1. Home
  2. Mitigations
  3. Exploit Protection

Exploit Protection

Use capabilities to detect and block conditions that may lead to or be indicative of a software exploit occurring.

ID: M1050
Version: 1.1
Created: 11 June 2019
Last Modified: 20 June 2020
Enterprise Layer
download view

Techniques Addressed by Mitigation

Domain ID Name Use
Enterprise T1212 凭据访问漏洞利用

Security applications that look for behavior used during exploitation such as Windows Defender Exploit Guard (WDEG) and the Enhanced Mitigation Experience Toolkit (EMET) can be used to mitigate some exploitation behavior.[1] Control flow integrity checking is another way to potentially identify and stop a software exploit from occurring.[2] Many of these protections depend on the architecture and target application binary for compatibility and may not work for software targeted for defense evasion.
Enterprise T1190 利用公开应用程序漏洞

Web Application Firewalls may be used to limit exposure of applications to prevent exploit traffic from reaching the application.
Enterprise T1203 客户端执行漏洞利用

Security applications that look for behavior used during exploitation such as Windows Defender Exploit Guard (WDEG) and the Enhanced Mitigation Experience Toolkit (EMET) can be used to mitigate some exploitation behavior. [1] Control flow integrity checking is another way to potentially identify and stop a software exploit from occurring. [2] Many of these protections depend on the architecture and target application binary for compatibility.
Enterprise T1068 权限提升漏洞利用

Security applications that look for behavior used during exploitation such as Windows Defender Exploit Guard (WDEG) and the Enhanced Mitigation Experience Toolkit (EMET) can be used to mitigate some exploitation behavior. [1] Control flow integrity checking is another way to potentially identify and stop a software exploit from occurring. [2] Many of these protections depend on the architecture and target application binary for compatibility and may not work for software components targeted for privilege escalation.
Enterprise T1080 污染共享内容

Use utilities that detect or mitigate common features used in exploitation, such as the Microsoft Enhanced Mitigation Experience Toolkit (EMET).
Enterprise T1189 浏览器攻击

Security applications that look for behavior used during exploitation such as Windows Defender Exploit Guard (WDEG) and the Enhanced Mitigation Experience Toolkit (EMET) can be used to mitigate some exploitation behavior. [1] Control flow integrity checking is another way to potentially identify and stop a software exploit from occurring. [2] Many of these protections depend on the architecture and target application binary for compatibility.
Enterprise T1218 系统二进制代理执行

Microsoft's Enhanced Mitigation Experience Toolkit (EMET) Attack Surface Reduction (ASR) feature can be used to block methods of using using trusted binaries to bypass application control.
.010 Regsvr32

Microsoft's Enhanced Mitigation Experience Toolkit (EMET) Attack Surface Reduction (ASR) feature can be used to block regsvr32.exe from being used to bypass application control. [3] Identify and block potentially malicious software executed through regsvr32 functionality by using application control [4] tools, like Windows Defender Application Control[5], AppLocker, [6] [7] or Software Restriction Policies [8] where appropriate. [9]
.011 Rundll32

Microsoft's Enhanced Mitigation Experience Toolkit (EMET) Attack Surface Reduction (ASR) feature can be used to block methods of using rundll32.exe to bypass application control.
.015 Electron Applications

Microsoft's Enhanced Mitigation Experience Toolkit (EMET) Attack Surface Reduction (ASR) feature can be used to block methods of using trusted binaries to bypass application control. Ensure that Electron is updated to the latest version and critical vulnerabilities (such as nodeIntegration bypasses) are patched and cannot be exploited.
Enterprise T1210 远程服务漏洞利用

Security applications that look for behavior used during exploitation such as Windows Defender Exploit Guard (WDEG) and the Enhanced Mitigation Experience Toolkit (EMET) can be used to mitigate some exploitation behavior. [1] Control flow integrity checking is another way to potentially identify and stop a software exploit from occurring. [2] Many of these protections depend on the architecture and target application binary for compatibility and may not work for all software or services targeted.
Enterprise T1211 防御规避漏洞利用

Security applications that look for behavior used during exploitation such as Windows Defender Exploit Guard (WDEG) and the Enhanced Mitigation Experience Toolkit (EMET) can be used to mitigate some exploitation behavior. [1] Control flow integrity checking is another way to potentially identify and stop a software exploit from occurring. [2] Many of these protections depend on the architecture and target application binary for compatibility and may not work for software targeted for defense evasion.

References

  1. Nunez, N. (2017, August 9). Moving Beyond EMET II – Windows Defender Exploit Guard. Retrieved March 12, 2018.
  2. Wikipedia. (2018, January 11). Control-flow integrity. Retrieved March 12, 2018.
  3. National Security Agency. (2016, May 4). Secure Host Baseline EMET. Retrieved June 22, 2016.
  4. Beechey, J. (2010, December). Application Whitelisting: Panacea or Propaganda?. Retrieved November 18, 2014.
  5. Gorzelany, A., Hall, J., Poggemeyer, L.. (2019, January 7). Windows Defender Application Control. Retrieved July 16, 2019.
  1. Tomonaga, S. (2016, January 26). Windows Commands Abused by Attackers. Retrieved February 2, 2016.
  2. NSA Information Assurance Directorate. (2014, August). Application Whitelisting Using Microsoft AppLocker. Retrieved March 31, 2016.
  3. Corio, C., & Sayana, D. P. (2008, June). Application Lockdown with Software Restriction Policies. Retrieved September 12, 2024.
  4. Microsoft. (2012, June 27). Using Software Restriction Policies and AppLocker Policies. Retrieved April 7, 2016.