Software Configuration
Techniques Addressed by Mitigation |
||||
| Domain | ID | Name | Use | |
|---|---|---|---|---|
| Enterprise | T1555 | T1555.005 | Credentials from Password Stores: Password Managers |
Consider re-locking password managers after a short timeout to limit the time plaintext credentials live in memory from decrypted databases. |
| Enterprise | T1602 | Data from Configuration Repository |
Allowlist MIB objects and implement SNMP views.(Citation: Cisco Securing SNMP) |
|
| T1602.001 | SNMP (MIB Dump) |
Allowlist MIB objects and implement SNMP views.(Citation: Cisco Securing SNMP) |
||
| T1602.002 | Network Device Configuration Dump |
Allowlist MIB objects and implement SNMP views. Disable Smart Install (SMI) if not used.(Citation: Cisco Securing SNMP)(Citation: US-CERT TA18-106A Network Infrastructure Devices 2018) |
||
| Enterprise | T1546 | T1546.013 | Event Triggered Execution: PowerShell Profile |
Avoid PowerShell profiles if not needed. Use the -No Profile flag with when executing PowerShell scripts remotely to prevent local profiles and scripts from being executed. |
| Enterprise | T1606 | Forge Web Credentials |
Configure browsers/applications to regularly delete persistent web credentials (such as cookies). |
|
| T1606.001 | Web Cookies |
Configure browsers/applications to regularly delete persistent web cookies. |
||
| Enterprise | T1562 | T1562.006 | Impair Defenses: Indicator Blocking |
Consider automatically relaunching forwarding mechanisms at recurring intervals (ex: temporal, on-logon, etc.) as well as applying appropriate change management to firewall rules and other related system configurations. |
| T1562.009 | Safe Mode Boot |
Ensure that endpoint defenses run in safe mode.(Citation: CyberArk Labs Safe Mode 2016) |
||
| Enterprise | T1559 | Inter-Process Communication |
Consider disabling embedded files in Office programs, such as OneNote, that do not work with Protected View.(Citation: Enigma Reviving DDE Jan 2018)(Citation: GitHub Disable DDEAUTO Oct 2017) |
|
| T1559.002 | Dynamic Data Exchange |
Consider disabling embedded files in Office programs, such as OneNote, that do not work with Protected View.(Citation: Enigma Reviving DDE Jan 2018)(Citation: GitHub Disable DDEAUTO Oct 2017) |
||
| Enterprise | T1137 | Office Application Startup |
For the Office Test method, create the Registry key used to execute it and set the permissions to "Read Control" to prevent easy access to the key without administrator permissions or requiring Privilege Escalation. (Citation: Palo Alto Office Test Sofacy) |
|
| T1137.002 | Office Test |
Create the Registry key used to execute it and set the permissions to "Read Control" to prevent easy access to the key without administrator permissions or requiring Privilege Escalation.(Citation: Palo Alto Office Test Sofacy) |
||
| Enterprise | T1566 | Phishing |
Use anti-spoofing and email authentication mechanisms to filter messages based on validity checks of the sender domain (using SPF) and integrity of messages (using DKIM). Enabling these mechanisms within an organization (through policies such as DMARC) may enable recipients (intra-org and cross domain) to perform similar message filtering and validation.(Citation: Microsoft Anti Spoofing)(Citation: ACSC Email Spoofing) |
|
| T1566.001 | Spearphishing Attachment |
Use anti-spoofing and email authentication mechanisms to filter messages based on validity checks of the sender domain (using SPF) and integrity of messages (using DKIM). Enabling these mechanisms within an organization (through policies such as DMARC) may enable recipients (intra-org and cross domain) to perform similar message filtering and validation.(Citation: Microsoft Anti Spoofing)(Citation: ACSC Email Spoofing) |
||
| T1566.002 | Spearphishing Link |
Use anti-spoofing and email authentication mechanisms to filter messages based on validity checks of the sender domain (using SPF) and integrity of messages (using DKIM). Enabling these mechanisms within an organization (through policies such as DMARC) may enable recipients (intra-org and cross domain) to perform similar message filtering and validation.(Citation: Microsoft Anti Spoofing)(Citation: ACSC Email Spoofing). Furthermore, policies may enforce / install browser extensions that protect against IDN and homograph attacks. |
||
| Enterprise | T1598 | Phishing for Information |
Use anti-spoofing and email authentication mechanisms to filter messages based on validity checks of the sender domain (using SPF) and integrity of messages (using DKIM). Enabling these mechanisms within an organization (through policies such as DMARC) may enable recipients (intra-org and cross domain) to perform similar message filtering and validation.(Citation: Microsoft Anti Spoofing)(Citation: ACSC Email Spoofing) |
|
| T1598.002 | Spearphishing Attachment |
Use anti-spoofing and email authentication mechanisms to filter messages based on validity checks of the sender domain (using SPF) and integrity of messages (using DKIM). Enabling these mechanisms within an organization (through policies such as DMARC) may enable recipients (intra-org and cross domain) to perform similar message filtering and validation.(Citation: Microsoft Anti Spoofing)(Citation: ACSC Email Spoofing) |
||
| T1598.003 | Spearphishing Link |
Use anti-spoofing and email authentication mechanisms to filter messages based on validity checks of the sender domain (using SPF) and integrity of messages (using DKIM). Enabling these mechanisms within an organization (through policies such as DMARC) may enable recipients (intra-org and cross domain) to perform similar message filtering and validation.(Citation: Microsoft Anti Spoofing)(Citation: ACSC Email Spoofing) Furthermore, policies may enforce / install browser extensions that protect against IDN and homograph attacks. Browser password managers may also be configured to only populate credential fields when the URL matches that of the original, legitimate site. |
||
| Enterprise | T1539 | Steal Web Session Cookie |
Configure browsers or tasks to regularly delete persistent cookies. |
|
| Enterprise | T1553 | Subvert Trust Controls |
HTTP Public Key Pinning (HPKP) is one method to mitigate potential Adversary-in-the-Middle situations where and adversary uses a mis-issued or fraudulent certificate to intercept encrypted communications by enforcing use of an expected certificate. (Citation: Wikipedia HPKP) |
|
| T1553.004 | Install Root Certificate |
HTTP Public Key Pinning (HPKP) is one method to mitigate potential Adversary-in-the-Middle situations where and adversary uses a mis-issued or fraudulent certificate to intercept encrypted communications by enforcing use of an expected certificate. (Citation: Wikipedia HPKP) |
||
| Enterprise | T1535 | Unused/Unsupported Cloud Regions |
Cloud service providers may allow customers to deactivate unused regions.(Citation: CloudSploit - Unused AWS Regions) |
|
| Enterprise | T1550 | T1550.004 | Use Alternate Authentication Material: Web Session Cookie |
Configure browsers or tasks to regularly delete persistent cookies. |
References
- Naim, D.. (2016, September 15). CyberArk Labs: From Safe Mode to Domain Compromise. Retrieved June 23, 2021.
- Cisco. (2006, May 10). Securing Simple Network Management Protocol. Retrieved October 19, 2020.
- Australian Cyber Security Centre. (2012, December). Mitigating Spoofed Emails Using Sender Policy Framework. Retrieved October 19, 2020.
- Microsoft. (2020, October 13). Anti-spoofing protection in EOP. Retrieved October 19, 2020.
- Nelson, M. (2018, January 29). Reviving DDE: Using OneNote and Excel for Code Execution. Retrieved February 3, 2018.
- Dormann, W. (2017, October 20). Disable DDEAUTO for Outlook, Word, OneNote, and Excel versions 2010, 2013, 2016. Retrieved February 3, 2018.
- Wikipedia. (2017, February 28). HTTP Public Key Pinning. Retrieved March 31, 2017.
- Falcone, R. (2016, July 20). Technical Walkthrough: Office Test Persistence Method Used In Recent Sofacy Attacks. Retrieved July 3, 2017.
- US-CERT. (2018, April 20). Russian State-Sponsored Cyber Actors Targeting Network Infrastructure Devices. Retrieved October 19, 2020.
- CloudSploit. (2019, June 8). The Danger of Unused AWS Regions. Retrieved October 8, 2019.
Мы используем cookie-файлы, чтобы получить статистику, которая помогает нам улучшить сервис для вас с целью персонализации сервисов и предложений. Вы может прочитать подробнее о cookie-файлах или изменить настройки браузера. Продолжая пользоваться сайтом, вы даёте согласие на использование ваших cookie-файлов и соглашаетесь с Политикой обработки персональных данных.