Security Controls

Alter security controls to make the system more or less vulnerable to attack.

Manipulating security controls means changing the security configuration of a system, for example modifying Group Policy settings, enabling or disabling Autorun for removable media, or tightening or relaxing the system firewall.

Details
ID: DTE0032
Tactics: Disrupt, Facilitate, Channel, Test, Contain, Collect

Opportunities

ID      Description
DOS0001 There is an opportunity to study the adversary and collect first-hand observations about them and their tools.
DOS0016 There is an opportunity to use security controls to stop or allow an adversary's activity.
DOS0024 There is an opportunity to determine adversary capabilities or preferences by controlling aspects of the engagement environment.
DOS0029 There is an opportunity to block an adversary's intended action and force them to reveal additional TTPs.
DOS0087 In an adversary engagement scenario, there is an opportunity to test whether an adversary has the capability to steal or forge Kerberos tickets.
DOS0137 There is an opportunity to implement security controls which will prevent an adversary from using Windows Management Instrumentation (WMI), in order to entice them to reveal new TTPs.
DOS0140 There is an opportunity to use security controls on systems in order to affect the success of an adversary.
DOS0146 In an adversary engagement scenario, there is an opportunity to implement security controls to support your defensive objectives over a prolonged engagement.
DOS0148 In an adversary engagement scenario, there is an opportunity to implement security controls to allow an adversary to accomplish a task and extend an engagement.

Use Cases

ID      Description
DUC0012 A defender can disable Autorun to prevent malware from automatically executing when removable media is plugged into a system.
DUC0045 A defender can enforce strong authentication requirements such as password changes, two factor authentication, etc. to impact or disrupt an adversary's activity.
DUC0048 A defender can block execution of untrusted software.
DUC0049 A defender can choose to harden or weaken security controls on a system to affect an adversary's ability to modify or create system processes.
DUC0066 In an adversary engagement scenario, a defender can implement weak security controls that an adversary could subvert in order to further their attack.
DUC0088 A defender can secure Kerberos in order to prevent an adversary from leveraging the tickets to authenticate or move laterally. This may result in the adversary exposing additional TTPs.
DUC0092 A defender can harden authentication mechanisms to ensure having just a session cookie is not enough to authenticate with another system.
DUC0094 In an adversary engagement operation, a defender can intentionally increase the time window that a token is valid to see if the adversary is able to acquire and leverage the token.
DUC0127 A defender can configure systems to block any system with a number of authentication failures in a certain window of time.
DUC0138 A defender can harden accounts which have admin access and also restrict any users from being able to connect remotely using WMI.
DUC0140 A defender could use a host-based tool to detect common persistence mechanisms and prevent the process from executing successfully.
DUC0142 A defender could use a host-based tool in order to have an effect on the success of an adversary abusing elevation control mechanisms.
DUC0143 A defender can use Trusted Platform Module technology and a secure boot process to prevent system integrity from being compromised.
DUC0144 A defender could implement security controls, such as AppLocker or an Antivirus/EDR tool designed to watch for CreateRemoteThread events, to have an effect on process injection techniques.
DUC0146 A defender could implement security controls to force an adversary to modify the authentication process if they want to collect or utilize credentials on a system.
DUC0179 A defender can prevent an adversary from enabling Wi-Fi or Bluetooth interfaces which could be connected to surrounding access points or devices and used for exfiltration.
DUC0197 In an adversary engagement scenario, a defender could ensure security controls allow untrusted code to execute on a system.

Procedures

ID      Description
DPR0055 Weaken security controls on a system to allow for leaking of credentials via network connection poisoning.
DPR0056 Implement policies on a system to prevent the insecure storage of passwords in the registry. This may force an adversary to revert these changes or find another way to access cached credentials.

ATT&CK® Techniques

ID     Name                                     ATT&CK Tactics
T1011  Exfiltration Over Other Network Medium   Exfiltration
T1014  Rootkit                                  Defense Evasion
T1047  Windows Management Instrumentation       Execution
T1055  Process Injection                        Defense Evasion, Privilege Escalation
T1091  Replication Through Removable Media      Lateral Movement, Initial Access
T1098  Account Manipulation                     Persistence
T1111  Two-Factor Authentication Interception   Credential Access
T1197  BITS Jobs                                Defense Evasion, Persistence
T1499  Endpoint Denial of Service               Impact
T1539  Steal Web Session Cookie                 Credential Access
T1542  Pre-OS Boot                              Defense Evasion, Persistence
T1543  Create or Modify System Process          Persistence, Privilege Escalation
T1548  Abuse Elevation Control Mechanism        Privilege Escalation, Defense Evasion
T1553  Subvert Trust Controls                   Defense Evasion
T1556  Modify Authentication Process            Credential Access, Defense Evasion
T1558  Steal or Forge Kerberos Tickets          Credential Access
T1574  Hijack Execution Flow                    Persistence, Privilege Escalation, Defense Evasion
T1599  Network Boundary Bridging                Defense Evasion
T1600  Weaken Encryption                        Defense Evasion
T1601  Modify System Image                      Defense Evasion