
Audit, Mitigation M1047 - Enterprise | MITRE ATT&CK®

<!DOCTYPE html> <html lang='en'> <head> <script async src="https://www.googletagmanager.com/gtag/js?id=UA-62667723-1"></script> <script> window.dataLayer = window.dataLayer || []; function gtag(){dataLayer.push(arguments);} gtag('js', new Date()); gtag('config', 'UA-62667723-1'); </script> <meta name="google-site-verification" content="2oJKLqNN62z6AOCb0A0IXGtbQuj-lev5YPAHFF_cbHQ"/> <meta charset='utf-8'> <meta name='viewport' content='width=device-width, initial-scale=1,shrink-to-fit=no'> <meta http-equiv="X-UA-Compatible" content="IE=edge"> <link rel='shortcut icon' href="/versions/v15/theme/favicon.ico" type='image/x-icon'> <title>Audit, Mitigation M1047 - Enterprise | MITRE ATT&CK&reg;</title> <!-- USWDS CSS --> <!-- Bootstrap CSS --> <link rel='stylesheet' href="/versions/v15/theme/style/bootstrap.min.css" /> <link rel='stylesheet' href="/versions/v15/theme/style/bootstrap-tourist.css" /> <link rel='stylesheet' href="/versions/v15/theme/style/bootstrap-select.min.css" /> <!-- Fontawesome CSS --> <link rel="stylesheet" href="/versions/v15/theme/style/fontawesome-6.5.1/css/fontawesome.min.css"/> <link rel="stylesheet" href="/versions/v15/theme/style/fontawesome-6.5.1/css/brands.min.css"/> <link rel="stylesheet" href="/versions/v15/theme/style/fontawesome-6.5.1/css/solid.min.css"/> <link rel="stylesheet" type="text/css" href="/versions/v15/theme/style.min.css?6689c2db"> </head> <body> <div class="container-fluid attack-website-wrapper d-flex flex-column h-100"> <div class="row sticky-top flex-grow-0 flex-shrink-1"> <!-- header elements --> <header class="col px-0"> <nav class='navbar navbar-expand-lg navbar-dark position-static'> <a class='navbar-brand' href="/versions/v15/"><img src="/versions/v15/theme/images/mitre_attack_logo.png" class="attack-logo"></a> <button class='navbar-toggler' type='button' data-toggle='collapse' data-target='#navbarCollapse' aria-controls='navbarCollapse' aria-expanded='false' aria-label='Toggle navigation'> <span 
class='navbar-toggler-icon'></span> </button> <div class='collapse navbar-collapse' id='navbarCollapse'> <ul class='nav nav-tabs ml-auto'> <li class="nav-item dropdown"> <a class="nav-link dropdown-toggle" href="/versions/v15/matrices/" id="navbarDropdown" role="button" data-toggle="dropdown" aria-haspopup="true" aria-expanded="false"> <b>Matrices</b> </a> <div class="dropdown-menu " aria-labelledby="navbarDropdown"> <a class="dropdown-item" href="/versions/v15/matrices/enterprise/">Enterprise</a> <a class="dropdown-item" href="/versions/v15/matrices/mobile/">Mobile</a> <a class="dropdown-item" href="/versions/v15/matrices/ics/">ICS</a> </div> </li> <li class="nav-item dropdown"> <a class="nav-link dropdown-toggle" href="/versions/v15/tactics/" id="navbarDropdown" role="button" data-toggle="dropdown" aria-haspopup="true" aria-expanded="false"> <b>Tactics</b> </a> <div class="dropdown-menu " aria-labelledby="navbarDropdown"> <a class="dropdown-item" href="/versions/v15/tactics/enterprise/">Enterprise</a> <a class="dropdown-item" href="/versions/v15/tactics/mobile/">Mobile</a> <a class="dropdown-item" href="/versions/v15/tactics/ics/">ICS</a> </div> </li> <li class="nav-item dropdown"> <a class="nav-link dropdown-toggle" href="/versions/v15/techniques/" id="navbarDropdown" role="button" data-toggle="dropdown" aria-haspopup="true" aria-expanded="false"> <b>Techniques</b> </a> <div class="dropdown-menu " aria-labelledby="navbarDropdown"> <a class="dropdown-item" href="/versions/v15/techniques/enterprise/">Enterprise</a> <a class="dropdown-item" href="/versions/v15/techniques/mobile/">Mobile</a> <a class="dropdown-item" href="/versions/v15/techniques/ics/">ICS</a> </div> </li> <li class="nav-item dropdown"> <a class="nav-link dropdown-toggle" href="/versions/v15/datasources" id="navbarDropdown" role="button" data-toggle="dropdown" aria-haspopup="true" aria-expanded="false"> <b>Defenses</b> </a> <div class="dropdown-menu " aria-labelledby="navbarDropdown"> <a 
class="dropdown-item" href="/versions/v15/datasources">Data Sources</a> <div class="dropright dropdown"> <a class="dropdown-item dropdown-toggle" href="/versions/v15/mitigations/" id="navbarDropdown" role="button" data-toggle="dropdown" aria-haspopup="true" aria-expanded="false"> <b>Mitigations</b> </a> <div class="dropdown-menu " aria-labelledby="navbarDropdown"> <a class="dropdown-item" href="/versions/v15/mitigations/enterprise/">Enterprise</a> <a class="dropdown-item" href="/versions/v15/mitigations/mobile/">Mobile</a> <a class="dropdown-item" href="/versions/v15/mitigations/ics/">ICS</a> </div> </div> <a class="dropdown-item" href="/versions/v15/assets">Assets</a> </div> </li> <li class="nav-item dropdown"> <a class="nav-link dropdown-toggle" href="/versions/v15/groups" id="navbarDropdown" role="button" data-toggle="dropdown" aria-haspopup="true" aria-expanded="false"> <b>CTI</b> </a> <div class="dropdown-menu " aria-labelledby="navbarDropdown"> <a class="dropdown-item" href="/versions/v15/groups">Groups</a> <a class="dropdown-item" href="/versions/v15/software">Software</a> <a class="dropdown-item" href="/versions/v15/campaigns">Campaigns</a> </div> </li> <li class="nav-item dropdown"> <a class="nav-link dropdown-toggle" href="/versions/v15/resources/" id="navbarDropdown" role="button" data-toggle="dropdown" aria-haspopup="true" aria-expanded="false"> <b>Resources</b> </a> <div class="dropdown-menu " aria-labelledby="navbarDropdown"> <a class="dropdown-item" href="/versions/v15/resources/">Get Started</a> <a class="dropdown-item" href="/versions/v15/resources/learn-more-about-attack/">Learn More about ATT&CK</a> <a class="dropdown-item" href="/versions/v15/resources/attackcon/">ATT&CKcon</a> <a class="dropdown-item" href="/versions/v15/resources/attack-data-and-tools/">ATT&CK Data & Tools</a> <a class="dropdown-item" href="/versions/v15/resources/faq/">FAQ</a> <a class="dropdown-item" href="/versions/v15/resources/engage-with-attack/contact/">Engage with 
ATT&CK</a> <a class="dropdown-item" href="/resources/versions/">Version History</a> <a class="dropdown-item" href="/versions/v15/resources/legal-and-branding/">Legal & Branding</a> </div> </li> <li class="nav-item"> <a href="/versions/v15/resources/engage-with-attack/benefactors/" class="nav-link" ><b>Benefactors</b></a> </li> <li class="nav-item"> <a href="https://medium.com/mitre-attack/" target="_blank" class="nav-link"> <b>Blog</b>&nbsp; <img src="/versions/v15/theme/images/external-site.svg" alt="External site" class="external-icon" /> </a> </li> <li class="nav-item"> <button id="search-button" class="btn search-button">Search <div id="search-icon" class="icon-button search-icon"></div></button> </li> </ul> </div> </nav> </header> </div> <div class="row flex-grow-0 flex-shrink-1"> <!-- banner elements --> <div class="col px-0"> <!-- don't edit or remove the line below even though it's commented out, it gets parsed and replaced by the versioning feature --> <div class="container-fluid version-banner"><div class="icon-inline baseline mr-1"><img src="/versions/v15/theme/images/icon-warning-24px.svg"></div>Currently viewing <a href="https://github.com/mitre/cti/releases/tag/ATT%26CK-v15.1" target="_blank">ATT&CK v15.1</a> which was live between April 23, 2024 and October 30, 2024. 
<a href="/resources/versions/">Learn more about the versioning system</a> or <a href="/">see the live site</a>.</div> </div> </div> <div class="row flex-grow-1 flex-shrink-0"> <!-- main content elements --> <!--start-indexing-for-search--> <div class="sidebar nav sticky-top flex-column pr-0 pt-4 pb-3 pl-3" id="v-tab" role="tablist" aria-orientation="vertical"> <div class="resizer" id="resizer"></div> <!--stop-indexing-for-search--> <div id="sidebars"></div> <!--start-indexing-for-search--> </div> <div class="tab-content col-xl-9 pt-4" id="v-tabContent"> <div class="tab-pane fade show active" id="v-attckmatrix" role="tabpanel" aria-labelledby="v-attckmatrix-tab"> <ol class="breadcrumb"> <li class="breadcrumb-item"><a href="/versions/v15/">Home</a></li> <li class="breadcrumb-item"><a href="/versions/v15/mitigations">Mitigations</a></li> <li class="breadcrumb-item">Audit</li> </ol> <div class="tab-pane fade show active" id="v-" role="tabpanel" aria-labelledby="v--tab"></div> <div class="row"> <div class="col-xl-12"> <div class="jumbotron jumbotron-fluid"> <div class="container-fluid"> <h1> Audit </h1> <div class="row"> <div class="col-md-8"> <div class="description-body"> <p>Perform audits or scans of systems, permissions, insecure software, insecure configurations, etc. 
to identify potential weaknesses.</p> </div> </div> <div class="col-md-4"> <div class="card"> <div class="card-body"> <div class="card-data"><span class="h5 card-title">ID:</span> M1047</div> <div class="card-data"><span class="h5 card-title">Version:</span> 1.2</div> <div class="card-data"><span class="h5 card-title">Created:&nbsp;</span>11 June 2019</div> <div class="card-data"><span class="h5 card-title">Last Modified:&nbsp;</span>31 March 2023</div> </div> </div> <div class="text-center pt-2 version-button permalink"> <div class="live"> <a data-toggle="tooltip" data-placement="bottom" title="Permalink to this version of M1047" href="/versions/v15/mitigations/M1047/" data-test-ignore="true">Version Permalink</a> </div> <div class="permalink"> <a data-toggle="tooltip" data-placement="bottom" title="Go to the live version of M1047" href="/mitigations/M1047/" data-test-ignore="true">Live Version</a><!--do not change this line without also changing versions.py--> </div> </div> </div> </div> <!--stop-indexing-for-search--> <div class="dropdown h3 mt-3 float-right"> <button class="btn btn-navy dropdown-toggle" type="button" id="dropdownMenuButton" data-toggle="dropdown" aria-haspopup="true" aria-expanded="false"> <b>ATT&amp;CK<sup>&reg;</sup> Navigator Layers</b> </button> <div class="dropdown-menu" aria-labelledby="dropdownMenuButton"> <h6 class="dropdown-header">Enterprise Layer</h6> <a class="dropdown-item" href="/versions/v15/mitigations/M1047/M1047-enterprise-layer.json" download target="_blank">download</a> <!-- only show view on navigator link if layer link is defined --> <a class="dropdown-item" href="#" id="view-layer-on-navigator-enterprise" target="_blank">view <img width="10" src="/versions/v15/theme/images/external-site-dark.jpeg"></a> <script src="/versions/v15/theme/scripts/settings.js"></script> <script> if (window.location.protocol == "https:") { //view on navigator only works when this site is hosted on HTTPS var layerURL = window.location.protocol + 
"//" + window.location.host + base_url + "mitigations/M1047/M1047-enterprise-layer.json"; document.getElementById("view-layer-on-navigator-enterprise").href = "https://mitre-attack.github.io/attack-navigator//#layerURL=" + encodeURIComponent(layerURL); } else { //hide button document.getElementById("view-layer-on-navigator-enterprise").classList.add("d-none"); } </script> </div> </div> <!--start-indexing-for-search--> <h2 class="pt-3 mb-2" id="techniques">Techniques Addressed by Mitigation</h2> <div class="tables-mobile"> <table class="table techniques-used background table-bordered"> <thead> <tr> <th class="p-2" scope="col">Domain</th> <th class="p-2" colspan="2">ID</th> <th class="p-2" scope="col">Name</th> <th class="p-2" scope="col">Use</th> </tr> </thead> <tbody> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/versions/v15/techniques/T1548">T1548</a> </td> <td> <a href="/versions/v15/techniques/T1548">Abuse Elevation Control Mechanism</a> </td> <td> <p>Check for common UAC bypass weaknesses on Windows systems to be aware of the risk posture and address issues where appropriate.<span onclick=scrollToRef('scite-1') id="scite-ref-1-a" class="scite-citeref-number" title="UACME Project. (2016, June 16). UACMe. Retrieved July 26, 2016."data-reference="Github UACMe"><sup><a href="https://github.com/hfiref0x/UACME" target="_blank" data-hasqtip="0" aria-describedby="qtip-0">[1]</a></sup></span></p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/versions/v15/techniques/T1548/002">.002</a> </td> <td> <a href="/versions/v15/techniques/T1548/002">Bypass User Account Control</a> </td> <td> <p>Check for common UAC bypass weaknesses on Windows systems to be aware of the risk posture and address issues where appropriate.<span onclick=scrollToRef('scite-1') id="scite-ref-1-a" class="scite-citeref-number" title="UACME Project. (2016, June 16). UACMe. 
Retrieved July 26, 2016." data-reference="Github UACMe"><sup><a href="https://github.com/hfiref0x/UACME" target="_blank" data-hasqtip="0" aria-describedby="qtip-0">[1]</a></sup></span></p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/versions/v15/techniques/T1548/006">.006</a> </td> <td> <a href="/versions/v15/techniques/T1548/006">TCC Manipulation</a> </td> <td> <p>Routinely check applications using Automation under Security &amp; Privacy System Preferences. To reset permissions, users can utilize the <code>tccutil reset</code> command. When using Mobile Device Management (MDM), review the list of enabled or disabled applications in the <code>MDMOverrides.plist</code> which overrides the TCC database.<span onclick=scrollToRef('scite-2') id="scite-ref-2-a" class="scite-citeref-number" title="Phil Stokes. (2021, July 1). Bypassing macOS TCC User Privacy Protections By Accident and Design. Retrieved March 21, 2024." data-reference="TCC macOS bypass"><sup><a href="https://www.sentinelone.com/labs/bypassing-macos-tcc-user-privacy-protections-by-accident-and-design/" target="_blank" data-hasqtip="1" aria-describedby="qtip-1">[2]</a></sup></span></p> </td> </tr> <tr class="sub technique noparent enterprise" id="enterprise"> <td> Enterprise </td> <td> <a href="/versions/v15/techniques/T1087">T1087</a> </td> <td> <a href="/versions/v15/techniques/T1087/004">.004</a> </td> <td> <a href="/versions/v15/techniques/T1087">Account Discovery</a>: <a href="/versions/v15/techniques/T1087/004">Cloud Account</a> </td> <td> <p>Routinely check user permissions to ensure only the expected users have the ability to list IAM identities or otherwise discover cloud accounts.</p> </td> </tr> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/versions/v15/techniques/T1560">T1560</a> </td> <td> <a href="/versions/v15/techniques/T1560">Archive Collected Data</a> </td> <td> <p>System scans can 
be performed to identify unauthorized archival utilities.</p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/versions/v15/techniques/T1560/001">.001</a> </td> <td> <a href="/versions/v15/techniques/T1560/001">Archive via Utility</a> </td> <td> <p>System scans can be performed to identify unauthorized archival utilities.</p> </td> </tr> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/versions/v15/techniques/T1176">T1176</a> </td> <td> <a href="/versions/v15/techniques/T1176">Browser Extensions</a> </td> <td> <p>Ensure extensions that are installed are the intended ones as many malicious extensions will masquerade as legitimate ones.</p> </td> </tr> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/versions/v15/techniques/T1612">T1612</a> </td> <td> <a href="/versions/v15/techniques/T1612">Build Image on Host</a> </td> <td> <p>Audit images deployed within the environment to ensure they do not contain any malicious components.</p> </td> </tr> <tr class="sub technique noparent enterprise" id="enterprise"> <td> Enterprise </td> <td> <a href="/versions/v15/techniques/T1059">T1059</a> </td> <td> <a href="/versions/v15/techniques/T1059/006">.006</a> </td> <td> <a href="/versions/v15/techniques/T1059">Command and Scripting Interpreter</a>: <a href="/versions/v15/techniques/T1059/006">Python</a> </td> <td> <p>Inventory systems for unauthorized Python installations.</p> </td> </tr> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/versions/v15/techniques/T1543">T1543</a> </td> <td> <a href="/versions/v15/techniques/T1543">Create or Modify System Process</a> </td> <td> <p>Use auditing tools capable of detecting privilege and service abuse opportunities on systems within an enterprise and correct them.</p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> 
<td></td> <td></td> <td> <a href="/versions/v15/techniques/T1543/003">.003</a> </td> <td> <a href="/versions/v15/techniques/T1543/003">Windows Service</a> </td> <td> <p>Use auditing tools capable of detecting privilege and service abuse opportunities on systems within an enterprise and correct them. </p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/versions/v15/techniques/T1543/004">.004</a> </td> <td> <a href="/versions/v15/techniques/T1543/004">Launch Daemon</a> </td> <td> <p>Use auditing tools capable of detecting folder permissions abuse opportunities on systems, especially reviewing changes made to folders by third-party software.</p> </td> </tr> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/versions/v15/techniques/T1530">T1530</a> </td> <td> <a href="/versions/v15/techniques/T1530">Data from Cloud Storage</a> </td> <td> <p>Frequently check permissions on cloud storage to ensure proper permissions are set to deny open or unprivileged access to resources.<span onclick=scrollToRef('scite-3') id="scite-ref-3-a" class="scite-citeref-number" title="Amazon. (2019, May 17). How can I secure the files in my Amazon S3 bucket?. 
Retrieved October 4, 2019."data-reference="Amazon S3 Security, 2019"><sup><a href="https://aws.amazon.com/premiumsupport/knowledge-center/secure-s3-resources/" target="_blank" data-hasqtip="2" aria-describedby="qtip-2">[3]</a></sup></span></p> </td> </tr> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/versions/v15/techniques/T1213">T1213</a> </td> <td> <a href="/versions/v15/techniques/T1213">Data from Information Repositories</a> </td> <td> <p>Consider periodic review of accounts and privileges for critical and sensitive repositories.</p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/versions/v15/techniques/T1213/001">.001</a> </td> <td> <a href="/versions/v15/techniques/T1213/001">Confluence</a> </td> <td> <p>Consider periodic review of accounts and privileges for critical and sensitive Confluence repositories.</p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/versions/v15/techniques/T1213/002">.002</a> </td> <td> <a href="/versions/v15/techniques/T1213/002">Sharepoint</a> </td> <td> <p>Consider periodic review of accounts and privileges for critical and sensitive SharePoint repositories.</p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/versions/v15/techniques/T1213/003">.003</a> </td> <td> <a href="/versions/v15/techniques/T1213/003">Code Repositories</a> </td> <td> <p>Consider periodic reviews of accounts and privileges for critical and sensitive code repositories. 
Scan code repositories for exposed credentials or other sensitive information.</p> </td> </tr> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/versions/v15/techniques/T1610">T1610</a> </td> <td> <a href="/versions/v15/techniques/T1610">Deploy Container</a> </td> <td> <p>Scan images before deployment, and block those that are not in compliance with security policies. In Kubernetes environments, the admission controller can be used to validate images after a container deployment request is authenticated but before the container is deployed.<span onclick=scrollToRef('scite-4') id="scite-ref-4-a" class="scite-citeref-number" title="National Security Agency, Cybersecurity and Infrastructure Security Agency. (2022, March). Kubernetes Hardening Guide. Retrieved April 1, 2022."data-reference="Kubernetes Hardening Guide"><sup><a href="https://media.defense.gov/2022/Aug/29/2003066362/-1/-1/0/CTR_KUBERNETES_HARDENING_GUIDANCE_1.2_20220829.PDF" target="_blank" data-hasqtip="3" aria-describedby="qtip-3">[4]</a></sup></span></p> </td> </tr> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/versions/v15/techniques/T1484">T1484</a> </td> <td> <a href="/versions/v15/techniques/T1484">Domain or Tenant Policy Modification</a> </td> <td> <p>Identify and correct GPO permissions abuse opportunities (ex: GPO modification privileges) using auditing tools such as <a href="/versions/v15/software/S0521">BloodHound</a> (version 1.5.1 and later)<span onclick=scrollToRef('scite-5') id="scite-ref-5-a" class="scite-citeref-number" title="Robbins, A., Vazarkar, R., and Schroeder, W. (2016, April 17). Bloodhound: Six Degrees of Domain Admin. 
Retrieved March 5, 2019."data-reference="GitHub Bloodhound"><sup><a href="https://github.com/BloodHoundAD/BloodHound" target="_blank" data-hasqtip="4" aria-describedby="qtip-4">[5]</a></sup></span>.</p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/versions/v15/techniques/T1484/001">.001</a> </td> <td> <a href="/versions/v15/techniques/T1484/001">Group Policy Modification</a> </td> <td> <p>Identify and correct GPO permissions abuse opportunities (ex: GPO modification privileges) using auditing tools such as <a href="/versions/v15/software/S0521">BloodHound</a> (version 1.5.1 and later).<span onclick=scrollToRef('scite-5') id="scite-ref-5-a" class="scite-citeref-number" title="Robbins, A., Vazarkar, R., and Schroeder, W. (2016, April 17). Bloodhound: Six Degrees of Domain Admin. Retrieved March 5, 2019."data-reference="GitHub Bloodhound"><sup><a href="https://github.com/BloodHoundAD/BloodHound" target="_blank" data-hasqtip="4" aria-describedby="qtip-4">[5]</a></sup></span></p> </td> </tr> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/versions/v15/techniques/T1482">T1482</a> </td> <td> <a href="/versions/v15/techniques/T1482">Domain Trust Discovery</a> </td> <td> <p>Map the trusts within existing domains/forests and keep trust relationships to a minimum.</p> </td> </tr> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/versions/v15/techniques/T1114">T1114</a> </td> <td> <a href="/versions/v15/techniques/T1114">Email Collection</a> </td> <td> <p>Enterprise email solutions have monitoring mechanisms that may include the ability to audit auto-forwarding rules on a regular basis.</p><p>In an Exchange environment, Administrators can use Get-InboxRule to discover and remove potentially malicious auto-forwarding rules.<span onclick=scrollToRef('scite-6') id="scite-ref-6-a" class="scite-citeref-number" title="McMichael, 
T.. (2015, June 8). Exchange and Office 365 Mail Forwarding. Retrieved October 8, 2019." data-reference="Microsoft Tim McMichael Exchange Mail Forwarding 2"><sup><a href="https://blogs.technet.microsoft.com/timmcmic/2015/06/08/exchange-and-office-365-mail-forwarding-2/" target="_blank" data-hasqtip="5" aria-describedby="qtip-5">[6]</a></sup></span> </p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/versions/v15/techniques/T1114/003">.003</a> </td> <td> <a href="/versions/v15/techniques/T1114/003">Email Forwarding Rule</a> </td> <td> <p>Enterprise email solutions have monitoring mechanisms that may include the ability to audit auto-forwarding rules on a regular basis.</p><p>In an Exchange environment, Administrators can use <code>Get-InboxRule</code> / <code>Remove-InboxRule</code> and <code>Get-TransportRule</code> / <code>Remove-TransportRule</code> to discover and remove potentially malicious auto-forwarding and transport rules.<span onclick=scrollToRef('scite-6') id="scite-ref-6-a" class="scite-citeref-number" title="McMichael, T.. (2015, June 8). Exchange and Office 365 Mail Forwarding. Retrieved October 8, 2019." data-reference="Microsoft Tim McMichael Exchange Mail Forwarding 2"><sup><a href="https://blogs.technet.microsoft.com/timmcmic/2015/06/08/exchange-and-office-365-mail-forwarding-2/" target="_blank" data-hasqtip="5" aria-describedby="qtip-5">[6]</a></sup></span><span onclick=scrollToRef('scite-7') id="scite-ref-7-a" class="scite-citeref-number" title="Microsoft. (2023, February 22). Manage mail flow rules in Exchange Online. Retrieved March 13, 2023." data-reference="Microsoft Manage Mail Flow Rules 2023"><sup><a href="https://learn.microsoft.com/en-us/exchange/security-and-compliance/mail-flow-rules/manage-mail-flow-rules" target="_blank" data-hasqtip="6" aria-describedby="qtip-6">[7]</a></sup></span><span onclick=scrollToRef('scite-8') id="scite-ref-8-a" class="scite-citeref-number" title="Microsoft. 
(n.d.). Get-InboxRule. Retrieved June 10, 2021."data-reference="Microsoft Get-InboxRule"><sup><a href="https://docs.microsoft.com/en-us/powershell/module/exchange/get-inboxrule?view=exchange-ps" target="_blank" data-hasqtip="7" aria-describedby="qtip-7">[8]</a></sup></span> In addition to this, a MAPI Editor can be utilized to examine the underlying database structure and discover any modifications/tampering of the properties of auto-forwarding rules.<span onclick=scrollToRef('scite-9') id="scite-ref-9-a" class="scite-citeref-number" title="Damian Pfammatter. (2018, September 17). Hidden Inbox Rules in Microsoft Exchange. Retrieved October 12, 2021."data-reference="Pfammatter - Hidden Inbox Rules"><sup><a href="https://blog.compass-security.com/2018/09/hidden-inbox-rules-in-microsoft-exchange/" target="_blank" data-hasqtip="8" aria-describedby="qtip-8">[9]</a></sup></span></p> </td> </tr> <tr class="sub technique noparent enterprise" id="enterprise"> <td> Enterprise </td> <td> <a href="/versions/v15/techniques/T1546">T1546</a> </td> <td> <a href="/versions/v15/techniques/T1546/006">.006</a> </td> <td> <a href="/versions/v15/techniques/T1546">Event Triggered Execution</a>: <a href="/versions/v15/techniques/T1546/006">LC_LOAD_DYLIB Addition</a> </td> <td> <p>Binaries can also be baselined for what dynamic libraries they require, and if an app requires a new dynamic library that wasn't included as part of an update, it should be investigated.</p> </td> </tr> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/versions/v15/techniques/T1606">T1606</a> </td> <td> <a href="/versions/v15/techniques/T1606">Forge Web Credentials</a> </td> <td> <p>Administrators should perform an audit of all access lists and the permissions they have been granted to access web applications and services. 
This should be done extensively on all resources in order to establish a baseline, followed up on with periodic audits of new or updated resources. Suspicious accounts/credentials should be investigated and removed.</p><p>Enable advanced auditing on ADFS. Check the success and failure audit options in the ADFS Management snap-in. Enable Audit Application Generated events on the AD FS farm via Group Policy Object.<span onclick=scrollToRef('scite-10') id="scite-ref-10-a" class="scite-citeref-number" title="Bierstock, D., Baker, A. (2019, March 21). I am AD FS and So Can You. Retrieved December 17, 2020."data-reference="FireEye ADFS"><sup><a href="https://www.troopers.de/troopers19/agenda/fpxwmn/" target="_blank" data-hasqtip="9" aria-describedby="qtip-9">[10]</a></sup></span></p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/versions/v15/techniques/T1606/001">.001</a> </td> <td> <a href="/versions/v15/techniques/T1606/001">Web Cookies</a> </td> <td> <p>Administrators should perform an audit of all access lists and the permissions they have been granted to access web applications and services. This should be done extensively on all resources in order to establish a baseline, followed up on with periodic audits of new or updated resources. Suspicious accounts/credentials should be investigated and removed.</p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/versions/v15/techniques/T1606/002">.002</a> </td> <td> <a href="/versions/v15/techniques/T1606/002">SAML Tokens</a> </td> <td> <p>Enable advanced auditing on AD FS. Check the success and failure audit options in the AD FS Management snap-in. Enable Audit Application Generated events on the AD FS farm via Group Policy Object.<span onclick=scrollToRef('scite-10') id="scite-ref-10-a" class="scite-citeref-number" title="Bierstock, D., Baker, A. (2019, March 21). I am AD FS and So Can You. 
Retrieved December 17, 2020."data-reference="FireEye ADFS"><sup><a href="https://www.troopers.de/troopers19/agenda/fpxwmn/" target="_blank" data-hasqtip="9" aria-describedby="qtip-9">[10]</a></sup></span></p> </td> </tr> <tr class="sub technique noparent enterprise" id="enterprise"> <td> Enterprise </td> <td> <a href="/versions/v15/techniques/T1564">T1564</a> </td> <td> <a href="/versions/v15/techniques/T1564/008">.008</a> </td> <td> <a href="/versions/v15/techniques/T1564">Hide Artifacts</a>: <a href="/versions/v15/techniques/T1564/008">Email Hiding Rules</a> </td> <td> <p>Enterprise email solutions may have monitoring mechanisms that may include the ability to audit inbox rules on a regular basis. </p><p>In an Exchange environment, Administrators can use <code>Get-InboxRule</code> / <code>Remove-InboxRule</code> and <code>Get-TransportRule</code> / <code>Remove-TransportRule</code> to discover and remove potentially malicious inbox and transport rules.<span onclick=scrollToRef('scite-8') id="scite-ref-8-a" class="scite-citeref-number" title="Microsoft. (n.d.). Get-InboxRule. Retrieved June 10, 2021."data-reference="Microsoft Get-InboxRule"><sup><a href="https://docs.microsoft.com/en-us/powershell/module/exchange/get-inboxrule?view=exchange-ps" target="_blank" data-hasqtip="7" aria-describedby="qtip-7">[8]</a></sup></span><span onclick=scrollToRef('scite-7') id="scite-ref-7-a" class="scite-citeref-number" title="Microsoft. (2023, February 22). Manage mail flow rules in Exchange Online. 
Retrieved March 13, 2023."data-reference="Microsoft Manage Mail Flow Rules 2023"><sup><a href="https://learn.microsoft.com/en-us/exchange/security-and-compliance/mail-flow-rules/manage-mail-flow-rules" target="_blank" data-hasqtip="6" aria-describedby="qtip-6">[7]</a></sup></span></p> </td> </tr> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/versions/v15/techniques/T1574">T1574</a> </td> <td> <a href="/versions/v15/techniques/T1574">Hijack Execution Flow</a> </td> <td> <p>Use auditing tools capable of detecting hijacking opportunities on systems within an enterprise and correct them. Toolkits like the PowerSploit framework contain PowerUp modules that can be used to explore systems for hijacking weaknesses.<span onclick=scrollToRef('scite-11') id="scite-ref-11-a" class="scite-citeref-number" title="PowerSploit. (n.d.). Retrieved December 4, 2014."data-reference="Powersploit"><sup><a href="https://github.com/mattifestation/PowerSploit" target="_blank" data-hasqtip="10" aria-describedby="qtip-10">[11]</a></sup></span></p><p>Use the program sxstrace.exe that is included with Windows along with manual inspection to check manifest files for side-loading vulnerabilities in software.</p><p>Find and eliminate path interception weaknesses in program configuration files, scripts, the PATH environment variable, services, and in shortcuts by surrounding PATH variables with quotation marks when functions allow for them. Be aware of the search order Windows uses for executing or loading binaries and use fully qualified paths wherever appropriate.</p><p>Clean up old Windows Registry keys when software is uninstalled to avoid keys with no associated legitimate binaries. 
Periodically search for and correct or report path interception weaknesses on systems that may have been introduced using custom or available tools that report software using insecure path configurations.<span onclick=scrollToRef('scite-12') id="scite-ref-12-a" class="scite-citeref-number" title="Microsoft. (n.d.). CreateProcess function. Retrieved December 5, 2014."data-reference="Microsoft CreateProcess"><sup><a href="http://msdn.microsoft.com/en-us/library/ms682425" target="_blank" data-hasqtip="11" aria-describedby="qtip-11">[12]</a></sup></span><span onclick=scrollToRef('scite-13') id="scite-ref-13-a" class="scite-citeref-number" title="Microsoft. (n.d.). Dynamic-Link Library Security. Retrieved July 25, 2016."data-reference="Microsoft Dynamic-Link Library Security"><sup><a href="https://docs.microsoft.com/en-us/windows/win32/dlls/dynamic-link-library-security?redirectedfrom=MSDN" target="_blank" data-hasqtip="12" aria-describedby="qtip-12">[13]</a></sup></span><span onclick=scrollToRef('scite-14') id="scite-ref-14-a" class="scite-citeref-number" title="Kanthak, S.. (2016, July 20). Vulnerability and Exploit Detector. Retrieved February 3, 2017."data-reference="Vulnerability and Exploit Detector"><sup><a href="https://skanthak.homepage.t-online.de/sentinel.html" target="_blank" data-hasqtip="13" aria-describedby="qtip-13">[14]</a></sup></span></p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/versions/v15/techniques/T1574/001">.001</a> </td> <td> <a href="/versions/v15/techniques/T1574/001">DLL Search Order Hijacking</a> </td> <td> <p>Use auditing tools capable of detecting DLL search order hijacking opportunities on systems within an enterprise and correct them. Toolkits like the PowerSploit framework contain PowerUp modules that can be used to explore systems for DLL hijacking weaknesses.<span onclick=scrollToRef('scite-11') id="scite-ref-11-a" class="scite-citeref-number" title="PowerSploit. (n.d.). 
Retrieved December 4, 2014."data-reference="Powersploit"><sup><a href="https://github.com/mattifestation/PowerSploit" target="_blank" data-hasqtip="10" aria-describedby="qtip-10">[11]</a></sup></span></p><p>Use the program sxstrace.exe that is included with Windows along with manual inspection to check manifest files for side-by-side problems in software.<span onclick=scrollToRef('scite-15') id="scite-ref-15-a" class="scite-citeref-number" title="Gerend, J. et al.. (2017, October 16). sxstrace. Retrieved April 26, 2021."data-reference="Microsoft Sxstrace"><sup><a href="https://docs.microsoft.com/windows-server/administration/windows-commands/sxstrace" target="_blank" data-hasqtip="14" aria-describedby="qtip-14">[15]</a></sup></span></p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/versions/v15/techniques/T1574/005">.005</a> </td> <td> <a href="/versions/v15/techniques/T1574/005">Executable Installer File Permissions Weakness</a> </td> <td> <p>Use auditing tools capable of detecting file system permissions abuse opportunities on systems within an enterprise and correct them. Toolkits like the PowerSploit framework contain PowerUp modules that can be used to explore systems for service file system permissions weaknesses.<span onclick=scrollToRef('scite-11') id="scite-ref-11-a" class="scite-citeref-number" title="PowerSploit. (n.d.). 
Retrieved December 4, 2014."data-reference="Powersploit"><sup><a href="https://github.com/mattifestation/PowerSploit" target="_blank" data-hasqtip="10" aria-describedby="qtip-10">[11]</a></sup></span></p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/versions/v15/techniques/T1574/007">.007</a> </td> <td> <a href="/versions/v15/techniques/T1574/007">Path Interception by PATH Environment Variable</a> </td> <td> <p>Find and eliminate path interception weaknesses in program configuration files, scripts, the PATH environment variable, services, and in shortcuts by surrounding PATH variables with quotation marks when functions allow for them. Be aware of the search order Windows uses for executing or loading binaries and use fully qualified paths wherever appropriate.</p><p>Clean up old Windows Registry keys when software is uninstalled to avoid keys with no associated legitimate binaries. Periodically search for and correct or report path interception weaknesses on systems that may have been introduced using custom or available tools that report software using insecure path configurations.<span onclick=scrollToRef('scite-12') id="scite-ref-12-a" class="scite-citeref-number" title="Microsoft. (n.d.). CreateProcess function. Retrieved December 5, 2014."data-reference="Microsoft CreateProcess"><sup><a href="http://msdn.microsoft.com/en-us/library/ms682425" target="_blank" data-hasqtip="11" aria-describedby="qtip-11">[12]</a></sup></span><span onclick=scrollToRef('scite-13') id="scite-ref-13-a" class="scite-citeref-number" title="Microsoft. (n.d.). Dynamic-Link Library Security. 
Retrieved July 25, 2016."data-reference="Microsoft Dynamic-Link Library Security"><sup><a href="https://docs.microsoft.com/en-us/windows/win32/dlls/dynamic-link-library-security?redirectedfrom=MSDN" target="_blank" data-hasqtip="12" aria-describedby="qtip-12">[13]</a></sup></span><span onclick=scrollToRef('scite-14') id="scite-ref-14-a" class="scite-citeref-number" title="Kanthak, S.. (2016, July 20). Vulnerability and Exploit Detector. Retrieved February 3, 2017."data-reference="Vulnerability and Exploit Detector"><sup><a href="https://skanthak.homepage.t-online.de/sentinel.html" target="_blank" data-hasqtip="13" aria-describedby="qtip-13">[14]</a></sup></span></p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/versions/v15/techniques/T1574/008">.008</a> </td> <td> <a href="/versions/v15/techniques/T1574/008">Path Interception by Search Order Hijacking</a> </td> <td> <p>Find and eliminate path interception weaknesses in program configuration files, scripts, the PATH environment variable, services, and in shortcuts by surrounding PATH variables with quotation marks when functions allow for them. Be aware of the search order Windows uses for executing or loading binaries and use fully qualified paths wherever appropriate.</p><p>Clean up old Windows Registry keys when software is uninstalled to avoid keys with no associated legitimate binaries. Periodically search for and correct or report path interception weaknesses on systems that may have been introduced using custom or available tools that report software using insecure path configurations.<span onclick=scrollToRef('scite-12') id="scite-ref-12-a" class="scite-citeref-number" title="Microsoft. (n.d.). CreateProcess function. 
Retrieved December 5, 2014."data-reference="Microsoft CreateProcess"><sup><a href="http://msdn.microsoft.com/en-us/library/ms682425" target="_blank" data-hasqtip="11" aria-describedby="qtip-11">[12]</a></sup></span><span onclick=scrollToRef('scite-13') id="scite-ref-13-a" class="scite-citeref-number" title="Microsoft. (n.d.). Dynamic-Link Library Security. Retrieved July 25, 2016."data-reference="Microsoft Dynamic-Link Library Security"><sup><a href="https://docs.microsoft.com/en-us/windows/win32/dlls/dynamic-link-library-security?redirectedfrom=MSDN" target="_blank" data-hasqtip="12" aria-describedby="qtip-12">[13]</a></sup></span><span onclick=scrollToRef('scite-14') id="scite-ref-14-a" class="scite-citeref-number" title="Kanthak, S.. (2016, July 20). Vulnerability and Exploit Detector. Retrieved February 3, 2017."data-reference="Vulnerability and Exploit Detector"><sup><a href="https://skanthak.homepage.t-online.de/sentinel.html" target="_blank" data-hasqtip="13" aria-describedby="qtip-13">[14]</a></sup></span></p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/versions/v15/techniques/T1574/009">.009</a> </td> <td> <a href="/versions/v15/techniques/T1574/009">Path Interception by Unquoted Path</a> </td> <td> <p>Find and eliminate path interception weaknesses in program configuration files, scripts, the PATH environment variable, services, and in shortcuts by surrounding PATH variables with quotation marks when functions allow for them. Be aware of the search order Windows uses for executing or loading binaries and use fully qualified paths wherever appropriate.</p><p>Clean up old Windows Registry keys when software is uninstalled to avoid keys with no associated legitimate binaries. 
Periodically search for and correct or report path interception weaknesses on systems that may have been introduced using custom or available tools that report software using insecure path configurations.<span onclick=scrollToRef('scite-12') id="scite-ref-12-a" class="scite-citeref-number" title="Microsoft. (n.d.). CreateProcess function. Retrieved December 5, 2014."data-reference="Microsoft CreateProcess"><sup><a href="http://msdn.microsoft.com/en-us/library/ms682425" target="_blank" data-hasqtip="11" aria-describedby="qtip-11">[12]</a></sup></span><span onclick=scrollToRef('scite-13') id="scite-ref-13-a" class="scite-citeref-number" title="Microsoft. (n.d.). Dynamic-Link Library Security. Retrieved July 25, 2016."data-reference="Microsoft Dynamic-Link Library Security"><sup><a href="https://docs.microsoft.com/en-us/windows/win32/dlls/dynamic-link-library-security?redirectedfrom=MSDN" target="_blank" data-hasqtip="12" aria-describedby="qtip-12">[13]</a></sup></span><span onclick=scrollToRef('scite-14') id="scite-ref-14-a" class="scite-citeref-number" title="Kanthak, S.. (2016, July 20). Vulnerability and Exploit Detector. Retrieved February 3, 2017."data-reference="Vulnerability and Exploit Detector"><sup><a href="https://skanthak.homepage.t-online.de/sentinel.html" target="_blank" data-hasqtip="13" aria-describedby="qtip-13">[14]</a></sup></span></p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/versions/v15/techniques/T1574/010">.010</a> </td> <td> <a href="/versions/v15/techniques/T1574/010">Services File Permissions Weakness</a> </td> <td> <p>Use auditing tools capable of detecting file system permissions abuse opportunities on systems within an enterprise and correct them. 
Toolkits like the PowerSploit framework contain PowerUp modules that can be used to explore systems for service file system permissions weaknesses.<span onclick=scrollToRef('scite-11') id="scite-ref-11-a" class="scite-citeref-number" title="PowerSploit. (n.d.). Retrieved December 4, 2014."data-reference="Powersploit"><sup><a href="https://github.com/mattifestation/PowerSploit" target="_blank" data-hasqtip="10" aria-describedby="qtip-10">[11]</a></sup></span></p> </td> </tr> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/versions/v15/techniques/T1562">T1562</a> </td> <td> <a href="/versions/v15/techniques/T1562">Impair Defenses</a> </td> <td> <p>Routinely check account role permissions to ensure only expected users and roles have permission to modify defensive tools and settings.</p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/versions/v15/techniques/T1562/002">.002</a> </td> <td> <a href="/versions/v15/techniques/T1562/002">Disable Windows Event Logging</a> </td> <td> <p>Consider periodic review of <code>auditpol</code> settings for Administrator accounts and perform dynamic baselining on SIEM(s) to investigate potential malicious activity. 
Also ensure that the EventLog service and its threads are properly running.</p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/versions/v15/techniques/T1562/004">.004</a> </td> <td> <a href="/versions/v15/techniques/T1562/004">Disable or Modify System Firewall</a> </td> <td> <p>Routinely check account role permissions to ensure only expected users and roles have permission to modify system firewalls.</p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/versions/v15/techniques/T1562/007">.007</a> </td> <td> <a href="/versions/v15/techniques/T1562/007">Disable or Modify Cloud Firewall</a> </td> <td> <p>Routinely check account role permissions to ensure only expected users and roles have permission to modify cloud firewalls. </p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/versions/v15/techniques/T1562/012">.012</a> </td> <td> <a href="/versions/v15/techniques/T1562/012">Disable or Modify Linux Audit System</a> </td> <td> <p>Routinely check account role permissions to ensure only expected users and roles have permission to modify logging settings.</p><p>To ensure Audit rules cannot be modified at runtime, add <code>auditctl -e 2</code> as the last command in the audit.rules file. Once started, any attempt to change the configuration in this mode will be audited and denied. 
The configuration can only be changed by rebooting the machine.</p> </td> </tr> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/versions/v15/techniques/T1525">T1525</a> </td> <td> <a href="/versions/v15/techniques/T1525">Implant Internal Image</a> </td> <td> <p>Periodically check the integrity of images and containers used in cloud deployments to ensure they have not been modified to include malicious software.</p> </td> </tr> <tr class="sub technique noparent enterprise" id="enterprise"> <td> Enterprise </td> <td> <a href="/versions/v15/techniques/T1070">T1070</a> </td> <td> <a href="/versions/v15/techniques/T1070/008">.008</a> </td> <td> <a href="/versions/v15/techniques/T1070">Indicator Removal</a>: <a href="/versions/v15/techniques/T1070/008">Clear Mailbox Data</a> </td> <td> <p>In an Exchange environment, Administrators can use <code>Get-TransportRule</code> / <code>Remove-TransportRule</code> to discover and remove potentially malicious transport rules.<span onclick=scrollToRef('scite-7') id="scite-ref-7-a" class="scite-citeref-number" title="Microsoft. (2023, February 22). Manage mail flow rules in Exchange Online. Retrieved March 13, 2023."data-reference="Microsoft Manage Mail Flow Rules 2023"><sup><a href="https://learn.microsoft.com/en-us/exchange/security-and-compliance/mail-flow-rules/manage-mail-flow-rules" target="_blank" data-hasqtip="6" aria-describedby="qtip-6">[7]</a></sup></span></p> </td> </tr> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/versions/v15/techniques/T1556">T1556</a> </td> <td> <a href="/versions/v15/techniques/T1556">Modify Authentication Process</a> </td> <td> <p>Review authentication logs to ensure that mechanisms such as enforcement of MFA are functioning as intended.</p><p>Periodically review the hybrid identity solution in use for any discrepancies. 
For example, review all Pass Through Authentication (PTA) agents in the Azure Management Portal to identify any unwanted or unapproved ones.<span onclick=scrollToRef('scite-16') id="scite-ref-16-a" class="scite-citeref-number" title="Mike Burns. (2020, September 30). Detecting Microsoft 365 and Azure Active Directory Backdoors. Retrieved September 28, 2022."data-reference="Mandiant Azure AD Backdoors"><sup><a href="https://www.mandiant.com/resources/detecting-microsoft-365-azure-active-directory-backdoors" target="_blank" data-hasqtip="15" aria-describedby="qtip-15">[16]</a></sup></span> If ADFS is in use, review DLLs and executable files in the AD FS and Global Assembly Cache directories to ensure that they are signed by Microsoft. Note that in some cases binaries may be catalog-signed, which may cause the file to appear unsigned when viewing file properties.<span onclick=scrollToRef('scite-17') id="scite-ref-17-a" class="scite-citeref-number" title="Microsoft Threat Intelligence Center, Microsoft Detection and Response Team, Microsoft 365 Defender Research Team. (2022, August 24). MagicWeb: NOBELIUM’s post-compromise trick to authenticate as anyone. Retrieved September 28, 2022."data-reference="MagicWeb"><sup><a href="https://www.microsoft.com/security/blog/2022/08/24/magicweb-nobeliums-post-compromise-trick-to-authenticate-as-anyone/" target="_blank" data-hasqtip="16" aria-describedby="qtip-16">[17]</a></sup></span></p><p>Periodically review for new and unknown network provider DLLs within the Registry (<code>HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\&lt;NetworkProviderName&gt;\NetworkProvider\ProviderPath</code>). Ensure only valid network provider DLLs are registered. 
The name of these can be found in the Registry key at <code>HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\NetworkProvider\Order</code>, and have a corresponding service subkey pointing to a DLL at <code>HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\&lt;NetworkProviderName&gt;\NetworkProvider</code>.</p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/versions/v15/techniques/T1556/006">.006</a> </td> <td> <a href="/versions/v15/techniques/T1556/006">Multi-Factor Authentication</a> </td> <td> <p>Review MFA actions alongside authentication logs to ensure that MFA-based logins are functioning as intended. Review user accounts to ensure that all accounts have MFA enabled.<span onclick=scrollToRef('scite-18') id="scite-ref-18-a" class="scite-citeref-number" title="Pany, D. & Hanley, C. (2023, May 3). Cloudy with a Chance of Bad Logs: Cloud Platform Log Configurations to Consider in Investigations. Retrieved October 16, 2023."data-reference="Mandiant Cloudy Logs 2023"><sup><a href="https://www.mandiant.com/resources/blog/cloud-bad-log-configurations" target="_blank" data-hasqtip="17" aria-describedby="qtip-17">[18]</a></sup></span></p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/versions/v15/techniques/T1556/007">.007</a> </td> <td> <a href="/versions/v15/techniques/T1556/007">Hybrid Identity</a> </td> <td> <p>Periodically review the hybrid identity solution in use for any discrepancies. For example, review all PTA agents in the Azure Management Portal to identify any unwanted or unapproved ones.<span onclick=scrollToRef('scite-16') id="scite-ref-16-a" class="scite-citeref-number" title="Mike Burns. (2020, September 30). Detecting Microsoft 365 and Azure Active Directory Backdoors. 
Retrieved September 28, 2022."data-reference="Mandiant Azure AD Backdoors"><sup><a href="https://www.mandiant.com/resources/detecting-microsoft-365-azure-active-directory-backdoors" target="_blank" data-hasqtip="15" aria-describedby="qtip-15">[16]</a></sup></span> If ADFS is in use, review DLLs and executable files in the AD FS and Global Assembly Cache directories to ensure that they are signed by Microsoft. Note that in some cases binaries may be catalog-signed, which may cause the file to appear unsigned when viewing file properties.<span onclick=scrollToRef('scite-17') id="scite-ref-17-a" class="scite-citeref-number" title="Microsoft Threat Intelligence Center, Microsoft Detection and Response Team, Microsoft 365 Defender Research Team. (2022, August 24). MagicWeb: NOBELIUM’s post-compromise trick to authenticate as anyone. Retrieved September 28, 2022."data-reference="MagicWeb"><sup><a href="https://www.microsoft.com/security/blog/2022/08/24/magicweb-nobeliums-post-compromise-trick-to-authenticate-as-anyone/" target="_blank" data-hasqtip="16" aria-describedby="qtip-16">[17]</a></sup></span></p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/versions/v15/techniques/T1556/008">.008</a> </td> <td> <a href="/versions/v15/techniques/T1556/008">Network Provider DLL</a> </td> <td> <p>Periodically review for new and unknown network provider DLLs within the Registry (<code>HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\&lt;NetworkProviderName&gt;\NetworkProvider\ProviderPath</code>).</p><p>Ensure only valid network provider DLLs are registered. 
The name of these can be found in the Registry key at <code>HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\NetworkProvider\Order</code>, and have a corresponding service subkey pointing to a DLL at <code>HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\&lt;NetworkProviderName&gt;\NetworkProvider</code>.</p> </td> </tr> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/versions/v15/techniques/T1578">T1578</a> </td> <td> <a href="/versions/v15/techniques/T1578">Modify Cloud Compute Infrastructure</a> </td> <td> <p>Routinely monitor user permissions to ensure only the expected users have the capability to modify cloud compute infrastructure components.</p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/versions/v15/techniques/T1578/001">.001</a> </td> <td> <a href="/versions/v15/techniques/T1578/001">Create Snapshot</a> </td> <td> <p>Routinely check user permissions to ensure only the expected users have the capability to create snapshots and backups.</p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/versions/v15/techniques/T1578/002">.002</a> </td> <td> <a href="/versions/v15/techniques/T1578/002">Create Cloud Instance</a> </td> <td> <p>Routinely check user permissions to ensure only the expected users have the capability to create new instances.</p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/versions/v15/techniques/T1578/003">.003</a> </td> <td> <a href="/versions/v15/techniques/T1578/003">Delete Cloud Instance</a> </td> <td> <p>Routinely check user permissions to ensure only the expected users have the capability to delete instances.</p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/versions/v15/techniques/T1578/005">.005</a> </td> <td> <a href="/versions/v15/techniques/T1578/005">Modify 
Cloud Compute Configurations</a> </td> <td> <p>Routinely monitor user permissions to ensure only the expected users have the capability to request quota adjustments or modify tenant-level compute settings.</p> </td> </tr> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/versions/v15/techniques/T1027">T1027</a> </td> <td> <a href="/versions/v15/techniques/T1027">Obfuscated Files or Information</a> </td> <td> <p>Consider periodic review of common fileless storage locations (such as the Registry or WMI repository) to potentially identify abnormal and malicious data.</p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/versions/v15/techniques/T1027/011">.011</a> </td> <td> <a href="/versions/v15/techniques/T1027/011">Fileless Storage</a> </td> <td> <p>Consider periodic review of common fileless storage locations (such as the Registry or WMI repository) to potentially identify abnormal and malicious data.</p> </td> </tr> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/versions/v15/techniques/T1566">T1566</a> </td> <td> <a href="/versions/v15/techniques/T1566">Phishing</a> </td> <td> <p>Perform audits or scans of systems, permissions, insecure software, insecure configurations, etc. 
to identify potential weaknesses.</p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/versions/v15/techniques/T1566/002">.002</a> </td> <td> <a href="/versions/v15/techniques/T1566/002">Spearphishing Link</a> </td> <td> <p>Audit applications and their permissions to ensure access to data and resources is limited based upon necessity and the principle of least privilege.</p> </td> </tr> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/versions/v15/techniques/T1653">T1653</a> </td> <td> <a href="/versions/v15/techniques/T1653">Power Settings</a> </td> <td> <p>Periodically inspect systems for abnormal and unexpected power settings that may indicate malicious activity.</p> </td> </tr> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/versions/v15/techniques/T1542">T1542</a> </td> <td> <a href="/versions/v15/techniques/T1542">Pre-OS Boot</a> </td> <td> <p>Perform audits or scans of systems, permissions, insecure software, insecure configurations, etc. to identify potential weaknesses.</p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/versions/v15/techniques/T1542/004">.004</a> </td> <td> <a href="/versions/v15/techniques/T1542/004">ROMMONkit</a> </td> <td> <p>Periodically check the integrity of the system image to ensure it has not been modified. <span onclick=scrollToRef('scite-19') id="scite-ref-19-a" class="scite-citeref-number" title="Cisco. (n.d.). Cisco IOS Software Integrity Assurance - Image File Integrity. 
Retrieved October 21, 2020."data-reference="Cisco IOS Software Integrity Assurance - Image File Integrity"><sup><a href="https://tools.cisco.com/security/center/resources/integrity_assurance.html#30" target="_blank" data-hasqtip="18" aria-describedby="qtip-18">[19]</a></sup></span> <span onclick=scrollToRef('scite-20') id="scite-ref-20-a" class="scite-citeref-number" title="Cisco. (n.d.). Cisco IOS Software Integrity Assurance - Cisco IOS Image File Verification. Retrieved October 19, 2020."data-reference="Cisco IOS Software Integrity Assurance - Image File Verification"><sup><a href="https://tools.cisco.com/security/center/resources/integrity_assurance.html#7" target="_blank" data-hasqtip="19" aria-describedby="qtip-19">[20]</a></sup></span> <span onclick=scrollToRef('scite-21') id="scite-ref-21-a" class="scite-citeref-number" title="Cisco. (n.d.). Cisco IOS Software Integrity Assurance - Change Control. Retrieved October 21, 2020."data-reference="Cisco IOS Software Integrity Assurance - Change Control"><sup><a href="https://tools.cisco.com/security/center/resources/integrity_assurance.html#31" target="_blank" data-hasqtip="20" aria-describedby="qtip-20">[21]</a></sup></span> </p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/versions/v15/techniques/T1542/005">.005</a> </td> <td> <a href="/versions/v15/techniques/T1542/005">TFTP Boot</a> </td> <td> <p>Periodically check the integrity of the running configuration and system image to ensure they have not been modified. <span onclick=scrollToRef('scite-20') id="scite-ref-20-a" class="scite-citeref-number" title="Cisco. (n.d.). Cisco IOS Software Integrity Assurance - Cisco IOS Image File Verification. 
Retrieved October 19, 2020."data-reference="Cisco IOS Software Integrity Assurance - Image File Verification"><sup><a href="https://tools.cisco.com/security/center/resources/integrity_assurance.html#7" target="_blank" data-hasqtip="19" aria-describedby="qtip-19">[20]</a></sup></span> <span onclick=scrollToRef('scite-19') id="scite-ref-19-a" class="scite-citeref-number" title="Cisco. (n.d.). Cisco IOS Software Integrity Assurance - Image File Integrity. Retrieved October 21, 2020."data-reference="Cisco IOS Software Integrity Assurance - Image File Integrity"><sup><a href="https://tools.cisco.com/security/center/resources/integrity_assurance.html#30" target="_blank" data-hasqtip="18" aria-describedby="qtip-18">[19]</a></sup></span> <span onclick=scrollToRef('scite-21') id="scite-ref-21-a" class="scite-citeref-number" title="Cisco. (n.d.). Cisco IOS Software Integrity Assurance - Change Control. Retrieved October 21, 2020."data-reference="Cisco IOS Software Integrity Assurance - Change Control"><sup><a href="https://tools.cisco.com/security/center/resources/integrity_assurance.html#31" target="_blank" data-hasqtip="20" aria-describedby="qtip-20">[21]</a></sup></span> </p> </td> </tr> <tr class="sub technique noparent enterprise" id="enterprise"> <td> Enterprise </td> <td> <a href="/versions/v15/techniques/T1563">T1563</a> </td> <td> <a href="/versions/v15/techniques/T1563/002">.002</a> </td> <td> <a href="/versions/v15/techniques/T1563">Remote Service Session Hijacking</a>: <a href="/versions/v15/techniques/T1563/002">RDP Hijacking</a> </td> <td> <p>Audit the Remote Desktop Users group membership regularly. 
Remove unnecessary accounts and groups from Remote Desktop Users groups.</p> </td> </tr> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/versions/v15/techniques/T1021">T1021</a> </td> <td> <a href="/versions/v15/techniques/T1021">Remote Services</a> </td> <td> <p>Perform audits or scans of systems, permissions, insecure software, insecure configurations, etc. to identify potential weaknesses.</p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/versions/v15/techniques/T1021/001">.001</a> </td> <td> <a href="/versions/v15/techniques/T1021/001">Remote Desktop Protocol</a> </td> <td> <p>Audit the Remote Desktop Users group membership regularly. Remove unnecessary accounts and groups from Remote Desktop Users groups.</p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/versions/v15/techniques/T1021/005">.005</a> </td> <td> <a href="/versions/v15/techniques/T1021/005">VNC</a> </td> <td> <p>Inventory workstations for unauthorized VNC server software.</p> </td> </tr> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/versions/v15/techniques/T1053">T1053</a> </td> <td> <a href="/versions/v15/techniques/T1053">Scheduled Task/Job</a> </td> <td> <p>Toolkits like the PowerSploit framework contain PowerUp modules that can be used to explore systems for permission weaknesses in scheduled tasks that could be used to escalate privileges. <span onclick=scrollToRef('scite-11') id="scite-ref-11-a" class="scite-citeref-number" title="PowerSploit. (n.d.). 
Retrieved December 4, 2014."data-reference="Powersploit"><sup><a href="https://github.com/mattifestation/PowerSploit" target="_blank" data-hasqtip="10" aria-describedby="qtip-10">[11]</a></sup></span></p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/versions/v15/techniques/T1053/002">.002</a> </td> <td> <a href="/versions/v15/techniques/T1053/002">At</a> </td> <td> <p>Toolkits like the PowerSploit framework contain PowerUp modules that can be used to explore systems for permission weaknesses in scheduled tasks that could be used to escalate privileges. <span onclick=scrollToRef('scite-11') id="scite-ref-11-a" class="scite-citeref-number" title="PowerSploit. (n.d.). Retrieved December 4, 2014."data-reference="Powersploit"><sup><a href="https://github.com/mattifestation/PowerSploit" target="_blank" data-hasqtip="10" aria-describedby="qtip-10">[11]</a></sup></span> Windows operating system also creates a registry key specifically associated with the creation of a scheduled task on the destination host at: Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\At1. <span onclick=scrollToRef('scite-22') id="scite-ref-22-a" class="scite-citeref-number" title="Carvey, H.. (2014, September). Where You AT?: Indicators of Lateral Movement Using at.exe on Windows 7 Systems. Retrieved November 27, 2019."data-reference="Secureworks - AT.exe Scheduled Task"><sup><a href="https://www.secureworks.com/blog/where-you-at-indicators-of-lateral-movement-using-at-exe-on-windows-7-systems" target="_blank" data-hasqtip="21" aria-describedby="qtip-21">[22]</a></sup></span> In Linux and macOS environments, scheduled tasks using <code><a href="/versions/v15/software/S0110">at</a></code> can be audited locally, or through centrally collected logging, using syslog, or auditd events from the host. <span onclick=scrollToRef('scite-23') id="scite-ref-23-a" class="scite-citeref-number" title="Koromicha. (2019, September 7). 
Scheduling tasks using at command in Linux. Retrieved December 3, 2019."data-reference="Kifarunix - Task Scheduling in Linux"><sup><a href="https://kifarunix.com/scheduling-tasks-using-at-command-in-linux/" target="_blank" data-hasqtip="22" aria-describedby="qtip-22">[23]</a></sup></span></p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/versions/v15/techniques/T1053/003">.003</a> </td> <td> <a href="/versions/v15/techniques/T1053/003">Cron</a> </td> <td> <p>Review changes to the <code>cron</code> schedule. <code>cron</code> execution can be reviewed within the <code>/var/log</code> directory. To validate the location of the <code>cron</code> log file, check the syslog config at <code>/etc/rsyslog.conf</code> or <code>/etc/syslog.conf</code>.</p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/versions/v15/techniques/T1053/005">.005</a> </td> <td> <a href="/versions/v15/techniques/T1053/005">Scheduled Task</a> </td> <td> <p>Toolkits like the PowerSploit framework contain PowerUp modules that can be used to explore systems for permission weaknesses in scheduled tasks that could be used to escalate privileges. <span onclick=scrollToRef('scite-11') id="scite-ref-11-a" class="scite-citeref-number" title="PowerSploit. (n.d.). Retrieved December 4, 2014."data-reference="Powersploit"><sup><a href="https://github.com/mattifestation/PowerSploit" target="_blank" data-hasqtip="10" aria-describedby="qtip-10">[11]</a></sup></span></p> </td> </tr> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/versions/v15/techniques/T1593">T1593</a> </td> <td> <a href="/versions/v15/techniques/T1593">Search Open Websites/Domains</a> </td> <td> <p>Scan public code repositories for exposed credentials or other sensitive information before making commits. 
Ensure that any leaked credentials are removed from the commit history, not just the current latest version of the code.</p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/versions/v15/techniques/T1593/003">.003</a> </td> <td> <a href="/versions/v15/techniques/T1593/003">Code Repositories</a> </td> <td> <p>Scan public code repositories for exposed credentials or other sensitive information before making commits. Ensure that any leaked credentials are removed from the commit history, not just the current latest version of the code.</p> </td> </tr> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/versions/v15/techniques/T1505">T1505</a> </td> <td> <a href="/versions/v15/techniques/T1505">Server Software Component</a> </td> <td> <p>Regularly check component software on critical services that adversaries may target for persistence to verify the integrity of the systems and identify if unexpected changes have been made.</p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/versions/v15/techniques/T1505/001">.001</a> </td> <td> <a href="/versions/v15/techniques/T1505/001">SQL Stored Procedures</a> </td> <td> <p>Regularly check component software on critical services that adversaries may target for persistence to verify the integrity of the systems and identify if unexpected changes have been made. </p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/versions/v15/techniques/T1505/002">.002</a> </td> <td> <a href="/versions/v15/techniques/T1505/002">Transport Agent</a> </td> <td> <p>Regularly check component software on critical services that adversaries may target for persistence to verify the integrity of the systems and identify if unexpected changes have been made. 
</p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/versions/v15/techniques/T1505/004">.004</a> </td> <td> <a href="/versions/v15/techniques/T1505/004">IIS Components</a> </td> <td> <p>Regularly check installed IIS components to verify the integrity of the web server and identify if unexpected changes have been made.</p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/versions/v15/techniques/T1505/005">.005</a> </td> <td> <a href="/versions/v15/techniques/T1505/005">Terminal Services DLL</a> </td> <td> <p>Regularly check component software on critical services that adversaries may target for persistence to verify the integrity of the systems and identify if unexpected changes have been made.</p> </td> </tr> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/versions/v15/techniques/T1528">T1528</a> </td> <td> <a href="/versions/v15/techniques/T1528">Steal Application Access Token</a> </td> <td> <p>Administrators should audit all cloud and container accounts to ensure that they are necessary and that the permissions granted to them are appropriate. Additionally, administrators should perform an audit of all OAuth applications and the permissions they have been granted to access organizational data. This should be done extensively on all applications in order to establish a baseline, followed up on with periodic audits of new or updated applications. 
Suspicious applications should be investigated and removed.</p> </td> </tr> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/versions/v15/techniques/T1649">T1649</a> </td> <td> <a href="/versions/v15/techniques/T1649">Steal or Forge Authentication Certificates</a> </td> <td> <p>Check and remediate unneeded existing authentication certificates as well as common abusable misconfigurations of CA settings and permissions, such as AD CS certificate enrollment permissions and published overly permissive certificate templates (which define available settings for created certificates). For example, available AD CS certificate templates can be checked via the Certificate Authority MMC snap-in (<code>certsrv.msc</code>). <code>certutil.exe</code> can also be used to examine various information within an AD CS CA database.<span onclick=scrollToRef('scite-24') id="scite-ref-24-a" class="scite-citeref-number" title="Schroeder, W. & Christensen, L. (2021, June 22). Certified Pre-Owned - Abusing Active Directory Certificate Services. Retrieved August 2, 2022."data-reference="SpecterOps Certified Pre Owned"><sup><a href="https://web.archive.org/web/20220818094600/https://specterops.io/assets/resources/Certified_Pre-Owned.pdf" target="_blank" data-hasqtip="23" aria-describedby="qtip-23">[24]</a></sup></span><span onclick=scrollToRef('scite-25') id="scite-ref-25-a" class="scite-citeref-number" title="HarmJ0y et al. (2021, June 16). PSPKIAudit. Retrieved August 2, 2022."data-reference="GitHub PSPKIAudit"><sup><a href="https://github.com/GhostPack/PSPKIAudit" target="_blank" data-hasqtip="24" aria-describedby="qtip-24">[25]</a></sup></span><span onclick=scrollToRef('scite-26') id="scite-ref-26-a" class="scite-citeref-number" title="HarmJ0y et al. (2021, June 9). Certify. 
Retrieved August 4, 2022."data-reference="GitHub Certify"><sup><a href="https://github.com/GhostPack/Certify/" target="_blank" data-hasqtip="25" aria-describedby="qtip-25">[26]</a></sup></span></p> </td> </tr> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/versions/v15/techniques/T1558">T1558</a> </td> <td> <a href="/versions/v15/techniques/T1558">Steal or Forge Kerberos Tickets</a> </td> <td> <p>Perform audits or scans of systems, permissions, insecure software, insecure configurations, etc. to identify potential weaknesses.</p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/versions/v15/techniques/T1558/004">.004</a> </td> <td> <a href="/versions/v15/techniques/T1558/004">AS-REP Roasting</a> </td> <td> <p>Kerberos preauthentication is enabled by default. Older protocols might not support preauthentication; therefore, it is possible to have this setting disabled. Make sure that all accounts have preauthentication whenever possible and audit changes to this setting. Windows tools such as PowerShell may be used to easily find which accounts have preauthentication disabled. <span onclick=scrollToRef('scite-27') id="scite-ref-27-a" class="scite-citeref-number" title="Microsoft. (2012, July 18). Preauthentication. Retrieved August 24, 2020."data-reference="Microsoft Preauthentication Jul 2012"><sup><a href="https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-2000-server/cc961961(v=technet.10)?redirectedfrom=MSDN" target="_blank" data-hasqtip="26" aria-describedby="qtip-26">[27]</a></sup></span><span onclick=scrollToRef('scite-28') id="scite-ref-28-a" class="scite-citeref-number" title="Jeff Warren. (2019, June 27). Cracking Active Directory Passwords with AS-REP Roasting. 
Retrieved August 24, 2020."data-reference="Stealthbits Cracking AS-REP Roasting Jun 2019"><sup><a href="https://blog.stealthbits.com/cracking-active-directory-passwords-with-as-rep-roasting/" target="_blank" data-hasqtip="27" aria-describedby="qtip-27">[28]</a></sup></span></p> </td> </tr> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/versions/v15/techniques/T1552">T1552</a> </td> <td> <a href="/versions/v15/techniques/T1552">Unsecured Credentials</a> </td> <td> <p>Preemptively search for files containing passwords or other credentials and take actions to reduce the exposure risk when found.</p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/versions/v15/techniques/T1552/001">.001</a> </td> <td> <a href="/versions/v15/techniques/T1552/001">Credentials In Files</a> </td> <td> <p>Preemptively search for files containing passwords and take actions to reduce the exposure risk when found.</p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/versions/v15/techniques/T1552/002">.002</a> </td> <td> <a href="/versions/v15/techniques/T1552/002">Credentials in Registry</a> </td> <td> <p>Proactively search for credentials within the Registry and attempt to remediate the risk.</p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/versions/v15/techniques/T1552/004">.004</a> </td> <td> <a href="/versions/v15/techniques/T1552/004">Private Keys</a> </td> <td> <p>Ensure only authorized keys are allowed access to critical resources and audit access lists regularly.</p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/versions/v15/techniques/T1552/006">.006</a> </td> <td> <a href="/versions/v15/techniques/T1552/006">Group Policy Preferences</a> </td> <td> <p>Search SYSVOL for any existing GPPs that may contain credentials and 
remove them.<span onclick=scrollToRef('scite-29') id="scite-ref-29-a" class="scite-citeref-number" title="Sean Metcalf. (2015, December 28). Finding Passwords in SYSVOL & Exploiting Group Policy Preferences. Retrieved February 17, 2020."data-reference="ADSecurity Finding Passwords in SYSVOL"><sup><a href="https://adsecurity.org/?p=2288" target="_blank" data-hasqtip="28" aria-describedby="qtip-28">[29]</a></sup></span></p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/versions/v15/techniques/T1552/008">.008</a> </td> <td> <a href="/versions/v15/techniques/T1552/008">Chat Messages</a> </td> <td> <p>Preemptively search through communication services to find shared unsecured credentials. Search for common patterns like "<code>password is </code>" and "<code>password=</code>", and take actions to reduce exposure when found. </p> </td> </tr> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/versions/v15/techniques/T1550">T1550</a> </td> <td> <a href="/versions/v15/techniques/T1550">Use Alternate Authentication Material</a> </td> <td> <p>Perform audits or scans of systems, permissions, insecure software, insecure configurations, etc. to identify potential weaknesses.</p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/versions/v15/techniques/T1550/001">.001</a> </td> <td> <a href="/versions/v15/techniques/T1550/001">Application Access Token</a> </td> <td> <p>Administrators should audit all cloud and container accounts to ensure that they are necessary and that the permissions granted to them are appropriate. Where possible, the ability to request temporary account tokens on behalf of other accounts should be disabled. Additionally, administrators can leverage audit tools to monitor actions that can be conducted as a result of OAuth 2.0 access. 
For instance, audit reports enable admins to identify privilege escalation actions such as role creations or policy modifications, which could be actions performed after initial access.</p> </td> </tr> <tr class="sub technique noparent enterprise" id="enterprise"> <td> Enterprise </td> <td> <a href="/versions/v15/techniques/T1204">T1204</a> </td> <td> <a href="/versions/v15/techniques/T1204/003">.003</a> </td> <td> <a href="/versions/v15/techniques/T1204">User Execution</a>: <a href="/versions/v15/techniques/T1204/003">Malicious Image</a> </td> <td> <p>Audit images deployed within the environment to ensure they do not contain any malicious components.</p> </td> </tr> </tbody> </table> </div> <h2 class="pt-3" id="references">References</h2> <div class="row"> <div class="col"> <ol> <li> <span id="scite-1" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-1" href="https://github.com/hfiref0x/UACME" target="_blank"> UACME Project. (2016, June 16). UACMe. Retrieved July 26, 2016. </a> </span> </span> </li> <li> <span id="scite-2" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-2" href="https://www.sentinelone.com/labs/bypassing-macos-tcc-user-privacy-protections-by-accident-and-design/" target="_blank"> Phil Stokes. (2021, July 1). Bypassing macOS TCC User Privacy Protections By Accident and Design. Retrieved March 21, 2024. </a> </span> </span> </li> <li> <span id="scite-3" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-3" href="https://aws.amazon.com/premiumsupport/knowledge-center/secure-s3-resources/" target="_blank"> Amazon. (2019, May 17). How can I secure the files in my Amazon S3 bucket?. Retrieved October 4, 2019. 
</a> </span> </span> </li> <li> <span id="scite-4" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-4" href="https://media.defense.gov/2022/Aug/29/2003066362/-1/-1/0/CTR_KUBERNETES_HARDENING_GUIDANCE_1.2_20220829.PDF" target="_blank"> National Security Agency, Cybersecurity and Infrastructure Security Agency. (2022, March). Kubernetes Hardening Guide. Retrieved April 1, 2022. </a> </span> </span> </li> <li> <span id="scite-5" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-5" href="https://github.com/BloodHoundAD/BloodHound" target="_blank"> Robbins, A., Vazarkar, R., and Schroeder, W. (2016, April 17). Bloodhound: Six Degrees of Domain Admin. Retrieved March 5, 2019. </a> </span> </span> </li> <li> <span id="scite-6" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-6" href="https://blogs.technet.microsoft.com/timmcmic/2015/06/08/exchange-and-office-365-mail-forwarding-2/" target="_blank"> McMichael, T.. (2015, June 8). Exchange and Office 365 Mail Forwarding. Retrieved October 8, 2019. </a> </span> </span> </li> <li> <span id="scite-7" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-7" href="https://learn.microsoft.com/en-us/exchange/security-and-compliance/mail-flow-rules/manage-mail-flow-rules" target="_blank"> Microsoft. (2023, February 22). Manage mail flow rules in Exchange Online. Retrieved March 13, 2023. </a> </span> </span> </li> <li> <span id="scite-8" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-8" href="https://docs.microsoft.com/en-us/powershell/module/exchange/get-inboxrule?view=exchange-ps" target="_blank"> Microsoft. (n.d.). Get-InboxRule. Retrieved June 10, 2021. 
</a> </span> </span> </li> <li> <span id="scite-9" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-9" href="https://blog.compass-security.com/2018/09/hidden-inbox-rules-in-microsoft-exchange/" target="_blank"> Damian Pfammatter. (2018, September 17). Hidden Inbox Rules in Microsoft Exchange. Retrieved October 12, 2021. </a> </span> </span> </li> <li> <span id="scite-10" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-10" href="https://www.troopers.de/troopers19/agenda/fpxwmn/" target="_blank"> Bierstock, D., Baker, A. (2019, March 21). I am AD FS and So Can You. Retrieved December 17, 2020. </a> </span> </span> </li> <li> <span id="scite-11" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-11" href="https://github.com/mattifestation/PowerSploit" target="_blank"> PowerSploit. (n.d.). Retrieved December 4, 2014. </a> </span> </span> </li> <li> <span id="scite-12" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-12" href="http://msdn.microsoft.com/en-us/library/ms682425" target="_blank"> Microsoft. (n.d.). CreateProcess function. Retrieved December 5, 2014. </a> </span> </span> </li> <li> <span id="scite-13" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-13" href="https://docs.microsoft.com/en-us/windows/win32/dlls/dynamic-link-library-security?redirectedfrom=MSDN" target="_blank"> Microsoft. (n.d.). Dynamic-Link Library Security. Retrieved July 25, 2016. </a> </span> </span> </li> <li> <span id="scite-14" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-14" href="https://skanthak.homepage.t-online.de/sentinel.html" target="_blank"> Kanthak, S.. (2016, July 20). Vulnerability and Exploit Detector. 
Retrieved February 3, 2017. </a> </span> </span> </li> <li> <span id="scite-15" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-15" href="https://docs.microsoft.com/windows-server/administration/windows-commands/sxstrace" target="_blank"> Gerend, J. et al.. (2017, October 16). sxstrace. Retrieved April 26, 2021. </a> </span> </span> </li> </ol> </div> <div class="col"> <ol start="16"> <li> <span id="scite-16" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-16" href="https://www.mandiant.com/resources/detecting-microsoft-365-azure-active-directory-backdoors" target="_blank"> Mike Burns. (2020, September 30). Detecting Microsoft 365 and Azure Active Directory Backdoors. Retrieved September 28, 2022. </a> </span> </span> </li> <li> <span id="scite-17" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-17" href="https://www.microsoft.com/security/blog/2022/08/24/magicweb-nobeliums-post-compromise-trick-to-authenticate-as-anyone/" target="_blank"> Microsoft Threat Intelligence Center, Microsoft Detection and Response Team, Microsoft 365 Defender Research Team. (2022, August 24). MagicWeb: NOBELIUM’s post-compromise trick to authenticate as anyone. Retrieved September 28, 2022. </a> </span> </span> </li> <li> <span id="scite-18" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-18" href="https://www.mandiant.com/resources/blog/cloud-bad-log-configurations" target="_blank"> Pany, D. & Hanley, C. (2023, May 3). Cloudy with a Chance of Bad Logs: Cloud Platform Log Configurations to Consider in Investigations. Retrieved October 16, 2023. 
</a> </span> </span> </li> <li> <span id="scite-19" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-19" href="https://tools.cisco.com/security/center/resources/integrity_assurance.html#30" target="_blank"> Cisco. (n.d.). Cisco IOS Software Integrity Assurance - Image File Integrity. Retrieved October 21, 2020. </a> </span> </span> </li> <li> <span id="scite-20" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-20" href="https://tools.cisco.com/security/center/resources/integrity_assurance.html#7" target="_blank"> Cisco. (n.d.). Cisco IOS Software Integrity Assurance - Cisco IOS Image File Verification. Retrieved October 19, 2020. </a> </span> </span> </li> <li> <span id="scite-21" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-21" href="https://tools.cisco.com/security/center/resources/integrity_assurance.html#31" target="_blank"> Cisco. (n.d.). Cisco IOS Software Integrity Assurance - Change Control. Retrieved October 21, 2020. </a> </span> </span> </li> <li> <span id="scite-22" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-22" href="https://www.secureworks.com/blog/where-you-at-indicators-of-lateral-movement-using-at-exe-on-windows-7-systems" target="_blank"> Carvey, H.. (2014, September). Where You AT?: Indicators of Lateral Movement Using at.exe on Windows 7 Systems. Retrieved November 27, 2019. </a> </span> </span> </li> <li> <span id="scite-23" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-23" href="https://kifarunix.com/scheduling-tasks-using-at-command-in-linux/" target="_blank"> Koromicha. (2019, September 7). Scheduling tasks using at command in Linux. Retrieved December 3, 2019. 
</a> </span> </span> </li> <li> <span id="scite-24" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-24" href="https://web.archive.org/web/20220818094600/https://specterops.io/assets/resources/Certified_Pre-Owned.pdf" target="_blank"> Schroeder, W. & Christensen, L. (2021, June 22). Certified Pre-Owned - Abusing Active Directory Certificate Services. Retrieved August 2, 2022. </a> </span> </span> </li> <li> <span id="scite-25" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-25" href="https://github.com/GhostPack/PSPKIAudit" target="_blank"> HarmJ0y et al. (2021, June 16). PSPKIAudit. Retrieved August 2, 2022. </a> </span> </span> </li> <li> <span id="scite-26" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-26" href="https://github.com/GhostPack/Certify/" target="_blank"> HarmJ0y et al. (2021, June 9). Certify. Retrieved August 4, 2022. </a> </span> </span> </li> <li> <span id="scite-27" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-27" href="https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-2000-server/cc961961(v=technet.10)?redirectedfrom=MSDN" target="_blank"> Microsoft. (2012, July 18). Preauthentication. Retrieved August 24, 2020. </a> </span> </span> </li> <li> <span id="scite-28" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-28" href="https://blog.stealthbits.com/cracking-active-directory-passwords-with-as-rep-roasting/" target="_blank"> Jeff Warren. (2019, June 27). Cracking Active Directory Passwords with AS-REP Roasting. Retrieved August 24, 2020. 
</a> </span> </span> </li> <li> <span id="scite-29" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-29" href="https://adsecurity.org/?p=2288" target="_blank"> Sean Metcalf. (2015, December 28). Finding Passwords in SYSVOL & Exploiting Group Policy Preferences. Retrieved February 17, 2020. </a> </span> </span> </li> </ol> </div> </div> </div> </div> </div> </div> </div> </div> <!--stop-indexing-for-search--> <!-- search overlay for entire page -- not displayed inline --> <div class="overlay search" id="search-overlay" style="display: none;"> <div class="overlay-inner"> <!-- text input for searching --> <div class="search-header"> <div class="search-input"> <input type="text" id="search-input" placeholder="search"> </div> <div class="search-icons"> <div class="search-parsing-icon spinner-border" style="display: none" id="search-parsing-icon"></div> <div class="close-search-icon" id="close-search-icon">&times;</div> </div> </div> <!-- results and controls for loading more results --> <div id="search-body" class="search-body"> <div class="results" id="search-results"> <!-- content will be appended here on search --> </div> <div id="load-more-results" class="load-more-results"> <button class="btn btn-default" id="load-more-results-button">load more results</button> </div> </div> </div> </div> </div> <div class="row flex-grow-0 flex-shrink-1"> <!-- footer elements --> <footer class="col footer"> <div class="container-fluid"> <div class="row row-footer"> <div class="col-2 col-sm-2 col-md-2"> <div class="footer-center-responsive my-auto"> <a href="https://www.mitre.org" target="_blank" rel="noopener" aria-label="MITRE"> <img src="/versions/v15/theme/images/mitrelogowhiteontrans.gif" class="mitre-logo-wtrans"> </a> </div> </div> <div class="col-2 col-sm-2 footer-responsive-break"></div> <div class="footer-link-group"> <div class="row row-footer"> <div class="px-3 col-footer"> <u class="footer-link"><a 
