Network Intrusion Prevention, Mitigation M1031 - Enterprise | MITRE ATT&CK®
<!DOCTYPE html> <html lang='en'> <head> <meta charset='utf-8'> <meta name='viewport' content='width=device-width, initial-scale=1, shrink-to-fit=no'> <meta http-equiv="X-UA-Compatible" content="IE=edge"> <link rel='shortcut icon' href="/versions/v9/theme/favicon.ico" type='image/x-icon'> <title>Network Intrusion Prevention, Mitigation M1031 - Enterprise | MITRE ATT&CK®</title> <!-- Bootstrap CSS --> <link rel='stylesheet' href="/versions/v9/theme/style/bootstrap.min.css" /> <link rel='stylesheet' href="/versions/v9/theme/style/bootstrap-glyphicon.min.css" /> <link rel='stylesheet' href="/versions/v9/theme/style/bootstrap-tourist.css" /> <link rel="stylesheet" type="text/css" href="/versions/v9/theme/style.min.css?426cc53a"> </head> <body> <!--stopindex--> <header> <nav class='navbar navbar-expand-lg navbar-dark fixed-top'> <a class='navbar-brand' href="/versions/v9/"><img src="/versions/v9/theme/images/mitre_attack_logo.png" class="attack-logo"></a> <button class='navbar-toggler' type='button' data-toggle='collapse' data-target='#navbarCollapse' aria-controls='navbarCollapse' aria-expanded='false' aria-label='Toggle navigation'> <span class='navbar-toggler-icon'></span> </button> <div class='collapse navbar-collapse' id='navbarCollapse'> <ul class='nav nav-tabs ml-auto'> <li class="nav-item"> <a href="/versions/v9/matrices/" class="nav-link" ><b>Matrices</b></a> </li> <li class="nav-item dropdown"> <a class="nav-link dropdown-toggle" href="/versions/v9/tactics/" id="navbarDropdown" role="button" data-toggle="dropdown" aria-haspopup="true" aria-expanded="false"> <b>Tactics</b> </a> <div class="dropdown-menu " 
aria-labelledby="navbarDropdown"> <a class="dropdown-item" href="/versions/v9/tactics/enterprise/">Enterprise</a> <a class="dropdown-item" href="/versions/v9/tactics/mobile/">Mobile</a> </div> </li> <li class="nav-item dropdown"> <a class="nav-link dropdown-toggle" href="/versions/v9/techniques/" id="navbarDropdown" role="button" data-toggle="dropdown" aria-haspopup="true" aria-expanded="false"> <b>Techniques</b> </a> <div class="dropdown-menu " aria-labelledby="navbarDropdown"> <a class="dropdown-item" href="/versions/v9/techniques/enterprise/">Enterprise</a> <a class="dropdown-item" href="/versions/v9/techniques/mobile/">Mobile</a> </div> </li> <li class="nav-item dropdown"> <a class="nav-link dropdown-toggle" href="/versions/v9/mitigations/" id="navbarDropdown" role="button" data-toggle="dropdown" aria-haspopup="true" aria-expanded="false"> <b>Mitigations</b> </a> <div class="dropdown-menu " aria-labelledby="navbarDropdown"> <a class="dropdown-item" href="/versions/v9/mitigations/enterprise/">Enterprise</a> <a class="dropdown-item" href="/versions/v9/mitigations/mobile/">Mobile</a> </div> </li> <li class="nav-item"> <a href="/versions/v9/groups" class="nav-link" ><b>Groups</b></a> </li> <li class="nav-item"> <a href="/versions/v9/software/" class="nav-link" ><b>Software</b></a> </li> <li class="nav-item dropdown"> <a class="nav-link dropdown-toggle" href="/versions/v9/resources/" id="navbarDropdown" role="button" data-toggle="dropdown" aria-haspopup="true" aria-expanded="false"> <b>Resources</b> </a> <div class="dropdown-menu " aria-labelledby="navbarDropdown"> <a class="dropdown-item" href="/versions/v9/resources/">General Information</a> <a class="dropdown-item" href="/versions/v9/resources/getting-started/">Getting Started</a> <a class="dropdown-item" href="/versions/v9/resources/training/">Training</a> <a class="dropdown-item" href="/versions/v9/resources/attackcon/">ATT&CKcon</a> <a class="dropdown-item" 
href="/versions/v9/resources/working-with-attack/">Working with ATT&CK</a> <a class="dropdown-item" href="/versions/v9/resources/faq/">FAQ</a> <a class="dropdown-item" href="/resources/updates/">Updates</a> <a class="dropdown-item" href="/resources/versions/">Versions of ATT&CK</a> <a class="dropdown-item" href="/versions/v9/resources/related-projects/">Related Projects</a> </div> </li> <li class="nav-item"> <a href="https://medium.com/mitre-attack/" target="_blank" class="nav-link"> <b>Blog</b> <img src="/versions/v9/theme/images/external-site.svg" alt="External site" class="external-icon" /> </a> </li> <li class="nav-item"> <a href="/versions/v9/resources/contribute/" class="nav-link" ><b>Contribute</b></a> </li> <li class="nav-item"> <button id="search-button" class="btn search-button">Search <div class="search-icon"></div></button> </li> </ul> </div> </nav> </header> <!-- don't edit or remove the line below even though it's commented out, it gets parsed and replaced by the versioning feature --> <div class="container-fluid version-banner"><div class="icon-inline baseline mr-1"><img src="/versions/v9/theme/images/icon-warning-24px.svg"></div>Currently viewing <a href="https://github.com/mitre/cti/releases/tag/ATT%26CK-v9.0" target="_blank">ATT&CK v9.0</a> which was live between April 29, 2021 and October 20, 2021. 
<a href="/resources/versions/">Learn more about the versioning system</a> or <a href="/">see the live site</a>.</div> <div id='content' class="maincontent"> <!--start-indexing-for-search--> <div class='container-fluid h-100'> <div class='row h-100'> <div class="nav flex-column col-xl-2 col-lg-3 col-md-3 sidebar nav pt-5 pb-3 pl-3 border-right" id="v-tab" role="tablist" aria-orientation="vertical"> <!--stop-indexing-for-search--> <div class="group-nav-desktop-view"> <span class="heading" id="v-home-tab" aria-selected="false">MITIGATIONS</span> <div class="sidenav"> <div class="sidenav-head " id="enterprise"> <a href="/versions/v9/mitigations/enterprise/"> Enterprise </a> <div class="expand-button collapsed" id="enterprise-header" data-toggle="collapse" data-target="#enterprise-body" aria-expanded="false" aria-controls="#enterprise-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-body" aria-labelledby="enterprise-header"> <div class="sidenav"> <div class="sidenav-head" id="enterprise-Account Use Policies"> <a href="/versions/v9/mitigations/M1036/"> Account Use Policies </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-Active Directory Configuration"> <a href="/versions/v9/mitigations/M1015/"> Active Directory Configuration </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-Antivirus/Antimalware"> <a href="/versions/v9/mitigations/M1049/"> Antivirus/Antimalware </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-Application Developer Guidance"> <a href="/versions/v9/mitigations/M1013/"> Application Developer Guidance </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-Application Isolation and Sandboxing"> <a href="/versions/v9/mitigations/M1048/"> Application Isolation and Sandboxing </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-Audit"> <a href="/versions/v9/mitigations/M1047/"> Audit </a> 
</div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-Behavior Prevention on Endpoint"> <a href="/versions/v9/mitigations/M1040/"> Behavior Prevention on Endpoint </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-Boot Integrity"> <a href="/versions/v9/mitigations/M1046/"> Boot Integrity </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-Code Signing"> <a href="/versions/v9/mitigations/M1045/"> Code Signing </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-Credential Access Protection"> <a href="/versions/v9/mitigations/M1043/"> Credential Access Protection </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-Data Backup"> <a href="/versions/v9/mitigations/M1053/"> Data Backup </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-Disable or Remove Feature or Program"> <a href="/versions/v9/mitigations/M1042/"> Disable or Remove Feature or Program </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-Do Not Mitigate"> <a href="/versions/v9/mitigations/M1055/"> Do Not Mitigate </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-Encrypt Sensitive Information"> <a href="/versions/v9/mitigations/M1041/"> Encrypt Sensitive Information </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-Environment Variable Permissions"> <a href="/versions/v9/mitigations/M1039/"> Environment Variable Permissions </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-Execution Prevention"> <a href="/versions/v9/mitigations/M1038/"> Execution Prevention </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-Exploit Protection"> <a href="/versions/v9/mitigations/M1050/"> Exploit Protection </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-Filter 
Network Traffic"> <a href="/versions/v9/mitigations/M1037/"> Filter Network Traffic </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-Limit Access to Resource Over Network"> <a href="/versions/v9/mitigations/M1035/"> Limit Access to Resource Over Network </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-Limit Hardware Installation"> <a href="/versions/v9/mitigations/M1034/"> Limit Hardware Installation </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-Limit Software Installation"> <a href="/versions/v9/mitigations/M1033/"> Limit Software Installation </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-Multi-factor Authentication"> <a href="/versions/v9/mitigations/M1032/"> Multi-factor Authentication </a> </div> </div> <div class="sidenav"> <div class="sidenav-head active" id="enterprise-Network Intrusion Prevention"> <a href="/versions/v9/mitigations/M1031/"> Network Intrusion Prevention </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-Network Segmentation"> <a href="/versions/v9/mitigations/M1030/"> Network Segmentation </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-Operating System Configuration"> <a href="/versions/v9/mitigations/M1028/"> Operating System Configuration </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-Password Policies"> <a href="/versions/v9/mitigations/M1027/"> Password Policies </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-Pre-compromise"> <a href="/versions/v9/mitigations/M1056/"> Pre-compromise </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-Privileged Account Management"> <a href="/versions/v9/mitigations/M1026/"> Privileged Account Management </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-Privileged Process 
Integrity"> <a href="/versions/v9/mitigations/M1025/"> Privileged Process Integrity </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-Remote Data Storage"> <a href="/versions/v9/mitigations/M1029/"> Remote Data Storage </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-Restrict File and Directory Permissions"> <a href="/versions/v9/mitigations/M1022/"> Restrict File and Directory Permissions </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-Restrict Library Loading"> <a href="/versions/v9/mitigations/M1044/"> Restrict Library Loading </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-Restrict Registry Permissions"> <a href="/versions/v9/mitigations/M1024/"> Restrict Registry Permissions </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-Restrict Web-Based Content"> <a href="/versions/v9/mitigations/M1021/"> Restrict Web-Based Content </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-Software Configuration"> <a href="/versions/v9/mitigations/M1054/"> Software Configuration </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-SSL/TLS Inspection"> <a href="/versions/v9/mitigations/M1020/"> SSL/TLS Inspection </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-Threat Intelligence Program"> <a href="/versions/v9/mitigations/M1019/"> Threat Intelligence Program </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-Update Software"> <a href="/versions/v9/mitigations/M1051/"> Update Software </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-User Account Control"> <a href="/versions/v9/mitigations/M1052/"> User Account Control </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-User Account Management"> <a 
href="/versions/v9/mitigations/M1018/"> User Account Management </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-User Training"> <a href="/versions/v9/mitigations/M1017/"> User Training </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-Vulnerability Scanning"> <a href="/versions/v9/mitigations/M1016/"> Vulnerability Scanning </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="mobile"> <a href="/versions/v9/mitigations/mobile/"> Mobile </a> <div class="expand-button collapsed" id="mobile-header" data-toggle="collapse" data-target="#mobile-body" aria-expanded="false" aria-controls="#mobile-body"></div> </div> <div class="sidenav-body collapse" id="mobile-body" aria-labelledby="mobile-header"> <div class="sidenav"> <div class="sidenav-head" id="mobile-Application Developer Guidance"> <a href="/versions/v9/mitigations/M1013/"> Application Developer Guidance </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="mobile-Application Vetting"> <a href="/versions/v9/mitigations/M1005/"> Application Vetting </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="mobile-Attestation"> <a href="/versions/v9/mitigations/M1002/"> Attestation </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="mobile-Caution with Device Administrator Access"> <a href="/versions/v9/mitigations/M1007/"> Caution with Device Administrator Access </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="mobile-Deploy Compromised Device Detection Method"> <a href="/versions/v9/mitigations/M1010/"> Deploy Compromised Device Detection Method </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="mobile-Encrypt Network Traffic"> <a href="/versions/v9/mitigations/M1009/"> Encrypt Network Traffic </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="mobile-Enterprise Policy"> <a 
href="/versions/v9/mitigations/M1012/"> Enterprise Policy </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="mobile-Interconnection Filtering"> <a href="/versions/v9/mitigations/M1014/"> Interconnection Filtering </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="mobile-Lock Bootloader"> <a href="/versions/v9/mitigations/M1003/"> Lock Bootloader </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="mobile-Security Updates"> <a href="/versions/v9/mitigations/M1001/"> Security Updates </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="mobile-System Partition Integrity"> <a href="/versions/v9/mitigations/M1004/"> System Partition Integrity </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="mobile-Use Recent OS Version"> <a href="/versions/v9/mitigations/M1006/"> Use Recent OS Version </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="mobile-User Guidance"> <a href="/versions/v9/mitigations/M1011/"> User Guidance </a> </div> </div> </div> </div> </div> <div class="group-nav-mobile-view"> <span class="heading" id="v-home-tab" aria-selected="false">MITIGATIONS</span> <div class="sidenav"> <div class="sidenav-head " id="Enterprise"> <a href="/versions/v9/mitigations/enterprise/"> Enterprise </a> <div class="expand-button collapsed" id="Enterprise-header" data-toggle="collapse" data-target="#Enterprise-body" aria-expanded="false" aria-controls="#Enterprise-body"></div> </div> <div class="sidenav-body collapse" id="Enterprise-body" aria-labelledby="Enterprise-header"> <div class="sidenav"> <div class="sidenav-head " id="Enterprise-cb3a2d149de84665b6c40f9e1f2c28b4"> <span>A-C</span> <div class="expand-button collapsed" id="Enterprise-cb3a2d149de84665b6c40f9e1f2c28b4-header" data-toggle="collapse" data-target="#Enterprise-cb3a2d149de84665b6c40f9e1f2c28b4-body" aria-expanded="false" aria-controls="#Enterprise-cb3a2d149de84665b6c40f9e1f2c28b4-body"></div> </div> 
<div class="sidenav-body collapse" id="Enterprise-cb3a2d149de84665b6c40f9e1f2c28b4-body" aria-labelledby="Enterprise-cb3a2d149de84665b6c40f9e1f2c28b4-header"> <div class="sidenav"> <div class="sidenav-head" id="Enterprise-cb3a2d149de84665b6c40f9e1f2c28b4-b26518ef7e3e4a4f9b20008ff4552b4f"> <a href="/versions/v9/mitigations/M1036/"> Account Use Policies </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="Enterprise-cb3a2d149de84665b6c40f9e1f2c28b4-a6c6636f696a44f9aae5832a7fbe3561"> <a href="/versions/v9/mitigations/M1015/"> Active Directory Configuration </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="Enterprise-cb3a2d149de84665b6c40f9e1f2c28b4-37df1053fe4249da8e26fda6d3af360a"> <a href="/versions/v9/mitigations/M1049/"> Antivirus/Antimalware </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="Enterprise-cb3a2d149de84665b6c40f9e1f2c28b4-4e1d87f8cc704be9aeccda5a2f410f7d"> <a href="/versions/v9/mitigations/M1013/"> Application Developer Guidance </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="Enterprise-cb3a2d149de84665b6c40f9e1f2c28b4-8796437fde6c45ac974cfadd24dfdb9f"> <a href="/versions/v9/mitigations/M1048/"> Application Isolation and Sandboxing </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="Enterprise-cb3a2d149de84665b6c40f9e1f2c28b4-89f7ccb4a1b74278ba05f5f593362a29"> <a href="/versions/v9/mitigations/M1047/"> Audit </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="Enterprise-cb3a2d149de84665b6c40f9e1f2c28b4-365044f73a824ba09883a5a45a63e2b3"> <a href="/versions/v9/mitigations/M1040/"> Behavior Prevention on Endpoint </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="Enterprise-cb3a2d149de84665b6c40f9e1f2c28b4-ebb4492d17604eaaa9add543e60731cc"> <a href="/versions/v9/mitigations/M1046/"> Boot Integrity </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" 
id="Enterprise-cb3a2d149de84665b6c40f9e1f2c28b4-9bd049c3724c47a9be5fdf660067e611"> <a href="/versions/v9/mitigations/M1045/"> Code Signing </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="Enterprise-cb3a2d149de84665b6c40f9e1f2c28b4-3be96c06f27048468fcfbc4fb5564ba6"> <a href="/versions/v9/mitigations/M1043/"> Credential Access Protection </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="Enterprise-13809a781f2244fdb72f26b0759b6e9b"> <span>D-F</span> <div class="expand-button collapsed" id="Enterprise-13809a781f2244fdb72f26b0759b6e9b-header" data-toggle="collapse" data-target="#Enterprise-13809a781f2244fdb72f26b0759b6e9b-body" aria-expanded="false" aria-controls="#Enterprise-13809a781f2244fdb72f26b0759b6e9b-body"></div> </div> <div class="sidenav-body collapse" id="Enterprise-13809a781f2244fdb72f26b0759b6e9b-body" aria-labelledby="Enterprise-13809a781f2244fdb72f26b0759b6e9b-header"> <div class="sidenav"> <div class="sidenav-head" id="Enterprise-13809a781f2244fdb72f26b0759b6e9b-6748c5d27b3f40fcbb68dfe2a35956b0"> <a href="/versions/v9/mitigations/M1053/"> Data Backup </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="Enterprise-13809a781f2244fdb72f26b0759b6e9b-522db8f7d58643028c598b768f0045c9"> <a href="/versions/v9/mitigations/M1042/"> Disable or Remove Feature or Program </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="Enterprise-13809a781f2244fdb72f26b0759b6e9b-842722f6ecdf43c9b549bf7008fec5a7"> <a href="/versions/v9/mitigations/M1055/"> Do Not Mitigate </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="Enterprise-13809a781f2244fdb72f26b0759b6e9b-97750d5dd29045bfb1c73540916440d7"> <a href="/versions/v9/mitigations/M1041/"> Encrypt Sensitive Information </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="Enterprise-13809a781f2244fdb72f26b0759b6e9b-b9ade68745914394be98ee1ff35fe33a"> <a href="/versions/v9/mitigations/M1039/"> 
Environment Variable Permissions </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="Enterprise-13809a781f2244fdb72f26b0759b6e9b-b5925658ce4047448ddb2b647a76b94a"> <a href="/versions/v9/mitigations/M1038/"> Execution Prevention </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="Enterprise-13809a781f2244fdb72f26b0759b6e9b-73a9ee406d59460f922f2b02ccf042e8"> <a href="/versions/v9/mitigations/M1050/"> Exploit Protection </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="Enterprise-13809a781f2244fdb72f26b0759b6e9b-84971b1e0bdb427a82b1c51cd996cc93"> <a href="/versions/v9/mitigations/M1037/"> Filter Network Traffic </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="Enterprise-fe29ba6e13b846c1a0d811eab685bab0"> <span>G-I</span> <div class="expand-button collapsed" id="Enterprise-fe29ba6e13b846c1a0d811eab685bab0-header" data-toggle="collapse" data-target="#Enterprise-fe29ba6e13b846c1a0d811eab685bab0-body" aria-expanded="false" aria-controls="#Enterprise-fe29ba6e13b846c1a0d811eab685bab0-body"></div> </div> <div class="sidenav-body collapse" id="Enterprise-fe29ba6e13b846c1a0d811eab685bab0-body" aria-labelledby="Enterprise-fe29ba6e13b846c1a0d811eab685bab0-header"> <div class="sidenav"> <span>No mitigations</span> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="Enterprise-3ca1ed2178404000a56c368cceb4cd3f"> <span>J-L</span> <div class="expand-button collapsed" id="Enterprise-3ca1ed2178404000a56c368cceb4cd3f-header" data-toggle="collapse" data-target="#Enterprise-3ca1ed2178404000a56c368cceb4cd3f-body" aria-expanded="false" aria-controls="#Enterprise-3ca1ed2178404000a56c368cceb4cd3f-body"></div> </div> <div class="sidenav-body collapse" id="Enterprise-3ca1ed2178404000a56c368cceb4cd3f-body" aria-labelledby="Enterprise-3ca1ed2178404000a56c368cceb4cd3f-header"> <div class="sidenav"> <div class="sidenav-head" 
id="Enterprise-3ca1ed2178404000a56c368cceb4cd3f-3c3cb0b0e2e94c8d9e62ff223695bb48"> <a href="/versions/v9/mitigations/M1035/"> Limit Access to Resource Over Network </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="Enterprise-3ca1ed2178404000a56c368cceb4cd3f-4827eac17f2448c2848b95ca6f6d942e"> <a href="/versions/v9/mitigations/M1034/"> Limit Hardware Installation </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="Enterprise-3ca1ed2178404000a56c368cceb4cd3f-1956f373b40344f3802c2dbccd4ee1f4"> <a href="/versions/v9/mitigations/M1033/"> Limit Software Installation </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="Enterprise-ec73c64f1b7e4c70b469615970d4a045"> <span>M-O</span> <div class="expand-button collapsed" id="Enterprise-ec73c64f1b7e4c70b469615970d4a045-header" data-toggle="collapse" data-target="#Enterprise-ec73c64f1b7e4c70b469615970d4a045-body" aria-expanded="false" aria-controls="#Enterprise-ec73c64f1b7e4c70b469615970d4a045-body"></div> </div> <div class="sidenav-body collapse" id="Enterprise-ec73c64f1b7e4c70b469615970d4a045-body" aria-labelledby="Enterprise-ec73c64f1b7e4c70b469615970d4a045-header"> <div class="sidenav"> <div class="sidenav-head" id="Enterprise-ec73c64f1b7e4c70b469615970d4a045-fcf338ca00264971bde3a73571e6e956"> <a href="/versions/v9/mitigations/M1032/"> Multi-factor Authentication </a> </div> </div> <div class="sidenav"> <div class="sidenav-head active" id="Enterprise-ec73c64f1b7e4c70b469615970d4a045-2965ef908b02496b92af99dcb1f61ac3"> <a href="/versions/v9/mitigations/M1031/"> Network Intrusion Prevention </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="Enterprise-ec73c64f1b7e4c70b469615970d4a045-f21a43b85e644ae4b0bd01352b14edb9"> <a href="/versions/v9/mitigations/M1030/"> Network Segmentation </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="Enterprise-ec73c64f1b7e4c70b469615970d4a045-9f0b4d356a0b42f3a8387c293481dff7"> <a 
href="/versions/v9/mitigations/M1028/"> Operating System Configuration </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="Enterprise-e848f5054baf4d6e9e5134b879536c3e"> <span>P-R</span> <div class="expand-button collapsed" id="Enterprise-e848f5054baf4d6e9e5134b879536c3e-header" data-toggle="collapse" data-target="#Enterprise-e848f5054baf4d6e9e5134b879536c3e-body" aria-expanded="false" aria-controls="#Enterprise-e848f5054baf4d6e9e5134b879536c3e-body"></div> </div> <div class="sidenav-body collapse" id="Enterprise-e848f5054baf4d6e9e5134b879536c3e-body" aria-labelledby="Enterprise-e848f5054baf4d6e9e5134b879536c3e-header"> <div class="sidenav"> <div class="sidenav-head" id="Enterprise-e848f5054baf4d6e9e5134b879536c3e-a093bbda18e14d76ae0d7a722e1aa49c"> <a href="/versions/v9/mitigations/M1027/"> Password Policies </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="Enterprise-e848f5054baf4d6e9e5134b879536c3e-c0591b37c51e4e74935af30ba017b0a4"> <a href="/versions/v9/mitigations/M1056/"> Pre-compromise </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="Enterprise-e848f5054baf4d6e9e5134b879536c3e-21bda95641f041c0a603eb81526f944e"> <a href="/versions/v9/mitigations/M1026/"> Privileged Account Management </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="Enterprise-e848f5054baf4d6e9e5134b879536c3e-a70b7eae4b5f4a808fa657022cf89c5c"> <a href="/versions/v9/mitigations/M1025/"> Privileged Process Integrity </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="Enterprise-e848f5054baf4d6e9e5134b879536c3e-5aec17da01c945cebda1616cc777d435"> <a href="/versions/v9/mitigations/M1029/"> Remote Data Storage </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="Enterprise-e848f5054baf4d6e9e5134b879536c3e-1c832cabff694d17b2044658ba6d1fb4"> <a href="/versions/v9/mitigations/M1022/"> Restrict File and Directory Permissions </a> </div> </div> <div class="sidenav"> <div 
class="sidenav-head" id="Enterprise-e848f5054baf4d6e9e5134b879536c3e-48dc881e58b44cd3af337ff140242d50"> <a href="/versions/v9/mitigations/M1044/"> Restrict Library Loading </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="Enterprise-e848f5054baf4d6e9e5134b879536c3e-e8f57982a56f4c5193ab543d4b37f7f6"> <a href="/versions/v9/mitigations/M1024/"> Restrict Registry Permissions </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="Enterprise-e848f5054baf4d6e9e5134b879536c3e-cbf376d65b604634bc1e21efbff80910"> <a href="/versions/v9/mitigations/M1021/"> Restrict Web-Based Content </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="Enterprise-17d3e8f462f84419b88db26ec4991e4e"> <span>S-U</span> <div class="expand-button collapsed" id="Enterprise-17d3e8f462f84419b88db26ec4991e4e-header" data-toggle="collapse" data-target="#Enterprise-17d3e8f462f84419b88db26ec4991e4e-body" aria-expanded="false" aria-controls="#Enterprise-17d3e8f462f84419b88db26ec4991e4e-body"></div> </div> <div class="sidenav-body collapse" id="Enterprise-17d3e8f462f84419b88db26ec4991e4e-body" aria-labelledby="Enterprise-17d3e8f462f84419b88db26ec4991e4e-header"> <div class="sidenav"> <div class="sidenav-head" id="Enterprise-17d3e8f462f84419b88db26ec4991e4e-49b9c49c65e04687bf4cbc442218cb8c"> <a href="/versions/v9/mitigations/M1054/"> Software Configuration </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="Enterprise-17d3e8f462f84419b88db26ec4991e4e-b6497cb5fcf649c7b844a0aff1d57d36"> <a href="/versions/v9/mitigations/M1020/"> SSL/TLS Inspection </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="Enterprise-17d3e8f462f84419b88db26ec4991e4e-b99e55cc47ae477abbc13165c911bac6"> <a href="/versions/v9/mitigations/M1019/"> Threat Intelligence Program </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="Enterprise-17d3e8f462f84419b88db26ec4991e4e-c8e7863ca22d42a5bea3629e9ba52966"> <a 
href="/versions/v9/mitigations/M1051/"> Update Software </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="Enterprise-17d3e8f462f84419b88db26ec4991e4e-df2acab411ec44f9be382802b027bccb"> <a href="/versions/v9/mitigations/M1052/"> User Account Control </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="Enterprise-17d3e8f462f84419b88db26ec4991e4e-f33c4d4d715b4e9fa4d8022cabdaaca4"> <a href="/versions/v9/mitigations/M1018/"> User Account Management </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="Enterprise-17d3e8f462f84419b88db26ec4991e4e-4f145dcaa08b4ddeab3a42a423a863ca"> <a href="/versions/v9/mitigations/M1017/"> User Training </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="Enterprise-b03d09f5250a4307b0976fdcfab12f70"> <span>V-X</span> <div class="expand-button collapsed" id="Enterprise-b03d09f5250a4307b0976fdcfab12f70-header" data-toggle="collapse" data-target="#Enterprise-b03d09f5250a4307b0976fdcfab12f70-body" aria-expanded="false" aria-controls="#Enterprise-b03d09f5250a4307b0976fdcfab12f70-body"></div> </div> <div class="sidenav-body collapse" id="Enterprise-b03d09f5250a4307b0976fdcfab12f70-body" aria-labelledby="Enterprise-b03d09f5250a4307b0976fdcfab12f70-header"> <div class="sidenav"> <div class="sidenav-head" id="Enterprise-b03d09f5250a4307b0976fdcfab12f70-16754c6fa0b4455c9c1bf2f1b2938e42"> <a href="/versions/v9/mitigations/M1016/"> Vulnerability Scanning </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="Enterprise-3aedccf4b4014865899b01c6b7d95d81"> <span>Y-Z</span> <div class="expand-button collapsed" id="Enterprise-3aedccf4b4014865899b01c6b7d95d81-header" data-toggle="collapse" data-target="#Enterprise-3aedccf4b4014865899b01c6b7d95d81-body" aria-expanded="false" aria-controls="#Enterprise-3aedccf4b4014865899b01c6b7d95d81-body"></div> </div> <div class="sidenav-body collapse" 
id="Enterprise-3aedccf4b4014865899b01c6b7d95d81-body" aria-labelledby="Enterprise-3aedccf4b4014865899b01c6b7d95d81-header"> <div class="sidenav"> <span>No mitigations</span> </div> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="Mobile"> <a href="/versions/v9/mitigations/mobile/"> Mobile </a> <div class="expand-button collapsed" id="Mobile-header" data-toggle="collapse" data-target="#Mobile-body" aria-expanded="false" aria-controls="#Mobile-body"></div> </div> <div class="sidenav-body collapse" id="Mobile-body" aria-labelledby="Mobile-header"> <div class="sidenav"> <div class="sidenav-head " id="Mobile-c0c2f593de8d4be5ba1c1cec5075d6a1"> <span>A-C</span> <div class="expand-button collapsed" id="Mobile-c0c2f593de8d4be5ba1c1cec5075d6a1-header" data-toggle="collapse" data-target="#Mobile-c0c2f593de8d4be5ba1c1cec5075d6a1-body" aria-expanded="false" aria-controls="#Mobile-c0c2f593de8d4be5ba1c1cec5075d6a1-body"></div> </div> <div class="sidenav-body collapse" id="Mobile-c0c2f593de8d4be5ba1c1cec5075d6a1-body" aria-labelledby="Mobile-c0c2f593de8d4be5ba1c1cec5075d6a1-header"> <div class="sidenav"> <div class="sidenav-head" id="Mobile-c0c2f593de8d4be5ba1c1cec5075d6a1-0e584d21760e46a3b2c84ceb8a8df29e"> <a href="/versions/v9/mitigations/M1013/"> Application Developer Guidance </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="Mobile-c0c2f593de8d4be5ba1c1cec5075d6a1-b04c6cf9b2c04ab3b2845d57ba67c9eb"> <a href="/versions/v9/mitigations/M1005/"> Application Vetting </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="Mobile-c0c2f593de8d4be5ba1c1cec5075d6a1-5668ab8664a749dd8dab0b64e16b4cb6"> <a href="/versions/v9/mitigations/M1002/"> Attestation </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="Mobile-c0c2f593de8d4be5ba1c1cec5075d6a1-ebb4f5601a864cc9a9eb45dca2c76ba2"> <a href="/versions/v9/mitigations/M1007/"> Caution with Device Administrator Access </a> </div> </div> </div> </div> <div 
class="sidenav"> <div class="sidenav-head " id="Mobile-974c7cdf3eac484db432f8698f365acd"> <span>D-F</span> <div class="expand-button collapsed" id="Mobile-974c7cdf3eac484db432f8698f365acd-header" data-toggle="collapse" data-target="#Mobile-974c7cdf3eac484db432f8698f365acd-body" aria-expanded="false" aria-controls="#Mobile-974c7cdf3eac484db432f8698f365acd-body"></div> </div> <div class="sidenav-body collapse" id="Mobile-974c7cdf3eac484db432f8698f365acd-body" aria-labelledby="Mobile-974c7cdf3eac484db432f8698f365acd-header"> <div class="sidenav"> <div class="sidenav-head" id="Mobile-974c7cdf3eac484db432f8698f365acd-c0a1f8c7bac1431482c6edbce4e1fb7e"> <a href="/versions/v9/mitigations/M1010/"> Deploy Compromised Device Detection Method </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="Mobile-974c7cdf3eac484db432f8698f365acd-8955ce326e564e24ac239cbe690037be"> <a href="/versions/v9/mitigations/M1009/"> Encrypt Network Traffic </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="Mobile-974c7cdf3eac484db432f8698f365acd-e9b782cedc674885a328e8286164268e"> <a href="/versions/v9/mitigations/M1012/"> Enterprise Policy </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="Mobile-e7e19d468f7840429d15ad34983e34d1"> <span>G-I</span> <div class="expand-button collapsed" id="Mobile-e7e19d468f7840429d15ad34983e34d1-header" data-toggle="collapse" data-target="#Mobile-e7e19d468f7840429d15ad34983e34d1-body" aria-expanded="false" aria-controls="#Mobile-e7e19d468f7840429d15ad34983e34d1-body"></div> </div> <div class="sidenav-body collapse" id="Mobile-e7e19d468f7840429d15ad34983e34d1-body" aria-labelledby="Mobile-e7e19d468f7840429d15ad34983e34d1-header"> <div class="sidenav"> <div class="sidenav-head" id="Mobile-e7e19d468f7840429d15ad34983e34d1-102cde30bc0447a1a84afef4935af8c7"> <a href="/versions/v9/mitigations/M1014/"> Interconnection Filtering </a> </div> </div> </div> </div> <div class="sidenav"> <div 
class="sidenav-head " id="Mobile-5345a9cc0d114728bf7ec50fd1896d43"> <span>J-L</span> <div class="expand-button collapsed" id="Mobile-5345a9cc0d114728bf7ec50fd1896d43-header" data-toggle="collapse" data-target="#Mobile-5345a9cc0d114728bf7ec50fd1896d43-body" aria-expanded="false" aria-controls="#Mobile-5345a9cc0d114728bf7ec50fd1896d43-body"></div> </div> <div class="sidenav-body collapse" id="Mobile-5345a9cc0d114728bf7ec50fd1896d43-body" aria-labelledby="Mobile-5345a9cc0d114728bf7ec50fd1896d43-header"> <div class="sidenav"> <div class="sidenav-head" id="Mobile-5345a9cc0d114728bf7ec50fd1896d43-dcc35a04a45f4d23a5f382603034b26e"> <a href="/versions/v9/mitigations/M1003/"> Lock Bootloader </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="Mobile-8efc4def5f19457a9fc44ee46eb76b72"> <span>M-O</span> <div class="expand-button collapsed" id="Mobile-8efc4def5f19457a9fc44ee46eb76b72-header" data-toggle="collapse" data-target="#Mobile-8efc4def5f19457a9fc44ee46eb76b72-body" aria-expanded="false" aria-controls="#Mobile-8efc4def5f19457a9fc44ee46eb76b72-body"></div> </div> <div class="sidenav-body collapse" id="Mobile-8efc4def5f19457a9fc44ee46eb76b72-body" aria-labelledby="Mobile-8efc4def5f19457a9fc44ee46eb76b72-header"> <div class="sidenav"> <span>No mitigations</span> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="Mobile-98b878fc60de4b86963babecaeb73561"> <span>P-R</span> <div class="expand-button collapsed" id="Mobile-98b878fc60de4b86963babecaeb73561-header" data-toggle="collapse" data-target="#Mobile-98b878fc60de4b86963babecaeb73561-body" aria-expanded="false" aria-controls="#Mobile-98b878fc60de4b86963babecaeb73561-body"></div> </div> <div class="sidenav-body collapse" id="Mobile-98b878fc60de4b86963babecaeb73561-body" aria-labelledby="Mobile-98b878fc60de4b86963babecaeb73561-header"> <div class="sidenav"> <span>No mitigations</span> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " 
id="Mobile-bed9852c56de41ae9dd939086cf869d9"> <span>S-U</span> <div class="expand-button collapsed" id="Mobile-bed9852c56de41ae9dd939086cf869d9-header" data-toggle="collapse" data-target="#Mobile-bed9852c56de41ae9dd939086cf869d9-body" aria-expanded="false" aria-controls="#Mobile-bed9852c56de41ae9dd939086cf869d9-body"></div> </div> <div class="sidenav-body collapse" id="Mobile-bed9852c56de41ae9dd939086cf869d9-body" aria-labelledby="Mobile-bed9852c56de41ae9dd939086cf869d9-header"> <div class="sidenav"> <div class="sidenav-head" id="Mobile-bed9852c56de41ae9dd939086cf869d9-1b8512beb13c459bb735930277e2fce1"> <a href="/versions/v9/mitigations/M1001/"> Security Updates </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="Mobile-bed9852c56de41ae9dd939086cf869d9-91eb331fad5747b8b4aa6600862af8cb"> <a href="/versions/v9/mitigations/M1004/"> System Partition Integrity </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="Mobile-bed9852c56de41ae9dd939086cf869d9-22e3bfdcf1eb4efebe8afee057deba34"> <a href="/versions/v9/mitigations/M1006/"> Use Recent OS Version </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="Mobile-bed9852c56de41ae9dd939086cf869d9-32cfecab7d8a4067bcbc16643468aa3a"> <a href="/versions/v9/mitigations/M1011/"> User Guidance </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="Mobile-0a2bc3893e1d4798a1d9db0e6180f818"> <span>V-X</span> <div class="expand-button collapsed" id="Mobile-0a2bc3893e1d4798a1d9db0e6180f818-header" data-toggle="collapse" data-target="#Mobile-0a2bc3893e1d4798a1d9db0e6180f818-body" aria-expanded="false" aria-controls="#Mobile-0a2bc3893e1d4798a1d9db0e6180f818-body"></div> </div> <div class="sidenav-body collapse" id="Mobile-0a2bc3893e1d4798a1d9db0e6180f818-body" aria-labelledby="Mobile-0a2bc3893e1d4798a1d9db0e6180f818-header"> <div class="sidenav"> <span>No mitigations</span> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " 
id="Mobile-c142adcd714545a19ac7cecfb1ab3a1e"> <span>Y-Z</span> <div class="expand-button collapsed" id="Mobile-c142adcd714545a19ac7cecfb1ab3a1e-header" data-toggle="collapse" data-target="#Mobile-c142adcd714545a19ac7cecfb1ab3a1e-body" aria-expanded="false" aria-controls="#Mobile-c142adcd714545a19ac7cecfb1ab3a1e-body"></div> </div> <div class="sidenav-body collapse" id="Mobile-c142adcd714545a19ac7cecfb1ab3a1e-body" aria-labelledby="Mobile-c142adcd714545a19ac7cecfb1ab3a1e-header"> <div class="sidenav"> <span>No mitigations</span> </div> </div> </div> </div> </div> </div> <!--start-indexing-for-search--> </div> <div class="tab-content col-xl-10 col-lg-9 col-md-9 pt-4" id="v-tabContent"> <div class="tab-pane fade show active" id="v-attckmatrix" role="tabpanel" aria-labelledby="v-attckmatrix-tab"> <ol class="breadcrumb"> <li class="breadcrumb-item"><a href="/versions/v9/">Home</a></li> <li class="breadcrumb-item"><a href="/versions/v9/mitigations">Mitigations</a></li> <li class="breadcrumb-item">Network Intrusion Prevention</li> </ol> <div class="tab-pane fade show active" id="v-" role="tabpanel" aria-labelledby="v--tab"></div> <div class="row"> <div class="col-xl-12"> <div class="jumbotron jumbotron-fluid"> <div class="container-fluid"> <h1> Network Intrusion Prevention </h1> <div class="row"> <div class="col-md-8"> <div class="description-body"> <p>Use intrusion detection signatures to block traffic at network boundaries.</p> </div> </div> <div class="col-md-4"> <div class="card"> <div class="card-body"> <div class="card-data"><span class="h5 card-title">ID:</span> M1031</div> <div class="card-data"><span class="h5 card-title">Version:</span> 1.0</div> <div class="card-data"><span class="h5 card-title">Created: </span>10 June 2019</div> <div class="card-data"><span class="h5 card-title">Last Modified: </span>10 June 2019</div> </div> </div> <div class="text-center pt-2 version-button permalink"> <div class="live"> <a data-toggle="tooltip" data-placement="bottom" 
title="Permalink to this version of M1031" href="/versions/v9/mitigations/M1031/" data-test-ignore="true">Version Permalink</a> </div> <div class="permalink"> <a data-toggle="tooltip" data-placement="bottom" title="Go to the live version of M1031" href="/mitigations/M1031/" data-test-ignore="true">Live Version</a><!--do not change this line without also changing versions.py--> </div> </div> </div> </div> <!--stop-indexing-for-search--> <div class="dropdown h3 mt-3 float-right"> <button class="btn btn-navy dropdown-toggle" type="button" id="dropdownMenuButton" data-toggle="dropdown" aria-haspopup="true" aria-expanded="false"> <b>ATT&CK<sup>®</sup> Navigator Layers</b> </button> <div class="dropdown-menu" aria-labelledby="dropdownMenuButton"> <h6 class="dropdown-header">Enterprise Layer</h6> <a class="dropdown-item" href="/versions/v9/mitigations/M1031/M1031-enterprise-layer.json" download target="_blank">download</a> <!-- only show view on navigator link if layer link is defined --> <a class="dropdown-item" href="#" id="view-layer-on-navigator-enterprise" target="_blank">view <img width="10" src="/versions/v9/theme/images/external-site-dark.jpeg"></a> <script src="/versions/v9/theme/scripts/settings.js"></script> <script> if (window.location.protocol == "https:") { //view on navigator only works when this site is hosted on HTTPS layerURL = window.location.protocol + "//" + window.location.host + base_url + "mitigations/M1031/M1031-enterprise-layer.json"; document.getElementById("view-layer-on-navigator-enterprise").href = "https://mitre-attack.github.io/attack-navigator//#layerURL=" + encodeURIComponent(layerURL); } else { //hide button document.getElementById("view-layer-on-navigator-enterprise").classList.add("d-none"); } </script> </div> </div> <!--start-indexing-for-search--> <h2 class="pt-3" id="techniques">Techniques Addressed by Mitigation</h2> <table class="table techniques-used table-bordered mt-2"> <thead> <tr> <th class="p-2" scope="col">Domain</th> <th 
class="p-2" colspan="2">ID</th> <th class="p-2" scope="col">Name</th> <th class="p-2" scope="col">Use</th> </tr> </thead> <tbody> <tr class="technique" id="uses-T1071"> <td> Enterprise </td> <td colspan="2"> <a href="/versions/v9/techniques/T1071">T1071</a> </td> <td> <a href="/versions/v9/techniques/T1071">Application Layer Protocol</a> </td> <td> <p>Network intrusion detection and prevention systems that use network signatures to identify traffic for specific adversary malware can be used to mitigate activity at the network level.</p> </td> </tr> <tr class="sub technique" id="uses-T1071-001"> <td></td> <td></td> <td> <a href="/versions/v9/techniques/T1071/001">.001</a> </td> <td> <a href="/versions/v9/techniques/T1071/001">Web Protocols</a> </td> <td> <p>Network intrusion detection and prevention systems that use network signatures to identify traffic for specific adversary malware can be used to mitigate activity at the network level. </p> </td> </tr> <tr class="sub technique" id="uses-T1071-002"> <td></td> <td></td> <td> <a href="/versions/v9/techniques/T1071/002">.002</a> </td> <td> <a href="/versions/v9/techniques/T1071/002">File Transfer Protocols</a> </td> <td> <p>Network intrusion detection and prevention systems that use network signatures to identify traffic for specific adversary malware can be used to mitigate activity at the network level. </p> </td> </tr> <tr class="sub technique" id="uses-T1071-003"> <td></td> <td></td> <td> <a href="/versions/v9/techniques/T1071/003">.003</a> </td> <td> <a href="/versions/v9/techniques/T1071/003">Mail Protocols</a> </td> <td> <p>Network intrusion detection and prevention systems that use network signatures to identify traffic for specific adversary malware can be used to mitigate activity at the network level. 
</p> </td> </tr> <tr class="sub technique" id="uses-T1071-004"> <td></td> <td></td> <td> <a href="/versions/v9/techniques/T1071/004">.004</a> </td> <td> <a href="/versions/v9/techniques/T1071/004">DNS</a> </td> <td> <p>Network intrusion detection and prevention systems that use network signatures to identify traffic for specific adversary malware can be used to mitigate activity at the network level. </p> </td> </tr> <tr class="technique" id="uses-T1132"> <td> Enterprise </td> <td colspan="2"> <a href="/versions/v9/techniques/T1132">T1132</a> </td> <td> <a href="/versions/v9/techniques/T1132">Data Encoding</a> </td> <td> <p>Network intrusion detection and prevention systems that use network signatures to identify traffic for specific adversary malware can be used to mitigate activity at the network level. Signatures are often for unique indicators within protocols and may be based on the specific obfuscation technique used by a particular adversary or tool, and will likely be different across various malware families and versions. Adversaries will likely change tool C2 signatures over time or construct protocols in such a way as to avoid detection by common defensive tools. <span onclick=scrollToRef('scite-1') id="scite-ref-1-a" class="scite-citeref-number" data-reference="University of Birmingham C2"><sup><a href="https://arxiv.org/ftp/arxiv/papers/1408/1408.1136.pdf" target="_blank" data-hasqtip="0" aria-describedby="qtip-0">[1]</a></sup></span></p> </td> </tr> <tr class="sub technique" id="uses-T1132-001"> <td></td> <td></td> <td> <a href="/versions/v9/techniques/T1132/001">.001</a> </td> <td> <a href="/versions/v9/techniques/T1132/001">Standard Encoding</a> </td> <td> <p>Network intrusion detection and prevention systems that use network signatures to identify traffic for specific adversary malware can be used to mitigate activity at the network level. 
Signatures are often for unique indicators within protocols and may be based on the specific obfuscation technique used by a particular adversary or tool, and will likely be different across various malware families and versions. Adversaries will likely change tool C2 signatures over time or construct protocols in such a way as to avoid detection by common defensive tools.</p> </td> </tr> <tr class="sub technique" id="uses-T1132-002"> <td></td> <td></td> <td> <a href="/versions/v9/techniques/T1132/002">.002</a> </td> <td> <a href="/versions/v9/techniques/T1132/002">Non-Standard Encoding</a> </td> <td> <p>Network intrusion detection and prevention systems that use network signatures to identify traffic for specific adversary malware can be used to mitigate activity at the network level. Signatures are often for unique indicators within protocols and may be based on the specific obfuscation technique used by a particular adversary or tool, and will likely be different across various malware families and versions. 
Adversaries will likely change tool C2 signatures over time or construct protocols in such a way as to avoid detection by common defensive tools.</p> </td> </tr> <tr class="technique" id="uses-T1602"> <td> Enterprise </td> <td colspan="2"> <a href="/versions/v9/techniques/T1602">T1602</a> </td> <td> <a href="/versions/v9/techniques/T1602">Data from Configuration Repository</a> </td> <td> <p>Configure intrusion prevention devices to detect SNMP queries and commands from unauthorized sources.<span onclick=scrollToRef('scite-2') id="scite-ref-2-a" class="scite-citeref-number" data-reference="US-CERT-TA18-106A"><sup><a href="https://www.us-cert.gov/ncas/alerts/TA18-106A" target="_blank" data-hasqtip="1" aria-describedby="qtip-1">[2]</a></sup></span></p> </td> </tr> <tr class="sub technique" id="uses-T1602-001"> <td></td> <td></td> <td> <a href="/versions/v9/techniques/T1602/001">.001</a> </td> <td> <a href="/versions/v9/techniques/T1602/001">SNMP (MIB Dump)</a> </td> <td> <p>Configure intrusion prevention devices to detect SNMP queries and commands from unauthorized sources.<span onclick=scrollToRef('scite-2') id="scite-ref-2-a" class="scite-citeref-number" data-reference="US-CERT-TA18-106A"><sup><a href="https://www.us-cert.gov/ncas/alerts/TA18-106A" target="_blank" data-hasqtip="1" aria-describedby="qtip-1">[2]</a></sup></span></p> </td> </tr> <tr class="sub technique" id="uses-T1602-002"> <td></td> <td></td> <td> <a href="/versions/v9/techniques/T1602/002">.002</a> </td> <td> <a href="/versions/v9/techniques/T1602/002">Network Device Configuration Dump</a> </td> <td> <p>Configure intrusion prevention devices to detect SNMP queries and commands from unauthorized sources. Create signatures to detect Smart Install (SMI) usage from sources other than the trusted director. 
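</p> <p>As an added example (not part of this ATT&CK page or of the cited US-CERT alert) of what "from unauthorized sources" means in practice, the Python below evaluates constructed flow records against an allowlist of SNMP managers and Smart Install directors, and renders the same policy as Suricata rules with negated address groups. The address ranges, the trusted hosts and the sid numbers are assumptions made for the example; UDP/161 is SNMP and TCP/4786 is Cisco Smart Install.</p>

```python
import ipaddress
from dataclasses import dataclass
from typing import Iterable, List

# Constructed policy. Only these sources may poll network devices over SNMP (UDP/161)
# or act as a Smart Install director (TCP/4786); anything else is an alert.
TRUSTED_SNMP_MANAGERS = [ipaddress.ip_network("10.10.0.0/28")]
TRUSTED_SMI_DIRECTORS = [ipaddress.ip_network("10.10.0.5/32")]
NETWORK_DEVICES = [ipaddress.ip_network("10.0.254.0/24")]   # router/switch management addresses

WATCHED_SERVICES = {
    ("udp", 161): ("SNMP query/command", TRUSTED_SNMP_MANAGERS),
    ("tcp", 4786): ("Smart Install (SMI)", TRUSTED_SMI_DIRECTORS),
}


@dataclass
class Flow:
    proto: str
    src: str
    dst: str
    dport: int


@dataclass
class Alert:
    flow: Flow
    reason: str


def parse_flows(lines: Iterable[str]) -> List[Flow]:
    """Parse constructed 'proto src dst dport' records; '#' starts a comment."""
    flows = []
    for line in lines:
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        proto, src, dst, dport = line.split()
        flows.append(Flow(proto.lower(), src, dst, int(dport)))
    return flows


def in_any(addr: str, networks) -> bool:
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in networks)


def evaluate(flows: Iterable[Flow]) -> List[Alert]:
    """Alert on a watched management service reaching a network device from a source
    outside the trusted set. Flows to other destinations are out of scope here."""
    alerts = []
    for flow in flows:
        service = WATCHED_SERVICES.get((flow.proto, flow.dport))
        if service is None or not in_any(flow.dst, NETWORK_DEVICES):
            continue
        label, trusted = service
        if not in_any(flow.src, trusted):
            alerts.append(Alert(flow, f"{label} to {flow.dst} from untrusted source {flow.src}"))
    return alerts


def suricata_rules(base_sid: int = 1000100) -> List[str]:
    """Render the same policy as Suricata rules using negated address groups so the
    IPS can enforce it inline. sid values are arbitrary local-range numbers."""
    devices = "[" + ",".join(str(n) for n in NETWORK_DEVICES) + "]"
    rules = []
    for index, ((proto, port), (label, trusted)) in enumerate(WATCHED_SERVICES.items()):
        sources = "![" + ",".join(str(n) for n in trusted) + "]"
        rules.append(f'alert {proto} {sources} any -> {devices} {port} '
                     f'(msg:"{label} to network device from untrusted source"; '
                     f'sid:{base_sid + index}; rev:1;)')
    return rules


# Constructed flow records.
SAMPLE_FLOWS = """
udp 10.10.0.2    10.0.254.1  161    # authorised poller
udp 10.10.0.2    10.0.254.7  161
udp 192.168.44.9 10.0.254.1  161    # workstation walking a router MIB
tcp 10.10.0.5    10.0.254.1  4786   # the trusted Smart Install director
tcp 192.168.44.9 10.0.254.1  4786   # SMI from a workstation
tcp 192.168.44.9 10.0.254.1  22     # not a watched service
udp 192.168.44.9 10.0.20.15  161    # SNMP to a host that is not a network device
"""

if __name__ == "__main__":
    for alert in evaluate(parse_flows(SAMPLE_FLOWS.splitlines())):
        print(alert.reason)
    print("\n".join(suricata_rules()))
```

<p>Only flows whose destination is a known network-device management address are judged, so SNMP to printers or servers does not add noise. The rules key on the source address rather than on payload content because the behaviour being caught is legitimate protocol usage from the wrong place; the trusted-director and manager lists therefore have to track change management, or the rule will fire on legitimate provisioning.</p> <p>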
<span onclick=scrollToRef('scite-3') id="scite-ref-3-a" class="scite-citeref-number" data-reference="US-CERT TA18-106A Network Infrastructure Devices 2018"><sup><a href="https://us-cert.cisa.gov/ncas/alerts/TA18-106A" target="_blank" data-hasqtip="2" aria-describedby="qtip-2">[3]</a></sup></span></p> </td> </tr> <tr class="technique" id="uses-T1001"> <td> Enterprise </td> <td colspan="2"> <a href="/versions/v9/techniques/T1001">T1001</a> </td> <td> <a href="/versions/v9/techniques/T1001">Data Obfuscation</a> </td> <td> <p>Network intrusion detection and prevention systems that use network signatures to identify traffic for specific adversary malware can be used to mitigate some obfuscation activity at the network level.</p> </td> </tr> <tr class="sub technique" id="uses-T1001-001"> <td></td> <td></td> <td> <a href="/versions/v9/techniques/T1001/001">.001</a> </td> <td> <a href="/versions/v9/techniques/T1001/001">Junk Data</a> </td> <td> <p>Network intrusion detection and prevention systems that use network signatures to identify traffic for specific adversary malware can be used to mitigate some obfuscation activity at the network level. </p> </td> </tr> <tr class="sub technique" id="uses-T1001-002"> <td></td> <td></td> <td> <a href="/versions/v9/techniques/T1001/002">.002</a> </td> <td> <a href="/versions/v9/techniques/T1001/002">Steganography</a> </td> <td> <p>Network intrusion detection and prevention systems that use network signatures to identify traffic for specific adversary malware can be used to mitigate some obfuscation activity at the network level. 
</p> </td> </tr> <tr class="sub technique" id="uses-T1001-003"> <td></td> <td></td> <td> <a href="/versions/v9/techniques/T1001/003">.003</a> </td> <td> <a href="/versions/v9/techniques/T1001/003">Protocol Impersonation</a> </td> <td> <p>Network intrusion detection and prevention systems that use network signatures to identify traffic for specific adversary malware can be used to mitigate some obfuscation activity at the network level.</p> </td> </tr> <tr class="technique" id="uses-T1030"> <td> Enterprise </td> <td colspan="2"> <a href="/versions/v9/techniques/T1030">T1030</a> </td> <td> <a href="/versions/v9/techniques/T1030">Data Transfer Size Limits</a> </td> <td> <p>Network intrusion detection and prevention systems that use network signatures to identify traffic for specific adversary command and control infrastructure and malware can be used to mitigate activity at the network level.</p> </td> </tr> <tr class="technique" id="uses-T1568"> <td> Enterprise </td> <td colspan="2"> <a href="/versions/v9/techniques/T1568">T1568</a> </td> <td> <a href="/versions/v9/techniques/T1568">Dynamic Resolution</a> </td> <td> <p>Network intrusion detection and prevention systems that use network signatures to identify traffic for specific adversary malware can be used to mitigate activity at the network level. 
Malware researchers can reverse engineer malware variants that use dynamic resolution and determine future C2 infrastructure that the malware will attempt to contact, but this is a time and resource intensive effort.<span onclick=scrollToRef('scite-4') id="scite-ref-4-a" class="scite-citeref-number" data-reference="Cybereason Dissecting DGAs"><sup><a href="http://go.cybereason.com/rs/996-YZT-709/images/Cybereason-Lab-Analysis-Dissecting-DGAs-Eight-Real-World-DGA-Variants.pdf" target="_blank" data-hasqtip="3" aria-describedby="qtip-3">[4]</a></sup></span><span onclick=scrollToRef('scite-5') id="scite-ref-5-a" class="scite-citeref-number" data-reference="Cisco Umbrella DGA Brute Force"><sup><a href="https://umbrella.cisco.com/blog/2015/02/18/at-high-noon-algorithms-do-battle/" target="_blank" data-hasqtip="4" aria-describedby="qtip-4">[5]</a></sup></span></p> </td> </tr> <tr class="sub technique" id="uses-T1568-002"> <td></td> <td></td> <td> <a href="/versions/v9/techniques/T1568/002">.002</a> </td> <td> <a href="/versions/v9/techniques/T1568/002">Domain Generation Algorithms</a> </td> <td> <p>Network intrusion detection and prevention systems that use network signatures to identify traffic for specific adversary malware can be used to mitigate activity at the network level. 
Malware researchers can reverse engineer malware variants that use DGAs and determine future domains that the malware will attempt to contact, but this is a time and resource intensive effort.<span onclick=scrollToRef('scite-4') id="scite-ref-4-a" class="scite-citeref-number" data-reference="Cybereason Dissecting DGAs"><sup><a href="http://go.cybereason.com/rs/996-YZT-709/images/Cybereason-Lab-Analysis-Dissecting-DGAs-Eight-Real-World-DGA-Variants.pdf" target="_blank" data-hasqtip="3" aria-describedby="qtip-3">[4]</a></sup></span><span onclick=scrollToRef('scite-5') id="scite-ref-5-a" class="scite-citeref-number" data-reference="Cisco Umbrella DGA Brute Force"><sup><a href="https://umbrella.cisco.com/blog/2015/02/18/at-high-noon-algorithms-do-battle/" target="_blank" data-hasqtip="4" aria-describedby="qtip-4">[5]</a></sup></span> Malware is also increasingly incorporating seed values that can be unique for each instance, which would then need to be determined to extract future generated domains. 
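</p> <p>The following is an added example, not part of this ATT&CK page and not modelled on any real malware, of the workflow this paragraph describes: a deliberately small, hypothetical seeded DGA stands in for a reverse-engineered algorithm; the seed a particular host uses is recovered by matching candidate seeds against names that host tried to resolve; and the domains that seed will produce over the coming week are precomputed for a blocklist. The seed size, the per-day count and the dates are constructed values chosen so the brute force finishes in about a second.</p>

```python
import hashlib
from datetime import date, timedelta
from typing import List, Optional, Set

ALPHABET = "abcdefghijklmnopqrstuvwxyz"
TLDS = ("com", "net", "org", "info")
DOMAINS_PER_DAY = 500    # constructed; real families emit hundreds to thousands per day
SEED_BITS = 8            # constructed; a deliberately tiny per-sample seed space


def toy_dga(seed: int, day: date, count: int = DOMAINS_PER_DAY) -> List[str]:
    """Hypothetical DGA, constructed for this example and not modelled on any real
    malware: every domain is derived from SHA-256(seed, date, index), so the seed
    and the date fully determine that day's candidate set."""
    domains = []
    for index in range(count):
        digest = hashlib.sha256(f"{seed}:{day:%Y%m%d}:{index}".encode()).hexdigest()
        length = 12 + int(digest[0], 16) % 8                   # 12..19 letters
        label = "".join(ALPHABET[int(digest[k:k + 2], 16) % 26]
                        for k in range(2, 2 + 2 * length, 2))
        domains.append(f"{label}.{TLDS[int(digest[-1], 16) % len(TLDS)]}")
    return domains


def recover_seed(observed: Set[str], day: date) -> Optional[int]:
    """Given names one host tried to resolve on `day` (e.g. a burst of NXDOMAIN
    answers in the DNS logs), find the seed whose set explains them. Brute force
    is only affordable because the constructed seed space is tiny; with per-instance
    seeds this step has to be repeated for every sample."""
    for seed in range(2 ** SEED_BITS):
        if observed.intersection(toy_dga(seed, day)):
            return seed
    return None


def future_blocklist(seed: int, start: date, days: int) -> Set[str]:
    """Precompute every domain the recovered seed will produce over the next `days`
    days; this is the set pushed to the IPS or resolver blocklist."""
    block: Set[str] = set()
    for offset in range(days):
        block.update(toy_dga(seed, start + timedelta(days=offset)))
    return block


# Constructed scenario: one infected host, one seed, three lookups seen in DNS logs.
SAMPLE_DAY = date(2021, 4, 29)
SAMPLE_SEED = 173
OBSERVED_QUERIES = set(toy_dga(SAMPLE_SEED, SAMPLE_DAY)[40:43])


def demo(days_ahead: int = 7):
    """Recover the seed from the observed queries and size the resulting blocklist."""
    seed = recover_seed(OBSERVED_QUERIES, SAMPLE_DAY)
    block = future_blocklist(seed, SAMPLE_DAY + timedelta(days=1), days_ahead)
    return seed, len(block)


if __name__ == "__main__":
    seed, size = demo()
    print(f"recovered seed {seed}; {size} domains to block for the next week")
```

<p>Scaling the constants back up shows the cost the paragraph describes: with a 32-bit per-sample seed and a thousand domains a day, brute forcing the seed in <code>recover_seed</code> is no longer practical and the seed has to come from the sample itself or, as noted next, from the DNS traffic; and the weekly blocklist runs to thousands of entries that an IPS or resolver can block but that a defender cannot realistically pre-register.</p> <p>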
In some cases, the seed that a particular sample uses can be extracted from DNS traffic.<span onclick=scrollToRef('scite-6') id="scite-ref-6-a" class="scite-citeref-number" data-reference="Akamai DGA Mitigation"><sup><a href="https://blogs.akamai.com/2018/01/a-death-match-of-domain-generation-algorithms.html" target="_blank" data-hasqtip="5" aria-describedby="qtip-5">[6]</a></sup></span> Even so, there can be thousands of possible domains generated per day; this makes it impractical for defenders to preemptively register all possible C2 domains due to the cost.</p> </td> </tr> <tr class="technique" id="uses-T1573"> <td> Enterprise </td> <td colspan="2"> <a href="/versions/v9/techniques/T1573">T1573</a> </td> <td> <a href="/versions/v9/techniques/T1573">Encrypted Channel</a> </td> <td> <p>Network intrusion detection and prevention systems that use network signatures to identify traffic for specific adversary malware can be used to mitigate activity at the network level.</p> </td> </tr> <tr class="sub technique" id="uses-T1573-001"> <td></td> <td></td> <td> <a href="/versions/v9/techniques/T1573/001">.001</a> </td> <td> <a href="/versions/v9/techniques/T1573/001">Symmetric Cryptography</a> </td> <td> <p>Network intrusion detection and prevention systems that use network signatures to identify traffic for specific adversary malware can be used to mitigate activity at the network level.</p> </td> </tr> <tr class="sub technique" id="uses-T1573-002"> <td></td> <td></td> <td> <a href="/versions/v9/techniques/T1573/002">.002</a> </td> <td> <a href="/versions/v9/techniques/T1573/002">Asymmetric Cryptography</a> </td> <td> <p>Network intrusion detection and prevention systems that use network signatures to identify traffic for specific adversary malware can be used to mitigate activity at the network level.</p> </td> </tr> <tr class="technique" id="uses-T1048"> <td> Enterprise </td> <td colspan="2"> <a href="/versions/v9/techniques/T1048">T1048</a> </td> <td> <a 
href="/versions/v9/techniques/T1048">Exfiltration Over Alternative Protocol</a> </td> <td> <p>Network intrusion detection and prevention systems that use network signatures to identify traffic for specific adversary command and control infrastructure and malware can be used to mitigate activity at the network level.</p> </td> </tr> <tr class="sub technique" id="uses-T1048-001"> <td></td> <td></td> <td> <a href="/versions/v9/techniques/T1048/001">.001</a> </td> <td> <a href="/versions/v9/techniques/T1048/001">Exfiltration Over Symmetric Encrypted Non-C2 Protocol</a> </td> <td> <p>Network intrusion detection and prevention systems that use network signatures to identify traffic for specific adversary command and control infrastructure and malware can be used to mitigate activity at the network level. </p> </td> </tr> <tr class="sub technique" id="uses-T1048-002"> <td></td> <td></td> <td> <a href="/versions/v9/techniques/T1048/002">.002</a> </td> <td> <a href="/versions/v9/techniques/T1048/002">Exfiltration Over Asymmetric Encrypted Non-C2 Protocol</a> </td> <td> <p>Network intrusion detection and prevention systems that use network signatures to identify traffic for specific adversary command and control infrastructure and malware can be used to mitigate activity at the network level. </p> </td> </tr> <tr class="sub technique" id="uses-T1048-003"> <td></td> <td></td> <td> <a href="/versions/v9/techniques/T1048/003">.003</a> </td> <td> <a href="/versions/v9/techniques/T1048/003">Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol</a> </td> <td> <p>Network intrusion detection and prevention systems that use network signatures to identify traffic for specific adversary command and control infrastructure and malware can be used to mitigate activity at the network level. 
</p> </td> </tr> <tr class="technique" id="uses-T1041"> <td> Enterprise </td> <td colspan="2"> <a href="/versions/v9/techniques/T1041">T1041</a> </td> <td> <a href="/versions/v9/techniques/T1041">Exfiltration Over C2 Channel</a> </td> <td> <p>Network intrusion detection and prevention systems that use network signatures to identify traffic for specific adversary malware can be used to mitigate activity at the network level. Signatures are often for unique indicators within protocols and may be based on the specific obfuscation technique used by a particular adversary or tool, and will likely be different across various malware families and versions. Adversaries will likely change tool command and control signatures over time or construct protocols in such a way to avoid detection by common defensive tools. <span onclick=scrollToRef('scite-1') id="scite-ref-1-a" class="scite-citeref-number" data-reference="University of Birmingham C2"><sup><a href="https://arxiv.org/ftp/arxiv/papers/1408/1408.1136.pdf" target="_blank" data-hasqtip="0" aria-describedby="qtip-0">[1]</a></sup></span></p> </td> </tr> <tr class="technique" id="uses-T1008"> <td> Enterprise </td> <td colspan="2"> <a href="/versions/v9/techniques/T1008">T1008</a> </td> <td> <a href="/versions/v9/techniques/T1008">Fallback Channels</a> </td> <td> <p>Network intrusion detection and prevention systems that use network signatures to identify traffic for specific adversary malware can be used to mitigate activity at the network level. Signatures are often for unique indicators within protocols and may be based on the specific protocol used by a particular adversary or tool, and will likely be different across various malware families and versions. Adversaries will likely change tool C2 signatures over time or construct protocols in such a way as to avoid detection by common defensive tools. 
<span onclick=scrollToRef('scite-1') id="scite-ref-1-a" class="scite-citeref-number" data-reference="University of Birmingham C2"><sup><a href="https://arxiv.org/ftp/arxiv/papers/1408/1408.1136.pdf" target="_blank" data-hasqtip="0" aria-describedby="qtip-0">[1]</a></sup></span></p> </td> </tr> <tr class="technique" id="uses-T1105"> <td> Enterprise </td> <td colspan="2"> <a href="/versions/v9/techniques/T1105">T1105</a> </td> <td> <a href="/versions/v9/techniques/T1105">Ingress Tool Transfer</a> </td> <td> <p>Network intrusion detection and prevention systems that use network signatures to identify traffic for specific adversary malware or unusual data transfer over known tools and protocols like FTP can be used to mitigate activity at the network level. Signatures are often for unique indicators within protocols and may be based on the specific obfuscation technique used by a particular adversary or tool, and will likely be different across various malware families and versions. Adversaries will likely change tool C2 signatures over time or construct protocols in such a way as to avoid detection by common defensive tools.<span onclick=scrollToRef('scite-1') id="scite-ref-1-a" class="scite-citeref-number" data-reference="University of Birmingham C2"><sup><a href="https://arxiv.org/ftp/arxiv/papers/1408/1408.1136.pdf" target="_blank" data-hasqtip="0" aria-describedby="qtip-0">[1]</a></sup></span></p> </td> </tr> <tr class="technique" id="uses-T1570"> <td> Enterprise </td> <td colspan="2"> <a href="/versions/v9/techniques/T1570">T1570</a> </td> <td> <a href="/versions/v9/techniques/T1570">Lateral Tool Transfer</a> </td> <td> <p>Network intrusion detection and prevention systems that use network signatures to identify traffic for specific adversary malware or unusual data transfer over known tools and protocols like FTP can be used to mitigate activity at the network level. 
Signatures are often for unique indicators within protocols and may be based on the specific obfuscation technique used by a particular adversary or tool, and will likely be different across various malware families and versions. <span onclick=scrollToRef('scite-1') id="scite-ref-1-a" class="scite-citeref-number" data-reference="University of Birmingham C2"><sup><a href="https://arxiv.org/ftp/arxiv/papers/1408/1408.1136.pdf" target="_blank" data-hasqtip="0" aria-describedby="qtip-0">[1]</a></sup></span></p> </td> </tr> <tr class="technique" id="uses-T1557"> <td> Enterprise </td> <td colspan="2"> <a href="/versions/v9/techniques/T1557">T1557</a> </td> <td> <a href="/versions/v9/techniques/T1557">Man-in-the-Middle</a> </td> <td> <p>Network intrusion detection and prevention systems that can identify traffic patterns indicative of MiTM activity can be used to mitigate activity at the network level.</p> </td> </tr> <tr class="sub technique" id="uses-T1557-001"> <td></td> <td></td> <td> <a href="/versions/v9/techniques/T1557/001">.001</a> </td> <td> <a href="/versions/v9/techniques/T1557/001">LLMNR/NBT-NS Poisoning and SMB Relay</a> </td> <td> <p>Network intrusion detection and prevention systems that can identify traffic patterns indicative of MiTM activity can be used to mitigate activity at the network level.</p> </td> </tr> <tr class="sub technique" id="uses-T1557-002"> <td></td> <td></td> <td> <a href="/versions/v9/techniques/T1557/002">.002</a> </td> <td> <a href="/versions/v9/techniques/T1557/002">ARP Cache Poisoning</a> </td> <td> <p>Network intrusion detection and prevention systems that can identify traffic patterns indicative of MiTM activity can be used to mitigate activity at the network level.</p> </td> </tr> <tr class="technique" id="uses-T1104"> <td> Enterprise </td> <td colspan="2"> <a href="/versions/v9/techniques/T1104">T1104</a> </td> <td> <a href="/versions/v9/techniques/T1104">Multi-Stage Channels</a> </td> <td> <p>Network intrusion detection and 
prevention systems that use network signatures to identify traffic for specific adversary malware can be used to mitigate activity at the network level.</p> </td> </tr> <tr class="technique" id="uses-T1046"> <td> Enterprise </td> <td colspan="2"> <a href="/versions/v9/techniques/T1046">T1046</a> </td> <td> <a href="/versions/v9/techniques/T1046">Network Service Scanning</a> </td> <td> <p>Use network intrusion detection/prevention systems to detect and prevent remote service scans.</p> </td> </tr> <tr class="technique" id="uses-T1095"> <td> Enterprise </td> <td colspan="2"> <a href="/versions/v9/techniques/T1095">T1095</a> </td> <td> <a href="/versions/v9/techniques/T1095">Non-Application Layer Protocol</a> </td> <td> <p>Network intrusion detection and prevention systems that use network signatures to identify traffic for specific adversary malware can be used to mitigate activity at the network level.</p> </td> </tr> <tr class="technique" id="uses-T1571"> <td> Enterprise </td> <td colspan="2"> <a href="/versions/v9/techniques/T1571">T1571</a> </td> <td> <a href="/versions/v9/techniques/T1571">Non-Standard Port</a> </td> <td> <p>Network intrusion detection and prevention systems that use network signatures to identify traffic for specific adversary malware can be used to mitigate activity at the network level.</p> </td> </tr> <tr class="technique" id="uses-T1566"> <td> Enterprise </td> <td colspan="2"> <a href="/versions/v9/techniques/T1566">T1566</a> </td> <td> <a href="/versions/v9/techniques/T1566">Phishing</a> </td> <td> <p>Network intrusion prevention systems and systems designed to scan and remove malicious email attachments or links can be used to block activity.</p> </td> </tr> <tr class="sub technique" id="uses-T1566-001"> <td></td> <td></td> <td> <a href="/versions/v9/techniques/T1566/001">.001</a> </td> <td> <a href="/versions/v9/techniques/T1566/001">Spearphishing Attachment</a> </td> <td> <p>Network intrusion prevention systems and systems designed to 
scan and remove malicious email attachments can be used to block activity.</p> </td> </tr> <tr class="sub technique noparent" id="uses-T1542-004"> <td> Enterprise </td> <td> <a href="/versions/v9/techniques/T1542">T1542</a> </td> <td> <a href="/versions/v9/techniques/T1542/004">.004</a> </td> <td> <a href="/versions/v9/techniques/T1542">Pre-OS Boot</a>: <a href="/versions/v9/techniques/T1542/004">ROMMONkit</a> </td> <td> <p>Network intrusion detection and prevention systems that use network signatures to identify traffic for specific protocols, such as TFTP, can be used to mitigate activity at the network level. Signatures are often for unique indicators within protocols and may be based on the specific technique used by a particular adversary or tool, and will likely be different across various network configurations. </p> </td> </tr> <tr class="sub technique" id="uses-T1542-005"> <td></td> <td></td> <td> <a href="/versions/v9/techniques/T1542/005">.005</a> </td> <td> <a href="/versions/v9/techniques/T1542">Pre-OS Boot</a>: <a href="/versions/v9/techniques/T1542/005">TFTP Boot</a> </td> <td> <p>Network intrusion detection and prevention systems that use network signatures to identify traffic for specific protocols, such as TFTP, can be used to mitigate activity at the network level. Signatures are often for unique indicators within protocols and may be based on the specific technique used by a particular adversary or tool, and will likely be different across various network configurations. </p> </td> </tr> <tr class="technique" id="uses-T1572"> <td> Enterprise </td> <td colspan="2"> <a href="/versions/v9/techniques/T1572">T1572</a> </td> <td> <a href="/versions/v9/techniques/T1572">Protocol Tunneling</a> </td> <td> <p>Network intrusion detection and prevention systems that use network signatures to identify traffic for specific adversary malware can be used to mitigate activity at the network level. 
</p> </td> </tr> <tr class="technique" id="uses-T1090"> <td> Enterprise </td> <td colspan="2"> <a href="/versions/v9/techniques/T1090">T1090</a> </td> <td> <a href="/versions/v9/techniques/T1090">Proxy</a> </td> <td> <p>Network intrusion detection and prevention systems that use network signatures to identify traffic for specific adversary malware can be used to mitigate activity at the network level. Signatures are often for unique indicators within protocols and may be based on the specific C2 protocol used by a particular adversary or tool, and will likely be different across various malware families and versions. Adversaries will likely change tool C2 signatures over time or construct protocols in such a way as to avoid detection by common defensive tools. <span onclick=scrollToRef('scite-1') id="scite-ref-1-a" class="scite-citeref-number" data-reference="University of Birmingham C2"><sup><a href="https://arxiv.org/ftp/arxiv/papers/1408/1408.1136.pdf" target="_blank" data-hasqtip="0" aria-describedby="qtip-0">[1]</a></sup></span></p> </td> </tr> <tr class="sub technique" id="uses-T1090-001"> <td></td> <td></td> <td> <a href="/versions/v9/techniques/T1090/001">.001</a> </td> <td> <a href="/versions/v9/techniques/T1090/001">Internal Proxy</a> </td> <td> <p>Network intrusion detection and prevention systems that use network signatures to identify traffic for specific adversary malware can be used to mitigate activity at the network level. Signatures are often for unique indicators within protocols and may be based on the specific C2 protocol used by a particular adversary or tool, and will likely be different across various malware families and versions. 
Adversaries will likely change tool C2 signatures over time or construct protocols in such a way as to avoid detection by common defensive tools.<span onclick=scrollToRef('scite-1') id="scite-ref-1-a" class="scite-citeref-number" data-reference="University of Birmingham C2"><sup><a href="https://arxiv.org/ftp/arxiv/papers/1408/1408.1136.pdf" target="_blank" data-hasqtip="0" aria-describedby="qtip-0">[1]</a></sup></span></p> </td> </tr> <tr class="sub technique" id="uses-T1090-002"> <td></td> <td></td> <td> <a href="/versions/v9/techniques/T1090/002">.002</a> </td> <td> <a href="/versions/v9/techniques/T1090/002">External Proxy</a> </td> <td> <p>Network intrusion detection and prevention systems that use network signatures to identify traffic for specific adversary malware can be used to mitigate activity at the network level. Signatures are often for unique indicators within protocols and may be based on the specific C2 protocol used by a particular adversary or tool, and will likely be different across various malware families and versions. 
Adversaries will likely change tool C2 signatures over time or construct protocols in such a way as to avoid detection by common defensive tools.<span onclick=scrollToRef('scite-1') id="scite-ref-1-a" class="scite-citeref-number" data-reference="University of Birmingham C2"><sup><a href="https://arxiv.org/ftp/arxiv/papers/1408/1408.1136.pdf" target="_blank" data-hasqtip="0" aria-describedby="qtip-0">[1]</a></sup></span></p> </td> </tr> <tr class="technique" id="uses-T1219"> <td> Enterprise </td> <td colspan="2"> <a href="/versions/v9/techniques/T1219">T1219</a> </td> <td> <a href="/versions/v9/techniques/T1219">Remote Access Software</a> </td> <td> <p>Network intrusion detection and prevention systems that use network signatures may be able to prevent traffic to remote access services.</p> </td> </tr> <tr class="technique" id="uses-T1029"> <td> Enterprise </td> <td colspan="2"> <a href="/versions/v9/techniques/T1029">T1029</a> </td> <td> <a href="/versions/v9/techniques/T1029">Scheduled Transfer</a> </td> <td> <p>Network intrusion detection and prevention systems that use network signatures to identify traffic for specific adversary command and control infrastructure and malware can be used to mitigate activity at the network level. Signatures are often for unique indicators within protocols and may be based on the specific obfuscation technique used by a particular adversary or tool, and will likely be different across various malware families and versions. Adversaries will likely change tool command and control signatures over time or construct protocols in such a way as to avoid detection by common defensive tools. 
<span onclick=scrollToRef('scite-1') id="scite-ref-1-a" class="scite-citeref-number" data-reference="University of Birmingham C2"><sup><a href="https://arxiv.org/ftp/arxiv/papers/1408/1408.1136.pdf" target="_blank" data-hasqtip="0" aria-describedby="qtip-0">[1]</a></sup></span></p> </td> </tr> <tr class="technique" id="uses-T1221"> <td> Enterprise </td> <td colspan="2"> <a href="/versions/v9/techniques/T1221">T1221</a> </td> <td> <a href="/versions/v9/techniques/T1221">Template Injection</a> </td> <td> <p>Network/Host intrusion prevention systems, antivirus, and detonation chambers can be employed to prevent documents from fetching and/or executing malicious payloads.<span onclick=scrollToRef('scite-7') id="scite-ref-7-a" class="scite-citeref-number" data-reference="Anomali Template Injection MAR 2018"><sup><a href="https://forum.anomali.com/t/credential-harvesting-and-malicious-file-delivery-using-microsoft-office-template-injection/2104" target="_blank" data-hasqtip="6" aria-describedby="qtip-6">[7]</a></sup></span></p> </td> </tr> <tr class="technique" id="uses-T1204"> <td> Enterprise </td> <td colspan="2"> <a href="/versions/v9/techniques/T1204">T1204</a> </td> <td> <a href="/versions/v9/techniques/T1204">User Execution</a> </td> <td> <p>If a link is being visited by a user, network intrusion prevention systems and systems designed to scan and remove malicious downloads can be used to block activity.</p> </td> </tr> <tr class="sub technique" id="uses-T1204-001"> <td></td> <td></td> <td> <a href="/versions/v9/techniques/T1204/001">.001</a> </td> <td> <a href="/versions/v9/techniques/T1204/001">Malicious Link</a> </td> <td> <p>If a link is being visited by a user, network intrusion prevention systems and systems designed to scan and remove malicious downloads can be used to block activity.</p> </td> </tr> <tr class="sub technique" id="uses-T1204-003"> <td></td> <td></td> <td> <a href="/versions/v9/techniques/T1204/003">.003</a> </td> <td> <a 
href="/versions/v9/techniques/T1204/003">Malicious Image</a> </td> <td> <p>Network intrusion prevention systems and systems designed to scan and remove malicious downloads can be used to block activity.</p> </td> </tr> <tr class="technique" id="uses-T1102"> <td> Enterprise </td> <td colspan="2"> <a href="/versions/v9/techniques/T1102">T1102</a> </td> <td> <a href="/versions/v9/techniques/T1102">Web Service</a> </td> <td> <p>Network intrusion detection and prevention systems that use network signatures to identify traffic for specific adversary malware can be used to mitigate activity at the network level.</p> </td> </tr> <tr class="sub technique" id="uses-T1102-001"> <td></td> <td></td> <td> <a href="/versions/v9/techniques/T1102/001">.001</a> </td> <td> <a href="/versions/v9/techniques/T1102/001">Dead Drop Resolver</a> </td> <td> <p>Network intrusion detection and prevention systems that use network signatures to identify traffic for specific adversary malware can be used to mitigate activity at the network level.</p> </td> </tr> <tr class="sub technique" id="uses-T1102-002"> <td></td> <td></td> <td> <a href="/versions/v9/techniques/T1102/002">.002</a> </td> <td> <a href="/versions/v9/techniques/T1102/002">Bidirectional Communication</a> </td> <td> <p>Network intrusion detection and prevention systems that use network signatures to identify traffic for specific adversary malware can be used to mitigate activity at the network level.</p> </td> </tr> <tr class="sub technique" id="uses-T1102-003"> <td></td> <td></td> <td> <a href="/versions/v9/techniques/T1102/003">.003</a> </td> <td> <a href="/versions/v9/techniques/T1102/003">One-Way Communication</a> </td> <td> <p>Network intrusion detection and prevention systems that use network signatures to identify traffic for specific adversary malware can be used to mitigate activity at the network level.</p> </td> </tr> </tbody> </table> <h2 class="pt-3" id="references">References</h2> <div class="row"> <div class="col"> 
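<p>The rows above recommend network intrusion detection and prevention systems that use signatures, either for unique indicators within a protocol (the Pre-OS Boot rows name TFTP) or for a specific adversary's malware (the C2 and proxy rows), and they caution that malware-specific signatures differ across families and versions and are changed by adversaries over time. The following is an added example, not code from ATT&CK or from any product: a minimal signature matcher in Python run over constructed packet records, with one structural protocol signature and one byte-pattern signature. The signature ids, addresses, beacon header and file name are all constructed for the example.</p>

```python
"""Added illustration of signature-based network intrusion detection (not
ATT&CK's or any vendor's code): a minimal matcher that checks constructed
packet records against two kinds of signature, a protocol-structure
indicator (TFTP request) and a byte pattern tied to one sample C2 family."""
from __future__ import annotations

import struct
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    """One captured datagram/segment, reduced to the fields a signature inspects."""
    src: str
    dst: str
    proto: str        # "tcp" or "udp"
    dport: int
    payload: bytes


@dataclass(frozen=True)
class Signature:
    sid: str                                   # constructed id, not a real ruleset id
    name: str
    proto: Optional[str] = None                # transport protocol constraint
    dport: Optional[int] = None                # destination port constraint
    pattern: Optional[bytes] = None            # literal byte sequence anywhere in payload
    predicate: Optional[Callable[[bytes], bool]] = None  # structural payload check


def tftp_request(payload: bytes) -> bool:
    """True for a TFTP RRQ (opcode 1) or WRQ (opcode 2) per RFC 1350:
    2-byte opcode, filename, NUL, transfer mode, NUL."""
    if len(payload) < 4:
        return False
    (opcode,) = struct.unpack("!H", payload[:2])
    if opcode not in (1, 2):
        return False
    fields = payload[2:].split(b"\x00")
    # fields[-1] is the empty remainder after the NUL that terminates the mode
    return (len(fields) >= 3 and fields[0] != b""
            and fields[1].lower() in (b"netascii", b"octet", b"mail"))


SIGNATURES: List[Signature] = [
    # Protocol indicator: any TFTP read/write request, regardless of which tool
    # sent it (the transfer the Pre-OS Boot rows describe).
    Signature("CONSTRUCTED-1001", "TFTP read/write request",
              proto="udp", dport=69, predicate=tftp_request),
    # Malware-specific indicator: a header that only one (constructed) C2 family sends.
    Signature("CONSTRUCTED-2001", "Sample C2 beacon header",
              proto="tcp", pattern=b"X-Beacon-Id: "),
]


def match(pkt: Packet, sig: Signature) -> bool:
    """Every constraint present on the signature must hold for the packet."""
    if sig.proto is not None and pkt.proto != sig.proto:
        return False
    if sig.dport is not None and pkt.dport != sig.dport:
        return False
    if sig.pattern is not None and sig.pattern not in pkt.payload:
        return False
    if sig.predicate is not None and not sig.predicate(pkt.payload):
        return False
    return True


def scan(packets, signatures=SIGNATURES) -> List[Tuple[str, str, str]]:
    """Return (signature id, src, dst) for every packet that matches a signature."""
    return [(sig.sid, pkt.src, pkt.dst)
            for pkt in packets for sig in signatures if match(pkt, sig)]


# Constructed sample traffic (private and RFC 5737 documentation addresses).
SAMPLE_PACKETS = [
    # 1. TFTP RRQ for a ROM monitor image: matches the protocol signature.
    Packet("10.0.0.5", "10.0.0.9", "udp", 69, b"\x00\x01rommon.bin\x00octet\x00"),
    # 2. TFTP ACK (opcode 4): same port, but not a request, so no match.
    Packet("10.0.0.9", "10.0.0.5", "udp", 69, b"\x00\x04\x00\x01"),
    # 3. Beacon from the sample family: the byte pattern matches.
    Packet("10.0.0.5", "203.0.113.7", "tcp", 80,
           b"GET /ping HTTP/1.1\r\nHost: cdn.example\r\nX-Beacon-Id: 7f3a\r\n\r\n"),
    # 4. Same beacon after the operator renamed the header: the byte-pattern
    #    signature no longer fires, which is the caveat about C2 signatures
    #    changing across versions.
    Packet("10.0.0.5", "203.0.113.7", "tcp", 80,
           b"GET /ping HTTP/1.1\r\nHost: cdn.example\r\nX-Bcn: 7f3a\r\n\r\n"),
]

if __name__ == "__main__":
    for sid, src, dst in scan(SAMPLE_PACKETS):
        print(f"{sid}: {src} -> {dst}")
```

<p>The last two sample packets show why the caveat in the rows matters: a one-header change in the beacon defeats the byte-pattern signature, while the structural TFTP check keeps matching any RFC-compliant request no matter which tool produced it. Signatures anchored on protocol structure therefore age better than those anchored on one family's bytes, at the cost of firing on legitimate use of the protocol, which is why the rows pair them with knowledge of what traffic is expected on the network.</p>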
<ol> <li> <span id="scite-1" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-1" href="https://arxiv.org/ftp/arxiv/papers/1408/1408.1136.pdf" target="_blank"> Gardiner, J., Cova, M., Nagaraja, S. (2014, February). Command & Control Understanding, Denying and Detecting. Retrieved April 20, 2016. </a> </span> </span> </li> <li> <span id="scite-2" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-2" href="https://www.us-cert.gov/ncas/alerts/TA18-106A" target="_blank"> US-CERT. (2018, April 20). Alert (TA18-106A) Russian State-Sponsored Cyber Actors Targeting Network Infrastructure Devices. Retrieved October 19, 2020. </a> </span> </span> </li> <li> <span id="scite-3" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-3" href="https://us-cert.cisa.gov/ncas/alerts/TA18-106A" target="_blank"> US-CERT. (2018, April 20). Russian State-Sponsored Cyber Actors Targeting Network Infrastructure Devices. Retrieved October 19, 2020. </a> </span> </span> </li> <li> <span id="scite-4" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-4" href="http://go.cybereason.com/rs/996-YZT-709/images/Cybereason-Lab-Analysis-Dissecting-DGAs-Eight-Real-World-DGA-Variants.pdf" target="_blank"> Sternfeld, U. (2016). Dissecting Domain Generation Algorithms: Eight Real World DGA Variants. Retrieved February 18, 2019. </a> </span> </span> </li> </ol> </div> <div class="col"> <ol start="5"> <li> <span id="scite-5" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-5" href="https://umbrella.cisco.com/blog/2015/02/18/at-high-noon-algorithms-do-battle/" target="_blank"> Kasza, A. (2015, February 18). Using Algorithms to Brute Force Algorithms. Retrieved February 18, 2019. 
</a> </span> </span> </li> <li> <span id="scite-6" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-6" href="https://blogs.akamai.com/2018/01/a-death-match-of-domain-generation-algorithms.html" target="_blank"> Liu, H. and Yuzifovich, Y. (2018, January 9). A Death Match of Domain Generation Algorithms. Retrieved February 18, 2019. </a> </span> </span> </li> <li> <span id="scite-7" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-7" href="https://forum.anomali.com/t/credential-harvesting-and-malicious-file-delivery-using-microsoft-office-template-injection/2104" target="_blank"> Intel_Acquisition_Team. (2018, March 1). Credential Harvesting and Malicious File Delivery using Microsoft Office Template Injection. Retrieved July 20, 2018. </a> </span> </span> </li> </ol> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> <!--stop-indexing-for-search--> </div> <footer class="footer p-3"> <div class="container-fluid"> <div class="row"> <div class="col-4 col-sm-4 col-md-3"> <div class="footer-center-responsive my-auto"> 
<a href="https://www.mitre.org" target="_blank" rel="noopener" aria-label="MITRE"> <img src="/versions/v9/theme/images/mitrelogowhiteontrans.gif" class="mitre-logo-wtrans"> </a> </div> </div> <div class="col-2 col-sm-2 footer-responsive-break"></div> <div class="col-6 col-sm-6 text-center"> <p> © 2015-2021, The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. </p> <div class="row"> <div class="col text-right"> <small> <a href="/versions/v9/resources/privacy" class="footer-link">Privacy Policy</a> </small> </div> <div class="col text-center"> <small> <a href="/versions/v9/resources/terms-of-use" class="footer-link">Terms of Use</a> </small> </div> <div class="col text-left "> <small> <a href="/versions/v9/resources/changelog.html" class="footer-link" data-toggle="tooltip" data-placement="top" title="ATT&CK content version 9.0
Website version 3.3.1">ATT&CK v9.0</a> </small> </div> </div> </div> <div class="w-100 p-2 footer-responsive-break"></div> <div class="col"> <div class="footer-float-right-responsive-brand"> <div class="mb-1"> <a href="https://twitter.com/MITREattack" class="btn btn-primary w-100"> <!-- <i class="fa fa-twitter"></i> --> <img src="/versions/v9/theme/images/twitter.png" class="mr-1 twitter-icon"> <b>@MITREattack</b> </a> </div> <div class=""> <a href="/versions/v9/contact" class="btn btn-primary w-100"> Contact </a> </div> </div> </div> </div> </div> </div> </footer> </div> <!--SCRIPTS--> <script src="/versions/v9/theme/scripts/jquery-3.5.1.min.js"></script> <script src="/versions/v9/theme/scripts/popper.min.js"></script> <script src="/versions/v9/theme/scripts/bootstrap.bundle.min.js"></script> <script src="/versions/v9/theme/scripts/site.js"></script> <script src="/versions/v9/theme/scripts/flexsearch.es5.js"></script> <script src="/versions/v9/theme/scripts/localforage.min.js"></script> <script src="/versions/v9/theme/scripts/settings.js?6773"></script> <script src="/versions/v9/theme/scripts/search_babelized.js"></script> <!--SCRIPTS--> <script src="/versions/v9/theme/scripts/navigation.js"></script> </body> </html>