Perform regular software updates to mitigate exploitation risk.
| Domain | ID | Sub-ID | Name | Use |
|---|---|---|---|---|
| Enterprise | T1546 | | Event Triggered Execution | Perform regular software updates to mitigate exploitation risk. |
| Enterprise | T1546 | .010 | AppInit DLLs | Upgrade to Windows 8 or later and enable secure boot. |
| Enterprise | T1546 | .011 | Application Shimming | Microsoft released an optional patch update, KB3045645, that removes the "auto-elevate" flag within sdbinst.exe. This prevents the use of application shimming to bypass UAC. |
| Enterprise | T1555 | | Credentials from Password Stores | Perform regular software updates to mitigate exploitation risk. |
| Enterprise | T1555 | .003 | Credentials from Web Browsers | Regularly update web browsers, password managers, and all related software to the latest versions. Keeping software up to date reduces the risk of vulnerabilities being exploited by attackers to extract stored credentials or session cookies. |
| Enterprise | T1555 | .005 | Password Managers | Regularly update web browsers, password managers, and all related software to the latest versions. Keeping software up to date reduces the risk of vulnerabilities being exploited by attackers to extract stored credentials or session cookies. |
| Enterprise | T1602 | | Data from Configuration Repository | Keep system images and software updated and migrate to SNMPv3.[1] |
| Enterprise | T1602 | .001 | SNMP (MIB Dump) | Keep system images and software updated and migrate to SNMPv3.[1] |
| Enterprise | T1602 | .002 | Network Device Configuration Dump | Keep system images and software updated and migrate to SNMPv3.[1] |
| Enterprise | T1550 | .002 | Use Alternate Authentication Material: Pass the Hash | Apply patch KB2871997 to Windows 7 and higher systems to limit the default access of accounts in the local administrator group.[2] |
| Enterprise | T1195 | | Supply Chain Compromise | A patch management process should be implemented to check unused dependencies, unmaintained and/or previously vulnerable dependencies, unnecessary features, components, files, and documentation. |
| Enterprise | T1195 | .001 | Compromise Software Dependencies and Development Tools | A patch management process should be implemented to check unused dependencies, unmaintained and/or previously vulnerable dependencies, unnecessary features, components, files, and documentation. |
| Enterprise | T1195 | .002 | Compromise Software Supply Chain | A patch management process should be implemented to check unused applications, unmaintained and/or previously vulnerable software, unnecessary features, components, files, and documentation. |
| Enterprise | T1212 | | Exploitation for Credential Access | Update software regularly by employing patch management for internal enterprise endpoints and servers. |
| Enterprise | T1190 | | Exploit Public-Facing Application | Update software regularly by employing patch management for externally exposed applications. |
| Enterprise | T1137 | | Office Application Startup | For the Outlook methods, blocking macros may be ineffective, as the Visual Basic engine used for these features is separate from the macro scripting engine.[3] Microsoft has released patches to try to address each issue. Ensure that KB3191938, which blocks Outlook Visual Basic and displays a malicious code warning, KB4011091, which disables custom forms by default, and KB4011162, which removes the legacy Home Page feature, are applied to systems.[4] |
| Enterprise | T1137 | .003 | Outlook Forms | For the Outlook methods, blocking macros may be ineffective, as the Visual Basic engine used for these features is separate from the macro scripting engine.[3] Microsoft has released patches to try to address each issue. Ensure that KB3191938, which blocks Outlook Visual Basic and displays a malicious code warning, KB4011091, which disables custom forms by default, and KB4011162, which removes the legacy Home Page feature, are applied to systems.[4] |
| Enterprise | T1137 | .004 | Outlook Home Page | For the Outlook methods, blocking macros may be ineffective, as the Visual Basic engine used for these features is separate from the macro scripting engine.[3] Microsoft has released patches to try to address each issue. Ensure that KB3191938, which blocks Outlook Visual Basic and displays a malicious code warning, KB4011091, which disables custom forms by default, and KB4011162, which removes the legacy Home Page feature, are applied to systems.[4] |
| Enterprise | T1137 | .005 | Outlook Rules | For the Outlook methods, blocking macros may be ineffective, as the Visual Basic engine used for these features is separate from the macro scripting engine.[3] Microsoft has released patches to try to address each issue. Ensure that KB3191938, which blocks Outlook Visual Basic and displays a malicious code warning, KB4011091, which disables custom forms by default, and KB4011162, which removes the legacy Home Page feature, are applied to systems.[4] |
| Enterprise | T1574 | | Hijack Execution Flow | Update software regularly to include patches that fix DLL side-loading vulnerabilities. |
| Enterprise | T1574 | .002 | DLL Side-Loading | Update software regularly to include patches that fix DLL side-loading vulnerabilities. |
| Enterprise | T1495 | | Firmware Corruption | Patch the BIOS and other firmware as necessary to prevent successful use of known vulnerabilities. |
| Enterprise | T1203 | | Exploitation for Client Execution | Perform regular software updates to mitigate exploitation risk. Keeping software up to date with the latest security patches helps prevent adversaries from exploiting known vulnerabilities in client software, reducing the risk of successful attacks. |
| Enterprise | T1110 | .001 | Brute Force: Password Guessing | Upgrade management services to the latest supported and compatible version, specifically any version providing increased password complexity or policy enforcement that prevents default or weak passwords. |
| Enterprise | T1552 | | Unsecured Credentials | Apply patch KB2962486, which prevents credentials from being stored in GPPs.[5][6] |
| Enterprise | T1552 | .006 | Group Policy Preferences | Apply patch KB2962486, which prevents credentials from being stored in GPPs.[5][6] |
| Enterprise | T1068 | | Exploitation for Privilege Escalation | Update software regularly by employing patch management for internal enterprise endpoints and servers. |
| Enterprise | T1176 | | Browser Extensions | Ensure operating systems and browsers are using the most current version. |
| Enterprise | T1189 | | Drive-by Compromise | Keeping all browsers and plugins updated can help prevent the exploit phase of this technique. Use modern browsers with security features turned on. |
| Enterprise | T1548 | | Abuse Elevation Control Mechanism | Perform regular software updates to mitigate exploitation risk. |
| Enterprise | T1548 | .002 | Bypass User Account Control | Consider updating Windows to the latest version and patch level to utilize the latest protective measures against UAC bypass.[7] |
| Enterprise | T1539 | | Steal Web Session Cookie | Regularly update web browsers, password managers, and all related software to the latest versions. Keeping software up to date reduces the risk of vulnerabilities being exploited by attackers to extract stored credentials or session cookies. |
| Enterprise | T1072 | | Software Deployment Tools | Patch deployment systems regularly to prevent potential remote access through Exploitation for Privilege Escalation. |
| Enterprise | T1210 | | Exploitation of Remote Services | Update software regularly by employing patch management for internal enterprise endpoints and servers. |
| Enterprise | T1211 | | Exploitation for Defense Evasion | Update software regularly by employing patch management for internal enterprise endpoints and servers. |
| Enterprise | T1542 | | Pre-OS Boot | Patch the BIOS and EFI as necessary. |
| Enterprise | T1542 | .001 | System Firmware | Patch the BIOS and EFI as necessary. |
| Enterprise | T1542 | .002 | Component Firmware | Perform regular firmware updates to mitigate risks of exploitation and/or abuse. |