M0948 Application Isolation and Sandboxing
Restrict the execution of code to a virtual environment on or in-transit to an endpoint system.
Techniques Addressed by Mitigation

| Domain | ID | Name | Use |
|---|---|---|---|
| ICS | T0817 | Drive-by Compromise | Built-in browser sandboxes and application isolation may be used to contain web-based malware. |
| ICS | T0819 | Exploit Public-Facing Application | Application isolation limits the other processes and system features an exploited target can reach. Examples of built-in features are software restriction policies and AppLocker on Windows, and SELinux or AppArmor on Linux. Note that software restriction policies and AppLocker control which code is allowed to execute, whereas SELinux and AppArmor confine what an already-running process may access; the two are complementary. |
| ICS | T0820 | Exploitation for Evasion | Use sandboxing to make it difficult for adversaries to advance their operation by exploiting undiscovered or unpatched vulnerabilities. Other types of virtualization and application microsegmentation may also reduce the impact of some types of exploitation. The sandbox or hypervisor can itself contain exploitable weaknesses (sandbox escapes), so this reduces rather than removes the risk. |
| ICS | T0890 | Exploitation for Privilege Escalation | Use sandboxing to make it difficult for adversaries to advance their operation by exploiting undiscovered or unpatched vulnerabilities. Other types of virtualization and application microsegmentation may also reduce the impact of some types of exploitation. The sandbox or hypervisor can itself contain exploitable weaknesses (sandbox escapes), so this reduces rather than removes the risk. |
| ICS | T0866 | Exploitation of Remote Services | Use sandboxing to make it difficult for adversaries to advance their operation by exploiting undiscovered or unpatched vulnerabilities. Other types of virtualization and application microsegmentation may also reduce the impact of some types of exploitation. The sandbox or hypervisor can itself contain exploitable weaknesses (sandbox escapes), so this reduces rather than removes the risk. |
| ICS | T0853 | Scripting | Consider using application isolation and sandboxing to restrict specific operating system interactions, such as access through user accounts, services, system calls, the registry, and the network. This is especially useful when the source of the executed script is unknown. |
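The following script is an added illustration of the T0853 and T0819 guidance above; it is not from the ATT&CK page or from the AppArmor project. It writes an AppArmor profile that confines a script interpreter so an unknown script cannot reach the network, gain capabilities, debug other processes, start any other program, or write outside one scratch directory, and then shows how to load the profile and run a script under it. The profile name `untrusted-script`, the scratch directory `/srv/untrusted`, and the choice of `python3` as the interpreter are assumptions chosen for the example; the rule syntax and the `apparmor_parser` and `aa-exec` tools are standard AppArmor userspace.

```shell
#!/bin/sh
# Added example (not MITRE's or AppArmor's own code): confine a script
# interpreter with an AppArmor profile so an untrusted script is isolated
# from the rest of the host.
# Assumptions: AppArmor userspace is installed (apparmor_parser, aa-exec);
# PROFILE_NAME, SCRATCH and the python3 interpreter path are illustrative.

PROFILE_NAME=untrusted-script
SCRATCH=/srv/untrusted

# Emit the profile text to stdout.  $1 = directory the script may read and
# write; everything not listed is denied by AppArmor's default-deny model.
gen_profile() {
    scratch=${1:-$SCRATCH}
    cat <<EOF
# Sandbox profile for running untrusted scripts.
# Enter it with:  aa-exec -p $PROFILE_NAME -- /usr/bin/python3 script.py
#include <tunables/global>

profile $PROFILE_NAME flags=(attach_disconnected) {
  #include <abstractions/base>

  # interpreter and its standard library: read/execute only
  /usr/bin/python3* ix,
  /usr/lib/python3*/** r,
  /usr/lib/python3*/**.so mr,
  /usr/local/lib/python3*/** r,

  # the only writable location; scripts are also read from here
  owner $scratch/ rw,
  owner $scratch/** rw,

  # no sockets, no capabilities, no ptrace of other processes
  deny network,
  deny capability,
  deny ptrace,

  # nothing else carries an exec permission, so os.system("curl ...") and
  # subprocess calls fail with EACCES; explicit denials cover the places an
  # attacker reaches for first even if an abstraction would allow them
  deny /home/** rwklx,
  deny /root/** rwklx,
  deny /etc/shadow r,
  deny @{PROC}/** w,
  deny /sys/** w,
}
EOF
}

# Write the profile to $1 (default: the system profile directory) for the
# scratch directory $2.  When AppArmor is active on this host, compile the
# profile without loading it (-Q) as a syntax check.  Prints the path.
install_profile() {
    out=${1:-/etc/apparmor.d/$PROFILE_NAME}
    gen_profile "$2" > "$out" || return 1
    if command -v apparmor_parser >/dev/null 2>&1 &&
       [ -d /sys/kernel/security/apparmor ]; then
        apparmor_parser -Q -K "$out" || return 1
    fi
    printf '%s\n' "$out"
}

# Load (or reload) the profile in enforce mode and run one script under it.
# $1 = script path inside the scratch directory; remaining args go to it.
run_sandboxed() {
    script=$1; shift
    apparmor_parser -r "/etc/apparmor.d/$PROFILE_NAME" || return 1
    aa-exec -p "$PROFILE_NAME" -- /usr/bin/python3 "$script" "$@"
}

# Usage (as root):
#   install_profile && run_sandboxed /srv/untrusted/unknown.py
```

Before enforcing, run the profile with `flags=(complain)` (or `aa-complain untrusted-script`) against a known-good script and read the `apparmor="ALLOWED"` audit records; stdlib modules that need files outside the listed paths will show up there and can be granted explicitly rather than by loosening the rules. The same policy shape translates to the Windows side of the table as an AppLocker rule set that allows only the approved interpreter path, with scripts restricted to a known directory.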