{"description": "Enterprise techniques mitigated by Execution Prevention, ATT&CK mitigation M1038 (v1.3)", "name": "Execution Prevention (M1038)", "domain": "enterprise-attack", "versions": {"layer": "4.5", "attack": "19", "navigator": "5.3.2"}, "techniques": [{"techniqueID": "T1548", "comment": "System settings can prevent applications from running that haven't been downloaded from legitimate repositories which may help mitigate some of these issues. Not allowing unsigned applications from being run may also mitigate some risk.", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1548.004", "comment": "System settings can prevent applications from running that haven't been downloaded through the Apple Store which may help mitigate some of these issues. Not allowing unsigned applications from being run may also mitigate some risk.", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1547", "showSubtechniques": true}, {"techniqueID": "T1547.004", "comment": "Identify and block potentially malicious software that may be executed through the Winlogon helper process by using application control (Citation: Beechey 2010) tools like AppLocker (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) that are capable of auditing and/or blocking unknown DLLs.", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1547.006", "comment": "Application control and software restriction tools, such as SELinux, KSPP, grsecurity MODHARDEN, and Linux kernel tuning can aid in restricting kernel module loading.(Citation: Kernel.org Restrict Kernel Module)(Citation: Wikibooks Grsecurity)(Citation: Kernel Self Protection Project)(Citation: Increasing Linux kernel integrity)(Citation: LKM loading kernel restrictions)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1547.009", "comment": "Prevents malicious shortcuts or LNK files from executing unwanted code by ensuring only authorized applications and scripts are allowed to run.", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1059", "comment": "Use application control where appropriate. For example, PowerShell Constrained Language mode can be used to restrict access to sensitive or otherwise dangerous language elements such as those used to execute arbitrary Windows APIs or files (e.g., `Add-Type`).(Citation: Microsoft PowerShell CLM)", "score": 1, "showSubtechniques": true}, {"techniqueID": "T1059.001", "comment": "Use application control where appropriate. PowerShell Constrained Language mode can be used to restrict access to sensitive or otherwise dangerous language elements such as those used to execute arbitrary Windows APIs or files (e.g., `Add-Type`).(Citation: Microsoft PowerShell CLM)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1059.002", "comment": "Use application control where appropriate.", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1059.003", "comment": "Use application control where appropriate.", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1059.004", "comment": "Use application control where appropriate. On ESXi hosts, the `execInstalledOnly` feature prevents binaries from being run unless they have been packaged and signed as part of a vSphere installation bundle (VIB).(Citation: Google Cloud Threat Intelligence ESXi Hardening 2023)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1059.005", "comment": "Use application control where appropriate. VBA macros obtained from the Internet, based on the file's Mark of the Web (MOTW) attribute, may be blocked from executing in Office applications (ex: Access, Excel, PowerPoint, Visio, and Word) by default starting in Windows Version 2203.(Citation: Default VBS macros Blocking )", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1059.006", "comment": "Denylist Python where not required.", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1059.007", "comment": "Denylist scripting where appropriate.", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1059.008", "comment": "TACACS+ can keep control over which commands administrators are permitted to use through the configuration of authentication and command authorization. (Citation: Cisco IOS Software Integrity Assurance - TACACS)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1059.009", "comment": "Use application control where appropriate to block use of PowerShell CmdLets or other host based resources to access cloud API resources.", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1059.010", "comment": "Use application control to prevent execution of `AutoIt3.exe`, `AutoHotkey.exe`, and other related features that may not be required for a given system or network to prevent potential misuse by adversaries.", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1059.011", "comment": "Denylist Lua interpreters where appropriate.", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1059.013", "comment": "Deny scripting where appropriate. Tools such as Python or Go can utilize Kubernetes and Docker within a client library and execute commands within their application.", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1609", "comment": "Use read-only containers, read-only file systems, and minimal images when possible to prevent the execution of commands.(Citation: Kubernetes Hardening Guide) Where possible, also consider using application control and software restriction tools (such as those provided by SELinux) to restrict access to files, processes, and system calls in containers.(Citation: Kubernetes Security Context)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1685", "comment": "Use application control where appropriate, especially regarding the execution of tools outside of the organization's security policies (such as rootkit removal tools) that have been abused to impair system defenses. Ensure that only approved security applications are used and running on enterprise systems.", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1685.003", "comment": "Use application controls to mitigate installation and use of payloads that may be utilized to spoof security alerting.", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1611", "comment": "Use read-only containers, read-only file systems, and minimal images when possible to prevent the running of commands.(Citation: Kubernetes Hardening Guide) Where possible, also consider using application control and software restriction tools (such as those provided by SELinux) to restrict access to files, processes, and system calls in containers.(Citation: Kubernetes Security Context)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1546", "showSubtechniques": true}, {"techniqueID": "T1546.002", "comment": "Block .scr files from being executed from non-standard locations.", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1546.006", "comment": "Allow applications via known hashes.", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1546.008", "comment": "Adversaries can replace accessibility features binaries with alternate binaries to execute this technique. Identify and block potentially malicious software executed through accessibility features functionality by using application control (Citation: Beechey 2010) tools, like Windows Defender Application Control(Citation: Microsoft Windows Defender Application Control), AppLocker, (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) or Software Restriction Policies (Citation: Corio 2008) where appropriate. (Citation: TechNet Applocker vs SRP)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1546.009", "comment": "Adversaries install new AppCertDLL binaries to execute this technique. Identify and block potentially malicious software executed through AppCertDLLs functionality by using application control (Citation: Beechey 2010) tools, like Windows Defender Application Control(Citation: Microsoft Windows Defender Application Control), AppLocker, (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) or Software Restriction Policies (Citation: Corio 2008) where appropriate. (Citation: TechNet Applocker vs SRP)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1546.010", "comment": "Adversaries can install new AppInit DLLs binaries to execute this technique. Identify and block potentially malicious software executed through AppInit DLLs functionality by using application control (Citation: Beechey 2010) tools, like Windows Defender Application Control(Citation: Microsoft Windows Defender Application Control), AppLocker, (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) or Software Restriction Policies (Citation: Corio 2008) where appropriate. (Citation: TechNet Applocker vs SRP)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1068", "comment": "Consider blocking the execution of known vulnerable drivers that adversaries may exploit to execute code in kernel mode. Validate driver block rules in audit mode to ensure stability prior to production deployment.(Citation: Microsoft Driver Block Rules)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1564", "showSubtechniques": true}, {"techniqueID": "T1564.003", "comment": "Limit or restrict program execution using anti-virus software. On MacOS, allowlist programs that are allowed to have the plist tag. All other programs should be considered suspicious.", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1564.006", "comment": "Use application control to mitigate installation and use of unapproved virtualization software.", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1574", "comment": "Adversaries may use new payloads to execute this technique. Identify and block potentially malicious software executed through hijacking by using application control solutions also capable of blocking libraries loaded by legitimate software.", "score": 1, "showSubtechniques": true}, {"techniqueID": "T1574.001", "comment": "Identify and block potentially malicious software executed through DLL hijacking by using application control solutions capable of blocking DLLs loaded by legitimate software.(Citation: Microsoft AppLocker DLL)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1574.006", "comment": "Adversaries may use new payloads to execute this technique. Identify and block potentially malicious software executed through hijacking by using application control solutions also capable of blocking libraries loaded by legitimate software.", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1574.007", "comment": "Adversaries will likely need to place new binaries in locations to be executed through this weakness. Identify and block potentially malicious software executed path interception by using application control tools, like Windows Defender Application Control, AppLocker, or Software Restriction Policies where appropriate.(Citation: SANS Application Whitelisting)(Citation: Microsoft Windows Defender Application Control)(Citation: Windows Commands JPCERT)(Citation: NSA MS AppLocker)(Citation: Microsoft Application Lockdown)(Citation: Microsoft Using Software Restriction )", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1574.008", "comment": "Adversaries will likely need to place new binaries in locations to be executed through this weakness. Identify and block potentially malicious software executed path interception by using application control tools, like Windows Defender Application Control, AppLocker, or Software Restriction Policies where appropriate.(Citation: SANS Application Whitelisting)(Citation: Microsoft Windows Defender Application Control)(Citation: Windows Commands JPCERT)(Citation: NSA MS AppLocker)(Citation: Microsoft Application Lockdown)(Citation: Microsoft Using Software Restriction )", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1574.009", "comment": "Adversaries will likely need to place new binaries in locations to be executed through this weakness. Identify and block potentially malicious software executed path interception by using application control tools, like Windows Defender Application Control, AppLocker, or Software Restriction Policies where appropriate.(Citation: SANS Application Whitelisting)(Citation: Microsoft Windows Defender Application Control)(Citation: Windows Commands JPCERT)(Citation: NSA MS AppLocker)(Citation: Microsoft Application Lockdown)(Citation: Microsoft Using Software Restriction )", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1574.012", "comment": "Identify and block potentially malicious unmanaged COR_PROFILER profiling DLLs  by using application control solutions like AppLocker that are capable of auditing and/or blocking unapproved DLLs.(Citation: Beechey 2010)(Citation: Windows Commands JPCERT)(Citation: NSA MS AppLocker)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1490", "comment": "Consider using application control configured to block execution of utilities such as `diskshadow.exe` that may not be required for a given system or network to prevent potential misuse by adversaries. ", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1674", "comment": "Denylist scripting and use application control where appropriate. For example, PowerShell Constrained Language mode can be used to restrict access to sensitive or otherwise dangerous language elements such as those used to execute arbitrary Windows APIs or files (e.g., `Add-Type`).(Citation: Microsoft PowerShell CLM)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1036", "comment": "Use tools that restrict program execution via application control by attributes other than file name for common operating system utilities that are needed.", "score": 1, "showSubtechniques": true}, {"techniqueID": "T1036.005", "comment": "Use tools that restrict program execution via application control by attributes other than file name for common operating system utilities that are needed.", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1036.008", "comment": "Ensure that input sanitization is performed and that files are validated properly before execution; furthermore, implement a strict allow list to ensure that only authorized file types are processed.(Citation: file_upload_attacks_pt2) Restrict and/or block execution of files where headers and extensions do not match. \n\n", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1106", "comment": "Identify and block potentially malicious software executed that may be executed through this technique by using application control (Citation: Beechey 2010) tools, like Windows Defender Application Control(Citation: Microsoft Windows Defender Application Control), AppLocker, (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) or Software Restriction Policies (Citation: Corio 2008) where appropriate. (Citation: TechNet Applocker vs SRP)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1219", "comment": "Use application control to mitigate installation and use of unapproved software that can be used for remote access.", "score": 1, "showSubtechniques": true}, {"techniqueID": "T1219.001", "comment": "Use Group Policies to require user authentication by disabling anonymous tunnel access, preventing any unauthenticated tunnel creation or usage. Disable the Visual Studio Dev Tunnels feature to block tunnel-related commands, allowing only minimal exceptions for utility functions (unset, echo, ping, and user). Restrict tunnel access to approved Microsoft Entra tenant IDs by specifying allowed tenants; all other users are denied access by default.(Citation: Microsoft Dev Tunnels Group Policy Mitigation)(Citation: Microsoft Dev Tunnels Group Policies)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1219.002", "comment": "Use application control to mitigate installation and use of unapproved software that can be used for remote access.", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1505", "showSubtechniques": true}, {"techniqueID": "T1505.004", "comment": "Restrict unallowed ISAPI extensions and filters from running by specifying a list of ISAPI extensions and filters that can run on IIS.(Citation: Microsoft ISAPICGIRestriction 2016)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1129", "comment": "Identify and block potentially malicious software executed through this technique by using application control tools capable of preventing unknown modules from being loaded.", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1176", "comment": "Set an extension allow or deny list as appropriate for your security policy. ", "score": 1, "showSubtechniques": true}, {"techniqueID": "T1176.001", "comment": "Set a browser extension allow or deny list as appropriate for your security policy.(Citation: Technospot Chrome Extensions GP)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1176.002", "comment": "Set an IDE extension allow or deny list as appropriate for your security policy.  ", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1553", "comment": "System settings can prevent applications from running that haven't been downloaded through the Apple Store (or other legitimate repositories) which can help mitigate some of these issues. Also enable application control solutions such as AppLocker and/or Device Guard to block the loading of malicious content.", "score": 1, "showSubtechniques": true}, {"techniqueID": "T1553.001", "comment": "System settings can prevent applications from running that haven't been downloaded through the Apple Store which can help mitigate some of these issues. ", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1553.003", "comment": "Enable application control solutions such as AppLocker and/or Device Guard to block the loading of malicious SIP DLLs.", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1553.005", "comment": "Consider blocking container file types at web and/or email gateways. Consider unregistering container file extensions in Windows File Explorer.(Citation: Dormann Dangers of VHD 2019)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1218", "comment": "Consider using application control to prevent execution of binaries that are susceptible to abuse and not required for a given system or network.", "score": 1, "showSubtechniques": true}, {"techniqueID": "T1218.001", "comment": "Consider using application control to prevent execution of hh.exe if it is not required for a given system or network to prevent potential misuse by adversaries.", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1218.002", "comment": "Identify and block potentially malicious and unknown .cpl files by using application control (Citation: Beechey 2010) tools, like Windows Defender Application Control(Citation: Microsoft Windows Defender Application Control), AppLocker, (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) or Software Restriction Policies (Citation: Corio 2008) where appropriate. (Citation: TechNet Applocker vs SRP)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1218.003", "comment": "Consider using application control configured to block execution of CMSTP.exe if it is not required for a given system or network to prevent potential misuse by adversaries.", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1218.004", "comment": "Use application control configured to block execution of InstallUtil.exe if it is not required for a given system or network to prevent potential misuse by adversaries.", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1218.005", "comment": "Use application control configured to block execution of mshta.exe if it is not required for a given system or network to prevent potential misuse by adversaries. For example, in Windows 10 and Windows Server 2016 and above, Windows Defender Application Control (WDAC) policy rules may be applied to block the mshta.exe application and to prevent abuse.(Citation: Microsoft WDAC)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1218.008", "comment": "Use application control configured to block execution of Odbcconf.exe if it is not required for a given system or network to prevent potential misuse by adversaries.", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1218.009", "comment": "Block execution of Regsvcs.exe and Regasm.exe if they are not required for a given system or network to prevent potential misuse by adversaries.", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1218.012", "comment": "Use application control configured to block execution of verclsid.exe if it is not required for a given system or network to prevent potential misuse by adversaries.", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1218.013", "comment": "Use application control configured to block execution of mavinject.exe if it is not required for a given system or network to prevent potential misuse by adversaries.", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1218.014", "comment": "Use application control configured to block execution of MMC if it is not required for a given system or network to prevent potential misuse by adversaries.", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1218.015", "comment": "Where possible, enforce binary and application integrity with digital signature verification to prevent untrusted code from executing. For example, do not use `shell.openExternal` with untrusted content.\n\nWhere possible, set `nodeIntegration` to false, which disables access to the Node.js function.(Citation: Electron Security 3) By disabling access to the Node.js function, this may limit the ability to execute malicious commands by injecting JavaScript code.\n\nDo not disable `webSecurity`, which may allow for users of the application to invoke malicious content from online sources.", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1216", "comment": "Certain signed scripts that can be used to execute other programs may not be necessary within a given environment. Use application control configured to block execution of these scripts if they are not required for a given system or network to prevent potential misuse by adversaries.", "score": 1, "showSubtechniques": true}, {"techniqueID": "T1216.001", "comment": "Certain signed scripts that can be used to execute other programs may not be necessary within a given environment. Use application control configured to block execution of these scripts if they are not required for a given system or network to prevent potential misuse by adversaries.", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1216.002", "comment": "Certain signed scripts that can be used to execute other programs may not be necessary within a given environment. Use application control configured to block execution of these scripts if they are not required for a given system or network to prevent potential misuse by adversaries.", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1080", "comment": "Identify potentially malicious software that may be used to taint content or may result from it and audit and/or block the unknown programs by using application control (Citation: Beechey 2010) tools, like AppLocker, (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) or Software Restriction Policies (Citation: Corio 2008) where appropriate. (Citation: TechNet Applocker vs SRP)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1127", "comment": "Certain developer utilities should be blocked or restricted if not required.", "score": 1, "showSubtechniques": true}, {"techniqueID": "T1127.001", "comment": "Use application control configured to block execution of msbuild.exe if it is not required for a given system or network to prevent potential misuse by adversaries. For example, in Windows 10 and Windows Server 2016 and above, Windows Defender Application Control (WDAC) policy rules may be applied to block the msbuild.exe application and to prevent abuse.(Citation: Microsoft WDAC)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1127.003", "comment": "Consider blocking or restricting JamPlus if not required.", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1204", "comment": "Application control may be able to prevent the running of executables masquerading as other files.", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1204.002", "comment": "Application control may be able to prevent the running of executables masquerading as other files.", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1204.004", "comment": "Use application control where appropriate. PowerShell Constrained Language mode can be used to restrict access to sensitive or otherwise dangerous language elements such as those used to execute arbitrary Windows APIs or files (e.g., `Add-Type`).(Citation: Microsoft PowerShell CLM)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1047", "comment": "Use application control configured to block execution of wmic.exe if it is not required for a given system or network to prevent potential misuse by adversaries. For example, in Windows 10 and Windows Server 2016 and above, Windows Defender Application Control (WDAC) policy rules may be applied to block the wmic.exe application and to prevent abuse.(Citation: Microsoft WDAC)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1220", "comment": "If msxsl.exe is unnecessary, then block its execution to prevent abuse by adversaries.", "score": 1, "color": "#66b1ff", "showSubtechniques": false}], "gradient": {"colors": ["#ffffff", "#66b1ff"], "minValue": 0, "maxValue": 1}, "legendItems": [{"label": "mitigated by Execution Prevention", "color": "#66b1ff"}]}