diff --git a/.gitmodules b/.gitmodules
index 2fb33dd37..814297e5c 100644
--- a/.gitmodules
+++ b/.gitmodules
@@ -1,6 +1,3 @@
-[submodule "monkey/monkey_island/cc/services/attack/attack_data"]
- path = monkey/monkey_island/cc/services/attack/attack_data
- url = https://github.com/guardicore/cti
 [submodule "docs/themes/learn"]
 path = docs/themes/learn
 url = https://github.com/guardicode/hugo-theme-learn.git
diff --git a/deployment_scripts/dump_attack_mitigations/attack_mitigations.py b/deployment_scripts/dump_attack_mitigations/attack_mitigations.py
new file mode 100644
index 000000000..95e3a09e6
--- /dev/null
+++ b/deployment_scripts/dump_attack_mitigations/attack_mitigations.py
@@ -0,0 +1,65 @@
+from typing import Dict
+
+from mongoengine import Document, EmbeddedDocument, EmbeddedDocumentField, ListField, StringField
+from stix2 import AttackPattern, CourseOfAction
+
+
+class Mitigation(EmbeddedDocument):
+ name = StringField(required=True)
+ description = StringField(required=True)
+ url = StringField()
+
+ @staticmethod
+ def get_from_stix2_data(mitigation: CourseOfAction):
+ name = mitigation["name"]
+ description = mitigation["description"]
+ url = get_stix2_external_reference_url(mitigation)
+ return Mitigation(name=name, description=description, url=url)
+
+
+class AttackMitigations(Document):
+ technique_id = StringField(required=True, primary_key=True)
+ mitigations = ListField(EmbeddedDocumentField("Mitigation"))
+
+ def add_mitigation(self, mitigation: CourseOfAction):
+ mitigation_external_ref_id = get_stix2_external_reference_id(mitigation)
+ if mitigation_external_ref_id.startswith("M"):
+ self.mitigations.append(Mitigation.get_from_stix2_data(mitigation))
+
+ def add_no_mitigations_info(self, mitigation: CourseOfAction):
+ mitigation_external_ref_id = get_stix2_external_reference_id(mitigation)
+ if mitigation_external_ref_id.startswith("T") and len(self.mitigations) == 0:
+ mitigation_mongo_object = Mitigation.get_from_stix2_data(mitigation)
+ mitigation_mongo_object["description"] = mitigation_mongo_object[
+ "description"
+ ].splitlines()[0]
+ mitigation_mongo_object["url"] = ""
+ self.mitigations.append(mitigation_mongo_object)
+
+ @staticmethod
+ def dict_from_stix2_attack_patterns(stix2_dict: Dict[str, AttackPattern]):
+ return {
+ key: AttackMitigations.mitigations_from_attack_pattern(attack_pattern)
+ for key, attack_pattern in stix2_dict.items()
+ }
+
+ @staticmethod
+ def mitigations_from_attack_pattern(attack_pattern: AttackPattern):
+ return AttackMitigations(
+ technique_id=get_stix2_external_reference_id(attack_pattern),
+ mitigations=[],
+ )
+
+
+def get_stix2_external_reference_url(stix2_data) -> str:
+ for reference in stix2_data["external_references"]:
+ if "url" in reference:
+ return reference["url"]
+ return ""
+
+
+def get_stix2_external_reference_id(stix2_data) -> str:
+ for reference in stix2_data["external_references"]:
+ if reference["source_name"] == "mitre-attack" and "external_id" in reference:
+ return reference["external_id"]
+ return ""
diff --git a/deployment_scripts/dump_attack_mitigations/dump_attack_mitigations.py b/deployment_scripts/dump_attack_mitigations/dump_attack_mitigations.py
new file mode 100755
index 000000000..c8e2b064a
--- /dev/null
+++ b/deployment_scripts/dump_attack_mitigations/dump_attack_mitigations.py
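Review bot: `get_stix2_external_reference_url` returns the first external reference that has a `url` key regardless of its `source_name`, whereas `get_stix2_external_reference_id` right below it only accepts `source_name == "mitre-attack"`; for a course-of-action whose first reference is a third-party citation, `Mitigation.url` (the link the Island later renders in its report) would point to that site instead of attack.mitre.org. Making the two helpers agree is a one-line change: `if reference.get("source_name") == "mitre-attack" and "url" in reference:`. Separately, `add_no_mitigations_info` does `.splitlines()[0]` on the description, which raises `IndexError` on an empty description string; whether ATT&CK ever ships one I cannot tell from here, but `(description.splitlines() or [""])[0]` costs nothing and keeps the dump from aborting on one bad record.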
@@ -0,0 +1,184 @@
+import argparse
+import json
+import subprocess
+import time
+from pathlib import Path
+from typing import Dict, List
+
+import mongoengine
+import pymongo
+from attack_mitigations import AttackMitigations
+from bson import json_util
+from stix2 import AttackPattern, CourseOfAction, FileSystemSource, Filter
+
+COLLECTION_NAME = "attack_mitigations"
+
+
+def main():
+ args = parse_args()
+
+ set_default_mongo_connection(args.database_name, args.mongo_host, args.mongo_port)
+
+ mongo_client = pymongo.MongoClient(host=args.mongo_host, port=args.mongo_port)
+ database = mongo_client.get_database(args.database_name)
+
+ clean_collection(database)
+ populate_attack_mitigations(database, Path(args.cti_repo))
+ dump_attack_mitigations(database, Path(args.cti_repo), Path(args.dump_file_path))
+
+
+def parse_args():
+ parser = argparse.ArgumentParser(
+ description="Export attack mitigations from a database",
+ formatter_class=argparse.ArgumentDefaultsHelpFormatter,
+ )
+ parser.add_argument(
+ "--mongo_host", default="localhost", help="URL for mongo database.", required=False
+ )
+ parser.add_argument(
+ "--mongo-port",
+ action="store",
+ default=27017,
+ type=int,
+ help="Port for mongo database.",
+ required=False,
+ )
+ parser.add_argument(
+ "--database-name",
+ action="store",
+ default="monkeyisland",
+ help="Database name inside of mongo.",
+ required=False,
+ )
+ parser.add_argument(
+ "--cti-repo",
+ action="store",
+ default="attack_mitigations",
+ help="The path to the Cyber Threat Intelligence Repository.",
+ required=True,
+ )
+ parser.add_argument(
+ "--dump-file-path",
+ action="store",
+ default="./attack_mitigations.json",
+ help="A file path where the database dump will be saved.",
+ required=False,
+ )
+
+ return parser.parse_args()
+
+
+def set_default_mongo_connection(database_name: str, host: str, port: int):
+ mongoengine.connect(db=database_name, host=host, port=port)
+
+
+def clean_collection(database: pymongo.database.Database):
+ if collection_exists(database, COLLECTION_NAME):
+ database.drop_collection(COLLECTION_NAME)
+
+
+def collection_exists(database: pymongo.database.Database, collection_name: str) -> bool:
+ return collection_name in database.list_collection_names()
+
+
+def populate_attack_mitigations(database: pymongo.database.Database, cti_repo: Path):
+ database.create_collection(COLLECTION_NAME)
+ attack_data_path = cti_repo / "enterprise-attack"
+
+ stix2_mitigations = get_all_mitigations(attack_data_path)
+ mongo_mitigations = AttackMitigations.dict_from_stix2_attack_patterns(
+ get_all_attack_techniques(attack_data_path)
+ )
+ mitigation_technique_relationships = get_technique_and_mitigation_relationships(
+ attack_data_path
+ )
+ for relationship in mitigation_technique_relationships:
+ mongo_mitigations[relationship["target_ref"]].add_mitigation(
+ stix2_mitigations[relationship["source_ref"]]
+ )
+ for relationship in mitigation_technique_relationships:
+ mongo_mitigations[relationship["target_ref"]].add_no_mitigations_info(
+ stix2_mitigations[relationship["source_ref"]]
+ )
+ for key, mongo_object in mongo_mitigations.items():
+ mongo_object.save()
+
+
+def get_all_mitigations(attack_data_path: Path) -> Dict[str, CourseOfAction]:
+ file_system = FileSystemSource(attack_data_path)
+ mitigation_filter = [Filter("type", "=", "course-of-action")]
+ all_mitigations = file_system.query(mitigation_filter)
+ all_mitigations = {mitigation["id"]: mitigation for mitigation in all_mitigations}
+ return all_mitigations
+
+
+def get_all_attack_techniques(attack_data_path: Path) -> Dict[str, AttackPattern]:
+ file_system = FileSystemSource(attack_data_path)
+ technique_filter = [Filter("type", "=", "attack-pattern")]
+ all_techniques = file_system.query(technique_filter)
+ all_techniques = {technique["id"]: technique for technique in all_techniques}
+ return all_techniques
+
+
+def get_technique_and_mitigation_relationships(attack_data_path: Path) -> List[CourseOfAction]:
+ file_system = FileSystemSource(attack_data_path)
+ technique_filter = [
+ Filter("type", "=", "relationship"),
+ Filter("relationship_type", "=", "mitigates"),
+ ]
+ all_techniques = file_system.query(technique_filter)
+ return all_techniques
+
+
+def dump_attack_mitigations(
+ database: pymongo.database.Database, cti_repo: Path, dump_file_path: Path
+):
+ if not collection_exists(database, COLLECTION_NAME):
+ raise Exception(f"Could not find collection: {COLLECTION_NAME}")
+
+ metadata = get_metadata(cti_repo)
+ data = get_data_from_database(database)
+
+ json_output = f'{{"metadata":{json.dumps(metadata)},"data":{json_util.dumps(data)}}}'
+
+ with open(dump_file_path, "wb") as jsonfile:
+ jsonfile.write(json_output.encode())
+
+
+def get_metadata(cti_repo: Path) -> dict:
+ timestamp = str(time.time())
+ commit_hash = get_commit_hash(cti_repo)
+ origin_url = get_origin_url(cti_repo)
+
+ return {"timestamp": timestamp, "commit_hash": commit_hash, "origin_url": origin_url}
+
+
+def get_commit_hash(cti_repo: Path) -> str:
+ return run_command(["git", "rev-parse", "--short", "HEAD"], cti_repo).strip()
+
+
+def get_origin_url(cti_repo: Path) -> str:
+ return run_command(["git", "remote", "get-url", "origin"], cti_repo).strip()
+
+
+def run_command(cmd: List, cwd: Path = None) -> str:
+ cp = subprocess.run(cmd, capture_output=True, cwd=cwd, encoding="utf-8")
+
+ if cp.returncode != 0:
+ raise Exception(
+ f"Error running command -- Command: {cmd} -- Return Code: {cp.returncode} -- stderr: "
+ f"{cp.stderr}"
+ )
+
+ return cp.stdout
+
+
+def get_data_from_database(database: pymongo.database.Database) -> pymongo.cursor.Cursor:
+ collection = database.get_collection(COLLECTION_NAME)
+ collection_contents = collection.find()
+
+ return collection_contents
+
+
+if __name__ == "__main__":
+ main()
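Review bot: The provenance record that `get_metadata` embeds in the shipped JSON comes from `git rev-parse --short HEAD`, and an abbreviated hash is not a stable identifier of the CTI snapshot (it can become ambiguous as the upstream repository grows), so `get_commit_hash` should record the full object id: `return run_command(["git", "rev-parse", "HEAD"], cti_repo).strip()`. Nothing in the metadata says whether the checkout was clean either, so a consumer cannot tell that the dumped data actually corresponds to that commit; recording the output of `git status --porcelain` (or a `dirty` boolean derived from it) alongside `commit_hash` would make the record honest, and the `origin_url` should be read as informational only since it is whatever the local clone claims. Two smaller points in `parse_args`: `--mongo_host` is the one underscore-spelled option among hyphenated ones (argparse maps both spellings to `args.mongo_host`, so `--mongo-host` keeps `main` working), and `--cti-repo` sets both `required=True` and `default="attack_mitigations"`, so the default is dead code that the `ArgumentDefaultsHelpFormatter` will still print. `get_technique_and_mitigation_relationships` is annotated `-> List[CourseOfAction]` but returns relationship objects, and the tail of `run_command` swallows nothing but the broad `Exception` type makes callers unable to distinguish a git failure from a Mongo one.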
diff --git a/deployment_scripts/dump_attack_mitigations/requirements.txt b/deployment_scripts/dump_attack_mitigations/requirements.txt
new file mode 100644
index 000000000..67893d8d7
--- /dev/null
+++ b/deployment_scripts/dump_attack_mitigations/requirements.txt
@@ -0,0 +1,13 @@
+antlr4-python3-runtime==4.8
+certifi==2021.5.30
+charset-normalizer==2.0.6
+idna==3.2
+mongoengine==0.23.1
+pymongo==3.12.0
+pytz==2021.1
+requests==2.26.0
+simplejson==3.17.5
+six==1.16.0
+stix2==3.0.1
+stix2-patterns==1.3.2
+urllib3==1.26.7
diff --git a/docs/content/development/attack_mitigations.md b/docs/content/development/attack_mitigations.md
new file mode 100644
index 000000000..bce2dc873
--- /dev/null
+++ b/docs/content/development/attack_mitigations.md
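Review bot: The pins here carry no `--hash=` values, so the `pip install -r requirements.txt` the new docs prescribe accepts whatever the index serves for each version; since this tool produces the `attack_mitigations.json` that every Island install ships and renders, it deserves the same integrity bar as the Island's own `Pipfile.lock`. Generating the file with `pip-compile --generate-hashes` and installing with `pip install --require-hashes -r requirements.txt` closes that gap without changing any pinned version.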
@@ -0,0 +1,39 @@
+---
+title: "MITRE ATT&CK Mitigations"
+date: 2021-09-30T08:18:37+03:00
+draft: true
+weight: 10
+---
+
+{{% notice info %}}
+Check out [the documentation for the MITRE ATT&CK techniques as well]({{< ref "/reports/mitre" >}}).
+{{% /notice %}}
+
+## Summary
+
+Attack Mitigations are presented in MITRE ATT&CK report. They appear next to
+descriptions of attack techniques and suggest steps that can be taken to reduce
+the risk of that particular technique being successful in a network. They also
+provide links for further reading on https://attack.mitre.org/
+
+The Infection Monkey is shipped with pre-processed information about MITRE
+ATT&CK mitigations located at
+`monkey/monkey_island/cc/setup/mongo/attack_mitigations.json`. This may need to
+be periodically updated as the MITRE ATT&CK framework evolves.
+
+
+## Updating the MITRE ATT&CK mitigations data
+1. Clone the [MITRE Cyber Threat Intelligence
+ Repository](https://github.com/mitre/cti) or the [Guardicore
+ fork](https://github.com/guardicore/cti):
+ ```
+ $ CTI_REPO=$PWD/cti
+ $ git clone $CTI_REPO
+ ```
+2. Start a MongoDB v4.2 server.
+3. Run the script to generate the `attack_mitigations.json` file:
+ ```
+ $ cd monkey/deployment_scripts/dump_attack_mitigations
+ $ pip install -r requirements.txt
+ $ python dump_attack_mitigations.py --cti-repo $CTI_REPO --dump-file-path ../../monkey/monkey_island/cc/setup/mongo/attack_mitigations.json
+ ```
diff --git a/monkey/monkey_island/Pipfile b/monkey/monkey_island/Pipfile
index da0ea19d3..f57407160 100644
--- a/monkey/monkey_island/Pipfile
+++ b/monkey/monkey_island/Pipfile
@@ -20,7 +20,6 @@ pycryptodome = "==3.9.8"
 python-dateutil = "<3.0.0,>=2.1"
 requests = ">=2.24"
 ring = ">=0.7.3"
-stix2 = ">=2.0.2"
 six = ">=1.13.0"
 tqdm = ">=4.47"
 Flask-JWT-Extended = "==4.*"
diff --git a/monkey/monkey_island/Pipfile.lock b/monkey/monkey_island/Pipfile.lock
index 4501a5cf5..5fbd9a39d 100644
--- a/monkey/monkey_island/Pipfile.lock
+++ b/monkey/monkey_island/Pipfile.lock @@ -1,7 +1,7 @@ { "_meta": { "hash": { - "sha256": "9857728597cb9daa816ac6e5cf7a86ae1c86c8e56c68d8d0551f57845124a562" + "sha256": "8d64d81ac872383366db0e261649783cc60ee03cbaf7d41ae27239bdc4300a91" }, "pipfile-spec": 6, "requires": { @@ -30,13 +30,6 @@ ], "version": "==9.0.1" }, - "antlr4-python3-runtime": { - "hashes": [ - "sha256:15793f5d0512a372b4e7d2284058ad32ce7dd27126b105fb0b2245130445db33" - ], - "markers": "python_version >= '3'", - "version": "==4.8" - }, "asyncio-throttle": { "hashes": [ "sha256:a01a56f3671e961253cf262918f3e0741e222fc50d57d981ba5c801f284eccfe" @@ -192,7 +185,7 @@ "sha256:7d73d2a99753107a36ac6b455ee49046802e59d9d076ef8e47b61499fa29afff", "sha256:e96da0d330793e2cb9485e9ddfd918d456036c7149416295932478192f4436a1" ], - "markers": "python_version >= '2.7' and python_version not in '3.0, 3.1, 3.2, 3.3, 3.4'", + "markers": "platform_system == 'Windows' and sys_platform == 'win32' and platform_system == 'Windows'", "version": "==0.4.3" }, "coloredlogs": { 
@@ -204,28 +197,29 @@ }, "cryptography": { "hashes": [ - "sha256:0a7dcbcd3f1913f664aca35d47c1331fce738d44ec34b7be8b9d332151b0b01e", - "sha256:1eb7bb0df6f6f583dd8e054689def236255161ebbcf62b226454ab9ec663746b", - "sha256:21ca464b3a4b8d8e86ba0ee5045e103a1fcfac3b39319727bc0fc58c09c6aff7", - "sha256:34dae04a0dce5730d8eb7894eab617d8a70d0c97da76b905de9efb7128ad7085", - "sha256:3520667fda779eb788ea00080124875be18f2d8f0848ec00733c0ec3bb8219fc", - "sha256:3c4129fc3fdc0fa8e40861b5ac0c673315b3c902bbdc05fc176764815b43dd1d", - "sha256:3fa3a7ccf96e826affdf1a0a9432be74dc73423125c8f96a909e3835a5ef194a", - "sha256:5b0fbfae7ff7febdb74b574055c7466da334a5371f253732d7e2e7525d570498", - "sha256:695104a9223a7239d155d7627ad912953b540929ef97ae0c34c7b8bf30857e89", - "sha256:8695456444f277af73a4877db9fc979849cd3ee74c198d04fc0776ebc3db52b9", - "sha256:94cc5ed4ceaefcbe5bf38c8fba6a21fc1d365bb8fb826ea1688e3370b2e24a1c", - "sha256:94fff993ee9bc1b2440d3b7243d488c6a3d9724cc2b09cdb297f6a886d040ef7", - "sha256:9965c46c674ba8cc572bc09a03f4c649292ee73e1b683adb1ce81e82e9a6a0fb", - "sha256:a00cf305f07b26c351d8d4e1af84ad7501eca8a342dedf24a7acb0e7b7406e14", - "sha256:a305600e7a6b7b855cd798e00278161b681ad6e9b7eca94c721d5f588ab212af", - "sha256:cd65b60cfe004790c795cc35f272e41a3df4631e2fb6b35aa7ac6ef2859d554e", - "sha256:d2a6e5ef66503da51d2110edf6c403dc6b494cc0082f85db12f54e9c5d4c3ec5", - "sha256:d9ec0e67a14f9d1d48dd87a2531009a9b251c02ea42851c060b25c782516ff06", - "sha256:f44d141b8c4ea5eb4dbc9b3ad992d45580c1d22bf5e24363f2fbf50c2d7ae8a7" + "sha256:07bb7fbfb5de0980590ddfc7f13081520def06dc9ed214000ad4372fb4e3c7f6", + "sha256:18d90f4711bf63e2fb21e8c8e51ed8189438e6b35a6d996201ebd98a26abbbe6", + "sha256:1ed82abf16df40a60942a8c211251ae72858b25b7421ce2497c2eb7a1cee817c", + "sha256:22a38e96118a4ce3b97509443feace1d1011d0571fae81fc3ad35f25ba3ea999", + "sha256:2d69645f535f4b2c722cfb07a8eab916265545b3475fdb34e0be2f4ee8b0b15e", + "sha256:4a2d0e0acc20ede0f06ef7aa58546eee96d2592c00f450c9acb89c5879b61992", + 
"sha256:54b2605e5475944e2213258e0ab8696f4f357a31371e538ef21e8d61c843c28d", + "sha256:7075b304cd567694dc692ffc9747f3e9cb393cc4aa4fb7b9f3abd6f5c4e43588", + "sha256:7b7ceeff114c31f285528ba8b390d3e9cfa2da17b56f11d366769a807f17cbaa", + "sha256:7eba2cebca600a7806b893cb1d541a6e910afa87e97acf2021a22b32da1df52d", + "sha256:928185a6d1ccdb816e883f56ebe92e975a262d31cc536429041921f8cb5a62fd", + "sha256:9933f28f70d0517686bd7de36166dda42094eac49415459d9bdf5e7df3e0086d", + "sha256:a688ebcd08250eab5bb5bca318cc05a8c66de5e4171a65ca51db6bd753ff8953", + "sha256:abb5a361d2585bb95012a19ed9b2c8f412c5d723a9836418fab7aaa0243e67d2", + "sha256:c10c797ac89c746e488d2ee92bd4abd593615694ee17b2500578b63cad6b93a8", + "sha256:ced40344e811d6abba00295ced98c01aecf0c2de39481792d87af4fa58b7b4d6", + "sha256:d57e0cdc1b44b6cdf8af1d01807db06886f10177469312fbde8f44ccbb284bc9", + "sha256:d99915d6ab265c22873f1b4d6ea5ef462ef797b4140be4c9d8b179915e0985c6", + "sha256:eb80e8a1f91e4b7ef8b33041591e6d89b2b8e122d787e87eeb2b08da71bb16ad", + "sha256:ebeddd119f526bcf323a89f853afb12e225902a24d29b55fe18dd6fcb2838a76" ], "markers": "python_version >= '3.6'", - "version": "==3.4.8" + "version": "==35.0.0" }, "docutils": { "hashes": [ @@ -276,6 +270,13 @@ "index": "pypi", "version": "==0.3.9" }, + "future": { + "hashes": [ + "sha256:b1bead90b70cf6ec3f0710ae53a525360fa360d306a86583adc6bf83a4db537d" + ], + "markers": "python_version >= '2.6' and python_version not in '3.0, 3.1, 3.2, 3.3'", + "version": "==0.18.2" + }, "gevent": { "hashes": [ "sha256:02d1e8ca227d0ab0b7917fd7e411f9a534475e0a41fb6f434e9264b20155201a", 
@@ -310,59 +311,59 @@ }, "greenlet": { "hashes": [ - "sha256:04e1849c88aa56584d4a0a6e36af5ec7cc37993fdc1fda72b56aa1394a92ded3", - "sha256:05e72db813c28906cdc59bd0da7c325d9b82aa0b0543014059c34c8c4ad20e16", - "sha256:07e6d88242e09b399682b39f8dfa1e7e6eca66b305de1ff74ed9eb1a7d8e539c", - "sha256:090126004c8ab9cd0787e2acf63d79e80ab41a18f57d6448225bbfcba475034f", - "sha256:1796f2c283faab2b71c67e9b9aefb3f201fdfbee5cb55001f5ffce9125f63a45", - "sha256:2f89d74b4f423e756a018832cd7a0a571e0a31b9ca59323b77ce5f15a437629b", - "sha256:34e6675167a238bede724ee60fe0550709e95adaff6a36bcc97006c365290384", - "sha256:3e594015a2349ec6dcceda9aca29da8dc89e85b56825b7d1f138a3f6bb79dd4c", - "sha256:3f8fc59bc5d64fa41f58b0029794f474223693fd00016b29f4e176b3ee2cfd9f", - "sha256:3fc6a447735749d651d8919da49aab03c434a300e9f0af1c886d560405840fd1", - "sha256:40abb7fec4f6294225d2b5464bb6d9552050ded14a7516588d6f010e7e366dcc", - "sha256:44556302c0ab376e37939fd0058e1f0db2e769580d340fb03b01678d1ff25f68", - "sha256:476ba9435afaead4382fbab8f1882f75e3fb2285c35c9285abb3dd30237f9142", - "sha256:4870b018ca685ff573edd56b93f00a122f279640732bb52ce3a62b73ee5c4a92", - "sha256:4adaf53ace289ced90797d92d767d37e7cdc29f13bd3830c3f0a561277a4ae83", - "sha256:4eae94de9924bbb4d24960185363e614b1b62ff797c23dc3c8a7c75bbb8d187e", - "sha256:5317701c7ce167205c0569c10abc4bd01c7f4cf93f642c39f2ce975fa9b78a3c", - "sha256:5c3b735ccf8fc8048664ee415f8af5a3a018cc92010a0d7195395059b4b39b7d", - "sha256:5cde7ee190196cbdc078511f4df0be367af85636b84d8be32230f4871b960687", - "sha256:655ab836324a473d4cd8cf231a2d6f283ed71ed77037679da554e38e606a7117", - "sha256:6ce9d0784c3c79f3e5c5c9c9517bbb6c7e8aa12372a5ea95197b8a99402aa0e6", - "sha256:6e0696525500bc8aa12eae654095d2260db4dc95d5c35af2b486eae1bf914ccd", - "sha256:75ff270fd05125dce3303e9216ccddc541a9e072d4fc764a9276d44dee87242b", - "sha256:8039f5fe8030c43cd1732d9a234fdcbf4916fcc32e21745ca62e75023e4d4649", - "sha256:84488516639c3c5e5c0e52f311fff94ebc45b56788c2a3bfe9cf8e75670f4de3", - 
"sha256:84782c80a433d87530ae3f4b9ed58d4a57317d9918dfcc6a59115fa2d8731f2c", - "sha256:8ddb38fb6ad96c2ef7468ff73ba5c6876b63b664eebb2c919c224261ae5e8378", - "sha256:98b491976ed656be9445b79bc57ed21decf08a01aaaf5fdabf07c98c108111f6", - "sha256:990e0f5e64bcbc6bdbd03774ecb72496224d13b664aa03afd1f9b171a3269272", - "sha256:9b02e6039eafd75e029d8c58b7b1f3e450ca563ef1fe21c7e3e40b9936c8d03e", - "sha256:a11b6199a0b9dc868990456a2667167d0ba096c5224f6258e452bfbe5a9742c5", - "sha256:a414f8e14aa7bacfe1578f17c11d977e637d25383b6210587c29210af995ef04", - "sha256:a91ee268f059583176c2c8b012a9fce7e49ca6b333a12bbc2dd01fc1a9783885", - "sha256:ac991947ca6533ada4ce7095f0e28fe25d5b2f3266ad5b983ed4201e61596acf", - "sha256:b050dbb96216db273b56f0e5960959c2b4cb679fe1e58a0c3906fa0a60c00662", - "sha256:b97a807437b81f90f85022a9dcfd527deea38368a3979ccb49d93c9198b2c722", - "sha256:bad269e442f1b7ffa3fa8820b3c3aa66f02a9f9455b5ba2db5a6f9eea96f56de", - "sha256:bf3725d79b1ceb19e83fb1aed44095518c0fcff88fba06a76c0891cfd1f36837", - "sha256:c0f22774cd8294078bdf7392ac73cf00bfa1e5e0ed644bd064fdabc5f2a2f481", - "sha256:c1862f9f1031b1dee3ff00f1027fcd098ffc82120f43041fe67804b464bbd8a7", - "sha256:c8d4ed48eed7414ccb2aaaecbc733ed2a84c299714eae3f0f48db085342d5629", - "sha256:cf31e894dabb077a35bbe6963285d4515a387ff657bd25b0530c7168e48f167f", - "sha256:d15cb6f8706678dc47fb4e4f8b339937b04eda48a0af1cca95f180db552e7663", - "sha256:dfcb5a4056e161307d103bc013478892cfd919f1262c2bb8703220adcb986362", - "sha256:e02780da03f84a671bb4205c5968c120f18df081236d7b5462b380fd4f0b497b", - "sha256:e2002a59453858c7f3404690ae80f10c924a39f45f6095f18a985a1234c37334", - "sha256:e22a82d2b416d9227a500c6860cf13e74060cf10e7daf6695cbf4e6a94e0eee4", - "sha256:e41f72f225192d5d4df81dad2974a8943b0f2d664a2a5cfccdf5a01506f5523c", - "sha256:f253dad38605486a4590f9368ecbace95865fea0f2b66615d121ac91fd1a1563", - "sha256:fddfb31aa2ac550b938d952bca8a87f1db0f8dc930ffa14ce05b5c08d27e7fd1" + "sha256:00e44c8afdbe5467e4f7b5851be223be68adb4272f44696ee71fe46b7036a711", 
+ "sha256:013d61294b6cd8fe3242932c1c5e36e5d1db2c8afb58606c5a67efce62c1f5fd", + "sha256:049fe7579230e44daef03a259faa24511d10ebfa44f69411d99e6a184fe68073", + "sha256:14d4f3cd4e8b524ae9b8aa567858beed70c392fdec26dbdb0a8a418392e71708", + "sha256:166eac03e48784a6a6e0e5f041cfebb1ab400b394db188c48b3a84737f505b67", + "sha256:17ff94e7a83aa8671a25bf5b59326ec26da379ace2ebc4411d690d80a7fbcf23", + "sha256:1e12bdc622676ce47ae9abbf455c189e442afdde8818d9da983085df6312e7a1", + "sha256:21915eb821a6b3d9d8eefdaf57d6c345b970ad722f856cd71739493ce003ad08", + "sha256:288c6a76705dc54fba69fbcb59904ae4ad768b4c768839b8ca5fdadec6dd8cfd", + "sha256:32ca72bbc673adbcfecb935bb3fb1b74e663d10a4b241aaa2f5a75fe1d1f90aa", + "sha256:356b3576ad078c89a6107caa9c50cc14e98e3a6c4874a37c3e0273e4baf33de8", + "sha256:40b951f601af999a8bf2ce8c71e8aaa4e8c6f78ff8afae7b808aae2dc50d4c40", + "sha256:572e1787d1460da79590bf44304abbc0a2da944ea64ec549188fa84d89bba7ab", + "sha256:58df5c2a0e293bf665a51f8a100d3e9956febfbf1d9aaf8c0677cf70218910c6", + "sha256:64e6175c2e53195278d7388c454e0b30997573f3f4bd63697f88d855f7a6a1fc", + "sha256:7227b47e73dedaa513cdebb98469705ef0d66eb5a1250144468e9c3097d6b59b", + "sha256:7418b6bfc7fe3331541b84bb2141c9baf1ec7132a7ecd9f375912eca810e714e", + "sha256:7cbd7574ce8e138bda9df4efc6bf2ab8572c9aff640d8ecfece1b006b68da963", + "sha256:7ff61ff178250f9bb3cd89752df0f1dd0e27316a8bd1465351652b1b4a4cdfd3", + "sha256:833e1551925ed51e6b44c800e71e77dacd7e49181fdc9ac9a0bf3714d515785d", + "sha256:8639cadfda96737427330a094476d4c7a56ac03de7265622fcf4cfe57c8ae18d", + "sha256:8c790abda465726cfb8bb08bd4ca9a5d0a7bd77c7ac1ca1b839ad823b948ea28", + "sha256:8d2f1fb53a421b410751887eb4ff21386d119ef9cde3797bf5e7ed49fb51a3b3", + "sha256:903bbd302a2378f984aef528f76d4c9b1748f318fe1294961c072bdc7f2ffa3e", + "sha256:93f81b134a165cc17123626ab8da2e30c0455441d4ab5576eed73a64c025b25c", + "sha256:95e69877983ea39b7303570fa6760f81a3eec23d0e3ab2021b7144b94d06202d", + 
"sha256:9633b3034d3d901f0a46b7939f8c4d64427dfba6bbc5a36b1a67364cf148a1b0", + "sha256:97e5306482182170ade15c4b0d8386ded995a07d7cc2ca8f27958d34d6736497", + "sha256:9f3cba480d3deb69f6ee2c1825060177a22c7826431458c697df88e6aeb3caee", + "sha256:aa5b467f15e78b82257319aebc78dd2915e4c1436c3c0d1ad6f53e47ba6e2713", + "sha256:abb7a75ed8b968f3061327c433a0fbd17b729947b400747c334a9c29a9af6c58", + "sha256:aec52725173bd3a7b56fe91bc56eccb26fbdff1386ef123abb63c84c5b43b63a", + "sha256:b11548073a2213d950c3f671aa88e6f83cda6e2fb97a8b6317b1b5b33d850e06", + "sha256:b1692f7d6bc45e3200844be0dba153612103db241691088626a33ff1f24a0d88", + "sha256:b92e29e58bef6d9cfd340c72b04d74c4b4e9f70c9fa7c78b674d1fec18896dc4", + "sha256:be5f425ff1f5f4b3c1e33ad64ab994eed12fc284a6ea71c5243fd564502ecbe5", + "sha256:dd0b1e9e891f69e7675ba5c92e28b90eaa045f6ab134ffe70b52e948aa175b3c", + "sha256:e30f5ea4ae2346e62cedde8794a56858a67b878dd79f7df76a0767e356b1744a", + "sha256:e6a36bb9474218c7a5b27ae476035497a6990e21d04c279884eb10d9b290f1b1", + "sha256:e859fcb4cbe93504ea18008d1df98dee4f7766db66c435e4882ab35cf70cac43", + "sha256:eb6ea6da4c787111adf40f697b4e58732ee0942b5d3bd8f435277643329ba627", + "sha256:ec8c433b3ab0419100bd45b47c9c8551248a5aee30ca5e9d399a0b57ac04651b", + "sha256:eff9d20417ff9dcb0d25e2defc2574d10b491bf2e693b4e491914738b7908168", + "sha256:f0214eb2a23b85528310dad848ad2ac58e735612929c8072f6093f3585fd342d", + "sha256:f276df9830dba7a333544bd41070e8175762a7ac20350786b322b714b0e654f5", + "sha256:f3acda1924472472ddd60c29e5b9db0cec629fbe3c5c5accb74d6d6d14773478", + "sha256:f70a9e237bb792c7cc7e44c531fd48f5897961701cdaa06cf22fc14965c496cf", + "sha256:f9d29ca8a77117315101425ec7ec2a47a22ccf59f5593378fc4077ac5b754fce", + "sha256:fa877ca7f6b48054f847b61d6fa7bed5cebb663ebc55e018fda12db09dcc664c", + "sha256:fdcec0b8399108577ec290f55551d926d9a1fa6cad45882093a7a07ac5ec147b" ], "markers": "platform_python_implementation == 'CPython'", - "version": "==1.1.1" + "version": "==1.1.2" }, "httpagentparser": { "hashes": [ 
@@ -585,6 +586,13 @@ "index": "pypi", "version": "==0.11.0" }, + "pefile": { + "hashes": [ + "sha256:344a49e40a94e10849f0fe34dddc80f773a12b40675bf2f7be4b8be578bdd94a" + ], + "markers": "python_version >= '3.6'", + "version": "==2021.9.3" + }, "policyuniverse": { "hashes": [ "sha256:184f854fc716754ff07cd9f601923d1ce30a6826617e7c2b252abebe76746b6d", @@ -793,6 +801,15 @@ ], "version": "==3.12.0" }, + "pyreadline": { + "hashes": [ + "sha256:4530592fc2e85b25b1a9f79664433da09237c1a270e4d78ea5aa3a2c7229e2d1", + "sha256:65540c21bfe14405a3a77e4c085ecfce88724743a4ead47c66b84defcf82c32e", + "sha256:9ce5fa65b8992dfa373bddc5b6e0864ead8f291c94fbfec05fbd5c836162e67b" + ], + "markers": "python_version < '3.8' and sys_platform == 'win32'", + "version": "==2.1" + }, "pyrsistent": { "hashes": [ "sha256:097b96f129dd36a8c9e33594e7ebb151b1515eb52cceb08474c10a5479e799f2", 
@@ -835,6 +852,29 @@ ], "version": "==2021.1" }, + "pywin32": { + "hashes": [ + "sha256:595d397df65f1b2e0beaca63a883ae6d8b6df1cdea85c16ae85f6d2e648133fe", + "sha256:87604a4087434cd814ad8973bd47d6524bd1fa9e971ce428e76b62a5e0860fdf", + "sha256:88981dd3cfb07432625b180f49bf4e179fb8cbb5704cd512e38dd63636af7a17", + "sha256:8c9d33968aa7fcddf44e47750e18f3d034c3e443a707688a008a2e52bbef7e96", + "sha256:93367c96e3a76dfe5003d8291ae16454ca7d84bb24d721e0b74a07610b7be4a7", + "sha256:9635df6998a70282bd36e7ac2a5cef9ead1627b0a63b17c731312c7a0daebb72", + "sha256:98f62a3f60aa64894a290fb7494bfa0bfa0a199e9e052e1ac293b2ad3cd2818b", + "sha256:c866f04a182a8cb9b7855de065113bbd2e40524f570db73ef1ee99ff0a5cc2f0", + "sha256:dafa18e95bf2a92f298fe9c582b0e205aca45c55f989937c52c454ce65b93c78", + "sha256:fb3b4933e0382ba49305cc6cd3fb18525df7fd96aa434de19ce0878133bf8e4a" + ], + "markers": "python_version < '3.10' and sys_platform == 'win32' and implementation_name == 'cpython'", + "version": "==301" + }, + "pywin32-ctypes": { + "hashes": [ + "sha256:24ffc3b341d457d48e8922352130cf2644024a4ff09762a2261fd34c36ee5942", + "sha256:9dc2d991b3479cc2df15930958b674a48a227d5361d413827a4cfd0b5876fc98" + ], + "version": "==0.2.0" + }, "pyyaml": { "hashes": [ "sha256:08682f6b72c722394747bddaf0aa62277e02557c0fd1c42cb853016a38f8dedf", @@ -880,10 +920,10 @@ }, "ring": { "hashes": [ - "sha256:f0853e3645a255ecf26291283afd520834ba50d2e0a1d44d930e5bdb944001c4" + "sha256:b077ec88c2dc179514a8e1fccd37fb1d5a6d2688891bb6e1ed9c33c4970e5424" ], "index": "pypi", - "version": "==0.9.0" + "version": "==0.9.1" }, "rsa": { "hashes": [ 
@@ -905,58 +945,6 @@ "git": "https://github.com/guardicode/ScoutSuite", "ref": "eac33ac5b0a84e4a2e29682cf3568271eb595003" }, - "simplejson": { - "hashes": [ - "sha256:065230b9659ac38c8021fa512802562d122afb0cf8d4b89e257014dcddb5730a", - "sha256:07707ba69324eaf58f0c6f59d289acc3e0ed9ec528dae5b0d4219c0d6da27dc5", - "sha256:10defa88dd10a0a4763f16c1b5504e96ae6dc68953cfe5fc572b4a8fcaf9409b", - "sha256:140eb58809f24d843736edb8080b220417e22c82ac07a3dfa473f57e78216b5f", - "sha256:188f2c78a8ac1eb7a70a4b2b7b9ad11f52181044957bf981fb3e399c719e30ee", - "sha256:1c2688365743b0f190392e674af5e313ebe9d621813d15f9332e874b7c1f2d04", - "sha256:24e413bd845bd17d4d72063d64e053898543fb7abc81afeae13e5c43cef9c171", - "sha256:2b59acd09b02da97728d0bae8ff48876d7efcbbb08e569c55e2d0c2e018324f5", - "sha256:2df15814529a4625ea6f7b354a083609b3944c269b954ece0d0e7455872e1b2a", - "sha256:352c11582aa1e49a2f0f7f7d8fd5ec5311da890d1354287e83c63ab6af857cf5", - "sha256:36b08b886027eac67e7a0e822e3a5bf419429efad7612e69501669d6252a21f2", - "sha256:376023f51edaf7290332dacfb055bc00ce864cb013c0338d0dea48731f37e42f", - "sha256:3ba82f8b421886f4a2311c43fb98faaf36c581976192349fef2a89ed0fcdbdef", - "sha256:3d72aa9e73134dacd049a2d6f9bd219f7be9c004d03d52395831611d66cedb71", - "sha256:40ece8fa730d1a947bff792bcc7824bd02d3ce6105432798e9a04a360c8c07b0", - "sha256:417b7e119d66085dc45bdd563dcb2c575ee10a3b1c492dd3502a029448d4be1c", - "sha256:42b7c7264229860fe879be961877f7466d9f7173bd6427b3ba98144a031d49fb", - "sha256:457d9cfe7ece1571770381edccdad7fc255b12cd7b5b813219441146d4f47595", - "sha256:4a6943816e10028eeed512ea03be52b54ea83108b408d1049b999f58a760089b", - "sha256:5b94df70bd34a3b946c0eb272022fb0f8a9eb27cad76e7f313fedbee2ebe4317", - "sha256:5f5051a13e7d53430a990604b532c9124253c5f348857e2d5106d45fc8533860", - "sha256:5f7f53b1edd4b23fb112b89208377480c0bcee45d43a03ffacf30f3290e0ed85", - "sha256:5fe8c6dcb9e6f7066bdc07d3c410a2fca78c0d0b4e0e72510ffd20a60a20eb8e", - 
"sha256:71a54815ec0212b0cba23adc1b2a731bdd2df7b9e4432718b2ed20e8aaf7f01a", - "sha256:7332f7b06d42153255f7bfeb10266141c08d48cc1a022a35473c95238ff2aebc", - "sha256:78c6f0ed72b440ebe1892d273c1e5f91e55e6861bea611d3b904e673152a7a4c", - "sha256:7c9b30a2524ae6983b708f12741a31fbc2fb8d6fecd0b6c8584a62fd59f59e09", - "sha256:86fcffc06f1125cb443e2bed812805739d64ceb78597ac3c1b2d439471a09717", - "sha256:87572213965fd8a4fb7a97f837221e01d8fddcfb558363c671b8aa93477fb6a2", - "sha256:8e595de17178dd3bbeb2c5b8ea97536341c63b7278639cb8ee2681a84c0ef037", - "sha256:917f01db71d5e720b731effa3ff4a2c702a1b6dacad9bcdc580d86a018dfc3ca", - "sha256:91cfb43fb91ff6d1e4258be04eee84b51a4ef40a28d899679b9ea2556322fb50", - "sha256:aa86cfdeb118795875855589934013e32895715ec2d9e8eb7a59be3e7e07a7e1", - "sha256:ade09aa3c284d11f39640aebdcbb748e1996f0c60504f8c4a0c5a9fec821e67a", - "sha256:b2a5688606dffbe95e1347a05b77eb90489fe337edde888e23bbb7fd81b0d93b", - "sha256:b92fbc2bc549c5045c8233d954f3260ccf99e0f3ec9edfd2372b74b350917752", - "sha256:c2d5334d935af711f6d6dfeec2d34e071cdf73ec0df8e8bd35ac435b26d8da97", - "sha256:cb0afc3bad49eb89a579103616574a54b523856d20fc539a4f7a513a0a8ba4b2", - "sha256:ce66f730031b9b3683b2fc6ad4160a18db86557c004c3d490a29bf8d450d7ab9", - "sha256:e29b9cea4216ec130df85d8c36efb9985fda1c9039e4706fb30e0fb6a67602ff", - "sha256:e2cc4b68e59319e3de778325e34fbff487bfdb2225530e89995402989898d681", - "sha256:e90d2e219c3dce1500dda95f5b893c293c4d53c4e330c968afbd4e7a90ff4a5b", - "sha256:f13c48cc4363829bdfecc0c181b6ddf28008931de54908a492dc8ccd0066cd60", - "sha256:f550730d18edec4ff9d4252784b62adfe885d4542946b6d5a54c8a6521b56afd", - "sha256:fa843ee0d34c7193f5a816e79df8142faff851549cab31e84b526f04878ac778", - "sha256:fe1c33f78d2060719d52ea9459d97d7ae3a5b707ec02548575c4fbed1d1d345b" - ], - "markers": "python_version >= '2.5' and python_version not in '3.0, 3.1, 3.2, 3.3'", - "version": "==3.17.5" - }, "six": { "hashes": [ "sha256:1e61c37477a1626458e36f7b1d82aa5c9b094fa4802892072e49de9c60c4c926", 
@@ -971,20 +959,6 @@ ], "version": "==1.7.0" }, - "stix2": { - "hashes": [ - "sha256:b9b2200e5c429a0a49d67c8902638d2f97df2ba4321e15dde067c5cb80c9e8e1" - ], - "index": "pypi", - "version": "==3.0.0" - }, - "stix2-patterns": { - "hashes": [ - "sha256:174fe5302d2c3223205033af987754132a9ea45a9f8e08aefafbe0549c889ea4", - "sha256:bc46cc4eba44b76a17eab7a3ff67f35203543cdb918ab24c1ebd58403fa27992" - ], - "version": "==1.3.2" - }, "tempora": { "hashes": [ "sha256:c54da0f05405f04eb67abbb1dff4448fd91428b58cb00f0f645ea36f6a927950", @@ -1012,11 +986,11 @@ }, "urllib3": { "hashes": [ - "sha256:39fb8672126159acb139a7718dd10806104dec1e2f0f6c88aab05d17df10c8d4", - "sha256:f57b4c16c62fa2760b7e3d97c35b255512fb6b59a259730f36ba32ce9f8e342f" + "sha256:4987c65554f7a2dbf30c18fd48778ef124af6fab771a377103da0585e2336ece", + "sha256:c4fdf4019605b6e5423637e01bc9fe4daef873709a7973e195ceba0a62bbc844" ], "markers": "python_version >= '2.7' and python_version not in '3.0, 3.1, 3.2, 3.3, 3.4' and python_version < '4'", - "version": "==1.26.6" + "version": "==1.26.7" }, "werkzeug": { "hashes": [ @@ -1041,11 +1015,11 @@ }, "zipp": { "hashes": [ - "sha256:957cfda87797e389580cb8b9e3870841ca991e2125350677b2ca83a0e99390a3", - "sha256:f5812b1e007e48cff63449a5e9f4e7ebea716b4111f9c4f9a645f91d579bf0c4" + "sha256:71c644c5369f4a6e07636f0aa966270449561fcea2e3d6747b8d23efaa9d7832", + "sha256:9fe5ea21568a0a70e50f273397638d39b03353731e6cbbb3fd8502a33fec40bc" ], "markers": "python_version >= '3.6'", - "version": "==3.5.0" + "version": "==3.6.0" }, "zope.event": { "hashes": [ @@ -1120,6 +1094,14 @@ ], "version": "==1.4.4" }, + "atomicwrites": { + "hashes": [ + "sha256:6d1784dea7c0c8d4a5172b6c620f40b6e4cbfdf96d783691f2e1302a7b88e197", + "sha256:ae70396ad1a434f9c7046fd2dd196fc04b12f9e91ffb859164193be8b6168a7a" + ], + "markers": "sys_platform == 'win32'", + "version": "==1.4.0" + }, "attrs": { "hashes": [ "sha256:149e90d6d8ac20db7a955ad60cf0e6881a3f20d37096140088356da6c716b0b1", 
@@ -1166,6 +1148,14 @@ "markers": "python_version >= '3.6'", "version": "==8.0.1" }, + "colorama": { + "hashes": [ + "sha256:7d73d2a99753107a36ac6b455ee49046802e59d9d076ef8e47b61499fa29afff", + "sha256:e96da0d330793e2cb9485e9ddfd918d456036c7149416295932478192f4436a1" + ], + "markers": "platform_system == 'Windows' and sys_platform == 'win32' and platform_system == 'Windows'", + "version": "==0.4.3" + }, "coverage": { "hashes": [ "sha256:004d1880bed2d97151facef49f08e255a20ceb6f9432df75f4eef018fdd5a78c", @@ -1240,10 +1230,11 @@ }, "filelock": { "hashes": [ - "sha256:18d82244ee114f543149c66a6e0c14e9c4f8a1044b5cdaadd0f82159d6a6ff59", - "sha256:929b7d63ec5b7d6b71b0fa5ac14e030b3f70b75747cef1b10da9b879fef15836" + "sha256:61a99e9b12b47b685d1389f4cf969c1eba0efd2348a8471f86e01e8c622267af", + "sha256:85ecb30757aa19d06bfcdad29cc332b9a3e4851bf59976aea1e8dadcbd9ef883" ], - "version": "==3.0.12" + "markers": "python_version >= '2.7' and python_version not in '3.0, 3.1, 3.2, 3.3, 3.4'", + "version": "==3.2.0" }, "flake8": { "hashes": [ @@ -1323,11 +1314,11 @@ }, "platformdirs": { "hashes": [ - "sha256:15b056538719b1c94bdaccb29e5f81879c7f7f0f4a153f46086d155dffcd4f0f", - "sha256:8003ac87717ae2c7ee1ea5a84a1a61e87f3fbd16eb5aadba194ea30a9019f648" + "sha256:367a5e80b3d04d2428ffa76d33f124cf11e8fff2acdaa9b43d545f5c7d661ef2", + "sha256:8868bbe3c3c80d42f20156f22e7131d2fb321f5bc86a2a345375c6481a67021d" ], "markers": "python_version >= '3.6'", - "version": "==2.3.0" + "version": "==2.4.0" }, "pluggy": { "hashes": [ 
@@ -1387,49 +1378,49 @@ }, "regex": { "hashes": [ - "sha256:04f6b9749e335bb0d2f68c707f23bb1773c3fb6ecd10edf0f04df12a8920d468", - "sha256:08d74bfaa4c7731b8dac0a992c63673a2782758f7cfad34cf9c1b9184f911354", - "sha256:0fc1f8f06977c2d4f5e3d3f0d4a08089be783973fc6b6e278bde01f0544ff308", - "sha256:121f4b3185feaade3f85f70294aef3f777199e9b5c0c0245c774ae884b110a2d", - "sha256:1413b5022ed6ac0d504ba425ef02549a57d0f4276de58e3ab7e82437892704fc", - "sha256:1743345e30917e8c574f273f51679c294effba6ad372db1967852f12c76759d8", - "sha256:28fc475f560d8f67cc8767b94db4c9440210f6958495aeae70fac8faec631797", - "sha256:31a99a4796bf5aefc8351e98507b09e1b09115574f7c9dbb9cf2111f7220d2e2", - "sha256:328a1fad67445550b982caa2a2a850da5989fd6595e858f02d04636e7f8b0b13", - "sha256:473858730ef6d6ff7f7d5f19452184cd0caa062a20047f6d6f3e135a4648865d", - "sha256:4cde065ab33bcaab774d84096fae266d9301d1a2f5519d7bd58fc55274afbf7a", - "sha256:5f6a808044faae658f546dd5f525e921de9fa409de7a5570865467f03a626fc0", - "sha256:610b690b406653c84b7cb6091facb3033500ee81089867ee7d59e675f9ca2b73", - "sha256:66256b6391c057305e5ae9209941ef63c33a476b73772ca967d4a2df70520ec1", - "sha256:6eebf512aa90751d5ef6a7c2ac9d60113f32e86e5687326a50d7686e309f66ed", - "sha256:79aef6b5cd41feff359acaf98e040844613ff5298d0d19c455b3d9ae0bc8c35a", - "sha256:808ee5834e06f57978da3e003ad9d6292de69d2bf6263662a1a8ae30788e080b", - "sha256:8e44769068d33e0ea6ccdf4b84d80c5afffe5207aa4d1881a629cf0ef3ec398f", - "sha256:999ad08220467b6ad4bd3dd34e65329dd5d0df9b31e47106105e407954965256", - "sha256:9b006628fe43aa69259ec04ca258d88ed19b64791693df59c422b607b6ece8bb", - "sha256:9d05ad5367c90814099000442b2125535e9d77581855b9bee8780f1b41f2b1a2", - "sha256:a577a21de2ef8059b58f79ff76a4da81c45a75fe0bfb09bc8b7bb4293fa18983", - "sha256:a617593aeacc7a691cc4af4a4410031654f2909053bd8c8e7db837f179a630eb", - "sha256:abb48494d88e8a82601af905143e0de838c776c1241d92021e9256d5515b3645", - "sha256:ac88856a8cbccfc14f1b2d0b829af354cc1743cb375e7f04251ae73b2af6adf8", - 
"sha256:b4c220a1fe0d2c622493b0a1fd48f8f991998fb447d3cd368033a4b86cf1127a", - "sha256:b844fb09bd9936ed158ff9df0ab601e2045b316b17aa8b931857365ea8586906", - "sha256:bdc178caebd0f338d57ae445ef8e9b737ddf8fbc3ea187603f65aec5b041248f", - "sha256:c206587c83e795d417ed3adc8453a791f6d36b67c81416676cad053b4104152c", - "sha256:c61dcc1cf9fd165127a2853e2c31eb4fb961a4f26b394ac9fe5669c7a6592892", - "sha256:c7cb4c512d2d3b0870e00fbbac2f291d4b4bf2634d59a31176a87afe2777c6f0", - "sha256:d4a332404baa6665b54e5d283b4262f41f2103c255897084ec8f5487ce7b9e8e", - "sha256:d5111d4c843d80202e62b4fdbb4920db1dcee4f9366d6b03294f45ed7b18b42e", - "sha256:e1e8406b895aba6caa63d9fd1b6b1700d7e4825f78ccb1e5260551d168db38ed", - "sha256:e8690ed94481f219a7a967c118abaf71ccc440f69acd583cab721b90eeedb77c", - "sha256:ed283ab3a01d8b53de3a05bfdf4473ae24e43caee7dcb5584e86f3f3e5ab4374", - "sha256:ed4b50355b066796dacdd1cf538f2ce57275d001838f9b132fab80b75e8c84dd", - "sha256:ee329d0387b5b41a5dddbb6243a21cb7896587a651bebb957e2d2bb8b63c0791", - "sha256:f3bf1bc02bc421047bfec3343729c4bbbea42605bcfd6d6bfe2c07ade8b12d2a", - "sha256:f585cbbeecb35f35609edccb95efd95a3e35824cd7752b586503f7e6087303f1", - "sha256:f60667673ff9c249709160529ab39667d1ae9fd38634e006bec95611f632e759" + "sha256:0de8ad66b08c3e673b61981b9e3626f8784d5564f8c3928e2ad408c0eb5ac38c", + "sha256:1f1125bc5172ab3a049bc6f4b9c0aae95a2a2001a77e6d6e4239fa3653e202b5", + "sha256:255791523f80ea8e48e79af7120b4697ef3b74f6886995dcdb08c41f8e516be0", + "sha256:28040e89a04b60d579c69095c509a4f6a1a5379cd865258e3a186b7105de72c6", + "sha256:37868075eda024470bd0feab872c692ac4ee29db1e14baec103257bf6cc64346", + "sha256:3b71213ec3bad9a5a02e049f2ec86b3d7c3e350129ae0f4e2f99c12b5da919ed", + "sha256:3be40f720af170a6b20ddd2ad7904c58b13d2b56f6734ee5d09bbdeed2fa4816", + "sha256:42952d325439ef223e4e9db7ee6d9087b5c68c5c15b1f9de68e990837682fc7b", + "sha256:470f2c882f2672d8eeda8ab27992aec277c067d280b52541357e1acd7e606dae", + "sha256:4907fb0f9b9309a5bded72343e675a252c2589a41871874feace9a05a540241e", 
+ "sha256:4d87459ad3ab40cd8493774f8a454b2e490d8e729e7e402a0625867a983e4e02", + "sha256:4fa7ba9ab2eba7284e0d7d94f61df7af86015b0398e123331362270d71fab0b9", + "sha256:5b34d2335d6aedec7dcadd3f8283b9682fadad8b9b008da8788d2fce76125ebe", + "sha256:6348a7ab2a502cbdd0b7fd0496d614007489adb7361956b38044d1d588e66e04", + "sha256:638e98d069b14113e8afba6a54d1ca123f712c0d105e67c1f9211b2a825ef926", + "sha256:66696c8336a1b5d1182464f3af3427cc760118f26d0b09a2ddc16a976a4d2637", + "sha256:78cf6a1e023caf5e9a982f5377414e1aeac55198831b852835732cfd0a0ca5ff", + "sha256:81e125d9ba54c34579e4539a967e976a3c56150796674aec318b1b2f49251be7", + "sha256:81fdc90f999b2147fc62e303440c424c47e5573a9b615ed5d43a5b832efcca9e", + "sha256:87e9c489aa98f50f367fb26cc9c8908d668e9228d327644d7aa568d47e456f47", + "sha256:8c1ad61fa024195136a6b7b89538030bd00df15f90ac177ca278df9b2386c96f", + "sha256:9910869c472e5a6728680ca357b5846546cbbd2ab3ad5bef986ef0bc438d0aa6", + "sha256:9925985be05d54b3d25fd6c1ea8e50ff1f7c2744c75bdc4d3b45c790afa2bcb3", + "sha256:9a0b0db6b49da7fa37ca8eddf9f40a8dbc599bad43e64f452284f37b6c34d91c", + "sha256:9c065d95a514a06b92a5026766d72ac91bfabf581adb5b29bc5c91d4b3ee9b83", + "sha256:a6f08187136f11e430638c2c66e1db091105d7c2e9902489f0dbc69b44c222b4", + "sha256:ad0517df22a97f1da20d8f1c8cb71a5d1997fa383326b81f9cf22c9dadfbdf34", + "sha256:b345ecde37c86dd7084c62954468a4a655fd2d24fd9b237949dd07a4d0dd6f4c", + "sha256:b55442650f541d195a535ccec33078c78a9521973fb960923da7515e9ed78fa6", + "sha256:c2b180ed30856dfa70cfe927b0fd38e6b68198a03039abdbeb1f2029758d87e7", + "sha256:c9e30838df7bfd20db6466fd309d9b580d32855f8e2c2e6d74cf9da27dcd9b63", + "sha256:cae4099031d80703954c39680323dabd87a69b21262303160776aa0e55970ca0", + "sha256:ce7b1cca6c23f19bee8dc40228d9c314d86d1e51996b86f924aca302fc8f8bf9", + "sha256:d0861e7f6325e821d5c40514c551fd538b292f8cc3960086e73491b9c5d8291d", + "sha256:d331f238a7accfbbe1c4cd1ba610d4c087b206353539331e32a8f05345c74aec", + 
"sha256:e07049cece3462c626d650e8bf42ddbca3abf4aa08155002c28cb6d9a5a281e2", + "sha256:e2cb7d4909ed16ed35729d38af585673f1f0833e73dfdf0c18e5be0061107b99", + "sha256:e3770781353a4886b68ef10cec31c1f61e8e3a0be5f213c2bb15a86efd999bc4", + "sha256:e502f8d4e5ef714bcc2c94d499684890c94239526d61fdf1096547db91ca6aa6", + "sha256:e6f2d2f93001801296fe3ca86515eb04915472b5380d4d8752f09f25f0b9b0ed", + "sha256:f588209d3e4797882cd238195c175290dbc501973b10a581086b5c6bcd095ffb" ], - "version": "==2021.8.28" + "version": "==2021.9.30" }, "requests": { "hashes": [ @@ -1515,19 +1506,19 @@ }, "urllib3": { "hashes": [ - "sha256:39fb8672126159acb139a7718dd10806104dec1e2f0f6c88aab05d17df10c8d4", - "sha256:f57b4c16c62fa2760b7e3d97c35b255512fb6b59a259730f36ba32ce9f8e342f" + "sha256:4987c65554f7a2dbf30c18fd48778ef124af6fab771a377103da0585e2336ece", + "sha256:c4fdf4019605b6e5423637e01bc9fe4daef873709a7973e195ceba0a62bbc844" ], "markers": "python_version >= '2.7' and python_version not in '3.0, 3.1, 3.2, 3.3, 3.4' and python_version < '4'", - "version": "==1.26.6" + "version": "==1.26.7" }, "virtualenv": { "hashes": [ - "sha256:4da4ac43888e97de9cf4fdd870f48ed864bbfd133d2c46cbdec941fed4a25aef", - "sha256:a4b987ec31c3c9996cf1bc865332f967fe4a0512c41b39652d6224f696e69da5" + "sha256:10062e34c204b5e4ec5f62e6ef2473f8ba76513a9a617e873f1f8fb4a519d300", + "sha256:bcc17f0b3a29670dd777d6f0755a4c04f28815395bca279cdcb213b97199a6b8" ], "index": "pypi", - "version": "==20.8.0" + "version": "==20.8.1" }, "vulture": { "hashes": [ @@ -1539,11 +1530,11 @@ }, "zipp": { "hashes": [ - "sha256:957cfda87797e389580cb8b9e3870841ca991e2125350677b2ca83a0e99390a3", - "sha256:f5812b1e007e48cff63449a5e9f4e7ebea716b4111f9c4f9a645f91d579bf0c4" + "sha256:71c644c5369f4a6e07636f0aa966270449561fcea2e3d6747b8d23efaa9d7832", + "sha256:9fe5ea21568a0a70e50f273397638d39b03353731e6cbbb3fd8502a33fec40bc" ], "markers": "python_version >= '3.6'", - "version": "==3.5.0" + "version": "==3.6.0" } } } 
diff --git a/monkey/monkey_island/cc/models/attack/__init__.py b/monkey/monkey_island/cc/models/attack/__init__.py index e69de29bb..692107917 100644 --- a/monkey/monkey_island/cc/models/attack/__init__.py +++ b/monkey/monkey_island/cc/models/attack/__init__.py @@ -0,0 +1 @@ +from monkey_island.cc.models.attack.mitigation import Mitigation diff --git a/monkey/monkey_island/cc/models/attack/attack_mitigations.py b/monkey/monkey_island/cc/models/attack/attack_mitigations.py index 9d09aae5a..9c7964863 100644 --- a/monkey/monkey_island/cc/models/attack/attack_mitigations.py +++ b/monkey/monkey_island/cc/models/attack/attack_mitigations.py @@ -1,12 +1,9 @@ -from typing import Dict - from mongoengine import Document, DoesNotExist, EmbeddedDocumentField, ListField, StringField -from stix2 import AttackPattern, CourseOfAction - -from monkey_island.cc.models.attack.mitigation import Mitigation -from monkey_island.cc.services.attack.mitre_api_interface import MitreApiInterface +# Note: This model is duplicated in +# deployment_scripts/dump_attack_mitigations/attack_mitigations.py. If the schema changes here, it +# will also need to be changed there. class AttackMitigations(Document): COLLECTION_NAME = "attack_mitigations" 
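Review bot: The duplication note added on the new side of the attack_mitigations.py hunk sits in the import block rather than on the class it describes, and it names only the deployment-script copy, while the pre-generated `monkey/monkey_island/cc/setup/mongo/attack_mitigations.json` (records of `_id` plus `mitigations[].name/description/url`) is produced from the same schema and must be regenerated whenever it changes. Suggest a class docstring instead, e.g. `"""Mapping of an ATT&CK technique to its mitigations. Note: this model is duplicated in deployment_scripts/dump_attack_mitigations/attack_mitigations.py, and the dumped data in monkey/monkey_island/cc/setup/mongo/attack_mitigations.json must be regenerated when the schema changes."""`; the same placement point applies to the note added in the mitigation.py hunk. With the `Mitigation` import removed here, a `mitigations` field that refers to `Mitigation` by its string name (not visible in this hunk) relies on that class being registered with mongoengine before the model is used — the new `__init__.py` import appears to provide that, and the docstring is the place to say so. The hunk ends at the class header, so the rest of AttackMitigations is outside it.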
@@ -19,32 +16,3 @@ class AttackMitigations(Document): return AttackMitigations.objects.get(technique_id=technique_id) except DoesNotExist: raise Exception("Attack technique with id {} does not exist!".format(technique_id)) - - def add_mitigation(self, mitigation: CourseOfAction): - mitigation_external_ref_id = MitreApiInterface.get_stix2_external_reference_id(mitigation) - if mitigation_external_ref_id.startswith("M"): - self.mitigations.append(Mitigation.get_from_stix2_data(mitigation)) - - def add_no_mitigations_info(self, mitigation: CourseOfAction): - mitigation_external_ref_id = MitreApiInterface.get_stix2_external_reference_id(mitigation) - if mitigation_external_ref_id.startswith("T") and len(self.mitigations) == 0: - mitigation_mongo_object = Mitigation.get_from_stix2_data(mitigation) - mitigation_mongo_object["description"] = mitigation_mongo_object[ - "description" - ].splitlines()[0] - mitigation_mongo_object["url"] = "" - self.mitigations.append(mitigation_mongo_object) - - @staticmethod - def mitigations_from_attack_pattern(attack_pattern: AttackPattern): - return AttackMitigations( - technique_id=MitreApiInterface.get_stix2_external_reference_id(attack_pattern), - mitigations=[], - ) - - @staticmethod - def dict_from_stix2_attack_patterns(stix2_dict: Dict[str, AttackPattern]): - return { - key: AttackMitigations.mitigations_from_attack_pattern(attack_pattern) - for key, attack_pattern in stix2_dict.items() - } diff --git a/monkey/monkey_island/cc/models/attack/mitigation.py b/monkey/monkey_island/cc/models/attack/mitigation.py index 8a0a1f019..aadc9f48c 100644 --- a/monkey/monkey_island/cc/models/attack/mitigation.py +++ b/monkey/monkey_island/cc/models/attack/mitigation.py 
@@ -1,17 +1,10 @@ from mongoengine import EmbeddedDocument, StringField -from stix2 import CourseOfAction - -from monkey_island.cc.services.attack.mitre_api_interface import MitreApiInterface +# Note: This model is duplicated in +# deployment_scripts/dump_attack_mitigations/attack_mitigations.py. If the schema changes here, it +# will also need to be changed there. class Mitigation(EmbeddedDocument): name = StringField(required=True) description = StringField(required=True) url = StringField() - - @staticmethod - def get_from_stix2_data(mitigation: CourseOfAction): - name = mitigation["name"] - description = mitigation["description"] - url = MitreApiInterface.get_stix2_external_reference_url(mitigation) - return Mitigation(name=name, description=description, url=url) diff --git a/monkey/monkey_island/cc/services/attack/attack_data b/monkey/monkey_island/cc/services/attack/attack_data deleted file mode 160000 index fb8942b1a..000000000 --- a/monkey/monkey_island/cc/services/attack/attack_data +++ /dev/null @@ -1 +0,0 @@ -Subproject commit fb8942b1a10f4e734ed75542f2ccae7cbd72c46d diff --git a/monkey/monkey_island/cc/services/attack/mitre_api_interface.py b/monkey/monkey_island/cc/services/attack/mitre_api_interface.py deleted file mode 100644 index 596f4d498..000000000 --- a/monkey/monkey_island/cc/services/attack/mitre_api_interface.py +++ /dev/null 
@@ -1,52 +0,0 @@ -import os -from typing import Dict, List - -from stix2 import AttackPattern, CourseOfAction, FileSystemSource, Filter - -from monkey_island.cc.server_utils.consts import MONKEY_ISLAND_ABS_PATH - - -class MitreApiInterface: - ATTACK_DATA_PATH = os.path.join( - MONKEY_ISLAND_ABS_PATH, "cc", "services", "attack", "attack_data", "enterprise-attack" - ) - - @staticmethod - def get_all_mitigations() -> Dict[str, CourseOfAction]: - file_system = FileSystemSource(MitreApiInterface.ATTACK_DATA_PATH) - mitigation_filter = [Filter("type", "=", "course-of-action")] - all_mitigations = file_system.query(mitigation_filter) - all_mitigations = {mitigation["id"]: mitigation for mitigation in all_mitigations} - return all_mitigations - - @staticmethod - def get_all_attack_techniques() -> Dict[str, AttackPattern]: - file_system = FileSystemSource(MitreApiInterface.ATTACK_DATA_PATH) - technique_filter = [Filter("type", "=", "attack-pattern")] - all_techniques = file_system.query(technique_filter) - all_techniques = {technique["id"]: technique for technique in all_techniques} - return all_techniques - - @staticmethod - def get_technique_and_mitigation_relationships() -> List[CourseOfAction]: - file_system = FileSystemSource(MitreApiInterface.ATTACK_DATA_PATH) - technique_filter = [ - Filter("type", "=", "relationship"), - Filter("relationship_type", "=", "mitigates"), - ] - all_techniques = file_system.query(technique_filter) - return all_techniques - - @staticmethod - def get_stix2_external_reference_id(stix2_data) -> str: - for reference in stix2_data["external_references"]: - if reference["source_name"] == "mitre-attack" and "external_id" in reference: - return reference["external_id"] - return "" - - @staticmethod - def get_stix2_external_reference_url(stix2_data) -> str: - for reference in stix2_data["external_references"]: - if "url" in reference: - return reference["url"] - return "" 
diff --git a/monkey/monkey_island/cc/setup/mongo/attack_mitigations.json b/monkey/monkey_island/cc/setup/mongo/attack_mitigations.json new file mode 100644 index 000000000..373b55caa --- /dev/null +++ b/monkey/monkey_island/cc/setup/mongo/attack_mitigations.json 
@@ -0,0 +1 @@ +{"metadata":{"timestamp": "1632960960.3763978", "commit_hash": "fb8942b1a", "origin_url": "https://github.com/guardicore/cti.git"},"data":[{"_id": "T1205", "mitigations": [{"name": "Filter Network Traffic", "description": "Use network appliances to filter ingress or egress traffic and perform protocol-based filtering. Configure software on endpoints to filter network traffic.", "url": "https://attack.mitre.org/mitigations/M1037"}]}, {"_id": "T1053", "mitigations": [{"name": "User Account Management", "description": "Manage the creation, modification, use, and permissions associated to user accounts.", "url": "https://attack.mitre.org/mitigations/M1018"}, {"name": "Operating System Configuration", "description": "Make configuration changes related to the operating system or a common feature of the operating system that result in system hardening against techniques.", "url": "https://attack.mitre.org/mitigations/M1028"}, {"name": "Privileged Account Management", "description": "Manage the creation, modification, use, and permissions associated to privileged accounts, including SYSTEM and root.", "url": "https://attack.mitre.org/mitigations/M1026"}, {"name": "Audit", "description": "Perform audits or scans of systems, permissions, insecure software, insecure configurations, etc. 
to identify potential weaknesses.", "url": "https://attack.mitre.org/mitigations/M1047"}]}, {"_id": "T1118", "mitigations": [{"name": "Execution Prevention", "description": "Block execution of code on a system through application whitelisting, blacklisting, and/or script blocking.", "url": "https://attack.mitre.org/mitigations/M1038"}, {"name": "Disable or Remove Feature or Program", "description": "Remove or deny access to unnecessary and potentially vulnerable software to prevent abuse by adversaries.", "url": "https://attack.mitre.org/mitigations/M1042"}]}, {"_id": "T1176", "mitigations": [{"name": "User Training", "description": "Train users to to be aware of access or manipulation attempts by an adversary to reduce the risk of successful spearphishing, social engineering, and other techniques that involve user interaction.", "url": "https://attack.mitre.org/mitigations/M1017"}, {"name": "Audit", "description": "Perform audits or scans of systems, permissions, insecure software, insecure configurations, etc. 
to identify potential weaknesses.", "url": "https://attack.mitre.org/mitigations/M1047"}, {"name": "Limit Software Installation", "description": "Block users or groups from installing unapproved software.", "url": "https://attack.mitre.org/mitigations/M1033"}, {"name": "Execution Prevention", "description": "Block execution of code on a system through application whitelisting, blacklisting, and/or script blocking.", "url": "https://attack.mitre.org/mitigations/M1038"}]}, {"_id": "T1139", "mitigations": [{"name": "Operating System Configuration", "description": "Make configuration changes related to the operating system or a common feature of the operating system that result in system hardening against techniques.", "url": "https://attack.mitre.org/mitigations/M1028"}]}, {"_id": "T1160", "mitigations": [{"name": "User Account Management", "description": "Manage the creation, modification, use, and permissions associated to user accounts.", "url": "https://attack.mitre.org/mitigations/M1018"}]}, {"_id": "T1156", "mitigations": [{"name": "Restrict File and Directory Permissions", "description": "Restrict access by setting directory and file permissions that are not specific to users or privileged accounts.", "url": "https://attack.mitre.org/mitigations/M1022"}]}, {"_id": "T1093", "mitigations": [{"name": "Process Hollowing Mitigation", "description": "This type of attack technique cannot be easily mitigated with preventive controls since it is based on the abuse of operating system design features. For example, mitigating specific API calls will likely have unintended side effects, such as preventing legitimate software (i.e., security products) from operating properly. Efforts should be focused on preventing adversary tools from running earlier in the chain of activity and on identifying subsequent malicious behavior. 
", "url": ""}]}, {"_id": "T1180", "mitigations": [{"name": "Execution Prevention", "description": "Block execution of code on a system through application whitelisting, blacklisting, and/or script blocking.", "url": "https://attack.mitre.org/mitigations/M1038"}, {"name": "Disable or Remove Feature or Program", "description": "Remove or deny access to unnecessary and potentially vulnerable software to prevent abuse by adversaries.", "url": "https://attack.mitre.org/mitigations/M1042"}]}, {"_id": "T1120", "mitigations": [{"name": "Peripheral Device Discovery Mitigation", "description": "Identify unnecessary system utilities or potentially malicious software that may be used to acquire information about peripheral devices, and audit and/or block them by using whitelisting (Citation: Beechey 2010) tools, like AppLocker, (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) or Software Restriction Policies (Citation: Corio 2008) where appropriate. (Citation: TechNet Applocker vs SRP)", "url": ""}]}, {"_id": "T1181", "mitigations": [{"name": "Extra Window Memory Injection Mitigation", "description": "This type of attack technique cannot be easily mitigated with preventive controls since it is based on the abuse of operating system design features. For example, mitigating specific API calls will likely have unintended side effects, such as preventing legitimate software (i.e., security products) from operating properly. 
Efforts should be focused on preventing adversary tools from running earlier in the chain of activity and on identifying subsequent malicious behavior.", "url": ""}]}, {"_id": "T1070", "mitigations": [{"name": "Encrypt Sensitive Information", "description": "Protect sensitive information with strong encryption.", "url": "https://attack.mitre.org/mitigations/M1041"}, {"name": "Remote Data Storage", "description": "Use remote security log and sensitive file storage where access can be controlled better to prevent exposure of intrusion detection log data or sensitive information.", "url": "https://attack.mitre.org/mitigations/M1029"}, {"name": "Restrict File and Directory Permissions", "description": "Restrict access by setting directory and file permissions that are not specific to users or privileged accounts.", "url": "https://attack.mitre.org/mitigations/M1022"}]}, {"_id": "T1124", "mitigations": [{"name": "System Time Discovery Mitigation", "description": "Benign software uses legitimate processes to gather system time. Efforts should be focused on preventing unwanted or unknown code from executing on a system. 
Some common tools, such as net.exe, may be blocked by policy to prevent common ways of acquiring remote system time.", "url": ""}]}, {"_id": "T1105", "mitigations": [{"name": "Network Intrusion Prevention", "description": "Use intrusion detection signatures to block traffic at network boundaries.", "url": "https://attack.mitre.org/mitigations/M1031"}]}, {"_id": "T1221", "mitigations": [{"name": "User Training", "description": "Train users to to be aware of access or manipulation attempts by an adversary to reduce the risk of successful spearphishing, social engineering, and other techniques that involve user interaction.", "url": "https://attack.mitre.org/mitigations/M1017"}, {"name": "Antivirus/Antimalware", "description": "Use signatures or heuristics to detect malicious software.", "url": "https://attack.mitre.org/mitigations/M1049"}, {"name": "Disable or Remove Feature or Program", "description": "Remove or deny access to unnecessary and potentially vulnerable software to prevent abuse by adversaries.", "url": "https://attack.mitre.org/mitigations/M1042"}, {"name": "Network Intrusion Prevention", "description": "Use intrusion detection signatures to block traffic at network boundaries.", "url": "https://attack.mitre.org/mitigations/M1031"}]}, {"_id": "T1100", "mitigations": [{"name": "Privileged Account Management", "description": "Manage the creation, modification, use, and permissions associated to privileged accounts, including SYSTEM and root.", "url": "https://attack.mitre.org/mitigations/M1026"}, {"name": "Update Software", "description": "Perform regular software updates to mitigate exploitation risk.", "url": "https://attack.mitre.org/mitigations/M1051"}]}, {"_id": "T1117", "mitigations": [{"name": "Exploit Protection", "description": "Use capabilities to detect and block conditions that may lead to or be indicative of a software exploit occurring.", "url": "https://attack.mitre.org/mitigations/M1050"}]}, {"_id": "T1203", "mitigations": [{"name": 
"Application Isolation and Sandboxing", "description": "Restrict execution of code to a virtual environment on or in transit to an endpoint system.", "url": "https://attack.mitre.org/mitigations/M1048"}, {"name": "Exploit Protection", "description": "Use capabilities to detect and block conditions that may lead to or be indicative of a software exploit occurring.", "url": "https://attack.mitre.org/mitigations/M1050"}]}, {"_id": "T1102", "mitigations": [{"name": "Restrict Web-Based Content", "description": "Restrict use of certain websites, block downloads/attachments, block Javascript, restrict browser extensions, etc.", "url": "https://attack.mitre.org/mitigations/M1021"}, {"name": "Network Intrusion Prevention", "description": "Use intrusion detection signatures to block traffic at network boundaries.", "url": "https://attack.mitre.org/mitigations/M1031"}]}, {"_id": "T1001", "mitigations": [{"name": "Network Intrusion Prevention", "description": "Use intrusion detection signatures to block traffic at network boundaries.", "url": "https://attack.mitre.org/mitigations/M1031"}]}, {"_id": "T1085", "mitigations": [{"name": "Exploit Protection", "description": "Use capabilities to detect and block conditions that may lead to or be indicative of a software exploit occurring.", "url": "https://attack.mitre.org/mitigations/M1050"}]}, {"_id": "T1003", "mitigations": [{"name": "Privileged Account Management", "description": "Manage the creation, modification, use, and permissions associated to privileged accounts, including SYSTEM and root.", "url": "https://attack.mitre.org/mitigations/M1026"}, {"name": "Privileged Process Integrity", "description": "Protect processes with high privileges that can be used to interact with critical system components through use of protected process light, anti-process injection defenses, or other process integrity enforcement measures.", "url": "https://attack.mitre.org/mitigations/M1025"}, {"name": "User Training", "description": "Train 
users to to be aware of access or manipulation attempts by an adversary to reduce the risk of successful spearphishing, social engineering, and other techniques that involve user interaction.", "url": "https://attack.mitre.org/mitigations/M1017"}, {"name": "Credential Access Protection", "description": "Use capabilities to prevent successful credential access by adversaries; including blocking forms of credential dumping.", "url": "https://attack.mitre.org/mitigations/M1043"}, {"name": "Password Policies", "description": "Set and enforce secure password policies for accounts.", "url": "https://attack.mitre.org/mitigations/M1027"}, {"name": "Operating System Configuration", "description": "Make configuration changes related to the operating system or a common feature of the operating system that result in system hardening against techniques.", "url": "https://attack.mitre.org/mitigations/M1028"}, {"name": "Active Directory Configuration", "description": "Configure Active Directory to prevent use of certain techniques; use SID Filtering, etc.", "url": "https://attack.mitre.org/mitigations/M1015"}]}, {"_id": "T1179", "mitigations": [{"name": "Hooking Mitigation", "description": "This type of attack technique cannot be easily mitigated with preventive controls since it is based on the abuse of operating system design features. For example, mitigating all hooking will likely have unintended side effects, such as preventing legitimate software (i.e., security products) from operating properly. 
Efforts should be focused on preventing adversary tools from running earlier in the chain of activity and on identifying subsequent malicious behavior.", "url": ""}]}, {"_id": "T1097", "mitigations": [{"name": "User Account Management", "description": "Manage the creation, modification, use, and permissions associated to user accounts.", "url": "https://attack.mitre.org/mitigations/M1018"}, {"name": "Active Directory Configuration", "description": "Configure Active Directory to prevent use of certain techniques; use SID Filtering, etc.", "url": "https://attack.mitre.org/mitigations/M1015"}, {"name": "Privileged Account Management", "description": "Manage the creation, modification, use, and permissions associated to privileged accounts, including SYSTEM and root.", "url": "https://attack.mitre.org/mitigations/M1026"}, {"name": "Password Policies", "description": "Set and enforce secure password policies for accounts.", "url": "https://attack.mitre.org/mitigations/M1027"}]}, {"_id": "T1045", "mitigations": [{"name": "Antivirus/Antimalware", "description": "Use signatures or heuristics to detect malicious software.", "url": "https://attack.mitre.org/mitigations/M1049"}]}, {"_id": "T1042", "mitigations": [{"name": "Change Default File Association Mitigation", "description": "Direct mitigation of this technique is not recommended since it is a legitimate function that can be performed by users for software preferences. Follow Microsoft's best practices for file associations. 
(Citation: MSDN File Associations)", "url": ""}]}, {"_id": "T1090", "mitigations": [{"name": "Network Intrusion Prevention", "description": "Use intrusion detection signatures to block traffic at network boundaries.", "url": "https://attack.mitre.org/mitigations/M1031"}]}, {"_id": "T1052", "mitigations": [{"name": "Disable or Remove Feature or Program", "description": "Remove or deny access to unnecessary and potentially vulnerable software to prevent abuse by adversaries.", "url": "https://attack.mitre.org/mitigations/M1042"}]}, {"_id": "T1216", "mitigations": [{"name": "Execution Prevention", "description": "Block execution of code on a system through application whitelisting, blacklisting, and/or script blocking.", "url": "https://attack.mitre.org/mitigations/M1038"}]}, {"_id": "T1502", "mitigations": []}, {"_id": "T1063", "mitigations": [{"name": "Security Software Discovery Mitigation", "description": "Identify unnecessary system utilities or potentially malicious software that may be used to acquire information about local security software, and audit and/or block them by using whitelisting (Citation: Beechey 2010) tools, like AppLocker, (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) or Software Restriction Policies (Citation: Corio 2008) where appropriate. (Citation: TechNet Applocker vs SRP)", "url": ""}]}, {"_id": "T1094", "mitigations": [{"name": "Filter Network Traffic", "description": "Use network appliances to filter ingress or egress traffic and perform protocol-based filtering. Configure software on endpoints to filter network traffic.", "url": "https://attack.mitre.org/mitigations/M1037"}, {"name": "Network Segmentation", "description": "Architect sections of the network to isolate critical systems, functions, or resources. Use physical and logical segmentation to prevent access to potentially sensitive systems and information. 
Use a DMZ to contain any internet-facing services that should not be exposed from the internal network.", "url": "https://attack.mitre.org/mitigations/M1030"}, {"name": "Network Intrusion Prevention", "description": "Use intrusion detection signatures to block traffic at network boundaries.", "url": "https://attack.mitre.org/mitigations/M1031"}]}, {"_id": "T1083", "mitigations": [{"name": "File and Directory Discovery Mitigation", "description": "File system activity is a common part of an operating system, so it is unlikely that mitigation would be appropriate for this technique. It may still be beneficial to identify and block unnecessary system utilities or potentially malicious software by using whitelisting (Citation: Beechey 2010) tools, like AppLocker, (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) or Software Restriction Policies (Citation: Corio 2008) where appropriate. (Citation: TechNet Applocker vs SRP)", "url": ""}]}, {"_id": "T1055", "mitigations": [{"name": "Behavior Prevention on Endpoint", "description": "Use capabilities to prevent suspicious behavior patterns from occurring on endpoint systems. This could include suspicious process, file, API call, etc. behavior.", "url": "https://attack.mitre.org/mitigations/M1040"}, {"name": "Privileged Account Management", "description": "Manage the creation, modification, use, and permissions associated to privileged accounts, including SYSTEM and root.", "url": "https://attack.mitre.org/mitigations/M1026"}]}, {"_id": "T1487", "mitigations": [{"name": "Data Backup", "description": "Take and store data backups from end user systems and critical servers. 
Ensure backup and storage systems are hardened and kept separate from the corporate network to prevent compromise.", "url": "https://attack.mitre.org/mitigations/M1053"}]}, {"_id": "T1157", "mitigations": [{"name": "User Account Management", "description": "Manage the creation, modification, use, and permissions associated to user accounts.", "url": "https://attack.mitre.org/mitigations/M1018"}, {"name": "Restrict File and Directory Permissions", "description": "Restrict access by setting directory and file permissions that are not specific to users or privileged accounts.", "url": "https://attack.mitre.org/mitigations/M1022"}]}, {"_id": "T1060", "mitigations": [{"name": "Registry Run Keys / Startup Folder Mitigation", "description": "Identify and block potentially malicious software that may be executed through run key or startup folder persistence using whitelisting (Citation: Beechey 2010) tools like AppLocker (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) or Software Restriction Policies (Citation: Corio 2008) where appropriate. 
(Citation: TechNet Applocker vs SRP)", "url": ""}]}, {"_id": "T1054", "mitigations": [{"name": "User Account Management", "description": "Manage the creation, modification, use, and permissions associated to user accounts.", "url": "https://attack.mitre.org/mitigations/M1018"}, {"name": "Software Configuration", "description": "Implement configuration changes to software (other than the operating system) to mitigate security risks associated to how the software operates.", "url": "https://attack.mitre.org/mitigations/M1054"}, {"name": "Restrict File and Directory Permissions", "description": "Restrict access by setting directory and file permissions that are not specific to users or privileged accounts.", "url": "https://attack.mitre.org/mitigations/M1022"}]}, {"_id": "T1530", "mitigations": [{"name": "Filter Network Traffic", "description": "Use network appliances to filter ingress or egress traffic and perform protocol-based filtering. Configure software on endpoints to filter network traffic.", "url": "https://attack.mitre.org/mitigations/M1037"}, {"name": "Restrict File and Directory Permissions", "description": "Restrict access by setting directory and file permissions that are not specific to users or privileged accounts.", "url": "https://attack.mitre.org/mitigations/M1022"}, {"name": "Encrypt Sensitive Information", "description": "Protect sensitive information with strong encryption.", "url": "https://attack.mitre.org/mitigations/M1041"}, {"name": "Audit", "description": "Perform audits or scans of systems, permissions, insecure software, insecure configurations, etc. 
to identify potential weaknesses.", "url": "https://attack.mitre.org/mitigations/M1047"}, {"name": "Multi-factor Authentication", "description": "Use two or more pieces of evidence to authenticate to a system; such as username and password in addition to a token from a physical smart card or token generator.", "url": "https://attack.mitre.org/mitigations/M1032"}, {"name": "User Account Management", "description": "Manage the creation, modification, use, and permissions associated to user accounts.", "url": "https://attack.mitre.org/mitigations/M1018"}]}, {"_id": "T1081", "mitigations": [{"name": "Audit", "description": "Perform audits or scans of systems, permissions, insecure software, insecure configurations, etc. to identify potential weaknesses.", "url": "https://attack.mitre.org/mitigations/M1047"}, {"name": "Active Directory Configuration", "description": "Configure Active Directory to prevent use of certain techniques; use SID Filtering, etc.", "url": "https://attack.mitre.org/mitigations/M1015"}, {"name": "User Training", "description": "Train users to to be aware of access or manipulation attempts by an adversary to reduce the risk of successful spearphishing, social engineering, and other techniques that involve user interaction.", "url": "https://attack.mitre.org/mitigations/M1017"}, {"name": "Restrict File and Directory Permissions", "description": "Restrict access by setting directory and file permissions that are not specific to users or privileged accounts.", "url": "https://attack.mitre.org/mitigations/M1022"}, {"name": "Password Policies", "description": "Set and enforce secure password policies for accounts.", "url": "https://attack.mitre.org/mitigations/M1027"}]}, {"_id": "T1534", "mitigations": []}, {"_id": "T1010", "mitigations": [{"name": "Application Window Discovery Mitigation", "description": "Identify unnecessary system utilities or potentially malicious software that may be used to acquire information, and audit and/or block them by using 
whitelisting (Citation: Beechey 2010) tools, like AppLocker, (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) or Software Restriction Policies (Citation: Corio 2008) where appropriate. (Citation: TechNet Applocker vs SRP)", "url": ""}]}, {"_id": "T1178", "mitigations": [{"name": "Active Directory Configuration", "description": "Configure Active Directory to prevent use of certain techniques; use SID Filtering, etc.", "url": "https://attack.mitre.org/mitigations/M1015"}]}, {"_id": "T1044", "mitigations": [{"name": "Audit", "description": "Perform audits or scans of systems, permissions, insecure software, insecure configurations, etc. to identify potential weaknesses.", "url": "https://attack.mitre.org/mitigations/M1047"}, {"name": "User Account Control", "description": "Configure Windows User Account Control to mitigate risk of adversaries obtaining elevated process access.", "url": "https://attack.mitre.org/mitigations/M1052"}, {"name": "User Account Management", "description": "Manage the creation, modification, use, and permissions associated to user accounts.", "url": "https://attack.mitre.org/mitigations/M1018"}]}, {"_id": "T1147", "mitigations": [{"name": "Operating System Configuration", "description": "Make configuration changes related to the operating system or a common feature of the operating system that result in system hardening against techniques.", "url": "https://attack.mitre.org/mitigations/M1028"}]}, {"_id": "T1504", "mitigations": [{"name": "Restrict File and Directory Permissions", "description": "Restrict access by setting directory and file permissions that are not specific to users or privileged accounts.", "url": "https://attack.mitre.org/mitigations/M1022"}, {"name": "Software Configuration", "description": "Implement configuration changes to software (other than the operating system) to mitigate security risks associated to how the software operates.", "url": "https://attack.mitre.org/mitigations/M1054"}, {"name": "Code 
Signing", "description": "Enforce binary and application integrity with digital signature verification to prevent untrusted code from executing.", "url": "https://attack.mitre.org/mitigations/M1045"}]}, {"_id": "T1048", "mitigations": [{"name": "Network Intrusion Prevention", "description": "Use intrusion detection signatures to block traffic at network boundaries.", "url": "https://attack.mitre.org/mitigations/M1031"}, {"name": "Filter Network Traffic", "description": "Use network appliances to filter ingress or egress traffic and perform protocol-based filtering. Configure software on endpoints to filter network traffic.", "url": "https://attack.mitre.org/mitigations/M1037"}, {"name": "Network Segmentation", "description": "Architect sections of the network to isolate critical systems, functions, or resources. Use physical and logical segmentation to prevent access to potentially sensitive systems and information. Use a DMZ to contain any internet-facing services that should not be exposed from the internal network.", "url": "https://attack.mitre.org/mitigations/M1030"}]}, {"_id": "T1087", "mitigations": [{"name": "Operating System Configuration", "description": "Make configuration changes related to the operating system or a common feature of the operating system that result in system hardening against techniques.", "url": "https://attack.mitre.org/mitigations/M1028"}]}, {"_id": "T1007", "mitigations": [{"name": "System Service Discovery Mitigation", "description": "Identify unnecessary system utilities or potentially malicious software that may be used to acquire information about services, and audit and/or block them by using whitelisting (Citation: Beechey 2010) tools, like AppLocker, (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) or Software Restriction Policies (Citation: Corio 2008) where appropriate. 
(Citation: TechNet Applocker vs SRP)", "url": ""}]}, {"_id": "T1096", "mitigations": [{"name": "Restrict File and Directory Permissions", "description": "Restrict access by setting directory and file permissions that are not specific to users or privileged accounts.", "url": "https://attack.mitre.org/mitigations/M1022"}]}, {"_id": "T1194", "mitigations": [{"name": "Antivirus/Antimalware", "description": "Use signatures or heuristics to detect malicious software.", "url": "https://attack.mitre.org/mitigations/M1049"}, {"name": "User Training", "description": "Train users to to be aware of access or manipulation attempts by an adversary to reduce the risk of successful spearphishing, social engineering, and other techniques that involve user interaction.", "url": "https://attack.mitre.org/mitigations/M1017"}, {"name": "Restrict Web-Based Content", "description": "Restrict use of certain websites, block downloads/attachments, block Javascript, restrict browser extensions, etc.", "url": "https://attack.mitre.org/mitigations/M1021"}]}, {"_id": "T1154", "mitigations": [{"name": "Trap Mitigation", "description": "Due to potential legitimate uses of trap commands, it's may be difficult to mitigate use of this technique.", "url": ""}]}, {"_id": "T1199", "mitigations": [{"name": "Network Segmentation", "description": "Architect sections of the network to isolate critical systems, functions, or resources. Use physical and logical segmentation to prevent access to potentially sensitive systems and information. 
Use a DMZ to contain any internet-facing services that should not be exposed from the internal network.", "url": "https://attack.mitre.org/mitigations/M1030"}, {"name": "User Account Control", "description": "Configure Windows User Account Control to mitigate risk of adversaries obtaining elevated process access.", "url": "https://attack.mitre.org/mitigations/M1052"}]}, {"_id": "T1062", "mitigations": [{"name": "Hypervisor Mitigation", "description": "Prevent adversary access to privileged accounts necessary to install a hypervisor.", "url": ""}]}, {"_id": "T1136", "mitigations": [{"name": "Operating System Configuration", "description": "Make configuration changes related to the operating system or a common feature of the operating system that result in system hardening against techniques.", "url": "https://attack.mitre.org/mitigations/M1028"}, {"name": "Privileged Account Management", "description": "Manage the creation, modification, use, and permissions associated to privileged accounts, including SYSTEM and root.", "url": "https://attack.mitre.org/mitigations/M1026"}, {"name": "Network Segmentation", "description": "Architect sections of the network to isolate critical systems, functions, or resources. Use physical and logical segmentation to prevent access to potentially sensitive systems and information. Use a DMZ to contain any internet-facing services that should not be exposed from the internal network.", "url": "https://attack.mitre.org/mitigations/M1030"}, {"name": "Multi-factor Authentication", "description": "Use two or more pieces of evidence to authenticate to a system; such as username and password in addition to a token from a physical smart card or token generator.", "url": "https://attack.mitre.org/mitigations/M1032"}]}, {"_id": "T1188", "mitigations": [{"name": "Filter Network Traffic", "description": "Use network appliances to filter ingress or egress traffic and perform protocol-based filtering. 
Configure software on endpoints to filter network traffic.", "url": "https://attack.mitre.org/mitigations/M1037"}]}, {"_id": "T1175", "mitigations": [{"name": "Network Segmentation", "description": "Architect sections of the network to isolate critical systems, functions, or resources. Use physical and logical segmentation to prevent access to potentially sensitive systems and information. Use a DMZ to contain any internet-facing services that should not be exposed from the internal network.", "url": "https://attack.mitre.org/mitigations/M1030"}, {"name": "Application Isolation and Sandboxing", "description": "Restrict execution of code to a virtual environment on or in transit to an endpoint system.", "url": "https://attack.mitre.org/mitigations/M1048"}, {"name": "Disable or Remove Feature or Program", "description": "Remove or deny access to unnecessary and potentially vulnerable software to prevent abuse by adversaries.", "url": "https://attack.mitre.org/mitigations/M1042"}, {"name": "Privileged Account Management", "description": "Manage the creation, modification, use, and permissions associated to privileged accounts, including SYSTEM and root.", "url": "https://attack.mitre.org/mitigations/M1026"}]}, {"_id": "T1500", "mitigations": [{"name": "Compile After Delivery Mitigation", "description": "This type of technique cannot be easily mitigated with preventive controls or patched since it is based on the abuse of operating system design features. For example, blocking all file compilation may have unintended side effects, such as preventing legitimate OS frameworks and code development mechanisms from operating properly. 
Consider removing compilers if not needed, otherwise efforts should be focused on preventing adversary tools from running earlier in the chain of activity and on identifying subsequent malicious behavior.", "url": ""}]}, {"_id": "T1088", "mitigations": [{"name": "Audit", "description": "Perform audits or scans of systems, permissions, insecure software, insecure configurations, etc. to identify potential weaknesses.", "url": "https://attack.mitre.org/mitigations/M1047"}, {"name": "User Account Control", "description": "Configure Windows User Account Control to mitigate risk of adversaries obtaining elevated process access.", "url": "https://attack.mitre.org/mitigations/M1052"}, {"name": "Privileged Account Management", "description": "Manage the creation, modification, use, and permissions associated to privileged accounts, including SYSTEM and root.", "url": "https://attack.mitre.org/mitigations/M1026"}]}, {"_id": "T1153", "mitigations": [{"name": "Source Mitigation", "description": "Due to potential legitimate uses of source commands, it's may be difficult to mitigate use of this technique.", "url": ""}]}, {"_id": "T1149", "mitigations": [{"name": "Code Signing", "description": "Enforce binary and application integrity with digital signature verification to prevent untrusted code from executing.", "url": "https://attack.mitre.org/mitigations/M1045"}]}, {"_id": "T1219", "mitigations": [{"name": "Network Intrusion Prevention", "description": "Use intrusion detection signatures to block traffic at network boundaries.", "url": "https://attack.mitre.org/mitigations/M1031"}, {"name": "Filter Network Traffic", "description": "Use network appliances to filter ingress or egress traffic and perform protocol-based filtering. 
Configure software on endpoints to filter network traffic.", "url": "https://attack.mitre.org/mitigations/M1037"}, {"name": "Execution Prevention", "description": "Block execution of code on a system through application whitelisting, blacklisting, and/or script blocking.", "url": "https://attack.mitre.org/mitigations/M1038"}]}, {"_id": "T1012", "mitigations": [{"name": "Query Registry Mitigation", "description": "Identify unnecessary system utilities or potentially malicious software that may be used to acquire information within the Registry, and audit and/or block them by using whitelisting (Citation: Beechey 2010) tools, like AppLocker, (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) or Software Restriction Policies (Citation: Corio 2008) where appropriate. (Citation: TechNet Applocker vs SRP)", "url": ""}]}, {"_id": "T1531", "mitigations": []}, {"_id": "T1031", "mitigations": [{"name": "Audit", "description": "Perform audits or scans of systems, permissions, insecure software, insecure configurations, etc. to identify potential weaknesses.", "url": "https://attack.mitre.org/mitigations/M1047"}, {"name": "User Account Management", "description": "Manage the creation, modification, use, and permissions associated to user accounts.", "url": "https://attack.mitre.org/mitigations/M1018"}]}, {"_id": "T1018", "mitigations": [{"name": "Remote System Discovery Mitigation", "description": "Identify unnecessary system utilities or potentially malicious software that may be used to acquire information on remotely available systems, and audit and/or block them by using whitelisting (Citation: Beechey 2010) tools, like AppLocker, (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) or Software Restriction Policies (Citation: Corio 2008) where appropriate. 
(Citation: TechNet Applocker vs SRP)", "url": ""}]}, {"_id": "T1187", "mitigations": [{"name": "Filter Network Traffic", "description": "Use network appliances to filter ingress or egress traffic and perform protocol-based filtering. Configure software on endpoints to filter network traffic.", "url": "https://attack.mitre.org/mitigations/M1037"}, {"name": "Password Policies", "description": "Set and enforce secure password policies for accounts.", "url": "https://attack.mitre.org/mitigations/M1027"}]}, {"_id": "T1193", "mitigations": [{"name": "Restrict Web-Based Content", "description": "Restrict use of certain websites, block downloads/attachments, block Javascript, restrict browser extensions, etc.", "url": "https://attack.mitre.org/mitigations/M1021"}, {"name": "Network Intrusion Prevention", "description": "Use intrusion detection signatures to block traffic at network boundaries.", "url": "https://attack.mitre.org/mitigations/M1031"}, {"name": "User Training", "description": "Train users to to be aware of access or manipulation attempts by an adversary to reduce the risk of successful spearphishing, social engineering, and other techniques that involve user interaction.", "url": "https://attack.mitre.org/mitigations/M1017"}, {"name": "Antivirus/Antimalware", "description": "Use signatures or heuristics to detect malicious software.", "url": "https://attack.mitre.org/mitigations/M1049"}]}, {"_id": "T1223", "mitigations": [{"name": "Restrict Web-Based Content", "description": "Restrict use of certain websites, block downloads/attachments, block Javascript, restrict browser extensions, etc.", "url": "https://attack.mitre.org/mitigations/M1021"}, {"name": "Execution Prevention", "description": "Block execution of code on a system through application whitelisting, blacklisting, and/or script blocking.", "url": "https://attack.mitre.org/mitigations/M1038"}]}, {"_id": "T1162", "mitigations": [{"name": "User Training", "description": "Train users to to be aware of 
access or manipulation attempts by an adversary to reduce the risk of successful spearphishing, social engineering, and other techniques that involve user interaction.", "url": "https://attack.mitre.org/mitigations/M1017"}, {"name": "User Account Management", "description": "Manage the creation, modification, use, and permissions associated to user accounts.", "url": "https://attack.mitre.org/mitigations/M1018"}]}, {"_id": "T1519", "mitigations": [{"name": "Disable or Remove Feature or Program", "description": "Remove or deny access to unnecessary and potentially vulnerable software to prevent abuse by adversaries.", "url": "https://attack.mitre.org/mitigations/M1042"}]}, {"_id": "T1167", "mitigations": []}, {"_id": "T1071", "mitigations": [{"name": "Network Intrusion Prevention", "description": "Use intrusion detection signatures to block traffic at network boundaries.", "url": "https://attack.mitre.org/mitigations/M1031"}]}, {"_id": "T1078", "mitigations": [{"name": "Filter Network Traffic", "description": "Use network appliances to filter ingress or egress traffic and perform protocol-based filtering. 
Configure software on endpoints to filter network traffic.", "url": "https://attack.mitre.org/mitigations/M1037"}, {"name": "Password Policies", "description": "Set and enforce secure password policies for accounts.", "url": "https://attack.mitre.org/mitigations/M1027"}, {"name": "Multi-factor Authentication", "description": "Use two or more pieces of evidence to authenticate to a system; such as username and password in addition to a token from a physical smart card or token generator.", "url": "https://attack.mitre.org/mitigations/M1032"}, {"name": "User Account Management", "description": "Manage the creation, modification, use, and permissions associated to user accounts.", "url": "https://attack.mitre.org/mitigations/M1018"}, {"name": "Application Developer Guidance", "description": "This mitigation describes any guidance or training given to developers of applications to avoid introducing security weaknesses that an adversary may be able to take advantage of.", "url": "https://attack.mitre.org/mitigations/M1013"}, {"name": "Privileged Account Management", "description": "Manage the creation, modification, use, and permissions associated to privileged accounts, including SYSTEM and root.", "url": "https://attack.mitre.org/mitigations/M1026"}, {"name": "Audit", "description": "Perform audits or scans of systems, permissions, insecure software, insecure configurations, etc. to identify potential weaknesses.", "url": "https://attack.mitre.org/mitigations/M1047"}]}, {"_id": "T1074", "mitigations": [{"name": "Data Staged Mitigation", "description": "Identify system utilities, remote access or third-party tools, users or potentially malicious software that may be used to store compressed or encrypted data in a publicly writeable directory, central location, or commonly used staging directories (e.g. recycle bin) that is indicative of non-standard behavior, and audit and/or block them by using file integrity monitoring tools where appropriate. 
Consider applying data size limits or blocking file writes of common compression and encryption utilities such as 7zip, RAR, ZIP, or zlib on frequently used staging directories or central locations and monitor attempted violations of those restrictions.", "url": ""}]}, {"_id": "T1490", "mitigations": [{"name": "Data Backup", "description": "Take and store data backups from end user systems and critical servers. Ensure backup and storage systems are hardened and kept separate from the corporate network to prevent compromise.", "url": "https://attack.mitre.org/mitigations/M1053"}, {"name": "Operating System Configuration", "description": "Make configuration changes related to the operating system or a common feature of the operating system that result in system hardening against techniques.", "url": "https://attack.mitre.org/mitigations/M1028"}]}, {"_id": "T1029", "mitigations": [{"name": "Network Intrusion Prevention", "description": "Use intrusion detection signatures to block traffic at network boundaries.", "url": "https://attack.mitre.org/mitigations/M1031"}]}, {"_id": "T1130", "mitigations": [{"name": "Operating System Configuration", "description": "Make configuration changes related to the operating system or a common feature of the operating system that result in system hardening against techniques.", "url": "https://attack.mitre.org/mitigations/M1028"}, {"name": "Software Configuration", "description": "Implement configuration changes to software (other than the operating system) to mitigate security risks associated to how the software operates.", "url": "https://attack.mitre.org/mitigations/M1054"}]}, {"_id": "T1184", "mitigations": [{"name": "Disable or Remove Feature or Program", "description": "Remove or deny access to unnecessary and potentially vulnerable software to prevent abuse by adversaries.", "url": "https://attack.mitre.org/mitigations/M1042"}, {"name": "User Account Control", "description": "Configure Windows User Account Control to mitigate 
risk of adversaries obtaining elevated process access.", "url": "https://attack.mitre.org/mitigations/M1052"}, {"name": "Privileged Account Management", "description": "Manage the creation, modification, use, and permissions associated to privileged accounts, including SYSTEM and root.", "url": "https://attack.mitre.org/mitigations/M1026"}, {"name": "Restrict File and Directory Permissions", "description": "Restrict access by setting directory and file permissions that are not specific to users or privileged accounts.", "url": "https://attack.mitre.org/mitigations/M1022"}, {"name": "Password Policies", "description": "Set and enforce secure password policies for accounts.", "url": "https://attack.mitre.org/mitigations/M1027"}]}, {"_id": "T1486", "mitigations": [{"name": "Data Backup", "description": "Take and store data backups from end user systems and critical servers. Ensure backup and storage systems are hardened and kept separate from the corporate network to prevent compromise.", "url": "https://attack.mitre.org/mitigations/M1053"}]}, {"_id": "T1497", "mitigations": [{"name": "Virtualization/Sandbox Evasion Mitigation", "description": "Mitigation of this technique with preventative controls may impact the adversary's decision process depending on what they're looking for, how they use the information, and what their objectives are. 
Since it may be difficult to mitigate all aspects of information that could be gathered, efforts should be focused on preventing adversary tools from running earlier in the chain of activity and on identifying subsequent malicious behavior if compromised.", "url": ""}]}, {"_id": "T1529", "mitigations": []}, {"_id": "T1131", "mitigations": [{"name": "Privileged Process Integrity", "description": "Protect processes with high privileges that can be used to interact with critical system components through use of protected process light, anti-process injection defenses, or other process integrity enforcement measures.", "url": "https://attack.mitre.org/mitigations/M1025"}]}, {"_id": "T1493", "mitigations": [{"name": "Encrypt Sensitive Information", "description": "Protect sensitive information with strong encryption.", "url": "https://attack.mitre.org/mitigations/M1041"}]}, {"_id": "T1059", "mitigations": [{"name": "Execution Prevention", "description": "Block execution of code on a system through application whitelisting, blacklisting, and/or script blocking.", "url": "https://attack.mitre.org/mitigations/M1038"}]}, {"_id": "T1165", "mitigations": [{"name": "Restrict File and Directory Permissions", "description": "Restrict access by setting directory and file permissions that are not specific to users or privileged accounts.", "url": "https://attack.mitre.org/mitigations/M1022"}, {"name": "User Account Management", "description": "Manage the creation, modification, use, and permissions associated to user accounts.", "url": "https://attack.mitre.org/mitigations/M1018"}]}, {"_id": "T1121", "mitigations": [{"name": "Execution Prevention", "description": "Block execution of code on a system through application whitelisting, blacklisting, and/or script blocking.", "url": "https://attack.mitre.org/mitigations/M1038"}, {"name": "Disable or Remove Feature or Program", "description": "Remove or deny access to unnecessary and potentially vulnerable software to prevent abuse by 
adversaries.", "url": "https://attack.mitre.org/mitigations/M1042"}]}, {"_id": "T1539", "mitigations": [{"name": "Software Configuration", "description": "Implement configuration changes to software (other than the operating system) to mitigate security risks associated to how the software operates.", "url": "https://attack.mitre.org/mitigations/M1054"}, {"name": "Multi-factor Authentication", "description": "Use two or more pieces of evidence to authenticate to a system; such as username and password in addition to a token from a physical smart card or token generator.", "url": "https://attack.mitre.org/mitigations/M1032"}, {"name": "User Training", "description": "Train users to to be aware of access or manipulation attempts by an adversary to reduce the risk of successful spearphishing, social engineering, and other techniques that involve user interaction.", "url": "https://attack.mitre.org/mitigations/M1017"}]}, {"_id": "T1103", "mitigations": [{"name": "Execution Prevention", "description": "Block execution of code on a system through application whitelisting, blacklisting, and/or script blocking.", "url": "https://attack.mitre.org/mitigations/M1038"}, {"name": "Update Software", "description": "Perform regular software updates to mitigate exploitation risk.", "url": "https://attack.mitre.org/mitigations/M1051"}]}, {"_id": "T1192", "mitigations": [{"name": "Restrict Web-Based Content", "description": "Restrict use of certain websites, block downloads/attachments, block Javascript, restrict browser extensions, etc.", "url": "https://attack.mitre.org/mitigations/M1021"}, {"name": "User Training", "description": "Train users to to be aware of access or manipulation attempts by an adversary to reduce the risk of successful spearphishing, social engineering, and other techniques that involve user interaction.", "url": "https://attack.mitre.org/mitigations/M1017"}]}, {"_id": "T1098", "mitigations": [{"name": "Multi-factor Authentication", "description": "Use two or 
more pieces of evidence to authenticate to a system; such as username and password in addition to a token from a physical smart card or token generator.", "url": "https://attack.mitre.org/mitigations/M1032"}, {"name": "Operating System Configuration", "description": "Make configuration changes related to the operating system or a common feature of the operating system that result in system hardening against techniques.", "url": "https://attack.mitre.org/mitigations/M1028"}, {"name": "Network Segmentation", "description": "Architect sections of the network to isolate critical systems, functions, or resources. Use physical and logical segmentation to prevent access to potentially sensitive systems and information. Use a DMZ to contain any internet-facing services that should not be exposed from the internal network.", "url": "https://attack.mitre.org/mitigations/M1030"}, {"name": "Privileged Account Management", "description": "Manage the creation, modification, use, and permissions associated to privileged accounts, including SYSTEM and root.", "url": "https://attack.mitre.org/mitigations/M1026"}]}, {"_id": "T1152", "mitigations": [{"name": "User Account Management", "description": "Manage the creation, modification, use, and permissions associated to user accounts.", "url": "https://attack.mitre.org/mitigations/M1018"}]}, {"_id": "T1128", "mitigations": [{"name": "Netsh Helper DLL Mitigation", "description": "Identify and block potentially malicious software that may persist in this manner by using whitelisting (Citation: Beechey 2010) tools capable of monitoring DLL loads by Windows utilities like AppLocker. 
(Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker)", "url": ""}]}, {"_id": "T1073", "mitigations": [{"name": "Restrict File and Directory Permissions", "description": "Restrict access by setting directory and file permissions that are not specific to users or privileged accounts.", "url": "https://attack.mitre.org/mitigations/M1022"}, {"name": "Update Software", "description": "Perform regular software updates to mitigate exploitation risk.", "url": "https://attack.mitre.org/mitigations/M1051"}, {"name": "Audit", "description": "Perform audits or scans of systems, permissions, insecure software, insecure configurations, etc. to identify potential weaknesses.", "url": "https://attack.mitre.org/mitigations/M1047"}]}, {"_id": "T1067", "mitigations": [{"name": "Boot Integrity", "description": "Use secure methods to boot a system and verify the integrity of the operating system and loading mechanisms.", "url": "https://attack.mitre.org/mitigations/M1046"}, {"name": "Privileged Account Management", "description": "Manage the creation, modification, use, and permissions associated to privileged accounts, including SYSTEM and root.", "url": "https://attack.mitre.org/mitigations/M1026"}]}, {"_id": "T1183", "mitigations": [{"name": "Image File Execution Options Injection Mitigation", "description": "This type of attack technique cannot be easily mitigated with preventive controls since it is based on the abuse of operating system design features. For example, mitigating all IFEO will likely have unintended side effects, such as preventing legitimate software (i.e., security products) from operating properly. 
(Citation: Microsoft IFEOorMalware July 2015) Efforts should be focused on preventing adversary tools from running earlier in the chain of activity and on identifying subsequent malicious behavior.", "url": ""}]}, {"_id": "T1140", "mitigations": [{"name": "Deobfuscate/Decode Files or Information Mitigation", "description": "Identify unnecessary system utilities or potentially malicious software that may be used to deobfuscate or decode files or information, and audit and/or block them by using whitelisting (Citation: Beechey 2010) tools, like AppLocker, (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) or Software Restriction Policies (Citation: Corio 2008) where appropriate. (Citation: TechNet Applocker vs SRP)", "url": ""}]}, {"_id": "T1168", "mitigations": [{"name": "User Account Management", "description": "Manage the creation, modification, use, and permissions associated to user accounts.", "url": "https://attack.mitre.org/mitigations/M1018"}]}, {"_id": "T1146", "mitigations": [{"name": "Restrict File and Directory Permissions", "description": "Restrict access by setting directory and file permissions that are not specific to users or privileged accounts.", "url": "https://attack.mitre.org/mitigations/M1022"}, {"name": "Environment Variable Permissions", "description": "Prevent modification of environment variables by unauthorized users and groups.", "url": "https://attack.mitre.org/mitigations/M1039"}]}, {"_id": "T1030", "mitigations": [{"name": "Network Intrusion Prevention", "description": "Use intrusion detection signatures to block traffic at network boundaries.", "url": "https://attack.mitre.org/mitigations/M1031"}]}, {"_id": "T1217", "mitigations": [{"name": "Browser Bookmark Discovery Mitigation", "description": "File system activity is a common part of an operating system, so it is unlikely that mitigation would be appropriate for this technique. 
For example, mitigating accesses to browser bookmark files will likely have unintended side effects such as preventing legitimate software from operating properly. Efforts should be focused on preventing adversary tools from running earlier in the chain of activity and on identification of subsequent malicious behavior. It may still be beneficial to identify and block unnecessary system utilities or potentially malicious software by using whitelisting (Citation: Beechey 2010) tools, like AppLocker, (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) or Software Restriction Policies (Citation: Corio 2008) where appropriate. (Citation: TechNet Applocker vs SRP)", "url": ""}]}, {"_id": "T1190", "mitigations": [{"name": "Privileged Account Management", "description": "Manage the creation, modification, use, and permissions associated to privileged accounts, including SYSTEM and root.", "url": "https://attack.mitre.org/mitigations/M1026"}, {"name": "Application Isolation and Sandboxing", "description": "Restrict execution of code to a virtual environment on or in transit to an endpoint system.", "url": "https://attack.mitre.org/mitigations/M1048"}, {"name": "Vulnerability Scanning", "description": "Vulnerability scanning is used to find potentially exploitable software vulnerabilities to remediate them.", "url": "https://attack.mitre.org/mitigations/M1016"}, {"name": "Update Software", "description": "Perform regular software updates to mitigate exploitation risk.", "url": "https://attack.mitre.org/mitigations/M1051"}, {"name": "Network Segmentation", "description": "Architect sections of the network to isolate critical systems, functions, or resources. Use physical and logical segmentation to prevent access to potentially sensitive systems and information. 
Use a DMZ to contain any internet-facing services that should not be exposed from the internal network.", "url": "https://attack.mitre.org/mitigations/M1030"}, {"name": "Exploit Protection", "description": "Use capabilities to detect and block conditions that may lead to or be indicative of a software exploit occurring.", "url": "https://attack.mitre.org/mitigations/M1050"}]}, {"_id": "T1049", "mitigations": [{"name": "System Network Connections Discovery Mitigation", "description": "Identify unnecessary system utilities or potentially malicious software that may be used to acquire information about network connections, and audit and/or block them by using whitelisting (Citation: Beechey 2010) tools, like AppLocker, (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) or Software Restriction Policies (Citation: Corio 2008) where appropriate. (Citation: TechNet Applocker vs SRP)", "url": ""}]}, {"_id": "T1514", "mitigations": [{"name": "Execution Prevention", "description": "Block execution of code on a system through application whitelisting, blacklisting, and/or script blocking.", "url": "https://attack.mitre.org/mitigations/M1038"}]}, {"_id": "T1172", "mitigations": [{"name": "SSL/TLS Inspection", "description": "Break and inspect SSL/TLS sessions to look at encrypted web traffic for adversary activity.", "url": "https://attack.mitre.org/mitigations/M1020"}, {"name": "Execution Prevention", "description": "Block execution of code on a system through application whitelisting, blacklisting, and/or script blocking.", "url": "https://attack.mitre.org/mitigations/M1038"}]}, {"_id": "T1518", "mitigations": []}, {"_id": "T1528", "mitigations": [{"name": "Restrict Web-Based Content", "description": "Restrict use of certain websites, block downloads/attachments, block Javascript, restrict browser extensions, etc.", "url": "https://attack.mitre.org/mitigations/M1021"}, {"name": "Audit", "description": "Perform audits or scans of systems, permissions, insecure 
software, insecure configurations, etc. to identify potential weaknesses.", "url": "https://attack.mitre.org/mitigations/M1047"}, {"name": "User Account Management", "description": "Manage the creation, modification, use, and permissions associated to user accounts.", "url": "https://attack.mitre.org/mitigations/M1018"}, {"name": "User Training", "description": "Train users to to be aware of access or manipulation attempts by an adversary to reduce the risk of successful spearphishing, social engineering, and other techniques that involve user interaction.", "url": "https://attack.mitre.org/mitigations/M1017"}]}, {"_id": "T1056", "mitigations": [{"name": "Input Capture Mitigation", "description": "Identify and block potentially malicious software that may be used to acquire credentials or information from the user by using whitelisting (Citation: Beechey 2010) tools, like AppLocker, (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) or Software Restriction Policies (Citation: Corio 2008) where appropriate. 
(Citation: TechNet Applocker vs SRP)", "url": ""}]}, {"_id": "T1111", "mitigations": [{"name": "User Training", "description": "Train users to to be aware of access or manipulation attempts by an adversary to reduce the risk of successful spearphishing, social engineering, and other techniques that involve user interaction.", "url": "https://attack.mitre.org/mitigations/M1017"}]}, {"_id": "T1159", "mitigations": [{"name": "User Account Management", "description": "Manage the creation, modification, use, and permissions associated to user accounts.", "url": "https://attack.mitre.org/mitigations/M1018"}]}, {"_id": "T1024", "mitigations": [{"name": "Network Intrusion Prevention", "description": "Use intrusion detection signatures to block traffic at network boundaries.", "url": "https://attack.mitre.org/mitigations/M1031"}]}, {"_id": "T1201", "mitigations": [{"name": "Password Policies", "description": "Set and enforce secure password policies for accounts.", "url": "https://attack.mitre.org/mitigations/M1027"}]}, {"_id": "T1014", "mitigations": [{"name": "Rootkit Mitigation", "description": "Identify potentially malicious software that may contain rootkit functionality, and audit and/or block it by using whitelisting (Citation: Beechey 2010) tools, like AppLocker, (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) or Software Restriction Policies (Citation: Corio 2008) where appropriate. 
(Citation: TechNet Applocker vs SRP)", "url": ""}]}, {"_id": "T1021", "mitigations": [{"name": "User Account Management", "description": "Manage the creation, modification, use, and permissions associated to user accounts.", "url": "https://attack.mitre.org/mitigations/M1018"}, {"name": "Multi-factor Authentication", "description": "Use two or more pieces of evidence to authenticate to a system; such as username and password in addition to a token from a physical smart card or token generator.", "url": "https://attack.mitre.org/mitigations/M1032"}]}, {"_id": "T1215", "mitigations": [{"name": "Antivirus/Antimalware", "description": "Use signatures or heuristics to detect malicious software.", "url": "https://attack.mitre.org/mitigations/M1049"}, {"name": "Execution Prevention", "description": "Block execution of code on a system through application whitelisting, blacklisting, and/or script blocking.", "url": "https://attack.mitre.org/mitigations/M1038"}, {"name": "Privileged Account Management", "description": "Manage the creation, modification, use, and permissions associated to privileged accounts, including SYSTEM and root.", "url": "https://attack.mitre.org/mitigations/M1026"}]}, {"_id": "T1189", "mitigations": [{"name": "Exploit Protection", "description": "Use capabilities to detect and block conditions that may lead to or be indicative of a software exploit occurring.", "url": "https://attack.mitre.org/mitigations/M1050"}, {"name": "Application Isolation and Sandboxing", "description": "Restrict execution of code to a virtual environment on or in transit to an endpoint system.", "url": "https://attack.mitre.org/mitigations/M1048"}, {"name": "Restrict Web-Based Content", "description": "Restrict use of certain websites, block downloads/attachments, block Javascript, restrict browser extensions, etc.", "url": "https://attack.mitre.org/mitigations/M1021"}, {"name": "Update Software", "description": "Perform regular software updates to mitigate exploitation 
risk.", "url": "https://attack.mitre.org/mitigations/M1051"}]}, {"_id": "T1492", "mitigations": [{"name": "Remote Data Storage", "description": "Use remote security log and sensitive file storage where access can be controlled better to prevent exposure of intrusion detection log data or sensitive information.", "url": "https://attack.mitre.org/mitigations/M1029"}, {"name": "Encrypt Sensitive Information", "description": "Protect sensitive information with strong encryption.", "url": "https://attack.mitre.org/mitigations/M1041"}, {"name": "Restrict File and Directory Permissions", "description": "Restrict access by setting directory and file permissions that are not specific to users or privileged accounts.", "url": "https://attack.mitre.org/mitigations/M1022"}]}, {"_id": "T1142", "mitigations": [{"name": "Password Policies", "description": "Set and enforce secure password policies for accounts.", "url": "https://attack.mitre.org/mitigations/M1027"}]}, {"_id": "T1115", "mitigations": [{"name": "Clipboard Data Mitigation", "description": "Instead of blocking software based on clipboard capture behavior, identify potentially malicious software that may contain this functionality, and audit and/or block it by using whitelisting (Citation: Beechey 2010) tools, like AppLocker, (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) or Software Restriction Policies (Citation: Corio 2008) where appropriate. (Citation: TechNet Applocker vs SRP)", "url": ""}]}, {"_id": "T1046", "mitigations": [{"name": "Disable or Remove Feature or Program", "description": "Remove or deny access to unnecessary and potentially vulnerable software to prevent abuse by adversaries.", "url": "https://attack.mitre.org/mitigations/M1042"}, {"name": "Network Segmentation", "description": "Architect sections of the network to isolate critical systems, functions, or resources. Use physical and logical segmentation to prevent access to potentially sensitive systems and information. 
Use a DMZ to contain any internet-facing services that should not be exposed from the internal network.", "url": "https://attack.mitre.org/mitigations/M1030"}, {"name": "Network Intrusion Prevention", "description": "Use intrusion detection signatures to block traffic at network boundaries.", "url": "https://attack.mitre.org/mitigations/M1031"}]}, {"_id": "T1119", "mitigations": [{"name": "Encrypt Sensitive Information", "description": "Protect sensitive information with strong encryption.", "url": "https://attack.mitre.org/mitigations/M1041"}, {"name": "Remote Data Storage", "description": "Use remote security log and sensitive file storage where access can be controlled better to prevent exposure of intrusion detection log data or sensitive information.", "url": "https://attack.mitre.org/mitigations/M1029"}]}, {"_id": "T1170", "mitigations": [{"name": "Disable or Remove Feature or Program", "description": "Remove or deny access to unnecessary and potentially vulnerable software to prevent abuse by adversaries.", "url": "https://attack.mitre.org/mitigations/M1042"}, {"name": "Execution Prevention", "description": "Block execution of code on a system through application whitelisting, blacklisting, and/or script blocking.", "url": "https://attack.mitre.org/mitigations/M1038"}]}, {"_id": "T1214", "mitigations": [{"name": "Privileged Account Management", "description": "Manage the creation, modification, use, and permissions associated to privileged accounts, including SYSTEM and root.", "url": "https://attack.mitre.org/mitigations/M1026"}, {"name": "Audit", "description": "Perform audits or scans of systems, permissions, insecure software, insecure configurations, etc. 
to identify potential weaknesses.", "url": "https://attack.mitre.org/mitigations/M1047"}, {"name": "Password Policies", "description": "Set and enforce secure password policies for accounts.", "url": "https://attack.mitre.org/mitigations/M1027"}]}, {"_id": "T1212", "mitigations": [{"name": "Threat Intelligence Program", "description": "A threat intelligence program helps an organization generate their own threat intelligence information and track trends to inform defensive priorities to mitigate risk.", "url": "https://attack.mitre.org/mitigations/M1019"}, {"name": "Application Isolation and Sandboxing", "description": "Restrict execution of code to a virtual environment on or in transit to an endpoint system.", "url": "https://attack.mitre.org/mitigations/M1048"}, {"name": "Exploit Protection", "description": "Use capabilities to detect and block conditions that may lead to or be indicative of a software exploit occurring.", "url": "https://attack.mitre.org/mitigations/M1050"}, {"name": "Update Software", "description": "Perform regular software updates to mitigate exploitation risk.", "url": "https://attack.mitre.org/mitigations/M1051"}]}, {"_id": "T1125", "mitigations": [{"name": "Video Capture Mitigation", "description": "Mitigating this technique specifically may be difficult as it requires fine-grained API control. 
Efforts should be focused on preventing unwanted or unknown code from executing on a system.", "url": ""}]}, {"_id": "T1538", "mitigations": [{"name": "User Account Management", "description": "Manage the creation, modification, use, and permissions associated to user accounts.", "url": "https://attack.mitre.org/mitigations/M1018"}]}, {"_id": "T1035", "mitigations": [{"name": "Restrict File and Directory Permissions", "description": "Restrict access by setting directory and file permissions that are not specific to users or privileged accounts.", "url": "https://attack.mitre.org/mitigations/M1022"}, {"name": "Privileged Account Management", "description": "Manage the creation, modification, use, and permissions associated to privileged accounts, including SYSTEM and root.", "url": "https://attack.mitre.org/mitigations/M1026"}]}, {"_id": "T1016", "mitigations": [{"name": "System Network Configuration Discovery Mitigation", "description": "Identify unnecessary system utilities or potentially malicious software that may be used to acquire information about a system's network configuration, and audit and/or block them by using whitelisting (Citation: Beechey 2010) tools, like AppLocker, (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) or Software Restriction Policies (Citation: Corio 2008) where appropriate. (Citation: TechNet Applocker vs SRP)", "url": ""}]}, {"_id": "T1161", "mitigations": [{"name": "Audit", "description": "Perform audits or scans of systems, permissions, insecure software, insecure configurations, etc. 
to identify potential weaknesses.", "url": "https://attack.mitre.org/mitigations/M1047"}, {"name": "Code Signing", "description": "Enforce binary and application integrity with digital signature verification to prevent untrusted code from executing.", "url": "https://attack.mitre.org/mitigations/M1045"}, {"name": "Execution Prevention", "description": "Block execution of code on a system through application whitelisting, blacklisting, and/or script blocking.", "url": "https://attack.mitre.org/mitigations/M1038"}]}, {"_id": "T1019", "mitigations": [{"name": "Privileged Account Management", "description": "Manage the creation, modification, use, and permissions associated to privileged accounts, including SYSTEM and root.", "url": "https://attack.mitre.org/mitigations/M1026"}, {"name": "Boot Integrity", "description": "Use secure methods to boot a system and verify the integrity of the operating system and loading mechanisms.", "url": "https://attack.mitre.org/mitigations/M1046"}, {"name": "Update Software", "description": "Perform regular software updates to mitigate exploitation risk.", "url": "https://attack.mitre.org/mitigations/M1051"}]}, {"_id": "T1186", "mitigations": [{"name": "Process Doppelg\u00e4nging Mitigation", "description": "This type of attack technique cannot be easily mitigated with preventive controls or patched since it is based on the abuse of operating system design features. For example, mitigating specific API calls will likely have unintended side effects, such as preventing legitimate process-loading mechanisms from operating properly. 
Efforts should be focused on preventing adversary tools from running earlier in the chain of activity and on identifying subsequent malicious behavior.", "url": ""}]}, {"_id": "T1057", "mitigations": [{"name": "Process Discovery Mitigation", "description": "Identify unnecessary system utilities or potentially malicious software that may be used to acquire information about processes, and audit and/or block them by using whitelisting (Citation: Beechey 2010) tools, like AppLocker, (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) or Software Restriction Policies (Citation: Corio 2008) where appropriate. (Citation: TechNet Applocker vs SRP)", "url": ""}]}, {"_id": "T1069", "mitigations": [{"name": "Permission Groups Discovery Mitigation", "description": "Identify unnecessary system utilities or potentially malicious software that may be used to acquire information about groups and permissions, and audit and/or block them by using whitelisting (Citation: Beechey 2010) tools, like AppLocker, (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) or Software Restriction Policies (Citation: Corio 2008) where appropriate. (Citation: TechNet Applocker vs SRP)", "url": ""}]}, {"_id": "T1197", "mitigations": [{"name": "User Account Management", "description": "Manage the creation, modification, use, and permissions associated to user accounts.", "url": "https://attack.mitre.org/mitigations/M1018"}, {"name": "Operating System Configuration", "description": "Make configuration changes related to the operating system or a common feature of the operating system that result in system hardening against techniques.", "url": "https://attack.mitre.org/mitigations/M1028"}, {"name": "Filter Network Traffic", "description": "Use network appliances to filter ingress or egress traffic and perform protocol-based filtering. 
Configure software on endpoints to filter network traffic.", "url": "https://attack.mitre.org/mitigations/M1037"}]}, {"_id": "T1134", "mitigations": [{"name": "User Account Management", "description": "Manage the creation, modification, use, and permissions associated to user accounts.", "url": "https://attack.mitre.org/mitigations/M1018"}, {"name": "Privileged Account Management", "description": "Manage the creation, modification, use, and permissions associated to privileged accounts, including SYSTEM and root.", "url": "https://attack.mitre.org/mitigations/M1026"}]}, {"_id": "T1091", "mitigations": [{"name": "Limit Hardware Installation", "description": "Block users or groups from installing or using unapproved hardware on systems, including USB devices.", "url": "https://attack.mitre.org/mitigations/M1034"}, {"name": "Disable or Remove Feature or Program", "description": "Remove or deny access to unnecessary and potentially vulnerable software to prevent abuse by adversaries.", "url": "https://attack.mitre.org/mitigations/M1042"}]}, {"_id": "T1013", "mitigations": [{"name": "Port Monitors Mitigation", "description": "Identify and block potentially malicious software that may persist in this manner by using whitelisting (Citation: Beechey 2010) tools capable of monitoring DLL loads by processes running under SYSTEM permissions.", "url": ""}]}, {"_id": "T1171", "mitigations": [{"name": "Filter Network Traffic", "description": "Use network appliances to filter ingress or egress traffic and perform protocol-based filtering. 
Configure software on endpoints to filter network traffic.", "url": "https://attack.mitre.org/mitigations/M1037"}, {"name": "Disable or Remove Feature or Program", "description": "Remove or deny access to unnecessary and potentially vulnerable software to prevent abuse by adversaries.", "url": "https://attack.mitre.org/mitigations/M1042"}]}, {"_id": "T1133", "mitigations": [{"name": "Limit Access to Resource Over Network", "description": "Prevent access to file shares, remote access to systems, unnecessary services. Mechanisms to limit access may include use of network concentrators, RDP gateways, etc.", "url": "https://attack.mitre.org/mitigations/M1035"}, {"name": "Multi-factor Authentication", "description": "Use two or more pieces of evidence to authenticate to a system; such as username and password in addition to a token from a physical smart card or token generator.", "url": "https://attack.mitre.org/mitigations/M1032"}, {"name": "Network Segmentation", "description": "Architect sections of the network to isolate critical systems, functions, or resources. Use physical and logical segmentation to prevent access to potentially sensitive systems and information. Use a DMZ to contain any internet-facing services that should not be exposed from the internal network.", "url": "https://attack.mitre.org/mitigations/M1030"}, {"name": "Disable or Remove Feature or Program", "description": "Remove or deny access to unnecessary and potentially vulnerable software to prevent abuse by adversaries.", "url": "https://attack.mitre.org/mitigations/M1042"}]}, {"_id": "T1076", "mitigations": [{"name": "Network Segmentation", "description": "Architect sections of the network to isolate critical systems, functions, or resources. Use physical and logical segmentation to prevent access to potentially sensitive systems and information. 
Use a DMZ to contain any internet-facing services that should not be exposed from the internal network.", "url": "https://attack.mitre.org/mitigations/M1030"}, {"name": "Privileged Account Management", "description": "Manage the creation, modification, use, and permissions associated to privileged accounts, including SYSTEM and root.", "url": "https://attack.mitre.org/mitigations/M1026"}, {"name": "Audit", "description": "Perform audits or scans of systems, permissions, insecure software, insecure configurations, etc. to identify potential weaknesses.", "url": "https://attack.mitre.org/mitigations/M1047"}, {"name": "Limit Access to Resource Over Network", "description": "Prevent access to file shares, remote access to systems, unnecessary services. Mechanisms to limit access may include use of network concentrators, RDP gateways, etc.", "url": "https://attack.mitre.org/mitigations/M1035"}, {"name": "User Account Management", "description": "Manage the creation, modification, use, and permissions associated to user accounts.", "url": "https://attack.mitre.org/mitigations/M1018"}, {"name": "Multi-factor Authentication", "description": "Use two or more pieces of evidence to authenticate to a system; such as username and password in addition to a token from a physical smart card or token generator.", "url": "https://attack.mitre.org/mitigations/M1032"}, {"name": "Operating System Configuration", "description": "Make configuration changes related to the operating system or a common feature of the operating system that result in system hardening against techniques.", "url": "https://attack.mitre.org/mitigations/M1028"}, {"name": "Disable or Remove Feature or Program", "description": "Remove or deny access to unnecessary and potentially vulnerable software to prevent abuse by adversaries.", "url": "https://attack.mitre.org/mitigations/M1042"}]}, {"_id": "T1122", "mitigations": [{"name": "Component Object Model Hijacking Mitigation", "description": "Direct mitigation of 
this technique may not be recommended for a particular environment since COM objects are a legitimate part of the operating system and installed software. Blocking COM object changes may have unforeseen side effects to legitimate functionality.", "url": ""}]}, {"_id": "T1164", "mitigations": [{"name": "User Training", "description": "Train users to to be aware of access or manipulation attempts by an adversary to reduce the risk of successful spearphishing, social engineering, and other techniques that involve user interaction.", "url": "https://attack.mitre.org/mitigations/M1017"}, {"name": "Disable or Remove Feature or Program", "description": "Remove or deny access to unnecessary and potentially vulnerable software to prevent abuse by adversaries.", "url": "https://attack.mitre.org/mitigations/M1042"}]}, {"_id": "T1494", "mitigations": [{"name": "Restrict File and Directory Permissions", "description": "Restrict access by setting directory and file permissions that are not specific to users or privileged accounts.", "url": "https://attack.mitre.org/mitigations/M1022"}, {"name": "Network Segmentation", "description": "Architect sections of the network to isolate critical systems, functions, or resources. Use physical and logical segmentation to prevent access to potentially sensitive systems and information. 
Use a DMZ to contain any internet-facing services that should not be exposed from the internal network.", "url": "https://attack.mitre.org/mitigations/M1030"}]}, {"_id": "T1210", "mitigations": [{"name": "Application Isolation and Sandboxing", "description": "Restrict execution of code to a virtual environment on or in transit to an endpoint system.", "url": "https://attack.mitre.org/mitigations/M1048"}, {"name": "Exploit Protection", "description": "Use capabilities to detect and block conditions that may lead to or be indicative of a software exploit occurring.", "url": "https://attack.mitre.org/mitigations/M1050"}, {"name": "Network Segmentation", "description": "Architect sections of the network to isolate critical systems, functions, or resources. Use physical and logical segmentation to prevent access to potentially sensitive systems and information. Use a DMZ to contain any internet-facing services that should not be exposed from the internal network.", "url": "https://attack.mitre.org/mitigations/M1030"}, {"name": "Update Software", "description": "Perform regular software updates to mitigate exploitation risk.", "url": "https://attack.mitre.org/mitigations/M1051"}, {"name": "Privileged Account Management", "description": "Manage the creation, modification, use, and permissions associated to privileged accounts, including SYSTEM and root.", "url": "https://attack.mitre.org/mitigations/M1026"}, {"name": "Disable or Remove Feature or Program", "description": "Remove or deny access to unnecessary and potentially vulnerable software to prevent abuse by adversaries.", "url": "https://attack.mitre.org/mitigations/M1042"}, {"name": "Threat Intelligence Program", "description": "A threat intelligence program helps an organization generate their own threat intelligence information and track trends to inform defensive priorities to mitigate risk.", "url": "https://attack.mitre.org/mitigations/M1019"}, {"name": "Vulnerability Scanning", "description": "Vulnerability 
scanning is used to find potentially exploitable software vulnerabilities to remediate them.", "url": "https://attack.mitre.org/mitigations/M1016"}]}, {"_id": "T1033", "mitigations": [{"name": "System Owner/User Discovery Mitigation", "description": "Identify unnecessary system utilities or potentially malicious software that may be used to acquire information about system users, and audit and/or block them by using whitelisting (Citation: Beechey 2010) tools, like AppLocker, (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) or Software Restriction Policies (Citation: Corio 2008) where appropriate. (Citation: TechNet Applocker vs SRP)", "url": ""}]}, {"_id": "T1505", "mitigations": [{"name": "Code Signing", "description": "Enforce binary and application integrity with digital signature verification to prevent untrusted code from executing.", "url": "https://attack.mitre.org/mitigations/M1045"}, {"name": "Audit", "description": "Perform audits or scans of systems, permissions, insecure software, insecure configurations, etc. 
to identify potential weaknesses.", "url": "https://attack.mitre.org/mitigations/M1047"}, {"name": "Privileged Account Management", "description": "Manage the creation, modification, use, and permissions associated to privileged accounts, including SYSTEM and root.", "url": "https://attack.mitre.org/mitigations/M1026"}]}, {"_id": "T1047", "mitigations": [{"name": "Privileged Account Management", "description": "Manage the creation, modification, use, and permissions associated to privileged accounts, including SYSTEM and root.", "url": "https://attack.mitre.org/mitigations/M1026"}, {"name": "User Account Management", "description": "Manage the creation, modification, use, and permissions associated to user accounts.", "url": "https://attack.mitre.org/mitigations/M1018"}]}, {"_id": "T1008", "mitigations": [{"name": "Network Intrusion Prevention", "description": "Use intrusion detection signatures to block traffic at network boundaries.", "url": "https://attack.mitre.org/mitigations/M1031"}]}, {"_id": "T1034", "mitigations": [{"name": "Restrict File and Directory Permissions", "description": "Restrict access by setting directory and file permissions that are not specific to users or privileged accounts.", "url": "https://attack.mitre.org/mitigations/M1022"}, {"name": "Execution Prevention", "description": "Block execution of code on a system through application whitelisting, blacklisting, and/or script blocking.", "url": "https://attack.mitre.org/mitigations/M1038"}, {"name": "Audit", "description": "Perform audits or scans of systems, permissions, insecure software, insecure configurations, etc. 
to identify potential weaknesses.", "url": "https://attack.mitre.org/mitigations/M1047"}, {"name": "User Account Management", "description": "Manage the creation, modification, use, and permissions associated to user accounts.", "url": "https://attack.mitre.org/mitigations/M1018"}]}, {"_id": "T1135", "mitigations": [{"name": "Network Share Discovery Mitigation", "description": "Identify unnecessary system utilities or potentially malicious software that may be used to acquire network share information, and audit and/or block them by using whitelisting (Citation: Beechey 2010) tools, like AppLocker, (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) or Software Restriction Policies (Citation: Corio 2008) where appropriate. (Citation: TechNet Applocker vs SRP)", "url": ""}]}, {"_id": "T1483", "mitigations": [{"name": "Network Intrusion Prevention", "description": "Use intrusion detection signatures to block traffic at network boundaries.", "url": "https://attack.mitre.org/mitigations/M1031"}, {"name": "Restrict Web-Based Content", "description": "Restrict use of certain websites, block downloads/attachments, block Javascript, restrict browser extensions, etc.", "url": "https://attack.mitre.org/mitigations/M1021"}]}, {"_id": "T1009", "mitigations": [{"name": "Binary Padding Mitigation", "description": "Identify potentially malicious software that may be executed from a padded or otherwise obfuscated binary, and audit and/or block it by using whitelisting (Citation: Beechey 2010) tools, like AppLocker, (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) or Software Restriction Policies (Citation: Corio 2008) where appropriate. 
(Citation: TechNet Applocker vs SRP)", "url": ""}]}, {"_id": "T1195", "mitigations": [{"name": "Update Software", "description": "Perform regular software updates to mitigate exploitation risk.", "url": "https://attack.mitre.org/mitigations/M1051"}, {"name": "Vulnerability Scanning", "description": "Vulnerability scanning is used to find potentially exploitable software vulnerabilities to remediate them.", "url": "https://attack.mitre.org/mitigations/M1016"}]}, {"_id": "T1211", "mitigations": [{"name": "Threat Intelligence Program", "description": "A threat intelligence program helps an organization generate their own threat intelligence information and track trends to inform defensive priorities to mitigate risk.", "url": "https://attack.mitre.org/mitigations/M1019"}, {"name": "Exploit Protection", "description": "Use capabilities to detect and block conditions that may lead to or be indicative of a software exploit occurring.", "url": "https://attack.mitre.org/mitigations/M1050"}, {"name": "Application Isolation and Sandboxing", "description": "Restrict execution of code to a virtual environment on or in transit to an endpoint system.", "url": "https://attack.mitre.org/mitigations/M1048"}, {"name": "Update Software", "description": "Perform regular software updates to mitigate exploitation risk.", "url": "https://attack.mitre.org/mitigations/M1051"}]}, {"_id": "T1099", "mitigations": [{"name": "Timestomp Mitigation", "description": "Mitigation of timestomping specifically is likely difficult. Efforts should be focused on preventing potentially malicious software from running. Identify and block potentially malicious software that may contain functionality to perform timestomping by using whitelisting (Citation: Beechey 2010) tools like AppLocker (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) or Software Restriction Policies (Citation: Corio 2008) where appropriate. 
(Citation: TechNet Applocker vs SRP)", "url": ""}]}, {"_id": "T1143", "mitigations": [{"name": "Execution Prevention", "description": "Block execution of code on a system through application whitelisting, blacklisting, and/or script blocking.", "url": "https://attack.mitre.org/mitigations/M1038"}]}, {"_id": "T1222", "mitigations": [{"name": "File Permissions Modification Mitigation", "description": "This type of technique cannot be easily mitigated with preventive controls since it is based on the abuse of operating system design features. Efforts should be focused on preventing adversary tools from running earlier in the chain of activity and on identification of subsequent malicious behavior.", "url": ""}]}, {"_id": "T1039", "mitigations": [{"name": "Data from Network Shared Drive Mitigation", "description": "Identify unnecessary system utilities or potentially malicious software that may be used to collect data from a network share, and audit and/or block them by using whitelisting (Citation: Beechey 2010) tools, like AppLocker, (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) or Software Restriction Policies (Citation: Corio 2008) where appropriate. (Citation: TechNet Applocker vs SRP)", "url": ""}]}, {"_id": "T1173", "mitigations": [{"name": "Disable or Remove Feature or Program", "description": "Remove or deny access to unnecessary and potentially vulnerable software to prevent abuse by adversaries.", "url": "https://attack.mitre.org/mitigations/M1042"}, {"name": "Behavior Prevention on Endpoint", "description": "Use capabilities to prevent suspicious behavior patterns from occurring on endpoint systems. This could include suspicious process, file, API call, etc. 
behavior.", "url": "https://attack.mitre.org/mitigations/M1040"}, {"name": "Application Isolation and Sandboxing", "description": "Restrict execution of code to a virtual environment on or in transit to an endpoint system.", "url": "https://attack.mitre.org/mitigations/M1048"}, {"name": "Software Configuration", "description": "Implement configuration changes to software (other than the operating system) to mitigate security risks associated to how the software operates.", "url": "https://attack.mitre.org/mitigations/M1054"}]}, {"_id": "T1075", "mitigations": [{"name": "Password Policies", "description": "Set and enforce secure password policies for accounts.", "url": "https://attack.mitre.org/mitigations/M1027"}, {"name": "Privileged Account Management", "description": "Manage the creation, modification, use, and permissions associated to privileged accounts, including SYSTEM and root.", "url": "https://attack.mitre.org/mitigations/M1026"}, {"name": "User Account Management", "description": "Manage the creation, modification, use, and permissions associated to user accounts.", "url": "https://attack.mitre.org/mitigations/M1018"}, {"name": "Update Software", "description": "Perform regular software updates to mitigate exploitation risk.", "url": "https://attack.mitre.org/mitigations/M1051"}, {"name": "User Account Control", "description": "Configure Windows User Account Control to mitigate risk of adversaries obtaining elevated process access.", "url": "https://attack.mitre.org/mitigations/M1052"}]}, {"_id": "T1491", "mitigations": [{"name": "Data Backup", "description": "Take and store data backups from end user systems and critical servers. 
Ensure backup and storage systems are hardened and kept separate from the corporate network to prevent compromise.", "url": "https://attack.mitre.org/mitigations/M1053"}]}, {"_id": "T1174", "mitigations": [{"name": "Operating System Configuration", "description": "Make configuration changes related to the operating system or a common feature of the operating system that result in system hardening against techniques.", "url": "https://attack.mitre.org/mitigations/M1028"}]}, {"_id": "T1209", "mitigations": [{"name": "Restrict Registry Permissions", "description": "Restrict the ability to modify certain hives or keys in the Windows Registry.", "url": "https://attack.mitre.org/mitigations/M1024"}, {"name": "Restrict File and Directory Permissions", "description": "Restrict access by setting directory and file permissions that are not specific to users or privileged accounts.", "url": "https://attack.mitre.org/mitigations/M1022"}]}, {"_id": "T1525", "mitigations": [{"name": "Audit", "description": "Perform audits or scans of systems, permissions, insecure software, insecure configurations, etc. 
to identify potential weaknesses.", "url": "https://attack.mitre.org/mitigations/M1047"}, {"name": "Code Signing", "description": "Enforce binary and application integrity with digital signature verification to prevent untrusted code from executing.", "url": "https://attack.mitre.org/mitigations/M1045"}, {"name": "Privileged Account Management", "description": "Manage the creation, modification, use, and permissions associated to privileged accounts, including SYSTEM and root.", "url": "https://attack.mitre.org/mitigations/M1026"}]}, {"_id": "T1107", "mitigations": [{"name": "File Deletion Mitigation", "description": "Identify unnecessary system utilities, third-party tools, or potentially malicious software that may be used to delete files, and audit and/or block them by using whitelisting (Citation: Beechey 2010) tools like AppLocker (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) or Software Restriction Policies (Citation: Corio 2008) where appropriate. (Citation: TechNet Applocker vs SRP)", "url": ""}]}, {"_id": "T1032", "mitigations": [{"name": "SSL/TLS Inspection", "description": "Break and inspect SSL/TLS sessions to look at encrypted web traffic for adversary activity.", "url": "https://attack.mitre.org/mitigations/M1020"}, {"name": "Network Intrusion Prevention", "description": "Use intrusion detection signatures to block traffic at network boundaries.", "url": "https://attack.mitre.org/mitigations/M1031"}]}, {"_id": "T1086", "mitigations": [{"name": "Code Signing", "description": "Enforce binary and application integrity with digital signature verification to prevent untrusted code from executing.", "url": "https://attack.mitre.org/mitigations/M1045"}, {"name": "Privileged Account Management", "description": "Manage the creation, modification, use, and permissions associated to privileged accounts, including SYSTEM and root.", "url": "https://attack.mitre.org/mitigations/M1026"}, {"name": "Disable or Remove Feature or Program", 
"description": "Remove or deny access to unnecessary and potentially vulnerable software to prevent abuse by adversaries.", "url": "https://attack.mitre.org/mitigations/M1042"}]}, {"_id": "T1527", "mitigations": [{"name": "Encrypt Sensitive Information", "description": "Protect sensitive information with strong encryption.", "url": "https://attack.mitre.org/mitigations/M1041"}, {"name": "Audit", "description": "Perform audits or scans of systems, permissions, insecure software, insecure configurations, etc. to identify potential weaknesses.", "url": "https://attack.mitre.org/mitigations/M1047"}, {"name": "Restrict Web-Based Content", "description": "Restrict use of certain websites, block downloads/attachments, block Javascript, restrict browser extensions, etc.", "url": "https://attack.mitre.org/mitigations/M1021"}]}, {"_id": "T1126", "mitigations": [{"name": "Network Share Connection Removal Mitigation", "description": "Follow best practices for mitigation of activity related to establishing [Windows Admin Shares](https://attack.mitre.org/techniques/T1077). 
", "url": ""}]}, {"_id": "T1058", "mitigations": [{"name": "Restrict Registry Permissions", "description": "Restrict the ability to modify certain hives or keys in the Windows Registry.", "url": "https://attack.mitre.org/mitigations/M1024"}]}, {"_id": "T1158", "mitigations": [{"name": "Hidden Files and Directories Mitigation", "description": "Mitigation of this technique may be difficult and unadvised due to the the legitimate use of hidden files and directories.", "url": ""}]}, {"_id": "T1072", "mitigations": [{"name": "Password Policies", "description": "Set and enforce secure password policies for accounts.", "url": "https://attack.mitre.org/mitigations/M1027"}, {"name": "User Training", "description": "Train users to to be aware of access or manipulation attempts by an adversary to reduce the risk of successful spearphishing, social engineering, and other techniques that involve user interaction.", "url": "https://attack.mitre.org/mitigations/M1017"}, {"name": "Network Segmentation", "description": "Architect sections of the network to isolate critical systems, functions, or resources. Use physical and logical segmentation to prevent access to potentially sensitive systems and information. 
Use a DMZ to contain any internet-facing services that should not be exposed from the internal network.", "url": "https://attack.mitre.org/mitigations/M1030"}, {"name": "User Account Management", "description": "Manage the creation, modification, use, and permissions associated to user accounts.", "url": "https://attack.mitre.org/mitigations/M1018"}, {"name": "Update Software", "description": "Perform regular software updates to mitigate exploitation risk.", "url": "https://attack.mitre.org/mitigations/M1051"}, {"name": "Remote Data Storage", "description": "Use remote security log and sensitive file storage where access can be controlled better to prevent exposure of intrusion detection log data or sensitive information.", "url": "https://attack.mitre.org/mitigations/M1029"}, {"name": "Multi-factor Authentication", "description": "Use two or more pieces of evidence to authenticate to a system; such as username and password in addition to a token from a physical smart card or token generator.", "url": "https://attack.mitre.org/mitigations/M1032"}, {"name": "Active Directory Configuration", "description": "Configure Active Directory to prevent use of certain techniques; use SID Filtering, etc.", "url": "https://attack.mitre.org/mitigations/M1015"}, {"name": "Privileged Account Management", "description": "Manage the creation, modification, use, and permissions associated to privileged accounts, including SYSTEM and root.", "url": "https://attack.mitre.org/mitigations/M1026"}]}, {"_id": "T1068", "mitigations": [{"name": "Threat Intelligence Program", "description": "A threat intelligence program helps an organization generate their own threat intelligence information and track trends to inform defensive priorities to mitigate risk.", "url": "https://attack.mitre.org/mitigations/M1019"}, {"name": "Exploit Protection", "description": "Use capabilities to detect and block conditions that may lead to or be indicative of a software exploit occurring.", "url": 
"https://attack.mitre.org/mitigations/M1050"}, {"name": "Update Software", "description": "Perform regular software updates to mitigate exploitation risk.", "url": "https://attack.mitre.org/mitigations/M1051"}, {"name": "Application Isolation and Sandboxing", "description": "Restrict execution of code to a virtual environment on or in transit to an endpoint system.", "url": "https://attack.mitre.org/mitigations/M1048"}]}, {"_id": "T1482", "mitigations": [{"name": "Audit", "description": "Perform audits or scans of systems, permissions, insecure software, insecure configurations, etc. to identify potential weaknesses.", "url": "https://attack.mitre.org/mitigations/M1047"}, {"name": "Network Segmentation", "description": "Architect sections of the network to isolate critical systems, functions, or resources. Use physical and logical segmentation to prevent access to potentially sensitive systems and information. Use a DMZ to contain any internet-facing services that should not be exposed from the internal network.", "url": "https://attack.mitre.org/mitigations/M1030"}]}, {"_id": "T1017", "mitigations": [{"name": "Network Segmentation", "description": "Architect sections of the network to isolate critical systems, functions, or resources. Use physical and logical segmentation to prevent access to potentially sensitive systems and information. 
Use a DMZ to contain any internet-facing services that should not be exposed from the internal network.", "url": "https://attack.mitre.org/mitigations/M1030"}, {"name": "Update Software", "description": "Perform regular software updates to mitigate exploitation risk.", "url": "https://attack.mitre.org/mitigations/M1051"}, {"name": "Multi-factor Authentication", "description": "Use two or more pieces of evidence to authenticate to a system; such as username and password in addition to a token from a physical smart card or token generator.", "url": "https://attack.mitre.org/mitigations/M1032"}, {"name": "Code Signing", "description": "Enforce binary and application integrity with digital signature verification to prevent untrusted code from executing.", "url": "https://attack.mitre.org/mitigations/M1045"}, {"name": "Privileged Account Management", "description": "Manage the creation, modification, use, and permissions associated to privileged accounts, including SYSTEM and root.", "url": "https://attack.mitre.org/mitigations/M1026"}]}, {"_id": "T1155", "mitigations": [{"name": "Code Signing", "description": "Enforce binary and application integrity with digital signature verification to prevent untrusted code from executing.", "url": "https://attack.mitre.org/mitigations/M1045"}]}, {"_id": "T1092", "mitigations": [{"name": "Operating System Configuration", "description": "Make configuration changes related to the operating system or a common feature of the operating system that result in system hardening against techniques.", "url": "https://attack.mitre.org/mitigations/M1028"}, {"name": "Disable or Remove Feature or Program", "description": "Remove or deny access to unnecessary and potentially vulnerable software to prevent abuse by adversaries.", "url": "https://attack.mitre.org/mitigations/M1042"}]}, {"_id": "T1123", "mitigations": [{"name": "Audio Capture Mitigation", "description": "Mitigating this technique specifically may be difficult as it requires 
fine-grained API control. Efforts should be focused on preventing unwanted or unknown code from executing on a system.", "url": ""}]}, {"_id": "T1489", "mitigations": [{"name": "Network Segmentation", "description": "Architect sections of the network to isolate critical systems, functions, or resources. Use physical and logical segmentation to prevent access to potentially sensitive systems and information. Use a DMZ to contain any internet-facing services that should not be exposed from the internal network.", "url": "https://attack.mitre.org/mitigations/M1030"}, {"name": "Restrict Registry Permissions", "description": "Restrict the ability to modify certain hives or keys in the Windows Registry.", "url": "https://attack.mitre.org/mitigations/M1024"}, {"name": "Restrict File and Directory Permissions", "description": "Restrict access by setting directory and file permissions that are not specific to users or privileged accounts.", "url": "https://attack.mitre.org/mitigations/M1022"}, {"name": "User Account Management", "description": "Manage the creation, modification, use, and permissions associated to user accounts.", "url": "https://attack.mitre.org/mitigations/M1018"}]}, {"_id": "T1526", "mitigations": []}, {"_id": "T1200", "mitigations": [{"name": "Limit Access to Resource Over Network", "description": "Prevent access to file shares, remote access to systems, unnecessary services. 
Mechanisms to limit access may include use of network concentrators, RDP gateways, etc.", "url": "https://attack.mitre.org/mitigations/M1035"}, {"name": "Limit Hardware Installation", "description": "Block users or groups from installing or using unapproved hardware on systems, including USB devices.", "url": "https://attack.mitre.org/mitigations/M1034"}]}, {"_id": "T1501", "mitigations": [{"name": "Privileged Account Management", "description": "Manage the creation, modification, use, and permissions associated to privileged accounts, including SYSTEM and root.", "url": "https://attack.mitre.org/mitigations/M1026"}, {"name": "Limit Software Installation", "description": "Block users or groups from installing unapproved software.", "url": "https://attack.mitre.org/mitigations/M1033"}, {"name": "Restrict File and Directory Permissions", "description": "Restrict access by setting directory and file permissions that are not specific to users or privileged accounts.", "url": "https://attack.mitre.org/mitigations/M1022"}, {"name": "User Account Management", "description": "Manage the creation, modification, use, and permissions associated to user accounts.", "url": "https://attack.mitre.org/mitigations/M1018"}]}, {"_id": "T1145", "mitigations": [{"name": "Restrict File and Directory Permissions", "description": "Restrict access by setting directory and file permissions that are not specific to users or privileged accounts.", "url": "https://attack.mitre.org/mitigations/M1022"}, {"name": "Network Segmentation", "description": "Architect sections of the network to isolate critical systems, functions, or resources. Use physical and logical segmentation to prevent access to potentially sensitive systems and information. 
Use a DMZ to contain any internet-facing services that should not be exposed from the internal network.", "url": "https://attack.mitre.org/mitigations/M1030"}, {"name": "Audit", "description": "Perform audits or scans of systems, permissions, insecure software, insecure configurations, etc. to identify potential weaknesses.", "url": "https://attack.mitre.org/mitigations/M1047"}, {"name": "Encrypt Sensitive Information", "description": "Protect sensitive information with strong encryption.", "url": "https://attack.mitre.org/mitigations/M1041"}, {"name": "Password Policies", "description": "Set and enforce secure password policies for accounts.", "url": "https://attack.mitre.org/mitigations/M1027"}]}, {"_id": "T1220", "mitigations": [{"name": "Execution Prevention", "description": "Block execution of code on a system through application whitelisting, blacklisting, and/or script blocking.", "url": "https://attack.mitre.org/mitigations/M1038"}]}, {"_id": "T1041", "mitigations": [{"name": "Network Intrusion Prevention", "description": "Use intrusion detection signatures to block traffic at network boundaries.", "url": "https://attack.mitre.org/mitigations/M1031"}]}, {"_id": "T1011", "mitigations": [{"name": "Operating System Configuration", "description": "Make configuration changes related to the operating system or a common feature of the operating system that result in system hardening against techniques.", "url": "https://attack.mitre.org/mitigations/M1028"}]}, {"_id": "T1169", "mitigations": [{"name": "Privileged Account Management", "description": "Manage the creation, modification, use, and permissions associated to privileged accounts, including SYSTEM and root.", "url": "https://attack.mitre.org/mitigations/M1026"}, {"name": "Restrict File and Directory Permissions", "description": "Restrict access by setting directory and file permissions that are not specific to users or privileged accounts.", "url": "https://attack.mitre.org/mitigations/M1022"}]}, {"_id": 
"T1077", "mitigations": [{"name": "Password Policies", "description": "Set and enforce secure password policies for accounts.", "url": "https://attack.mitre.org/mitigations/M1027"}, {"name": "Privileged Account Management", "description": "Manage the creation, modification, use, and permissions associated to privileged accounts, including SYSTEM and root.", "url": "https://attack.mitre.org/mitigations/M1026"}]}, {"_id": "T1484", "mitigations": [{"name": "Audit", "description": "Perform audits or scans of systems, permissions, insecure software, insecure configurations, etc. to identify potential weaknesses.", "url": "https://attack.mitre.org/mitigations/M1047"}, {"name": "User Account Management", "description": "Manage the creation, modification, use, and permissions associated to user accounts.", "url": "https://attack.mitre.org/mitigations/M1018"}]}, {"_id": "T1522", "mitigations": [{"name": "Filter Network Traffic", "description": "Use network appliances to filter ingress or egress traffic and perform protocol-based filtering. Configure software on endpoints to filter network traffic.", "url": "https://attack.mitre.org/mitigations/M1037"}]}, {"_id": "T1020", "mitigations": [{"name": "Automated Exfiltration Mitigation", "description": "Identify unnecessary system utilities, scripts, or potentially malicious software that may be used to transfer data outside of a network, and audit and/or block them by using whitelisting (Citation: Beechey 2010) tools, like AppLocker, (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) or Software Restriction Policies (Citation: Corio 2008) where appropriate. 
(Citation: TechNet Applocker vs SRP)", "url": ""}]}, {"_id": "T1050", "mitigations": [{"name": "User Account Management", "description": "Manage the creation, modification, use, and permissions associated to user accounts.", "url": "https://attack.mitre.org/mitigations/M1018"}]}, {"_id": "T1198", "mitigations": [{"name": "Execution Prevention", "description": "Block execution of code on a system through application whitelisting, blacklisting, and/or script blocking.", "url": "https://attack.mitre.org/mitigations/M1038"}, {"name": "Restrict File and Directory Permissions", "description": "Restrict access by setting directory and file permissions that are not specific to users or privileged accounts.", "url": "https://attack.mitre.org/mitigations/M1022"}, {"name": "Restrict Registry Permissions", "description": "Restrict the ability to modify certain hives or keys in the Windows Registry.", "url": "https://attack.mitre.org/mitigations/M1024"}]}, {"_id": "T1150", "mitigations": [{"name": "Restrict File and Directory Permissions", "description": "Restrict access by setting directory and file permissions that are not specific to users or privileged accounts.", "url": "https://attack.mitre.org/mitigations/M1022"}]}, {"_id": "T1132", "mitigations": [{"name": "Network Intrusion Prevention", "description": "Use intrusion detection signatures to block traffic at network boundaries.", "url": "https://attack.mitre.org/mitigations/M1031"}]}, {"_id": "T1108", "mitigations": [{"name": "Network Intrusion Prevention", "description": "Use intrusion detection signatures to block traffic at network boundaries.", "url": "https://attack.mitre.org/mitigations/M1031"}]}, {"_id": "T1503", "mitigations": [{"name": "Password Policies", "description": "Set and enforce secure password policies for accounts.", "url": "https://attack.mitre.org/mitigations/M1027"}]}, {"_id": "T1028", "mitigations": [{"name": "Privileged Account Management", "description": "Manage the creation, modification, use, 
and permissions associated to privileged accounts, including SYSTEM and root.", "url": "https://attack.mitre.org/mitigations/M1026"}, {"name": "Disable or Remove Feature or Program", "description": "Remove or deny access to unnecessary and potentially vulnerable software to prevent abuse by adversaries.", "url": "https://attack.mitre.org/mitigations/M1042"}, {"name": "Network Segmentation", "description": "Architect sections of the network to isolate critical systems, functions, or resources. Use physical and logical segmentation to prevent access to potentially sensitive systems and information. Use a DMZ to contain any internet-facing services that should not be exposed from the internal network.", "url": "https://attack.mitre.org/mitigations/M1030"}]}, {"_id": "T1043", "mitigations": [{"name": "Network Intrusion Prevention", "description": "Use intrusion detection signatures to block traffic at network boundaries.", "url": "https://attack.mitre.org/mitigations/M1031"}, {"name": "Network Segmentation", "description": "Architect sections of the network to isolate critical systems, functions, or resources. Use physical and logical segmentation to prevent access to potentially sensitive systems and information. 
Use a DMZ to contain any internet-facing services that should not be exposed from the internal network.", "url": "https://attack.mitre.org/mitigations/M1030"}]}, {"_id": "T1218", "mitigations": [{"name": "Execution Prevention", "description": "Block execution of code on a system through application whitelisting, blacklisting, and/or script blocking.", "url": "https://attack.mitre.org/mitigations/M1038"}, {"name": "Privileged Account Management", "description": "Manage the creation, modification, use, and permissions associated to privileged accounts, including SYSTEM and root.", "url": "https://attack.mitre.org/mitigations/M1026"}]}, {"_id": "T1006", "mitigations": [{"name": "File System Logical Offsets Mitigation", "description": "Identify potentially malicious software that may be used to access logical drives in this manner, and audit and/or block it by using whitelisting (Citation: Beechey 2010) tools, like AppLocker, (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) or Software Restriction Policies (Citation: Corio 2008) where appropriate. 
(Citation: TechNet Applocker vs SRP)", "url": ""}]}, {"_id": "T1064", "mitigations": [{"name": "Disable or Remove Feature or Program", "description": "Remove or deny access to unnecessary and potentially vulnerable software to prevent abuse by adversaries.", "url": "https://attack.mitre.org/mitigations/M1042"}, {"name": "Application Isolation and Sandboxing", "description": "Restrict execution of code to a virtual environment on or in transit to an endpoint system.", "url": "https://attack.mitre.org/mitigations/M1048"}]}, {"_id": "T1166", "mitigations": [{"name": "Operating System Configuration", "description": "Make configuration changes related to the operating system or a common feature of the operating system that result in system hardening against techniques.", "url": "https://attack.mitre.org/mitigations/M1028"}]}, {"_id": "T1191", "mitigations": [{"name": "Execution Prevention", "description": "Block execution of code on a system through application whitelisting, blacklisting, and/or script blocking.", "url": "https://attack.mitre.org/mitigations/M1038"}, {"name": "Disable or Remove Feature or Program", "description": "Remove or deny access to unnecessary and potentially vulnerable software to prevent abuse by adversaries.", "url": "https://attack.mitre.org/mitigations/M1042"}]}, {"_id": "T1177", "mitigations": [{"name": "Credential Access Protection", "description": "Use capabilities to prevent successful credential access by adversaries; including blocking forms of credential dumping.", "url": "https://attack.mitre.org/mitigations/M1043"}, {"name": "Restrict Library Loading", "description": "Prevent abuse of library loading mechanisms in the operating system and software to load untrusted code by configuring appropriate library loading mechanisms and investigating potential vulnerable software.", "url": "https://attack.mitre.org/mitigations/M1044"}, {"name": "Code Signing", "description": "Enforce binary and application integrity with digital signature 
verification to prevent untrusted code from executing.", "url": "https://attack.mitre.org/mitigations/M1045"}]}, {"_id": "T1095", "mitigations": [{"name": "Filter Network Traffic", "description": "Use network appliances to filter ingress or egress traffic and perform protocol-based filtering. Configure software on endpoints to filter network traffic.", "url": "https://attack.mitre.org/mitigations/M1037"}, {"name": "Network Segmentation", "description": "Architect sections of the network to isolate critical systems, functions, or resources. Use physical and logical segmentation to prevent access to potentially sensitive systems and information. Use a DMZ to contain any internet-facing services that should not be exposed from the internal network.", "url": "https://attack.mitre.org/mitigations/M1030"}, {"name": "Network Intrusion Prevention", "description": "Use intrusion detection signatures to block traffic at network boundaries.", "url": "https://attack.mitre.org/mitigations/M1031"}]}, {"_id": "T1213", "mitigations": [{"name": "User Account Management", "description": "Manage the creation, modification, use, and permissions associated to user accounts.", "url": "https://attack.mitre.org/mitigations/M1018"}, {"name": "Audit", "description": "Perform audits or scans of systems, permissions, insecure software, insecure configurations, etc. 
to identify potential weaknesses.", "url": "https://attack.mitre.org/mitigations/M1047"}, {"name": "User Training", "description": "Train users to to be aware of access or manipulation attempts by an adversary to reduce the risk of successful spearphishing, social engineering, and other techniques that involve user interaction.", "url": "https://attack.mitre.org/mitigations/M1017"}]}, {"_id": "T1163", "mitigations": [{"name": "User Account Management", "description": "Manage the creation, modification, use, and permissions associated to user accounts.", "url": "https://attack.mitre.org/mitigations/M1018"}]}, {"_id": "T1204", "mitigations": [{"name": "Execution Prevention", "description": "Block execution of code on a system through application whitelisting, blacklisting, and/or script blocking.", "url": "https://attack.mitre.org/mitigations/M1038"}, {"name": "Network Intrusion Prevention", "description": "Use intrusion detection signatures to block traffic at network boundaries.", "url": "https://attack.mitre.org/mitigations/M1031"}, {"name": "Restrict Web-Based Content", "description": "Restrict use of certain websites, block downloads/attachments, block Javascript, restrict browser extensions, etc.", "url": "https://attack.mitre.org/mitigations/M1021"}, {"name": "User Training", "description": "Train users to to be aware of access or manipulation attempts by an adversary to reduce the risk of successful spearphishing, social engineering, and other techniques that involve user interaction.", "url": "https://attack.mitre.org/mitigations/M1017"}]}, {"_id": "T1114", "mitigations": [{"name": "Audit", "description": "Perform audits or scans of systems, permissions, insecure software, insecure configurations, etc. 
to identify potential weaknesses.", "url": "https://attack.mitre.org/mitigations/M1047"}, {"name": "Multi-factor Authentication", "description": "Use two or more pieces of evidence to authenticate to a system; such as username and password in addition to a token from a physical smart card or token generator.", "url": "https://attack.mitre.org/mitigations/M1032"}, {"name": "Encrypt Sensitive Information", "description": "Protect sensitive information with strong encryption.", "url": "https://attack.mitre.org/mitigations/M1041"}]}, {"_id": "T1113", "mitigations": [{"name": "Screen Capture Mitigation", "description": "Blocking software based on screen capture functionality may be difficult, and there may be legitimate software that performs those actions. Instead, identify potentially malicious software that may have functionality to acquire screen captures, and audit and/or block it by using whitelisting (Citation: Beechey 2010) tools, like AppLocker, (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) or Software Restriction Policies (Citation: Corio 2008) where appropriate. (Citation: TechNet Applocker vs SRP)", "url": ""}]}, {"_id": "T1015", "mitigations": [{"name": "Operating System Configuration", "description": "Make configuration changes related to the operating system or a common feature of the operating system that result in system hardening against techniques.", "url": "https://attack.mitre.org/mitigations/M1028"}, {"name": "Limit Access to Resource Over Network", "description": "Prevent access to file shares, remote access to systems, unnecessary services. 
Mechanisms to limit access may include use of network concentrators, RDP gateways, etc.", "url": "https://attack.mitre.org/mitigations/M1035"}, {"name": "Execution Prevention", "description": "Block execution of code on a system through application whitelisting, blacklisting, and/or script blocking.", "url": "https://attack.mitre.org/mitigations/M1038"}]}, {"_id": "T1110", "mitigations": [{"name": "Password Policies", "description": "Set and enforce secure password policies for accounts.", "url": "https://attack.mitre.org/mitigations/M1027"}, {"name": "Multi-factor Authentication", "description": "Use two or more pieces of evidence to authenticate to a system; such as username and password in addition to a token from a physical smart card or token generator.", "url": "https://attack.mitre.org/mitigations/M1032"}, {"name": "Account Use Policies", "description": "Configure features related to account use like login attempt lockouts, specific login times, etc.", "url": "https://attack.mitre.org/mitigations/M1036"}]}, {"_id": "T1036", "mitigations": [{"name": "Execution Prevention", "description": "Block execution of code on a system through application whitelisting, blacklisting, and/or script blocking.", "url": "https://attack.mitre.org/mitigations/M1038"}, {"name": "Code Signing", "description": "Enforce binary and application integrity with digital signature verification to prevent untrusted code from executing.", "url": "https://attack.mitre.org/mitigations/M1045"}, {"name": "Restrict File and Directory Permissions", "description": "Restrict access by setting directory and file permissions that are not specific to users or privileged accounts.", "url": "https://attack.mitre.org/mitigations/M1022"}]}, {"_id": "T1127", "mitigations": [{"name": "Disable or Remove Feature or Program", "description": "Remove or deny access to unnecessary and potentially vulnerable software to prevent abuse by adversaries.", "url": "https://attack.mitre.org/mitigations/M1042"}, {"name": 
"Execution Prevention", "description": "Block execution of code on a system through application whitelisting, blacklisting, and/or script blocking.", "url": "https://attack.mitre.org/mitigations/M1038"}]}, {"_id": "T1148", "mitigations": [{"name": "Operating System Configuration", "description": "Make configuration changes related to the operating system or a common feature of the operating system that result in system hardening against techniques.", "url": "https://attack.mitre.org/mitigations/M1028"}, {"name": "Environment Variable Permissions", "description": "Prevent modification of environment variables by unauthorized users and groups.", "url": "https://attack.mitre.org/mitigations/M1039"}]}, {"_id": "T1196", "mitigations": [{"name": "Restrict File and Directory Permissions", "description": "Restrict access by setting directory and file permissions that are not specific to users or privileged accounts.", "url": "https://attack.mitre.org/mitigations/M1022"}, {"name": "Execution Prevention", "description": "Block execution of code on a system through application whitelisting, blacklisting, and/or script blocking.", "url": "https://attack.mitre.org/mitigations/M1038"}]}, {"_id": "T1079", "mitigations": [{"name": "Network Intrusion Prevention", "description": "Use intrusion detection signatures to block traffic at network boundaries.", "url": "https://attack.mitre.org/mitigations/M1031"}]}, {"_id": "T1038", "mitigations": [{"name": "Execution Prevention", "description": "Block execution of code on a system through application whitelisting, blacklisting, and/or script blocking.", "url": "https://attack.mitre.org/mitigations/M1038"}, {"name": "Audit", "description": "Perform audits or scans of systems, permissions, insecure software, insecure configurations, etc. 
to identify potential weaknesses.", "url": "https://attack.mitre.org/mitigations/M1047"}, {"name": "Restrict Library Loading", "description": "Prevent abuse of library loading mechanisms in the operating system and software to load untrusted code by configuring appropriate library loading mechanisms and investigating potential vulnerable software.", "url": "https://attack.mitre.org/mitigations/M1044"}]}, {"_id": "T1040", "mitigations": [{"name": "Encrypt Sensitive Information", "description": "Protect sensitive information with strong encryption.", "url": "https://attack.mitre.org/mitigations/M1041"}, {"name": "Multi-factor Authentication", "description": "Use two or more pieces of evidence to authenticate to a system; such as username and password in addition to a token from a physical smart card or token generator.", "url": "https://attack.mitre.org/mitigations/M1032"}]}, {"_id": "T1080", "mitigations": [{"name": "Restrict File and Directory Permissions", "description": "Restrict access by setting directory and file permissions that are not specific to users or privileged accounts.", "url": "https://attack.mitre.org/mitigations/M1022"}, {"name": "Exploit Protection", "description": "Use capabilities to detect and block conditions that may lead to or be indicative of a software exploit occurring.", "url": "https://attack.mitre.org/mitigations/M1050"}, {"name": "Execution Prevention", "description": "Block execution of code on a system through application whitelisting, blacklisting, and/or script blocking.", "url": "https://attack.mitre.org/mitigations/M1038"}]}, {"_id": "T1084", "mitigations": [{"name": "Privileged Account Management", "description": "Manage the creation, modification, use, and permissions associated to privileged accounts, including SYSTEM and root.", "url": "https://attack.mitre.org/mitigations/M1026"}, {"name": "User Account Management", "description": "Manage the creation, modification, use, and permissions associated to user accounts.", 
"url": "https://attack.mitre.org/mitigations/M1018"}]}, {"_id": "T1137", "mitigations": [{"name": "Software Configuration", "description": "Implement configuration changes to software (other than the operating system) to mitigate security risks associated to how the software operates.", "url": "https://attack.mitre.org/mitigations/M1054"}, {"name": "Disable or Remove Feature or Program", "description": "Remove or deny access to unnecessary and potentially vulnerable software to prevent abuse by adversaries.", "url": "https://attack.mitre.org/mitigations/M1042"}, {"name": "Update Software", "description": "Perform regular software updates to mitigate exploitation risk.", "url": "https://attack.mitre.org/mitigations/M1051"}]}, {"_id": "T1537", "mitigations": [{"name": "Password Policies", "description": "Set and enforce secure password policies for accounts.", "url": "https://attack.mitre.org/mitigations/M1027"}, {"name": "Filter Network Traffic", "description": "Use network appliances to filter ingress or egress traffic and perform protocol-based filtering. 
Configure software on endpoints to filter network traffic.", "url": "https://attack.mitre.org/mitigations/M1037"}, {"name": "User Account Management", "description": "Manage the creation, modification, use, and permissions associated to user accounts.", "url": "https://attack.mitre.org/mitigations/M1018"}]}, {"_id": "T1144", "mitigations": [{"name": "Execution Prevention", "description": "Block execution of code on a system through application whitelisting, blacklisting, and/or script blocking.", "url": "https://attack.mitre.org/mitigations/M1038"}]}, {"_id": "T1027", "mitigations": [{"name": "Antivirus/Antimalware", "description": "Use signatures or heuristics to detect malicious software.", "url": "https://attack.mitre.org/mitigations/M1049"}]}, {"_id": "T1536", "mitigations": []}, {"_id": "T1480", "mitigations": [{"name": "Do Not Mitigate", "description": "This category is to associate techniques that mitigation might increase risk of compromise and therefore mitigation is not recommended.", "url": "https://attack.mitre.org/mitigations/M1055"}]}, {"_id": "T1104", "mitigations": [{"name": "Network Intrusion Prevention", "description": "Use intrusion detection signatures to block traffic at network boundaries.", "url": "https://attack.mitre.org/mitigations/M1031"}]}, {"_id": "T1535", "mitigations": [{"name": "Software Configuration", "description": "Implement configuration changes to software (other than the operating system) to mitigate security risks associated to how the software operates.", "url": "https://attack.mitre.org/mitigations/M1054"}]}, {"_id": "T1151", "mitigations": [{"name": "Space after Filename Mitigation", "description": "Prevent files from having a trailing space after the extension.", "url": ""}]}, {"_id": "T1495", "mitigations": [{"name": "Boot Integrity", "description": "Use secure methods to boot a system and verify the integrity of the operating system and loading mechanisms.", "url": "https://attack.mitre.org/mitigations/M1046"}, {"name": 
"Privileged Account Management", "description": "Manage the creation, modification, use, and permissions associated to privileged accounts, including SYSTEM and root.", "url": "https://attack.mitre.org/mitigations/M1026"}, {"name": "Update Software", "description": "Perform regular software updates to mitigate exploitation risk.", "url": "https://attack.mitre.org/mitigations/M1051"}]}, {"_id": "T1202", "mitigations": [{"name": "Indirect Command Execution Mitigation", "description": "Identify or block potentially malicious software that may contain abusive functionality by using whitelisting (Citation: Beechey 2010) tools, like AppLocker, (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) or Software Restriction Policies (Citation: Corio 2008) where appropriate. (Citation: TechNet Applocker vs SRP). These mechanisms can also be used to disable and/or limit user access to Windows utilities and file types/locations used to invoke malicious execution.(Citation: SpectorOPs SettingContent-ms Jun 2018)", "url": ""}]}, {"_id": "T1082", "mitigations": [{"name": "System Information Discovery Mitigation", "description": "Identify unnecessary system utilities or potentially malicious software that may be used to acquire information about the operating system and underlying hardware, and audit and/or block them by using whitelisting (Citation: Beechey 2010) tools, like AppLocker, (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) or Software Restriction Policies (Citation: Corio 2008) where appropriate. 
(Citation: TechNet Applocker vs SRP)", "url": ""}]}, {"_id": "T1496", "mitigations": [{"name": "Resource Hijacking Mitigation", "description": "Identify potentially malicious software and audit and/or block it by using whitelisting(Citation: Beechey 2010) tools, like AppLocker,(Citation: Windows Commands JPCERT)(Citation: NSA MS AppLocker) or Software Restriction Policies(Citation: Corio 2008) where appropriate.(Citation: TechNet Applocker vs SRP)", "url": ""}]}, {"_id": "T1037", "mitigations": [{"name": "Restrict File and Directory Permissions", "description": "Restrict access by setting directory and file permissions that are not specific to users or privileged accounts.", "url": "https://attack.mitre.org/mitigations/M1022"}]}, {"_id": "T1022", "mitigations": [{"name": "Data Encrypted Mitigation", "description": "Identify unnecessary system utilities, third-party tools, or potentially malicious software that may be used to encrypt files, and audit and/or block them by using whitelisting (Citation: Beechey 2010) tools, like AppLocker, (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) or Software Restriction Policies (Citation: Corio 2008) where appropriate. 
(Citation: TechNet Applocker vs SRP)", "url": ""}]}, {"_id": "T1004", "mitigations": [{"name": "User Account Management", "description": "Manage the creation, modification, use, and permissions associated to user accounts.", "url": "https://attack.mitre.org/mitigations/M1018"}, {"name": "Execution Prevention", "description": "Block execution of code on a system through application whitelisting, blacklisting, and/or script blocking.", "url": "https://attack.mitre.org/mitigations/M1038"}]}, {"_id": "T1206", "mitigations": [{"name": "Operating System Configuration", "description": "Make configuration changes related to the operating system or a common feature of the operating system that result in system hardening against techniques.", "url": "https://attack.mitre.org/mitigations/M1028"}, {"name": "Privileged Account Management", "description": "Manage the creation, modification, use, and permissions associated to privileged accounts, including SYSTEM and root.", "url": "https://attack.mitre.org/mitigations/M1026"}]}, {"_id": "T1005", "mitigations": [{"name": "Data from Local System Mitigation", "description": "Identify unnecessary system utilities or potentially malicious software that may be used to collect data from the local system, and audit and/or block them by using whitelisting (Citation: Beechey 2010) tools, like AppLocker, (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) or Software Restriction Policies (Citation: Corio 2008) where appropriate. 
(Citation: TechNet Applocker vs SRP)", "url": ""}]}, {"_id": "T1129", "mitigations": [{"name": "Execution Prevention", "description": "Block execution of code on a system through application whitelisting, blacklisting, and/or script blocking.", "url": "https://attack.mitre.org/mitigations/M1038"}]}, {"_id": "T1061", "mitigations": [{"name": "Graphical User Interface Mitigation", "description": "Prevent adversaries from gaining access to credentials through Credential Access that can be used to log into remote desktop sessions on systems.", "url": ""}]}, {"_id": "T1002", "mitigations": [{"name": "Network Intrusion Prevention", "description": "Use intrusion detection signatures to block traffic at network boundaries.", "url": "https://attack.mitre.org/mitigations/M1031"}]}, {"_id": "T1065", "mitigations": [{"name": "Network Segmentation", "description": "Architect sections of the network to isolate critical systems, functions, or resources. Use physical and logical segmentation to prevent access to potentially sensitive systems and information. 
Use a DMZ to contain any internet-facing services that should not be exposed from the internal network.", "url": "https://attack.mitre.org/mitigations/M1030"}, {"name": "Network Intrusion Prevention", "description": "Use intrusion detection signatures to block traffic at network boundaries.", "url": "https://attack.mitre.org/mitigations/M1031"}]}, {"_id": "T1089", "mitigations": [{"name": "Restrict File and Directory Permissions", "description": "Restrict access by setting directory and file permissions that are not specific to users or privileged accounts.", "url": "https://attack.mitre.org/mitigations/M1022"}, {"name": "User Account Management", "description": "Manage the creation, modification, use, and permissions associated to user accounts.", "url": "https://attack.mitre.org/mitigations/M1018"}]}, {"_id": "T1485", "mitigations": [{"name": "Data Backup", "description": "Take and store data backups from end user systems and critical servers. Ensure backup and storage systems are hardened and kept separate from the corporate network to prevent compromise.", "url": "https://attack.mitre.org/mitigations/M1053"}]}, {"_id": "T1112", "mitigations": [{"name": "Restrict Registry Permissions", "description": "Restrict the ability to modify certain hives or keys in the Windows Registry.", "url": "https://attack.mitre.org/mitigations/M1024"}]}, {"_id": "T1499", "mitigations": [{"name": "Filter Network Traffic", "description": "Use network appliances to filter ingress or egress traffic and perform protocol-based filtering. 
Configure software on endpoints to filter network traffic.", "url": "https://attack.mitre.org/mitigations/M1037"}]}, {"_id": "T1185", "mitigations": [{"name": "User Account Management", "description": "Manage the creation, modification, use, and permissions associated to user accounts.", "url": "https://attack.mitre.org/mitigations/M1018"}, {"name": "User Training", "description": "Train users to to be aware of access or manipulation attempts by an adversary to reduce the risk of successful spearphishing, social engineering, and other techniques that involve user interaction.", "url": "https://attack.mitre.org/mitigations/M1017"}]}, {"_id": "T1101", "mitigations": [{"name": "Privileged Process Integrity", "description": "Protect processes with high privileges that can be used to interact with critical system components through use of protected process light, anti-process injection defenses, or other process integrity enforcement measures.", "url": "https://attack.mitre.org/mitigations/M1025"}]}, {"_id": "T1182", "mitigations": [{"name": "Execution Prevention", "description": "Block execution of code on a system through application whitelisting, blacklisting, and/or script blocking.", "url": "https://attack.mitre.org/mitigations/M1038"}]}, {"_id": "T1109", "mitigations": [{"name": "Component Firmware Mitigation", "description": "Prevent adversary access to privileged accounts or access necessary to perform this technique.", "url": ""}]}, {"_id": "T1488", "mitigations": [{"name": "Data Backup", "description": "Take and store data backups from end user systems and critical servers. 
Ensure backup and storage systems are hardened and kept separate from the corporate network to prevent compromise.", "url": "https://attack.mitre.org/mitigations/M1053"}]}, {"_id": "T1026", "mitigations": [{"name": "Network Intrusion Prevention", "description": "Use intrusion detection signatures to block traffic at network boundaries.", "url": "https://attack.mitre.org/mitigations/M1031"}]}, {"_id": "T1207", "mitigations": [{"name": "DCShadow Mitigation", "description": "This type of attack technique cannot be easily mitigated with preventive controls since it is based on the abuse of AD design features. For example, mitigating specific AD API calls will likely have unintended side effects, such as preventing DC replication from operating properly. Efforts should be focused on preventing adversary tools from running earlier in the chain of activity and on identification of subsequent malicious behavior.", "url": ""}]}, {"_id": "T1506", "mitigations": [{"name": "Software Configuration", "description": "Implement configuration changes to software (other than the operating system) to mitigate security risks associated to how the software operates.", "url": "https://attack.mitre.org/mitigations/M1054"}]}, {"_id": "T1051", "mitigations": [{"name": "User Account Management", "description": "Manage the creation, modification, use, and permissions associated to user accounts.", "url": "https://attack.mitre.org/mitigations/M1018"}, {"name": "Restrict File and Directory Permissions", "description": "Restrict access by setting directory and file permissions that are not specific to users or privileged accounts.", "url": "https://attack.mitre.org/mitigations/M1022"}, {"name": "Limit Access to Resource Over Network", "description": "Prevent access to file shares, remote access to systems, unnecessary services. 
Mechanisms to limit access may include use of network concentrators, RDP gateways, etc.", "url": "https://attack.mitre.org/mitigations/M1035"}, {"name": "Network Segmentation", "description": "Architect sections of the network to isolate critical systems, functions, or resources. Use physical and logical segmentation to prevent access to potentially sensitive systems and information. Use a DMZ to contain any internet-facing services that should not be exposed from the internal network.", "url": "https://attack.mitre.org/mitigations/M1030"}, {"name": "Privileged Account Management", "description": "Manage the creation, modification, use, and permissions associated to privileged accounts, including SYSTEM and root.", "url": "https://attack.mitre.org/mitigations/M1026"}]}, {"_id": "T1141", "mitigations": [{"name": "User Training", "description": "Train users to to be aware of access or manipulation attempts by an adversary to reduce the risk of successful spearphishing, social engineering, and other techniques that involve user interaction.", "url": "https://attack.mitre.org/mitigations/M1017"}]}, {"_id": "T1208", "mitigations": [{"name": "Encrypt Sensitive Information", "description": "Protect sensitive information with strong encryption.", "url": "https://attack.mitre.org/mitigations/M1041"}, {"name": "Password Policies", "description": "Set and enforce secure password policies for accounts.", "url": "https://attack.mitre.org/mitigations/M1027"}, {"name": "Privileged Account Management", "description": "Manage the creation, modification, use, and permissions associated to privileged accounts, including SYSTEM and root.", "url": "https://attack.mitre.org/mitigations/M1026"}]}, {"_id": "T1023", "mitigations": [{"name": "User Account Management", "description": "Manage the creation, modification, use, and permissions associated to user accounts.", "url": "https://attack.mitre.org/mitigations/M1018"}]}, {"_id": "T1116", "mitigations": [{"name": "Code Signing 
Mitigation", "description": "Process whitelisting and trusted publishers to verify authenticity of software can help prevent signed malicious or untrusted code from executing on a system. (Citation: NSA MS AppLocker) (Citation: TechNet Trusted Publishers) (Citation: Securelist Digital Certificates)", "url": ""}]}, {"_id": "T1138", "mitigations": [{"name": "Update Software", "description": "Perform regular software updates to mitigate exploitation risk.", "url": "https://attack.mitre.org/mitigations/M1051"}, {"name": "User Account Control", "description": "Configure Windows User Account Control to mitigate risk of adversaries obtaining elevated process access.", "url": "https://attack.mitre.org/mitigations/M1052"}]}, {"_id": "T1106", "mitigations": [{"name": "Execution Prevention", "description": "Block execution of code on a system through application whitelisting, blacklisting, and/or script blocking.", "url": "https://attack.mitre.org/mitigations/M1038"}]}, {"_id": "T1498", "mitigations": [{"name": "Filter Network Traffic", "description": "Use network appliances to filter ingress or egress traffic and perform protocol-based filtering. Configure software on endpoints to filter network traffic.", "url": "https://attack.mitre.org/mitigations/M1037"}]}, {"_id": "T1025", "mitigations": [{"name": "Data from Removable Media Mitigation", "description": "Identify unnecessary system utilities or potentially malicious software that may be used to collect data from removable media, and audit and/or block them by using whitelisting (Citation: Beechey 2010) tools, like AppLocker, (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) or Software Restriction Policies (Citation: Corio 2008) where appropriate. 
(Citation: TechNet Applocker vs SRP)", "url": ""}]}, {"_id": "T1066", "mitigations": [{"name": "Indicator Removal from Tools Mitigation", "description": "Mitigation is difficult in instances like this because the adversary may have access to the system through another channel and can learn what techniques or tools are blocked by resident defenses. Exercising best practices with configuration and security as well as ensuring that proper process is followed during investigation of potential compromise is essential to detecting a larger intrusion through discrete alerts.", "url": ""}]}]}
diff --git a/monkey/monkey_island/cc/setup/mongo/database_initializer.py b/monkey/monkey_island/cc/setup/mongo/database_initializer.py
index 32e3c8486..9a6054ca4 100644
--- a/monkey/monkey_island/cc/setup/mongo/database_initializer.py
+++ b/monkey/monkey_island/cc/setup/mongo/database_initializer.py
@@ -1,14 +1,25 @@
+import json
 import logging
+from pathlib import Path
+from pprint import pformat
 from pymongo import errors
 from monkey_island.cc.database import mongo
 from monkey_island.cc.models.attack.attack_mitigations import AttackMitigations
-from monkey_island.cc.services.attack.mitre_api_interface import MitreApiInterface
+from monkey_island.cc.server_utils.consts import MONKEY_ISLAND_ABS_PATH
 from monkey_island.cc.services.database import Database
 logger = logging.getLogger(__name__)
+ATTACK_MITIGATION_PATH = (
+ Path(MONKEY_ISLAND_ABS_PATH)
+ / "cc"
+ / "setup"
+ / "mongo"
+ / f"{AttackMitigations.COLLECTION_NAME}.json"
+)
 def reset_database():
 Database.reset_db()
@@ -35,20 +46,13 @@ def _try_store_mitigations_on_mongo():
 def _store_mitigations_on_mongo():
- stix2_mitigations = MitreApiInterface.get_all_mitigations()
- mongo_mitigations = AttackMitigations.dict_from_stix2_attack_patterns(
- MitreApiInterface.get_all_attack_techniques()
- )
- mitigation_technique_relationships = (
- MitreApiInterface.get_technique_and_mitigation_relationships()
- )
- for relationship in mitigation_technique_relationships:
- mongo_mitigations[relationship["target_ref"]].add_mitigation(
- stix2_mitigations[relationship["source_ref"]]
- )
- for relationship in mitigation_technique_relationships:
- mongo_mitigations[relationship["target_ref"]].add_no_mitigations_info(
- stix2_mitigations[relationship["source_ref"]]
- )
- for key, mongo_object in mongo_mitigations.items():
- mongo_object.save()
+ try:
+ with open(ATTACK_MITIGATION_PATH) as f:
+ attack_mitigations = json.load(f)
+
+ logger.debug(f'Loading attack mitigations data:\n{pformat(attack_mitigations["metadata"])}')
+
+ mongodb_collection = mongo.db[AttackMitigations.COLLECTION_NAME]
+ mongodb_collection.insert_many(attack_mitigations["data"])
+ except json.decoder.JSONDecodeError as e:
+ raise Exception(f"Invalid attack mitigations {ATTACK_MITIGATION_PATH} file: {e}")
diff --git a/monkey/monkey_island/monkey_island.spec b/monkey/monkey_island/monkey_island.spec
index 624d08ffa..80335d346 100644
--- a/monkey/monkey_island/monkey_island.spec
+++ b/monkey/monkey_island/monkey_island.spec
@@ -13,7 +13,7 @@ def main():
 # The format of the tuples is (src, dest_dir). See https://pythonhosted.org/PyInstaller/spec-files.html#adding-data-files
 added_datas = [
 ("../common/BUILD", "/common"),
- ("../monkey_island/cc/services/attack/attack_data", "/monkey_island/cc/services/attack/attack_data")
+ ("../monkey_island/cc/setup/mongo/attack_mitigations.json", "/monkey_island/cc/setup/mongo/attack_mitigations.json")
 ]
 a = Analysis(['main.py'],
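Review bot: The `except` at the end of `_store_mitigations_on_mongo` only catches `json.decoder.JSONDecodeError`, so a missing or unreadable file (`OSError`) and a file that lacks the `metadata`/`data` keys (`KeyError`) escape without the path in the message, and the re-raise drops the original cause. Broadening the clause and chaining it keeps the diagnostic on every malformed-input path: `except (OSError, json.JSONDecodeError, KeyError) as e:` / `raise Exception(f"Invalid attack mitigations {ATTACK_MITIGATION_PATH} file: {e}") from e`. The `metadata` block is the only record of which ATT&CK snapshot a deployment carries, and it is emitted at debug level only; logging it at info would let an operator see that provenance in a normal run. Whether the caller `_try_store_mitigations_on_mongo` (outside this hunk) handles pymongo errors from `insert_many`, e.g. duplicate `_id` values on a non-empty collection, is not visible here.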
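Review bot: The new `added_datas` entry uses the full file path `/monkey_island/cc/setup/mongo/attack_mitigations.json` as its second element, while the comment above the list documents the tuple as `(src, dest_dir)`. If these tuples reach `Analysis(datas=...)` unchanged, PyInstaller treats the second element as a destination directory, so the bundled file would land at `.../mongo/attack_mitigations.json/attack_mitigations.json` and `ATTACK_MITIGATION_PATH` in database_initializer.py would not resolve in the frozen build. Unless the spec reshapes these tuples further down (not visible in this hunk), the destination should be the directory: `("../monkey_island/cc/setup/mongo/attack_mitigations.json", "/monkey_island/cc/setup/mongo")`. The rest of `main()` and the `Analysis(...)` call lie outside the hunk.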
diff --git a/monkey/monkey_island/pyinstaller_hooks/hook-stix2.py b/monkey/monkey_island/pyinstaller_hooks/hook-stix2.py
deleted file mode 100644
index 785d6a36b..000000000
--- a/monkey/monkey_island/pyinstaller_hooks/hook-stix2.py
+++ /dev/null
@@ -1,9 +0,0 @@
-# Workaround for packaging Monkey Island using PyInstaller. See
-# https://github.com/oasis-open/cti-python-stix2/issues/218
-
-import os
-
-from PyInstaller.utils.hooks import get_module_file_attribute
-
-stix2_dir = os.path.dirname(get_module_file_attribute("stix2"))
-datas = [(stix2_dir, "stix2")]
diff --git a/monkey/tests/data_for_tests/mongo_mitigations/attack_mitigations.json b/monkey/tests/data_for_tests/mongo_mitigations/attack_mitigations.json
new file mode 100644
index 000000000..274b5ac75
--- /dev/null
+++ b/monkey/tests/data_for_tests/mongo_mitigations/attack_mitigations.json
@@ -0,0 +1 @@
+{"metadata":{"timestamp": "1632959947.9542503", "commit_hash": "fb8942b1a", "origin_url": "https://github.com/guardicore/cti.git"},"data":[{"_id": "T1066", "mitigations": [{"name": "Indicator Removal from Tools Mitigation", "description": "Mitigation is difficult in instances like this because the adversary may have access to the system through another channel and can learn what techniques or tools are blocked by resident defenses. Exercising best practices with configuration and security as well as ensuring that proper process is followed during investigation of potential compromise is essential to detecting a larger intrusion through discrete alerts.", "url": ""}]}, {"_id": "T1047", "mitigations": [{"name": "Privileged Account Management", "description": "Manage the creation, modification, use, and permissions associated to privileged accounts, including SYSTEM and root.", "url": "https://attack.mitre.org/mitigations/M1026"}, {"name": "User Account Management", "description": "Manage the creation, modification, use, and permissions associated to user accounts.", "url": "https://attack.mitre.org/mitigations/M1018"}]}, {"_id": "T1156", "mitigations": [{"name": "Restrict File and Directory Permissions", "description": "Restrict access by setting directory and file permissions that are not specific to users or privileged accounts.", "url": "https://attack.mitre.org/mitigations/M1022"}]}]}
diff --git a/monkey/tests/data_for_tests/mongo_mitigations/invalid_mitigation b/monkey/tests/data_for_tests/mongo_mitigations/invalid_mitigation
new file mode 100644
index 000000000..3f18637dc
--- /dev/null
+++ b/monkey/tests/data_for_tests/mongo_mitigations/invalid_mitigation
@@ -0,0 +1 @@
+[{"_id": "T1066", "mitigations": [}
diff --git a/monkey/tests/unit_tests/monkey_island/cc/services/attack/test_mitre_api_interface.py b/monkey/tests/unit_tests/monkey_island/cc/services/attack/test_mitre_api_interface.py
deleted file mode 100644
index f93afc8d5..000000000
--- a/monkey/tests/unit_tests/monkey_island/cc/services/attack/test_mitre_api_interface.py
+++ /dev/null
@@ -1,14 +0,0 @@
-import pytest
-
-from monkey_island.cc.services.attack.mitre_api_interface import MitreApiInterface
-
-
-@pytest.mark.slow
-def test_get_all_mitigations():
- mitigations = MitreApiInterface.get_all_mitigations()
- assert len(mitigations.items()) >= 282
- mitigation = next(iter(mitigations.values()))
- assert mitigation["type"] == "course-of-action"
- assert mitigation["name"] is not None
- assert mitigation["description"] is not None
- assert mitigation["external_references"] is not None
diff --git a/monkey/tests/unit_tests/monkey_island/cc/setup/mongo/test_database_initializer.py b/monkey/tests/unit_tests/monkey_island/cc/setup/mongo/test_database_initializer.py
new file mode 100644
index 000000000..d3ca3fbcc
--- /dev/null
+++ b/monkey/tests/unit_tests/monkey_island/cc/setup/mongo/test_database_initializer.py
@@ -0,0 +1,69 @@
+from unittest.mock import MagicMock
+
+import mongomock
+import pytest
+
+from monkey_island.cc.setup.mongo.database_initializer import reset_database
+
+
+@pytest.fixture
+def patch_attack_mitigations_path(monkeypatch, data_for_tests_dir):
+ def inner(file_name):
+ path = data_for_tests_dir / "mongo_mitigations" / file_name
+ monkeypatch.setattr(
+ "monkey_island.cc.setup.mongo.database_initializer.ATTACK_MITIGATION_PATH", path
+ )
+
+ return inner
+
+
+@pytest.fixture(scope="module", autouse=True)
+def patch_dependencies(monkeypatch_session):
+ monkeypatch_session.setattr(
+ "monkey_island.cc.services.config.ConfigService.init_config", lambda: None
+ )
+ monkeypatch_session.setattr(
+ "monkey_island.cc.services.attack.attack_config.AttackConfig.reset_config", lambda: None
+ )
+ monkeypatch_session.setattr(
+ "monkey_island.cc.services.database.jsonify", MagicMock(return_value=True)
+ )
+
+
+@pytest.fixture
+def mock_mongo_client(monkeypatch):
+ mongo = mongomock.MongoClient()
+ mongo.db.validate_collection = MagicMock(return_value=True)
+
+ monkeypatch.setattr("monkey_island.cc.setup.mongo.database_initializer.mongo", mongo)
+ monkeypatch.setattr("monkey_island.cc.services.database.mongo", mongo)
+
+ return mongo
+
+
+def test_store_mitigations_on_mongo(patch_attack_mitigations_path, mock_mongo_client):
+ patch_attack_mitigations_path("attack_mitigations.json")
+
+ reset_database()
+
+ assert len(list(mock_mongo_client.db.attack_mitigations.find({}))) == 3
+
+
+def test_store_mitigations_on_mongo__invalid_mitigation(patch_attack_mitigations_path):
+ patch_attack_mitigations_path("invalid_mitigation")
+
+ with pytest.raises(Exception):
+ reset_database()
+
+
+def test_get_all_mitigations(mock_mongo_client):
+ reset_database()
+
+ mitigations = list(mock_mongo_client.db.attack_mitigations.find({}))
+
+ assert len(mitigations) >= 266
+
+ mitigation = mitigations[0]["mitigations"][0]
+ assert mitigation["name"] is not None
+ assert
 mitigation["description"] is not None
+ assert mitigation["url"] is not None
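Review bot: `test_store_mitigations_on_mongo__invalid_mitigation` catches bare `Exception` and does not request the `mock_mongo_client` fixture, so `reset_database()` runs against whatever `monkey_island.cc.services.database.mongo` resolves to at that point; a connection or attribute error from an unpatched client would satisfy `pytest.raises(Exception)` just as readily as a parse failure on `invalid_mitigation`, and the test cannot distinguish the two. Add `mock_mongo_client` to the test's parameters and narrow the expected exception to the one the initializer raises on malformed input (presumably `json.JSONDecodeError`, with a matching `import json` — confirm against `database_initializer`), e.g. `def test_store_mitigations_on_mongo__invalid_mitigation(patch_attack_mitigations_path, mock_mongo_client):` and `with pytest.raises(json.JSONDecodeError):`. The `is not None` checks in `test_get_all_mitigations` also pass for empty strings; `assert mitigation["name"]` and `assert mitigation["description"]` would pin the required fields more tightly, while `url` may legitimately be empty as the fixture data shows.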
