MITRE Shield will be retired on October 18th in favor of MITRE Engage. To learn more, click here.


Identify key system elements to establish a baseline and be prepared to reset a system to that baseline when necessary.

Identify elements of software and configuration critical to a set of objectives, define their proper values, and be prepared to reset a running system to its intended state.

ID: DTE0006
Tactics:  Disrupt Contain Detect


DOS0015 There is an opportunity to use tools and controls to stop an adversary's activity.
DOS0051 There is an opportunity to utilize confirmed good copies of login scripts and restoring on a frequent basis to prevent an adversary from using them to launch malware on a recurring basis.
DOS0069 There is an opportunity to utilize known good copies of registry information and restore it if an adversary makes any changes.

Use Cases

DUC0046 A defender can force the removal of browser extensions that are not allowed by a corporate policy.
DUC0050 A defender can store good copies of registry startup keys and restore them on a frequent basis. This can prevent an adversary from using them to launch malware on system startup.
DUC0051 A defender can revert a system to a verified baseline a frequent, recurring basis in order to remove adversary persistence mechanisms.
DUC0069 A defender can enable Registry Auditing on specific keys to produce an alerts whenever a value is changed and revert those keys to baseline.


DPR0011 Maintain a verified baseline firewall configuration and use that copy as a fallback if an adversary alters that information.
DPR0012 Maintain a verified list of group policies enforced on a system and use that copy if an adversary attempts to deviate from the baseline.

ATT&CK® Techniques

IDNameATT&CK Tactics
T1037 Boot or Logon Initialization Scripts PersistencePrivilege Escalation
T1112 Modify Registry Defense Evasion
T1176 Browser Extensions Persistence
T1546 Event Triggered Execution Privilege EscalationPersistence
T1547 Boot or Logon Autostart Execution PersistencePrivilege Escalation
T1601 Modify System Image Defense Evasion