Application Isolation and Sandboxing
Restrict execution of code to a virtual environment on or in transit to an endpoint system.
Techniques Addressed by Mitigation
| Domain | ID | Name | Use | |
|---|---|---|---|---|
| Enterprise | T1189 | Drive-by Compromise |
Browser sandboxes can be used to mitigate some of the impact of exploitation, but sandbox escapes may still exist.[1][2] Other types of virtualization and application microsegmentation may also mitigate the impact of client-side exploitation. The risks of additional exploits and weaknesses in implementation may still exist for these types of systems.[2] |
|
| Enterprise | T1611 | Escape to Host |
Consider utilizing seccomp, seccomp-bpf, or a similar solution that restricts certain system calls such as mount. |
|
| Enterprise | T1190 | Exploit Public-Facing Application |
Application isolation will limit what other processes and system features the exploited target can access. |
|
| Enterprise | T1203 | Exploitation for Client Execution |
Browser sandboxes can be used to mitigate some of the impact of exploitation, but sandbox escapes may still exist. [1] [2] Other types of virtualization and application microsegmentation may also mitigate the impact of client-side exploitation. Risks of additional exploits and weaknesses in those systems may still exist. [2] |
|
| Enterprise | T1212 | Exploitation for Credential Access |
Make it difficult for adversaries to advance their operation through exploitation of undiscovered or unpatched vulnerabilities by using sandboxing. Other types of virtualization and application microsegmentation may also mitigate the impact of some types of exploitation. Risks of additional exploits and weaknesses in these systems may still exist.[2] |
|
| Enterprise | T1211 | Exploitation for Defense Evasion |
Make it difficult for adversaries to advance their operation through exploitation of undiscovered or unpatched vulnerabilities by using sandboxing. Other types of virtualization and application microsegmentation may also mitigate the impact of some types of exploitation. Risks of additional exploits and weaknesses in these systems may still exist. [2] |
|
| Enterprise | T1068 | Exploitation for Privilege Escalation |
Make it difficult for adversaries to advance their operation through exploitation of undiscovered or unpatched vulnerabilities by using sandboxing. Other types of virtualization and application microsegmentation may also mitigate the impact of some types of exploitation. Risks of additional exploits and weaknesses in these systems may still exist. [2] |
|
| Enterprise | T1210 | Exploitation of Remote Services |
Make it difficult for adversaries to advance their operation through exploitation of undiscovered or unpatched vulnerabilities by using sandboxing. Other types of virtualization and application microsegmentation may also mitigate the impact of some types of exploitation. Risks of additional exploits and weaknesses in these systems may still exist. [2] |
|
| Enterprise | T1559 | Inter-Process Communication |
Ensure all COM alerts and Protected View are enabled.[3] |
|
| .001 | Component Object Model |
Ensure all COM alerts and Protected View are enabled.[3] |
||
| .002 | Dynamic Data Exchange |
Ensure Protected View is enabled.[3] |
||
| Enterprise | T1021 | .003 | Remote Services: Distributed Component Object Model |
Ensure all COM alerts and Protected View are enabled.[3] |