M1051 Update Software
Perform regular software updates to mitigate exploitation risk.
| Item | Value |
|---|---|
| ID | M1051 |
| Version | 1.0 |
| Created | 11 June 2019 |
| Last Modified | 07 July 2020 |
| Navigation Layer | View In ATT&CK® Navigator |
Techniques Addressed by Mitigation
| Domain | ID | Name | Use |
|---|---|---|---|
| enterprise | T1548 | Abuse Elevation Control Mechanism | - |
| enterprise | T1548.002 | Bypass User Account Control | Consider updating Windows to the latest version and patch level to utilize the latest protective measures against UAC bypass.4 |
| enterprise | T1176 | Browser Extensions | Ensure operating systems and browsers are using the most current version. |
| enterprise | T1110 | Brute Force | - |
| enterprise | T1110.001 | Password Guessing | Upgrade management services to the latest supported and compatible version. Specifically, any version providing increased password complexity or policy enforcement preventing default or weak passwords. |
| enterprise | T1555 | Credentials from Password Stores | - |
| enterprise | T1555.005 | Password Managers | Update password managers regularly by employing patch management for internal enterprise endpoints and servers. |
| enterprise | T1602 | Data from Configuration Repository | Keep system images and software updated and migrate to SNMPv3.1 |
| enterprise | T1602.001 | SNMP (MIB Dump) | Keep system images and software updated and migrate to SNMPv3.1 |
| enterprise | T1602.002 | Network Device Configuration Dump | Keep system images and software updated and migrate to SNMPv3.1 |
| enterprise | T1189 | Drive-by Compromise | Ensure all browsers and plugins kept updated can help prevent the exploit phase of this technique. Use modern browsers with security features turned on. |
| enterprise | T1546 | Event Triggered Execution | - |
| enterprise | T1546.010 | AppInit DLLs | Upgrade to Windows 8 or later and enable secure boot. |
| enterprise | T1546.011 | Application Shimming | Microsoft released an optional patch update - KB3045645 - that will remove the “auto-elevate” flag within the sdbinst.exe. This will prevent use of application shimming to bypass UAC. |
| enterprise | T1190 | Exploit Public-Facing Application | Update software regularly by employing patch management for externally exposed applications. |
| enterprise | T1212 | Exploitation for Credential Access | Update software regularly by employing patch management for internal enterprise endpoints and servers. |
| enterprise | T1211 | Exploitation for Defense Evasion | Update software regularly by employing patch management for internal enterprise endpoints and servers. |
| enterprise | T1068 | Exploitation for Privilege Escalation | Update software regularly by employing patch management for internal enterprise endpoints and servers. |
| enterprise | T1210 | Exploitation of Remote Services | Update software regularly by employing patch management for internal enterprise endpoints and servers. |
| enterprise | T1495 | Firmware Corruption | Patch the BIOS and other firmware as necessary to prevent successful use of known vulnerabilities. |
| enterprise | T1574 | Hijack Execution Flow | Update software regularly to include patches that fix DLL side-loading vulnerabilities. |
| enterprise | T1574.002 | DLL Side-Loading | Update software regularly to include patches that fix DLL side-loading vulnerabilities. |
| enterprise | T1137 | Office Application Startup | For the Outlook methods, blocking macros may be ineffective as the Visual Basic engine used for these features is separate from the macro scripting engine.2 Microsoft has released patches to try to address each issue. Ensure KB3191938 which blocks Outlook Visual Basic and displays a malicious code warning, KB4011091 which disables custom forms by default, and KB4011162 which removes the legacy Home Page feature, are applied to systems.3 |
| enterprise | T1137.003 | Outlook Forms | For the Outlook methods, blocking macros may be ineffective as the Visual Basic engine used for these features is separate from the macro scripting engine.2 Microsoft has released patches to try to address each issue. Ensure KB3191938 which blocks Outlook Visual Basic and displays a malicious code warning, KB4011091 which disables custom forms by default, and KB4011162 which removes the legacy Home Page feature, are applied to systems.3 |
| enterprise | T1137.004 | Outlook Home Page | For the Outlook methods, blocking macros may be ineffective as the Visual Basic engine used for these features is separate from the macro scripting engine.2 Microsoft has released patches to try to address each issue. Ensure KB3191938 which blocks Outlook Visual Basic and displays a malicious code warning, KB4011091 which disables custom forms by default, and KB4011162 which removes the legacy Home Page feature, are applied to systems.3 |
| enterprise | T1137.005 | Outlook Rules | For the Outlook methods, blocking macros may be ineffective as the Visual Basic engine used for these features is separate from the macro scripting engine.2 Microsoft has released patches to try to address each issue. Ensure KB3191938 which blocks Outlook Visual Basic and displays a malicious code warning, KB4011091 which disables custom forms by default, and KB4011162 which removes the legacy Home Page feature, are applied to systems.3 |
| enterprise | T1542 | Pre-OS Boot | Patch the BIOS and EFI as necessary. |
| enterprise | T1542.001 | System Firmware | Patch the BIOS and EFI as necessary. |
| enterprise | T1542.002 | Component Firmware | Perform regular firmware updates to mitigate risks of exploitation and/or abuse. |
| enterprise | T1072 | Software Deployment Tools | Patch deployment systems regularly to prevent potential remote access through Exploitation for Privilege Escalation. |
| enterprise | T1195 | Supply Chain Compromise | A patch management process should be implemented to check unused dependencies, unmaintained and/or previously vulnerable dependencies, unnecessary features, components, files, and documentation. |
| enterprise | T1195.001 | Compromise Software Dependencies and Development Tools | A patch management process should be implemented to check unused dependencies, unmaintained and/or previously vulnerable dependencies, unnecessary features, components, files, and documentation. |
| enterprise | T1195.002 | Compromise Software Supply Chain | A patch management process should be implemented to check unused applications, unmaintained and/or previously vulnerable software, unnecessary features, components, files, and documentation. |
| enterprise | T1552 | Unsecured Credentials | Apply patch KB2962486 which prevents credentials from being stored in GPPs.56 |
| enterprise | T1552.006 | Group Policy Preferences | Apply patch KB2962486 which prevents credentials from being stored in GPPs.56 |
| enterprise | T1550 | Use Alternate Authentication Material | - |
| enterprise | T1550.002 | Pass the Hash | Apply patch KB2871997 to Windows 7 and higher systems to limit the default access of accounts in the local administrator group.7 |
References
-
Omar Santos. (2020, October 19). Attackers Continue to Target Legacy Devices. Retrieved October 20, 2020. ↩↩↩
-
Stalmans, E. (2017, April 28). Outlook Forms and Shells. Retrieved February 4, 2019. ↩↩↩↩
-
Stalmans, E. (2017, October 11). Outlook Home Page – Another Ruler Vector. Retrieved February 4, 2019. ↩↩↩↩
-
UACME Project. (2016, June 16). UACMe. Retrieved July 26, 2016. ↩
-
Sean Metcalf. (2015, December 28). Finding Passwords in SYSVOL & Exploiting Group Policy Preferences. Retrieved February 17, 2020. ↩↩
-
Microsoft. (2014, May 13). MS14-025: Vulnerability in Group Policy Preferences could allow elevation of privilege. Retrieved February 17, 2020. ↩↩
-
National Security Agency/Central Security Service Information Assurance Directorate. (2015, August 7). Spotting the Adversary with Windows Event Log Monitoring. Retrieved September 6, 2018. ↩