Identify key system elements to establish a baseline and be prepared to reset a system to that baseline when necessary.
Identify elements of software and configuration critical to a set of objectives, define their proper values, and be prepared to reset a running system to its intended state.
|DOS0015||There is an opportunity to use tools and controls to stop an adversary's activity.|
|DOS0051||There is an opportunity to utilize confirmed good copies of login scripts and restoring on a frequent basis to prevent an adversary from using them to launch malware on a recurring basis.|
|DOS0069||There is an opportunity to utilize known good copies of registry information and restore it if an adversary makes any changes.|
|DUC0046||A defender can force the removal of browser extensions that are not allowed by a corporate policy.|
|DUC0050||A defender can store good copies of registry startup keys and restore them on a frequent basis. This can prevent an adversary from using them to launch malware on system startup.|
|DUC0051||A defender can revert a system to a verified baseline a frequent, recurring basis in order to remove adversary persistence mechanisms.|
|DUC0069||A defender can enable Registry Auditing on specific keys to produce an alerts whenever a value is changed and revert those keys to baseline.|
|DPR0011||Maintain a verified baseline firewall configuration and use that copy as a fallback if an adversary alters that information.|
|DPR0012||Maintain a verified list of group policies enforced on a system and use that copy if an adversary attempts to deviate from the baseline.|
|T1037||Boot or Logon Initialization Scripts||Persistence, Privilege Escalation|
|T1112||Modify Registry||Defense Evasion|
|T1546||Event Triggered Execution||Privilege Escalation, Persistence|
|T1547||Boot or Logon Autostart Execution||Persistence, Privilege Escalation|
|T1601||Modify System Image||Defense Evasion|