Skip to content

M1050 Exploit Protection

Use capabilities to detect and block conditions that may lead to or be indicative of a software exploit occurring.

Item Value
ID M1050
Version 1.1
Created 11 June 2019
Last Modified 20 June 2020
Navigation Layer View In ATT&CK® Navigator

Techniques Addressed by Mitigation

Domain ID Name Use
enterprise T1189 Drive-by Compromise Security applications that look for behavior used during exploitation such as Windows Defender Exploit Guard (WDEG) and the Enhanced Mitigation Experience Toolkit (EMET) can be used to mitigate some exploitation behavior. 1 Control flow integrity checking is another way to potentially identify and stop a software exploit from occurring. 2 Many of these protections depend on the architecture and target application binary for compatibility.
enterprise T1190 Exploit Public-Facing Application Web Application Firewalls may be used to limit exposure of applications to prevent exploit traffic from reaching the application.
enterprise T1203 Exploitation for Client Execution Security applications that look for behavior used during exploitation such as Windows Defender Exploit Guard (WDEG) and the Enhanced Mitigation Experience Toolkit (EMET) can be used to mitigate some exploitation behavior. 1 Control flow integrity checking is another way to potentially identify and stop a software exploit from occurring. 2 Many of these protections depend on the architecture and target application binary for compatibility.
enterprise T1212 Exploitation for Credential Access Security applications that look for behavior used during exploitation such as Windows Defender Exploit Guard (WDEG) and the Enhanced Mitigation Experience Toolkit (EMET) can be used to mitigate some exploitation behavior.1 Control flow integrity checking is another way to potentially identify and stop a software exploit from occurring.2 Many of these protections depend on the architecture and target application binary for compatibility and may not work for software targeted for defense evasion.
enterprise T1211 Exploitation for Defense Evasion Security applications that look for behavior used during exploitation such as Windows Defender Exploit Guard (WDEG) and the Enhanced Mitigation Experience Toolkit (EMET) can be used to mitigate some exploitation behavior. 1 Control flow integrity checking is another way to potentially identify and stop a software exploit from occurring. 2 Many of these protections depend on the architecture and target application binary for compatibility and may not work for software targeted for defense evasion.
enterprise T1068 Exploitation for Privilege Escalation Security applications that look for behavior used during exploitation such as Windows Defender Exploit Guard (WDEG) and the Enhanced Mitigation Experience Toolkit (EMET) can be used to mitigate some exploitation behavior. 1 Control flow integrity checking is another way to potentially identify and stop a software exploit from occurring. 2 Many of these protections depend on the architecture and target application binary for compatibility and may not work for software components targeted for privilege escalation.
enterprise T1210 Exploitation of Remote Services Security applications that look for behavior used during exploitation such as Windows Defender Exploit Guard (WDEG) and the Enhanced Mitigation Experience Toolkit (EMET) can be used to mitigate some exploitation behavior. 1 Control flow integrity checking is another way to potentially identify and stop a software exploit from occurring. 2 Many of these protections depend on the architecture and target application binary for compatibility and may not work for all software or services targeted.
enterprise T1218 System Binary Proxy Execution Microsoft’s Enhanced Mitigation Experience Toolkit (EMET) Attack Surface Reduction (ASR) feature can be used to block methods of using using trusted binaries to bypass application control.
enterprise T1218.010 Regsvr32 Microsoft’s Enhanced Mitigation Experience Toolkit (EMET) Attack Surface Reduction (ASR) feature can be used to block regsvr32.exe from being used to bypass application control. 3 Identify and block potentially malicious software executed through regsvr32 functionality by using application control 4 tools, like Windows Defender Application Control5, AppLocker, 6 7 or Software Restriction Policies 8 where appropriate. 9
enterprise T1218.011 Rundll32 Microsoft’s Enhanced Mitigation Experience Toolkit (EMET) Attack Surface Reduction (ASR) feature can be used to block methods of using rundll32.exe to bypass application control.
enterprise T1080 Taint Shared Content Use utilities that detect or mitigate common features used in exploitation, such as the Microsoft Enhanced Mitigation Experience Toolkit (EMET).

References

Back to top