Perform regular software updates to mitigate exploitation risk.
| Domain | ID | Name | Use |
|---|---|---|---|
| Enterprise | T1548.002 | Abuse Elevation Control Mechanism: Bypass User Account Control | Consider updating Windows to the latest version and patch level to utilize the latest protective measures against UAC bypass.[1] |
| Enterprise | T1176 | Browser Extensions | Ensure operating systems and browsers are using the most current version. |
| Enterprise | T1555.005 | Credentials from Password Stores: Password Managers | Update password managers regularly by employing patch management for internal enterprise endpoints and servers. |
| Enterprise | T1602 | Data from Configuration Repository | Keep system images and software updated and migrate to SNMPv3.[2] |
| | T1602.001 | SNMP (MIB Dump) | Keep system images and software updated and migrate to SNMPv3.[2] |
| | T1602.002 | Network Device Configuration Dump | Keep system images and software updated and migrate to SNMPv3.[2] |
| Enterprise | T1189 | Drive-by Compromise | Ensuring all browsers and plugins are kept updated can help prevent the exploit phase of this technique. Use modern browsers with security features turned on. |
| Enterprise | T1546.010 | Event Triggered Execution: AppInit DLLs | Upgrade to Windows 8 or later and enable secure boot. |
| | T1546.011 | Event Triggered Execution: Application Shimming | Microsoft released an optional patch update - KB3045645 - that will remove the "auto-elevate" flag within sdbinst.exe. This will prevent use of application shimming to bypass UAC. |
| Enterprise | T1190 | Exploit Public-Facing Application | Update software regularly by employing patch management for externally exposed applications. |
| Enterprise | T1212 | Exploitation for Credential Access | Update software regularly by employing patch management for internal enterprise endpoints and servers. |
| Enterprise | T1211 | Exploitation for Defense Evasion | Update software regularly by employing patch management for internal enterprise endpoints and servers. |
| Enterprise | T1068 | Exploitation for Privilege Escalation | Update software regularly by employing patch management for internal enterprise endpoints and servers. |
| Enterprise | T1210 | Exploitation of Remote Services | Update software regularly by employing patch management for internal enterprise endpoints and servers. |
| Enterprise | T1495 | Firmware Corruption | Patch the BIOS and other firmware as necessary to prevent successful use of known vulnerabilities. |
| Enterprise | T1574 | Hijack Execution Flow | Update software regularly to include patches that fix DLL side-loading vulnerabilities. |
| | T1574.002 | DLL Side-Loading | Update software regularly to include patches that fix DLL side-loading vulnerabilities. |
| Enterprise | T1137 | Office Application Startup | For the Outlook methods, blocking macros may be ineffective as the Visual Basic engine used for these features is separate from the macro scripting engine.[3] Microsoft has released patches to try to address each issue. Ensure that KB3191938 (blocks Outlook Visual Basic and displays a malicious code warning), KB4011091 (disables custom forms by default), and KB4011162 (removes the legacy Home Page feature) are applied to systems.[4] |
| | T1137.003 | Outlook Forms | For the Outlook methods, blocking macros may be ineffective as the Visual Basic engine used for these features is separate from the macro scripting engine.[3] Microsoft has released patches to try to address each issue. Ensure that KB3191938 (blocks Outlook Visual Basic and displays a malicious code warning), KB4011091 (disables custom forms by default), and KB4011162 (removes the legacy Home Page feature) are applied to systems.[4] |
| | T1137.004 | Outlook Home Page | For the Outlook methods, blocking macros may be ineffective as the Visual Basic engine used for these features is separate from the macro scripting engine.[3] Microsoft has released patches to try to address each issue. Ensure that KB3191938 (blocks Outlook Visual Basic and displays a malicious code warning), KB4011091 (disables custom forms by default), and KB4011162 (removes the legacy Home Page feature) are applied to systems.[4] |
| | T1137.005 | Outlook Rules | For the Outlook methods, blocking macros may be ineffective as the Visual Basic engine used for these features is separate from the macro scripting engine.[3] Microsoft has released patches to try to address each issue. Ensure that KB3191938 (blocks Outlook Visual Basic and displays a malicious code warning), KB4011091 (disables custom forms by default), and KB4011162 (removes the legacy Home Page feature) are applied to systems.[4] |
| Enterprise | T1542 | Pre-OS Boot | Patch the BIOS and EFI as necessary. |
| | T1542.001 | System Firmware | Patch the BIOS and EFI as necessary. |
| Enterprise | T1072 | Software Deployment Tools | Patch deployment systems regularly to prevent potential remote access through Exploitation for Privilege Escalation. |
| Enterprise | T1195 | Supply Chain Compromise | A patch management process should be implemented to check unused dependencies, unmaintained and/or previously vulnerable dependencies, unnecessary features, components, files, and documentation. |
| | T1195.001 | Compromise Software Dependencies and Development Tools | A patch management process should be implemented to check unused dependencies, unmaintained and/or previously vulnerable dependencies, unnecessary features, components, files, and documentation. |
| | T1195.002 | Compromise Software Supply Chain | A patch management process should be implemented to check unused applications, unmaintained and/or previously vulnerable software, unnecessary features, components, files, and documentation. |
| Enterprise | T1552 | Unsecured Credentials | Apply patch KB2962486, which prevents credentials from being stored in GPPs.[5][6] |
| | T1552.006 | Group Policy Preferences | Apply patch KB2962486, which prevents credentials from being stored in GPPs.[5][6] |
| Enterprise | T1550.002 | Use Alternate Authentication Material: Pass the Hash | Apply patch KB2871997 to Windows 7 and higher systems to limit the default access of accounts in the local administrator group.[7] |
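As an added example (not part of this ATT&CK page), the following PowerShell audits a Windows host for the specific KB updates named in the table above and maps each one back to the technique it mitigates. It assumes it runs on the host being audited and relies on the built-in `Get-HotFix` cmdlet, which only reports updates recorded in the Windows Update history.

```powershell
# Added audit script (not MITRE's own code): report which of the KB updates
# named on this page are present on the local host, using Get-HotFix.
# Caveat: Get-HotFix lists only updates recorded by Windows Update/MSI. On
# modern Windows a KB listed here may have been superseded by a later
# cumulative update and therefore not appear, even though the fix is in
# place, so treat "MISSING" as a prompt to verify, not as proof of exposure.

# KB -> technique it mitigates, taken from the table above.
$kbMitigations = @{
    'KB3045645' = 'T1546.011 Application Shimming: removes auto-elevate from sdbinst.exe'
    'KB3191938' = 'T1137.003-.005 Outlook: blocks Outlook Visual Basic, shows malicious code warning'
    'KB4011091' = 'T1137.003 Outlook Forms: disables custom forms by default'
    'KB4011162' = 'T1137.004 Outlook Home Page: removes legacy Home Page feature'
    'KB2962486' = 'T1552.006 Group Policy Preferences: prevents credentials stored in GPP'
    'KB2871997' = 'T1550.002 Pass the Hash: limits default local administrator group access'
}

# HotFixID values look like "KB2962486"; collect them once for lookup.
$installed = Get-HotFix | Select-Object -ExpandProperty HotFixID

$report = foreach ($kb in ($kbMitigations.Keys | Sort-Object)) {
    [pscustomobject]@{
        KB        = $kb
        State     = if ($installed -contains $kb) { 'present' } else { 'MISSING' }
        Mitigates = $kbMitigations[$kb]
    }
}

# Print the table and surface the gaps separately so they stand out.
$report | Format-Table -AutoSize
$missing = $report | Where-Object State -eq 'MISSING'
if ($missing) {
    Write-Warning ("{0} of {1} listed KBs not found in update history: {2}" -f `
        $missing.Count, $report.Count, ($missing.KB -join ', '))
}
```

Run it under an account that can read the update history; for fleet-wide use, `Get-HotFix -ComputerName` accepts remote hosts, but the supersession caveat above still applies to every result.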