diff --git a/.gitmodules b/.gitmodules
index 2fb33dd37..814297e5c 100644
--- a/.gitmodules
+++ b/.gitmodules
@@ -1,6 +1,3 @@
-[submodule "monkey/monkey_island/cc/services/attack/attack_data"]
-	path = monkey/monkey_island/cc/services/attack/attack_data
-	url = https://github.com/guardicore/cti
 [submodule "docs/themes/learn"]
 	path = docs/themes/learn
 	url = https://github.com/guardicode/hugo-theme-learn.git
diff --git a/monkey/monkey_island/cc/services/attack/attack_data b/monkey/monkey_island/cc/services/attack/attack_data
deleted file mode 160000
index fb8942b1a..000000000
--- a/monkey/monkey_island/cc/services/attack/attack_data
+++ /dev/null
@@ -1 +0,0 @@
-Subproject commit fb8942b1a10f4e734ed75542f2ccae7cbd72c46d
diff --git a/monkey/monkey_island/cc/services/attack/mitre_api_interface.py b/monkey/monkey_island/cc/services/attack/mitre_api_interface.py
index 596f4d498..48ecb7c9a 100644
--- a/monkey/monkey_island/cc/services/attack/mitre_api_interface.py
+++ b/monkey/monkey_island/cc/services/attack/mitre_api_interface.py
@@ -1,42 +1,4 @@
-import os
-from typing import Dict, List
-
-from stix2 import AttackPattern, CourseOfAction, FileSystemSource, Filter
-
-from monkey_island.cc.server_utils.consts import MONKEY_ISLAND_ABS_PATH
-
-
 class MitreApiInterface:
-    ATTACK_DATA_PATH = os.path.join(
-        MONKEY_ISLAND_ABS_PATH, "cc", "services", "attack", "attack_data", "enterprise-attack"
-    )
-
-    @staticmethod
-    def get_all_mitigations() -> Dict[str, CourseOfAction]:
-        file_system = FileSystemSource(MitreApiInterface.ATTACK_DATA_PATH)
-        mitigation_filter = [Filter("type", "=", "course-of-action")]
-        all_mitigations = file_system.query(mitigation_filter)
-        all_mitigations = {mitigation["id"]: mitigation for mitigation in all_mitigations}
-        return all_mitigations
-
-    @staticmethod
-    def get_all_attack_techniques() -> Dict[str, AttackPattern]:
-        file_system = FileSystemSource(MitreApiInterface.ATTACK_DATA_PATH)
-        technique_filter = [Filter("type", "=", "attack-pattern")]
-        all_techniques = file_system.query(technique_filter)
-        all_techniques = {technique["id"]: technique for technique in all_techniques}
-        return all_techniques
-
-    @staticmethod
-    def get_technique_and_mitigation_relationships() -> List[CourseOfAction]:
-        file_system = FileSystemSource(MitreApiInterface.ATTACK_DATA_PATH)
-        technique_filter = [
-            Filter("type", "=", "relationship"),
-            Filter("relationship_type", "=", "mitigates"),
-        ]
-        all_techniques = file_system.query(technique_filter)
-        return all_techniques
-
     @staticmethod
     def get_stix2_external_reference_id(stix2_data) -> str:
         for reference in stix2_data["external_references"]:
diff --git a/monkey/monkey_island/cc/setup/mongo/attack_mitigations.json b/monkey/monkey_island/cc/setup/mongo/attack_mitigations.json
new file mode 100644
index 000000000..d851d2435
--- /dev/null
+++ b/monkey/monkey_island/cc/setup/mongo/attack_mitigations.json
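Review bot: Nothing left in mitre_api_interface.py records that the ATT&CK mitigation data is now a pre-generated snapshot (`monkey/monkey_island/cc/setup/mongo/attack_mitigations.json`) instead of the `guardicore/cti` submodule pinned at fb8942b1a10f4e734ed75542f2ccae7cbd72c46d that this commit removes, and the snapshot itself carries no version or source-commit field, so a reader cannot tell which ATT&CK release the seeded mitigations reflect or how to refresh them. A module docstring at the top of the new file, such as `"""Helpers for STIX2 objects. ATT&CK mitigation data is a generated snapshot in setup/mongo/attack_mitigations.json; note the ATT&CK version/commit it was built from when regenerating."""`, would close that gap. The surviving helper also has no docstring; something like `"""Return the external-reference ID of a STIX2 object (looked up in its external_references)."""` is appropriate, hedged because `get_stix2_external_reference_id` continues outside the hunk and the selection logic is not visible here. Callers of the removed `get_all_mitigations`, `get_all_attack_techniques` and `get_technique_and_mitigation_relationships` are not visible in this diff; confirm none remain in the rest of the island code.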
@@ -0,0 +1 @@ +[{"_id": "T1066", "mitigations": [{"name": "Indicator Removal from Tools Mitigation", "description": "Mitigation is difficult in instances like this because the adversary may have access to the system through another channel and can learn what techniques or tools are blocked by resident defenses. Exercising best practices with configuration and security as well as ensuring that proper process is followed during investigation of potential compromise is essential to detecting a larger intrusion through discrete alerts.", "url": ""}]}, {"_id": "T1047", "mitigations": [{"name": "Privileged Account Management", "description": "Manage the creation, modification, use, and permissions associated to privileged accounts, including SYSTEM and root.", "url": "https://attack.mitre.org/mitigations/M1026"}, {"name": "User Account Management", "description": "Manage the creation, modification, use, and permissions associated to user accounts.", "url": "https://attack.mitre.org/mitigations/M1018"}]}, {"_id": "T1156", "mitigations": [{"name": "Restrict File and Directory Permissions", "description": "Restrict access by setting directory and file permissions that are not specific to users or privileged accounts.", "url": "https://attack.mitre.org/mitigations/M1022"}]}, {"_id": "T1113", "mitigations": [{"name": "Screen Capture Mitigation", "description": "Blocking software based on screen capture functionality may be difficult, and there may be legitimate software that performs those actions. Instead, identify potentially malicious software that may have functionality to acquire screen captures, and audit and/or block it by using whitelisting (Citation: Beechey 2010) tools, like AppLocker, (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) or Software Restriction Policies (Citation: Corio 2008) where appropriate. 
(Citation: TechNet Applocker vs SRP)", "url": ""}]}, {"_id": "T1067", "mitigations": [{"name": "Privileged Account Management", "description": "Manage the creation, modification, use, and permissions associated to privileged accounts, including SYSTEM and root.", "url": "https://attack.mitre.org/mitigations/M1026"}, {"name": "Boot Integrity", "description": "Use secure methods to boot a system and verify the integrity of the operating system and loading mechanisms.", "url": "https://attack.mitre.org/mitigations/M1046"}]}, {"_id": "T1037", "mitigations": [{"name": "Restrict File and Directory Permissions", "description": "Restrict access by setting directory and file permissions that are not specific to users or privileged accounts.", "url": "https://attack.mitre.org/mitigations/M1022"}]}, {"_id": "T1033", "mitigations": [{"name": "System Owner/User Discovery Mitigation", "description": "Identify unnecessary system utilities or potentially malicious software that may be used to acquire information about system users, and audit and/or block them by using whitelisting (Citation: Beechey 2010) tools, like AppLocker, (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) or Software Restriction Policies (Citation: Corio 2008) where appropriate. (Citation: TechNet Applocker vs SRP)", "url": ""}]}, {"_id": "T1143", "mitigations": [{"name": "Execution Prevention", "description": "Block execution of code on a system through application whitelisting, blacklisting, and/or script blocking.", "url": "https://attack.mitre.org/mitigations/M1038"}]}, {"_id": "T1161", "mitigations": [{"name": "Audit", "description": "Perform audits or scans of systems, permissions, insecure software, insecure configurations, etc. 
to identify potential weaknesses.", "url": "https://attack.mitre.org/mitigations/M1047"}, {"name": "Execution Prevention", "description": "Block execution of code on a system through application whitelisting, blacklisting, and/or script blocking.", "url": "https://attack.mitre.org/mitigations/M1038"}, {"name": "Code Signing", "description": "Enforce binary and application integrity with digital signature verification to prevent untrusted code from executing.", "url": "https://attack.mitre.org/mitigations/M1045"}]}, {"_id": "T1150", "mitigations": [{"name": "Restrict File and Directory Permissions", "description": "Restrict access by setting directory and file permissions that are not specific to users or privileged accounts.", "url": "https://attack.mitre.org/mitigations/M1022"}]}, {"_id": "T1148", "mitigations": [{"name": "Environment Variable Permissions", "description": "Prevent modification of environment variables by unauthorized users and groups.", "url": "https://attack.mitre.org/mitigations/M1039"}, {"name": "Operating System Configuration", "description": "Make configuration changes related to the operating system or a common feature of the operating system that result in system hardening against techniques.", "url": "https://attack.mitre.org/mitigations/M1028"}]}, {"_id": "T1003", "mitigations": [{"name": "Password Policies", "description": "Set and enforce secure password policies for accounts.", "url": "https://attack.mitre.org/mitigations/M1027"}, {"name": "User Training", "description": "Train users to to be aware of access or manipulation attempts by an adversary to reduce the risk of successful spearphishing, social engineering, and other techniques that involve user interaction.", "url": "https://attack.mitre.org/mitigations/M1017"}, {"name": "Privileged Account Management", "description": "Manage the creation, modification, use, and permissions associated to privileged accounts, including SYSTEM and root.", "url": 
"https://attack.mitre.org/mitigations/M1026"}, {"name": "Privileged Process Integrity", "description": "Protect processes with high privileges that can be used to interact with critical system components through use of protected process light, anti-process injection defenses, or other process integrity enforcement measures.", "url": "https://attack.mitre.org/mitigations/M1025"}, {"name": "Credential Access Protection", "description": "Use capabilities to prevent successful credential access by adversaries; including blocking forms of credential dumping.", "url": "https://attack.mitre.org/mitigations/M1043"}, {"name": "Active Directory Configuration", "description": "Configure Active Directory to prevent use of certain techniques; use SID Filtering, etc.", "url": "https://attack.mitre.org/mitigations/M1015"}, {"name": "Operating System Configuration", "description": "Make configuration changes related to the operating system or a common feature of the operating system that result in system hardening against techniques.", "url": "https://attack.mitre.org/mitigations/M1028"}]}, {"_id": "T1129", "mitigations": [{"name": "Execution Prevention", "description": "Block execution of code on a system through application whitelisting, blacklisting, and/or script blocking.", "url": "https://attack.mitre.org/mitigations/M1038"}]}, {"_id": "T1492", "mitigations": [{"name": "Encrypt Sensitive Information", "description": "Protect sensitive information with strong encryption.", "url": "https://attack.mitre.org/mitigations/M1041"}, {"name": "Restrict File and Directory Permissions", "description": "Restrict access by setting directory and file permissions that are not specific to users or privileged accounts.", "url": "https://attack.mitre.org/mitigations/M1022"}, {"name": "Remote Data Storage", "description": "Use remote security log and sensitive file storage where access can be controlled better to prevent exposure of intrusion detection log data or sensitive information.", 
"url": "https://attack.mitre.org/mitigations/M1029"}]}, {"_id": "T1006", "mitigations": [{"name": "File System Logical Offsets Mitigation", "description": "Identify potentially malicious software that may be used to access logical drives in this manner, and audit and/or block it by using whitelisting (Citation: Beechey 2010) tools, like AppLocker, (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) or Software Restriction Policies (Citation: Corio 2008) where appropriate. (Citation: TechNet Applocker vs SRP)", "url": ""}]}, {"_id": "T1044", "mitigations": [{"name": "Audit", "description": "Perform audits or scans of systems, permissions, insecure software, insecure configurations, etc. to identify potential weaknesses.", "url": "https://attack.mitre.org/mitigations/M1047"}, {"name": "User Account Control", "description": "Configure Windows User Account Control to mitigate risk of adversaries obtaining elevated process access.", "url": "https://attack.mitre.org/mitigations/M1052"}, {"name": "User Account Management", "description": "Manage the creation, modification, use, and permissions associated to user accounts.", "url": "https://attack.mitre.org/mitigations/M1018"}]}, {"_id": "T1171", "mitigations": [{"name": "Filter Network Traffic", "description": "Use network appliances to filter ingress or egress traffic and perform protocol-based filtering. 
Configure software on endpoints to filter network traffic.", "url": "https://attack.mitre.org/mitigations/M1037"}, {"name": "Disable or Remove Feature or Program", "description": "Remove or deny access to unnecessary and potentially vulnerable software to prevent abuse by adversaries.", "url": "https://attack.mitre.org/mitigations/M1042"}]}, {"_id": "T1014", "mitigations": [{"name": "Rootkit Mitigation", "description": "Identify potentially malicious software that may contain rootkit functionality, and audit and/or block it by using whitelisting (Citation: Beechey 2010) tools, like AppLocker, (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) or Software Restriction Policies (Citation: Corio 2008) where appropriate. (Citation: TechNet Applocker vs SRP)", "url": ""}]}, {"_id": "T1501", "mitigations": [{"name": "Limit Software Installation", "description": "Block users or groups from installing unapproved software.", "url": "https://attack.mitre.org/mitigations/M1033"}, {"name": "User Account Management", "description": "Manage the creation, modification, use, and permissions associated to user accounts.", "url": "https://attack.mitre.org/mitigations/M1018"}, {"name": "Restrict File and Directory Permissions", "description": "Restrict access by setting directory and file permissions that are not specific to users or privileged accounts.", "url": "https://attack.mitre.org/mitigations/M1022"}, {"name": "Privileged Account Management", "description": "Manage the creation, modification, use, and permissions associated to privileged accounts, including SYSTEM and root.", "url": "https://attack.mitre.org/mitigations/M1026"}]}, {"_id": "T1514", "mitigations": [{"name": "Execution Prevention", "description": "Block execution of code on a system through application whitelisting, blacklisting, and/or script blocking.", "url": "https://attack.mitre.org/mitigations/M1038"}]}, {"_id": "T1123", "mitigations": [{"name": "Audio Capture Mitigation", "description": 
"Mitigating this technique specifically may be difficult as it requires fine-grained API control. Efforts should be focused on preventing unwanted or unknown code from executing on a system.", "url": ""}]}, {"_id": "T1133", "mitigations": [{"name": "Network Segmentation", "description": "Architect sections of the network to isolate critical systems, functions, or resources. Use physical and logical segmentation to prevent access to potentially sensitive systems and information. Use a DMZ to contain any internet-facing services that should not be exposed from the internal network.", "url": "https://attack.mitre.org/mitigations/M1030"}, {"name": "Disable or Remove Feature or Program", "description": "Remove or deny access to unnecessary and potentially vulnerable software to prevent abuse by adversaries.", "url": "https://attack.mitre.org/mitigations/M1042"}, {"name": "Limit Access to Resource Over Network", "description": "Prevent access to file shares, remote access to systems, unnecessary services. 
Mechanisms to limit access may include use of network concentrators, RDP gateways, etc.", "url": "https://attack.mitre.org/mitigations/M1035"}, {"name": "Multi-factor Authentication", "description": "Use two or more pieces of evidence to authenticate to a system; such as username and password in addition to a token from a physical smart card or token generator.", "url": "https://attack.mitre.org/mitigations/M1032"}]}, {"_id": "T1109", "mitigations": [{"name": "Component Firmware Mitigation", "description": "Prevent adversary access to privileged accounts or access necessary to perform this technique.", "url": ""}]}, {"_id": "T1539", "mitigations": [{"name": "Software Configuration", "description": "Implement configuration changes to software (other than the operating system) to mitigate security risks associated to how the software operates.", "url": "https://attack.mitre.org/mitigations/M1054"}, {"name": "Multi-factor Authentication", "description": "Use two or more pieces of evidence to authenticate to a system; such as username and password in addition to a token from a physical smart card or token generator.", "url": "https://attack.mitre.org/mitigations/M1032"}, {"name": "User Training", "description": "Train users to to be aware of access or manipulation attempts by an adversary to reduce the risk of successful spearphishing, social engineering, and other techniques that involve user interaction.", "url": "https://attack.mitre.org/mitigations/M1017"}]}, {"_id": "T1099", "mitigations": [{"name": "Timestomp Mitigation", "description": "Mitigation of timestomping specifically is likely difficult. Efforts should be focused on preventing potentially malicious software from running. 
Identify and block potentially malicious software that may contain functionality to perform timestomping by using whitelisting (Citation: Beechey 2010) tools like AppLocker (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) or Software Restriction Policies (Citation: Corio 2008) where appropriate. (Citation: TechNet Applocker vs SRP)", "url": ""}]}, {"_id": "T1069", "mitigations": [{"name": "Permission Groups Discovery Mitigation", "description": "Identify unnecessary system utilities or potentially malicious software that may be used to acquire information about groups and permissions, and audit and/or block them by using whitelisting (Citation: Beechey 2010) tools, like AppLocker, (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) or Software Restriction Policies (Citation: Corio 2008) where appropriate. (Citation: TechNet Applocker vs SRP)", "url": ""}]}, {"_id": "T1114", "mitigations": [{"name": "Multi-factor Authentication", "description": "Use two or more pieces of evidence to authenticate to a system; such as username and password in addition to a token from a physical smart card or token generator.", "url": "https://attack.mitre.org/mitigations/M1032"}, {"name": "Encrypt Sensitive Information", "description": "Protect sensitive information with strong encryption.", "url": "https://attack.mitre.org/mitigations/M1041"}, {"name": "Audit", "description": "Perform audits or scans of systems, permissions, insecure software, insecure configurations, etc. 
to identify potential weaknesses.", "url": "https://attack.mitre.org/mitigations/M1047"}]}, {"_id": "T1163", "mitigations": [{"name": "User Account Management", "description": "Manage the creation, modification, use, and permissions associated to user accounts.", "url": "https://attack.mitre.org/mitigations/M1018"}]}, {"_id": "T1025", "mitigations": [{"name": "Data from Removable Media Mitigation", "description": "Identify unnecessary system utilities or potentially malicious software that may be used to collect data from removable media, and audit and/or block them by using whitelisting (Citation: Beechey 2010) tools, like AppLocker, (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) or Software Restriction Policies (Citation: Corio 2008) where appropriate. (Citation: TechNet Applocker vs SRP)", "url": ""}]}, {"_id": "T1116", "mitigations": [{"name": "Code Signing Mitigation", "description": "Process whitelisting and trusted publishers to verify authenticity of software can help prevent signed malicious or untrusted code from executing on a system. (Citation: NSA MS AppLocker) (Citation: TechNet Trusted Publishers) (Citation: Securelist Digital Certificates)", "url": ""}]}, {"_id": "T1522", "mitigations": [{"name": "Filter Network Traffic", "description": "Use network appliances to filter ingress or egress traffic and perform protocol-based filtering. Configure software on endpoints to filter network traffic.", "url": "https://attack.mitre.org/mitigations/M1037"}]}, {"_id": "T1093", "mitigations": [{"name": "Process Hollowing Mitigation", "description": "This type of attack technique cannot be easily mitigated with preventive controls since it is based on the abuse of operating system design features. For example, mitigating specific API calls will likely have unintended side effects, such as preventing legitimate software (i.e., security products) from operating properly. 
Efforts should be focused on preventing adversary tools from running earlier in the chain of activity and on identifying subsequent malicious behavior. ", "url": ""}]}, {"_id": "T1172", "mitigations": [{"name": "SSL/TLS Inspection", "description": "Break and inspect SSL/TLS sessions to look at encrypted web traffic for adversary activity.", "url": "https://attack.mitre.org/mitigations/M1020"}, {"name": "Execution Prevention", "description": "Block execution of code on a system through application whitelisting, blacklisting, and/or script blocking.", "url": "https://attack.mitre.org/mitigations/M1038"}]}, {"_id": "T1178", "mitigations": [{"name": "Active Directory Configuration", "description": "Configure Active Directory to prevent use of certain techniques; use SID Filtering, etc.", "url": "https://attack.mitre.org/mitigations/M1015"}]}, {"_id": "T1013", "mitigations": [{"name": "Port Monitors Mitigation", "description": "Identify and block potentially malicious software that may persist in this manner by using whitelisting (Citation: Beechey 2010) tools capable of monitoring DLL loads by processes running under SYSTEM permissions.", "url": ""}]}, {"_id": "T1192", "mitigations": [{"name": "Restrict Web-Based Content", "description": "Restrict use of certain websites, block downloads/attachments, block Javascript, restrict browser extensions, etc.", "url": "https://attack.mitre.org/mitigations/M1021"}, {"name": "User Training", "description": "Train users to to be aware of access or manipulation attempts by an adversary to reduce the risk of successful spearphishing, social engineering, and other techniques that involve user interaction.", "url": "https://attack.mitre.org/mitigations/M1017"}]}, {"_id": "T1489", "mitigations": [{"name": "Network Segmentation", "description": "Architect sections of the network to isolate critical systems, functions, or resources. Use physical and logical segmentation to prevent access to potentially sensitive systems and information. 
Use a DMZ to contain any internet-facing services that should not be exposed from the internal network.", "url": "https://attack.mitre.org/mitigations/M1030"}, {"name": "User Account Management", "description": "Manage the creation, modification, use, and permissions associated to user accounts.", "url": "https://attack.mitre.org/mitigations/M1018"}, {"name": "Restrict Registry Permissions", "description": "Restrict the ability to modify certain hives or keys in the Windows Registry.", "url": "https://attack.mitre.org/mitigations/M1024"}, {"name": "Restrict File and Directory Permissions", "description": "Restrict access by setting directory and file permissions that are not specific to users or privileged accounts.", "url": "https://attack.mitre.org/mitigations/M1022"}]}, {"_id": "T1121", "mitigations": [{"name": "Disable or Remove Feature or Program", "description": "Remove or deny access to unnecessary and potentially vulnerable software to prevent abuse by adversaries.", "url": "https://attack.mitre.org/mitigations/M1042"}, {"name": "Execution Prevention", "description": "Block execution of code on a system through application whitelisting, blacklisting, and/or script blocking.", "url": "https://attack.mitre.org/mitigations/M1038"}]}, {"_id": "T1206", "mitigations": [{"name": "Privileged Account Management", "description": "Manage the creation, modification, use, and permissions associated to privileged accounts, including SYSTEM and root.", "url": "https://attack.mitre.org/mitigations/M1026"}, {"name": "Operating System Configuration", "description": "Make configuration changes related to the operating system or a common feature of the operating system that result in system hardening against techniques.", "url": "https://attack.mitre.org/mitigations/M1028"}]}, {"_id": "T1063", "mitigations": [{"name": "Security Software Discovery Mitigation", "description": "Identify unnecessary system utilities or potentially malicious software that may be used to acquire 
information about local security software, and audit and/or block them by using whitelisting (Citation: Beechey 2010) tools, like AppLocker, (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) or Software Restriction Policies (Citation: Corio 2008) where appropriate. (Citation: TechNet Applocker vs SRP)", "url": ""}]}, {"_id": "T1080", "mitigations": [{"name": "Execution Prevention", "description": "Block execution of code on a system through application whitelisting, blacklisting, and/or script blocking.", "url": "https://attack.mitre.org/mitigations/M1038"}, {"name": "Restrict File and Directory Permissions", "description": "Restrict access by setting directory and file permissions that are not specific to users or privileged accounts.", "url": "https://attack.mitre.org/mitigations/M1022"}, {"name": "Exploit Protection", "description": "Use capabilities to detect and block conditions that may lead to or be indicative of a software exploit occurring.", "url": "https://attack.mitre.org/mitigations/M1050"}]}, {"_id": "T1167", "mitigations": []}, {"_id": "T1527", "mitigations": [{"name": "Restrict Web-Based Content", "description": "Restrict use of certain websites, block downloads/attachments, block Javascript, restrict browser extensions, etc.", "url": "https://attack.mitre.org/mitigations/M1021"}, {"name": "Audit", "description": "Perform audits or scans of systems, permissions, insecure software, insecure configurations, etc. 
to identify potential weaknesses.", "url": "https://attack.mitre.org/mitigations/M1047"}, {"name": "Encrypt Sensitive Information", "description": "Protect sensitive information with strong encryption.", "url": "https://attack.mitre.org/mitigations/M1041"}]}, {"_id": "T1180", "mitigations": [{"name": "Execution Prevention", "description": "Block execution of code on a system through application whitelisting, blacklisting, and/or script blocking.", "url": "https://attack.mitre.org/mitigations/M1038"}, {"name": "Disable or Remove Feature or Program", "description": "Remove or deny access to unnecessary and potentially vulnerable software to prevent abuse by adversaries.", "url": "https://attack.mitre.org/mitigations/M1042"}]}, {"_id": "T1165", "mitigations": [{"name": "User Account Management", "description": "Manage the creation, modification, use, and permissions associated to user accounts.", "url": "https://attack.mitre.org/mitigations/M1018"}, {"name": "Restrict File and Directory Permissions", "description": "Restrict access by setting directory and file permissions that are not specific to users or privileged accounts.", "url": "https://attack.mitre.org/mitigations/M1022"}]}, {"_id": "T1137", "mitigations": [{"name": "Disable or Remove Feature or Program", "description": "Remove or deny access to unnecessary and potentially vulnerable software to prevent abuse by adversaries.", "url": "https://attack.mitre.org/mitigations/M1042"}, {"name": "Update Software", "description": "Perform regular software updates to mitigate exploitation risk.", "url": "https://attack.mitre.org/mitigations/M1051"}, {"name": "Software Configuration", "description": "Implement configuration changes to software (other than the operating system) to mitigate security risks associated to how the software operates.", "url": "https://attack.mitre.org/mitigations/M1054"}]}, {"_id": "T1089", "mitigations": [{"name": "User Account Management", "description": "Manage the creation, modification, 
use, and permissions associated to user accounts.", "url": "https://attack.mitre.org/mitigations/M1018"}, {"name": "Restrict File and Directory Permissions", "description": "Restrict access by setting directory and file permissions that are not specific to users or privileged accounts.", "url": "https://attack.mitre.org/mitigations/M1022"}]}, {"_id": "T1487", "mitigations": [{"name": "Data Backup", "description": "Take and store data backups from end user systems and critical servers. Ensure backup and storage systems are hardened and kept separate from the corporate network to prevent compromise.", "url": "https://attack.mitre.org/mitigations/M1053"}]}, {"_id": "T1214", "mitigations": [{"name": "Privileged Account Management", "description": "Manage the creation, modification, use, and permissions associated to privileged accounts, including SYSTEM and root.", "url": "https://attack.mitre.org/mitigations/M1026"}, {"name": "Audit", "description": "Perform audits or scans of systems, permissions, insecure software, insecure configurations, etc. 
to identify potential weaknesses.", "url": "https://attack.mitre.org/mitigations/M1047"}, {"name": "Password Policies", "description": "Set and enforce secure password policies for accounts.", "url": "https://attack.mitre.org/mitigations/M1027"}]}, {"_id": "T1119", "mitigations": [{"name": "Remote Data Storage", "description": "Use remote security log and sensitive file storage where access can be controlled better to prevent exposure of intrusion detection log data or sensitive information.", "url": "https://attack.mitre.org/mitigations/M1029"}, {"name": "Encrypt Sensitive Information", "description": "Protect sensitive information with strong encryption.", "url": "https://attack.mitre.org/mitigations/M1041"}]}, {"_id": "T1115", "mitigations": [{"name": "Clipboard Data Mitigation", "description": "Instead of blocking software based on clipboard capture behavior, identify potentially malicious software that may contain this functionality, and audit and/or block it by using whitelisting (Citation: Beechey 2010) tools, like AppLocker, (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) or Software Restriction Policies (Citation: Corio 2008) where appropriate. 
(Citation: TechNet Applocker vs SRP)", "url": ""}]}, {"_id": "T1103", "mitigations": [{"name": "Update Software", "description": "Perform regular software updates to mitigate exploitation risk.", "url": "https://attack.mitre.org/mitigations/M1051"}, {"name": "Execution Prevention", "description": "Block execution of code on a system through application whitelisting, blacklisting, and/or script blocking.", "url": "https://attack.mitre.org/mitigations/M1038"}]}, {"_id": "T1007", "mitigations": [{"name": "System Service Discovery Mitigation", "description": "Identify unnecessary system utilities or potentially malicious software that may be used to acquire information about services, and audit and/or block them by using whitelisting (Citation: Beechey 2010) tools, like AppLocker, (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) or Software Restriction Policies (Citation: Corio 2008) where appropriate. (Citation: TechNet Applocker vs SRP)", "url": ""}]}, {"_id": "T1040", "mitigations": [{"name": "Multi-factor Authentication", "description": "Use two or more pieces of evidence to authenticate to a system; such as username and password in addition to a token from a physical smart card or token generator.", "url": "https://attack.mitre.org/mitigations/M1032"}, {"name": "Encrypt Sensitive Information", "description": "Protect sensitive information with strong encryption.", "url": "https://attack.mitre.org/mitigations/M1041"}]}, {"_id": "T1017", "mitigations": [{"name": "Privileged Account Management", "description": "Manage the creation, modification, use, and permissions associated to privileged accounts, including SYSTEM and root.", "url": "https://attack.mitre.org/mitigations/M1026"}, {"name": "Multi-factor Authentication", "description": "Use two or more pieces of evidence to authenticate to a system; such as username and password in addition to a token from a physical smart card or token generator.", "url": 
"https://attack.mitre.org/mitigations/M1032"}, {"name": "Code Signing", "description": "Enforce binary and application integrity with digital signature verification to prevent untrusted code from executing.", "url": "https://attack.mitre.org/mitigations/M1045"}, {"name": "Network Segmentation", "description": "Architect sections of the network to isolate critical systems, functions, or resources. Use physical and logical segmentation to prevent access to potentially sensitive systems and information. Use a DMZ to contain any internet-facing services that should not be exposed from the internal network.", "url": "https://attack.mitre.org/mitigations/M1030"}, {"name": "Update Software", "description": "Perform regular software updates to mitigate exploitation risk.", "url": "https://attack.mitre.org/mitigations/M1051"}]}, {"_id": "T1530", "mitigations": [{"name": "User Account Management", "description": "Manage the creation, modification, use, and permissions associated to user accounts.", "url": "https://attack.mitre.org/mitigations/M1018"}, {"name": "Encrypt Sensitive Information", "description": "Protect sensitive information with strong encryption.", "url": "https://attack.mitre.org/mitigations/M1041"}, {"name": "Restrict File and Directory Permissions", "description": "Restrict access by setting directory and file permissions that are not specific to users or privileged accounts.", "url": "https://attack.mitre.org/mitigations/M1022"}, {"name": "Filter Network Traffic", "description": "Use network appliances to filter ingress or egress traffic and perform protocol-based filtering. Configure software on endpoints to filter network traffic.", "url": "https://attack.mitre.org/mitigations/M1037"}, {"name": "Audit", "description": "Perform audits or scans of systems, permissions, insecure software, insecure configurations, etc. 
to identify potential weaknesses.", "url": "https://attack.mitre.org/mitigations/M1047"}, {"name": "Multi-factor Authentication", "description": "Use two or more pieces of evidence to authenticate to a system; such as username and password in addition to a token from a physical smart card or token generator.", "url": "https://attack.mitre.org/mitigations/M1032"}]}, {"_id": "T1135", "mitigations": [{"name": "Network Share Discovery Mitigation", "description": "Identify unnecessary system utilities or potentially malicious software that may be used to acquire network share information, and audit and/or block them by using whitelisting (Citation: Beechey 2010) tools, like AppLocker, (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) or Software Restriction Policies (Citation: Corio 2008) where appropriate. (Citation: TechNet Applocker vs SRP)", "url": ""}]}, {"_id": "T1120", "mitigations": [{"name": "Peripheral Device Discovery Mitigation", "description": "Identify unnecessary system utilities or potentially malicious software that may be used to acquire information about peripheral devices, and audit and/or block them by using whitelisting (Citation: Beechey 2010) tools, like AppLocker, (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) or Software Restriction Policies (Citation: Corio 2008) where appropriate. (Citation: TechNet Applocker vs SRP)", "url": ""}]}, {"_id": "T1082", "mitigations": [{"name": "System Information Discovery Mitigation", "description": "Identify unnecessary system utilities or potentially malicious software that may be used to acquire information about the operating system and underlying hardware, and audit and/or block them by using whitelisting (Citation: Beechey 2010) tools, like AppLocker, (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) or Software Restriction Policies (Citation: Corio 2008) where appropriate. 
(Citation: TechNet Applocker vs SRP)", "url": ""}]}, {"_id": "T1071", "mitigations": [{"name": "Network Intrusion Prevention", "description": "Use intrusion detection signatures to block traffic at network boundaries.", "url": "https://attack.mitre.org/mitigations/M1031"}]}, {"_id": "T1053", "mitigations": [{"name": "User Account Management", "description": "Manage the creation, modification, use, and permissions associated to user accounts.", "url": "https://attack.mitre.org/mitigations/M1018"}, {"name": "Operating System Configuration", "description": "Make configuration changes related to the operating system or a common feature of the operating system that result in system hardening against techniques.", "url": "https://attack.mitre.org/mitigations/M1028"}, {"name": "Privileged Account Management", "description": "Manage the creation, modification, use, and permissions associated to privileged accounts, including SYSTEM and root.", "url": "https://attack.mitre.org/mitigations/M1026"}, {"name": "Audit", "description": "Perform audits or scans of systems, permissions, insecure software, insecure configurations, etc. 
to identify potential weaknesses.", "url": "https://attack.mitre.org/mitigations/M1047"}]}, {"_id": "T1162", "mitigations": [{"name": "User Account Management", "description": "Manage the creation, modification, use, and permissions associated to user accounts.", "url": "https://attack.mitre.org/mitigations/M1018"}, {"name": "User Training", "description": "Train users to to be aware of access or manipulation attempts by an adversary to reduce the risk of successful spearphishing, social engineering, and other techniques that involve user interaction.", "url": "https://attack.mitre.org/mitigations/M1017"}]}, {"_id": "T1176", "mitigations": [{"name": "Limit Software Installation", "description": "Block users or groups from installing unapproved software.", "url": "https://attack.mitre.org/mitigations/M1033"}, {"name": "Audit", "description": "Perform audits or scans of systems, permissions, insecure software, insecure configurations, etc. to identify potential weaknesses.", "url": "https://attack.mitre.org/mitigations/M1047"}, {"name": "User Training", "description": "Train users to to be aware of access or manipulation attempts by an adversary to reduce the risk of successful spearphishing, social engineering, and other techniques that involve user interaction.", "url": "https://attack.mitre.org/mitigations/M1017"}, {"name": "Execution Prevention", "description": "Block execution of code on a system through application whitelisting, blacklisting, and/or script blocking.", "url": "https://attack.mitre.org/mitigations/M1038"}]}, {"_id": "T1106", "mitigations": [{"name": "Execution Prevention", "description": "Block execution of code on a system through application whitelisting, blacklisting, and/or script blocking.", "url": "https://attack.mitre.org/mitigations/M1038"}]}, {"_id": "T1058", "mitigations": [{"name": "Restrict Registry Permissions", "description": "Restrict the ability to modify certain hives or keys in the Windows Registry.", "url": 
"https://attack.mitre.org/mitigations/M1024"}]}, {"_id": "T1202", "mitigations": [{"name": "Indirect Command Execution Mitigation", "description": "Identify or block potentially malicious software that may contain abusive functionality by using whitelisting (Citation: Beechey 2010) tools, like AppLocker, (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) or Software Restriction Policies (Citation: Corio 2008) where appropriate. (Citation: TechNet Applocker vs SRP). These mechanisms can also be used to disable and/or limit user access to Windows utilities and file types/locations used to invoke malicious execution.(Citation: SpectorOPs SettingContent-ms Jun 2018)", "url": ""}]}, {"_id": "T1024", "mitigations": [{"name": "Network Intrusion Prevention", "description": "Use intrusion detection signatures to block traffic at network boundaries.", "url": "https://attack.mitre.org/mitigations/M1031"}]}, {"_id": "T1536", "mitigations": []}, {"_id": "T1091", "mitigations": [{"name": "Disable or Remove Feature or Program", "description": "Remove or deny access to unnecessary and potentially vulnerable software to prevent abuse by adversaries.", "url": "https://attack.mitre.org/mitigations/M1042"}, {"name": "Limit Hardware Installation", "description": "Block users or groups from installing or using unapproved hardware on systems, including USB devices.", "url": "https://attack.mitre.org/mitigations/M1034"}]}, {"_id": "T1005", "mitigations": [{"name": "Data from Local System Mitigation", "description": "Identify unnecessary system utilities or potentially malicious software that may be used to collect data from the local system, and audit and/or block them by using whitelisting (Citation: Beechey 2010) tools, like AppLocker, (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) or Software Restriction Policies (Citation: Corio 2008) where appropriate. 
(Citation: TechNet Applocker vs SRP)", "url": ""}]}, {"_id": "T1140", "mitigations": [{"name": "Deobfuscate/Decode Files or Information Mitigation", "description": "Identify unnecessary system utilities or potentially malicious software that may be used to deobfuscate or decode files or information, and audit and/or block them by using whitelisting (Citation: Beechey 2010) tools, like AppLocker, (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) or Software Restriction Policies (Citation: Corio 2008) where appropriate. (Citation: TechNet Applocker vs SRP)", "url": ""}]}, {"_id": "T1195", "mitigations": [{"name": "Update Software", "description": "Perform regular software updates to mitigate exploitation risk.", "url": "https://attack.mitre.org/mitigations/M1051"}, {"name": "Vulnerability Scanning", "description": "Vulnerability scanning is used to find potentially exploitable software vulnerabilities to remediate them.", "url": "https://attack.mitre.org/mitigations/M1016"}]}, {"_id": "T1190", "mitigations": [{"name": "Application Isolation and Sandboxing", "description": "Restrict execution of code to a virtual environment on or in transit to an endpoint system.", "url": "https://attack.mitre.org/mitigations/M1048"}, {"name": "Network Segmentation", "description": "Architect sections of the network to isolate critical systems, functions, or resources. Use physical and logical segmentation to prevent access to potentially sensitive systems and information. 
Use a DMZ to contain any internet-facing services that should not be exposed from the internal network.", "url": "https://attack.mitre.org/mitigations/M1030"}, {"name": "Vulnerability Scanning", "description": "Vulnerability scanning is used to find potentially exploitable software vulnerabilities to remediate them.", "url": "https://attack.mitre.org/mitigations/M1016"}, {"name": "Privileged Account Management", "description": "Manage the creation, modification, use, and permissions associated to privileged accounts, including SYSTEM and root.", "url": "https://attack.mitre.org/mitigations/M1026"}, {"name": "Exploit Protection", "description": "Use capabilities to detect and block conditions that may lead to or be indicative of a software exploit occurring.", "url": "https://attack.mitre.org/mitigations/M1050"}, {"name": "Update Software", "description": "Perform regular software updates to mitigate exploitation risk.", "url": "https://attack.mitre.org/mitigations/M1051"}]}, {"_id": "T1219", "mitigations": [{"name": "Execution Prevention", "description": "Block execution of code on a system through application whitelisting, blacklisting, and/or script blocking.", "url": "https://attack.mitre.org/mitigations/M1038"}, {"name": "Filter Network Traffic", "description": "Use network appliances to filter ingress or egress traffic and perform protocol-based filtering. 
Configure software on endpoints to filter network traffic.", "url": "https://attack.mitre.org/mitigations/M1037"}, {"name": "Network Intrusion Prevention", "description": "Use intrusion detection signatures to block traffic at network boundaries.", "url": "https://attack.mitre.org/mitigations/M1031"}]}, {"_id": "T1079", "mitigations": [{"name": "Network Intrusion Prevention", "description": "Use intrusion detection signatures to block traffic at network boundaries.", "url": "https://attack.mitre.org/mitigations/M1031"}]}, {"_id": "T1036", "mitigations": [{"name": "Code Signing", "description": "Enforce binary and application integrity with digital signature verification to prevent untrusted code from executing.", "url": "https://attack.mitre.org/mitigations/M1045"}, {"name": "Restrict File and Directory Permissions", "description": "Restrict access by setting directory and file permissions that are not specific to users or privileged accounts.", "url": "https://attack.mitre.org/mitigations/M1022"}, {"name": "Execution Prevention", "description": "Block execution of code on a system through application whitelisting, blacklisting, and/or script blocking.", "url": "https://attack.mitre.org/mitigations/M1038"}]}, {"_id": "T1055", "mitigations": [{"name": "Behavior Prevention on Endpoint", "description": "Use capabilities to prevent suspicious behavior patterns from occurring on endpoint systems. This could include suspicious process, file, API call, etc. 
behavior.", "url": "https://attack.mitre.org/mitigations/M1040"}, {"name": "Privileged Account Management", "description": "Manage the creation, modification, use, and permissions associated to privileged accounts, including SYSTEM and root.", "url": "https://attack.mitre.org/mitigations/M1026"}]}, {"_id": "T1139", "mitigations": [{"name": "Operating System Configuration", "description": "Make configuration changes related to the operating system or a common feature of the operating system that result in system hardening against techniques.", "url": "https://attack.mitre.org/mitigations/M1028"}]}, {"_id": "T1205", "mitigations": [{"name": "Filter Network Traffic", "description": "Use network appliances to filter ingress or egress traffic and perform protocol-based filtering. Configure software on endpoints to filter network traffic.", "url": "https://attack.mitre.org/mitigations/M1037"}]}, {"_id": "T1503", "mitigations": [{"name": "Password Policies", "description": "Set and enforce secure password policies for accounts.", "url": "https://attack.mitre.org/mitigations/M1027"}]}, {"_id": "T1218", "mitigations": [{"name": "Privileged Account Management", "description": "Manage the creation, modification, use, and permissions associated to privileged accounts, including SYSTEM and root.", "url": "https://attack.mitre.org/mitigations/M1026"}, {"name": "Execution Prevention", "description": "Block execution of code on a system through application whitelisting, blacklisting, and/or script blocking.", "url": "https://attack.mitre.org/mitigations/M1038"}]}, {"_id": "T1153", "mitigations": [{"name": "Source Mitigation", "description": "Due to potential legitimate uses of source commands, it's may be difficult to mitigate use of this technique.", "url": ""}]}, {"_id": "T1038", "mitigations": [{"name": "Audit", "description": "Perform audits or scans of systems, permissions, insecure software, insecure configurations, etc. 
to identify potential weaknesses.", "url": "https://attack.mitre.org/mitigations/M1047"}, {"name": "Execution Prevention", "description": "Block execution of code on a system through application whitelisting, blacklisting, and/or script blocking.", "url": "https://attack.mitre.org/mitigations/M1038"}, {"name": "Restrict Library Loading", "description": "Prevent abuse of library loading mechanisms in the operating system and software to load untrusted code by configuring appropriate library loading mechanisms and investigating potential vulnerable software.", "url": "https://attack.mitre.org/mitigations/M1044"}]}, {"_id": "T1050", "mitigations": [{"name": "User Account Management", "description": "Manage the creation, modification, use, and permissions associated to user accounts.", "url": "https://attack.mitre.org/mitigations/M1018"}]}, {"_id": "T1010", "mitigations": [{"name": "Application Window Discovery Mitigation", "description": "Identify unnecessary system utilities or potentially malicious software that may be used to acquire information, and audit and/or block them by using whitelisting (Citation: Beechey 2010) tools, like AppLocker, (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) or Software Restriction Policies (Citation: Corio 2008) where appropriate. 
(Citation: TechNet Applocker vs SRP)", "url": ""}]}, {"_id": "T1032", "mitigations": [{"name": "Network Intrusion Prevention", "description": "Use intrusion detection signatures to block traffic at network boundaries.", "url": "https://attack.mitre.org/mitigations/M1031"}, {"name": "SSL/TLS Inspection", "description": "Break and inspect SSL/TLS sessions to look at encrypted web traffic for adversary activity.", "url": "https://attack.mitre.org/mitigations/M1020"}]}, {"_id": "T1062", "mitigations": [{"name": "Hypervisor Mitigation", "description": "Prevent adversary access to privileged accounts necessary to install a hypervisor.", "url": ""}]}, {"_id": "T1182", "mitigations": [{"name": "Execution Prevention", "description": "Block execution of code on a system through application whitelisting, blacklisting, and/or script blocking.", "url": "https://attack.mitre.org/mitigations/M1038"}]}, {"_id": "T1029", "mitigations": [{"name": "Network Intrusion Prevention", "description": "Use intrusion detection signatures to block traffic at network boundaries.", "url": "https://attack.mitre.org/mitigations/M1031"}]}, {"_id": "T1525", "mitigations": [{"name": "Code Signing", "description": "Enforce binary and application integrity with digital signature verification to prevent untrusted code from executing.", "url": "https://attack.mitre.org/mitigations/M1045"}, {"name": "Privileged Account Management", "description": "Manage the creation, modification, use, and permissions associated to privileged accounts, including SYSTEM and root.", "url": "https://attack.mitre.org/mitigations/M1026"}, {"name": "Audit", "description": "Perform audits or scans of systems, permissions, insecure software, insecure configurations, etc. 
to identify potential weaknesses.", "url": "https://attack.mitre.org/mitigations/M1047"}]}, {"_id": "T1004", "mitigations": [{"name": "User Account Management", "description": "Manage the creation, modification, use, and permissions associated to user accounts.", "url": "https://attack.mitre.org/mitigations/M1018"}, {"name": "Execution Prevention", "description": "Block execution of code on a system through application whitelisting, blacklisting, and/or script blocking.", "url": "https://attack.mitre.org/mitigations/M1038"}]}, {"_id": "T1009", "mitigations": [{"name": "Binary Padding Mitigation", "description": "Identify potentially malicious software that may be executed from a padded or otherwise obfuscated binary, and audit and/or block it by using whitelisting (Citation: Beechey 2010) tools, like AppLocker, (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) or Software Restriction Policies (Citation: Corio 2008) where appropriate. (Citation: TechNet Applocker vs SRP)", "url": ""}]}, {"_id": "T1076", "mitigations": [{"name": "Audit", "description": "Perform audits or scans of systems, permissions, insecure software, insecure configurations, etc. to identify potential weaknesses.", "url": "https://attack.mitre.org/mitigations/M1047"}, {"name": "Limit Access to Resource Over Network", "description": "Prevent access to file shares, remote access to systems, unnecessary services. 
Mechanisms to limit access may include use of network concentrators, RDP gateways, etc.", "url": "https://attack.mitre.org/mitigations/M1035"}, {"name": "Multi-factor Authentication", "description": "Use two or more pieces of evidence to authenticate to a system; such as username and password in addition to a token from a physical smart card or token generator.", "url": "https://attack.mitre.org/mitigations/M1032"}, {"name": "Privileged Account Management", "description": "Manage the creation, modification, use, and permissions associated to privileged accounts, including SYSTEM and root.", "url": "https://attack.mitre.org/mitigations/M1026"}, {"name": "Operating System Configuration", "description": "Make configuration changes related to the operating system or a common feature of the operating system that result in system hardening against techniques.", "url": "https://attack.mitre.org/mitigations/M1028"}, {"name": "User Account Management", "description": "Manage the creation, modification, use, and permissions associated to user accounts.", "url": "https://attack.mitre.org/mitigations/M1018"}, {"name": "Network Segmentation", "description": "Architect sections of the network to isolate critical systems, functions, or resources. Use physical and logical segmentation to prevent access to potentially sensitive systems and information. 
Use a DMZ to contain any internet-facing services that should not be exposed from the internal network.", "url": "https://attack.mitre.org/mitigations/M1030"}, {"name": "Disable or Remove Feature or Program", "description": "Remove or deny access to unnecessary and potentially vulnerable software to prevent abuse by adversaries.", "url": "https://attack.mitre.org/mitigations/M1042"}]}, {"_id": "T1011", "mitigations": [{"name": "Operating System Configuration", "description": "Make configuration changes related to the operating system or a common feature of the operating system that result in system hardening against techniques.", "url": "https://attack.mitre.org/mitigations/M1028"}]}, {"_id": "T1131", "mitigations": [{"name": "Privileged Process Integrity", "description": "Protect processes with high privileges that can be used to interact with critical system components through use of protected process light, anti-process injection defenses, or other process integrity enforcement measures.", "url": "https://attack.mitre.org/mitigations/M1025"}]}, {"_id": "T1181", "mitigations": [{"name": "Extra Window Memory Injection Mitigation", "description": "This type of attack technique cannot be easily mitigated with preventive controls since it is based on the abuse of operating system design features. For example, mitigating specific API calls will likely have unintended side effects, such as preventing legitimate software (i.e., security products) from operating properly. 
Efforts should be focused on preventing adversary tools from running earlier in the chain of activity and on identifying subsequent malicious behavior.", "url": ""}]}, {"_id": "T1152", "mitigations": [{"name": "User Account Management", "description": "Manage the creation, modification, use, and permissions associated to user accounts.", "url": "https://attack.mitre.org/mitigations/M1018"}]}, {"_id": "T1483", "mitigations": [{"name": "Restrict Web-Based Content", "description": "Restrict use of certain websites, block downloads/attachments, block Javascript, restrict browser extensions, etc.", "url": "https://attack.mitre.org/mitigations/M1021"}, {"name": "Network Intrusion Prevention", "description": "Use intrusion detection signatures to block traffic at network boundaries.", "url": "https://attack.mitre.org/mitigations/M1031"}]}, {"_id": "T1185", "mitigations": [{"name": "User Training", "description": "Train users to to be aware of access or manipulation attempts by an adversary to reduce the risk of successful spearphishing, social engineering, and other techniques that involve user interaction.", "url": "https://attack.mitre.org/mitigations/M1017"}, {"name": "User Account Management", "description": "Manage the creation, modification, use, and permissions associated to user accounts.", "url": "https://attack.mitre.org/mitigations/M1018"}]}, {"_id": "T1021", "mitigations": [{"name": "User Account Management", "description": "Manage the creation, modification, use, and permissions associated to user accounts.", "url": "https://attack.mitre.org/mitigations/M1018"}, {"name": "Multi-factor Authentication", "description": "Use two or more pieces of evidence to authenticate to a system; such as username and password in addition to a token from a physical smart card or token generator.", "url": "https://attack.mitre.org/mitigations/M1032"}]}, {"_id": "T1207", "mitigations": [{"name": "DCShadow Mitigation", "description": "This type of attack technique cannot be 
easily mitigated with preventive controls since it is based on the abuse of AD design features. For example, mitigating specific AD API calls will likely have unintended side effects, such as preventing DC replication from operating properly. Efforts should be focused on preventing adversary tools from running earlier in the chain of activity and on identification of subsequent malicious behavior.", "url": ""}]}, {"_id": "T1107", "mitigations": [{"name": "File Deletion Mitigation", "description": "Identify unnecessary system utilities, third-party tools, or potentially malicious software that may be used to delete files, and audit and/or block them by using whitelisting (Citation: Beechey 2010) tools like AppLocker (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) or Software Restriction Policies (Citation: Corio 2008) where appropriate. (Citation: TechNet Applocker vs SRP)", "url": ""}]}, {"_id": "T1145", "mitigations": [{"name": "Password Policies", "description": "Set and enforce secure password policies for accounts.", "url": "https://attack.mitre.org/mitigations/M1027"}, {"name": "Audit", "description": "Perform audits or scans of systems, permissions, insecure software, insecure configurations, etc. to identify potential weaknesses.", "url": "https://attack.mitre.org/mitigations/M1047"}, {"name": "Encrypt Sensitive Information", "description": "Protect sensitive information with strong encryption.", "url": "https://attack.mitre.org/mitigations/M1041"}, {"name": "Network Segmentation", "description": "Architect sections of the network to isolate critical systems, functions, or resources. Use physical and logical segmentation to prevent access to potentially sensitive systems and information. 
Use a DMZ to contain any internet-facing services that should not be exposed from the internal network.", "url": "https://attack.mitre.org/mitigations/M1030"}, {"name": "Restrict File and Directory Permissions", "description": "Restrict access by setting directory and file permissions that are not specific to users or privileged accounts.", "url": "https://attack.mitre.org/mitigations/M1022"}]}, {"_id": "T1112", "mitigations": [{"name": "Restrict Registry Permissions", "description": "Restrict the ability to modify certain hives or keys in the Windows Registry.", "url": "https://attack.mitre.org/mitigations/M1024"}]}, {"_id": "T1491", "mitigations": [{"name": "Data Backup", "description": "Take and store data backups from end user systems and critical servers. Ensure backup and storage systems are hardened and kept separate from the corporate network to prevent compromise.", "url": "https://attack.mitre.org/mitigations/M1053"}]}, {"_id": "T1535", "mitigations": [{"name": "Software Configuration", "description": "Implement configuration changes to software (other than the operating system) to mitigate security risks associated to how the software operates.", "url": "https://attack.mitre.org/mitigations/M1054"}]}, {"_id": "T1155", "mitigations": [{"name": "Code Signing", "description": "Enforce binary and application integrity with digital signature verification to prevent untrusted code from executing.", "url": "https://attack.mitre.org/mitigations/M1045"}]}, {"_id": "T1217", "mitigations": [{"name": "Browser Bookmark Discovery Mitigation", "description": "File system activity is a common part of an operating system, so it is unlikely that mitigation would be appropriate for this technique. For example, mitigating accesses to browser bookmark files will likely have unintended side effects such as preventing legitimate software from operating properly. 
Efforts should be focused on preventing adversary tools from running earlier in the chain of activity and on identification of subsequent malicious behavior. It may still be beneficial to identify and block unnecessary system utilities or potentially malicious software by using whitelisting (Citation: Beechey 2010) tools, like AppLocker, (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) or Software Restriction Policies (Citation: Corio 2008) where appropriate. (Citation: TechNet Applocker vs SRP)", "url": ""}]}, {"_id": "T1183", "mitigations": [{"name": "Image File Execution Options Injection Mitigation", "description": "This type of attack technique cannot be easily mitigated with preventive controls since it is based on the abuse of operating system design features. For example, mitigating all IFEO will likely have unintended side effects, such as preventing legitimate software (i.e., security products) from operating properly. (Citation: Microsoft IFEOorMalware July 2015) Efforts should be focused on preventing adversary tools from running earlier in the chain of activity and on identifying subsequent malicious behavior.", "url": ""}]}, {"_id": "T1085", "mitigations": [{"name": "Exploit Protection", "description": "Use capabilities to detect and block conditions that may lead to or be indicative of a software exploit occurring.", "url": "https://attack.mitre.org/mitigations/M1050"}]}, {"_id": "T1031", "mitigations": [{"name": "Audit", "description": "Perform audits or scans of systems, permissions, insecure software, insecure configurations, etc. 
to identify potential weaknesses.", "url": "https://attack.mitre.org/mitigations/M1047"}, {"name": "User Account Management", "description": "Manage the creation, modification, use, and permissions associated to user accounts.", "url": "https://attack.mitre.org/mitigations/M1018"}]}, {"_id": "T1092", "mitigations": [{"name": "Disable or Remove Feature or Program", "description": "Remove or deny access to unnecessary and potentially vulnerable software to prevent abuse by adversaries.", "url": "https://attack.mitre.org/mitigations/M1042"}, {"name": "Operating System Configuration", "description": "Make configuration changes related to the operating system or a common feature of the operating system that result in system hardening against techniques.", "url": "https://attack.mitre.org/mitigations/M1028"}]}, {"_id": "T1222", "mitigations": [{"name": "File Permissions Modification Mitigation", "description": "This type of technique cannot be easily mitigated with preventive controls since it is based on the abuse of operating system design features. Efforts should be focused on preventing adversary tools from running earlier in the chain of activity and on identification of subsequent malicious behavior.", "url": ""}]}, {"_id": "T1179", "mitigations": [{"name": "Hooking Mitigation", "description": "This type of attack technique cannot be easily mitigated with preventive controls since it is based on the abuse of operating system design features. For example, mitigating all hooking will likely have unintended side effects, such as preventing legitimate software (i.e., security products) from operating properly. 
Efforts should be focused on preventing adversary tools from running earlier in the chain of activity and on identifying subsequent malicious behavior.", "url": ""}]}, {"_id": "T1019", "mitigations": [{"name": "Update Software", "description": "Perform regular software updates to mitigate exploitation risk.", "url": "https://attack.mitre.org/mitigations/M1051"}, {"name": "Boot Integrity", "description": "Use secure methods to boot a system and verify the integrity of the operating system and loading mechanisms.", "url": "https://attack.mitre.org/mitigations/M1046"}, {"name": "Privileged Account Management", "description": "Manage the creation, modification, use, and permissions associated to privileged accounts, including SYSTEM and root.", "url": "https://attack.mitre.org/mitigations/M1026"}]}, {"_id": "T1042", "mitigations": [{"name": "Change Default File Association Mitigation", "description": "Direct mitigation of this technique is not recommended since it is a legitimate function that can be performed by users for software preferences. Follow Microsoft's best practices for file associations. 
(Citation: MSDN File Associations)", "url": ""}]}, {"_id": "T1117", "mitigations": [{"name": "Exploit Protection", "description": "Use capabilities to detect and block conditions that may lead to or be indicative of a software exploit occurring.", "url": "https://attack.mitre.org/mitigations/M1050"}]}, {"_id": "T1164", "mitigations": [{"name": "Disable or Remove Feature or Program", "description": "Remove or deny access to unnecessary and potentially vulnerable software to prevent abuse by adversaries.", "url": "https://attack.mitre.org/mitigations/M1042"}, {"name": "User Training", "description": "Train users to to be aware of access or manipulation attempts by an adversary to reduce the risk of successful spearphishing, social engineering, and other techniques that involve user interaction.", "url": "https://attack.mitre.org/mitigations/M1017"}]}, {"_id": "T1054", "mitigations": [{"name": "User Account Management", "description": "Manage the creation, modification, use, and permissions associated to user accounts.", "url": "https://attack.mitre.org/mitigations/M1018"}, {"name": "Restrict File and Directory Permissions", "description": "Restrict access by setting directory and file permissions that are not specific to users or privileged accounts.", "url": "https://attack.mitre.org/mitigations/M1022"}, {"name": "Software Configuration", "description": "Implement configuration changes to software (other than the operating system) to mitigate security risks associated to how the software operates.", "url": "https://attack.mitre.org/mitigations/M1054"}]}, {"_id": "T1108", "mitigations": [{"name": "Network Intrusion Prevention", "description": "Use intrusion detection signatures to block traffic at network boundaries.", "url": "https://attack.mitre.org/mitigations/M1031"}]}, {"_id": "T1193", "mitigations": [{"name": "Antivirus/Antimalware", "description": "Use signatures or heuristics to detect malicious software.", "url": 
"https://attack.mitre.org/mitigations/M1049"}, {"name": "Network Intrusion Prevention", "description": "Use intrusion detection signatures to block traffic at network boundaries.", "url": "https://attack.mitre.org/mitigations/M1031"}, {"name": "Restrict Web-Based Content", "description": "Restrict use of certain websites, block downloads/attachments, block Javascript, restrict browser extensions, etc.", "url": "https://attack.mitre.org/mitigations/M1021"}, {"name": "User Training", "description": "Train users to to be aware of access or manipulation attempts by an adversary to reduce the risk of successful spearphishing, social engineering, and other techniques that involve user interaction.", "url": "https://attack.mitre.org/mitigations/M1017"}]}, {"_id": "T1215", "mitigations": [{"name": "Antivirus/Antimalware", "description": "Use signatures or heuristics to detect malicious software.", "url": "https://attack.mitre.org/mitigations/M1049"}, {"name": "Execution Prevention", "description": "Block execution of code on a system through application whitelisting, blacklisting, and/or script blocking.", "url": "https://attack.mitre.org/mitigations/M1038"}, {"name": "Privileged Account Management", "description": "Manage the creation, modification, use, and permissions associated to privileged accounts, including SYSTEM and root.", "url": "https://attack.mitre.org/mitigations/M1026"}]}, {"_id": "T1101", "mitigations": [{"name": "Privileged Process Integrity", "description": "Protect processes with high privileges that can be used to interact with critical system components through use of protected process light, anti-process injection defenses, or other process integrity enforcement measures.", "url": "https://attack.mitre.org/mitigations/M1025"}]}, {"_id": "T1177", "mitigations": [{"name": "Restrict Library Loading", "description": "Prevent abuse of library loading mechanisms in the operating system and software to load untrusted code by configuring appropriate library 
loading mechanisms and investigating potential vulnerable software.", "url": "https://attack.mitre.org/mitigations/M1044"}, {"name": "Credential Access Protection", "description": "Use capabilities to prevent successful credential access by adversaries; including blocking forms of credential dumping.", "url": "https://attack.mitre.org/mitigations/M1043"}, {"name": "Code Signing", "description": "Enforce binary and application integrity with digital signature verification to prevent untrusted code from executing.", "url": "https://attack.mitre.org/mitigations/M1045"}]}, {"_id": "T1125", "mitigations": [{"name": "Video Capture Mitigation", "description": "Mitigating this technique specifically may be difficult as it requires fine-grained API control. Efforts should be focused on preventing unwanted or unknown code from executing on a system.", "url": ""}]}, {"_id": "T1144", "mitigations": [{"name": "Execution Prevention", "description": "Block execution of code on a system through application whitelisting, blacklisting, and/or script blocking.", "url": "https://attack.mitre.org/mitigations/M1038"}]}, {"_id": "T1045", "mitigations": [{"name": "Antivirus/Antimalware", "description": "Use signatures or heuristics to detect malicious software.", "url": "https://attack.mitre.org/mitigations/M1049"}]}, {"_id": "T1016", "mitigations": [{"name": "System Network Configuration Discovery Mitigation", "description": "Identify unnecessary system utilities or potentially malicious software that may be used to acquire information about a system's network configuration, and audit and/or block them by using whitelisting (Citation: Beechey 2010) tools, like AppLocker, (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) or Software Restriction Policies (Citation: Corio 2008) where appropriate. 
(Citation: TechNet Applocker vs SRP)", "url": ""}]}, {"_id": "T1504", "mitigations": [{"name": "Code Signing", "description": "Enforce binary and application integrity with digital signature verification to prevent untrusted code from executing.", "url": "https://attack.mitre.org/mitigations/M1045"}, {"name": "Restrict File and Directory Permissions", "description": "Restrict access by setting directory and file permissions that are not specific to users or privileged accounts.", "url": "https://attack.mitre.org/mitigations/M1022"}, {"name": "Software Configuration", "description": "Implement configuration changes to software (other than the operating system) to mitigate security risks associated to how the software operates.", "url": "https://attack.mitre.org/mitigations/M1054"}]}, {"_id": "T1198", "mitigations": [{"name": "Execution Prevention", "description": "Block execution of code on a system through application whitelisting, blacklisting, and/or script blocking.", "url": "https://attack.mitre.org/mitigations/M1038"}, {"name": "Restrict Registry Permissions", "description": "Restrict the ability to modify certain hives or keys in the Windows Registry.", "url": "https://attack.mitre.org/mitigations/M1024"}, {"name": "Restrict File and Directory Permissions", "description": "Restrict access by setting directory and file permissions that are not specific to users or privileged accounts.", "url": "https://attack.mitre.org/mitigations/M1022"}]}, {"_id": "T1087", "mitigations": [{"name": "Operating System Configuration", "description": "Make configuration changes related to the operating system or a common feature of the operating system that result in system hardening against techniques.", "url": "https://attack.mitre.org/mitigations/M1028"}]}, {"_id": "T1090", "mitigations": [{"name": "Network Intrusion Prevention", "description": "Use intrusion detection signatures to block traffic at network boundaries.", "url": "https://attack.mitre.org/mitigations/M1031"}]}, 
{"_id": "T1059", "mitigations": [{"name": "Execution Prevention", "description": "Block execution of code on a system through application whitelisting, blacklisting, and/or script blocking.", "url": "https://attack.mitre.org/mitigations/M1038"}]}, {"_id": "T1482", "mitigations": [{"name": "Audit", "description": "Perform audits or scans of systems, permissions, insecure software, insecure configurations, etc. to identify potential weaknesses.", "url": "https://attack.mitre.org/mitigations/M1047"}, {"name": "Network Segmentation", "description": "Architect sections of the network to isolate critical systems, functions, or resources. Use physical and logical segmentation to prevent access to potentially sensitive systems and information. Use a DMZ to contain any internet-facing services that should not be exposed from the internal network.", "url": "https://attack.mitre.org/mitigations/M1030"}]}, {"_id": "T1175", "mitigations": [{"name": "Disable or Remove Feature or Program", "description": "Remove or deny access to unnecessary and potentially vulnerable software to prevent abuse by adversaries.", "url": "https://attack.mitre.org/mitigations/M1042"}, {"name": "Network Segmentation", "description": "Architect sections of the network to isolate critical systems, functions, or resources. Use physical and logical segmentation to prevent access to potentially sensitive systems and information. 
Use a DMZ to contain any internet-facing services that should not be exposed from the internal network.", "url": "https://attack.mitre.org/mitigations/M1030"}, {"name": "Privileged Account Management", "description": "Manage the creation, modification, use, and permissions associated to privileged accounts, including SYSTEM and root.", "url": "https://attack.mitre.org/mitigations/M1026"}, {"name": "Application Isolation and Sandboxing", "description": "Restrict execution of code to a virtual environment on or in transit to an endpoint system.", "url": "https://attack.mitre.org/mitigations/M1048"}]}, {"_id": "T1020", "mitigations": [{"name": "Automated Exfiltration Mitigation", "description": "Identify unnecessary system utilities, scripts, or potentially malicious software that may be used to transfer data outside of a network, and audit and/or block them by using whitelisting (Citation: Beechey 2010) tools, like AppLocker, (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) or Software Restriction Policies (Citation: Corio 2008) where appropriate. 
(Citation: TechNet Applocker vs SRP)", "url": ""}]}, {"_id": "T1070", "mitigations": [{"name": "Encrypt Sensitive Information", "description": "Protect sensitive information with strong encryption.", "url": "https://attack.mitre.org/mitigations/M1041"}, {"name": "Remote Data Storage", "description": "Use remote security log and sensitive file storage where access can be controlled better to prevent exposure of intrusion detection log data or sensitive information.", "url": "https://attack.mitre.org/mitigations/M1029"}, {"name": "Restrict File and Directory Permissions", "description": "Restrict access by setting directory and file permissions that are not specific to users or privileged accounts.", "url": "https://attack.mitre.org/mitigations/M1022"}]}, {"_id": "T1083", "mitigations": [{"name": "File and Directory Discovery Mitigation", "description": "File system activity is a common part of an operating system, so it is unlikely that mitigation would be appropriate for this technique. It may still be beneficial to identify and block unnecessary system utilities or potentially malicious software by using whitelisting (Citation: Beechey 2010) tools, like AppLocker, (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) or Software Restriction Policies (Citation: Corio 2008) where appropriate. 
(Citation: TechNet Applocker vs SRP)", "url": ""}]}, {"_id": "T1138", "mitigations": [{"name": "User Account Control", "description": "Configure Windows User Account Control to mitigate risk of adversaries obtaining elevated process access.", "url": "https://attack.mitre.org/mitigations/M1052"}, {"name": "Update Software", "description": "Perform regular software updates to mitigate exploitation risk.", "url": "https://attack.mitre.org/mitigations/M1051"}]}, {"_id": "T1191", "mitigations": [{"name": "Disable or Remove Feature or Program", "description": "Remove or deny access to unnecessary and potentially vulnerable software to prevent abuse by adversaries.", "url": "https://attack.mitre.org/mitigations/M1042"}, {"name": "Execution Prevention", "description": "Block execution of code on a system through application whitelisting, blacklisting, and/or script blocking.", "url": "https://attack.mitre.org/mitigations/M1038"}]}, {"_id": "T1188", "mitigations": [{"name": "Filter Network Traffic", "description": "Use network appliances to filter ingress or egress traffic and perform protocol-based filtering. Configure software on endpoints to filter network traffic.", "url": "https://attack.mitre.org/mitigations/M1037"}]}, {"_id": "T1074", "mitigations": [{"name": "Data Staged Mitigation", "description": "Identify system utilities, remote access or third-party tools, users or potentially malicious software that may be used to store compressed or encrypted data in a publicly writeable directory, central location, or commonly used staging directories (e.g. recycle bin) that is indicative of non-standard behavior, and audit and/or block them by using file integrity monitoring tools where appropriate. 
Consider applying data size limits or blocking file writes of common compression and encryption utilities such as 7zip, RAR, ZIP, or zlib on frequently used staging directories or central locations and monitor attempted violations of those restrictions.", "url": ""}]}, {"_id": "T1049", "mitigations": [{"name": "System Network Connections Discovery Mitigation", "description": "Identify unnecessary system utilities or potentially malicious software that may be used to acquire information about network connections, and audit and/or block them by using whitelisting (Citation: Beechey 2010) tools, like AppLocker, (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) or Software Restriction Policies (Citation: Corio 2008) where appropriate. (Citation: TechNet Applocker vs SRP)", "url": ""}]}, {"_id": "T1064", "mitigations": [{"name": "Application Isolation and Sandboxing", "description": "Restrict execution of code to a virtual environment on or in transit to an endpoint system.", "url": "https://attack.mitre.org/mitigations/M1048"}, {"name": "Disable or Remove Feature or Program", "description": "Remove or deny access to unnecessary and potentially vulnerable software to prevent abuse by adversaries.", "url": "https://attack.mitre.org/mitigations/M1042"}]}, {"_id": "T1051", "mitigations": [{"name": "Network Segmentation", "description": "Architect sections of the network to isolate critical systems, functions, or resources. Use physical and logical segmentation to prevent access to potentially sensitive systems and information. 
Use a DMZ to contain any internet-facing services that should not be exposed from the internal network.", "url": "https://attack.mitre.org/mitigations/M1030"}, {"name": "User Account Management", "description": "Manage the creation, modification, use, and permissions associated to user accounts.", "url": "https://attack.mitre.org/mitigations/M1018"}, {"name": "Limit Access to Resource Over Network", "description": "Prevent access to file shares, remote access to systems, unnecessary services. Mechanisms to limit access may include use of network concentrators, RDP gateways, etc.", "url": "https://attack.mitre.org/mitigations/M1035"}, {"name": "Privileged Account Management", "description": "Manage the creation, modification, use, and permissions associated to privileged accounts, including SYSTEM and root.", "url": "https://attack.mitre.org/mitigations/M1026"}, {"name": "Restrict File and Directory Permissions", "description": "Restrict access by setting directory and file permissions that are not specific to users or privileged accounts.", "url": "https://attack.mitre.org/mitigations/M1022"}]}, {"_id": "T1497", "mitigations": [{"name": "Virtualization/Sandbox Evasion Mitigation", "description": "Mitigation of this technique with preventative controls may impact the adversary's decision process depending on what they're looking for, how they use the information, and what their objectives are. 
Since it may be difficult to mitigate all aspects of information that could be gathered, efforts should be focused on preventing adversary tools from running earlier in the chain of activity and on identifying subsequent malicious behavior if compromised.", "url": ""}]}, {"_id": "T1102", "mitigations": [{"name": "Network Intrusion Prevention", "description": "Use intrusion detection signatures to block traffic at network boundaries.", "url": "https://attack.mitre.org/mitigations/M1031"}, {"name": "Restrict Web-Based Content", "description": "Restrict use of certain websites, block downloads/attachments, block Javascript, restrict browser extensions, etc.", "url": "https://attack.mitre.org/mitigations/M1021"}]}, {"_id": "T1104", "mitigations": [{"name": "Network Intrusion Prevention", "description": "Use intrusion detection signatures to block traffic at network boundaries.", "url": "https://attack.mitre.org/mitigations/M1031"}]}, {"_id": "T1480", "mitigations": [{"name": "Do Not Mitigate", "description": "This category is to associate techniques that mitigation might increase risk of compromise and therefore mitigation is not recommended.", "url": "https://attack.mitre.org/mitigations/M1055"}]}, {"_id": "T1528", "mitigations": [{"name": "Restrict Web-Based Content", "description": "Restrict use of certain websites, block downloads/attachments, block Javascript, restrict browser extensions, etc.", "url": "https://attack.mitre.org/mitigations/M1021"}, {"name": "Audit", "description": "Perform audits or scans of systems, permissions, insecure software, insecure configurations, etc. 
to identify potential weaknesses.", "url": "https://attack.mitre.org/mitigations/M1047"}, {"name": "User Training", "description": "Train users to to be aware of access or manipulation attempts by an adversary to reduce the risk of successful spearphishing, social engineering, and other techniques that involve user interaction.", "url": "https://attack.mitre.org/mitigations/M1017"}, {"name": "User Account Management", "description": "Manage the creation, modification, use, and permissions associated to user accounts.", "url": "https://attack.mitre.org/mitigations/M1018"}]}, {"_id": "T1204", "mitigations": [{"name": "User Training", "description": "Train users to to be aware of access or manipulation attempts by an adversary to reduce the risk of successful spearphishing, social engineering, and other techniques that involve user interaction.", "url": "https://attack.mitre.org/mitigations/M1017"}, {"name": "Execution Prevention", "description": "Block execution of code on a system through application whitelisting, blacklisting, and/or script blocking.", "url": "https://attack.mitre.org/mitigations/M1038"}, {"name": "Restrict Web-Based Content", "description": "Restrict use of certain websites, block downloads/attachments, block Javascript, restrict browser extensions, etc.", "url": "https://attack.mitre.org/mitigations/M1021"}, {"name": "Network Intrusion Prevention", "description": "Use intrusion detection signatures to block traffic at network boundaries.", "url": "https://attack.mitre.org/mitigations/M1031"}]}, {"_id": "T1196", "mitigations": [{"name": "Execution Prevention", "description": "Block execution of code on a system through application whitelisting, blacklisting, and/or script blocking.", "url": "https://attack.mitre.org/mitigations/M1038"}, {"name": "Restrict File and Directory Permissions", "description": "Restrict access by setting directory and file permissions that are not specific to users or privileged accounts.", "url": 
"https://attack.mitre.org/mitigations/M1022"}]}, {"_id": "T1057", "mitigations": [{"name": "Process Discovery Mitigation", "description": "Identify unnecessary system utilities or potentially malicious software that may be used to acquire information about processes, and audit and/or block them by using whitelisting (Citation: Beechey 2010) tools, like AppLocker, (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) or Software Restriction Policies (Citation: Corio 2008) where appropriate. (Citation: TechNet Applocker vs SRP)", "url": ""}]}, {"_id": "T1141", "mitigations": [{"name": "User Training", "description": "Train users to to be aware of access or manipulation attempts by an adversary to reduce the risk of successful spearphishing, social engineering, and other techniques that involve user interaction.", "url": "https://attack.mitre.org/mitigations/M1017"}]}, {"_id": "T1072", "mitigations": [{"name": "User Account Management", "description": "Manage the creation, modification, use, and permissions associated to user accounts.", "url": "https://attack.mitre.org/mitigations/M1018"}, {"name": "Active Directory Configuration", "description": "Configure Active Directory to prevent use of certain techniques; use SID Filtering, etc.", "url": "https://attack.mitre.org/mitigations/M1015"}, {"name": "Update Software", "description": "Perform regular software updates to mitigate exploitation risk.", "url": "https://attack.mitre.org/mitigations/M1051"}, {"name": "Privileged Account Management", "description": "Manage the creation, modification, use, and permissions associated to privileged accounts, including SYSTEM and root.", "url": "https://attack.mitre.org/mitigations/M1026"}, {"name": "Password Policies", "description": "Set and enforce secure password policies for accounts.", "url": "https://attack.mitre.org/mitigations/M1027"}, {"name": "Network Segmentation", "description": "Architect sections of the network to isolate critical systems, functions, or 
resources. Use physical and logical segmentation to prevent access to potentially sensitive systems and information. Use a DMZ to contain any internet-facing services that should not be exposed from the internal network.", "url": "https://attack.mitre.org/mitigations/M1030"}, {"name": "User Training", "description": "Train users to to be aware of access or manipulation attempts by an adversary to reduce the risk of successful spearphishing, social engineering, and other techniques that involve user interaction.", "url": "https://attack.mitre.org/mitigations/M1017"}, {"name": "Multi-factor Authentication", "description": "Use two or more pieces of evidence to authenticate to a system; such as username and password in addition to a token from a physical smart card or token generator.", "url": "https://attack.mitre.org/mitigations/M1032"}, {"name": "Remote Data Storage", "description": "Use remote security log and sensitive file storage where access can be controlled better to prevent exposure of intrusion detection log data or sensitive information.", "url": "https://attack.mitre.org/mitigations/M1029"}]}, {"_id": "T1041", "mitigations": [{"name": "Network Intrusion Prevention", "description": "Use intrusion detection signatures to block traffic at network boundaries.", "url": "https://attack.mitre.org/mitigations/M1031"}]}, {"_id": "T1060", "mitigations": [{"name": "Registry Run Keys / Startup Folder Mitigation", "description": "Identify and block potentially malicious software that may be executed through run key or startup folder persistence using whitelisting (Citation: Beechey 2010) tools like AppLocker (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) or Software Restriction Policies (Citation: Corio 2008) where appropriate. 
(Citation: TechNet Applocker vs SRP)", "url": ""}]}, {"_id": "T1023", "mitigations": [{"name": "User Account Management", "description": "Manage the creation, modification, use, and permissions associated to user accounts.", "url": "https://attack.mitre.org/mitigations/M1018"}]}, {"_id": "T1026", "mitigations": [{"name": "Network Intrusion Prevention", "description": "Use intrusion detection signatures to block traffic at network boundaries.", "url": "https://attack.mitre.org/mitigations/M1031"}]}, {"_id": "T1122", "mitigations": [{"name": "Component Object Model Hijacking Mitigation", "description": "Direct mitigation of this technique may not be recommended for a particular environment since COM objects are a legitimate part of the operating system and installed software. Blocking COM object changes may have unforeseen side effects to legitimate functionality.", "url": ""}]}, {"_id": "T1015", "mitigations": [{"name": "Execution Prevention", "description": "Block execution of code on a system through application whitelisting, blacklisting, and/or script blocking.", "url": "https://attack.mitre.org/mitigations/M1038"}, {"name": "Operating System Configuration", "description": "Make configuration changes related to the operating system or a common feature of the operating system that result in system hardening against techniques.", "url": "https://attack.mitre.org/mitigations/M1028"}, {"name": "Limit Access to Resource Over Network", "description": "Prevent access to file shares, remote access to systems, unnecessary services. 
Mechanisms to limit access may include use of network concentrators, RDP gateways, etc.", "url": "https://attack.mitre.org/mitigations/M1035"}]}, {"_id": "T1212", "mitigations": [{"name": "Exploit Protection", "description": "Use capabilities to detect and block conditions that may lead to or be indicative of a software exploit occurring.", "url": "https://attack.mitre.org/mitigations/M1050"}, {"name": "Update Software", "description": "Perform regular software updates to mitigate exploitation risk.", "url": "https://attack.mitre.org/mitigations/M1051"}, {"name": "Threat Intelligence Program", "description": "A threat intelligence program helps an organization generate their own threat intelligence information and track trends to inform defensive priorities to mitigate risk.", "url": "https://attack.mitre.org/mitigations/M1019"}, {"name": "Application Isolation and Sandboxing", "description": "Restrict execution of code to a virtual environment on or in transit to an endpoint system.", "url": "https://attack.mitre.org/mitigations/M1048"}]}, {"_id": "T1210", "mitigations": [{"name": "Disable or Remove Feature or Program", "description": "Remove or deny access to unnecessary and potentially vulnerable software to prevent abuse by adversaries.", "url": "https://attack.mitre.org/mitigations/M1042"}, {"name": "Vulnerability Scanning", "description": "Vulnerability scanning is used to find potentially exploitable software vulnerabilities to remediate them.", "url": "https://attack.mitre.org/mitigations/M1016"}, {"name": "Exploit Protection", "description": "Use capabilities to detect and block conditions that may lead to or be indicative of a software exploit occurring.", "url": "https://attack.mitre.org/mitigations/M1050"}, {"name": "Network Segmentation", "description": "Architect sections of the network to isolate critical systems, functions, or resources. Use physical and logical segmentation to prevent access to potentially sensitive systems and information. 
Use a DMZ to contain any internet-facing services that should not be exposed from the internal network.", "url": "https://attack.mitre.org/mitigations/M1030"}, {"name": "Threat Intelligence Program", "description": "A threat intelligence program helps an organization generate their own threat intelligence information and track trends to inform defensive priorities to mitigate risk.", "url": "https://attack.mitre.org/mitigations/M1019"}, {"name": "Application Isolation and Sandboxing", "description": "Restrict execution of code to a virtual environment on or in transit to an endpoint system.", "url": "https://attack.mitre.org/mitigations/M1048"}, {"name": "Privileged Account Management", "description": "Manage the creation, modification, use, and permissions associated to privileged accounts, including SYSTEM and root.", "url": "https://attack.mitre.org/mitigations/M1026"}, {"name": "Update Software", "description": "Perform regular software updates to mitigate exploitation risk.", "url": "https://attack.mitre.org/mitigations/M1051"}]}, {"_id": "T1502", "mitigations": []}, {"_id": "T1142", "mitigations": [{"name": "Password Policies", "description": "Set and enforce secure password policies for accounts.", "url": "https://attack.mitre.org/mitigations/M1027"}]}, {"_id": "T1534", "mitigations": []}, {"_id": "T1169", "mitigations": [{"name": "Privileged Account Management", "description": "Manage the creation, modification, use, and permissions associated to privileged accounts, including SYSTEM and root.", "url": "https://attack.mitre.org/mitigations/M1026"}, {"name": "Restrict File and Directory Permissions", "description": "Restrict access by setting directory and file permissions that are not specific to users or privileged accounts.", "url": "https://attack.mitre.org/mitigations/M1022"}]}, {"_id": "T1199", "mitigations": [{"name": "User Account Control", "description": "Configure Windows User Account Control to mitigate risk of adversaries obtaining elevated 
process access.", "url": "https://attack.mitre.org/mitigations/M1052"}, {"name": "Network Segmentation", "description": "Architect sections of the network to isolate critical systems, functions, or resources. Use physical and logical segmentation to prevent access to potentially sensitive systems and information. Use a DMZ to contain any internet-facing services that should not be exposed from the internal network.", "url": "https://attack.mitre.org/mitigations/M1030"}]}, {"_id": "T1149", "mitigations": [{"name": "Code Signing", "description": "Enforce binary and application integrity with digital signature verification to prevent untrusted code from executing.", "url": "https://attack.mitre.org/mitigations/M1045"}]}, {"_id": "T1098", "mitigations": [{"name": "Network Segmentation", "description": "Architect sections of the network to isolate critical systems, functions, or resources. Use physical and logical segmentation to prevent access to potentially sensitive systems and information. 
Use a DMZ to contain any internet-facing services that should not be exposed from the internal network.", "url": "https://attack.mitre.org/mitigations/M1030"}, {"name": "Multi-factor Authentication", "description": "Use two or more pieces of evidence to authenticate to a system; such as username and password in addition to a token from a physical smart card or token generator.", "url": "https://attack.mitre.org/mitigations/M1032"}, {"name": "Privileged Account Management", "description": "Manage the creation, modification, use, and permissions associated to privileged accounts, including SYSTEM and root.", "url": "https://attack.mitre.org/mitigations/M1026"}, {"name": "Operating System Configuration", "description": "Make configuration changes related to the operating system or a common feature of the operating system that result in system hardening against techniques.", "url": "https://attack.mitre.org/mitigations/M1028"}]}, {"_id": "T1170", "mitigations": [{"name": "Execution Prevention", "description": "Block execution of code on a system through application whitelisting, blacklisting, and/or script blocking.", "url": "https://attack.mitre.org/mitigations/M1038"}, {"name": "Disable or Remove Feature or Program", "description": "Remove or deny access to unnecessary and potentially vulnerable software to prevent abuse by adversaries.", "url": "https://attack.mitre.org/mitigations/M1042"}]}, {"_id": "T1048", "mitigations": [{"name": "Network Segmentation", "description": "Architect sections of the network to isolate critical systems, functions, or resources. Use physical and logical segmentation to prevent access to potentially sensitive systems and information. Use a DMZ to contain any internet-facing services that should not be exposed from the internal network.", "url": "https://attack.mitre.org/mitigations/M1030"}, {"name": "Filter Network Traffic", "description": "Use network appliances to filter ingress or egress traffic and perform protocol-based filtering. 
Configure software on endpoints to filter network traffic.", "url": "https://attack.mitre.org/mitigations/M1037"}, {"name": "Network Intrusion Prevention", "description": "Use intrusion detection signatures to block traffic at network boundaries.", "url": "https://attack.mitre.org/mitigations/M1031"}]}, {"_id": "T1097", "mitigations": [{"name": "Active Directory Configuration", "description": "Configure Active Directory to prevent use of certain techniques; use SID Filtering, etc.", "url": "https://attack.mitre.org/mitigations/M1015"}, {"name": "Password Policies", "description": "Set and enforce secure password policies for accounts.", "url": "https://attack.mitre.org/mitigations/M1027"}, {"name": "User Account Management", "description": "Manage the creation, modification, use, and permissions associated to user accounts.", "url": "https://attack.mitre.org/mitigations/M1018"}, {"name": "Privileged Account Management", "description": "Manage the creation, modification, use, and permissions associated to privileged accounts, including SYSTEM and root.", "url": "https://attack.mitre.org/mitigations/M1026"}]}, {"_id": "T1061", "mitigations": [{"name": "Graphical User Interface Mitigation", "description": "Prevent adversaries from gaining access to credentials through Credential Access that can be used to log into remote desktop sessions on systems.", "url": ""}]}, {"_id": "T1110", "mitigations": [{"name": "Account Use Policies", "description": "Configure features related to account use like login attempt lockouts, specific login times, etc.", "url": "https://attack.mitre.org/mitigations/M1036"}, {"name": "Multi-factor Authentication", "description": "Use two or more pieces of evidence to authenticate to a system; such as username and password in addition to a token from a physical smart card or token generator.", "url": "https://attack.mitre.org/mitigations/M1032"}, {"name": "Password Policies", "description": "Set and enforce secure password policies for accounts.", 
"url": "https://attack.mitre.org/mitigations/M1027"}]}, {"_id": "T1157", "mitigations": [{"name": "Restrict File and Directory Permissions", "description": "Restrict access by setting directory and file permissions that are not specific to users or privileged accounts.", "url": "https://attack.mitre.org/mitigations/M1022"}, {"name": "User Account Management", "description": "Manage the creation, modification, use, and permissions associated to user accounts.", "url": "https://attack.mitre.org/mitigations/M1018"}]}, {"_id": "T1001", "mitigations": [{"name": "Network Intrusion Prevention", "description": "Use intrusion detection signatures to block traffic at network boundaries.", "url": "https://attack.mitre.org/mitigations/M1031"}]}, {"_id": "T1039", "mitigations": [{"name": "Data from Network Shared Drive Mitigation", "description": "Identify unnecessary system utilities or potentially malicious software that may be used to collect data from a network share, and audit and/or block them by using whitelisting (Citation: Beechey 2010) tools, like AppLocker, (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) or Software Restriction Policies (Citation: Corio 2008) where appropriate. (Citation: TechNet Applocker vs SRP)", "url": ""}]}, {"_id": "T1078", "mitigations": [{"name": "Multi-factor Authentication", "description": "Use two or more pieces of evidence to authenticate to a system; such as username and password in addition to a token from a physical smart card or token generator.", "url": "https://attack.mitre.org/mitigations/M1032"}, {"name": "Audit", "description": "Perform audits or scans of systems, permissions, insecure software, insecure configurations, etc. 
to identify potential weaknesses.", "url": "https://attack.mitre.org/mitigations/M1047"}, {"name": "Password Policies", "description": "Set and enforce secure password policies for accounts.", "url": "https://attack.mitre.org/mitigations/M1027"}, {"name": "Privileged Account Management", "description": "Manage the creation, modification, use, and permissions associated to privileged accounts, including SYSTEM and root.", "url": "https://attack.mitre.org/mitigations/M1026"}, {"name": "User Account Management", "description": "Manage the creation, modification, use, and permissions associated to user accounts.", "url": "https://attack.mitre.org/mitigations/M1018"}, {"name": "Application Developer Guidance", "description": "This mitigation describes any guidance or training given to developers of applications to avoid introducing security weaknesses that an adversary may be able to take advantage of.", "url": "https://attack.mitre.org/mitigations/M1013"}, {"name": "Filter Network Traffic", "description": "Use network appliances to filter ingress or egress traffic and perform protocol-based filtering. Configure software on endpoints to filter network traffic.", "url": "https://attack.mitre.org/mitigations/M1037"}]}, {"_id": "T1073", "mitigations": [{"name": "Update Software", "description": "Perform regular software updates to mitigate exploitation risk.", "url": "https://attack.mitre.org/mitigations/M1051"}, {"name": "Restrict File and Directory Permissions", "description": "Restrict access by setting directory and file permissions that are not specific to users or privileged accounts.", "url": "https://attack.mitre.org/mitigations/M1022"}, {"name": "Audit", "description": "Perform audits or scans of systems, permissions, insecure software, insecure configurations, etc. 
to identify potential weaknesses.", "url": "https://attack.mitre.org/mitigations/M1047"}]}, {"_id": "T1068", "mitigations": [{"name": "Update Software", "description": "Perform regular software updates to mitigate exploitation risk.", "url": "https://attack.mitre.org/mitigations/M1051"}, {"name": "Exploit Protection", "description": "Use capabilities to detect and block conditions that may lead to or be indicative of a software exploit occurring.", "url": "https://attack.mitre.org/mitigations/M1050"}, {"name": "Application Isolation and Sandboxing", "description": "Restrict execution of code to a virtual environment on or in transit to an endpoint system.", "url": "https://attack.mitre.org/mitigations/M1048"}, {"name": "Threat Intelligence Program", "description": "A threat intelligence program helps an organization generate their own threat intelligence information and track trends to inform defensive priorities to mitigate risk.", "url": "https://attack.mitre.org/mitigations/M1019"}]}, {"_id": "T1531", "mitigations": []}, {"_id": "T1208", "mitigations": [{"name": "Privileged Account Management", "description": "Manage the creation, modification, use, and permissions associated to privileged accounts, including SYSTEM and root.", "url": "https://attack.mitre.org/mitigations/M1026"}, {"name": "Encrypt Sensitive Information", "description": "Protect sensitive information with strong encryption.", "url": "https://attack.mitre.org/mitigations/M1041"}, {"name": "Password Policies", "description": "Set and enforce secure password policies for accounts.", "url": "https://attack.mitre.org/mitigations/M1027"}]}, {"_id": "T1027", "mitigations": [{"name": "Antivirus/Antimalware", "description": "Use signatures or heuristics to detect malicious software.", "url": "https://attack.mitre.org/mitigations/M1049"}]}, {"_id": "T1154", "mitigations": [{"name": "Trap Mitigation", "description": "Due to potential legitimate uses of trap commands, it's may be difficult to mitigate use 
of this technique.", "url": ""}]}, {"_id": "T1201", "mitigations": [{"name": "Password Policies", "description": "Set and enforce secure password policies for accounts.", "url": "https://attack.mitre.org/mitigations/M1027"}]}, {"_id": "T1187", "mitigations": [{"name": "Password Policies", "description": "Set and enforce secure password policies for accounts.", "url": "https://attack.mitre.org/mitigations/M1027"}, {"name": "Filter Network Traffic", "description": "Use network appliances to filter ingress or egress traffic and perform protocol-based filtering. Configure software on endpoints to filter network traffic.", "url": "https://attack.mitre.org/mitigations/M1037"}]}, {"_id": "T1486", "mitigations": [{"name": "Data Backup", "description": "Take and store data backups from end user systems and critical servers. Ensure backup and storage systems are hardened and kept separate from the corporate network to prevent compromise.", "url": "https://attack.mitre.org/mitigations/M1053"}]}, {"_id": "T1488", "mitigations": [{"name": "Data Backup", "description": "Take and store data backups from end user systems and critical servers. 
Ensure backup and storage systems are hardened and kept separate from the corporate network to prevent compromise.", "url": "https://attack.mitre.org/mitigations/M1053"}]}, {"_id": "T1174", "mitigations": [{"name": "Operating System Configuration", "description": "Make configuration changes related to the operating system or a common feature of the operating system that result in system hardening against techniques.", "url": "https://attack.mitre.org/mitigations/M1028"}]}, {"_id": "T1002", "mitigations": [{"name": "Network Intrusion Prevention", "description": "Use intrusion detection signatures to block traffic at network boundaries.", "url": "https://attack.mitre.org/mitigations/M1031"}]}, {"_id": "T1081", "mitigations": [{"name": "User Training", "description": "Train users to to be aware of access or manipulation attempts by an adversary to reduce the risk of successful spearphishing, social engineering, and other techniques that involve user interaction.", "url": "https://attack.mitre.org/mitigations/M1017"}, {"name": "Restrict File and Directory Permissions", "description": "Restrict access by setting directory and file permissions that are not specific to users or privileged accounts.", "url": "https://attack.mitre.org/mitigations/M1022"}, {"name": "Password Policies", "description": "Set and enforce secure password policies for accounts.", "url": "https://attack.mitre.org/mitigations/M1027"}, {"name": "Active Directory Configuration", "description": "Configure Active Directory to prevent use of certain techniques; use SID Filtering, etc.", "url": "https://attack.mitre.org/mitigations/M1015"}, {"name": "Audit", "description": "Perform audits or scans of systems, permissions, insecure software, insecure configurations, etc. 
to identify potential weaknesses.", "url": "https://attack.mitre.org/mitigations/M1047"}]}, {"_id": "T1128", "mitigations": [{"name": "Netsh Helper DLL Mitigation", "description": "Identify and block potentially malicious software that may persist in this manner by using whitelisting (Citation: Beechey 2010) tools capable of monitoring DLL loads by Windows utilities like AppLocker. (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker)", "url": ""}]}, {"_id": "T1056", "mitigations": [{"name": "Input Capture Mitigation", "description": "Identify and block potentially malicious software that may be used to acquire credentials or information from the user by using whitelisting (Citation: Beechey 2010) tools, like AppLocker, (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) or Software Restriction Policies (Citation: Corio 2008) where appropriate. (Citation: TechNet Applocker vs SRP)", "url": ""}]}, {"_id": "T1203", "mitigations": [{"name": "Exploit Protection", "description": "Use capabilities to detect and block conditions that may lead to or be indicative of a software exploit occurring.", "url": "https://attack.mitre.org/mitigations/M1050"}, {"name": "Application Isolation and Sandboxing", "description": "Restrict execution of code to a virtual environment on or in transit to an endpoint system.", "url": "https://attack.mitre.org/mitigations/M1048"}]}, {"_id": "T1168", "mitigations": [{"name": "User Account Management", "description": "Manage the creation, modification, use, and permissions associated to user accounts.", "url": "https://attack.mitre.org/mitigations/M1018"}]}, {"_id": "T1166", "mitigations": [{"name": "Operating System Configuration", "description": "Make configuration changes related to the operating system or a common feature of the operating system that result in system hardening against techniques.", "url": "https://attack.mitre.org/mitigations/M1028"}]}, {"_id": "T1100", "mitigations": [{"name": "Privileged Account 
Management", "description": "Manage the creation, modification, use, and permissions associated to privileged accounts, including SYSTEM and root.", "url": "https://attack.mitre.org/mitigations/M1026"}, {"name": "Update Software", "description": "Perform regular software updates to mitigate exploitation risk.", "url": "https://attack.mitre.org/mitigations/M1051"}]}, {"_id": "T1186", "mitigations": [{"name": "Process Doppelg\u00e4nging Mitigation", "description": "This type of attack technique cannot be easily mitigated with preventive controls or patched since it is based on the abuse of operating system design features. For example, mitigating specific API calls will likely have unintended side effects, such as preventing legitimate process-loading mechanisms from operating properly. Efforts should be focused on preventing adversary tools from running earlier in the chain of activity and on identifying subsequent malicious behavior.", "url": ""}]}, {"_id": "T1184", "mitigations": [{"name": "Privileged Account Management", "description": "Manage the creation, modification, use, and permissions associated to privileged accounts, including SYSTEM and root.", "url": "https://attack.mitre.org/mitigations/M1026"}, {"name": "User Account Control", "description": "Configure Windows User Account Control to mitigate risk of adversaries obtaining elevated process access.", "url": "https://attack.mitre.org/mitigations/M1052"}, {"name": "Disable or Remove Feature or Program", "description": "Remove or deny access to unnecessary and potentially vulnerable software to prevent abuse by adversaries.", "url": "https://attack.mitre.org/mitigations/M1042"}, {"name": "Restrict File and Directory Permissions", "description": "Restrict access by setting directory and file permissions that are not specific to users or privileged accounts.", "url": "https://attack.mitre.org/mitigations/M1022"}, {"name": "Password Policies", "description": "Set and enforce secure password policies for 
accounts.", "url": "https://attack.mitre.org/mitigations/M1027"}]}, {"_id": "T1095", "mitigations": [{"name": "Network Intrusion Prevention", "description": "Use intrusion detection signatures to block traffic at network boundaries.", "url": "https://attack.mitre.org/mitigations/M1031"}, {"name": "Filter Network Traffic", "description": "Use network appliances to filter ingress or egress traffic and perform protocol-based filtering. Configure software on endpoints to filter network traffic.", "url": "https://attack.mitre.org/mitigations/M1037"}, {"name": "Network Segmentation", "description": "Architect sections of the network to isolate critical systems, functions, or resources. Use physical and logical segmentation to prevent access to potentially sensitive systems and information. Use a DMZ to contain any internet-facing services that should not be exposed from the internal network.", "url": "https://attack.mitre.org/mitigations/M1030"}]}, {"_id": "T1075", "mitigations": [{"name": "Password Policies", "description": "Set and enforce secure password policies for accounts.", "url": "https://attack.mitre.org/mitigations/M1027"}, {"name": "Privileged Account Management", "description": "Manage the creation, modification, use, and permissions associated to privileged accounts, including SYSTEM and root.", "url": "https://attack.mitre.org/mitigations/M1026"}, {"name": "Update Software", "description": "Perform regular software updates to mitigate exploitation risk.", "url": "https://attack.mitre.org/mitigations/M1051"}, {"name": "User Account Control", "description": "Configure Windows User Account Control to mitigate risk of adversaries obtaining elevated process access.", "url": "https://attack.mitre.org/mitigations/M1052"}, {"name": "User Account Management", "description": "Manage the creation, modification, use, and permissions associated to user accounts.", "url": "https://attack.mitre.org/mitigations/M1018"}]}, {"_id": "T1012", "mitigations": [{"name": "Query 
Registry Mitigation", "description": "Identify unnecessary system utilities or potentially malicious software that may be used to acquire information within the Registry, and audit and/or block them by using whitelisting (Citation: Beechey 2010) tools, like AppLocker, (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) or Software Restriction Policies (Citation: Corio 2008) where appropriate. (Citation: TechNet Applocker vs SRP)", "url": ""}]}, {"_id": "T1030", "mitigations": [{"name": "Network Intrusion Prevention", "description": "Use intrusion detection signatures to block traffic at network boundaries.", "url": "https://attack.mitre.org/mitigations/M1031"}]}, {"_id": "T1028", "mitigations": [{"name": "Disable or Remove Feature or Program", "description": "Remove or deny access to unnecessary and potentially vulnerable software to prevent abuse by adversaries.", "url": "https://attack.mitre.org/mitigations/M1042"}, {"name": "Privileged Account Management", "description": "Manage the creation, modification, use, and permissions associated to privileged accounts, including SYSTEM and root.", "url": "https://attack.mitre.org/mitigations/M1026"}, {"name": "Network Segmentation", "description": "Architect sections of the network to isolate critical systems, functions, or resources. Use physical and logical segmentation to prevent access to potentially sensitive systems and information. 
Use a DMZ to contain any internet-facing services that should not be exposed from the internal network.", "url": "https://attack.mitre.org/mitigations/M1030"}]}, {"_id": "T1034", "mitigations": [{"name": "Restrict File and Directory Permissions", "description": "Restrict access by setting directory and file permissions that are not specific to users or privileged accounts.", "url": "https://attack.mitre.org/mitigations/M1022"}, {"name": "User Account Management", "description": "Manage the creation, modification, use, and permissions associated to user accounts.", "url": "https://attack.mitre.org/mitigations/M1018"}, {"name": "Audit", "description": "Perform audits or scans of systems, permissions, insecure software, insecure configurations, etc. to identify potential weaknesses.", "url": "https://attack.mitre.org/mitigations/M1047"}, {"name": "Execution Prevention", "description": "Block execution of code on a system through application whitelisting, blacklisting, and/or script blocking.", "url": "https://attack.mitre.org/mitigations/M1038"}]}, {"_id": "T1506", "mitigations": [{"name": "Software Configuration", "description": "Implement configuration changes to software (other than the operating system) to mitigate security risks associated to how the software operates.", "url": "https://attack.mitre.org/mitigations/M1054"}]}, {"_id": "T1499", "mitigations": [{"name": "Filter Network Traffic", "description": "Use network appliances to filter ingress or egress traffic and perform protocol-based filtering. Configure software on endpoints to filter network traffic.", "url": "https://attack.mitre.org/mitigations/M1037"}]}, {"_id": "T1065", "mitigations": [{"name": "Network Segmentation", "description": "Architect sections of the network to isolate critical systems, functions, or resources. Use physical and logical segmentation to prevent access to potentially sensitive systems and information. 
Use a DMZ to contain any internet-facing services that should not be exposed from the internal network.", "url": "https://attack.mitre.org/mitigations/M1030"}, {"name": "Network Intrusion Prevention", "description": "Use intrusion detection signatures to block traffic at network boundaries.", "url": "https://attack.mitre.org/mitigations/M1031"}]}, {"_id": "T1197", "mitigations": [{"name": "User Account Management", "description": "Manage the creation, modification, use, and permissions associated to user accounts.", "url": "https://attack.mitre.org/mitigations/M1018"}, {"name": "Filter Network Traffic", "description": "Use network appliances to filter ingress or egress traffic and perform protocol-based filtering. Configure software on endpoints to filter network traffic.", "url": "https://attack.mitre.org/mitigations/M1037"}, {"name": "Operating System Configuration", "description": "Make configuration changes related to the operating system or a common feature of the operating system that result in system hardening against techniques.", "url": "https://attack.mitre.org/mitigations/M1028"}]}, {"_id": "T1088", "mitigations": [{"name": "Privileged Account Management", "description": "Manage the creation, modification, use, and permissions associated to privileged accounts, including SYSTEM and root.", "url": "https://attack.mitre.org/mitigations/M1026"}, {"name": "Audit", "description": "Perform audits or scans of systems, permissions, insecure software, insecure configurations, etc. to identify potential weaknesses.", "url": "https://attack.mitre.org/mitigations/M1047"}, {"name": "User Account Control", "description": "Configure Windows User Account Control to mitigate risk of adversaries obtaining elevated process access.", "url": "https://attack.mitre.org/mitigations/M1052"}]}, {"_id": "T1494", "mitigations": [{"name": "Network Segmentation", "description": "Architect sections of the network to isolate critical systems, functions, or resources. 
Use physical and logical segmentation to prevent access to potentially sensitive systems and information. Use a DMZ to contain any internet-facing services that should not be exposed from the internal network.", "url": "https://attack.mitre.org/mitigations/M1030"}, {"name": "Restrict File and Directory Permissions", "description": "Restrict access by setting directory and file permissions that are not specific to users or privileged accounts.", "url": "https://attack.mitre.org/mitigations/M1022"}]}, {"_id": "T1493", "mitigations": [{"name": "Encrypt Sensitive Information", "description": "Protect sensitive information with strong encryption.", "url": "https://attack.mitre.org/mitigations/M1041"}]}, {"_id": "T1132", "mitigations": [{"name": "Network Intrusion Prevention", "description": "Use intrusion detection signatures to block traffic at network boundaries.", "url": "https://attack.mitre.org/mitigations/M1031"}]}, {"_id": "T1496", "mitigations": [{"name": "Resource Hijacking Mitigation", "description": "Identify potentially malicious software and audit and/or block it by using whitelisting(Citation: Beechey 2010) tools, like AppLocker,(Citation: Windows Commands JPCERT)(Citation: NSA MS AppLocker) or Software Restriction Policies(Citation: Corio 2008) where appropriate.(Citation: TechNet Applocker vs SRP)", "url": ""}]}, {"_id": "T1147", "mitigations": [{"name": "Operating System Configuration", "description": "Make configuration changes related to the operating system or a common feature of the operating system that result in system hardening against techniques.", "url": "https://attack.mitre.org/mitigations/M1028"}]}, {"_id": "T1500", "mitigations": [{"name": "Compile After Delivery Mitigation", "description": "This type of technique cannot be easily mitigated with preventive controls or patched since it is based on the abuse of operating system design features. 
For example, blocking all file compilation may have unintended side effects, such as preventing legitimate OS frameworks and code development mechanisms from operating properly. Consider removing compilers if not needed, otherwise efforts should be focused on preventing adversary tools from running earlier in the chain of activity and on identifying subsequent malicious behavior.", "url": ""}]}, {"_id": "T1223", "mitigations": [{"name": "Restrict Web-Based Content", "description": "Restrict use of certain websites, block downloads/attachments, block Javascript, restrict browser extensions, etc.", "url": "https://attack.mitre.org/mitigations/M1021"}, {"name": "Execution Prevention", "description": "Block execution of code on a system through application whitelisting, blacklisting, and/or script blocking.", "url": "https://attack.mitre.org/mitigations/M1038"}]}, {"_id": "T1213", "mitigations": [{"name": "User Training", "description": "Train users to to be aware of access or manipulation attempts by an adversary to reduce the risk of successful spearphishing, social engineering, and other techniques that involve user interaction.", "url": "https://attack.mitre.org/mitigations/M1017"}, {"name": "User Account Management", "description": "Manage the creation, modification, use, and permissions associated to user accounts.", "url": "https://attack.mitre.org/mitigations/M1018"}, {"name": "Audit", "description": "Perform audits or scans of systems, permissions, insecure software, insecure configurations, etc. 
to identify potential weaknesses.", "url": "https://attack.mitre.org/mitigations/M1047"}]}, {"_id": "T1146", "mitigations": [{"name": "Environment Variable Permissions", "description": "Prevent modification of environment variables by unauthorized users and groups.", "url": "https://attack.mitre.org/mitigations/M1039"}, {"name": "Restrict File and Directory Permissions", "description": "Restrict access by setting directory and file permissions that are not specific to users or privileged accounts.", "url": "https://attack.mitre.org/mitigations/M1022"}]}, {"_id": "T1519", "mitigations": [{"name": "Disable or Remove Feature or Program", "description": "Remove or deny access to unnecessary and potentially vulnerable software to prevent abuse by adversaries.", "url": "https://attack.mitre.org/mitigations/M1042"}]}, {"_id": "T1194", "mitigations": [{"name": "Antivirus/Antimalware", "description": "Use signatures or heuristics to detect malicious software.", "url": "https://attack.mitre.org/mitigations/M1049"}, {"name": "Restrict Web-Based Content", "description": "Restrict use of certain websites, block downloads/attachments, block Javascript, restrict browser extensions, etc.", "url": "https://attack.mitre.org/mitigations/M1021"}, {"name": "User Training", "description": "Train users to to be aware of access or manipulation attempts by an adversary to reduce the risk of successful spearphishing, social engineering, and other techniques that involve user interaction.", "url": "https://attack.mitre.org/mitigations/M1017"}]}, {"_id": "T1200", "mitigations": [{"name": "Limit Access to Resource Over Network", "description": "Prevent access to file shares, remote access to systems, unnecessary services. 
Mechanisms to limit access may include use of network concentrators, RDP gateways, etc.", "url": "https://attack.mitre.org/mitigations/M1035"}, {"name": "Limit Hardware Installation", "description": "Block users or groups from installing or using unapproved hardware on systems, including USB devices.", "url": "https://attack.mitre.org/mitigations/M1034"}]}, {"_id": "T1505", "mitigations": [{"name": "Code Signing", "description": "Enforce binary and application integrity with digital signature verification to prevent untrusted code from executing.", "url": "https://attack.mitre.org/mitigations/M1045"}, {"name": "Audit", "description": "Perform audits or scans of systems, permissions, insecure software, insecure configurations, etc. to identify potential weaknesses.", "url": "https://attack.mitre.org/mitigations/M1047"}, {"name": "Privileged Account Management", "description": "Manage the creation, modification, use, and permissions associated to privileged accounts, including SYSTEM and root.", "url": "https://attack.mitre.org/mitigations/M1026"}]}, {"_id": "T1485", "mitigations": [{"name": "Data Backup", "description": "Take and store data backups from end user systems and critical servers. Ensure backup and storage systems are hardened and kept separate from the corporate network to prevent compromise.", "url": "https://attack.mitre.org/mitigations/M1053"}]}, {"_id": "T1537", "mitigations": [{"name": "Password Policies", "description": "Set and enforce secure password policies for accounts.", "url": "https://attack.mitre.org/mitigations/M1027"}, {"name": "User Account Management", "description": "Manage the creation, modification, use, and permissions associated to user accounts.", "url": "https://attack.mitre.org/mitigations/M1018"}, {"name": "Filter Network Traffic", "description": "Use network appliances to filter ingress or egress traffic and perform protocol-based filtering. 
Configure software on endpoints to filter network traffic.", "url": "https://attack.mitre.org/mitigations/M1037"}]}, {"_id": "T1130", "mitigations": [{"name": "Operating System Configuration", "description": "Make configuration changes related to the operating system or a common feature of the operating system that result in system hardening against techniques.", "url": "https://attack.mitre.org/mitigations/M1028"}, {"name": "Software Configuration", "description": "Implement configuration changes to software (other than the operating system) to mitigate security risks associated to how the software operates.", "url": "https://attack.mitre.org/mitigations/M1054"}]}, {"_id": "T1022", "mitigations": [{"name": "Data Encrypted Mitigation", "description": "Identify unnecessary system utilities, third-party tools, or potentially malicious software that may be used to encrypt files, and audit and/or block them by using whitelisting (Citation: Beechey 2010) tools, like AppLocker, (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) or Software Restriction Policies (Citation: Corio 2008) where appropriate. 
(Citation: TechNet Applocker vs SRP)", "url": ""}]}, {"_id": "T1189", "mitigations": [{"name": "Exploit Protection", "description": "Use capabilities to detect and block conditions that may lead to or be indicative of a software exploit occurring.", "url": "https://attack.mitre.org/mitigations/M1050"}, {"name": "Update Software", "description": "Perform regular software updates to mitigate exploitation risk.", "url": "https://attack.mitre.org/mitigations/M1051"}, {"name": "Application Isolation and Sandboxing", "description": "Restrict execution of code to a virtual environment on or in transit to an endpoint system.", "url": "https://attack.mitre.org/mitigations/M1048"}, {"name": "Restrict Web-Based Content", "description": "Restrict use of certain websites, block downloads/attachments, block Javascript, restrict browser extensions, etc.", "url": "https://attack.mitre.org/mitigations/M1021"}]}, {"_id": "T1498", "mitigations": [{"name": "Filter Network Traffic", "description": "Use network appliances to filter ingress or egress traffic and perform protocol-based filtering. 
Configure software on endpoints to filter network traffic.", "url": "https://attack.mitre.org/mitigations/M1037"}]}, {"_id": "T1158", "mitigations": [{"name": "Hidden Files and Directories Mitigation", "description": "Mitigation of this technique may be difficult and unadvised due to the the legitimate use of hidden files and directories.", "url": ""}]}, {"_id": "T1221", "mitigations": [{"name": "Antivirus/Antimalware", "description": "Use signatures or heuristics to detect malicious software.", "url": "https://attack.mitre.org/mitigations/M1049"}, {"name": "Network Intrusion Prevention", "description": "Use intrusion detection signatures to block traffic at network boundaries.", "url": "https://attack.mitre.org/mitigations/M1031"}, {"name": "User Training", "description": "Train users to to be aware of access or manipulation attempts by an adversary to reduce the risk of successful spearphishing, social engineering, and other techniques that involve user interaction.", "url": "https://attack.mitre.org/mitigations/M1017"}, {"name": "Disable or Remove Feature or Program", "description": "Remove or deny access to unnecessary and potentially vulnerable software to prevent abuse by adversaries.", "url": "https://attack.mitre.org/mitigations/M1042"}]}, {"_id": "T1134", "mitigations": [{"name": "User Account Management", "description": "Manage the creation, modification, use, and permissions associated to user accounts.", "url": "https://attack.mitre.org/mitigations/M1018"}, {"name": "Privileged Account Management", "description": "Manage the creation, modification, use, and permissions associated to privileged accounts, including SYSTEM and root.", "url": "https://attack.mitre.org/mitigations/M1026"}]}, {"_id": "T1209", "mitigations": [{"name": "Restrict File and Directory Permissions", "description": "Restrict access by setting directory and file permissions that are not specific to users or privileged accounts.", "url": "https://attack.mitre.org/mitigations/M1022"}, 
{"name": "Restrict Registry Permissions", "description": "Restrict the ability to modify certain hives or keys in the Windows Registry.", "url": "https://attack.mitre.org/mitigations/M1024"}]}, {"_id": "T1111", "mitigations": [{"name": "User Training", "description": "Train users to to be aware of access or manipulation attempts by an adversary to reduce the risk of successful spearphishing, social engineering, and other techniques that involve user interaction.", "url": "https://attack.mitre.org/mitigations/M1017"}]}, {"_id": "T1159", "mitigations": [{"name": "User Account Management", "description": "Manage the creation, modification, use, and permissions associated to user accounts.", "url": "https://attack.mitre.org/mitigations/M1018"}]}, {"_id": "T1136", "mitigations": [{"name": "Network Segmentation", "description": "Architect sections of the network to isolate critical systems, functions, or resources. Use physical and logical segmentation to prevent access to potentially sensitive systems and information. 
Use a DMZ to contain any internet-facing services that should not be exposed from the internal network.", "url": "https://attack.mitre.org/mitigations/M1030"}, {"name": "Operating System Configuration", "description": "Make configuration changes related to the operating system or a common feature of the operating system that result in system hardening against techniques.", "url": "https://attack.mitre.org/mitigations/M1028"}, {"name": "Multi-factor Authentication", "description": "Use two or more pieces of evidence to authenticate to a system; such as username and password in addition to a token from a physical smart card or token generator.", "url": "https://attack.mitre.org/mitigations/M1032"}, {"name": "Privileged Account Management", "description": "Manage the creation, modification, use, and permissions associated to privileged accounts, including SYSTEM and root.", "url": "https://attack.mitre.org/mitigations/M1026"}]}, {"_id": "T1526", "mitigations": []}, {"_id": "T1151", "mitigations": [{"name": "Space after Filename Mitigation", "description": "Prevent files from having a trailing space after the extension.", "url": ""}]}, {"_id": "T1018", "mitigations": [{"name": "Remote System Discovery Mitigation", "description": "Identify unnecessary system utilities or potentially malicious software that may be used to acquire information on remotely available systems, and audit and/or block them by using whitelisting (Citation: Beechey 2010) tools, like AppLocker, (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) or Software Restriction Policies (Citation: Corio 2008) where appropriate. 
(Citation: TechNet Applocker vs SRP)", "url": ""}]}, {"_id": "T1046", "mitigations": [{"name": "Disable or Remove Feature or Program", "description": "Remove or deny access to unnecessary and potentially vulnerable software to prevent abuse by adversaries.", "url": "https://attack.mitre.org/mitigations/M1042"}, {"name": "Network Intrusion Prevention", "description": "Use intrusion detection signatures to block traffic at network boundaries.", "url": "https://attack.mitre.org/mitigations/M1031"}, {"name": "Network Segmentation", "description": "Architect sections of the network to isolate critical systems, functions, or resources. Use physical and logical segmentation to prevent access to potentially sensitive systems and information. Use a DMZ to contain any internet-facing services that should not be exposed from the internal network.", "url": "https://attack.mitre.org/mitigations/M1030"}]}, {"_id": "T1518", "mitigations": []}, {"_id": "T1538", "mitigations": [{"name": "User Account Management", "description": "Manage the creation, modification, use, and permissions associated to user accounts.", "url": "https://attack.mitre.org/mitigations/M1018"}]}, {"_id": "T1052", "mitigations": [{"name": "Disable or Remove Feature or Program", "description": "Remove or deny access to unnecessary and potentially vulnerable software to prevent abuse by adversaries.", "url": "https://attack.mitre.org/mitigations/M1042"}]}, {"_id": "T1105", "mitigations": [{"name": "Network Intrusion Prevention", "description": "Use intrusion detection signatures to block traffic at network boundaries.", "url": "https://attack.mitre.org/mitigations/M1031"}]}, {"_id": "T1126", "mitigations": [{"name": "Network Share Connection Removal Mitigation", "description": "Follow best practices for mitigation of activity related to establishing [Windows Admin Shares](https://attack.mitre.org/techniques/T1077). 
", "url": ""}]}, {"_id": "T1084", "mitigations": [{"name": "Privileged Account Management", "description": "Manage the creation, modification, use, and permissions associated to privileged accounts, including SYSTEM and root.", "url": "https://attack.mitre.org/mitigations/M1026"}, {"name": "User Account Management", "description": "Manage the creation, modification, use, and permissions associated to user accounts.", "url": "https://attack.mitre.org/mitigations/M1018"}]}, {"_id": "T1160", "mitigations": [{"name": "User Account Management", "description": "Manage the creation, modification, use, and permissions associated to user accounts.", "url": "https://attack.mitre.org/mitigations/M1018"}]}, {"_id": "T1484", "mitigations": [{"name": "Audit", "description": "Perform audits or scans of systems, permissions, insecure software, insecure configurations, etc. to identify potential weaknesses.", "url": "https://attack.mitre.org/mitigations/M1047"}, {"name": "User Account Management", "description": "Manage the creation, modification, use, and permissions associated to user accounts.", "url": "https://attack.mitre.org/mitigations/M1018"}]}, {"_id": "T1220", "mitigations": [{"name": "Execution Prevention", "description": "Block execution of code on a system through application whitelisting, blacklisting, and/or script blocking.", "url": "https://attack.mitre.org/mitigations/M1038"}]}, {"_id": "T1173", "mitigations": [{"name": "Disable or Remove Feature or Program", "description": "Remove or deny access to unnecessary and potentially vulnerable software to prevent abuse by adversaries.", "url": "https://attack.mitre.org/mitigations/M1042"}, {"name": "Behavior Prevention on Endpoint", "description": "Use capabilities to prevent suspicious behavior patterns from occurring on endpoint systems. This could include suspicious process, file, API call, etc. 
behavior.", "url": "https://attack.mitre.org/mitigations/M1040"}, {"name": "Application Isolation and Sandboxing", "description": "Restrict execution of code to a virtual environment on or in transit to an endpoint system.", "url": "https://attack.mitre.org/mitigations/M1048"}, {"name": "Software Configuration", "description": "Implement configuration changes to software (other than the operating system) to mitigate security risks associated to how the software operates.", "url": "https://attack.mitre.org/mitigations/M1054"}]}, {"_id": "T1008", "mitigations": [{"name": "Network Intrusion Prevention", "description": "Use intrusion detection signatures to block traffic at network boundaries.", "url": "https://attack.mitre.org/mitigations/M1031"}]}, {"_id": "T1096", "mitigations": [{"name": "Restrict File and Directory Permissions", "description": "Restrict access by setting directory and file permissions that are not specific to users or privileged accounts.", "url": "https://attack.mitre.org/mitigations/M1022"}]}, {"_id": "T1124", "mitigations": [{"name": "System Time Discovery Mitigation", "description": "Benign software uses legitimate processes to gather system time. Efforts should be focused on preventing unwanted or unknown code from executing on a system. 
Some common tools, such as net.exe, may be blocked by policy to prevent common ways of acquiring remote system time.", "url": ""}]}, {"_id": "T1035", "mitigations": [{"name": "Privileged Account Management", "description": "Manage the creation, modification, use, and permissions associated to privileged accounts, including SYSTEM and root.", "url": "https://attack.mitre.org/mitigations/M1026"}, {"name": "Restrict File and Directory Permissions", "description": "Restrict access by setting directory and file permissions that are not specific to users or privileged accounts.", "url": "https://attack.mitre.org/mitigations/M1022"}]}, {"_id": "T1086", "mitigations": [{"name": "Disable or Remove Feature or Program", "description": "Remove or deny access to unnecessary and potentially vulnerable software to prevent abuse by adversaries.", "url": "https://attack.mitre.org/mitigations/M1042"}, {"name": "Code Signing", "description": "Enforce binary and application integrity with digital signature verification to prevent untrusted code from executing.", "url": "https://attack.mitre.org/mitigations/M1045"}, {"name": "Privileged Account Management", "description": "Manage the creation, modification, use, and permissions associated to privileged accounts, including SYSTEM and root.", "url": "https://attack.mitre.org/mitigations/M1026"}]}, {"_id": "T1495", "mitigations": [{"name": "Update Software", "description": "Perform regular software updates to mitigate exploitation risk.", "url": "https://attack.mitre.org/mitigations/M1051"}, {"name": "Privileged Account Management", "description": "Manage the creation, modification, use, and permissions associated to privileged accounts, including SYSTEM and root.", "url": "https://attack.mitre.org/mitigations/M1026"}, {"name": "Boot Integrity", "description": "Use secure methods to boot a system and verify the integrity of the operating system and loading mechanisms.", "url": "https://attack.mitre.org/mitigations/M1046"}]}, {"_id": 
"T1490", "mitigations": [{"name": "Operating System Configuration", "description": "Make configuration changes related to the operating system or a common feature of the operating system that result in system hardening against techniques.", "url": "https://attack.mitre.org/mitigations/M1028"}, {"name": "Data Backup", "description": "Take and store data backups from end user systems and critical servers. Ensure backup and storage systems are hardened and kept separate from the corporate network to prevent compromise.", "url": "https://attack.mitre.org/mitigations/M1053"}]}, {"_id": "T1216", "mitigations": [{"name": "Execution Prevention", "description": "Block execution of code on a system through application whitelisting, blacklisting, and/or script blocking.", "url": "https://attack.mitre.org/mitigations/M1038"}]}, {"_id": "T1094", "mitigations": [{"name": "Filter Network Traffic", "description": "Use network appliances to filter ingress or egress traffic and perform protocol-based filtering. Configure software on endpoints to filter network traffic.", "url": "https://attack.mitre.org/mitigations/M1037"}, {"name": "Network Segmentation", "description": "Architect sections of the network to isolate critical systems, functions, or resources. Use physical and logical segmentation to prevent access to potentially sensitive systems and information. 
Use a DMZ to contain any internet-facing services that should not be exposed from the internal network.", "url": "https://attack.mitre.org/mitigations/M1030"}, {"name": "Network Intrusion Prevention", "description": "Use intrusion detection signatures to block traffic at network boundaries.", "url": "https://attack.mitre.org/mitigations/M1031"}]}, {"_id": "T1118", "mitigations": [{"name": "Disable or Remove Feature or Program", "description": "Remove or deny access to unnecessary and potentially vulnerable software to prevent abuse by adversaries.", "url": "https://attack.mitre.org/mitigations/M1042"}, {"name": "Execution Prevention", "description": "Block execution of code on a system through application whitelisting, blacklisting, and/or script blocking.", "url": "https://attack.mitre.org/mitigations/M1038"}]}, {"_id": "T1043", "mitigations": [{"name": "Network Segmentation", "description": "Architect sections of the network to isolate critical systems, functions, or resources. Use physical and logical segmentation to prevent access to potentially sensitive systems and information. 
Use a DMZ to contain any internet-facing services that should not be exposed from the internal network.", "url": "https://attack.mitre.org/mitigations/M1030"}, {"name": "Network Intrusion Prevention", "description": "Use intrusion detection signatures to block traffic at network boundaries.", "url": "https://attack.mitre.org/mitigations/M1031"}]}, {"_id": "T1211", "mitigations": [{"name": "Exploit Protection", "description": "Use capabilities to detect and block conditions that may lead to or be indicative of a software exploit occurring.", "url": "https://attack.mitre.org/mitigations/M1050"}, {"name": "Update Software", "description": "Perform regular software updates to mitigate exploitation risk.", "url": "https://attack.mitre.org/mitigations/M1051"}, {"name": "Threat Intelligence Program", "description": "A threat intelligence program helps an organization generate their own threat intelligence information and track trends to inform defensive priorities to mitigate risk.", "url": "https://attack.mitre.org/mitigations/M1019"}, {"name": "Application Isolation and Sandboxing", "description": "Restrict execution of code to a virtual environment on or in transit to an endpoint system.", "url": "https://attack.mitre.org/mitigations/M1048"}]}, {"_id": "T1127", "mitigations": [{"name": "Execution Prevention", "description": "Block execution of code on a system through application whitelisting, blacklisting, and/or script blocking.", "url": "https://attack.mitre.org/mitigations/M1038"}, {"name": "Disable or Remove Feature or Program", "description": "Remove or deny access to unnecessary and potentially vulnerable software to prevent abuse by adversaries.", "url": "https://attack.mitre.org/mitigations/M1042"}]}, {"_id": "T1529", "mitigations": []}, {"_id": "T1077", "mitigations": [{"name": "Privileged Account Management", "description": "Manage the creation, modification, use, and permissions associated to privileged accounts, including SYSTEM and root.", "url": 
"https://attack.mitre.org/mitigations/M1026"}, {"name": "Password Policies", "description": "Set and enforce secure password policies for accounts.", "url": "https://attack.mitre.org/mitigations/M1027"}]}] diff --git a/monkey/monkey_island/cc/setup/mongo/database_initializer.py b/monkey/monkey_island/cc/setup/mongo/database_initializer.py index 32e3c8486..4e339aad7 100644 --- a/monkey/monkey_island/cc/setup/mongo/database_initializer.py +++ b/monkey/monkey_island/cc/setup/mongo/database_initializer.py @@ -35,20 +35,5 @@ def _try_store_mitigations_on_mongo(): def _store_mitigations_on_mongo(): - stix2_mitigations = MitreApiInterface.get_all_mitigations() - mongo_mitigations = AttackMitigations.dict_from_stix2_attack_patterns( - MitreApiInterface.get_all_attack_techniques() - ) - mitigation_technique_relationships = ( - MitreApiInterface.get_technique_and_mitigation_relationships() - ) - for relationship in mitigation_technique_relationships: - mongo_mitigations[relationship["target_ref"]].add_mitigation( - stix2_mitigations[relationship["source_ref"]] - ) - for relationship in mitigation_technique_relationships: - mongo_mitigations[relationship["target_ref"]].add_no_mitigations_info( - stix2_mitigations[relationship["source_ref"]] - ) - for key, mongo_object in mongo_mitigations.items(): - mongo_object.save() + # TODO: import attack mitigations + pass diff --git a/monkey/monkey_island/monkey_island.spec b/monkey/monkey_island/monkey_island.spec index 624d08ffa..756b5ae2c 100644 --- a/monkey/monkey_island/monkey_island.spec +++ b/monkey/monkey_island/monkey_island.spec 
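Review bot: `_store_mitigations_on_mongo` is reduced to `pass`, so the caller named in the hunk header, `_try_store_mitigations_on_mongo`, now completes without storing anything and the mitigation data the island later reads from Mongo is silently empty until the TODO is resolved. A stub that fails loudly is safer than one that looks like a successful import: `raise NotImplementedError("attack mitigations import not yet implemented")` (if the `_try_` wrapper catches and logs, it will surface there) or at minimum a warning-level log line. The data file added in this commit sits beside this module (`cc/setup/mongo/attack_mitigations.json`) and its entries already carry an `_id` and a `mitigations` list, so if it is the intended replacement source the TODO should say so, e.g. `# TODO: load attack_mitigations.json from this directory and save each entry as an AttackMitigations document`. If `MitreApiInterface` and `AttackMitigations` were imported at the top of this module only for the removed body, those imports are now unused; the module header is outside the hunk so this is inferred.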
@@ -13,7 +13,7 @@ def main(): # The format of the tuples is (src, dest_dir). See https://pythonhosted.org/PyInstaller/spec-files.html#adding-data-files added_datas = [ ("../common/BUILD", "/common"), - ("../monkey_island/cc/services/attack/attack_data", "/monkey_island/cc/services/attack/attack_data") + ("../monkey_island/cc/services/mongo/attack_mitigations.json", "/monkey_island/cc/services/mongo/attack_mitigations.json") ] a = Analysis(['main.py'], diff --git a/monkey/tests/unit_tests/monkey_island/cc/services/attack/test_mitre_api_interface.py b/monkey/tests/unit_tests/monkey_island/cc/services/attack/test_mitre_api_interface.py index f93afc8d5..24f516198 100644 --- a/monkey/tests/unit_tests/monkey_island/cc/services/attack/test_mitre_api_interface.py +++ b/monkey/tests/unit_tests/monkey_island/cc/services/attack/test_mitre_api_interface.py @@ -1,14 +1,18 @@ -import pytest +import json +from pathlib import Path -from monkey_island.cc.services.attack.mitre_api_interface import MitreApiInterface +from monkey_island.cc.server_utils.consts import MONKEY_ISLAND_ABS_PATH -@pytest.mark.slow def test_get_all_mitigations(): - mitigations = MitreApiInterface.get_all_mitigations() - assert len(mitigations.items()) >= 282 - mitigation = next(iter(mitigations.values())) - assert mitigation["type"] == "course-of-action" - assert mitigation["name"] is not None - assert mitigation["description"] is not None - assert mitigation["external_references"] is not None + attack_mitigation_path = ( + Path(MONKEY_ISLAND_ABS_PATH) / "cc" / "setup" / "mongo" / "attack_mitigations.json" + ) + + with open(attack_mitigation_path) as mitigations: + mitigations = json.load(mitigations) + assert len(mitigations) >= 266 + mitigation = next(iter(mitigations))["mitigations"][0] + assert mitigation["name"] is not None + assert mitigation["description"] is not None + assert mitigation["url"] is not None
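Review bot: The new `added_datas` entry points at `../monkey_island/cc/services/mongo/attack_mitigations.json`, but the file this commit adds lives under `cc/setup/mongo` (the path the updated unit test opens and the directory of `database_initializer.py`), so PyInstaller will not find it and the packaged island ships without the data. The comment at the top of the hunk states the tuple is `(src, dest_dir)`; the old entry bundled a directory, but for a single file the destination must be the target directory, otherwise PyInstaller creates a directory named `attack_mitigations.json` containing the file. Suggested line: `("../monkey_island/cc/setup/mongo/attack_mitigations.json", "/monkey_island/cc/setup/mongo")`.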
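Review bot: `next(iter(mitigations))["mitigations"][0]` makes the assertions depend on the first technique in the JSON having at least one mitigation; several entries in the added data file have `"mitigations": []`, so a reordering of the file would turn this test into an IndexError rather than a meaningful failure, and every other entry goes unchecked. Iterating over all entries removes the order dependence and validates the whole file, which is what a data-file sanity test is for. The `with open(...) as mitigations:` line also reuses `mitigations` first for the file handle and then for the parsed list; a distinct handle name and an explicit `encoding="utf-8"` (the descriptions are free text) keep the test readable and independent of the platform default encoding. Since the function under test was removed, the name `test_get_all_mitigations` no longer describes what is checked; something like `test_attack_mitigations_json_is_well_formed` would.
```python
    # … unchanged: attack_mitigation_path assignment …
    with open(attack_mitigation_path, encoding="utf-8") as mitigations_file:
        mitigations = json.load(mitigations_file)
    assert len(mitigations) >= 266
    # Check every technique so the test does not rely on file order or on the
    # first technique having a non-empty mitigation list.
    for technique in mitigations:
        assert technique["_id"]
        for mitigation in technique["mitigations"]:
            assert mitigation["name"] is not None
            assert mitigation["description"] is not None
            assert mitigation["url"] is not None
```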