Restrict execution of code to a virtual environment on or in transit to an endpoint system.
| Domain | ID | Name | Use |
|---|---|---|---|
| Enterprise | T1212 | Exploitation for Credential Access | Make it difficult for adversaries to advance their operation through exploitation of undiscovered or unpatched vulnerabilities by using sandboxing. Other types of virtualization and application microsegmentation may also mitigate the impact of some types of exploitation. Risks of additional exploits and weaknesses in these systems may still exist.[1] |
| Enterprise | T1190 | Exploit Public-Facing Application | Application isolation will limit what other processes and system features the exploited target can access. |
| Enterprise | T1203 | Exploitation for Client Execution | Browser sandboxes can be used to mitigate some of the impact of exploitation, but sandbox escapes may still exist.[2][1] Other types of virtualization and application microsegmentation may also mitigate the impact of client-side exploitation. Risks of additional exploits and weaknesses in those systems may still exist.[1] |
| Enterprise | T1068 | Exploitation for Privilege Escalation | Make it difficult for adversaries to advance their operation through exploitation of undiscovered or unpatched vulnerabilities by using sandboxing. Other types of virtualization and application microsegmentation may also mitigate the impact of some types of exploitation. Risks of additional exploits and weaknesses in these systems may still exist.[1] |
| Enterprise | T1189 | Drive-by Compromise | Browser sandboxes can be used to mitigate some of the impact of exploitation, but sandbox escapes may still exist.[2][1] Other types of virtualization and application microsegmentation may also mitigate the impact of client-side exploitation. The risks of additional exploits and weaknesses in implementation may still exist for these types of systems.[1] |
| Enterprise | T1027.006 | Obfuscated Files or Information: HTML Smuggling | Browser sandboxes can be used to mitigate some of the impact of exploitation, but sandbox escapes may still exist. |
| Enterprise | T1559 | Inter-Process Communication | Ensure all COM alerts and Protected View are enabled.[3] |
| Enterprise | T1559.001 | Inter-Process Communication: Component Object Model | Ensure all COM alerts and Protected View are enabled.[3] |
| Enterprise | T1559.002 | Inter-Process Communication: Dynamic Data Exchange | Ensure Protected View is enabled.[3] |
| Enterprise | T1021.003 | Remote Services: Distributed Component Object Model | Ensure all COM alerts and Protected View are enabled.[3] |
| Enterprise | T1210 | Exploitation of Remote Services | Make it difficult for adversaries to advance their operation through exploitation of undiscovered or unpatched vulnerabilities by using sandboxing. Other types of virtualization and application microsegmentation may also mitigate the impact of some types of exploitation. Risks of additional exploits and weaknesses in these systems may still exist.[1] |
| Enterprise | T1611 | Escape to Host | Consider utilizing seccomp, seccomp-bpf, or a similar solution that restricts certain system calls such as mount. In Kubernetes environments, consider defining Pod Security Standards that limit container access to host process namespaces, the host network, and the host file system.[4] |
| Enterprise | T1211 | Exploitation for Defense Evasion | Make it difficult for adversaries to advance their operation through exploitation of undiscovered or unpatched vulnerabilities by using sandboxing. Other types of virtualization and application microsegmentation may also mitigate the impact of some types of exploitation. Risks of additional exploits and weaknesses in these systems may still exist.[1] |
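The T1611 (Escape to Host) row above recommends a seccomp profile that blocks mount and Pod Security Standards that keep containers out of host namespaces, the host network and the host file system. The following is an added example, not code from ATT&CK or any referenced project: it emits a seccomp profile that fails mount-family syscalls and audits a Pod manifest for the host-access settings those standards forbid. The syscall list and the two manifests are constructed assumptions for illustration.

```python
"""Added example (not from the ATT&CK page): audit a Kubernetes Pod manifest
against the host-isolation controls the T1611 row describes, and build a
seccomp profile that blocks mount-family syscalls. Manifests are constructed."""
import json

# Syscalls a container escape commonly relies on to re-mount the host filesystem.
# This list is an assumption for illustration; tune it to the workload.
MOUNT_SYSCALLS = ["mount", "umount", "umount2", "pivot_root", "move_mount", "open_tree"]


def mount_denying_seccomp_profile():
    """Seccomp (OCI/Kubernetes JSON) profile: allow by default, fail mount calls with EPERM."""
    return {
        "defaultAction": "SCMP_ACT_ALLOW",
        "syscalls": [{"names": MOUNT_SYSCALLS, "action": "SCMP_ACT_ERRNO", "errnoRet": 1}],
    }


def audit_pod(manifest):
    """Return findings where the Pod reaches host namespaces, host network, host
    filesystem or privileged mode, or lacks a seccomp profile; these are the
    checks the Pod Security Standards 'baseline' and 'restricted' levels enforce."""
    spec = manifest.get("spec", {})
    findings = []
    for flag in ("hostPID", "hostIPC", "hostNetwork"):  # host namespace sharing
        if spec.get(flag):
            findings.append(f"spec.{flag} is true")
    for vol in spec.get("volumes", []):  # host filesystem exposure
        if "hostPath" in vol:
            findings.append(f"volume {vol.get('name')} mounts hostPath {vol['hostPath'].get('path')}")
    pod_seccomp = spec.get("securityContext", {}).get("seccompProfile", {}).get("type")
    for c in spec.get("containers", []):
        ctx = c.get("securityContext", {})
        if ctx.get("privileged"):
            findings.append(f"container {c['name']} is privileged")
        seccomp = ctx.get("seccompProfile", {}).get("type") or pod_seccomp  # container overrides pod
        if seccomp not in ("RuntimeDefault", "Localhost"):
            findings.append(f"container {c['name']} has no seccomp profile")
    return findings


# Constructed manifests: one that reaches into the host, one that stays isolated.
UNSAFE_POD = {"apiVersion": "v1", "kind": "Pod", "metadata": {"name": "debug"},
              "spec": {"hostPID": True, "hostNetwork": True,
                       "volumes": [{"name": "root", "hostPath": {"path": "/"}}],
                       "containers": [{"name": "shell", "image": "busybox",
                                       "securityContext": {"privileged": True}}]}}
SAFE_POD = {"apiVersion": "v1", "kind": "Pod", "metadata": {"name": "web"},
            "spec": {"securityContext": {"seccompProfile": {"type": "RuntimeDefault"}},
                     "containers": [{"name": "app", "image": "nginx",
                                     "securityContext": {"allowPrivilegeEscalation": False}}]}}

if __name__ == "__main__":
    print(json.dumps(mount_denying_seccomp_profile(), indent=2))
    for pod in (UNSAFE_POD, SAFE_POD):
        print(pod["metadata"]["name"], audit_pod(pod) or "OK")
```

The seccomp JSON can be written to the node's seccomp directory and referenced from a Pod with a `Localhost` profile type; the audit function is the kind of check an admission controller or CI gate would run before a Pod is admitted.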