{"description": "Enterprise techniques mitigated by Disable or Remove Feature or Program, ATT&CK mitigation M1042 (v1.2)", "name": "Disable or Remove Feature or Program (M1042)", "domain": "enterprise-attack", "versions": {"layer": "4.5", "attack": "19", "navigator": "5.3.2"}, "techniques": [{"techniqueID": "T1098", "comment": "Remove unnecessary and potentially abusable authentication and authorization mechanisms where possible.", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1098.001", "comment": "Remove unnecessary and potentially abusable authentication mechanisms where possible. For example, in Entra ID environments, disable the app password feature unless explicitly required. ", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1098.002", "comment": "If email delegation is not required, disable it. In Google Workspace this can be accomplished through the Google Admin console.(Citation: Gmail Delegation)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1098.004", "comment": "Disable SSH if it is not necessary on a host or restrict SSH access for specific users/groups using /etc/ssh/sshd_config. 
Setting the `PermitRootLogin` directive to `no` will prevent the root user from logging in via SSH.(Citation: Broadcom ESXi SSH)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1595", "showSubtechniques": true}, {"techniqueID": "T1595.003", "comment": "Remove or disable access to any systems, resources, and infrastructure that are not explicitly required to be available externally.", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1557", "comment": "Disable legacy network protocols that may be used   to intercept network traffic if applicable, especially those that are not needed within an environment.", "score": 1, "showSubtechniques": true}, {"techniqueID": "T1557.001", "comment": "Disable LLMNR, mDNS, and NetBIOS in local computer security settings or by group policy if they are not needed within an environment. (Citation: ADSecurity Windows Secure Baseline)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1557.002", "comment": "Consider disabling updating the ARP cache on gratuitous ARP replies.", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1547", "showSubtechniques": true}, {"techniqueID": "T1547.007", "comment": "This feature can be disabled entirely with the following terminal command: defaults write -g ApplePersistence -bool no.", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1671", "comment": "Do not allow users to add new application integrations into a SaaS environment. 
In Entra ID environments, consider enforcing the \u201cDo not allow user consent\u201d option.(Citation: Microsoft Entra Configure OAuth Consent)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1059", "comment": "Disable or remove any unnecessary or unused shells or interpreters.", "score": 1, "showSubtechniques": true}, {"techniqueID": "T1059.001", "comment": "It may be possible to remove PowerShell from systems when not needed, but a review should be performed to assess the impact to an environment, since it could be in use for many legitimate purposes and administrative functions.\n\nDisable/restrict the WinRM Service to help prevent uses of PowerShell for remote execution.", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1059.005", "comment": "Turn off or restrict access to unneeded VB components.", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1059.007", "comment": "Turn off or restrict access to unneeded scripting components.", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1092", "comment": "Disable Autoruns if it is unnecessary.(Citation: Microsoft Disable Autorun)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1609", "comment": "Remove unnecessary tools and software from containers.", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1555", "showSubtechniques": true}, {"techniqueID": "T1555.004", "comment": "Consider enabling the \u201cNetwork access: Do not allow storage of passwords and credentials for network authentication\u201d setting that will prevent network credentials from being stored by the Credential Manager.(Citation: Microsoft Network access Credential Manager)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1685", "comment": "Consider removing previous versions of tools that are unnecessary to the environment when 
possible.", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1689", "comment": "Consider removing previous versions of tools that are unnecessary to the environment when possible.", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1114", "showSubtechniques": true}, {"techniqueID": "T1114.003", "comment": "Consider disabling external email forwarding.(Citation: Microsoft BEC Campaign)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1611", "comment": "Remove unnecessary tools and software from containers.", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1546", "showSubtechniques": true}, {"techniqueID": "T1546.002", "comment": "Use Group Policy to disable screensavers if they are unnecessary.(Citation: TechNet Screensaver GP)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1546.014", "comment": "Consider disabling emond by removing the [Launch Daemon](https://attack.mitre.org/techniques/T1543/004) plist file.", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1011", "comment": "Disable WiFi connection, modem, cellular data connection, Bluetooth, or another radio frequency (RF) channel in local computer security settings or by group policy if it is not needed within an environment.", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1011.001", "comment": "Disable Bluetooth in local computer security settings or by group policy if it is not needed within an environment.", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1052", "comment": "Disable Autorun if it is unnecessary. (Citation: Microsoft Disable Autorun) Disallow or restrict removable media at an organizational policy level if they are not required for business operations. 
(Citation: TechNet Removable Media Control)", "score": 1, "showSubtechniques": true}, {"techniqueID": "T1052.001", "comment": "Disable Autorun if it is unnecessary. (Citation: Microsoft Disable Autorun) Disallow or restrict removable media at an organizational policy level if they are not required for business operations. (Citation: TechNet Removable Media Control)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1210", "comment": "Minimize available services to only those that are necessary.", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1133", "comment": "Disable or block remotely available services that may be unnecessary.", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1564", "showSubtechniques": true}, {"techniqueID": "T1564.006", "comment": "Disable native virtualization technologies such as Hyper-V if not necessary within a given environment. Consider also disabling Windows Sandbox if it is not needed to test or debug applications.", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1564.007", "comment": "Turn off or restrict access to unneeded VB components.(Citation: Microsoft Disable VBA Jan 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1559", "comment": "Registry keys specific to Microsoft Office feature control security can be set to disable automatic DDE/OLE execution. (Citation: Microsoft DDE Advisory Nov 2017)(Citation: BleepingComputer DDE Disabled in Word Dec 2017)(Citation: GitHub Disable DDEAUTO Oct 2017) Microsoft also created, and enabled by default, Registry keys to completely disable DDE execution in Word and Excel.(Citation: Microsoft ADV170021 Dec 2017)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1559.002", "comment": "Registry keys specific to Microsoft Office feature control security can be set to disable automatic DDE/OLE execution. 
(Citation: Microsoft DDE Advisory Nov 2017)(Citation: BleepingComputer DDE Disabled in Word Dec 2017)(Citation: GitHub Disable DDEAUTO Oct 2017) Microsoft also created, and enabled by default, Registry keys to completely disable DDE execution in Word and Excel.(Citation: Microsoft ADV170021 Dec 2017)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1046", "comment": "Ensure that unnecessary ports and services are closed to prevent risk of discovery and potential exploitation.", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1137", "comment": "Follow Office macro security best practices suitable for your environment. Disable Office VBA macros from executing.\n\nDisable Office add-ins. If they are required, follow best practices for securing them by requiring them to be signed and disabling user notification for allowing add-ins. For some add-ins types (WLL, VBA) additional mitigation is likely required as disabling add-ins in the Office Trust Center does not disable WLL nor does it prevent VBA code from executing. (Citation: MRWLabs Office Persistence Add-ins)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1137.001", "comment": "Follow Office macro security best practices suitable for your environment. Disable Office VBA macros from executing.\n\nDisable Office add-ins. If they are required, follow best practices for securing them by requiring them to be signed and disabling user notification for allowing add-ins. For some add-ins types (WLL, VBA) additional mitigation is likely required as disabling add-ins in the Office Trust Center does not disable WLL nor does it prevent VBA code from executing. 
(Citation: MRWLabs Office Persistence Add-ins)\n", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1219", "comment": "Consider disabling unnecessary remote connection functionality, including both unapproved software installations and specific features built into supported applications.", "score": 1, "showSubtechniques": true}, {"techniqueID": "T1219.002", "comment": "Consider disabling unnecessary remote connection functionality, including both unapproved software installations and specific features built into supported applications.", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1563", "comment": "Disable the remote service (ex: SSH, RDP, etc.) if it is unnecessary.", "score": 1, "showSubtechniques": true}, {"techniqueID": "T1563.001", "comment": "Ensure that agent forwarding is disabled on systems that do not explicitly require this feature to prevent misuse. (Citation: Symantec SSH and ssh-agent)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1563.002", "comment": "Disable the RDP service if it is unnecessary.", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1021", "comment": "If remote services, such as the ability to make direct connections to cloud virtual machines, are not required, disable these connection types where feasible. 
On ESXi servers, consider enabling lockdown mode, which disables direct access to an ESXi host and requires that the host be managed remotely using vCenter.(Citation: Google Cloud Threat Intelligence ESXi Hardening 2023)(Citation: Broadcom ESXi Lockdown Mode)", "score": 1, "showSubtechniques": true}, {"techniqueID": "T1021.001", "comment": "Disable the RDP service if it is unnecessary.", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1021.003", "comment": "Consider disabling DCOM through Dcomcnfg.exe.(Citation: Microsoft Disable DCOM)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1021.004", "comment": "Disable the SSH daemon on systems that do not require it, especially ESXi servers. For macOS, ensure Remote Login is disabled under Sharing Preferences.(Citation: Apple Unified Log Analysis Remote Login and Screen Sharing)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1021.005", "comment": "Uninstall any VNC server software where not required.", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1021.006", "comment": "Disable the WinRM service.", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1021.008", "comment": "If direct virtual machine connections are not required for administrative use, disable these connection types where feasible.", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1091", "comment": "Disable Autorun if it is unnecessary. (Citation: Microsoft Disable Autorun) Disallow or restrict removable media at an organizational policy level if it is not required for business operations. 
(Citation: TechNet Removable Media Control)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1505", "comment": "Consider disabling software components from servers when possible to prevent abuse by adversaries.(Citation: ITSyndicate Disabling PHP functions)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1505.003", "comment": "Consider disabling functions from web technologies such as PHP\u2019s `eval()` that may be abused for web shells.(Citation: ITSyndicate Disabling PHP functions)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1649", "comment": "Consider disabling old/dangerous authentication protocols (e.g. NTLM), as well as unnecessary certificate features, such as potentially vulnerable AD CS web and other enrollment server roles.(Citation: SpecterOps Certified Pre Owned)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1553", "showSubtechniques": true}, {"techniqueID": "T1553.005", "comment": "Consider disabling auto-mounting of disk image files (i.e., .iso, .img, .vhd, and .vhdx). This can be achieved by modifying the Registry values related to the Windows Explorer file associations in order to disable the automatic Explorer \"Mount and Burn\" dialog for these file extensions. 
Note: this will not deactivate the mount functionality itself.(Citation: GitHub MOTW)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1218", "comment": "Many native binaries may not be necessary within a given environment.", "score": 1, "showSubtechniques": true}, {"techniqueID": "T1218.003", "comment": "CMSTP.exe may not be necessary within a given environment (unless using it for VPN connection installation).", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1218.004", "comment": "InstallUtil may not be necessary within a given environment.", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1218.005", "comment": "Mshta.exe may not be necessary within a given environment since its functionality is tied to older versions of Internet Explorer that have reached end of life.", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1218.007", "comment": "Consider disabling the AlwaysInstallElevated policy to prevent elevated execution of Windows Installer packages.(Citation: Microsoft AlwaysInstallElevated 2018)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1218.008", "comment": "Odbcconf.exe may not be necessary within a given environment.", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1218.009", "comment": "Regsvcs and Regasm may not be necessary within a given environment.", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1218.012", "comment": "Consider removing verclsid.exe if it is not necessary within a given environment.", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1218.013", "comment": "Consider removing mavinject.exe if Microsoft App-V is not used within a given environment.", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1218.014", "comment": "MMC may not be necessary within a given 
environment since it is primarily used by system administrators, not regular users or clients. ", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1218.015", "comment": "Remove or deny access to unnecessary and potentially vulnerable software and features to prevent abuse by adversaries. Many native binaries may not be necessary within a given environment: for example, consider disabling the Node.js integration in all renderers that display remote content to protect users by limiting adversaries\u2019 power to plant malicious JavaScript within Electron applications.(Citation: Electron Security 2)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1221", "comment": "Consider disabling Microsoft Office macros/active content to prevent the execution of malicious payloads in documents (Citation: Microsoft Disable Macros), though this setting may not mitigate the [Forced Authentication](https://attack.mitre.org/techniques/T1187) use for this technique.", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1205", "comment": "Disable Wake-on-LAN if it is not needed within an environment.", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1127", "comment": "Specific developer utilities may not be necessary within a given environment and should be removed if not used.", "score": 1, "showSubtechniques": true}, {"techniqueID": "T1127.001", "comment": "MSBuild.exe may not be necessary within an environment and should be removed if not being used.", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1127.002", "comment": "Disable ClickOnce installations from the internet using the following registry key: \n`\\HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\.NETFramework\\Security\\TrustManager\\PromptingLevel \u2014 Internet:Disabled`(Citation: NetSPI ClickOnce)(Citation: Microsoft Learn ClickOnce Config)\n\nClickOnce may not be necessary within 
an environment and should be disabled if not being used.", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1127.003", "comment": "JamPlus may not be necessary within a given environment and should be removed if not used.", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1552", "showSubtechniques": true}, {"techniqueID": "T1552.005", "comment": "Disable unnecessary metadata services and restrict or disable insecure versions of metadata services that are in use to prevent adversary access.(Citation: Amazon AWS IMDS V2)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}], "gradient": {"colors": ["#ffffff", "#66b1ff"], "minValue": 0, "maxValue": 1}, "legendItems": [{"label": "mitigated by Disable or Remove Feature or Program", "color": "#66b1ff"}]}
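As an added worked example (not part of this ATT&CK Navigator layer and not ATT&CK's own code), the following Python audits three of the settings the layer's comments name: the sshd_config directives behind the T1098.004 and T1563.001 entries (PermitRootLogin, AllowAgentForwarding, AllowUsers/AllowGroups), the php.ini disable_functions list behind T1505.003, and the EC2 instance metadata options behind T1552.005 (IMDSv2 is enforced only when HttpTokens is "required"). Two caveats the comments do not spell out are built in: sshd honours the first value it reads for a directive, so a late "PermitRootLogin no" does not override an earlier "yes", and PHP's eval() is a language construct rather than a function, so disable_functions cannot block it and the check only covers the command-execution functions that it can disable. The sshd_config text, php.ini text and describe-instances JSON used as input are constructed samples.

```python
"""Audit helpers for three M1042 settings: sshd_config, php.ini disable_functions
and EC2 instance metadata options. Added example; inputs below are constructed."""
import json
import re

# PHP functions that disable_functions CAN block and that web shells commonly use.
# eval() is a language construct and is deliberately absent: it cannot be disabled here.
DANGEROUS_PHP_FUNCTIONS = {"exec", "shell_exec", "system", "passthru", "popen",
                           "proc_open", "pcntl_exec", "dl"}


def parse_sshd_config(text):
    """Return {keyword_lower: value} for the global section of an sshd_config.

    sshd keeps the FIRST value it reads for a keyword, so setdefault() models the
    real precedence. Keyword/value may be separated by whitespace or '='.
    Directives after a 'Match' line are conditional and are not folded in here.
    """
    effective = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blank lines
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        if len(parts) != 2:
            continue
        key, value = parts[0].lower(), parts[1].strip()
        if key == "match":                       # conditional block starts: stop
            break
        effective.setdefault(key, value)
    return effective


def audit_sshd_config(text):
    """List of findings for the T1098.004 / T1563.001 mitigations (empty = clean)."""
    cfg = parse_sshd_config(text)
    findings = []
    # OpenSSH defaults: PermitRootLogin prohibit-password, AllowAgentForwarding yes
    if cfg.get("permitrootlogin", "prohibit-password").lower() != "no":
        findings.append("PermitRootLogin is not 'no'")
    if cfg.get("allowagentforwarding", "yes").lower() != "no":
        findings.append("AllowAgentForwarding is not 'no' (T1563.001)")
    if not any(k in cfg for k in ("allowusers", "allowgroups")):
        findings.append("no AllowUsers/AllowGroups restriction")
    return findings


def parse_php_ini_disable_functions(text):
    """Set of function names from the last 'disable_functions' line (later wins in php.ini)."""
    disabled = set()
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()      # ';' starts a php.ini comment
        if "=" not in line:
            continue
        key, _, value = line.partition("=")
        if key.strip().lower() == "disable_functions":
            names = value.strip().strip('"').split(",")
            disabled = {n.strip().lower() for n in names if n.strip()}
    return disabled


def audit_php_ini(text):
    """Sorted list of dangerous, disable-able PHP functions still callable (T1505.003)."""
    return sorted(DANGEROUS_PHP_FUNCTIONS - parse_php_ini_disable_functions(text))


def audit_imds(describe_instances_json):
    """Instance IDs whose metadata endpoint is on but IMDSv2 is not enforced (T1552.005)."""
    data = json.loads(describe_instances_json)
    weak = []
    for reservation in data.get("Reservations", []):
        for inst in reservation.get("Instances", []):
            opts = inst.get("MetadataOptions", {})
            if opts.get("HttpEndpoint", "enabled") == "disabled":
                continue                          # endpoint off: nothing to steal
            if opts.get("HttpTokens") != "required":
                weak.append(inst["InstanceId"])
    return weak


# Constructed sample inputs (not from any real host or account).
SAMPLE_SSHD = """\
# constructed sample sshd_config
PermitRootLogin yes
Port 22
PermitRootLogin no        # ignored by sshd: the first value above wins
AllowUsers deploy ops
Match User backup
    AllowAgentForwarding no
"""
SAMPLE_PHP_INI = """\
; constructed sample php.ini
disable_functions = "exec,passthru,shell_exec,system"
"""
SAMPLE_IMDS = json.dumps({"Reservations": [{"Instances": [
    {"InstanceId": "i-0example1",
     "MetadataOptions": {"HttpEndpoint": "enabled", "HttpTokens": "optional"}},
    {"InstanceId": "i-0example2",
     "MetadataOptions": {"HttpEndpoint": "enabled", "HttpTokens": "required"}},
]}]})

if __name__ == "__main__":
    print("sshd:", audit_sshd_config(SAMPLE_SSHD))
    print("php:", audit_php_ini(SAMPLE_PHP_INI))
    print("imds:", audit_imds(SAMPLE_IMDS))
```

To run this against real systems, feed it /etc/ssh/sshd_config, the php.ini that is actually loaded (php --ini reports which one) and the JSON from aws ec2 describe-instances. Directives inside sshd Match blocks are deliberately left out of the global result and need their own review, and a clean php.ini result does not mean eval()-based web shells are blocked.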