Date: May 29, 2025, 5:30:23 AM
Date: Apr 13, 2021, 1:10:22 PM
Editor: Cedric
Name:
Name: MITRE ATT&CK - Enterprise Mitigations
Description:
Description: Enterprise Mitigations from MITRE ATT&CK® © 2020 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation.
| t | 1 | {} | t | 1 | { |
| 2 | "authors": [ | ||||
| 3 | "MITRE ATT&CK®" | ||||
| 4 | ], | ||||
| 5 | "label": "MITRE ATT&CK - Enterprise Mitigations", | ||||
| 6 | "language": "EN", | ||||
| 7 | "refs": [ | ||||
| 8 | "https://attack.mitre.org/mitigations/enterprise/" | ||||
| 9 | ], | ||||
| 10 | "uuid": "355a1506-4d46-4ace-a044-234ba5cc00e4", | ||||
| 11 | "values": [ | ||||
| 12 | { | ||||
| 13 | "code": "M1036 - Account Use Policies", | ||||
| 14 | "description": "Configure features related to account use like login attempt lockouts, specific login times, etc.", | ||||
| 15 | "importance": 0, | ||||
| 16 | "uuid": "5fc7d0fc-e28d-4f7a-a403-7e7bdda88e0d" | ||||
| 17 | }, | ||||
| 18 | { | ||||
| 19 | "code": "M1015 - Active Directory Configuration", | ||||
| 20 | "description": "Configure Active Directory to prevent use of certain techniques; use SID Filtering, etc.", | ||||
| 21 | "importance": 0, | ||||
| 22 | "uuid": "4aa9409f-bf4c-43c4-985b-a1435854c378" | ||||
| 23 | }, | ||||
| 24 | { | ||||
| 25 | "code": "M1049 - Antivirus/Antimalware", | ||||
| 26 | "description": "Use signatures or heuristics to detect malicious software.", | ||||
| 27 | "importance": 0, | ||||
| 28 | "uuid": "26347771-8c53-40f8-8416-de6ebce40d52" | ||||
| 29 | }, | ||||
| 30 | { | ||||
| 31 | "code": "M1013 - Application Developer Guidance", | ||||
| 32 | "description": "This mitigation describes any guidance or training given to developers of applications to avoid introducing security weaknesses that an adversary may be able to take advantage of.", | ||||
| 33 | "importance": 0, | ||||
| 34 | "uuid": "a45f1b4e-169a-4ce9-b1a8-aa3a06eda460" | ||||
| 35 | }, | ||||
| 36 | { | ||||
| 37 | "code": "M1048 - Application Isolation and Sandboxing", | ||||
| 38 | "description": "Restrict execution of code to a virtual environment on or in transit to an endpoint system.", | ||||
| 39 | "importance": 0, | ||||
| 40 | "uuid": "b01fca12-12d0-498b-a2ea-d6d526094393" | ||||
| 41 | }, | ||||
| 42 | { | ||||
| 43 | "code": "M1047 - Audit", | ||||
| 44 | "description": "Perform audits or scans of systems, permissions, insecure software, insecure configurations, etc. to identify potential weaknesses.", | ||||
| 45 | "importance": 0, | ||||
| 46 | "uuid": "fe0afbce-14d2-4fc0-b9d9-0ded2d2d46bf" | ||||
| 47 | }, | ||||
| 48 | { | ||||
| 49 | "code": "M1040 - Behavior Prevention on Endpoint", | ||||
| 50 | "description": "Use capabilities to prevent suspicious behavior patterns from occurring on endpoint systems. This could include suspicious process, file, API call, etc. behavior.", | ||||
| 51 | "importance": 0, | ||||
| 52 | "uuid": "2d4bd512-601b-428d-8c96-93eb0f8ab270" | ||||
| 53 | }, | ||||
| 54 | { | ||||
| 55 | "code": "M1046 - Boot Integrity", | ||||
| 56 | "description": "Use secure methods to boot a system and verify the integrity of the operating system and loading mechanisms.", | ||||
| 57 | "importance": 0, | ||||
| 58 | "uuid": "7b98e144-2052-4365-a644-e439dd0b50f3" | ||||
| 59 | }, | ||||
| 60 | { | ||||
| 61 | "code": "M1045 - Code Signing", | ||||
| 62 | "description": "Enforce binary and application integrity with digital signature verification to prevent untrusted code from executing.", | ||||
| 63 | "importance": 0, | ||||
| 64 | "uuid": "b1bf2dc7-78a8-42d5-8912-3aff922f2c53" | ||||
| 65 | }, | ||||
| 66 | { | ||||
| 67 | "code": "M1043 - Credential Access Protection", | ||||
| 68 | "description": "Use capabilities to prevent successful credential access by adversaries; including blocking forms of credential dumping.", | ||||
| 69 | "importance": 0, | ||||
| 70 | "uuid": "645905d3-2e47-45e8-b61d-35ee230d162c" | ||||
| 71 | }, | ||||
| 72 | { | ||||
| 73 | "code": "M1053 - Data Backup", | ||||
| 74 | "description": "Take and store data backups from end user systems and critical servers. Ensure backup and storage systems are hardened and kept separate from the corporate network to prevent compromise.", | ||||
| 75 | "importance": 0, | ||||
| 76 | "uuid": "f687063a-4811-4782-9e6d-47368554818c" | ||||
| 77 | }, | ||||
| 78 | { | ||||
| 79 | "code": "M1042 - Disable or Remove Feature or Program", | ||||
| 80 | "description": "Remove or deny access to unnecessary and potentially vulnerable software to prevent abuse by adversaries.", | ||||
| 81 | "importance": 0, | ||||
| 82 | "uuid": "479cf2d6-6772-4b07-9e3d-748c3c64acdd" | ||||
| 83 | }, | ||||
| 84 | { | ||||
| 85 | "code": "M1055 - Do Not Mitigate", | ||||
| 86 | "description": "This category is to associate techniques that mitigation might increase risk of compromise and therefore mitigation is not recommended.", | ||||
| 87 | "importance": 0, | ||||
| 88 | "uuid": "a5927ec6-60da-4367-8e4e-a6db261c2433" | ||||
| 89 | }, | ||||
| 90 | { | ||||
| 91 | "code": "M1041 - Encrypt Sensitive Information", | ||||
| 92 | "description": "Protect sensitive information with strong encryption.", | ||||
| 93 | "importance": 0, | ||||
| 94 | "uuid": "5c4c5b69-fc94-4922-b9a3-c7a621faaca8" | ||||
| 95 | }, | ||||
| 96 | { | ||||
| 97 | "code": "M1039 - Environment Variable Permissions", | ||||
| 98 | "description": "Prevent modification of environment variables by unauthorized users and groups.", | ||||
| 99 | "importance": 0, | ||||
| 100 | "uuid": "2ffd3b45-aa5f-4363-a6e9-c9c8dec111b6" | ||||
| 101 | }, | ||||
| 102 | { | ||||
| 103 | "code": "M1038 - Execution Prevention", | ||||
| 104 | "description": "Block execution of code on a system through application whitelisting, blacklisting, and/or script blocking.", | ||||
| 105 | "importance": 0, | ||||
| 106 | "uuid": "4d4ea32d-ec56-4eba-b22a-0ef3a1946a21" | ||||
| 107 | }, | ||||
| 108 | { | ||||
| 109 | "code": "M1050 - Exploit Protection", | ||||
| 110 | "description": "Use capabilities to detect and block conditions that may lead to or be indicative of a software exploit occurring.", | ||||
| 111 | "importance": 0, | ||||
| 112 | "uuid": "25a8c89c-382f-4431-87ea-3b886e07c1ab" | ||||
| 113 | }, | ||||
| 114 | { | ||||
| 115 | "code": "M1037 - Filter Network Traffic", | ||||
| 116 | "description": "Use network appliances to filter ingress or egress traffic and perform protocol-based filtering. Configure software on endpoints to filter network traffic.", | ||||
| 117 | "importance": 0, | ||||
| 118 | "uuid": "c50e3dd7-d87b-498c-892c-d0683c38b1e1" | ||||
| 119 | }, | ||||
| 120 | { | ||||
| 121 | "code": "M1035 - Limit Access to Resource Over Network", | ||||
| 122 | "description": "Prevent access to file shares, remote access to systems, unnecessary services. Mechanisms to limit access may include use of network concentrators, RDP gateways, etc.", | ||||
| 123 | "importance": 0, | ||||
| 124 | "uuid": "bb516ce1-5241-428b-ad41-ef292ef4b691" | ||||
| 125 | }, | ||||
| 126 | { | ||||
| 127 | "code": "M1034 - Limit Hardware Installation", | ||||
| 128 | "description": "Block users or groups from installing or using unapproved hardware on systems, including USB devices.", | ||||
| 129 | "importance": 0, | ||||
| 130 | "uuid": "ac4469fb-cfa0-4979-8a0e-d5137e1cf750" | ||||
| 131 | }, | ||||
| 132 | { | ||||
| 133 | "code": "M1033 - Limit Software Installation", | ||||
| 134 | "description": "Block users or groups from installing unapproved software.", | ||||
| 135 | "importance": 0, | ||||
| 136 | "uuid": "cdddeaa0-0ff7-4dda-8d8d-2836bd65862f" | ||||
| 137 | }, | ||||
| 138 | { | ||||
| 139 | "code": "M1032 - Multi-factor Authentication", | ||||
| 140 | "description": "Use two or more pieces of evidence to authenticate to a system; such as username and password in addition to a token from a physical smart card or token generator.", | ||||
| 141 | "importance": 0, | ||||
| 142 | "uuid": "65bcbe9f-e7cb-4262-b5d4-dddc79bb4740" | ||||
| 143 | }, | ||||
| 144 | { | ||||
| 145 | "code": "M1031 - Network Intrusion Prevention", | ||||
| 146 | "description": "Use intrusion detection signatures to block traffic at network boundaries.", | ||||
| 147 | "importance": 0, | ||||
| 148 | "uuid": "cd1c61bb-0655-4d10-93a8-4f19fe409802" | ||||
| 149 | }, | ||||
| 150 | { | ||||
| 151 | "code": "M1030 - Network Segmentation", | ||||
| 152 | "description": "Architect sections of the network to isolate critical systems, functions, or resources. Use physical and logical segmentation to prevent access to potentially sensitive systems and information. Use a DMZ to contain any internet-facing services that should not be exposed from the internal network.", | ||||
| 153 | "importance": 0, | ||||
| 154 | "uuid": "992b2dff-d6d5-4af8-adf6-e05a21c48fcb" | ||||
| 155 | }, | ||||
| 156 | { | ||||
| 157 | "code": "M1028 - Operating System Configuration", | ||||
| 158 | "description": "Make configuration changes related to the operating system or a common feature of the operating system that result in system hardening against techniques.", | ||||
| 159 | "importance": 0, | ||||
| 160 | "uuid": "33242a01-d66e-4361-9cd0-6c84e5ed405a" | ||||
| 161 | }, | ||||
| 162 | { | ||||
| 163 | "code": "M1027 - Password Policies", | ||||
| 164 | "description": "Set and enforce secure password policies for accounts.", | ||||
| 165 | "importance": 0, | ||||
| 166 | "uuid": "87f7ae7d-d7af-40e5-8e26-ed046e49ecec" | ||||
| 167 | }, | ||||
| 168 | { | ||||
| 169 | "code": "M1026 - Privileged Account Management", | ||||
| 170 | "description": "Manage the creation, modification, use, and permissions associated to privileged accounts, including SYSTEM and root.", | ||||
| 171 | "importance": 0, | ||||
| 172 | "uuid": "237dc8eb-d3e8-4561-80c9-d6c10f3101dd" | ||||
| 173 | }, | ||||
| 174 | { | ||||
| 175 | "code": "M1025 - Privileged Process Integrity", | ||||
| 176 | "description": "Protect processes with high privileges that can be used to interact with critical system components through use of protected process light, anti-process injection defenses, or other process integrity enforcement measures.", | ||||
| 177 | "importance": 0, | ||||
| 178 | "uuid": "4f82cb16-f43a-4032-bebb-63e901dc669d" | ||||
| 179 | }, | ||||
| 180 | { | ||||
| 181 | "code": "M1029 - Remote Data Storage", | ||||
| 182 | "description": "Use remote security log and sensitive file storage where access can be controlled better to prevent exposure of intrusion detection log data or sensitive information.", | ||||
| 183 | "importance": 0, | ||||
| 184 | "uuid": "cb442fee-310a-4bd4-a5ac-0607a1132d80" | ||||
| 185 | }, | ||||
| 186 | { | ||||
| 187 | "code": "M1022 - Restrict File and Directory Permissions", | ||||
| 188 | "description": "Restrict access by setting directory and file permissions that are not specific to users or privileged accounts.", | ||||
| 189 | "importance": 0, | ||||
| 190 | "uuid": "556d2fa4-ec80-4012-8d42-cf2aa003883c" | ||||
| 191 | }, | ||||
| 192 | { | ||||
| 193 | "code": "M1044 - Restrict Library Loading", | ||||
| 194 | "description": "Prevent abuse of library loading mechanisms in the operating system and software to load untrusted code by configuring appropriate library loading mechanisms and investigating potential vulnerable software.", | ||||
| 195 | "importance": 0, | ||||
| 196 | "uuid": "81ff3e62-c8a5-437d-90af-a90a77a7240b" | ||||
| 197 | }, | ||||
| 198 | { | ||||
| 199 | "code": "M1024 - Restrict Registry Permissions", | ||||
| 200 | "description": "Restrict the ability to modify certain hives or keys in the Windows Registry.", | ||||
| 201 | "importance": 0, | ||||
| 202 | "uuid": "4a464358-5cb8-471b-8f42-b222cff6ee23" | ||||
| 203 | }, | ||||
| 204 | { | ||||
| 205 | "code": "M1021 - Restrict Web-Based Content", | ||||
| 206 | "description": "Restrict use of certain websites, block downloads/attachments, block Javascript, restrict browser extensions, etc.", | ||||
| 207 | "importance": 0, | ||||
| 208 | "uuid": "0874d800-bded-4bd1-a5a8-d68f83db734e" | ||||
| 209 | }, | ||||
| 210 | { | ||||
| 211 | "code": "M1054 - Software Configuration", | ||||
| 212 | "description": "Implement configuration changes to software (other than the operating system) to mitigate security risks associated to how the software operates.", | ||||
| 213 | "importance": 0, | ||||
| 214 | "uuid": "7a99e33f-0fb4-487a-b965-f19d7c6d0977" | ||||
| 215 | }, | ||||
| 216 | { | ||||
| 217 | "code": "M1020 - SSL/TLS Inspection", | ||||
| 218 | "description": "Break and inspect SSL/TLS sessions to look at encrypted web traffic for adversary activity.", | ||||
| 219 | "importance": 0, | ||||
| 220 | "uuid": "e4cf1546-a2cb-4d8d-8bd2-a88bd60b2fb4" | ||||
| 221 | }, | ||||
| 222 | { | ||||
| 223 | "code": "M1019 - Threat Intelligence Program", | ||||
| 224 | "description": "A threat intelligence program helps an organization generate their own threat intelligence information and track trends to inform defensive priorities to mitigate risk.", | ||||
| 225 | "importance": 0, | ||||
| 226 | "uuid": "1af3aa74-5d49-4285-a9d1-a15cc9fb84b9" | ||||
| 227 | }, | ||||
| 228 | { | ||||
| 229 | "code": "M1051 - Update Software", | ||||
| 230 | "description": "Perform regular software updates to mitigate exploitation risk.", | ||||
| 231 | "importance": 0, | ||||
| 232 | "uuid": "541d848f-2672-42f6-be1c-6b1b0f76100e" | ||||
| 233 | }, | ||||
| 234 | { | ||||
| 235 | "code": "M1052 - User Account Control", | ||||
| 236 | "description": "Configure Windows User Account Control to mitigate risk of adversaries obtaining elevated process access.", | ||||
| 237 | "importance": 0, | ||||
| 238 | "uuid": "3d3be1de-7d06-4f89-a8a5-c73e06384f4d" | ||||
| 239 | }, | ||||
| 240 | { | ||||
| 241 | "code": "M1018 - User Account Management", | ||||
| 242 | "description": "Manage the creation, modification, use, and permissions associated to user accounts.", | ||||
| 243 | "importance": 0, | ||||
| 244 | "uuid": "8d1fcda5-0e35-43c8-aab5-2b2bebf97c4c" | ||||
| 245 | }, | ||||
| 246 | { | ||||
| 247 | "code": "M1017 - User Training", | ||||
| 248 | "description": "Train users to to be aware of access or manipulation attempts by an adversary to reduce the risk of successful spearphishing, social engineering, and other techniques that involve user interaction.", | ||||
| 249 | "importance": 0, | ||||
| 250 | "uuid": "9e318f0b-0864-4150-a50c-6e1118dd69e7" | ||||
| 251 | }, | ||||
| 252 | { | ||||
| 253 | "code": "M1016 - Vulnerability Scanning", | ||||
| 254 | "description": "Vulnerability scanning is used to find potentially exploitable software vulnerabilities to remediate them.", | ||||
| 255 | "importance": 0, | ||||
| 256 | "uuid": "406160f2-9c33-44c2-b1d2-852478fe050d" | ||||
| 257 | } | ||||
| 258 | ], | ||||
| 259 | "version": 6.3 | ||||
| 260 | } |