1. Home
  2. Mitigations
  3. Software Configuration

Software Configuration

Implement configuration changes to software (other than the operating system) to mitigate security risks associated to how the software operates.

ID: M1054
Version: 1.2
Created: 19 July 2019
Last Modified: 26 December 2023
Enterprise Layer
download view

Techniques Addressed by Mitigation

Domain ID Name Use
Enterprise T1546 .013 事件触发执行: PowerShell Profile

Avoid PowerShell profiles if not needed. Use the -No Profile flag with when executing PowerShell scripts remotely to prevent local profiles and scripts from being executed.
Enterprise T1213 从信息存储库获取数据

Consider implementing data retention policies to automate periodically archiving and/or deleting data that is no longer needed.

.004 Customer Relationship Management Software

Consider implementing data retention policies to automate periodically archiving and/or deleting data that is no longer needed.

Enterprise T1555 .005 从密码存储中获取凭证: Password Managers

Consider re-locking password managers after a short timeout to limit the time plaintext credentials live in memory from decrypted databases.
Enterprise T1602 从配置存储库获取数据

Allowlist MIB objects and implement SNMP views.[1]
.001 SNMP (MIB Dump)

Allowlist MIB objects and implement SNMP views.[1]
.002 Network Device Configuration Dump

Allowlist MIB objects and implement SNMP views. Disable Smart Install (SMI) if not used.[1][2]

Enterprise T1537 传输数据至云账户

Configure appropriate data sharing restrictions in cloud services. For example, external sharing in Microsoft SharePoint and Google Drive can be turned off altogether, blocked for certain domains, or restricted to certain users.[3] [4]
Enterprise T1606 伪造Web凭证

Configure browsers/applications to regularly delete persistent web credentials (such as cookies).
.001 Web Cookies

Configure browsers/applications to regularly delete persistent web cookies.
Enterprise T1550 .004 使用备用认证材料: Web Session Cookie

Configure browsers or tasks to regularly delete persistent cookies.
Enterprise T1598 信息钓鱼

Use anti-spoofing and email authentication mechanisms to filter messages based on validity checks of the sender domain (using SPF) and integrity of messages (using DKIM). Enabling these mechanisms within an organization (through policies such as DMARC) may enable recipients (intra-org and cross domain) to perform similar message filtering and validation.[5][6]
.002 Spearphishing Attachment

Use anti-spoofing and email authentication mechanisms to filter messages based on validity checks of the sender domain (using SPF) and integrity of messages (using DKIM). Enabling these mechanisms within an organization (through policies such as DMARC) may enable recipients (intra-org and cross domain) to perform similar message filtering and validation.[5][6]
.003 Spearphishing Link

Use anti-spoofing and email authentication mechanisms to filter messages based on validity checks of the sender domain (using SPF) and integrity of messages (using DKIM). Enabling these mechanisms within an organization (through policies such as DMARC) may enable recipients (intra-org and cross domain) to perform similar message filtering and validation.[5][6]

Furthermore, policies may enforce / install browser extensions that protect against IDN and homograph attacks. Browser password managers may also be configured to only populate credential fields when the URL matches that of the original, legitimate site.

Enterprise T1666 修改云资源层次结构

In Azure environments, consider setting a policy to block subscription transfers.[7] In AWS environments, consider using Service Control Policies to prevent the use of the LeaveOrganization API call.[8]
Enterprise T1543 创建或修改系统进程

Where possible, consider enforcing the use of container services in rootless mode to limit the possibility of privilege escalation or malicious effects on the host running the container.
.005 Container Service

Where possible, consider enforcing the use of container services in rootless mode to limit the possibility of privilege escalation or malicious effects on the host running the container.

Enterprise T1137 办公应用启动

For the Office Test method, create the Registry key used to execute it and set the permissions to "Read Control" to prevent easy access to the key without administrator permissions or requiring Privilege Escalation. [9]
.002 Office Test

Create the Registry key used to execute it and set the permissions to "Read Control" to prevent easy access to the key without administrator permissions or requiring Privilege Escalation.[9]
Enterprise T1562 妨碍防御

Consider implementing policies on internal web servers, such HTTP Strict Transport Security, that enforce the use of HTTPS/network traffic encryption to prevent insecure connections.[10]
.006 Indicator Blocking

Consider automatically relaunching forwarding mechanisms at recurring intervals (ex: temporal, on-logon, etc.) as well as applying appropriate change management to firewall rules and other related system configurations.
.009 Safe Mode Boot

Ensure that endpoint defenses run in safe mode.[11]
.010 Downgrade Attack

Consider implementing policies on internal web servers, such HTTP Strict Transport Security, that enforce the use of HTTPS/network traffic encryption to prevent insecure connections.[10]
Enterprise T1590 .002 收集受害者网络信息: DNS

Consider implementing policies for DNS servers, such as Zone Transfer Policies, that enforce a list of validated servers permitted for zone transfers.[12]
Enterprise T1535 未使用/不受支持的云区域

Cloud service providers may allow customers to deactivate unused regions.[13]
Enterprise T1539 窃取Web会话Cookie

Configure browsers or tasks to regularly delete persistent cookies.

Additionally, minimize the length of time a web cookie is viable to potentially reduce the impact of stolen cookies while also increasing the needed frequency of cookie theft attempts – providing defenders with additional chances at detection.[14] For example, use non-persistent cookies to limit the duration a session ID will remain on the web client cache where an attacker could obtain it.[15]
Enterprise T1559 进程间通信

Consider disabling embedded files in Office programs, such as OneNote, that do not work with Protected View.[16][17]
.002 Dynamic Data Exchange

Consider disabling embedded files in Office programs, such as OneNote, that do not work with Protected View.[16][17]
Enterprise T1566 钓鱼

Use anti-spoofing and email authentication mechanisms to filter messages based on validity checks of the sender domain (using SPF) and integrity of messages (using DKIM). Enabling these mechanisms within an organization (through policies such as DMARC) may enable recipients (intra-org and cross domain) to perform similar message filtering and validation.[5][6]
.001 Spearphishing Attachment

Use anti-spoofing and email authentication mechanisms to filter messages based on validity checks of the sender domain (using SPF) and integrity of messages (using DKIM). Enabling these mechanisms within an organization (through policies such as DMARC) may enable recipients (intra-org and cross domain) to perform similar message filtering and validation.[5][6]
.002 Spearphishing Link

Use anti-spoofing and email authentication mechanisms to filter messages based on validity checks of the sender domain (using SPF) and integrity of messages (using DKIM). Enabling these mechanisms within an organization (through policies such as DMARC) may enable recipients (intra-org and cross domain) to perform similar message filtering and validation.[5][6].

Furthermore, policies may enforce / install browser extensions that protect against IDN and homograph attacks.
Enterprise T1553 颠覆信任控制

HTTP Public Key Pinning (HPKP) is one method to mitigate potential Adversary-in-the-Middle situations where and adversary uses a mis-issued or fraudulent certificate to intercept encrypted communications by enforcing use of an expected certificate. [18]
.004 Install Root Certificate

HTTP Public Key Pinning (HPKP) is one method to mitigate potential Adversary-in-the-Middle situations where and adversary uses a mis-issued or fraudulent certificate to intercept encrypted communications by enforcing use of an expected certificate. [18]

References

  1. Cisco. (2006, May 10). Securing Simple Network Management Protocol. Retrieved October 19, 2020.
  2. US-CERT. (2018, April 20). Russian State-Sponsored Cyber Actors Targeting Network Infrastructure Devices. Retrieved October 19, 2020.
  3. Google. (n.d.). Manage external sharing for your organization. Retrieved March 4, 2024.
  4. Microsoft. (2023, October 11). Manage sharing settings for SharePoint and OneDrive in Microsoft 365. Retrieved March 4, 2024.
  5. Microsoft. (2020, October 13). Anti-spoofing protection in EOP. Retrieved October 19, 2020.
  6. Australian Cyber Security Centre. (2012, December). Mitigating Spoofed Emails Using Sender Policy Framework. Retrieved October 19, 2020.
  7. Microsoft Azure. (2024, March 21). Manage Azure subscription policies. Retrieved September 25, 2024.
  8. Ben Fletcher and Steve de Vera. (2024, June). New tactics and techniques for proactive threat detection. Retrieved September 25, 2024.
  9. Falcone, R. (2016, July 20). Technical Walkthrough: Office Test Persistence Method Used In Recent Sofacy Attacks. Retrieved July 3, 2017.
  1. Chromium. (n.d.). HTTP Strict Transport Security. Retrieved May 24, 2023.
  2. Naim, D.. (2016, September 15). CyberArk Labs: From Safe Mode to Domain Compromise. Retrieved June 23, 2021.
  3. Microsoft. (2022). DNS Policies Overview. Retrieved June 6, 2024.
  4. CloudSploit. (2019, June 8). The Danger of Unused AWS Regions. Retrieved October 8, 2019.
  5. Microsoft Incident Response. (2022, November 16). Token tactics: How to prevent, detect, and respond to cloud token theft. Retrieved December 26, 2023.
  6. OWASP CheatSheets Series Team. (n.d.). Session Management Cheat Sheet. Retrieved December 26, 2023.
  7. Nelson, M. (2018, January 29). Reviving DDE: Using OneNote and Excel for Code Execution. Retrieved February 3, 2018.
  8. Dormann, W. (2017, October 20). Disable DDEAUTO for Outlook, Word, OneNote, and Excel versions 2010, 2013, 2016. Retrieved February 3, 2018.
  9. Wikipedia. (2017, February 28). HTTP Public Key Pinning. Retrieved March 31, 2017.