Make configuration changes related to the operating system or a common feature of the operating system that result in system hardening against techniques.
Domain | ID | Name | Use | |
---|---|---|---|---|
Enterprise | T1548 | Abuse Elevation Control Mechanism |
Applications with known vulnerabilities or known shell escapes should not have the setuid or setgid bits set to reduce potential damage if an application is compromised. Additionally, the number of programs with setuid or setgid bits set should be minimized across a system. Ensuring that the sudo tty_tickets setting is enabled will prevent this leakage across tty sessions. |
|
.001 | Setuid and Setgid |
Applications with known vulnerabilities or known shell escapes should not have the setuid or setgid bits set to reduce potential damage if an application is compromised. Additionally, the number of programs with setuid or setgid bits set should be minimized across a system. |
||
.003 | Sudo and Sudo Caching |
Ensuring that the |
||
.003 | Sudo and Sudo Caching |
Ensuring that the |
||
.003 | Sudo and Sudo Caching |
Ensuring that the |
||
Enterprise | T1087 | Account Discovery |
Prevent administrator accounts from being enumerated when an application is elevating through UAC since it can lead to the disclosure of account names. The Registry key is located |
|
.001 | Local Account |
Prevent administrator accounts from being enumerated when an application is elevating through UAC since it can lead to the disclosure of account names. The Registry key is located at |
||
.002 | Domain Account |
Prevent administrator accounts from being enumerated when an application is elevating through UAC since it can lead to the disclosure of account names. The Registry key is located at |
||
Enterprise | T1098 | Account Manipulation |
Protect domain controllers by ensuring proper security configuration for critical servers to limit access by potentially unnecessary protocols and services, such as SMB file sharing. |
|
Enterprise | T1197 | BITS Jobs |
Consider reducing the default BITS job lifetime in Group Policy or by editing the |
|
Enterprise | T1092 | Communication Through Removable Media |
Disallow or restrict removable media at an organizational policy level if they are not required for business operations.[3] |
|
Enterprise | T1136 | Create Account |
Protect domain controllers by ensuring proper security configuration for critical servers. |
|
.002 | Domain Account |
Protect domain controllers by ensuring proper security configuration for critical servers. |
||
Enterprise | T1543 | Create or Modify System Process |
Ensure that Driver Signature Enforcement is enabled to restrict unsigned drivers from being installed. |
|
.003 | Windows Service |
Ensure that Driver Signature Enforcement is enabled to restrict unsigned drivers from being installed. |
||
Enterprise | T1546 | .008 | Event Triggered Execution: Accessibility Features |
To use this technique remotely, an adversary must use it in conjunction with RDP. Ensure that Network Level Authentication is enabled to force the remote desktop session to authenticate before the session is created and the login screen displayed. It is enabled by default on Windows Vista and later.[4] |
Enterprise | T1011 | Exfiltration Over Other Network Medium |
Prevent the creation of new network adapters where possible.[5][6] |
|
.001 | Exfiltration Over Bluetooth |
Prevent the creation of new network adapters where possible. |
||
Enterprise | T1564 | .002 | Hide Artifacts: Hidden Users |
If the computer is domain joined, then group policy can help restrict the ability to create or hide users. Similarly, preventing the modification of the |
Enterprise | T1574 | .006 | Hijack Execution Flow: Dynamic Linker Hijacking |
When System Integrity Protection (SIP) is enabled in macOS, the aforementioned environment variables are ignored when executing protected binaries. Third-party applications can also leverage Apple’s Hardened Runtime, ensuring these environment variables are subject to imposed restrictions.[7] Admins can add restrictions to applications by setting the setuid and/or setgid bits, use entitlements, or have a __RESTRICT segment in the Mach-O binary. |
Enterprise | T1562 | .003 | Impair Defenses: Impair Command History Logging |
Make sure that the |
Enterprise | T1490 | Inhibit System Recovery |
Consider technical controls to prevent the disabling of services or deletion of files involved in system recovery. |
|
Enterprise | T1036 | .007 | Masquerading: Double File Extension |
Disable the default to "hide file extensions for known file types" in Windows OS.[8][9] |
Enterprise | T1556 | Modify Authentication Process |
Ensure only valid password filters are registered. Filter DLLs must be present in Windows installation directory (C:\Windows\System32\ by default) of a domain controller and/or local computer with a corresponding entry in HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Notification Packages. |
|
.002 | Password Filter DLL |
Ensure only valid password filters are registered. Filter DLLs must be present in Windows installation directory (C:\Windows\System32\ by default) of a domain controller and/or local computer with a corresponding entry in HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Notification Packages. |
||
Enterprise | T1135 | Network Share Discovery |
Enable Windows Group Policy "Do Not Allow Anonymous Enumeration of SAM Accounts and Shares" security setting to limit users who can enumerate network shares.[10] |
|
Enterprise | T1003 | OS Credential Dumping |
Consider disabling or restricting NTLM.[11] Consider disabling WDigest authentication.[12] |
|
.001 | LSASS Memory |
Consider disabling or restricting NTLM.[11] Consider disabling WDigest authentication.[12] |
||
.002 | Security Account Manager |
Consider disabling or restricting NTLM.[11] |
||
.005 | Cached Domain Credentials |
Consider limiting the number of cached credentials (HKLM\SOFTWARE\Microsoft\Windows NT\Current Version\Winlogon\cachedlogonscountvalue)[13] |
||
Enterprise | T1542 | .005 | Pre-OS Boot: TFTP Boot |
Follow vendor device hardening best practices to disable unnecessary and unused features and services, avoid using default configurations and passwords, and introduce logging and auditing for detection. |
Enterprise | T1563 | .002 | Remote Service Session Hijacking: RDP Hijacking |
Change GPOs to define shorter timeouts sessions and maximum amount of time any single session can be active. Change GPOs to specify the maximum amount of time that a disconnected session stays active on the RD session host server.[14] |
Enterprise | T1021 | .001 | Remote Services: Remote Desktop Protocol |
Change GPOs to define shorter timeouts sessions and maximum amount of time any single session can be active. Change GPOs to specify the maximum amount of time that a disconnected session stays active on the RD session host server.[14] |
Enterprise | T1053 | Scheduled Task/Job |
Configure settings for scheduled tasks to force tasks to run under the context of the authenticated account instead of allowing them to run as SYSTEM. The associated Registry key is located at |
|
.002 | At |
Configure settings for scheduled tasks to force tasks to run under the context of the authenticated account instead of allowing them to run as SYSTEM. The associated Registry key is located at |
||
.005 | Scheduled Task |
Configure settings for scheduled tasks to force tasks to run under the context of the authenticated account instead of allowing them to run as SYSTEM. The associated Registry key is located at HKLM\SYSTEM\CurrentControlSet\Control\Lsa\SubmitControl. The setting can be configured through GPO: Computer Configuration > [Policies] > Windows Settings > Security Settings > Local Policies > Security Options: Domain Controller: Allow server operators to schedule tasks, set to disabled. [15] |
||
Enterprise | T1553 | Subvert Trust Controls |
Windows Group Policy can be used to manage root certificates and the |
|
.004 | Install Root Certificate |
Windows Group Policy can be used to manage root certificates and the |
||
Enterprise | T1552 | Unsecured Credentials |
There are multiple methods of preventing a user's command history from being flushed to their .bash_history file, including use of the following commands: |
|
.003 | Bash History |
There are multiple methods of preventing a user's command history from being flushed to their .bash_history file, including use of the following commands: |