Skip to content

M1051 Update Software

Perform regular software updates to mitigate exploitation risk.

Item Value
ID M1051
Version 1.0
Created 11 June 2019
Last Modified 07 July 2020
Navigation Layer View In ATT&CK® Navigator

Techniques Addressed by Mitigation

Domain ID Name Use
enterprise T1548 Abuse Elevation Control Mechanism -
enterprise T1548.002 Bypass User Account Control Consider updating Windows to the latest version and patch level to utilize the latest protective measures against UAC bypass.4
enterprise T1176 Browser Extensions Ensure operating systems and browsers are using the most current version.
enterprise T1110 Brute Force -
enterprise T1110.001 Password Guessing Upgrade management services to the latest supported and compatible version. Specifically, any version providing increased password complexity or policy enforcement preventing default or weak passwords.
enterprise T1555 Credentials from Password Stores -
enterprise T1555.005 Password Managers Update password managers regularly by employing patch management for internal enterprise endpoints and servers.
enterprise T1602 Data from Configuration Repository Keep system images and software updated and migrate to SNMPv3.3
enterprise T1602.001 SNMP (MIB Dump) Keep system images and software updated and migrate to SNMPv3.3
enterprise T1602.002 Network Device Configuration Dump Keep system images and software updated and migrate to SNMPv3.3
enterprise T1189 Drive-by Compromise Ensure all browsers and plugins kept updated can help prevent the exploit phase of this technique. Use modern browsers with security features turned on.
enterprise T1546 Event Triggered Execution -
enterprise T1546.010 AppInit DLLs Upgrade to Windows 8 or later and enable secure boot.
enterprise T1546.011 Application Shimming Microsoft released an optional patch update - KB3045645 - that will remove the “auto-elevate” flag within the sdbinst.exe. This will prevent use of application shimming to bypass UAC.
enterprise T1190 Exploit Public-Facing Application Update software regularly by employing patch management for externally exposed applications.
enterprise T1212 Exploitation for Credential Access Update software regularly by employing patch management for internal enterprise endpoints and servers.
enterprise T1211 Exploitation for Defense Evasion Update software regularly by employing patch management for internal enterprise endpoints and servers.
enterprise T1068 Exploitation for Privilege Escalation Update software regularly by employing patch management for internal enterprise endpoints and servers.
enterprise T1210 Exploitation of Remote Services Update software regularly by employing patch management for internal enterprise endpoints and servers.
enterprise T1495 Firmware Corruption Patch the BIOS and other firmware as necessary to prevent successful use of known vulnerabilities.
enterprise T1574 Hijack Execution Flow Update software regularly to include patches that fix DLL side-loading vulnerabilities.
enterprise T1574.002 DLL Side-Loading Update software regularly to include patches that fix DLL side-loading vulnerabilities.
enterprise T1137 Office Application Startup For the Outlook methods, blocking macros may be ineffective as the Visual Basic engine used for these features is separate from the macro scripting engine.1 Microsoft has released patches to try to address each issue. Ensure KB3191938 which blocks Outlook Visual Basic and displays a malicious code warning, KB4011091 which disables custom forms by default, and KB4011162 which removes the legacy Home Page feature, are applied to systems.2
enterprise T1137.003 Outlook Forms For the Outlook methods, blocking macros may be ineffective as the Visual Basic engine used for these features is separate from the macro scripting engine.1 Microsoft has released patches to try to address each issue. Ensure KB3191938 which blocks Outlook Visual Basic and displays a malicious code warning, KB4011091 which disables custom forms by default, and KB4011162 which removes the legacy Home Page feature, are applied to systems.2
enterprise T1137.004 Outlook Home Page For the Outlook methods, blocking macros may be ineffective as the Visual Basic engine used for these features is separate from the macro scripting engine.1 Microsoft has released patches to try to address each issue. Ensure KB3191938 which blocks Outlook Visual Basic and displays a malicious code warning, KB4011091 which disables custom forms by default, and KB4011162 which removes the legacy Home Page feature, are applied to systems.2
enterprise T1137.005 Outlook Rules For the Outlook methods, blocking macros may be ineffective as the Visual Basic engine used for these features is separate from the macro scripting engine.1 Microsoft has released patches to try to address each issue. Ensure KB3191938 which blocks Outlook Visual Basic and displays a malicious code warning, KB4011091 which disables custom forms by default, and KB4011162 which removes the legacy Home Page feature, are applied to systems.2
enterprise T1542 Pre-OS Boot Patch the BIOS and EFI as necessary.
enterprise T1542.001 System Firmware Patch the BIOS and EFI as necessary.
enterprise T1542.002 Component Firmware Perform regular firmware updates to mitigate risks of exploitation and/or abuse.
enterprise T1072 Software Deployment Tools Patch deployment systems regularly to prevent potential remote access through Exploitation for Privilege Escalation.
enterprise T1195 Supply Chain Compromise A patch management process should be implemented to check unused dependencies, unmaintained and/or previously vulnerable dependencies, unnecessary features, components, files, and documentation.
enterprise T1195.001 Compromise Software Dependencies and Development Tools A patch management process should be implemented to check unused dependencies, unmaintained and/or previously vulnerable dependencies, unnecessary features, components, files, and documentation.
enterprise T1195.002 Compromise Software Supply Chain A patch management process should be implemented to check unused applications, unmaintained and/or previously vulnerable software, unnecessary features, components, files, and documentation.
enterprise T1552 Unsecured Credentials Apply patch KB2962486 which prevents credentials from being stored in GPPs.56
enterprise T1552.006 Group Policy Preferences Apply patch KB2962486 which prevents credentials from being stored in GPPs.56
enterprise T1550 Use Alternate Authentication Material -
enterprise T1550.002 Pass the Hash Apply patch KB2871997 to Windows 7 and higher systems to limit the default access of accounts in the local administrator group.7

References

Back to top