1. Home
  2. Mitigations
  3. Disable or Remove Feature or Program

Disable or Remove Feature or Program

Remove or deny access to unnecessary and potentially vulnerable software to prevent abuse by adversaries.

ID: M1042
Version: 1.1
Created: 11 June 2019
Last Modified: 31 March 2020
Enterprise Layer
download view

Techniques Addressed by Mitigation

Domain ID Name Use
Enterprise T1557 中间人攻击

Disable legacy network protocols that may be used to intercept network traffic if applicable, especially those that are not needed within an environment.
.001 LLMNR/NBT-NS Poisoning and SMB Relay

Disable LLMNR and NetBIOS in local computer security settings or by group policy if they are not needed within an environment. [1]
.002 ARP Cache Poisoning

Consider disabling updating the ARP cache on gratuitous ARP replies.
Enterprise T1595 .003 主动扫描: Wordlist Scanning

Remove or disable access to any systems, resources, and infrastructure that are not explicitly required to be available externally.
Enterprise T1546 .002 事件触发执行: Screensaver

Use Group Policy to disable screensavers if they are unnecessary.[2]
.014 事件触发执行: Emond

Consider disabling emond by removing the Launch Daemon plist file.
Enterprise T1555 .004 从密码存储中获取凭证: Windows Credential Manager

Consider enabling the "Network access: Do not allow storage of passwords and credentials for network authentication" setting that will prevent network credentials from being stored by the Credential Manager.[3]
Enterprise T1137 办公应用启动

Follow Office macro security best practices suitable for your environment. Disable Office VBA macros from executing.

Disable Office add-ins. If they are required, follow best practices for securing them by requiring them to be signed and disabling user notification for allowing add-ins. For some add-ins types (WLL, VBA) additional mitigation is likely required as disabling add-ins in the Office Trust Center does not disable WLL nor does it prevent VBA code from executing. [4]
.001 Office Template Macros

Follow Office macro security best practices suitable for your environment. Disable Office VBA macros from executing.

Disable Office add-ins. If they are required, follow best practices for securing them by requiring them to be signed and disabling user notification for allowing add-ins. For some add-ins types (WLL, VBA) additional mitigation is likely required as disabling add-ins in the Office Trust Center does not disable WLL nor does it prevent VBA code from executing. [4]
Enterprise T1127 可信开发者工具代理执行

Specific developer utilities may not be necessary within a given environment and should be removed if not used.
.001 MSBuild

MSBuild.exe may not be necessary within an environment and should be removed if not being used.
.002 ClickOnce

Disable ClickOnce installations from the internet using the following registry key: \HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\Security\TrustManager\PromptingLevel — Internet:Disabled[5][6]

ClickOnce may not be necessary within an environment and should be disabled if not being used.
Enterprise T1547 .007 启动或登录自动启动执行: Re-opened Applications

This feature can be disabled entirely with the following terminal command: defaults write -g ApplePersistence -bool no.
Enterprise T1059 命令与脚本解释器

Disable or remove any unnecessary or unused shells or interpreters.
.001 PowerShell

It may be possible to remove PowerShell from systems when not needed, but a review should be performed to assess the impact to an environment, since it could be in use for many legitimate purposes and administrative functions.

Disable/restrict the WinRM Service to help prevent uses of PowerShell for remote execution.
.005 Visual Basic

Turn off or restrict access to unneeded VB components.
.007 JavaScript

Turn off or restrict access to unneeded scripting components.
Enterprise T1133 外部远程服务

Disable or block remotely available services that may be unnecessary.
Enterprise T1562 .010 妨碍防御: Downgrade Attack

Consider removing previous versions of tools that are unnecessary to the environment when possible.
Enterprise T1609 容器管理命令

Remove unnecessary tools and software from containers.
Enterprise T1505 服务器软件组件

Consider disabling software components from servers when possible to prevent abuse by adversaries.[7]
.003 Web Shell

Consider disabling functions from web technologies such as PHP’s evaI() that may be abused for web shells.[7]
Enterprise T1552 .005 未加密凭证: Cloud Instance Metadata API

Disable unnecessary metadata services and restrict or disable insecure versions of metadata services that are in use to prevent adversary access.[8]
Enterprise T1221 模板注入

Consider disabling Microsoft Office macros/active content to prevent the execution of malicious payloads in documents [9], though this setting may not mitigate the Forced Authentication use for this technique.
Enterprise T1205 流量激活

Disable Wake-on-LAN if it is not needed within an environment.
Enterprise T1114 .003 电子邮件收集: Email Forwarding Rule

Consider disabling external email forwarding.[10]
Enterprise T1649 窃取或伪造身份认证证书

Consider disabling old/dangerous authentication protocols (e.g. NTLM), as well as unnecessary certificate features, such as potentially vulnerable AD CS web and other enrollment server roles.[11]
Enterprise T1218 系统二进制代理执行

Many native binaries may not be necessary within a given environment.
.003 CMSTP

CMSTP.exe may not be necessary within a given environment (unless using it for VPN connection installation).
.004 InstallUtil

InstallUtil may not be necessary within a given environment.
.005 Mshta

Mshta.exe may not be necessary within a given environment since its functionality is tied to older versions of Internet Explorer that have reached end of life.
.007 Msiexec

Consider disabling the AlwaysInstallElevated policy to prevent elevated execution of Windows Installer packages.[12]
.008 Odbcconf

Odbcconf.exe may not be necessary within a given environment.
.009 Regsvcs/Regasm

Regsvcs and Regasm may not be necessary within a given environment.
.012 Verclsid

Consider removing verclsid.exe if it is not necessary within a given environment.
.013 Mavinject

Consider removing mavinject.exe if Microsoft App-V is not used within a given environment.
.014 MMC

MMC may not be necessary within a given environment since it is primarily used by system administrators, not regular users or clients.

.015 Electron Applications

Remove or deny access to unnecessary and potentially vulnerable software and features to prevent abuse by adversaries. Many native binaries may not be necessary within a given environment: for example, consider disabling the Node.js integration in all renderers that display remote content to protect users by limiting adversaries’ power to plant malicious JavaScript within Electron applications.[13]
Enterprise T1046 网络服务发现

Ensure that unnecessary ports and services are closed to prevent risk of discovery and potential exploitation.
Enterprise T1098 账号操控

Remove unnecessary and potentially abusable authentication and authorization mechanisms where possible.
.001 Additional Cloud Credentials

Remove unnecessary and potentially abusable authentication mechanisms where possible. For example, in Entra ID environments, disable the app password feature unless explicitly required.

.002 Additional Email Delegate Permissions

If email delegation is not required, disable it. In Google Workspace this can be accomplished through the Google Admin console.[14]
.004 SSH Authorized Keys

Disable SSH if it is not necessary on a host or restrict SSH access for specific users/groups using /etc/ssh/sshd_config.
Enterprise T1559 进程间通信

Registry keys specific to Microsoft Office feature control security can be set to disable automatic DDE/OLE execution. [15][16][17] Microsoft also created, and enabled by default, Registry keys to completely disable DDE execution in Word and Excel.[18]
.002 Dynamic Data Exchange

Registry keys specific to Microsoft Office feature control security can be set to disable automatic DDE/OLE execution. [15][16][17] Microsoft also created, and enabled by default, Registry keys to completely disable DDE execution in Word and Excel.[18]
Enterprise T1021 远程服务

If remote services, such as the ability to make direct connections to cloud virtual machines, are not required, disable these connection types where feasible.
.001 Remote Desktop Protocol

Disable the RDP service if it is unnecessary.
.003 Distributed Component Object Model

Consider disabling DCOM through Dcomcnfg.exe.[19]
.004 SSH

Disable the SSH daemon on systems that do not require it. For macOS ensure Remote Login is disabled under Sharing Preferences.[20]
.005 VNC

Uninstall any VNC server software where not required.
.006 Windows Remote Management

Disable the WinRM service.
.008 Direct Cloud VM Connections

If direct virtual machine connections are not required for administrative use, disable these connection types where feasible.
Enterprise T1563 远程服务会话劫持

Disable the remote service (ex: SSH, RDP, etc.) if it is unnecessary.
.001 SSH Hijacking

Ensure that agent forwarding is disabled on systems that do not explicitly require this feature to prevent misuse. [21]
.002 RDP Hijacking

Disable the RDP service if it is unnecessary.
Enterprise T1210 远程服务漏洞利用

Minimize available services to only those that are necessary.
Enterprise T1219 远程访问软件

Consider disabling unnecessary remote connection functionality, including both unapproved software installations and specific features built into supported applications.
Enterprise T1611 逃逸至主机

Remove unnecessary tools and software from containers.
Enterprise T1011 通过其他网络介质渗出

Disable WiFi connection, modem, cellular data connection, Bluetooth, or another radio frequency (RF) channel in local computer security settings or by group policy if it is not needed within an environment.
.001 Exfiltration Over Bluetooth

Disable Bluetooth in local computer security settings or by group policy if it is not needed within an environment.
Enterprise T1091 通过可移动媒体复制

Disable Autorun if it is unnecessary. [22] Disallow or restrict removable media at an organizational policy level if it is not required for business operations. [23]
Enterprise T1092 通过可移动媒体通信

Disable Autoruns if it is unnecessary.[22]
Enterprise T1052 通过物理介质渗出

Disable Autorun if it is unnecessary. [22] Disallow or restrict removable media at an organizational policy level if they are not required for business operations. [23]
.001 Exfiltration over USB

Disable Autorun if it is unnecessary. [22] Disallow or restrict removable media at an organizational policy level if they are not required for business operations. [23]
Enterprise T1564 .006 隐藏伪装: Run Virtual Instance

Disable Hyper-V if not necessary within a given environment.
.007 隐藏伪装: VBA Stomping

Turn off or restrict access to unneeded VB components.[24]
Enterprise T1553 .005 颠覆信任控制: Mark-of-the-Web Bypass

Consider disabling auto-mounting of disk image files (i.e., .iso, .img, .vhd, and .vhdx). This can be achieved by modifying the Registry values related to the Windows Explorer file associations in order to disable the automatic Explorer "Mount and Burn" dialog for these file extensions. Note: this will not deactivate the mount functionality itself.[25]

References

  1. Metcalf, S. (2016, October 21). Securing Windows Workstations: Developing a Secure Baseline. Retrieved November 17, 2017.
  2. Microsoft. (n.d.). Customizing the Desktop. Retrieved December 5, 2017.
  3. Microsoft. (2016, August 31). Network access: Do not allow storage of passwords and credentials for network authentication. Retrieved November 23, 2020.
  4. Knowles, W. (2017, April 21). Add-In Opportunities for Office Persistence. Retrieved July 3, 2017.
  5. Ryan Gandrud. (2015, March 23). All You Need Is One – A ClickOnce Love Story. Retrieved September 9, 2024.
  6. Microsoft. (2023, August 4). Configure the ClickOnce trust prompt behavior. Retrieved September 9, 2024.
  7. Kondratiev, A. (n.d.). Disabling dangerous PHP functions. Retrieved July 26, 2021.
  8. MacCarthaigh, C. (2019, November 19). Add defense in depth against open firewalls, reverse proxies, and SSRF vulnerabilities with enhancements to the EC2 Instance Metadata Service. Retrieved October 14, 2020.
  9. Microsoft. (n.d.). Enable or disable macros in Office files. Retrieved September 13, 2018.
  10. Carr, N., Sellmer, S. (2021, June 14). Behind the scenes of business email compromise: Using cross-domain threat data to disrupt a large BEC campaign. Retrieved June 15, 2021.
  11. Schroeder, W. & Christensen, L. (2021, June 22). Certified Pre-Owned - Abusing Active Directory Certificate Services. Retrieved August 2, 2022.
  12. Microsoft. (2018, May 31). AlwaysInstallElevated. Retrieved December 14, 2020.
  13. Stack Overflow. (n.d.). Why do I see an "Electron Security Warning" after updating my Electron project to the latest version?. Retrieved March 7, 2024.
  1. Google. (n.d.). Turn Gmail delegation on or off. Retrieved April 1, 2022.
  2. Microsoft. (2017, November 8). Microsoft Security Advisory 4053440 - Securely opening Microsoft Office documents that contain Dynamic Data Exchange (DDE) fields. Retrieved November 21, 2017.
  3. Cimpanu, C. (2017, December 15). Microsoft Disables DDE Feature in Word to Prevent Further Malware Attacks. Retrieved December 19, 2017.
  4. Dormann, W. (2017, October 20). Disable DDEAUTO for Outlook, Word, OneNote, and Excel versions 2010, 2013, 2016. Retrieved February 3, 2018.
  5. Microsoft. (2017, December 12). ADV170021 - Microsoft Office Defense in Depth Update. Retrieved February 3, 2018.
  6. Microsoft. (n.d.). Enable or Disable DCOM. Retrieved November 22, 2017.
  7. Sarah Edwards. (2020, April 30). Analysis of Apple Unified Logs: Quarantine Edition [Entry 6] – Working From Home? Remote Logins. Retrieved August 19, 2021.
  8. Hatch, B. (2004, November 22). SSH and ssh-agent. Retrieved January 8, 2018.
  9. Microsoft. (n.d.). How to disable the Autorun functionality in Windows. Retrieved April 20, 2016.
  10. Microsoft. (2007, August 31). https://technet.microsoft.com/en-us/library/cc771759(v=ws.10).aspx. Retrieved April 20, 2016.
  11. Microsoft. (2020, January 23). How to turn off Visual Basic for Applications when you deploy Office. Retrieved September 17, 2020.
  12. wdormann. (2019, August 29). Disable Windows Explorer file associations for Disc Image Mount. Retrieved April 16, 2022.