Куда я попал?

SECURITM это SGRC система, автоматизирующая процессы в службах информационной безопасности. SECURITM помогает построить и управлять ИСПДн, КИИ, ГИС, СМИБ/СУИБ, банковскими системами защиты.
А еще SECURITM это место для обмена опытом и наработками для служб безопасности.

Подробнее

Limit Software Installation

Prevent users or groups from installing unauthorized or unapproved software to reduce the risk of introducing malicious or vulnerable applications. This can be achieved through allowlists, software restriction policies, endpoint management tools, and least privilege access principles. This mitigation can be implemented through the following measures: Application Whitelisting - Implement Microsoft AppLocker or Windows Defender Application Control (WDAC) to create and enforce allowlists for approved software. - Whitelist applications based on file hash, path, or digital signatures. Restrict User Permissions - Remove local administrator rights for all non-IT users. - Use Role-Based Access Control (RBAC) to restrict installation permissions to privileged accounts only. Software Restriction Policies (SRP) - Use GPO to configure SRP to deny execution of binaries from directories such as `%AppData%`, `%Temp%`, and external drives. - Restrict specific file types (`.exe`, `.bat`, `.msi`, `.js`, `.vbs`) to trusted directories only. Endpoint Management Solutions - Deploy tools like Microsoft Intune, SCCM, or Jamf for centralized software management. - Maintain a list of approved software, versions, and updates across the enterprise. Monitor Software Installation Events - Enable logging of software installation events and monitor Windows Event ID 4688 and Event ID 11707 for software installs. - Use SIEM or EDR tools to alert on attempts to install unapproved software. Implement Software Inventory Management - Use tools like OSQuery or Wazuh to scan for unauthorized software on endpoints and servers. - Conduct regular audits to detect and remove unapproved software. *Tools for Implementation* Application Whitelisting: - Microsoft AppLocker - Windows Defender Application Control (WDAC) Endpoint Management: - Microsoft Intune - SCCM (System Center Configuration Manager) - Jamf Pro (macOS) - Puppet or Ansible for automation Software Restriction Policies: - Group Policy Object (GPO) - Microsoft Software Restriction Policies (SRP) Monitoring and Logging: - Splunk - OSQuery - Wazuh (open-source SIEM and XDR) - EDRs Inventory Management and Auditing: - OSQuery - Wazuh

ID: M1033

Version: 1.1

Created: 11 Jun 2019

Last Modified: 18 Dec 2024

Domain	ID		Name	Use
Techniques Addressed by Mitigation
Enterprise	T1195		Supply Chain Compromise	Where possible, consider requiring developers to pull from internal repositories containing verified and approved packages rather than from external ones.(Citation: Cider Security Top 10 CICD Security Risks)
		T1195.001	Compromise Software Dependencies and Development Tools	Where possible, consider requiring developers to pull from internal repositories containing verified and approved packages rather than from external ones.(Citation: Cider Security Top 10 CICD Security Risks)
Enterprise	T1059		Command and Scripting Interpreter	Prevent user installation of unrequired command and scripting interpreters.
		T1059.006	Python	Prevent users from installing Python where not required.
		T1059.011	Lua	Prevent users from installing Lua where not required.
Enterprise	T1564		Hide Artifacts	Restrict the installation of software that may be abused to create hidden desktops, such as hVNC, to user groups that require it.
		T1564.003	Hidden Window	Restrict the installation of software that may be abused to create hidden desktops, such as hVNC, to user groups that require it.
Enterprise	T1176		Software Extensions	Only install extensions from trusted sources that can be verified.
		T1176.001	Browser Extensions	Only install browser extensions from trusted sources that can be verified. Browser extensions for some browsers can be controlled through Group Policy. Change settings to prevent the browser from installing extensions without sufficient permissions.
		T1176.002	IDE Extensions	Only install IDE extensions from trusted sources that can be verified.
Enterprise	T1543		Create or Modify System Process	Restrict software installation to trusted repositories only and be cautious of orphaned software packages.
		T1543.002	Systemd Service	Restrict software installation to trusted repositories only and be cautious of orphaned software packages.
Enterprise	T1072		Software Deployment Tools	Restrict the use of third-party software suites installed within an enterprise network.
Enterprise	T1547	T1547.013	Boot or Logon Autostart Execution: XDG Autostart Entries	Restrict software installation to trusted repositories only and be cautious of orphaned software packages.
Enterprise	T1021	T1021.005	Remote Services: VNC	Restrict software installation to user groups that require it. A VNC server must be manually installed by the user or adversary.

References

Мы используем cookie-файлы, чтобы получить статистику, которая помогает нам улучшить сервис для вас с целью персонализации сервисов и предложений. Вы может прочитать подробнее о cookie-файлах или изменить настройки браузера. Продолжая пользоваться сайтом, вы даёте согласие на использование ваших cookie-файлов и соглашаетесь с Политикой обработки персональных данных.

Limit Software Installation

Techniques Addressed by Mitigation

References