Operating System Configuration

Make configuration changes related to the operating system or a common feature of the operating system that result in system hardening against techniques.

ID: M1028
Version: 1.1
Created: 06 June 2019
Last Modified: 19 June 2020

Techniques Addressed by Mitigation

Domain ID Name Use
Enterprise T1548 Abuse Elevation Control Mechanism

Applications with known vulnerabilities or known shell escapes should not have the setuid or setgid bits set to reduce potential damage if an application is compromised. Additionally, the number of programs with setuid or setgid bits set should be minimized across a system. Ensuring that the sudo tty_tickets setting is enabled will prevent this leakage across tty sessions.

.001 Setuid and Setgid

Applications with known vulnerabilities or known shell escapes should not have the setuid or setgid bits set to reduce potential damage if an application is compromised. Additionally, the number of programs with setuid or setgid bits set should be minimized across a system.

.003 Sudo and Sudo Caching

Ensuring that the tty_tickets setting is enabled will prevent this leakage across tty sessions.

.003 Sudo and Sudo Caching

Ensuring that the tty_tickets setting is enabled will prevent this leakage across tty sessions.

.003 Sudo and Sudo Caching

Ensuring that the tty_tickets setting is enabled will prevent this leakage across tty sessions.

Enterprise T1087 Account Discovery

Prevent administrator accounts from being enumerated when an application is elevating through UAC since it can lead to the disclosure of account names. The Registry key is located HKLM\ SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CredUI\EnumerateAdministrators. It can be disabled through GPO: Computer Configuration > [Policies] > Administrative Templates > Windows Components > Credential User Interface: E numerate administrator accounts on elevation. [1]

.001 Local Account

Prevent administrator accounts from being enumerated when an application is elevating through UAC since it can lead to the disclosure of account names. The Registry key is located at HKLM\ SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CredUI\EnumerateAdministrators. It can be disabled through GPO: Computer Configuration > [Policies] > Administrative Templates > Windows Components > Credential User Interface: Enumerate administrator accounts on elevation.[1]

.002 Domain Account

Prevent administrator accounts from being enumerated when an application is elevating through UAC since it can lead to the disclosure of account names. The Registry key is located at HKLM\ SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CredUI\EnumerateAdministrators. It can be disabled through GPO: Computer Configuration > [Policies] > Administrative Templates > Windows Components > Credential User Interface: Enumerate administrator accounts on elevation.[1]

Enterprise T1098 Account Manipulation

Protect domain controllers by ensuring proper security configuration for critical servers to limit access by potentially unnecessary protocols and services, such as SMB file sharing.

Enterprise T1197 BITS Jobs

Consider reducing the default BITS job lifetime in Group Policy or by editing the JobInactivityTimeout and MaxDownloadTime Registry values in HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\BITS.[2]

Enterprise T1092 Communication Through Removable Media

Disallow or restrict removable media at an organizational policy level if they are not required for business operations.[3]

Enterprise T1136 Create Account

Protect domain controllers by ensuring proper security configuration for critical servers.

.002 Domain Account

Protect domain controllers by ensuring proper security configuration for critical servers.

Enterprise T1543 Create or Modify System Process

Ensure that Driver Signature Enforcement is enabled to restrict unsigned drivers from being installed.

.003 Windows Service

Ensure that Driver Signature Enforcement is enabled to restrict unsigned drivers from being installed.

Enterprise T1546 .008 Event Triggered Execution: Accessibility Features

To use this technique remotely, an adversary must use it in conjunction with RDP. Ensure that Network Level Authentication is enabled to force the remote desktop session to authenticate before the session is created and the login screen displayed. It is enabled by default on Windows Vista and later.[4]

Enterprise T1011 Exfiltration Over Other Network Medium

Prevent the creation of new network adapters where possible.[5][6]

.001 Exfiltration Over Bluetooth

Prevent the creation of new network adapters where possible.

Enterprise T1564 .002 Hide Artifacts: Hidden Users

If the computer is domain joined, then group policy can help restrict the ability to create or hide users. Similarly, preventing the modification of the /Library/Preferences/com.apple.loginwindow Hide500Users value will force all users to be visible.

Enterprise T1574 .006 Hijack Execution Flow: Dynamic Linker Hijacking

When System Integrity Protection (SIP) is enabled in macOS, the aforementioned environment variables are ignored when executing protected binaries. Third-party applications can also leverage Apple’s Hardened Runtime, ensuring these environment variables are subject to imposed restrictions.[7] Admins can add restrictions to applications by setting the setuid and/or setgid bits, use entitlements, or have a __RESTRICT segment in the Mach-O binary.

Enterprise T1562 .003 Impair Defenses: Impair Command History Logging

Make sure that the HISTCONTROL environment variable is set to "ignoredups" instead of "ignoreboth" or "ignorespace".

Enterprise T1490 Inhibit System Recovery

Consider technical controls to prevent the disabling of services or deletion of files involved in system recovery.

Enterprise T1036 .007 Masquerading: Double File Extension

Disable the default to "hide file extensions for known file types" in Windows OS.[8][9]

Enterprise T1556 Modify Authentication Process

Ensure only valid password filters are registered. Filter DLLs must be present in Windows installation directory (C:\Windows\System32\ by default) of a domain controller and/or local computer with a corresponding entry in HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Notification Packages.

.002 Password Filter DLL

Ensure only valid password filters are registered. Filter DLLs must be present in Windows installation directory (C:\Windows\System32\ by default) of a domain controller and/or local computer with a corresponding entry in HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Notification Packages.

Enterprise T1135 Network Share Discovery

Enable Windows Group Policy "Do Not Allow Anonymous Enumeration of SAM Accounts and Shares" security setting to limit users who can enumerate network shares.[10]

Enterprise T1003 OS Credential Dumping

Consider disabling or restricting NTLM.[11] Consider disabling WDigest authentication.[12]

.001 LSASS Memory

Consider disabling or restricting NTLM.[11] Consider disabling WDigest authentication.[12]

.002 Security Account Manager

Consider disabling or restricting NTLM.[11]

.005 Cached Domain Credentials

Consider limiting the number of cached credentials (HKLM\SOFTWARE\Microsoft\Windows NT\Current Version\Winlogon\cachedlogonscountvalue)[13]

Enterprise T1542 .005 Pre-OS Boot: TFTP Boot

Follow vendor device hardening best practices to disable unnecessary and unused features and services, avoid using default configurations and passwords, and introduce logging and auditing for detection.

Enterprise T1563 .002 Remote Service Session Hijacking: RDP Hijacking

Change GPOs to define shorter timeouts sessions and maximum amount of time any single session can be active. Change GPOs to specify the maximum amount of time that a disconnected session stays active on the RD session host server.[14]

Enterprise T1021 .001 Remote Services: Remote Desktop Protocol

Change GPOs to define shorter timeouts sessions and maximum amount of time any single session can be active. Change GPOs to specify the maximum amount of time that a disconnected session stays active on the RD session host server.[14]

Enterprise T1053 Scheduled Task/Job

Configure settings for scheduled tasks to force tasks to run under the context of the authenticated account instead of allowing them to run as SYSTEM. The associated Registry key is located at HKLM\SYSTEM\CurrentControlSet\Control\Lsa\SubmitControl. The setting can be configured through GPO: Computer Configuration > [Policies] > Windows Settings > Security Settings > Local Policies > Security Options: Domain Controller: Allow server operators to schedule tasks, set to disabled. [15]

.002 At

Configure settings for scheduled tasks to force tasks to run under the context of the authenticated account instead of allowing them to run as SYSTEM. The associated Registry key is located at HKLM\SYSTEM\CurrentControlSet\Control\Lsa\SubmitControl. The setting can be configured through GPO: Computer Configuration > [Policies] > Windows Settings > Security Settings > Local Policies > Security Options: Domain Controller: Allow server operators to schedule tasks, set to disabled. [15]

.005 Scheduled Task

Configure settings for scheduled tasks to force tasks to run under the context of the authenticated account instead of allowing them to run as SYSTEM. The associated Registry key is located at HKLM\SYSTEM\CurrentControlSet\Control\Lsa\SubmitControl. The setting can be configured through GPO: Computer Configuration > [Policies] > Windows Settings > Security Settings > Local Policies > Security Options: Domain Controller: Allow server operators to schedule tasks, set to disabled. [15]

Enterprise T1553 Subvert Trust Controls

Windows Group Policy can be used to manage root certificates and the Flags value of HKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Root\ProtectedRoots can be set to 1 to prevent non-administrator users from making further root installations into their own HKCU certificate store. [16]

.004 Install Root Certificate

Windows Group Policy can be used to manage root certificates and the Flags value of HKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Root\ProtectedRoots can be set to 1 to prevent non-administrator users from making further root installations into their own HKCU certificate store. [16]

Enterprise T1552 Unsecured Credentials

There are multiple methods of preventing a user's command history from being flushed to their .bash_history file, including use of the following commands:set +o history and set -o history to start logging again;unset HISTFILE being added to a user's .bash_rc file; andln -s /dev/null ~/.bash_history to write commands to /dev/nullinstead.

.003 Bash History

There are multiple methods of preventing a user's command history from being flushed to their .bash_history file, including use of the following commands:set +o history and set -o history to start logging again;unset HISTFILE being added to a user's .bash_rc file; andln -s /dev/null ~/.bash_history to write commands to /dev/nullinstead.

References