Introduction
The MITRE ATT&CK® Matrix for Enterprise is a collection of known cyberattack techniques based on real-world observations. It is broken down into 14 separate tactics. Each of the 14 tactics is further broken down into specific techniques that have been used to achieve that tactic. MITRE then lists mitigations for each technique unless no mitigations currently exist.
When properly configured, the ThreatLocker® Endpoint Security Platform can be used to assist in mitigating many of the techniques. We have done our best to identify the specific mitigation techniques supported by ThreatLocker. Where a tactic or technique is not listed, ThreatLocker does not currently support mitigations of that tactic or technique.
For more information on the MITRE ATT&CK® Matrix please visit: https://attack.mitre.org/
Initial Access
Drive-By Compromise – “Adversaries may gain access to a system through a user visiting a website over the normal course of browsing.”
- M1050 Exploit Protection – ThreatLocker Allowlisting blocks all unpermitted software, libraries and scripts by default. ThreatLocker Ringfencing provides boundaries that prevent applications from interacting with other applications, your files, the registry, and the internet.
- M1021 Restrict Web-Based content – ThreatLocker Allowlisting blocks all unapproved scripts from executing by default.
Exploit Public-Facing Application – “Adversaries may attempt to take advantage of a weakness in an Internet-facing computer or program using software, data, or commands in order to cause unintended or unanticipated behavior.“
- M1048 Application Isolation and Sandboxing – ThreatLocker Ringfencing can provide boundaries that limit what an application has access to, to limit what processes and system features can be accessed in the event of successful exploitation of the application.
External Remote Services – “Adversaries may leverage external-facing remote services to initially access and/or persist within a network.”
- M1042 Disable or Remove Feature or Program – Using Network Control, create a policy to block all inbound traffic, and then permit access to each resource per port, and all unpermitted ports will remain closed.
- M1030 Network Segmentation – Use Network Control to control access to internal systems that have the ThreatLocker agent installed. Create a policy to block all inbound traffic and then permit only specific devices to access to internal systems and via only the ports you specify.
Hardware Additions – “Adversaries may introduce computer accessories, networking hardware, or other computing devices into a system or network that can be used as a vector to gain access.”
- M1035 Limit Access to Resource over Network – Use Network Control to prevent unapproved devices from communicating with trusted systems.
- M1034 Limit Hardware Installation – Block unknown devices and accessories (IoT devices) by using Network Control.
Phishing – “Adversaries may send phishing messages to gain access to victim systems.”
- M1049 Antivirus/Antimalware – Allowlisting will block any unapproved executables.
- M1031 Network Intrusion Prevention - Allowlisting prevents unapproved code from executing regardless of how it is introduced.
- M1021 Restrict Web-Based Content – Allowlisting prevents most unapproved executable extensions from running, including the .scr extension. It does not currently block .pif or .cpl files.
Replication Through Removable Media –“Adversaries may move onto systems, possibly those on disconnected or air-gapped networks, by copying malware to removable media and taking advantage of Autorun features when the media is inserted into a system and executes. In the case of Lateral Movement, this may occur through modification of executable files stored on removable media or by copying malware and renaming it to look like a legitimate file to trick users into executing it on a separate system. In the case of Initial Access, this may occur through manual manipulation of the media, modification of systems used to initially format the media, or modification to the media's firmware itself.”
- M1040 Behavior Prevention on Endpoint – Although ThreatLocker does not enable Attack Surface Reduction (ASR) in Windows, all unapproved executable files such as .exe, .dll, or .scr will be blocked by Allowlisting.
- M1042 Disable or Remove Feature or Program – ThreatLocker Configuration Manager can be used to disable autorun across your environment, regardless of whether the PCs are in your AD domain. Storage Control can be used to disallow or restrict moveable media at an organizational level.
- M1034 Limit Hardware Installation – Storage Control can be used to limit the use of USBs and removable media within your network.
Trusted Relationship – “Adversaries may breach or otherwise leverage organizations who have access to intended victims.”
- M1030 Network Segmentation – For infrastructure components that have the ThreatLocker agent installed, Network Control can be used to block access to those components and only permit just-in-time connections from devices that require access to them.
Execution
Command and Scripting Interpreter – “Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries.”
- M1049 Antivirus/Antimalware – While ThreatLocker does not seek to judge files as suspicious or trusted, Allowlisting automatically blocks all software, scripts, or libraries that are not on the allowlist.
- M1040 Behavior Prevention on Endpoint – Although ThreatLocker does not enable Attack Surface Reduction (ASR) in Windows, unpermitted scripts such as .js files that are attempted to be run by CScript or WScript, and .vbs files will be unable to execute.
- M1045 Code Signing – With Allowlisting, all new scripts must be permitted before they can execute. Allowlisting policies can be created to permit scripts based on digital certificates. ThreatLocker recommends that all new scripts be tested before being permitted as a more secure method than creating a policy that will permit all scripts with a certain certificate.
- M1038 Execution Prevention- ThreatLocker Allowlisting blocks unpermitted executables by default.
- M1025 Privileged Account Management – ThreatLocker Allowlisting can be used to restrict the use of PowerShell down to only the specific users that require it.
- M1021 Restrict Web-Based Content – ThreatLocker Allowlisting will automatically block unpermitted scripts. For .hta files, a policy can be set to deny mshta.exe which will stop the execution of .hta files.
Exploitation for Client Execution – “Adversaries may exploit software vulnerabilities in client applications to execute code.”
- M1050 Exploit Protection – ThreatLocker Allowlisting, while it isn’t behavior based, will prevent unapproved executions to help protect against exploits. ThreatLocker Ops can have policies set to monitor for specific IOCs and alert and respond depending on thresholds set by you.
Inter-Process Communication – “Adversaries may abuse inter-process communication (IPC) mechanisms for local code or command execution.”
- M1040 Behavior Prevention on Endpoint - While ThreatLocker can’t enable ASR, ThreatLocker Ringfencing can prevent Office from communicating with other applications to reduce the risk of a DDE attack or the ability for Office to spawn other processes.
- M1042 Disable or Remove Feature or Program – ThreatLocker Configuration Manager can be used to disable downloaded macros and OLE in Microsoft Office, even if computers are not a member of Active Directory.
Native API - “Adversaries may interact with the native OS application programming interface (API) to execute behaviors.”
- M1040 Behavior Prevention on Endpoint- While ThreatLocker can’t enable ASR rules, Configuration Manager can be used to disable downloaded Office macros, so that no downloaded Office VBA macros can call Win32 APIs.
- M1038 Execution Prevention – all unapproved software is blocked whether malicious or not.
Shared Modules
- M1038 Execution Prevention – While ThreatLocker does not identify potentially malicious software, Allowlisting blocks any unpermitted software by default.
Software Deployment Tools – “Adversaries may gain access to and use third-party software suites installed within an enterprise network, such as administration, monitoring, and deployment systems, to move laterally through the network.”
- M1030 Network Segmentation – Use ThreatLocker Network Control to protect access to critical network systems to ensure only permitted devices can connect.
- M1029 Remote Data Storage – Use Storage Control and Network Control together to ensure that the system containing trusted signing certificates cannot be accessed by any person/machine other than authorized individuals.
System Services – “Adversaries can execute malicious content by interacting with or creating services either locally or remotely.”
- M1040 Behavior Prevention on Endpoint – ThreatLocker Ringfencing can prevent PsExec from interacting with other applications, so it can’t create other processes.
- M1018 User Account Management - No unauthorized executables can run with Allowlisting, preventing users from running their own launch agents or daemons unless a ThreatLocker administrator approved them.
User Execution – “An adversary may rely upon specific actions by a user in order to gain execution.”
- M1040 Behavior Prevention on Endpoint - No unauthorized executable file can run with Allowlisting. Ringfencing can be applied to Office to prevent it from interacting with other applications as desired.
- M1038 Execution Prevention – Allowlisting creates policies based on hash, so no unauthorized application can execute, even if it is masquerading as an approved application.
- M1021 Restrict Web-Based Content – Regardless of where a file comes from, no unapproved executables such as .scr and .exe files can be run. Please note that at this time, .cpl and .pif files are not included.
Windows Management Instrumentation – “Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads.”
- M1040 Behavior Prevention on Endpoint – Allowlisting will prevent unapproved executables.
- M1038 Execution Prevention – Allowlisting enables you to create a policy to block wmic.exe, and then only permit it for specific users that require it.
- M1026 Privileged Account Management – Prevent credential overlap using Elevation to eliminate local admin accounts and only elevate specific apps/processes that require it, so no local admin credentials are needed.
- M1018 User Account Management- With Allowlisting, only permit WMI to be used by specific users that require it, using interfaces that you specify.
Persistence
Account Manipulation – “Adversaries may manipulate accounts to maintain access to victim systems.”
- M1030 Network Segmentation – Use Network Control to limit access to critical systems and domain controllers.
- M1028 Operating System Configuration – ThreatLocker Network Control can be used to limit access to domain controllers. Create a default deny policy to block all inbound traffic, and then permit access per port, and only to approved devices. Ports only open when a connection from a permitted device is initiated, and only the specified port will open. All other ports will remain closed.
Boot or Logon Autostart Execution – “Adversaries may configure system settings to automatically execute a program during system boot or logon to maintain persistence or gain higher-level privileges on compromised systems.”
- This technique is not easily mitigated because it is based on the abuse of system features. There are no specific mitigations listed by MITRE. ThreatLocker runs at the kernel level. By default, ThreatLocker blocks bcdedit as well as any script, driver, or application not on the allowlist. ThreatLocker Ops can be set to monitor for specific IOCs as you specify.
Browser Extensions – “Adversaries may abuse Internet browser extensions to establish persistent access to victim systems.”
- M1047 Audit – ThreatLocker Allowlisting blocks browser extensions by default, and only approved extensions can run. Once approved, an unpermitted extension masquerading as an approved extension will be blocked as the extension is learned by hash, and any small change in the extension will change the hash. All extension executions (whether successful or not) will be logged in Unified Audit.
- M1038 Execution Prevention – Allowlisting blocks all extensions by default, and as they are approved, they are automatically added to the allowlist.
- M1033 Limit Software Installation – Allowlisting blocks all executions by default. Any requested extension must first be approved by an admin, giving you the opportunity to verify the requested extension is safe. Use the ThreatLocker Testing Environment to view the browser extension dynamically to ensure it behaves as expected.
Compromise Client Software Binary – “Adversaries may modify client software binaries to establish persistent access to systems.”
- M1045 Code Signing – Allowlisting automatically blocks any new executable from running until it has been vetted and approved so you can check to ensure all component binaries have the correct signature, if desired.
Create Account – “Adversaries may create an account to maintain access to victim systems.”
- M1030 Network Segmentation – Use Network Control to block access to domain controllers. Then permit access based on device, IP address, or object so it can only accept approved connections.
Create or Modify System Process – “Adversaries may create or modify system-level processes to repeatedly execute malicious payloads as part of persistence.”
- M1047 Audit – The Unified Audit provides visibility of user and SYSTEM actions, including any action performed using elevated privileges so that you can review activity.
- M1040 Behavior Prevention on Endpoint – While ThreatLocker does not enable ASR rules, Allowlisting blocks all unapproved drivers by default, regardless of the developing party or how it enters the system.
- M1045 Code Signing – ThreatLocker Allowlisting blocks all unapproved drivers by default.
- M1033 Limit Software Installation – Allowlisting blocks all executables by default, enabling you to control what applications are permitted in the environment.
- M1028 Operating System Configuration – While ThreatLocker can’t enable Driver Signature Enforcement, all unapproved drivers are blocked by default with Allowlisting.
- M1022 Restrict File and Directory Permissions- Storage Control can restrict read/write access to the system-level process files to only specified users that have a business need to manage those services.
Event Triggered Execution – “Adversaries may establish persistence and/or elevate privileges using system mechanisms that trigger execution based on specific events.”
- This is not easily mitigated because it is based on the abuse of system features, and there are no mitigations specified by MITRE. However, ThreatLocker can assist with mitigating event-triggered execution. Allowlisting blocks unapproved software, scripts and dlls, so adversaries will be unable to execute malicious code. ThreatLocker Ops policies can be set to monitor the Windows event log for IOCs you specify such as Registry Key modifications.
External Remote Services – “Adversaries may leverage external-facing remote services to initially access and/or persist within a network. Remote services such as VPNs, Citrix, and other access mechanisms allow users to connect to internal enterprise network resources from external locations. There are often remote service gateways that manage connections and credential authentication for these services.”
- M1035 Limit Access to Resource Over Network – Use ThreatLocker Network Control to block all inbound traffic on your remote access gateway, and then permit access to only specified devices.
- M1030 Network Segmentation – Use ThreatLocker Network Control to block all inbound traffic to internal systems. Permit only acceptable connections.
Hijack Execution Flow – “Adversaries may execute their own malicious payloads by hijacking the way operating systems run programs.”
- M1038 Execution Prevention – ThreatLocker Allowlisting will block all unapproved libraries and software by default. Unless a library is on the allowlist, it doesn’t matter what software attempts to load it, it will be blocked.
- M1022 Restrict File and Directory Permissions – To protect the save location of software from users, ThreatLocker Storage Control can be set to restrict access to the folders where software is installed to prevent writing or reading and writing.
- M1052 User Account Control – Although ThreatLocker can’t enforce passwords for installations, Allowlisting will prevent any unauthorized software from executing, regardless of which user is attempting it, even if they are a local admin.
Office Application Startup – “Adversaries may leverage Microsoft Office-based applications for persistence between startups.”
- M1040 Behavior Prevention on Endpoint – While ThreatLocker does not enable ASR rules, ThreatLocker Allowlisting prevents unapproved executables from running.
- M1042 Disable or Remove Feature or Program – ThreatLocker Configuration Manager can be used to disable Office macros.
Server Software Component – “Adversaries may abuse legitimate extensible development features of servers to establish persistent access to systems.”
- M1042 Disable or Remove Feature or Program – ThreatLocker Allowlisting can be used to control the software that is permitted on servers as well as workstations. Create a separate allow list for servers, limiting the software to only what is required. If each server requires separate software, use policies to create a list tailored for each specific server. Allowlisting will automatically block unapproved executables from running until they have been vetted and approved.
Privilege Escalation
Abuse Elevation Control Mechanism – “Adversaries may circumvent mechanisms designed to control elevate privileges to gain higher-level permissions.”
- M1038 Execution Prevention – ThreatLocker Allowlisting will prevent any unapproved software from running regardless of where it is downloaded from.
- M1026 Privileged Account Management – ThreatLocker Elevation Control enables you to remove local admins and only elevate specific processes that require those privileges.
Access Token Manipulation – “Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls.”
- M1018 User Account Management – A bad actor must have admin access on the local system to perform this attack technique. ThreatLocker Elevation enables you to eliminate local admin accounts and only permit elevated processes as necessary to reduce the likelihood that a bad actor can successfully perform this attack.
Create or Modify System Process – “Adversaries may create or modify system-level processes to repeatedly execute malicious payloads as part of persistence.”
- M1040 Behavior Prevention on Endpoint – While ThreatLocker does not enable ASR rules, Allowlisting blocks all unapproved drivers by default, regardless of the developing party or how it enters the system.
- M1045 Code Signing – ThreatLocker Allowlisting will block all unapproved drivers.
- M1033 Limit Software Installation – ThreatLocker Allowlisting will block unapproved software.
- M1022 Restrict File and Directory Permissions- Storage Control can control the ability to read and read/write files and directories to only specified users.
Exploitation for Privilege Escalation – “Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.”
- M1048 Application Isolation and Sandboxing –ThreatLocker Ringfencing can be set to restrict applications from interacting with other applications, powerful Windows tools, the internet, the registry, and your files. This helps to limit the impact in the event an undiscovered or unpatched vulnerability is exploited.
- M1038 Execution Prevention – Allowlisting will block all unapproved drivers, whether vulnerable or not, by default.
- M1050 Exploit Protection –Use Ringfencing to restrict what access approved applications have to mitigate some exploitation behavior.
Hijack Execution Flow – “Adversaries may execute their own malicious payloads by hijacking the way operating systems run programs.”
- M1040 Behavior Prevention on Endpoint – ThreatLocker Allowlisting will block unapproved executions. Ringfencing can be used to control what permitted applications can access.
- M1038 Execution Prevention – Allowlisting will block unapproved executions, including unapproved libraries loaded by legitimate software.
- M1022 Restrict File and Directory Permissions – To protect the save location of software from users, ThreatLocker Storage Control can be set to restrict access to the folders where software is installed to prevent writing or reading and writing.
- M1044 Restrict Library Loading – While ThreatLocker cannot enable Safe DLL Search Mode, all unpermitted DLLS are blocked by default when using Allowlisting.
Defense Evasion
Abuse Elevation Control Mechanism – “Adversaries may circumvent mechanisms designed to control elevate privileges to gain higher-level permissions.”
- M1038 Execution Prevention – ThreatLocker Allowlisting will block all unapproved libraries and software by default regardless of where the software was downloaded from.
Access Token Manipulation – “Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls.”
- M1018 User Account Management – A bad actor must have admin access on the local system to perform this attack technique. ThreatLocker Elevation enables you to eliminate local admin accounts and only permit elevated processes as necessary to reduce the likelihood that a bad actor can successfully perform this attack.
Deobfuscate/Decode Files or Information – “Adversaries may use obfuscated files or information to hide artifacts of an intrusion from analysis.”
- This attack technique is not easily mitigated because it is based on the abuse of system features, and MITRE does not identify any mitigations for this. ThreatLocker Allowlisting and Ringfencing combined can help limit the possibility of hidden malware executing regardless of how it enters the system and limit the damage that can be inflicted in the case of a successful exploit.
Exploitation for Defense Evasion – “Adversaries may exploit a system or application vulnerability to bypass security features.”
- M1048 Application Isolation and Sandboxing –ThreatLocker Ringfencing can be set to restrict applications from interacting with other applications, powerful Windows tools, the internet, the registry, and your files. This helps to limit the impact in the event an undiscovered or unpatched vulnerability is exploited.
- M1050 Exploit Protection –Use Ringfencing to restrict what access approved applications have to mitigate some exploitation behavior.
File and Directory Permissions Modification – “Adversaries may modify file or directory permissions/attributes to evade access control lists (ACLs) and access protected files.”
- M1022 Restrict File and Directory Permissions – ThreatLocker Storage Control can be used to restrict access to files and directories to specific users and/or applications that require that access.
Hijack Execution Flow – “Adversaries may execute their own malicious payloads by hijacking the way operating systems run programs.”
- M1038 Execution Prevention – ThreatLocker Allowlisting will block all unapproved libraries by default, even if a permitted application attempts to load an unpermitted DLL.
- M1022 Restrict File and Directory Permissions – To protect the save location of software from users, ThreatLocker Storage Control can be set to restrict access to the folders where software is installed to prevent writing or reading and writing.
- M1044 Restrict Library Loading – While ThreatLocker cannot enable Safe DLL Search Mode, all unpermitted DLLS are blocked by default when using Allowlisting.
Impair Defenses – “Adversaries may maliciously modify components of a victim environment in order to hinder or disable defensive mechanisms.”
- M1038 Execution Prevention – ThreatLocker Allowlisting blocks all unapproved software by default, so only approved security applications can be used.
- M1022 Restrict File and Directory Permissions – The ThreatLocker Service cannot be disabled from the endpoint. Only users with access to the ThreatLocker portal can disable the ThreatLocker Service to help prevent adversaries from interfering with it.
Indicator Removal – “Adversaries may delete or modify artifacts generated within systems to remove evidence of their presence or hinder defenses.”
- M1022 Restrict File and Directory Permissions – Storage Control can protect the generated event files that are stored locally to ensure no unauthorized access.
Indirect Command Execution - “Adversaries may abuse utilities that allow for command execution to bypass security restrictions that limit the use of command-line interpreters.”
- This type of attack technique cannot be easily mitigated with preventive controls since it is based on the abuse of system features and MITRE does not list any mitigations. ThreatLocker Allowlisting prevents unapproved scripts, and Ringfencing can prevent permitted applications from communicating with Forfiles, CMD, and PowerShell.
Masquerading – “Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools.”
- M1038 Execution Prevention- ThreatLocker Allowlisting prevents unapproved executions based on the hash of the file, so regardless of the name of the app, Allowlisting will be in effect.
Network Boundary Bridging – “Adversaries may bridge network boundaries by compromising perimeter network devices or internal devices responsible for network segmentation.”
- M1037 Filter Network Traffic- Use Network Control to block inbound access to network resources, and then permit based on specified devices to prevent unauthorized devices from gaining access to try and bridge a network boundary.
Obfuscated Files or Information – “Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit.”
- M1049 Antivirus/Antimalware – Instead of relying on antivirus or antimalware to detect and quarantine suspicious files, ThreatLocker Allowlisting blocks anything unapproved before it can run.
- M1040 Behavior Prevention on Endpoint – While ThreatLocker does not enable ASR rules, Allowlisting blocks unapproved executables by default to help mitigate the risk of obfuscated payloads being executed.
Process Injection – “Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges.”
- M1040 Behavior Prevention on Endpoint – ThreatLocker Allowlisting blocks unapproved executions. ThreatLocker Ringfencing can help prevent applications from interacting with or spawning other applications. By default, the Office built-in policy blocks Office from interacting with PowerShell and CMD to help reduce the risk of Office being used to execute scripts.
Subvert Trust Controls - “Adversaries may undermine security controls that will either warn users of untrusted activity or prevent execution of untrusted programs.”
- M1038 Execution Prevention – ThreatLocker Allowlisting blocks all unapproved software by default, so only approved applications can be used regardless of where they were downloaded from.
System Binary Proxy Execution – “Adversaries may bypass process and/or signature-based defenses by proxying execution of malicious content with signed, or otherwise trusted, binaries.”
- M1038 Execution Prevention – ThreatLocker Allowlisting will prevent the execution of binaries that are not on the permitted list, and if a permitted executable binary is tampered with, it will be blocked because its hash will change.
- M1050 Exploit Protection –Use Ringfencing to restrict what access approved applications have to mitigate some exploitation behavior.
System Script Proxy Execution – “Adversaries may use trusted scripts, often signed with certificates, to proxy the execution of malicious files.”
- M1038 Execution Prevention – ThreatLocker Allowlisting will prevent the execution of scripts that are not on the permitted list.
Template Injection – “Adversaries may create or modify references in user document templates to conceal malicious code or force authentication attempts.”
- M1049 Antivirus/Antimalware – ThreatLocker Ringfencing can be set to prevent programs that open XML or RTF documents from interacting with the internet to prevent them from fetching malicious code. Allowlisting will prevent malicious code from executing if it somehow makes its way in.
- M1031 Network Intrusion Prevention – Prevent documents from fetching and executing payloads using Ringfencing to prevent applications that open the documents from communicating with the internet.
Trusted Developer Utilities Proxy Execution – “Adversaries may take advantage of trusted developer utilities to proxy execution of malicious payloads.”
- M1038 Execution Prevention – With ThreatLocker Allowlisting, any developer utilities not permitted will be blocked from running.
XSL Script Processing – “Adversaries may bypass application control and obscure execution of code by embedding scripts inside XSL files.”
- M1038 Execution Prevention – ThreatLocker Allowlisting enables you to block msxsl.exe if it is not needed in your environment.
Credential Access
Adversary-in-the-Middle – “By abusing features of common networking protocols that can determine the flow of network traffic (e.g. ARP, DNS, LLMNR, etc.), adversaries may force a device to communicate through an adversary controlled system so they can collect information or perform additional actions.”
- M1042 Disable or Remove Feature or Program – Use Network Control to block all inbound traffic by default, blocking all ports, and then permit access to only specific ports and only for approved devices.
- M1037 Filter Network Traffic – Use Network Control to block legacy network protocols and control what devices are permitted to access what resources.
- M1030 Network Segmentation – Network Control enables you to control access to infrastructure components that don’t require broad access.
Brute Force – “Adversaries may use brute force techniques to gain access to accounts when passwords are unknown or when password hashes are obtained.”
- M1036 Account Use Policies – Use Configuration Manager to set lockout policies after failed login attempts.
- M1027 Password Policies - Use Configuration Manager to set password complexity policies that adhere to NIST guidelines.
Exploitation for Credential Access – “Adversaries may exploit software vulnerabilities in an attempt to collect credentials.”
- M1048 Application Isolation and Sandboxing –ThreatLocker Ringfencing can be set to restrict applications from interacting with other applications, powerful Windows tools, the internet, the registry, and your files. This helps to limit the impact of some types of exploitation.
- M1050 Exploit Protection –Use Ringfencing to restrict what access approved applications have to mitigate some exploitation behavior.
Forced Authentication – “Adversaries may gather credential material by invoking or forcing a user to automatically provide authentication information through a mechanism in which they can intercept.”
- M1027 Password Policies – Use Configuration Manager to set password complexity requirements to make it harder for bad actors to crack.
Unsecured Credentials – “Adversaries may search compromised systems to find and obtain insecurely stored credentials.”
- M1022 Restrict File and Directory Permissions – Use Storage Control to restrict access to shares and specific directories to only permit necessary users.
Discovery
Container and Resource Discovery – “Adversaries may attempt to discover containers and other resources that are available within a containers environment.”
- M1030 Network Segmentation – Use Network Control to deny inbound access to internal systems and then permit only necessary connections.
Network Service Discovery – “Adversaries may attempt to get a listing of services running on remote hosts and local network infrastructure devices, including those that may be vulnerable to remote software exploitation. Common methods to acquire this information include port and/or vulnerability scans using tools that are brought onto a system.”
- M1042 Disable or Remove Feature or Program – Use Network Control to close all ports and only open the ones necessary for approved connections. Even when open, open ports remain invisible to unapproved devices.
- M1030 Network Segmentation – Use Network Control to protect inbound network connections to critical servers and devices.
Lateral Movement
Exploitation of Remote Services – “Adversaries may exploit remote services to gain unauthorized access to internal systems once inside of a network.”
- M1048 Application Isolation and Sandboxing –ThreatLocker Ringfencing can be set to restrict applications from interacting with other applications, powerful Windows tools, the internet, the registry, and your files. This helps to limit the impact of some types of exploitation.
- M1050 Exploit Protection –Use Ringfencing to restrict what access approved applications have to mitigate some exploitation behavior.
- M1030 Network Segmentation – Use Network Control to control access to critical systems and services to only approved connections.
Lateral Tool Transfer – “Adversaries may transfer tools or other files between systems in a compromised environment.”
- M1037 Filter Network Traffic – ThreatLocker Network Control is a host-based firewall. Set Network Control to restrict inbound connections to only permitted protocols, and only from approved sources.
- N1031 Network Intrusion Prevention – Use Network Control to lock down network traffic to prevent unauthorized access to protocols like FTP to prevent lateral transfer of malware.
Remote Service Session Hijacking – “Adversaries may take control of preexisting sessions with remote services to move laterally in an environment.”
- M1042 Disable or Remove Feature or Program – ThreatLocker Network Control can be used to keep all ports closed by default, and then open only specific ports for approved connections.
- M1030 Network Segmentation – Use Network Control to block unnecessary inbound traffic.
Replication Through Removable Media – “Adversaries may move onto systems, possibly those on disconnected or air-gapped networks, by copying malware to removable media and taking advantage of Autorun features when the media is inserted into a system and executes.”
- M1040 Behavior Prevention on Endpoint – While ThreatLocker can’t enable ASR rules, Allowlisting will block unauthorized executables from running, even from USB devices. ThreatLocker Storage Control provides the ability to block all USBs, and then permit them by serial number.
- M1042 Disable or Remove Feature or Program – Configuration Manager can be used to disable autorun across the organization. Use Storage Control to block USBs and other removable media across the organization.
- M1034 Limit Hardware Installation – Limit use of USB devices and removable media using Storage Control.
Software Deployment Tools – ”Adversaries may gain access to and use third-party software suites installed within an enterprise network, such as administration, monitoring, and deployment systems, to move laterally through the network.”
- M1030 Network Segmentation – ThreatLocker Network Control can be used to control access to critical network systems.
- M1026 Privileged Account Management – Allowlisting prevents any unauthorized software. Even a local admin will be unable run unapproved software. To run a new software, an administrator on your ThreatLocker account will need to permit it through the ThreatLocker portal. Only give specific administrators to access the ThreatLocker portal.
Taint Shared Content – “Adversaries may deliver payloads to remote systems by adding content to shared storage locations, such as network drives or internal code repositories.”
- M1038 Execution Prevention – Allowlisting will only permit approved software, so untrusted or unknown programs will be blocked by default.
- M1050 Exploit Protection –Use Ringfencing to restrict what access approved applications have in order to mitigate some exploitation behavior.
- M1022 Restrict File and Directory Permissions – Storage Control can be configured to protect write access to shared folders.
Use Alternate Authentication Material – “Adversaries may use alternate authentication material, such as password hashes, Kerberos tickets, and application access tokens, in order to move laterally within an environment and bypass normal system access controls.”
- M1018 User Account Management – ThreatLocker Elevation enables you to eliminate local admin accounts and only permit elevated processes as necessary to limit the access a bad actor would have in the event this type of attack was successful.
Collection
Adversary-in-the-Middle – “By abusing features of common networking protocols that can determine the flow of network traffic (e.g., ARP, DNS, LLMNR, etc.), adversaries may force a device to communicate through an adversary controlled system so they can collect information or perform additional actions.”
- M1042 Disable or Remove Feature or Program – Use Network Control to block all inbound traffic by default, blocking all ports, and then permit access to only specific ports and only for approved devices.
- M1037 Filter Network Traffic – Use Network Control to block legacy network protocols and control what devices are permitted to access what resources.
- M1030 Network Segmentation – Network Control enables you to control access to infrastructure components that don’t require broad access.
- M1035 Limit Access to Resource Over Network – Use Network Control to limit access to network infrastructure and resources.
Data from Configuration Repository – “Adversaries may collect data related to managed devices from configuration repositories.”
- M1037 Filter Network Traffic – Use Network Control to block unauthorized connections and permit only approved access by approved devices.
Data from Information Repositories – “Adversaries may leverage information repositories to mine valuable information.”
- M1018 User Account Management- Use the least-privilege principle using Elevation. Eliminate local admin accounts, and instead only elevate specific processes that require it.
Data From Local System – “Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.”
- M1057 Data Loss Prevention - Use Storage Control to lock down access to data locations and only permit needed access.
Data From Network Shared Drive – “Adversaries may search network shares on computers they have compromised to find files of interest.”
- MITRE does not have any mitigations listed because this attack technique is based on the abuse of system features. Use ThreatLocker Storage Control to permit access to shared drives only to specified users or applications that require access.
Data from Removable Media – “Adversaries may search connected removable media on computers they have compromised to find files of interest.”
- M1057 Data Loss Prevention - Use Storage Control to lock down access to data locations and only permit needed access.
Command and Control
Communication Through Removable Media – “Adversaries can perform command and control between compromised hosts on potentially disconnected networks using removable media to transfer commands from system to system.”
- M1042 Disable or Remove Feature or Program – Configuration manager can be used to disable autorun.
- M1028 Operating System Configuration – Using Storage Control, disable removable media at an organization level.
Remote Access Software – “An adversary may use legitimate desktop support and remote access software, such as Team Viewer, AnyDesk, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks.”
- M1038 Execution Prevention – Allowlisting prevents unapproved software, including remote access software.
Exfiltration
Exfiltration Over Physical Medium – “Adversaries may attempt to exfiltrate data via a physical medium, such as a removable drive.”
- M1034 Limit Hardware Installation –ThreatLocker Storage Control can be used to limit the use of USBs and removable media across the organization.
- M1042 Disable or Remove Feature or Program – ThreatLocker Configuration Manager can be used to disable Autorun. Storage Control can be used to restrict removable media at the organization level.
Impact
Data Encrypted for Impact – “Adversaries may encrypt data on target systems or on large numbers of systems in a network to interrupt availability to system and network resources.”
- M1040 Behavior Prevention on Endpoint – Although ThreatLocker can’t enable ASR rules, Allowlisting will block the execution of unauthorized software, whether it is ransomware or a safe application that isn’t permitted in your environment.
Data Manipulation – “Adversaries may insert, delete, or manipulate data in order to influence external outcomes or hide activity, thus threatening the integrity of the data.”
- M1030 Network Segmentation – Use Network Control to control access to critical systems and services to only approved connections.
- M1022 Restrict File and Directory Permissions – Storage Control can be configured to protect access to data storage locations to reduce risk.