The sub-techniques beta is now live! Read the release blog post for more info.
MITIGATIONS
Enterprise
Restrict Web-Based Content
Mobile
MITIGATIONS
Enterprise
A-C
D-F
G-I
No mitigations
J-L
M-O
P-R
S-U
V-X
Y-Z
No mitigations
Mobile
A-C
D-F
G-I
J-L
M-O
No mitigations
P-R
No mitigations
S-U
V-X
No mitigations
Y-Z
No mitigations
  1. Home
  2. Mitigations
  3. Software Configuration

Software Configuration

Implement configuration changes to software (other than the operating system) to mitigate security risks associated to how the software operates.

ID: M1054
Version: 1.0
Created: 19 July 2019
Last Modified: 19 July 2019

Techniques Addressed by Mitigation

Domain ID Name Description
Enterprise T1173 Dynamic Data Exchange

Consider disabling embedded files in Office programs, such as OneNote, that do not work with Protected View.[1][2]
Enterprise T1054 Indicator Blocking

Consider automatically relaunching forwarding mechanisms at recurring intervals (ex: temporal, on-logon, etc.) as well as applying appropriate change management to firewall rules and other related system configurations.
Enterprise T1130 Install Root Certificate

HTTP Public Key Pinning (HPKP) is one method to mitigate potential man-in-the-middle situations where and adversary uses a mis-issued or fraudulent certificate to intercept encrypted communications by enforcing use of an expected certificate.[3]
Enterprise T1137 Office Application Startup

For the Office Test method, create the Registry key used to execute it and set the permissions to "Read Control" to prevent easy access to the key without administrator permissions or requiring Privilege Escalation.[4]
Enterprise T1504 PowerShell Profile

Avoid PowerShell profiles if not needed. Use the -No Profile flag with when executing PowerShell scripts remotely to prevent local profiles and scripts from being executed.

Enterprise T1539 Steal Web Session Cookie

Configure browsers or tasks to regularly delete persistent cookies.
Enterprise T1535 Unused/Unsupported Cloud Regions

Cloud service providers may allow customers to deactivate unused regions.[5]
Enterprise T1506 Web Session Cookie

Configure browsers or tasks to regularly delete persistent cookies.

References

  1. Nelson, M. (2018, January 29). Reviving DDE: Using OneNote and Excel for Code Execution. Retrieved February 3, 2018.
  2. Dormann, W. (2017, October 20). Disable DDEAUTO for Outlook, Word, OneNote, and Excel versions 2010, 2013, 2016. Retrieved February 3, 2018.
  3. Wikipedia. (2017, February 28). HTTP Public Key Pinning. Retrieved March 31, 2017.
  1. Falcone, R. (2016, July 20). Technical Walkthrough: Office Test Persistence Method Used In Recent Sofacy Attacks. Retrieved July 3, 2017.
  2. CloudSploit. (2019, June 8). The Danger of Unused AWS Regions. Retrieved October 8, 2019.