to "Read Control" to prevent easy access to the key without administrator permissions or requiring Privilege Escalation. [5] |
|
| .002 | Office Test |
Create the Registry key used to execute it and set the permissions to "Read Control" to prevent easy access to the key without administrator permissions or requiring Privilege Escalation.[5] |
||
| Enterprise | T1539 | Steal Web Session Cookie |
Configure browsers or tasks to regularly delete persistent cookies. |
|
| Enterprise | T1553 | Subvert Trust Controls |
HTTP Public Key Pinning (HPKP) is one method to mitigate potential man-in-the-middle situations where and adversary uses a mis-issued or fraudulent certificate to intercept encrypted communications by enforcing use of an expected certificate. [6] |
|
| .004 | Install Root Certificate |
HTTP Public Key Pinning (HPKP) is one method to mitigate potential man-in-the-middle situations where and adversary uses a mis-issued or fraudulent certificate to intercept encrypted communications by enforcing use of an expected certificate. [6] |
||
| Enterprise | T1535 | Unused/Unsupported Cloud Regions |
Cloud service providers may allow customers to deactivate unused regions.[7] |
|
| Enterprise | T1550 | .004 | Use Alternate Authentication Material: Web Session Cookie |
Configure browsers or tasks to regularly delete persistent cookies. |
References
- Cisco. (2006, May 10). Securing Simple Network Management Protocol. Retrieved October 19, 2020.
- US-CERT. (2018, April 20). Russian State-Sponsored Cyber Actors Targeting Network Infrastructure Devices. Retrieved October 19, 2020.
- Nelson, M. (2018, January 29). Reviving DDE: Using OneNote and Excel for Code Execution. Retrieved February 3, 2018.
- Dormann, W. (2017, October 20). Disable DDEAUTO for Outlook, Word, OneNote, and Excel versions 2010, 2013, 2016. Retrieved February 3, 2018.
- Falcone, R. (2016, July 20). Technical Walkthrough: Office Test Persistence Method Used In Recent Sofacy Attacks. Retrieved July 3, 2017.
- Wikipedia. (2017, February 28). HTTP Public Key Pinning. Retrieved March 31, 2017.
- CloudSploit. (2019, June 8). The Danger of Unused AWS Regions. Retrieved October 8, 2019.