Skip to content

M1042 Disable or Remove Feature or Program

Remove or deny access to unnecessary and potentially vulnerable software to prevent abuse by adversaries.

Item Value
ID M1042
Version 1.1
Created 11 June 2019
Last Modified 31 March 2020
Navigation Layer View In ATT&CK® Navigator

Techniques Addressed by Mitigation

Domain ID Name Use
enterprise T1098 Account Manipulation -
enterprise T1098.002 Additional Email Delegate Permissions If email delegation is not required, disable it. In Google Workspace this can be accomplished through the Google Admin console.11
enterprise T1098.004 SSH Authorized Keys Disable SSH if it is not necessary on a host or restrict SSH access for specific users/groups using /etc/ssh/sshd_config.
enterprise T1595 Active Scanning -
enterprise T1595.003 Wordlist Scanning Remove or disable access to any systems, resources, and infrastructure that are not explicitly required to be available externally.
enterprise T1557 Adversary-in-the-Middle Disable legacy network protocols that may be used to intercept network traffic if applicable, especially those that are not needed within an environment.
enterprise T1557.001 LLMNR/NBT-NS Poisoning and SMB Relay Disable LLMNR and NetBIOS in local computer security settings or by group policy if they are not needed within an environment. 8
enterprise T1557.002 ARP Cache Poisoning Consider disabling updating the ARP cache on gratuitous ARP replies.
enterprise T1547 Boot or Logon Autostart Execution -
enterprise T1547.007 Re-opened Applications This feature can be disabled entirely with the following terminal command: defaults write -g ApplePersistence -bool no.
enterprise T1059 Command and Scripting Interpreter Disable or remove any unnecessary or unused shells or interpreters.
enterprise T1059.001 PowerShell It may be possible to remove PowerShell from systems when not needed, but a review should be performed to assess the impact to an environment, since it could be in use for many legitimate purposes and administrative functions.
enterprise T1059.005 Visual Basic Turn off or restrict access to unneeded VB components.
enterprise T1059.007 JavaScript Turn off or restrict access to unneeded scripting components.
enterprise T1092 Communication Through Removable Media Disable Autoruns if it is unnecessary.14
enterprise T1609 Container Administration Command Remove unnecessary tools and software from containers.
enterprise T1555 Credentials from Password Stores -
enterprise T1555.004 Windows Credential Manager Consider enabling the “Network access: Do not allow storage of passwords and credentials for network authentication” setting that will prevent network credentials from being stored by the Credential Manager.17
enterprise T1114 Email Collection -
enterprise T1114.003 Email Forwarding Rule Consider disabling external email forwarding.18
enterprise T1611 Escape to Host Remove unnecessary tools and software from containers.
enterprise T1546 Event Triggered Execution -
enterprise T1546.002 Screensaver Use Group Policy to disable screensavers if they are unnecessary.5
enterprise T1546.014 Emond Consider disabling emond by removing the Launch Daemon plist file.
enterprise T1011 Exfiltration Over Other Network Medium -
enterprise T1011.001 Exfiltration Over Bluetooth Disable Bluetooth in local computer security settings or by group policy if it is not needed within an environment.
enterprise T1052 Exfiltration Over Physical Medium Disable Autorun if it is unnecessary. 14 Disallow or restrict removable media at an organizational policy level if they are not required for business operations. 15
enterprise T1052.001 Exfiltration over USB Disable Autorun if it is unnecessary. 14 Disallow or restrict removable media at an organizational policy level if they are not required for business operations. 15
enterprise T1210 Exploitation of Remote Services Minimize available services to only those that are necessary.
enterprise T1133 External Remote Services Disable or block remotely available services that may be unnecessary.
enterprise T1564 Hide Artifacts -
enterprise T1564.006 Run Virtual Instance Disable Hyper-V if not necessary within a given environment.
enterprise T1564.007 VBA Stomping Turn off or restrict access to unneeded VB components.19
enterprise T1562 Impair Defenses -
enterprise T1562.010 Downgrade Attack Consider removing previous versions of tools that are unnecessary to the environment when possible.
enterprise T1559 Inter-Process Communication Registry keys specific to Microsoft Office feature control security can be set to disable automatic DDE/OLE execution. 123 Microsoft also created, and enabled by default, Registry keys to completely disable DDE execution in Word and Excel.4
enterprise T1559.002 Dynamic Data Exchange Registry keys specific to Microsoft Office feature control security can be set to disable automatic DDE/OLE execution. 123 Microsoft also created, and enabled by default, Registry keys to completely disable DDE execution in Word and Excel.4
enterprise T1046 Network Service Discovery Ensure that unnecessary ports and services are closed to prevent risk of discovery and potential exploitation.
enterprise T1137 Office Application Startup Follow Office macro security best practices suitable for your environment. Disable Office VBA macros from executing.
enterprise T1137.001 Office Template Macros Follow Office macro security best practices suitable for your environment. Disable Office VBA macros from executing.
enterprise T1563 Remote Service Session Hijacking Disable the remote service (ex: SSH, RDP, etc.) if it is unnecessary.
enterprise T1563.001 SSH Hijacking Ensure that agent forwarding is disabled on systems that do not explicitly require this feature to prevent misuse. 12
enterprise T1563.002 RDP Hijacking Disable the RDP service if it is unnecessary.
enterprise T1021 Remote Services -
enterprise T1021.001 Remote Desktop Protocol Disable the RDP service if it is unnecessary.
enterprise T1021.003 Distributed Component Object Model Consider disabling DCOM through Dcomcnfg.exe.22
enterprise T1021.004 SSH Disable the SSH daemon on systems that do not require it. For macOS ensure Remote Login is disabled under Sharing Preferences.6
enterprise T1021.005 VNC Uninstall any VNC server software where not required.
enterprise T1021.006 Windows Remote Management Disable the WinRM service.
enterprise T1091 Replication Through Removable Media Disable Autorun if it is unnecessary. 14 Disallow or restrict removable media at an organizational policy level if it is not required for business operations. 15
enterprise T1505 Server Software Component Consider disabling software components from servers when possible to prevent abuse by adversaries.16
enterprise T1505.003 Web Shell Consider disabling functions from web technologies such as PHP’s eval() that may be abused for web shells.16
enterprise T1649 Steal or Forge Authentication Certificates Consider disabling old/dangerous authentication protocols (e.g. NTLM), as well as unnecessary certificate features, such as potentially vulnerable AD CS web and other enrollment server roles.20
enterprise T1553 Subvert Trust Controls -
enterprise T1553.005 Mark-of-the-Web Bypass Consider disabling auto-mounting of disk image files (i.e., .iso, .img, .vhd, and .vhdx). This can be achieved by modifying the Registry values related to the Windows Explorer file associations in order to disable the automatic Explorer “Mount and Burn” dialog for these file extensions. Note: this will not deactivate the mount functionality itself.7
enterprise T1218 System Binary Proxy Execution Many native binaries may not be necessary within a given environment.
enterprise T1218.003 CMSTP CMSTP.exe may not be necessary within a given environment (unless using it for VPN connection installation).
enterprise T1218.004 InstallUtil InstallUtil may not be necessary within a given environment.
enterprise T1218.005 Mshta Mshta.exe may not be necessary within a given environment since its functionality is tied to older versions of Internet Explorer that have reached end of life.
enterprise T1218.007 Msiexec Consider disabling the AlwaysInstallElevated policy to prevent elevated execution of Windows Installer packages.9
enterprise T1218.008 Odbcconf Odbcconf.exe may not be necessary within a given environment.
enterprise T1218.009 Regsvcs/Regasm Regsvcs and Regasm may not be necessary within a given environment.
enterprise T1218.012 Verclsid Consider removing verclsid.exe if it is not necessary within a given environment.
enterprise T1218.013 Mavinject Consider removing mavinject.exe if Microsoft App-V is not used within a given environment.
enterprise T1218.014 MMC MMC may not be necessary within a given environment since it is primarily used by system administrators, not regular users or clients.
enterprise T1221 Template Injection Consider disabling Microsoft Office macros/active content to prevent the execution of malicious payloads in documents 13, though this setting may not mitigate the Forced Authentication use for this technique.
enterprise T1205 Traffic Signaling Disable Wake-on-LAN if it is not needed within an environment.
enterprise T1127 Trusted Developer Utilities Proxy Execution Specific developer utilities may not be necessary within a given environment and should be removed if not used.
enterprise T1127.001 MSBuild MSBuild.exe may not be necessary within an environment and should be removed if not being used.
enterprise T1552 Unsecured Credentials -
enterprise T1552.005 Cloud Instance Metadata API Disable unnecessary metadata services and restrict or disable insecure versions of metadata services that are in use to prevent adversary access.10

References

  1. Microsoft. (2017, November 8). Microsoft Security Advisory 4053440 - Securely opening Microsoft Office documents that contain Dynamic Data Exchange (DDE) fields. Retrieved November 21, 2017. 

  2. Cimpanu, C. (2017, December 15). Microsoft Disables DDE Feature in Word to Prevent Further Malware Attacks. Retrieved December 19, 2017. 

  3. Dormann, W. (2017, October 20). Disable DDEAUTO for Outlook, Word, OneNote, and Excel versions 2010, 2013, 2016. Retrieved February 3, 2018. 

  4. Microsoft. (2017, December 12). ADV170021 - Microsoft Office Defense in Depth Update. Retrieved February 3, 2018. 

  5. Microsoft. (n.d.). Customizing the Desktop. Retrieved December 5, 2017. 

  6. Sarah Edwards. (2020, April 30). Analysis of Apple Unified Logs: Quarantine Edition [Entry 6] – Working From Home? Remote Logins. Retrieved August 19, 2021. 

  7. wdormann. (2019, August 29). Disable Windows Explorer file associations for Disc Image Mount. Retrieved April 16, 2022. 

  8. Metcalf, S. (2016, October 21). Securing Windows Workstations: Developing a Secure Baseline. Retrieved November 17, 2017. 

  9. Microsoft. (2018, May 31). AlwaysInstallElevated. Retrieved December 14, 2020. 

  10. MacCarthaigh, C. (2019, November 19). Add defense in depth against open firewalls, reverse proxies, and SSRF vulnerabilities with enhancements to the EC2 Instance Metadata Service. Retrieved October 14, 2020. 

  11. Google. (n.d.). Turn Gmail delegation on or off. Retrieved April 1, 2022. 

  12. Hatch, B. (2004, November 22). SSH and ssh-agent. Retrieved January 8, 2018. 

  13. Microsoft. (n.d.). Enable or disable macros in Office files. Retrieved September 13, 2018. 

  14. Microsoft. (n.d.). How to disable the Autorun functionality in Windows. Retrieved April 20, 2016. 

  15. Microsoft. (2007, August 31). https://technet.microsoft.com/en-us/library/cc771759(v=ws.10).aspx. Retrieved April 20, 2016. 

  16. Kondratiev, A. (n.d.). Disabling dangerous PHP functions. Retrieved July 26, 2021. 

  17. Microsoft. (2016, August 31). Network access: Do not allow storage of passwords and credentials for network authentication. Retrieved November 23, 2020. 

  18. Carr, N., Sellmer, S. (2021, June 14). Behind the scenes of business email compromise: Using cross-domain threat data to disrupt a large BEC campaign. Retrieved June 15, 2021. 

  19. Microsoft. (2020, January 23). How to turn off Visual Basic for Applications when you deploy Office. Retrieved September 17, 2020. 

  20. Schroeder, W. & Christensen, L. (2021, June 22). Certified Pre-Owned - Abusing Active Directory Certificate Services. Retrieved August 2, 2022. 

  21. Knowles, W. (2017, April 21). Add-In Opportunities for Office Persistence. Retrieved July 3, 2017. 

  22. Microsoft. (n.d.). Enable or Disable DCOM. Retrieved November 22, 2017.