def mitigation_execution_prevention():
    text = (
        "Adversaries may use new DLLs to execute this technique. "
        "Identify and block potentially malicious software executed through "
        "search order hijacking by using application whitelisting solutions "
        "capable of blocking DLLs loaded by legitimate software.")
    print_mitigation(text)
Exemple #2
0
def mitigation_filter_network_traffic():
    text = ("Cloud service providers support IP-based restrictions when "
    "accessing cloud resources. Consider using IP whitelisting on cloud-based "
    "systems along with user account management to ensure that data access "
    "is restricted not only to valid users but only from expected IP ranges "
    "to mitigate the use of stolen credentials to access data.")
    print_mitigation(text)
Exemple #3
0
def mitigation_execution_prevention():
    text = ("Adversaries will likely need to place new binaries in locations "
    "to be executed through this weakness. Identify and block potentially "
    "malicious software executed path interception by using application "
    "whitelisting tools, like Windows Defender Application Control, AppLocker, "
    "or Software Restriction Policies where appropriate.")
    print_mitigation(text)
def mitigation_user_account_control():
    text = (
        "Although UAC bypass techniques exist, it is still prudent to use "
        "the highest enforcement level for UAC when possible and mitigate bypass "
        "opportunities that exist with techniques such as DLL Search Order Hijacking."
    )
    print_mitigation(text)
def mitigation_user_account_manag():
    text = (
        "Limit privileges of user accounts and groups so that only authorized "
        "administrators can interact with service changes and service binary target path "
        "locations. Deny execution from user directories such as file download directories "
        "and temp directories where able.")
    print_mitigation(text)
Exemple #6
0
def mitigation_active_directory_config():
    text = (
        "Clean up SID-History attributes after legitimate account "
        "migration is complete.\nConsider applying SID Filtering to "
        "interforest trusts, such as forest trusts and external trusts, "
        "to exclude SID-History from requests to access domain resources. "
        "SID Filtering ensures that any authentication requests over a trust "
        "only contain SIDs of security principals from the trusted domain (i.e "
        "preventing the trusted domain from claiming a user has membership in "
        "groups outside of the domain).\n\nSID Filtering of forest trusts is "
        "enabled by default, but may have been disabled in some cases to allow "
        "a child domain to transitively access forest trusts. SID Filtering of "
        "external trusts is automatically enabled on all created external trusts "
        "using Server 2003 or later domain controllers. However note that SID "
        "Filtering is not automatically applied to legacy trusts or may have been "
        "deliberately disabled to allow inter-domain access to resources.\nSID "
        "Filtering can be applied by:\n\n- Disabling SIDHistory on forest trusts "
        "using the netdom tool (netdom trust /domain: /EnableSIDHistory:no on "
        "the domain controller)\n- Applying SID Filter Quarantining to external "
        "trusts using the netdom tool (netdom trust /domain: /quarantine:yes "
        "on the domain controller)\n- Applying SID Filtering to domain trusts "
        "within a single forest is not recommended as it is an unsupported "
        "configuration and can cause breaking changes. If a domain within a "
        "forest is untrustworthy then it should not be a member of the forest. "
        "In this situation it is necessary to first split the trusted and "
        "untrusted domains into separate forests where SID Filtering can be "
        "applied to an interforest trust.")
    print_mitigation(text)
def mitigation_password_policies():
	text = ("Applications and appliances that utilize default username and "
	"password should be changed immediately after the installation, "
	"and before deployment to a production environment. When possible, "
	"applications that use SSH keys should be updated periodically and "
	"properly secured.")
	print_mitigation(text)
def mitigation_audit():
    text = (
        "Use auditing tools capable of detecting DLL search order "
        "hijacking opportunities on systems within an enterprise and correct "
        "them. Toolkits like the PowerSploit framework contain PowerUp modules "
        "that can be used to explore systems for DLL hijacking weaknesses.")
    print_mitigation(text)
Exemple #9
0
def mitigation_multifactor_authentication():
    text = ("Integrating multi-factor authentication (MFA) as part of "
    "organizational policy can greatly reduce the risk of an adversary gaining "
    "control of valid credentials that may be used for additional tactics "
    "such as initial access, lateral movement, and collecting information. "
    "MFA can also be used to restrict access to cloud resources and APIs.")
    print_mitigation(text)
Exemple #10
0
def mitigation_privileged_account_manag():
    text = (
        "Configure the Increase Scheduling Priority option to only allow "
        "the Administrators group the rights to schedule a priority process. "
        "This can be can be configured through GPO: Computer Configuration > "
        "[Policies] > Windows Settings > Security Settings > Local Policies > "
        "User Rights Assignment: Increase scheduling priority.")
    print_mitigation(text)
def mitigation_audit():
    text = (
        "Use auditing tools capable of detecting file system permissions "
        "abuse opportunities on systems within an enterprise and correct them. "
        "Toolkits like the PowerSploit framework contain PowerUp modules that can "
        "be used to explore systems for service file system permissions weaknesses."
    )
    print_mitigation(text)
def mitigation_execution_prevention():
    text = (
        "Adversaries can install new AppInit_DLLs binaries to execute this "
        "technique. Identify and block potentially malicious software executed "
        "through AppInit_DLLs functionality by using application whitelisting tools, "
        "like Windows Defender Application Control, AppLocker, or Software Restriction "
        "Policies where appropriate.")
    print_mitigation(text)
def mitigation_app_isolation():
    text = (
        "Make it difficult for adversaries to advance their operation through "
        "exploitation of undiscovered or unpatched vulnerabilities by using sandboxing. "
        "Other types of virtualization and application microsegmentation may also "
        "mitigate the impact of some types of exploitation. Risks of additional "
        "exploits and weaknesses in these systems may still exist.")
    print_mitigation(text)
Exemple #14
0
def mitigation_update_software():
    text = (
        "Ensure that externally facing Web servers are patched regularly "
        "to prevent adversary access through Exploitation for Privilege "
        "Escalation to gain remote code access or through file inclusion "
        "weaknesses that may allow adversaries to upload files or scripts that "
        "are automatically served as Web pages.")
    print_mitigation(text)
def mitigation_setuid_setgid():
    text = (
        "Applications with known vulnerabilities or known shell escapes should not "
        "have the setuid or setgid bits set to reduce potential damage if an application "
        "is compromised. Additionally, the number of programs with setuid or setgid bits "
        "set should be minimized across a system.")
    print()
    print_mitigation(text)
def mitigation_privil_account():
	text = ("Utilize Yama to mitigate ptrace based process injection by "
	"restricting the use of ptrace to privileged users only. Other "
	"mitigation controls involve the deployment of security kernel "
	"modules that provide advanced access control and process restrictions "
	"such as SELinux, grsecurity, and AppArmor "
	"(https://www.nsa.gov/Portals/70/documents/what-we-do/cybersecurity/professional-resources/csi-limiting-ptrace-on-production-linux-systems.pdf?ver=2019-05-16-151825-133).")
	print_mitigation(text)
def mitigation_update_sw():
    text = ("Ensure that externally facing Web servers are patched "
            "regularly to prevent adversary access through Exploitation for "
            "Privilege Escalation to gain remote code access or through file "
            "inclusion weaknesses that may allow adversaries to upload files "
            "or scripts that are automatically served as Web pages.")
    print()
    print_mitigation(text)
Exemple #18
0
def mitigation_operating_system_config():
    text = (
        "To use this technique remotely, an adversary must use it in "
        "conjunction with RDP. Ensure that Network Level Authentication is enabled "
        "to force the remote desktop session to authenticate before the session is "
        "created and the login screen displayed. It is enabled by default on "
        "Windows Vista and later.")
    print_mitigation(text)
def mitigation_privil_account():
    text = (
        "Audit account and group permissions to ensure that accounts "
        "used to manage servers do not overlap with accounts and permissions "
        "of users in the internal network that could be acquired through "
        "Credential Access and used to log into the Web server and plant a "
        "Web shell or pivot from the Web server into the internal network.")
    print_mitigation(text)
Exemple #20
0
def mitigation_user_account_manag():
    text = ("Ensure users and user groups have appropriate permissions for their "
    "roles through Identity and Access Management (IAM) controls. Configure user "
    "permissions, groups, and roles for access to cloud-based systems as well. "
    "Implement strict IAM controls to prevent access to systems except for the "
    "applications, users, and services that require access. Consider using "
    "temporary credentials that are only good for a certain period of time "
    "in cloud environments to reduce the effectiveness of compromised accounts.")
    print_mitigation(text)
Exemple #21
0
def mitigation_execution_prevention():
    text = (
        "Adversaries can replace accessibility features binaries with "
        "alternate binaries to execute this technique. Identify and block "
        "potentially malicious software executed through accessibility features "
        "functionality by using application whitelisting tools, like Windows "
        "Defender Application Control, AppLocker, or Software Restriction Policies "
        "where appropriate.")
    print_mitigation(text)
def mitigation_priv_account_manag():
	text = ("Audit domain and local accounts as well as their permission "
	"levels routinely to look for situations that could allow an adversary "
	"to gain wide access by obtaining credentials of a privileged account. "
	"These audits should also include if default accounts have been enabled, "
	"or if new local accounts are created that have not be authorized. "
	"Follow best practices for design and administration of an enterprise "
	"network to limit privileged account use across administrative tiers.")
	print_mitigation(text)
Exemple #23
0
def mitigation_exploit_protection():
    text = ("Security applications that look for behavior used during "
    "exploitation such as Windows Defender Exploit Guard (WDEG) and the "
    "Enhanced Mitigation Experience Toolkit (EMET) can be used to mitigate "
    "some exploitation behavior. Control flow integrity checking is another "
    "way to potentially identify and stop a software exploit from occurring. "
    "Many of these protections depend on the architecture and target "
    "application binary for compatibility and may not work for software "
    "components targeted for privilege escalation.")
    print_mitigation(text)
Exemple #24
0
def mitigation_password_policies():
    text = ("Applications and appliances that utilize default username and "
    "password should be changed immediately after the installation, and "
    "before deployment to a production environment. When possible, "
    "applications that use SSH keys should be updated periodically and "
    "properly secured. Ensure that local administrator accounts have complex, "
    "unique passwords across all systems on the network.\nIn cloud "
    "environments, consider rotating access keys within a certain number of "
    "days for reducing the effectiveness of stolen credentials.")
    print_mitigation(text)
def mitigation_privileged_account_management():
    text = (
        "Limit permissions so that users and user groups cannot create tokens. "
        "This setting should be defined for the local system account only. GPO: Computer "
        "Configuration > [Policies] > Windows Settings > Security Settings > Local "
        "Policies > User Rights Assignment: Create a token object. Also define who can "
        "create a process level token to only the local and network service through GPO: "
        "Computer Configuration > [Policies] > Windows Settings > Security Settings "
        "> Local Policies > User Rights Assignment: Replace a process level token."
    )
    print_mitigation(text)
Exemple #26
0
def mitigation_operating_system_configuration():
    text = (
        "Configure settings for scheduled tasks to force tasks to run "
        "under the context of the authenticated account instead of allowing "
        "them to run as SYSTEM. The associated Registry key is located at "
        "HKLM\SYSTEM\CurrentControlSet\Control\Lsa\SubmitControl. The setting "
        "can be configured through GPO: Computer Configuration > [Policies] > "
        "Windows Settings > Security Settings > Local Policies > Security "
        "Options: Domain Controller: Allow server operators to schedule tasks, "
        "set to disabled.")
    print_mitigation(text)
Exemple #27
0
def mitigation_audit():
    text = ("Find and eliminate path interception weaknesses in program "
    "configuration files, scripts, the PATH environment variable, services, "
    "and in shortcuts by surrounding PATH variables with quotation marks "
    "when functions allow for them. Be aware of the search order Windows "
    "uses for executing or loading binaries and use fully qualified paths "
    "wherever appropriate.\nClean up old Windows Registry keys when software "
    "is uninstalled to avoid keys with no associated legitimate binaries. "
    "Periodically search for and correct or report path interception "
    "weaknesses on systems that may have been introduced using custom or "
    "available tools that report software using insecure path configurations.")
    print_mitigation(text)
def mitigation_restrict_library_loading():
    text = (
        "Disallow loading of remote DLLs. This is included by default "
        "in Windows Server 2012+ and is available by patch for XP+ and Server 2003+. "
        "Path Algorithm Enable Safe DLL Search Mode to force search for system DLLs "
        "in directories with greater restrictions (e.g. %SYSTEMROOT%)to be used before "
        "local directory DLLs (e.g. a user's home directory). The Safe DLL Search Mode "
        "can be enabled via Group Policy at Computer Configuration > [Policies] > Administrative "
        "Templates > MSS (Legacy): MSS: (SafeDllSearchMode) Enable Safe DLL search mode.\n"
        "The associated Windows Registry key for this is located at "
        "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\SafeDLLSearchMode."
    )
    print_mitigation(text)
def mitigation_user_account_control():
    text = (
        "Turn off UAC's privilege elevation for standard users "
        "[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System] "
        "to automatically deny elevation requests, add: 'ConsentPromptBehaviorUser'"
        "=dword:00000000. Consider enabling installer detection for all users by "
        "adding: 'EnableInstallerDetection'=dword:00000001. This will prompt for "
        "a password for installation and also log the attempt. "
        "\nTo disable installer detection, instead add: 'EnableInstallerDetection'"
        "=dword:00000000. This may prevent potential elevation of privileges through "
        "exploitation during the process of UAC detecting the installer, but will "
        "allow the installation process to continue without being logged.")
    print_mitigation(text)
Exemple #30
0
def mitigation_privileged_account_manag():
    text = ("Audit domain and local accounts as well as their permission "
    "levels routinely to look for situations that could allow an adversary to "
    "gain wide access by obtaining credentials of a privileged account. These "
    "audits should also include if default accounts have been enabled, or if "
    "new local accounts are created that have not be authorized. Do not put "
    "user or admin domain accounts in the local administrator groups across "
    "systems unless they are tightly controlled and use of accounts is "
    "segmented, as this is often equivalent to having a local administrator "
    "account with the same password on all systems. Follow best practices "
    "for design and administration of an enterprise network to limit "
    "privileged account use across administrative tiers. Limit credential "
    "overlap across systems to prevent access if account credentials are obtained.")
    print_mitigation(text)