Update Software
Techniques Addressed by Mitigation |
||||
Domain | ID | Name | Use | |
---|---|---|---|---|
Enterprise | T1548 | Abuse Elevation Control Mechanism |
Perform regular software updates to mitigate exploitation risk. |
|
T1548.002 | Bypass User Account Control |
Consider updating Windows to the latest version and patch level to utilize the latest protective measures against UAC bypass.(Citation: Github UACMe) |
||
Enterprise | T1176 | Browser Extensions |
Ensure operating systems and browsers are using the most current version. |
|
Enterprise | T1110 | T1110.001 | Brute Force: Password Guessing |
Upgrade management services to the latest supported and compatible version. Specifically, any version providing increased password complexity or policy enforcement preventing default or weak passwords. |
Enterprise | T1555 | Credentials from Password Stores |
Perform regular software updates to mitigate exploitation risk. |
|
T1555.003 | Credentials from Web Browsers |
Regularly update web browsers, password managers, and all related software to the latest versions. Keeping software up-to-date reduces the risk of vulnerabilities being exploited by attackers to extract stored credentials or session cookies. |
||
T1555.005 | Password Managers |
Regularly update web browsers, password managers, and all related software to the latest versions. Keeping software up-to-date reduces the risk of vulnerabilities being exploited by attackers to extract stored credentials or session cookies. |
||
Enterprise | T1602 | Data from Configuration Repository |
Keep system images and software updated and migrate to SNMPv3.(Citation: Cisco Blog Legacy Device Attacks) |
|
T1602.001 | SNMP (MIB Dump) |
Keep system images and software updated and migrate to SNMPv3.(Citation: Cisco Blog Legacy Device Attacks) |
||
T1602.002 | Network Device Configuration Dump |
Keep system images and software updated and migrate to SNMPv3.(Citation: Cisco Blog Legacy Device Attacks) |
||
Enterprise | T1189 | Drive-by Compromise |
Ensure all browsers and plugins kept updated can help prevent the exploit phase of this technique. Use modern browsers with security features turned on. |
|
Enterprise | T1546 | Event Triggered Execution |
Perform regular software updates to mitigate exploitation risk. |
|
T1546.010 | AppInit DLLs |
Upgrade to Windows 8 or later and enable secure boot. |
||
T1546.011 | Application Shimming |
Microsoft released an optional patch update - KB3045645 - that will remove the "auto-elevate" flag within the sdbinst.exe. This will prevent use of application shimming to bypass UAC. |
||
Enterprise | T1190 | Exploit Public-Facing Application |
Update software regularly by employing patch management for externally exposed applications. |
|
Enterprise | T1203 | Exploitation for Client Execution |
Perform regular software updates to mitigate exploitation risk. Keeping software up-to-date with the latest security patches helps prevent adversaries from exploiting known vulnerabilities in client software, reducing the risk of successful attacks. |
|
Enterprise | T1212 | Exploitation for Credential Access |
Update software regularly by employing patch management for internal enterprise endpoints and servers. |
|
Enterprise | T1211 | Exploitation for Defense Evasion |
Update software regularly by employing patch management for internal enterprise endpoints and servers. |
|
Enterprise | T1068 | Exploitation for Privilege Escalation |
Update software regularly by employing patch management for internal enterprise endpoints and servers. |
|
Enterprise | T1210 | Exploitation of Remote Services |
Update software regularly by employing patch management for internal enterprise endpoints and servers. |
|
Enterprise | T1495 | Firmware Corruption |
Patch the BIOS and other firmware as necessary to prevent successful use of known vulnerabilities. |
|
Enterprise | T1574 | Hijack Execution Flow |
Update software regularly to include patches that fix DLL side-loading vulnerabilities. |
|
T1574.002 | DLL Side-Loading |
Update software regularly to include patches that fix DLL side-loading vulnerabilities. |
||
Enterprise | T1137 | Office Application Startup |
For the Outlook methods, blocking macros may be ineffective as the Visual Basic engine used for these features is separate from the macro scripting engine.(Citation: SensePost Outlook Forms) Microsoft has released patches to try to address each issue. Ensure KB3191938 which blocks Outlook Visual Basic and displays a malicious code warning, KB4011091 which disables custom forms by default, and KB4011162 which removes the legacy Home Page feature, are applied to systems.(Citation: SensePost Outlook Home Page) |
|
T1137.003 | Outlook Forms |
For the Outlook methods, blocking macros may be ineffective as the Visual Basic engine used for these features is separate from the macro scripting engine.(Citation: SensePost Outlook Forms) Microsoft has released patches to try to address each issue. Ensure KB3191938 which blocks Outlook Visual Basic and displays a malicious code warning, KB4011091 which disables custom forms by default, and KB4011162 which removes the legacy Home Page feature, are applied to systems.(Citation: SensePost Outlook Home Page) |
||
T1137.004 | Outlook Home Page |
For the Outlook methods, blocking macros may be ineffective as the Visual Basic engine used for these features is separate from the macro scripting engine.(Citation: SensePost Outlook Forms) Microsoft has released patches to try to address each issue. Ensure KB3191938 which blocks Outlook Visual Basic and displays a malicious code warning, KB4011091 which disables custom forms by default, and KB4011162 which removes the legacy Home Page feature, are applied to systems.(Citation: SensePost Outlook Home Page) |
||
T1137.005 | Outlook Rules |
For the Outlook methods, blocking macros may be ineffective as the Visual Basic engine used for these features is separate from the macro scripting engine.(Citation: SensePost Outlook Forms) Microsoft has released patches to try to address each issue. Ensure KB3191938 which blocks Outlook Visual Basic and displays a malicious code warning, KB4011091 which disables custom forms by default, and KB4011162 which removes the legacy Home Page feature, are applied to systems.(Citation: SensePost Outlook Home Page) |
||
Enterprise | T1542 | Pre-OS Boot |
Patch the BIOS and EFI as necessary. |
|
T1542.001 | System Firmware |
Patch the BIOS and EFI as necessary. |
||
T1542.002 | Component Firmware |
Perform regular firmware updates to mitigate risks of exploitation and/or abuse. |
||
Enterprise | T1072 | Software Deployment Tools |
Patch deployment systems regularly to prevent potential remote access through Exploitation for Privilege Escalation. |
|
Enterprise | T1539 | Steal Web Session Cookie |
Regularly update web browsers, password managers, and all related software to the latest versions. Keeping software up-to-date reduces the risk of vulnerabilities being exploited by attackers to extract stored credentials or session cookies. |
|
Enterprise | T1195 | Supply Chain Compromise |
A patch management process should be implemented to check unused dependencies, unmaintained and/or previously vulnerable dependencies, unnecessary features, components, files, and documentation. |
|
T1195.001 | Compromise Software Dependencies and Development Tools |
A patch management process should be implemented to check unused dependencies, unmaintained and/or previously vulnerable dependencies, unnecessary features, components, files, and documentation. |
||
T1195.002 | Compromise Software Supply Chain |
A patch management process should be implemented to check unused applications, unmaintained and/or previously vulnerable software, unnecessary features, components, files, and documentation. |
||
Enterprise | T1552 | Unsecured Credentials |
Apply patch KB2962486 which prevents credentials from being stored in GPPs.(Citation: ADSecurity Finding Passwords in SYSVOL)(Citation: MS14-025) |
|
T1552.006 | Group Policy Preferences |
Apply patch KB2962486 which prevents credentials from being stored in GPPs.(Citation: ADSecurity Finding Passwords in SYSVOL)(Citation: MS14-025) |
||
Enterprise | T1550 | T1550.002 | Use Alternate Authentication Material: Pass the Hash |
Apply patch KB2871997 to Windows 7 and higher systems to limit the default access of accounts in the local administrator group.(Citation: NSA Spotting) |
References
- National Security Agency/Central Security Service Information Assurance Directorate. (2015, August 7). Spotting the Adversary with Windows Event Log Monitoring. Retrieved September 6, 2018.
- Sean Metcalf. (2015, December 28). Finding Passwords in SYSVOL & Exploiting Group Policy Preferences. Retrieved February 17, 2020.
- Microsoft. (2014, May 13). MS14-025: Vulnerability in Group Policy Preferences could allow elevation of privilege. Retrieved February 17, 2020.
- UACME Project. (2016, June 16). UACMe. Retrieved July 26, 2016.
- Omar Santos. (2020, October 19). Attackers Continue to Target Legacy Devices. Retrieved October 20, 2020.
- Stalmans, E. (2017, April 28). Outlook Forms and Shells. Retrieved February 4, 2019.
- Stalmans, E. (2017, October 11). Outlook Home Page – Another Ruler Vector. Retrieved February 4, 2019.
Мы используем cookie-файлы, чтобы получить статистику, которая помогает нам улучшить сервис для вас с целью персонализации сервисов и предложений. Вы может прочитать подробнее о cookie-файлах или изменить настройки браузера. Продолжая пользоваться сайтом, вы даёте согласие на использование ваших cookie-файлов и соглашаетесь с Политикой обработки персональных данных.