Disable or Remove Feature or Program
Remove or deny access to unnecessary and potentially vulnerable software to prevent abuse by adversaries.
Techniques Addressed by Mitigation
| Domain | ID | Name | Use |
|---|---|---|---|
| Enterprise | T1098.004 | Account Manipulation: SSH Authorized Keys | Disable SSH if it is not necessary on a host, or restrict SSH access for specific users/groups using |
| Enterprise | T1547.007 | Boot or Logon Autostart Execution: Re-opened Applications | This feature can be disabled entirely with the following terminal command: |
| Enterprise | T1059 | Command and Scripting Interpreter | Disable or remove any unnecessary or unused shells or interpreters. |
| Enterprise | T1059.001 | Command and Scripting Interpreter: PowerShell | It may be possible to remove PowerShell from systems when it is not needed, but a review should be performed first to assess the impact on the environment, since PowerShell is often in use for legitimate purposes and administrative functions. Disable or restrict the WinRM service to help prevent use of PowerShell for remote execution. |
| Enterprise | T1059.005 | Command and Scripting Interpreter: Visual Basic | Turn off or restrict access to unneeded VB components. |
| Enterprise | T1059.007 | Command and Scripting Interpreter: JavaScript/JScript | Turn off or restrict access to unneeded scripting components. |
| Enterprise | T1092 | Communication Through Removable Media | Disable Autorun if it is unnecessary. [1] |
| Enterprise | T1546.002 | Event Triggered Execution: Screensaver | Use Group Policy to disable screensavers if they are unnecessary. [2] |
| Enterprise | T1546.014 | Event Triggered Execution: Emond | Consider disabling emond by removing its Launch Daemon plist file. |
| Enterprise | T1011.001 | Exfiltration Over Other Network Medium: Exfiltration Over Bluetooth | Disable Bluetooth in local computer security settings or by Group Policy if it is not needed within the environment. |
| Enterprise | T1052 | Exfiltration Over Physical Medium | Disable Autorun if it is unnecessary. [1] Disallow or restrict removable media at an organizational policy level if it is not required for business operations. [3] |
| Enterprise | T1052.001 | Exfiltration Over Physical Medium: Exfiltration over USB | Disable Autorun if it is unnecessary. [1] Disallow or restrict removable media at an organizational policy level if it is not required for business operations. [3] |
| Enterprise | T1210 | Exploitation of Remote Services | Minimize available services to only those that are necessary. |
| Enterprise | T1133 | External Remote Services | Disable or block remotely available services that may be unnecessary. |
| Enterprise | T1564.006 | Hide Artifacts: Run Virtual Instance | Disable Hyper-V if it is not necessary within a given environment. |
| Enterprise | T1564.007 | Hide Artifacts: VBA Stomping | Turn off or restrict access to unneeded VB components. [4] |
| Enterprise | T1559 | Inter-Process Communication | Registry keys specific to Microsoft Office feature control security can be set to disable automatic DDE/OLE execution. [5][6][7] Microsoft also created, and enabled by default, Registry keys that completely disable DDE execution in Word and Excel. [8] |
| Enterprise | T1559.002 | Inter-Process Communication: Dynamic Data Exchange | Registry keys specific to Microsoft Office feature control security can be set to disable automatic DDE/OLE execution. [5][6][7] Microsoft also created, and enabled by default, Registry keys that completely disable DDE execution in Word and Excel. [8] |
| Enterprise | T1557 | Man-in-the-Middle | Disable legacy network protocols that may be used for MitM if they are not needed within the environment. |
| Enterprise | T1557.001 | Man-in-the-Middle: LLMNR/NBT-NS Poisoning and SMB Relay | Disable LLMNR and NetBIOS in local computer security settings or by Group Policy if they are not needed within the environment. [9] |
| Enterprise | T1557.002 | Man-in-the-Middle: ARP Cache Poisoning | Consider disabling updates to the ARP cache on receipt of gratuitous ARP replies. |
| Enterprise | T1046 | Network Service Scanning | Ensure that unnecessary ports and services are closed to reduce the risk of discovery and potential exploitation. |
| Enterprise | T1137 | Office Application Startup | Follow Office macro security best practices suitable for your environment. Disable Office VBA macros from executing. Disable Office add-ins. If they are required, follow best practices for securing them by requiring them to be signed and disabling user notification for allowing add-ins. For some add-in types (WLL, VBA) additional mitigation is likely required, as disabling add-ins in the Office Trust Center does not disable WLL add-ins, nor does it prevent VBA code from executing. [10] |
| Enterprise | T1137.001 | Office Application Startup: Office Template Macros | Follow Office macro security best practices suitable for your environment. Disable Office VBA macros from executing. Disable Office add-ins. If they are required, follow best practices for securing them by requiring them to be signed and disabling user notification for allowing add-ins. For some add-in types (WLL, VBA) additional mitigation is likely required, as disabling add-ins in the Office Trust Center does not disable WLL add-ins, nor does it prevent VBA code from executing. [10] |
| Enterprise | T1563 | Remote Service Session Hijacking | Disable the remote service (e.g. SSH, RDP) if it is unnecessary. |
| Enterprise | T1563.001 | Remote Service Session Hijacking: SSH Hijacking | Ensure that agent forwarding is disabled on systems that do not explicitly require this feature, to prevent misuse. [11] |
| Enterprise | T1563.002 | Remote Service Session Hijacking: RDP Hijacking | Disable the RDP service if it is unnecessary. |
| Enterprise | T1021.001 | Remote Services: Remote Desktop Protocol | Disable the RDP service if it is unnecessary. |
| Enterprise | T1021.003 | Remote Services: Distributed Component Object Model | Consider disabling DCOM through Dcomcnfg.exe. [12] |
| Enterprise | T1021.004 | Remote Services: SSH | Disable the SSH daemon on systems that do not require it. |
| Enterprise | T1021.005 | Remote Services: VNC | Uninstall any VNC server software where it is not required. |
| Enterprise | T1021.006 | Remote Services: Windows Remote Management | Disable the WinRM service. |
| Enterprise | T1091 | Replication Through Removable Media | Disable Autorun if it is unnecessary. [1] Disallow or restrict removable media at an organizational policy level if it is not required for business operations. [3] |
| Enterprise | T1218 | Signed Binary Proxy Execution | Many native binaries may not be necessary within a given environment. |
| Enterprise | T1218.003 | Signed Binary Proxy Execution: CMSTP | CMSTP.exe may not be necessary within a given environment (unless it is used for VPN connection installation). |
| Enterprise | T1218.004 | Signed Binary Proxy Execution: InstallUtil | InstallUtil may not be necessary within a given environment. |
| Enterprise | T1218.005 | Signed Binary Proxy Execution: Mshta | Mshta.exe may not be necessary within a given environment, since its functionality is tied to older versions of Internet Explorer that have reached end of life. |
| Enterprise | T1218.008 | Signed Binary Proxy Execution: Odbcconf | Odbcconf.exe may not be necessary within a given environment. |
| Enterprise | T1218.009 | Signed Binary Proxy Execution: Regsvcs/Regasm | Regsvcs and Regasm may not be necessary within a given environment. |
| Enterprise | T1218.012 | Signed Binary Proxy Execution: Verclsid | Consider removing verclsid.exe if it is not necessary within a given environment. |
| Enterprise | T1221 | Template Injection | Consider disabling Microsoft Office macros/active content to prevent the execution of malicious payloads in documents [13], though this setting may not mitigate the Forced Authentication use of this technique. |
| Enterprise | T1127 | Trusted Developer Utilities Proxy Execution | Specific developer utilities may not be necessary within a given environment and should be removed if they are not used. |
| Enterprise | T1127.001 | Trusted Developer Utilities Proxy Execution: MSBuild | MSBuild.exe may not be necessary within an environment and should be removed if it is not being used. |
| Enterprise | T1552.005 | Unsecured Credentials: Cloud Instance Metadata API | Disable unnecessary metadata services, and restrict or disable insecure versions of metadata services that are in use, to prevent adversary access. [14] |
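The SSH rows above (T1098.004, T1021.004 and T1563.001) say to restrict the daemon to named users/groups, refuse agent forwarding, or turn sshd off. The following is an added example written for this page, not code from ATT&CK or from any of the cited references. It targets an OpenSSH server (the Windows OpenSSH Server feature, or a Linux host running PowerShell); the group name `ssh-users`, the default config path and the service name `sshd` are assumptions to adjust for the host.

```powershell
# Added example (not from the ATT&CK page). Hardens an OpenSSH server config so
# that only members of the named groups may log in and agent forwarding is refused,
# or disables the sshd service outright. 'ssh-users', the config path default and
# the service name are assumptions for this host.
param(
    [string[]] $AllowedGroups = @('ssh-users'),
    [switch]   $DisableEntirely,
    [string]   $ConfigPath = $(if ($env:OS -eq 'Windows_NT') { Join-Path $env:ProgramData 'ssh\sshd_config' } else { '/etc/ssh/sshd_config' })
)

function Set-SshdDirective {
    # Replace every existing (even commented-out) occurrence of a directive with one
    # authoritative line. If the file has 'Match' blocks the new line goes before the
    # first one: a directive appended after a Match block applies only inside that
    # block, which silently leaves the global setting unchanged.
    param([string] $Path, [string] $Name, [string] $Value)
    $lines   = @(Get-Content -Path $Path -ErrorAction Stop)
    $pattern = '^\s*#?\s*' + [regex]::Escape($Name) + '(\s|$)'
    $kept    = @($lines | Where-Object { $_ -notmatch $pattern })
    $matchAt = -1
    for ($i = 0; $i -lt $kept.Count; $i++) {
        if ($kept[$i] -match '^\s*Match\s') { $matchAt = $i; break }
    }
    $new = "$Name $Value"
    if ($matchAt -lt 0) {
        $out = @($kept) + $new
    } else {
        $before = if ($matchAt -gt 0) { $kept[0..($matchAt - 1)] } else { @() }
        $out = @($before) + $new + @($kept[$matchAt..($kept.Count - 1)])
    }
    # WriteAllLines emits UTF-8 without a BOM on both Windows PowerShell and PowerShell 7;
    # a BOM on the first line would be parsed by sshd as a bad option.
    [System.IO.File]::WriteAllLines($Path, [string[]]$out)
}

$svc       = 'sshd'   # Windows OpenSSH service name; on Linux the unit may be 'ssh' or 'sshd' (assumption)
$onWindows = ($env:OS -eq 'Windows_NT')

if ($DisableEntirely) {
    if ($onWindows) { Stop-Service $svc -ErrorAction SilentlyContinue; Set-Service $svc -StartupType Disabled }
    else            { & systemctl disable --now $svc }
    return
}

Copy-Item -Path $ConfigPath -Destination "$ConfigPath.bak" -Force
Set-SshdDirective -Path $ConfigPath -Name 'AllowGroups'          -Value ($AllowedGroups -join ' ')   # T1098.004 / T1021.004
Set-SshdDirective -Path $ConfigPath -Name 'AllowAgentForwarding' -Value 'no'                         # T1563.001

# Validate before reloading so a typo cannot lock everyone out; roll back on failure.
if (Get-Command sshd -ErrorAction SilentlyContinue) {
    & sshd -t -f $ConfigPath
    if ($LASTEXITCODE -ne 0) {
        Copy-Item -Path "$ConfigPath.bak" -Destination $ConfigPath -Force
        throw "sshd rejected the new configuration; the backup was restored"
    }
}
if ($onWindows) { Restart-Service $svc } else { & systemctl reload $svc }
```

`AllowGroups` is a whitelist: once it is present, any account outside the listed groups is refused even if its key is in `authorized_keys`, which is exactly what limits the damage of a planted key. Keep an interactive session open while applying this and test a fresh login from a second terminal before closing it.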
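The removable-media rows (T1092, T1052, T1052.001 and T1091) all say to disable Autorun and, where business allows, deny removable storage by policy. This added example, not taken from ATT&CK or the cited Microsoft articles, audits the Group Policy backing registry values for those settings and enforces them with `-Apply`. It assumes the policy values can be set locally (in a domain, the same values are delivered by GPO and a local change is overwritten on the next refresh) and must run elevated.

```powershell
# Added example (not from the ATT&CK page). Audits, and with -Apply enforces, the
# policy registry values that disable Autorun on every drive type and deny all
# access to removable storage classes. Run elevated.
param([switch] $Apply)

$desired = @(
    # "Turn off AutoPlay" on all drives: each bit is a drive type, 0xFF covers them all
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'; Name = 'NoDriveTypeAutoRun'; Value = 0xFF }
    # "Default behavior for AutoRun": 1 = never execute autorun.inf commands
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'; Name = 'NoAutorun';          Value = 1 }
    # "All Removable Storage classes: Deny all access" (applies to administrators too)
    @{ Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices';    Name = 'Deny_All';           Value = 1 }
)

function Get-RemovableMediaPolicyState {
    foreach ($d in $desired) {
        $current = (Get-ItemProperty -Path $d.Path -Name $d.Name -ErrorAction SilentlyContinue).($d.Name)
        [pscustomobject]@{
            Setting   = $d.Name
            Current   = $current          # $null means the value is absent and the default applies
            Expected  = $d.Value
            Compliant = ($current -eq $d.Value)
        }
    }
}

function Set-RemovableMediaPolicy {
    foreach ($d in $desired) {
        if (-not (Test-Path $d.Path)) { New-Item -Path $d.Path -Force | Out-Null }
        Set-ItemProperty -Path $d.Path -Name $d.Name -Value $d.Value -Type DWord
    }
    # Explorer reads these at logon; 'gpupdate /force' or a new session applies them to users already signed in.
}

$state = Get-RemovableMediaPolicyState
$state | Format-Table -AutoSize
if ($Apply -and ($state | Where-Object { -not $_.Compliant })) {
    Set-RemovableMediaPolicy
    Get-RemovableMediaPolicyState | Format-Table -AutoSize
}
```

`Deny_All` is the blunt form of the organizational-policy row; if a subset of devices is needed, the same `RemovableStorageDevices` key takes per-class subkeys with `Deny_Read`/`Deny_Write` values instead, so removable disks can be read-only while CD/DVD burning stays denied.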
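The Office rows (T1559/T1559.002, T1137/T1137.001, T1221, T1564.007 and T1059.005) describe the same set of controls: disable VBA macros, require signed add-ins and suppress the notification that lets users allow them, and set the feature-control Registry keys that stop DDE. This is an added example, not code from ATT&CK or the cited advisories; the DDE values are the ones named in ADV170021 [8] and the Dormann advisory [7]. The version key `16.0` (Office 2016 and later, including Microsoft 365) and the application list are assumptions; Office 2013 uses `15.0`.

```powershell
# Added example (not from the ATT&CK page). Reports, and with -Apply sets, the per-user
# Office settings that disable VBA macros, require signed add-ins and turn off DDE.
# '16.0' and the app list are assumptions; these are HKCU values, so run them in the
# user's context (logon script or Group Policy Preferences), not as a one-off admin task.
param([string] $OfficeVersion = '16.0', [string[]] $Apps = @('Word', 'Excel', 'PowerPoint'), [switch] $Apply)

$policy = "HKCU:\Software\Policies\Microsoft\Office\$OfficeVersion"
$user   = "HKCU:\Software\Microsoft\Office\$OfficeVersion"

$settings = @(foreach ($app in $Apps) {
    # Trust Center policy values; these override whatever the user picks in the UI
    @{ Path = "$policy\$app\Security"; Name = 'VBAWarnings';                       Value = 4 }  # 4 = disable all macros without notification (3 = allow only signed)
    @{ Path = "$policy\$app\Security"; Name = 'blockcontentexecutionfrominternet';  Value = 1 }  # files with Mark-of-the-Web never run macros
    @{ Path = "$policy\$app\Security"; Name = 'RequireAddinSig';                   Value = 1 }  # application add-ins must be signed by a trusted publisher
    @{ Path = "$policy\$app\Security"; Name = 'NoTBPromptUnsignedAddin';           Value = 1 }  # no Trust Bar prompt for unsigned add-ins: block silently
})
# DDE feature-control values from ADV170021: Word AllowDDE 0 = DDE disabled; Excel server launch/lookup off
$settings += @{ Path = "$user\Word\Security";  Name = 'AllowDDE';               Value = 0 }
$settings += @{ Path = "$user\Excel\Security"; Name = 'DisableDDEServerLaunch'; Value = 1 }
$settings += @{ Path = "$user\Excel\Security"; Name = 'DisableDDEServerLookup'; Value = 1 }
# Stop automatic link/field update on open, the path by which a DDEAUTO field fires
$settings += @{ Path = "$user\Word\Options";   Name = 'DontUpdateLinks';        Value = 1 }

function Invoke-OfficeHardening {
    [CmdletBinding(SupportsShouldProcess)]
    param([array] $Settings)
    foreach ($s in $Settings) {
        $current = (Get-ItemProperty -Path $s.Path -Name $s.Name -ErrorAction SilentlyContinue).($s.Name)
        if ($current -ne $s.Value -and $PSCmdlet.ShouldProcess("$($s.Path)\$($s.Name)", "set to $($s.Value)")) {
            if (-not (Test-Path $s.Path)) { New-Item -Path $s.Path -Force | Out-Null }
            Set-ItemProperty -Path $s.Path -Name $s.Name -Value $s.Value -Type DWord
            $current = $s.Value
        }
        [pscustomobject]@{ Key = "$($s.Path)\$($s.Name)"; Value = $current; Compliant = ($current -eq $s.Value) }
    }
}

# Without -Apply this only prints "What if:" lines and the compliance table.
Invoke-OfficeHardening -Settings $settings -WhatIf:(-not $Apply) | Format-Table -AutoSize
```

Two caveats the table already hints at: `VBAWarnings = 4` also blocks signed macros, so environments that depend on them use `3` plus a trusted-publisher list; and none of these values touch WLL add-ins, which the T1137 row says need separate handling.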
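For the T1557.001 row, "disable LLMNR and NetBIOS in local computer security settings or by Group Policy", the added example below (written for this page, not taken from ATT&CK or reference [9]) reports which broadcast name-resolution protocols a host still answers and, with `-Apply`, turns both off: LLMNR through the DNS Client policy value, NetBIOS over TCP/IP on every IP-enabled adapter plus the per-interface keys that new adapters inherit. It must run elevated.

```powershell
# Added example (not from the ATT&CK page). Audits and disables LLMNR and NetBIOS over
# TCP/IP, the two protocols a poisoner on the local segment answers on a host's behalf.
# Run elevated; SetTcpipNetbios may report that a reboot is required (return value 1).
param([switch] $Apply)

$llmnrKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient'

function Get-NameResolutionExposure {
    $llmnr    = (Get-ItemProperty -Path $llmnrKey -Name EnableMulticast -ErrorAction SilentlyContinue).EnableMulticast
    $adapters = Get-CimInstance Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE'
    [pscustomobject]@{
        LlmnrEnabled      = ($llmnr -ne 0)     # an absent value means the default, which is enabled
        # TcpipNetbiosOptions: 0 = take the DHCP option (usually on), 1 = enabled, 2 = disabled
        NetbiosOnAdapters = @($adapters | Where-Object { $_.TcpipNetbiosOptions -ne 2 } | Select-Object -ExpandProperty Description)
    }
}

function Disable-BroadcastNameResolution {
    # Group Policy "Turn off multicast name resolution" writes this value
    if (-not (Test-Path $llmnrKey)) { New-Item -Path $llmnrKey -Force | Out-Null }
    Set-ItemProperty -Path $llmnrKey -Name EnableMulticast -Value 0 -Type DWord

    # NetBIOS is a per-adapter setting; apply it to every adapter that currently has an IP
    Get-CimInstance Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE' | ForEach-Object {
        $r = Invoke-CimMethod -InputObject $_ -MethodName SetTcpipNetbios -Arguments @{ TcpipNetbiosOptions = [uint32]2 }
        '{0}: SetTcpipNetbios returned {1}' -f $_.Description, $r.ReturnValue   # 0 = done, 1 = reboot required
    }
    # Adapters that appear later (VPN, docking station) read the per-interface key, so set it everywhere
    Get-ChildItem 'HKLM:\SYSTEM\CurrentControlSet\Services\NetBT\Parameters\Interfaces' |
        ForEach-Object { Set-ItemProperty -Path $_.PSPath -Name NetbiosOptions -Value 2 -Type DWord }
}

Get-NameResolutionExposure
if ($Apply) {
    Disable-BroadcastNameResolution
    Get-NameResolutionExposure
}
```

Turning these off removes the poisoning half of the technique only: a host that still authenticates to an attacker-controlled SMB server by some other route can still be relayed, so this is normally paired with SMB signing, which is a separate mitigation. Expect single-label lookups that relied on NetBIOS to start failing; that is the signal to fix DNS suffixes rather than to re-enable it.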
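Several rows reduce to "disable the remote service if it is unnecessary": RDP (T1021.001, T1563.002), WinRM (T1021.006), DCOM via Dcomcnfg (T1021.003) and Hyper-V (T1564.006), under the general T1133 and T1563 guidance. The added example below, not from ATT&CK or reference [12], turns each of these into a check plus a fix and disables whichever ones are passed in `-Disable`. DCOM is deliberately not in the default list: the `EnableDCOM = N` value that Dcomcnfg.exe writes also breaks local COM activation (WMI, many MMC snap-ins), which is why the page says "consider". Run elevated; the RDP and Hyper-V changes complete at the next reboot.

```powershell
# Added example (not from the ATT&CK page). Reports which remote-access features on this
# host are still reachable and, with -Apply, disables those named in -Disable.
param([string[]] $Disable = @('RDP', 'WinRM', 'HyperV'), [switch] $Apply)

$rdpKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'

$checks = [ordered]@{
    RDP    = @{
        Exposed = { (Get-ItemProperty $rdpKey).fDenyTSConnections -ne 1 -or (Get-Service TermService).Status -eq 'Running' }
        Fix     = {
            Set-ItemProperty $rdpKey -Name fDenyTSConnections -Value 1 -Type DWord        # what "Allow remote connections" toggles
            Disable-NetFirewallRule -DisplayGroup 'Remote Desktop' -ErrorAction SilentlyContinue
            Stop-Service TermService -Force -ErrorAction SilentlyContinue
            Set-Service  TermService -StartupType Disabled
        }
    }
    WinRM  = @{
        Exposed = { (Get-Service WinRM).Status -eq 'Running' }
        Fix     = {
            Disable-PSRemoting -Force -ErrorAction SilentlyContinue   # removes session configs but leaves the listener service up, so also:
            Stop-Service WinRM -Force
            Set-Service  WinRM -StartupType Disabled
            Disable-NetFirewallRule -DisplayGroup 'Windows Remote Management' -ErrorAction SilentlyContinue
        }
    }
    DCOM   = @{
        Exposed = { (Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Ole').EnableDCOM -ne 'N' }
        Fix     = { Set-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Ole' -Name EnableDCOM -Value 'N' }   # the value Dcomcnfg.exe sets; string, not DWORD
    }
    HyperV = @{
        Exposed = { (Get-WindowsOptionalFeature -Online -FeatureName Microsoft-Hyper-V-All -ErrorAction SilentlyContinue).State -eq 'Enabled' }
        Fix     = { Disable-WindowsOptionalFeature -Online -FeatureName Microsoft-Hyper-V-All -NoRestart | Out-Null }
    }
}

function Get-RemoteServiceExposure {
    foreach ($name in $checks.Keys) {
        [pscustomobject]@{ Feature = $name; Exposed = [bool](& $checks[$name].Exposed) }
    }
}

$before = Get-RemoteServiceExposure
$before | Format-Table -AutoSize
if ($Apply) {
    foreach ($f in ($before | Where-Object { $_.Exposed -and $_.Feature -in $Disable })) {
        "Disabling $($f.Feature)"
        & $checks[$f.Feature].Fix
    }
    Get-RemoteServiceExposure | Format-Table -AutoSize
}
```

Run it without `-Apply` first from a management channel you are not about to disable: disabling WinRM from a remote PowerShell session ends that session, and disabling RDP over RDP does the same.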
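The T1218 and T1127 rows say the listed native binaries "may not be necessary" and should be removed if unused, which presupposes knowing where each copy is and whether anything runs it. This added example (not from ATT&CK) builds that inventory: location, file version, signer, and whether a Prefetch entry shows the binary has ever executed on the host. Prefetch is only a heuristic (it is usually disabled on server SKUs, and entries age out), and the search roots are an assumption about where these binaries normally live; run elevated so the Prefetch directory is readable.

```powershell
# Added example (not from the ATT&CK page). Inventories the proxy-execution binaries and
# developer utilities named in the T1218 and T1127 rows so the "is it needed here?"
# review can be answered with data. Search roots and the Prefetch heuristic are assumptions.
$names = 'cmstp.exe', 'InstallUtil.exe', 'mshta.exe', 'odbcconf.exe',
         'regsvcs.exe', 'regasm.exe', 'verclsid.exe', 'MSBuild.exe'

# System32/SysWOW64 hold cmstp, mshta, odbcconf and verclsid; each .NET Framework
# version directory carries its own InstallUtil, RegAsm, RegSvcs and MSBuild.
$roots = @("$env:WINDIR\System32", "$env:WINDIR\SysWOW64") +
         @(Get-ChildItem "$env:WINDIR\Microsoft.NET\Framework*\v*" -Directory -ErrorAction SilentlyContinue | ForEach-Object FullName)

# Visual Studio and Build Tools install further MSBuild copies under Program Files.
$vsMsbuild = Get-ChildItem "$env:ProgramFiles\Microsoft Visual Studio", "${env:ProgramFiles(x86)}\Microsoft Visual Studio" `
                -Recurse -Filter MSBuild.exe -File -ErrorAction SilentlyContinue

function Get-ProxyExecutionBinaryInventory {
    $files = @(Get-ChildItem -Path ($roots | ForEach-Object { "$_\*" }) -Include $names -File -ErrorAction SilentlyContinue) + @($vsMsbuild)
    foreach ($f in $files) {
        $sig = Get-AuthenticodeSignature -FilePath $f.FullName
        # Prefetch keeps one file per executed image, named IMAGE.EXE-<hash>.pf
        $pf  = @(Get-ChildItem -Path "$env:WINDIR\Prefetch" -Filter ('{0}-*.pf' -f $f.Name.ToUpper()) -ErrorAction SilentlyContinue)
        [pscustomobject]@{
            Path            = $f.FullName
            Version         = $f.VersionInfo.FileVersion
            Signer          = if ($sig.Status -eq 'Valid') { $sig.SignerCertificate.Subject } else { "$($sig.Status)" }
            LastRun         = ($pf | Sort-Object LastWriteTime -Descending | Select-Object -First 1).LastWriteTime
            PrefetchEntries = $pf.Count
        }
    }
}

Get-ProxyExecutionBinaryInventory | Sort-Object Path | Format-Table -AutoSize
```

Deleting a file under `System32` is rarely the practical form of "remove": it is owned by TrustedInstaller and servicing puts it back. The usable output of this inventory is the list of paths that have never run here, which is the input to an application-control deny rule and to a detection that fires when one of them does run.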
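The T1552.005 row asks for two things: disable metadata services that are not needed, and restrict the insecure version of those still in use. On EC2 the insecure version is IMDSv1, which answers unauthenticated GETs that an SSRF or open proxy can forward; reference [14] introduced the session-token requirement (IMDSv2) and the hop limit as the fix. The added example below, not from ATT&CK or the AWS post, drives the AWS CLI (assumed installed and credentialed) from PowerShell to find instances that still accept token-less requests and, with `-Apply`, enforce IMDSv2 on them; instance IDs passed in `-NoMetadataNeeded` get the endpoint switched off. Region and instance IDs are assumptions.

```powershell
# Added example (not from the ATT&CK page). Lists EC2 instances whose metadata service
# still answers IMDSv1 (token-less) requests or forwards past one hop, and with -Apply
# enforces IMDSv2 or disables the endpoint. Assumes the AWS CLI is installed and
# credentialed for the target account.
param(
    [string]   $Region = 'us-east-1',
    [string[]] $NoMetadataNeeded = @(),
    [switch]   $Apply
)

function Get-ImdsExposure {
    $query = 'Reservations[].Instances[].{Id:InstanceId,Endpoint:MetadataOptions.HttpEndpoint,' +
             'Tokens:MetadataOptions.HttpTokens,Hops:MetadataOptions.HttpPutResponseHopLimit}'
    $instances = aws ec2 describe-instances --region $Region --query $query --output json | ConvertFrom-Json
    foreach ($i in $instances) {
        [pscustomobject]@{
            Id       = $i.Id
            Endpoint = $i.Endpoint   # enabled / disabled
            Tokens   = $i.Tokens     # optional = IMDSv1 still accepted, required = IMDSv2 only
            Hops     = $i.Hops       # PUT response TTL; >1 lets a container or proxy on the box obtain a token
            Weak     = ($i.Endpoint -eq 'enabled' -and ($i.Tokens -ne 'required' -or $i.Hops -gt 1))
        }
    }
}

function Set-ImdsHardened {
    param([string] $InstanceId, [switch] $DisableEndpoint)
    if ($DisableEndpoint) {
        aws ec2 modify-instance-metadata-options --region $Region --instance-id $InstanceId --http-endpoint disabled | Out-Null
    } else {
        aws ec2 modify-instance-metadata-options --region $Region --instance-id $InstanceId `
            --http-tokens required --http-put-response-hop-limit 1 --http-endpoint enabled | Out-Null
    }
}

$state = Get-ImdsExposure
$state | Format-Table -AutoSize
if ($Apply) {
    foreach ($i in ($state | Where-Object { $_.Weak -or ($_.Id -in $NoMetadataNeeded) })) {
        Set-ImdsHardened -InstanceId $i.Id -DisableEndpoint:($i.Id -in $NoMetadataNeeded)
    }
    Get-ImdsExposure | Format-Table -AutoSize
}
```

Before flipping `--http-tokens` to `required`, check the `MetadataNoToken` CloudWatch metric for the instance: a non-zero count means software on it still makes IMDSv1 calls and will lose credentials when v1 stops answering. A hop limit of 1 also blocks containers on the instance from reaching the service; workloads that legitimately need that use 2, and accept the corresponding exposure.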
References
1. Microsoft. (n.d.). How to disable the Autorun functionality in Windows. Retrieved April 20, 2016.
2. Microsoft. (n.d.). Customizing the Desktop. Retrieved December 5, 2017.
3. Microsoft. (2007, August 31). https://technet.microsoft.com/en-us/library/cc771759(v=ws.10).aspx. Retrieved April 20, 2016.
4. Microsoft. (2020, January 23). How to turn off Visual Basic for Applications when you deploy Office. Retrieved September 17, 2020.
5. Microsoft. (2017, November 8). Microsoft Security Advisory 4053440 - Securely opening Microsoft Office documents that contain Dynamic Data Exchange (DDE) fields. Retrieved November 21, 2017.
6. Cimpanu, C. (2017, December 15). Microsoft Disables DDE Feature in Word to Prevent Further Malware Attacks. Retrieved December 19, 2017.
7. Dormann, W. (2017, October 20). Disable DDEAUTO for Outlook, Word, OneNote, and Excel versions 2010, 2013, 2016. Retrieved February 3, 2018.
8. Microsoft. (2017, December 12). ADV170021 - Microsoft Office Defense in Depth Update. Retrieved February 3, 2018.
9. Metcalf, S. (2016, October 21). Securing Windows Workstations: Developing a Secure Baseline. Retrieved November 17, 2017.
10. Knowles, W. (2017, April 21). Add-In Opportunities for Office Persistence. Retrieved July 3, 2017.
11. Hatch, B. (2004, November 22). SSH and ssh-agent. Retrieved January 8, 2018.
12. Microsoft. (n.d.). Enable or Disable DCOM. Retrieved November 22, 2017.
13. Microsoft. (n.d.). Enable or disable macros in Office files. Retrieved September 13, 2018.
14. MacCarthaigh, C. (2019, November 19). Add defense in depth against open firewalls, reverse proxies, and SSRF vulnerabilities with enhancements to the EC2 Instance Metadata Service. Retrieved October 14, 2020.