def mitigation_execution_prevention():
    text = (
        "Adversaries may use new DLLs to execute this technique. "
        "Identify and block potentially malicious software executed through "
        "search order hijacking by using application whitelisting solutions "
        "capable of blocking DLLs loaded by legitimate software.")
    print_mitigation(text)
Example #2
def mitigation_filter_network_traffic():
    text = ("Cloud service providers support IP-based restrictions when "
    "accessing cloud resources. Consider using IP whitelisting on cloud-based "
    "systems along with user account management to ensure that data access "
    "is restricted not only to valid users but only from expected IP ranges "
    "to mitigate the use of stolen credentials to access data.")
    print_mitigation(text)
Example #3
def mitigation_execution_prevention():
    text = ("Adversaries will likely need to place new binaries in locations "
    "to be executed through this weakness. Identify and block potentially "
    "malicious software executed through path interception by using application "
    "whitelisting tools, like Windows Defender Application Control, AppLocker, "
    "or Software Restriction Policies where appropriate.")
    print_mitigation(text)
def mitigation_user_account_control():
    text = (
        "Although UAC bypass techniques exist, it is still prudent to use "
        "the highest enforcement level for UAC when possible and mitigate bypass "
        "opportunities that exist with techniques such as DLL Search Order Hijacking."
    )
    print_mitigation(text)
def mitigation_user_account_manag():
    text = (
        "Limit privileges of user accounts and groups so that only authorized "
        "administrators can interact with service changes and service binary target path "
        "locations. Deny execution from user directories such as file download directories "
        "and temp directories where able.")
    print_mitigation(text)
Example #6
def mitigation_active_directory_config():
    text = (
        "Clean up SID-History attributes after legitimate account "
        "migration is complete.\nConsider applying SID Filtering to "
        "interforest trusts, such as forest trusts and external trusts, "
        "to exclude SID-History from requests to access domain resources. "
        "SID Filtering ensures that any authentication requests over a trust "
        "only contain SIDs of security principals from the trusted domain (i.e. "
        "preventing the trusted domain from claiming a user has membership in "
        "groups outside of the domain).\n\nSID Filtering of forest trusts is "
        "enabled by default, but may have been disabled in some cases to allow "
        "a child domain to transitively access forest trusts. SID Filtering of "
        "external trusts is automatically enabled on all created external trusts "
        "using Server 2003 or later domain controllers. However note that SID "
        "Filtering is not automatically applied to legacy trusts or may have been "
        "deliberately disabled to allow inter-domain access to resources.\nSID "
        "Filtering can be applied by:\n\n- Disabling SIDHistory on forest trusts "
        "using the netdom tool (netdom trust /domain: /EnableSIDHistory:no on "
        "the domain controller)\n- Applying SID Filter Quarantining to external "
        "trusts using the netdom tool (netdom trust /domain: /quarantine:yes "
        "on the domain controller)\n- Applying SID Filtering to domain trusts "
        "within a single forest is not recommended as it is an unsupported "
        "configuration and can cause breaking changes. If a domain within a "
        "forest is untrustworthy then it should not be a member of the forest. "
        "In this situation it is necessary to first split the trusted and "
        "untrusted domains into separate forests where SID Filtering can be "
        "applied to an interforest trust.")
    print_mitigation(text)
def mitigation_password_policies():
    text = ("Applications and appliances that utilize default username and "
            "password should be changed immediately after the installation, "
            "and before deployment to a production environment. When possible, "
            "applications that use SSH keys should be updated periodically and "
            "properly secured.")
    print_mitigation(text)
def mitigation_audit():
    text = (
        "Use auditing tools capable of detecting DLL search order "
        "hijacking opportunities on systems within an enterprise and correct "
        "them. Toolkits like the PowerSploit framework contain PowerUp modules "
        "that can be used to explore systems for DLL hijacking weaknesses.")
    print_mitigation(text)
Example #9
def mitigation_multifactor_authentication():
    text = ("Integrating multi-factor authentication (MFA) as part of "
    "organizational policy can greatly reduce the risk of an adversary gaining "
    "control of valid credentials that may be used for additional tactics "
    "such as initial access, lateral movement, and collecting information. "
    "MFA can also be used to restrict access to cloud resources and APIs.")
    print_mitigation(text)
Example #10
def mitigation_privileged_account_manag():
    text = (
        "Configure the Increase Scheduling Priority option to only allow "
        "the Administrators group the rights to schedule a priority process. "
        "This can be configured through GPO: Computer Configuration > "
        "[Policies] > Windows Settings > Security Settings > Local Policies > "
        "User Rights Assignment: Increase scheduling priority.")
    print_mitigation(text)
def mitigation_audit():
    text = (
        "Use auditing tools capable of detecting file system permissions "
        "abuse opportunities on systems within an enterprise and correct them. "
        "Toolkits like the PowerSploit framework contain PowerUp modules that can "
        "be used to explore systems for service file system permissions weaknesses."
    )
    print_mitigation(text)
Example #12
def mitigation_execution_prevention():
    text = (
        "Adversaries can install new AppInit_DLLs binaries to execute this "
        "technique. Identify and block potentially malicious software executed "
        "through AppInit_DLLs functionality by using application whitelisting tools, "
        "like Windows Defender Application Control, AppLocker, or Software Restriction "
        "Policies where appropriate.")
    print_mitigation(text)
Example #13
def mitigation_app_isolation():
    text = (
        "Make it difficult for adversaries to advance their operation through "
        "exploitation of undiscovered or unpatched vulnerabilities by using sandboxing. "
        "Other types of virtualization and application microsegmentation may also "
        "mitigate the impact of some types of exploitation. Risks of additional "
        "exploits and weaknesses in these systems may still exist.")
    print_mitigation(text)
Example #14
def mitigation_update_software():
    text = (
        "Ensure that externally facing Web servers are patched regularly "
        "to prevent adversary access through Exploitation for Privilege "
        "Escalation to gain remote code access or through file inclusion "
        "weaknesses that may allow adversaries to upload files or scripts that "
        "are automatically served as Web pages.")
    print_mitigation(text)
Example #15
def mitigation_setuid_setgid():
    text = (
        "Applications with known vulnerabilities or known shell escapes should not "
        "have the setuid or setgid bits set to reduce potential damage if an application "
        "is compromised. Additionally, the number of programs with setuid or setgid bits "
        "set should be minimized across a system.")
    print()
    print_mitigation(text)
def mitigation_privil_account():
    text = ("Utilize Yama to mitigate ptrace based process injection by "
            "restricting the use of ptrace to privileged users only. Other "
            "mitigation controls involve the deployment of security kernel "
            "modules that provide advanced access control and process restrictions "
            "such as SELinux, grsecurity, and AppArmor "
            "(https://www.nsa.gov/Portals/70/documents/what-we-do/cybersecurity/professional-resources/csi-limiting-ptrace-on-production-linux-systems.pdf?ver=2019-05-16-151825-133).")
    print_mitigation(text)
Example #17
def mitigation_update_sw():
    text = ("Ensure that externally facing Web servers are patched "
            "regularly to prevent adversary access through Exploitation for "
            "Privilege Escalation to gain remote code access or through file "
            "inclusion weaknesses that may allow adversaries to upload files "
            "or scripts that are automatically served as Web pages.")
    print()
    print_mitigation(text)
Example #18
def mitigation_operating_system_config():
    text = (
        "To use this technique remotely, an adversary must use it in "
        "conjunction with RDP. Ensure that Network Level Authentication is enabled "
        "to force the remote desktop session to authenticate before the session is "
        "created and the login screen displayed. It is enabled by default on "
        "Windows Vista and later.")
    print_mitigation(text)
Example #19
def mitigation_privil_account():
    text = (
        "Audit account and group permissions to ensure that accounts "
        "used to manage servers do not overlap with accounts and permissions "
        "of users in the internal network that could be acquired through "
        "Credential Access and used to log into the Web server and plant a "
        "Web shell or pivot from the Web server into the internal network.")
    print_mitigation(text)
Example #20
def mitigation_user_account_manag():
    text = ("Ensure users and user groups have appropriate permissions for their "
    "roles through Identity and Access Management (IAM) controls. Configure user "
    "permissions, groups, and roles for access to cloud-based systems as well. "
    "Implement strict IAM controls to prevent access to systems except for the "
    "applications, users, and services that require access. Consider using "
    "temporary credentials that are only good for a certain period of time "
    "in cloud environments to reduce the effectiveness of compromised accounts.")
    print_mitigation(text)
Example #21
def mitigation_execution_prevention():
    text = (
        "Adversaries can replace accessibility features binaries with "
        "alternate binaries to execute this technique. Identify and block "
        "potentially malicious software executed through accessibility features "
        "functionality by using application whitelisting tools, like Windows "
        "Defender Application Control, AppLocker, or Software Restriction Policies "
        "where appropriate.")
    print_mitigation(text)
def mitigation_priv_account_manag():
    text = ("Audit domain and local accounts as well as their permission "
            "levels routinely to look for situations that could allow an adversary "
            "to gain wide access by obtaining credentials of a privileged account. "
            "These audits should also include if default accounts have been enabled, "
            "or if new local accounts are created that have not been authorized. "
            "Follow best practices for design and administration of an enterprise "
            "network to limit privileged account use across administrative tiers.")
    print_mitigation(text)
Example #23
def mitigation_exploit_protection():
    text = ("Security applications that look for behavior used during "
    "exploitation such as Windows Defender Exploit Guard (WDEG) and the "
    "Enhanced Mitigation Experience Toolkit (EMET) can be used to mitigate "
    "some exploitation behavior. Control flow integrity checking is another "
    "way to potentially identify and stop a software exploit from occurring. "
    "Many of these protections depend on the architecture and target "
    "application binary for compatibility and may not work for software "
    "components targeted for privilege escalation.")
    print_mitigation(text)
Example #24
def mitigation_password_policies():
    text = ("Applications and appliances that utilize default username and "
    "password should be changed immediately after the installation, and "
    "before deployment to a production environment. When possible, "
    "applications that use SSH keys should be updated periodically and "
    "properly secured. Ensure that local administrator accounts have complex, "
    "unique passwords across all systems on the network.\nIn cloud "
    "environments, consider rotating access keys within a certain number of "
    "days for reducing the effectiveness of stolen credentials.")
    print_mitigation(text)
def mitigation_privileged_account_management():
    text = (
        "Limit permissions so that users and user groups cannot create tokens. "
        "This setting should be defined for the local system account only. GPO: Computer "
        "Configuration > [Policies] > Windows Settings > Security Settings > Local "
        "Policies > User Rights Assignment: Create a token object. Also define who can "
        "create a process level token to only the local and network service through GPO: "
        "Computer Configuration > [Policies] > Windows Settings > Security Settings "
        "> Local Policies > User Rights Assignment: Replace a process level token."
    )
    print_mitigation(text)
Example #26
def mitigation_operating_system_configuration():
    text = (
        "Configure settings for scheduled tasks to force tasks to run "
        "under the context of the authenticated account instead of allowing "
        "them to run as SYSTEM. The associated Registry key is located at "
        "HKLM\\SYSTEM\\CurrentControlSet\\Control\\Lsa\\SubmitControl. The setting "
        "can be configured through GPO: Computer Configuration > [Policies] > "
        "Windows Settings > Security Settings > Local Policies > Security "
        "Options: Domain Controller: Allow server operators to schedule tasks, "
        "set to disabled.")
    print_mitigation(text)
Example #27
def mitigation_audit():
    text = ("Find and eliminate path interception weaknesses in program "
    "configuration files, scripts, the PATH environment variable, services, "
    "and in shortcuts by surrounding PATH variables with quotation marks "
    "when functions allow for them. Be aware of the search order Windows "
    "uses for executing or loading binaries and use fully qualified paths "
    "wherever appropriate.\nClean up old Windows Registry keys when software "
    "is uninstalled to avoid keys with no associated legitimate binaries. "
    "Periodically search for and correct or report path interception "
    "weaknesses on systems that may have been introduced using custom or "
    "available tools that report software using insecure path configurations.")
    print_mitigation(text)
def mitigation_restrict_library_loading():
    text = (
        "Disallow loading of remote DLLs. This is included by default "
        "in Windows Server 2012+ and is available by patch for XP+ and Server 2003+. "
        "Enable Safe DLL Search Mode to force search for system DLLs "
        "in directories with greater restrictions (e.g. %SYSTEMROOT%) to be used before "
        "local directory DLLs (e.g. a user's home directory). The Safe DLL Search Mode "
        "can be enabled via Group Policy at Computer Configuration > [Policies] > Administrative "
        "Templates > MSS (Legacy): MSS: (SafeDllSearchMode) Enable Safe DLL search mode.\n"
        "The associated Windows Registry key for this is located at "
        "HKLM\\SYSTEM\\CurrentControlSet\\Control\\Session Manager\\SafeDLLSearchMode."
    )
    print_mitigation(text)
def mitigation_user_account_control():
    text = (
        "Turn off UAC's privilege elevation for standard users "
        "[HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System] "
        "to automatically deny elevation requests, add: 'ConsentPromptBehaviorUser'"
        "=dword:00000000. Consider enabling installer detection for all users by "
        "adding: 'EnableInstallerDetection'=dword:00000001. This will prompt for "
        "a password for installation and also log the attempt. "
        "\nTo disable installer detection, instead add: 'EnableInstallerDetection'"
        "=dword:00000000. This may prevent potential elevation of privileges through "
        "exploitation during the process of UAC detecting the installer, but will "
        "allow the installation process to continue without being logged.")
    print_mitigation(text)
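The registry-backed settings named by the three mitigations above (SafeDllSearchMode, the UAC values ConsentPromptBehaviorUser and EnableInstallerDetection, and the scheduled-task SubmitControl key) can be audited offline from a `reg export` dump. The following is an added example, not code from the original page or from the project these snippets belong to; it assumes .reg-style text as input and that "disabled" for the server-operator scheduling policy corresponds to SubmitControl = 0.

```python
import re
# Constructed sample in "reg export" (.reg) syntax, not from any real host;
# it holds one compliant value and three deviations.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager]
"SafeDllSearchMode"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System]
"ConsentPromptBehaviorUser"=dword:00000003
"EnableInstallerDetection"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"SubmitControl"=dword:00000001
"""

HKLM = "HKEY_LOCAL_MACHINE"
UAC_KEY = HKLM + r"\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System"

# Hardened state as the mitigation text recommends: (key, value name) -> dword.
# Assumption: "Allow server operators to schedule tasks: disabled" maps to
# SubmitControl = 0.
EXPECTED = {
    (HKLM + r"\SYSTEM\CurrentControlSet\Control\Session Manager", "SafeDllSearchMode"): 1,
    (UAC_KEY, "ConsentPromptBehaviorUser"): 0,
    (UAC_KEY, "EnableInstallerDetection"): 1,
    (HKLM + r"\SYSTEM\CurrentControlSet\Control\Lsa", "SubmitControl"): 0,
}

VALUE_RE = re.compile(r'^"([^"]+)"=dword:([0-9a-fA-F]{8})$')

def parse_reg_export(text):
    """Parse the .reg subset used here ([key] headers, "name"=dword:hex lines);
    keys and names are lower-cased because the registry is case-insensitive."""
    values, key = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1].lower()
            continue
        m = VALUE_RE.match(line)
        if m and key is not None:
            values[(key, m.group(1).lower())] = int(m.group(2), 16)
    return values

def audit(values):
    """Return (key, name, expected, actual) per deviation from EXPECTED; an absent
    value is reported with actual=None, since unset is not proof of hardening."""
    findings = []
    for (key, name), expected in EXPECTED.items():
        actual = values.get((key.lower(), name.lower()))
        if actual != expected:
            findings.append((key, name, expected, actual))
    return findings
```

Running `audit(parse_reg_export(SAMPLE_REG))` on the constructed dump reports the three deviating values; feeding it an export that lacks one of the keys reports that value as missing rather than silently passing.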
Example #30
def mitigation_privileged_account_manag():
    text = ("Audit domain and local accounts as well as their permission "
    "levels routinely to look for situations that could allow an adversary to "
    "gain wide access by obtaining credentials of a privileged account. These "
    "audits should also include if default accounts have been enabled, or if "
    "new local accounts are created that have not been authorized. Do not put "
    "user or admin domain accounts in the local administrator groups across "
    "systems unless they are tightly controlled and use of accounts is "
    "segmented, as this is often equivalent to having a local administrator "
    "account with the same password on all systems. Follow best practices "
    "for design and administration of an enterprise network to limit "
    "privileged account use across administrative tiers. Limit credential "
    "overlap across systems to prevent access if account credentials are obtained.")
    print_mitigation(text)