M1051 Update Software
Software updates ensure systems are protected against known vulnerabilities by applying patches and upgrades provided by vendors. Regular updates reduce the attack surface and prevent adversaries from exploiting known security gaps. This includes patching operating systems, applications, drivers, and firmware. This mitigation can be implemented through the following measures:
Regular Operating System Updates
- Implementation: Apply the latest Windows security updates monthly using WSUS (Windows Server Update Services) or a similar patch management solution. Configure systems to check for updates automatically and schedule reboots during maintenance windows.
- Use Case: Prevents exploitation of OS vulnerabilities such as privilege escalation or remote code execution.
Application Patching
- Implementation: Monitor Apache’s update release notes for security patches addressing vulnerabilities. Schedule updates for off-peak hours to avoid downtime while maintaining security compliance.
- Use Case: Prevents exploitation of web application vulnerabilities, such as those leading to unauthorized access or data breaches.
Firmware Updates
- Implementation: Regularly check the vendor’s website for firmware updates addressing vulnerabilities. Plan for update deployment during scheduled maintenance to minimize business disruption.
- Use Case: Protects against vulnerabilities that adversaries could exploit to gain access to network devices or inject malicious traffic.
Emergency Patch Deployment
- Implementation: Use the emergency patch deployment feature of the organization’s patch management tool to apply updates to all affected Exchange servers within 24 hours.
- Use Case: Reduces the risk of exploitation by rapidly addressing critical vulnerabilities.
Centralized Patch Management
- Implementation: Implement a centralized patch management system, such as SCCM or ManageEngine, to automate and track patch deployment across all environments. Generate regular compliance reports to ensure all systems are updated.
- Use Case: Streamlines patching processes and ensures no critical systems are missed.
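The compliance report mentioned under Centralized Patch Management and the 24-hour window under Emergency Patch Deployment can be checked mechanically once patch inventory is collected centrally. The script below is an added example, not code from the ATT&CK page or from any of the tools it names: it compares each host's installed component versions against a required baseline, flags hosts below baseline, and computes how far each finding is past its severity-based SLA (24 hours for critical fixes, as in the emergency measure; the other SLA values, the host names, component names, version strings and timestamps are constructed sample data). Versions are compared numerically per component so that, for example, 9.3.9 is correctly treated as older than 9.3.12.

```python
# Added example (not part of the ATT&CK page): a patch-compliance report of the kind a
# centralized patch management system produces, with an SLA check per finding.
# All hosts, components, versions, release times and SLA values are constructed sample data.
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass(frozen=True)
class Requirement:
    """Minimum acceptable version of a component and when the vendor shipped that fix."""
    component: str
    min_version: str
    severity: str        # "critical" fixes get the 24-hour emergency SLA
    released: datetime   # vendor release time of the patched version


# Hours allowed after vendor release, per severity (constructed policy; 24h for critical
# mirrors the Emergency Patch Deployment measure above).
SLA_HOURS = {"critical": 24, "high": 7 * 24, "medium": 30 * 24, "low": 90 * 24}


def parse_version(text: str) -> tuple[int, ...]:
    """Turn '2.4.58' or '10.0.19045' into a tuple of ints; non-digit suffixes are dropped."""
    parts = []
    for piece in text.split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def compare_versions(a: str, b: str) -> int:
    """Numeric comparison padded to equal length: -1 if a < b, 0 if equal, 1 if a > b.
    A plain string compare would wrongly rank '9.3.9' above '9.3.12'."""
    pa, pb = parse_version(a), parse_version(b)
    width = max(len(pa), len(pb))
    pa += (0,) * (width - len(pa))
    pb += (0,) * (width - len(pb))
    return (pa > pb) - (pa < pb)


def hours_overdue(req: Requirement, now: datetime) -> float:
    """Hours past the SLA deadline; negative while the remediation window is still open."""
    deadline = req.released + timedelta(hours=SLA_HOURS[req.severity])
    return (now - deadline).total_seconds() / 3600


def compliance_report(inventory: dict[str, dict[str, str]],
                      requirements: list[Requirement],
                      now: datetime) -> dict[str, list[dict]]:
    """One list of findings per host: each component installed below its required version.
    Components a host does not run are skipped, so an empty list means the host is compliant."""
    report = {}
    for host, installed in inventory.items():
        findings = []
        for req in requirements:
            version = installed.get(req.component)
            if version is None or compare_versions(version, req.min_version) >= 0:
                continue
            findings.append({
                "component": req.component,
                "installed": version,
                "required": req.min_version,
                "severity": req.severity,
                "hours_overdue": round(hours_overdue(req, now), 1),
            })
        report[host] = findings
    return report


def summarize(report: dict[str, list[dict]]) -> dict:
    """Fleet-level numbers plus the hosts with a critical fix already past its SLA."""
    hosts = len(report)
    compliant = sum(1 for findings in report.values() if not findings)
    overdue_critical = sorted(
        host for host, findings in report.items()
        if any(f["severity"] == "critical" and f["hours_overdue"] > 0 for f in findings))
    return {"hosts": hosts, "compliant": compliant,
            "percent": round(100.0 * compliant / hosts, 1) if hosts else 100.0,
            "overdue_critical": overdue_critical}


# Constructed report time and baseline.
NOW = datetime(2024, 3, 10, 12, 0, tzinfo=timezone.utc)
REQUIREMENTS = [
    # critical fix shipped 30h ago: the 24h window has already closed
    Requirement("exchange-cu", "15.2.1500.4", "critical", NOW - timedelta(hours=30)),
    # critical fix shipped 6h ago: 18h of the window remain
    Requirement("apache-httpd", "2.4.58", "critical", NOW - timedelta(hours=6)),
    # medium-severity firmware baseline from 40 days ago against a 30-day SLA
    Requirement("switch-firmware", "9.3.12", "medium", NOW - timedelta(days=40)),
]
INVENTORY = {  # constructed host -> installed versions, as a patch tool would export them
    "mail-01": {"exchange-cu": "15.2.1500.4"},
    "mail-02": {"exchange-cu": "15.2.1258.12"},   # behind the critical fix and past SLA
    "web-01": {"apache-httpd": "2.4.57"},          # behind, but SLA window still open
    "web-02": {"apache-httpd": "2.4.58"},
    "sw-core": {"switch-firmware": "9.3.9"},       # older than 9.3.12 despite the string order
}

if __name__ == "__main__":
    rep = compliance_report(INVENTORY, REQUIREMENTS, NOW)
    for host, findings in rep.items():
        status = "OK" if not findings else "; ".join(
            f"{f['component']} {f['installed']} < {f['required']} "
            f"({f['severity']}, {f['hours_overdue']:+.1f}h vs SLA)" for f in findings)
        print(f"{host:8} {status}")
    print(summarize(rep))
```

Feeding the script a real export (host, component, installed version) in place of the constructed INVENTORY turns it into the recurring compliance report the measure calls for; the `overdue_critical` list is the set of hosts that have missed the emergency window and need immediate attention.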
Tools for Implementation
Patch Management Tools:
- WSUS: Manage and deploy Microsoft updates across the organization.
- ManageEngine Patch Manager Plus: Automate patch deployment for OS and third-party apps.
- Ansible: Automate updates across multiple platforms, including Linux and Windows.
Vulnerability Scanning Tools:
- OpenVAS: Open-source vulnerability scanning to identify missing patches.
| Item | Value |
|---|---|
| ID | M1051 |
| Version | 1.1 |
| Created | 11 June 2019 |
| Last Modified | 24 December 2024 |
Techniques Addressed by Mitigation
| Domain | ID | Name | Use |
|---|---|---|---|
| enterprise | T1548 | Abuse Elevation Control Mechanism | Perform regular software updates to mitigate exploitation risk. |
| enterprise | T1548.002 | Bypass User Account Control | Consider updating Windows to the latest version and patch level to utilize the latest protective measures against UAC bypass.[4] |
| enterprise | T1110 | Brute Force | - |
| enterprise | T1110.001 | Password Guessing | Upgrade management services to the latest supported and compatible version. Specifically, any version providing increased password complexity or policy enforcement preventing default or weak passwords. |
| enterprise | T1555 | Credentials from Password Stores | Perform regular software updates to mitigate exploitation risk. |
| enterprise | T1555.003 | Credentials from Web Browsers | Regularly update web browsers, password managers, and all related software to the latest versions. Keeping software up-to-date reduces the risk of vulnerabilities being exploited by attackers to extract stored credentials or session cookies. |
| enterprise | T1555.005 | Password Managers | Regularly update web browsers, password managers, and all related software to the latest versions. Keeping software up-to-date reduces the risk of vulnerabilities being exploited by attackers to extract stored credentials or session cookies. |
| enterprise | T1602 | Data from Configuration Repository | Keep system images and software updated and migrate to SNMPv3.[5] |
| enterprise | T1602.001 | SNMP (MIB Dump) | Keep system images and software updated and migrate to SNMPv3.[5] |
| enterprise | T1602.002 | Network Device Configuration Dump | Keep system images and software updated and migrate to SNMPv3.[5] |
| enterprise | T1189 | Drive-by Compromise | Ensuring that all browsers and plugins are kept updated can help prevent the exploit phase of this technique. Use modern browsers with security features turned on.[8] |
| enterprise | T1611 | Escape to Host | Ensure that hosts are kept up-to-date with security patches. |
| enterprise | T1546 | Event Triggered Execution | Perform regular software updates to mitigate exploitation risk. |
| enterprise | T1546.010 | AppInit DLLs | Upgrade to Windows 8 or later and enable secure boot. |
| enterprise | T1546.011 | Application Shimming | Microsoft released an optional patch update, KB3045645, that removes the “auto-elevate” flag from sdbinst.exe. This prevents the use of application shimming to bypass UAC. |
| enterprise | T1190 | Exploit Public-Facing Application | Update software regularly by employing patch management for externally exposed applications. |
| enterprise | T1203 | Exploitation for Client Execution | Perform regular software updates to mitigate exploitation risk. Keeping software up-to-date with the latest security patches helps prevent adversaries from exploiting known vulnerabilities in client software, reducing the risk of successful attacks. |
| enterprise | T1212 | Exploitation for Credential Access | Update software regularly by employing patch management for internal enterprise endpoints and servers. |
| enterprise | T1211 | Exploitation for Defense Evasion | Update software regularly by employing patch management for internal enterprise endpoints and servers. |
| enterprise | T1068 | Exploitation for Privilege Escalation | Update software regularly by employing patch management for internal enterprise endpoints and servers. |
| enterprise | T1210 | Exploitation of Remote Services | Update software regularly by employing patch management for internal enterprise endpoints and servers. |
| enterprise | T1495 | Firmware Corruption | Patch the BIOS and other firmware as necessary to prevent successful use of known vulnerabilities. |
| enterprise | T1574 | Hijack Execution Flow | Update software regularly to include patches that fix DLL side-loading vulnerabilities. |
| enterprise | T1574.001 | DLL | Update software regularly to include patches that fix DLL side-loading vulnerabilities. |
| enterprise | T1562 | Impair Defenses | - |
| enterprise | T1562.013 | Disable or Modify Network Device Firewall | Ensure the network firewall is up to date with security patches. |
| enterprise | T1137 | Office Application Startup | For the Outlook methods, blocking macros may be ineffective as the Visual Basic engine used for these features is separate from the macro scripting engine.[6] Microsoft has released patches to try to address each issue. Ensure KB3191938, which blocks Outlook Visual Basic and displays a malicious code warning, KB4011091, which disables custom forms by default, and KB4011162, which removes the legacy Home Page feature, are applied to systems.[7] |
| enterprise | T1137.003 | Outlook Forms | For the Outlook methods, blocking macros may be ineffective as the Visual Basic engine used for these features is separate from the macro scripting engine.[6] Microsoft has released patches to try to address each issue. Ensure KB3191938, which blocks Outlook Visual Basic and displays a malicious code warning, KB4011091, which disables custom forms by default, and KB4011162, which removes the legacy Home Page feature, are applied to systems.[7] |
| enterprise | T1137.004 | Outlook Home Page | For the Outlook methods, blocking macros may be ineffective as the Visual Basic engine used for these features is separate from the macro scripting engine.[6] Microsoft has released patches to try to address each issue. Ensure KB3191938, which blocks Outlook Visual Basic and displays a malicious code warning, KB4011091, which disables custom forms by default, and KB4011162, which removes the legacy Home Page feature, are applied to systems.[7] |
| enterprise | T1137.005 | Outlook Rules | For the Outlook methods, blocking macros may be ineffective as the Visual Basic engine used for these features is separate from the macro scripting engine.[6] Microsoft has released patches to try to address each issue. Ensure KB3191938, which blocks Outlook Visual Basic and displays a malicious code warning, KB4011091, which disables custom forms by default, and KB4011162, which removes the legacy Home Page feature, are applied to systems.[7] |
| enterprise | T1542 | Pre-OS Boot | Patch the BIOS and EFI as necessary. |
| enterprise | T1542.001 | System Firmware | Patch the BIOS and EFI as necessary. |
| enterprise | T1542.002 | Component Firmware | Perform regular firmware updates to mitigate risks of exploitation and/or abuse. |
| enterprise | T1072 | Software Deployment Tools | Patch deployment systems regularly to prevent potential remote access through Exploitation for Privilege Escalation. |
| enterprise | T1176 | Software Extensions | Ensure operating systems and software are using the most current version. |
| enterprise | T1176.001 | Browser Extensions | Ensure operating systems and browsers are using the most current version. |
| enterprise | T1176.002 | IDE Extensions | Ensure operating systems and IDEs are using the most current version. |
| enterprise | T1539 | Steal Web Session Cookie | Regularly update web browsers, password managers, and all related software to the latest versions. Keeping software up-to-date reduces the risk of vulnerabilities being exploited by attackers to extract stored credentials or session cookies. |
| enterprise | T1195 | Supply Chain Compromise | A patch management process should be implemented to check unused dependencies, unmaintained and/or previously vulnerable dependencies, unnecessary features, components, files, and documentation. |
| enterprise | T1195.001 | Compromise Software Dependencies and Development Tools | A patch management process should be implemented to check unused dependencies, unmaintained and/or previously vulnerable dependencies, unnecessary features, components, files, and documentation. |
| enterprise | T1195.002 | Compromise Software Supply Chain | A patch management process should be implemented to check unused applications, unmaintained and/or previously vulnerable software, unnecessary features, components, files, and documentation. |
| enterprise | T1552 | Unsecured Credentials | Apply patch KB2962486, which prevents credentials from being stored in GPPs.[2][3] |
| enterprise | T1552.006 | Group Policy Preferences | Apply patch KB2962486, which prevents credentials from being stored in GPPs.[2][3] |
| enterprise | T1550 | Use Alternate Authentication Material | - |
| enterprise | T1550.002 | Pass the Hash | Apply patch KB2871997 to Windows 7 and higher systems to limit the default access of accounts in the local administrator group.[1] |
References
1. National Security Agency/Central Security Service Information Assurance Directorate. (2015, August 7). Spotting the Adversary with Windows Event Log Monitoring. Retrieved September 6, 2018.
2. Sean Metcalf. (2015, December 28). Finding Passwords in SYSVOL & Exploiting Group Policy Preferences. Retrieved February 17, 2020.
3. Microsoft. (2014, May 13). MS14-025: Vulnerability in Group Policy Preferences could allow elevation of privilege. Retrieved February 17, 2020.
4. UACME Project. (2016, June 16). UACMe. Retrieved July 26, 2016.
5. Omar Santos. (2020, October 19). Attackers Continue to Target Legacy Devices. Retrieved October 20, 2020.
6. Stalmans, E. (2017, April 28). Outlook Forms and Shells. Retrieved February 4, 2019.
7. Stalmans, E. (2017, October 11). Outlook Home Page – Another Ruler Vector. Retrieved February 4, 2019.
8. Dusty Miller. (2023, October 17). Are You Sure Your Browser is Up to Date? The Current Landscape of Fake Browser Updates. Retrieved February 13, 2024.