def mitigation_execution_prevention():
    text = ("Adversaries may use new DLLs to execute this technique. "
            "Identify and block potentially malicious software executed through "
            "search order hijacking by using application whitelisting solutions "
            "capable of blocking DLLs loaded by legitimate software.")
    print_mitigation(text)

def mitigation_filter_network_traffic():
    text = ("Cloud service providers support IP-based restrictions when "
            "accessing cloud resources. Consider using IP whitelisting on cloud-based "
            "systems along with user account management to ensure that data access "
            "is restricted not only to valid users but only from expected IP ranges "
            "to mitigate the use of stolen credentials to access data.")
    print_mitigation(text)

def mitigation_execution_prevention():
    text = ("Adversaries will likely need to place new binaries in locations "
            "to be executed through this weakness. Identify and block potentially "
            "malicious software executed through path interception by using application "
            "whitelisting tools, like Windows Defender Application Control, AppLocker, "
            "or Software Restriction Policies where appropriate.")
    print_mitigation(text)

def mitigation_user_account_control():
    text = ("Although UAC bypass techniques exist, it is still prudent to use "
            "the highest enforcement level for UAC when possible and mitigate bypass "
            "opportunities that exist with techniques such as DLL Search Order Hijacking.")
    print_mitigation(text)

def mitigation_user_account_manag():
    text = ("Limit privileges of user accounts and groups so that only authorized "
            "administrators can interact with service changes and service binary target path "
            "locations. Deny execution from user directories such as file download directories "
            "and temp directories where able.")
    print_mitigation(text)

def mitigation_active_directory_config():
    text = ("Clean up SID-History attributes after legitimate account "
            "migration is complete.\nConsider applying SID Filtering to "
            "interforest trusts, such as forest trusts and external trusts, "
            "to exclude SID-History from requests to access domain resources. "
            "SID Filtering ensures that any authentication requests over a trust "
            "only contain SIDs of security principals from the trusted domain (i.e. "
            "preventing the trusted domain from claiming a user has membership in "
            "groups outside of the domain).\n\nSID Filtering of forest trusts is "
            "enabled by default, but may have been disabled in some cases to allow "
            "a child domain to transitively access forest trusts. SID Filtering of "
            "external trusts is automatically enabled on all created external trusts "
            "using Server 2003 or later domain controllers. Note, however, that SID "
            "Filtering is not automatically applied to legacy trusts or may have been "
            "deliberately disabled to allow inter-domain access to resources.\nSID "
            "Filtering can be applied by:\n\n- Disabling SIDHistory on forest trusts "
            "using the netdom tool (netdom trust /domain: /EnableSIDHistory:no on "
            "the domain controller)\n- Applying SID Filter Quarantining to external "
            "trusts using the netdom tool (netdom trust /domain: /quarantine:yes "
            "on the domain controller)\n- Applying SID Filtering to domain trusts "
            "within a single forest is not recommended as it is an unsupported "
            "configuration and can cause breaking changes. If a domain within a "
            "forest is untrustworthy then it should not be a member of the forest. "
            "In this situation it is necessary to first split the trusted and "
            "untrusted domains into separate forests where SID Filtering can be "
            "applied to an interforest trust.")
    print_mitigation(text)

def mitigation_password_policies():
    text = ("Applications and appliances that utilize default username and "
            "password should be changed immediately after the installation, "
            "and before deployment to a production environment. When possible, "
            "applications that use SSH keys should be updated periodically and "
            "properly secured.")
    print_mitigation(text)

def mitigation_audit():
    text = ("Use auditing tools capable of detecting DLL search order "
            "hijacking opportunities on systems within an enterprise and correct "
            "them. Toolkits like the PowerSploit framework contain PowerUp modules "
            "that can be used to explore systems for DLL hijacking weaknesses.")
    print_mitigation(text)

def mitigation_multifactor_authentication():
    text = ("Integrating multi-factor authentication (MFA) as part of "
            "organizational policy can greatly reduce the risk of an adversary gaining "
            "control of valid credentials that may be used for additional tactics "
            "such as initial access, lateral movement, and collecting information. "
            "MFA can also be used to restrict access to cloud resources and APIs.")
    print_mitigation(text)

def mitigation_privileged_account_manag():
    text = ("Configure the Increase Scheduling Priority option to only allow "
            "the Administrators group the rights to schedule a priority process. "
            "This can be configured through GPO: Computer Configuration > "
            "[Policies] > Windows Settings > Security Settings > Local Policies > "
            "User Rights Assignment: Increase scheduling priority.")
    print_mitigation(text)

def mitigation_audit():
    text = ("Use auditing tools capable of detecting file system permissions "
            "abuse opportunities on systems within an enterprise and correct them. "
            "Toolkits like the PowerSploit framework contain PowerUp modules that can "
            "be used to explore systems for service file system permissions weaknesses.")
    print_mitigation(text)

def mitigation_execution_prevention():
    text = ("Adversaries can install new AppInit_DLLs binaries to execute this "
            "technique. Identify and block potentially malicious software executed "
            "through AppInit_DLLs functionality by using application whitelisting tools, "
            "like Windows Defender Application Control, AppLocker, or Software Restriction "
            "Policies where appropriate.")
    print_mitigation(text)

def mitigation_app_isolation():
    text = ("Make it difficult for adversaries to advance their operation through "
            "exploitation of undiscovered or unpatched vulnerabilities by using sandboxing. "
            "Other types of virtualization and application microsegmentation may also "
            "mitigate the impact of some types of exploitation. Risks of additional "
            "exploits and weaknesses in these systems may still exist.")
    print_mitigation(text)

def mitigation_update_software():
    text = ("Ensure that externally facing Web servers are patched regularly "
            "to prevent adversary access through Exploitation for Privilege "
            "Escalation to gain remote code access or through file inclusion "
            "weaknesses that may allow adversaries to upload files or scripts that "
            "are automatically served as Web pages.")
    print_mitigation(text)

def mitigation_setuid_setgid():
    text = ("Applications with known vulnerabilities or known shell escapes should not "
            "have the setuid or setgid bits set to reduce potential damage if an application "
            "is compromised. Additionally, the number of programs with setuid or setgid bits "
            "set should be minimized across a system.")
    print()
    print_mitigation(text)

def mitigation_privil_account():
    text = ("Utilize Yama to mitigate ptrace based process injection by "
            "restricting the use of ptrace to privileged users only. Other "
            "mitigation controls involve the deployment of security kernel "
            "modules that provide advanced access control and process restrictions "
            "such as SELinux, grsecurity, and AppArmor "
            "(https://www.nsa.gov/Portals/70/documents/what-we-do/cybersecurity/professional-resources/csi-limiting-ptrace-on-production-linux-systems.pdf?ver=2019-05-16-151825-133).")
    print_mitigation(text)

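The two Linux mitigations above (minimise setuid/setgid binaries; restrict ptrace with Yama) are both things an auditor can verify mechanically. The following is an added example, not code from this page or its project: it walks a directory tree for files carrying the setuid or setgid bit and interprets the kernel.yama.ptrace_scope value. Both helpers take an explicit path so they can be exercised against a scratch directory and a copied sysctl file rather than only a live host; the value meanings in PTRACE_SCOPE_MEANING follow the kernel's Yama documentation, and the demo's sample files are constructed here.

```python
"""Added example (not part of the page's own code): audit helpers for the
setuid/setgid and Yama ptrace mitigations."""
import os
import stat
import tempfile
from typing import Dict, List

# Meaning of kernel.yama.ptrace_scope values (kernel Yama documentation).
PTRACE_SCOPE_MEANING: Dict[int, str] = {
    0: "classic: any process may ptrace others running under the same uid",
    1: "restricted: only descendants (or CAP_SYS_PTRACE holders) may attach",
    2: "admin-only: only processes with CAP_SYS_PTRACE may attach",
    3: "no attach: ptrace attach is disabled entirely",
}


def find_setuid_setgid(root: str) -> List[str]:
    """Walk `root` and return regular files with the setuid or setgid bit set."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)  # lstat: do not follow symlinks
            except OSError:
                continue
            if stat.S_ISREG(st.st_mode) and st.st_mode & (stat.S_ISUID | stat.S_ISGID):
                hits.append(path)
    return sorted(hits)


def check_ptrace_scope(sysctl_path: str = "/proc/sys/kernel/yama/ptrace_scope") -> Dict[str, object]:
    """Read the Yama ptrace_scope value and report whether it restricts ptrace.
    Values 1..3 all stop an unprivileged process attaching to an arbitrary
    process of the same user; 0 is the weak setting the mitigation targets."""
    try:
        with open(sysctl_path) as fh:
            scope = int(fh.read().strip())
    except (OSError, ValueError):
        return {"available": False, "scope": None, "restricted": False,
                "meaning": "Yama not available (LSM not enabled or file unreadable)"}
    return {"available": True, "scope": scope, "restricted": scope >= 1,
            "meaning": PTRACE_SCOPE_MEANING.get(scope, "unknown value")}


def demo() -> Dict[str, object]:
    """Constructed scenario: a scratch tree with one setuid file, one setgid
    file, one plain file, and a fake ptrace_scope file holding the weak value 0."""
    with tempfile.TemporaryDirectory() as tmp:
        for name, mode in (("suid_bin", 0o4755), ("sgid_bin", 0o2755), ("plain", 0o755)):
            p = os.path.join(tmp, name)
            with open(p, "w") as fh:
                fh.write("#!/bin/sh\n")
            os.chmod(p, mode)
        fake_sysctl = os.path.join(tmp, "ptrace_scope")
        with open(fake_sysctl, "w") as fh:
            fh.write("0\n")
        hits = [os.path.basename(h) for h in find_setuid_setgid(tmp)]
        return {"suid_sgid": hits, "ptrace": check_ptrace_scope(fake_sysctl)}


if __name__ == "__main__":
    print(demo())
    print(check_ptrace_scope())  # the live value on this host, if Yama is present
```

On a real host run find_setuid_setgid("/") as root and diff the list against a known-good baseline; anything new, or anything in a user-writable directory, is what the mitigation text asks you to remove.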
def mitigation_update_sw():
    text = ("Ensure that externally facing Web servers are patched "
            "regularly to prevent adversary access through Exploitation for "
            "Privilege Escalation to gain remote code access or through file "
            "inclusion weaknesses that may allow adversaries to upload files "
            "or scripts that are automatically served as Web pages.")
    print()
    print_mitigation(text)

def mitigation_operating_system_config():
    text = ("To use this technique remotely, an adversary must use it in "
            "conjunction with RDP. Ensure that Network Level Authentication is enabled "
            "to force the remote desktop session to authenticate before the session is "
            "created and the login screen displayed. It is enabled by default on "
            "Windows Vista and later.")
    print_mitigation(text)

def mitigation_privil_account():
    text = ("Audit account and group permissions to ensure that accounts "
            "used to manage servers do not overlap with accounts and permissions "
            "of users in the internal network that could be acquired through "
            "Credential Access and used to log into the Web server and plant a "
            "Web shell or pivot from the Web server into the internal network.")
    print_mitigation(text)

def mitigation_user_account_manag():
    text = ("Ensure users and user groups have appropriate permissions for their "
            "roles through Identity and Access Management (IAM) controls. Configure user "
            "permissions, groups, and roles for access to cloud-based systems as well. "
            "Implement strict IAM controls to prevent access to systems except for the "
            "applications, users, and services that require access. Consider using "
            "temporary credentials that are only good for a certain period of time "
            "in cloud environments to reduce the effectiveness of compromised accounts.")
    print_mitigation(text)

def mitigation_execution_prevention():
    text = ("Adversaries can replace accessibility features binaries with "
            "alternate binaries to execute this technique. Identify and block "
            "potentially malicious software executed through accessibility features "
            "functionality by using application whitelisting tools, like Windows "
            "Defender Application Control, AppLocker, or Software Restriction Policies "
            "where appropriate.")
    print_mitigation(text)

def mitigation_priv_account_manag():
    text = ("Audit domain and local accounts as well as their permission "
            "levels routinely to look for situations that could allow an adversary "
            "to gain wide access by obtaining credentials of a privileged account. "
            "These audits should also include if default accounts have been enabled, "
            "or if new local accounts are created that have not been authorized. "
            "Follow best practices for design and administration of an enterprise "
            "network to limit privileged account use across administrative tiers.")
    print_mitigation(text)

def mitigation_exploit_protection():
    text = ("Security applications that look for behavior used during "
            "exploitation such as Windows Defender Exploit Guard (WDEG) and the "
            "Enhanced Mitigation Experience Toolkit (EMET) can be used to mitigate "
            "some exploitation behavior. Control flow integrity checking is another "
            "way to potentially identify and stop a software exploit from occurring. "
            "Many of these protections depend on the architecture and target "
            "application binary for compatibility and may not work for software "
            "components targeted for privilege escalation.")
    print_mitigation(text)

def mitigation_password_policies():
    text = ("Applications and appliances that utilize default username and "
            "password should be changed immediately after the installation, and "
            "before deployment to a production environment. When possible, "
            "applications that use SSH keys should be updated periodically and "
            "properly secured. Ensure that local administrator accounts have complex, "
            "unique passwords across all systems on the network.\nIn cloud "
            "environments, consider rotating access keys within a certain number of "
            "days for reducing the effectiveness of stolen credentials.")
    print_mitigation(text)

def mitigation_privileged_account_management():
    text = ("Limit permissions so that users and user groups cannot create tokens. "
            "This setting should be defined for the local system account only. GPO: Computer "
            "Configuration > [Policies] > Windows Settings > Security Settings > Local "
            "Policies > User Rights Assignment: Create a token object. Also define who can "
            "create a process level token to only the local and network service through GPO: "
            "Computer Configuration > [Policies] > Windows Settings > Security Settings "
            "> Local Policies > User Rights Assignment: Replace a process level token.")
    print_mitigation(text)

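The User Rights Assignment settings named in the two GPO mitigations above (Increase scheduling priority; Create a token object; Replace a process level token) can be verified from a `secedit /export /cfg <file>` dump rather than by clicking through gpedit. The block below is an added example, not code from this page or its project: it parses the [Privilege Rights] section of such an export and reports any principal holding one of those rights beyond the set the mitigation text allows. The privilege constant names and well-known SIDs are standard Windows values; the expected-holder sets are this example's reading of the page text and should be adjusted to local policy, and the sample export is constructed (the S-1-5-21-... SID is a placeholder).

```python
"""Added example (not the page's own code): audit User Rights Assignments
from a secedit INF export against the holders the mitigation text allows."""
import configparser
from typing import Dict, List, Set, Tuple

# Well-known SIDs used in the expectations (standard Windows constants).
LOCAL_SYSTEM = "S-1-5-18"
LOCAL_SERVICE = "S-1-5-19"
NETWORK_SERVICE = "S-1-5-20"
ADMINISTRATORS = "S-1-5-32-544"

# Privilege constant -> (policy display name, SIDs permitted to hold it).
# These sets are this example's reading of the page; adjust to site policy.
EXPECTED: Dict[str, Tuple[str, Set[str]]] = {
    "SeIncreaseBasePriorityPrivilege": ("Increase scheduling priority", {ADMINISTRATORS}),
    "SeCreateTokenPrivilege": ("Create a token object", {LOCAL_SYSTEM}),
    "SeAssignPrimaryTokenPrivilege": ("Replace a process level token", {LOCAL_SERVICE, NETWORK_SERVICE}),
}


def parse_privilege_rights(inf_text: str) -> Dict[str, Set[str]]:
    """Return {privilege: set of holder SIDs} from the [Privilege Rights] section.
    secedit writes holders as comma-separated '*SID' tokens; a privilege that
    nobody holds is simply absent from the export."""
    cp = configparser.ConfigParser(interpolation=None, allow_no_value=True, delimiters=("=",))
    cp.optionxform = str  # keep privilege names case-sensitive
    cp.read_string(inf_text)
    rights: Dict[str, Set[str]] = {}
    if cp.has_section("Privilege Rights"):
        for priv, holders in cp.items("Privilege Rights"):
            tokens = [h.strip().lstrip("*") for h in (holders or "").split(",")]
            rights[priv] = {t for t in tokens if t}
    return rights


def audit_user_rights(inf_text: str) -> List[str]:
    """One finding per privilege held by a principal outside its expected set."""
    rights = parse_privilege_rights(inf_text)
    findings = []
    for priv, (display, allowed) in EXPECTED.items():
        extra = rights.get(priv, set()) - allowed
        if extra:
            findings.append(f"{display} ({priv}) also granted to: {', '.join(sorted(extra))}")
    return findings


# Constructed sample export: "Create a token object" has been granted to a
# domain account (placeholder SID) and "Replace a process level token" also
# to Administrators; "Increase scheduling priority" is as the page recommends.
SAMPLE_EXPORT = """[Unicode]
Unicode=yes
[Privilege Rights]
SeIncreaseBasePriorityPrivilege = *S-1-5-32-544
SeCreateTokenPrivilege = *S-1-5-21-1111111111-2222222222-3333333333-1105
SeAssignPrimaryTokenPrivilege = *S-1-5-19,*S-1-5-20,*S-1-5-32-544
SeShutdownPrivilege = *S-1-5-32-544,*S-1-5-32-545
[Version]
signature="$CHICAGO$"
Revision=1
"""

if __name__ == "__main__":
    for line in audit_user_rights(SAMPLE_EXPORT):
        print(line)
```

A real export is written as UTF-16, so open it with encoding="utf-16" before passing the text to audit_user_rights; names rather than SIDs may appear for principals the exporting host cannot resolve, and the audit treats them as extra holders, which is the safe direction.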
def mitigation_operating_system_configuration():
    text = ("Configure settings for scheduled tasks to force tasks to run "
            "under the context of the authenticated account instead of allowing "
            "them to run as SYSTEM. The associated Registry key is located at "
            "HKLM\\SYSTEM\\CurrentControlSet\\Control\\Lsa\\SubmitControl. The setting "
            "can be configured through GPO: Computer Configuration > [Policies] > "
            "Windows Settings > Security Settings > Local Policies > Security "
            "Options: Domain Controller: Allow server operators to schedule tasks, "
            "set to disabled.")
    print_mitigation(text)

def mitigation_audit():
    text = ("Find and eliminate path interception weaknesses in program "
            "configuration files, scripts, the PATH environment variable, services, "
            "and in shortcuts by surrounding PATH variables with quotation marks "
            "when functions allow for them. Be aware of the search order Windows "
            "uses for executing or loading binaries and use fully qualified paths "
            "wherever appropriate.\nClean up old Windows Registry keys when software "
            "is uninstalled to avoid keys with no associated legitimate binaries. "
            "Periodically search for and correct or report path interception "
            "weaknesses on systems that may have been introduced using custom or "
            "available tools that report software using insecure path configurations.")
    print_mitigation(text)

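The "surround paths with quotation marks" advice above is easiest to apply with a check that finds the unquoted, space-containing executable paths in service and shortcut command lines and produces the quoted form. The following is an added example, not code from this page or its project: it takes a mapping of service name to ImagePath string (constructed inline here; on a live host these come from each service's ImagePath value under HKLM\SYSTEM\CurrentControlSet\Services or from `sc qc`), flags the interceptable ones, and returns the corrected command line. The rule that the executable ends at the first token with an executable suffix is this example's heuristic.

```python
"""Added example (not the page's own code): find unquoted service paths that
contain spaces and produce the quoted fix the mitigation text asks for."""
from typing import Dict, List, Optional

EXE_SUFFIXES = (".exe", ".com", ".bat", ".cmd")


def split_unquoted_command(image_path: str) -> Optional[str]:
    """Return the executable portion of an unquoted command line, or None if
    the path is already quoted (or empty). Heuristic: the executable ends at
    the first space-separated token carrying an executable suffix; everything
    after that is treated as arguments."""
    cmd = image_path.strip()
    if not cmd or cmd.startswith('"'):
        return None
    tokens = cmd.split(" ")
    for i, tok in enumerate(tokens):
        if tok.lower().endswith(EXE_SUFFIXES):
            return " ".join(tokens[: i + 1])
    return cmd  # no recognisable suffix: treat the whole string as the executable


def is_interceptable(image_path: str) -> bool:
    """True when the executable path is unquoted and contains a space, so that
    Windows may resolve a shorter prefix of it before the intended binary."""
    exe = split_unquoted_command(image_path)
    return exe is not None and " " in exe


def quoted_fix(image_path: str) -> str:
    """Return the command line with the executable path wrapped in quotes;
    paths that need no change are returned unchanged."""
    exe = split_unquoted_command(image_path)
    if exe is None or " " not in exe:
        return image_path
    rest = image_path.strip()[len(exe):]
    return f'"{exe}"{rest}'


def audit_image_paths(services: Dict[str, str]) -> List[Dict[str, str]]:
    """One finding per service whose ImagePath is interceptable."""
    findings = []
    for name, path in services.items():
        if is_interceptable(path):
            findings.append({"service": name, "image_path": path, "fix": quoted_fix(path)})
    return findings


# Constructed sample ImagePath values (not real services).
SAMPLE_SERVICES = {
    "GoodSvc": r'"C:\Program Files\Vendor App\svc.exe" -run',
    "BadSvc": r"C:\Program Files\Vendor App\svc.exe -run",
    "SysSvc": r"C:\Windows\System32\svchost.exe -k netsvcs",
    "NoSuffixSvc": r"C:\Tools\my service\agent",
}

if __name__ == "__main__":
    for finding in audit_image_paths(SAMPLE_SERVICES):
        print(finding)
```

Pair the output with a check that the directories in each path are not writable by standard users; an unquoted path whose parent directories are all admin-only is a hygiene issue, while one under a user-writable directory is the case the mitigation text is really about.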
def mitigation_restrict_library_loading():
    text = ("Disallow loading of remote DLLs. This is included by default "
            "in Windows Server 2012+ and is available by patch for XP+ and Server 2003+. "
            "Enable Safe DLL Search Mode to force search for system DLLs "
            "in directories with greater restrictions (e.g. %SYSTEMROOT%) to be used before "
            "local directory DLLs (e.g. a user's home directory). The Safe DLL Search Mode "
            "can be enabled via Group Policy at Computer Configuration > [Policies] > Administrative "
            "Templates > MSS (Legacy): MSS: (SafeDllSearchMode) Enable Safe DLL search mode.\n"
            "The associated Windows Registry key for this is located at "
            "HKLM\\SYSTEM\\CurrentControlSet\\Control\\Session Manager\\SafeDLLSearchMode.")
    print_mitigation(text)

def mitigation_user_account_control():
    text = ("Turn off UAC's privilege elevation for standard users "
            "[HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System] "
            "to automatically deny elevation requests, add: 'ConsentPromptBehaviorUser'"
            "=dword:00000000. Consider enabling installer detection for all users by "
            "adding: 'EnableInstallerDetection'=dword:00000001. This will prompt for "
            "a password for installation and also log the attempt. "
            "\nTo disable installer detection, instead add: 'EnableInstallerDetection'"
            "=dword:00000000. This may prevent potential elevation of privileges through "
            "exploitation during the process of UAC detecting the installer, but will "
            "allow the installation process to continue without being logged.")
    print_mitigation(text)

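Three of the mitigations above are registry-backed settings with a definite hardened value: SubmitControl under Control\Lsa (server operators may not schedule tasks), SafeDllSearchMode under Control\Session Manager, and the two UAC values ConsentPromptBehaviorUser and EnableInstallerDetection under Policies\System. The block below is an added example, not code from this page or its project: it evaluates an observed set of values against those expectations and reports each one that is absent or differs. The checker works on a plain mapping so it runs anywhere; read_live_values() is this example's own helper that fills the mapping with winreg and only runs on Windows, and the sample values are constructed.

```python
"""Added example (not the page's own code): compare registry-backed settings
from the mitigations above against their hardened values."""
import sys
from typing import Dict, List, Optional, Tuple

# (HKLM-relative key path, value name) -> (expected DWORD, what the setting does).
# Expected values are those the page text gives for each setting.
POLICY: Dict[Tuple[str, str], Tuple[int, str]] = {
    (r"SYSTEM\CurrentControlSet\Control\Session Manager", "SafeDllSearchMode"):
        (1, "Safe DLL search mode on: system directories are searched before local ones"),
    (r"SYSTEM\CurrentControlSet\Control\Lsa", "SubmitControl"):
        (0, "Allow server operators to schedule tasks: disabled"),
    (r"SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System", "ConsentPromptBehaviorUser"):
        (0, "UAC: elevation requests from standard users are automatically denied"),
    (r"SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System", "EnableInstallerDetection"):
        (1, "UAC: installer detection on (prompts for credentials and logs the attempt)"),
}


def evaluate(values: Dict[Tuple[str, str], Optional[int]]) -> List[Dict[str, object]]:
    """Compare observed values against POLICY. A value that is absent (None)
    means the Windows default applies, which is reported as a finding because
    the hardened state has not been explicitly set."""
    findings = []
    for (key, name), (expected, meaning) in POLICY.items():
        observed = values.get((key, name))
        if observed != expected:
            findings.append({"key": key, "name": name, "expected": expected,
                             "observed": observed, "meaning": meaning})
    return findings


def read_live_values() -> Dict[Tuple[str, str], Optional[int]]:
    """Windows only: read each POLICY value from HKLM with winreg (None if absent)."""
    if not sys.platform.startswith("win"):
        raise RuntimeError("live registry reads need Windows")
    import winreg  # imported lazily so the module loads on other platforms
    out: Dict[Tuple[str, str], Optional[int]] = {}
    for key, name in POLICY:
        try:
            with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, key) as handle:
                out[(key, name)] = winreg.QueryValueEx(handle, name)[0]
        except OSError:
            out[(key, name)] = None
    return out


# Constructed sample: Safe DLL search mode explicitly on, server operators may
# schedule tasks (1), UAC prompts standard users (3), installer detection unset.
SAMPLE_VALUES: Dict[Tuple[str, str], Optional[int]] = {
    (r"SYSTEM\CurrentControlSet\Control\Session Manager", "SafeDllSearchMode"): 1,
    (r"SYSTEM\CurrentControlSet\Control\Lsa", "SubmitControl"): 1,
    (r"SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System", "ConsentPromptBehaviorUser"): 3,
}

if __name__ == "__main__":
    source = read_live_values() if sys.platform.startswith("win") else SAMPLE_VALUES
    for f in evaluate(source):
        print(f"HKLM\\{f['key']}\\{f['name']}: expected {f['expected']}, "
              f"observed {f['observed']} ({f['meaning']})")
```

Because EnableInstallerDetection has two legitimate settings in the text (1 to prompt and log, 0 to avoid exploitation of the detection step at the cost of logging), the expected value in POLICY encodes the first choice; flip it to 0 if the organisation has chosen the second.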
def mitigation_privileged_account_manag():
    text = ("Audit domain and local accounts as well as their permission "
            "levels routinely to look for situations that could allow an adversary to "
            "gain wide access by obtaining credentials of a privileged account. These "
            "audits should also include if default accounts have been enabled, or if "
            "new local accounts are created that have not been authorized. Do not put "
            "user or admin domain accounts in the local administrator groups across "
            "systems unless they are tightly controlled and use of accounts is "
            "segmented, as this is often equivalent to having a local administrator "
            "account with the same password on all systems. Follow best practices "
            "for design and administration of an enterprise network to limit "
            "privileged account use across administrative tiers. Limit credential "
            "overlap across systems to prevent access if account credentials are obtained.")
    print_mitigation(text)