Skip to content

M1021 Restrict Web-Based Content

Restrict use of certain websites, block downloads/attachments, block Javascript, restrict browser extensions, etc.

Item Value
ID M1021
Version 1.0
Created 06 June 2019
Last Modified 06 June 2019
Navigation Layer View In ATT&CK® Navigator

Techniques Addressed by Mitigation

Domain ID Name Use
enterprise T1059 Command and Scripting Interpreter Script blocking extensions can help prevent the execution of scripts and HTA files that may commonly be used during the exploitation process. For malicious code served up through ads, adblockers can help prevent that code from executing in the first place.
enterprise T1059.005 Visual Basic Script blocking extensions can help prevent the execution of scripts and HTA files that may commonly be used during the exploitation process. For malicious code served up through ads, adblockers can help prevent that code from executing in the first place.
enterprise T1059.007 JavaScript Script blocking extensions can help prevent the execution of JavaScript and HTA files that may commonly be used during the exploitation process. For malicious code served up through ads, adblockers can help prevent that code from executing in the first place.
enterprise T1189 Drive-by Compromise For malicious code served up through ads, adblockers can help prevent that code from executing in the first place.
enterprise T1568 Dynamic Resolution In some cases a local DNS sinkhole may be used to help prevent behaviors associated with dynamic resolution.
enterprise T1568.002 Domain Generation Algorithms In some cases a local DNS sinkhole may be used to help prevent DGA-based command and control at a reduced cost.
enterprise T1567 Exfiltration Over Web Service Web proxies can be used to enforce an external network communication policy that prevents use of unauthorized external services.
enterprise T1567.001 Exfiltration to Code Repository Web proxies can be used to enforce an external network communication policy that prevents use of unauthorized external services.
enterprise T1567.002 Exfiltration to Cloud Storage Web proxies can be used to enforce an external network communication policy that prevents use of unauthorized external services.
enterprise T1567.003 Exfiltration to Text Storage Sites Web proxies can be used to enforce an external network communication policy that prevents use of unauthorized external services.
enterprise T1566 Phishing Determine if certain websites or attachment types (ex: .scr, .exe, .pif, .cpl, etc.) that can be used for phishing are necessary for business operations and consider blocking access if activity cannot be monitored well or if it poses a significant risk.
enterprise T1566.001 Spearphishing Attachment Block unknown or unused attachments by default that should not be transmitted over email as a best practice to prevent some vectors, such as .scr, .exe, .pif, .cpl, etc. Some email scanning devices can open and analyze compressed and encrypted formats, such as zip and rar that may be used to conceal malicious attachments.
enterprise T1566.002 Spearphishing Link Determine if certain websites that can be used for spearphishing are necessary for business operations and consider blocking access if activity cannot be monitored well or if it poses a significant risk.
enterprise T1566.003 Spearphishing via Service Determine if certain social media sites, personal webmail services, or other service that can be used for spearphishing is necessary for business operations and consider blocking access if activity cannot be monitored well or if it poses a significant risk.
enterprise T1528 Steal Application Access Token Administrators can block end-user consent to OAuth applications, disabling users from authorizing third-party apps through OAuth 2.0 and forcing administrative consent for all requests. They can also block end-user registration of applications by their users, to reduce risk. A Cloud Access Security Broker can also be used to ban applications.
enterprise T1218 System Binary Proxy Execution -
enterprise T1218.001 Compiled HTML File Consider blocking download/transfer and execution of potentially uncommon file types known to be used in adversary campaigns, such as CHM files
enterprise T1550 Use Alternate Authentication Material -
enterprise T1550.001 Application Access Token Update corporate policies to restrict what types of third-party applications may be added to any online service or tool that is linked to the company’s information, accounts or network (e.g., Google, Microsoft, Dropbox, Basecamp, GitHub). However, rather than providing high-level guidance on this, be extremely specific—include a list of per-approved applications and deny all others not on the list. Administrators may also block end-user consent through administrative portals, such as the Azure Portal, disabling users from authorizing third-party apps through OAuth and forcing administrative consent.1
enterprise T1204 User Execution If a link is being visited by a user, block unknown or unused files in transit by default that should not be downloaded or by policy from suspicious sites as a best practice to prevent some vectors, such as .scr, .exe, .pif, .cpl, etc. Some download scanning devices can open and analyze compressed and encrypted formats, such as zip and rar that may be used to conceal malicious files.
enterprise T1204.001 Malicious Link If a link is being visited by a user, block unknown or unused files in transit by default that should not be downloaded or by policy from suspicious sites as a best practice to prevent some vectors, such as .scr, .exe, .pif, .cpl, etc. Some download scanning devices can open and analyze compressed and encrypted formats, such as zip and rar that may be used to conceal malicious files.
enterprise T1102 Web Service Web proxies can be used to enforce external network communication policy that prevents use of unauthorized external services.
enterprise T1102.001 Dead Drop Resolver Web proxies can be used to enforce external network communication policy that prevents use of unauthorized external services.
enterprise T1102.002 Bidirectional Communication Web proxies can be used to enforce external network communication policy that prevents use of unauthorized external services.
enterprise T1102.003 One-Way Communication Web proxies can be used to enforce external network communication policy that prevents use of unauthorized external services.

References