{"description": "Enterprise techniques mitigated by Operating System Configuration, ATT&CK mitigation M1028 (v1.3)", "name": "Operating System Configuration (M1028)", "domain": "enterprise-attack", "versions": {"layer": "4.5", "attack": "19", "navigator": "5.3.2"}, "techniques": [{"techniqueID": "T1548", "comment": "Applications with known vulnerabilities or known shell escapes should not have the setuid or setgid bits set to reduce potential damage if an application is compromised. Additionally, the number of programs with setuid or setgid bits set should be minimized across a system. Ensuring that the sudo tty_tickets setting is enabled will prevent this leakage across tty sessions.", "score": 1, "showSubtechniques": true}, {"techniqueID": "T1548.001", "comment": "Applications with known vulnerabilities or known shell escapes should not have the setuid or setgid bits set to reduce potential damage if an application is compromised. Additionally, the number of programs with setuid or setgid bits set should be minimized across a system.", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1548.003", "comment": "Ensuring that the tty_tickets setting is enabled will prevent this leakage across tty sessions.", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1087", "comment": "Prevent administrator accounts from being enumerated when an application is elevating through UAC since it can lead to the disclosure of account names. The Registry key is located HKLM\\ SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\CredUI\\EnumerateAdministrators. It can be disabled through GPO: Computer Configuration > [Policies] > Administrative Templates > Windows Components > Credential User Interface: E numerate administrator accounts on elevation. (Citation: UCF STIG Elevation Account Enumeration)", "score": 1, "showSubtechniques": true}, {"techniqueID": "T1087.001", "comment": "Prevent administrator accounts from being enumerated when an application is elevating through UAC since it can lead to the disclosure of account names. The Registry key is located at HKLM\\ SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\CredUI\\EnumerateAdministrators. It can be disabled through GPO: Computer Configuration > [Policies] > Administrative Templates > Windows Components > Credential User Interface: Enumerate administrator accounts on elevation.(Citation: UCF STIG Elevation Account Enumeration)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1087.002", "comment": "Prevent administrator accounts from being enumerated when an application is elevating through UAC since it can lead to the disclosure of account names. The Registry key is located at HKLM\\ SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\CredUI\\EnumerateAdministrators. It can be disabled through GPO: Computer Configuration > [Policies] > Administrative Templates > Windows Components > Credential User Interface: Enumerate administrator accounts on elevation.(Citation: UCF STIG Elevation Account Enumeration)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1098", "comment": "Protect domain controllers by ensuring proper security configuration for critical servers to limit access by potentially unnecessary protocols and services, such as SMB file sharing.", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1197", "comment": "\nConsider reducing the default BITS job lifetime in Group Policy or by editing the JobInactivityTimeout and MaxDownloadTime Registry values in  HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Windows\\BITS.(Citation: Microsoft BITS)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1092", "comment": "Disallow or restrict removable media at an organizational policy level if they are not required for business operations.(Citation: TechNet Removable Media Control)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1136", "comment": "Protect domain controllers by ensuring proper security configuration for critical servers.", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1136.002", "comment": "Protect domain controllers by ensuring proper security configuration for critical servers.", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1543", "comment": "Ensure that Driver Signature Enforcement is enabled to restrict unsigned drivers from being installed. ", "score": 1, "showSubtechniques": true}, {"techniqueID": "T1543.003", "comment": "Ensure that Driver Signature Enforcement is enabled to restrict unsigned drivers from being installed. ", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1546", "showSubtechniques": true}, {"techniqueID": "T1546.008", "comment": "To use this technique remotely, an adversary must use it in conjunction with RDP. Ensure that Network Level Authentication is enabled to force the remote desktop session to authenticate before the session is created and the login screen displayed. It is enabled by default on Windows Vista and later.(Citation: TechNet RDP NLA)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1011", "comment": "Prevent the creation of new network adapters where possible.(Citation: Microsoft GPO Bluetooth FEB 2009)(Citation: TechRepublic Wireless GPO FEB 2009)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1011.001", "comment": "Prevent the creation of new network adapters where possible.", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1564", "showSubtechniques": true}, {"techniqueID": "T1564.002", "comment": "If the computer is domain joined, then group policy can help restrict the ability to create or hide users. Similarly, preventing the modification of the /Library/Preferences/com.apple.loginwindow Hide500Users value will force all users to be visible.", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1574", "showSubtechniques": true}, {"techniqueID": "T1574.006", "comment": "When System Integrity Protection (SIP) is enabled in macOS, the aforementioned environment variables are ignored when executing protected binaries. Third-party applications can also leverage Apple\u2019s Hardened Runtime, ensuring these environment variables are subject to imposed restrictions.(Citation: Apple Developer Doco Hardened Runtime) Admins can add restrictions to applications by setting the setuid and/or setgid bits, use entitlements, or have a __RESTRICT segment in the Mach-O binary.", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1490", "comment": "Consider technical controls to prevent the disabling of services or deletion of files involved in system recovery. Additionally, ensure that WinRE is enabled using the following command: reagentc /enable.(Citation: reagentc_cmd)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1036", "showSubtechniques": true}, {"techniqueID": "T1036.007", "comment": "Disable the default to \u201chide file extensions for known file types\u201d in Windows OS.(Citation: Seqrite DoubleExtension)(Citation: HowToGeek ShowExtension)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1556", "comment": "Ensure only valid password filters are registered. Filter DLLs must be present in Windows installation directory (`C:\\Windows\\System32\\` by default) of a domain controller and/or local computer with a corresponding entry in `HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Lsa\\Notification Packages`. \n\nStarting in Windows 11 22H2, the `EnableMPRNotifications` policy can be disabled through Group Policy or through a configuration service provider to prevent Winlogon from sending credentials to network providers.(Citation: EnableMPRNotifications)", "score": 1, "showSubtechniques": true}, {"techniqueID": "T1556.002", "comment": "Ensure only valid password filters are registered. Filter DLLs must be present in Windows installation directory (C:\\Windows\\System32\\ by default) of a domain controller and/or local computer with a corresponding entry in HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Lsa\\Notification Packages.", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1556.008", "comment": "Starting in Windows 11 22H2, the `EnableMPRNotifications` policy can be disabled through Group Policy or through a configuration service provider to prevent Winlogon from sending credentials to network providers.(Citation: EnableMPRNotifications)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1135", "comment": "Enable Windows Group Policy \u201cDo Not Allow Anonymous Enumeration of SAM Accounts and Shares\u201d security setting to limit users who can enumerate network shares.(Citation: Windows Anonymous Enumeration of SAM Accounts)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1003", "comment": "\nConsider disabling or restricting NTLM.(Citation: Microsoft Disable NTLM Nov 2012) Consider disabling WDigest authentication.(Citation: Microsoft WDigest Mit)", "score": 1, "showSubtechniques": true}, {"techniqueID": "T1003.001", "comment": "Consider disabling or restricting NTLM.(Citation: Microsoft Disable NTLM Nov 2012) Consider disabling WDigest authentication.(Citation: Microsoft WDigest Mit)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1003.002", "comment": "Consider disabling or restricting NTLM.(Citation: Microsoft Disable NTLM Nov 2012)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1003.005", "comment": "Consider limiting the number of cached credentials (HKLM\\SOFTWARE\\Microsoft\\Windows NT\\Current Version\\Winlogon\\cachedlogonscountvalue)(Citation: Tilbury Windows Credentials)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1542", "showSubtechniques": true}, {"techniqueID": "T1542.005", "comment": "Follow vendor device hardening best practices to disable unnecessary and unused features and services, avoid using default configurations and passwords, and introduce logging and auditing for detection.", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1690", "comment": "Make sure that the HISTCONTROL environment variable is set to \u201cignoredups\u201d instead of \u201cignoreboth\u201d or \u201cignorespace\u201d.", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1563", "showSubtechniques": true}, {"techniqueID": "T1563.002", "comment": "Change GPOs to define shorter timeouts sessions and maximum amount of time any single session can be active. Change GPOs to specify the maximum amount of time that a disconnected session stays active on the RD session host server.(Citation: Windows RDP Sessions)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1021", "showSubtechniques": true}, {"techniqueID": "T1021.001", "comment": "Change GPOs to define shorter timeouts sessions and maximum amount of time any single session can be active. Change GPOs to specify the maximum amount of time that a disconnected session stays active on the RD session host server.(Citation: Windows RDP Sessions)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1053", "comment": "Configure settings for scheduled tasks to force tasks to run under the context of the authenticated account instead of allowing them to run as SYSTEM. The associated Registry key is located at HKLM\\SYSTEM\\CurrentControlSet\\Control\\Lsa\\SubmitControl. The setting can be configured through GPO: Computer Configuration > [Policies] > Windows Settings > Security Settings > Local Policies > Security Options: Domain Controller: Allow server operators to schedule tasks, set to disabled. (Citation: TechNet Server Operator Scheduled Task)", "score": 1, "showSubtechniques": true}, {"techniqueID": "T1053.002", "comment": "Configure settings for scheduled tasks to force tasks to run under the context of the authenticated account instead of allowing them to run as SYSTEM. The associated Registry key is located at HKLM\\SYSTEM\\CurrentControlSet\\Control\\Lsa\\SubmitControl. The setting can be configured through GPO: Computer Configuration > [Policies] > Windows Settings > Security Settings > Local Policies > Security Options: Domain Controller: Allow server operators to schedule tasks, set to disabled. (Citation: TechNet Server Operator Scheduled Task) ", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1053.005", "comment": "Configure settings for scheduled tasks to force tasks to run under the context of the authenticated account instead of allowing them to run as SYSTEM. The associated Registry key is located at HKLM\\SYSTEM\\CurrentControlSet\\Control\\Lsa\\SubmitControl. The setting can be configured through GPO: Computer Configuration > [Policies] > Windows Settings > Security Settings > Local Policies > Security Options: Domain Controller: Allow server operators to schedule tasks, set to disabled. (Citation: TechNet Server Operator Scheduled Task)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1553", "comment": "Windows Group Policy can be used to manage root certificates and the Flags value of HKLM\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\SystemCertificates\\\\Root\\\\ProtectedRoots can be set to 1 to prevent non-administrator users from making further root installations into their own HKCU certificate store. (Citation: SpectorOps Code Signing Dec 2017)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1553.004", "comment": "Windows Group Policy can be used to manage root certificates and the Flags value of HKLM\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\SystemCertificates\\\\Root\\\\ProtectedRoots can be set to 1 to prevent non-administrator users from making further root installations into their own HKCU certificate store. (Citation: SpectorOps Code Signing Dec 2017)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1552", "comment": "There are multiple methods of preventing a user's command history from being flushed to their .bash_history file, including use of the following commands:\nset +o history and set -o history to start logging again;\nunset HISTFILE being added to a user's .bash_rc file; and\nln -s /dev/null ~/.bash_history to write commands to /dev/nullinstead.", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1552.003", "comment": "There are multiple methods of preventing a user's command history from being flushed to their .bash_history file, including use of the following commands:\nset +o history and set -o history to start logging again;\nunset HISTFILE being added to a user's .bash_rc file; and\nln -s /dev/null ~/.bash_history to write commands to /dev/null instead.\n\nIn Zsh, `fc -p` can be used to create a private history session. However, previous history will be unavailable to the user until the session ends. Using `unset HISTFILE` and writing commands to `/dev/null` can also be used, similarly to Bash.\n\nIn PowerShell, users can utilize `Set-PSReadLineOption` to modify how commands are saved into history. Setting `-HistorySaveStyle SaveNothing` prevents command history from being saved onto the file. Note that setting it from `SaveNothing` to `SaveIncrementally` in the same session will cause all commands from that session to be saved. Alternatively, `-AddToHistoryHandler` can be used to filter certain commands from being saved into the history file.", "score": 1, "color": "#66b1ff", "showSubtechniques": true}], "gradient": {"colors": ["#ffffff", "#66b1ff"], "minValue": 0, "maxValue": 1}, "legendItems": [{"label": "mitigated by Operating System Configuration", "color": "#66b1ff"}]}