Currently viewing ATT&CK v8.2 which was live between October 27, 2020 and April 28, 2021. Learn more about the versioning system or see the live site.
MITIGATIONS
Enterprise
Restrict Web-Based Content
Mobile
MITIGATIONS
Enterprise
A-C
D-F
G-I
No mitigations
J-L
M-O
P-R
S-U
V-X
Y-Z
No mitigations
Mobile
A-C
D-F
G-I
J-L
M-O
No mitigations
P-R
No mitigations
S-U
V-X
No mitigations
Y-Z
No mitigations
  1. Home
  2. Mitigations
  3. Disable or Remove Feature or Program

Disable or Remove Feature or Program

Remove or deny access to unnecessary and potentially vulnerable software to prevent abuse by adversaries.

ID: M1042
Version: 1.1
Created: 11 June 2019
Last Modified: 31 March 2020

Techniques Addressed by Mitigation

Domain ID Name Use
Enterprise T1098 .004 Account Manipulation: SSH Authorized Keys

Disable SSH if it is not necessary on a host or restrict SSH access for specific users/groups using /etc/ssh/sshd_config.
Enterprise T1547 .007 Boot or Logon Autostart Execution: Re-opened Applications

This feature can be disabled entirely with the following terminal command: defaults write -g ApplePersistence -bool no.
Enterprise T1059 Command and Scripting Interpreter

Disable or remove any unnecessary or unused shells or interpreters.
.001 PowerShell

It may be possible to remove PowerShell from systems when not needed, but a review should be performed to assess the impact to an environment, since it could be in use for many legitimate purposes and administrative functions.

Disable/restrict the WinRM Service to help prevent uses of PowerShell for remote execution.
.005 Visual Basic

Turn off or restrict access to unneeded VB components.
.007 JavaScript/JScript

Turn off or restrict access to unneeded scripting components.
Enterprise T1092 Communication Through Removable Media

Disable Autoruns if it is unnecessary.[1]
Enterprise T1546 .002 Event Triggered Execution: Screensaver

Use Group Policy to disable screensavers if they are unnecessary.[2]
.014 Event Triggered Execution: Emond

Consider disabling emond by removing the Launch Daemon plist file.
Enterprise T1011 .001 Exfiltration Over Other Network Medium: Exfiltration Over Bluetooth

Disable Bluetooth in local computer security settings or by group policy if it is not needed within an environment.
Enterprise T1052 Exfiltration Over Physical Medium

Disable Autorun if it is unnecessary. [1] Disallow or restrict removable media at an organizational policy level if they are not required for business operations. [3]
.001 Exfiltration over USB

Disable Autorun if it is unnecessary. [1] Disallow or restrict removable media at an organizational policy level if they are not required for business operations. [3]
Enterprise T1210 Exploitation of Remote Services

Minimize available services to only those that are necessary.
Enterprise T1133 External Remote Services

Disable or block remotely available services that may be unnecessary.
Enterprise T1564 .006 Hide Artifacts: Run Virtual Instance

Disable Hyper-V if not necessary within a given environment.
.007 Hide Artifacts: VBA Stomping

Turn off or restrict access to unneeded VB components.[4]
Enterprise T1559 Inter-Process Communication

Registry keys specific to Microsoft Office feature control security can be set to disable automatic DDE/OLE execution. [5][6][7] Microsoft also created, and enabled by default, Registry keys to completely disable DDE execution in Word and Excel.[8]
.002 Dynamic Data Exchange

Registry keys specific to Microsoft Office feature control security can be set to disable automatic DDE/OLE execution. [5][6][7] Microsoft also created, and enabled by default, Registry keys to completely disable DDE execution in Word and Excel.[8]
Enterprise T1557 Man-in-the-Middle

Disable legacy network protocols that may be used for MiTM if applicable and they are not needed within an environment.
.001 LLMNR/NBT-NS Poisoning and SMB Relay

Disable LLMNR and NetBIOS in local computer security settings or by group policy if they are not needed within an environment. [9]
.002 ARP Cache Poisoning

Consider disabling updating the ARP cache on gratuitous ARP replies.
Enterprise T1046 Network Service Scanning

Ensure that unnecessary ports and services are closed to prevent risk of discovery and potential exploitation.
Enterprise T1137 Office Application Startup

Follow Office macro security best practices suitable for your environment. Disable Office VBA macros from executing.

Disable Office add-ins. If they are required, follow best practices for securing them by requiring them to be signed and disabling user notification for allowing add-ins. For some add-ins types (WLL, VBA) additional mitigation is likely required as disabling add-ins in the Office Trust Center does not disable WLL nor does it prevent VBA code from executing. [10]
.001 Office Template Macros

Follow Office macro security best practices suitable for your environment. Disable Office VBA macros from executing.

Disable Office add-ins. If they are required, follow best practices for securing them by requiring them to be signed and disabling user notification for allowing add-ins. For some add-ins types (WLL, VBA) additional mitigation is likely required as disabling add-ins in the Office Trust Center does not disable WLL nor does it prevent VBA code from executing. [10]
Enterprise T1563 Remote Service Session Hijacking

Disable the remote service (ex: SSH, RDP, etc.) if it is unnecessary.
.001 SSH Hijacking

Ensure that agent forwarding is disabled on systems that do not explicitly require this feature to prevent misuse. [11]
.002 RDP Hijacking

Disable the RDP service if it is unnecessary.
Enterprise T1021 .001 Remote Services: Remote Desktop Protocol

Disable the RDP service if it is unnecessary.
.003 Remote Services: Distributed Component Object Model

Consider disabling DCOM through Dcomcnfg.exe.[12]
.004 Remote Services: SSH

Disable the SSH daemon on systems that do not require it.
.005 Remote Services: VNC

Uninstall any VNC server software where not required.
.006 Remote Services: Windows Remote Management

Disable the WinRM service.
Enterprise T1091 Replication Through Removable Media

Disable Autorun if it is unnecessary. [1] Disallow or restrict removable media at an organizational policy level if it is not required for business operations. [3]
Enterprise T1218 Signed Binary Proxy Execution

Many native binaries may not be necessary within a given environment.
.003 CMSTP

CMSTP.exe may not be necessary within a given environment (unless using it for VPN connection installation).
.004 InstallUtil

InstallUtil may not be necessary within a given environment.
.005 Mshta

Mshta.exe may not be necessary within a given environment since its functionality is tied to older versions of Internet Explorer that have reached end of life.
.009 Regsvcs/Regasm

Regsvcs and Regasm may not be necessary within a given environment.
.008 Odbcconf

Odbcconf.exe may not be necessary within a given environment.
.012 Verclsid

Consider removing verclsid.exe if it is not necessary within a given environment.
Enterprise T1221 Template Injection

Consider disabling Microsoft Office macros/active content to prevent the execution of malicious payloads in documents [13], though this setting may not mitigate the Forced Authentication use for this technique.
Enterprise T1127 Trusted Developer Utilities Proxy Execution

Specific developer utilities may not be necessary within a given environment and should be removed if not used.
.001 MSBuild

MSBuild.exe may not be necessary within an environment and should be removed if not being used.
Enterprise T1552 .005 Unsecured Credentials: Cloud Instance Metadata API

Disable unnecessary metadata services and restrict or disable insecure versions of metadata services that are in use to prevent adversary access.[14]

References

  1. Microsoft. (n.d.). How to disable the Autorun functionality in Windows. Retrieved April 20, 2016.
  2. Microsoft. (n.d.). Customizing the Desktop. Retrieved December 5, 2017.
  3. Microsoft. (2007, August 31). https://technet.microsoft.com/en-us/library/cc771759(v=ws.10).aspx. Retrieved April 20, 2016.
  4. Microsoft. (2020, January 23). How to turn off Visual Basic for Applications when you deploy Office. Retrieved September 17, 2020.
  5. Microsoft. (2017, November 8). Microsoft Security Advisory 4053440 - Securely opening Microsoft Office documents that contain Dynamic Data Exchange (DDE) fields. Retrieved November 21, 2017.
  6. Cimpanu, C. (2017, December 15). Microsoft Disables DDE Feature in Word to Prevent Further Malware Attacks. Retrieved December 19, 2017.
  7. Dormann, W. (2017, October 20). Disable DDEAUTO for Outlook, Word, OneNote, and Excel versions 2010, 2013, 2016. Retrieved February 3, 2018.
  1. Microsoft. (2017, December 12). ADV170021 - Microsoft Office Defense in Depth Update. Retrieved February 3, 2018.
  2. Metcalf, S. (2016, October 21). Securing Windows Workstations: Developing a Secure Baseline. Retrieved November 17, 2017.
  3. Knowles, W. (2017, April 21). Add-In Opportunities for Office Persistence. Retrieved July 3, 2017.
  4. Hatch, B. (2004, November 22). SSH and ssh-agent. Retrieved January 8, 2018.
  5. Microsoft. (n.d.). Enable or Disable DCOM. Retrieved November 22, 2017.
  6. Microsoft. (n.d.). Enable or disable macros in Office files. Retrieved September 13, 2018.
  7. MacCarthaigh, C. (2019, November 19). Add defense in depth against open firewalls, reverse proxies, and SSRF vulnerabilities with enhancements to the EC2 Instance Metadata Service. Retrieved October 14, 2020.