From 29f9384b6a29793bf2b009213af91d57c5ead702 Mon Sep 17 00:00:00 2001 From: Ilija Lazoroski Date: Mon, 27 Sep 2021 18:42:03 +0200 Subject: [PATCH 01/22] Deployment: Initial commit for mongo export utility --- deployment_scripts/dump_attack_mitigations.py | 60 +++++++++++++++++++ 1 file changed, 60 insertions(+) create mode 100644 deployment_scripts/dump_attack_mitigations.py diff --git a/deployment_scripts/dump_attack_mitigations.py b/deployment_scripts/dump_attack_mitigations.py new file mode 100644 index 000000000..39885d469 --- /dev/null +++ b/deployment_scripts/dump_attack_mitigations.py 
@@ -0,0 +1,60 @@ +import argparse + +import pymongo + +parser = argparse.ArgumentParser(description="Export attack mitigations from a database") +parser.add_argument( + "-host", "--mongo_host", default="localhost", help="URL for mongo database.", required=False +) +parser.add_argument( + "-port", + "--mongo_port", + action="store", + default=27017, + type=int, + help="Port for mongo database. Default 27017", + required=False, +) +parser.add_argument( + "-db", + "--database_name", + action="store", + default="monkeyisland", + help="Database name inside of mongo.", + required=False, +) +parser.add_argument( + "-cn", + "--collection_name", + action="store", + default="attack_mitigations", + help="Which collection are we going to export", + required=False, +) +args = parser.parse_args() + + +def connect_to_mongo(mongo_host: str, mongo_port: int, database_name: str) -> pymongo.MongoClient: + client = pymongo.MongoClient(host=mongo_host, port=mongo_port) + database = client.get_database(database_name) + return database + + +def collection_exists(mongodb: pymongo.MongoClient, collection_name: str) -> bool: + collections = mongodb.list_collection_names() + return collection_name in collections + + +def clean_collection(mongodb: pymongo.MongoClient, collection_name: str): + if collection_exists(mongodb, collection_name): + mongodb.drop_collection(collection_name) + + +def main(): + mongodb = connect_to_mongo(args.mongo_host, args.mongo_port, args.database_name) + + clean_collection(mongodb, args.collection_name) + + +if __name__ == "__main__": + main() From 7bcfc6d27adddc857261f9dabea073e36d0f65bb Mon Sep 17 00:00:00 2001 From: Mike Salvatore Date: Tue, 28 Sep 2021 11:46:32 -0400 Subject: [PATCH 02/22] Deployment: Make dump_attack_mitigations.py executable --- deployment_scripts/dump_attack_mitigations.py | 0 1 file changed, 0 insertions(+), 0 deletions(-) mode change 100644 => 100755 deployment_scripts/dump_attack_mitigations.py 
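Review bot: The parser description says this utility exports attack mitigations, but the only action `main()` performs is `clean_collection`, which drops the `attack_mitigations` collection with no confirmation, dry-run flag or export step, so running the "export" tool against a live `monkeyisland` database destroys the data it claims to export. Until the export path exists, an explicit guard such as `parser.add_argument("--force", action="store_true", help="Drop the collection without confirmation")` checked before `drop_collection` would make the destructive step deliberate rather than the default. The annotations are also off: `connect_to_mongo` returns `client.get_database(...)`, a `pymongo.database.Database`, not a `pymongo.MongoClient`, and `collection_exists`/`clean_collection` receive that same Database object, so `-> pymongo.database.Database` is the accurate hint on all three.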
diff --git a/deployment_scripts/dump_attack_mitigations.py b/deployment_scripts/dump_attack_mitigations.py old mode 100644 new mode 100755 From 38f50641a55ded53406a8a1cc3d4b3121bc2e951 Mon Sep 17 00:00:00 2001 From: Mike Salvatore Date: Tue, 28 Sep 2021 12:01:16 -0400 Subject: [PATCH 03/22] Deployment: Wrap argument parsing in function --- deployment_scripts/dump_attack_mitigations.py | 63 ++++++++++--------- 1 file changed, 33 insertions(+), 30 deletions(-) diff --git a/deployment_scripts/dump_attack_mitigations.py b/deployment_scripts/dump_attack_mitigations.py index 39885d469..6ca92f8b7 100755 --- a/deployment_scripts/dump_attack_mitigations.py +++ b/deployment_scripts/dump_attack_mitigations.py 
@@ -2,36 +2,38 @@ import argparse import pymongo -parser = argparse.ArgumentParser(description="Export attack mitigations from a database") -parser.add_argument( - "-host", "--mongo_host", default="localhost", help="URL for mongo database.", required=False -) -parser.add_argument( - "-port", - "--mongo_port", - action="store", - default=27017, - type=int, - help="Port for mongo database. Default 27017", - required=False, -) -parser.add_argument( - "-db", - "--database_name", - action="store", - default="monkeyisland", - help="Database name inside of mongo.", - required=False, -) -parser.add_argument( - "-cn", - "--collection_name", - action="store", - default="attack_mitigations", - help="Which collection are we going to export", - required=False, -) -args = parser.parse_args() + +def parse_args(): + parser = argparse.ArgumentParser(description="Export attack mitigations from a database") + parser.add_argument( + "-host", "--mongo_host", default="localhost", help="URL for mongo database.", required=False + ) + parser.add_argument( + "-port", + "--mongo_port", + action="store", + default=27017, + type=int, + help="Port for mongo database. Default 27017", + required=False, + ) + parser.add_argument( + "-db", + "--database_name", + action="store", + default="monkeyisland", + help="Database name inside of mongo.", + required=False, + ) + parser.add_argument( + "-cn", + "--collection_name", + action="store", + default="attack_mitigations", + help="Which collection are we going to export", + required=False, + ) + return parser.parse_args() def connect_to_mongo(mongo_host: str, mongo_port: int, database_name: str) -> pymongo.MongoClient: @@ -51,6 +53,7 @@ def clean_collection(mongodb: pymongo.MongoClient, collection_name: str): def main(): + args = parse_args() mongodb = connect_to_mongo(args.mongo_host, args.mongo_port, args.database_name) clean_collection(mongodb, args.collection_name) From 82c83858634523d3f19e363702d5d982fdc19c71 Mon Sep 17 00:00:00 2001 
From: Mike Salvatore Date: Tue, 28 Sep 2021 12:02:52 -0400 Subject: [PATCH 04/22] Deployment: Reorder functions in dump_attack_mitigations.py --- deployment_scripts/dump_attack_mitigations.py | 20 +++++++++---------- 1 file changed, 10 insertions(+), 10 deletions(-) diff --git a/deployment_scripts/dump_attack_mitigations.py b/deployment_scripts/dump_attack_mitigations.py index 6ca92f8b7..573d54d9d 100755 --- a/deployment_scripts/dump_attack_mitigations.py +++ b/deployment_scripts/dump_attack_mitigations.py @@ -3,6 +3,13 @@ import argparse import pymongo +def main(): + args = parse_args() + mongodb = connect_to_mongo(args.mongo_host, args.mongo_port, args.database_name) + + clean_collection(mongodb, args.collection_name) + + def parse_args(): parser = argparse.ArgumentParser(description="Export attack mitigations from a database") parser.add_argument( @@ -42,21 +49,14 @@ def connect_to_mongo(mongo_host: str, mongo_port: int, database_name: str) -> py return database -def collection_exists(mongodb: pymongo.MongoClient, collection_name: str) -> bool: - collections = mongodb.list_collection_names() - return collection_name in collections - - def clean_collection(mongodb: pymongo.MongoClient, collection_name: str): if collection_exists(mongodb, collection_name): mongodb.drop_collection(collection_name) -def main(): - args = parse_args() - mongodb = connect_to_mongo(args.mongo_host, args.mongo_port, args.database_name) - - clean_collection(mongodb, args.collection_name) +def collection_exists(mongodb: pymongo.MongoClient, collection_name: str) -> bool: + collections = mongodb.list_collection_names() + return collection_name in collections if __name__ == "__main__": From 6de33bfd572045ffaef822b4c9eee4d35dfcec9c Mon Sep 17 00:00:00 2001 
From: Mike Salvatore Date: Tue, 28 Sep 2021 14:18:58 -0400 Subject: [PATCH 05/22] Deployment: Import ATT&CK data into mongo --- deployment_scripts/attack_mitigations.py | 65 +++++++++ deployment_scripts/dump_attack_mitigations.py | 125 ++++++++++++++---- 2 files changed, 167 insertions(+), 23 deletions(-) create mode 100644 deployment_scripts/attack_mitigations.py diff --git a/deployment_scripts/attack_mitigations.py b/deployment_scripts/attack_mitigations.py new file mode 100644 index 000000000..95e3a09e6 --- /dev/null +++ b/deployment_scripts/attack_mitigations.py 
@@ -0,0 +1,65 @@ +from typing import Dict + +from mongoengine import Document, EmbeddedDocument, EmbeddedDocumentField, ListField, StringField +from stix2 import AttackPattern, CourseOfAction + + +class Mitigation(EmbeddedDocument): + name = StringField(required=True) + description = StringField(required=True) + url = StringField() + + @staticmethod + def get_from_stix2_data(mitigation: CourseOfAction): + name = mitigation["name"] + description = mitigation["description"] + url = get_stix2_external_reference_url(mitigation) + return Mitigation(name=name, description=description, url=url) + + +class AttackMitigations(Document): + technique_id = StringField(required=True, primary_key=True) + mitigations = ListField(EmbeddedDocumentField("Mitigation")) + + def add_mitigation(self, mitigation: CourseOfAction): + mitigation_external_ref_id = get_stix2_external_reference_id(mitigation) + if mitigation_external_ref_id.startswith("M"): + self.mitigations.append(Mitigation.get_from_stix2_data(mitigation)) + + def add_no_mitigations_info(self, mitigation: CourseOfAction): + mitigation_external_ref_id = get_stix2_external_reference_id(mitigation) + if mitigation_external_ref_id.startswith("T") and len(self.mitigations) == 0: + mitigation_mongo_object = Mitigation.get_from_stix2_data(mitigation) + mitigation_mongo_object["description"] = mitigation_mongo_object[ + "description" + ].splitlines()[0] + mitigation_mongo_object["url"] = "" + self.mitigations.append(mitigation_mongo_object) + + @staticmethod + def dict_from_stix2_attack_patterns(stix2_dict: Dict[str, AttackPattern]): + return { + key: AttackMitigations.mitigations_from_attack_pattern(attack_pattern) + for key, attack_pattern in stix2_dict.items() + } + + @staticmethod + def mitigations_from_attack_pattern(attack_pattern: AttackPattern): + return AttackMitigations( + technique_id=get_stix2_external_reference_id(attack_pattern), + mitigations=[], + ) + + +def get_stix2_external_reference_url(stix2_data) -> str: + for 
reference in stix2_data["external_references"]: + if "url" in reference: + return reference["url"] + return "" + + +def get_stix2_external_reference_id(stix2_data) -> str: + for reference in stix2_data["external_references"]: + if reference["source_name"] == "mitre-attack" and "external_id" in reference: + return reference["external_id"] + return "" diff --git a/deployment_scripts/dump_attack_mitigations.py b/deployment_scripts/dump_attack_mitigations.py index 573d54d9d..a8c164ca5 100755 --- a/deployment_scripts/dump_attack_mitigations.py +++ b/deployment_scripts/dump_attack_mitigations.py 
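Review bot: `get_stix2_external_reference_url` returns the `url` of the first external reference that has one regardless of `source_name`, while its sibling `get_stix2_external_reference_id` filters on `source_name == "mitre-attack"`; the mitigation URL persisted to Mongo therefore depends on the ordering of `external_references` in the CTI data and could silently become a citation link instead of the attack.mitre.org page. Applying the same filter keeps the two helpers consistent: `if reference["source_name"] == "mitre-attack" and "url" in reference:`. Separately, `add_no_mitigations_info` calls `.splitlines()[0]` on the description, which raises `IndexError` if a course-of-action ever ships with an empty description; taking `.splitlines()[:1]` or checking for an empty string first avoids that crash. Nothing in these helpers or the callers' filters excludes objects flagged `revoked` or `x_mitre_deprecated`, so deprecated technique and mitigation entries presumably end up in the dump as well — worth confirming that is intended.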
@@ -1,62 +1,141 @@ import argparse +from pathlib import Path +from typing import Dict, List +import mongoengine import pymongo +from attack_mitigations import AttackMitigations +from bson import json_util +from stix2 import AttackPattern, CourseOfAction, FileSystemSource, Filter + +COLLECTION_NAME = "attack_mitigations" def main(): args = parse_args() - mongodb = connect_to_mongo(args.mongo_host, args.mongo_port, args.database_name) - clean_collection(mongodb, args.collection_name) + set_default_mongo_connection(args.database_name, args.mongo_host, args.mongo_port) + + mongo_client = pymongo.MongoClient(host=args.mongo_host, port=args.mongo_port) + database = mongo_client.get_database(args.database_name) + + clean_collection(database) + populate_attack_mitigations(database, Path(args.cti_repo)) + dump_attack_mitigations(database, Path(args.dump_file_path)) def parse_args(): - parser = argparse.ArgumentParser(description="Export attack mitigations from a database") - parser.add_argument( - "-host", "--mongo_host", default="localhost", help="URL for mongo database.", required=False + parser = argparse.ArgumentParser( + description="Export attack mitigations from a database", + formatter_class=argparse.ArgumentDefaultsHelpFormatter, ) parser.add_argument( - "-port", - "--mongo_port", + "--mongo_host", default="localhost", help="URL for mongo database.", required=False + ) + parser.add_argument( + "--mongo-port", action="store", default=27017, type=int, - help="Port for mongo database. 
Default 27017", + help="Port for mongo database.", required=False, ) parser.add_argument( - "-db", - "--database_name", + "--database-name", action="store", default="monkeyisland", help="Database name inside of mongo.", required=False, ) parser.add_argument( - "-cn", - "--collection_name", + "--cti-repo", action="store", default="attack_mitigations", - help="Which collection are we going to export", + help="The path to the Cyber Threat Intelligence Repository.", + required=True, + ) + parser.add_argument( + "--dump-file-path", + action="store", + default="./attack_mitigations.json", + help="A file path where the database dump will be saved.", required=False, ) + return parser.parse_args() -def connect_to_mongo(mongo_host: str, mongo_port: int, database_name: str) -> pymongo.MongoClient: - client = pymongo.MongoClient(host=mongo_host, port=mongo_port) - database = client.get_database(database_name) - return database +def set_default_mongo_connection(database_name: str, host: str, port: int): + mongoengine.connect(db=database_name, host=host, port=port) -def clean_collection(mongodb: pymongo.MongoClient, collection_name: str): - if collection_exists(mongodb, collection_name): - mongodb.drop_collection(collection_name) +def clean_collection(database: pymongo.database.Database): + if collection_exists(database, COLLECTION_NAME): + database.drop_collection(COLLECTION_NAME) -def collection_exists(mongodb: pymongo.MongoClient, collection_name: str) -> bool: - collections = mongodb.list_collection_names() - return collection_name in collections +def collection_exists(database: pymongo.database.Database, collection_name: str) -> bool: + return collection_name in database.list_collection_names() + + +def populate_attack_mitigations(database: pymongo.database.Database, cti_repo: Path): + database.create_collection(COLLECTION_NAME) + attack_data_path = cti_repo / "enterprise-attack" + + stix2_mitigations = get_all_mitigations(attack_data_path) + mongo_mitigations = 
AttackMitigations.dict_from_stix2_attack_patterns( + get_all_attack_techniques(attack_data_path) + ) + mitigation_technique_relationships = get_technique_and_mitigation_relationships( + attack_data_path + ) + for relationship in mitigation_technique_relationships: + mongo_mitigations[relationship["target_ref"]].add_mitigation( + stix2_mitigations[relationship["source_ref"]] + ) + for relationship in mitigation_technique_relationships: + mongo_mitigations[relationship["target_ref"]].add_no_mitigations_info( + stix2_mitigations[relationship["source_ref"]] + ) + for key, mongo_object in mongo_mitigations.items(): + mongo_object.save() + + +def get_all_mitigations(attack_data_path: Path) -> Dict[str, CourseOfAction]: + file_system = FileSystemSource(attack_data_path) + mitigation_filter = [Filter("type", "=", "course-of-action")] + all_mitigations = file_system.query(mitigation_filter) + all_mitigations = {mitigation["id"]: mitigation for mitigation in all_mitigations} + return all_mitigations + + +def get_all_attack_techniques(attack_data_path: Path) -> Dict[str, AttackPattern]: + file_system = FileSystemSource(attack_data_path) + technique_filter = [Filter("type", "=", "attack-pattern")] + all_techniques = file_system.query(technique_filter) + all_techniques = {technique["id"]: technique for technique in all_techniques} + return all_techniques + + +def get_technique_and_mitigation_relationships(attack_data_path: Path) -> List[CourseOfAction]: + file_system = FileSystemSource(attack_data_path) + technique_filter = [ + Filter("type", "=", "relationship"), + Filter("relationship_type", "=", "mitigates"), + ] + all_techniques = file_system.query(technique_filter) + return all_techniques + + +def dump_attack_mitigations(database: pymongo.database.Database, dump_file_path: Path): + if not collection_exists(database, COLLECTION_NAME): + raise Exception(f"Could not find collection: {COLLECTION_NAME}") + + collection = database.get_collection(COLLECTION_NAME) + 
collection_contents = collection.find() + + with open(dump_file_path, "wb") as jsonfile: + jsonfile.write(json_util.dumps(collection_contents).encode()) if __name__ == "__main__": From 36b13d0db980fac9da5e5d68ded145ee0788f62a Mon Sep 17 00:00:00 2001 From: Ilija Lazoroski Date: Wed, 29 Sep 2021 14:35:15 +0200 Subject: [PATCH 06/22] Island: Remove attack-data submodule Removed submodule with its fork. Remove usage of the submodule. Fixed monkey_island.spec Added attack_mitigations dump. Added hook for above file. --- .gitmodules | 3 -- .../cc/services/attack/attack_data | 1 - .../cc/services/attack/mitre_api_interface.py | 38 ------------------- .../cc/setup/mongo/attack_mitigations.json | 1 + .../cc/setup/mongo/database_initializer.py | 19 +--------- monkey/monkey_island/monkey_island.spec | 2 +- .../attack/test_mitre_api_interface.py | 24 +++++++----- 7 files changed, 18 insertions(+), 70 deletions(-) delete mode 160000 monkey/monkey_island/cc/services/attack/attack_data create mode 100644 monkey/monkey_island/cc/setup/mongo/attack_mitigations.json diff --git a/.gitmodules b/.gitmodules index 2fb33dd37..814297e5c 100644 --- a/.gitmodules +++ b/.gitmodules @@ -1,6 +1,3 @@ -[submodule "monkey/monkey_island/cc/services/attack/attack_data"] - path = monkey/monkey_island/cc/services/attack/attack_data - url = https://github.com/guardicore/cti [submodule "docs/themes/learn"] path = docs/themes/learn url = https://github.com/guardicode/hugo-theme-learn.git diff --git a/monkey/monkey_island/cc/services/attack/attack_data b/monkey/monkey_island/cc/services/attack/attack_data deleted file mode 160000 index fb8942b1a..000000000 --- a/monkey/monkey_island/cc/services/attack/attack_data +++ /dev/null @@ -1 +0,0 @@ -Subproject commit fb8942b1a10f4e734ed75542f2ccae7cbd72c46d diff --git a/monkey/monkey_island/cc/services/attack/mitre_api_interface.py b/monkey/monkey_island/cc/services/attack/mitre_api_interface.py index 596f4d498..48ecb7c9a 100644 
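Review bot: `--cti-repo` keeps `default="attack_mitigations"`, left over from the `--collection_name` argument it replaced, while also being `required=True`; with `ArgumentDefaultsHelpFormatter` the help output now advertises a collection name as the default repository path, so the `default="attack_mitigations",` line should simply be removed. `get_technique_and_mitigation_relationships` is annotated `-> List[CourseOfAction]` but its filter selects `type == "relationship"` objects, so the return type misleads both readers and type checkers. The option names are also mixed: `--mongo_host` uses an underscore while `--mongo-port`, `--database-name`, `--cti-repo` and `--dump-file-path` use hyphens. Finally the description still reads "Export attack mitigations from a database" although `main()` first drops and re-creates the collection before dumping it; stating in the description that the collection is rebuilt from the CTI repository would warn an operator before pointing this at a live instance.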
--- a/monkey/monkey_island/cc/services/attack/mitre_api_interface.py +++ b/monkey/monkey_island/cc/services/attack/mitre_api_interface.py @@ -1,42 +1,4 @@ -import os -from typing import Dict, List - -from stix2 import AttackPattern, CourseOfAction, FileSystemSource, Filter - -from monkey_island.cc.server_utils.consts import MONKEY_ISLAND_ABS_PATH - - class MitreApiInterface: - ATTACK_DATA_PATH = os.path.join( - MONKEY_ISLAND_ABS_PATH, "cc", "services", "attack", "attack_data", "enterprise-attack" - ) - - @staticmethod - def get_all_mitigations() -> Dict[str, CourseOfAction]: - file_system = FileSystemSource(MitreApiInterface.ATTACK_DATA_PATH) - mitigation_filter = [Filter("type", "=", "course-of-action")] - all_mitigations = file_system.query(mitigation_filter) - all_mitigations = {mitigation["id"]: mitigation for mitigation in all_mitigations} - return all_mitigations - - @staticmethod - def get_all_attack_techniques() -> Dict[str, AttackPattern]: - file_system = FileSystemSource(MitreApiInterface.ATTACK_DATA_PATH) - technique_filter = [Filter("type", "=", "attack-pattern")] - all_techniques = file_system.query(technique_filter) - all_techniques = {technique["id"]: technique for technique in all_techniques} - return all_techniques - - @staticmethod - def get_technique_and_mitigation_relationships() -> List[CourseOfAction]: - file_system = FileSystemSource(MitreApiInterface.ATTACK_DATA_PATH) - technique_filter = [ - Filter("type", "=", "relationship"), - Filter("relationship_type", "=", "mitigates"), - ] - all_techniques = file_system.query(technique_filter) - return all_techniques - @staticmethod def get_stix2_external_reference_id(stix2_data) -> str: for reference in stix2_data["external_references"]: diff --git a/monkey/monkey_island/cc/setup/mongo/attack_mitigations.json b/monkey/monkey_island/cc/setup/mongo/attack_mitigations.json new file mode 100644 index 000000000..d851d2435 --- /dev/null +++ b/monkey/monkey_island/cc/setup/mongo/attack_mitigations.json 
@@ -0,0 +1 @@ +[{"_id": "T1066", "mitigations": [{"name": "Indicator Removal from Tools Mitigation", "description": "Mitigation is difficult in instances like this because the adversary may have access to the system through another channel and can learn what techniques or tools are blocked by resident defenses. Exercising best practices with configuration and security as well as ensuring that proper process is followed during investigation of potential compromise is essential to detecting a larger intrusion through discrete alerts.", "url": ""}]}, {"_id": "T1047", "mitigations": [{"name": "Privileged Account Management", "description": "Manage the creation, modification, use, and permissions associated to privileged accounts, including SYSTEM and root.", "url": "https://attack.mitre.org/mitigations/M1026"}, {"name": "User Account Management", "description": "Manage the creation, modification, use, and permissions associated to user accounts.", "url": "https://attack.mitre.org/mitigations/M1018"}]}, {"_id": "T1156", "mitigations": [{"name": "Restrict File and Directory Permissions", "description": "Restrict access by setting directory and file permissions that are not specific to users or privileged accounts.", "url": "https://attack.mitre.org/mitigations/M1022"}]}, {"_id": "T1113", "mitigations": [{"name": "Screen Capture Mitigation", "description": "Blocking software based on screen capture functionality may be difficult, and there may be legitimate software that performs those actions. Instead, identify potentially malicious software that may have functionality to acquire screen captures, and audit and/or block it by using whitelisting (Citation: Beechey 2010) tools, like AppLocker, (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) or Software Restriction Policies (Citation: Corio 2008) where appropriate. 
(Citation: TechNet Applocker vs SRP)", "url": ""}]}, {"_id": "T1067", "mitigations": [{"name": "Privileged Account Management", "description": "Manage the creation, modification, use, and permissions associated to privileged accounts, including SYSTEM and root.", "url": "https://attack.mitre.org/mitigations/M1026"}, {"name": "Boot Integrity", "description": "Use secure methods to boot a system and verify the integrity of the operating system and loading mechanisms.", "url": "https://attack.mitre.org/mitigations/M1046"}]}, {"_id": "T1037", "mitigations": [{"name": "Restrict File and Directory Permissions", "description": "Restrict access by setting directory and file permissions that are not specific to users or privileged accounts.", "url": "https://attack.mitre.org/mitigations/M1022"}]}, {"_id": "T1033", "mitigations": [{"name": "System Owner/User Discovery Mitigation", "description": "Identify unnecessary system utilities or potentially malicious software that may be used to acquire information about system users, and audit and/or block them by using whitelisting (Citation: Beechey 2010) tools, like AppLocker, (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) or Software Restriction Policies (Citation: Corio 2008) where appropriate. (Citation: TechNet Applocker vs SRP)", "url": ""}]}, {"_id": "T1143", "mitigations": [{"name": "Execution Prevention", "description": "Block execution of code on a system through application whitelisting, blacklisting, and/or script blocking.", "url": "https://attack.mitre.org/mitigations/M1038"}]}, {"_id": "T1161", "mitigations": [{"name": "Audit", "description": "Perform audits or scans of systems, permissions, insecure software, insecure configurations, etc. 
to identify potential weaknesses.", "url": "https://attack.mitre.org/mitigations/M1047"}, {"name": "Execution Prevention", "description": "Block execution of code on a system through application whitelisting, blacklisting, and/or script blocking.", "url": "https://attack.mitre.org/mitigations/M1038"}, {"name": "Code Signing", "description": "Enforce binary and application integrity with digital signature verification to prevent untrusted code from executing.", "url": "https://attack.mitre.org/mitigations/M1045"}]}, {"_id": "T1150", "mitigations": [{"name": "Restrict File and Directory Permissions", "description": "Restrict access by setting directory and file permissions that are not specific to users or privileged accounts.", "url": "https://attack.mitre.org/mitigations/M1022"}]}, {"_id": "T1148", "mitigations": [{"name": "Environment Variable Permissions", "description": "Prevent modification of environment variables by unauthorized users and groups.", "url": "https://attack.mitre.org/mitigations/M1039"}, {"name": "Operating System Configuration", "description": "Make configuration changes related to the operating system or a common feature of the operating system that result in system hardening against techniques.", "url": "https://attack.mitre.org/mitigations/M1028"}]}, {"_id": "T1003", "mitigations": [{"name": "Password Policies", "description": "Set and enforce secure password policies for accounts.", "url": "https://attack.mitre.org/mitigations/M1027"}, {"name": "User Training", "description": "Train users to to be aware of access or manipulation attempts by an adversary to reduce the risk of successful spearphishing, social engineering, and other techniques that involve user interaction.", "url": "https://attack.mitre.org/mitigations/M1017"}, {"name": "Privileged Account Management", "description": "Manage the creation, modification, use, and permissions associated to privileged accounts, including SYSTEM and root.", "url": 
"https://attack.mitre.org/mitigations/M1026"}, {"name": "Privileged Process Integrity", "description": "Protect processes with high privileges that can be used to interact with critical system components through use of protected process light, anti-process injection defenses, or other process integrity enforcement measures.", "url": "https://attack.mitre.org/mitigations/M1025"}, {"name": "Credential Access Protection", "description": "Use capabilities to prevent successful credential access by adversaries; including blocking forms of credential dumping.", "url": "https://attack.mitre.org/mitigations/M1043"}, {"name": "Active Directory Configuration", "description": "Configure Active Directory to prevent use of certain techniques; use SID Filtering, etc.", "url": "https://attack.mitre.org/mitigations/M1015"}, {"name": "Operating System Configuration", "description": "Make configuration changes related to the operating system or a common feature of the operating system that result in system hardening against techniques.", "url": "https://attack.mitre.org/mitigations/M1028"}]}, {"_id": "T1129", "mitigations": [{"name": "Execution Prevention", "description": "Block execution of code on a system through application whitelisting, blacklisting, and/or script blocking.", "url": "https://attack.mitre.org/mitigations/M1038"}]}, {"_id": "T1492", "mitigations": [{"name": "Encrypt Sensitive Information", "description": "Protect sensitive information with strong encryption.", "url": "https://attack.mitre.org/mitigations/M1041"}, {"name": "Restrict File and Directory Permissions", "description": "Restrict access by setting directory and file permissions that are not specific to users or privileged accounts.", "url": "https://attack.mitre.org/mitigations/M1022"}, {"name": "Remote Data Storage", "description": "Use remote security log and sensitive file storage where access can be controlled better to prevent exposure of intrusion detection log data or sensitive information.", 
"url": "https://attack.mitre.org/mitigations/M1029"}]}, {"_id": "T1006", "mitigations": [{"name": "File System Logical Offsets Mitigation", "description": "Identify potentially malicious software that may be used to access logical drives in this manner, and audit and/or block it by using whitelisting (Citation: Beechey 2010) tools, like AppLocker, (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) or Software Restriction Policies (Citation: Corio 2008) where appropriate. (Citation: TechNet Applocker vs SRP)", "url": ""}]}, {"_id": "T1044", "mitigations": [{"name": "Audit", "description": "Perform audits or scans of systems, permissions, insecure software, insecure configurations, etc. to identify potential weaknesses.", "url": "https://attack.mitre.org/mitigations/M1047"}, {"name": "User Account Control", "description": "Configure Windows User Account Control to mitigate risk of adversaries obtaining elevated process access.", "url": "https://attack.mitre.org/mitigations/M1052"}, {"name": "User Account Management", "description": "Manage the creation, modification, use, and permissions associated to user accounts.", "url": "https://attack.mitre.org/mitigations/M1018"}]}, {"_id": "T1171", "mitigations": [{"name": "Filter Network Traffic", "description": "Use network appliances to filter ingress or egress traffic and perform protocol-based filtering. 
Configure software on endpoints to filter network traffic.", "url": "https://attack.mitre.org/mitigations/M1037"}, {"name": "Disable or Remove Feature or Program", "description": "Remove or deny access to unnecessary and potentially vulnerable software to prevent abuse by adversaries.", "url": "https://attack.mitre.org/mitigations/M1042"}]}, {"_id": "T1014", "mitigations": [{"name": "Rootkit Mitigation", "description": "Identify potentially malicious software that may contain rootkit functionality, and audit and/or block it by using whitelisting (Citation: Beechey 2010) tools, like AppLocker, (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) or Software Restriction Policies (Citation: Corio 2008) where appropriate. (Citation: TechNet Applocker vs SRP)", "url": ""}]}, {"_id": "T1501", "mitigations": [{"name": "Limit Software Installation", "description": "Block users or groups from installing unapproved software.", "url": "https://attack.mitre.org/mitigations/M1033"}, {"name": "User Account Management", "description": "Manage the creation, modification, use, and permissions associated to user accounts.", "url": "https://attack.mitre.org/mitigations/M1018"}, {"name": "Restrict File and Directory Permissions", "description": "Restrict access by setting directory and file permissions that are not specific to users or privileged accounts.", "url": "https://attack.mitre.org/mitigations/M1022"}, {"name": "Privileged Account Management", "description": "Manage the creation, modification, use, and permissions associated to privileged accounts, including SYSTEM and root.", "url": "https://attack.mitre.org/mitigations/M1026"}]}, {"_id": "T1514", "mitigations": [{"name": "Execution Prevention", "description": "Block execution of code on a system through application whitelisting, blacklisting, and/or script blocking.", "url": "https://attack.mitre.org/mitigations/M1038"}]}, {"_id": "T1123", "mitigations": [{"name": "Audio Capture Mitigation", "description": 
"Mitigating this technique specifically may be difficult as it requires fine-grained API control. Efforts should be focused on preventing unwanted or unknown code from executing on a system.", "url": ""}]}, {"_id": "T1133", "mitigations": [{"name": "Network Segmentation", "description": "Architect sections of the network to isolate critical systems, functions, or resources. Use physical and logical segmentation to prevent access to potentially sensitive systems and information. Use a DMZ to contain any internet-facing services that should not be exposed from the internal network.", "url": "https://attack.mitre.org/mitigations/M1030"}, {"name": "Disable or Remove Feature or Program", "description": "Remove or deny access to unnecessary and potentially vulnerable software to prevent abuse by adversaries.", "url": "https://attack.mitre.org/mitigations/M1042"}, {"name": "Limit Access to Resource Over Network", "description": "Prevent access to file shares, remote access to systems, unnecessary services. 
Mechanisms to limit access may include use of network concentrators, RDP gateways, etc.", "url": "https://attack.mitre.org/mitigations/M1035"}, {"name": "Multi-factor Authentication", "description": "Use two or more pieces of evidence to authenticate to a system; such as username and password in addition to a token from a physical smart card or token generator.", "url": "https://attack.mitre.org/mitigations/M1032"}]}, {"_id": "T1109", "mitigations": [{"name": "Component Firmware Mitigation", "description": "Prevent adversary access to privileged accounts or access necessary to perform this technique.", "url": ""}]}, {"_id": "T1539", "mitigations": [{"name": "Software Configuration", "description": "Implement configuration changes to software (other than the operating system) to mitigate security risks associated to how the software operates.", "url": "https://attack.mitre.org/mitigations/M1054"}, {"name": "Multi-factor Authentication", "description": "Use two or more pieces of evidence to authenticate to a system; such as username and password in addition to a token from a physical smart card or token generator.", "url": "https://attack.mitre.org/mitigations/M1032"}, {"name": "User Training", "description": "Train users to to be aware of access or manipulation attempts by an adversary to reduce the risk of successful spearphishing, social engineering, and other techniques that involve user interaction.", "url": "https://attack.mitre.org/mitigations/M1017"}]}, {"_id": "T1099", "mitigations": [{"name": "Timestomp Mitigation", "description": "Mitigation of timestomping specifically is likely difficult. Efforts should be focused on preventing potentially malicious software from running. 
Identify and block potentially malicious software that may contain functionality to perform timestomping by using whitelisting (Citation: Beechey 2010) tools like AppLocker (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) or Software Restriction Policies (Citation: Corio 2008) where appropriate. (Citation: TechNet Applocker vs SRP)", "url": ""}]}, {"_id": "T1069", "mitigations": [{"name": "Permission Groups Discovery Mitigation", "description": "Identify unnecessary system utilities or potentially malicious software that may be used to acquire information about groups and permissions, and audit and/or block them by using whitelisting (Citation: Beechey 2010) tools, like AppLocker, (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) or Software Restriction Policies (Citation: Corio 2008) where appropriate. (Citation: TechNet Applocker vs SRP)", "url": ""}]}, {"_id": "T1114", "mitigations": [{"name": "Multi-factor Authentication", "description": "Use two or more pieces of evidence to authenticate to a system; such as username and password in addition to a token from a physical smart card or token generator.", "url": "https://attack.mitre.org/mitigations/M1032"}, {"name": "Encrypt Sensitive Information", "description": "Protect sensitive information with strong encryption.", "url": "https://attack.mitre.org/mitigations/M1041"}, {"name": "Audit", "description": "Perform audits or scans of systems, permissions, insecure software, insecure configurations, etc. 
to identify potential weaknesses.", "url": "https://attack.mitre.org/mitigations/M1047"}]}, {"_id": "T1163", "mitigations": [{"name": "User Account Management", "description": "Manage the creation, modification, use, and permissions associated to user accounts.", "url": "https://attack.mitre.org/mitigations/M1018"}]}, {"_id": "T1025", "mitigations": [{"name": "Data from Removable Media Mitigation", "description": "Identify unnecessary system utilities or potentially malicious software that may be used to collect data from removable media, and audit and/or block them by using whitelisting (Citation: Beechey 2010) tools, like AppLocker, (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) or Software Restriction Policies (Citation: Corio 2008) where appropriate. (Citation: TechNet Applocker vs SRP)", "url": ""}]}, {"_id": "T1116", "mitigations": [{"name": "Code Signing Mitigation", "description": "Process whitelisting and trusted publishers to verify authenticity of software can help prevent signed malicious or untrusted code from executing on a system. (Citation: NSA MS AppLocker) (Citation: TechNet Trusted Publishers) (Citation: Securelist Digital Certificates)", "url": ""}]}, {"_id": "T1522", "mitigations": [{"name": "Filter Network Traffic", "description": "Use network appliances to filter ingress or egress traffic and perform protocol-based filtering. Configure software on endpoints to filter network traffic.", "url": "https://attack.mitre.org/mitigations/M1037"}]}, {"_id": "T1093", "mitigations": [{"name": "Process Hollowing Mitigation", "description": "This type of attack technique cannot be easily mitigated with preventive controls since it is based on the abuse of operating system design features. For example, mitigating specific API calls will likely have unintended side effects, such as preventing legitimate software (i.e., security products) from operating properly. 
Efforts should be focused on preventing adversary tools from running earlier in the chain of activity and on identifying subsequent malicious behavior. ", "url": ""}]}, {"_id": "T1172", "mitigations": [{"name": "SSL/TLS Inspection", "description": "Break and inspect SSL/TLS sessions to look at encrypted web traffic for adversary activity.", "url": "https://attack.mitre.org/mitigations/M1020"}, {"name": "Execution Prevention", "description": "Block execution of code on a system through application whitelisting, blacklisting, and/or script blocking.", "url": "https://attack.mitre.org/mitigations/M1038"}]}, {"_id": "T1178", "mitigations": [{"name": "Active Directory Configuration", "description": "Configure Active Directory to prevent use of certain techniques; use SID Filtering, etc.", "url": "https://attack.mitre.org/mitigations/M1015"}]}, {"_id": "T1013", "mitigations": [{"name": "Port Monitors Mitigation", "description": "Identify and block potentially malicious software that may persist in this manner by using whitelisting (Citation: Beechey 2010) tools capable of monitoring DLL loads by processes running under SYSTEM permissions.", "url": ""}]}, {"_id": "T1192", "mitigations": [{"name": "Restrict Web-Based Content", "description": "Restrict use of certain websites, block downloads/attachments, block Javascript, restrict browser extensions, etc.", "url": "https://attack.mitre.org/mitigations/M1021"}, {"name": "User Training", "description": "Train users to to be aware of access or manipulation attempts by an adversary to reduce the risk of successful spearphishing, social engineering, and other techniques that involve user interaction.", "url": "https://attack.mitre.org/mitigations/M1017"}]}, {"_id": "T1489", "mitigations": [{"name": "Network Segmentation", "description": "Architect sections of the network to isolate critical systems, functions, or resources. Use physical and logical segmentation to prevent access to potentially sensitive systems and information. 
Use a DMZ to contain any internet-facing services that should not be exposed from the internal network.", "url": "https://attack.mitre.org/mitigations/M1030"}, {"name": "User Account Management", "description": "Manage the creation, modification, use, and permissions associated to user accounts.", "url": "https://attack.mitre.org/mitigations/M1018"}, {"name": "Restrict Registry Permissions", "description": "Restrict the ability to modify certain hives or keys in the Windows Registry.", "url": "https://attack.mitre.org/mitigations/M1024"}, {"name": "Restrict File and Directory Permissions", "description": "Restrict access by setting directory and file permissions that are not specific to users or privileged accounts.", "url": "https://attack.mitre.org/mitigations/M1022"}]}, {"_id": "T1121", "mitigations": [{"name": "Disable or Remove Feature or Program", "description": "Remove or deny access to unnecessary and potentially vulnerable software to prevent abuse by adversaries.", "url": "https://attack.mitre.org/mitigations/M1042"}, {"name": "Execution Prevention", "description": "Block execution of code on a system through application whitelisting, blacklisting, and/or script blocking.", "url": "https://attack.mitre.org/mitigations/M1038"}]}, {"_id": "T1206", "mitigations": [{"name": "Privileged Account Management", "description": "Manage the creation, modification, use, and permissions associated to privileged accounts, including SYSTEM and root.", "url": "https://attack.mitre.org/mitigations/M1026"}, {"name": "Operating System Configuration", "description": "Make configuration changes related to the operating system or a common feature of the operating system that result in system hardening against techniques.", "url": "https://attack.mitre.org/mitigations/M1028"}]}, {"_id": "T1063", "mitigations": [{"name": "Security Software Discovery Mitigation", "description": "Identify unnecessary system utilities or potentially malicious software that may be used to acquire 
information about local security software, and audit and/or block them by using whitelisting (Citation: Beechey 2010) tools, like AppLocker, (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) or Software Restriction Policies (Citation: Corio 2008) where appropriate. (Citation: TechNet Applocker vs SRP)", "url": ""}]}, {"_id": "T1080", "mitigations": [{"name": "Execution Prevention", "description": "Block execution of code on a system through application whitelisting, blacklisting, and/or script blocking.", "url": "https://attack.mitre.org/mitigations/M1038"}, {"name": "Restrict File and Directory Permissions", "description": "Restrict access by setting directory and file permissions that are not specific to users or privileged accounts.", "url": "https://attack.mitre.org/mitigations/M1022"}, {"name": "Exploit Protection", "description": "Use capabilities to detect and block conditions that may lead to or be indicative of a software exploit occurring.", "url": "https://attack.mitre.org/mitigations/M1050"}]}, {"_id": "T1167", "mitigations": []}, {"_id": "T1527", "mitigations": [{"name": "Restrict Web-Based Content", "description": "Restrict use of certain websites, block downloads/attachments, block Javascript, restrict browser extensions, etc.", "url": "https://attack.mitre.org/mitigations/M1021"}, {"name": "Audit", "description": "Perform audits or scans of systems, permissions, insecure software, insecure configurations, etc. 
to identify potential weaknesses.", "url": "https://attack.mitre.org/mitigations/M1047"}, {"name": "Encrypt Sensitive Information", "description": "Protect sensitive information with strong encryption.", "url": "https://attack.mitre.org/mitigations/M1041"}]}, {"_id": "T1180", "mitigations": [{"name": "Execution Prevention", "description": "Block execution of code on a system through application whitelisting, blacklisting, and/or script blocking.", "url": "https://attack.mitre.org/mitigations/M1038"}, {"name": "Disable or Remove Feature or Program", "description": "Remove or deny access to unnecessary and potentially vulnerable software to prevent abuse by adversaries.", "url": "https://attack.mitre.org/mitigations/M1042"}]}, {"_id": "T1165", "mitigations": [{"name": "User Account Management", "description": "Manage the creation, modification, use, and permissions associated to user accounts.", "url": "https://attack.mitre.org/mitigations/M1018"}, {"name": "Restrict File and Directory Permissions", "description": "Restrict access by setting directory and file permissions that are not specific to users or privileged accounts.", "url": "https://attack.mitre.org/mitigations/M1022"}]}, {"_id": "T1137", "mitigations": [{"name": "Disable or Remove Feature or Program", "description": "Remove or deny access to unnecessary and potentially vulnerable software to prevent abuse by adversaries.", "url": "https://attack.mitre.org/mitigations/M1042"}, {"name": "Update Software", "description": "Perform regular software updates to mitigate exploitation risk.", "url": "https://attack.mitre.org/mitigations/M1051"}, {"name": "Software Configuration", "description": "Implement configuration changes to software (other than the operating system) to mitigate security risks associated to how the software operates.", "url": "https://attack.mitre.org/mitigations/M1054"}]}, {"_id": "T1089", "mitigations": [{"name": "User Account Management", "description": "Manage the creation, modification, 
use, and permissions associated to user accounts.", "url": "https://attack.mitre.org/mitigations/M1018"}, {"name": "Restrict File and Directory Permissions", "description": "Restrict access by setting directory and file permissions that are not specific to users or privileged accounts.", "url": "https://attack.mitre.org/mitigations/M1022"}]}, {"_id": "T1487", "mitigations": [{"name": "Data Backup", "description": "Take and store data backups from end user systems and critical servers. Ensure backup and storage systems are hardened and kept separate from the corporate network to prevent compromise.", "url": "https://attack.mitre.org/mitigations/M1053"}]}, {"_id": "T1214", "mitigations": [{"name": "Privileged Account Management", "description": "Manage the creation, modification, use, and permissions associated to privileged accounts, including SYSTEM and root.", "url": "https://attack.mitre.org/mitigations/M1026"}, {"name": "Audit", "description": "Perform audits or scans of systems, permissions, insecure software, insecure configurations, etc. 
to identify potential weaknesses.", "url": "https://attack.mitre.org/mitigations/M1047"}, {"name": "Password Policies", "description": "Set and enforce secure password policies for accounts.", "url": "https://attack.mitre.org/mitigations/M1027"}]}, {"_id": "T1119", "mitigations": [{"name": "Remote Data Storage", "description": "Use remote security log and sensitive file storage where access can be controlled better to prevent exposure of intrusion detection log data or sensitive information.", "url": "https://attack.mitre.org/mitigations/M1029"}, {"name": "Encrypt Sensitive Information", "description": "Protect sensitive information with strong encryption.", "url": "https://attack.mitre.org/mitigations/M1041"}]}, {"_id": "T1115", "mitigations": [{"name": "Clipboard Data Mitigation", "description": "Instead of blocking software based on clipboard capture behavior, identify potentially malicious software that may contain this functionality, and audit and/or block it by using whitelisting (Citation: Beechey 2010) tools, like AppLocker, (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) or Software Restriction Policies (Citation: Corio 2008) where appropriate. 
(Citation: TechNet Applocker vs SRP)", "url": ""}]}, {"_id": "T1103", "mitigations": [{"name": "Update Software", "description": "Perform regular software updates to mitigate exploitation risk.", "url": "https://attack.mitre.org/mitigations/M1051"}, {"name": "Execution Prevention", "description": "Block execution of code on a system through application whitelisting, blacklisting, and/or script blocking.", "url": "https://attack.mitre.org/mitigations/M1038"}]}, {"_id": "T1007", "mitigations": [{"name": "System Service Discovery Mitigation", "description": "Identify unnecessary system utilities or potentially malicious software that may be used to acquire information about services, and audit and/or block them by using whitelisting (Citation: Beechey 2010) tools, like AppLocker, (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) or Software Restriction Policies (Citation: Corio 2008) where appropriate. (Citation: TechNet Applocker vs SRP)", "url": ""}]}, {"_id": "T1040", "mitigations": [{"name": "Multi-factor Authentication", "description": "Use two or more pieces of evidence to authenticate to a system; such as username and password in addition to a token from a physical smart card or token generator.", "url": "https://attack.mitre.org/mitigations/M1032"}, {"name": "Encrypt Sensitive Information", "description": "Protect sensitive information with strong encryption.", "url": "https://attack.mitre.org/mitigations/M1041"}]}, {"_id": "T1017", "mitigations": [{"name": "Privileged Account Management", "description": "Manage the creation, modification, use, and permissions associated to privileged accounts, including SYSTEM and root.", "url": "https://attack.mitre.org/mitigations/M1026"}, {"name": "Multi-factor Authentication", "description": "Use two or more pieces of evidence to authenticate to a system; such as username and password in addition to a token from a physical smart card or token generator.", "url": 
"https://attack.mitre.org/mitigations/M1032"}, {"name": "Code Signing", "description": "Enforce binary and application integrity with digital signature verification to prevent untrusted code from executing.", "url": "https://attack.mitre.org/mitigations/M1045"}, {"name": "Network Segmentation", "description": "Architect sections of the network to isolate critical systems, functions, or resources. Use physical and logical segmentation to prevent access to potentially sensitive systems and information. Use a DMZ to contain any internet-facing services that should not be exposed from the internal network.", "url": "https://attack.mitre.org/mitigations/M1030"}, {"name": "Update Software", "description": "Perform regular software updates to mitigate exploitation risk.", "url": "https://attack.mitre.org/mitigations/M1051"}]}, {"_id": "T1530", "mitigations": [{"name": "User Account Management", "description": "Manage the creation, modification, use, and permissions associated to user accounts.", "url": "https://attack.mitre.org/mitigations/M1018"}, {"name": "Encrypt Sensitive Information", "description": "Protect sensitive information with strong encryption.", "url": "https://attack.mitre.org/mitigations/M1041"}, {"name": "Restrict File and Directory Permissions", "description": "Restrict access by setting directory and file permissions that are not specific to users or privileged accounts.", "url": "https://attack.mitre.org/mitigations/M1022"}, {"name": "Filter Network Traffic", "description": "Use network appliances to filter ingress or egress traffic and perform protocol-based filtering. Configure software on endpoints to filter network traffic.", "url": "https://attack.mitre.org/mitigations/M1037"}, {"name": "Audit", "description": "Perform audits or scans of systems, permissions, insecure software, insecure configurations, etc. 
to identify potential weaknesses.", "url": "https://attack.mitre.org/mitigations/M1047"}, {"name": "Multi-factor Authentication", "description": "Use two or more pieces of evidence to authenticate to a system; such as username and password in addition to a token from a physical smart card or token generator.", "url": "https://attack.mitre.org/mitigations/M1032"}]}, {"_id": "T1135", "mitigations": [{"name": "Network Share Discovery Mitigation", "description": "Identify unnecessary system utilities or potentially malicious software that may be used to acquire network share information, and audit and/or block them by using whitelisting (Citation: Beechey 2010) tools, like AppLocker, (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) or Software Restriction Policies (Citation: Corio 2008) where appropriate. (Citation: TechNet Applocker vs SRP)", "url": ""}]}, {"_id": "T1120", "mitigations": [{"name": "Peripheral Device Discovery Mitigation", "description": "Identify unnecessary system utilities or potentially malicious software that may be used to acquire information about peripheral devices, and audit and/or block them by using whitelisting (Citation: Beechey 2010) tools, like AppLocker, (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) or Software Restriction Policies (Citation: Corio 2008) where appropriate. (Citation: TechNet Applocker vs SRP)", "url": ""}]}, {"_id": "T1082", "mitigations": [{"name": "System Information Discovery Mitigation", "description": "Identify unnecessary system utilities or potentially malicious software that may be used to acquire information about the operating system and underlying hardware, and audit and/or block them by using whitelisting (Citation: Beechey 2010) tools, like AppLocker, (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) or Software Restriction Policies (Citation: Corio 2008) where appropriate. 
(Citation: TechNet Applocker vs SRP)", "url": ""}]}, {"_id": "T1071", "mitigations": [{"name": "Network Intrusion Prevention", "description": "Use intrusion detection signatures to block traffic at network boundaries.", "url": "https://attack.mitre.org/mitigations/M1031"}]}, {"_id": "T1053", "mitigations": [{"name": "User Account Management", "description": "Manage the creation, modification, use, and permissions associated to user accounts.", "url": "https://attack.mitre.org/mitigations/M1018"}, {"name": "Operating System Configuration", "description": "Make configuration changes related to the operating system or a common feature of the operating system that result in system hardening against techniques.", "url": "https://attack.mitre.org/mitigations/M1028"}, {"name": "Privileged Account Management", "description": "Manage the creation, modification, use, and permissions associated to privileged accounts, including SYSTEM and root.", "url": "https://attack.mitre.org/mitigations/M1026"}, {"name": "Audit", "description": "Perform audits or scans of systems, permissions, insecure software, insecure configurations, etc. 
to identify potential weaknesses.", "url": "https://attack.mitre.org/mitigations/M1047"}]}, {"_id": "T1162", "mitigations": [{"name": "User Account Management", "description": "Manage the creation, modification, use, and permissions associated to user accounts.", "url": "https://attack.mitre.org/mitigations/M1018"}, {"name": "User Training", "description": "Train users to to be aware of access or manipulation attempts by an adversary to reduce the risk of successful spearphishing, social engineering, and other techniques that involve user interaction.", "url": "https://attack.mitre.org/mitigations/M1017"}]}, {"_id": "T1176", "mitigations": [{"name": "Limit Software Installation", "description": "Block users or groups from installing unapproved software.", "url": "https://attack.mitre.org/mitigations/M1033"}, {"name": "Audit", "description": "Perform audits or scans of systems, permissions, insecure software, insecure configurations, etc. to identify potential weaknesses.", "url": "https://attack.mitre.org/mitigations/M1047"}, {"name": "User Training", "description": "Train users to to be aware of access or manipulation attempts by an adversary to reduce the risk of successful spearphishing, social engineering, and other techniques that involve user interaction.", "url": "https://attack.mitre.org/mitigations/M1017"}, {"name": "Execution Prevention", "description": "Block execution of code on a system through application whitelisting, blacklisting, and/or script blocking.", "url": "https://attack.mitre.org/mitigations/M1038"}]}, {"_id": "T1106", "mitigations": [{"name": "Execution Prevention", "description": "Block execution of code on a system through application whitelisting, blacklisting, and/or script blocking.", "url": "https://attack.mitre.org/mitigations/M1038"}]}, {"_id": "T1058", "mitigations": [{"name": "Restrict Registry Permissions", "description": "Restrict the ability to modify certain hives or keys in the Windows Registry.", "url": 
"https://attack.mitre.org/mitigations/M1024"}]}, {"_id": "T1202", "mitigations": [{"name": "Indirect Command Execution Mitigation", "description": "Identify or block potentially malicious software that may contain abusive functionality by using whitelisting (Citation: Beechey 2010) tools, like AppLocker, (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) or Software Restriction Policies (Citation: Corio 2008) where appropriate. (Citation: TechNet Applocker vs SRP). These mechanisms can also be used to disable and/or limit user access to Windows utilities and file types/locations used to invoke malicious execution.(Citation: SpectorOPs SettingContent-ms Jun 2018)", "url": ""}]}, {"_id": "T1024", "mitigations": [{"name": "Network Intrusion Prevention", "description": "Use intrusion detection signatures to block traffic at network boundaries.", "url": "https://attack.mitre.org/mitigations/M1031"}]}, {"_id": "T1536", "mitigations": []}, {"_id": "T1091", "mitigations": [{"name": "Disable or Remove Feature or Program", "description": "Remove or deny access to unnecessary and potentially vulnerable software to prevent abuse by adversaries.", "url": "https://attack.mitre.org/mitigations/M1042"}, {"name": "Limit Hardware Installation", "description": "Block users or groups from installing or using unapproved hardware on systems, including USB devices.", "url": "https://attack.mitre.org/mitigations/M1034"}]}, {"_id": "T1005", "mitigations": [{"name": "Data from Local System Mitigation", "description": "Identify unnecessary system utilities or potentially malicious software that may be used to collect data from the local system, and audit and/or block them by using whitelisting (Citation: Beechey 2010) tools, like AppLocker, (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) or Software Restriction Policies (Citation: Corio 2008) where appropriate. 
(Citation: TechNet Applocker vs SRP)", "url": ""}]}, {"_id": "T1140", "mitigations": [{"name": "Deobfuscate/Decode Files or Information Mitigation", "description": "Identify unnecessary system utilities or potentially malicious software that may be used to deobfuscate or decode files or information, and audit and/or block them by using whitelisting (Citation: Beechey 2010) tools, like AppLocker, (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) or Software Restriction Policies (Citation: Corio 2008) where appropriate. (Citation: TechNet Applocker vs SRP)", "url": ""}]}, {"_id": "T1195", "mitigations": [{"name": "Update Software", "description": "Perform regular software updates to mitigate exploitation risk.", "url": "https://attack.mitre.org/mitigations/M1051"}, {"name": "Vulnerability Scanning", "description": "Vulnerability scanning is used to find potentially exploitable software vulnerabilities to remediate them.", "url": "https://attack.mitre.org/mitigations/M1016"}]}, {"_id": "T1190", "mitigations": [{"name": "Application Isolation and Sandboxing", "description": "Restrict execution of code to a virtual environment on or in transit to an endpoint system.", "url": "https://attack.mitre.org/mitigations/M1048"}, {"name": "Network Segmentation", "description": "Architect sections of the network to isolate critical systems, functions, or resources. Use physical and logical segmentation to prevent access to potentially sensitive systems and information. 
Use a DMZ to contain any internet-facing services that should not be exposed from the internal network.", "url": "https://attack.mitre.org/mitigations/M1030"}, {"name": "Vulnerability Scanning", "description": "Vulnerability scanning is used to find potentially exploitable software vulnerabilities to remediate them.", "url": "https://attack.mitre.org/mitigations/M1016"}, {"name": "Privileged Account Management", "description": "Manage the creation, modification, use, and permissions associated to privileged accounts, including SYSTEM and root.", "url": "https://attack.mitre.org/mitigations/M1026"}, {"name": "Exploit Protection", "description": "Use capabilities to detect and block conditions that may lead to or be indicative of a software exploit occurring.", "url": "https://attack.mitre.org/mitigations/M1050"}, {"name": "Update Software", "description": "Perform regular software updates to mitigate exploitation risk.", "url": "https://attack.mitre.org/mitigations/M1051"}]}, {"_id": "T1219", "mitigations": [{"name": "Execution Prevention", "description": "Block execution of code on a system through application whitelisting, blacklisting, and/or script blocking.", "url": "https://attack.mitre.org/mitigations/M1038"}, {"name": "Filter Network Traffic", "description": "Use network appliances to filter ingress or egress traffic and perform protocol-based filtering. 
Configure software on endpoints to filter network traffic.", "url": "https://attack.mitre.org/mitigations/M1037"}, {"name": "Network Intrusion Prevention", "description": "Use intrusion detection signatures to block traffic at network boundaries.", "url": "https://attack.mitre.org/mitigations/M1031"}]}, {"_id": "T1079", "mitigations": [{"name": "Network Intrusion Prevention", "description": "Use intrusion detection signatures to block traffic at network boundaries.", "url": "https://attack.mitre.org/mitigations/M1031"}]}, {"_id": "T1036", "mitigations": [{"name": "Code Signing", "description": "Enforce binary and application integrity with digital signature verification to prevent untrusted code from executing.", "url": "https://attack.mitre.org/mitigations/M1045"}, {"name": "Restrict File and Directory Permissions", "description": "Restrict access by setting directory and file permissions that are not specific to users or privileged accounts.", "url": "https://attack.mitre.org/mitigations/M1022"}, {"name": "Execution Prevention", "description": "Block execution of code on a system through application whitelisting, blacklisting, and/or script blocking.", "url": "https://attack.mitre.org/mitigations/M1038"}]}, {"_id": "T1055", "mitigations": [{"name": "Behavior Prevention on Endpoint", "description": "Use capabilities to prevent suspicious behavior patterns from occurring on endpoint systems. This could include suspicious process, file, API call, etc. 
behavior.", "url": "https://attack.mitre.org/mitigations/M1040"}, {"name": "Privileged Account Management", "description": "Manage the creation, modification, use, and permissions associated to privileged accounts, including SYSTEM and root.", "url": "https://attack.mitre.org/mitigations/M1026"}]}, {"_id": "T1139", "mitigations": [{"name": "Operating System Configuration", "description": "Make configuration changes related to the operating system or a common feature of the operating system that result in system hardening against techniques.", "url": "https://attack.mitre.org/mitigations/M1028"}]}, {"_id": "T1205", "mitigations": [{"name": "Filter Network Traffic", "description": "Use network appliances to filter ingress or egress traffic and perform protocol-based filtering. Configure software on endpoints to filter network traffic.", "url": "https://attack.mitre.org/mitigations/M1037"}]}, {"_id": "T1503", "mitigations": [{"name": "Password Policies", "description": "Set and enforce secure password policies for accounts.", "url": "https://attack.mitre.org/mitigations/M1027"}]}, {"_id": "T1218", "mitigations": [{"name": "Privileged Account Management", "description": "Manage the creation, modification, use, and permissions associated to privileged accounts, including SYSTEM and root.", "url": "https://attack.mitre.org/mitigations/M1026"}, {"name": "Execution Prevention", "description": "Block execution of code on a system through application whitelisting, blacklisting, and/or script blocking.", "url": "https://attack.mitre.org/mitigations/M1038"}]}, {"_id": "T1153", "mitigations": [{"name": "Source Mitigation", "description": "Due to potential legitimate uses of source commands, it's may be difficult to mitigate use of this technique.", "url": ""}]}, {"_id": "T1038", "mitigations": [{"name": "Audit", "description": "Perform audits or scans of systems, permissions, insecure software, insecure configurations, etc. 
to identify potential weaknesses.", "url": "https://attack.mitre.org/mitigations/M1047"}, {"name": "Execution Prevention", "description": "Block execution of code on a system through application whitelisting, blacklisting, and/or script blocking.", "url": "https://attack.mitre.org/mitigations/M1038"}, {"name": "Restrict Library Loading", "description": "Prevent abuse of library loading mechanisms in the operating system and software to load untrusted code by configuring appropriate library loading mechanisms and investigating potential vulnerable software.", "url": "https://attack.mitre.org/mitigations/M1044"}]}, {"_id": "T1050", "mitigations": [{"name": "User Account Management", "description": "Manage the creation, modification, use, and permissions associated to user accounts.", "url": "https://attack.mitre.org/mitigations/M1018"}]}, {"_id": "T1010", "mitigations": [{"name": "Application Window Discovery Mitigation", "description": "Identify unnecessary system utilities or potentially malicious software that may be used to acquire information, and audit and/or block them by using whitelisting (Citation: Beechey 2010) tools, like AppLocker, (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) or Software Restriction Policies (Citation: Corio 2008) where appropriate. 
(Citation: TechNet Applocker vs SRP)", "url": ""}]}, {"_id": "T1032", "mitigations": [{"name": "Network Intrusion Prevention", "description": "Use intrusion detection signatures to block traffic at network boundaries.", "url": "https://attack.mitre.org/mitigations/M1031"}, {"name": "SSL/TLS Inspection", "description": "Break and inspect SSL/TLS sessions to look at encrypted web traffic for adversary activity.", "url": "https://attack.mitre.org/mitigations/M1020"}]}, {"_id": "T1062", "mitigations": [{"name": "Hypervisor Mitigation", "description": "Prevent adversary access to privileged accounts necessary to install a hypervisor.", "url": ""}]}, {"_id": "T1182", "mitigations": [{"name": "Execution Prevention", "description": "Block execution of code on a system through application whitelisting, blacklisting, and/or script blocking.", "url": "https://attack.mitre.org/mitigations/M1038"}]}, {"_id": "T1029", "mitigations": [{"name": "Network Intrusion Prevention", "description": "Use intrusion detection signatures to block traffic at network boundaries.", "url": "https://attack.mitre.org/mitigations/M1031"}]}, {"_id": "T1525", "mitigations": [{"name": "Code Signing", "description": "Enforce binary and application integrity with digital signature verification to prevent untrusted code from executing.", "url": "https://attack.mitre.org/mitigations/M1045"}, {"name": "Privileged Account Management", "description": "Manage the creation, modification, use, and permissions associated to privileged accounts, including SYSTEM and root.", "url": "https://attack.mitre.org/mitigations/M1026"}, {"name": "Audit", "description": "Perform audits or scans of systems, permissions, insecure software, insecure configurations, etc. 
to identify potential weaknesses.", "url": "https://attack.mitre.org/mitigations/M1047"}]}, {"_id": "T1004", "mitigations": [{"name": "User Account Management", "description": "Manage the creation, modification, use, and permissions associated to user accounts.", "url": "https://attack.mitre.org/mitigations/M1018"}, {"name": "Execution Prevention", "description": "Block execution of code on a system through application whitelisting, blacklisting, and/or script blocking.", "url": "https://attack.mitre.org/mitigations/M1038"}]}, {"_id": "T1009", "mitigations": [{"name": "Binary Padding Mitigation", "description": "Identify potentially malicious software that may be executed from a padded or otherwise obfuscated binary, and audit and/or block it by using whitelisting (Citation: Beechey 2010) tools, like AppLocker, (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) or Software Restriction Policies (Citation: Corio 2008) where appropriate. (Citation: TechNet Applocker vs SRP)", "url": ""}]}, {"_id": "T1076", "mitigations": [{"name": "Audit", "description": "Perform audits or scans of systems, permissions, insecure software, insecure configurations, etc. to identify potential weaknesses.", "url": "https://attack.mitre.org/mitigations/M1047"}, {"name": "Limit Access to Resource Over Network", "description": "Prevent access to file shares, remote access to systems, unnecessary services. 
Mechanisms to limit access may include use of network concentrators, RDP gateways, etc.", "url": "https://attack.mitre.org/mitigations/M1035"}, {"name": "Multi-factor Authentication", "description": "Use two or more pieces of evidence to authenticate to a system; such as username and password in addition to a token from a physical smart card or token generator.", "url": "https://attack.mitre.org/mitigations/M1032"}, {"name": "Privileged Account Management", "description": "Manage the creation, modification, use, and permissions associated to privileged accounts, including SYSTEM and root.", "url": "https://attack.mitre.org/mitigations/M1026"}, {"name": "Operating System Configuration", "description": "Make configuration changes related to the operating system or a common feature of the operating system that result in system hardening against techniques.", "url": "https://attack.mitre.org/mitigations/M1028"}, {"name": "User Account Management", "description": "Manage the creation, modification, use, and permissions associated to user accounts.", "url": "https://attack.mitre.org/mitigations/M1018"}, {"name": "Network Segmentation", "description": "Architect sections of the network to isolate critical systems, functions, or resources. Use physical and logical segmentation to prevent access to potentially sensitive systems and information. 
Use a DMZ to contain any internet-facing services that should not be exposed from the internal network.", "url": "https://attack.mitre.org/mitigations/M1030"}, {"name": "Disable or Remove Feature or Program", "description": "Remove or deny access to unnecessary and potentially vulnerable software to prevent abuse by adversaries.", "url": "https://attack.mitre.org/mitigations/M1042"}]}, {"_id": "T1011", "mitigations": [{"name": "Operating System Configuration", "description": "Make configuration changes related to the operating system or a common feature of the operating system that result in system hardening against techniques.", "url": "https://attack.mitre.org/mitigations/M1028"}]}, {"_id": "T1131", "mitigations": [{"name": "Privileged Process Integrity", "description": "Protect processes with high privileges that can be used to interact with critical system components through use of protected process light, anti-process injection defenses, or other process integrity enforcement measures.", "url": "https://attack.mitre.org/mitigations/M1025"}]}, {"_id": "T1181", "mitigations": [{"name": "Extra Window Memory Injection Mitigation", "description": "This type of attack technique cannot be easily mitigated with preventive controls since it is based on the abuse of operating system design features. For example, mitigating specific API calls will likely have unintended side effects, such as preventing legitimate software (i.e., security products) from operating properly. 
Efforts should be focused on preventing adversary tools from running earlier in the chain of activity and on identifying subsequent malicious behavior.", "url": ""}]}, {"_id": "T1152", "mitigations": [{"name": "User Account Management", "description": "Manage the creation, modification, use, and permissions associated to user accounts.", "url": "https://attack.mitre.org/mitigations/M1018"}]}, {"_id": "T1483", "mitigations": [{"name": "Restrict Web-Based Content", "description": "Restrict use of certain websites, block downloads/attachments, block Javascript, restrict browser extensions, etc.", "url": "https://attack.mitre.org/mitigations/M1021"}, {"name": "Network Intrusion Prevention", "description": "Use intrusion detection signatures to block traffic at network boundaries.", "url": "https://attack.mitre.org/mitigations/M1031"}]}, {"_id": "T1185", "mitigations": [{"name": "User Training", "description": "Train users to to be aware of access or manipulation attempts by an adversary to reduce the risk of successful spearphishing, social engineering, and other techniques that involve user interaction.", "url": "https://attack.mitre.org/mitigations/M1017"}, {"name": "User Account Management", "description": "Manage the creation, modification, use, and permissions associated to user accounts.", "url": "https://attack.mitre.org/mitigations/M1018"}]}, {"_id": "T1021", "mitigations": [{"name": "User Account Management", "description": "Manage the creation, modification, use, and permissions associated to user accounts.", "url": "https://attack.mitre.org/mitigations/M1018"}, {"name": "Multi-factor Authentication", "description": "Use two or more pieces of evidence to authenticate to a system; such as username and password in addition to a token from a physical smart card or token generator.", "url": "https://attack.mitre.org/mitigations/M1032"}]}, {"_id": "T1207", "mitigations": [{"name": "DCShadow Mitigation", "description": "This type of attack technique cannot be 
easily mitigated with preventive controls since it is based on the abuse of AD design features. For example, mitigating specific AD API calls will likely have unintended side effects, such as preventing DC replication from operating properly. Efforts should be focused on preventing adversary tools from running earlier in the chain of activity and on identification of subsequent malicious behavior.", "url": ""}]}, {"_id": "T1107", "mitigations": [{"name": "File Deletion Mitigation", "description": "Identify unnecessary system utilities, third-party tools, or potentially malicious software that may be used to delete files, and audit and/or block them by using whitelisting (Citation: Beechey 2010) tools like AppLocker (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) or Software Restriction Policies (Citation: Corio 2008) where appropriate. (Citation: TechNet Applocker vs SRP)", "url": ""}]}, {"_id": "T1145", "mitigations": [{"name": "Password Policies", "description": "Set and enforce secure password policies for accounts.", "url": "https://attack.mitre.org/mitigations/M1027"}, {"name": "Audit", "description": "Perform audits or scans of systems, permissions, insecure software, insecure configurations, etc. to identify potential weaknesses.", "url": "https://attack.mitre.org/mitigations/M1047"}, {"name": "Encrypt Sensitive Information", "description": "Protect sensitive information with strong encryption.", "url": "https://attack.mitre.org/mitigations/M1041"}, {"name": "Network Segmentation", "description": "Architect sections of the network to isolate critical systems, functions, or resources. Use physical and logical segmentation to prevent access to potentially sensitive systems and information. 
Use a DMZ to contain any internet-facing services that should not be exposed from the internal network.", "url": "https://attack.mitre.org/mitigations/M1030"}, {"name": "Restrict File and Directory Permissions", "description": "Restrict access by setting directory and file permissions that are not specific to users or privileged accounts.", "url": "https://attack.mitre.org/mitigations/M1022"}]}, {"_id": "T1112", "mitigations": [{"name": "Restrict Registry Permissions", "description": "Restrict the ability to modify certain hives or keys in the Windows Registry.", "url": "https://attack.mitre.org/mitigations/M1024"}]}, {"_id": "T1491", "mitigations": [{"name": "Data Backup", "description": "Take and store data backups from end user systems and critical servers. Ensure backup and storage systems are hardened and kept separate from the corporate network to prevent compromise.", "url": "https://attack.mitre.org/mitigations/M1053"}]}, {"_id": "T1535", "mitigations": [{"name": "Software Configuration", "description": "Implement configuration changes to software (other than the operating system) to mitigate security risks associated to how the software operates.", "url": "https://attack.mitre.org/mitigations/M1054"}]}, {"_id": "T1155", "mitigations": [{"name": "Code Signing", "description": "Enforce binary and application integrity with digital signature verification to prevent untrusted code from executing.", "url": "https://attack.mitre.org/mitigations/M1045"}]}, {"_id": "T1217", "mitigations": [{"name": "Browser Bookmark Discovery Mitigation", "description": "File system activity is a common part of an operating system, so it is unlikely that mitigation would be appropriate for this technique. For example, mitigating accesses to browser bookmark files will likely have unintended side effects such as preventing legitimate software from operating properly. 
Efforts should be focused on preventing adversary tools from running earlier in the chain of activity and on identification of subsequent malicious behavior. It may still be beneficial to identify and block unnecessary system utilities or potentially malicious software by using whitelisting (Citation: Beechey 2010) tools, like AppLocker, (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) or Software Restriction Policies (Citation: Corio 2008) where appropriate. (Citation: TechNet Applocker vs SRP)", "url": ""}]}, {"_id": "T1183", "mitigations": [{"name": "Image File Execution Options Injection Mitigation", "description": "This type of attack technique cannot be easily mitigated with preventive controls since it is based on the abuse of operating system design features. For example, mitigating all IFEO will likely have unintended side effects, such as preventing legitimate software (i.e., security products) from operating properly. (Citation: Microsoft IFEOorMalware July 2015) Efforts should be focused on preventing adversary tools from running earlier in the chain of activity and on identifying subsequent malicious behavior.", "url": ""}]}, {"_id": "T1085", "mitigations": [{"name": "Exploit Protection", "description": "Use capabilities to detect and block conditions that may lead to or be indicative of a software exploit occurring.", "url": "https://attack.mitre.org/mitigations/M1050"}]}, {"_id": "T1031", "mitigations": [{"name": "Audit", "description": "Perform audits or scans of systems, permissions, insecure software, insecure configurations, etc. 
to identify potential weaknesses.", "url": "https://attack.mitre.org/mitigations/M1047"}, {"name": "User Account Management", "description": "Manage the creation, modification, use, and permissions associated to user accounts.", "url": "https://attack.mitre.org/mitigations/M1018"}]}, {"_id": "T1092", "mitigations": [{"name": "Disable or Remove Feature or Program", "description": "Remove or deny access to unnecessary and potentially vulnerable software to prevent abuse by adversaries.", "url": "https://attack.mitre.org/mitigations/M1042"}, {"name": "Operating System Configuration", "description": "Make configuration changes related to the operating system or a common feature of the operating system that result in system hardening against techniques.", "url": "https://attack.mitre.org/mitigations/M1028"}]}, {"_id": "T1222", "mitigations": [{"name": "File Permissions Modification Mitigation", "description": "This type of technique cannot be easily mitigated with preventive controls since it is based on the abuse of operating system design features. Efforts should be focused on preventing adversary tools from running earlier in the chain of activity and on identification of subsequent malicious behavior.", "url": ""}]}, {"_id": "T1179", "mitigations": [{"name": "Hooking Mitigation", "description": "This type of attack technique cannot be easily mitigated with preventive controls since it is based on the abuse of operating system design features. For example, mitigating all hooking will likely have unintended side effects, such as preventing legitimate software (i.e., security products) from operating properly. 
Efforts should be focused on preventing adversary tools from running earlier in the chain of activity and on identifying subsequent malicious behavior.", "url": ""}]}, {"_id": "T1019", "mitigations": [{"name": "Update Software", "description": "Perform regular software updates to mitigate exploitation risk.", "url": "https://attack.mitre.org/mitigations/M1051"}, {"name": "Boot Integrity", "description": "Use secure methods to boot a system and verify the integrity of the operating system and loading mechanisms.", "url": "https://attack.mitre.org/mitigations/M1046"}, {"name": "Privileged Account Management", "description": "Manage the creation, modification, use, and permissions associated to privileged accounts, including SYSTEM and root.", "url": "https://attack.mitre.org/mitigations/M1026"}]}, {"_id": "T1042", "mitigations": [{"name": "Change Default File Association Mitigation", "description": "Direct mitigation of this technique is not recommended since it is a legitimate function that can be performed by users for software preferences. Follow Microsoft's best practices for file associations. 
(Citation: MSDN File Associations)", "url": ""}]}, {"_id": "T1117", "mitigations": [{"name": "Exploit Protection", "description": "Use capabilities to detect and block conditions that may lead to or be indicative of a software exploit occurring.", "url": "https://attack.mitre.org/mitigations/M1050"}]}, {"_id": "T1164", "mitigations": [{"name": "Disable or Remove Feature or Program", "description": "Remove or deny access to unnecessary and potentially vulnerable software to prevent abuse by adversaries.", "url": "https://attack.mitre.org/mitigations/M1042"}, {"name": "User Training", "description": "Train users to to be aware of access or manipulation attempts by an adversary to reduce the risk of successful spearphishing, social engineering, and other techniques that involve user interaction.", "url": "https://attack.mitre.org/mitigations/M1017"}]}, {"_id": "T1054", "mitigations": [{"name": "User Account Management", "description": "Manage the creation, modification, use, and permissions associated to user accounts.", "url": "https://attack.mitre.org/mitigations/M1018"}, {"name": "Restrict File and Directory Permissions", "description": "Restrict access by setting directory and file permissions that are not specific to users or privileged accounts.", "url": "https://attack.mitre.org/mitigations/M1022"}, {"name": "Software Configuration", "description": "Implement configuration changes to software (other than the operating system) to mitigate security risks associated to how the software operates.", "url": "https://attack.mitre.org/mitigations/M1054"}]}, {"_id": "T1108", "mitigations": [{"name": "Network Intrusion Prevention", "description": "Use intrusion detection signatures to block traffic at network boundaries.", "url": "https://attack.mitre.org/mitigations/M1031"}]}, {"_id": "T1193", "mitigations": [{"name": "Antivirus/Antimalware", "description": "Use signatures or heuristics to detect malicious software.", "url": 
"https://attack.mitre.org/mitigations/M1049"}, {"name": "Network Intrusion Prevention", "description": "Use intrusion detection signatures to block traffic at network boundaries.", "url": "https://attack.mitre.org/mitigations/M1031"}, {"name": "Restrict Web-Based Content", "description": "Restrict use of certain websites, block downloads/attachments, block Javascript, restrict browser extensions, etc.", "url": "https://attack.mitre.org/mitigations/M1021"}, {"name": "User Training", "description": "Train users to to be aware of access or manipulation attempts by an adversary to reduce the risk of successful spearphishing, social engineering, and other techniques that involve user interaction.", "url": "https://attack.mitre.org/mitigations/M1017"}]}, {"_id": "T1215", "mitigations": [{"name": "Antivirus/Antimalware", "description": "Use signatures or heuristics to detect malicious software.", "url": "https://attack.mitre.org/mitigations/M1049"}, {"name": "Execution Prevention", "description": "Block execution of code on a system through application whitelisting, blacklisting, and/or script blocking.", "url": "https://attack.mitre.org/mitigations/M1038"}, {"name": "Privileged Account Management", "description": "Manage the creation, modification, use, and permissions associated to privileged accounts, including SYSTEM and root.", "url": "https://attack.mitre.org/mitigations/M1026"}]}, {"_id": "T1101", "mitigations": [{"name": "Privileged Process Integrity", "description": "Protect processes with high privileges that can be used to interact with critical system components through use of protected process light, anti-process injection defenses, or other process integrity enforcement measures.", "url": "https://attack.mitre.org/mitigations/M1025"}]}, {"_id": "T1177", "mitigations": [{"name": "Restrict Library Loading", "description": "Prevent abuse of library loading mechanisms in the operating system and software to load untrusted code by configuring appropriate library 
loading mechanisms and investigating potential vulnerable software.", "url": "https://attack.mitre.org/mitigations/M1044"}, {"name": "Credential Access Protection", "description": "Use capabilities to prevent successful credential access by adversaries; including blocking forms of credential dumping.", "url": "https://attack.mitre.org/mitigations/M1043"}, {"name": "Code Signing", "description": "Enforce binary and application integrity with digital signature verification to prevent untrusted code from executing.", "url": "https://attack.mitre.org/mitigations/M1045"}]}, {"_id": "T1125", "mitigations": [{"name": "Video Capture Mitigation", "description": "Mitigating this technique specifically may be difficult as it requires fine-grained API control. Efforts should be focused on preventing unwanted or unknown code from executing on a system.", "url": ""}]}, {"_id": "T1144", "mitigations": [{"name": "Execution Prevention", "description": "Block execution of code on a system through application whitelisting, blacklisting, and/or script blocking.", "url": "https://attack.mitre.org/mitigations/M1038"}]}, {"_id": "T1045", "mitigations": [{"name": "Antivirus/Antimalware", "description": "Use signatures or heuristics to detect malicious software.", "url": "https://attack.mitre.org/mitigations/M1049"}]}, {"_id": "T1016", "mitigations": [{"name": "System Network Configuration Discovery Mitigation", "description": "Identify unnecessary system utilities or potentially malicious software that may be used to acquire information about a system's network configuration, and audit and/or block them by using whitelisting (Citation: Beechey 2010) tools, like AppLocker, (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) or Software Restriction Policies (Citation: Corio 2008) where appropriate. 
(Citation: TechNet Applocker vs SRP)", "url": ""}]}, {"_id": "T1504", "mitigations": [{"name": "Code Signing", "description": "Enforce binary and application integrity with digital signature verification to prevent untrusted code from executing.", "url": "https://attack.mitre.org/mitigations/M1045"}, {"name": "Restrict File and Directory Permissions", "description": "Restrict access by setting directory and file permissions that are not specific to users or privileged accounts.", "url": "https://attack.mitre.org/mitigations/M1022"}, {"name": "Software Configuration", "description": "Implement configuration changes to software (other than the operating system) to mitigate security risks associated to how the software operates.", "url": "https://attack.mitre.org/mitigations/M1054"}]}, {"_id": "T1198", "mitigations": [{"name": "Execution Prevention", "description": "Block execution of code on a system through application whitelisting, blacklisting, and/or script blocking.", "url": "https://attack.mitre.org/mitigations/M1038"}, {"name": "Restrict Registry Permissions", "description": "Restrict the ability to modify certain hives or keys in the Windows Registry.", "url": "https://attack.mitre.org/mitigations/M1024"}, {"name": "Restrict File and Directory Permissions", "description": "Restrict access by setting directory and file permissions that are not specific to users or privileged accounts.", "url": "https://attack.mitre.org/mitigations/M1022"}]}, {"_id": "T1087", "mitigations": [{"name": "Operating System Configuration", "description": "Make configuration changes related to the operating system or a common feature of the operating system that result in system hardening against techniques.", "url": "https://attack.mitre.org/mitigations/M1028"}]}, {"_id": "T1090", "mitigations": [{"name": "Network Intrusion Prevention", "description": "Use intrusion detection signatures to block traffic at network boundaries.", "url": "https://attack.mitre.org/mitigations/M1031"}]}, 
{"_id": "T1059", "mitigations": [{"name": "Execution Prevention", "description": "Block execution of code on a system through application whitelisting, blacklisting, and/or script blocking.", "url": "https://attack.mitre.org/mitigations/M1038"}]}, {"_id": "T1482", "mitigations": [{"name": "Audit", "description": "Perform audits or scans of systems, permissions, insecure software, insecure configurations, etc. to identify potential weaknesses.", "url": "https://attack.mitre.org/mitigations/M1047"}, {"name": "Network Segmentation", "description": "Architect sections of the network to isolate critical systems, functions, or resources. Use physical and logical segmentation to prevent access to potentially sensitive systems and information. Use a DMZ to contain any internet-facing services that should not be exposed from the internal network.", "url": "https://attack.mitre.org/mitigations/M1030"}]}, {"_id": "T1175", "mitigations": [{"name": "Disable or Remove Feature or Program", "description": "Remove or deny access to unnecessary and potentially vulnerable software to prevent abuse by adversaries.", "url": "https://attack.mitre.org/mitigations/M1042"}, {"name": "Network Segmentation", "description": "Architect sections of the network to isolate critical systems, functions, or resources. Use physical and logical segmentation to prevent access to potentially sensitive systems and information. 
Use a DMZ to contain any internet-facing services that should not be exposed from the internal network.", "url": "https://attack.mitre.org/mitigations/M1030"}, {"name": "Privileged Account Management", "description": "Manage the creation, modification, use, and permissions associated to privileged accounts, including SYSTEM and root.", "url": "https://attack.mitre.org/mitigations/M1026"}, {"name": "Application Isolation and Sandboxing", "description": "Restrict execution of code to a virtual environment on or in transit to an endpoint system.", "url": "https://attack.mitre.org/mitigations/M1048"}]}, {"_id": "T1020", "mitigations": [{"name": "Automated Exfiltration Mitigation", "description": "Identify unnecessary system utilities, scripts, or potentially malicious software that may be used to transfer data outside of a network, and audit and/or block them by using whitelisting (Citation: Beechey 2010) tools, like AppLocker, (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) or Software Restriction Policies (Citation: Corio 2008) where appropriate. 
(Citation: TechNet Applocker vs SRP)", "url": ""}]}, {"_id": "T1070", "mitigations": [{"name": "Encrypt Sensitive Information", "description": "Protect sensitive information with strong encryption.", "url": "https://attack.mitre.org/mitigations/M1041"}, {"name": "Remote Data Storage", "description": "Use remote security log and sensitive file storage where access can be controlled better to prevent exposure of intrusion detection log data or sensitive information.", "url": "https://attack.mitre.org/mitigations/M1029"}, {"name": "Restrict File and Directory Permissions", "description": "Restrict access by setting directory and file permissions that are not specific to users or privileged accounts.", "url": "https://attack.mitre.org/mitigations/M1022"}]}, {"_id": "T1083", "mitigations": [{"name": "File and Directory Discovery Mitigation", "description": "File system activity is a common part of an operating system, so it is unlikely that mitigation would be appropriate for this technique. It may still be beneficial to identify and block unnecessary system utilities or potentially malicious software by using whitelisting (Citation: Beechey 2010) tools, like AppLocker, (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) or Software Restriction Policies (Citation: Corio 2008) where appropriate. 
(Citation: TechNet Applocker vs SRP)", "url": ""}]}, {"_id": "T1138", "mitigations": [{"name": "User Account Control", "description": "Configure Windows User Account Control to mitigate risk of adversaries obtaining elevated process access.", "url": "https://attack.mitre.org/mitigations/M1052"}, {"name": "Update Software", "description": "Perform regular software updates to mitigate exploitation risk.", "url": "https://attack.mitre.org/mitigations/M1051"}]}, {"_id": "T1191", "mitigations": [{"name": "Disable or Remove Feature or Program", "description": "Remove or deny access to unnecessary and potentially vulnerable software to prevent abuse by adversaries.", "url": "https://attack.mitre.org/mitigations/M1042"}, {"name": "Execution Prevention", "description": "Block execution of code on a system through application whitelisting, blacklisting, and/or script blocking.", "url": "https://attack.mitre.org/mitigations/M1038"}]}, {"_id": "T1188", "mitigations": [{"name": "Filter Network Traffic", "description": "Use network appliances to filter ingress or egress traffic and perform protocol-based filtering. Configure software on endpoints to filter network traffic.", "url": "https://attack.mitre.org/mitigations/M1037"}]}, {"_id": "T1074", "mitigations": [{"name": "Data Staged Mitigation", "description": "Identify system utilities, remote access or third-party tools, users or potentially malicious software that may be used to store compressed or encrypted data in a publicly writeable directory, central location, or commonly used staging directories (e.g. recycle bin) that is indicative of non-standard behavior, and audit and/or block them by using file integrity monitoring tools where appropriate. 
Consider applying data size limits or blocking file writes of common compression and encryption utilities such as 7zip, RAR, ZIP, or zlib on frequently used staging directories or central locations and monitor attempted violations of those restrictions.", "url": ""}]}, {"_id": "T1049", "mitigations": [{"name": "System Network Connections Discovery Mitigation", "description": "Identify unnecessary system utilities or potentially malicious software that may be used to acquire information about network connections, and audit and/or block them by using whitelisting (Citation: Beechey 2010) tools, like AppLocker, (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) or Software Restriction Policies (Citation: Corio 2008) where appropriate. (Citation: TechNet Applocker vs SRP)", "url": ""}]}, {"_id": "T1064", "mitigations": [{"name": "Application Isolation and Sandboxing", "description": "Restrict execution of code to a virtual environment on or in transit to an endpoint system.", "url": "https://attack.mitre.org/mitigations/M1048"}, {"name": "Disable or Remove Feature or Program", "description": "Remove or deny access to unnecessary and potentially vulnerable software to prevent abuse by adversaries.", "url": "https://attack.mitre.org/mitigations/M1042"}]}, {"_id": "T1051", "mitigations": [{"name": "Network Segmentation", "description": "Architect sections of the network to isolate critical systems, functions, or resources. Use physical and logical segmentation to prevent access to potentially sensitive systems and information. 
Use a DMZ to contain any internet-facing services that should not be exposed from the internal network.", "url": "https://attack.mitre.org/mitigations/M1030"}, {"name": "User Account Management", "description": "Manage the creation, modification, use, and permissions associated to user accounts.", "url": "https://attack.mitre.org/mitigations/M1018"}, {"name": "Limit Access to Resource Over Network", "description": "Prevent access to file shares, remote access to systems, unnecessary services. Mechanisms to limit access may include use of network concentrators, RDP gateways, etc.", "url": "https://attack.mitre.org/mitigations/M1035"}, {"name": "Privileged Account Management", "description": "Manage the creation, modification, use, and permissions associated to privileged accounts, including SYSTEM and root.", "url": "https://attack.mitre.org/mitigations/M1026"}, {"name": "Restrict File and Directory Permissions", "description": "Restrict access by setting directory and file permissions that are not specific to users or privileged accounts.", "url": "https://attack.mitre.org/mitigations/M1022"}]}, {"_id": "T1497", "mitigations": [{"name": "Virtualization/Sandbox Evasion Mitigation", "description": "Mitigation of this technique with preventative controls may impact the adversary's decision process depending on what they're looking for, how they use the information, and what their objectives are. 
Since it may be difficult to mitigate all aspects of information that could be gathered, efforts should be focused on preventing adversary tools from running earlier in the chain of activity and on identifying subsequent malicious behavior if compromised.", "url": ""}]}, {"_id": "T1102", "mitigations": [{"name": "Network Intrusion Prevention", "description": "Use intrusion detection signatures to block traffic at network boundaries.", "url": "https://attack.mitre.org/mitigations/M1031"}, {"name": "Restrict Web-Based Content", "description": "Restrict use of certain websites, block downloads/attachments, block Javascript, restrict browser extensions, etc.", "url": "https://attack.mitre.org/mitigations/M1021"}]}, {"_id": "T1104", "mitigations": [{"name": "Network Intrusion Prevention", "description": "Use intrusion detection signatures to block traffic at network boundaries.", "url": "https://attack.mitre.org/mitigations/M1031"}]}, {"_id": "T1480", "mitigations": [{"name": "Do Not Mitigate", "description": "This category is to associate techniques that mitigation might increase risk of compromise and therefore mitigation is not recommended.", "url": "https://attack.mitre.org/mitigations/M1055"}]}, {"_id": "T1528", "mitigations": [{"name": "Restrict Web-Based Content", "description": "Restrict use of certain websites, block downloads/attachments, block Javascript, restrict browser extensions, etc.", "url": "https://attack.mitre.org/mitigations/M1021"}, {"name": "Audit", "description": "Perform audits or scans of systems, permissions, insecure software, insecure configurations, etc. 
to identify potential weaknesses.", "url": "https://attack.mitre.org/mitigations/M1047"}, {"name": "User Training", "description": "Train users to to be aware of access or manipulation attempts by an adversary to reduce the risk of successful spearphishing, social engineering, and other techniques that involve user interaction.", "url": "https://attack.mitre.org/mitigations/M1017"}, {"name": "User Account Management", "description": "Manage the creation, modification, use, and permissions associated to user accounts.", "url": "https://attack.mitre.org/mitigations/M1018"}]}, {"_id": "T1204", "mitigations": [{"name": "User Training", "description": "Train users to to be aware of access or manipulation attempts by an adversary to reduce the risk of successful spearphishing, social engineering, and other techniques that involve user interaction.", "url": "https://attack.mitre.org/mitigations/M1017"}, {"name": "Execution Prevention", "description": "Block execution of code on a system through application whitelisting, blacklisting, and/or script blocking.", "url": "https://attack.mitre.org/mitigations/M1038"}, {"name": "Restrict Web-Based Content", "description": "Restrict use of certain websites, block downloads/attachments, block Javascript, restrict browser extensions, etc.", "url": "https://attack.mitre.org/mitigations/M1021"}, {"name": "Network Intrusion Prevention", "description": "Use intrusion detection signatures to block traffic at network boundaries.", "url": "https://attack.mitre.org/mitigations/M1031"}]}, {"_id": "T1196", "mitigations": [{"name": "Execution Prevention", "description": "Block execution of code on a system through application whitelisting, blacklisting, and/or script blocking.", "url": "https://attack.mitre.org/mitigations/M1038"}, {"name": "Restrict File and Directory Permissions", "description": "Restrict access by setting directory and file permissions that are not specific to users or privileged accounts.", "url": 
"https://attack.mitre.org/mitigations/M1022"}]}, {"_id": "T1057", "mitigations": [{"name": "Process Discovery Mitigation", "description": "Identify unnecessary system utilities or potentially malicious software that may be used to acquire information about processes, and audit and/or block them by using whitelisting (Citation: Beechey 2010) tools, like AppLocker, (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) or Software Restriction Policies (Citation: Corio 2008) where appropriate. (Citation: TechNet Applocker vs SRP)", "url": ""}]}, {"_id": "T1141", "mitigations": [{"name": "User Training", "description": "Train users to to be aware of access or manipulation attempts by an adversary to reduce the risk of successful spearphishing, social engineering, and other techniques that involve user interaction.", "url": "https://attack.mitre.org/mitigations/M1017"}]}, {"_id": "T1072", "mitigations": [{"name": "User Account Management", "description": "Manage the creation, modification, use, and permissions associated to user accounts.", "url": "https://attack.mitre.org/mitigations/M1018"}, {"name": "Active Directory Configuration", "description": "Configure Active Directory to prevent use of certain techniques; use SID Filtering, etc.", "url": "https://attack.mitre.org/mitigations/M1015"}, {"name": "Update Software", "description": "Perform regular software updates to mitigate exploitation risk.", "url": "https://attack.mitre.org/mitigations/M1051"}, {"name": "Privileged Account Management", "description": "Manage the creation, modification, use, and permissions associated to privileged accounts, including SYSTEM and root.", "url": "https://attack.mitre.org/mitigations/M1026"}, {"name": "Password Policies", "description": "Set and enforce secure password policies for accounts.", "url": "https://attack.mitre.org/mitigations/M1027"}, {"name": "Network Segmentation", "description": "Architect sections of the network to isolate critical systems, functions, or 
resources. Use physical and logical segmentation to prevent access to potentially sensitive systems and information. Use a DMZ to contain any internet-facing services that should not be exposed from the internal network.", "url": "https://attack.mitre.org/mitigations/M1030"}, {"name": "User Training", "description": "Train users to to be aware of access or manipulation attempts by an adversary to reduce the risk of successful spearphishing, social engineering, and other techniques that involve user interaction.", "url": "https://attack.mitre.org/mitigations/M1017"}, {"name": "Multi-factor Authentication", "description": "Use two or more pieces of evidence to authenticate to a system; such as username and password in addition to a token from a physical smart card or token generator.", "url": "https://attack.mitre.org/mitigations/M1032"}, {"name": "Remote Data Storage", "description": "Use remote security log and sensitive file storage where access can be controlled better to prevent exposure of intrusion detection log data or sensitive information.", "url": "https://attack.mitre.org/mitigations/M1029"}]}, {"_id": "T1041", "mitigations": [{"name": "Network Intrusion Prevention", "description": "Use intrusion detection signatures to block traffic at network boundaries.", "url": "https://attack.mitre.org/mitigations/M1031"}]}, {"_id": "T1060", "mitigations": [{"name": "Registry Run Keys / Startup Folder Mitigation", "description": "Identify and block potentially malicious software that may be executed through run key or startup folder persistence using whitelisting (Citation: Beechey 2010) tools like AppLocker (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) or Software Restriction Policies (Citation: Corio 2008) where appropriate. 
(Citation: TechNet Applocker vs SRP)", "url": ""}]}, {"_id": "T1023", "mitigations": [{"name": "User Account Management", "description": "Manage the creation, modification, use, and permissions associated to user accounts.", "url": "https://attack.mitre.org/mitigations/M1018"}]}, {"_id": "T1026", "mitigations": [{"name": "Network Intrusion Prevention", "description": "Use intrusion detection signatures to block traffic at network boundaries.", "url": "https://attack.mitre.org/mitigations/M1031"}]}, {"_id": "T1122", "mitigations": [{"name": "Component Object Model Hijacking Mitigation", "description": "Direct mitigation of this technique may not be recommended for a particular environment since COM objects are a legitimate part of the operating system and installed software. Blocking COM object changes may have unforeseen side effects to legitimate functionality.", "url": ""}]}, {"_id": "T1015", "mitigations": [{"name": "Execution Prevention", "description": "Block execution of code on a system through application whitelisting, blacklisting, and/or script blocking.", "url": "https://attack.mitre.org/mitigations/M1038"}, {"name": "Operating System Configuration", "description": "Make configuration changes related to the operating system or a common feature of the operating system that result in system hardening against techniques.", "url": "https://attack.mitre.org/mitigations/M1028"}, {"name": "Limit Access to Resource Over Network", "description": "Prevent access to file shares, remote access to systems, unnecessary services. 
Mechanisms to limit access may include use of network concentrators, RDP gateways, etc.", "url": "https://attack.mitre.org/mitigations/M1035"}]}, {"_id": "T1212", "mitigations": [{"name": "Exploit Protection", "description": "Use capabilities to detect and block conditions that may lead to or be indicative of a software exploit occurring.", "url": "https://attack.mitre.org/mitigations/M1050"}, {"name": "Update Software", "description": "Perform regular software updates to mitigate exploitation risk.", "url": "https://attack.mitre.org/mitigations/M1051"}, {"name": "Threat Intelligence Program", "description": "A threat intelligence program helps an organization generate their own threat intelligence information and track trends to inform defensive priorities to mitigate risk.", "url": "https://attack.mitre.org/mitigations/M1019"}, {"name": "Application Isolation and Sandboxing", "description": "Restrict execution of code to a virtual environment on or in transit to an endpoint system.", "url": "https://attack.mitre.org/mitigations/M1048"}]}, {"_id": "T1210", "mitigations": [{"name": "Disable or Remove Feature or Program", "description": "Remove or deny access to unnecessary and potentially vulnerable software to prevent abuse by adversaries.", "url": "https://attack.mitre.org/mitigations/M1042"}, {"name": "Vulnerability Scanning", "description": "Vulnerability scanning is used to find potentially exploitable software vulnerabilities to remediate them.", "url": "https://attack.mitre.org/mitigations/M1016"}, {"name": "Exploit Protection", "description": "Use capabilities to detect and block conditions that may lead to or be indicative of a software exploit occurring.", "url": "https://attack.mitre.org/mitigations/M1050"}, {"name": "Network Segmentation", "description": "Architect sections of the network to isolate critical systems, functions, or resources. Use physical and logical segmentation to prevent access to potentially sensitive systems and information. 
Use a DMZ to contain any internet-facing services that should not be exposed from the internal network.", "url": "https://attack.mitre.org/mitigations/M1030"}, {"name": "Threat Intelligence Program", "description": "A threat intelligence program helps an organization generate their own threat intelligence information and track trends to inform defensive priorities to mitigate risk.", "url": "https://attack.mitre.org/mitigations/M1019"}, {"name": "Application Isolation and Sandboxing", "description": "Restrict execution of code to a virtual environment on or in transit to an endpoint system.", "url": "https://attack.mitre.org/mitigations/M1048"}, {"name": "Privileged Account Management", "description": "Manage the creation, modification, use, and permissions associated to privileged accounts, including SYSTEM and root.", "url": "https://attack.mitre.org/mitigations/M1026"}, {"name": "Update Software", "description": "Perform regular software updates to mitigate exploitation risk.", "url": "https://attack.mitre.org/mitigations/M1051"}]}, {"_id": "T1502", "mitigations": []}, {"_id": "T1142", "mitigations": [{"name": "Password Policies", "description": "Set and enforce secure password policies for accounts.", "url": "https://attack.mitre.org/mitigations/M1027"}]}, {"_id": "T1534", "mitigations": []}, {"_id": "T1169", "mitigations": [{"name": "Privileged Account Management", "description": "Manage the creation, modification, use, and permissions associated to privileged accounts, including SYSTEM and root.", "url": "https://attack.mitre.org/mitigations/M1026"}, {"name": "Restrict File and Directory Permissions", "description": "Restrict access by setting directory and file permissions that are not specific to users or privileged accounts.", "url": "https://attack.mitre.org/mitigations/M1022"}]}, {"_id": "T1199", "mitigations": [{"name": "User Account Control", "description": "Configure Windows User Account Control to mitigate risk of adversaries obtaining elevated 
process access.", "url": "https://attack.mitre.org/mitigations/M1052"}, {"name": "Network Segmentation", "description": "Architect sections of the network to isolate critical systems, functions, or resources. Use physical and logical segmentation to prevent access to potentially sensitive systems and information. Use a DMZ to contain any internet-facing services that should not be exposed from the internal network.", "url": "https://attack.mitre.org/mitigations/M1030"}]}, {"_id": "T1149", "mitigations": [{"name": "Code Signing", "description": "Enforce binary and application integrity with digital signature verification to prevent untrusted code from executing.", "url": "https://attack.mitre.org/mitigations/M1045"}]}, {"_id": "T1098", "mitigations": [{"name": "Network Segmentation", "description": "Architect sections of the network to isolate critical systems, functions, or resources. Use physical and logical segmentation to prevent access to potentially sensitive systems and information. 
Use a DMZ to contain any internet-facing services that should not be exposed from the internal network.", "url": "https://attack.mitre.org/mitigations/M1030"}, {"name": "Multi-factor Authentication", "description": "Use two or more pieces of evidence to authenticate to a system; such as username and password in addition to a token from a physical smart card or token generator.", "url": "https://attack.mitre.org/mitigations/M1032"}, {"name": "Privileged Account Management", "description": "Manage the creation, modification, use, and permissions associated to privileged accounts, including SYSTEM and root.", "url": "https://attack.mitre.org/mitigations/M1026"}, {"name": "Operating System Configuration", "description": "Make configuration changes related to the operating system or a common feature of the operating system that result in system hardening against techniques.", "url": "https://attack.mitre.org/mitigations/M1028"}]}, {"_id": "T1170", "mitigations": [{"name": "Execution Prevention", "description": "Block execution of code on a system through application whitelisting, blacklisting, and/or script blocking.", "url": "https://attack.mitre.org/mitigations/M1038"}, {"name": "Disable or Remove Feature or Program", "description": "Remove or deny access to unnecessary and potentially vulnerable software to prevent abuse by adversaries.", "url": "https://attack.mitre.org/mitigations/M1042"}]}, {"_id": "T1048", "mitigations": [{"name": "Network Segmentation", "description": "Architect sections of the network to isolate critical systems, functions, or resources. Use physical and logical segmentation to prevent access to potentially sensitive systems and information. Use a DMZ to contain any internet-facing services that should not be exposed from the internal network.", "url": "https://attack.mitre.org/mitigations/M1030"}, {"name": "Filter Network Traffic", "description": "Use network appliances to filter ingress or egress traffic and perform protocol-based filtering. 
Configure software on endpoints to filter network traffic.", "url": "https://attack.mitre.org/mitigations/M1037"}, {"name": "Network Intrusion Prevention", "description": "Use intrusion detection signatures to block traffic at network boundaries.", "url": "https://attack.mitre.org/mitigations/M1031"}]}, {"_id": "T1097", "mitigations": [{"name": "Active Directory Configuration", "description": "Configure Active Directory to prevent use of certain techniques; use SID Filtering, etc.", "url": "https://attack.mitre.org/mitigations/M1015"}, {"name": "Password Policies", "description": "Set and enforce secure password policies for accounts.", "url": "https://attack.mitre.org/mitigations/M1027"}, {"name": "User Account Management", "description": "Manage the creation, modification, use, and permissions associated to user accounts.", "url": "https://attack.mitre.org/mitigations/M1018"}, {"name": "Privileged Account Management", "description": "Manage the creation, modification, use, and permissions associated to privileged accounts, including SYSTEM and root.", "url": "https://attack.mitre.org/mitigations/M1026"}]}, {"_id": "T1061", "mitigations": [{"name": "Graphical User Interface Mitigation", "description": "Prevent adversaries from gaining access to credentials through Credential Access that can be used to log into remote desktop sessions on systems.", "url": ""}]}, {"_id": "T1110", "mitigations": [{"name": "Account Use Policies", "description": "Configure features related to account use like login attempt lockouts, specific login times, etc.", "url": "https://attack.mitre.org/mitigations/M1036"}, {"name": "Multi-factor Authentication", "description": "Use two or more pieces of evidence to authenticate to a system; such as username and password in addition to a token from a physical smart card or token generator.", "url": "https://attack.mitre.org/mitigations/M1032"}, {"name": "Password Policies", "description": "Set and enforce secure password policies for accounts.", 
"url": "https://attack.mitre.org/mitigations/M1027"}]}, {"_id": "T1157", "mitigations": [{"name": "Restrict File and Directory Permissions", "description": "Restrict access by setting directory and file permissions that are not specific to users or privileged accounts.", "url": "https://attack.mitre.org/mitigations/M1022"}, {"name": "User Account Management", "description": "Manage the creation, modification, use, and permissions associated to user accounts.", "url": "https://attack.mitre.org/mitigations/M1018"}]}, {"_id": "T1001", "mitigations": [{"name": "Network Intrusion Prevention", "description": "Use intrusion detection signatures to block traffic at network boundaries.", "url": "https://attack.mitre.org/mitigations/M1031"}]}, {"_id": "T1039", "mitigations": [{"name": "Data from Network Shared Drive Mitigation", "description": "Identify unnecessary system utilities or potentially malicious software that may be used to collect data from a network share, and audit and/or block them by using whitelisting (Citation: Beechey 2010) tools, like AppLocker, (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) or Software Restriction Policies (Citation: Corio 2008) where appropriate. (Citation: TechNet Applocker vs SRP)", "url": ""}]}, {"_id": "T1078", "mitigations": [{"name": "Multi-factor Authentication", "description": "Use two or more pieces of evidence to authenticate to a system; such as username and password in addition to a token from a physical smart card or token generator.", "url": "https://attack.mitre.org/mitigations/M1032"}, {"name": "Audit", "description": "Perform audits or scans of systems, permissions, insecure software, insecure configurations, etc. 
to identify potential weaknesses.", "url": "https://attack.mitre.org/mitigations/M1047"}, {"name": "Password Policies", "description": "Set and enforce secure password policies for accounts.", "url": "https://attack.mitre.org/mitigations/M1027"}, {"name": "Privileged Account Management", "description": "Manage the creation, modification, use, and permissions associated to privileged accounts, including SYSTEM and root.", "url": "https://attack.mitre.org/mitigations/M1026"}, {"name": "User Account Management", "description": "Manage the creation, modification, use, and permissions associated to user accounts.", "url": "https://attack.mitre.org/mitigations/M1018"}, {"name": "Application Developer Guidance", "description": "This mitigation describes any guidance or training given to developers of applications to avoid introducing security weaknesses that an adversary may be able to take advantage of.", "url": "https://attack.mitre.org/mitigations/M1013"}, {"name": "Filter Network Traffic", "description": "Use network appliances to filter ingress or egress traffic and perform protocol-based filtering. Configure software on endpoints to filter network traffic.", "url": "https://attack.mitre.org/mitigations/M1037"}]}, {"_id": "T1073", "mitigations": [{"name": "Update Software", "description": "Perform regular software updates to mitigate exploitation risk.", "url": "https://attack.mitre.org/mitigations/M1051"}, {"name": "Restrict File and Directory Permissions", "description": "Restrict access by setting directory and file permissions that are not specific to users or privileged accounts.", "url": "https://attack.mitre.org/mitigations/M1022"}, {"name": "Audit", "description": "Perform audits or scans of systems, permissions, insecure software, insecure configurations, etc. 
to identify potential weaknesses.", "url": "https://attack.mitre.org/mitigations/M1047"}]}, {"_id": "T1068", "mitigations": [{"name": "Update Software", "description": "Perform regular software updates to mitigate exploitation risk.", "url": "https://attack.mitre.org/mitigations/M1051"}, {"name": "Exploit Protection", "description": "Use capabilities to detect and block conditions that may lead to or be indicative of a software exploit occurring.", "url": "https://attack.mitre.org/mitigations/M1050"}, {"name": "Application Isolation and Sandboxing", "description": "Restrict execution of code to a virtual environment on or in transit to an endpoint system.", "url": "https://attack.mitre.org/mitigations/M1048"}, {"name": "Threat Intelligence Program", "description": "A threat intelligence program helps an organization generate their own threat intelligence information and track trends to inform defensive priorities to mitigate risk.", "url": "https://attack.mitre.org/mitigations/M1019"}]}, {"_id": "T1531", "mitigations": []}, {"_id": "T1208", "mitigations": [{"name": "Privileged Account Management", "description": "Manage the creation, modification, use, and permissions associated to privileged accounts, including SYSTEM and root.", "url": "https://attack.mitre.org/mitigations/M1026"}, {"name": "Encrypt Sensitive Information", "description": "Protect sensitive information with strong encryption.", "url": "https://attack.mitre.org/mitigations/M1041"}, {"name": "Password Policies", "description": "Set and enforce secure password policies for accounts.", "url": "https://attack.mitre.org/mitigations/M1027"}]}, {"_id": "T1027", "mitigations": [{"name": "Antivirus/Antimalware", "description": "Use signatures or heuristics to detect malicious software.", "url": "https://attack.mitre.org/mitigations/M1049"}]}, {"_id": "T1154", "mitigations": [{"name": "Trap Mitigation", "description": "Due to potential legitimate uses of trap commands, it's may be difficult to mitigate use 
of this technique.", "url": ""}]}, {"_id": "T1201", "mitigations": [{"name": "Password Policies", "description": "Set and enforce secure password policies for accounts.", "url": "https://attack.mitre.org/mitigations/M1027"}]}, {"_id": "T1187", "mitigations": [{"name": "Password Policies", "description": "Set and enforce secure password policies for accounts.", "url": "https://attack.mitre.org/mitigations/M1027"}, {"name": "Filter Network Traffic", "description": "Use network appliances to filter ingress or egress traffic and perform protocol-based filtering. Configure software on endpoints to filter network traffic.", "url": "https://attack.mitre.org/mitigations/M1037"}]}, {"_id": "T1486", "mitigations": [{"name": "Data Backup", "description": "Take and store data backups from end user systems and critical servers. Ensure backup and storage systems are hardened and kept separate from the corporate network to prevent compromise.", "url": "https://attack.mitre.org/mitigations/M1053"}]}, {"_id": "T1488", "mitigations": [{"name": "Data Backup", "description": "Take and store data backups from end user systems and critical servers. 
Ensure backup and storage systems are hardened and kept separate from the corporate network to prevent compromise.", "url": "https://attack.mitre.org/mitigations/M1053"}]}, {"_id": "T1174", "mitigations": [{"name": "Operating System Configuration", "description": "Make configuration changes related to the operating system or a common feature of the operating system that result in system hardening against techniques.", "url": "https://attack.mitre.org/mitigations/M1028"}]}, {"_id": "T1002", "mitigations": [{"name": "Network Intrusion Prevention", "description": "Use intrusion detection signatures to block traffic at network boundaries.", "url": "https://attack.mitre.org/mitigations/M1031"}]}, {"_id": "T1081", "mitigations": [{"name": "User Training", "description": "Train users to to be aware of access or manipulation attempts by an adversary to reduce the risk of successful spearphishing, social engineering, and other techniques that involve user interaction.", "url": "https://attack.mitre.org/mitigations/M1017"}, {"name": "Restrict File and Directory Permissions", "description": "Restrict access by setting directory and file permissions that are not specific to users or privileged accounts.", "url": "https://attack.mitre.org/mitigations/M1022"}, {"name": "Password Policies", "description": "Set and enforce secure password policies for accounts.", "url": "https://attack.mitre.org/mitigations/M1027"}, {"name": "Active Directory Configuration", "description": "Configure Active Directory to prevent use of certain techniques; use SID Filtering, etc.", "url": "https://attack.mitre.org/mitigations/M1015"}, {"name": "Audit", "description": "Perform audits or scans of systems, permissions, insecure software, insecure configurations, etc. 
to identify potential weaknesses.", "url": "https://attack.mitre.org/mitigations/M1047"}]}, {"_id": "T1128", "mitigations": [{"name": "Netsh Helper DLL Mitigation", "description": "Identify and block potentially malicious software that may persist in this manner by using whitelisting (Citation: Beechey 2010) tools capable of monitoring DLL loads by Windows utilities like AppLocker. (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker)", "url": ""}]}, {"_id": "T1056", "mitigations": [{"name": "Input Capture Mitigation", "description": "Identify and block potentially malicious software that may be used to acquire credentials or information from the user by using whitelisting (Citation: Beechey 2010) tools, like AppLocker, (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) or Software Restriction Policies (Citation: Corio 2008) where appropriate. (Citation: TechNet Applocker vs SRP)", "url": ""}]}, {"_id": "T1203", "mitigations": [{"name": "Exploit Protection", "description": "Use capabilities to detect and block conditions that may lead to or be indicative of a software exploit occurring.", "url": "https://attack.mitre.org/mitigations/M1050"}, {"name": "Application Isolation and Sandboxing", "description": "Restrict execution of code to a virtual environment on or in transit to an endpoint system.", "url": "https://attack.mitre.org/mitigations/M1048"}]}, {"_id": "T1168", "mitigations": [{"name": "User Account Management", "description": "Manage the creation, modification, use, and permissions associated to user accounts.", "url": "https://attack.mitre.org/mitigations/M1018"}]}, {"_id": "T1166", "mitigations": [{"name": "Operating System Configuration", "description": "Make configuration changes related to the operating system or a common feature of the operating system that result in system hardening against techniques.", "url": "https://attack.mitre.org/mitigations/M1028"}]}, {"_id": "T1100", "mitigations": [{"name": "Privileged Account 
Management", "description": "Manage the creation, modification, use, and permissions associated to privileged accounts, including SYSTEM and root.", "url": "https://attack.mitre.org/mitigations/M1026"}, {"name": "Update Software", "description": "Perform regular software updates to mitigate exploitation risk.", "url": "https://attack.mitre.org/mitigations/M1051"}]}, {"_id": "T1186", "mitigations": [{"name": "Process Doppelg\u00e4nging Mitigation", "description": "This type of attack technique cannot be easily mitigated with preventive controls or patched since it is based on the abuse of operating system design features. For example, mitigating specific API calls will likely have unintended side effects, such as preventing legitimate process-loading mechanisms from operating properly. Efforts should be focused on preventing adversary tools from running earlier in the chain of activity and on identifying subsequent malicious behavior.", "url": ""}]}, {"_id": "T1184", "mitigations": [{"name": "Privileged Account Management", "description": "Manage the creation, modification, use, and permissions associated to privileged accounts, including SYSTEM and root.", "url": "https://attack.mitre.org/mitigations/M1026"}, {"name": "User Account Control", "description": "Configure Windows User Account Control to mitigate risk of adversaries obtaining elevated process access.", "url": "https://attack.mitre.org/mitigations/M1052"}, {"name": "Disable or Remove Feature or Program", "description": "Remove or deny access to unnecessary and potentially vulnerable software to prevent abuse by adversaries.", "url": "https://attack.mitre.org/mitigations/M1042"}, {"name": "Restrict File and Directory Permissions", "description": "Restrict access by setting directory and file permissions that are not specific to users or privileged accounts.", "url": "https://attack.mitre.org/mitigations/M1022"}, {"name": "Password Policies", "description": "Set and enforce secure password policies for 
accounts.", "url": "https://attack.mitre.org/mitigations/M1027"}]}, {"_id": "T1095", "mitigations": [{"name": "Network Intrusion Prevention", "description": "Use intrusion detection signatures to block traffic at network boundaries.", "url": "https://attack.mitre.org/mitigations/M1031"}, {"name": "Filter Network Traffic", "description": "Use network appliances to filter ingress or egress traffic and perform protocol-based filtering. Configure software on endpoints to filter network traffic.", "url": "https://attack.mitre.org/mitigations/M1037"}, {"name": "Network Segmentation", "description": "Architect sections of the network to isolate critical systems, functions, or resources. Use physical and logical segmentation to prevent access to potentially sensitive systems and information. Use a DMZ to contain any internet-facing services that should not be exposed from the internal network.", "url": "https://attack.mitre.org/mitigations/M1030"}]}, {"_id": "T1075", "mitigations": [{"name": "Password Policies", "description": "Set and enforce secure password policies for accounts.", "url": "https://attack.mitre.org/mitigations/M1027"}, {"name": "Privileged Account Management", "description": "Manage the creation, modification, use, and permissions associated to privileged accounts, including SYSTEM and root.", "url": "https://attack.mitre.org/mitigations/M1026"}, {"name": "Update Software", "description": "Perform regular software updates to mitigate exploitation risk.", "url": "https://attack.mitre.org/mitigations/M1051"}, {"name": "User Account Control", "description": "Configure Windows User Account Control to mitigate risk of adversaries obtaining elevated process access.", "url": "https://attack.mitre.org/mitigations/M1052"}, {"name": "User Account Management", "description": "Manage the creation, modification, use, and permissions associated to user accounts.", "url": "https://attack.mitre.org/mitigations/M1018"}]}, {"_id": "T1012", "mitigations": [{"name": "Query 
Registry Mitigation", "description": "Identify unnecessary system utilities or potentially malicious software that may be used to acquire information within the Registry, and audit and/or block them by using whitelisting (Citation: Beechey 2010) tools, like AppLocker, (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) or Software Restriction Policies (Citation: Corio 2008) where appropriate. (Citation: TechNet Applocker vs SRP)", "url": ""}]}, {"_id": "T1030", "mitigations": [{"name": "Network Intrusion Prevention", "description": "Use intrusion detection signatures to block traffic at network boundaries.", "url": "https://attack.mitre.org/mitigations/M1031"}]}, {"_id": "T1028", "mitigations": [{"name": "Disable or Remove Feature or Program", "description": "Remove or deny access to unnecessary and potentially vulnerable software to prevent abuse by adversaries.", "url": "https://attack.mitre.org/mitigations/M1042"}, {"name": "Privileged Account Management", "description": "Manage the creation, modification, use, and permissions associated to privileged accounts, including SYSTEM and root.", "url": "https://attack.mitre.org/mitigations/M1026"}, {"name": "Network Segmentation", "description": "Architect sections of the network to isolate critical systems, functions, or resources. Use physical and logical segmentation to prevent access to potentially sensitive systems and information. 
Use a DMZ to contain any internet-facing services that should not be exposed from the internal network.", "url": "https://attack.mitre.org/mitigations/M1030"}]}, {"_id": "T1034", "mitigations": [{"name": "Restrict File and Directory Permissions", "description": "Restrict access by setting directory and file permissions that are not specific to users or privileged accounts.", "url": "https://attack.mitre.org/mitigations/M1022"}, {"name": "User Account Management", "description": "Manage the creation, modification, use, and permissions associated to user accounts.", "url": "https://attack.mitre.org/mitigations/M1018"}, {"name": "Audit", "description": "Perform audits or scans of systems, permissions, insecure software, insecure configurations, etc. to identify potential weaknesses.", "url": "https://attack.mitre.org/mitigations/M1047"}, {"name": "Execution Prevention", "description": "Block execution of code on a system through application whitelisting, blacklisting, and/or script blocking.", "url": "https://attack.mitre.org/mitigations/M1038"}]}, {"_id": "T1506", "mitigations": [{"name": "Software Configuration", "description": "Implement configuration changes to software (other than the operating system) to mitigate security risks associated to how the software operates.", "url": "https://attack.mitre.org/mitigations/M1054"}]}, {"_id": "T1499", "mitigations": [{"name": "Filter Network Traffic", "description": "Use network appliances to filter ingress or egress traffic and perform protocol-based filtering. Configure software on endpoints to filter network traffic.", "url": "https://attack.mitre.org/mitigations/M1037"}]}, {"_id": "T1065", "mitigations": [{"name": "Network Segmentation", "description": "Architect sections of the network to isolate critical systems, functions, or resources. Use physical and logical segmentation to prevent access to potentially sensitive systems and information. 
Use a DMZ to contain any internet-facing services that should not be exposed from the internal network.", "url": "https://attack.mitre.org/mitigations/M1030"}, {"name": "Network Intrusion Prevention", "description": "Use intrusion detection signatures to block traffic at network boundaries.", "url": "https://attack.mitre.org/mitigations/M1031"}]}, {"_id": "T1197", "mitigations": [{"name": "User Account Management", "description": "Manage the creation, modification, use, and permissions associated to user accounts.", "url": "https://attack.mitre.org/mitigations/M1018"}, {"name": "Filter Network Traffic", "description": "Use network appliances to filter ingress or egress traffic and perform protocol-based filtering. Configure software on endpoints to filter network traffic.", "url": "https://attack.mitre.org/mitigations/M1037"}, {"name": "Operating System Configuration", "description": "Make configuration changes related to the operating system or a common feature of the operating system that result in system hardening against techniques.", "url": "https://attack.mitre.org/mitigations/M1028"}]}, {"_id": "T1088", "mitigations": [{"name": "Privileged Account Management", "description": "Manage the creation, modification, use, and permissions associated to privileged accounts, including SYSTEM and root.", "url": "https://attack.mitre.org/mitigations/M1026"}, {"name": "Audit", "description": "Perform audits or scans of systems, permissions, insecure software, insecure configurations, etc. to identify potential weaknesses.", "url": "https://attack.mitre.org/mitigations/M1047"}, {"name": "User Account Control", "description": "Configure Windows User Account Control to mitigate risk of adversaries obtaining elevated process access.", "url": "https://attack.mitre.org/mitigations/M1052"}]}, {"_id": "T1494", "mitigations": [{"name": "Network Segmentation", "description": "Architect sections of the network to isolate critical systems, functions, or resources. 
Use physical and logical segmentation to prevent access to potentially sensitive systems and information. Use a DMZ to contain any internet-facing services that should not be exposed from the internal network.", "url": "https://attack.mitre.org/mitigations/M1030"}, {"name": "Restrict File and Directory Permissions", "description": "Restrict access by setting directory and file permissions that are not specific to users or privileged accounts.", "url": "https://attack.mitre.org/mitigations/M1022"}]}, {"_id": "T1493", "mitigations": [{"name": "Encrypt Sensitive Information", "description": "Protect sensitive information with strong encryption.", "url": "https://attack.mitre.org/mitigations/M1041"}]}, {"_id": "T1132", "mitigations": [{"name": "Network Intrusion Prevention", "description": "Use intrusion detection signatures to block traffic at network boundaries.", "url": "https://attack.mitre.org/mitigations/M1031"}]}, {"_id": "T1496", "mitigations": [{"name": "Resource Hijacking Mitigation", "description": "Identify potentially malicious software and audit and/or block it by using whitelisting(Citation: Beechey 2010) tools, like AppLocker,(Citation: Windows Commands JPCERT)(Citation: NSA MS AppLocker) or Software Restriction Policies(Citation: Corio 2008) where appropriate.(Citation: TechNet Applocker vs SRP)", "url": ""}]}, {"_id": "T1147", "mitigations": [{"name": "Operating System Configuration", "description": "Make configuration changes related to the operating system or a common feature of the operating system that result in system hardening against techniques.", "url": "https://attack.mitre.org/mitigations/M1028"}]}, {"_id": "T1500", "mitigations": [{"name": "Compile After Delivery Mitigation", "description": "This type of technique cannot be easily mitigated with preventive controls or patched since it is based on the abuse of operating system design features. 
For example, blocking all file compilation may have unintended side effects, such as preventing legitimate OS frameworks and code development mechanisms from operating properly. Consider removing compilers if not needed, otherwise efforts should be focused on preventing adversary tools from running earlier in the chain of activity and on identifying subsequent malicious behavior.", "url": ""}]}, {"_id": "T1223", "mitigations": [{"name": "Restrict Web-Based Content", "description": "Restrict use of certain websites, block downloads/attachments, block Javascript, restrict browser extensions, etc.", "url": "https://attack.mitre.org/mitigations/M1021"}, {"name": "Execution Prevention", "description": "Block execution of code on a system through application whitelisting, blacklisting, and/or script blocking.", "url": "https://attack.mitre.org/mitigations/M1038"}]}, {"_id": "T1213", "mitigations": [{"name": "User Training", "description": "Train users to to be aware of access or manipulation attempts by an adversary to reduce the risk of successful spearphishing, social engineering, and other techniques that involve user interaction.", "url": "https://attack.mitre.org/mitigations/M1017"}, {"name": "User Account Management", "description": "Manage the creation, modification, use, and permissions associated to user accounts.", "url": "https://attack.mitre.org/mitigations/M1018"}, {"name": "Audit", "description": "Perform audits or scans of systems, permissions, insecure software, insecure configurations, etc. 
to identify potential weaknesses.", "url": "https://attack.mitre.org/mitigations/M1047"}]}, {"_id": "T1146", "mitigations": [{"name": "Environment Variable Permissions", "description": "Prevent modification of environment variables by unauthorized users and groups.", "url": "https://attack.mitre.org/mitigations/M1039"}, {"name": "Restrict File and Directory Permissions", "description": "Restrict access by setting directory and file permissions that are not specific to users or privileged accounts.", "url": "https://attack.mitre.org/mitigations/M1022"}]}, {"_id": "T1519", "mitigations": [{"name": "Disable or Remove Feature or Program", "description": "Remove or deny access to unnecessary and potentially vulnerable software to prevent abuse by adversaries.", "url": "https://attack.mitre.org/mitigations/M1042"}]}, {"_id": "T1194", "mitigations": [{"name": "Antivirus/Antimalware", "description": "Use signatures or heuristics to detect malicious software.", "url": "https://attack.mitre.org/mitigations/M1049"}, {"name": "Restrict Web-Based Content", "description": "Restrict use of certain websites, block downloads/attachments, block Javascript, restrict browser extensions, etc.", "url": "https://attack.mitre.org/mitigations/M1021"}, {"name": "User Training", "description": "Train users to to be aware of access or manipulation attempts by an adversary to reduce the risk of successful spearphishing, social engineering, and other techniques that involve user interaction.", "url": "https://attack.mitre.org/mitigations/M1017"}]}, {"_id": "T1200", "mitigations": [{"name": "Limit Access to Resource Over Network", "description": "Prevent access to file shares, remote access to systems, unnecessary services. 
Mechanisms to limit access may include use of network concentrators, RDP gateways, etc.", "url": "https://attack.mitre.org/mitigations/M1035"}, {"name": "Limit Hardware Installation", "description": "Block users or groups from installing or using unapproved hardware on systems, including USB devices.", "url": "https://attack.mitre.org/mitigations/M1034"}]}, {"_id": "T1505", "mitigations": [{"name": "Code Signing", "description": "Enforce binary and application integrity with digital signature verification to prevent untrusted code from executing.", "url": "https://attack.mitre.org/mitigations/M1045"}, {"name": "Audit", "description": "Perform audits or scans of systems, permissions, insecure software, insecure configurations, etc. to identify potential weaknesses.", "url": "https://attack.mitre.org/mitigations/M1047"}, {"name": "Privileged Account Management", "description": "Manage the creation, modification, use, and permissions associated to privileged accounts, including SYSTEM and root.", "url": "https://attack.mitre.org/mitigations/M1026"}]}, {"_id": "T1485", "mitigations": [{"name": "Data Backup", "description": "Take and store data backups from end user systems and critical servers. Ensure backup and storage systems are hardened and kept separate from the corporate network to prevent compromise.", "url": "https://attack.mitre.org/mitigations/M1053"}]}, {"_id": "T1537", "mitigations": [{"name": "Password Policies", "description": "Set and enforce secure password policies for accounts.", "url": "https://attack.mitre.org/mitigations/M1027"}, {"name": "User Account Management", "description": "Manage the creation, modification, use, and permissions associated to user accounts.", "url": "https://attack.mitre.org/mitigations/M1018"}, {"name": "Filter Network Traffic", "description": "Use network appliances to filter ingress or egress traffic and perform protocol-based filtering. 
Configure software on endpoints to filter network traffic.", "url": "https://attack.mitre.org/mitigations/M1037"}]}, {"_id": "T1130", "mitigations": [{"name": "Operating System Configuration", "description": "Make configuration changes related to the operating system or a common feature of the operating system that result in system hardening against techniques.", "url": "https://attack.mitre.org/mitigations/M1028"}, {"name": "Software Configuration", "description": "Implement configuration changes to software (other than the operating system) to mitigate security risks associated to how the software operates.", "url": "https://attack.mitre.org/mitigations/M1054"}]}, {"_id": "T1022", "mitigations": [{"name": "Data Encrypted Mitigation", "description": "Identify unnecessary system utilities, third-party tools, or potentially malicious software that may be used to encrypt files, and audit and/or block them by using whitelisting (Citation: Beechey 2010) tools, like AppLocker, (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) or Software Restriction Policies (Citation: Corio 2008) where appropriate. 
(Citation: TechNet Applocker vs SRP)", "url": ""}]}, {"_id": "T1189", "mitigations": [{"name": "Exploit Protection", "description": "Use capabilities to detect and block conditions that may lead to or be indicative of a software exploit occurring.", "url": "https://attack.mitre.org/mitigations/M1050"}, {"name": "Update Software", "description": "Perform regular software updates to mitigate exploitation risk.", "url": "https://attack.mitre.org/mitigations/M1051"}, {"name": "Application Isolation and Sandboxing", "description": "Restrict execution of code to a virtual environment on or in transit to an endpoint system.", "url": "https://attack.mitre.org/mitigations/M1048"}, {"name": "Restrict Web-Based Content", "description": "Restrict use of certain websites, block downloads/attachments, block Javascript, restrict browser extensions, etc.", "url": "https://attack.mitre.org/mitigations/M1021"}]}, {"_id": "T1498", "mitigations": [{"name": "Filter Network Traffic", "description": "Use network appliances to filter ingress or egress traffic and perform protocol-based filtering. 
Configure software on endpoints to filter network traffic.", "url": "https://attack.mitre.org/mitigations/M1037"}]}, {"_id": "T1158", "mitigations": [{"name": "Hidden Files and Directories Mitigation", "description": "Mitigation of this technique may be difficult and unadvised due to the the legitimate use of hidden files and directories.", "url": ""}]}, {"_id": "T1221", "mitigations": [{"name": "Antivirus/Antimalware", "description": "Use signatures or heuristics to detect malicious software.", "url": "https://attack.mitre.org/mitigations/M1049"}, {"name": "Network Intrusion Prevention", "description": "Use intrusion detection signatures to block traffic at network boundaries.", "url": "https://attack.mitre.org/mitigations/M1031"}, {"name": "User Training", "description": "Train users to to be aware of access or manipulation attempts by an adversary to reduce the risk of successful spearphishing, social engineering, and other techniques that involve user interaction.", "url": "https://attack.mitre.org/mitigations/M1017"}, {"name": "Disable or Remove Feature or Program", "description": "Remove or deny access to unnecessary and potentially vulnerable software to prevent abuse by adversaries.", "url": "https://attack.mitre.org/mitigations/M1042"}]}, {"_id": "T1134", "mitigations": [{"name": "User Account Management", "description": "Manage the creation, modification, use, and permissions associated to user accounts.", "url": "https://attack.mitre.org/mitigations/M1018"}, {"name": "Privileged Account Management", "description": "Manage the creation, modification, use, and permissions associated to privileged accounts, including SYSTEM and root.", "url": "https://attack.mitre.org/mitigations/M1026"}]}, {"_id": "T1209", "mitigations": [{"name": "Restrict File and Directory Permissions", "description": "Restrict access by setting directory and file permissions that are not specific to users or privileged accounts.", "url": "https://attack.mitre.org/mitigations/M1022"}, 
{"name": "Restrict Registry Permissions", "description": "Restrict the ability to modify certain hives or keys in the Windows Registry.", "url": "https://attack.mitre.org/mitigations/M1024"}]}, {"_id": "T1111", "mitigations": [{"name": "User Training", "description": "Train users to to be aware of access or manipulation attempts by an adversary to reduce the risk of successful spearphishing, social engineering, and other techniques that involve user interaction.", "url": "https://attack.mitre.org/mitigations/M1017"}]}, {"_id": "T1159", "mitigations": [{"name": "User Account Management", "description": "Manage the creation, modification, use, and permissions associated to user accounts.", "url": "https://attack.mitre.org/mitigations/M1018"}]}, {"_id": "T1136", "mitigations": [{"name": "Network Segmentation", "description": "Architect sections of the network to isolate critical systems, functions, or resources. Use physical and logical segmentation to prevent access to potentially sensitive systems and information. 
Use a DMZ to contain any internet-facing services that should not be exposed from the internal network.", "url": "https://attack.mitre.org/mitigations/M1030"}, {"name": "Operating System Configuration", "description": "Make configuration changes related to the operating system or a common feature of the operating system that result in system hardening against techniques.", "url": "https://attack.mitre.org/mitigations/M1028"}, {"name": "Multi-factor Authentication", "description": "Use two or more pieces of evidence to authenticate to a system; such as username and password in addition to a token from a physical smart card or token generator.", "url": "https://attack.mitre.org/mitigations/M1032"}, {"name": "Privileged Account Management", "description": "Manage the creation, modification, use, and permissions associated to privileged accounts, including SYSTEM and root.", "url": "https://attack.mitre.org/mitigations/M1026"}]}, {"_id": "T1526", "mitigations": []}, {"_id": "T1151", "mitigations": [{"name": "Space after Filename Mitigation", "description": "Prevent files from having a trailing space after the extension.", "url": ""}]}, {"_id": "T1018", "mitigations": [{"name": "Remote System Discovery Mitigation", "description": "Identify unnecessary system utilities or potentially malicious software that may be used to acquire information on remotely available systems, and audit and/or block them by using whitelisting (Citation: Beechey 2010) tools, like AppLocker, (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) or Software Restriction Policies (Citation: Corio 2008) where appropriate. 
(Citation: TechNet Applocker vs SRP)", "url": ""}]}, {"_id": "T1046", "mitigations": [{"name": "Disable or Remove Feature or Program", "description": "Remove or deny access to unnecessary and potentially vulnerable software to prevent abuse by adversaries.", "url": "https://attack.mitre.org/mitigations/M1042"}, {"name": "Network Intrusion Prevention", "description": "Use intrusion detection signatures to block traffic at network boundaries.", "url": "https://attack.mitre.org/mitigations/M1031"}, {"name": "Network Segmentation", "description": "Architect sections of the network to isolate critical systems, functions, or resources. Use physical and logical segmentation to prevent access to potentially sensitive systems and information. Use a DMZ to contain any internet-facing services that should not be exposed from the internal network.", "url": "https://attack.mitre.org/mitigations/M1030"}]}, {"_id": "T1518", "mitigations": []}, {"_id": "T1538", "mitigations": [{"name": "User Account Management", "description": "Manage the creation, modification, use, and permissions associated to user accounts.", "url": "https://attack.mitre.org/mitigations/M1018"}]}, {"_id": "T1052", "mitigations": [{"name": "Disable or Remove Feature or Program", "description": "Remove or deny access to unnecessary and potentially vulnerable software to prevent abuse by adversaries.", "url": "https://attack.mitre.org/mitigations/M1042"}]}, {"_id": "T1105", "mitigations": [{"name": "Network Intrusion Prevention", "description": "Use intrusion detection signatures to block traffic at network boundaries.", "url": "https://attack.mitre.org/mitigations/M1031"}]}, {"_id": "T1126", "mitigations": [{"name": "Network Share Connection Removal Mitigation", "description": "Follow best practices for mitigation of activity related to establishing [Windows Admin Shares](https://attack.mitre.org/techniques/T1077). 
", "url": ""}]}, {"_id": "T1084", "mitigations": [{"name": "Privileged Account Management", "description": "Manage the creation, modification, use, and permissions associated to privileged accounts, including SYSTEM and root.", "url": "https://attack.mitre.org/mitigations/M1026"}, {"name": "User Account Management", "description": "Manage the creation, modification, use, and permissions associated to user accounts.", "url": "https://attack.mitre.org/mitigations/M1018"}]}, {"_id": "T1160", "mitigations": [{"name": "User Account Management", "description": "Manage the creation, modification, use, and permissions associated to user accounts.", "url": "https://attack.mitre.org/mitigations/M1018"}]}, {"_id": "T1484", "mitigations": [{"name": "Audit", "description": "Perform audits or scans of systems, permissions, insecure software, insecure configurations, etc. to identify potential weaknesses.", "url": "https://attack.mitre.org/mitigations/M1047"}, {"name": "User Account Management", "description": "Manage the creation, modification, use, and permissions associated to user accounts.", "url": "https://attack.mitre.org/mitigations/M1018"}]}, {"_id": "T1220", "mitigations": [{"name": "Execution Prevention", "description": "Block execution of code on a system through application whitelisting, blacklisting, and/or script blocking.", "url": "https://attack.mitre.org/mitigations/M1038"}]}, {"_id": "T1173", "mitigations": [{"name": "Disable or Remove Feature or Program", "description": "Remove or deny access to unnecessary and potentially vulnerable software to prevent abuse by adversaries.", "url": "https://attack.mitre.org/mitigations/M1042"}, {"name": "Behavior Prevention on Endpoint", "description": "Use capabilities to prevent suspicious behavior patterns from occurring on endpoint systems. This could include suspicious process, file, API call, etc. 
behavior.", "url": "https://attack.mitre.org/mitigations/M1040"}, {"name": "Application Isolation and Sandboxing", "description": "Restrict execution of code to a virtual environment on or in transit to an endpoint system.", "url": "https://attack.mitre.org/mitigations/M1048"}, {"name": "Software Configuration", "description": "Implement configuration changes to software (other than the operating system) to mitigate security risks associated to how the software operates.", "url": "https://attack.mitre.org/mitigations/M1054"}]}, {"_id": "T1008", "mitigations": [{"name": "Network Intrusion Prevention", "description": "Use intrusion detection signatures to block traffic at network boundaries.", "url": "https://attack.mitre.org/mitigations/M1031"}]}, {"_id": "T1096", "mitigations": [{"name": "Restrict File and Directory Permissions", "description": "Restrict access by setting directory and file permissions that are not specific to users or privileged accounts.", "url": "https://attack.mitre.org/mitigations/M1022"}]}, {"_id": "T1124", "mitigations": [{"name": "System Time Discovery Mitigation", "description": "Benign software uses legitimate processes to gather system time. Efforts should be focused on preventing unwanted or unknown code from executing on a system. 
Some common tools, such as net.exe, may be blocked by policy to prevent common ways of acquiring remote system time.", "url": ""}]}, {"_id": "T1035", "mitigations": [{"name": "Privileged Account Management", "description": "Manage the creation, modification, use, and permissions associated to privileged accounts, including SYSTEM and root.", "url": "https://attack.mitre.org/mitigations/M1026"}, {"name": "Restrict File and Directory Permissions", "description": "Restrict access by setting directory and file permissions that are not specific to users or privileged accounts.", "url": "https://attack.mitre.org/mitigations/M1022"}]}, {"_id": "T1086", "mitigations": [{"name": "Disable or Remove Feature or Program", "description": "Remove or deny access to unnecessary and potentially vulnerable software to prevent abuse by adversaries.", "url": "https://attack.mitre.org/mitigations/M1042"}, {"name": "Code Signing", "description": "Enforce binary and application integrity with digital signature verification to prevent untrusted code from executing.", "url": "https://attack.mitre.org/mitigations/M1045"}, {"name": "Privileged Account Management", "description": "Manage the creation, modification, use, and permissions associated to privileged accounts, including SYSTEM and root.", "url": "https://attack.mitre.org/mitigations/M1026"}]}, {"_id": "T1495", "mitigations": [{"name": "Update Software", "description": "Perform regular software updates to mitigate exploitation risk.", "url": "https://attack.mitre.org/mitigations/M1051"}, {"name": "Privileged Account Management", "description": "Manage the creation, modification, use, and permissions associated to privileged accounts, including SYSTEM and root.", "url": "https://attack.mitre.org/mitigations/M1026"}, {"name": "Boot Integrity", "description": "Use secure methods to boot a system and verify the integrity of the operating system and loading mechanisms.", "url": "https://attack.mitre.org/mitigations/M1046"}]}, {"_id": 
"T1490", "mitigations": [{"name": "Operating System Configuration", "description": "Make configuration changes related to the operating system or a common feature of the operating system that result in system hardening against techniques.", "url": "https://attack.mitre.org/mitigations/M1028"}, {"name": "Data Backup", "description": "Take and store data backups from end user systems and critical servers. Ensure backup and storage systems are hardened and kept separate from the corporate network to prevent compromise.", "url": "https://attack.mitre.org/mitigations/M1053"}]}, {"_id": "T1216", "mitigations": [{"name": "Execution Prevention", "description": "Block execution of code on a system through application whitelisting, blacklisting, and/or script blocking.", "url": "https://attack.mitre.org/mitigations/M1038"}]}, {"_id": "T1094", "mitigations": [{"name": "Filter Network Traffic", "description": "Use network appliances to filter ingress or egress traffic and perform protocol-based filtering. Configure software on endpoints to filter network traffic.", "url": "https://attack.mitre.org/mitigations/M1037"}, {"name": "Network Segmentation", "description": "Architect sections of the network to isolate critical systems, functions, or resources. Use physical and logical segmentation to prevent access to potentially sensitive systems and information. 
Use a DMZ to contain any internet-facing services that should not be exposed from the internal network.", "url": "https://attack.mitre.org/mitigations/M1030"}, {"name": "Network Intrusion Prevention", "description": "Use intrusion detection signatures to block traffic at network boundaries.", "url": "https://attack.mitre.org/mitigations/M1031"}]}, {"_id": "T1118", "mitigations": [{"name": "Disable or Remove Feature or Program", "description": "Remove or deny access to unnecessary and potentially vulnerable software to prevent abuse by adversaries.", "url": "https://attack.mitre.org/mitigations/M1042"}, {"name": "Execution Prevention", "description": "Block execution of code on a system through application whitelisting, blacklisting, and/or script blocking.", "url": "https://attack.mitre.org/mitigations/M1038"}]}, {"_id": "T1043", "mitigations": [{"name": "Network Segmentation", "description": "Architect sections of the network to isolate critical systems, functions, or resources. Use physical and logical segmentation to prevent access to potentially sensitive systems and information. 
Use a DMZ to contain any internet-facing services that should not be exposed from the internal network.", "url": "https://attack.mitre.org/mitigations/M1030"}, {"name": "Network Intrusion Prevention", "description": "Use intrusion detection signatures to block traffic at network boundaries.", "url": "https://attack.mitre.org/mitigations/M1031"}]}, {"_id": "T1211", "mitigations": [{"name": "Exploit Protection", "description": "Use capabilities to detect and block conditions that may lead to or be indicative of a software exploit occurring.", "url": "https://attack.mitre.org/mitigations/M1050"}, {"name": "Update Software", "description": "Perform regular software updates to mitigate exploitation risk.", "url": "https://attack.mitre.org/mitigations/M1051"}, {"name": "Threat Intelligence Program", "description": "A threat intelligence program helps an organization generate their own threat intelligence information and track trends to inform defensive priorities to mitigate risk.", "url": "https://attack.mitre.org/mitigations/M1019"}, {"name": "Application Isolation and Sandboxing", "description": "Restrict execution of code to a virtual environment on or in transit to an endpoint system.", "url": "https://attack.mitre.org/mitigations/M1048"}]}, {"_id": "T1127", "mitigations": [{"name": "Execution Prevention", "description": "Block execution of code on a system through application whitelisting, blacklisting, and/or script blocking.", "url": "https://attack.mitre.org/mitigations/M1038"}, {"name": "Disable or Remove Feature or Program", "description": "Remove or deny access to unnecessary and potentially vulnerable software to prevent abuse by adversaries.", "url": "https://attack.mitre.org/mitigations/M1042"}]}, {"_id": "T1529", "mitigations": []}, {"_id": "T1077", "mitigations": [{"name": "Privileged Account Management", "description": "Manage the creation, modification, use, and permissions associated to privileged accounts, including SYSTEM and root.", "url": 
"https://attack.mitre.org/mitigations/M1026"}, {"name": "Password Policies", "description": "Set and enforce secure password policies for accounts.", "url": "https://attack.mitre.org/mitigations/M1027"}]}] diff --git a/monkey/monkey_island/cc/setup/mongo/database_initializer.py b/monkey/monkey_island/cc/setup/mongo/database_initializer.py index 32e3c8486..4e339aad7 100644 --- a/monkey/monkey_island/cc/setup/mongo/database_initializer.py +++ b/monkey/monkey_island/cc/setup/mongo/database_initializer.py @@ -35,20 +35,5 @@ def _try_store_mitigations_on_mongo(): def _store_mitigations_on_mongo(): - stix2_mitigations = MitreApiInterface.get_all_mitigations() - mongo_mitigations = AttackMitigations.dict_from_stix2_attack_patterns( - MitreApiInterface.get_all_attack_techniques() - ) - mitigation_technique_relationships = ( - MitreApiInterface.get_technique_and_mitigation_relationships() - ) - for relationship in mitigation_technique_relationships: - mongo_mitigations[relationship["target_ref"]].add_mitigation( - stix2_mitigations[relationship["source_ref"]] - ) - for relationship in mitigation_technique_relationships: - mongo_mitigations[relationship["target_ref"]].add_no_mitigations_info( - stix2_mitigations[relationship["source_ref"]] - ) - for key, mongo_object in mongo_mitigations.items(): - mongo_object.save() + # TODO: import attack mitigations + pass diff --git a/monkey/monkey_island/monkey_island.spec b/monkey/monkey_island/monkey_island.spec index 624d08ffa..756b5ae2c 100644 --- a/monkey/monkey_island/monkey_island.spec +++ b/monkey/monkey_island/monkey_island.spec 
@@ -13,7 +13,7 @@ def main():
 # The format of the tuples is (src, dest_dir). See https://pythonhosted.org/PyInstaller/spec-files.html#adding-data-files
 added_datas = [
 ("../common/BUILD", "/common"),
- ("../monkey_island/cc/services/attack/attack_data", "/monkey_island/cc/services/attack/attack_data")
+ ("../monkey_island/cc/services/mongo/attack_mitigations.json", "/monkey_island/cc/services/mongo/attack_mitigations.json")
 ]
 a = Analysis(['main.py'],
diff --git a/monkey/tests/unit_tests/monkey_island/cc/services/attack/test_mitre_api_interface.py b/monkey/tests/unit_tests/monkey_island/cc/services/attack/test_mitre_api_interface.py
index f93afc8d5..24f516198 100644
--- a/monkey/tests/unit_tests/monkey_island/cc/services/attack/test_mitre_api_interface.py
+++ b/monkey/tests/unit_tests/monkey_island/cc/services/attack/test_mitre_api_interface.py
@@ -1,14 +1,18 @@
-import pytest
+import json
+from pathlib import Path
-from monkey_island.cc.services.attack.mitre_api_interface import MitreApiInterface
+from monkey_island.cc.server_utils.consts import MONKEY_ISLAND_ABS_PATH
-@pytest.mark.slow
 def test_get_all_mitigations():
- mitigations = MitreApiInterface.get_all_mitigations()
- assert len(mitigations.items()) >= 282
- mitigation = next(iter(mitigations.values()))
- assert mitigation["type"] == "course-of-action"
- assert mitigation["name"] is not None
- assert mitigation["description"] is not None
- assert mitigation["external_references"] is not None
+ attack_mitigation_path = (
+ Path(MONKEY_ISLAND_ABS_PATH) / "cc" / "setup" / "mongo" / "attack_mitigations.json"
+ )
+
+ with open(attack_mitigation_path) as mitigations:
+ mitigations = json.load(mitigations)
+ assert len(mitigations) >= 266
+ mitigation = next(iter(mitigations))["mitigations"][0]
+ assert mitigation["name"] is not None
+ assert mitigation["description"] is not None
+ assert mitigation["url"] is not None
From 2a9d9938cd61e629ceff07d1f06ce770f6eeb2ed Mon Sep 17 00:00:00 2001
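Review bot: The replacement data path on the `+` line points at `cc/services/mongo/attack_mitigations.json`, while every other reader of that file in this series resolves `cc/setup/mongo/attack_mitigations.json` (the test in the next hunk, and the `ATTACK_MITIGATION_PATH` constant added to `database_initializer.py` in PATCH 09). If the source file lives under `cc/setup/mongo`, I expect PyInstaller's `Analysis` to fail the build on the missing data source or, at best, bundle nothing where the Island looks for it, so the frozen Island would start without mitigations; the spec hunk alone does not show where the file is, so this is inferred from the other hunks. Suggest `("../monkey_island/cc/setup/mongo/attack_mitigations.json", "/monkey_island/cc/setup/mongo/attack_mitigations.json")`. The `added_datas` list sits in a block that continues outside the hunk.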
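Review bot: In the new `test_get_all_mitigations`, `with open(attack_mitigation_path) as mitigations:` binds the file handle to `mitigations` and the very next line rebinds the same name to the parsed list, so one identifier means two different things within three lines; `with open(attack_mitigation_path) as f: mitigations = json.load(f)` reads better. The `is not None` assertions also test little, since a missing key raises `KeyError` before the comparison is reached; `assert isinstance(mitigation["name"], str)` (and the same for `description` and `url`) pins the actual contract. The same test body, with the same shadowing, is copied verbatim into `test_database_initializer.py` in PATCH 09.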
From: Mike Salvatore Date: Wed, 29 Sep 2021 09:29:36 -0400 Subject: [PATCH 07/22] Deployment: Move dump_attack_mitigations into a subdirectory
--- .../{ => dump_attack_mitigations}/attack_mitigations.py | 0 .../{ => dump_attack_mitigations}/dump_attack_mitigations.py | 0 2 files changed, 0 insertions(+), 0 deletions(-) rename deployment_scripts/{ => dump_attack_mitigations}/attack_mitigations.py (100%) rename deployment_scripts/{ => dump_attack_mitigations}/dump_attack_mitigations.py (100%)
diff --git a/deployment_scripts/attack_mitigations.py b/deployment_scripts/dump_attack_mitigations/attack_mitigations.py
similarity index 100%
rename from deployment_scripts/attack_mitigations.py
rename to deployment_scripts/dump_attack_mitigations/attack_mitigations.py
diff --git a/deployment_scripts/dump_attack_mitigations.py b/deployment_scripts/dump_attack_mitigations/dump_attack_mitigations.py
similarity index 100%
rename from deployment_scripts/dump_attack_mitigations.py
rename to deployment_scripts/dump_attack_mitigations/dump_attack_mitigations.py
From c93d5037b27ccfba2261094cbba1f0c1b5296b5d Mon Sep 17 00:00:00 2001
From: Mike Salvatore Date: Wed, 29 Sep 2021 10:05:53 -0400 Subject: [PATCH 08/22] Island: Remove unused attack mitigations import code
--- .../cc/models/attack/__init__.py | 1 + .../cc/models/attack/attack_mitigations.py | 38 ++----------------- .../cc/models/attack/mitigation.py | 13 ++----- .../cc/services/attack/mitre_api_interface.py | 14 ------- 4 files changed, 7 insertions(+), 59 deletions(-) delete mode 100644 monkey/monkey_island/cc/services/attack/mitre_api_interface.py
diff --git a/monkey/monkey_island/cc/models/attack/__init__.py b/monkey/monkey_island/cc/models/attack/__init__.py
index e69de29bb..692107917 100644
--- a/monkey/monkey_island/cc/models/attack/__init__.py
+++ b/monkey/monkey_island/cc/models/attack/__init__.py
@@ -0,0 +1 @@
+from monkey_island.cc.models.attack.mitigation import Mitigation
diff --git a/monkey/monkey_island/cc/models/attack/attack_mitigations.py b/monkey/monkey_island/cc/models/attack/attack_mitigations.py
index 9d09aae5a..9c7964863 100644
--- a/monkey/monkey_island/cc/models/attack/attack_mitigations.py
+++ b/monkey/monkey_island/cc/models/attack/attack_mitigations.py
@@ -1,12 +1,9 @@
-from typing import Dict
-
 from mongoengine import Document, DoesNotExist, EmbeddedDocumentField, ListField, StringField
-from stix2 import AttackPattern, CourseOfAction
-
-
-from monkey_island.cc.models.attack.mitigation import Mitigation
-from monkey_island.cc.services.attack.mitre_api_interface import MitreApiInterface
+# Note: This model is duplicated in
+# deployment_scripts/dump_attack_mitigations/attack_mitigations.py. If the schema changes here, it
+# will also need to be changed there.
 class AttackMitigations(Document):
 COLLECTION_NAME = "attack_mitigations"
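Review bot: The hunk removes `from monkey_island.cc.models.attack.mitigation import Mitigation` while keeping `EmbeddedDocumentField` and `ListField` in the mongoengine import and leaving the `self.mitigations` field the deleted methods appended to; if that field is still declared as `ListField(EmbeddedDocumentField(Mitigation))` in the part of the class outside this hunk, `Mitigation` is now unbound and importing the model raises `NameError`. The `Mitigation` re-export added to `cc/models/attack/__init__.py` in this same patch does not put the name into this module's namespace. Either keep `from monkey_island.cc.models.attack.mitigation import Mitigation` or, if the field no longer references it, drop the now-unused `EmbeddedDocumentField`/`ListField` imports too. The class body continues past the end of the hunk, so I cannot confirm which case applies.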
@@ -19,32 +16,3 @@ class AttackMitigations(Document):
 return AttackMitigations.objects.get(technique_id=technique_id)
 except DoesNotExist:
 raise Exception("Attack technique with id {} does not exist!".format(technique_id))
-
- def add_mitigation(self, mitigation: CourseOfAction):
- mitigation_external_ref_id = MitreApiInterface.get_stix2_external_reference_id(mitigation)
- if mitigation_external_ref_id.startswith("M"):
- self.mitigations.append(Mitigation.get_from_stix2_data(mitigation))
-
- def add_no_mitigations_info(self, mitigation: CourseOfAction):
- mitigation_external_ref_id = MitreApiInterface.get_stix2_external_reference_id(mitigation)
- if mitigation_external_ref_id.startswith("T") and len(self.mitigations) == 0:
- mitigation_mongo_object = Mitigation.get_from_stix2_data(mitigation)
- mitigation_mongo_object["description"] = mitigation_mongo_object[
- "description"
- ].splitlines()[0]
- mitigation_mongo_object["url"] = ""
- self.mitigations.append(mitigation_mongo_object)
-
- @staticmethod
- def mitigations_from_attack_pattern(attack_pattern: AttackPattern):
- return AttackMitigations(
- technique_id=MitreApiInterface.get_stix2_external_reference_id(attack_pattern),
- mitigations=[],
- )
-
- @staticmethod
- def dict_from_stix2_attack_patterns(stix2_dict: Dict[str, AttackPattern]):
- return {
- key: AttackMitigations.mitigations_from_attack_pattern(attack_pattern)
- for key, attack_pattern in stix2_dict.items()
- }
diff --git a/monkey/monkey_island/cc/models/attack/mitigation.py b/monkey/monkey_island/cc/models/attack/mitigation.py
index 8a0a1f019..aadc9f48c 100644
--- a/monkey/monkey_island/cc/models/attack/mitigation.py
+++ b/monkey/monkey_island/cc/models/attack/mitigation.py
@@ -1,17 +1,10 @@
 from mongoengine import EmbeddedDocument, StringField
-from stix2 import CourseOfAction
-
-from monkey_island.cc.services.attack.mitre_api_interface import MitreApiInterface
+# Note: This model is duplicated in
+# deployment_scripts/dump_attack_mitigations/attack_mitigations.py. If the schema changes here, it
+# will also need to be changed there.
 class Mitigation(EmbeddedDocument):
 name = StringField(required=True)
 description = StringField(required=True)
 url = StringField()
-
- @staticmethod
- def get_from_stix2_data(mitigation: CourseOfAction):
- name = mitigation["name"]
- description = mitigation["description"]
- url = MitreApiInterface.get_stix2_external_reference_url(mitigation)
- return Mitigation(name=name, description=description, url=url)
diff --git a/monkey/monkey_island/cc/services/attack/mitre_api_interface.py b/monkey/monkey_island/cc/services/attack/mitre_api_interface.py
deleted file mode 100644
index 48ecb7c9a..000000000
--- a/monkey/monkey_island/cc/services/attack/mitre_api_interface.py
+++ /dev/null
@@ -1,14 +0,0 @@
-class MitreApiInterface:
- @staticmethod
- def get_stix2_external_reference_id(stix2_data) -> str:
- for reference in stix2_data["external_references"]:
- if reference["source_name"] == "mitre-attack" and "external_id" in reference:
- return reference["external_id"]
- return ""
-
- @staticmethod
- def get_stix2_external_reference_url(stix2_data) -> str:
- for reference in stix2_data["external_references"]:
- if "url" in reference:
- return reference["url"]
- return ""
From 8c1afcc2b42ca9d8ff5a049f19153346bfd1ff62 Mon Sep 17 00:00:00 2001
From: Ilija Lazoroski Date: Wed, 29 Sep 2021 19:31:35 +0200 Subject: [PATCH 09/22] Island: Add import attack mitigations Also UTs for reset_database from setup mongo.
--- .../cc/setup/mongo/database_initializer.py | 20 +++++- .../mongo_mitigations/attack_mitigations.json | 1 + .../mongo_mitigations/invalid_mitigation | 1 + .../attack/test_mitre_api_interface.py | 18 ------ .../setup/mongo/test_database_initializer.py | 61 +++++++++++++++++++ 5 files changed, 80 insertions(+), 21 deletions(-) create mode 100644 monkey/tests/data_for_tests/mongo_mitigations/attack_mitigations.json create mode 100644 monkey/tests/data_for_tests/mongo_mitigations/invalid_mitigation delete mode 100644 monkey/tests/unit_tests/monkey_island/cc/services/attack/test_mitre_api_interface.py create mode 100644 monkey/tests/unit_tests/monkey_island/cc/setup/mongo/test_database_initializer.py
diff --git a/monkey/monkey_island/cc/setup/mongo/database_initializer.py b/monkey/monkey_island/cc/setup/mongo/database_initializer.py
index 4e339aad7..761617a08 100644
--- a/monkey/monkey_island/cc/setup/mongo/database_initializer.py
+++ b/monkey/monkey_island/cc/setup/mongo/database_initializer.py
@@ -1,14 +1,23 @@
+import json
 import logging
+from pathlib import Path
 from pymongo import errors
 from monkey_island.cc.database import mongo
 from monkey_island.cc.models.attack.attack_mitigations import AttackMitigations
-from monkey_island.cc.services.attack.mitre_api_interface import MitreApiInterface
 from monkey_island.cc.services.database import Database
+from monkey_island.cc.server_utils.consts import MONKEY_ISLAND_ABS_PATH
 logger = logging.getLogger(__name__)
+ATTACK_MITIGATION_PATH = (
+ Path(MONKEY_ISLAND_ABS_PATH)
+ / "cc"
+ / "setup"
+ / "mongo"
+ / f"{AttackMitigations.COLLECTION_NAME}.json"
+)
 def reset_database():
 Database.reset_db()
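Review bot: The new import `from monkey_island.cc.server_utils.consts import MONKEY_ISLAND_ABS_PATH` is placed after `monkey_island.cc.services.database`, so the first-party group is no longer alphabetical (`server_utils` sorts before `services`) and an isort check will reorder it; moving it one line up keeps the group sorted. `ATTACK_MITIGATION_PATH` also deserves a comment saying where the file comes from, since nothing in this module produces it and the name alone does not tell a maintainer the data is pre-generated: `# Pre-generated ATT&CK mitigations; see deployment_scripts/dump_attack_mitigations/dump_attack_mitigations.py to regenerate.` (the dump script is the producer as far as this series shows, confirm before wording it that way).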
@@ -35,5 +44,10 @@ def _try_store_mitigations_on_mongo():
 def _store_mitigations_on_mongo():
- # TODO: import attack mitigations
- pass
+ try:
+ with open(ATTACK_MITIGATION_PATH) as f:
+ file_data = json.load(f)
+ mongodb_collection = mongo.db[AttackMitigations.COLLECTION_NAME]
+ mongodb_collection.insert_many(file_data)
+ except json.decoder.JSONDecodeError as e:
+ raise Exception(f"Invalid attack mitigations {ATTACK_MITIGATION_PATH} file: {e}")
diff --git a/monkey/tests/data_for_tests/mongo_mitigations/attack_mitigations.json b/monkey/tests/data_for_tests/mongo_mitigations/attack_mitigations.json
new file mode 100644
index 000000000..dace1ebec
--- /dev/null
+++ b/monkey/tests/data_for_tests/mongo_mitigations/attack_mitigations.json
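Review bot: The `try` block wraps more than the parse it guards: `insert_many` runs inside both the `with open(...)` and the `try`, so the file stays open for the Mongo round-trip and a reader has to work out that a pymongo failure can never be the `JSONDecodeError` that is caught; parse first, then insert. The re-raise also drops the cause chain (`raise ... from e`), and `open()` without `encoding=` decodes with the platform default, which on Windows differs from the UTF-8 the dump script writes via `json_output.encode()` in PATCH 10 — harmless while the file is ASCII-only, wrong the day a description carries a non-ASCII character. A missing file (`FileNotFoundError`) is not handled here either; whether `_try_store_mitigations_on_mongo`, which starts outside the hunk, catches it I cannot tell from this hunk.
```python
def _store_mitigations_on_mongo():
    try:
        with open(ATTACK_MITIGATION_PATH, encoding="utf-8") as f:
            file_data = json.load(f)
    except json.decoder.JSONDecodeError as e:
        raise Exception(f"Invalid attack mitigations {ATTACK_MITIGATION_PATH} file: {e}") from e

    # Insert outside the try/with: a pymongo failure is not a parse error and should
    # surface as itself, and the file does not need to stay open for the round-trip.
    mongodb_collection = mongo.db[AttackMitigations.COLLECTION_NAME]
    mongodb_collection.insert_many(file_data)
```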
@@ -0,0 +1 @@ +[{"_id": "T1066", "mitigations": [{"name": "Indicator Removal from Tools Mitigation", "description": "Mitigation is difficult in instances like this because the adversary may have access to the system through another channel and can learn what techniques or tools are blocked by resident defenses. Exercising best practices with configuration and security as well as ensuring that proper process is followed during investigation of potential compromise is essential to detecting a larger intrusion through discrete alerts.", "url": ""}]}, {"_id": "T1047", "mitigations": [{"name": "Privileged Account Management", "description": "Manage the creation, modification, use, and permissions associated to privileged accounts, including SYSTEM and root.", "url": "https://attack.mitre.org/mitigations/M1026"}, {"name": "User Account Management", "description": "Manage the creation, modification, use, and permissions associated to user accounts.", "url": "https://attack.mitre.org/mitigations/M1018"}]}, {"_id": "T1156", "mitigations": [{"name": "Restrict File and Directory Permissions", "description": "Restrict access by setting directory and file permissions that are not specific to users or privileged accounts.", "url": "https://attack.mitre.org/mitigations/M1022"}]}] diff --git a/monkey/tests/data_for_tests/mongo_mitigations/invalid_mitigation b/monkey/tests/data_for_tests/mongo_mitigations/invalid_mitigation new file mode 100644 index 000000000..3f18637dc --- /dev/null +++ b/monkey/tests/data_for_tests/mongo_mitigations/invalid_mitigation @@ -0,0 +1 @@ +[{"_id": "T1066", "mitigations": [} diff --git a/monkey/tests/unit_tests/monkey_island/cc/services/attack/test_mitre_api_interface.py b/monkey/tests/unit_tests/monkey_island/cc/services/attack/test_mitre_api_interface.py deleted file mode 100644 index 24f516198..000000000 --- a/monkey/tests/unit_tests/monkey_island/cc/services/attack/test_mitre_api_interface.py +++ /dev/null 
@@ -1,18 +0,0 @@ -import json -from pathlib import Path - -from monkey_island.cc.server_utils.consts import MONKEY_ISLAND_ABS_PATH - - -def test_get_all_mitigations(): - attack_mitigation_path = ( - Path(MONKEY_ISLAND_ABS_PATH) / "cc" / "setup" / "mongo" / "attack_mitigations.json" - ) - - with open(attack_mitigation_path) as mitigations: - mitigations = json.load(mitigations) - assert len(mitigations) >= 266 - mitigation = next(iter(mitigations))["mitigations"][0] - assert mitigation["name"] is not None - assert mitigation["description"] is not None - assert mitigation["url"] is not None diff --git a/monkey/tests/unit_tests/monkey_island/cc/setup/mongo/test_database_initializer.py b/monkey/tests/unit_tests/monkey_island/cc/setup/mongo/test_database_initializer.py new file mode 100644 index 000000000..5388bdd8e --- /dev/null +++ b/monkey/tests/unit_tests/monkey_island/cc/setup/mongo/test_database_initializer.py 
@@ -0,0 +1,61 @@
+import json.decoder
+from pathlib import Path
+from unittest.mock import MagicMock
+
+import mongomock
+import pytest
+
+from monkey_island.cc.server_utils.consts import MONKEY_ISLAND_ABS_PATH
+from monkey_island.cc.setup.mongo.database_initializer import reset_database
+
+
+@pytest.fixture
+def fake_mongo(monkeypatch):
+ mongo = mongomock.MongoClient()
+ monkeypatch.setattr("monkey_island.cc.setup.mongo.database_initializer.mongo", mongo)
+ monkeypatch.setattr("monkey_island.cc.services.database.mongo", mongo)
+ return mongo
+
+
+@pytest.fixture
+def fake_config(monkeypatch):
+ monkeypatch.setattr("monkey_island.cc.services.config.ConfigService.init_config", lambda: None)
+ monkeypatch.setattr("monkey_island.cc.services.attack.attack_config.AttackConfig.reset_config", lambda: None)
+ monkeypatch.setattr("monkey_island.cc.services.database.jsonify", MagicMock(return_value=True))
+
+
+def test_store_mitigations_on_mongo(monkeypatch, data_for_tests_dir, fake_mongo, fake_config):
+ monkeypatch.setattr(
+ "monkey_island.cc.setup.mongo.database_initializer.ATTACK_MITIGATION_PATH",
+ Path(data_for_tests_dir) / "mongo_mitigations" / "attack_mitigations.json",
+ )
+ fake_mongo.db.validate_collection = MagicMock(return_value=True)
+ reset_database()
+
+ assert len(list(fake_mongo.db.attack_mitigations.find({}))) == 3
+
+
+def test_store_mitigations_on_mongo__invalid_mitigation(
+ monkeypatch, data_for_tests_dir, fake_mongo, fake_config
+):
+ monkeypatch.setattr(
+ "monkey_island.cc.setup.mongo.database_initializer.ATTACK_MITIGATION_PATH",
+ Path(data_for_tests_dir) / "mongo_mitigations" / "invalid_mitigation",
+ )
+ fake_mongo.db.validate_collection = MagicMock(return_value=True)
+ with pytest.raises(Exception):
+ reset_database()
+
+
+def test_get_all_mitigations():
+ attack_mitigation_path = (
+ Path(MONKEY_ISLAND_ABS_PATH) / "cc" / "setup" / "mongo" / "attack_mitigations.json"
+ )
+
+ with open(attack_mitigation_path) as mitigations:
+ mitigations = json.load(mitigations)
+ assert len(mitigations) >= 266
+ mitigation = next(iter(mitigations))["mitigations"][0]
+ assert mitigation["name"] is not None
+ assert mitigation["description"] is not None
+ assert mitigation["url"] is not None
From 45c66fe3093b0e1eb489213d5caed07f1c379c39 Mon Sep 17 00:00:00 2001
From: Mike Salvatore Date: Wed, 29 Sep 2021 20:20:24 -0400 Subject: [PATCH 10/22] Deployment: Include metadata in attack mitigations json dump
--- .../dump_attack_mitigations.py | 50 +++++++++++++++++-- 1 file changed, 46 insertions(+), 4 deletions(-)
diff --git a/deployment_scripts/dump_attack_mitigations/dump_attack_mitigations.py b/deployment_scripts/dump_attack_mitigations/dump_attack_mitigations.py
index a8c164ca5..c8e2b064a 100755
--- a/deployment_scripts/dump_attack_mitigations/dump_attack_mitigations.py
+++ b/deployment_scripts/dump_attack_mitigations/dump_attack_mitigations.py
@@ -1,4 +1,7 @@
 import argparse
+import json
+import subprocess
+import time
 from pathlib import Path
 from typing import Dict, List
@@ -21,7 +24,7 @@ def main():
 clean_collection(database)
 populate_attack_mitigations(database, Path(args.cti_repo))
- dump_attack_mitigations(database, Path(args.dump_file_path))
+ dump_attack_mitigations(database, Path(args.cti_repo), Path(args.dump_file_path))
 def parse_args():
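Review bot: `with pytest.raises(Exception):` in `test_store_mitigations_on_mongo__invalid_mitigation` accepts any exception, so a broken fixture, a wrong `monkeypatch.setattr` target or an `AttributeError` inside `reset_database` passes the test exactly as well as the parse failure it is meant to check; match the message the initializer raises instead: `with pytest.raises(Exception, match="Invalid attack mitigations"):`. In `fake_config`, the `AttackConfig.reset_config` line runs well past the width the rest of the file is wrapped at, so the formatter will re-flow it into a multi-line call. The duplicated `fake_mongo.db.validate_collection = MagicMock(return_value=True)` in both tests could live in the `fake_mongo` fixture, which is the object it patches.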
@@ -127,15 +130,54 @@ def get_technique_and_mitigation_relationships(attack_data_path: Path) -> List[C
 return all_techniques
-def dump_attack_mitigations(database: pymongo.database.Database, dump_file_path: Path):
+def dump_attack_mitigations(
+ database: pymongo.database.Database, cti_repo: Path, dump_file_path: Path
+):
 if not collection_exists(database, COLLECTION_NAME):
 raise Exception(f"Could not find collection: {COLLECTION_NAME}")
+ metadata = get_metadata(cti_repo)
+ data = get_data_from_database(database)
+
+ json_output = f'{{"metadata":{json.dumps(metadata)},"data":{json_util.dumps(data)}}}'
+
+ with open(dump_file_path, "wb") as jsonfile:
+ jsonfile.write(json_output.encode())
+
+
+def get_metadata(cti_repo: Path) -> dict:
+ timestamp = str(time.time())
+ commit_hash = get_commit_hash(cti_repo)
+ origin_url = get_origin_url(cti_repo)
+
+ return {"timestamp": timestamp, "commit_hash": commit_hash, "origin_url": origin_url}
+
+
+def get_commit_hash(cti_repo: Path) -> str:
+ return run_command(["git", "rev-parse", "--short", "HEAD"], cti_repo).strip()
+
+
+def get_origin_url(cti_repo: Path) -> str:
+ return run_command(["git", "remote", "get-url", "origin"], cti_repo).strip()
+
+
+def run_command(cmd: List, cwd: Path = None) -> str:
+ cp = subprocess.run(cmd, capture_output=True, cwd=cwd, encoding="utf-8")
+
+ if cp.returncode != 0:
+ raise Exception(
+ f"Error running command -- Command: {cmd} -- Return Code: {cp.returncode} -- stderr: "
+ f"{cp.stderr}"
+ )
+
+ return cp.stdout
+
+
+def get_data_from_database(database: pymongo.database.Database) -> pymongo.cursor.Cursor:
 collection = database.get_collection(COLLECTION_NAME)
 collection_contents = collection.find()
- with open(dump_file_path, "wb") as jsonfile:
- jsonfile.write(json_util.dumps(collection_contents).encode())
+ return collection_contents
 if __name__ == "__main__":
From 1748955213b8830bacc84afd2f35a20e6a9c631f Mon Sep 17 00:00:00 2001
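Review bot: `get_origin_url` copies the raw output of `git remote get-url origin` into the dump's metadata, and an HTTPS remote that was cloned with embedded credentials (`https://user:token@host/org/repo.git`) would carry that token straight into `attack_mitigations.json`, a file this series commits into the Island tree; strip the userinfo before recording the URL. `get_commit_hash` records `rev-parse --short HEAD`, and an abbreviated hash is only unique at the moment it is taken, so for provenance the full hash is the safer value: `return run_command(["git", "rev-parse", "HEAD"], cti_repo).strip()`. The rewrite below needs `from urllib.parse import urlsplit, urlunsplit` in the import block. Smaller points: `timestamp = str(time.time())` stores an epoch float as text where an ISO-8601 UTC string would be self-describing, and `json_output` splices two separately serialized documents into a hand-written f-string where `json_util.dumps({"metadata": metadata, "data": data})` would produce the same structure in one call.
```python
def get_commit_hash(cti_repo: Path) -> str:
    # Record the full hash: abbreviations are only unique at the time they are taken.
    return run_command(["git", "rev-parse", "HEAD"], cti_repo).strip()


def get_origin_url(cti_repo: Path) -> str:
    url = run_command(["git", "remote", "get-url", "origin"], cti_repo).strip()
    # Drop any user:token@ userinfo so credentials never end up in the committed dump.
    parts = urlsplit(url)
    if parts.username is None and parts.password is None:
        return url
    netloc = parts.hostname or ""
    if parts.port is not None:
        netloc = f"{netloc}:{parts.port}"
    return urlunsplit((parts.scheme, netloc, parts.path, parts.query, parts.fragment))
```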
From: Mike Salvatore Date: Wed, 29 Sep 2021 20:20:57 -0400 Subject: [PATCH 11/22] Island: Handle metadata in attack mitigations json --- monkey/monkey_island/cc/services/attack/attack_data | 1 + .../monkey_island/cc/setup/mongo/attack_mitigations.json | 2 +- .../monkey_island/cc/setup/mongo/database_initializer.py | 8 ++++++-- .../mongo_mitigations/attack_mitigations.json | 2 +- .../cc/setup/mongo/test_database_initializer.py | 2 +- 5 files changed, 10 insertions(+), 5 deletions(-) create mode 160000 monkey/monkey_island/cc/services/attack/attack_data diff --git a/monkey/monkey_island/cc/services/attack/attack_data b/monkey/monkey_island/cc/services/attack/attack_data new file mode 160000 index 000000000..fb8942b1a --- /dev/null +++ b/monkey/monkey_island/cc/services/attack/attack_data @@ -0,0 +1 @@ +Subproject commit fb8942b1a10f4e734ed75542f2ccae7cbd72c46d diff --git a/monkey/monkey_island/cc/setup/mongo/attack_mitigations.json b/monkey/monkey_island/cc/setup/mongo/attack_mitigations.json index d851d2435..373b55caa 100644 --- a/monkey/monkey_island/cc/setup/mongo/attack_mitigations.json +++ b/monkey/monkey_island/cc/setup/mongo/attack_mitigations.json 
@@ -1 +1 @@ -[{"_id": "T1066", "mitigations": [{"name": "Indicator Removal from Tools Mitigation", "description": "Mitigation is difficult in instances like this because the adversary may have access to the system through another channel and can learn what techniques or tools are blocked by resident defenses. Exercising best practices with configuration and security as well as ensuring that proper process is followed during investigation of potential compromise is essential to detecting a larger intrusion through discrete alerts.", "url": ""}]}, {"_id": "T1047", "mitigations": [{"name": "Privileged Account Management", "description": "Manage the creation, modification, use, and permissions associated to privileged accounts, including SYSTEM and root.", "url": "https://attack.mitre.org/mitigations/M1026"}, {"name": "User Account Management", "description": "Manage the creation, modification, use, and permissions associated to user accounts.", "url": "https://attack.mitre.org/mitigations/M1018"}]}, {"_id": "T1156", "mitigations": [{"name": "Restrict File and Directory Permissions", "description": "Restrict access by setting directory and file permissions that are not specific to users or privileged accounts.", "url": "https://attack.mitre.org/mitigations/M1022"}]}, {"_id": "T1113", "mitigations": [{"name": "Screen Capture Mitigation", "description": "Blocking software based on screen capture functionality may be difficult, and there may be legitimate software that performs those actions. Instead, identify potentially malicious software that may have functionality to acquire screen captures, and audit and/or block it by using whitelisting (Citation: Beechey 2010) tools, like AppLocker, (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) or Software Restriction Policies (Citation: Corio 2008) where appropriate. 
(Citation: TechNet Applocker vs SRP)", "url": ""}]}, {"_id": "T1067", "mitigations": [{"name": "Privileged Account Management", "description": "Manage the creation, modification, use, and permissions associated to privileged accounts, including SYSTEM and root.", "url": "https://attack.mitre.org/mitigations/M1026"}, {"name": "Boot Integrity", "description": "Use secure methods to boot a system and verify the integrity of the operating system and loading mechanisms.", "url": "https://attack.mitre.org/mitigations/M1046"}]}, {"_id": "T1037", "mitigations": [{"name": "Restrict File and Directory Permissions", "description": "Restrict access by setting directory and file permissions that are not specific to users or privileged accounts.", "url": "https://attack.mitre.org/mitigations/M1022"}]}, {"_id": "T1033", "mitigations": [{"name": "System Owner/User Discovery Mitigation", "description": "Identify unnecessary system utilities or potentially malicious software that may be used to acquire information about system users, and audit and/or block them by using whitelisting (Citation: Beechey 2010) tools, like AppLocker, (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) or Software Restriction Policies (Citation: Corio 2008) where appropriate. (Citation: TechNet Applocker vs SRP)", "url": ""}]}, {"_id": "T1143", "mitigations": [{"name": "Execution Prevention", "description": "Block execution of code on a system through application whitelisting, blacklisting, and/or script blocking.", "url": "https://attack.mitre.org/mitigations/M1038"}]}, {"_id": "T1161", "mitigations": [{"name": "Audit", "description": "Perform audits or scans of systems, permissions, insecure software, insecure configurations, etc. 
to identify potential weaknesses.", "url": "https://attack.mitre.org/mitigations/M1047"}, {"name": "Execution Prevention", "description": "Block execution of code on a system through application whitelisting, blacklisting, and/or script blocking.", "url": "https://attack.mitre.org/mitigations/M1038"}, {"name": "Code Signing", "description": "Enforce binary and application integrity with digital signature verification to prevent untrusted code from executing.", "url": "https://attack.mitre.org/mitigations/M1045"}]}, {"_id": "T1150", "mitigations": [{"name": "Restrict File and Directory Permissions", "description": "Restrict access by setting directory and file permissions that are not specific to users or privileged accounts.", "url": "https://attack.mitre.org/mitigations/M1022"}]}, {"_id": "T1148", "mitigations": [{"name": "Environment Variable Permissions", "description": "Prevent modification of environment variables by unauthorized users and groups.", "url": "https://attack.mitre.org/mitigations/M1039"}, {"name": "Operating System Configuration", "description": "Make configuration changes related to the operating system or a common feature of the operating system that result in system hardening against techniques.", "url": "https://attack.mitre.org/mitigations/M1028"}]}, {"_id": "T1003", "mitigations": [{"name": "Password Policies", "description": "Set and enforce secure password policies for accounts.", "url": "https://attack.mitre.org/mitigations/M1027"}, {"name": "User Training", "description": "Train users to to be aware of access or manipulation attempts by an adversary to reduce the risk of successful spearphishing, social engineering, and other techniques that involve user interaction.", "url": "https://attack.mitre.org/mitigations/M1017"}, {"name": "Privileged Account Management", "description": "Manage the creation, modification, use, and permissions associated to privileged accounts, including SYSTEM and root.", "url": 
"https://attack.mitre.org/mitigations/M1026"}, {"name": "Privileged Process Integrity", "description": "Protect processes with high privileges that can be used to interact with critical system components through use of protected process light, anti-process injection defenses, or other process integrity enforcement measures.", "url": "https://attack.mitre.org/mitigations/M1025"}, {"name": "Credential Access Protection", "description": "Use capabilities to prevent successful credential access by adversaries; including blocking forms of credential dumping.", "url": "https://attack.mitre.org/mitigations/M1043"}, {"name": "Active Directory Configuration", "description": "Configure Active Directory to prevent use of certain techniques; use SID Filtering, etc.", "url": "https://attack.mitre.org/mitigations/M1015"}, {"name": "Operating System Configuration", "description": "Make configuration changes related to the operating system or a common feature of the operating system that result in system hardening against techniques.", "url": "https://attack.mitre.org/mitigations/M1028"}]}, {"_id": "T1129", "mitigations": [{"name": "Execution Prevention", "description": "Block execution of code on a system through application whitelisting, blacklisting, and/or script blocking.", "url": "https://attack.mitre.org/mitigations/M1038"}]}, {"_id": "T1492", "mitigations": [{"name": "Encrypt Sensitive Information", "description": "Protect sensitive information with strong encryption.", "url": "https://attack.mitre.org/mitigations/M1041"}, {"name": "Restrict File and Directory Permissions", "description": "Restrict access by setting directory and file permissions that are not specific to users or privileged accounts.", "url": "https://attack.mitre.org/mitigations/M1022"}, {"name": "Remote Data Storage", "description": "Use remote security log and sensitive file storage where access can be controlled better to prevent exposure of intrusion detection log data or sensitive information.", 
"url": "https://attack.mitre.org/mitigations/M1029"}]}, {"_id": "T1006", "mitigations": [{"name": "File System Logical Offsets Mitigation", "description": "Identify potentially malicious software that may be used to access logical drives in this manner, and audit and/or block it by using whitelisting (Citation: Beechey 2010) tools, like AppLocker, (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) or Software Restriction Policies (Citation: Corio 2008) where appropriate. (Citation: TechNet Applocker vs SRP)", "url": ""}]}, {"_id": "T1044", "mitigations": [{"name": "Audit", "description": "Perform audits or scans of systems, permissions, insecure software, insecure configurations, etc. to identify potential weaknesses.", "url": "https://attack.mitre.org/mitigations/M1047"}, {"name": "User Account Control", "description": "Configure Windows User Account Control to mitigate risk of adversaries obtaining elevated process access.", "url": "https://attack.mitre.org/mitigations/M1052"}, {"name": "User Account Management", "description": "Manage the creation, modification, use, and permissions associated to user accounts.", "url": "https://attack.mitre.org/mitigations/M1018"}]}, {"_id": "T1171", "mitigations": [{"name": "Filter Network Traffic", "description": "Use network appliances to filter ingress or egress traffic and perform protocol-based filtering. 
Configure software on endpoints to filter network traffic.", "url": "https://attack.mitre.org/mitigations/M1037"}, {"name": "Disable or Remove Feature or Program", "description": "Remove or deny access to unnecessary and potentially vulnerable software to prevent abuse by adversaries.", "url": "https://attack.mitre.org/mitigations/M1042"}]}, {"_id": "T1014", "mitigations": [{"name": "Rootkit Mitigation", "description": "Identify potentially malicious software that may contain rootkit functionality, and audit and/or block it by using whitelisting (Citation: Beechey 2010) tools, like AppLocker, (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) or Software Restriction Policies (Citation: Corio 2008) where appropriate. (Citation: TechNet Applocker vs SRP)", "url": ""}]}, {"_id": "T1501", "mitigations": [{"name": "Limit Software Installation", "description": "Block users or groups from installing unapproved software.", "url": "https://attack.mitre.org/mitigations/M1033"}, {"name": "User Account Management", "description": "Manage the creation, modification, use, and permissions associated to user accounts.", "url": "https://attack.mitre.org/mitigations/M1018"}, {"name": "Restrict File and Directory Permissions", "description": "Restrict access by setting directory and file permissions that are not specific to users or privileged accounts.", "url": "https://attack.mitre.org/mitigations/M1022"}, {"name": "Privileged Account Management", "description": "Manage the creation, modification, use, and permissions associated to privileged accounts, including SYSTEM and root.", "url": "https://attack.mitre.org/mitigations/M1026"}]}, {"_id": "T1514", "mitigations": [{"name": "Execution Prevention", "description": "Block execution of code on a system through application whitelisting, blacklisting, and/or script blocking.", "url": "https://attack.mitre.org/mitigations/M1038"}]}, {"_id": "T1123", "mitigations": [{"name": "Audio Capture Mitigation", "description": 
"Mitigating this technique specifically may be difficult as it requires fine-grained API control. Efforts should be focused on preventing unwanted or unknown code from executing on a system.", "url": ""}]}, {"_id": "T1133", "mitigations": [{"name": "Network Segmentation", "description": "Architect sections of the network to isolate critical systems, functions, or resources. Use physical and logical segmentation to prevent access to potentially sensitive systems and information. Use a DMZ to contain any internet-facing services that should not be exposed from the internal network.", "url": "https://attack.mitre.org/mitigations/M1030"}, {"name": "Disable or Remove Feature or Program", "description": "Remove or deny access to unnecessary and potentially vulnerable software to prevent abuse by adversaries.", "url": "https://attack.mitre.org/mitigations/M1042"}, {"name": "Limit Access to Resource Over Network", "description": "Prevent access to file shares, remote access to systems, unnecessary services. 
Mechanisms to limit access may include use of network concentrators, RDP gateways, etc.", "url": "https://attack.mitre.org/mitigations/M1035"}, {"name": "Multi-factor Authentication", "description": "Use two or more pieces of evidence to authenticate to a system; such as username and password in addition to a token from a physical smart card or token generator.", "url": "https://attack.mitre.org/mitigations/M1032"}]}, {"_id": "T1109", "mitigations": [{"name": "Component Firmware Mitigation", "description": "Prevent adversary access to privileged accounts or access necessary to perform this technique.", "url": ""}]}, {"_id": "T1539", "mitigations": [{"name": "Software Configuration", "description": "Implement configuration changes to software (other than the operating system) to mitigate security risks associated to how the software operates.", "url": "https://attack.mitre.org/mitigations/M1054"}, {"name": "Multi-factor Authentication", "description": "Use two or more pieces of evidence to authenticate to a system; such as username and password in addition to a token from a physical smart card or token generator.", "url": "https://attack.mitre.org/mitigations/M1032"}, {"name": "User Training", "description": "Train users to to be aware of access or manipulation attempts by an adversary to reduce the risk of successful spearphishing, social engineering, and other techniques that involve user interaction.", "url": "https://attack.mitre.org/mitigations/M1017"}]}, {"_id": "T1099", "mitigations": [{"name": "Timestomp Mitigation", "description": "Mitigation of timestomping specifically is likely difficult. Efforts should be focused on preventing potentially malicious software from running. 
Identify and block potentially malicious software that may contain functionality to perform timestomping by using whitelisting (Citation: Beechey 2010) tools like AppLocker (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) or Software Restriction Policies (Citation: Corio 2008) where appropriate. (Citation: TechNet Applocker vs SRP)", "url": ""}]}, {"_id": "T1069", "mitigations": [{"name": "Permission Groups Discovery Mitigation", "description": "Identify unnecessary system utilities or potentially malicious software that may be used to acquire information about groups and permissions, and audit and/or block them by using whitelisting (Citation: Beechey 2010) tools, like AppLocker, (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) or Software Restriction Policies (Citation: Corio 2008) where appropriate. (Citation: TechNet Applocker vs SRP)", "url": ""}]}, {"_id": "T1114", "mitigations": [{"name": "Multi-factor Authentication", "description": "Use two or more pieces of evidence to authenticate to a system; such as username and password in addition to a token from a physical smart card or token generator.", "url": "https://attack.mitre.org/mitigations/M1032"}, {"name": "Encrypt Sensitive Information", "description": "Protect sensitive information with strong encryption.", "url": "https://attack.mitre.org/mitigations/M1041"}, {"name": "Audit", "description": "Perform audits or scans of systems, permissions, insecure software, insecure configurations, etc. 
to identify potential weaknesses.", "url": "https://attack.mitre.org/mitigations/M1047"}]}, {"_id": "T1163", "mitigations": [{"name": "User Account Management", "description": "Manage the creation, modification, use, and permissions associated to user accounts.", "url": "https://attack.mitre.org/mitigations/M1018"}]}, {"_id": "T1025", "mitigations": [{"name": "Data from Removable Media Mitigation", "description": "Identify unnecessary system utilities or potentially malicious software that may be used to collect data from removable media, and audit and/or block them by using whitelisting (Citation: Beechey 2010) tools, like AppLocker, (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) or Software Restriction Policies (Citation: Corio 2008) where appropriate. (Citation: TechNet Applocker vs SRP)", "url": ""}]}, {"_id": "T1116", "mitigations": [{"name": "Code Signing Mitigation", "description": "Process whitelisting and trusted publishers to verify authenticity of software can help prevent signed malicious or untrusted code from executing on a system. (Citation: NSA MS AppLocker) (Citation: TechNet Trusted Publishers) (Citation: Securelist Digital Certificates)", "url": ""}]}, {"_id": "T1522", "mitigations": [{"name": "Filter Network Traffic", "description": "Use network appliances to filter ingress or egress traffic and perform protocol-based filtering. Configure software on endpoints to filter network traffic.", "url": "https://attack.mitre.org/mitigations/M1037"}]}, {"_id": "T1093", "mitigations": [{"name": "Process Hollowing Mitigation", "description": "This type of attack technique cannot be easily mitigated with preventive controls since it is based on the abuse of operating system design features. For example, mitigating specific API calls will likely have unintended side effects, such as preventing legitimate software (i.e., security products) from operating properly. 
Efforts should be focused on preventing adversary tools from running earlier in the chain of activity and on identifying subsequent malicious behavior. ", "url": ""}]}, {"_id": "T1172", "mitigations": [{"name": "SSL/TLS Inspection", "description": "Break and inspect SSL/TLS sessions to look at encrypted web traffic for adversary activity.", "url": "https://attack.mitre.org/mitigations/M1020"}, {"name": "Execution Prevention", "description": "Block execution of code on a system through application whitelisting, blacklisting, and/or script blocking.", "url": "https://attack.mitre.org/mitigations/M1038"}]}, {"_id": "T1178", "mitigations": [{"name": "Active Directory Configuration", "description": "Configure Active Directory to prevent use of certain techniques; use SID Filtering, etc.", "url": "https://attack.mitre.org/mitigations/M1015"}]}, {"_id": "T1013", "mitigations": [{"name": "Port Monitors Mitigation", "description": "Identify and block potentially malicious software that may persist in this manner by using whitelisting (Citation: Beechey 2010) tools capable of monitoring DLL loads by processes running under SYSTEM permissions.", "url": ""}]}, {"_id": "T1192", "mitigations": [{"name": "Restrict Web-Based Content", "description": "Restrict use of certain websites, block downloads/attachments, block Javascript, restrict browser extensions, etc.", "url": "https://attack.mitre.org/mitigations/M1021"}, {"name": "User Training", "description": "Train users to to be aware of access or manipulation attempts by an adversary to reduce the risk of successful spearphishing, social engineering, and other techniques that involve user interaction.", "url": "https://attack.mitre.org/mitigations/M1017"}]}, {"_id": "T1489", "mitigations": [{"name": "Network Segmentation", "description": "Architect sections of the network to isolate critical systems, functions, or resources. Use physical and logical segmentation to prevent access to potentially sensitive systems and information. 
Use a DMZ to contain any internet-facing services that should not be exposed from the internal network.", "url": "https://attack.mitre.org/mitigations/M1030"}, {"name": "User Account Management", "description": "Manage the creation, modification, use, and permissions associated to user accounts.", "url": "https://attack.mitre.org/mitigations/M1018"}, {"name": "Restrict Registry Permissions", "description": "Restrict the ability to modify certain hives or keys in the Windows Registry.", "url": "https://attack.mitre.org/mitigations/M1024"}, {"name": "Restrict File and Directory Permissions", "description": "Restrict access by setting directory and file permissions that are not specific to users or privileged accounts.", "url": "https://attack.mitre.org/mitigations/M1022"}]}, {"_id": "T1121", "mitigations": [{"name": "Disable or Remove Feature or Program", "description": "Remove or deny access to unnecessary and potentially vulnerable software to prevent abuse by adversaries.", "url": "https://attack.mitre.org/mitigations/M1042"}, {"name": "Execution Prevention", "description": "Block execution of code on a system through application whitelisting, blacklisting, and/or script blocking.", "url": "https://attack.mitre.org/mitigations/M1038"}]}, {"_id": "T1206", "mitigations": [{"name": "Privileged Account Management", "description": "Manage the creation, modification, use, and permissions associated to privileged accounts, including SYSTEM and root.", "url": "https://attack.mitre.org/mitigations/M1026"}, {"name": "Operating System Configuration", "description": "Make configuration changes related to the operating system or a common feature of the operating system that result in system hardening against techniques.", "url": "https://attack.mitre.org/mitigations/M1028"}]}, {"_id": "T1063", "mitigations": [{"name": "Security Software Discovery Mitigation", "description": "Identify unnecessary system utilities or potentially malicious software that may be used to acquire 
information about local security software, and audit and/or block them by using whitelisting (Citation: Beechey 2010) tools, like AppLocker, (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) or Software Restriction Policies (Citation: Corio 2008) where appropriate. (Citation: TechNet Applocker vs SRP)", "url": ""}]}, {"_id": "T1080", "mitigations": [{"name": "Execution Prevention", "description": "Block execution of code on a system through application whitelisting, blacklisting, and/or script blocking.", "url": "https://attack.mitre.org/mitigations/M1038"}, {"name": "Restrict File and Directory Permissions", "description": "Restrict access by setting directory and file permissions that are not specific to users or privileged accounts.", "url": "https://attack.mitre.org/mitigations/M1022"}, {"name": "Exploit Protection", "description": "Use capabilities to detect and block conditions that may lead to or be indicative of a software exploit occurring.", "url": "https://attack.mitre.org/mitigations/M1050"}]}, {"_id": "T1167", "mitigations": []}, {"_id": "T1527", "mitigations": [{"name": "Restrict Web-Based Content", "description": "Restrict use of certain websites, block downloads/attachments, block Javascript, restrict browser extensions, etc.", "url": "https://attack.mitre.org/mitigations/M1021"}, {"name": "Audit", "description": "Perform audits or scans of systems, permissions, insecure software, insecure configurations, etc. 
to identify potential weaknesses.", "url": "https://attack.mitre.org/mitigations/M1047"}, {"name": "Encrypt Sensitive Information", "description": "Protect sensitive information with strong encryption.", "url": "https://attack.mitre.org/mitigations/M1041"}]}, {"_id": "T1180", "mitigations": [{"name": "Execution Prevention", "description": "Block execution of code on a system through application whitelisting, blacklisting, and/or script blocking.", "url": "https://attack.mitre.org/mitigations/M1038"}, {"name": "Disable or Remove Feature or Program", "description": "Remove or deny access to unnecessary and potentially vulnerable software to prevent abuse by adversaries.", "url": "https://attack.mitre.org/mitigations/M1042"}]}, {"_id": "T1165", "mitigations": [{"name": "User Account Management", "description": "Manage the creation, modification, use, and permissions associated to user accounts.", "url": "https://attack.mitre.org/mitigations/M1018"}, {"name": "Restrict File and Directory Permissions", "description": "Restrict access by setting directory and file permissions that are not specific to users or privileged accounts.", "url": "https://attack.mitre.org/mitigations/M1022"}]}, {"_id": "T1137", "mitigations": [{"name": "Disable or Remove Feature or Program", "description": "Remove or deny access to unnecessary and potentially vulnerable software to prevent abuse by adversaries.", "url": "https://attack.mitre.org/mitigations/M1042"}, {"name": "Update Software", "description": "Perform regular software updates to mitigate exploitation risk.", "url": "https://attack.mitre.org/mitigations/M1051"}, {"name": "Software Configuration", "description": "Implement configuration changes to software (other than the operating system) to mitigate security risks associated to how the software operates.", "url": "https://attack.mitre.org/mitigations/M1054"}]}, {"_id": "T1089", "mitigations": [{"name": "User Account Management", "description": "Manage the creation, modification, 
use, and permissions associated to user accounts.", "url": "https://attack.mitre.org/mitigations/M1018"}, {"name": "Restrict File and Directory Permissions", "description": "Restrict access by setting directory and file permissions that are not specific to users or privileged accounts.", "url": "https://attack.mitre.org/mitigations/M1022"}]}, {"_id": "T1487", "mitigations": [{"name": "Data Backup", "description": "Take and store data backups from end user systems and critical servers. Ensure backup and storage systems are hardened and kept separate from the corporate network to prevent compromise.", "url": "https://attack.mitre.org/mitigations/M1053"}]}, {"_id": "T1214", "mitigations": [{"name": "Privileged Account Management", "description": "Manage the creation, modification, use, and permissions associated to privileged accounts, including SYSTEM and root.", "url": "https://attack.mitre.org/mitigations/M1026"}, {"name": "Audit", "description": "Perform audits or scans of systems, permissions, insecure software, insecure configurations, etc. 
to identify potential weaknesses.", "url": "https://attack.mitre.org/mitigations/M1047"}, {"name": "Password Policies", "description": "Set and enforce secure password policies for accounts.", "url": "https://attack.mitre.org/mitigations/M1027"}]}, {"_id": "T1119", "mitigations": [{"name": "Remote Data Storage", "description": "Use remote security log and sensitive file storage where access can be controlled better to prevent exposure of intrusion detection log data or sensitive information.", "url": "https://attack.mitre.org/mitigations/M1029"}, {"name": "Encrypt Sensitive Information", "description": "Protect sensitive information with strong encryption.", "url": "https://attack.mitre.org/mitigations/M1041"}]}, {"_id": "T1115", "mitigations": [{"name": "Clipboard Data Mitigation", "description": "Instead of blocking software based on clipboard capture behavior, identify potentially malicious software that may contain this functionality, and audit and/or block it by using whitelisting (Citation: Beechey 2010) tools, like AppLocker, (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) or Software Restriction Policies (Citation: Corio 2008) where appropriate. 
(Citation: TechNet Applocker vs SRP)", "url": ""}]}, {"_id": "T1103", "mitigations": [{"name": "Update Software", "description": "Perform regular software updates to mitigate exploitation risk.", "url": "https://attack.mitre.org/mitigations/M1051"}, {"name": "Execution Prevention", "description": "Block execution of code on a system through application whitelisting, blacklisting, and/or script blocking.", "url": "https://attack.mitre.org/mitigations/M1038"}]}, {"_id": "T1007", "mitigations": [{"name": "System Service Discovery Mitigation", "description": "Identify unnecessary system utilities or potentially malicious software that may be used to acquire information about services, and audit and/or block them by using whitelisting (Citation: Beechey 2010) tools, like AppLocker, (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) or Software Restriction Policies (Citation: Corio 2008) where appropriate. (Citation: TechNet Applocker vs SRP)", "url": ""}]}, {"_id": "T1040", "mitigations": [{"name": "Multi-factor Authentication", "description": "Use two or more pieces of evidence to authenticate to a system; such as username and password in addition to a token from a physical smart card or token generator.", "url": "https://attack.mitre.org/mitigations/M1032"}, {"name": "Encrypt Sensitive Information", "description": "Protect sensitive information with strong encryption.", "url": "https://attack.mitre.org/mitigations/M1041"}]}, {"_id": "T1017", "mitigations": [{"name": "Privileged Account Management", "description": "Manage the creation, modification, use, and permissions associated to privileged accounts, including SYSTEM and root.", "url": "https://attack.mitre.org/mitigations/M1026"}, {"name": "Multi-factor Authentication", "description": "Use two or more pieces of evidence to authenticate to a system; such as username and password in addition to a token from a physical smart card or token generator.", "url": 
"https://attack.mitre.org/mitigations/M1032"}, {"name": "Code Signing", "description": "Enforce binary and application integrity with digital signature verification to prevent untrusted code from executing.", "url": "https://attack.mitre.org/mitigations/M1045"}, {"name": "Network Segmentation", "description": "Architect sections of the network to isolate critical systems, functions, or resources. Use physical and logical segmentation to prevent access to potentially sensitive systems and information. Use a DMZ to contain any internet-facing services that should not be exposed from the internal network.", "url": "https://attack.mitre.org/mitigations/M1030"}, {"name": "Update Software", "description": "Perform regular software updates to mitigate exploitation risk.", "url": "https://attack.mitre.org/mitigations/M1051"}]}, {"_id": "T1530", "mitigations": [{"name": "User Account Management", "description": "Manage the creation, modification, use, and permissions associated to user accounts.", "url": "https://attack.mitre.org/mitigations/M1018"}, {"name": "Encrypt Sensitive Information", "description": "Protect sensitive information with strong encryption.", "url": "https://attack.mitre.org/mitigations/M1041"}, {"name": "Restrict File and Directory Permissions", "description": "Restrict access by setting directory and file permissions that are not specific to users or privileged accounts.", "url": "https://attack.mitre.org/mitigations/M1022"}, {"name": "Filter Network Traffic", "description": "Use network appliances to filter ingress or egress traffic and perform protocol-based filtering. Configure software on endpoints to filter network traffic.", "url": "https://attack.mitre.org/mitigations/M1037"}, {"name": "Audit", "description": "Perform audits or scans of systems, permissions, insecure software, insecure configurations, etc. 
to identify potential weaknesses.", "url": "https://attack.mitre.org/mitigations/M1047"}, {"name": "Multi-factor Authentication", "description": "Use two or more pieces of evidence to authenticate to a system; such as username and password in addition to a token from a physical smart card or token generator.", "url": "https://attack.mitre.org/mitigations/M1032"}]}, {"_id": "T1135", "mitigations": [{"name": "Network Share Discovery Mitigation", "description": "Identify unnecessary system utilities or potentially malicious software that may be used to acquire network share information, and audit and/or block them by using whitelisting (Citation: Beechey 2010) tools, like AppLocker, (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) or Software Restriction Policies (Citation: Corio 2008) where appropriate. (Citation: TechNet Applocker vs SRP)", "url": ""}]}, {"_id": "T1120", "mitigations": [{"name": "Peripheral Device Discovery Mitigation", "description": "Identify unnecessary system utilities or potentially malicious software that may be used to acquire information about peripheral devices, and audit and/or block them by using whitelisting (Citation: Beechey 2010) tools, like AppLocker, (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) or Software Restriction Policies (Citation: Corio 2008) where appropriate. (Citation: TechNet Applocker vs SRP)", "url": ""}]}, {"_id": "T1082", "mitigations": [{"name": "System Information Discovery Mitigation", "description": "Identify unnecessary system utilities or potentially malicious software that may be used to acquire information about the operating system and underlying hardware, and audit and/or block them by using whitelisting (Citation: Beechey 2010) tools, like AppLocker, (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) or Software Restriction Policies (Citation: Corio 2008) where appropriate. 
(Citation: TechNet Applocker vs SRP)", "url": ""}]}, {"_id": "T1071", "mitigations": [{"name": "Network Intrusion Prevention", "description": "Use intrusion detection signatures to block traffic at network boundaries.", "url": "https://attack.mitre.org/mitigations/M1031"}]}, {"_id": "T1053", "mitigations": [{"name": "User Account Management", "description": "Manage the creation, modification, use, and permissions associated to user accounts.", "url": "https://attack.mitre.org/mitigations/M1018"}, {"name": "Operating System Configuration", "description": "Make configuration changes related to the operating system or a common feature of the operating system that result in system hardening against techniques.", "url": "https://attack.mitre.org/mitigations/M1028"}, {"name": "Privileged Account Management", "description": "Manage the creation, modification, use, and permissions associated to privileged accounts, including SYSTEM and root.", "url": "https://attack.mitre.org/mitigations/M1026"}, {"name": "Audit", "description": "Perform audits or scans of systems, permissions, insecure software, insecure configurations, etc. 
to identify potential weaknesses.", "url": "https://attack.mitre.org/mitigations/M1047"}]}, {"_id": "T1162", "mitigations": [{"name": "User Account Management", "description": "Manage the creation, modification, use, and permissions associated to user accounts.", "url": "https://attack.mitre.org/mitigations/M1018"}, {"name": "User Training", "description": "Train users to to be aware of access or manipulation attempts by an adversary to reduce the risk of successful spearphishing, social engineering, and other techniques that involve user interaction.", "url": "https://attack.mitre.org/mitigations/M1017"}]}, {"_id": "T1176", "mitigations": [{"name": "Limit Software Installation", "description": "Block users or groups from installing unapproved software.", "url": "https://attack.mitre.org/mitigations/M1033"}, {"name": "Audit", "description": "Perform audits or scans of systems, permissions, insecure software, insecure configurations, etc. to identify potential weaknesses.", "url": "https://attack.mitre.org/mitigations/M1047"}, {"name": "User Training", "description": "Train users to to be aware of access or manipulation attempts by an adversary to reduce the risk of successful spearphishing, social engineering, and other techniques that involve user interaction.", "url": "https://attack.mitre.org/mitigations/M1017"}, {"name": "Execution Prevention", "description": "Block execution of code on a system through application whitelisting, blacklisting, and/or script blocking.", "url": "https://attack.mitre.org/mitigations/M1038"}]}, {"_id": "T1106", "mitigations": [{"name": "Execution Prevention", "description": "Block execution of code on a system through application whitelisting, blacklisting, and/or script blocking.", "url": "https://attack.mitre.org/mitigations/M1038"}]}, {"_id": "T1058", "mitigations": [{"name": "Restrict Registry Permissions", "description": "Restrict the ability to modify certain hives or keys in the Windows Registry.", "url": 
"https://attack.mitre.org/mitigations/M1024"}]}, {"_id": "T1202", "mitigations": [{"name": "Indirect Command Execution Mitigation", "description": "Identify or block potentially malicious software that may contain abusive functionality by using whitelisting (Citation: Beechey 2010) tools, like AppLocker, (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) or Software Restriction Policies (Citation: Corio 2008) where appropriate. (Citation: TechNet Applocker vs SRP). These mechanisms can also be used to disable and/or limit user access to Windows utilities and file types/locations used to invoke malicious execution.(Citation: SpectorOPs SettingContent-ms Jun 2018)", "url": ""}]}, {"_id": "T1024", "mitigations": [{"name": "Network Intrusion Prevention", "description": "Use intrusion detection signatures to block traffic at network boundaries.", "url": "https://attack.mitre.org/mitigations/M1031"}]}, {"_id": "T1536", "mitigations": []}, {"_id": "T1091", "mitigations": [{"name": "Disable or Remove Feature or Program", "description": "Remove or deny access to unnecessary and potentially vulnerable software to prevent abuse by adversaries.", "url": "https://attack.mitre.org/mitigations/M1042"}, {"name": "Limit Hardware Installation", "description": "Block users or groups from installing or using unapproved hardware on systems, including USB devices.", "url": "https://attack.mitre.org/mitigations/M1034"}]}, {"_id": "T1005", "mitigations": [{"name": "Data from Local System Mitigation", "description": "Identify unnecessary system utilities or potentially malicious software that may be used to collect data from the local system, and audit and/or block them by using whitelisting (Citation: Beechey 2010) tools, like AppLocker, (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) or Software Restriction Policies (Citation: Corio 2008) where appropriate. 
(Citation: TechNet Applocker vs SRP)", "url": ""}]}, {"_id": "T1140", "mitigations": [{"name": "Deobfuscate/Decode Files or Information Mitigation", "description": "Identify unnecessary system utilities or potentially malicious software that may be used to deobfuscate or decode files or information, and audit and/or block them by using whitelisting (Citation: Beechey 2010) tools, like AppLocker, (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) or Software Restriction Policies (Citation: Corio 2008) where appropriate. (Citation: TechNet Applocker vs SRP)", "url": ""}]}, {"_id": "T1195", "mitigations": [{"name": "Update Software", "description": "Perform regular software updates to mitigate exploitation risk.", "url": "https://attack.mitre.org/mitigations/M1051"}, {"name": "Vulnerability Scanning", "description": "Vulnerability scanning is used to find potentially exploitable software vulnerabilities to remediate them.", "url": "https://attack.mitre.org/mitigations/M1016"}]}, {"_id": "T1190", "mitigations": [{"name": "Application Isolation and Sandboxing", "description": "Restrict execution of code to a virtual environment on or in transit to an endpoint system.", "url": "https://attack.mitre.org/mitigations/M1048"}, {"name": "Network Segmentation", "description": "Architect sections of the network to isolate critical systems, functions, or resources. Use physical and logical segmentation to prevent access to potentially sensitive systems and information. 
Use a DMZ to contain any internet-facing services that should not be exposed from the internal network.", "url": "https://attack.mitre.org/mitigations/M1030"}, {"name": "Vulnerability Scanning", "description": "Vulnerability scanning is used to find potentially exploitable software vulnerabilities to remediate them.", "url": "https://attack.mitre.org/mitigations/M1016"}, {"name": "Privileged Account Management", "description": "Manage the creation, modification, use, and permissions associated to privileged accounts, including SYSTEM and root.", "url": "https://attack.mitre.org/mitigations/M1026"}, {"name": "Exploit Protection", "description": "Use capabilities to detect and block conditions that may lead to or be indicative of a software exploit occurring.", "url": "https://attack.mitre.org/mitigations/M1050"}, {"name": "Update Software", "description": "Perform regular software updates to mitigate exploitation risk.", "url": "https://attack.mitre.org/mitigations/M1051"}]}, {"_id": "T1219", "mitigations": [{"name": "Execution Prevention", "description": "Block execution of code on a system through application whitelisting, blacklisting, and/or script blocking.", "url": "https://attack.mitre.org/mitigations/M1038"}, {"name": "Filter Network Traffic", "description": "Use network appliances to filter ingress or egress traffic and perform protocol-based filtering. 
Configure software on endpoints to filter network traffic.", "url": "https://attack.mitre.org/mitigations/M1037"}, {"name": "Network Intrusion Prevention", "description": "Use intrusion detection signatures to block traffic at network boundaries.", "url": "https://attack.mitre.org/mitigations/M1031"}]}, {"_id": "T1079", "mitigations": [{"name": "Network Intrusion Prevention", "description": "Use intrusion detection signatures to block traffic at network boundaries.", "url": "https://attack.mitre.org/mitigations/M1031"}]}, {"_id": "T1036", "mitigations": [{"name": "Code Signing", "description": "Enforce binary and application integrity with digital signature verification to prevent untrusted code from executing.", "url": "https://attack.mitre.org/mitigations/M1045"}, {"name": "Restrict File and Directory Permissions", "description": "Restrict access by setting directory and file permissions that are not specific to users or privileged accounts.", "url": "https://attack.mitre.org/mitigations/M1022"}, {"name": "Execution Prevention", "description": "Block execution of code on a system through application whitelisting, blacklisting, and/or script blocking.", "url": "https://attack.mitre.org/mitigations/M1038"}]}, {"_id": "T1055", "mitigations": [{"name": "Behavior Prevention on Endpoint", "description": "Use capabilities to prevent suspicious behavior patterns from occurring on endpoint systems. This could include suspicious process, file, API call, etc. 
behavior.", "url": "https://attack.mitre.org/mitigations/M1040"}, {"name": "Privileged Account Management", "description": "Manage the creation, modification, use, and permissions associated to privileged accounts, including SYSTEM and root.", "url": "https://attack.mitre.org/mitigations/M1026"}]}, {"_id": "T1139", "mitigations": [{"name": "Operating System Configuration", "description": "Make configuration changes related to the operating system or a common feature of the operating system that result in system hardening against techniques.", "url": "https://attack.mitre.org/mitigations/M1028"}]}, {"_id": "T1205", "mitigations": [{"name": "Filter Network Traffic", "description": "Use network appliances to filter ingress or egress traffic and perform protocol-based filtering. Configure software on endpoints to filter network traffic.", "url": "https://attack.mitre.org/mitigations/M1037"}]}, {"_id": "T1503", "mitigations": [{"name": "Password Policies", "description": "Set and enforce secure password policies for accounts.", "url": "https://attack.mitre.org/mitigations/M1027"}]}, {"_id": "T1218", "mitigations": [{"name": "Privileged Account Management", "description": "Manage the creation, modification, use, and permissions associated to privileged accounts, including SYSTEM and root.", "url": "https://attack.mitre.org/mitigations/M1026"}, {"name": "Execution Prevention", "description": "Block execution of code on a system through application whitelisting, blacklisting, and/or script blocking.", "url": "https://attack.mitre.org/mitigations/M1038"}]}, {"_id": "T1153", "mitigations": [{"name": "Source Mitigation", "description": "Due to potential legitimate uses of source commands, it's may be difficult to mitigate use of this technique.", "url": ""}]}, {"_id": "T1038", "mitigations": [{"name": "Audit", "description": "Perform audits or scans of systems, permissions, insecure software, insecure configurations, etc. 
to identify potential weaknesses.", "url": "https://attack.mitre.org/mitigations/M1047"}, {"name": "Execution Prevention", "description": "Block execution of code on a system through application whitelisting, blacklisting, and/or script blocking.", "url": "https://attack.mitre.org/mitigations/M1038"}, {"name": "Restrict Library Loading", "description": "Prevent abuse of library loading mechanisms in the operating system and software to load untrusted code by configuring appropriate library loading mechanisms and investigating potential vulnerable software.", "url": "https://attack.mitre.org/mitigations/M1044"}]}, {"_id": "T1050", "mitigations": [{"name": "User Account Management", "description": "Manage the creation, modification, use, and permissions associated to user accounts.", "url": "https://attack.mitre.org/mitigations/M1018"}]}, {"_id": "T1010", "mitigations": [{"name": "Application Window Discovery Mitigation", "description": "Identify unnecessary system utilities or potentially malicious software that may be used to acquire information, and audit and/or block them by using whitelisting (Citation: Beechey 2010) tools, like AppLocker, (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) or Software Restriction Policies (Citation: Corio 2008) where appropriate. 
(Citation: TechNet Applocker vs SRP)", "url": ""}]}, {"_id": "T1032", "mitigations": [{"name": "Network Intrusion Prevention", "description": "Use intrusion detection signatures to block traffic at network boundaries.", "url": "https://attack.mitre.org/mitigations/M1031"}, {"name": "SSL/TLS Inspection", "description": "Break and inspect SSL/TLS sessions to look at encrypted web traffic for adversary activity.", "url": "https://attack.mitre.org/mitigations/M1020"}]}, {"_id": "T1062", "mitigations": [{"name": "Hypervisor Mitigation", "description": "Prevent adversary access to privileged accounts necessary to install a hypervisor.", "url": ""}]}, {"_id": "T1182", "mitigations": [{"name": "Execution Prevention", "description": "Block execution of code on a system through application whitelisting, blacklisting, and/or script blocking.", "url": "https://attack.mitre.org/mitigations/M1038"}]}, {"_id": "T1029", "mitigations": [{"name": "Network Intrusion Prevention", "description": "Use intrusion detection signatures to block traffic at network boundaries.", "url": "https://attack.mitre.org/mitigations/M1031"}]}, {"_id": "T1525", "mitigations": [{"name": "Code Signing", "description": "Enforce binary and application integrity with digital signature verification to prevent untrusted code from executing.", "url": "https://attack.mitre.org/mitigations/M1045"}, {"name": "Privileged Account Management", "description": "Manage the creation, modification, use, and permissions associated to privileged accounts, including SYSTEM and root.", "url": "https://attack.mitre.org/mitigations/M1026"}, {"name": "Audit", "description": "Perform audits or scans of systems, permissions, insecure software, insecure configurations, etc. 
to identify potential weaknesses.", "url": "https://attack.mitre.org/mitigations/M1047"}]}, {"_id": "T1004", "mitigations": [{"name": "User Account Management", "description": "Manage the creation, modification, use, and permissions associated to user accounts.", "url": "https://attack.mitre.org/mitigations/M1018"}, {"name": "Execution Prevention", "description": "Block execution of code on a system through application whitelisting, blacklisting, and/or script blocking.", "url": "https://attack.mitre.org/mitigations/M1038"}]}, {"_id": "T1009", "mitigations": [{"name": "Binary Padding Mitigation", "description": "Identify potentially malicious software that may be executed from a padded or otherwise obfuscated binary, and audit and/or block it by using whitelisting (Citation: Beechey 2010) tools, like AppLocker, (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) or Software Restriction Policies (Citation: Corio 2008) where appropriate. (Citation: TechNet Applocker vs SRP)", "url": ""}]}, {"_id": "T1076", "mitigations": [{"name": "Audit", "description": "Perform audits or scans of systems, permissions, insecure software, insecure configurations, etc. to identify potential weaknesses.", "url": "https://attack.mitre.org/mitigations/M1047"}, {"name": "Limit Access to Resource Over Network", "description": "Prevent access to file shares, remote access to systems, unnecessary services. 
Mechanisms to limit access may include use of network concentrators, RDP gateways, etc.", "url": "https://attack.mitre.org/mitigations/M1035"}, {"name": "Multi-factor Authentication", "description": "Use two or more pieces of evidence to authenticate to a system; such as username and password in addition to a token from a physical smart card or token generator.", "url": "https://attack.mitre.org/mitigations/M1032"}, {"name": "Privileged Account Management", "description": "Manage the creation, modification, use, and permissions associated to privileged accounts, including SYSTEM and root.", "url": "https://attack.mitre.org/mitigations/M1026"}, {"name": "Operating System Configuration", "description": "Make configuration changes related to the operating system or a common feature of the operating system that result in system hardening against techniques.", "url": "https://attack.mitre.org/mitigations/M1028"}, {"name": "User Account Management", "description": "Manage the creation, modification, use, and permissions associated to user accounts.", "url": "https://attack.mitre.org/mitigations/M1018"}, {"name": "Network Segmentation", "description": "Architect sections of the network to isolate critical systems, functions, or resources. Use physical and logical segmentation to prevent access to potentially sensitive systems and information. 
Use a DMZ to contain any internet-facing services that should not be exposed from the internal network.", "url": "https://attack.mitre.org/mitigations/M1030"}, {"name": "Disable or Remove Feature or Program", "description": "Remove or deny access to unnecessary and potentially vulnerable software to prevent abuse by adversaries.", "url": "https://attack.mitre.org/mitigations/M1042"}]}, {"_id": "T1011", "mitigations": [{"name": "Operating System Configuration", "description": "Make configuration changes related to the operating system or a common feature of the operating system that result in system hardening against techniques.", "url": "https://attack.mitre.org/mitigations/M1028"}]}, {"_id": "T1131", "mitigations": [{"name": "Privileged Process Integrity", "description": "Protect processes with high privileges that can be used to interact with critical system components through use of protected process light, anti-process injection defenses, or other process integrity enforcement measures.", "url": "https://attack.mitre.org/mitigations/M1025"}]}, {"_id": "T1181", "mitigations": [{"name": "Extra Window Memory Injection Mitigation", "description": "This type of attack technique cannot be easily mitigated with preventive controls since it is based on the abuse of operating system design features. For example, mitigating specific API calls will likely have unintended side effects, such as preventing legitimate software (i.e., security products) from operating properly. 
Efforts should be focused on preventing adversary tools from running earlier in the chain of activity and on identifying subsequent malicious behavior.", "url": ""}]}, {"_id": "T1152", "mitigations": [{"name": "User Account Management", "description": "Manage the creation, modification, use, and permissions associated to user accounts.", "url": "https://attack.mitre.org/mitigations/M1018"}]}, {"_id": "T1483", "mitigations": [{"name": "Restrict Web-Based Content", "description": "Restrict use of certain websites, block downloads/attachments, block Javascript, restrict browser extensions, etc.", "url": "https://attack.mitre.org/mitigations/M1021"}, {"name": "Network Intrusion Prevention", "description": "Use intrusion detection signatures to block traffic at network boundaries.", "url": "https://attack.mitre.org/mitigations/M1031"}]}, {"_id": "T1185", "mitigations": [{"name": "User Training", "description": "Train users to to be aware of access or manipulation attempts by an adversary to reduce the risk of successful spearphishing, social engineering, and other techniques that involve user interaction.", "url": "https://attack.mitre.org/mitigations/M1017"}, {"name": "User Account Management", "description": "Manage the creation, modification, use, and permissions associated to user accounts.", "url": "https://attack.mitre.org/mitigations/M1018"}]}, {"_id": "T1021", "mitigations": [{"name": "User Account Management", "description": "Manage the creation, modification, use, and permissions associated to user accounts.", "url": "https://attack.mitre.org/mitigations/M1018"}, {"name": "Multi-factor Authentication", "description": "Use two or more pieces of evidence to authenticate to a system; such as username and password in addition to a token from a physical smart card or token generator.", "url": "https://attack.mitre.org/mitigations/M1032"}]}, {"_id": "T1207", "mitigations": [{"name": "DCShadow Mitigation", "description": "This type of attack technique cannot be 
easily mitigated with preventive controls since it is based on the abuse of AD design features. For example, mitigating specific AD API calls will likely have unintended side effects, such as preventing DC replication from operating properly. Efforts should be focused on preventing adversary tools from running earlier in the chain of activity and on identification of subsequent malicious behavior.", "url": ""}]}, {"_id": "T1107", "mitigations": [{"name": "File Deletion Mitigation", "description": "Identify unnecessary system utilities, third-party tools, or potentially malicious software that may be used to delete files, and audit and/or block them by using whitelisting (Citation: Beechey 2010) tools like AppLocker (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) or Software Restriction Policies (Citation: Corio 2008) where appropriate. (Citation: TechNet Applocker vs SRP)", "url": ""}]}, {"_id": "T1145", "mitigations": [{"name": "Password Policies", "description": "Set and enforce secure password policies for accounts.", "url": "https://attack.mitre.org/mitigations/M1027"}, {"name": "Audit", "description": "Perform audits or scans of systems, permissions, insecure software, insecure configurations, etc. to identify potential weaknesses.", "url": "https://attack.mitre.org/mitigations/M1047"}, {"name": "Encrypt Sensitive Information", "description": "Protect sensitive information with strong encryption.", "url": "https://attack.mitre.org/mitigations/M1041"}, {"name": "Network Segmentation", "description": "Architect sections of the network to isolate critical systems, functions, or resources. Use physical and logical segmentation to prevent access to potentially sensitive systems and information. 
Use a DMZ to contain any internet-facing services that should not be exposed from the internal network.", "url": "https://attack.mitre.org/mitigations/M1030"}, {"name": "Restrict File and Directory Permissions", "description": "Restrict access by setting directory and file permissions that are not specific to users or privileged accounts.", "url": "https://attack.mitre.org/mitigations/M1022"}]}, {"_id": "T1112", "mitigations": [{"name": "Restrict Registry Permissions", "description": "Restrict the ability to modify certain hives or keys in the Windows Registry.", "url": "https://attack.mitre.org/mitigations/M1024"}]}, {"_id": "T1491", "mitigations": [{"name": "Data Backup", "description": "Take and store data backups from end user systems and critical servers. Ensure backup and storage systems are hardened and kept separate from the corporate network to prevent compromise.", "url": "https://attack.mitre.org/mitigations/M1053"}]}, {"_id": "T1535", "mitigations": [{"name": "Software Configuration", "description": "Implement configuration changes to software (other than the operating system) to mitigate security risks associated to how the software operates.", "url": "https://attack.mitre.org/mitigations/M1054"}]}, {"_id": "T1155", "mitigations": [{"name": "Code Signing", "description": "Enforce binary and application integrity with digital signature verification to prevent untrusted code from executing.", "url": "https://attack.mitre.org/mitigations/M1045"}]}, {"_id": "T1217", "mitigations": [{"name": "Browser Bookmark Discovery Mitigation", "description": "File system activity is a common part of an operating system, so it is unlikely that mitigation would be appropriate for this technique. For example, mitigating accesses to browser bookmark files will likely have unintended side effects such as preventing legitimate software from operating properly. 
Efforts should be focused on preventing adversary tools from running earlier in the chain of activity and on identification of subsequent malicious behavior. It may still be beneficial to identify and block unnecessary system utilities or potentially malicious software by using whitelisting (Citation: Beechey 2010) tools, like AppLocker, (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) or Software Restriction Policies (Citation: Corio 2008) where appropriate. (Citation: TechNet Applocker vs SRP)", "url": ""}]}, {"_id": "T1183", "mitigations": [{"name": "Image File Execution Options Injection Mitigation", "description": "This type of attack technique cannot be easily mitigated with preventive controls since it is based on the abuse of operating system design features. For example, mitigating all IFEO will likely have unintended side effects, such as preventing legitimate software (i.e., security products) from operating properly. (Citation: Microsoft IFEOorMalware July 2015) Efforts should be focused on preventing adversary tools from running earlier in the chain of activity and on identifying subsequent malicious behavior.", "url": ""}]}, {"_id": "T1085", "mitigations": [{"name": "Exploit Protection", "description": "Use capabilities to detect and block conditions that may lead to or be indicative of a software exploit occurring.", "url": "https://attack.mitre.org/mitigations/M1050"}]}, {"_id": "T1031", "mitigations": [{"name": "Audit", "description": "Perform audits or scans of systems, permissions, insecure software, insecure configurations, etc. 
to identify potential weaknesses.", "url": "https://attack.mitre.org/mitigations/M1047"}, {"name": "User Account Management", "description": "Manage the creation, modification, use, and permissions associated to user accounts.", "url": "https://attack.mitre.org/mitigations/M1018"}]}, {"_id": "T1092", "mitigations": [{"name": "Disable or Remove Feature or Program", "description": "Remove or deny access to unnecessary and potentially vulnerable software to prevent abuse by adversaries.", "url": "https://attack.mitre.org/mitigations/M1042"}, {"name": "Operating System Configuration", "description": "Make configuration changes related to the operating system or a common feature of the operating system that result in system hardening against techniques.", "url": "https://attack.mitre.org/mitigations/M1028"}]}, {"_id": "T1222", "mitigations": [{"name": "File Permissions Modification Mitigation", "description": "This type of technique cannot be easily mitigated with preventive controls since it is based on the abuse of operating system design features. Efforts should be focused on preventing adversary tools from running earlier in the chain of activity and on identification of subsequent malicious behavior.", "url": ""}]}, {"_id": "T1179", "mitigations": [{"name": "Hooking Mitigation", "description": "This type of attack technique cannot be easily mitigated with preventive controls since it is based on the abuse of operating system design features. For example, mitigating all hooking will likely have unintended side effects, such as preventing legitimate software (i.e., security products) from operating properly. 
Efforts should be focused on preventing adversary tools from running earlier in the chain of activity and on identifying subsequent malicious behavior.", "url": ""}]}, {"_id": "T1019", "mitigations": [{"name": "Update Software", "description": "Perform regular software updates to mitigate exploitation risk.", "url": "https://attack.mitre.org/mitigations/M1051"}, {"name": "Boot Integrity", "description": "Use secure methods to boot a system and verify the integrity of the operating system and loading mechanisms.", "url": "https://attack.mitre.org/mitigations/M1046"}, {"name": "Privileged Account Management", "description": "Manage the creation, modification, use, and permissions associated to privileged accounts, including SYSTEM and root.", "url": "https://attack.mitre.org/mitigations/M1026"}]}, {"_id": "T1042", "mitigations": [{"name": "Change Default File Association Mitigation", "description": "Direct mitigation of this technique is not recommended since it is a legitimate function that can be performed by users for software preferences. Follow Microsoft's best practices for file associations. 
(Citation: MSDN File Associations)", "url": ""}]}, {"_id": "T1117", "mitigations": [{"name": "Exploit Protection", "description": "Use capabilities to detect and block conditions that may lead to or be indicative of a software exploit occurring.", "url": "https://attack.mitre.org/mitigations/M1050"}]}, {"_id": "T1164", "mitigations": [{"name": "Disable or Remove Feature or Program", "description": "Remove or deny access to unnecessary and potentially vulnerable software to prevent abuse by adversaries.", "url": "https://attack.mitre.org/mitigations/M1042"}, {"name": "User Training", "description": "Train users to to be aware of access or manipulation attempts by an adversary to reduce the risk of successful spearphishing, social engineering, and other techniques that involve user interaction.", "url": "https://attack.mitre.org/mitigations/M1017"}]}, {"_id": "T1054", "mitigations": [{"name": "User Account Management", "description": "Manage the creation, modification, use, and permissions associated to user accounts.", "url": "https://attack.mitre.org/mitigations/M1018"}, {"name": "Restrict File and Directory Permissions", "description": "Restrict access by setting directory and file permissions that are not specific to users or privileged accounts.", "url": "https://attack.mitre.org/mitigations/M1022"}, {"name": "Software Configuration", "description": "Implement configuration changes to software (other than the operating system) to mitigate security risks associated to how the software operates.", "url": "https://attack.mitre.org/mitigations/M1054"}]}, {"_id": "T1108", "mitigations": [{"name": "Network Intrusion Prevention", "description": "Use intrusion detection signatures to block traffic at network boundaries.", "url": "https://attack.mitre.org/mitigations/M1031"}]}, {"_id": "T1193", "mitigations": [{"name": "Antivirus/Antimalware", "description": "Use signatures or heuristics to detect malicious software.", "url": 
"https://attack.mitre.org/mitigations/M1049"}, {"name": "Network Intrusion Prevention", "description": "Use intrusion detection signatures to block traffic at network boundaries.", "url": "https://attack.mitre.org/mitigations/M1031"}, {"name": "Restrict Web-Based Content", "description": "Restrict use of certain websites, block downloads/attachments, block Javascript, restrict browser extensions, etc.", "url": "https://attack.mitre.org/mitigations/M1021"}, {"name": "User Training", "description": "Train users to to be aware of access or manipulation attempts by an adversary to reduce the risk of successful spearphishing, social engineering, and other techniques that involve user interaction.", "url": "https://attack.mitre.org/mitigations/M1017"}]}, {"_id": "T1215", "mitigations": [{"name": "Antivirus/Antimalware", "description": "Use signatures or heuristics to detect malicious software.", "url": "https://attack.mitre.org/mitigations/M1049"}, {"name": "Execution Prevention", "description": "Block execution of code on a system through application whitelisting, blacklisting, and/or script blocking.", "url": "https://attack.mitre.org/mitigations/M1038"}, {"name": "Privileged Account Management", "description": "Manage the creation, modification, use, and permissions associated to privileged accounts, including SYSTEM and root.", "url": "https://attack.mitre.org/mitigations/M1026"}]}, {"_id": "T1101", "mitigations": [{"name": "Privileged Process Integrity", "description": "Protect processes with high privileges that can be used to interact with critical system components through use of protected process light, anti-process injection defenses, or other process integrity enforcement measures.", "url": "https://attack.mitre.org/mitigations/M1025"}]}, {"_id": "T1177", "mitigations": [{"name": "Restrict Library Loading", "description": "Prevent abuse of library loading mechanisms in the operating system and software to load untrusted code by configuring appropriate library 
loading mechanisms and investigating potential vulnerable software.", "url": "https://attack.mitre.org/mitigations/M1044"}, {"name": "Credential Access Protection", "description": "Use capabilities to prevent successful credential access by adversaries; including blocking forms of credential dumping.", "url": "https://attack.mitre.org/mitigations/M1043"}, {"name": "Code Signing", "description": "Enforce binary and application integrity with digital signature verification to prevent untrusted code from executing.", "url": "https://attack.mitre.org/mitigations/M1045"}]}, {"_id": "T1125", "mitigations": [{"name": "Video Capture Mitigation", "description": "Mitigating this technique specifically may be difficult as it requires fine-grained API control. Efforts should be focused on preventing unwanted or unknown code from executing on a system.", "url": ""}]}, {"_id": "T1144", "mitigations": [{"name": "Execution Prevention", "description": "Block execution of code on a system through application whitelisting, blacklisting, and/or script blocking.", "url": "https://attack.mitre.org/mitigations/M1038"}]}, {"_id": "T1045", "mitigations": [{"name": "Antivirus/Antimalware", "description": "Use signatures or heuristics to detect malicious software.", "url": "https://attack.mitre.org/mitigations/M1049"}]}, {"_id": "T1016", "mitigations": [{"name": "System Network Configuration Discovery Mitigation", "description": "Identify unnecessary system utilities or potentially malicious software that may be used to acquire information about a system's network configuration, and audit and/or block them by using whitelisting (Citation: Beechey 2010) tools, like AppLocker, (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) or Software Restriction Policies (Citation: Corio 2008) where appropriate. 
(Citation: TechNet Applocker vs SRP)", "url": ""}]}, {"_id": "T1504", "mitigations": [{"name": "Code Signing", "description": "Enforce binary and application integrity with digital signature verification to prevent untrusted code from executing.", "url": "https://attack.mitre.org/mitigations/M1045"}, {"name": "Restrict File and Directory Permissions", "description": "Restrict access by setting directory and file permissions that are not specific to users or privileged accounts.", "url": "https://attack.mitre.org/mitigations/M1022"}, {"name": "Software Configuration", "description": "Implement configuration changes to software (other than the operating system) to mitigate security risks associated to how the software operates.", "url": "https://attack.mitre.org/mitigations/M1054"}]}, {"_id": "T1198", "mitigations": [{"name": "Execution Prevention", "description": "Block execution of code on a system through application whitelisting, blacklisting, and/or script blocking.", "url": "https://attack.mitre.org/mitigations/M1038"}, {"name": "Restrict Registry Permissions", "description": "Restrict the ability to modify certain hives or keys in the Windows Registry.", "url": "https://attack.mitre.org/mitigations/M1024"}, {"name": "Restrict File and Directory Permissions", "description": "Restrict access by setting directory and file permissions that are not specific to users or privileged accounts.", "url": "https://attack.mitre.org/mitigations/M1022"}]}, {"_id": "T1087", "mitigations": [{"name": "Operating System Configuration", "description": "Make configuration changes related to the operating system or a common feature of the operating system that result in system hardening against techniques.", "url": "https://attack.mitre.org/mitigations/M1028"}]}, {"_id": "T1090", "mitigations": [{"name": "Network Intrusion Prevention", "description": "Use intrusion detection signatures to block traffic at network boundaries.", "url": "https://attack.mitre.org/mitigations/M1031"}]}, 
{"_id": "T1059", "mitigations": [{"name": "Execution Prevention", "description": "Block execution of code on a system through application whitelisting, blacklisting, and/or script blocking.", "url": "https://attack.mitre.org/mitigations/M1038"}]}, {"_id": "T1482", "mitigations": [{"name": "Audit", "description": "Perform audits or scans of systems, permissions, insecure software, insecure configurations, etc. to identify potential weaknesses.", "url": "https://attack.mitre.org/mitigations/M1047"}, {"name": "Network Segmentation", "description": "Architect sections of the network to isolate critical systems, functions, or resources. Use physical and logical segmentation to prevent access to potentially sensitive systems and information. Use a DMZ to contain any internet-facing services that should not be exposed from the internal network.", "url": "https://attack.mitre.org/mitigations/M1030"}]}, {"_id": "T1175", "mitigations": [{"name": "Disable or Remove Feature or Program", "description": "Remove or deny access to unnecessary and potentially vulnerable software to prevent abuse by adversaries.", "url": "https://attack.mitre.org/mitigations/M1042"}, {"name": "Network Segmentation", "description": "Architect sections of the network to isolate critical systems, functions, or resources. Use physical and logical segmentation to prevent access to potentially sensitive systems and information. 
Use a DMZ to contain any internet-facing services that should not be exposed from the internal network.", "url": "https://attack.mitre.org/mitigations/M1030"}, {"name": "Privileged Account Management", "description": "Manage the creation, modification, use, and permissions associated to privileged accounts, including SYSTEM and root.", "url": "https://attack.mitre.org/mitigations/M1026"}, {"name": "Application Isolation and Sandboxing", "description": "Restrict execution of code to a virtual environment on or in transit to an endpoint system.", "url": "https://attack.mitre.org/mitigations/M1048"}]}, {"_id": "T1020", "mitigations": [{"name": "Automated Exfiltration Mitigation", "description": "Identify unnecessary system utilities, scripts, or potentially malicious software that may be used to transfer data outside of a network, and audit and/or block them by using whitelisting (Citation: Beechey 2010) tools, like AppLocker, (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) or Software Restriction Policies (Citation: Corio 2008) where appropriate. 
(Citation: TechNet Applocker vs SRP)", "url": ""}]}, {"_id": "T1070", "mitigations": [{"name": "Encrypt Sensitive Information", "description": "Protect sensitive information with strong encryption.", "url": "https://attack.mitre.org/mitigations/M1041"}, {"name": "Remote Data Storage", "description": "Use remote security log and sensitive file storage where access can be controlled better to prevent exposure of intrusion detection log data or sensitive information.", "url": "https://attack.mitre.org/mitigations/M1029"}, {"name": "Restrict File and Directory Permissions", "description": "Restrict access by setting directory and file permissions that are not specific to users or privileged accounts.", "url": "https://attack.mitre.org/mitigations/M1022"}]}, {"_id": "T1083", "mitigations": [{"name": "File and Directory Discovery Mitigation", "description": "File system activity is a common part of an operating system, so it is unlikely that mitigation would be appropriate for this technique. It may still be beneficial to identify and block unnecessary system utilities or potentially malicious software by using whitelisting (Citation: Beechey 2010) tools, like AppLocker, (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) or Software Restriction Policies (Citation: Corio 2008) where appropriate. 
(Citation: TechNet Applocker vs SRP)", "url": ""}]}, {"_id": "T1138", "mitigations": [{"name": "User Account Control", "description": "Configure Windows User Account Control to mitigate risk of adversaries obtaining elevated process access.", "url": "https://attack.mitre.org/mitigations/M1052"}, {"name": "Update Software", "description": "Perform regular software updates to mitigate exploitation risk.", "url": "https://attack.mitre.org/mitigations/M1051"}]}, {"_id": "T1191", "mitigations": [{"name": "Disable or Remove Feature or Program", "description": "Remove or deny access to unnecessary and potentially vulnerable software to prevent abuse by adversaries.", "url": "https://attack.mitre.org/mitigations/M1042"}, {"name": "Execution Prevention", "description": "Block execution of code on a system through application whitelisting, blacklisting, and/or script blocking.", "url": "https://attack.mitre.org/mitigations/M1038"}]}, {"_id": "T1188", "mitigations": [{"name": "Filter Network Traffic", "description": "Use network appliances to filter ingress or egress traffic and perform protocol-based filtering. Configure software on endpoints to filter network traffic.", "url": "https://attack.mitre.org/mitigations/M1037"}]}, {"_id": "T1074", "mitigations": [{"name": "Data Staged Mitigation", "description": "Identify system utilities, remote access or third-party tools, users or potentially malicious software that may be used to store compressed or encrypted data in a publicly writeable directory, central location, or commonly used staging directories (e.g. recycle bin) that is indicative of non-standard behavior, and audit and/or block them by using file integrity monitoring tools where appropriate. 
Consider applying data size limits or blocking file writes of common compression and encryption utilities such as 7zip, RAR, ZIP, or zlib on frequently used staging directories or central locations and monitor attempted violations of those restrictions.", "url": ""}]}, {"_id": "T1049", "mitigations": [{"name": "System Network Connections Discovery Mitigation", "description": "Identify unnecessary system utilities or potentially malicious software that may be used to acquire information about network connections, and audit and/or block them by using whitelisting (Citation: Beechey 2010) tools, like AppLocker, (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) or Software Restriction Policies (Citation: Corio 2008) where appropriate. (Citation: TechNet Applocker vs SRP)", "url": ""}]}, {"_id": "T1064", "mitigations": [{"name": "Application Isolation and Sandboxing", "description": "Restrict execution of code to a virtual environment on or in transit to an endpoint system.", "url": "https://attack.mitre.org/mitigations/M1048"}, {"name": "Disable or Remove Feature or Program", "description": "Remove or deny access to unnecessary and potentially vulnerable software to prevent abuse by adversaries.", "url": "https://attack.mitre.org/mitigations/M1042"}]}, {"_id": "T1051", "mitigations": [{"name": "Network Segmentation", "description": "Architect sections of the network to isolate critical systems, functions, or resources. Use physical and logical segmentation to prevent access to potentially sensitive systems and information. 
Use a DMZ to contain any internet-facing services that should not be exposed from the internal network.", "url": "https://attack.mitre.org/mitigations/M1030"}, {"name": "User Account Management", "description": "Manage the creation, modification, use, and permissions associated to user accounts.", "url": "https://attack.mitre.org/mitigations/M1018"}, {"name": "Limit Access to Resource Over Network", "description": "Prevent access to file shares, remote access to systems, unnecessary services. Mechanisms to limit access may include use of network concentrators, RDP gateways, etc.", "url": "https://attack.mitre.org/mitigations/M1035"}, {"name": "Privileged Account Management", "description": "Manage the creation, modification, use, and permissions associated to privileged accounts, including SYSTEM and root.", "url": "https://attack.mitre.org/mitigations/M1026"}, {"name": "Restrict File and Directory Permissions", "description": "Restrict access by setting directory and file permissions that are not specific to users or privileged accounts.", "url": "https://attack.mitre.org/mitigations/M1022"}]}, {"_id": "T1497", "mitigations": [{"name": "Virtualization/Sandbox Evasion Mitigation", "description": "Mitigation of this technique with preventative controls may impact the adversary's decision process depending on what they're looking for, how they use the information, and what their objectives are. 
Since it may be difficult to mitigate all aspects of information that could be gathered, efforts should be focused on preventing adversary tools from running earlier in the chain of activity and on identifying subsequent malicious behavior if compromised.", "url": ""}]}, {"_id": "T1102", "mitigations": [{"name": "Network Intrusion Prevention", "description": "Use intrusion detection signatures to block traffic at network boundaries.", "url": "https://attack.mitre.org/mitigations/M1031"}, {"name": "Restrict Web-Based Content", "description": "Restrict use of certain websites, block downloads/attachments, block Javascript, restrict browser extensions, etc.", "url": "https://attack.mitre.org/mitigations/M1021"}]}, {"_id": "T1104", "mitigations": [{"name": "Network Intrusion Prevention", "description": "Use intrusion detection signatures to block traffic at network boundaries.", "url": "https://attack.mitre.org/mitigations/M1031"}]}, {"_id": "T1480", "mitigations": [{"name": "Do Not Mitigate", "description": "This category is to associate techniques that mitigation might increase risk of compromise and therefore mitigation is not recommended.", "url": "https://attack.mitre.org/mitigations/M1055"}]}, {"_id": "T1528", "mitigations": [{"name": "Restrict Web-Based Content", "description": "Restrict use of certain websites, block downloads/attachments, block Javascript, restrict browser extensions, etc.", "url": "https://attack.mitre.org/mitigations/M1021"}, {"name": "Audit", "description": "Perform audits or scans of systems, permissions, insecure software, insecure configurations, etc. 
to identify potential weaknesses.", "url": "https://attack.mitre.org/mitigations/M1047"}, {"name": "User Training", "description": "Train users to to be aware of access or manipulation attempts by an adversary to reduce the risk of successful spearphishing, social engineering, and other techniques that involve user interaction.", "url": "https://attack.mitre.org/mitigations/M1017"}, {"name": "User Account Management", "description": "Manage the creation, modification, use, and permissions associated to user accounts.", "url": "https://attack.mitre.org/mitigations/M1018"}]}, {"_id": "T1204", "mitigations": [{"name": "User Training", "description": "Train users to to be aware of access or manipulation attempts by an adversary to reduce the risk of successful spearphishing, social engineering, and other techniques that involve user interaction.", "url": "https://attack.mitre.org/mitigations/M1017"}, {"name": "Execution Prevention", "description": "Block execution of code on a system through application whitelisting, blacklisting, and/or script blocking.", "url": "https://attack.mitre.org/mitigations/M1038"}, {"name": "Restrict Web-Based Content", "description": "Restrict use of certain websites, block downloads/attachments, block Javascript, restrict browser extensions, etc.", "url": "https://attack.mitre.org/mitigations/M1021"}, {"name": "Network Intrusion Prevention", "description": "Use intrusion detection signatures to block traffic at network boundaries.", "url": "https://attack.mitre.org/mitigations/M1031"}]}, {"_id": "T1196", "mitigations": [{"name": "Execution Prevention", "description": "Block execution of code on a system through application whitelisting, blacklisting, and/or script blocking.", "url": "https://attack.mitre.org/mitigations/M1038"}, {"name": "Restrict File and Directory Permissions", "description": "Restrict access by setting directory and file permissions that are not specific to users or privileged accounts.", "url": 
"https://attack.mitre.org/mitigations/M1022"}]}, {"_id": "T1057", "mitigations": [{"name": "Process Discovery Mitigation", "description": "Identify unnecessary system utilities or potentially malicious software that may be used to acquire information about processes, and audit and/or block them by using whitelisting (Citation: Beechey 2010) tools, like AppLocker, (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) or Software Restriction Policies (Citation: Corio 2008) where appropriate. (Citation: TechNet Applocker vs SRP)", "url": ""}]}, {"_id": "T1141", "mitigations": [{"name": "User Training", "description": "Train users to to be aware of access or manipulation attempts by an adversary to reduce the risk of successful spearphishing, social engineering, and other techniques that involve user interaction.", "url": "https://attack.mitre.org/mitigations/M1017"}]}, {"_id": "T1072", "mitigations": [{"name": "User Account Management", "description": "Manage the creation, modification, use, and permissions associated to user accounts.", "url": "https://attack.mitre.org/mitigations/M1018"}, {"name": "Active Directory Configuration", "description": "Configure Active Directory to prevent use of certain techniques; use SID Filtering, etc.", "url": "https://attack.mitre.org/mitigations/M1015"}, {"name": "Update Software", "description": "Perform regular software updates to mitigate exploitation risk.", "url": "https://attack.mitre.org/mitigations/M1051"}, {"name": "Privileged Account Management", "description": "Manage the creation, modification, use, and permissions associated to privileged accounts, including SYSTEM and root.", "url": "https://attack.mitre.org/mitigations/M1026"}, {"name": "Password Policies", "description": "Set and enforce secure password policies for accounts.", "url": "https://attack.mitre.org/mitigations/M1027"}, {"name": "Network Segmentation", "description": "Architect sections of the network to isolate critical systems, functions, or 
resources. Use physical and logical segmentation to prevent access to potentially sensitive systems and information. Use a DMZ to contain any internet-facing services that should not be exposed from the internal network.", "url": "https://attack.mitre.org/mitigations/M1030"}, {"name": "User Training", "description": "Train users to to be aware of access or manipulation attempts by an adversary to reduce the risk of successful spearphishing, social engineering, and other techniques that involve user interaction.", "url": "https://attack.mitre.org/mitigations/M1017"}, {"name": "Multi-factor Authentication", "description": "Use two or more pieces of evidence to authenticate to a system; such as username and password in addition to a token from a physical smart card or token generator.", "url": "https://attack.mitre.org/mitigations/M1032"}, {"name": "Remote Data Storage", "description": "Use remote security log and sensitive file storage where access can be controlled better to prevent exposure of intrusion detection log data or sensitive information.", "url": "https://attack.mitre.org/mitigations/M1029"}]}, {"_id": "T1041", "mitigations": [{"name": "Network Intrusion Prevention", "description": "Use intrusion detection signatures to block traffic at network boundaries.", "url": "https://attack.mitre.org/mitigations/M1031"}]}, {"_id": "T1060", "mitigations": [{"name": "Registry Run Keys / Startup Folder Mitigation", "description": "Identify and block potentially malicious software that may be executed through run key or startup folder persistence using whitelisting (Citation: Beechey 2010) tools like AppLocker (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) or Software Restriction Policies (Citation: Corio 2008) where appropriate. 
(Citation: TechNet Applocker vs SRP)", "url": ""}]}, {"_id": "T1023", "mitigations": [{"name": "User Account Management", "description": "Manage the creation, modification, use, and permissions associated to user accounts.", "url": "https://attack.mitre.org/mitigations/M1018"}]}, {"_id": "T1026", "mitigations": [{"name": "Network Intrusion Prevention", "description": "Use intrusion detection signatures to block traffic at network boundaries.", "url": "https://attack.mitre.org/mitigations/M1031"}]}, {"_id": "T1122", "mitigations": [{"name": "Component Object Model Hijacking Mitigation", "description": "Direct mitigation of this technique may not be recommended for a particular environment since COM objects are a legitimate part of the operating system and installed software. Blocking COM object changes may have unforeseen side effects to legitimate functionality.", "url": ""}]}, {"_id": "T1015", "mitigations": [{"name": "Execution Prevention", "description": "Block execution of code on a system through application whitelisting, blacklisting, and/or script blocking.", "url": "https://attack.mitre.org/mitigations/M1038"}, {"name": "Operating System Configuration", "description": "Make configuration changes related to the operating system or a common feature of the operating system that result in system hardening against techniques.", "url": "https://attack.mitre.org/mitigations/M1028"}, {"name": "Limit Access to Resource Over Network", "description": "Prevent access to file shares, remote access to systems, unnecessary services. 
Mechanisms to limit access may include use of network concentrators, RDP gateways, etc.", "url": "https://attack.mitre.org/mitigations/M1035"}]}, {"_id": "T1212", "mitigations": [{"name": "Exploit Protection", "description": "Use capabilities to detect and block conditions that may lead to or be indicative of a software exploit occurring.", "url": "https://attack.mitre.org/mitigations/M1050"}, {"name": "Update Software", "description": "Perform regular software updates to mitigate exploitation risk.", "url": "https://attack.mitre.org/mitigations/M1051"}, {"name": "Threat Intelligence Program", "description": "A threat intelligence program helps an organization generate their own threat intelligence information and track trends to inform defensive priorities to mitigate risk.", "url": "https://attack.mitre.org/mitigations/M1019"}, {"name": "Application Isolation and Sandboxing", "description": "Restrict execution of code to a virtual environment on or in transit to an endpoint system.", "url": "https://attack.mitre.org/mitigations/M1048"}]}, {"_id": "T1210", "mitigations": [{"name": "Disable or Remove Feature or Program", "description": "Remove or deny access to unnecessary and potentially vulnerable software to prevent abuse by adversaries.", "url": "https://attack.mitre.org/mitigations/M1042"}, {"name": "Vulnerability Scanning", "description": "Vulnerability scanning is used to find potentially exploitable software vulnerabilities to remediate them.", "url": "https://attack.mitre.org/mitigations/M1016"}, {"name": "Exploit Protection", "description": "Use capabilities to detect and block conditions that may lead to or be indicative of a software exploit occurring.", "url": "https://attack.mitre.org/mitigations/M1050"}, {"name": "Network Segmentation", "description": "Architect sections of the network to isolate critical systems, functions, or resources. Use physical and logical segmentation to prevent access to potentially sensitive systems and information. 
Use a DMZ to contain any internet-facing services that should not be exposed from the internal network.", "url": "https://attack.mitre.org/mitigations/M1030"}, {"name": "Threat Intelligence Program", "description": "A threat intelligence program helps an organization generate their own threat intelligence information and track trends to inform defensive priorities to mitigate risk.", "url": "https://attack.mitre.org/mitigations/M1019"}, {"name": "Application Isolation and Sandboxing", "description": "Restrict execution of code to a virtual environment on or in transit to an endpoint system.", "url": "https://attack.mitre.org/mitigations/M1048"}, {"name": "Privileged Account Management", "description": "Manage the creation, modification, use, and permissions associated to privileged accounts, including SYSTEM and root.", "url": "https://attack.mitre.org/mitigations/M1026"}, {"name": "Update Software", "description": "Perform regular software updates to mitigate exploitation risk.", "url": "https://attack.mitre.org/mitigations/M1051"}]}, {"_id": "T1502", "mitigations": []}, {"_id": "T1142", "mitigations": [{"name": "Password Policies", "description": "Set and enforce secure password policies for accounts.", "url": "https://attack.mitre.org/mitigations/M1027"}]}, {"_id": "T1534", "mitigations": []}, {"_id": "T1169", "mitigations": [{"name": "Privileged Account Management", "description": "Manage the creation, modification, use, and permissions associated to privileged accounts, including SYSTEM and root.", "url": "https://attack.mitre.org/mitigations/M1026"}, {"name": "Restrict File and Directory Permissions", "description": "Restrict access by setting directory and file permissions that are not specific to users or privileged accounts.", "url": "https://attack.mitre.org/mitigations/M1022"}]}, {"_id": "T1199", "mitigations": [{"name": "User Account Control", "description": "Configure Windows User Account Control to mitigate risk of adversaries obtaining elevated 
process access.", "url": "https://attack.mitre.org/mitigations/M1052"}, {"name": "Network Segmentation", "description": "Architect sections of the network to isolate critical systems, functions, or resources. Use physical and logical segmentation to prevent access to potentially sensitive systems and information. Use a DMZ to contain any internet-facing services that should not be exposed from the internal network.", "url": "https://attack.mitre.org/mitigations/M1030"}]}, {"_id": "T1149", "mitigations": [{"name": "Code Signing", "description": "Enforce binary and application integrity with digital signature verification to prevent untrusted code from executing.", "url": "https://attack.mitre.org/mitigations/M1045"}]}, {"_id": "T1098", "mitigations": [{"name": "Network Segmentation", "description": "Architect sections of the network to isolate critical systems, functions, or resources. Use physical and logical segmentation to prevent access to potentially sensitive systems and information. 
Use a DMZ to contain any internet-facing services that should not be exposed from the internal network.", "url": "https://attack.mitre.org/mitigations/M1030"}, {"name": "Multi-factor Authentication", "description": "Use two or more pieces of evidence to authenticate to a system; such as username and password in addition to a token from a physical smart card or token generator.", "url": "https://attack.mitre.org/mitigations/M1032"}, {"name": "Privileged Account Management", "description": "Manage the creation, modification, use, and permissions associated to privileged accounts, including SYSTEM and root.", "url": "https://attack.mitre.org/mitigations/M1026"}, {"name": "Operating System Configuration", "description": "Make configuration changes related to the operating system or a common feature of the operating system that result in system hardening against techniques.", "url": "https://attack.mitre.org/mitigations/M1028"}]}, {"_id": "T1170", "mitigations": [{"name": "Execution Prevention", "description": "Block execution of code on a system through application whitelisting, blacklisting, and/or script blocking.", "url": "https://attack.mitre.org/mitigations/M1038"}, {"name": "Disable or Remove Feature or Program", "description": "Remove or deny access to unnecessary and potentially vulnerable software to prevent abuse by adversaries.", "url": "https://attack.mitre.org/mitigations/M1042"}]}, {"_id": "T1048", "mitigations": [{"name": "Network Segmentation", "description": "Architect sections of the network to isolate critical systems, functions, or resources. Use physical and logical segmentation to prevent access to potentially sensitive systems and information. Use a DMZ to contain any internet-facing services that should not be exposed from the internal network.", "url": "https://attack.mitre.org/mitigations/M1030"}, {"name": "Filter Network Traffic", "description": "Use network appliances to filter ingress or egress traffic and perform protocol-based filtering. 
Configure software on endpoints to filter network traffic.", "url": "https://attack.mitre.org/mitigations/M1037"}, {"name": "Network Intrusion Prevention", "description": "Use intrusion detection signatures to block traffic at network boundaries.", "url": "https://attack.mitre.org/mitigations/M1031"}]}, {"_id": "T1097", "mitigations": [{"name": "Active Directory Configuration", "description": "Configure Active Directory to prevent use of certain techniques; use SID Filtering, etc.", "url": "https://attack.mitre.org/mitigations/M1015"}, {"name": "Password Policies", "description": "Set and enforce secure password policies for accounts.", "url": "https://attack.mitre.org/mitigations/M1027"}, {"name": "User Account Management", "description": "Manage the creation, modification, use, and permissions associated to user accounts.", "url": "https://attack.mitre.org/mitigations/M1018"}, {"name": "Privileged Account Management", "description": "Manage the creation, modification, use, and permissions associated to privileged accounts, including SYSTEM and root.", "url": "https://attack.mitre.org/mitigations/M1026"}]}, {"_id": "T1061", "mitigations": [{"name": "Graphical User Interface Mitigation", "description": "Prevent adversaries from gaining access to credentials through Credential Access that can be used to log into remote desktop sessions on systems.", "url": ""}]}, {"_id": "T1110", "mitigations": [{"name": "Account Use Policies", "description": "Configure features related to account use like login attempt lockouts, specific login times, etc.", "url": "https://attack.mitre.org/mitigations/M1036"}, {"name": "Multi-factor Authentication", "description": "Use two or more pieces of evidence to authenticate to a system; such as username and password in addition to a token from a physical smart card or token generator.", "url": "https://attack.mitre.org/mitigations/M1032"}, {"name": "Password Policies", "description": "Set and enforce secure password policies for accounts.", 
"url": "https://attack.mitre.org/mitigations/M1027"}]}, {"_id": "T1157", "mitigations": [{"name": "Restrict File and Directory Permissions", "description": "Restrict access by setting directory and file permissions that are not specific to users or privileged accounts.", "url": "https://attack.mitre.org/mitigations/M1022"}, {"name": "User Account Management", "description": "Manage the creation, modification, use, and permissions associated to user accounts.", "url": "https://attack.mitre.org/mitigations/M1018"}]}, {"_id": "T1001", "mitigations": [{"name": "Network Intrusion Prevention", "description": "Use intrusion detection signatures to block traffic at network boundaries.", "url": "https://attack.mitre.org/mitigations/M1031"}]}, {"_id": "T1039", "mitigations": [{"name": "Data from Network Shared Drive Mitigation", "description": "Identify unnecessary system utilities or potentially malicious software that may be used to collect data from a network share, and audit and/or block them by using whitelisting (Citation: Beechey 2010) tools, like AppLocker, (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) or Software Restriction Policies (Citation: Corio 2008) where appropriate. (Citation: TechNet Applocker vs SRP)", "url": ""}]}, {"_id": "T1078", "mitigations": [{"name": "Multi-factor Authentication", "description": "Use two or more pieces of evidence to authenticate to a system; such as username and password in addition to a token from a physical smart card or token generator.", "url": "https://attack.mitre.org/mitigations/M1032"}, {"name": "Audit", "description": "Perform audits or scans of systems, permissions, insecure software, insecure configurations, etc. 
to identify potential weaknesses.", "url": "https://attack.mitre.org/mitigations/M1047"}, {"name": "Password Policies", "description": "Set and enforce secure password policies for accounts.", "url": "https://attack.mitre.org/mitigations/M1027"}, {"name": "Privileged Account Management", "description": "Manage the creation, modification, use, and permissions associated to privileged accounts, including SYSTEM and root.", "url": "https://attack.mitre.org/mitigations/M1026"}, {"name": "User Account Management", "description": "Manage the creation, modification, use, and permissions associated to user accounts.", "url": "https://attack.mitre.org/mitigations/M1018"}, {"name": "Application Developer Guidance", "description": "This mitigation describes any guidance or training given to developers of applications to avoid introducing security weaknesses that an adversary may be able to take advantage of.", "url": "https://attack.mitre.org/mitigations/M1013"}, {"name": "Filter Network Traffic", "description": "Use network appliances to filter ingress or egress traffic and perform protocol-based filtering. Configure software on endpoints to filter network traffic.", "url": "https://attack.mitre.org/mitigations/M1037"}]}, {"_id": "T1073", "mitigations": [{"name": "Update Software", "description": "Perform regular software updates to mitigate exploitation risk.", "url": "https://attack.mitre.org/mitigations/M1051"}, {"name": "Restrict File and Directory Permissions", "description": "Restrict access by setting directory and file permissions that are not specific to users or privileged accounts.", "url": "https://attack.mitre.org/mitigations/M1022"}, {"name": "Audit", "description": "Perform audits or scans of systems, permissions, insecure software, insecure configurations, etc. 
to identify potential weaknesses.", "url": "https://attack.mitre.org/mitigations/M1047"}]}, {"_id": "T1068", "mitigations": [{"name": "Update Software", "description": "Perform regular software updates to mitigate exploitation risk.", "url": "https://attack.mitre.org/mitigations/M1051"}, {"name": "Exploit Protection", "description": "Use capabilities to detect and block conditions that may lead to or be indicative of a software exploit occurring.", "url": "https://attack.mitre.org/mitigations/M1050"}, {"name": "Application Isolation and Sandboxing", "description": "Restrict execution of code to a virtual environment on or in transit to an endpoint system.", "url": "https://attack.mitre.org/mitigations/M1048"}, {"name": "Threat Intelligence Program", "description": "A threat intelligence program helps an organization generate their own threat intelligence information and track trends to inform defensive priorities to mitigate risk.", "url": "https://attack.mitre.org/mitigations/M1019"}]}, {"_id": "T1531", "mitigations": []}, {"_id": "T1208", "mitigations": [{"name": "Privileged Account Management", "description": "Manage the creation, modification, use, and permissions associated to privileged accounts, including SYSTEM and root.", "url": "https://attack.mitre.org/mitigations/M1026"}, {"name": "Encrypt Sensitive Information", "description": "Protect sensitive information with strong encryption.", "url": "https://attack.mitre.org/mitigations/M1041"}, {"name": "Password Policies", "description": "Set and enforce secure password policies for accounts.", "url": "https://attack.mitre.org/mitigations/M1027"}]}, {"_id": "T1027", "mitigations": [{"name": "Antivirus/Antimalware", "description": "Use signatures or heuristics to detect malicious software.", "url": "https://attack.mitre.org/mitigations/M1049"}]}, {"_id": "T1154", "mitigations": [{"name": "Trap Mitigation", "description": "Due to potential legitimate uses of trap commands, it's may be difficult to mitigate use 
of this technique.", "url": ""}]}, {"_id": "T1201", "mitigations": [{"name": "Password Policies", "description": "Set and enforce secure password policies for accounts.", "url": "https://attack.mitre.org/mitigations/M1027"}]}, {"_id": "T1187", "mitigations": [{"name": "Password Policies", "description": "Set and enforce secure password policies for accounts.", "url": "https://attack.mitre.org/mitigations/M1027"}, {"name": "Filter Network Traffic", "description": "Use network appliances to filter ingress or egress traffic and perform protocol-based filtering. Configure software on endpoints to filter network traffic.", "url": "https://attack.mitre.org/mitigations/M1037"}]}, {"_id": "T1486", "mitigations": [{"name": "Data Backup", "description": "Take and store data backups from end user systems and critical servers. Ensure backup and storage systems are hardened and kept separate from the corporate network to prevent compromise.", "url": "https://attack.mitre.org/mitigations/M1053"}]}, {"_id": "T1488", "mitigations": [{"name": "Data Backup", "description": "Take and store data backups from end user systems and critical servers. 
Ensure backup and storage systems are hardened and kept separate from the corporate network to prevent compromise.", "url": "https://attack.mitre.org/mitigations/M1053"}]}, {"_id": "T1174", "mitigations": [{"name": "Operating System Configuration", "description": "Make configuration changes related to the operating system or a common feature of the operating system that result in system hardening against techniques.", "url": "https://attack.mitre.org/mitigations/M1028"}]}, {"_id": "T1002", "mitigations": [{"name": "Network Intrusion Prevention", "description": "Use intrusion detection signatures to block traffic at network boundaries.", "url": "https://attack.mitre.org/mitigations/M1031"}]}, {"_id": "T1081", "mitigations": [{"name": "User Training", "description": "Train users to to be aware of access or manipulation attempts by an adversary to reduce the risk of successful spearphishing, social engineering, and other techniques that involve user interaction.", "url": "https://attack.mitre.org/mitigations/M1017"}, {"name": "Restrict File and Directory Permissions", "description": "Restrict access by setting directory and file permissions that are not specific to users or privileged accounts.", "url": "https://attack.mitre.org/mitigations/M1022"}, {"name": "Password Policies", "description": "Set and enforce secure password policies for accounts.", "url": "https://attack.mitre.org/mitigations/M1027"}, {"name": "Active Directory Configuration", "description": "Configure Active Directory to prevent use of certain techniques; use SID Filtering, etc.", "url": "https://attack.mitre.org/mitigations/M1015"}, {"name": "Audit", "description": "Perform audits or scans of systems, permissions, insecure software, insecure configurations, etc. 
to identify potential weaknesses.", "url": "https://attack.mitre.org/mitigations/M1047"}]}, {"_id": "T1128", "mitigations": [{"name": "Netsh Helper DLL Mitigation", "description": "Identify and block potentially malicious software that may persist in this manner by using whitelisting (Citation: Beechey 2010) tools capable of monitoring DLL loads by Windows utilities like AppLocker. (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker)", "url": ""}]}, {"_id": "T1056", "mitigations": [{"name": "Input Capture Mitigation", "description": "Identify and block potentially malicious software that may be used to acquire credentials or information from the user by using whitelisting (Citation: Beechey 2010) tools, like AppLocker, (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) or Software Restriction Policies (Citation: Corio 2008) where appropriate. (Citation: TechNet Applocker vs SRP)", "url": ""}]}, {"_id": "T1203", "mitigations": [{"name": "Exploit Protection", "description": "Use capabilities to detect and block conditions that may lead to or be indicative of a software exploit occurring.", "url": "https://attack.mitre.org/mitigations/M1050"}, {"name": "Application Isolation and Sandboxing", "description": "Restrict execution of code to a virtual environment on or in transit to an endpoint system.", "url": "https://attack.mitre.org/mitigations/M1048"}]}, {"_id": "T1168", "mitigations": [{"name": "User Account Management", "description": "Manage the creation, modification, use, and permissions associated to user accounts.", "url": "https://attack.mitre.org/mitigations/M1018"}]}, {"_id": "T1166", "mitigations": [{"name": "Operating System Configuration", "description": "Make configuration changes related to the operating system or a common feature of the operating system that result in system hardening against techniques.", "url": "https://attack.mitre.org/mitigations/M1028"}]}, {"_id": "T1100", "mitigations": [{"name": "Privileged Account 
Management", "description": "Manage the creation, modification, use, and permissions associated to privileged accounts, including SYSTEM and root.", "url": "https://attack.mitre.org/mitigations/M1026"}, {"name": "Update Software", "description": "Perform regular software updates to mitigate exploitation risk.", "url": "https://attack.mitre.org/mitigations/M1051"}]}, {"_id": "T1186", "mitigations": [{"name": "Process Doppelg\u00e4nging Mitigation", "description": "This type of attack technique cannot be easily mitigated with preventive controls or patched since it is based on the abuse of operating system design features. For example, mitigating specific API calls will likely have unintended side effects, such as preventing legitimate process-loading mechanisms from operating properly. Efforts should be focused on preventing adversary tools from running earlier in the chain of activity and on identifying subsequent malicious behavior.", "url": ""}]}, {"_id": "T1184", "mitigations": [{"name": "Privileged Account Management", "description": "Manage the creation, modification, use, and permissions associated to privileged accounts, including SYSTEM and root.", "url": "https://attack.mitre.org/mitigations/M1026"}, {"name": "User Account Control", "description": "Configure Windows User Account Control to mitigate risk of adversaries obtaining elevated process access.", "url": "https://attack.mitre.org/mitigations/M1052"}, {"name": "Disable or Remove Feature or Program", "description": "Remove or deny access to unnecessary and potentially vulnerable software to prevent abuse by adversaries.", "url": "https://attack.mitre.org/mitigations/M1042"}, {"name": "Restrict File and Directory Permissions", "description": "Restrict access by setting directory and file permissions that are not specific to users or privileged accounts.", "url": "https://attack.mitre.org/mitigations/M1022"}, {"name": "Password Policies", "description": "Set and enforce secure password policies for 
accounts.", "url": "https://attack.mitre.org/mitigations/M1027"}]}, {"_id": "T1095", "mitigations": [{"name": "Network Intrusion Prevention", "description": "Use intrusion detection signatures to block traffic at network boundaries.", "url": "https://attack.mitre.org/mitigations/M1031"}, {"name": "Filter Network Traffic", "description": "Use network appliances to filter ingress or egress traffic and perform protocol-based filtering. Configure software on endpoints to filter network traffic.", "url": "https://attack.mitre.org/mitigations/M1037"}, {"name": "Network Segmentation", "description": "Architect sections of the network to isolate critical systems, functions, or resources. Use physical and logical segmentation to prevent access to potentially sensitive systems and information. Use a DMZ to contain any internet-facing services that should not be exposed from the internal network.", "url": "https://attack.mitre.org/mitigations/M1030"}]}, {"_id": "T1075", "mitigations": [{"name": "Password Policies", "description": "Set and enforce secure password policies for accounts.", "url": "https://attack.mitre.org/mitigations/M1027"}, {"name": "Privileged Account Management", "description": "Manage the creation, modification, use, and permissions associated to privileged accounts, including SYSTEM and root.", "url": "https://attack.mitre.org/mitigations/M1026"}, {"name": "Update Software", "description": "Perform regular software updates to mitigate exploitation risk.", "url": "https://attack.mitre.org/mitigations/M1051"}, {"name": "User Account Control", "description": "Configure Windows User Account Control to mitigate risk of adversaries obtaining elevated process access.", "url": "https://attack.mitre.org/mitigations/M1052"}, {"name": "User Account Management", "description": "Manage the creation, modification, use, and permissions associated to user accounts.", "url": "https://attack.mitre.org/mitigations/M1018"}]}, {"_id": "T1012", "mitigations": [{"name": "Query 
Registry Mitigation", "description": "Identify unnecessary system utilities or potentially malicious software that may be used to acquire information within the Registry, and audit and/or block them by using whitelisting (Citation: Beechey 2010) tools, like AppLocker, (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) or Software Restriction Policies (Citation: Corio 2008) where appropriate. (Citation: TechNet Applocker vs SRP)", "url": ""}]}, {"_id": "T1030", "mitigations": [{"name": "Network Intrusion Prevention", "description": "Use intrusion detection signatures to block traffic at network boundaries.", "url": "https://attack.mitre.org/mitigations/M1031"}]}, {"_id": "T1028", "mitigations": [{"name": "Disable or Remove Feature or Program", "description": "Remove or deny access to unnecessary and potentially vulnerable software to prevent abuse by adversaries.", "url": "https://attack.mitre.org/mitigations/M1042"}, {"name": "Privileged Account Management", "description": "Manage the creation, modification, use, and permissions associated to privileged accounts, including SYSTEM and root.", "url": "https://attack.mitre.org/mitigations/M1026"}, {"name": "Network Segmentation", "description": "Architect sections of the network to isolate critical systems, functions, or resources. Use physical and logical segmentation to prevent access to potentially sensitive systems and information. 
Use a DMZ to contain any internet-facing services that should not be exposed from the internal network.", "url": "https://attack.mitre.org/mitigations/M1030"}]}, {"_id": "T1034", "mitigations": [{"name": "Restrict File and Directory Permissions", "description": "Restrict access by setting directory and file permissions that are not specific to users or privileged accounts.", "url": "https://attack.mitre.org/mitigations/M1022"}, {"name": "User Account Management", "description": "Manage the creation, modification, use, and permissions associated to user accounts.", "url": "https://attack.mitre.org/mitigations/M1018"}, {"name": "Audit", "description": "Perform audits or scans of systems, permissions, insecure software, insecure configurations, etc. to identify potential weaknesses.", "url": "https://attack.mitre.org/mitigations/M1047"}, {"name": "Execution Prevention", "description": "Block execution of code on a system through application whitelisting, blacklisting, and/or script blocking.", "url": "https://attack.mitre.org/mitigations/M1038"}]}, {"_id": "T1506", "mitigations": [{"name": "Software Configuration", "description": "Implement configuration changes to software (other than the operating system) to mitigate security risks associated to how the software operates.", "url": "https://attack.mitre.org/mitigations/M1054"}]}, {"_id": "T1499", "mitigations": [{"name": "Filter Network Traffic", "description": "Use network appliances to filter ingress or egress traffic and perform protocol-based filtering. Configure software on endpoints to filter network traffic.", "url": "https://attack.mitre.org/mitigations/M1037"}]}, {"_id": "T1065", "mitigations": [{"name": "Network Segmentation", "description": "Architect sections of the network to isolate critical systems, functions, or resources. Use physical and logical segmentation to prevent access to potentially sensitive systems and information. 
Use a DMZ to contain any internet-facing services that should not be exposed from the internal network.", "url": "https://attack.mitre.org/mitigations/M1030"}, {"name": "Network Intrusion Prevention", "description": "Use intrusion detection signatures to block traffic at network boundaries.", "url": "https://attack.mitre.org/mitigations/M1031"}]}, {"_id": "T1197", "mitigations": [{"name": "User Account Management", "description": "Manage the creation, modification, use, and permissions associated to user accounts.", "url": "https://attack.mitre.org/mitigations/M1018"}, {"name": "Filter Network Traffic", "description": "Use network appliances to filter ingress or egress traffic and perform protocol-based filtering. Configure software on endpoints to filter network traffic.", "url": "https://attack.mitre.org/mitigations/M1037"}, {"name": "Operating System Configuration", "description": "Make configuration changes related to the operating system or a common feature of the operating system that result in system hardening against techniques.", "url": "https://attack.mitre.org/mitigations/M1028"}]}, {"_id": "T1088", "mitigations": [{"name": "Privileged Account Management", "description": "Manage the creation, modification, use, and permissions associated to privileged accounts, including SYSTEM and root.", "url": "https://attack.mitre.org/mitigations/M1026"}, {"name": "Audit", "description": "Perform audits or scans of systems, permissions, insecure software, insecure configurations, etc. to identify potential weaknesses.", "url": "https://attack.mitre.org/mitigations/M1047"}, {"name": "User Account Control", "description": "Configure Windows User Account Control to mitigate risk of adversaries obtaining elevated process access.", "url": "https://attack.mitre.org/mitigations/M1052"}]}, {"_id": "T1494", "mitigations": [{"name": "Network Segmentation", "description": "Architect sections of the network to isolate critical systems, functions, or resources. 
Use physical and logical segmentation to prevent access to potentially sensitive systems and information. Use a DMZ to contain any internet-facing services that should not be exposed from the internal network.", "url": "https://attack.mitre.org/mitigations/M1030"}, {"name": "Restrict File and Directory Permissions", "description": "Restrict access by setting directory and file permissions that are not specific to users or privileged accounts.", "url": "https://attack.mitre.org/mitigations/M1022"}]}, {"_id": "T1493", "mitigations": [{"name": "Encrypt Sensitive Information", "description": "Protect sensitive information with strong encryption.", "url": "https://attack.mitre.org/mitigations/M1041"}]}, {"_id": "T1132", "mitigations": [{"name": "Network Intrusion Prevention", "description": "Use intrusion detection signatures to block traffic at network boundaries.", "url": "https://attack.mitre.org/mitigations/M1031"}]}, {"_id": "T1496", "mitigations": [{"name": "Resource Hijacking Mitigation", "description": "Identify potentially malicious software and audit and/or block it by using whitelisting(Citation: Beechey 2010) tools, like AppLocker,(Citation: Windows Commands JPCERT)(Citation: NSA MS AppLocker) or Software Restriction Policies(Citation: Corio 2008) where appropriate.(Citation: TechNet Applocker vs SRP)", "url": ""}]}, {"_id": "T1147", "mitigations": [{"name": "Operating System Configuration", "description": "Make configuration changes related to the operating system or a common feature of the operating system that result in system hardening against techniques.", "url": "https://attack.mitre.org/mitigations/M1028"}]}, {"_id": "T1500", "mitigations": [{"name": "Compile After Delivery Mitigation", "description": "This type of technique cannot be easily mitigated with preventive controls or patched since it is based on the abuse of operating system design features. 
For example, blocking all file compilation may have unintended side effects, such as preventing legitimate OS frameworks and code development mechanisms from operating properly. Consider removing compilers if not needed, otherwise efforts should be focused on preventing adversary tools from running earlier in the chain of activity and on identifying subsequent malicious behavior.", "url": ""}]}, {"_id": "T1223", "mitigations": [{"name": "Restrict Web-Based Content", "description": "Restrict use of certain websites, block downloads/attachments, block Javascript, restrict browser extensions, etc.", "url": "https://attack.mitre.org/mitigations/M1021"}, {"name": "Execution Prevention", "description": "Block execution of code on a system through application whitelisting, blacklisting, and/or script blocking.", "url": "https://attack.mitre.org/mitigations/M1038"}]}, {"_id": "T1213", "mitigations": [{"name": "User Training", "description": "Train users to to be aware of access or manipulation attempts by an adversary to reduce the risk of successful spearphishing, social engineering, and other techniques that involve user interaction.", "url": "https://attack.mitre.org/mitigations/M1017"}, {"name": "User Account Management", "description": "Manage the creation, modification, use, and permissions associated to user accounts.", "url": "https://attack.mitre.org/mitigations/M1018"}, {"name": "Audit", "description": "Perform audits or scans of systems, permissions, insecure software, insecure configurations, etc. 
to identify potential weaknesses.", "url": "https://attack.mitre.org/mitigations/M1047"}]}, {"_id": "T1146", "mitigations": [{"name": "Environment Variable Permissions", "description": "Prevent modification of environment variables by unauthorized users and groups.", "url": "https://attack.mitre.org/mitigations/M1039"}, {"name": "Restrict File and Directory Permissions", "description": "Restrict access by setting directory and file permissions that are not specific to users or privileged accounts.", "url": "https://attack.mitre.org/mitigations/M1022"}]}, {"_id": "T1519", "mitigations": [{"name": "Disable or Remove Feature or Program", "description": "Remove or deny access to unnecessary and potentially vulnerable software to prevent abuse by adversaries.", "url": "https://attack.mitre.org/mitigations/M1042"}]}, {"_id": "T1194", "mitigations": [{"name": "Antivirus/Antimalware", "description": "Use signatures or heuristics to detect malicious software.", "url": "https://attack.mitre.org/mitigations/M1049"}, {"name": "Restrict Web-Based Content", "description": "Restrict use of certain websites, block downloads/attachments, block Javascript, restrict browser extensions, etc.", "url": "https://attack.mitre.org/mitigations/M1021"}, {"name": "User Training", "description": "Train users to to be aware of access or manipulation attempts by an adversary to reduce the risk of successful spearphishing, social engineering, and other techniques that involve user interaction.", "url": "https://attack.mitre.org/mitigations/M1017"}]}, {"_id": "T1200", "mitigations": [{"name": "Limit Access to Resource Over Network", "description": "Prevent access to file shares, remote access to systems, unnecessary services. 
Mechanisms to limit access may include use of network concentrators, RDP gateways, etc.", "url": "https://attack.mitre.org/mitigations/M1035"}, {"name": "Limit Hardware Installation", "description": "Block users or groups from installing or using unapproved hardware on systems, including USB devices.", "url": "https://attack.mitre.org/mitigations/M1034"}]}, {"_id": "T1505", "mitigations": [{"name": "Code Signing", "description": "Enforce binary and application integrity with digital signature verification to prevent untrusted code from executing.", "url": "https://attack.mitre.org/mitigations/M1045"}, {"name": "Audit", "description": "Perform audits or scans of systems, permissions, insecure software, insecure configurations, etc. to identify potential weaknesses.", "url": "https://attack.mitre.org/mitigations/M1047"}, {"name": "Privileged Account Management", "description": "Manage the creation, modification, use, and permissions associated to privileged accounts, including SYSTEM and root.", "url": "https://attack.mitre.org/mitigations/M1026"}]}, {"_id": "T1485", "mitigations": [{"name": "Data Backup", "description": "Take and store data backups from end user systems and critical servers. Ensure backup and storage systems are hardened and kept separate from the corporate network to prevent compromise.", "url": "https://attack.mitre.org/mitigations/M1053"}]}, {"_id": "T1537", "mitigations": [{"name": "Password Policies", "description": "Set and enforce secure password policies for accounts.", "url": "https://attack.mitre.org/mitigations/M1027"}, {"name": "User Account Management", "description": "Manage the creation, modification, use, and permissions associated to user accounts.", "url": "https://attack.mitre.org/mitigations/M1018"}, {"name": "Filter Network Traffic", "description": "Use network appliances to filter ingress or egress traffic and perform protocol-based filtering. 
Configure software on endpoints to filter network traffic.", "url": "https://attack.mitre.org/mitigations/M1037"}]}, {"_id": "T1130", "mitigations": [{"name": "Operating System Configuration", "description": "Make configuration changes related to the operating system or a common feature of the operating system that result in system hardening against techniques.", "url": "https://attack.mitre.org/mitigations/M1028"}, {"name": "Software Configuration", "description": "Implement configuration changes to software (other than the operating system) to mitigate security risks associated to how the software operates.", "url": "https://attack.mitre.org/mitigations/M1054"}]}, {"_id": "T1022", "mitigations": [{"name": "Data Encrypted Mitigation", "description": "Identify unnecessary system utilities, third-party tools, or potentially malicious software that may be used to encrypt files, and audit and/or block them by using whitelisting (Citation: Beechey 2010) tools, like AppLocker, (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) or Software Restriction Policies (Citation: Corio 2008) where appropriate. 
(Citation: TechNet Applocker vs SRP)", "url": ""}]}, {"_id": "T1189", "mitigations": [{"name": "Exploit Protection", "description": "Use capabilities to detect and block conditions that may lead to or be indicative of a software exploit occurring.", "url": "https://attack.mitre.org/mitigations/M1050"}, {"name": "Update Software", "description": "Perform regular software updates to mitigate exploitation risk.", "url": "https://attack.mitre.org/mitigations/M1051"}, {"name": "Application Isolation and Sandboxing", "description": "Restrict execution of code to a virtual environment on or in transit to an endpoint system.", "url": "https://attack.mitre.org/mitigations/M1048"}, {"name": "Restrict Web-Based Content", "description": "Restrict use of certain websites, block downloads/attachments, block Javascript, restrict browser extensions, etc.", "url": "https://attack.mitre.org/mitigations/M1021"}]}, {"_id": "T1498", "mitigations": [{"name": "Filter Network Traffic", "description": "Use network appliances to filter ingress or egress traffic and perform protocol-based filtering. 
Configure software on endpoints to filter network traffic.", "url": "https://attack.mitre.org/mitigations/M1037"}]}, {"_id": "T1158", "mitigations": [{"name": "Hidden Files and Directories Mitigation", "description": "Mitigation of this technique may be difficult and unadvised due to the the legitimate use of hidden files and directories.", "url": ""}]}, {"_id": "T1221", "mitigations": [{"name": "Antivirus/Antimalware", "description": "Use signatures or heuristics to detect malicious software.", "url": "https://attack.mitre.org/mitigations/M1049"}, {"name": "Network Intrusion Prevention", "description": "Use intrusion detection signatures to block traffic at network boundaries.", "url": "https://attack.mitre.org/mitigations/M1031"}, {"name": "User Training", "description": "Train users to to be aware of access or manipulation attempts by an adversary to reduce the risk of successful spearphishing, social engineering, and other techniques that involve user interaction.", "url": "https://attack.mitre.org/mitigations/M1017"}, {"name": "Disable or Remove Feature or Program", "description": "Remove or deny access to unnecessary and potentially vulnerable software to prevent abuse by adversaries.", "url": "https://attack.mitre.org/mitigations/M1042"}]}, {"_id": "T1134", "mitigations": [{"name": "User Account Management", "description": "Manage the creation, modification, use, and permissions associated to user accounts.", "url": "https://attack.mitre.org/mitigations/M1018"}, {"name": "Privileged Account Management", "description": "Manage the creation, modification, use, and permissions associated to privileged accounts, including SYSTEM and root.", "url": "https://attack.mitre.org/mitigations/M1026"}]}, {"_id": "T1209", "mitigations": [{"name": "Restrict File and Directory Permissions", "description": "Restrict access by setting directory and file permissions that are not specific to users or privileged accounts.", "url": "https://attack.mitre.org/mitigations/M1022"}, 
{"name": "Restrict Registry Permissions", "description": "Restrict the ability to modify certain hives or keys in the Windows Registry.", "url": "https://attack.mitre.org/mitigations/M1024"}]}, {"_id": "T1111", "mitigations": [{"name": "User Training", "description": "Train users to to be aware of access or manipulation attempts by an adversary to reduce the risk of successful spearphishing, social engineering, and other techniques that involve user interaction.", "url": "https://attack.mitre.org/mitigations/M1017"}]}, {"_id": "T1159", "mitigations": [{"name": "User Account Management", "description": "Manage the creation, modification, use, and permissions associated to user accounts.", "url": "https://attack.mitre.org/mitigations/M1018"}]}, {"_id": "T1136", "mitigations": [{"name": "Network Segmentation", "description": "Architect sections of the network to isolate critical systems, functions, or resources. Use physical and logical segmentation to prevent access to potentially sensitive systems and information. 
Use a DMZ to contain any internet-facing services that should not be exposed from the internal network.", "url": "https://attack.mitre.org/mitigations/M1030"}, {"name": "Operating System Configuration", "description": "Make configuration changes related to the operating system or a common feature of the operating system that result in system hardening against techniques.", "url": "https://attack.mitre.org/mitigations/M1028"}, {"name": "Multi-factor Authentication", "description": "Use two or more pieces of evidence to authenticate to a system; such as username and password in addition to a token from a physical smart card or token generator.", "url": "https://attack.mitre.org/mitigations/M1032"}, {"name": "Privileged Account Management", "description": "Manage the creation, modification, use, and permissions associated to privileged accounts, including SYSTEM and root.", "url": "https://attack.mitre.org/mitigations/M1026"}]}, {"_id": "T1526", "mitigations": []}, {"_id": "T1151", "mitigations": [{"name": "Space after Filename Mitigation", "description": "Prevent files from having a trailing space after the extension.", "url": ""}]}, {"_id": "T1018", "mitigations": [{"name": "Remote System Discovery Mitigation", "description": "Identify unnecessary system utilities or potentially malicious software that may be used to acquire information on remotely available systems, and audit and/or block them by using whitelisting (Citation: Beechey 2010) tools, like AppLocker, (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) or Software Restriction Policies (Citation: Corio 2008) where appropriate. 
(Citation: TechNet Applocker vs SRP)", "url": ""}]}, {"_id": "T1046", "mitigations": [{"name": "Disable or Remove Feature or Program", "description": "Remove or deny access to unnecessary and potentially vulnerable software to prevent abuse by adversaries.", "url": "https://attack.mitre.org/mitigations/M1042"}, {"name": "Network Intrusion Prevention", "description": "Use intrusion detection signatures to block traffic at network boundaries.", "url": "https://attack.mitre.org/mitigations/M1031"}, {"name": "Network Segmentation", "description": "Architect sections of the network to isolate critical systems, functions, or resources. Use physical and logical segmentation to prevent access to potentially sensitive systems and information. Use a DMZ to contain any internet-facing services that should not be exposed from the internal network.", "url": "https://attack.mitre.org/mitigations/M1030"}]}, {"_id": "T1518", "mitigations": []}, {"_id": "T1538", "mitigations": [{"name": "User Account Management", "description": "Manage the creation, modification, use, and permissions associated to user accounts.", "url": "https://attack.mitre.org/mitigations/M1018"}]}, {"_id": "T1052", "mitigations": [{"name": "Disable or Remove Feature or Program", "description": "Remove or deny access to unnecessary and potentially vulnerable software to prevent abuse by adversaries.", "url": "https://attack.mitre.org/mitigations/M1042"}]}, {"_id": "T1105", "mitigations": [{"name": "Network Intrusion Prevention", "description": "Use intrusion detection signatures to block traffic at network boundaries.", "url": "https://attack.mitre.org/mitigations/M1031"}]}, {"_id": "T1126", "mitigations": [{"name": "Network Share Connection Removal Mitigation", "description": "Follow best practices for mitigation of activity related to establishing [Windows Admin Shares](https://attack.mitre.org/techniques/T1077). 
", "url": ""}]}, {"_id": "T1084", "mitigations": [{"name": "Privileged Account Management", "description": "Manage the creation, modification, use, and permissions associated to privileged accounts, including SYSTEM and root.", "url": "https://attack.mitre.org/mitigations/M1026"}, {"name": "User Account Management", "description": "Manage the creation, modification, use, and permissions associated to user accounts.", "url": "https://attack.mitre.org/mitigations/M1018"}]}, {"_id": "T1160", "mitigations": [{"name": "User Account Management", "description": "Manage the creation, modification, use, and permissions associated to user accounts.", "url": "https://attack.mitre.org/mitigations/M1018"}]}, {"_id": "T1484", "mitigations": [{"name": "Audit", "description": "Perform audits or scans of systems, permissions, insecure software, insecure configurations, etc. to identify potential weaknesses.", "url": "https://attack.mitre.org/mitigations/M1047"}, {"name": "User Account Management", "description": "Manage the creation, modification, use, and permissions associated to user accounts.", "url": "https://attack.mitre.org/mitigations/M1018"}]}, {"_id": "T1220", "mitigations": [{"name": "Execution Prevention", "description": "Block execution of code on a system through application whitelisting, blacklisting, and/or script blocking.", "url": "https://attack.mitre.org/mitigations/M1038"}]}, {"_id": "T1173", "mitigations": [{"name": "Disable or Remove Feature or Program", "description": "Remove or deny access to unnecessary and potentially vulnerable software to prevent abuse by adversaries.", "url": "https://attack.mitre.org/mitigations/M1042"}, {"name": "Behavior Prevention on Endpoint", "description": "Use capabilities to prevent suspicious behavior patterns from occurring on endpoint systems. This could include suspicious process, file, API call, etc. 
behavior.", "url": "https://attack.mitre.org/mitigations/M1040"}, {"name": "Application Isolation and Sandboxing", "description": "Restrict execution of code to a virtual environment on or in transit to an endpoint system.", "url": "https://attack.mitre.org/mitigations/M1048"}, {"name": "Software Configuration", "description": "Implement configuration changes to software (other than the operating system) to mitigate security risks associated to how the software operates.", "url": "https://attack.mitre.org/mitigations/M1054"}]}, {"_id": "T1008", "mitigations": [{"name": "Network Intrusion Prevention", "description": "Use intrusion detection signatures to block traffic at network boundaries.", "url": "https://attack.mitre.org/mitigations/M1031"}]}, {"_id": "T1096", "mitigations": [{"name": "Restrict File and Directory Permissions", "description": "Restrict access by setting directory and file permissions that are not specific to users or privileged accounts.", "url": "https://attack.mitre.org/mitigations/M1022"}]}, {"_id": "T1124", "mitigations": [{"name": "System Time Discovery Mitigation", "description": "Benign software uses legitimate processes to gather system time. Efforts should be focused on preventing unwanted or unknown code from executing on a system. 
Some common tools, such as net.exe, may be blocked by policy to prevent common ways of acquiring remote system time.", "url": ""}]}, {"_id": "T1035", "mitigations": [{"name": "Privileged Account Management", "description": "Manage the creation, modification, use, and permissions associated to privileged accounts, including SYSTEM and root.", "url": "https://attack.mitre.org/mitigations/M1026"}, {"name": "Restrict File and Directory Permissions", "description": "Restrict access by setting directory and file permissions that are not specific to users or privileged accounts.", "url": "https://attack.mitre.org/mitigations/M1022"}]}, {"_id": "T1086", "mitigations": [{"name": "Disable or Remove Feature or Program", "description": "Remove or deny access to unnecessary and potentially vulnerable software to prevent abuse by adversaries.", "url": "https://attack.mitre.org/mitigations/M1042"}, {"name": "Code Signing", "description": "Enforce binary and application integrity with digital signature verification to prevent untrusted code from executing.", "url": "https://attack.mitre.org/mitigations/M1045"}, {"name": "Privileged Account Management", "description": "Manage the creation, modification, use, and permissions associated to privileged accounts, including SYSTEM and root.", "url": "https://attack.mitre.org/mitigations/M1026"}]}, {"_id": "T1495", "mitigations": [{"name": "Update Software", "description": "Perform regular software updates to mitigate exploitation risk.", "url": "https://attack.mitre.org/mitigations/M1051"}, {"name": "Privileged Account Management", "description": "Manage the creation, modification, use, and permissions associated to privileged accounts, including SYSTEM and root.", "url": "https://attack.mitre.org/mitigations/M1026"}, {"name": "Boot Integrity", "description": "Use secure methods to boot a system and verify the integrity of the operating system and loading mechanisms.", "url": "https://attack.mitre.org/mitigations/M1046"}]}, {"_id": 
"T1490", "mitigations": [{"name": "Operating System Configuration", "description": "Make configuration changes related to the operating system or a common feature of the operating system that result in system hardening against techniques.", "url": "https://attack.mitre.org/mitigations/M1028"}, {"name": "Data Backup", "description": "Take and store data backups from end user systems and critical servers. Ensure backup and storage systems are hardened and kept separate from the corporate network to prevent compromise.", "url": "https://attack.mitre.org/mitigations/M1053"}]}, {"_id": "T1216", "mitigations": [{"name": "Execution Prevention", "description": "Block execution of code on a system through application whitelisting, blacklisting, and/or script blocking.", "url": "https://attack.mitre.org/mitigations/M1038"}]}, {"_id": "T1094", "mitigations": [{"name": "Filter Network Traffic", "description": "Use network appliances to filter ingress or egress traffic and perform protocol-based filtering. Configure software on endpoints to filter network traffic.", "url": "https://attack.mitre.org/mitigations/M1037"}, {"name": "Network Segmentation", "description": "Architect sections of the network to isolate critical systems, functions, or resources. Use physical and logical segmentation to prevent access to potentially sensitive systems and information. 
Use a DMZ to contain any internet-facing services that should not be exposed from the internal network.", "url": "https://attack.mitre.org/mitigations/M1030"}, {"name": "Network Intrusion Prevention", "description": "Use intrusion detection signatures to block traffic at network boundaries.", "url": "https://attack.mitre.org/mitigations/M1031"}]}, {"_id": "T1118", "mitigations": [{"name": "Disable or Remove Feature or Program", "description": "Remove or deny access to unnecessary and potentially vulnerable software to prevent abuse by adversaries.", "url": "https://attack.mitre.org/mitigations/M1042"}, {"name": "Execution Prevention", "description": "Block execution of code on a system through application whitelisting, blacklisting, and/or script blocking.", "url": "https://attack.mitre.org/mitigations/M1038"}]}, {"_id": "T1043", "mitigations": [{"name": "Network Segmentation", "description": "Architect sections of the network to isolate critical systems, functions, or resources. Use physical and logical segmentation to prevent access to potentially sensitive systems and information. 
Use a DMZ to contain any internet-facing services that should not be exposed from the internal network.", "url": "https://attack.mitre.org/mitigations/M1030"}, {"name": "Network Intrusion Prevention", "description": "Use intrusion detection signatures to block traffic at network boundaries.", "url": "https://attack.mitre.org/mitigations/M1031"}]}, {"_id": "T1211", "mitigations": [{"name": "Exploit Protection", "description": "Use capabilities to detect and block conditions that may lead to or be indicative of a software exploit occurring.", "url": "https://attack.mitre.org/mitigations/M1050"}, {"name": "Update Software", "description": "Perform regular software updates to mitigate exploitation risk.", "url": "https://attack.mitre.org/mitigations/M1051"}, {"name": "Threat Intelligence Program", "description": "A threat intelligence program helps an organization generate their own threat intelligence information and track trends to inform defensive priorities to mitigate risk.", "url": "https://attack.mitre.org/mitigations/M1019"}, {"name": "Application Isolation and Sandboxing", "description": "Restrict execution of code to a virtual environment on or in transit to an endpoint system.", "url": "https://attack.mitre.org/mitigations/M1048"}]}, {"_id": "T1127", "mitigations": [{"name": "Execution Prevention", "description": "Block execution of code on a system through application whitelisting, blacklisting, and/or script blocking.", "url": "https://attack.mitre.org/mitigations/M1038"}, {"name": "Disable or Remove Feature or Program", "description": "Remove or deny access to unnecessary and potentially vulnerable software to prevent abuse by adversaries.", "url": "https://attack.mitre.org/mitigations/M1042"}]}, {"_id": "T1529", "mitigations": []}, {"_id": "T1077", "mitigations": [{"name": "Privileged Account Management", "description": "Manage the creation, modification, use, and permissions associated to privileged accounts, including SYSTEM and root.", "url": 
"https://attack.mitre.org/mitigations/M1026"}, {"name": "Password Policies", "description": "Set and enforce secure password policies for accounts.", "url": "https://attack.mitre.org/mitigations/M1027"}]}] +{"metadata":{"timestamp": "1632960960.3763978", "commit_hash": "fb8942b1a", "origin_url": "https://github.com/guardicore/cti.git"},"data":[{"_id": "T1205", "mitigations": [{"name": "Filter Network Traffic", "description": "Use network appliances to filter ingress or egress traffic and perform protocol-based filtering. Configure software on endpoints to filter network traffic.", "url": "https://attack.mitre.org/mitigations/M1037"}]}, {"_id": "T1053", "mitigations": [{"name": "User Account Management", "description": "Manage the creation, modification, use, and permissions associated to user accounts.", "url": "https://attack.mitre.org/mitigations/M1018"}, {"name": "Operating System Configuration", "description": "Make configuration changes related to the operating system or a common feature of the operating system that result in system hardening against techniques.", "url": "https://attack.mitre.org/mitigations/M1028"}, {"name": "Privileged Account Management", "description": "Manage the creation, modification, use, and permissions associated to privileged accounts, including SYSTEM and root.", "url": "https://attack.mitre.org/mitigations/M1026"}, {"name": "Audit", "description": "Perform audits or scans of systems, permissions, insecure software, insecure configurations, etc. 
to identify potential weaknesses.", "url": "https://attack.mitre.org/mitigations/M1047"}]}, {"_id": "T1118", "mitigations": [{"name": "Execution Prevention", "description": "Block execution of code on a system through application whitelisting, blacklisting, and/or script blocking.", "url": "https://attack.mitre.org/mitigations/M1038"}, {"name": "Disable or Remove Feature or Program", "description": "Remove or deny access to unnecessary and potentially vulnerable software to prevent abuse by adversaries.", "url": "https://attack.mitre.org/mitigations/M1042"}]}, {"_id": "T1176", "mitigations": [{"name": "User Training", "description": "Train users to to be aware of access or manipulation attempts by an adversary to reduce the risk of successful spearphishing, social engineering, and other techniques that involve user interaction.", "url": "https://attack.mitre.org/mitigations/M1017"}, {"name": "Audit", "description": "Perform audits or scans of systems, permissions, insecure software, insecure configurations, etc. 
to identify potential weaknesses.", "url": "https://attack.mitre.org/mitigations/M1047"}, {"name": "Limit Software Installation", "description": "Block users or groups from installing unapproved software.", "url": "https://attack.mitre.org/mitigations/M1033"}, {"name": "Execution Prevention", "description": "Block execution of code on a system through application whitelisting, blacklisting, and/or script blocking.", "url": "https://attack.mitre.org/mitigations/M1038"}]}, {"_id": "T1139", "mitigations": [{"name": "Operating System Configuration", "description": "Make configuration changes related to the operating system or a common feature of the operating system that result in system hardening against techniques.", "url": "https://attack.mitre.org/mitigations/M1028"}]}, {"_id": "T1160", "mitigations": [{"name": "User Account Management", "description": "Manage the creation, modification, use, and permissions associated to user accounts.", "url": "https://attack.mitre.org/mitigations/M1018"}]}, {"_id": "T1156", "mitigations": [{"name": "Restrict File and Directory Permissions", "description": "Restrict access by setting directory and file permissions that are not specific to users or privileged accounts.", "url": "https://attack.mitre.org/mitigations/M1022"}]}, {"_id": "T1093", "mitigations": [{"name": "Process Hollowing Mitigation", "description": "This type of attack technique cannot be easily mitigated with preventive controls since it is based on the abuse of operating system design features. For example, mitigating specific API calls will likely have unintended side effects, such as preventing legitimate software (i.e., security products) from operating properly. Efforts should be focused on preventing adversary tools from running earlier in the chain of activity and on identifying subsequent malicious behavior. 
", "url": ""}]}, {"_id": "T1180", "mitigations": [{"name": "Execution Prevention", "description": "Block execution of code on a system through application whitelisting, blacklisting, and/or script blocking.", "url": "https://attack.mitre.org/mitigations/M1038"}, {"name": "Disable or Remove Feature or Program", "description": "Remove or deny access to unnecessary and potentially vulnerable software to prevent abuse by adversaries.", "url": "https://attack.mitre.org/mitigations/M1042"}]}, {"_id": "T1120", "mitigations": [{"name": "Peripheral Device Discovery Mitigation", "description": "Identify unnecessary system utilities or potentially malicious software that may be used to acquire information about peripheral devices, and audit and/or block them by using whitelisting (Citation: Beechey 2010) tools, like AppLocker, (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) or Software Restriction Policies (Citation: Corio 2008) where appropriate. (Citation: TechNet Applocker vs SRP)", "url": ""}]}, {"_id": "T1181", "mitigations": [{"name": "Extra Window Memory Injection Mitigation", "description": "This type of attack technique cannot be easily mitigated with preventive controls since it is based on the abuse of operating system design features. For example, mitigating specific API calls will likely have unintended side effects, such as preventing legitimate software (i.e., security products) from operating properly. 
Efforts should be focused on preventing adversary tools from running earlier in the chain of activity and on identifying subsequent malicious behavior.", "url": ""}]}, {"_id": "T1070", "mitigations": [{"name": "Encrypt Sensitive Information", "description": "Protect sensitive information with strong encryption.", "url": "https://attack.mitre.org/mitigations/M1041"}, {"name": "Remote Data Storage", "description": "Use remote security log and sensitive file storage where access can be controlled better to prevent exposure of intrusion detection log data or sensitive information.", "url": "https://attack.mitre.org/mitigations/M1029"}, {"name": "Restrict File and Directory Permissions", "description": "Restrict access by setting directory and file permissions that are not specific to users or privileged accounts.", "url": "https://attack.mitre.org/mitigations/M1022"}]}, {"_id": "T1124", "mitigations": [{"name": "System Time Discovery Mitigation", "description": "Benign software uses legitimate processes to gather system time. Efforts should be focused on preventing unwanted or unknown code from executing on a system. 
Some common tools, such as net.exe, may be blocked by policy to prevent common ways of acquiring remote system time.", "url": ""}]}, {"_id": "T1105", "mitigations": [{"name": "Network Intrusion Prevention", "description": "Use intrusion detection signatures to block traffic at network boundaries.", "url": "https://attack.mitre.org/mitigations/M1031"}]}, {"_id": "T1221", "mitigations": [{"name": "User Training", "description": "Train users to to be aware of access or manipulation attempts by an adversary to reduce the risk of successful spearphishing, social engineering, and other techniques that involve user interaction.", "url": "https://attack.mitre.org/mitigations/M1017"}, {"name": "Antivirus/Antimalware", "description": "Use signatures or heuristics to detect malicious software.", "url": "https://attack.mitre.org/mitigations/M1049"}, {"name": "Disable or Remove Feature or Program", "description": "Remove or deny access to unnecessary and potentially vulnerable software to prevent abuse by adversaries.", "url": "https://attack.mitre.org/mitigations/M1042"}, {"name": "Network Intrusion Prevention", "description": "Use intrusion detection signatures to block traffic at network boundaries.", "url": "https://attack.mitre.org/mitigations/M1031"}]}, {"_id": "T1100", "mitigations": [{"name": "Privileged Account Management", "description": "Manage the creation, modification, use, and permissions associated to privileged accounts, including SYSTEM and root.", "url": "https://attack.mitre.org/mitigations/M1026"}, {"name": "Update Software", "description": "Perform regular software updates to mitigate exploitation risk.", "url": "https://attack.mitre.org/mitigations/M1051"}]}, {"_id": "T1117", "mitigations": [{"name": "Exploit Protection", "description": "Use capabilities to detect and block conditions that may lead to or be indicative of a software exploit occurring.", "url": "https://attack.mitre.org/mitigations/M1050"}]}, {"_id": "T1203", "mitigations": [{"name": 
"Application Isolation and Sandboxing", "description": "Restrict execution of code to a virtual environment on or in transit to an endpoint system.", "url": "https://attack.mitre.org/mitigations/M1048"}, {"name": "Exploit Protection", "description": "Use capabilities to detect and block conditions that may lead to or be indicative of a software exploit occurring.", "url": "https://attack.mitre.org/mitigations/M1050"}]}, {"_id": "T1102", "mitigations": [{"name": "Restrict Web-Based Content", "description": "Restrict use of certain websites, block downloads/attachments, block Javascript, restrict browser extensions, etc.", "url": "https://attack.mitre.org/mitigations/M1021"}, {"name": "Network Intrusion Prevention", "description": "Use intrusion detection signatures to block traffic at network boundaries.", "url": "https://attack.mitre.org/mitigations/M1031"}]}, {"_id": "T1001", "mitigations": [{"name": "Network Intrusion Prevention", "description": "Use intrusion detection signatures to block traffic at network boundaries.", "url": "https://attack.mitre.org/mitigations/M1031"}]}, {"_id": "T1085", "mitigations": [{"name": "Exploit Protection", "description": "Use capabilities to detect and block conditions that may lead to or be indicative of a software exploit occurring.", "url": "https://attack.mitre.org/mitigations/M1050"}]}, {"_id": "T1003", "mitigations": [{"name": "Privileged Account Management", "description": "Manage the creation, modification, use, and permissions associated to privileged accounts, including SYSTEM and root.", "url": "https://attack.mitre.org/mitigations/M1026"}, {"name": "Privileged Process Integrity", "description": "Protect processes with high privileges that can be used to interact with critical system components through use of protected process light, anti-process injection defenses, or other process integrity enforcement measures.", "url": "https://attack.mitre.org/mitigations/M1025"}, {"name": "User Training", "description": "Train 
users to to be aware of access or manipulation attempts by an adversary to reduce the risk of successful spearphishing, social engineering, and other techniques that involve user interaction.", "url": "https://attack.mitre.org/mitigations/M1017"}, {"name": "Credential Access Protection", "description": "Use capabilities to prevent successful credential access by adversaries; including blocking forms of credential dumping.", "url": "https://attack.mitre.org/mitigations/M1043"}, {"name": "Password Policies", "description": "Set and enforce secure password policies for accounts.", "url": "https://attack.mitre.org/mitigations/M1027"}, {"name": "Operating System Configuration", "description": "Make configuration changes related to the operating system or a common feature of the operating system that result in system hardening against techniques.", "url": "https://attack.mitre.org/mitigations/M1028"}, {"name": "Active Directory Configuration", "description": "Configure Active Directory to prevent use of certain techniques; use SID Filtering, etc.", "url": "https://attack.mitre.org/mitigations/M1015"}]}, {"_id": "T1179", "mitigations": [{"name": "Hooking Mitigation", "description": "This type of attack technique cannot be easily mitigated with preventive controls since it is based on the abuse of operating system design features. For example, mitigating all hooking will likely have unintended side effects, such as preventing legitimate software (i.e., security products) from operating properly. 
Efforts should be focused on preventing adversary tools from running earlier in the chain of activity and on identifying subsequent malicious behavior.", "url": ""}]}, {"_id": "T1097", "mitigations": [{"name": "User Account Management", "description": "Manage the creation, modification, use, and permissions associated to user accounts.", "url": "https://attack.mitre.org/mitigations/M1018"}, {"name": "Active Directory Configuration", "description": "Configure Active Directory to prevent use of certain techniques; use SID Filtering, etc.", "url": "https://attack.mitre.org/mitigations/M1015"}, {"name": "Privileged Account Management", "description": "Manage the creation, modification, use, and permissions associated to privileged accounts, including SYSTEM and root.", "url": "https://attack.mitre.org/mitigations/M1026"}, {"name": "Password Policies", "description": "Set and enforce secure password policies for accounts.", "url": "https://attack.mitre.org/mitigations/M1027"}]}, {"_id": "T1045", "mitigations": [{"name": "Antivirus/Antimalware", "description": "Use signatures or heuristics to detect malicious software.", "url": "https://attack.mitre.org/mitigations/M1049"}]}, {"_id": "T1042", "mitigations": [{"name": "Change Default File Association Mitigation", "description": "Direct mitigation of this technique is not recommended since it is a legitimate function that can be performed by users for software preferences. Follow Microsoft's best practices for file associations. 
(Citation: MSDN File Associations)", "url": ""}]}, {"_id": "T1090", "mitigations": [{"name": "Network Intrusion Prevention", "description": "Use intrusion detection signatures to block traffic at network boundaries.", "url": "https://attack.mitre.org/mitigations/M1031"}]}, {"_id": "T1052", "mitigations": [{"name": "Disable or Remove Feature or Program", "description": "Remove or deny access to unnecessary and potentially vulnerable software to prevent abuse by adversaries.", "url": "https://attack.mitre.org/mitigations/M1042"}]}, {"_id": "T1216", "mitigations": [{"name": "Execution Prevention", "description": "Block execution of code on a system through application whitelisting, blacklisting, and/or script blocking.", "url": "https://attack.mitre.org/mitigations/M1038"}]}, {"_id": "T1502", "mitigations": []}, {"_id": "T1063", "mitigations": [{"name": "Security Software Discovery Mitigation", "description": "Identify unnecessary system utilities or potentially malicious software that may be used to acquire information about local security software, and audit and/or block them by using whitelisting (Citation: Beechey 2010) tools, like AppLocker, (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) or Software Restriction Policies (Citation: Corio 2008) where appropriate. (Citation: TechNet Applocker vs SRP)", "url": ""}]}, {"_id": "T1094", "mitigations": [{"name": "Filter Network Traffic", "description": "Use network appliances to filter ingress or egress traffic and perform protocol-based filtering. Configure software on endpoints to filter network traffic.", "url": "https://attack.mitre.org/mitigations/M1037"}, {"name": "Network Segmentation", "description": "Architect sections of the network to isolate critical systems, functions, or resources. Use physical and logical segmentation to prevent access to potentially sensitive systems and information. 
Use a DMZ to contain any internet-facing services that should not be exposed from the internal network.", "url": "https://attack.mitre.org/mitigations/M1030"}, {"name": "Network Intrusion Prevention", "description": "Use intrusion detection signatures to block traffic at network boundaries.", "url": "https://attack.mitre.org/mitigations/M1031"}]}, {"_id": "T1083", "mitigations": [{"name": "File and Directory Discovery Mitigation", "description": "File system activity is a common part of an operating system, so it is unlikely that mitigation would be appropriate for this technique. It may still be beneficial to identify and block unnecessary system utilities or potentially malicious software by using whitelisting (Citation: Beechey 2010) tools, like AppLocker, (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) or Software Restriction Policies (Citation: Corio 2008) where appropriate. (Citation: TechNet Applocker vs SRP)", "url": ""}]}, {"_id": "T1055", "mitigations": [{"name": "Behavior Prevention on Endpoint", "description": "Use capabilities to prevent suspicious behavior patterns from occurring on endpoint systems. This could include suspicious process, file, API call, etc. behavior.", "url": "https://attack.mitre.org/mitigations/M1040"}, {"name": "Privileged Account Management", "description": "Manage the creation, modification, use, and permissions associated to privileged accounts, including SYSTEM and root.", "url": "https://attack.mitre.org/mitigations/M1026"}]}, {"_id": "T1487", "mitigations": [{"name": "Data Backup", "description": "Take and store data backups from end user systems and critical servers. 
Ensure backup and storage systems are hardened and kept separate from the corporate network to prevent compromise.", "url": "https://attack.mitre.org/mitigations/M1053"}]}, {"_id": "T1157", "mitigations": [{"name": "User Account Management", "description": "Manage the creation, modification, use, and permissions associated to user accounts.", "url": "https://attack.mitre.org/mitigations/M1018"}, {"name": "Restrict File and Directory Permissions", "description": "Restrict access by setting directory and file permissions that are not specific to users or privileged accounts.", "url": "https://attack.mitre.org/mitigations/M1022"}]}, {"_id": "T1060", "mitigations": [{"name": "Registry Run Keys / Startup Folder Mitigation", "description": "Identify and block potentially malicious software that may be executed through run key or startup folder persistence using whitelisting (Citation: Beechey 2010) tools like AppLocker (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) or Software Restriction Policies (Citation: Corio 2008) where appropriate. 
(Citation: TechNet Applocker vs SRP)", "url": ""}]}, {"_id": "T1054", "mitigations": [{"name": "User Account Management", "description": "Manage the creation, modification, use, and permissions associated to user accounts.", "url": "https://attack.mitre.org/mitigations/M1018"}, {"name": "Software Configuration", "description": "Implement configuration changes to software (other than the operating system) to mitigate security risks associated to how the software operates.", "url": "https://attack.mitre.org/mitigations/M1054"}, {"name": "Restrict File and Directory Permissions", "description": "Restrict access by setting directory and file permissions that are not specific to users or privileged accounts.", "url": "https://attack.mitre.org/mitigations/M1022"}]}, {"_id": "T1530", "mitigations": [{"name": "Filter Network Traffic", "description": "Use network appliances to filter ingress or egress traffic and perform protocol-based filtering. Configure software on endpoints to filter network traffic.", "url": "https://attack.mitre.org/mitigations/M1037"}, {"name": "Restrict File and Directory Permissions", "description": "Restrict access by setting directory and file permissions that are not specific to users or privileged accounts.", "url": "https://attack.mitre.org/mitigations/M1022"}, {"name": "Encrypt Sensitive Information", "description": "Protect sensitive information with strong encryption.", "url": "https://attack.mitre.org/mitigations/M1041"}, {"name": "Audit", "description": "Perform audits or scans of systems, permissions, insecure software, insecure configurations, etc. 
to identify potential weaknesses.", "url": "https://attack.mitre.org/mitigations/M1047"}, {"name": "Multi-factor Authentication", "description": "Use two or more pieces of evidence to authenticate to a system; such as username and password in addition to a token from a physical smart card or token generator.", "url": "https://attack.mitre.org/mitigations/M1032"}, {"name": "User Account Management", "description": "Manage the creation, modification, use, and permissions associated to user accounts.", "url": "https://attack.mitre.org/mitigations/M1018"}]}, {"_id": "T1081", "mitigations": [{"name": "Audit", "description": "Perform audits or scans of systems, permissions, insecure software, insecure configurations, etc. to identify potential weaknesses.", "url": "https://attack.mitre.org/mitigations/M1047"}, {"name": "Active Directory Configuration", "description": "Configure Active Directory to prevent use of certain techniques; use SID Filtering, etc.", "url": "https://attack.mitre.org/mitigations/M1015"}, {"name": "User Training", "description": "Train users to to be aware of access or manipulation attempts by an adversary to reduce the risk of successful spearphishing, social engineering, and other techniques that involve user interaction.", "url": "https://attack.mitre.org/mitigations/M1017"}, {"name": "Restrict File and Directory Permissions", "description": "Restrict access by setting directory and file permissions that are not specific to users or privileged accounts.", "url": "https://attack.mitre.org/mitigations/M1022"}, {"name": "Password Policies", "description": "Set and enforce secure password policies for accounts.", "url": "https://attack.mitre.org/mitigations/M1027"}]}, {"_id": "T1534", "mitigations": []}, {"_id": "T1010", "mitigations": [{"name": "Application Window Discovery Mitigation", "description": "Identify unnecessary system utilities or potentially malicious software that may be used to acquire information, and audit and/or block them by using 
whitelisting (Citation: Beechey 2010) tools, like AppLocker, (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) or Software Restriction Policies (Citation: Corio 2008) where appropriate. (Citation: TechNet Applocker vs SRP)", "url": ""}]}, {"_id": "T1178", "mitigations": [{"name": "Active Directory Configuration", "description": "Configure Active Directory to prevent use of certain techniques; use SID Filtering, etc.", "url": "https://attack.mitre.org/mitigations/M1015"}]}, {"_id": "T1044", "mitigations": [{"name": "Audit", "description": "Perform audits or scans of systems, permissions, insecure software, insecure configurations, etc. to identify potential weaknesses.", "url": "https://attack.mitre.org/mitigations/M1047"}, {"name": "User Account Control", "description": "Configure Windows User Account Control to mitigate risk of adversaries obtaining elevated process access.", "url": "https://attack.mitre.org/mitigations/M1052"}, {"name": "User Account Management", "description": "Manage the creation, modification, use, and permissions associated to user accounts.", "url": "https://attack.mitre.org/mitigations/M1018"}]}, {"_id": "T1147", "mitigations": [{"name": "Operating System Configuration", "description": "Make configuration changes related to the operating system or a common feature of the operating system that result in system hardening against techniques.", "url": "https://attack.mitre.org/mitigations/M1028"}]}, {"_id": "T1504", "mitigations": [{"name": "Restrict File and Directory Permissions", "description": "Restrict access by setting directory and file permissions that are not specific to users or privileged accounts.", "url": "https://attack.mitre.org/mitigations/M1022"}, {"name": "Software Configuration", "description": "Implement configuration changes to software (other than the operating system) to mitigate security risks associated to how the software operates.", "url": "https://attack.mitre.org/mitigations/M1054"}, {"name": "Code 
Signing", "description": "Enforce binary and application integrity with digital signature verification to prevent untrusted code from executing.", "url": "https://attack.mitre.org/mitigations/M1045"}]}, {"_id": "T1048", "mitigations": [{"name": "Network Intrusion Prevention", "description": "Use intrusion detection signatures to block traffic at network boundaries.", "url": "https://attack.mitre.org/mitigations/M1031"}, {"name": "Filter Network Traffic", "description": "Use network appliances to filter ingress or egress traffic and perform protocol-based filtering. Configure software on endpoints to filter network traffic.", "url": "https://attack.mitre.org/mitigations/M1037"}, {"name": "Network Segmentation", "description": "Architect sections of the network to isolate critical systems, functions, or resources. Use physical and logical segmentation to prevent access to potentially sensitive systems and information. Use a DMZ to contain any internet-facing services that should not be exposed from the internal network.", "url": "https://attack.mitre.org/mitigations/M1030"}]}, {"_id": "T1087", "mitigations": [{"name": "Operating System Configuration", "description": "Make configuration changes related to the operating system or a common feature of the operating system that result in system hardening against techniques.", "url": "https://attack.mitre.org/mitigations/M1028"}]}, {"_id": "T1007", "mitigations": [{"name": "System Service Discovery Mitigation", "description": "Identify unnecessary system utilities or potentially malicious software that may be used to acquire information about services, and audit and/or block them by using whitelisting (Citation: Beechey 2010) tools, like AppLocker, (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) or Software Restriction Policies (Citation: Corio 2008) where appropriate. 
(Citation: TechNet Applocker vs SRP)", "url": ""}]}, {"_id": "T1096", "mitigations": [{"name": "Restrict File and Directory Permissions", "description": "Restrict access by setting directory and file permissions that are not specific to users or privileged accounts.", "url": "https://attack.mitre.org/mitigations/M1022"}]}, {"_id": "T1194", "mitigations": [{"name": "Antivirus/Antimalware", "description": "Use signatures or heuristics to detect malicious software.", "url": "https://attack.mitre.org/mitigations/M1049"}, {"name": "User Training", "description": "Train users to to be aware of access or manipulation attempts by an adversary to reduce the risk of successful spearphishing, social engineering, and other techniques that involve user interaction.", "url": "https://attack.mitre.org/mitigations/M1017"}, {"name": "Restrict Web-Based Content", "description": "Restrict use of certain websites, block downloads/attachments, block Javascript, restrict browser extensions, etc.", "url": "https://attack.mitre.org/mitigations/M1021"}]}, {"_id": "T1154", "mitigations": [{"name": "Trap Mitigation", "description": "Due to potential legitimate uses of trap commands, it's may be difficult to mitigate use of this technique.", "url": ""}]}, {"_id": "T1199", "mitigations": [{"name": "Network Segmentation", "description": "Architect sections of the network to isolate critical systems, functions, or resources. Use physical and logical segmentation to prevent access to potentially sensitive systems and information. 
Use a DMZ to contain any internet-facing services that should not be exposed from the internal network.", "url": "https://attack.mitre.org/mitigations/M1030"}, {"name": "User Account Control", "description": "Configure Windows User Account Control to mitigate risk of adversaries obtaining elevated process access.", "url": "https://attack.mitre.org/mitigations/M1052"}]}, {"_id": "T1062", "mitigations": [{"name": "Hypervisor Mitigation", "description": "Prevent adversary access to privileged accounts necessary to install a hypervisor.", "url": ""}]}, {"_id": "T1136", "mitigations": [{"name": "Operating System Configuration", "description": "Make configuration changes related to the operating system or a common feature of the operating system that result in system hardening against techniques.", "url": "https://attack.mitre.org/mitigations/M1028"}, {"name": "Privileged Account Management", "description": "Manage the creation, modification, use, and permissions associated to privileged accounts, including SYSTEM and root.", "url": "https://attack.mitre.org/mitigations/M1026"}, {"name": "Network Segmentation", "description": "Architect sections of the network to isolate critical systems, functions, or resources. Use physical and logical segmentation to prevent access to potentially sensitive systems and information. Use a DMZ to contain any internet-facing services that should not be exposed from the internal network.", "url": "https://attack.mitre.org/mitigations/M1030"}, {"name": "Multi-factor Authentication", "description": "Use two or more pieces of evidence to authenticate to a system; such as username and password in addition to a token from a physical smart card or token generator.", "url": "https://attack.mitre.org/mitigations/M1032"}]}, {"_id": "T1188", "mitigations": [{"name": "Filter Network Traffic", "description": "Use network appliances to filter ingress or egress traffic and perform protocol-based filtering. 
Configure software on endpoints to filter network traffic.", "url": "https://attack.mitre.org/mitigations/M1037"}]}, {"_id": "T1175", "mitigations": [{"name": "Network Segmentation", "description": "Architect sections of the network to isolate critical systems, functions, or resources. Use physical and logical segmentation to prevent access to potentially sensitive systems and information. Use a DMZ to contain any internet-facing services that should not be exposed from the internal network.", "url": "https://attack.mitre.org/mitigations/M1030"}, {"name": "Application Isolation and Sandboxing", "description": "Restrict execution of code to a virtual environment on or in transit to an endpoint system.", "url": "https://attack.mitre.org/mitigations/M1048"}, {"name": "Disable or Remove Feature or Program", "description": "Remove or deny access to unnecessary and potentially vulnerable software to prevent abuse by adversaries.", "url": "https://attack.mitre.org/mitigations/M1042"}, {"name": "Privileged Account Management", "description": "Manage the creation, modification, use, and permissions associated to privileged accounts, including SYSTEM and root.", "url": "https://attack.mitre.org/mitigations/M1026"}]}, {"_id": "T1500", "mitigations": [{"name": "Compile After Delivery Mitigation", "description": "This type of technique cannot be easily mitigated with preventive controls or patched since it is based on the abuse of operating system design features. For example, blocking all file compilation may have unintended side effects, such as preventing legitimate OS frameworks and code development mechanisms from operating properly. 
Consider removing compilers if not needed, otherwise efforts should be focused on preventing adversary tools from running earlier in the chain of activity and on identifying subsequent malicious behavior.", "url": ""}]}, {"_id": "T1088", "mitigations": [{"name": "Audit", "description": "Perform audits or scans of systems, permissions, insecure software, insecure configurations, etc. to identify potential weaknesses.", "url": "https://attack.mitre.org/mitigations/M1047"}, {"name": "User Account Control", "description": "Configure Windows User Account Control to mitigate risk of adversaries obtaining elevated process access.", "url": "https://attack.mitre.org/mitigations/M1052"}, {"name": "Privileged Account Management", "description": "Manage the creation, modification, use, and permissions associated to privileged accounts, including SYSTEM and root.", "url": "https://attack.mitre.org/mitigations/M1026"}]}, {"_id": "T1153", "mitigations": [{"name": "Source Mitigation", "description": "Due to potential legitimate uses of source commands, it's may be difficult to mitigate use of this technique.", "url": ""}]}, {"_id": "T1149", "mitigations": [{"name": "Code Signing", "description": "Enforce binary and application integrity with digital signature verification to prevent untrusted code from executing.", "url": "https://attack.mitre.org/mitigations/M1045"}]}, {"_id": "T1219", "mitigations": [{"name": "Network Intrusion Prevention", "description": "Use intrusion detection signatures to block traffic at network boundaries.", "url": "https://attack.mitre.org/mitigations/M1031"}, {"name": "Filter Network Traffic", "description": "Use network appliances to filter ingress or egress traffic and perform protocol-based filtering. 
Configure software on endpoints to filter network traffic.", "url": "https://attack.mitre.org/mitigations/M1037"}, {"name": "Execution Prevention", "description": "Block execution of code on a system through application whitelisting, blacklisting, and/or script blocking.", "url": "https://attack.mitre.org/mitigations/M1038"}]}, {"_id": "T1012", "mitigations": [{"name": "Query Registry Mitigation", "description": "Identify unnecessary system utilities or potentially malicious software that may be used to acquire information within the Registry, and audit and/or block them by using whitelisting (Citation: Beechey 2010) tools, like AppLocker, (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) or Software Restriction Policies (Citation: Corio 2008) where appropriate. (Citation: TechNet Applocker vs SRP)", "url": ""}]}, {"_id": "T1531", "mitigations": []}, {"_id": "T1031", "mitigations": [{"name": "Audit", "description": "Perform audits or scans of systems, permissions, insecure software, insecure configurations, etc. to identify potential weaknesses.", "url": "https://attack.mitre.org/mitigations/M1047"}, {"name": "User Account Management", "description": "Manage the creation, modification, use, and permissions associated to user accounts.", "url": "https://attack.mitre.org/mitigations/M1018"}]}, {"_id": "T1018", "mitigations": [{"name": "Remote System Discovery Mitigation", "description": "Identify unnecessary system utilities or potentially malicious software that may be used to acquire information on remotely available systems, and audit and/or block them by using whitelisting (Citation: Beechey 2010) tools, like AppLocker, (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) or Software Restriction Policies (Citation: Corio 2008) where appropriate. 
(Citation: TechNet Applocker vs SRP)", "url": ""}]}, {"_id": "T1187", "mitigations": [{"name": "Filter Network Traffic", "description": "Use network appliances to filter ingress or egress traffic and perform protocol-based filtering. Configure software on endpoints to filter network traffic.", "url": "https://attack.mitre.org/mitigations/M1037"}, {"name": "Password Policies", "description": "Set and enforce secure password policies for accounts.", "url": "https://attack.mitre.org/mitigations/M1027"}]}, {"_id": "T1193", "mitigations": [{"name": "Restrict Web-Based Content", "description": "Restrict use of certain websites, block downloads/attachments, block Javascript, restrict browser extensions, etc.", "url": "https://attack.mitre.org/mitigations/M1021"}, {"name": "Network Intrusion Prevention", "description": "Use intrusion detection signatures to block traffic at network boundaries.", "url": "https://attack.mitre.org/mitigations/M1031"}, {"name": "User Training", "description": "Train users to to be aware of access or manipulation attempts by an adversary to reduce the risk of successful spearphishing, social engineering, and other techniques that involve user interaction.", "url": "https://attack.mitre.org/mitigations/M1017"}, {"name": "Antivirus/Antimalware", "description": "Use signatures or heuristics to detect malicious software.", "url": "https://attack.mitre.org/mitigations/M1049"}]}, {"_id": "T1223", "mitigations": [{"name": "Restrict Web-Based Content", "description": "Restrict use of certain websites, block downloads/attachments, block Javascript, restrict browser extensions, etc.", "url": "https://attack.mitre.org/mitigations/M1021"}, {"name": "Execution Prevention", "description": "Block execution of code on a system through application whitelisting, blacklisting, and/or script blocking.", "url": "https://attack.mitre.org/mitigations/M1038"}]}, {"_id": "T1162", "mitigations": [{"name": "User Training", "description": "Train users to to be aware of 
access or manipulation attempts by an adversary to reduce the risk of successful spearphishing, social engineering, and other techniques that involve user interaction.", "url": "https://attack.mitre.org/mitigations/M1017"}, {"name": "User Account Management", "description": "Manage the creation, modification, use, and permissions associated to user accounts.", "url": "https://attack.mitre.org/mitigations/M1018"}]}, {"_id": "T1519", "mitigations": [{"name": "Disable or Remove Feature or Program", "description": "Remove or deny access to unnecessary and potentially vulnerable software to prevent abuse by adversaries.", "url": "https://attack.mitre.org/mitigations/M1042"}]}, {"_id": "T1167", "mitigations": []}, {"_id": "T1071", "mitigations": [{"name": "Network Intrusion Prevention", "description": "Use intrusion detection signatures to block traffic at network boundaries.", "url": "https://attack.mitre.org/mitigations/M1031"}]}, {"_id": "T1078", "mitigations": [{"name": "Filter Network Traffic", "description": "Use network appliances to filter ingress or egress traffic and perform protocol-based filtering. 
Configure software on endpoints to filter network traffic.", "url": "https://attack.mitre.org/mitigations/M1037"}, {"name": "Password Policies", "description": "Set and enforce secure password policies for accounts.", "url": "https://attack.mitre.org/mitigations/M1027"}, {"name": "Multi-factor Authentication", "description": "Use two or more pieces of evidence to authenticate to a system; such as username and password in addition to a token from a physical smart card or token generator.", "url": "https://attack.mitre.org/mitigations/M1032"}, {"name": "User Account Management", "description": "Manage the creation, modification, use, and permissions associated to user accounts.", "url": "https://attack.mitre.org/mitigations/M1018"}, {"name": "Application Developer Guidance", "description": "This mitigation describes any guidance or training given to developers of applications to avoid introducing security weaknesses that an adversary may be able to take advantage of.", "url": "https://attack.mitre.org/mitigations/M1013"}, {"name": "Privileged Account Management", "description": "Manage the creation, modification, use, and permissions associated to privileged accounts, including SYSTEM and root.", "url": "https://attack.mitre.org/mitigations/M1026"}, {"name": "Audit", "description": "Perform audits or scans of systems, permissions, insecure software, insecure configurations, etc. to identify potential weaknesses.", "url": "https://attack.mitre.org/mitigations/M1047"}]}, {"_id": "T1074", "mitigations": [{"name": "Data Staged Mitigation", "description": "Identify system utilities, remote access or third-party tools, users or potentially malicious software that may be used to store compressed or encrypted data in a publicly writeable directory, central location, or commonly used staging directories (e.g. recycle bin) that is indicative of non-standard behavior, and audit and/or block them by using file integrity monitoring tools where appropriate. 
Consider applying data size limits or blocking file writes of common compression and encryption utilities such as 7zip, RAR, ZIP, or zlib on frequently used staging directories or central locations and monitor attempted violations of those restrictions.", "url": ""}]}, {"_id": "T1490", "mitigations": [{"name": "Data Backup", "description": "Take and store data backups from end user systems and critical servers. Ensure backup and storage systems are hardened and kept separate from the corporate network to prevent compromise.", "url": "https://attack.mitre.org/mitigations/M1053"}, {"name": "Operating System Configuration", "description": "Make configuration changes related to the operating system or a common feature of the operating system that result in system hardening against techniques.", "url": "https://attack.mitre.org/mitigations/M1028"}]}, {"_id": "T1029", "mitigations": [{"name": "Network Intrusion Prevention", "description": "Use intrusion detection signatures to block traffic at network boundaries.", "url": "https://attack.mitre.org/mitigations/M1031"}]}, {"_id": "T1130", "mitigations": [{"name": "Operating System Configuration", "description": "Make configuration changes related to the operating system or a common feature of the operating system that result in system hardening against techniques.", "url": "https://attack.mitre.org/mitigations/M1028"}, {"name": "Software Configuration", "description": "Implement configuration changes to software (other than the operating system) to mitigate security risks associated to how the software operates.", "url": "https://attack.mitre.org/mitigations/M1054"}]}, {"_id": "T1184", "mitigations": [{"name": "Disable or Remove Feature or Program", "description": "Remove or deny access to unnecessary and potentially vulnerable software to prevent abuse by adversaries.", "url": "https://attack.mitre.org/mitigations/M1042"}, {"name": "User Account Control", "description": "Configure Windows User Account Control to mitigate 
risk of adversaries obtaining elevated process access.", "url": "https://attack.mitre.org/mitigations/M1052"}, {"name": "Privileged Account Management", "description": "Manage the creation, modification, use, and permissions associated to privileged accounts, including SYSTEM and root.", "url": "https://attack.mitre.org/mitigations/M1026"}, {"name": "Restrict File and Directory Permissions", "description": "Restrict access by setting directory and file permissions that are not specific to users or privileged accounts.", "url": "https://attack.mitre.org/mitigations/M1022"}, {"name": "Password Policies", "description": "Set and enforce secure password policies for accounts.", "url": "https://attack.mitre.org/mitigations/M1027"}]}, {"_id": "T1486", "mitigations": [{"name": "Data Backup", "description": "Take and store data backups from end user systems and critical servers. Ensure backup and storage systems are hardened and kept separate from the corporate network to prevent compromise.", "url": "https://attack.mitre.org/mitigations/M1053"}]}, {"_id": "T1497", "mitigations": [{"name": "Virtualization/Sandbox Evasion Mitigation", "description": "Mitigation of this technique with preventative controls may impact the adversary's decision process depending on what they're looking for, how they use the information, and what their objectives are. 
Since it may be difficult to mitigate all aspects of information that could be gathered, efforts should be focused on preventing adversary tools from running earlier in the chain of activity and on identifying subsequent malicious behavior if compromised.", "url": ""}]}, {"_id": "T1529", "mitigations": []}, {"_id": "T1131", "mitigations": [{"name": "Privileged Process Integrity", "description": "Protect processes with high privileges that can be used to interact with critical system components through use of protected process light, anti-process injection defenses, or other process integrity enforcement measures.", "url": "https://attack.mitre.org/mitigations/M1025"}]}, {"_id": "T1493", "mitigations": [{"name": "Encrypt Sensitive Information", "description": "Protect sensitive information with strong encryption.", "url": "https://attack.mitre.org/mitigations/M1041"}]}, {"_id": "T1059", "mitigations": [{"name": "Execution Prevention", "description": "Block execution of code on a system through application whitelisting, blacklisting, and/or script blocking.", "url": "https://attack.mitre.org/mitigations/M1038"}]}, {"_id": "T1165", "mitigations": [{"name": "Restrict File and Directory Permissions", "description": "Restrict access by setting directory and file permissions that are not specific to users or privileged accounts.", "url": "https://attack.mitre.org/mitigations/M1022"}, {"name": "User Account Management", "description": "Manage the creation, modification, use, and permissions associated to user accounts.", "url": "https://attack.mitre.org/mitigations/M1018"}]}, {"_id": "T1121", "mitigations": [{"name": "Execution Prevention", "description": "Block execution of code on a system through application whitelisting, blacklisting, and/or script blocking.", "url": "https://attack.mitre.org/mitigations/M1038"}, {"name": "Disable or Remove Feature or Program", "description": "Remove or deny access to unnecessary and potentially vulnerable software to prevent abuse by 
adversaries.", "url": "https://attack.mitre.org/mitigations/M1042"}]}, {"_id": "T1539", "mitigations": [{"name": "Software Configuration", "description": "Implement configuration changes to software (other than the operating system) to mitigate security risks associated to how the software operates.", "url": "https://attack.mitre.org/mitigations/M1054"}, {"name": "Multi-factor Authentication", "description": "Use two or more pieces of evidence to authenticate to a system; such as username and password in addition to a token from a physical smart card or token generator.", "url": "https://attack.mitre.org/mitigations/M1032"}, {"name": "User Training", "description": "Train users to to be aware of access or manipulation attempts by an adversary to reduce the risk of successful spearphishing, social engineering, and other techniques that involve user interaction.", "url": "https://attack.mitre.org/mitigations/M1017"}]}, {"_id": "T1103", "mitigations": [{"name": "Execution Prevention", "description": "Block execution of code on a system through application whitelisting, blacklisting, and/or script blocking.", "url": "https://attack.mitre.org/mitigations/M1038"}, {"name": "Update Software", "description": "Perform regular software updates to mitigate exploitation risk.", "url": "https://attack.mitre.org/mitigations/M1051"}]}, {"_id": "T1192", "mitigations": [{"name": "Restrict Web-Based Content", "description": "Restrict use of certain websites, block downloads/attachments, block Javascript, restrict browser extensions, etc.", "url": "https://attack.mitre.org/mitigations/M1021"}, {"name": "User Training", "description": "Train users to to be aware of access or manipulation attempts by an adversary to reduce the risk of successful spearphishing, social engineering, and other techniques that involve user interaction.", "url": "https://attack.mitre.org/mitigations/M1017"}]}, {"_id": "T1098", "mitigations": [{"name": "Multi-factor Authentication", "description": "Use two or 
more pieces of evidence to authenticate to a system; such as username and password in addition to a token from a physical smart card or token generator.", "url": "https://attack.mitre.org/mitigations/M1032"}, {"name": "Operating System Configuration", "description": "Make configuration changes related to the operating system or a common feature of the operating system that result in system hardening against techniques.", "url": "https://attack.mitre.org/mitigations/M1028"}, {"name": "Network Segmentation", "description": "Architect sections of the network to isolate critical systems, functions, or resources. Use physical and logical segmentation to prevent access to potentially sensitive systems and information. Use a DMZ to contain any internet-facing services that should not be exposed from the internal network.", "url": "https://attack.mitre.org/mitigations/M1030"}, {"name": "Privileged Account Management", "description": "Manage the creation, modification, use, and permissions associated to privileged accounts, including SYSTEM and root.", "url": "https://attack.mitre.org/mitigations/M1026"}]}, {"_id": "T1152", "mitigations": [{"name": "User Account Management", "description": "Manage the creation, modification, use, and permissions associated to user accounts.", "url": "https://attack.mitre.org/mitigations/M1018"}]}, {"_id": "T1128", "mitigations": [{"name": "Netsh Helper DLL Mitigation", "description": "Identify and block potentially malicious software that may persist in this manner by using whitelisting (Citation: Beechey 2010) tools capable of monitoring DLL loads by Windows utilities like AppLocker. 
(Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker)", "url": ""}]}, {"_id": "T1073", "mitigations": [{"name": "Restrict File and Directory Permissions", "description": "Restrict access by setting directory and file permissions that are not specific to users or privileged accounts.", "url": "https://attack.mitre.org/mitigations/M1022"}, {"name": "Update Software", "description": "Perform regular software updates to mitigate exploitation risk.", "url": "https://attack.mitre.org/mitigations/M1051"}, {"name": "Audit", "description": "Perform audits or scans of systems, permissions, insecure software, insecure configurations, etc. to identify potential weaknesses.", "url": "https://attack.mitre.org/mitigations/M1047"}]}, {"_id": "T1067", "mitigations": [{"name": "Boot Integrity", "description": "Use secure methods to boot a system and verify the integrity of the operating system and loading mechanisms.", "url": "https://attack.mitre.org/mitigations/M1046"}, {"name": "Privileged Account Management", "description": "Manage the creation, modification, use, and permissions associated to privileged accounts, including SYSTEM and root.", "url": "https://attack.mitre.org/mitigations/M1026"}]}, {"_id": "T1183", "mitigations": [{"name": "Image File Execution Options Injection Mitigation", "description": "This type of attack technique cannot be easily mitigated with preventive controls since it is based on the abuse of operating system design features. For example, mitigating all IFEO will likely have unintended side effects, such as preventing legitimate software (i.e., security products) from operating properly. 
(Citation: Microsoft IFEOorMalware July 2015) Efforts should be focused on preventing adversary tools from running earlier in the chain of activity and on identifying subsequent malicious behavior.", "url": ""}]}, {"_id": "T1140", "mitigations": [{"name": "Deobfuscate/Decode Files or Information Mitigation", "description": "Identify unnecessary system utilities or potentially malicious software that may be used to deobfuscate or decode files or information, and audit and/or block them by using whitelisting (Citation: Beechey 2010) tools, like AppLocker, (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) or Software Restriction Policies (Citation: Corio 2008) where appropriate. (Citation: TechNet Applocker vs SRP)", "url": ""}]}, {"_id": "T1168", "mitigations": [{"name": "User Account Management", "description": "Manage the creation, modification, use, and permissions associated to user accounts.", "url": "https://attack.mitre.org/mitigations/M1018"}]}, {"_id": "T1146", "mitigations": [{"name": "Restrict File and Directory Permissions", "description": "Restrict access by setting directory and file permissions that are not specific to users or privileged accounts.", "url": "https://attack.mitre.org/mitigations/M1022"}, {"name": "Environment Variable Permissions", "description": "Prevent modification of environment variables by unauthorized users and groups.", "url": "https://attack.mitre.org/mitigations/M1039"}]}, {"_id": "T1030", "mitigations": [{"name": "Network Intrusion Prevention", "description": "Use intrusion detection signatures to block traffic at network boundaries.", "url": "https://attack.mitre.org/mitigations/M1031"}]}, {"_id": "T1217", "mitigations": [{"name": "Browser Bookmark Discovery Mitigation", "description": "File system activity is a common part of an operating system, so it is unlikely that mitigation would be appropriate for this technique. 
For example, mitigating accesses to browser bookmark files will likely have unintended side effects such as preventing legitimate software from operating properly. Efforts should be focused on preventing adversary tools from running earlier in the chain of activity and on identification of subsequent malicious behavior. It may still be beneficial to identify and block unnecessary system utilities or potentially malicious software by using whitelisting (Citation: Beechey 2010) tools, like AppLocker, (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) or Software Restriction Policies (Citation: Corio 2008) where appropriate. (Citation: TechNet Applocker vs SRP)", "url": ""}]}, {"_id": "T1190", "mitigations": [{"name": "Privileged Account Management", "description": "Manage the creation, modification, use, and permissions associated to privileged accounts, including SYSTEM and root.", "url": "https://attack.mitre.org/mitigations/M1026"}, {"name": "Application Isolation and Sandboxing", "description": "Restrict execution of code to a virtual environment on or in transit to an endpoint system.", "url": "https://attack.mitre.org/mitigations/M1048"}, {"name": "Vulnerability Scanning", "description": "Vulnerability scanning is used to find potentially exploitable software vulnerabilities to remediate them.", "url": "https://attack.mitre.org/mitigations/M1016"}, {"name": "Update Software", "description": "Perform regular software updates to mitigate exploitation risk.", "url": "https://attack.mitre.org/mitigations/M1051"}, {"name": "Network Segmentation", "description": "Architect sections of the network to isolate critical systems, functions, or resources. Use physical and logical segmentation to prevent access to potentially sensitive systems and information. 
Use a DMZ to contain any internet-facing services that should not be exposed from the internal network.", "url": "https://attack.mitre.org/mitigations/M1030"}, {"name": "Exploit Protection", "description": "Use capabilities to detect and block conditions that may lead to or be indicative of a software exploit occurring.", "url": "https://attack.mitre.org/mitigations/M1050"}]}, {"_id": "T1049", "mitigations": [{"name": "System Network Connections Discovery Mitigation", "description": "Identify unnecessary system utilities or potentially malicious software that may be used to acquire information about network connections, and audit and/or block them by using whitelisting (Citation: Beechey 2010) tools, like AppLocker, (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) or Software Restriction Policies (Citation: Corio 2008) where appropriate. (Citation: TechNet Applocker vs SRP)", "url": ""}]}, {"_id": "T1514", "mitigations": [{"name": "Execution Prevention", "description": "Block execution of code on a system through application whitelisting, blacklisting, and/or script blocking.", "url": "https://attack.mitre.org/mitigations/M1038"}]}, {"_id": "T1172", "mitigations": [{"name": "SSL/TLS Inspection", "description": "Break and inspect SSL/TLS sessions to look at encrypted web traffic for adversary activity.", "url": "https://attack.mitre.org/mitigations/M1020"}, {"name": "Execution Prevention", "description": "Block execution of code on a system through application whitelisting, blacklisting, and/or script blocking.", "url": "https://attack.mitre.org/mitigations/M1038"}]}, {"_id": "T1518", "mitigations": []}, {"_id": "T1528", "mitigations": [{"name": "Restrict Web-Based Content", "description": "Restrict use of certain websites, block downloads/attachments, block Javascript, restrict browser extensions, etc.", "url": "https://attack.mitre.org/mitigations/M1021"}, {"name": "Audit", "description": "Perform audits or scans of systems, permissions, insecure 
software, insecure configurations, etc. to identify potential weaknesses.", "url": "https://attack.mitre.org/mitigations/M1047"}, {"name": "User Account Management", "description": "Manage the creation, modification, use, and permissions associated to user accounts.", "url": "https://attack.mitre.org/mitigations/M1018"}, {"name": "User Training", "description": "Train users to to be aware of access or manipulation attempts by an adversary to reduce the risk of successful spearphishing, social engineering, and other techniques that involve user interaction.", "url": "https://attack.mitre.org/mitigations/M1017"}]}, {"_id": "T1056", "mitigations": [{"name": "Input Capture Mitigation", "description": "Identify and block potentially malicious software that may be used to acquire credentials or information from the user by using whitelisting (Citation: Beechey 2010) tools, like AppLocker, (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) or Software Restriction Policies (Citation: Corio 2008) where appropriate. 
(Citation: TechNet Applocker vs SRP)", "url": ""}]}, {"_id": "T1111", "mitigations": [{"name": "User Training", "description": "Train users to to be aware of access or manipulation attempts by an adversary to reduce the risk of successful spearphishing, social engineering, and other techniques that involve user interaction.", "url": "https://attack.mitre.org/mitigations/M1017"}]}, {"_id": "T1159", "mitigations": [{"name": "User Account Management", "description": "Manage the creation, modification, use, and permissions associated to user accounts.", "url": "https://attack.mitre.org/mitigations/M1018"}]}, {"_id": "T1024", "mitigations": [{"name": "Network Intrusion Prevention", "description": "Use intrusion detection signatures to block traffic at network boundaries.", "url": "https://attack.mitre.org/mitigations/M1031"}]}, {"_id": "T1201", "mitigations": [{"name": "Password Policies", "description": "Set and enforce secure password policies for accounts.", "url": "https://attack.mitre.org/mitigations/M1027"}]}, {"_id": "T1014", "mitigations": [{"name": "Rootkit Mitigation", "description": "Identify potentially malicious software that may contain rootkit functionality, and audit and/or block it by using whitelisting (Citation: Beechey 2010) tools, like AppLocker, (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) or Software Restriction Policies (Citation: Corio 2008) where appropriate. 
(Citation: TechNet Applocker vs SRP)", "url": ""}]}, {"_id": "T1021", "mitigations": [{"name": "User Account Management", "description": "Manage the creation, modification, use, and permissions associated to user accounts.", "url": "https://attack.mitre.org/mitigations/M1018"}, {"name": "Multi-factor Authentication", "description": "Use two or more pieces of evidence to authenticate to a system; such as username and password in addition to a token from a physical smart card or token generator.", "url": "https://attack.mitre.org/mitigations/M1032"}]}, {"_id": "T1215", "mitigations": [{"name": "Antivirus/Antimalware", "description": "Use signatures or heuristics to detect malicious software.", "url": "https://attack.mitre.org/mitigations/M1049"}, {"name": "Execution Prevention", "description": "Block execution of code on a system through application whitelisting, blacklisting, and/or script blocking.", "url": "https://attack.mitre.org/mitigations/M1038"}, {"name": "Privileged Account Management", "description": "Manage the creation, modification, use, and permissions associated to privileged accounts, including SYSTEM and root.", "url": "https://attack.mitre.org/mitigations/M1026"}]}, {"_id": "T1189", "mitigations": [{"name": "Exploit Protection", "description": "Use capabilities to detect and block conditions that may lead to or be indicative of a software exploit occurring.", "url": "https://attack.mitre.org/mitigations/M1050"}, {"name": "Application Isolation and Sandboxing", "description": "Restrict execution of code to a virtual environment on or in transit to an endpoint system.", "url": "https://attack.mitre.org/mitigations/M1048"}, {"name": "Restrict Web-Based Content", "description": "Restrict use of certain websites, block downloads/attachments, block Javascript, restrict browser extensions, etc.", "url": "https://attack.mitre.org/mitigations/M1021"}, {"name": "Update Software", "description": "Perform regular software updates to mitigate exploitation 
risk.", "url": "https://attack.mitre.org/mitigations/M1051"}]}, {"_id": "T1492", "mitigations": [{"name": "Remote Data Storage", "description": "Use remote security log and sensitive file storage where access can be controlled better to prevent exposure of intrusion detection log data or sensitive information.", "url": "https://attack.mitre.org/mitigations/M1029"}, {"name": "Encrypt Sensitive Information", "description": "Protect sensitive information with strong encryption.", "url": "https://attack.mitre.org/mitigations/M1041"}, {"name": "Restrict File and Directory Permissions", "description": "Restrict access by setting directory and file permissions that are not specific to users or privileged accounts.", "url": "https://attack.mitre.org/mitigations/M1022"}]}, {"_id": "T1142", "mitigations": [{"name": "Password Policies", "description": "Set and enforce secure password policies for accounts.", "url": "https://attack.mitre.org/mitigations/M1027"}]}, {"_id": "T1115", "mitigations": [{"name": "Clipboard Data Mitigation", "description": "Instead of blocking software based on clipboard capture behavior, identify potentially malicious software that may contain this functionality, and audit and/or block it by using whitelisting (Citation: Beechey 2010) tools, like AppLocker, (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) or Software Restriction Policies (Citation: Corio 2008) where appropriate. (Citation: TechNet Applocker vs SRP)", "url": ""}]}, {"_id": "T1046", "mitigations": [{"name": "Disable or Remove Feature or Program", "description": "Remove or deny access to unnecessary and potentially vulnerable software to prevent abuse by adversaries.", "url": "https://attack.mitre.org/mitigations/M1042"}, {"name": "Network Segmentation", "description": "Architect sections of the network to isolate critical systems, functions, or resources. Use physical and logical segmentation to prevent access to potentially sensitive systems and information. 
Use a DMZ to contain any internet-facing services that should not be exposed from the internal network.", "url": "https://attack.mitre.org/mitigations/M1030"}, {"name": "Network Intrusion Prevention", "description": "Use intrusion detection signatures to block traffic at network boundaries.", "url": "https://attack.mitre.org/mitigations/M1031"}]}, {"_id": "T1119", "mitigations": [{"name": "Encrypt Sensitive Information", "description": "Protect sensitive information with strong encryption.", "url": "https://attack.mitre.org/mitigations/M1041"}, {"name": "Remote Data Storage", "description": "Use remote security log and sensitive file storage where access can be controlled better to prevent exposure of intrusion detection log data or sensitive information.", "url": "https://attack.mitre.org/mitigations/M1029"}]}, {"_id": "T1170", "mitigations": [{"name": "Disable or Remove Feature or Program", "description": "Remove or deny access to unnecessary and potentially vulnerable software to prevent abuse by adversaries.", "url": "https://attack.mitre.org/mitigations/M1042"}, {"name": "Execution Prevention", "description": "Block execution of code on a system through application whitelisting, blacklisting, and/or script blocking.", "url": "https://attack.mitre.org/mitigations/M1038"}]}, {"_id": "T1214", "mitigations": [{"name": "Privileged Account Management", "description": "Manage the creation, modification, use, and permissions associated to privileged accounts, including SYSTEM and root.", "url": "https://attack.mitre.org/mitigations/M1026"}, {"name": "Audit", "description": "Perform audits or scans of systems, permissions, insecure software, insecure configurations, etc. 
to identify potential weaknesses.", "url": "https://attack.mitre.org/mitigations/M1047"}, {"name": "Password Policies", "description": "Set and enforce secure password policies for accounts.", "url": "https://attack.mitre.org/mitigations/M1027"}]}, {"_id": "T1212", "mitigations": [{"name": "Threat Intelligence Program", "description": "A threat intelligence program helps an organization generate their own threat intelligence information and track trends to inform defensive priorities to mitigate risk.", "url": "https://attack.mitre.org/mitigations/M1019"}, {"name": "Application Isolation and Sandboxing", "description": "Restrict execution of code to a virtual environment on or in transit to an endpoint system.", "url": "https://attack.mitre.org/mitigations/M1048"}, {"name": "Exploit Protection", "description": "Use capabilities to detect and block conditions that may lead to or be indicative of a software exploit occurring.", "url": "https://attack.mitre.org/mitigations/M1050"}, {"name": "Update Software", "description": "Perform regular software updates to mitigate exploitation risk.", "url": "https://attack.mitre.org/mitigations/M1051"}]}, {"_id": "T1125", "mitigations": [{"name": "Video Capture Mitigation", "description": "Mitigating this technique specifically may be difficult as it requires fine-grained API control. 
Efforts should be focused on preventing unwanted or unknown code from executing on a system.", "url": ""}]}, {"_id": "T1538", "mitigations": [{"name": "User Account Management", "description": "Manage the creation, modification, use, and permissions associated to user accounts.", "url": "https://attack.mitre.org/mitigations/M1018"}]}, {"_id": "T1035", "mitigations": [{"name": "Restrict File and Directory Permissions", "description": "Restrict access by setting directory and file permissions that are not specific to users or privileged accounts.", "url": "https://attack.mitre.org/mitigations/M1022"}, {"name": "Privileged Account Management", "description": "Manage the creation, modification, use, and permissions associated to privileged accounts, including SYSTEM and root.", "url": "https://attack.mitre.org/mitigations/M1026"}]}, {"_id": "T1016", "mitigations": [{"name": "System Network Configuration Discovery Mitigation", "description": "Identify unnecessary system utilities or potentially malicious software that may be used to acquire information about a system's network configuration, and audit and/or block them by using whitelisting (Citation: Beechey 2010) tools, like AppLocker, (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) or Software Restriction Policies (Citation: Corio 2008) where appropriate. (Citation: TechNet Applocker vs SRP)", "url": ""}]}, {"_id": "T1161", "mitigations": [{"name": "Audit", "description": "Perform audits or scans of systems, permissions, insecure software, insecure configurations, etc. 
to identify potential weaknesses.", "url": "https://attack.mitre.org/mitigations/M1047"}, {"name": "Code Signing", "description": "Enforce binary and application integrity with digital signature verification to prevent untrusted code from executing.", "url": "https://attack.mitre.org/mitigations/M1045"}, {"name": "Execution Prevention", "description": "Block execution of code on a system through application whitelisting, blacklisting, and/or script blocking.", "url": "https://attack.mitre.org/mitigations/M1038"}]}, {"_id": "T1019", "mitigations": [{"name": "Privileged Account Management", "description": "Manage the creation, modification, use, and permissions associated to privileged accounts, including SYSTEM and root.", "url": "https://attack.mitre.org/mitigations/M1026"}, {"name": "Boot Integrity", "description": "Use secure methods to boot a system and verify the integrity of the operating system and loading mechanisms.", "url": "https://attack.mitre.org/mitigations/M1046"}, {"name": "Update Software", "description": "Perform regular software updates to mitigate exploitation risk.", "url": "https://attack.mitre.org/mitigations/M1051"}]}, {"_id": "T1186", "mitigations": [{"name": "Process Doppelg\u00e4nging Mitigation", "description": "This type of attack technique cannot be easily mitigated with preventive controls or patched since it is based on the abuse of operating system design features. For example, mitigating specific API calls will likely have unintended side effects, such as preventing legitimate process-loading mechanisms from operating properly. 
Efforts should be focused on preventing adversary tools from running earlier in the chain of activity and on identifying subsequent malicious behavior.", "url": ""}]}, {"_id": "T1057", "mitigations": [{"name": "Process Discovery Mitigation", "description": "Identify unnecessary system utilities or potentially malicious software that may be used to acquire information about processes, and audit and/or block them by using whitelisting (Citation: Beechey 2010) tools, like AppLocker, (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) or Software Restriction Policies (Citation: Corio 2008) where appropriate. (Citation: TechNet Applocker vs SRP)", "url": ""}]}, {"_id": "T1069", "mitigations": [{"name": "Permission Groups Discovery Mitigation", "description": "Identify unnecessary system utilities or potentially malicious software that may be used to acquire information about groups and permissions, and audit and/or block them by using whitelisting (Citation: Beechey 2010) tools, like AppLocker, (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) or Software Restriction Policies (Citation: Corio 2008) where appropriate. (Citation: TechNet Applocker vs SRP)", "url": ""}]}, {"_id": "T1197", "mitigations": [{"name": "User Account Management", "description": "Manage the creation, modification, use, and permissions associated to user accounts.", "url": "https://attack.mitre.org/mitigations/M1018"}, {"name": "Operating System Configuration", "description": "Make configuration changes related to the operating system or a common feature of the operating system that result in system hardening against techniques.", "url": "https://attack.mitre.org/mitigations/M1028"}, {"name": "Filter Network Traffic", "description": "Use network appliances to filter ingress or egress traffic and perform protocol-based filtering. 
Configure software on endpoints to filter network traffic.", "url": "https://attack.mitre.org/mitigations/M1037"}]}, {"_id": "T1134", "mitigations": [{"name": "User Account Management", "description": "Manage the creation, modification, use, and permissions associated to user accounts.", "url": "https://attack.mitre.org/mitigations/M1018"}, {"name": "Privileged Account Management", "description": "Manage the creation, modification, use, and permissions associated to privileged accounts, including SYSTEM and root.", "url": "https://attack.mitre.org/mitigations/M1026"}]}, {"_id": "T1091", "mitigations": [{"name": "Limit Hardware Installation", "description": "Block users or groups from installing or using unapproved hardware on systems, including USB devices.", "url": "https://attack.mitre.org/mitigations/M1034"}, {"name": "Disable or Remove Feature or Program", "description": "Remove or deny access to unnecessary and potentially vulnerable software to prevent abuse by adversaries.", "url": "https://attack.mitre.org/mitigations/M1042"}]}, {"_id": "T1013", "mitigations": [{"name": "Port Monitors Mitigation", "description": "Identify and block potentially malicious software that may persist in this manner by using whitelisting (Citation: Beechey 2010) tools capable of monitoring DLL loads by processes running under SYSTEM permissions.", "url": ""}]}, {"_id": "T1171", "mitigations": [{"name": "Filter Network Traffic", "description": "Use network appliances to filter ingress or egress traffic and perform protocol-based filtering. 
Configure software on endpoints to filter network traffic.", "url": "https://attack.mitre.org/mitigations/M1037"}, {"name": "Disable or Remove Feature or Program", "description": "Remove or deny access to unnecessary and potentially vulnerable software to prevent abuse by adversaries.", "url": "https://attack.mitre.org/mitigations/M1042"}]}, {"_id": "T1133", "mitigations": [{"name": "Limit Access to Resource Over Network", "description": "Prevent access to file shares, remote access to systems, unnecessary services. Mechanisms to limit access may include use of network concentrators, RDP gateways, etc.", "url": "https://attack.mitre.org/mitigations/M1035"}, {"name": "Multi-factor Authentication", "description": "Use two or more pieces of evidence to authenticate to a system; such as username and password in addition to a token from a physical smart card or token generator.", "url": "https://attack.mitre.org/mitigations/M1032"}, {"name": "Network Segmentation", "description": "Architect sections of the network to isolate critical systems, functions, or resources. Use physical and logical segmentation to prevent access to potentially sensitive systems and information. Use a DMZ to contain any internet-facing services that should not be exposed from the internal network.", "url": "https://attack.mitre.org/mitigations/M1030"}, {"name": "Disable or Remove Feature or Program", "description": "Remove or deny access to unnecessary and potentially vulnerable software to prevent abuse by adversaries.", "url": "https://attack.mitre.org/mitigations/M1042"}]}, {"_id": "T1076", "mitigations": [{"name": "Network Segmentation", "description": "Architect sections of the network to isolate critical systems, functions, or resources. Use physical and logical segmentation to prevent access to potentially sensitive systems and information. 
Use a DMZ to contain any internet-facing services that should not be exposed from the internal network.", "url": "https://attack.mitre.org/mitigations/M1030"}, {"name": "Privileged Account Management", "description": "Manage the creation, modification, use, and permissions associated to privileged accounts, including SYSTEM and root.", "url": "https://attack.mitre.org/mitigations/M1026"}, {"name": "Audit", "description": "Perform audits or scans of systems, permissions, insecure software, insecure configurations, etc. to identify potential weaknesses.", "url": "https://attack.mitre.org/mitigations/M1047"}, {"name": "Limit Access to Resource Over Network", "description": "Prevent access to file shares, remote access to systems, unnecessary services. Mechanisms to limit access may include use of network concentrators, RDP gateways, etc.", "url": "https://attack.mitre.org/mitigations/M1035"}, {"name": "User Account Management", "description": "Manage the creation, modification, use, and permissions associated to user accounts.", "url": "https://attack.mitre.org/mitigations/M1018"}, {"name": "Multi-factor Authentication", "description": "Use two or more pieces of evidence to authenticate to a system; such as username and password in addition to a token from a physical smart card or token generator.", "url": "https://attack.mitre.org/mitigations/M1032"}, {"name": "Operating System Configuration", "description": "Make configuration changes related to the operating system or a common feature of the operating system that result in system hardening against techniques.", "url": "https://attack.mitre.org/mitigations/M1028"}, {"name": "Disable or Remove Feature or Program", "description": "Remove or deny access to unnecessary and potentially vulnerable software to prevent abuse by adversaries.", "url": "https://attack.mitre.org/mitigations/M1042"}]}, {"_id": "T1122", "mitigations": [{"name": "Component Object Model Hijacking Mitigation", "description": "Direct mitigation of 
this technique may not be recommended for a particular environment since COM objects are a legitimate part of the operating system and installed software. Blocking COM object changes may have unforeseen side effects to legitimate functionality.", "url": ""}]}, {"_id": "T1164", "mitigations": [{"name": "User Training", "description": "Train users to to be aware of access or manipulation attempts by an adversary to reduce the risk of successful spearphishing, social engineering, and other techniques that involve user interaction.", "url": "https://attack.mitre.org/mitigations/M1017"}, {"name": "Disable or Remove Feature or Program", "description": "Remove or deny access to unnecessary and potentially vulnerable software to prevent abuse by adversaries.", "url": "https://attack.mitre.org/mitigations/M1042"}]}, {"_id": "T1494", "mitigations": [{"name": "Restrict File and Directory Permissions", "description": "Restrict access by setting directory and file permissions that are not specific to users or privileged accounts.", "url": "https://attack.mitre.org/mitigations/M1022"}, {"name": "Network Segmentation", "description": "Architect sections of the network to isolate critical systems, functions, or resources. Use physical and logical segmentation to prevent access to potentially sensitive systems and information. 
Use a DMZ to contain any internet-facing services that should not be exposed from the internal network.", "url": "https://attack.mitre.org/mitigations/M1030"}]}, {"_id": "T1210", "mitigations": [{"name": "Application Isolation and Sandboxing", "description": "Restrict execution of code to a virtual environment on or in transit to an endpoint system.", "url": "https://attack.mitre.org/mitigations/M1048"}, {"name": "Exploit Protection", "description": "Use capabilities to detect and block conditions that may lead to or be indicative of a software exploit occurring.", "url": "https://attack.mitre.org/mitigations/M1050"}, {"name": "Network Segmentation", "description": "Architect sections of the network to isolate critical systems, functions, or resources. Use physical and logical segmentation to prevent access to potentially sensitive systems and information. Use a DMZ to contain any internet-facing services that should not be exposed from the internal network.", "url": "https://attack.mitre.org/mitigations/M1030"}, {"name": "Update Software", "description": "Perform regular software updates to mitigate exploitation risk.", "url": "https://attack.mitre.org/mitigations/M1051"}, {"name": "Privileged Account Management", "description": "Manage the creation, modification, use, and permissions associated to privileged accounts, including SYSTEM and root.", "url": "https://attack.mitre.org/mitigations/M1026"}, {"name": "Disable or Remove Feature or Program", "description": "Remove or deny access to unnecessary and potentially vulnerable software to prevent abuse by adversaries.", "url": "https://attack.mitre.org/mitigations/M1042"}, {"name": "Threat Intelligence Program", "description": "A threat intelligence program helps an organization generate their own threat intelligence information and track trends to inform defensive priorities to mitigate risk.", "url": "https://attack.mitre.org/mitigations/M1019"}, {"name": "Vulnerability Scanning", "description": "Vulnerability 
scanning is used to find potentially exploitable software vulnerabilities to remediate them.", "url": "https://attack.mitre.org/mitigations/M1016"}]}, {"_id": "T1033", "mitigations": [{"name": "System Owner/User Discovery Mitigation", "description": "Identify unnecessary system utilities or potentially malicious software that may be used to acquire information about system users, and audit and/or block them by using whitelisting (Citation: Beechey 2010) tools, like AppLocker, (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) or Software Restriction Policies (Citation: Corio 2008) where appropriate. (Citation: TechNet Applocker vs SRP)", "url": ""}]}, {"_id": "T1505", "mitigations": [{"name": "Code Signing", "description": "Enforce binary and application integrity with digital signature verification to prevent untrusted code from executing.", "url": "https://attack.mitre.org/mitigations/M1045"}, {"name": "Audit", "description": "Perform audits or scans of systems, permissions, insecure software, insecure configurations, etc. 
to identify potential weaknesses.", "url": "https://attack.mitre.org/mitigations/M1047"}, {"name": "Privileged Account Management", "description": "Manage the creation, modification, use, and permissions associated to privileged accounts, including SYSTEM and root.", "url": "https://attack.mitre.org/mitigations/M1026"}]}, {"_id": "T1047", "mitigations": [{"name": "Privileged Account Management", "description": "Manage the creation, modification, use, and permissions associated to privileged accounts, including SYSTEM and root.", "url": "https://attack.mitre.org/mitigations/M1026"}, {"name": "User Account Management", "description": "Manage the creation, modification, use, and permissions associated to user accounts.", "url": "https://attack.mitre.org/mitigations/M1018"}]}, {"_id": "T1008", "mitigations": [{"name": "Network Intrusion Prevention", "description": "Use intrusion detection signatures to block traffic at network boundaries.", "url": "https://attack.mitre.org/mitigations/M1031"}]}, {"_id": "T1034", "mitigations": [{"name": "Restrict File and Directory Permissions", "description": "Restrict access by setting directory and file permissions that are not specific to users or privileged accounts.", "url": "https://attack.mitre.org/mitigations/M1022"}, {"name": "Execution Prevention", "description": "Block execution of code on a system through application whitelisting, blacklisting, and/or script blocking.", "url": "https://attack.mitre.org/mitigations/M1038"}, {"name": "Audit", "description": "Perform audits or scans of systems, permissions, insecure software, insecure configurations, etc. 
to identify potential weaknesses.", "url": "https://attack.mitre.org/mitigations/M1047"}, {"name": "User Account Management", "description": "Manage the creation, modification, use, and permissions associated to user accounts.", "url": "https://attack.mitre.org/mitigations/M1018"}]}, {"_id": "T1135", "mitigations": [{"name": "Network Share Discovery Mitigation", "description": "Identify unnecessary system utilities or potentially malicious software that may be used to acquire network share information, and audit and/or block them by using whitelisting (Citation: Beechey 2010) tools, like AppLocker, (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) or Software Restriction Policies (Citation: Corio 2008) where appropriate. (Citation: TechNet Applocker vs SRP)", "url": ""}]}, {"_id": "T1483", "mitigations": [{"name": "Network Intrusion Prevention", "description": "Use intrusion detection signatures to block traffic at network boundaries.", "url": "https://attack.mitre.org/mitigations/M1031"}, {"name": "Restrict Web-Based Content", "description": "Restrict use of certain websites, block downloads/attachments, block Javascript, restrict browser extensions, etc.", "url": "https://attack.mitre.org/mitigations/M1021"}]}, {"_id": "T1009", "mitigations": [{"name": "Binary Padding Mitigation", "description": "Identify potentially malicious software that may be executed from a padded or otherwise obfuscated binary, and audit and/or block it by using whitelisting (Citation: Beechey 2010) tools, like AppLocker, (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) or Software Restriction Policies (Citation: Corio 2008) where appropriate. 
(Citation: TechNet Applocker vs SRP)", "url": ""}]}, {"_id": "T1195", "mitigations": [{"name": "Update Software", "description": "Perform regular software updates to mitigate exploitation risk.", "url": "https://attack.mitre.org/mitigations/M1051"}, {"name": "Vulnerability Scanning", "description": "Vulnerability scanning is used to find potentially exploitable software vulnerabilities to remediate them.", "url": "https://attack.mitre.org/mitigations/M1016"}]}, {"_id": "T1211", "mitigations": [{"name": "Threat Intelligence Program", "description": "A threat intelligence program helps an organization generate their own threat intelligence information and track trends to inform defensive priorities to mitigate risk.", "url": "https://attack.mitre.org/mitigations/M1019"}, {"name": "Exploit Protection", "description": "Use capabilities to detect and block conditions that may lead to or be indicative of a software exploit occurring.", "url": "https://attack.mitre.org/mitigations/M1050"}, {"name": "Application Isolation and Sandboxing", "description": "Restrict execution of code to a virtual environment on or in transit to an endpoint system.", "url": "https://attack.mitre.org/mitigations/M1048"}, {"name": "Update Software", "description": "Perform regular software updates to mitigate exploitation risk.", "url": "https://attack.mitre.org/mitigations/M1051"}]}, {"_id": "T1099", "mitigations": [{"name": "Timestomp Mitigation", "description": "Mitigation of timestomping specifically is likely difficult. Efforts should be focused on preventing potentially malicious software from running. Identify and block potentially malicious software that may contain functionality to perform timestomping by using whitelisting (Citation: Beechey 2010) tools like AppLocker (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) or Software Restriction Policies (Citation: Corio 2008) where appropriate. 
(Citation: TechNet Applocker vs SRP)", "url": ""}]}, {"_id": "T1143", "mitigations": [{"name": "Execution Prevention", "description": "Block execution of code on a system through application whitelisting, blacklisting, and/or script blocking.", "url": "https://attack.mitre.org/mitigations/M1038"}]}, {"_id": "T1222", "mitigations": [{"name": "File Permissions Modification Mitigation", "description": "This type of technique cannot be easily mitigated with preventive controls since it is based on the abuse of operating system design features. Efforts should be focused on preventing adversary tools from running earlier in the chain of activity and on identification of subsequent malicious behavior.", "url": ""}]}, {"_id": "T1039", "mitigations": [{"name": "Data from Network Shared Drive Mitigation", "description": "Identify unnecessary system utilities or potentially malicious software that may be used to collect data from a network share, and audit and/or block them by using whitelisting (Citation: Beechey 2010) tools, like AppLocker, (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) or Software Restriction Policies (Citation: Corio 2008) where appropriate. (Citation: TechNet Applocker vs SRP)", "url": ""}]}, {"_id": "T1173", "mitigations": [{"name": "Disable or Remove Feature or Program", "description": "Remove or deny access to unnecessary and potentially vulnerable software to prevent abuse by adversaries.", "url": "https://attack.mitre.org/mitigations/M1042"}, {"name": "Behavior Prevention on Endpoint", "description": "Use capabilities to prevent suspicious behavior patterns from occurring on endpoint systems. This could include suspicious process, file, API call, etc. 
behavior.", "url": "https://attack.mitre.org/mitigations/M1040"}, {"name": "Application Isolation and Sandboxing", "description": "Restrict execution of code to a virtual environment on or in transit to an endpoint system.", "url": "https://attack.mitre.org/mitigations/M1048"}, {"name": "Software Configuration", "description": "Implement configuration changes to software (other than the operating system) to mitigate security risks associated to how the software operates.", "url": "https://attack.mitre.org/mitigations/M1054"}]}, {"_id": "T1075", "mitigations": [{"name": "Password Policies", "description": "Set and enforce secure password policies for accounts.", "url": "https://attack.mitre.org/mitigations/M1027"}, {"name": "Privileged Account Management", "description": "Manage the creation, modification, use, and permissions associated to privileged accounts, including SYSTEM and root.", "url": "https://attack.mitre.org/mitigations/M1026"}, {"name": "User Account Management", "description": "Manage the creation, modification, use, and permissions associated to user accounts.", "url": "https://attack.mitre.org/mitigations/M1018"}, {"name": "Update Software", "description": "Perform regular software updates to mitigate exploitation risk.", "url": "https://attack.mitre.org/mitigations/M1051"}, {"name": "User Account Control", "description": "Configure Windows User Account Control to mitigate risk of adversaries obtaining elevated process access.", "url": "https://attack.mitre.org/mitigations/M1052"}]}, {"_id": "T1491", "mitigations": [{"name": "Data Backup", "description": "Take and store data backups from end user systems and critical servers. 
Ensure backup and storage systems are hardened and kept separate from the corporate network to prevent compromise.", "url": "https://attack.mitre.org/mitigations/M1053"}]}, {"_id": "T1174", "mitigations": [{"name": "Operating System Configuration", "description": "Make configuration changes related to the operating system or a common feature of the operating system that result in system hardening against techniques.", "url": "https://attack.mitre.org/mitigations/M1028"}]}, {"_id": "T1209", "mitigations": [{"name": "Restrict Registry Permissions", "description": "Restrict the ability to modify certain hives or keys in the Windows Registry.", "url": "https://attack.mitre.org/mitigations/M1024"}, {"name": "Restrict File and Directory Permissions", "description": "Restrict access by setting directory and file permissions that are not specific to users or privileged accounts.", "url": "https://attack.mitre.org/mitigations/M1022"}]}, {"_id": "T1525", "mitigations": [{"name": "Audit", "description": "Perform audits or scans of systems, permissions, insecure software, insecure configurations, etc. 
to identify potential weaknesses.", "url": "https://attack.mitre.org/mitigations/M1047"}, {"name": "Code Signing", "description": "Enforce binary and application integrity with digital signature verification to prevent untrusted code from executing.", "url": "https://attack.mitre.org/mitigations/M1045"}, {"name": "Privileged Account Management", "description": "Manage the creation, modification, use, and permissions associated to privileged accounts, including SYSTEM and root.", "url": "https://attack.mitre.org/mitigations/M1026"}]}, {"_id": "T1107", "mitigations": [{"name": "File Deletion Mitigation", "description": "Identify unnecessary system utilities, third-party tools, or potentially malicious software that may be used to delete files, and audit and/or block them by using whitelisting (Citation: Beechey 2010) tools like AppLocker (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) or Software Restriction Policies (Citation: Corio 2008) where appropriate. (Citation: TechNet Applocker vs SRP)", "url": ""}]}, {"_id": "T1032", "mitigations": [{"name": "SSL/TLS Inspection", "description": "Break and inspect SSL/TLS sessions to look at encrypted web traffic for adversary activity.", "url": "https://attack.mitre.org/mitigations/M1020"}, {"name": "Network Intrusion Prevention", "description": "Use intrusion detection signatures to block traffic at network boundaries.", "url": "https://attack.mitre.org/mitigations/M1031"}]}, {"_id": "T1086", "mitigations": [{"name": "Code Signing", "description": "Enforce binary and application integrity with digital signature verification to prevent untrusted code from executing.", "url": "https://attack.mitre.org/mitigations/M1045"}, {"name": "Privileged Account Management", "description": "Manage the creation, modification, use, and permissions associated to privileged accounts, including SYSTEM and root.", "url": "https://attack.mitre.org/mitigations/M1026"}, {"name": "Disable or Remove Feature or Program", 
"description": "Remove or deny access to unnecessary and potentially vulnerable software to prevent abuse by adversaries.", "url": "https://attack.mitre.org/mitigations/M1042"}]}, {"_id": "T1527", "mitigations": [{"name": "Encrypt Sensitive Information", "description": "Protect sensitive information with strong encryption.", "url": "https://attack.mitre.org/mitigations/M1041"}, {"name": "Audit", "description": "Perform audits or scans of systems, permissions, insecure software, insecure configurations, etc. to identify potential weaknesses.", "url": "https://attack.mitre.org/mitigations/M1047"}, {"name": "Restrict Web-Based Content", "description": "Restrict use of certain websites, block downloads/attachments, block Javascript, restrict browser extensions, etc.", "url": "https://attack.mitre.org/mitigations/M1021"}]}, {"_id": "T1126", "mitigations": [{"name": "Network Share Connection Removal Mitigation", "description": "Follow best practices for mitigation of activity related to establishing [Windows Admin Shares](https://attack.mitre.org/techniques/T1077). 
", "url": ""}]}, {"_id": "T1058", "mitigations": [{"name": "Restrict Registry Permissions", "description": "Restrict the ability to modify certain hives or keys in the Windows Registry.", "url": "https://attack.mitre.org/mitigations/M1024"}]}, {"_id": "T1158", "mitigations": [{"name": "Hidden Files and Directories Mitigation", "description": "Mitigation of this technique may be difficult and unadvised due to the the legitimate use of hidden files and directories.", "url": ""}]}, {"_id": "T1072", "mitigations": [{"name": "Password Policies", "description": "Set and enforce secure password policies for accounts.", "url": "https://attack.mitre.org/mitigations/M1027"}, {"name": "User Training", "description": "Train users to to be aware of access or manipulation attempts by an adversary to reduce the risk of successful spearphishing, social engineering, and other techniques that involve user interaction.", "url": "https://attack.mitre.org/mitigations/M1017"}, {"name": "Network Segmentation", "description": "Architect sections of the network to isolate critical systems, functions, or resources. Use physical and logical segmentation to prevent access to potentially sensitive systems and information. 
Use a DMZ to contain any internet-facing services that should not be exposed from the internal network.", "url": "https://attack.mitre.org/mitigations/M1030"}, {"name": "User Account Management", "description": "Manage the creation, modification, use, and permissions associated to user accounts.", "url": "https://attack.mitre.org/mitigations/M1018"}, {"name": "Update Software", "description": "Perform regular software updates to mitigate exploitation risk.", "url": "https://attack.mitre.org/mitigations/M1051"}, {"name": "Remote Data Storage", "description": "Use remote security log and sensitive file storage where access can be controlled better to prevent exposure of intrusion detection log data or sensitive information.", "url": "https://attack.mitre.org/mitigations/M1029"}, {"name": "Multi-factor Authentication", "description": "Use two or more pieces of evidence to authenticate to a system; such as username and password in addition to a token from a physical smart card or token generator.", "url": "https://attack.mitre.org/mitigations/M1032"}, {"name": "Active Directory Configuration", "description": "Configure Active Directory to prevent use of certain techniques; use SID Filtering, etc.", "url": "https://attack.mitre.org/mitigations/M1015"}, {"name": "Privileged Account Management", "description": "Manage the creation, modification, use, and permissions associated to privileged accounts, including SYSTEM and root.", "url": "https://attack.mitre.org/mitigations/M1026"}]}, {"_id": "T1068", "mitigations": [{"name": "Threat Intelligence Program", "description": "A threat intelligence program helps an organization generate their own threat intelligence information and track trends to inform defensive priorities to mitigate risk.", "url": "https://attack.mitre.org/mitigations/M1019"}, {"name": "Exploit Protection", "description": "Use capabilities to detect and block conditions that may lead to or be indicative of a software exploit occurring.", "url": 
"https://attack.mitre.org/mitigations/M1050"}, {"name": "Update Software", "description": "Perform regular software updates to mitigate exploitation risk.", "url": "https://attack.mitre.org/mitigations/M1051"}, {"name": "Application Isolation and Sandboxing", "description": "Restrict execution of code to a virtual environment on or in transit to an endpoint system.", "url": "https://attack.mitre.org/mitigations/M1048"}]}, {"_id": "T1482", "mitigations": [{"name": "Audit", "description": "Perform audits or scans of systems, permissions, insecure software, insecure configurations, etc. to identify potential weaknesses.", "url": "https://attack.mitre.org/mitigations/M1047"}, {"name": "Network Segmentation", "description": "Architect sections of the network to isolate critical systems, functions, or resources. Use physical and logical segmentation to prevent access to potentially sensitive systems and information. Use a DMZ to contain any internet-facing services that should not be exposed from the internal network.", "url": "https://attack.mitre.org/mitigations/M1030"}]}, {"_id": "T1017", "mitigations": [{"name": "Network Segmentation", "description": "Architect sections of the network to isolate critical systems, functions, or resources. Use physical and logical segmentation to prevent access to potentially sensitive systems and information. 
Use a DMZ to contain any internet-facing services that should not be exposed from the internal network.", "url": "https://attack.mitre.org/mitigations/M1030"}, {"name": "Update Software", "description": "Perform regular software updates to mitigate exploitation risk.", "url": "https://attack.mitre.org/mitigations/M1051"}, {"name": "Multi-factor Authentication", "description": "Use two or more pieces of evidence to authenticate to a system; such as username and password in addition to a token from a physical smart card or token generator.", "url": "https://attack.mitre.org/mitigations/M1032"}, {"name": "Code Signing", "description": "Enforce binary and application integrity with digital signature verification to prevent untrusted code from executing.", "url": "https://attack.mitre.org/mitigations/M1045"}, {"name": "Privileged Account Management", "description": "Manage the creation, modification, use, and permissions associated to privileged accounts, including SYSTEM and root.", "url": "https://attack.mitre.org/mitigations/M1026"}]}, {"_id": "T1155", "mitigations": [{"name": "Code Signing", "description": "Enforce binary and application integrity with digital signature verification to prevent untrusted code from executing.", "url": "https://attack.mitre.org/mitigations/M1045"}]}, {"_id": "T1092", "mitigations": [{"name": "Operating System Configuration", "description": "Make configuration changes related to the operating system or a common feature of the operating system that result in system hardening against techniques.", "url": "https://attack.mitre.org/mitigations/M1028"}, {"name": "Disable or Remove Feature or Program", "description": "Remove or deny access to unnecessary and potentially vulnerable software to prevent abuse by adversaries.", "url": "https://attack.mitre.org/mitigations/M1042"}]}, {"_id": "T1123", "mitigations": [{"name": "Audio Capture Mitigation", "description": "Mitigating this technique specifically may be difficult as it requires 
fine-grained API control. Efforts should be focused on preventing unwanted or unknown code from executing on a system.", "url": ""}]}, {"_id": "T1489", "mitigations": [{"name": "Network Segmentation", "description": "Architect sections of the network to isolate critical systems, functions, or resources. Use physical and logical segmentation to prevent access to potentially sensitive systems and information. Use a DMZ to contain any internet-facing services that should not be exposed from the internal network.", "url": "https://attack.mitre.org/mitigations/M1030"}, {"name": "Restrict Registry Permissions", "description": "Restrict the ability to modify certain hives or keys in the Windows Registry.", "url": "https://attack.mitre.org/mitigations/M1024"}, {"name": "Restrict File and Directory Permissions", "description": "Restrict access by setting directory and file permissions that are not specific to users or privileged accounts.", "url": "https://attack.mitre.org/mitigations/M1022"}, {"name": "User Account Management", "description": "Manage the creation, modification, use, and permissions associated to user accounts.", "url": "https://attack.mitre.org/mitigations/M1018"}]}, {"_id": "T1526", "mitigations": []}, {"_id": "T1200", "mitigations": [{"name": "Limit Access to Resource Over Network", "description": "Prevent access to file shares, remote access to systems, unnecessary services. 
Mechanisms to limit access may include use of network concentrators, RDP gateways, etc.", "url": "https://attack.mitre.org/mitigations/M1035"}, {"name": "Limit Hardware Installation", "description": "Block users or groups from installing or using unapproved hardware on systems, including USB devices.", "url": "https://attack.mitre.org/mitigations/M1034"}]}, {"_id": "T1501", "mitigations": [{"name": "Privileged Account Management", "description": "Manage the creation, modification, use, and permissions associated to privileged accounts, including SYSTEM and root.", "url": "https://attack.mitre.org/mitigations/M1026"}, {"name": "Limit Software Installation", "description": "Block users or groups from installing unapproved software.", "url": "https://attack.mitre.org/mitigations/M1033"}, {"name": "Restrict File and Directory Permissions", "description": "Restrict access by setting directory and file permissions that are not specific to users or privileged accounts.", "url": "https://attack.mitre.org/mitigations/M1022"}, {"name": "User Account Management", "description": "Manage the creation, modification, use, and permissions associated to user accounts.", "url": "https://attack.mitre.org/mitigations/M1018"}]}, {"_id": "T1145", "mitigations": [{"name": "Restrict File and Directory Permissions", "description": "Restrict access by setting directory and file permissions that are not specific to users or privileged accounts.", "url": "https://attack.mitre.org/mitigations/M1022"}, {"name": "Network Segmentation", "description": "Architect sections of the network to isolate critical systems, functions, or resources. Use physical and logical segmentation to prevent access to potentially sensitive systems and information. 
Use a DMZ to contain any internet-facing services that should not be exposed from the internal network.", "url": "https://attack.mitre.org/mitigations/M1030"}, {"name": "Audit", "description": "Perform audits or scans of systems, permissions, insecure software, insecure configurations, etc. to identify potential weaknesses.", "url": "https://attack.mitre.org/mitigations/M1047"}, {"name": "Encrypt Sensitive Information", "description": "Protect sensitive information with strong encryption.", "url": "https://attack.mitre.org/mitigations/M1041"}, {"name": "Password Policies", "description": "Set and enforce secure password policies for accounts.", "url": "https://attack.mitre.org/mitigations/M1027"}]}, {"_id": "T1220", "mitigations": [{"name": "Execution Prevention", "description": "Block execution of code on a system through application whitelisting, blacklisting, and/or script blocking.", "url": "https://attack.mitre.org/mitigations/M1038"}]}, {"_id": "T1041", "mitigations": [{"name": "Network Intrusion Prevention", "description": "Use intrusion detection signatures to block traffic at network boundaries.", "url": "https://attack.mitre.org/mitigations/M1031"}]}, {"_id": "T1011", "mitigations": [{"name": "Operating System Configuration", "description": "Make configuration changes related to the operating system or a common feature of the operating system that result in system hardening against techniques.", "url": "https://attack.mitre.org/mitigations/M1028"}]}, {"_id": "T1169", "mitigations": [{"name": "Privileged Account Management", "description": "Manage the creation, modification, use, and permissions associated to privileged accounts, including SYSTEM and root.", "url": "https://attack.mitre.org/mitigations/M1026"}, {"name": "Restrict File and Directory Permissions", "description": "Restrict access by setting directory and file permissions that are not specific to users or privileged accounts.", "url": "https://attack.mitre.org/mitigations/M1022"}]}, {"_id": 
"T1077", "mitigations": [{"name": "Password Policies", "description": "Set and enforce secure password policies for accounts.", "url": "https://attack.mitre.org/mitigations/M1027"}, {"name": "Privileged Account Management", "description": "Manage the creation, modification, use, and permissions associated to privileged accounts, including SYSTEM and root.", "url": "https://attack.mitre.org/mitigations/M1026"}]}, {"_id": "T1484", "mitigations": [{"name": "Audit", "description": "Perform audits or scans of systems, permissions, insecure software, insecure configurations, etc. to identify potential weaknesses.", "url": "https://attack.mitre.org/mitigations/M1047"}, {"name": "User Account Management", "description": "Manage the creation, modification, use, and permissions associated to user accounts.", "url": "https://attack.mitre.org/mitigations/M1018"}]}, {"_id": "T1522", "mitigations": [{"name": "Filter Network Traffic", "description": "Use network appliances to filter ingress or egress traffic and perform protocol-based filtering. Configure software on endpoints to filter network traffic.", "url": "https://attack.mitre.org/mitigations/M1037"}]}, {"_id": "T1020", "mitigations": [{"name": "Automated Exfiltration Mitigation", "description": "Identify unnecessary system utilities, scripts, or potentially malicious software that may be used to transfer data outside of a network, and audit and/or block them by using whitelisting (Citation: Beechey 2010) tools, like AppLocker, (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) or Software Restriction Policies (Citation: Corio 2008) where appropriate. 
(Citation: TechNet Applocker vs SRP)", "url": ""}]}, {"_id": "T1050", "mitigations": [{"name": "User Account Management", "description": "Manage the creation, modification, use, and permissions associated to user accounts.", "url": "https://attack.mitre.org/mitigations/M1018"}]}, {"_id": "T1198", "mitigations": [{"name": "Execution Prevention", "description": "Block execution of code on a system through application whitelisting, blacklisting, and/or script blocking.", "url": "https://attack.mitre.org/mitigations/M1038"}, {"name": "Restrict File and Directory Permissions", "description": "Restrict access by setting directory and file permissions that are not specific to users or privileged accounts.", "url": "https://attack.mitre.org/mitigations/M1022"}, {"name": "Restrict Registry Permissions", "description": "Restrict the ability to modify certain hives or keys in the Windows Registry.", "url": "https://attack.mitre.org/mitigations/M1024"}]}, {"_id": "T1150", "mitigations": [{"name": "Restrict File and Directory Permissions", "description": "Restrict access by setting directory and file permissions that are not specific to users or privileged accounts.", "url": "https://attack.mitre.org/mitigations/M1022"}]}, {"_id": "T1132", "mitigations": [{"name": "Network Intrusion Prevention", "description": "Use intrusion detection signatures to block traffic at network boundaries.", "url": "https://attack.mitre.org/mitigations/M1031"}]}, {"_id": "T1108", "mitigations": [{"name": "Network Intrusion Prevention", "description": "Use intrusion detection signatures to block traffic at network boundaries.", "url": "https://attack.mitre.org/mitigations/M1031"}]}, {"_id": "T1503", "mitigations": [{"name": "Password Policies", "description": "Set and enforce secure password policies for accounts.", "url": "https://attack.mitre.org/mitigations/M1027"}]}, {"_id": "T1028", "mitigations": [{"name": "Privileged Account Management", "description": "Manage the creation, modification, use, 
and permissions associated to privileged accounts, including SYSTEM and root.", "url": "https://attack.mitre.org/mitigations/M1026"}, {"name": "Disable or Remove Feature or Program", "description": "Remove or deny access to unnecessary and potentially vulnerable software to prevent abuse by adversaries.", "url": "https://attack.mitre.org/mitigations/M1042"}, {"name": "Network Segmentation", "description": "Architect sections of the network to isolate critical systems, functions, or resources. Use physical and logical segmentation to prevent access to potentially sensitive systems and information. Use a DMZ to contain any internet-facing services that should not be exposed from the internal network.", "url": "https://attack.mitre.org/mitigations/M1030"}]}, {"_id": "T1043", "mitigations": [{"name": "Network Intrusion Prevention", "description": "Use intrusion detection signatures to block traffic at network boundaries.", "url": "https://attack.mitre.org/mitigations/M1031"}, {"name": "Network Segmentation", "description": "Architect sections of the network to isolate critical systems, functions, or resources. Use physical and logical segmentation to prevent access to potentially sensitive systems and information. 
Use a DMZ to contain any internet-facing services that should not be exposed from the internal network.", "url": "https://attack.mitre.org/mitigations/M1030"}]}, {"_id": "T1218", "mitigations": [{"name": "Execution Prevention", "description": "Block execution of code on a system through application whitelisting, blacklisting, and/or script blocking.", "url": "https://attack.mitre.org/mitigations/M1038"}, {"name": "Privileged Account Management", "description": "Manage the creation, modification, use, and permissions associated to privileged accounts, including SYSTEM and root.", "url": "https://attack.mitre.org/mitigations/M1026"}]}, {"_id": "T1006", "mitigations": [{"name": "File System Logical Offsets Mitigation", "description": "Identify potentially malicious software that may be used to access logical drives in this manner, and audit and/or block it by using whitelisting (Citation: Beechey 2010) tools, like AppLocker, (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) or Software Restriction Policies (Citation: Corio 2008) where appropriate. 
(Citation: TechNet Applocker vs SRP)", "url": ""}]}, {"_id": "T1064", "mitigations": [{"name": "Disable or Remove Feature or Program", "description": "Remove or deny access to unnecessary and potentially vulnerable software to prevent abuse by adversaries.", "url": "https://attack.mitre.org/mitigations/M1042"}, {"name": "Application Isolation and Sandboxing", "description": "Restrict execution of code to a virtual environment on or in transit to an endpoint system.", "url": "https://attack.mitre.org/mitigations/M1048"}]}, {"_id": "T1166", "mitigations": [{"name": "Operating System Configuration", "description": "Make configuration changes related to the operating system or a common feature of the operating system that result in system hardening against techniques.", "url": "https://attack.mitre.org/mitigations/M1028"}]}, {"_id": "T1191", "mitigations": [{"name": "Execution Prevention", "description": "Block execution of code on a system through application whitelisting, blacklisting, and/or script blocking.", "url": "https://attack.mitre.org/mitigations/M1038"}, {"name": "Disable or Remove Feature or Program", "description": "Remove or deny access to unnecessary and potentially vulnerable software to prevent abuse by adversaries.", "url": "https://attack.mitre.org/mitigations/M1042"}]}, {"_id": "T1177", "mitigations": [{"name": "Credential Access Protection", "description": "Use capabilities to prevent successful credential access by adversaries; including blocking forms of credential dumping.", "url": "https://attack.mitre.org/mitigations/M1043"}, {"name": "Restrict Library Loading", "description": "Prevent abuse of library loading mechanisms in the operating system and software to load untrusted code by configuring appropriate library loading mechanisms and investigating potential vulnerable software.", "url": "https://attack.mitre.org/mitigations/M1044"}, {"name": "Code Signing", "description": "Enforce binary and application integrity with digital signature 
verification to prevent untrusted code from executing.", "url": "https://attack.mitre.org/mitigations/M1045"}]}, {"_id": "T1095", "mitigations": [{"name": "Filter Network Traffic", "description": "Use network appliances to filter ingress or egress traffic and perform protocol-based filtering. Configure software on endpoints to filter network traffic.", "url": "https://attack.mitre.org/mitigations/M1037"}, {"name": "Network Segmentation", "description": "Architect sections of the network to isolate critical systems, functions, or resources. Use physical and logical segmentation to prevent access to potentially sensitive systems and information. Use a DMZ to contain any internet-facing services that should not be exposed from the internal network.", "url": "https://attack.mitre.org/mitigations/M1030"}, {"name": "Network Intrusion Prevention", "description": "Use intrusion detection signatures to block traffic at network boundaries.", "url": "https://attack.mitre.org/mitigations/M1031"}]}, {"_id": "T1213", "mitigations": [{"name": "User Account Management", "description": "Manage the creation, modification, use, and permissions associated to user accounts.", "url": "https://attack.mitre.org/mitigations/M1018"}, {"name": "Audit", "description": "Perform audits or scans of systems, permissions, insecure software, insecure configurations, etc. 
to identify potential weaknesses.", "url": "https://attack.mitre.org/mitigations/M1047"}, {"name": "User Training", "description": "Train users to to be aware of access or manipulation attempts by an adversary to reduce the risk of successful spearphishing, social engineering, and other techniques that involve user interaction.", "url": "https://attack.mitre.org/mitigations/M1017"}]}, {"_id": "T1163", "mitigations": [{"name": "User Account Management", "description": "Manage the creation, modification, use, and permissions associated to user accounts.", "url": "https://attack.mitre.org/mitigations/M1018"}]}, {"_id": "T1204", "mitigations": [{"name": "Execution Prevention", "description": "Block execution of code on a system through application whitelisting, blacklisting, and/or script blocking.", "url": "https://attack.mitre.org/mitigations/M1038"}, {"name": "Network Intrusion Prevention", "description": "Use intrusion detection signatures to block traffic at network boundaries.", "url": "https://attack.mitre.org/mitigations/M1031"}, {"name": "Restrict Web-Based Content", "description": "Restrict use of certain websites, block downloads/attachments, block Javascript, restrict browser extensions, etc.", "url": "https://attack.mitre.org/mitigations/M1021"}, {"name": "User Training", "description": "Train users to to be aware of access or manipulation attempts by an adversary to reduce the risk of successful spearphishing, social engineering, and other techniques that involve user interaction.", "url": "https://attack.mitre.org/mitigations/M1017"}]}, {"_id": "T1114", "mitigations": [{"name": "Audit", "description": "Perform audits or scans of systems, permissions, insecure software, insecure configurations, etc. 
to identify potential weaknesses.", "url": "https://attack.mitre.org/mitigations/M1047"}, {"name": "Multi-factor Authentication", "description": "Use two or more pieces of evidence to authenticate to a system; such as username and password in addition to a token from a physical smart card or token generator.", "url": "https://attack.mitre.org/mitigations/M1032"}, {"name": "Encrypt Sensitive Information", "description": "Protect sensitive information with strong encryption.", "url": "https://attack.mitre.org/mitigations/M1041"}]}, {"_id": "T1113", "mitigations": [{"name": "Screen Capture Mitigation", "description": "Blocking software based on screen capture functionality may be difficult, and there may be legitimate software that performs those actions. Instead, identify potentially malicious software that may have functionality to acquire screen captures, and audit and/or block it by using whitelisting (Citation: Beechey 2010) tools, like AppLocker, (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) or Software Restriction Policies (Citation: Corio 2008) where appropriate. (Citation: TechNet Applocker vs SRP)", "url": ""}]}, {"_id": "T1015", "mitigations": [{"name": "Operating System Configuration", "description": "Make configuration changes related to the operating system or a common feature of the operating system that result in system hardening against techniques.", "url": "https://attack.mitre.org/mitigations/M1028"}, {"name": "Limit Access to Resource Over Network", "description": "Prevent access to file shares, remote access to systems, unnecessary services. 
Mechanisms to limit access may include use of network concentrators, RDP gateways, etc.", "url": "https://attack.mitre.org/mitigations/M1035"}, {"name": "Execution Prevention", "description": "Block execution of code on a system through application whitelisting, blacklisting, and/or script blocking.", "url": "https://attack.mitre.org/mitigations/M1038"}]}, {"_id": "T1110", "mitigations": [{"name": "Password Policies", "description": "Set and enforce secure password policies for accounts.", "url": "https://attack.mitre.org/mitigations/M1027"}, {"name": "Multi-factor Authentication", "description": "Use two or more pieces of evidence to authenticate to a system; such as username and password in addition to a token from a physical smart card or token generator.", "url": "https://attack.mitre.org/mitigations/M1032"}, {"name": "Account Use Policies", "description": "Configure features related to account use like login attempt lockouts, specific login times, etc.", "url": "https://attack.mitre.org/mitigations/M1036"}]}, {"_id": "T1036", "mitigations": [{"name": "Execution Prevention", "description": "Block execution of code on a system through application whitelisting, blacklisting, and/or script blocking.", "url": "https://attack.mitre.org/mitigations/M1038"}, {"name": "Code Signing", "description": "Enforce binary and application integrity with digital signature verification to prevent untrusted code from executing.", "url": "https://attack.mitre.org/mitigations/M1045"}, {"name": "Restrict File and Directory Permissions", "description": "Restrict access by setting directory and file permissions that are not specific to users or privileged accounts.", "url": "https://attack.mitre.org/mitigations/M1022"}]}, {"_id": "T1127", "mitigations": [{"name": "Disable or Remove Feature or Program", "description": "Remove or deny access to unnecessary and potentially vulnerable software to prevent abuse by adversaries.", "url": "https://attack.mitre.org/mitigations/M1042"}, {"name": 
"Execution Prevention", "description": "Block execution of code on a system through application whitelisting, blacklisting, and/or script blocking.", "url": "https://attack.mitre.org/mitigations/M1038"}]}, {"_id": "T1148", "mitigations": [{"name": "Operating System Configuration", "description": "Make configuration changes related to the operating system or a common feature of the operating system that result in system hardening against techniques.", "url": "https://attack.mitre.org/mitigations/M1028"}, {"name": "Environment Variable Permissions", "description": "Prevent modification of environment variables by unauthorized users and groups.", "url": "https://attack.mitre.org/mitigations/M1039"}]}, {"_id": "T1196", "mitigations": [{"name": "Restrict File and Directory Permissions", "description": "Restrict access by setting directory and file permissions that are not specific to users or privileged accounts.", "url": "https://attack.mitre.org/mitigations/M1022"}, {"name": "Execution Prevention", "description": "Block execution of code on a system through application whitelisting, blacklisting, and/or script blocking.", "url": "https://attack.mitre.org/mitigations/M1038"}]}, {"_id": "T1079", "mitigations": [{"name": "Network Intrusion Prevention", "description": "Use intrusion detection signatures to block traffic at network boundaries.", "url": "https://attack.mitre.org/mitigations/M1031"}]}, {"_id": "T1038", "mitigations": [{"name": "Execution Prevention", "description": "Block execution of code on a system through application whitelisting, blacklisting, and/or script blocking.", "url": "https://attack.mitre.org/mitigations/M1038"}, {"name": "Audit", "description": "Perform audits or scans of systems, permissions, insecure software, insecure configurations, etc. 
to identify potential weaknesses.", "url": "https://attack.mitre.org/mitigations/M1047"}, {"name": "Restrict Library Loading", "description": "Prevent abuse of library loading mechanisms in the operating system and software to load untrusted code by configuring appropriate library loading mechanisms and investigating potential vulnerable software.", "url": "https://attack.mitre.org/mitigations/M1044"}]}, {"_id": "T1040", "mitigations": [{"name": "Encrypt Sensitive Information", "description": "Protect sensitive information with strong encryption.", "url": "https://attack.mitre.org/mitigations/M1041"}, {"name": "Multi-factor Authentication", "description": "Use two or more pieces of evidence to authenticate to a system; such as username and password in addition to a token from a physical smart card or token generator.", "url": "https://attack.mitre.org/mitigations/M1032"}]}, {"_id": "T1080", "mitigations": [{"name": "Restrict File and Directory Permissions", "description": "Restrict access by setting directory and file permissions that are not specific to users or privileged accounts.", "url": "https://attack.mitre.org/mitigations/M1022"}, {"name": "Exploit Protection", "description": "Use capabilities to detect and block conditions that may lead to or be indicative of a software exploit occurring.", "url": "https://attack.mitre.org/mitigations/M1050"}, {"name": "Execution Prevention", "description": "Block execution of code on a system through application whitelisting, blacklisting, and/or script blocking.", "url": "https://attack.mitre.org/mitigations/M1038"}]}, {"_id": "T1084", "mitigations": [{"name": "Privileged Account Management", "description": "Manage the creation, modification, use, and permissions associated to privileged accounts, including SYSTEM and root.", "url": "https://attack.mitre.org/mitigations/M1026"}, {"name": "User Account Management", "description": "Manage the creation, modification, use, and permissions associated to user accounts.", 
"url": "https://attack.mitre.org/mitigations/M1018"}]}, {"_id": "T1137", "mitigations": [{"name": "Software Configuration", "description": "Implement configuration changes to software (other than the operating system) to mitigate security risks associated to how the software operates.", "url": "https://attack.mitre.org/mitigations/M1054"}, {"name": "Disable or Remove Feature or Program", "description": "Remove or deny access to unnecessary and potentially vulnerable software to prevent abuse by adversaries.", "url": "https://attack.mitre.org/mitigations/M1042"}, {"name": "Update Software", "description": "Perform regular software updates to mitigate exploitation risk.", "url": "https://attack.mitre.org/mitigations/M1051"}]}, {"_id": "T1537", "mitigations": [{"name": "Password Policies", "description": "Set and enforce secure password policies for accounts.", "url": "https://attack.mitre.org/mitigations/M1027"}, {"name": "Filter Network Traffic", "description": "Use network appliances to filter ingress or egress traffic and perform protocol-based filtering. 
Configure software on endpoints to filter network traffic.", "url": "https://attack.mitre.org/mitigations/M1037"}, {"name": "User Account Management", "description": "Manage the creation, modification, use, and permissions associated to user accounts.", "url": "https://attack.mitre.org/mitigations/M1018"}]}, {"_id": "T1144", "mitigations": [{"name": "Execution Prevention", "description": "Block execution of code on a system through application whitelisting, blacklisting, and/or script blocking.", "url": "https://attack.mitre.org/mitigations/M1038"}]}, {"_id": "T1027", "mitigations": [{"name": "Antivirus/Antimalware", "description": "Use signatures or heuristics to detect malicious software.", "url": "https://attack.mitre.org/mitigations/M1049"}]}, {"_id": "T1536", "mitigations": []}, {"_id": "T1480", "mitigations": [{"name": "Do Not Mitigate", "description": "This category is to associate techniques that mitigation might increase risk of compromise and therefore mitigation is not recommended.", "url": "https://attack.mitre.org/mitigations/M1055"}]}, {"_id": "T1104", "mitigations": [{"name": "Network Intrusion Prevention", "description": "Use intrusion detection signatures to block traffic at network boundaries.", "url": "https://attack.mitre.org/mitigations/M1031"}]}, {"_id": "T1535", "mitigations": [{"name": "Software Configuration", "description": "Implement configuration changes to software (other than the operating system) to mitigate security risks associated to how the software operates.", "url": "https://attack.mitre.org/mitigations/M1054"}]}, {"_id": "T1151", "mitigations": [{"name": "Space after Filename Mitigation", "description": "Prevent files from having a trailing space after the extension.", "url": ""}]}, {"_id": "T1495", "mitigations": [{"name": "Boot Integrity", "description": "Use secure methods to boot a system and verify the integrity of the operating system and loading mechanisms.", "url": "https://attack.mitre.org/mitigations/M1046"}, {"name": 
"Privileged Account Management", "description": "Manage the creation, modification, use, and permissions associated to privileged accounts, including SYSTEM and root.", "url": "https://attack.mitre.org/mitigations/M1026"}, {"name": "Update Software", "description": "Perform regular software updates to mitigate exploitation risk.", "url": "https://attack.mitre.org/mitigations/M1051"}]}, {"_id": "T1202", "mitigations": [{"name": "Indirect Command Execution Mitigation", "description": "Identify or block potentially malicious software that may contain abusive functionality by using whitelisting (Citation: Beechey 2010) tools, like AppLocker, (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) or Software Restriction Policies (Citation: Corio 2008) where appropriate. (Citation: TechNet Applocker vs SRP). These mechanisms can also be used to disable and/or limit user access to Windows utilities and file types/locations used to invoke malicious execution.(Citation: SpectorOPs SettingContent-ms Jun 2018)", "url": ""}]}, {"_id": "T1082", "mitigations": [{"name": "System Information Discovery Mitigation", "description": "Identify unnecessary system utilities or potentially malicious software that may be used to acquire information about the operating system and underlying hardware, and audit and/or block them by using whitelisting (Citation: Beechey 2010) tools, like AppLocker, (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) or Software Restriction Policies (Citation: Corio 2008) where appropriate. 
(Citation: TechNet Applocker vs SRP)", "url": ""}]}, {"_id": "T1496", "mitigations": [{"name": "Resource Hijacking Mitigation", "description": "Identify potentially malicious software and audit and/or block it by using whitelisting(Citation: Beechey 2010) tools, like AppLocker,(Citation: Windows Commands JPCERT)(Citation: NSA MS AppLocker) or Software Restriction Policies(Citation: Corio 2008) where appropriate.(Citation: TechNet Applocker vs SRP)", "url": ""}]}, {"_id": "T1037", "mitigations": [{"name": "Restrict File and Directory Permissions", "description": "Restrict access by setting directory and file permissions that are not specific to users or privileged accounts.", "url": "https://attack.mitre.org/mitigations/M1022"}]}, {"_id": "T1022", "mitigations": [{"name": "Data Encrypted Mitigation", "description": "Identify unnecessary system utilities, third-party tools, or potentially malicious software that may be used to encrypt files, and audit and/or block them by using whitelisting (Citation: Beechey 2010) tools, like AppLocker, (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) or Software Restriction Policies (Citation: Corio 2008) where appropriate. 
(Citation: TechNet Applocker vs SRP)", "url": ""}]}, {"_id": "T1004", "mitigations": [{"name": "User Account Management", "description": "Manage the creation, modification, use, and permissions associated to user accounts.", "url": "https://attack.mitre.org/mitigations/M1018"}, {"name": "Execution Prevention", "description": "Block execution of code on a system through application whitelisting, blacklisting, and/or script blocking.", "url": "https://attack.mitre.org/mitigations/M1038"}]}, {"_id": "T1206", "mitigations": [{"name": "Operating System Configuration", "description": "Make configuration changes related to the operating system or a common feature of the operating system that result in system hardening against techniques.", "url": "https://attack.mitre.org/mitigations/M1028"}, {"name": "Privileged Account Management", "description": "Manage the creation, modification, use, and permissions associated to privileged accounts, including SYSTEM and root.", "url": "https://attack.mitre.org/mitigations/M1026"}]}, {"_id": "T1005", "mitigations": [{"name": "Data from Local System Mitigation", "description": "Identify unnecessary system utilities or potentially malicious software that may be used to collect data from the local system, and audit and/or block them by using whitelisting (Citation: Beechey 2010) tools, like AppLocker, (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) or Software Restriction Policies (Citation: Corio 2008) where appropriate. 
(Citation: TechNet Applocker vs SRP)", "url": ""}]}, {"_id": "T1129", "mitigations": [{"name": "Execution Prevention", "description": "Block execution of code on a system through application whitelisting, blacklisting, and/or script blocking.", "url": "https://attack.mitre.org/mitigations/M1038"}]}, {"_id": "T1061", "mitigations": [{"name": "Graphical User Interface Mitigation", "description": "Prevent adversaries from gaining access to credentials through Credential Access that can be used to log into remote desktop sessions on systems.", "url": ""}]}, {"_id": "T1002", "mitigations": [{"name": "Network Intrusion Prevention", "description": "Use intrusion detection signatures to block traffic at network boundaries.", "url": "https://attack.mitre.org/mitigations/M1031"}]}, {"_id": "T1065", "mitigations": [{"name": "Network Segmentation", "description": "Architect sections of the network to isolate critical systems, functions, or resources. Use physical and logical segmentation to prevent access to potentially sensitive systems and information. 
Use a DMZ to contain any internet-facing services that should not be exposed from the internal network.", "url": "https://attack.mitre.org/mitigations/M1030"}, {"name": "Network Intrusion Prevention", "description": "Use intrusion detection signatures to block traffic at network boundaries.", "url": "https://attack.mitre.org/mitigations/M1031"}]}, {"_id": "T1089", "mitigations": [{"name": "Restrict File and Directory Permissions", "description": "Restrict access by setting directory and file permissions that are not specific to users or privileged accounts.", "url": "https://attack.mitre.org/mitigations/M1022"}, {"name": "User Account Management", "description": "Manage the creation, modification, use, and permissions associated to user accounts.", "url": "https://attack.mitre.org/mitigations/M1018"}]}, {"_id": "T1485", "mitigations": [{"name": "Data Backup", "description": "Take and store data backups from end user systems and critical servers. Ensure backup and storage systems are hardened and kept separate from the corporate network to prevent compromise.", "url": "https://attack.mitre.org/mitigations/M1053"}]}, {"_id": "T1112", "mitigations": [{"name": "Restrict Registry Permissions", "description": "Restrict the ability to modify certain hives or keys in the Windows Registry.", "url": "https://attack.mitre.org/mitigations/M1024"}]}, {"_id": "T1499", "mitigations": [{"name": "Filter Network Traffic", "description": "Use network appliances to filter ingress or egress traffic and perform protocol-based filtering. 
Configure software on endpoints to filter network traffic.", "url": "https://attack.mitre.org/mitigations/M1037"}]}, {"_id": "T1185", "mitigations": [{"name": "User Account Management", "description": "Manage the creation, modification, use, and permissions associated to user accounts.", "url": "https://attack.mitre.org/mitigations/M1018"}, {"name": "User Training", "description": "Train users to to be aware of access or manipulation attempts by an adversary to reduce the risk of successful spearphishing, social engineering, and other techniques that involve user interaction.", "url": "https://attack.mitre.org/mitigations/M1017"}]}, {"_id": "T1101", "mitigations": [{"name": "Privileged Process Integrity", "description": "Protect processes with high privileges that can be used to interact with critical system components through use of protected process light, anti-process injection defenses, or other process integrity enforcement measures.", "url": "https://attack.mitre.org/mitigations/M1025"}]}, {"_id": "T1182", "mitigations": [{"name": "Execution Prevention", "description": "Block execution of code on a system through application whitelisting, blacklisting, and/or script blocking.", "url": "https://attack.mitre.org/mitigations/M1038"}]}, {"_id": "T1109", "mitigations": [{"name": "Component Firmware Mitigation", "description": "Prevent adversary access to privileged accounts or access necessary to perform this technique.", "url": ""}]}, {"_id": "T1488", "mitigations": [{"name": "Data Backup", "description": "Take and store data backups from end user systems and critical servers. 
Ensure backup and storage systems are hardened and kept separate from the corporate network to prevent compromise.", "url": "https://attack.mitre.org/mitigations/M1053"}]}, {"_id": "T1026", "mitigations": [{"name": "Network Intrusion Prevention", "description": "Use intrusion detection signatures to block traffic at network boundaries.", "url": "https://attack.mitre.org/mitigations/M1031"}]}, {"_id": "T1207", "mitigations": [{"name": "DCShadow Mitigation", "description": "This type of attack technique cannot be easily mitigated with preventive controls since it is based on the abuse of AD design features. For example, mitigating specific AD API calls will likely have unintended side effects, such as preventing DC replication from operating properly. Efforts should be focused on preventing adversary tools from running earlier in the chain of activity and on identification of subsequent malicious behavior.", "url": ""}]}, {"_id": "T1506", "mitigations": [{"name": "Software Configuration", "description": "Implement configuration changes to software (other than the operating system) to mitigate security risks associated to how the software operates.", "url": "https://attack.mitre.org/mitigations/M1054"}]}, {"_id": "T1051", "mitigations": [{"name": "User Account Management", "description": "Manage the creation, modification, use, and permissions associated to user accounts.", "url": "https://attack.mitre.org/mitigations/M1018"}, {"name": "Restrict File and Directory Permissions", "description": "Restrict access by setting directory and file permissions that are not specific to users or privileged accounts.", "url": "https://attack.mitre.org/mitigations/M1022"}, {"name": "Limit Access to Resource Over Network", "description": "Prevent access to file shares, remote access to systems, unnecessary services. 
Mechanisms to limit access may include use of network concentrators, RDP gateways, etc.", "url": "https://attack.mitre.org/mitigations/M1035"}, {"name": "Network Segmentation", "description": "Architect sections of the network to isolate critical systems, functions, or resources. Use physical and logical segmentation to prevent access to potentially sensitive systems and information. Use a DMZ to contain any internet-facing services that should not be exposed from the internal network.", "url": "https://attack.mitre.org/mitigations/M1030"}, {"name": "Privileged Account Management", "description": "Manage the creation, modification, use, and permissions associated to privileged accounts, including SYSTEM and root.", "url": "https://attack.mitre.org/mitigations/M1026"}]}, {"_id": "T1141", "mitigations": [{"name": "User Training", "description": "Train users to to be aware of access or manipulation attempts by an adversary to reduce the risk of successful spearphishing, social engineering, and other techniques that involve user interaction.", "url": "https://attack.mitre.org/mitigations/M1017"}]}, {"_id": "T1208", "mitigations": [{"name": "Encrypt Sensitive Information", "description": "Protect sensitive information with strong encryption.", "url": "https://attack.mitre.org/mitigations/M1041"}, {"name": "Password Policies", "description": "Set and enforce secure password policies for accounts.", "url": "https://attack.mitre.org/mitigations/M1027"}, {"name": "Privileged Account Management", "description": "Manage the creation, modification, use, and permissions associated to privileged accounts, including SYSTEM and root.", "url": "https://attack.mitre.org/mitigations/M1026"}]}, {"_id": "T1023", "mitigations": [{"name": "User Account Management", "description": "Manage the creation, modification, use, and permissions associated to user accounts.", "url": "https://attack.mitre.org/mitigations/M1018"}]}, {"_id": "T1116", "mitigations": [{"name": "Code Signing 
Mitigation", "description": "Process whitelisting and trusted publishers to verify authenticity of software can help prevent signed malicious or untrusted code from executing on a system. (Citation: NSA MS AppLocker) (Citation: TechNet Trusted Publishers) (Citation: Securelist Digital Certificates)", "url": ""}]}, {"_id": "T1138", "mitigations": [{"name": "Update Software", "description": "Perform regular software updates to mitigate exploitation risk.", "url": "https://attack.mitre.org/mitigations/M1051"}, {"name": "User Account Control", "description": "Configure Windows User Account Control to mitigate risk of adversaries obtaining elevated process access.", "url": "https://attack.mitre.org/mitigations/M1052"}]}, {"_id": "T1106", "mitigations": [{"name": "Execution Prevention", "description": "Block execution of code on a system through application whitelisting, blacklisting, and/or script blocking.", "url": "https://attack.mitre.org/mitigations/M1038"}]}, {"_id": "T1498", "mitigations": [{"name": "Filter Network Traffic", "description": "Use network appliances to filter ingress or egress traffic and perform protocol-based filtering. Configure software on endpoints to filter network traffic.", "url": "https://attack.mitre.org/mitigations/M1037"}]}, {"_id": "T1025", "mitigations": [{"name": "Data from Removable Media Mitigation", "description": "Identify unnecessary system utilities or potentially malicious software that may be used to collect data from removable media, and audit and/or block them by using whitelisting (Citation: Beechey 2010) tools, like AppLocker, (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) or Software Restriction Policies (Citation: Corio 2008) where appropriate. 
(Citation: TechNet Applocker vs SRP)", "url": ""}]}, {"_id": "T1066", "mitigations": [{"name": "Indicator Removal from Tools Mitigation", "description": "Mitigation is difficult in instances like this because the adversary may have access to the system through another channel and can learn what techniques or tools are blocked by resident defenses. Exercising best practices with configuration and security as well as ensuring that proper process is followed during investigation of potential compromise is essential to detecting a larger intrusion through discrete alerts.", "url": ""}]}]} diff --git a/monkey/monkey_island/cc/setup/mongo/database_initializer.py b/monkey/monkey_island/cc/setup/mongo/database_initializer.py index 761617a08..055614407 100644 --- a/monkey/monkey_island/cc/setup/mongo/database_initializer.py +++ b/monkey/monkey_island/cc/setup/mongo/database_initializer.py @@ -1,6 +1,7 @@ import json import logging from pathlib import Path +from pprint import pformat from pymongo import errors @@ -46,8 +47,11 @@ def _try_store_mitigations_on_mongo(): def _store_mitigations_on_mongo(): try: with open(ATTACK_MITIGATION_PATH) as f: - file_data = json.load(f) + attack_mitigations = json.load(f) + + logger.debug(f'Loading attack mitigations data:\n{pformat(attack_mitigations["metadata"])}') + mongodb_collection = mongo.db[AttackMitigations.COLLECTION_NAME] - mongodb_collection.insert_many(file_data) + mongodb_collection.insert_many(attack_mitigations["data"]) except json.decoder.JSONDecodeError as e: raise Exception(f"Invalid attack mitigations {ATTACK_MITIGATION_PATH} file: {e}") diff --git a/monkey/tests/data_for_tests/mongo_mitigations/attack_mitigations.json b/monkey/tests/data_for_tests/mongo_mitigations/attack_mitigations.json index dace1ebec..274b5ac75 100644 --- a/monkey/tests/data_for_tests/mongo_mitigations/attack_mitigations.json +++ b/monkey/tests/data_for_tests/mongo_mitigations/attack_mitigations.json 
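Review bot: In the `@@ -46,8 +47,11 @@` hunk, the new `attack_mitigations["metadata"]` and `attack_mitigations["data"]` lookups are inside a `try` whose only handler is `json.decoder.JSONDecodeError`, so a file that is valid JSON but has the old top-level list shape (or lacks either key) raises `TypeError`/`KeyError` and escapes without the "Invalid attack mitigations" context the function exists to add. Widening the handler keeps the error path uniform: `except (json.decoder.JSONDecodeError, KeyError, TypeError) as e:` and `raise Exception(f"Invalid attack mitigations {ATTACK_MITIGATION_PATH} file: {e}") from e`. The `logger.debug(f'...{pformat(...)}')` line also formats the whole metadata block eagerly even when debug logging is off; `logger.debug("Loading attack mitigations data:\n%s", pformat(attack_mitigations["metadata"]))` defers it. The body of `_store_mitigations_on_mongo` may continue past the end of the hunk.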
@@ -1 +1 @@ -[{"_id": "T1066", "mitigations": [{"name": "Indicator Removal from Tools Mitigation", "description": "Mitigation is difficult in instances like this because the adversary may have access to the system through another channel and can learn what techniques or tools are blocked by resident defenses. Exercising best practices with configuration and security as well as ensuring that proper process is followed during investigation of potential compromise is essential to detecting a larger intrusion through discrete alerts.", "url": ""}]}, {"_id": "T1047", "mitigations": [{"name": "Privileged Account Management", "description": "Manage the creation, modification, use, and permissions associated to privileged accounts, including SYSTEM and root.", "url": "https://attack.mitre.org/mitigations/M1026"}, {"name": "User Account Management", "description": "Manage the creation, modification, use, and permissions associated to user accounts.", "url": "https://attack.mitre.org/mitigations/M1018"}]}, {"_id": "T1156", "mitigations": [{"name": "Restrict File and Directory Permissions", "description": "Restrict access by setting directory and file permissions that are not specific to users or privileged accounts.", "url": "https://attack.mitre.org/mitigations/M1022"}]}] +{"metadata":{"timestamp": "1632959947.9542503", "commit_hash": "fb8942b1a", "origin_url": "https://github.com/guardicore/cti.git"},"data":[{"_id": "T1066", "mitigations": [{"name": "Indicator Removal from Tools Mitigation", "description": "Mitigation is difficult in instances like this because the adversary may have access to the system through another channel and can learn what techniques or tools are blocked by resident defenses. 
Exercising best practices with configuration and security as well as ensuring that proper process is followed during investigation of potential compromise is essential to detecting a larger intrusion through discrete alerts.", "url": ""}]}, {"_id": "T1047", "mitigations": [{"name": "Privileged Account Management", "description": "Manage the creation, modification, use, and permissions associated to privileged accounts, including SYSTEM and root.", "url": "https://attack.mitre.org/mitigations/M1026"}, {"name": "User Account Management", "description": "Manage the creation, modification, use, and permissions associated to user accounts.", "url": "https://attack.mitre.org/mitigations/M1018"}]}, {"_id": "T1156", "mitigations": [{"name": "Restrict File and Directory Permissions", "description": "Restrict access by setting directory and file permissions that are not specific to users or privileged accounts.", "url": "https://attack.mitre.org/mitigations/M1022"}]}]} diff --git a/monkey/tests/unit_tests/monkey_island/cc/setup/mongo/test_database_initializer.py b/monkey/tests/unit_tests/monkey_island/cc/setup/mongo/test_database_initializer.py index 5388bdd8e..2557a4d9c 100644 --- a/monkey/tests/unit_tests/monkey_island/cc/setup/mongo/test_database_initializer.py +++ b/monkey/tests/unit_tests/monkey_island/cc/setup/mongo/test_database_initializer.py @@ -53,7 +53,7 @@ def test_get_all_mitigations(): ) with open(attack_mitigation_path) as mitigations: - mitigations = json.load(mitigations) + mitigations = json.load(mitigations)["data"] assert len(mitigations) >= 266 mitigation = next(iter(mitigations))["mitigations"][0] assert mitigation["name"] is not None From 9ea5a56abdbbd46b63e493ed9c1fcdbd230654c4 Mon Sep 17 00:00:00 2001 From: Ilija Lazoroski Date: Thu, 30 Sep 2021 10:09:47 +0200 Subject: [PATCH 12/22] UT: Fix database_initializer test --- .../setup/mongo/test_database_initializer.py | 25 +++++++++---------- 1 file changed, 12 insertions(+), 13 deletions(-) 
diff --git a/monkey/tests/unit_tests/monkey_island/cc/setup/mongo/test_database_initializer.py b/monkey/tests/unit_tests/monkey_island/cc/setup/mongo/test_database_initializer.py index 2557a4d9c..ed20c5ea0 100644 --- a/monkey/tests/unit_tests/monkey_island/cc/setup/mongo/test_database_initializer.py +++ b/monkey/tests/unit_tests/monkey_island/cc/setup/mongo/test_database_initializer.py @@ -1,11 +1,9 @@ -import json.decoder from pathlib import Path from unittest.mock import MagicMock import mongomock import pytest -from monkey_island.cc.server_utils.consts import MONKEY_ISLAND_ABS_PATH from monkey_island.cc.setup.mongo.database_initializer import reset_database @@ -47,15 +45,16 @@ def test_store_mitigations_on_mongo__invalid_mitigation( reset_database() -def test_get_all_mitigations(): - attack_mitigation_path = ( - Path(MONKEY_ISLAND_ABS_PATH) / "cc" / "setup" / "mongo" / "attack_mitigations.json" - ) +def test_get_all_mitigations(monkeypatch, fake_mongo, fake_config): + fake_mongo.db.validate_collection = MagicMock(return_value=True) - with open(attack_mitigation_path) as mitigations: - mitigations = json.load(mitigations)["data"] - assert len(mitigations) >= 266 - mitigation = next(iter(mitigations))["mitigations"][0] - assert mitigation["name"] is not None - assert mitigation["description"] is not None - assert mitigation["url"] is not None + reset_database() + + mitigations = list(fake_mongo.db.attack_mitigations.find({})) + + assert len(mitigations) >= 266 + + mitigation = mitigations[0]["mitigations"][0] + assert mitigation["name"] is not None + assert mitigation["description"] is not None + assert mitigation["url"] is not None From 1ed6fed164b4087c53381e422dd4a56ac0651422 Mon Sep 17 00:00:00 2001 
From: Ilija Lazoroski Date: Thu, 30 Sep 2021 11:06:09 +0200 Subject: [PATCH 13/22] Island: Remove attack_data submodule --- monkey/monkey_island/cc/services/attack/attack_data | 1 - 1 file changed, 1 deletion(-) delete mode 160000 monkey/monkey_island/cc/services/attack/attack_data diff --git a/monkey/monkey_island/cc/services/attack/attack_data b/monkey/monkey_island/cc/services/attack/attack_data deleted file mode 160000 index fb8942b1a..000000000 --- a/monkey/monkey_island/cc/services/attack/attack_data +++ /dev/null @@ -1 +0,0 @@ -Subproject commit fb8942b1a10f4e734ed75542f2ccae7cbd72c46d From 77c51497d0e2b4aa4781d6ba489552a9ff27f899 Mon Sep 17 00:00:00 2001 From: Ilija Lazoroski Date: Thu, 30 Sep 2021 11:44:06 +0200 Subject: [PATCH 14/22] docs: Add attack mitigations documentation --- docs/content/reference/attack_mitigations.md | 19 +++++++++++++++++++ 1 file changed, 19 insertions(+) create mode 100644 docs/content/reference/attack_mitigations.md diff --git a/docs/content/reference/attack_mitigations.md b/docs/content/reference/attack_mitigations.md new file mode 100644 index 000000000..192b726c2 --- /dev/null +++ b/docs/content/reference/attack_mitigations.md 
@@ -0,0 +1,19 @@ +--- +title: "ATT&CK Mitigations" +date: 2021-09-30T08:18:37+03:00 +draft: true +pre: ' !! ' +weight: 10 +--- + +{{% notice info %}} +Check out [the documentation for the MITRE ATT&CK techniques as well]({{< ref "/reports/mitre" >}}). +{{% /notice %}} + +Infection Monkey is shipped with pre-existing ATT&CK mitigations located at `monkey/monkey_island/cc/setup/mongo/attack_mitigations.json`. +This allows Monkey Island to be setup faster. + +The `attack_mitigations.json` can be updated by running `monkey/deployment_scripts/dump_attack_mitigations.py` by providing the link to +[Cyber Threat Intelligence Repository](https://github.com/mitre/cti) , mongo host and port information and the dump file location. + +When starting Monkey Island this information is stored in the mongo database almost instantly, making the setup faster. From 43471c655357c4d839b4c18eaa281c9e691388c7 Mon Sep 17 00:00:00 2001 From: Ilija Lazoroski Date: Thu, 30 Sep 2021 12:53:25 +0200 Subject: [PATCH 15/22] Island: Fix typing error in island spec --- monkey/monkey_island/monkey_island.spec | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/monkey/monkey_island/monkey_island.spec b/monkey/monkey_island/monkey_island.spec index 756b5ae2c..80335d346 100644 --- a/monkey/monkey_island/monkey_island.spec +++ b/monkey/monkey_island/monkey_island.spec @@ -13,7 +13,7 @@ def main(): # The format of the tuples is (src, dest_dir). See https://pythonhosted.org/PyInstaller/spec-files.html#adding-data-files added_datas = [ ("../common/BUILD", "/common"), - ("../monkey_island/cc/services/mongo/attack_mitigations.json", "/monkey_island/cc/services/mongo/attack_mitigations.json") + ("../monkey_island/cc/setup/mongo/attack_mitigations.json", "/monkey_island/cc/setup/mongo/attack_mitigations.json") ] a = Analysis(['main.py'], From 6e92c84f892daeb9bf8321e364463e296cbe5ba9 Mon Sep 17 00:00:00 2001 
From: Mike Salvatore Date: Thu, 30 Sep 2021 10:18:13 -0400 Subject: [PATCH 16/22] Docs: Move attack mitigations from reference -> development --- docs/content/{reference => development}/attack_mitigations.md | 0 1 file changed, 0 insertions(+), 0 deletions(-) rename docs/content/{reference => development}/attack_mitigations.md (100%) diff --git a/docs/content/reference/attack_mitigations.md b/docs/content/development/attack_mitigations.md similarity index 100% rename from docs/content/reference/attack_mitigations.md rename to docs/content/development/attack_mitigations.md From 0a3488b6808bcbd953edea7d7e3ce85f0ec0ab39 Mon Sep 17 00:00:00 2001 From: Mike Salvatore Date: Thu, 30 Sep 2021 10:28:45 -0400 Subject: [PATCH 17/22] Deployment: Add requirements.txt for attack mitigations dump script --- .../dump_attack_mitigations/requirements.txt | 13 +++++++++++++ 1 file changed, 13 insertions(+) create mode 100644 deployment_scripts/dump_attack_mitigations/requirements.txt diff --git a/deployment_scripts/dump_attack_mitigations/requirements.txt b/deployment_scripts/dump_attack_mitigations/requirements.txt new file mode 100644 index 000000000..67893d8d7 --- /dev/null +++ b/deployment_scripts/dump_attack_mitigations/requirements.txt @@ -0,0 +1,13 @@ +antlr4-python3-runtime==4.8 +certifi==2021.5.30 +charset-normalizer==2.0.6 +idna==3.2 +mongoengine==0.23.1 +pymongo==3.12.0 +pytz==2021.1 +requests==2.26.0 +simplejson==3.17.5 +six==1.16.0 +stix2==3.0.1 +stix2-patterns==1.3.2 +urllib3==1.26.7 From f0c25b4b5e7aaf2cc24e4ac387325d952e932fd5 Mon Sep 17 00:00:00 2001 From: Mike Salvatore Date: Thu, 30 Sep 2021 10:33:09 -0400 Subject: [PATCH 18/22] Docs: Add steps to attack mitigations dump script documentation --- .../content/development/attack_mitigations.md | 30 ++++++++++++++----- 1 file changed, 23 insertions(+), 7 deletions(-) diff --git a/docs/content/development/attack_mitigations.md b/docs/content/development/attack_mitigations.md index 192b726c2..88a585c97 100644 
--- a/docs/content/development/attack_mitigations.md +++ b/docs/content/development/attack_mitigations.md @@ -1,8 +1,7 @@ --- -title: "ATT&CK Mitigations" +title: "MITRE ATT&CK Mitigations" date: 2021-09-30T08:18:37+03:00 draft: true -pre: ' !! ' weight: 10 --- @@ -10,10 +9,27 @@ weight: 10 Check out [the documentation for the MITRE ATT&CK techniques as well]({{< ref "/reports/mitre" >}}). {{% /notice %}} -Infection Monkey is shipped with pre-existing ATT&CK mitigations located at `monkey/monkey_island/cc/setup/mongo/attack_mitigations.json`. -This allows Monkey Island to be setup faster. +## Summary -The `attack_mitigations.json` can be updated by running `monkey/deployment_scripts/dump_attack_mitigations.py` by providing the link to -[Cyber Threat Intelligence Repository](https://github.com/mitre/cti) , mongo host and port information and the dump file location. +Infection Monkey is shipped with pre-processed information about MITRE ATT&CK +mitigations located at +`monkey/monkey_island/cc/setup/mongo/attack_mitigations.json`. -When starting Monkey Island this information is stored in the mongo database almost instantly, making the setup faster. +This may need to be periodically updated as the MITRE ATT&CK framework evolves. + + +## Updating the MITRE ATT&CK mitigations data +1. Clone the [MITRE Cyber Threat Intelligence + Repository](https://github.com/mitre/cti) or the [Guardicore + fork](https://github.com/guardicore/cti) + ``` + $ CTI_REPO=$PWD/cti + $ git clone $CTI_REPO + ``` +2. Start a mongodb v4.2 server +3. Run the script to generate the `attack_mitigations.json` file + ``` + $ cd monkey/deployment_scripts/dump_attack_mitigations + $ pip install -r requirements.txt + $ python dump_attack_mitigations.py --cti-repo $CTI_REPO --dump-file-path ../../monkey/monkey_island/cc/setup/mongo/attack_mitigations.json + ``` From fef6350871bd46cbed39d4a074c29975c2c74e03 Mon Sep 17 00:00:00 2001 
From: Mike Salvatore Date: Thu, 30 Sep 2021 13:13:26 -0400 Subject: [PATCH 19/22] Tests: Reduced code duplication in database initializer tests --- .../setup/mongo/test_database_initializer.py | 67 +++++++++++-------- 1 file changed, 38 insertions(+), 29 deletions(-) diff --git a/monkey/tests/unit_tests/monkey_island/cc/setup/mongo/test_database_initializer.py b/monkey/tests/unit_tests/monkey_island/cc/setup/mongo/test_database_initializer.py index ed20c5ea0..d3ca3fbcc 100644 --- a/monkey/tests/unit_tests/monkey_island/cc/setup/mongo/test_database_initializer.py +++ b/monkey/tests/unit_tests/monkey_island/cc/setup/mongo/test_database_initializer.py @@ -1,4 +1,3 @@ -from pathlib import Path from unittest.mock import MagicMock import mongomock 
@@ -8,49 +7,59 @@ from monkey_island.cc.setup.mongo.database_initializer import reset_database @pytest.fixture -def fake_mongo(monkeypatch): - mongo = mongomock.MongoClient() - monkeypatch.setattr("monkey_island.cc.setup.mongo.database_initializer.mongo", mongo) - monkeypatch.setattr("monkey_island.cc.services.database.mongo", mongo) - return mongo +def patch_attack_mitigations_path(monkeypatch, data_for_tests_dir): + def inner(file_name): + path = data_for_tests_dir / "mongo_mitigations" / file_name + monkeypatch.setattr( + "monkey_island.cc.setup.mongo.database_initializer.ATTACK_MITIGATION_PATH", path + ) + + return inner + + +@pytest.fixture(scope="module", autouse=True) +def patch_dependencies(monkeypatch_session): + monkeypatch_session.setattr( + "monkey_island.cc.services.config.ConfigService.init_config", lambda: None + ) + monkeypatch_session.setattr( + "monkey_island.cc.services.attack.attack_config.AttackConfig.reset_config", lambda: None + ) + monkeypatch_session.setattr( + "monkey_island.cc.services.database.jsonify", MagicMock(return_value=True) + ) @pytest.fixture -def fake_config(monkeypatch): - monkeypatch.setattr("monkey_island.cc.services.config.ConfigService.init_config", lambda: None) - monkeypatch.setattr("monkey_island.cc.services.attack.attack_config.AttackConfig.reset_config", lambda: None) - monkeypatch.setattr("monkey_island.cc.services.database.jsonify", MagicMock(return_value=True)) +def mock_mongo_client(monkeypatch): + mongo = mongomock.MongoClient() + mongo.db.validate_collection = MagicMock(return_value=True) + + monkeypatch.setattr("monkey_island.cc.setup.mongo.database_initializer.mongo", mongo) + monkeypatch.setattr("monkey_island.cc.services.database.mongo", mongo) + + return mongo -def test_store_mitigations_on_mongo(monkeypatch, data_for_tests_dir, fake_mongo, fake_config): - monkeypatch.setattr( - "monkey_island.cc.setup.mongo.database_initializer.ATTACK_MITIGATION_PATH", - Path(data_for_tests_dir) / "mongo_mitigations" / 
"attack_mitigations.json", - ) - fake_mongo.db.validate_collection = MagicMock(return_value=True) +def test_store_mitigations_on_mongo(patch_attack_mitigations_path, mock_mongo_client): + patch_attack_mitigations_path("attack_mitigations.json") + reset_database() - assert len(list(fake_mongo.db.attack_mitigations.find({}))) == 3 + assert len(list(mock_mongo_client.db.attack_mitigations.find({}))) == 3 -def test_store_mitigations_on_mongo__invalid_mitigation( - monkeypatch, data_for_tests_dir, fake_mongo, fake_config -): - monkeypatch.setattr( - "monkey_island.cc.setup.mongo.database_initializer.ATTACK_MITIGATION_PATH", - Path(data_for_tests_dir) / "mongo_mitigations" / "invalid_mitigation", - ) - fake_mongo.db.validate_collection = MagicMock(return_value=True) +def test_store_mitigations_on_mongo__invalid_mitigation(patch_attack_mitigations_path): + patch_attack_mitigations_path("invalid_mitigation") + with pytest.raises(Exception): reset_database() -def test_get_all_mitigations(monkeypatch, fake_mongo, fake_config): - fake_mongo.db.validate_collection = MagicMock(return_value=True) - +def test_get_all_mitigations(mock_mongo_client): reset_database() - mitigations = list(fake_mongo.db.attack_mitigations.find({})) + mitigations = list(mock_mongo_client.db.attack_mitigations.find({})) assert len(mitigations) >= 266 From c30d5721f2c4fdf43b371a517dcce38f7d30f296 Mon Sep 17 00:00:00 2001 From: Mike Salvatore Date: Thu, 30 Sep 2021 14:08:29 -0400 Subject: [PATCH 20/22] Island: Fix formatting of database_initializer.py --- monkey/monkey_island/cc/setup/mongo/database_initializer.py | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/monkey/monkey_island/cc/setup/mongo/database_initializer.py b/monkey/monkey_island/cc/setup/mongo/database_initializer.py index 055614407..9a6054ca4 100644 --- a/monkey/monkey_island/cc/setup/mongo/database_initializer.py +++ b/monkey/monkey_island/cc/setup/mongo/database_initializer.py 
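Review bot: `test_store_mitigations_on_mongo__invalid_mitigation` in the `@@ -8,49 +7,59 @@` hunk drops the `fake_mongo` fixture without requesting the replacement `mock_mongo_client`, yet still calls `reset_database()`, which (per the `reset_database` context shown in the later database_initializer hunk) runs `Database.reset_db()` before reaching the mitigation load. With nothing patched, `pytest.raises(Exception)` is presumably satisfied by a Mongo connection error just as well as by the intended parse failure, so the test no longer proves what its name says. Requesting the fixture and matching on the message pins the intent: `def test_store_mitigations_on_mongo__invalid_mitigation(patch_attack_mitigations_path, mock_mongo_client):` and `with pytest.raises(Exception, match="Invalid attack mitigations"):`. The same broad `pytest.raises(Exception)` appears in the earlier PATCH 12 hunk of this file.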
@@ -7,8 +7,8 @@ from pymongo import errors from monkey_island.cc.database import mongo from monkey_island.cc.models.attack.attack_mitigations import AttackMitigations -from monkey_island.cc.services.database import Database from monkey_island.cc.server_utils.consts import MONKEY_ISLAND_ABS_PATH +from monkey_island.cc.services.database import Database logger = logging.getLogger(__name__) @@ -20,6 +20,7 @@ ATTACK_MITIGATION_PATH = ( / f"{AttackMitigations.COLLECTION_NAME}.json" ) + def reset_database(): Database.reset_db() if Database.is_mitigations_missing(): From 9436f5f5e13b3d0afd41ffbeff67b93ca6cb517b Mon Sep 17 00:00:00 2001 From: Mike Salvatore Date: Fri, 1 Oct 2021 07:55:33 -0400 Subject: [PATCH 21/22] Island: Remove stix2 dependency --- monkey/monkey_island/Pipfile | 1 - monkey/monkey_island/Pipfile.lock | 413 +++++++++--------- .../pyinstaller_hooks/hook-stix2.py | 9 - 3 files changed, 202 insertions(+), 221 deletions(-) delete mode 100644 monkey/monkey_island/pyinstaller_hooks/hook-stix2.py diff --git a/monkey/monkey_island/Pipfile b/monkey/monkey_island/Pipfile index da0ea19d3..f57407160 100644 --- a/monkey/monkey_island/Pipfile +++ b/monkey/monkey_island/Pipfile @@ -20,7 +20,6 @@ pycryptodome = "==3.9.8" python-dateutil = "<3.0.0,>=2.1" requests = ">=2.24" ring = ">=0.7.3" -stix2 = ">=2.0.2" six = ">=1.13.0" tqdm = ">=4.47" Flask-JWT-Extended = "==4.*" diff --git a/monkey/monkey_island/Pipfile.lock b/monkey/monkey_island/Pipfile.lock index 4501a5cf5..5fbd9a39d 100644 --- a/monkey/monkey_island/Pipfile.lock +++ b/monkey/monkey_island/Pipfile.lock @@ -1,7 +1,7 @@ { "_meta": { "hash": { - "sha256": "9857728597cb9daa816ac6e5cf7a86ae1c86c8e56c68d8d0551f57845124a562" + "sha256": "8d64d81ac872383366db0e261649783cc60ee03cbaf7d41ae27239bdc4300a91" }, "pipfile-spec": 6, "requires": { 
@@ -30,13 +30,6 @@ ], "version": "==9.0.1" }, - "antlr4-python3-runtime": { - "hashes": [ - "sha256:15793f5d0512a372b4e7d2284058ad32ce7dd27126b105fb0b2245130445db33" - ], - "markers": "python_version >= '3'", - "version": "==4.8" - }, "asyncio-throttle": { "hashes": [ "sha256:a01a56f3671e961253cf262918f3e0741e222fc50d57d981ba5c801f284eccfe" @@ -192,7 +185,7 @@ "sha256:7d73d2a99753107a36ac6b455ee49046802e59d9d076ef8e47b61499fa29afff", "sha256:e96da0d330793e2cb9485e9ddfd918d456036c7149416295932478192f4436a1" ], - "markers": "python_version >= '2.7' and python_version not in '3.0, 3.1, 3.2, 3.3, 3.4'", + "markers": "platform_system == 'Windows' and sys_platform == 'win32' and platform_system == 'Windows'", "version": "==0.4.3" }, "coloredlogs": { 
@@ -204,28 +197,29 @@ }, "cryptography": { "hashes": [ - "sha256:0a7dcbcd3f1913f664aca35d47c1331fce738d44ec34b7be8b9d332151b0b01e", - "sha256:1eb7bb0df6f6f583dd8e054689def236255161ebbcf62b226454ab9ec663746b", - "sha256:21ca464b3a4b8d8e86ba0ee5045e103a1fcfac3b39319727bc0fc58c09c6aff7", - "sha256:34dae04a0dce5730d8eb7894eab617d8a70d0c97da76b905de9efb7128ad7085", - "sha256:3520667fda779eb788ea00080124875be18f2d8f0848ec00733c0ec3bb8219fc", - "sha256:3c4129fc3fdc0fa8e40861b5ac0c673315b3c902bbdc05fc176764815b43dd1d", - "sha256:3fa3a7ccf96e826affdf1a0a9432be74dc73423125c8f96a909e3835a5ef194a", - "sha256:5b0fbfae7ff7febdb74b574055c7466da334a5371f253732d7e2e7525d570498", - "sha256:695104a9223a7239d155d7627ad912953b540929ef97ae0c34c7b8bf30857e89", - "sha256:8695456444f277af73a4877db9fc979849cd3ee74c198d04fc0776ebc3db52b9", - "sha256:94cc5ed4ceaefcbe5bf38c8fba6a21fc1d365bb8fb826ea1688e3370b2e24a1c", - "sha256:94fff993ee9bc1b2440d3b7243d488c6a3d9724cc2b09cdb297f6a886d040ef7", - "sha256:9965c46c674ba8cc572bc09a03f4c649292ee73e1b683adb1ce81e82e9a6a0fb", - "sha256:a00cf305f07b26c351d8d4e1af84ad7501eca8a342dedf24a7acb0e7b7406e14", - "sha256:a305600e7a6b7b855cd798e00278161b681ad6e9b7eca94c721d5f588ab212af", - "sha256:cd65b60cfe004790c795cc35f272e41a3df4631e2fb6b35aa7ac6ef2859d554e", - "sha256:d2a6e5ef66503da51d2110edf6c403dc6b494cc0082f85db12f54e9c5d4c3ec5", - "sha256:d9ec0e67a14f9d1d48dd87a2531009a9b251c02ea42851c060b25c782516ff06", - "sha256:f44d141b8c4ea5eb4dbc9b3ad992d45580c1d22bf5e24363f2fbf50c2d7ae8a7" + "sha256:07bb7fbfb5de0980590ddfc7f13081520def06dc9ed214000ad4372fb4e3c7f6", + "sha256:18d90f4711bf63e2fb21e8c8e51ed8189438e6b35a6d996201ebd98a26abbbe6", + "sha256:1ed82abf16df40a60942a8c211251ae72858b25b7421ce2497c2eb7a1cee817c", + "sha256:22a38e96118a4ce3b97509443feace1d1011d0571fae81fc3ad35f25ba3ea999", + "sha256:2d69645f535f4b2c722cfb07a8eab916265545b3475fdb34e0be2f4ee8b0b15e", + "sha256:4a2d0e0acc20ede0f06ef7aa58546eee96d2592c00f450c9acb89c5879b61992", + 
"sha256:54b2605e5475944e2213258e0ab8696f4f357a31371e538ef21e8d61c843c28d", + "sha256:7075b304cd567694dc692ffc9747f3e9cb393cc4aa4fb7b9f3abd6f5c4e43588", + "sha256:7b7ceeff114c31f285528ba8b390d3e9cfa2da17b56f11d366769a807f17cbaa", + "sha256:7eba2cebca600a7806b893cb1d541a6e910afa87e97acf2021a22b32da1df52d", + "sha256:928185a6d1ccdb816e883f56ebe92e975a262d31cc536429041921f8cb5a62fd", + "sha256:9933f28f70d0517686bd7de36166dda42094eac49415459d9bdf5e7df3e0086d", + "sha256:a688ebcd08250eab5bb5bca318cc05a8c66de5e4171a65ca51db6bd753ff8953", + "sha256:abb5a361d2585bb95012a19ed9b2c8f412c5d723a9836418fab7aaa0243e67d2", + "sha256:c10c797ac89c746e488d2ee92bd4abd593615694ee17b2500578b63cad6b93a8", + "sha256:ced40344e811d6abba00295ced98c01aecf0c2de39481792d87af4fa58b7b4d6", + "sha256:d57e0cdc1b44b6cdf8af1d01807db06886f10177469312fbde8f44ccbb284bc9", + "sha256:d99915d6ab265c22873f1b4d6ea5ef462ef797b4140be4c9d8b179915e0985c6", + "sha256:eb80e8a1f91e4b7ef8b33041591e6d89b2b8e122d787e87eeb2b08da71bb16ad", + "sha256:ebeddd119f526bcf323a89f853afb12e225902a24d29b55fe18dd6fcb2838a76" ], "markers": "python_version >= '3.6'", - "version": "==3.4.8" + "version": "==35.0.0" }, "docutils": { "hashes": [ @@ -276,6 +270,13 @@ "index": "pypi", "version": "==0.3.9" }, + "future": { + "hashes": [ + "sha256:b1bead90b70cf6ec3f0710ae53a525360fa360d306a86583adc6bf83a4db537d" + ], + "markers": "python_version >= '2.6' and python_version not in '3.0, 3.1, 3.2, 3.3'", + "version": "==0.18.2" + }, "gevent": { "hashes": [ "sha256:02d1e8ca227d0ab0b7917fd7e411f9a534475e0a41fb6f434e9264b20155201a", 
@@ -310,59 +311,59 @@ }, "greenlet": { "hashes": [ - "sha256:04e1849c88aa56584d4a0a6e36af5ec7cc37993fdc1fda72b56aa1394a92ded3", - "sha256:05e72db813c28906cdc59bd0da7c325d9b82aa0b0543014059c34c8c4ad20e16", - "sha256:07e6d88242e09b399682b39f8dfa1e7e6eca66b305de1ff74ed9eb1a7d8e539c", - "sha256:090126004c8ab9cd0787e2acf63d79e80ab41a18f57d6448225bbfcba475034f", - "sha256:1796f2c283faab2b71c67e9b9aefb3f201fdfbee5cb55001f5ffce9125f63a45", - "sha256:2f89d74b4f423e756a018832cd7a0a571e0a31b9ca59323b77ce5f15a437629b", - "sha256:34e6675167a238bede724ee60fe0550709e95adaff6a36bcc97006c365290384", - "sha256:3e594015a2349ec6dcceda9aca29da8dc89e85b56825b7d1f138a3f6bb79dd4c", - "sha256:3f8fc59bc5d64fa41f58b0029794f474223693fd00016b29f4e176b3ee2cfd9f", - "sha256:3fc6a447735749d651d8919da49aab03c434a300e9f0af1c886d560405840fd1", - "sha256:40abb7fec4f6294225d2b5464bb6d9552050ded14a7516588d6f010e7e366dcc", - "sha256:44556302c0ab376e37939fd0058e1f0db2e769580d340fb03b01678d1ff25f68", - "sha256:476ba9435afaead4382fbab8f1882f75e3fb2285c35c9285abb3dd30237f9142", - "sha256:4870b018ca685ff573edd56b93f00a122f279640732bb52ce3a62b73ee5c4a92", - "sha256:4adaf53ace289ced90797d92d767d37e7cdc29f13bd3830c3f0a561277a4ae83", - "sha256:4eae94de9924bbb4d24960185363e614b1b62ff797c23dc3c8a7c75bbb8d187e", - "sha256:5317701c7ce167205c0569c10abc4bd01c7f4cf93f642c39f2ce975fa9b78a3c", - "sha256:5c3b735ccf8fc8048664ee415f8af5a3a018cc92010a0d7195395059b4b39b7d", - "sha256:5cde7ee190196cbdc078511f4df0be367af85636b84d8be32230f4871b960687", - "sha256:655ab836324a473d4cd8cf231a2d6f283ed71ed77037679da554e38e606a7117", - "sha256:6ce9d0784c3c79f3e5c5c9c9517bbb6c7e8aa12372a5ea95197b8a99402aa0e6", - "sha256:6e0696525500bc8aa12eae654095d2260db4dc95d5c35af2b486eae1bf914ccd", - "sha256:75ff270fd05125dce3303e9216ccddc541a9e072d4fc764a9276d44dee87242b", - "sha256:8039f5fe8030c43cd1732d9a234fdcbf4916fcc32e21745ca62e75023e4d4649", - "sha256:84488516639c3c5e5c0e52f311fff94ebc45b56788c2a3bfe9cf8e75670f4de3", - 
"sha256:84782c80a433d87530ae3f4b9ed58d4a57317d9918dfcc6a59115fa2d8731f2c", - "sha256:8ddb38fb6ad96c2ef7468ff73ba5c6876b63b664eebb2c919c224261ae5e8378", - "sha256:98b491976ed656be9445b79bc57ed21decf08a01aaaf5fdabf07c98c108111f6", - "sha256:990e0f5e64bcbc6bdbd03774ecb72496224d13b664aa03afd1f9b171a3269272", - "sha256:9b02e6039eafd75e029d8c58b7b1f3e450ca563ef1fe21c7e3e40b9936c8d03e", - "sha256:a11b6199a0b9dc868990456a2667167d0ba096c5224f6258e452bfbe5a9742c5", - "sha256:a414f8e14aa7bacfe1578f17c11d977e637d25383b6210587c29210af995ef04", - "sha256:a91ee268f059583176c2c8b012a9fce7e49ca6b333a12bbc2dd01fc1a9783885", - "sha256:ac991947ca6533ada4ce7095f0e28fe25d5b2f3266ad5b983ed4201e61596acf", - "sha256:b050dbb96216db273b56f0e5960959c2b4cb679fe1e58a0c3906fa0a60c00662", - "sha256:b97a807437b81f90f85022a9dcfd527deea38368a3979ccb49d93c9198b2c722", - "sha256:bad269e442f1b7ffa3fa8820b3c3aa66f02a9f9455b5ba2db5a6f9eea96f56de", - "sha256:bf3725d79b1ceb19e83fb1aed44095518c0fcff88fba06a76c0891cfd1f36837", - "sha256:c0f22774cd8294078bdf7392ac73cf00bfa1e5e0ed644bd064fdabc5f2a2f481", - "sha256:c1862f9f1031b1dee3ff00f1027fcd098ffc82120f43041fe67804b464bbd8a7", - "sha256:c8d4ed48eed7414ccb2aaaecbc733ed2a84c299714eae3f0f48db085342d5629", - "sha256:cf31e894dabb077a35bbe6963285d4515a387ff657bd25b0530c7168e48f167f", - "sha256:d15cb6f8706678dc47fb4e4f8b339937b04eda48a0af1cca95f180db552e7663", - "sha256:dfcb5a4056e161307d103bc013478892cfd919f1262c2bb8703220adcb986362", - "sha256:e02780da03f84a671bb4205c5968c120f18df081236d7b5462b380fd4f0b497b", - "sha256:e2002a59453858c7f3404690ae80f10c924a39f45f6095f18a985a1234c37334", - "sha256:e22a82d2b416d9227a500c6860cf13e74060cf10e7daf6695cbf4e6a94e0eee4", - "sha256:e41f72f225192d5d4df81dad2974a8943b0f2d664a2a5cfccdf5a01506f5523c", - "sha256:f253dad38605486a4590f9368ecbace95865fea0f2b66615d121ac91fd1a1563", - "sha256:fddfb31aa2ac550b938d952bca8a87f1db0f8dc930ffa14ce05b5c08d27e7fd1" + "sha256:00e44c8afdbe5467e4f7b5851be223be68adb4272f44696ee71fe46b7036a711", 
+ "sha256:013d61294b6cd8fe3242932c1c5e36e5d1db2c8afb58606c5a67efce62c1f5fd", + "sha256:049fe7579230e44daef03a259faa24511d10ebfa44f69411d99e6a184fe68073", + "sha256:14d4f3cd4e8b524ae9b8aa567858beed70c392fdec26dbdb0a8a418392e71708", + "sha256:166eac03e48784a6a6e0e5f041cfebb1ab400b394db188c48b3a84737f505b67", + "sha256:17ff94e7a83aa8671a25bf5b59326ec26da379ace2ebc4411d690d80a7fbcf23", + "sha256:1e12bdc622676ce47ae9abbf455c189e442afdde8818d9da983085df6312e7a1", + "sha256:21915eb821a6b3d9d8eefdaf57d6c345b970ad722f856cd71739493ce003ad08", + "sha256:288c6a76705dc54fba69fbcb59904ae4ad768b4c768839b8ca5fdadec6dd8cfd", + "sha256:32ca72bbc673adbcfecb935bb3fb1b74e663d10a4b241aaa2f5a75fe1d1f90aa", + "sha256:356b3576ad078c89a6107caa9c50cc14e98e3a6c4874a37c3e0273e4baf33de8", + "sha256:40b951f601af999a8bf2ce8c71e8aaa4e8c6f78ff8afae7b808aae2dc50d4c40", + "sha256:572e1787d1460da79590bf44304abbc0a2da944ea64ec549188fa84d89bba7ab", + "sha256:58df5c2a0e293bf665a51f8a100d3e9956febfbf1d9aaf8c0677cf70218910c6", + "sha256:64e6175c2e53195278d7388c454e0b30997573f3f4bd63697f88d855f7a6a1fc", + "sha256:7227b47e73dedaa513cdebb98469705ef0d66eb5a1250144468e9c3097d6b59b", + "sha256:7418b6bfc7fe3331541b84bb2141c9baf1ec7132a7ecd9f375912eca810e714e", + "sha256:7cbd7574ce8e138bda9df4efc6bf2ab8572c9aff640d8ecfece1b006b68da963", + "sha256:7ff61ff178250f9bb3cd89752df0f1dd0e27316a8bd1465351652b1b4a4cdfd3", + "sha256:833e1551925ed51e6b44c800e71e77dacd7e49181fdc9ac9a0bf3714d515785d", + "sha256:8639cadfda96737427330a094476d4c7a56ac03de7265622fcf4cfe57c8ae18d", + "sha256:8c790abda465726cfb8bb08bd4ca9a5d0a7bd77c7ac1ca1b839ad823b948ea28", + "sha256:8d2f1fb53a421b410751887eb4ff21386d119ef9cde3797bf5e7ed49fb51a3b3", + "sha256:903bbd302a2378f984aef528f76d4c9b1748f318fe1294961c072bdc7f2ffa3e", + "sha256:93f81b134a165cc17123626ab8da2e30c0455441d4ab5576eed73a64c025b25c", + "sha256:95e69877983ea39b7303570fa6760f81a3eec23d0e3ab2021b7144b94d06202d", + 
"sha256:9633b3034d3d901f0a46b7939f8c4d64427dfba6bbc5a36b1a67364cf148a1b0", + "sha256:97e5306482182170ade15c4b0d8386ded995a07d7cc2ca8f27958d34d6736497", + "sha256:9f3cba480d3deb69f6ee2c1825060177a22c7826431458c697df88e6aeb3caee", + "sha256:aa5b467f15e78b82257319aebc78dd2915e4c1436c3c0d1ad6f53e47ba6e2713", + "sha256:abb7a75ed8b968f3061327c433a0fbd17b729947b400747c334a9c29a9af6c58", + "sha256:aec52725173bd3a7b56fe91bc56eccb26fbdff1386ef123abb63c84c5b43b63a", + "sha256:b11548073a2213d950c3f671aa88e6f83cda6e2fb97a8b6317b1b5b33d850e06", + "sha256:b1692f7d6bc45e3200844be0dba153612103db241691088626a33ff1f24a0d88", + "sha256:b92e29e58bef6d9cfd340c72b04d74c4b4e9f70c9fa7c78b674d1fec18896dc4", + "sha256:be5f425ff1f5f4b3c1e33ad64ab994eed12fc284a6ea71c5243fd564502ecbe5", + "sha256:dd0b1e9e891f69e7675ba5c92e28b90eaa045f6ab134ffe70b52e948aa175b3c", + "sha256:e30f5ea4ae2346e62cedde8794a56858a67b878dd79f7df76a0767e356b1744a", + "sha256:e6a36bb9474218c7a5b27ae476035497a6990e21d04c279884eb10d9b290f1b1", + "sha256:e859fcb4cbe93504ea18008d1df98dee4f7766db66c435e4882ab35cf70cac43", + "sha256:eb6ea6da4c787111adf40f697b4e58732ee0942b5d3bd8f435277643329ba627", + "sha256:ec8c433b3ab0419100bd45b47c9c8551248a5aee30ca5e9d399a0b57ac04651b", + "sha256:eff9d20417ff9dcb0d25e2defc2574d10b491bf2e693b4e491914738b7908168", + "sha256:f0214eb2a23b85528310dad848ad2ac58e735612929c8072f6093f3585fd342d", + "sha256:f276df9830dba7a333544bd41070e8175762a7ac20350786b322b714b0e654f5", + "sha256:f3acda1924472472ddd60c29e5b9db0cec629fbe3c5c5accb74d6d6d14773478", + "sha256:f70a9e237bb792c7cc7e44c531fd48f5897961701cdaa06cf22fc14965c496cf", + "sha256:f9d29ca8a77117315101425ec7ec2a47a22ccf59f5593378fc4077ac5b754fce", + "sha256:fa877ca7f6b48054f847b61d6fa7bed5cebb663ebc55e018fda12db09dcc664c", + "sha256:fdcec0b8399108577ec290f55551d926d9a1fa6cad45882093a7a07ac5ec147b" ], "markers": "platform_python_implementation == 'CPython'", - "version": "==1.1.1" + "version": "==1.1.2" }, "httpagentparser": { "hashes": [ 
@@ -585,6 +586,13 @@ "index": "pypi", "version": "==0.11.0" }, + "pefile": { + "hashes": [ + "sha256:344a49e40a94e10849f0fe34dddc80f773a12b40675bf2f7be4b8be578bdd94a" + ], + "markers": "python_version >= '3.6'", + "version": "==2021.9.3" + }, "policyuniverse": { "hashes": [ "sha256:184f854fc716754ff07cd9f601923d1ce30a6826617e7c2b252abebe76746b6d", @@ -793,6 +801,15 @@ ], "version": "==3.12.0" }, + "pyreadline": { + "hashes": [ + "sha256:4530592fc2e85b25b1a9f79664433da09237c1a270e4d78ea5aa3a2c7229e2d1", + "sha256:65540c21bfe14405a3a77e4c085ecfce88724743a4ead47c66b84defcf82c32e", + "sha256:9ce5fa65b8992dfa373bddc5b6e0864ead8f291c94fbfec05fbd5c836162e67b" + ], + "markers": "python_version < '3.8' and sys_platform == 'win32'", + "version": "==2.1" + }, "pyrsistent": { "hashes": [ "sha256:097b96f129dd36a8c9e33594e7ebb151b1515eb52cceb08474c10a5479e799f2", 
@@ -835,6 +852,29 @@ ], "version": "==2021.1" }, + "pywin32": { + "hashes": [ + "sha256:595d397df65f1b2e0beaca63a883ae6d8b6df1cdea85c16ae85f6d2e648133fe", + "sha256:87604a4087434cd814ad8973bd47d6524bd1fa9e971ce428e76b62a5e0860fdf", + "sha256:88981dd3cfb07432625b180f49bf4e179fb8cbb5704cd512e38dd63636af7a17", + "sha256:8c9d33968aa7fcddf44e47750e18f3d034c3e443a707688a008a2e52bbef7e96", + "sha256:93367c96e3a76dfe5003d8291ae16454ca7d84bb24d721e0b74a07610b7be4a7", + "sha256:9635df6998a70282bd36e7ac2a5cef9ead1627b0a63b17c731312c7a0daebb72", + "sha256:98f62a3f60aa64894a290fb7494bfa0bfa0a199e9e052e1ac293b2ad3cd2818b", + "sha256:c866f04a182a8cb9b7855de065113bbd2e40524f570db73ef1ee99ff0a5cc2f0", + "sha256:dafa18e95bf2a92f298fe9c582b0e205aca45c55f989937c52c454ce65b93c78", + "sha256:fb3b4933e0382ba49305cc6cd3fb18525df7fd96aa434de19ce0878133bf8e4a" + ], + "markers": "python_version < '3.10' and sys_platform == 'win32' and implementation_name == 'cpython'", + "version": "==301" + }, + "pywin32-ctypes": { + "hashes": [ + "sha256:24ffc3b341d457d48e8922352130cf2644024a4ff09762a2261fd34c36ee5942", + "sha256:9dc2d991b3479cc2df15930958b674a48a227d5361d413827a4cfd0b5876fc98" + ], + "version": "==0.2.0" + }, "pyyaml": { "hashes": [ "sha256:08682f6b72c722394747bddaf0aa62277e02557c0fd1c42cb853016a38f8dedf", @@ -880,10 +920,10 @@ }, "ring": { "hashes": [ - "sha256:f0853e3645a255ecf26291283afd520834ba50d2e0a1d44d930e5bdb944001c4" + "sha256:b077ec88c2dc179514a8e1fccd37fb1d5a6d2688891bb6e1ed9c33c4970e5424" ], "index": "pypi", - "version": "==0.9.0" + "version": "==0.9.1" }, "rsa": { "hashes": [ 
@@ -905,58 +945,6 @@ "git": "https://github.com/guardicode/ScoutSuite", "ref": "eac33ac5b0a84e4a2e29682cf3568271eb595003" }, - "simplejson": { - "hashes": [ - "sha256:065230b9659ac38c8021fa512802562d122afb0cf8d4b89e257014dcddb5730a", - "sha256:07707ba69324eaf58f0c6f59d289acc3e0ed9ec528dae5b0d4219c0d6da27dc5", - "sha256:10defa88dd10a0a4763f16c1b5504e96ae6dc68953cfe5fc572b4a8fcaf9409b", - "sha256:140eb58809f24d843736edb8080b220417e22c82ac07a3dfa473f57e78216b5f", - "sha256:188f2c78a8ac1eb7a70a4b2b7b9ad11f52181044957bf981fb3e399c719e30ee", - "sha256:1c2688365743b0f190392e674af5e313ebe9d621813d15f9332e874b7c1f2d04", - "sha256:24e413bd845bd17d4d72063d64e053898543fb7abc81afeae13e5c43cef9c171", - "sha256:2b59acd09b02da97728d0bae8ff48876d7efcbbb08e569c55e2d0c2e018324f5", - "sha256:2df15814529a4625ea6f7b354a083609b3944c269b954ece0d0e7455872e1b2a", - "sha256:352c11582aa1e49a2f0f7f7d8fd5ec5311da890d1354287e83c63ab6af857cf5", - "sha256:36b08b886027eac67e7a0e822e3a5bf419429efad7612e69501669d6252a21f2", - "sha256:376023f51edaf7290332dacfb055bc00ce864cb013c0338d0dea48731f37e42f", - "sha256:3ba82f8b421886f4a2311c43fb98faaf36c581976192349fef2a89ed0fcdbdef", - "sha256:3d72aa9e73134dacd049a2d6f9bd219f7be9c004d03d52395831611d66cedb71", - "sha256:40ece8fa730d1a947bff792bcc7824bd02d3ce6105432798e9a04a360c8c07b0", - "sha256:417b7e119d66085dc45bdd563dcb2c575ee10a3b1c492dd3502a029448d4be1c", - "sha256:42b7c7264229860fe879be961877f7466d9f7173bd6427b3ba98144a031d49fb", - "sha256:457d9cfe7ece1571770381edccdad7fc255b12cd7b5b813219441146d4f47595", - "sha256:4a6943816e10028eeed512ea03be52b54ea83108b408d1049b999f58a760089b", - "sha256:5b94df70bd34a3b946c0eb272022fb0f8a9eb27cad76e7f313fedbee2ebe4317", - "sha256:5f5051a13e7d53430a990604b532c9124253c5f348857e2d5106d45fc8533860", - "sha256:5f7f53b1edd4b23fb112b89208377480c0bcee45d43a03ffacf30f3290e0ed85", - "sha256:5fe8c6dcb9e6f7066bdc07d3c410a2fca78c0d0b4e0e72510ffd20a60a20eb8e", - 
"sha256:71a54815ec0212b0cba23adc1b2a731bdd2df7b9e4432718b2ed20e8aaf7f01a", - "sha256:7332f7b06d42153255f7bfeb10266141c08d48cc1a022a35473c95238ff2aebc", - "sha256:78c6f0ed72b440ebe1892d273c1e5f91e55e6861bea611d3b904e673152a7a4c", - "sha256:7c9b30a2524ae6983b708f12741a31fbc2fb8d6fecd0b6c8584a62fd59f59e09", - "sha256:86fcffc06f1125cb443e2bed812805739d64ceb78597ac3c1b2d439471a09717", - "sha256:87572213965fd8a4fb7a97f837221e01d8fddcfb558363c671b8aa93477fb6a2", - "sha256:8e595de17178dd3bbeb2c5b8ea97536341c63b7278639cb8ee2681a84c0ef037", - "sha256:917f01db71d5e720b731effa3ff4a2c702a1b6dacad9bcdc580d86a018dfc3ca", - "sha256:91cfb43fb91ff6d1e4258be04eee84b51a4ef40a28d899679b9ea2556322fb50", - "sha256:aa86cfdeb118795875855589934013e32895715ec2d9e8eb7a59be3e7e07a7e1", - "sha256:ade09aa3c284d11f39640aebdcbb748e1996f0c60504f8c4a0c5a9fec821e67a", - "sha256:b2a5688606dffbe95e1347a05b77eb90489fe337edde888e23bbb7fd81b0d93b", - "sha256:b92fbc2bc549c5045c8233d954f3260ccf99e0f3ec9edfd2372b74b350917752", - "sha256:c2d5334d935af711f6d6dfeec2d34e071cdf73ec0df8e8bd35ac435b26d8da97", - "sha256:cb0afc3bad49eb89a579103616574a54b523856d20fc539a4f7a513a0a8ba4b2", - "sha256:ce66f730031b9b3683b2fc6ad4160a18db86557c004c3d490a29bf8d450d7ab9", - "sha256:e29b9cea4216ec130df85d8c36efb9985fda1c9039e4706fb30e0fb6a67602ff", - "sha256:e2cc4b68e59319e3de778325e34fbff487bfdb2225530e89995402989898d681", - "sha256:e90d2e219c3dce1500dda95f5b893c293c4d53c4e330c968afbd4e7a90ff4a5b", - "sha256:f13c48cc4363829bdfecc0c181b6ddf28008931de54908a492dc8ccd0066cd60", - "sha256:f550730d18edec4ff9d4252784b62adfe885d4542946b6d5a54c8a6521b56afd", - "sha256:fa843ee0d34c7193f5a816e79df8142faff851549cab31e84b526f04878ac778", - "sha256:fe1c33f78d2060719d52ea9459d97d7ae3a5b707ec02548575c4fbed1d1d345b" - ], - "markers": "python_version >= '2.5' and python_version not in '3.0, 3.1, 3.2, 3.3'", - "version": "==3.17.5" - }, "six": { "hashes": [ "sha256:1e61c37477a1626458e36f7b1d82aa5c9b094fa4802892072e49de9c60c4c926", 
@@ -971,20 +959,6 @@ ], "version": "==1.7.0" }, - "stix2": { - "hashes": [ - "sha256:b9b2200e5c429a0a49d67c8902638d2f97df2ba4321e15dde067c5cb80c9e8e1" - ], - "index": "pypi", - "version": "==3.0.0" - }, - "stix2-patterns": { - "hashes": [ - "sha256:174fe5302d2c3223205033af987754132a9ea45a9f8e08aefafbe0549c889ea4", - "sha256:bc46cc4eba44b76a17eab7a3ff67f35203543cdb918ab24c1ebd58403fa27992" - ], - "version": "==1.3.2" - }, "tempora": { "hashes": [ "sha256:c54da0f05405f04eb67abbb1dff4448fd91428b58cb00f0f645ea36f6a927950", @@ -1012,11 +986,11 @@ }, "urllib3": { "hashes": [ - "sha256:39fb8672126159acb139a7718dd10806104dec1e2f0f6c88aab05d17df10c8d4", - "sha256:f57b4c16c62fa2760b7e3d97c35b255512fb6b59a259730f36ba32ce9f8e342f" + "sha256:4987c65554f7a2dbf30c18fd48778ef124af6fab771a377103da0585e2336ece", + "sha256:c4fdf4019605b6e5423637e01bc9fe4daef873709a7973e195ceba0a62bbc844" ], "markers": "python_version >= '2.7' and python_version not in '3.0, 3.1, 3.2, 3.3, 3.4' and python_version < '4'", - "version": "==1.26.6" + "version": "==1.26.7" }, "werkzeug": { "hashes": [ @@ -1041,11 +1015,11 @@ }, "zipp": { "hashes": [ - "sha256:957cfda87797e389580cb8b9e3870841ca991e2125350677b2ca83a0e99390a3", - "sha256:f5812b1e007e48cff63449a5e9f4e7ebea716b4111f9c4f9a645f91d579bf0c4" + "sha256:71c644c5369f4a6e07636f0aa966270449561fcea2e3d6747b8d23efaa9d7832", + "sha256:9fe5ea21568a0a70e50f273397638d39b03353731e6cbbb3fd8502a33fec40bc" ], "markers": "python_version >= '3.6'", - "version": "==3.5.0" + "version": "==3.6.0" }, "zope.event": { "hashes": [ @@ -1120,6 +1094,14 @@ ], "version": "==1.4.4" }, + "atomicwrites": { + "hashes": [ + "sha256:6d1784dea7c0c8d4a5172b6c620f40b6e4cbfdf96d783691f2e1302a7b88e197", + "sha256:ae70396ad1a434f9c7046fd2dd196fc04b12f9e91ffb859164193be8b6168a7a" + ], + "markers": "sys_platform == 'win32'", + "version": "==1.4.0" + }, "attrs": { "hashes": [ "sha256:149e90d6d8ac20db7a955ad60cf0e6881a3f20d37096140088356da6c716b0b1", 
@@ -1166,6 +1148,14 @@ "markers": "python_version >= '3.6'", "version": "==8.0.1" }, + "colorama": { + "hashes": [ + "sha256:7d73d2a99753107a36ac6b455ee49046802e59d9d076ef8e47b61499fa29afff", + "sha256:e96da0d330793e2cb9485e9ddfd918d456036c7149416295932478192f4436a1" + ], + "markers": "platform_system == 'Windows' and sys_platform == 'win32' and platform_system == 'Windows'", + "version": "==0.4.3" + }, "coverage": { "hashes": [ "sha256:004d1880bed2d97151facef49f08e255a20ceb6f9432df75f4eef018fdd5a78c", @@ -1240,10 +1230,11 @@ }, "filelock": { "hashes": [ - "sha256:18d82244ee114f543149c66a6e0c14e9c4f8a1044b5cdaadd0f82159d6a6ff59", - "sha256:929b7d63ec5b7d6b71b0fa5ac14e030b3f70b75747cef1b10da9b879fef15836" + "sha256:61a99e9b12b47b685d1389f4cf969c1eba0efd2348a8471f86e01e8c622267af", + "sha256:85ecb30757aa19d06bfcdad29cc332b9a3e4851bf59976aea1e8dadcbd9ef883" ], - "version": "==3.0.12" + "markers": "python_version >= '2.7' and python_version not in '3.0, 3.1, 3.2, 3.3, 3.4'", + "version": "==3.2.0" }, "flake8": { "hashes": [ @@ -1323,11 +1314,11 @@ }, "platformdirs": { "hashes": [ - "sha256:15b056538719b1c94bdaccb29e5f81879c7f7f0f4a153f46086d155dffcd4f0f", - "sha256:8003ac87717ae2c7ee1ea5a84a1a61e87f3fbd16eb5aadba194ea30a9019f648" + "sha256:367a5e80b3d04d2428ffa76d33f124cf11e8fff2acdaa9b43d545f5c7d661ef2", + "sha256:8868bbe3c3c80d42f20156f22e7131d2fb321f5bc86a2a345375c6481a67021d" ], "markers": "python_version >= '3.6'", - "version": "==2.3.0" + "version": "==2.4.0" }, "pluggy": { "hashes": [ 
@@ -1387,49 +1378,49 @@ }, "regex": { "hashes": [ - "sha256:04f6b9749e335bb0d2f68c707f23bb1773c3fb6ecd10edf0f04df12a8920d468", - "sha256:08d74bfaa4c7731b8dac0a992c63673a2782758f7cfad34cf9c1b9184f911354", - "sha256:0fc1f8f06977c2d4f5e3d3f0d4a08089be783973fc6b6e278bde01f0544ff308", - "sha256:121f4b3185feaade3f85f70294aef3f777199e9b5c0c0245c774ae884b110a2d", - "sha256:1413b5022ed6ac0d504ba425ef02549a57d0f4276de58e3ab7e82437892704fc", - "sha256:1743345e30917e8c574f273f51679c294effba6ad372db1967852f12c76759d8", - "sha256:28fc475f560d8f67cc8767b94db4c9440210f6958495aeae70fac8faec631797", - "sha256:31a99a4796bf5aefc8351e98507b09e1b09115574f7c9dbb9cf2111f7220d2e2", - "sha256:328a1fad67445550b982caa2a2a850da5989fd6595e858f02d04636e7f8b0b13", - "sha256:473858730ef6d6ff7f7d5f19452184cd0caa062a20047f6d6f3e135a4648865d", - "sha256:4cde065ab33bcaab774d84096fae266d9301d1a2f5519d7bd58fc55274afbf7a", - "sha256:5f6a808044faae658f546dd5f525e921de9fa409de7a5570865467f03a626fc0", - "sha256:610b690b406653c84b7cb6091facb3033500ee81089867ee7d59e675f9ca2b73", - "sha256:66256b6391c057305e5ae9209941ef63c33a476b73772ca967d4a2df70520ec1", - "sha256:6eebf512aa90751d5ef6a7c2ac9d60113f32e86e5687326a50d7686e309f66ed", - "sha256:79aef6b5cd41feff359acaf98e040844613ff5298d0d19c455b3d9ae0bc8c35a", - "sha256:808ee5834e06f57978da3e003ad9d6292de69d2bf6263662a1a8ae30788e080b", - "sha256:8e44769068d33e0ea6ccdf4b84d80c5afffe5207aa4d1881a629cf0ef3ec398f", - "sha256:999ad08220467b6ad4bd3dd34e65329dd5d0df9b31e47106105e407954965256", - "sha256:9b006628fe43aa69259ec04ca258d88ed19b64791693df59c422b607b6ece8bb", - "sha256:9d05ad5367c90814099000442b2125535e9d77581855b9bee8780f1b41f2b1a2", - "sha256:a577a21de2ef8059b58f79ff76a4da81c45a75fe0bfb09bc8b7bb4293fa18983", - "sha256:a617593aeacc7a691cc4af4a4410031654f2909053bd8c8e7db837f179a630eb", - "sha256:abb48494d88e8a82601af905143e0de838c776c1241d92021e9256d5515b3645", - "sha256:ac88856a8cbccfc14f1b2d0b829af354cc1743cb375e7f04251ae73b2af6adf8", - 
"sha256:b4c220a1fe0d2c622493b0a1fd48f8f991998fb447d3cd368033a4b86cf1127a", - "sha256:b844fb09bd9936ed158ff9df0ab601e2045b316b17aa8b931857365ea8586906", - "sha256:bdc178caebd0f338d57ae445ef8e9b737ddf8fbc3ea187603f65aec5b041248f", - "sha256:c206587c83e795d417ed3adc8453a791f6d36b67c81416676cad053b4104152c", - "sha256:c61dcc1cf9fd165127a2853e2c31eb4fb961a4f26b394ac9fe5669c7a6592892", - "sha256:c7cb4c512d2d3b0870e00fbbac2f291d4b4bf2634d59a31176a87afe2777c6f0", - "sha256:d4a332404baa6665b54e5d283b4262f41f2103c255897084ec8f5487ce7b9e8e", - "sha256:d5111d4c843d80202e62b4fdbb4920db1dcee4f9366d6b03294f45ed7b18b42e", - "sha256:e1e8406b895aba6caa63d9fd1b6b1700d7e4825f78ccb1e5260551d168db38ed", - "sha256:e8690ed94481f219a7a967c118abaf71ccc440f69acd583cab721b90eeedb77c", - "sha256:ed283ab3a01d8b53de3a05bfdf4473ae24e43caee7dcb5584e86f3f3e5ab4374", - "sha256:ed4b50355b066796dacdd1cf538f2ce57275d001838f9b132fab80b75e8c84dd", - "sha256:ee329d0387b5b41a5dddbb6243a21cb7896587a651bebb957e2d2bb8b63c0791", - "sha256:f3bf1bc02bc421047bfec3343729c4bbbea42605bcfd6d6bfe2c07ade8b12d2a", - "sha256:f585cbbeecb35f35609edccb95efd95a3e35824cd7752b586503f7e6087303f1", - "sha256:f60667673ff9c249709160529ab39667d1ae9fd38634e006bec95611f632e759" + "sha256:0de8ad66b08c3e673b61981b9e3626f8784d5564f8c3928e2ad408c0eb5ac38c", + "sha256:1f1125bc5172ab3a049bc6f4b9c0aae95a2a2001a77e6d6e4239fa3653e202b5", + "sha256:255791523f80ea8e48e79af7120b4697ef3b74f6886995dcdb08c41f8e516be0", + "sha256:28040e89a04b60d579c69095c509a4f6a1a5379cd865258e3a186b7105de72c6", + "sha256:37868075eda024470bd0feab872c692ac4ee29db1e14baec103257bf6cc64346", + "sha256:3b71213ec3bad9a5a02e049f2ec86b3d7c3e350129ae0f4e2f99c12b5da919ed", + "sha256:3be40f720af170a6b20ddd2ad7904c58b13d2b56f6734ee5d09bbdeed2fa4816", + "sha256:42952d325439ef223e4e9db7ee6d9087b5c68c5c15b1f9de68e990837682fc7b", + "sha256:470f2c882f2672d8eeda8ab27992aec277c067d280b52541357e1acd7e606dae", + "sha256:4907fb0f9b9309a5bded72343e675a252c2589a41871874feace9a05a540241e", 
+ "sha256:4d87459ad3ab40cd8493774f8a454b2e490d8e729e7e402a0625867a983e4e02", + "sha256:4fa7ba9ab2eba7284e0d7d94f61df7af86015b0398e123331362270d71fab0b9", + "sha256:5b34d2335d6aedec7dcadd3f8283b9682fadad8b9b008da8788d2fce76125ebe", + "sha256:6348a7ab2a502cbdd0b7fd0496d614007489adb7361956b38044d1d588e66e04", + "sha256:638e98d069b14113e8afba6a54d1ca123f712c0d105e67c1f9211b2a825ef926", + "sha256:66696c8336a1b5d1182464f3af3427cc760118f26d0b09a2ddc16a976a4d2637", + "sha256:78cf6a1e023caf5e9a982f5377414e1aeac55198831b852835732cfd0a0ca5ff", + "sha256:81e125d9ba54c34579e4539a967e976a3c56150796674aec318b1b2f49251be7", + "sha256:81fdc90f999b2147fc62e303440c424c47e5573a9b615ed5d43a5b832efcca9e", + "sha256:87e9c489aa98f50f367fb26cc9c8908d668e9228d327644d7aa568d47e456f47", + "sha256:8c1ad61fa024195136a6b7b89538030bd00df15f90ac177ca278df9b2386c96f", + "sha256:9910869c472e5a6728680ca357b5846546cbbd2ab3ad5bef986ef0bc438d0aa6", + "sha256:9925985be05d54b3d25fd6c1ea8e50ff1f7c2744c75bdc4d3b45c790afa2bcb3", + "sha256:9a0b0db6b49da7fa37ca8eddf9f40a8dbc599bad43e64f452284f37b6c34d91c", + "sha256:9c065d95a514a06b92a5026766d72ac91bfabf581adb5b29bc5c91d4b3ee9b83", + "sha256:a6f08187136f11e430638c2c66e1db091105d7c2e9902489f0dbc69b44c222b4", + "sha256:ad0517df22a97f1da20d8f1c8cb71a5d1997fa383326b81f9cf22c9dadfbdf34", + "sha256:b345ecde37c86dd7084c62954468a4a655fd2d24fd9b237949dd07a4d0dd6f4c", + "sha256:b55442650f541d195a535ccec33078c78a9521973fb960923da7515e9ed78fa6", + "sha256:c2b180ed30856dfa70cfe927b0fd38e6b68198a03039abdbeb1f2029758d87e7", + "sha256:c9e30838df7bfd20db6466fd309d9b580d32855f8e2c2e6d74cf9da27dcd9b63", + "sha256:cae4099031d80703954c39680323dabd87a69b21262303160776aa0e55970ca0", + "sha256:ce7b1cca6c23f19bee8dc40228d9c314d86d1e51996b86f924aca302fc8f8bf9", + "sha256:d0861e7f6325e821d5c40514c551fd538b292f8cc3960086e73491b9c5d8291d", + "sha256:d331f238a7accfbbe1c4cd1ba610d4c087b206353539331e32a8f05345c74aec", + 
"sha256:e07049cece3462c626d650e8bf42ddbca3abf4aa08155002c28cb6d9a5a281e2", + "sha256:e2cb7d4909ed16ed35729d38af585673f1f0833e73dfdf0c18e5be0061107b99", + "sha256:e3770781353a4886b68ef10cec31c1f61e8e3a0be5f213c2bb15a86efd999bc4", + "sha256:e502f8d4e5ef714bcc2c94d499684890c94239526d61fdf1096547db91ca6aa6", + "sha256:e6f2d2f93001801296fe3ca86515eb04915472b5380d4d8752f09f25f0b9b0ed", + "sha256:f588209d3e4797882cd238195c175290dbc501973b10a581086b5c6bcd095ffb" ], - "version": "==2021.8.28" + "version": "==2021.9.30" }, "requests": { "hashes": [ @@ -1515,19 +1506,19 @@ }, "urllib3": { "hashes": [ - "sha256:39fb8672126159acb139a7718dd10806104dec1e2f0f6c88aab05d17df10c8d4", - "sha256:f57b4c16c62fa2760b7e3d97c35b255512fb6b59a259730f36ba32ce9f8e342f" + "sha256:4987c65554f7a2dbf30c18fd48778ef124af6fab771a377103da0585e2336ece", + "sha256:c4fdf4019605b6e5423637e01bc9fe4daef873709a7973e195ceba0a62bbc844" ], "markers": "python_version >= '2.7' and python_version not in '3.0, 3.1, 3.2, 3.3, 3.4' and python_version < '4'", - "version": "==1.26.6" + "version": "==1.26.7" }, "virtualenv": { "hashes": [ - "sha256:4da4ac43888e97de9cf4fdd870f48ed864bbfd133d2c46cbdec941fed4a25aef", - "sha256:a4b987ec31c3c9996cf1bc865332f967fe4a0512c41b39652d6224f696e69da5" + "sha256:10062e34c204b5e4ec5f62e6ef2473f8ba76513a9a617e873f1f8fb4a519d300", + "sha256:bcc17f0b3a29670dd777d6f0755a4c04f28815395bca279cdcb213b97199a6b8" ], "index": "pypi", - "version": "==20.8.0" + "version": "==20.8.1" }, "vulture": { "hashes": [ @@ -1539,11 +1530,11 @@ }, "zipp": { "hashes": [ - "sha256:957cfda87797e389580cb8b9e3870841ca991e2125350677b2ca83a0e99390a3", - "sha256:f5812b1e007e48cff63449a5e9f4e7ebea716b4111f9c4f9a645f91d579bf0c4" + "sha256:71c644c5369f4a6e07636f0aa966270449561fcea2e3d6747b8d23efaa9d7832", + "sha256:9fe5ea21568a0a70e50f273397638d39b03353731e6cbbb3fd8502a33fec40bc" ], "markers": "python_version >= '3.6'", - "version": "==3.5.0" + "version": "==3.6.0" } } } 
diff --git a/monkey/monkey_island/pyinstaller_hooks/hook-stix2.py b/monkey/monkey_island/pyinstaller_hooks/hook-stix2.py deleted file mode 100644 index 785d6a36b..000000000 --- a/monkey/monkey_island/pyinstaller_hooks/hook-stix2.py +++ /dev/null @@ -1,9 +0,0 @@ -# Workaround for packaging Monkey Island using PyInstaller. See -# https://github.com/oasis-open/cti-python-stix2/issues/218 - -import os - -from PyInstaller.utils.hooks import get_module_file_attribute - -stix2_dir = os.path.dirname(get_module_file_attribute("stix2")) -datas = [(stix2_dir, "stix2")] From 4ef0f542b8789c14d35c60c3baeee48540c81033 Mon Sep 17 00:00:00 2001 From: Mike Salvatore Date: Fri, 1 Oct 2021 08:24:47 -0400 Subject: [PATCH 22/22] Docs: Add description of Attack Mitigations --- docs/content/development/attack_mitigations.md | 18 +++++++++++------- 1 file changed, 11 insertions(+), 7 deletions(-) diff --git a/docs/content/development/attack_mitigations.md b/docs/content/development/attack_mitigations.md index 88a585c97..bce2dc873 100644 --- a/docs/content/development/attack_mitigations.md +++ b/docs/content/development/attack_mitigations.md 
@@ -11,23 +11,27 @@ Check out [the documentation for the MITRE ATT&CK techniques as well]({{< ref "/ ## Summary -Infection Monkey is shipped with pre-processed information about MITRE ATT&CK -mitigations located at -`monkey/monkey_island/cc/setup/mongo/attack_mitigations.json`. +Attack Mitigations are presented in MITRE ATT&CK report. They appear next to +descriptions of attack techniques and suggest steps that can be taken to reduce +the risk of that particular technique being successful in a network. They also +provide links for further reading on https://attack.mitre.org/ -This may need to be periodically updated as the MITRE ATT&CK framework evolves. +The Infection Monkey is shipped with pre-processed information about MITRE +ATT&CK mitigations located at +`monkey/monkey_island/cc/setup/mongo/attack_mitigations.json`. This may need to +be periodically updated as the MITRE ATT&CK framework evolves. ## Updating the MITRE ATT&CK mitigations data 1. Clone the [MITRE Cyber Threat Intelligence Repository](https://github.com/mitre/cti) or the [Guardicore - fork](https://github.com/guardicore/cti) + fork](https://github.com/guardicore/cti): ``` $ CTI_REPO=$PWD/cti $ git clone $CTI_REPO ``` -2. Start a mongodb v4.2 server -3. Run the script to generate the `attack_mitigations.json` file +2. Start a MongoDB v4.2 server. +3. Run the script to generate the `attack_mitigations.json` file: ``` $ cd monkey/deployment_scripts/dump_attack_mitigations $ pip install -r requirements.txt