M1021 Restrict Web-Based Content
Restricting web-based content involves enforcing policies and technologies that limit access to potentially malicious websites, unsafe downloads, and unauthorized browser behaviors. This can include URL filtering, download restrictions, script blocking, and extension control to protect against exploitation, phishing, and malware delivery. This mitigation can be implemented through the following measures:
Deploy Web Proxy Filtering:
- Use solutions to filter web traffic based on categories, reputation, and content types.
- Enforce policies that block unsafe websites or file types at the gateway level.
Enable DNS-Based Filtering:
- Implement tools to restrict access to domains associated with malware or phishing campaigns.
- Use public DNS filtering services to enhance protection.
Enforce Content Security Policies (CSP):
- Configure CSP headers on internal and external web applications to restrict script execution, iframe embedding, and cross-origin requests.
Control Browser Features:
- Disable browser features that are not needed for business use, such as automatic downloads, developer tools, and the execution of unapproved scripts or extensions.
- Enforce browser settings centrally through tools such as Group Policy so that users cannot revert them.
Monitor and Alert on Web-Based Threats:
- Use SIEM tools to collect and analyze web proxy logs for signs of anomalous or malicious activity.
- Configure alerts for access attempts to blocked domains or repeated file download failures.
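As an added example that is not part of the ATT&CK page, the following Python script applies the last two measures above to constructed Squid-style proxy log lines: it counts gateway denials per client and flags clients that repeatedly fail to fetch risky file types. The log layout, the extension list, the thresholds and the sample lines are all assumptions to tune to the environment.

```python
"""Alert on blocked-domain access attempts and repeated download failures.

Added example: the Squid-style log layout, the risky-extension list and the
thresholds are assumptions, not a format or policy from the ATT&CK page.
"""
import os
import re
from collections import Counter, defaultdict
from urllib.parse import urlsplit

# File types the mitigation page names as common delivery vectors (assumed list).
RISKY_EXTENSIONS = {".exe", ".scr", ".pif", ".cpl", ".chm", ".hta", ".zip", ".rar"}

# Squid native access.log: time elapsed client result/status bytes method url user hier/peer mime
LINE_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<elapsed>\d+)\s+(?P<client>\S+)\s+"
    r"(?P<result>[A-Z_]+)/(?P<status>\d{3})\s+(?P<bytes>\d+)\s+(?P<method>[A-Z]+)\s+"
    r"(?P<url>\S+)\s+(?P<user>\S+)\s+(?P<hier>\S+)\s+(?P<mime>\S+)$"
)

# Constructed sample lines (not real traffic): 10.0.0.5 hits blocked domains
# three times, and both clients fail to fetch risky file types twice.
SAMPLE_LOG = "\n".join([
    "1719000000.101    45 10.0.0.5 TCP_DENIED/403 3921 GET http://bad.example/update.exe - HIER_NONE/- text/html",
    "1719000001.202    12 10.0.0.5 TCP_DENIED/403 3921 GET http://bad.example/payload.zip - HIER_NONE/- text/html",
    "1719000002.303    80 10.0.0.5 TCP_MISS/200 51234 GET http://intranet.example/index.html - HIER_DIRECT/203.0.113.7 text/html",
    "1719000003.404    10 10.0.0.5 TCP_DENIED/403 3921 GET http://c2.example/beacon - HIER_NONE/- text/html",
    "1719000004.505     9 10.0.0.9 TCP_DENIED/403 3921 GET http://ads.example/track.js - HIER_NONE/- text/html",
    "1719000005.606    70 10.0.0.9 TCP_MISS/403 812 GET http://files.example/tool.exe - HIER_DIRECT/203.0.113.9 text/html",
    "1719000006.707    66 10.0.0.9 TCP_MISS/200 81920 GET http://files.example/notes.pdf - HIER_DIRECT/203.0.113.9 application/pdf",
    "1719000007.808    66 10.0.0.9 TCP_MISS/404 812 GET http://files.example/tool2.scr - HIER_DIRECT/203.0.113.9 text/html",
])


def parse_line(line):
    """Parse one access.log line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    if "://" in rec["url"]:
        parts = urlsplit(rec["url"])
        rec["host"] = parts.hostname or ""
        rec["ext"] = os.path.splitext(parts.path)[1].lower()
    else:                                   # CONNECT lines carry host:port, no path
        rec["host"] = rec["url"].rsplit(":", 1)[0]
        rec["ext"] = ""
    return rec


def analyze(log_text, denied_threshold=3, download_threshold=2):
    """Return alert dicts for clients that exceed either threshold."""
    denied = defaultdict(Counter)   # client -> Counter of hosts the gateway denied
    failed = defaultdict(list)      # client -> URLs of risky files that were not served 2xx
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["result"] == "TCP_DENIED":
            denied[rec["client"]][rec["host"]] += 1
        if rec["ext"] in RISKY_EXTENSIONS and not 200 <= rec["status"] < 300:
            failed[rec["client"]].append(rec["url"])
    alerts = []
    for client, hosts in denied.items():
        total = sum(hosts.values())
        if total >= denied_threshold:
            alerts.append({"rule": "blocked_domain_attempts", "client": client,
                           "count": total, "hosts": sorted(hosts)})
    for client, urls in failed.items():
        if len(urls) >= download_threshold:
            alerts.append({"rule": "repeated_download_failures", "client": client,
                           "count": len(urls), "urls": urls})
    return alerts


if __name__ == "__main__":
    for alert in analyze(SAMPLE_LOG):
        print(alert)
```

A denied request for a risky file type counts toward both rules on purpose: a client that is both hitting blocked domains and trying to pull executables is exactly the host an analyst should look at first. In production the same logic would run over the proxy logs forwarded to the SIEM rather than over an embedded string.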
| Item | Value |
|---|---|
| ID | M1021 |
| Version | 1.1 |
| Created | 06 June 2019 |
| Last Modified | 24 December 2024 |
Techniques Addressed by Mitigation
| Domain | ID | Name | Use |
|---|---|---|---|
| enterprise | T1059 | Command and Scripting Interpreter | Script blocking extensions can help prevent the execution of scripts and HTA files that may commonly be used during the exploitation process. For malicious code served up through ads, adblockers can help prevent that code from executing in the first place. |
| enterprise | T1059.005 | Visual Basic | Script blocking extensions can help prevent the execution of scripts and HTA files that may commonly be used during the exploitation process. For malicious code served up through ads, adblockers can help prevent that code from executing in the first place. |
| enterprise | T1059.007 | JavaScript | Script blocking extensions can help prevent the execution of JavaScript and HTA files that may commonly be used during the exploitation process. For malicious code served up through ads, adblockers can help prevent that code from executing in the first place. |
| enterprise | T1659 | Content Injection | Consider blocking download/transfer and execution of potentially uncommon file types known to be used in adversary campaigns. |
| enterprise | T1555 | Credentials from Password Stores | - |
| enterprise | T1555.003 | Credentials from Web Browsers | Restrict or block web-based content that could be used to extract session cookies or credentials stored in browsers. Use browser security settings, such as disabling third-party cookies and restricting browser extensions, to limit the attack surface. |
| enterprise | T1189 | Drive-by Compromise | Adblockers can help prevent malicious code served through ads from executing in the first place. Script blocking extensions can also help to prevent the execution of JavaScript. |
| enterprise | T1568 | Dynamic Resolution | In some cases a local DNS sinkhole may be used to help prevent behaviors associated with dynamic resolution. |
| enterprise | T1568.002 | Domain Generation Algorithms | In some cases a local DNS sinkhole may be used to help prevent DGA-based command and control at a reduced cost. |
| enterprise | T1567 | Exfiltration Over Web Service | Web proxies can be used to enforce an external network communication policy that prevents use of unauthorized external services. |
| enterprise | T1567.001 | Exfiltration to Code Repository | Web proxies can be used to enforce an external network communication policy that prevents use of unauthorized external services. |
| enterprise | T1567.002 | Exfiltration to Cloud Storage | Web proxies can be used to enforce an external network communication policy that prevents use of unauthorized external services. |
| enterprise | T1567.003 | Exfiltration to Text Storage Sites | Web proxies can be used to enforce an external network communication policy that prevents use of unauthorized external services. |
| enterprise | T1133 | External Remote Services | Restrict all traffic to and from public Tor nodes. [1] |
| enterprise | T1566 | Phishing | Determine if certain websites or attachment types (ex: .scr, .exe, .pif, .cpl, etc.) that can be used for phishing are necessary for business operations and consider blocking access if activity cannot be monitored well or if it poses a significant risk. |
| enterprise | T1566.001 | Spearphishing Attachment | Block unknown or unused attachments by default that should not be transmitted over email as a best practice to prevent some vectors, such as .scr, .exe, .pif, .cpl, etc. Some email scanning devices can open and analyze compressed and encrypted formats, such as zip and rar that may be used to conceal malicious attachments. |
| enterprise | T1566.002 | Spearphishing Link | Determine if certain websites that can be used for spearphishing are necessary for business operations and consider blocking access if activity cannot be monitored well or if it poses a significant risk. |
| enterprise | T1566.003 | Spearphishing via Service | Determine if certain social media sites, personal webmail services, or other service that can be used for spearphishing is necessary for business operations and consider blocking access if activity cannot be monitored well or if it poses a significant risk. |
| enterprise | T1528 | Steal Application Access Token | Administrators can block end-user consent to OAuth applications, disabling users from authorizing third-party apps through OAuth 2.0 and forcing administrative consent for all requests. They can also block end-user registration of applications by their users, to reduce risk. A Cloud Access Security Broker can also be used to ban applications. |
| enterprise | T1539 | Steal Web Session Cookie | Restrict or block web-based content that could be used to extract session cookies or credentials stored in browsers. Use browser security settings, such as disabling third-party cookies and restricting browser extensions, to limit the attack surface. |
| enterprise | T1218 | System Binary Proxy Execution | Restrict use of certain websites, block downloads/attachments, block JavaScript, restrict browser extensions, etc. |
| enterprise | T1218.001 | Compiled HTML File | Consider blocking download/transfer and execution of potentially uncommon file types known to be used in adversary campaigns, such as CHM files |
| enterprise | T1127 | Trusted Developer Utilities Proxy Execution | Consider disabling software installation or execution from the internet via developer utilities. |
| enterprise | T1127.002 | ClickOnce | Disable ClickOnce installations from the internet by setting the Internet value under the registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\Security\TrustManager\PromptingLevel to Disabled. [6] |
| enterprise | T1550 | Use Alternate Authentication Material | - |
| enterprise | T1550.001 | Application Access Token | Update corporate policies to restrict what types of third-party applications may be added to any online service or tool that is linked to the company's information, accounts or network (e.g., Google, Microsoft, Dropbox, Basecamp, GitHub). Rather than providing high-level guidance on this, be extremely specific: maintain a list of pre-approved applications and deny all others not on the list. Administrators may also block end-user consent through administrative portals, such as the Azure Portal, disabling users from authorizing third-party apps through OAuth and forcing administrative consent. [5] |
| enterprise | T1204 | User Execution | When a user follows a link, block by default the download of unknown or unneeded file types that should not be transmitted, such as .scr, .exe, .pif, .cpl, etc., and block downloads from suspicious sites by policy. Some download scanning devices can open and analyze compressed and encrypted formats, such as zip and rar, that may be used to conceal malicious files. |
| enterprise | T1204.001 | Malicious Link | When a user follows a link, block by default the download of unknown or unneeded file types that should not be transmitted, such as .scr, .exe, .pif, .cpl, etc., and block downloads from suspicious sites by policy. Some download scanning devices can open and analyze compressed and encrypted formats, such as zip and rar, that may be used to conceal malicious files. |
| enterprise | T1204.004 | Malicious Copy and Paste | When a user requests a link, block by default the download of unknown or unneeded file types that should not be transmitted, such as .scr, .exe, .pif, .cpl, etc., and block downloads from suspicious sites by policy. |
| enterprise | T1102 | Web Service | Web proxies can be used to enforce external network communication policy that prevents use of unauthorized external services. |
| enterprise | T1102.001 | Dead Drop Resolver | Web proxies can be used to enforce external network communication policy that prevents use of unauthorized external services. |
| enterprise | T1102.002 | Bidirectional Communication | Web proxies can be used to enforce external network communication policy that prevents use of unauthorized external services. |
| enterprise | T1102.003 | One-Way Communication | Web proxies can be used to enforce external network communication policy that prevents use of unauthorized external services. |
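The attachment and download rows above (Spearphishing Attachment, User Execution, Compiled HTML File) describe blocking risky file types and opening archives that may conceal them. The following Python is an added example of that check, not code from ATT&CK or from any scanning product: it decides allow or block from the final extension (so "invoice.pdf.exe" is treated as .exe), inspects zip members recursively, and blocks what it cannot inspect, namely encrypted entries, unparseable archives and excessive nesting. The blocklist, the nesting limit and the sample files are constructed assumptions; the "encrypted" sample only sets the flag bit a scanner would see, because the standard library cannot write password-protected zips.

```python
"""Block risky download/attachment types, looking inside zip archives.

Added example: the blocklist, nesting limit and sample files are constructed
assumptions, not a policy from the ATT&CK page or any product.
"""
import io
import zipfile
from pathlib import PurePosixPath

# Extensions the page cites as phishing/drive-by vectors plus a few script and
# container types commonly bundled with them (assumed blocklist).
BLOCKED_EXTENSIONS = {".exe", ".scr", ".pif", ".cpl", ".chm", ".hta",
                      ".js", ".jse", ".vbs", ".vbe", ".wsf", ".lnk", ".msi"}
ARCHIVE_EXTENSIONS = {".zip"}   # formats this example knows how to open
MAX_DEPTH = 2                   # archives nested deeper than this are blocked unseen


def final_suffix(name):
    """Decide on the last extension so 'invoice.pdf.exe' is treated as .exe."""
    return PurePosixPath(name.strip().lower()).suffix


def inspect(name, data, depth=0):
    """Return ('allow' | 'block', findings); each finding names the offending
    member as outer.zip/inner.zip/file so an analyst sees where it was hidden."""
    suffix = final_suffix(name)
    if suffix in BLOCKED_EXTENSIONS:
        return "block", [f"{name}: blocked type {suffix}"]
    if suffix not in ARCHIVE_EXTENSIONS:
        return "allow", []
    if depth >= MAX_DEPTH:
        return "block", [f"{name}: nested deeper than {MAX_DEPTH} levels, not inspected"]
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return "block", [f"{name}: not a parseable zip, cannot inspect"]
    findings = []
    with zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            member = f"{name}/{info.filename}"
            inner = final_suffix(info.filename)
            if inner in BLOCKED_EXTENSIONS:          # name is visible even when encrypted
                findings.append(f"{member}: blocked type {inner}")
            elif info.flag_bits & 0x1:               # encrypted entry: content unreadable
                findings.append(f"{member}: encrypted, cannot inspect")
            elif inner in ARCHIVE_EXTENSIONS:        # nested archive: recurse
                findings.extend(inspect(member, zf.read(info), depth + 1)[1])
    return ("block" if findings else "allow"), findings


def scan(files):
    """Classify a {name: bytes} mapping, e.g. the attachments of one message."""
    return {name: inspect(name, data) for name, data in files.items()}


# --- constructed sample data (not real files) --------------------------------
def _zip_bytes(members):
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for member_name, content in members.items():
            zf.writestr(member_name, content)
    return buf.getvalue()


def _mark_encrypted(zip_bytes):
    """zipfile cannot write password-protected archives, so set the 'encrypted'
    flag bit in the central directory of a single-member zip to imitate one."""
    data = bytearray(zip_bytes)
    cd = data.rfind(b"PK\x01\x02")   # central directory header; flag bits at +8
    data[cd + 8] |= 0x01
    return bytes(data)


SAMPLES = {
    "quarterly_report.pdf": b"%PDF-1.7 constructed",
    "invoice.pdf.exe": b"MZ constructed",
    "photos.zip": _zip_bytes({"cat.jpg": b"\xff\xd8\xff constructed"}),
    "docs.zip": _zip_bytes({"readme.txt": b"hello",
                            "inner.zip": _zip_bytes({"dropper.scr": b"MZ constructed"})}),
    "secret.zip": _mark_encrypted(_zip_bytes({"payload.dat": b"opaque"})),
    "broken.zip": b"not really a zip",
}

if __name__ == "__main__":
    for filename, (decision, why) in scan(SAMPLES).items():
        print(f"{decision:5} {filename}  {'; '.join(why)}")
```

The policy choice worth noting is that anything the scanner cannot see (an encrypted member, a corrupt archive, a zip nested past the depth limit) is blocked rather than waved through; a gateway that allows on inspection failure is trivially bypassed by a password-protected zip, which is exactly the technique the rows above warn about.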
References
1. CISA, FBI. (2020, July 1). Defending Against Malicious Cyber Activity Originating from Tor. Retrieved June 20, 2025.
2. Dan Virgillito. (2022, January 27). Malicious push notifications: Is that a real or fake Windows Defender update? Retrieved March 14, 2025.
3. David Balaban. (2022, October 7). Remove Guroshied virus popup from Mac. Retrieved March 14, 2025.
4. Frank Angiolelli, Indelible LLC, Malwarebytes, McAfee, Norton, Pieter Arntz, PushWelcome. (2020, November 17). Be Very Sparing in Allowing Site Notifications. Retrieved March 14, 2025.
5. Baldwin, M., Flores, J., Kess, B. (2018, June 17). Five steps to securing your identity infrastructure. Retrieved October 4, 2019.
6. Ryan Gandrud. (2015, March 23). All You Need Is One – A ClickOnce Love Story. Retrieved September 9, 2024.