
Restrict Registry Permissions

Restrict the ability to modify certain hives or keys in the Windows Registry.
ID: M1024
Version: 1.0
Created: 06 Jun 2019
Last Modified: 06 Jun 2019

Techniques Addressed by Mitigation

Domain | ID | Name | Use
Enterprise T1547 T1547.003 Boot or Logon Autostart Execution: Time Providers

Consider using Group Policy to configure and block modifications to W32Time parameters in the Registry. (Citation: Microsoft W32Time May 2017)

Enterprise T1037 Boot or Logon Initialization Scripts

Ensure proper permissions are set for Registry hives to prevent users from modifying keys for logon scripts that may lead to persistence.

T1037.001 Logon Script (Windows)

Ensure proper permissions are set for Registry hives to prevent users from modifying keys for logon scripts that may lead to persistence.

Enterprise T1574 Hijack Execution Flow

Ensure proper permissions are set for Registry hives to prevent users from modifying keys for system components that may lead to privilege escalation.

T1574.011 Services Registry Permissions Weakness

Ensure proper permissions are set for Registry hives to prevent users from modifying keys for system components that may lead to privilege escalation.

T1574.012 COR_PROFILER

Ensure proper permissions are set for Registry hives to prevent users from modifying keys associated with COR_PROFILER.

Enterprise T1562 Impair Defenses

Ensure proper Registry permissions are in place to prevent adversaries from disabling or interfering with security/logging services.

T1562.001 Disable or Modify Tools

Ensure proper Registry permissions are in place to prevent adversaries from disabling or interfering with security services.

T1562.002 Disable Windows Event Logging

Ensure proper Registry permissions are in place to prevent adversaries from disabling or interfering with logging. The addition of the MiniNT registry key disables Event Viewer. (Citation: def_ev_win_event_logging)

T1562.004 Disable or Modify System Firewall

Ensure proper Registry permissions are in place to prevent adversaries from disabling or modifying firewall settings.

Enterprise T1070 T1070.007 Indicator Removal: Clear Network Connection History and Configurations

Protect generated event files and logs that are stored locally with proper permissions and authentication, and limit adversaries' ability to gain the elevated privileges needed to tamper with them by closing off privilege escalation opportunities.

Enterprise T1112 Modify Registry

Ensure proper permissions are set for Registry hives to prevent users from modifying keys for system components that may lead to privilege escalation.

Enterprise T1505 Server Software Component

Consider using Group Policy to configure and block modifications to service and other critical server parameters in the Registry. (Citation: Microsoft System Services Fundamentals)

T1505.005 Terminal Services DLL

Consider using Group Policy to configure and block modifications to Terminal Services parameters in the Registry. (Citation: Microsoft System Services Fundamentals)

Enterprise T1489 Service Stop

Ensure proper Registry permissions are in place to inhibit adversaries from disabling or interfering with critical services.

Enterprise T1553 Subvert Trust Controls

Ensure proper permissions are set for Registry hives to prevent users from modifying keys related to SIP and trust provider components. If malicious modification of these Registry keys is not prevented, the components can still be hijacked by pointing them at suitable functions already present on disk.

T1553.003 SIP and Trust Provider Hijacking

Ensure proper permissions are set for Registry hives to prevent users from modifying keys related to SIP and trust provider components. If malicious modification of these Registry keys is not prevented, the components can still be hijacked by pointing them at suitable functions already present on disk.

T1553.006 Code Signing Policy Modification

Ensure proper permissions are set for the Registry to prevent users from modifying keys related to code signing policies.
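As an added check, not taken from the ATT&CK page, the following PowerShell snippet audits the ACLs of Registry keys tied to the techniques listed above and reports any low-privilege principal holding write rights on them, plus the presence of the MiniNT key. The key paths and the principal list are this example's own assumptions; adjust them to your environment.

```powershell
# Added audit example (not part of the ATT&CK mitigation page). Lists low-privilege
# principals with write access on Registry keys related to the techniques above.
# Key paths are assumed locations for these components, chosen for this example.
$Keys = @(
    'HKLM:\SYSTEM\CurrentControlSet\Services\W32Time\Parameters',                      # T1547.003
    'HKLM:\SYSTEM\CurrentControlSet\Services\W32Time\TimeProviders',                   # T1547.003
    'HKLM:\SYSTEM\CurrentControlSet\Services',                                         # T1574.011 / T1489
    'HKLM:\SYSTEM\CurrentControlSet\Services\TermService\Parameters',                  # T1505.005
    'HKLM:\SYSTEM\CurrentControlSet\Services\EventLog',                                # T1562.002
    'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy',  # T1562.004
    'HKLM:\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0',                        # T1553.003 (SIP)
    'HKLM:\SOFTWARE\Microsoft\Cryptography\Providers\Trust'                            # T1553.003 (trust providers)
)

# Principals that should never hold write access on these keys (assumed list).
$LowPrivilege = @('BUILTIN\Users', 'NT AUTHORITY\Authenticated Users',
                  'Everyone', 'NT AUTHORITY\INTERACTIVE')

# Any of these rights lets the holder change values/subkeys or grant itself more.
$WriteRights = [System.Security.AccessControl.RegistryRights]::SetValue -bor
               [System.Security.AccessControl.RegistryRights]::CreateSubKey -bor
               [System.Security.AccessControl.RegistryRights]::Delete -bor
               [System.Security.AccessControl.RegistryRights]::ChangePermissions -bor
               [System.Security.AccessControl.RegistryRights]::TakeOwnership

$Findings = foreach ($Key in $Keys) {
    if (-not (Test-Path $Key)) { continue }          # component not installed / key absent
    $Acl = Get-Acl -Path $Key
    foreach ($Rule in $Acl.Access) {
        if ($Rule.AccessControlType -ne 'Allow') { continue }
        if ($LowPrivilege -notcontains $Rule.IdentityReference.Value) { continue }
        if (($Rule.RegistryRights -band $WriteRights) -eq 0) { continue }
        [pscustomobject]@{
            Key       = $Key
            Principal = $Rule.IdentityReference.Value
            Rights    = $Rule.RegistryRights
            Inherited = $Rule.IsInherited
        }
    }
}

# T1562.002: the MiniNT key should not exist on a normal installation.
if (Test-Path 'HKLM:\SYSTEM\CurrentControlSet\Control\MiniNT') {
    Write-Warning 'HKLM\SYSTEM\CurrentControlSet\Control\MiniNT is present (disables Event Viewer)'
}

$Findings | Format-Table -AutoSize
```

Run it from an elevated prompt so that every key's ACL can be read; an empty table means no listed principal has write rights on the audited keys.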
