Alter security controls to make the system more or less vulnerable to attack.
Manipulating security controls means changing the security configuration of a system: modifying Group Policy settings, disabling or enabling AutoRun for removable media, tightening or relaxing the host firewall, and similar changes. In an adversary engagement the same control can be moved in either direction: hardened to block an adversary's intended action and force them to reveal other TTPs, or deliberately weakened to let the activity proceed and extend the engagement.
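As an added example (not code from the MITRE Engage page), the script below flips two of the controls the description names, AutoRun for removable media and the host firewall, between a hardened and a deliberately weakened state, reads the resulting state back, and writes a timestamped before/after record so later adversary activity can be correlated with exactly when the controls changed. It assumes an elevated Windows PowerShell 5.1+ session on Windows 10 / Server 2016 or later with the NetSecurity module; the function names and the log path are this example's own choices.

```powershell
# Added example, not code from the MITRE Engage page. Assumes an elevated
# PowerShell session on Windows 10/Server 2016+ with the NetSecurity module.
# Function names and $ChangeLog are this example's own choices.

$AutorunKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$ChangeLog  = 'C:\Engage\control-changes.jsonl'   # assumed path; adjust as needed

function Set-RemovableMediaAutorun {
    param([Parameter(Mandatory)][ValidateSet('Harden', 'Weaken')][string]$Mode)
    if (-not (Test-Path $AutorunKey)) { New-Item -Path $AutorunKey -Force | Out-Null }
    # NoDriveTypeAutoRun is a bitmask of drive types on which AutoRun is disabled.
    # 0xFF disables it on every drive type; 0x91 is the Windows default, which
    # leaves removable and optical drives enabled.
    $value = if ($Mode -eq 'Harden') { 0xFF } else { 0x91 }
    New-ItemProperty -Path $AutorunKey -Name NoDriveTypeAutoRun -PropertyType DWord `
        -Value $value -Force | Out-Null
}

function Set-HostFirewall {
    param([Parameter(Mandatory)][ValidateSet('Harden', 'Weaken')][string]$Mode)
    # Keeping the profiles enabled and only changing the default inbound action is
    # a quieter weakening than switching the firewall off: the host still looks
    # normally configured to an adversary enumerating it.
    $inbound = if ($Mode -eq 'Harden') { 'Block' } else { 'Allow' }
    Set-NetFirewallProfile -Profile Domain, Private, Public -Enabled True `
        -DefaultInboundAction $inbound
}

function Get-ControlState {
    $autorun = Get-ItemProperty -Path $AutorunKey -Name NoDriveTypeAutoRun -ErrorAction SilentlyContinue
    $autorunText = if ($autorun) { '0x{0:X2}' -f $autorun.NoDriveTypeAutoRun } else { '(not set)' }
    $firewall = @(Get-NetFirewallProfile | ForEach-Object {
        '{0}:{1}/{2}' -f $_.Name, $_.Enabled, $_.DefaultInboundAction
    })
    [pscustomobject]@{
        Timestamp          = (Get-Date).ToUniversalTime().ToString('o')
        NoDriveTypeAutoRun = $autorunText
        Firewall           = $firewall
    }
}

function Set-SecurityControlPosture {
    param([Parameter(Mandatory)][ValidateSet('Harden', 'Weaken')][string]$Mode)
    $before = Get-ControlState
    Set-RemovableMediaAutorun -Mode $Mode
    Set-HostFirewall -Mode $Mode
    $after = Get-ControlState
    # Record before/after with a UTC timestamp: in an engagement, the moment a
    # control changed is what you correlate adversary behaviour against.
    New-Item -ItemType Directory -Path (Split-Path $ChangeLog) -Force | Out-Null
    [pscustomobject]@{ Mode = $Mode; Before = $before; After = $after } |
        ConvertTo-Json -Compress -Depth 4 | Add-Content -Path $ChangeLog
    $after
}

# Usage:
#   Set-SecurityControlPosture -Mode Harden   # block the action, force new TTPs
#   Set-SecurityControlPosture -Mode Weaken   # let the activity through, extend the engagement
```

Reading the state back after each change matters more than it looks: a Group Policy refresh will silently revert a locally weakened setting on a domain-joined host, so the engagement host either needs its own OU and GPO or the script needs to be re-run after each refresh.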
ID | Description |
---|---|
DOS0001 | There is an opportunity to study the adversary and collect first-hand observations about them and their tools. |
DOS0016 | There is an opportunity to use security controls to stop or allow an adversary's activity. |
DOS0024 | There is an opportunity to determine adversary capabilities or preferences by controlling aspects of the engagement environment. |
DOS0029 | There is an opportunity to block an adversary's intended action and force them to reveal additional TTPs. |
DOS0087 | In an adversary engagement scenario, there is an opportunity to test whether an adversary has the capability to steal or forge Kerberos tickets. |
DOS0137 | There is an opportunity to implement security controls which will prevent an adversary from using Windows Management Instrumentation (WMI), in order to entice them to reveal new TTPs. |
DOS0140 | There is an opportunity to use security controls on systems in order to affect the success of an adversary. |
DOS0146 | In an adversary engagement scenario, there is an opportunity to implement security controls to support your defensive objectives over a prolonged engagement. |
DOS0148 | In an adversary engagement scenario, there is an opportunity to implement security controls to allow an adversary to accomplish a task and extend an engagement. |
ID | Description |
---|---|
DUC0012 | A defender can disable AutoRun to prevent malware from automatically executing when removable media is plugged into a system. |
DUC0045 | A defender can enforce strong authentication requirements, such as password changes and two-factor authentication, to impact or disrupt an adversary's activity. |
DUC0048 | A defender can block execution of untrusted software. |
DUC0049 | A defender can choose to harden or weaken security controls on a system to affect an adversary's ability to modify or create system processes. |
DUC0066 | In an adversary engagement scenario, a defender can implement weak security controls that an adversary could subvert in order to further their attack. |
DUC0088 | A defender can secure Kerberos in order to prevent an adversary from leveraging the tickets to authenticate or move laterally. This may result in the adversary exposing additional TTPs. |
DUC0092 | A defender can harden authentication mechanisms to ensure having just a session cookie is not enough to authenticate with another system. |
DUC0094 | In an adversary engagement operation, a defender can intentionally increase the time window that a token is valid to see if the adversary is able to acquire and leverage the token. |
DUC0127 | A defender can configure systems to block a system or account after a set number of authentication failures within a given window of time. |
DUC0138 | A defender can harden accounts which have admin access and also restrict any users from being able to connect remotely using WMI. |
DUC0140 | A defender could use a host-based tool to detect common persistence mechanisms and prevent the process from executing successfully. |
DUC0142 | A defender could use a host-based tool in order to have an effect on the success of an adversary abusing elevation control mechanisms. |
DUC0143 | A defender can use Trusted Platform Module technology and a secure boot process to prevent system integrity from being compromised. |
DUC0144 | A defender could implement security controls that affect process injection techniques, such as AppLocker or an antivirus/EDR tool that watches for CreateRemoteThread events. |
DUC0146 | A defender could implement security controls to force an adversary to modify the authentication process if they want to collect or utilize credentials on a system. |
DUC0179 | A defender can prevent an adversary from enabling Wi-Fi or Bluetooth interfaces that could connect to nearby access points or devices and be used for exfiltration. |
DUC0197 | In an adversary engagement scenario, a defender could ensure security controls allow untrusted code to execute on a system. |
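Two of the use cases above, the authentication-failure lockout (DUC0127) and the restriction on remote WMI (DUC0138), as an added example that is not code from the MITRE Engage page. Each control is a reversible toggle with a matching read-back, and the WMI toggle warns when the firewall profile would make the rule change meaningless. It assumes an elevated PowerShell session on a Windows host with the NetSecurity module; `net accounts` changes the local lockout policy only (on a domain the equivalent is set in Group Policy), and the function names are this example's own.

```powershell
# Added example, not code from the MITRE Engage page. Assumes an elevated
# PowerShell session with the NetSecurity module. Function names are this
# example's own; net accounts edits the LOCAL policy only.

function Set-AccountLockoutPolicy {
    param(
        [Parameter(Mandatory)][ValidateSet('Harden', 'Weaken')][string]$Mode,
        [int]$Threshold = 5,         # failed logons before lockout
        [int]$WindowMinutes = 15,    # window in which failures are counted
        [int]$DurationMinutes = 30   # how long the account stays locked
    )
    if ($Mode -eq 'Harden') {
        # The observation window may not exceed the lockout duration.
        if ($WindowMinutes -gt $DurationMinutes) { throw 'Lockout window must be <= lockout duration' }
        net accounts /lockoutthreshold:$Threshold /lockoutwindow:$WindowMinutes /lockoutduration:$DurationMinutes | Out-Null
    } else {
        # A threshold of 0 disables lockout entirely: an adversary can then guess
        # freely, which exposes the tooling and wordlists they bring (DUC0066).
        net accounts /lockoutthreshold:0 | Out-Null
    }
    if ($LASTEXITCODE -ne 0) { throw "net accounts failed with exit code $LASTEXITCODE" }
}

function Get-AccountLockoutPolicy {
    # Parse the three lockout lines out of `net accounts` output.
    $policy = @{}
    foreach ($line in (net accounts)) {
        if ($line -match '^(Lockout threshold|Lockout duration \(minutes\)|Lockout observation window \(minutes\)):\s*(.+)$') {
            $policy[$Matches[1]] = $Matches[2].Trim()
        }
    }
    [pscustomobject]$policy
}

$WmiRuleGroup = 'Windows Management Instrumentation (WMI)'

function Set-RemoteWmiAccess {
    param([Parameter(Mandatory)][ValidateSet('Harden', 'Weaken')][string]$Mode)
    # The built-in rule group carries the DCOM-In, WMI-In and ASync-In rules.
    # Remote WMI needs DCOM (135/tcp) plus the dynamic WMI endpoint, so disabling
    # the inbound rules blocks it, but only while the profile defaults inbound to Block.
    $rules = Get-NetFirewallRule -DisplayGroup $WmiRuleGroup -Direction Inbound
    if ($Mode -eq 'Harden') { $rules | Disable-NetFirewallRule } else { $rules | Enable-NetFirewallRule }

    $open = Get-NetFirewallProfile |
        Where-Object { $_.Enabled -ne 'True' -or $_.DefaultInboundAction -ne 'Block' }
    if ($Mode -eq 'Harden' -and $open) {
        Write-Warning ('Rule state is irrelevant while these profiles do not block inbound by default: ' +
                       ($open.Name -join ', '))
    }
}

function Get-RemoteWmiAccess {
    Get-NetFirewallRule -DisplayGroup $WmiRuleGroup -Direction Inbound |
        Select-Object DisplayName, Enabled, Profile
}

# Usage:
#   Set-AccountLockoutPolicy -Mode Harden -Threshold 5; Get-AccountLockoutPolicy
#   Set-RemoteWmiAccess -Mode Harden; Get-RemoteWmiAccess
```

Blocking the inbound WMI rules stops the DCOM transport only; WMI over WinRM (port 5985/5986) is a separate rule group and a separate decision. The "harden accounts which have admin access" half of DUC0138 is an account-rights change (for example the "Deny access to this computer from the network" user right for local administrators) rather than a firewall change, and is not covered here.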
ID | Description |
---|---|
DPR0055 | Weaken security controls on a system to allow for leaking of credentials via network connection poisoning. |
DPR0056 | Implement policies on a system to prevent the insecure storage of passwords in the registry. This may force an adversary to revert these changes or find another way to access cached credentials. |
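The weakening DPR0055 describes, as an added example that is not code from the MITRE Engage page. LLMNR and NetBIOS name resolution are the usual targets of network connection poisoning (a responder on the LAN answers the broadcast lookup and collects the NetNTLM response), so `Weaken` re-enables both on the engagement host and `Harden` turns them off; the read-back reports the live state so the host can be verified before and after. It assumes an elevated PowerShell session on Windows; the function names are this example's own.

```powershell
# Added example, not code from the MITRE Engage page. Assumes an elevated
# PowerShell session on Windows; function names are this example's own.

$DnsClientPolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient'

function Set-NameResolutionPoisoningSurface {
    param([Parameter(Mandatory)][ValidateSet('Harden', 'Weaken')][string]$Mode)

    # LLMNR: EnableMulticast is the value the GPO "Turn off multicast name
    # resolution" writes; 0 turns LLMNR off, 1 (or an absent value) leaves it on.
    if (-not (Test-Path $DnsClientPolicyKey)) { New-Item -Path $DnsClientPolicyKey -Force | Out-Null }
    $llmnr = if ($Mode -eq 'Harden') { 0 } else { 1 }
    New-ItemProperty -Path $DnsClientPolicyKey -Name EnableMulticast -PropertyType DWord `
        -Value $llmnr -Force | Out-Null

    # NetBIOS over TCP/IP is configured per adapter:
    # TcpipNetbiosOptions 2 = disable, 1 = enable, 0 = take the setting from DHCP.
    $netbios = if ($Mode -eq 'Harden') { 2 } else { 1 }
    Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE' |
        ForEach-Object {
            $r = Invoke-CimMethod -InputObject $_ -MethodName SetTcpipNetbios `
                     -Arguments @{ TcpipNetbiosOptions = [uint32]$netbios }
            # ReturnValue 0 = applied, 1 = applied but a reboot is required.
            if ($r.ReturnValue -notin 0, 1) {
                Write-Warning ('SetTcpipNetbios returned {0} on "{1}"' -f $r.ReturnValue, $_.Description)
            }
        }
}

function Get-NameResolutionPoisoningSurface {
    $llmnr = (Get-ItemProperty -Path $DnsClientPolicyKey -Name EnableMulticast -ErrorAction SilentlyContinue).EnableMulticast
    $adapters = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE' |
        Select-Object Description, TcpipNetbiosOptions
    [pscustomobject]@{
        LlmnrEnabled      = ($null -eq $llmnr) -or ($llmnr -ne 0)   # absent value = Windows default, on
        NetbiosPerAdapter = $adapters
    }
}

# Usage:
#   Set-NameResolutionPoisoningSurface -Mode Weaken; Get-NameResolutionPoisoningSurface
```

Apply the weakened state only on the engagement hosts, and make sure the accounts that log on to those hosts are the ones you are willing to see leaked: what a poisoning tool captures is a credential for whatever account performed the failed lookup, so the control is only safe to relax where the credentials at stake are decoys or otherwise expendable.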
ID | Name | ATT&CK Tactics |
---|---|---|
T1011 | Exfiltration Over Other Network Medium | Exfiltration |
T1014 | Rootkit | Defense Evasion |
T1047 | Windows Management Instrumentation | Execution |
T1055 | Process Injection | Defense Evasion, Privilege Escalation |
T1091 | Replication Through Removable Media | Lateral Movement, Initial Access |
T1098 | Account Manipulation | Persistence |
T1111 | Two-Factor Authentication Interception | Credential Access |
T1197 | BITS Jobs | Defense Evasion, Persistence |
T1499 | Endpoint Denial of Service | Impact |
T1539 | Steal Web Session Cookie | Credential Access |
T1542 | Pre-OS Boot | Defense Evasion, Persistence |
T1543 | Create or Modify System Process | Persistence, Privilege Escalation |
T1548 | Abuse Elevation Control Mechanism | Privilege Escalation, Defense Evasion |
T1553 | Subvert Trust Controls | Defense Evasion |
T1556 | Modify Authentication Process | Credential Access, Defense Evasion |
T1558 | Steal or Forge Kerberos Tickets | Credential Access |
T1574 | Hijack Execution Flow | Persistence, Privilege Escalation, Defense Evasion |
T1599 | Network Boundary Bridging | Defense Evasion |
T1600 | Weaken Encryption | Defense Evasion |
T1601 | Modify System Image | Defense Evasion |