Remove or deny access to unnecessary and potentially vulnerable software to prevent abuse by adversaries.
Domain | ID | Name | Use
---|---|---|---
Enterprise | T1098.004 | Account Manipulation: SSH Authorized Keys | Disable SSH if it is not necessary on a host, or restrict SSH access to specific users/groups using
Enterprise | T1557 | Adversary-in-the-Middle | Disable legacy network protocols that may be used to intercept network traffic where applicable, especially those that are not needed within an environment.
Enterprise | T1557.001 | Adversary-in-the-Middle: LLMNR/NBT-NS Poisoning and SMB Relay | Disable LLMNR and NetBIOS in local computer security settings or by group policy if they are not needed within an environment. [1]
Enterprise | T1557.002 | Adversary-in-the-Middle: ARP Cache Poisoning | Consider disabling ARP cache updates on gratuitous ARP replies.
Enterprise | T1547.007 | Boot or Logon Autostart Execution: Re-opened Applications | This feature can be disabled entirely with the following terminal command:
Enterprise | T1059 | Command and Scripting Interpreter | Disable or remove any unnecessary or unused shells or interpreters.
Enterprise | T1059.001 | Command and Scripting Interpreter: PowerShell | It may be possible to remove PowerShell from systems when it is not needed, but a review should be performed first to assess the impact on the environment, since it may be in use for many legitimate purposes and administrative functions. Disable or restrict the WinRM service to help prevent use of PowerShell for remote execution.
Enterprise | T1059.005 | Command and Scripting Interpreter: Visual Basic | Turn off or restrict access to unneeded VB components.
Enterprise | T1059.007 | Command and Scripting Interpreter: JavaScript | Turn off or restrict access to unneeded scripting components.
Enterprise | T1092 | Communication Through Removable Media | Disable Autorun if it is unnecessary. [2]
Enterprise | T1555.004 | Credentials from Password Stores: Windows Credential Manager | Consider enabling the "Network access: Do not allow storage of passwords and credentials for network authentication" setting, which prevents network credentials from being stored by the Credential Manager. [3]
Enterprise | T1114.003 | Email Collection: Email Forwarding Rule | Consider disabling external email forwarding. [4]
Enterprise | T1546.002 | Event Triggered Execution: Screensaver | Use Group Policy to disable screensavers if they are unnecessary. [5]
Enterprise | T1546.014 | Event Triggered Execution: Emond | Consider disabling emond by removing its Launch Daemon plist file.
Enterprise | T1011.001 | Exfiltration Over Other Network Medium: Exfiltration Over Bluetooth | Disable Bluetooth in local computer security settings or by group policy if it is not needed within an environment.
Enterprise | T1052 | Exfiltration Over Physical Medium | Disable Autorun if it is unnecessary. [2] Disallow or restrict removable media at an organizational policy level if it is not required for business operations. [6]
Enterprise | T1052.001 | Exfiltration Over Physical Medium: Exfiltration over USB | Disable Autorun if it is unnecessary. [2] Disallow or restrict removable media at an organizational policy level if it is not required for business operations. [6]
Enterprise | T1210 | Exploitation of Remote Services | Minimize available services to only those that are necessary.
Enterprise | T1133 | External Remote Services | Disable or block remotely available services that may be unnecessary.
Enterprise | T1564.006 | Hide Artifacts: Run Virtual Instance | Disable Hyper-V if it is not necessary within a given environment.
Enterprise | T1564.007 | Hide Artifacts: VBA Stomping | Turn off or restrict access to unneeded VB components. [7]
Enterprise | T1562.010 | Impair Defenses: Downgrade Attack | Consider removing previous versions of tools that are unnecessary in the environment when possible.
Enterprise | T1559 | Inter-Process Communication | Registry keys specific to Microsoft Office feature control security can be set to disable automatic DDE/OLE execution. [8][9][10] Microsoft also created, and enabled by default, Registry keys to completely disable DDE execution in Word and Excel. [11]
Enterprise | T1559.002 | Inter-Process Communication: Dynamic Data Exchange | Registry keys specific to Microsoft Office feature control security can be set to disable automatic DDE/OLE execution. [8][9][10] Microsoft also created, and enabled by default, Registry keys to completely disable DDE execution in Word and Excel. [11]
Enterprise | T1046 | Network Service Scanning | Ensure that unnecessary ports and services are closed to reduce the risk of discovery and potential exploitation.
Enterprise | T1137 | Office Application Startup | Follow Office macro security best practices suitable for your environment. Disable Office VBA macros from executing. Disable Office add-ins. If they are required, follow best practices for securing them by requiring them to be signed and disabling the user notification that allows add-ins. For some add-in types (WLL, VBA) additional mitigation is likely required, as disabling add-ins in the Office Trust Center does not disable WLL add-ins, nor does it prevent VBA code from executing. [12]
Enterprise | T1137.001 | Office Application Startup: Office Template Macros | Follow Office macro security best practices suitable for your environment. Disable Office VBA macros from executing. Disable Office add-ins. If they are required, follow best practices for securing them by requiring them to be signed and disabling the user notification that allows add-ins. For some add-in types (WLL, VBA) additional mitigation is likely required, as disabling add-ins in the Office Trust Center does not disable WLL add-ins, nor does it prevent VBA code from executing. [12]
Enterprise | T1563 | Remote Service Session Hijacking | Disable the remote service (ex: SSH, RDP, etc.) if it is unnecessary.
Enterprise | T1563.001 | Remote Service Session Hijacking: SSH Hijacking | Ensure that agent forwarding is disabled on systems that do not explicitly require this feature, to prevent misuse. [13]
Enterprise | T1563.002 | Remote Service Session Hijacking: RDP Hijacking | Disable the RDP service if it is unnecessary.
Enterprise | T1021.001 | Remote Services: Remote Desktop Protocol | Disable the RDP service if it is unnecessary.
Enterprise | T1021.003 | Remote Services: Distributed Component Object Model | Consider disabling DCOM through Dcomcnfg.exe. [14]
Enterprise | T1021.004 | Remote Services: SSH | Disable the SSH daemon on systems that do not require it. On macOS, ensure Remote Login is disabled under Sharing preferences. [15]
Enterprise | T1021.005 | Remote Services: VNC | Uninstall any VNC server software where it is not required.
Enterprise | T1021.006 | Remote Services: Windows Remote Management | Disable the WinRM service where it is not required.
Enterprise | T1091 | Replication Through Removable Media | Disable Autorun if it is unnecessary. [2] Disallow or restrict removable media at an organizational policy level if it is not required for business operations. [6]
Enterprise | T1505 | Server Software Component | Consider disabling software components on servers when possible to prevent abuse by adversaries. [16]
Enterprise | T1505.003 | Server Software Component: Web Shell | Consider disabling functions from web technologies such as PHP's
Enterprise | T1218 | Signed Binary Proxy Execution | Many native binaries may not be necessary within a given environment.
Enterprise | T1218.003 | Signed Binary Proxy Execution: CMSTP | CMSTP.exe may not be necessary within a given environment (unless it is used for VPN connection installation).
Enterprise | T1218.004 | Signed Binary Proxy Execution: InstallUtil | InstallUtil may not be necessary within a given environment.
Enterprise | T1218.005 | Signed Binary Proxy Execution: Mshta | Mshta.exe may not be necessary within a given environment, since its functionality is tied to older versions of Internet Explorer that have reached end of life.
Enterprise | T1218.007 | Signed Binary Proxy Execution: Msiexec | Consider disabling the
Enterprise | T1218.008 | Signed Binary Proxy Execution: Odbcconf | Odbcconf.exe may not be necessary within a given environment.
Enterprise | T1218.009 | Signed Binary Proxy Execution: Regsvcs/Regasm | Regsvcs and Regasm may not be necessary within a given environment.
Enterprise | T1218.012 | Signed Binary Proxy Execution: Verclsid | Consider removing verclsid.exe if it is not necessary within a given environment.
Enterprise | T1218.013 | Signed Binary Proxy Execution: Mavinject | Consider removing mavinject.exe if Microsoft App-V is not used within a given environment.
Enterprise | T1218.014 | Signed Binary Proxy Execution: MMC | MMC may not be necessary within a given environment, since it is primarily used by system administrators rather than regular users or clients.
Enterprise | T1221 | Template Injection | Consider disabling Microsoft Office macros/active content to prevent the execution of malicious payloads in documents [18], though this setting may not mitigate the Forced Authentication use of this technique.
Enterprise | T1205 | Traffic Signaling | Disable Wake-on-LAN if it is not needed within an environment.
Enterprise | T1127 | Trusted Developer Utilities Proxy Execution | Specific developer utilities may not be necessary within a given environment and should be removed if not used.
Enterprise | T1127.001 | Trusted Developer Utilities Proxy Execution: MSBuild | MSBuild.exe may not be necessary within an environment and should be removed if it is not being used.
Enterprise | T1552.005 | Unsecured Credentials: Cloud Instance Metadata API | Disable unnecessary metadata services, and restrict or disable insecure versions of metadata services that are in use, to prevent adversary access. [19]
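The SSH rows above (T1098.004, T1563.001 and T1021.004) reduce to two settings on the host: limit which accounts sshd will accept at all, and keep agent forwarding off. The following is an added example, not code from the ATT&CK page: an offline auditor for an `sshd_config` that checks both. It assumes OpenSSH's `AllowUsers`/`AllowGroups` and `AllowAgentForwarding` directives and OpenSSH's rule that the first value obtained for a keyword wins; the two configs embedded in it are constructed for illustration.

```python
"""Offline audit of an sshd_config for two M1042 SSH controls: restrict who may
log in (AllowUsers/AllowGroups) and turn agent forwarding off.
Added example, not from the ATT&CK page; the sample configs are constructed."""
import re
from dataclasses import dataclass, field

# Constructed sample: forwarding is only switched off inside a Match block, so
# every account outside backup-ops still gets the compiled-in default (yes),
# and nothing limits which accounts may authenticate at all.
SAMPLE_SSHD_CONFIG = """\
# /etc/ssh/sshd_config (constructed sample)
Port 22
PermitRootLogin no
PasswordAuthentication no
AllowAgentForwarding yes
X11Forwarding no

Match Group backup-ops
    AllowAgentForwarding no
"""

# Constructed hardened counterpart: only two groups may log in, forwarding off.
HARDENED_SSHD_CONFIG = """\
Port 22
AllowGroups ssh-users ops
AllowAgentForwarding no
"""


@dataclass
class SshdConfig:
    globals_: dict = field(default_factory=dict)  # directive -> [values], in file order
    matches: list = field(default_factory=list)   # (Match criteria, {directive: [values]})


def parse_sshd_config(text):
    """Parse sshd_config text. Keywords are case-insensitive and may be written
    'Key value' or 'Key=value'; everything after a Match line belongs to that block."""
    cfg = SshdConfig()
    section = cfg.globals_
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = re.match(r"^(\S+?)(?:\s*=\s*|\s+)(.*)$", line)
        if not m:
            continue
        key, value = m.group(1).lower(), m.group(2).strip()
        if key == "match":
            section = {}
            cfg.matches.append((value, section))
            continue
        section.setdefault(key, []).append(value)
    return cfg


def audit_sshd(cfg):
    """Return [(technique, finding)]; an empty list means both controls are in place."""
    findings = []
    g = cfg.globals_
    if "allowusers" not in g and "allowgroups" not in g:
        findings.append(("T1098.004", "no AllowUsers/AllowGroups: any account that gets a "
                         "key into authorized_keys can log in"))
    # sshd uses the first value it obtains for a keyword; the default is 'yes'.
    fwd = g.get("allowagentforwarding", ["yes"])[0].lower()
    if fwd != "no":
        findings.append(("T1563.001", f"AllowAgentForwarding is '{fwd}' globally; Match "
                         "blocks only narrow it for the users/groups they name"))
    return findings


if __name__ == "__main__":
    for label, text in (("default", SAMPLE_SSHD_CONFIG), ("hardened", HARDENED_SSHD_CONFIG)):
        print(f"{label}: {audit_sshd(parse_sshd_config(text)) or 'no findings'}")
```

Run it against `/etc/ssh/sshd_config` read from disk on each host; an empty result means the host restricts logins and has forwarding off globally. The check deliberately ignores `Match` blocks for the forwarding decision, because a block can only narrow the setting for the principals it names and the global value is what everyone else gets.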
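Most of the Windows rows above (LLMNR/NetBIOS under T1557.001, the Credential Manager setting under T1555.004, Autorun under T1091/T1052, RDP under T1021.001, DCOM under T1021.003, WinRM under T1021.006, Office macros and add-ins under T1137, and Word DDE under T1559.002) come down to one policy value in the registry. The following is an added example, not code from the ATT&CK page: it parses a `reg export` file and reports which of those values are absent or not at their "disabled" setting. The key paths and value names are the ones the corresponding Group Policy and Trust Center settings write; the Office paths assume version 16.0 and Word only (repeat for Excel and other versions as needed), and the export text is constructed for illustration.

```python
"""Check a `reg export` file against the Windows 'disable it' settings named in
the table above. Added example, not from the ATT&CK page; SAMPLE_REG is constructed."""
import re

SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient]
"EnableMulticast"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NetBT\Parameters\Interfaces\Tcpip_{11111111-0000-0000-0000-000000000001}]
"NetbiosOptions"=dword:00000002

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NetBT\Parameters\Interfaces\Tcpip_{11111111-0000-0000-0000-000000000002}]
"NetbiosOptions"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"DisableDomainCreds"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoDriveTypeAutoRun"=dword:000000ff

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server]
"fDenyTSConnections"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole]
"EnableDCOM"="Y"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinRM]
"Start"=dword:00000004

[HKEY_CURRENT_USER\Software\Policies\Microsoft\Office\16.0\Word\Security]
"VBAWarnings"=dword:00000004
"RequireAddinSig"=dword:00000001

[HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Word\Security]
"AllowDDE"=dword:00000000
"""

NETBT_IFACES = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NetBT\Parameters\Interfaces\*"
WORD_POLICY = r"HKEY_CURRENT_USER\Software\Policies\Microsoft\Office\16.0\Word\Security"

# (technique, key, value name, value meaning 'disabled', what a mismatch means).
# A trailing \* means every subkey of that path must match (one per interface).
CHECKS = [
    ("T1557.001", r"HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient", "EnableMulticast", 0, "LLMNR enabled"),
    ("T1557.001", NETBT_IFACES, "NetbiosOptions", 2, "NetBIOS over TCP/IP enabled on an interface"),
    ("T1555.004", r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa", "DisableDomainCreds", 1, "Credential Manager may store network credentials"),
    ("T1091", r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer", "NoDriveTypeAutoRun", 0xFF, "Autorun not disabled for all drive types"),
    ("T1021.001", r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server", "fDenyTSConnections", 1, "RDP enabled"),
    ("T1021.003", r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole", "EnableDCOM", "N", "DCOM enabled"),
    ("T1021.006", r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinRM", "Start", 4, "WinRM service not disabled"),
    ("T1137", WORD_POLICY, "VBAWarnings", 4, "Word VBA macros not blocked"),
    ("T1137", WORD_POLICY, "RequireAddinSig", 1, "unsigned Word add-ins allowed"),
    ("T1559.002", r"HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Word\Security", "AllowDDE", 0, "Word DDE enabled"),
]

VALUE_RE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|@)=(.*)$')


def parse_reg(text):
    """Return {key path: {value name: value}} for dword and string values; other
    types (hex:, hex(2): ...) are skipped and the '@' default value is stored as ''."""
    hive, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = hive.setdefault(line[1:-1], {})
            continue
        m = VALUE_RE.match(line)
        if current is None or not m:
            continue
        name = m.group(1) if m.group(1) is not None else ""
        data = m.group(2)
        if data.startswith("dword:"):
            current[name] = int(data[6:], 16)
        elif len(data) >= 2 and data[0] == data[-1] == '"':
            current[name] = data[1:-1].replace('\\"', '"').replace("\\\\", "\\")
    return hive


def lookup(hive, key, name):
    """Case-insensitive lookup; None when the key or value is absent (i.e. still at its default)."""
    for k, values in hive.items():
        if k.lower() == key.lower():
            for n, v in values.items():
                if n.lower() == name.lower():
                    return v
    return None


def audit_reg(hive):
    """Return [(technique, message)] for every check not at its 'disabled' value."""
    findings = []
    for technique, key, name, want, meaning in CHECKS:
        if key.endswith("\\*"):
            prefix = key[:-1].lower()
            targets = [k for k in hive if k.lower().startswith(prefix)]
            if not targets:
                findings.append((technique, f"no subkeys under {key[:-2]} in export; cannot verify {name}"))
        else:
            targets = [key]
        for k in targets:
            got = lookup(hive, k, name)
            if got != want:
                findings.append((technique, f"{meaning}: {k}\\{name} is {got!r}, expected {want!r}"))
    return findings


if __name__ == "__main__":
    for technique, message in audit_reg(parse_reg(SAMPLE_REG)):
        print(technique, message)
```

An absent value is reported, not skipped: for every setting here the registry default is "enabled", so a policy that was never applied looks exactly like one that was removed. On the constructed export the auditor flags the second NetBT interface, RDP and DCOM and passes everything else.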