Skip to content

M1054 Software Configuration

Implement configuration changes to software (other than the operating system) to mitigate security risks associated to how the software operates.

Item Value
ID M1054
Version 1.1
Created 19 July 2019
Last Modified 31 March 2020
Navigation Layer View In ATT&CK® Navigator

Techniques Addressed by Mitigation

Domain ID Name Use
enterprise T1555 Credentials from Password Stores -
enterprise T1555.005 Password Managers Consider re-locking password managers after a short timeout to limit the time plaintext credentials live in memory from decrypted databases.
enterprise T1602 Data from Configuration Repository Allowlist MIB objects and implement SNMP views.1
enterprise T1602.001 SNMP (MIB Dump) Allowlist MIB objects and implement SNMP views.1
enterprise T1602.002 Network Device Configuration Dump Allowlist MIB objects and implement SNMP views. Disable Smart Install (SMI) if not used.19
enterprise T1546 Event Triggered Execution -
enterprise T1546.013 PowerShell Profile Avoid PowerShell profiles if not needed. Use the -No Profile flag with when executing PowerShell scripts remotely to prevent local profiles and scripts from being executed.
enterprise T1606 Forge Web Credentials Configure browsers/applications to regularly delete persistent web credentials (such as cookies).
enterprise T1606.001 Web Cookies Configure browsers/applications to regularly delete persistent web cookies.
enterprise T1562 Impair Defenses -
enterprise T1562.006 Indicator Blocking Consider automatically relaunching forwarding mechanisms at recurring intervals (ex: temporal, on-logon, etc.) as well as applying appropriate change management to firewall rules and other related system configurations.
enterprise T1562.009 Safe Mode Boot Ensure that endpoint defenses run in safe mode.8
enterprise T1559 Inter-Process Communication Consider disabling embedded files in Office programs, such as OneNote, that do not work with Protected View.67
enterprise T1559.002 Dynamic Data Exchange Consider disabling embedded files in Office programs, such as OneNote, that do not work with Protected View.67
enterprise T1137 Office Application Startup For the Office Test method, create the Registry key used to execute it and set the permissions to “Read Control” to prevent easy access to the key without administrator permissions or requiring Privilege Escalation. 10
enterprise T1137.002 Office Test Create the Registry key used to execute it and set the permissions to “Read Control” to prevent easy access to the key without administrator permissions or requiring Privilege Escalation.10
enterprise T1566 Phishing Use anti-spoofing and email authentication mechanisms to filter messages based on validity checks of the sender domain (using SPF) and integrity of messages (using DKIM). Enabling these mechanisms within an organization (through policies such as DMARC) may enable recipients (intra-org and cross domain) to perform similar message filtering and validation.23
enterprise T1566.001 Spearphishing Attachment Use anti-spoofing and email authentication mechanisms to filter messages based on validity checks of the sender domain (using SPF) and integrity of messages (using DKIM). Enabling these mechanisms within an organization (through policies such as DMARC) may enable recipients (intra-org and cross domain) to perform similar message filtering and validation.23
enterprise T1566.002 Spearphishing Link Use anti-spoofing and email authentication mechanisms to filter messages based on validity checks of the sender domain (using SPF) and integrity of messages (using DKIM). Enabling these mechanisms within an organization (through policies such as DMARC) may enable recipients (intra-org and cross domain) to perform similar message filtering and validation.23.
enterprise T1598 Phishing for Information Use anti-spoofing and email authentication mechanisms to filter messages based on validity checks of the sender domain (using SPF) and integrity of messages (using DKIM). Enabling these mechanisms within an organization (through policies such as DMARC) may enable recipients (intra-org and cross domain) to perform similar message filtering and validation.23
enterprise T1598.002 Spearphishing Attachment Use anti-spoofing and email authentication mechanisms to filter messages based on validity checks of the sender domain (using SPF) and integrity of messages (using DKIM). Enabling these mechanisms within an organization (through policies such as DMARC) may enable recipients (intra-org and cross domain) to perform similar message filtering and validation.23
enterprise T1598.003 Spearphishing Link Use anti-spoofing and email authentication mechanisms to filter messages based on validity checks of the sender domain (using SPF) and integrity of messages (using DKIM). Enabling these mechanisms within an organization (through policies such as DMARC) may enable recipients (intra-org and cross domain) to perform similar message filtering and validation.23
enterprise T1539 Steal Web Session Cookie Configure browsers or tasks to regularly delete persistent cookies.
enterprise T1553 Subvert Trust Controls HTTP Public Key Pinning (HPKP) is one method to mitigate potential Adversary-in-the-Middle situations where and adversary uses a mis-issued or fraudulent certificate to intercept encrypted communications by enforcing use of an expected certificate. 5
enterprise T1553.004 Install Root Certificate HTTP Public Key Pinning (HPKP) is one method to mitigate potential Adversary-in-the-Middle situations where and adversary uses a mis-issued or fraudulent certificate to intercept encrypted communications by enforcing use of an expected certificate. 5
enterprise T1535 Unused/Unsupported Cloud Regions Cloud service providers may allow customers to deactivate unused regions.4
enterprise T1550 Use Alternate Authentication Material -
enterprise T1550.004 Web Session Cookie Configure browsers or tasks to regularly delete persistent cookies.

References