Identify key system elements to establish a baseline and be prepared to reset a system to that baseline when necessary.
Identify elements of software and configuration critical to a set of objectives, define their proper values, and be prepared to reset a running system to its intended state.
| Opportunity Space ID | Description |
|---|---|
| DOS0015 | There is an opportunity to use tools and controls to stop an adversary's activity. |
| DOS0051 | There is an opportunity to keep confirmed good copies of login scripts and restore them on a frequent basis to prevent an adversary from using them to launch malware on a recurring basis. |
| DOS0069 | There is an opportunity to utilize known good copies of registry information and restore it if an adversary makes any changes. |
| Use Case ID | Description |
|---|---|
| DUC0046 | A defender can force the removal of browser extensions that are not allowed by a corporate policy. |
| DUC0050 | A defender can store good copies of registry startup keys and restore them on a frequent basis. This can prevent an adversary from using them to launch malware on system startup. |
| DUC0051 | A defender can revert a system to a verified baseline on a frequent, recurring basis in order to remove adversary persistence mechanisms. |
| DUC0069 | A defender can enable Registry Auditing on specific keys to produce an alert whenever a value is changed, and revert those keys to baseline. |
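The registry use cases above (storing known-good copies of startup keys, reverting them on a schedule, and auditing changes to specific keys) can be put together as follows. This is an added example written for this page, not code from MITRE Shield; the set of autostart keys it watches, the JSON baseline file location, and the `C:\Baseline` path in the usage comment are assumptions, and it only handles string-typed values, which is what the Run/RunOnce keys normally hold.

```powershell
# Added example: snapshot Windows autostart registry keys to a JSON baseline,
# compare a live system against it, revert drift, and add a SACL so that writes
# to those keys are audited. Key list and file paths are assumptions.

$AutostartKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
)

function Get-AutostartSnapshot {
    # Returns: key path -> (value name -> @{ Kind; Data }) for every watched key.
    $snapshot = @{}
    foreach ($key in $AutostartKeys) {
        $values = @{}
        if (Test-Path -LiteralPath $key) {
            $item = Get-Item -LiteralPath $key
            foreach ($name in $item.GetValueNames()) {
                $values[$name] = @{
                    Kind = [string]$item.GetValueKind($name)
                    # Keep %VARS% unexpanded so the comparison is byte-for-byte.
                    Data = [string]$item.GetValue($name, $null, 'DoNotExpandEnvironmentNames')
                }
            }
        }
        $snapshot[$key] = $values
    }
    return $snapshot
}

function Save-AutostartBaseline {
    param([Parameter(Mandatory)][string]$Path)
    # Run once on a host that has been verified clean.
    Get-AutostartSnapshot | ConvertTo-Json -Depth 5 | Set-Content -LiteralPath $Path -Encoding UTF8
}

function Restore-AutostartBaseline {
    param([Parameter(Mandatory)][string]$Path, [switch]$WhatIf)
    $baseline = Get-Content -LiteralPath $Path -Raw | ConvertFrom-Json
    $live = Get-AutostartSnapshot
    foreach ($key in $AutostartKeys) {
        # Rebuild the expected value table for this key from the JSON object.
        $expected = @{}
        $node = $baseline.$key
        if ($node) {
            foreach ($p in $node.PSObject.Properties) {
                $expected[$p.Name] = @{ Kind = [string]$p.Value.Kind; Data = [string]$p.Value.Data }
            }
        }
        $actual = $live[$key]
        # Entries on the live system that the baseline does not know about:
        # this is where an adversary's persistence usually shows up. Remove them.
        foreach ($name in @($actual.Keys)) {
            if (-not $expected.ContainsKey($name)) {
                Write-Warning "Unexpected autostart entry $key\$name = $($actual[$name].Data)"
                if (-not $WhatIf) { Remove-ItemProperty -LiteralPath $key -Name $name }
            }
        }
        # Entries missing or altered relative to the baseline: put the known-good data back.
        foreach ($name in $expected.Keys) {
            if (-not $actual.ContainsKey($name) -or $actual[$name].Data -ne $expected[$name].Data) {
                Write-Warning "Reverting $key\$name to baseline value"
                if (-not $WhatIf) {
                    if (-not (Test-Path -LiteralPath $key)) { New-Item -Path $key -Force | Out-Null }
                    Set-ItemProperty -LiteralPath $key -Name $name `
                        -Value $expected[$name].Data -Type $expected[$name].Kind
                }
            }
        }
    }
}

function Enable-AutostartAudit {
    # Adds a SACL entry so successful writes to each key are logged (Security log,
    # event 4657) once "Audit Object Access > Registry" is enabled in audit policy.
    foreach ($key in $AutostartKeys) {
        if (-not (Test-Path -LiteralPath $key)) { continue }
        $acl = Get-Acl -LiteralPath $key -Audit
        $rule = New-Object System.Security.AccessControl.RegistryAuditRule(
            'Everyone', 'SetValue, Delete, CreateSubKey', 'ContainerInherit', 'None', 'Success')
        $acl.AddAuditRule($rule)
        Set-Acl -LiteralPath $key -AclObject $acl
    }
}

# Usage (elevated PowerShell; paths are assumptions):
#   Save-AutostartBaseline -Path 'C:\Baseline\autostart.json'          # once, on a clean host
#   Enable-AutostartAudit                                               # alert on future changes
#   Restore-AutostartBaseline -Path 'C:\Baseline\autostart.json' -WhatIf   # report drift only
#   Restore-AutostartBaseline -Path 'C:\Baseline\autostart.json'           # enforce on a schedule
```

Run the restore with `-WhatIf` first: the warnings it prints are the list of deviations an analyst should look at before the values are overwritten, since the removed entry is also the evidence of how the adversary persisted. Schedule the enforcing call (for example as a scheduled task) to get the recurring reset the use cases describe, and keep the baseline file on a path the adversary cannot write to, otherwise they can simply baseline their own persistence.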
| Procedure ID | Description |
|---|---|
| DPR0011 | Maintain a verified baseline firewall configuration and use that copy as a fallback if an adversary alters that information. |
| DPR0012 | Maintain a verified list of group policies enforced on a system and use that copy if an adversary attempts to deviate from the baseline. |
| ID | Name | ATT&CK Tactics |
|---|---|---|
| T1037 | Boot or Logon Initialization Scripts | Persistence, Privilege Escalation |
| T1112 | Modify Registry | Defense Evasion |
| T1176 | Browser Extensions | Persistence |
| T1546 | Event Triggered Execution | Privilege Escalation, Persistence |
| T1547 | Boot or Logon Autostart Execution | Persistence, Privilege Escalation |
| T1601 | Modify System Image | Defense Evasion |