Execution Prevention
Techniques Addressed by Mitigation |
||||
| Domain | ID | Name | Use | |
|---|---|---|---|---|
| Enterprise | T1548 | Abuse Elevation Control Mechanism |
System settings can prevent applications from running that haven't been downloaded from legitimate repositories which may help mitigate some of these issues. Not allowing unsigned applications from being run may also mitigate some risk. |
|
| T1548.004 | Elevated Execution with Prompt |
System settings can prevent applications from running that haven't been downloaded through the Apple Store which may help mitigate some of these issues. Not allowing unsigned applications from being run may also mitigate some risk. |
||
| Enterprise | T1547 | T1547.004 | Boot or Logon Autostart Execution: Winlogon Helper DLL |
Identify and block potentially malicious software that may be executed through the Winlogon helper process by using application control (Citation: Beechey 2010) tools like AppLocker (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) that are capable of auditing and/or blocking unknown DLLs. |
| T1547.006 | Kernel Modules and Extensions |
Application control and software restriction tools, such as SELinux, KSPP, grsecurity MODHARDEN, and Linux kernel tuning can aid in restricting kernel module loading.(Citation: Kernel.org Restrict Kernel Module)(Citation: Wikibooks Grsecurity)(Citation: Kernel Self Protection Project)(Citation: Increasing Linux kernel integrity)(Citation: LKM loading kernel restrictions) |
||
| Enterprise | T1176 | Browser Extensions |
Set a browser extension allow or deny list as appropriate for your security policy. (Citation: Technospot Chrome Extensions GP) |
|
| Enterprise | T1059 | Command and Scripting Interpreter |
Use application control where appropriate. |
|
| T1059.001 | PowerShell |
Use application control where appropriate. |
||
| T1059.002 | AppleScript |
Use application control where appropriate. |
||
| T1059.003 | Windows Command Shell |
Use application control where appropriate. |
||
| T1059.004 | Unix Shell |
Use application control where appropriate. |
||
| T1059.005 | Visual Basic |
Use application control where appropriate. VBA macros obtained from the Internet, based on the file's Mark of the Web (MOTW) attribute, may be blocked from executing in Office applications (ex: Access, Excel, PowerPoint, Visio, and Word) by default starting in Windows Version 2203.(Citation: Default VBS macros Blocking ) |
||
| T1059.006 | Python |
Denylist Python where not required. |
||
| T1059.007 | JavaScript |
Denylist scripting where appropriate. |
||
| T1059.008 | Network Device CLI |
TACACS+ can keep control over which commands administrators are permitted to use through the configuration of authentication and command authorization. (Citation: Cisco IOS Software Integrity Assurance - TACACS) |
||
| Enterprise | T1609 | Container Administration Command |
Use read-only containers, read-only file systems, and minimal images when possible to prevent the execution of commands.(Citation: Kubernetes Hardening Guide) |
|
| Enterprise | T1611 | Escape to Host |
Use read-only containers, read-only file systems, and minimal images when possible to prevent the running of commands.(Citation: Kubernetes Hardening Guide) |
|
| Enterprise | T1546 | T1546.002 | Event Triggered Execution: Screensaver |
Block .scr files from being executed from non-standard locations. |
| T1546.006 | LC_LOAD_DYLIB Addition |
Allow applications via known hashes. |
||
| T1546.008 | Accessibility Features |
Adversaries can replace accessibility features binaries with alternate binaries to execute this technique. Identify and block potentially malicious software executed through accessibility features functionality by using application control (Citation: Beechey 2010) tools, like Windows Defender Application Control(Citation: Microsoft Windows Defender Application Control), AppLocker, (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) or Software Restriction Policies (Citation: Corio 2008) where appropriate. (Citation: TechNet Applocker vs SRP) |
||
| T1546.009 | AppCert DLLs |
Adversaries install new AppCertDLL binaries to execute this technique. Identify and block potentially malicious software executed through AppCertDLLs functionality by using application control (Citation: Beechey 2010) tools, like Windows Defender Application Control(Citation: Microsoft Windows Defender Application Control), AppLocker, (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) or Software Restriction Policies (Citation: Corio 2008) where appropriate. (Citation: TechNet Applocker vs SRP) |
||
| T1546.010 | AppInit DLLs |
Adversaries can install new AppInit DLLs binaries to execute this technique. Identify and block potentially malicious software executed through AppInit DLLs functionality by using application control (Citation: Beechey 2010) tools, like Windows Defender Application Control(Citation: Microsoft Windows Defender Application Control), AppLocker, (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) or Software Restriction Policies (Citation: Corio 2008) where appropriate. (Citation: TechNet Applocker vs SRP) |
||
| Enterprise | T1068 | Exploitation for Privilege Escalation |
Consider blocking the execution of known vulnerable drivers that adversaries may exploit to execute code in kernel mode. Validate driver block rules in audit mode to ensure stability prior to production deployment.(Citation: Microsoft Driver Block Rules) |
|
| Enterprise | T1564 | T1564.003 | Hide Artifacts: Hidden Window |
Limit or restrict program execution using anti-virus software. On MacOS, allowlist programs that are allowed to have the plist tag. All other programs should be considered suspicious. |
| T1564.006 | Run Virtual Instance |
Use application control to mitigate installation and use of unapproved virtualization software. |
||
| Enterprise | T1574 | Hijack Execution Flow |
Adversaries may use new payloads to execute this technique. Identify and block potentially malicious software executed through hijacking by using application control solutions also capable of blocking libraries loaded by legitimate software. |
|
| T1574.001 | DLL Search Order Hijacking |
Adversaries may use new DLLs to execute this technique. Identify and block potentially malicious software executed through search order hijacking by using application control solutions capable of blocking DLLs loaded by legitimate software. |
||
| T1574.006 | Dynamic Linker Hijacking |
Adversaries may use new payloads to execute this technique. Identify and block potentially malicious software executed through hijacking by using application control solutions also capable of blocking libraries loaded by legitimate software. |
||
| T1574.007 | Path Interception by PATH Environment Variable |
Adversaries will likely need to place new binaries in locations to be executed through this weakness. Identify and block potentially malicious software executed path interception by using application control tools, like Windows Defender Application Control, AppLocker, or Software Restriction Policies where appropriate.(Citation: SANS Application Whitelisting)(Citation: Microsoft Windows Defender Application Control)(Citation: Windows Commands JPCERT)(Citation: NSA MS AppLocker)(Citation: Microsoft Application Lockdown)(Citation: Microsoft Using Software Restriction ) |
||
| T1574.008 | Path Interception by Search Order Hijacking |
Adversaries will likely need to place new binaries in locations to be executed through this weakness. Identify and block potentially malicious software executed path interception by using application control tools, like Windows Defender Application Control, AppLocker, or Software Restriction Policies where appropriate.(Citation: SANS Application Whitelisting)(Citation: Microsoft Windows Defender Application Control)(Citation: Windows Commands JPCERT)(Citation: NSA MS AppLocker)(Citation: Microsoft Application Lockdown)(Citation: Microsoft Using Software Restriction ) |
||
| T1574.009 | Path Interception by Unquoted Path |
Adversaries will likely need to place new binaries in locations to be executed through this weakness. Identify and block potentially malicious software executed path interception by using application control tools, like Windows Defender Application Control, AppLocker, or Software Restriction Policies where appropriate.(Citation: SANS Application Whitelisting)(Citation: Microsoft Windows Defender Application Control)(Citation: Windows Commands JPCERT)(Citation: NSA MS AppLocker)(Citation: Microsoft Application Lockdown)(Citation: Microsoft Using Software Restriction ) |
||
| T1574.012 | COR_PROFILER |
Identify and block potentially malicious unmanaged COR_PROFILER profiling DLLs by using application control solutions like AppLocker that are capable of auditing and/or blocking unapproved DLLs.(Citation: Beechey 2010)(Citation: Windows Commands JPCERT)(Citation: NSA MS AppLocker) |
||
| Enterprise | T1562 | Impair Defenses |
Use application control where appropriate, especially regarding the execution of tools outside of the organization's security policies (such as rootkit removal tools) that have been abused to impair system defenses. Ensure that only approved security applications are used and running on enterprise systems. |
|
| T1562.001 | Disable or Modify Tools |
Use application control where appropriate, especially regarding the execution of tools outside of the organization's security policies (such as rootkit removal tools) that have been abused to impair system defenses. Ensure that only approved security applications are used and running on enterprise systems. |
||
| Enterprise | T1036 | Masquerading |
Use tools that restrict program execution via application control by attributes other than file name for common operating system utilities that are needed. |
|
| T1036.005 | Match Legitimate Name or Location |
Use tools that restrict program execution via application control by attributes other than file name for common operating system utilities that are needed. |
||
| Enterprise | T1106 | Native API |
Identify and block potentially malicious software executed that may be executed through this technique by using application control (Citation: Beechey 2010) tools, like Windows Defender Application Control(Citation: Microsoft Windows Defender Application Control), AppLocker, (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) or Software Restriction Policies (Citation: Corio 2008) where appropriate. (Citation: TechNet Applocker vs SRP) |
|
| Enterprise | T1219 | Remote Access Software |
Use application control to mitigate installation and use of unapproved software that can be used for remote access. |
|
| Enterprise | T1505 | T1505.004 | Server Software Component: IIS Components |
Restrict unallowed ISAPI extensions and filters from running by specifying a list of ISAPI extensions and filters that can run on IIS.(Citation: Microsoft ISAPICGIRestriction 2016) |
| Enterprise | T1129 | Shared Modules |
Identify and block potentially malicious software executed through this technique by using application control tools capable of preventing unknown DLLs from being loaded. |
|
| Enterprise | T1553 | Subvert Trust Controls |
System settings can prevent applications from running that haven't been downloaded through the Apple Store (or other legitimate repositories) which can help mitigate some of these issues. Also enable application control solutions such as AppLocker and/or Device Guard to block the loading of malicious content. |
|
| T1553.001 | Gatekeeper Bypass |
System settings can prevent applications from running that haven't been downloaded through the Apple Store which can help mitigate some of these issues. |
||
| T1553.003 | SIP and Trust Provider Hijacking |
Enable application control solutions such as AppLocker and/or Device Guard to block the loading of malicious SIP DLLs. |
||
| T1553.005 | Mark-of-the-Web Bypass |
Consider blocking container file types at web and/or email gateways. Consider unregistering container file extensions in Windows File Explorer.(Citation: Dormann Dangers of VHD 2019) |
||
| Enterprise | T1218 | System Binary Proxy Execution |
Consider using application control to prevent execution of binaries that are susceptible to abuse and not required for a given system or network. |
|
| T1218.001 | Compiled HTML File |
Consider using application control to prevent execution of hh.exe if it is not required for a given system or network to prevent potential misuse by adversaries. |
||
| T1218.002 | Control Panel |
Identify and block potentially malicious and unknown .cpl files by using application control (Citation: Beechey 2010) tools, like Windows Defender Application Control(Citation: Microsoft Windows Defender Application Control), AppLocker, (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) or Software Restriction Policies (Citation: Corio 2008) where appropriate. (Citation: TechNet Applocker vs SRP) |
||
| T1218.003 | CMSTP |
Consider using application control configured to block execution of CMSTP.exe if it is not required for a given system or network to prevent potential misuse by adversaries. |
||
| T1218.004 | InstallUtil |
Use application control configured to block execution of InstallUtil.exe if it is not required for a given system or network to prevent potential misuse by adversaries. |
||
| T1218.005 | Mshta |
Use application control configured to block execution of |
||
| T1218.008 | Odbcconf |
Use application control configured to block execution of Odbcconf.exe if it is not required for a given system or network to prevent potential misuse by adversaries. |
||
| T1218.009 | Regsvcs/Regasm |
Block execution of Regsvcs.exe and Regasm.exe if they are not required for a given system or network to prevent potential misuse by adversaries. |
||
| T1218.012 | Verclsid |
Use application control configured to block execution of verclsid.exe if it is not required for a given system or network to prevent potential misuse by adversaries. |
||
| T1218.013 | Mavinject |
Use application control configured to block execution of mavinject.exe if it is not required for a given system or network to prevent potential misuse by adversaries. |
||
| T1218.014 | MMC |
Use application control configured to block execution of MMC if it is not required for a given system or network to prevent potential misuse by adversaries. |
||
| Enterprise | T1216 | System Script Proxy Execution |
Certain signed scripts that can be used to execute other programs may not be necessary within a given environment. Use application control configured to block execution of these scripts if they are not required for a given system or network to prevent potential misuse by adversaries. |
|
| T1216.001 | PubPrn |
Certain signed scripts that can be used to execute other programs may not be necessary within a given environment. Use application control configured to block execution of these scripts if they are not required for a given system or network to prevent potential misuse by adversaries. |
||
| Enterprise | T1080 | Taint Shared Content |
Identify potentially malicious software that may be used to taint content or may result from it and audit and/or block the unknown programs by using application control (Citation: Beechey 2010) tools, like AppLocker, (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) or Software Restriction Policies (Citation: Corio 2008) where appropriate. (Citation: TechNet Applocker vs SRP) |
|
| Enterprise | T1127 | Trusted Developer Utilities Proxy Execution |
Certain developer utilities should be blocked or restricted if not required. |
|
| T1127.001 | MSBuild |
Use application control configured to block execution of |
||
| Enterprise | T1204 | User Execution |
Application control may be able to prevent the running of executables masquerading as other files. |
|
| T1204.002 | Malicious File |
Application control may be able to prevent the running of executables masquerading as other files. |
||
| Enterprise | T1047 | Windows Management Instrumentation |
Use application control configured to block execution of |
|
| Enterprise | T1220 | XSL Script Processing |
If msxsl.exe is unnecessary, then block its execution to prevent abuse by adversaries. |
|
References
- Mohta, A. (n.d.). Block Chrome Extensions using Google Chrome Group Policy Settings. Retrieved January 10, 2018.
- Boelen, M. (2015, October 7). Increase kernel integrity with disabled Linux kernel modules loading. Retrieved June 4, 2020.
- Kernel.org. (2020, February 6). Kernel Self-Protection. Retrieved June 4, 2020.
- Pingios, A.. (2018, February 7). LKM loading kernel restrictions. Retrieved June 4, 2020.
- Vander Stoep, J. (2016, April 5). [v3] selinux: restrict kernel module loadinglogin register. Retrieved April 9, 2018.
- Wikibooks. (2018, August 19). Grsecurity/The RBAC System. Retrieved June 4, 2020.
- Beechey, J. (2010, December). Application Whitelisting: Panacea or Propaganda?. Retrieved November 18, 2014.
- Tomonaga, S. (2016, January 26). Windows Commands Abused by Attackers. Retrieved February 2, 2016.
- NSA Information Assurance Directorate. (2014, August). Application Whitelisting Using Microsoft AppLocker. Retrieved March 31, 2016.
- Gorzelany, A., Hall, J., Poggemeyer, L.. (2019, January 7). Windows Defender Application Control. Retrieved July 16, 2019.
- Corio, C., & Sayana, D. P. (2008, June). Application Lockdown with Software Restriction Policies. Retrieved November 18, 2014.
- Microsoft. (2012, June 27). Using Software Restriction Policies and AppLocker Policies. Retrieved April 7, 2016.
- Beechey, J.. (2014, November 18). Application Whitelisting: Panacea or Propaganda?. Retrieved November 18, 2014.
- Corio, C., & Sayana, D. P.. (2008, June). Application Lockdown with Software Restriction Policies. Retrieved November 18, 2014.
- Microsoft. (2012, June 27). Using Software Restriction Policies and AppLocker Policies. Retrieved April 7, 2016.
- Cisco. (n.d.). Cisco IOS Software Integrity Assurance - TACACS. Retrieved October 19, 2020.
- Dormann, W. (2019, September 4). The Dangers of VHD and VHDX Files. Retrieved March 16, 2021.
- Coulter, D. et al.. (2019, April 9). Microsoft recommended block rules. Retrieved August 12, 2021.
- Microsoft. (2016, September 26). ISAPI/CGI Restrictions <isapiCgiRestriction>. Retrieved June 3, 2021.
- Microsoft. (2020, October 15). Microsoft recommended driver block rules. Retrieved March 16, 2021.
- Kellie Eickmeyer. (2022, February 7). Helping users stay safe: Blocking internet macros by default in Office. Retrieved February 7, 2022.
- National Security Agency, Cybersecurity and Infrastructure Security Agency. (2022, March). Kubernetes Hardening Guide. Retrieved April 1, 2022.
Мы используем cookie-файлы, чтобы получить статистику, которая помогает нам улучшить сервис для вас с целью персонализации сервисов и предложений. Вы может прочитать подробнее о cookie-файлах или изменить настройки браузера. Продолжая пользоваться сайтом, вы даёте согласие на использование ваших cookie-файлов и соглашаетесь с Политикой обработки персональных данных.