{"description": "Enterprise techniques mitigated by Audit, ATT&CK mitigation M1047 (v1.3)", "name": "Audit (M1047)", "domain": "enterprise-attack", "versions": {"layer": "4.5", "attack": "19", "navigator": "5.3.2"}, "techniques": [{"techniqueID": "T1548", "comment": "Check for common UAC bypass weaknesses on Windows systems to be aware of the risk posture and address issues where appropriate.(Citation: Github UACMe)", "score": 1, "showSubtechniques": true}, {"techniqueID": "T1548.002", "comment": "Check for common UAC bypass weaknesses on Windows systems to be aware of the risk posture and address issues where appropriate.(Citation: Github UACMe)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1548.006", "comment": "Routinely check applications using Automation under Security & Privacy System Preferences. To reset permissions, users can utilize the `tccutil reset` command. When using Mobile Device Management (MDM), review the list of enabled or disabled applications in the `MDMOverrides.plist` which overrides the TCC database.(Citation: TCC macOS bypass)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1087", "showSubtechniques": true}, {"techniqueID": "T1087.004", "comment": "Routinely check user permissions to ensure only the expected users have the ability to list IAM identities or otherwise discover cloud accounts.", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1560", "comment": "System scans can be performed to identify unauthorized archival utilities.", "score": 1, "showSubtechniques": true}, {"techniqueID": "T1560.001", "comment": "System scans can be performed to identify unauthorized archival utilities.", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1612", "comment": "Audit images deployed within the environment to ensure they do not contain any malicious components.", "score": 1, "color": "#66b1ff", "showSubtechniques": 
false}, {"techniqueID": "T1671", "comment": "Periodically review SaaS integrations for unapproved or potentially malicious applications.  ", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1059", "comment": "Inventory systems for unauthorized command and scripting interpreter installations.", "score": 1, "showSubtechniques": true}, {"techniqueID": "T1059.006", "comment": "Inventory systems for unauthorized Python installations.", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1059.011", "comment": "Inventory systems for unauthorized Lua installations.", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1543", "comment": "Use auditing tools capable of detecting privilege and service abuse opportunities on systems within an enterprise and correct them.", "score": 1, "showSubtechniques": true}, {"techniqueID": "T1543.003", "comment": "Use auditing tools capable of detecting privilege and service abuse opportunities on systems within an enterprise and correct them. ", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1543.004", "comment": "Use auditing tools capable of detecting folder permissions abuse opportunities on systems, especially reviewing changes made to folders by third-party software.", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1530", "comment": "Frequently check permissions on cloud storage to ensure proper permissions are set to deny open or unprivileged access to resources.(Citation: Amazon S3 Security, 2019)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1213", "comment": "Consider periodic review of accounts and privileges for critical and sensitive repositories. 
Ensure that repositories such as cloud-hosted databases are not unintentionally exposed to the public, and that security groups assigned to them permit only necessary and authorized hosts.(Citation: AWS DB VPC)", "score": 1, "showSubtechniques": true}, {"techniqueID": "T1213.001", "comment": "Consider periodic review of accounts and privileges for critical and sensitive Confluence repositories.", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1213.002", "comment": "Consider periodic review of accounts and privileges for critical and sensitive SharePoint repositories.", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1213.003", "comment": "Consider periodic reviews of accounts and privileges for critical and sensitive code repositories. Scan code repositories for exposed credentials or other sensitive information.", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1213.004", "comment": "Consider periodic review of accounts and privileges for critical and sensitive CRM data.", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1213.005", "comment": "Preemptively search through communication services to find inappropriately shared data, and take actions to reduce exposure when found. ", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1213.006", "comment": "Consider periodic review of accounts and privileges for critical and sensitive databases. ", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1610", "comment": "Scan images before deployment, and block those that are not in compliance with security policies. 
In Kubernetes environments, the admission controller can be used to validate images after a container deployment request is authenticated but before the container is deployed.(Citation: Kubernetes Hardening Guide)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1686", "comment": "Routinely check account role permissions to ensure only expected users and roles have permission to modify system firewalls.", "score": 1, "showSubtechniques": true}, {"techniqueID": "T1686.001", "comment": "Routinely check account role permissions to ensure only expected users and roles have permission to modify cloud firewalls. ", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1686.002", "comment": "Routinely check account role permissions to ensure only expected users and roles have permission to modify system firewalls.", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1686.003", "comment": "Routinely check account role permissions to ensure only expected users and roles have permission to modify system firewalls.", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1685", "comment": "Periodically verify that tools are functioning appropriately \u2013 for example, that all expected hosts with EDRs or monitoring agents are checking in to the central console. Check EDRs to ensure that no unexpected exclusion paths have been added. In Microsoft Defender for Endpoint, exclusions can be reviewed with the `Get-MpPreference` cmdlet.(Citation: CodeX Microsoft Defender 2021)", "score": 1, "showSubtechniques": true}, {"techniqueID": "T1685.001", "comment": "Consider periodic review of auditpol settings for Administrator accounts and perform dynamic baselining on SIEM(s) to investigate potential malicious activity. 
Also ensure that the EventLog service and its threads are properly running.", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1685.004", "comment": "Routinely check account role permissions to ensure only expected users and roles have permission to modify logging settings.\n\nTo ensure Audit rules cannot be modified at runtime, add `auditctl -e 2` as the last command in the audit.rules file. Once started, any attempt to change the configuration in this mode will be audited and denied. The configuration can only be changed by rebooting the machine.", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1484", "comment": "Identify and correct GPO permissions abuse opportunities (ex: GPO modification privileges) using auditing tools such as [BloodHound](https://attack.mitre.org/software/S0521) (version 1.5.1 and later)(Citation: GitHub Bloodhound).", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1484.001", "comment": "Identify and correct GPO permissions abuse opportunities (ex: GPO modification privileges) using auditing tools such as [BloodHound](https://attack.mitre.org/software/S0521) (version 1.5.1 and later).(Citation: GitHub Bloodhound)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1482", "comment": "Map the trusts within existing domains/forests and keep trust relationships to a minimum.", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1114", "comment": "Enterprise email solutions have monitoring mechanisms that may include the ability to audit auto-forwarding rules on a regular basis.\n\nIn an Exchange environment, Administrators can use Get-InboxRule to discover and remove potentially malicious auto-forwarding rules.(Citation: Microsoft Tim McMichael Exchange Mail Forwarding 2) ", "score": 1, "showSubtechniques": true}, {"techniqueID": "T1114.003", "comment": "Enterprise email solutions have monitoring 
mechanisms that may include the ability to audit auto-forwarding rules on a regular basis.\n\nIn an Exchange environment, Administrators can use `Get-InboxRule` / `Remove-InboxRule` and `Get-TransportRule` / `Remove-TransportRule` to discover and remove potentially malicious auto-forwarding and transport rules.(Citation: Microsoft Tim McMichael Exchange Mail Forwarding 2)(Citation: Microsoft Manage Mail Flow Rules 2023)(Citation: Microsoft Get-InboxRule) In addition to this, a MAPI Editor can be utilized to examine the underlying database structure and discover any modifications/tampering of the properties of auto-forwarding rules.(Citation: Pfammatter - Hidden Inbox Rules)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1546", "showSubtechniques": true}, {"techniqueID": "T1546.006", "comment": "Binaries can also be baselined for what dynamic libraries they require, and if an app requires a new dynamic library that wasn't included as part of an update, it should be investigated.", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1606", "comment": "Administrators should perform an audit of all access lists and the permissions they have been granted to access web applications and services. This should be done extensively on all resources in order to establish a baseline, followed up on with periodic audits of new or updated resources. Suspicious accounts/credentials should be investigated and removed.\n \nEnable advanced auditing on ADFS. Check the success and failure audit options in the ADFS Management snap-in. Enable Audit Application Generated events on the AD FS farm via Group Policy Object.(Citation: FireEye ADFS)", "score": 1, "showSubtechniques": true}, {"techniqueID": "T1606.001", "comment": "Administrators should perform an audit of all access lists and the permissions they have been granted to access web applications and services. 
This should be done extensively on all resources in order to establish a baseline, followed up on with periodic audits of new or updated resources. Suspicious accounts/credentials should be investigated and removed.", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1606.002", "comment": "Enable advanced auditing on AD FS. Check the success and failure audit options in the AD FS Management snap-in. Enable Audit Application Generated events on the AD FS farm via Group Policy Object.(Citation: FireEye ADFS)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1564", "comment": "Periodically audit virtual machines for abnormalities.", "score": 1, "showSubtechniques": true}, {"techniqueID": "T1564.006", "comment": "Periodically audit virtual machines for abnormalities. On ESXi servers, periodically compare the output of `vim-cmd vmsvc/getallvms`, which lists all VMs in vCenter, and `esxcli vm process list | grep Display`, which lists all VMs hosted on ESXi.(Citation: MITRE VMware Abuse 2024)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1564.008", "comment": "Enterprise email solutions may have monitoring mechanisms that may include the ability to audit inbox rules on a regular basis. \n\nIn an Exchange environment, Administrators can use `Get-InboxRule` / `Remove-InboxRule` and `Get-TransportRule` / `Remove-TransportRule` to discover and remove potentially malicious inbox and transport rules.(Citation: Microsoft Get-InboxRule)(Citation: Microsoft Manage Mail Flow Rules 2023)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1574", "comment": "Use auditing tools capable of detecting hijacking opportunities on systems within an enterprise and correct them. 
Toolkits like the PowerSploit framework contain PowerUp modules that can be used to explore systems for hijacking weaknesses.(Citation: Powersploit)\n\nUse the program sxstrace.exe that is included with Windows along with manual inspection to check manifest files for side-loading vulnerabilities in software.\n\nFind and eliminate path interception weaknesses in program configuration files, scripts, the PATH environment variable, services, and in shortcuts by surrounding PATH variables with quotation marks when functions allow for them. Be aware of the search order Windows uses for executing or loading binaries and use fully qualified paths wherever appropriate.\n\nClean up old Windows Registry keys when software is uninstalled to avoid keys with no associated legitimate binaries. Periodically search for and correct or report path interception weaknesses on systems that may have been introduced using custom or available tools that report software using insecure path configurations.(Citation: Microsoft CreateProcess)(Citation: Microsoft Dynamic-Link Library Security)(Citation: Vulnerability and Exploit Detector)", "score": 1, "showSubtechniques": true}, {"techniqueID": "T1574.001", "comment": "Use auditing tools capable of detecting DLL search order hijacking opportunities on systems within an enterprise and correct them. Toolkits like the PowerSploit framework contain PowerUp modules that can be used to explore systems for DLL hijacking weaknesses.(Citation: Powersploit)\n\nUse the program `sxstrace.exe` that is included with Windows, along with manual inspection, to check manifest files for side-by-side problems in software.(Citation: Microsoft Sxstrace)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1574.005", "comment": "Use auditing tools capable of detecting file system permissions abuse opportunities on systems within an enterprise and correct them. 
Toolkits like the PowerSploit framework contain PowerUp modules that can be used to explore systems for service file system permissions weaknesses.(Citation: Powersploit)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1574.007", "comment": "Find and eliminate path interception weaknesses in program configuration files, scripts, the PATH environment variable, services, and in shortcuts by surrounding PATH variables with quotation marks when functions allow for them. Be aware of the search order Windows uses for executing or loading binaries and use fully qualified paths wherever appropriate.\n\nClean up old Windows Registry keys when software is uninstalled to avoid keys with no associated legitimate binaries. Periodically search for and correct or report path interception weaknesses on systems that may have been introduced using custom or available tools that report software using insecure path configurations.(Citation: Microsoft CreateProcess)(Citation: Microsoft Dynamic-Link Library Security)(Citation: Vulnerability and Exploit Detector)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1574.008", "comment": "Find and eliminate path interception weaknesses in program configuration files, scripts, the PATH environment variable, services, and in shortcuts by surrounding PATH variables with quotation marks when functions allow for them. Be aware of the search order Windows uses for executing or loading binaries and use fully qualified paths wherever appropriate.\n\nClean up old Windows Registry keys when software is uninstalled to avoid keys with no associated legitimate binaries. 
Periodically search for and correct or report path interception weaknesses on systems that may have been introduced using custom or available tools that report software using insecure path configurations.(Citation: Microsoft CreateProcess)(Citation: Microsoft Dynamic-Link Library Security)(Citation: Vulnerability and Exploit Detector)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1574.009", "comment": "Find and eliminate path interception weaknesses in program configuration files, scripts, the PATH environment variable, services, and in shortcuts by surrounding PATH variables with quotation marks when functions allow for them. Be aware of the search order Windows uses for executing or loading binaries and use fully qualified paths wherever appropriate.\n\nClean up old Windows Registry keys when software is uninstalled to avoid keys with no associated legitimate binaries. Periodically search for and correct or report path interception weaknesses on systems that may have been introduced using custom or available tools that report software using insecure path configurations.(Citation: Microsoft CreateProcess)(Citation: Microsoft Dynamic-Link Library Security)(Citation: Vulnerability and Exploit Detector)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1574.010", "comment": "Use auditing tools capable of detecting file system permissions abuse opportunities on systems within an enterprise and correct them. 
Toolkits like the PowerSploit framework contain PowerUp modules that can be used to explore systems for service file system permissions weaknesses.(Citation: Powersploit)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1525", "comment": "Periodically check the integrity of images and containers used in cloud deployments to ensure they have not been modified to include malicious software.", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1070", "showSubtechniques": true}, {"techniqueID": "T1070.008", "comment": "In an Exchange environment, Administrators can use `Get-TransportRule` / `Remove-TransportRule` to discover and remove potentially malicious transport rules.(Citation: Microsoft Manage Mail Flow Rules 2023)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1036", "comment": "Audit user accounts to ensure that each one has a defined purpose.", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1036.010", "comment": "Audit user accounts to ensure that each one has a defined purpose.  ", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1036.012", "comment": "Review and limit the fingerprinting surface to only necessary information on each browser to make the browser less unique. For example, the available fonts may be limited to a standard font list. (Citation: W3C)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1556", "comment": "Review authentication logs to ensure that mechanisms such as enforcement of MFA are functioning as intended.\n\nPeriodically review the hybrid identity solution in use for any discrepancies. 
For example, review all Pass Through Authentication (PTA) agents in the Azure Management Portal to identify any unwanted or unapproved ones.(Citation: Mandiant Azure AD Backdoors) If ADFS is in use, review DLLs and executable files in the AD FS and Global Assembly Cache directories to ensure that they are signed by Microsoft. Note that in some cases binaries may be catalog-signed, which may cause the file to appear unsigned when viewing file properties.(Citation: MagicWeb)\n\nPeriodically review for new and unknown network provider DLLs within the Registry (`HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\\\NetworkProvider\\ProviderPath`). Ensure only valid network provider DLLs are registered. The name of these can be found in the Registry key at `HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\NetworkProvider\\Order`, and have corresponding service subkey pointing to a DLL at `HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\\\NetworkProvider`.", "score": 1, "showSubtechniques": true}, {"techniqueID": "T1556.006", "comment": "Review MFA actions alongside authentication logs to ensure that MFA-based logins are functioning as intended. Review user accounts to ensure that all accounts have MFA enabled.(Citation: Mandiant Cloudy Logs 2023)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1556.007", "comment": "Periodically review the hybrid identity solution in use for any discrepancies. For example, review all PTA agents in the Entra ID Management Portal to identify any unwanted or unapproved ones.(Citation: Mandiant Azure AD Backdoors) If ADFS is in use, review DLLs and executable files in the AD FS and Global Assembly Cache directories to ensure that they are signed by Microsoft. 
Note that in some cases binaries may be catalog-signed, which may cause the file to appear unsigned when viewing file properties.(Citation: MagicWeb)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1556.008", "comment": "Periodically review for new and unknown network provider DLLs within the Registry (`HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\\\NetworkProvider\\ProviderPath`).\n\nEnsure only valid network provider DLLs are registered. The name of these can be found in the Registry key at `HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\NetworkProvider\\Order`, and have corresponding service subkey pointing to a DLL at `HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\\\NetworkProvider`.", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1578", "comment": "Routinely monitor user permissions to ensure only the expected users have the capability to modify cloud compute infrastructure components.", "score": 1, "showSubtechniques": true}, {"techniqueID": "T1578.001", "comment": "Routinely check user permissions to ensure only the expected users have the capability to create snapshots and backups.", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1578.002", "comment": "Routinely check user permissions to ensure only the expected users have the capability to create new instances.", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1578.003", "comment": "Routinely check user permissions to ensure only the expected users have the capability to delete new instances.", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1578.005", "comment": "Routinely monitor user permissions to ensure only the expected users have the capability to request quota adjustments or modify tenant-level compute settings.", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1666", "comment": 
"Periodically audit resource groups in the cloud management console to ensure that only expected items exist, especially close to the top of the hierarchy (e.g., AWS accounts and Azure subscriptions). Typically, top-level accounts (such as the AWS management account) should not contain any workloads or resources.(Citation: AWS Management Account Best Practices)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1095", "comment": "Periodically investigate ESXi hosts for open VMCI ports. Running the `lsof -A` command and inspecting results with a type of `SOCKET_VMCI` will reveal processes that have open VMCI ports.(Citation: Google Cloud Threat Intelligence ESXi Hardening 2023)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1027", "comment": "Consider periodic review of common fileless storage locations (such as the Registry or WMI repository) to potentially identify abnormal and malicious data.", "score": 1, "showSubtechniques": true}, {"techniqueID": "T1027.011", "comment": "Consider periodic review of common fileless storage locations (such as the Registry or WMI repository) to potentially identify abnormal and malicious data.", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1566", "comment": "Perform audits or scans of systems, permissions, insecure software, insecure configurations, etc. to identify potential weaknesses.", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1566.001", "comment": "Enable auditing and monitoring for email attachments and file transfers to detect and investigate suspicious activity. Regularly review logs for anomalies related to attachments containing potentially malicious content, as well as any attempts to execute or interact with these files. 
This practice helps identify spearphishing attempts before they can lead to further compromise.", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1566.002", "comment": "Audit applications and their permissions to ensure access to data and resources are limited based upon necessity and principle of least privilege.", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1566.003", "comment": "Implement auditing and logging for interactions with third-party messaging services or collaboration platforms. Monitor user activity and review logs for signs of suspicious links, downloads, or file exchanges that could indicate spearphishing attempts. Effective auditing allows for the quick identification of malicious activity originating from compromised service accounts.", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1653", "comment": "Periodically inspect systems for abnormal and unexpected power settings that may indicate malicious activity.", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1542", "comment": "Perform audits or scans of systems, permissions, insecure software, insecure configurations, etc. to identify potential weaknesses.", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1542.004", "comment": "Periodically check the integrity of system image to ensure it has not been modified. (Citation: Cisco IOS Software Integrity Assurance - Image File Integrity) (Citation: Cisco IOS Software Integrity Assurance - Image File Verification) (Citation: Cisco IOS Software Integrity Assurance - Change Control) ", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1542.005", "comment": "Periodically check the integrity of the running configuration and system image to ensure they have not been modified. 
(Citation: Cisco IOS Software Integrity Assurance - Image File Verification) (Citation: Cisco IOS Software Integrity Assurance - Image File Integrity) (Citation: Cisco IOS Software Integrity Assurance - Change Control) ", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1563", "showSubtechniques": true}, {"techniqueID": "T1563.002", "comment": "Audit the Remote Desktop Users group membership regularly. Remove unnecessary accounts and groups from Remote Desktop Users groups.", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1021", "comment": "Perform audits or scans of systems, permissions, insecure software, insecure configurations, etc. to identify potential weaknesses.", "score": 1, "showSubtechniques": true}, {"techniqueID": "T1021.001", "comment": "Audit the Remote Desktop Users group membership regularly. Remove unnecessary accounts and groups from Remote Desktop Users groups.", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1021.005", "comment": "Inventory workstations for unauthorized VNC server software.", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1053", "comment": "Toolkits like the PowerSploit framework contain PowerUp modules that can be used to explore systems for permission weaknesses in scheduled tasks that could be used to escalate privileges. (Citation: Powersploit)", "score": 1, "showSubtechniques": true}, {"techniqueID": "T1053.002", "comment": "Toolkits like the PowerSploit framework contain PowerUp modules that can be used to explore systems for permission weaknesses in scheduled tasks that could be used to escalate privileges. (Citation: Powersploit) The Windows operating system also creates a registry key specifically associated with the creation of a scheduled task on the destination host at: Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\Tree\\At1. 
(Citation: Secureworks - AT.exe Scheduled Task) In Linux and macOS environments, scheduled tasks using [at](https://attack.mitre.org/software/S0110) can be audited locally, or through centrally collected logging, using syslog, or auditd events from the host. (Citation: Kifarunix - Task Scheduling in Linux)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1053.003", "comment": "Review changes to the cron schedule. cron execution can be reviewed within the /var/log directory. To validate the location of the cron log file, check the syslog config at /etc/rsyslog.conf or /etc/syslog.conf.", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1053.005", "comment": "Toolkits like the PowerSploit framework contain PowerUp modules that can be used to explore systems for permission weaknesses in scheduled tasks that could be used to escalate privileges. (Citation: Powersploit)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1593", "comment": "Scan public code repositories for exposed credentials or other sensitive information before making commits. Ensure that any leaked credentials are removed from the commit history, not just the current latest version of the code.", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1593.003", "comment": "Scan public code repositories for exposed credentials or other sensitive information before making commits. 
Ensure that any leaked credentials are removed from the commit history, not just the current latest version of the code.", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1505", "comment": "Regularly check component software on critical services that adversaries may target for persistence to verify the integrity of the systems and identify if unexpected changes have been made.", "score": 1, "showSubtechniques": true}, {"techniqueID": "T1505.001", "comment": "Regularly check component software on critical services that adversaries may target for persistence to verify the integrity of the systems and identify if unexpected changes have been made. ", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1505.002", "comment": "Regularly check component software on critical services that adversaries may target for persistence to verify the integrity of the systems and identify if unexpected changes have been made. ", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1505.004", "comment": "Regularly check installed IIS components to verify the integrity of the web server and identify if unexpected changes have been made.", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1505.005", "comment": "Regularly check component software on critical services that adversaries may target for persistence to verify the integrity of the systems and identify if unexpected changes have been made.", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1505.006", "comment": "Periodically audit ESXi hosts to ensure that only approved VIBs are installed. 
The command `esxcli software vib list` lists installed VIBs, and `esxcli software vib signature verify` verifies the signatures of installed VIBs; any VIB that is not on the approved list or that fails signature verification warrants investigation.(Citation: Google Cloud Threat Intelligence ESXi VIBs 2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1684", "comment": "Auditing email, identity, SaaS and endpoint activity enables correlation of actions that individually appear legitimate.(Citation: Proofpoint TA427 April 2024)(Citation: Unit 42 Global Incident Response Report 2026)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1176", "comment": "Ensure that installed extensions are the intended ones, as malicious extensions often masquerade as legitimate ones.", "score": 1, "showSubtechniques": true}, {"techniqueID": "T1176.001", "comment": "Ensure that installed extensions are the intended ones, as malicious extensions often masquerade as legitimate ones.", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1176.002", "comment": "Ensure that installed extensions are the intended ones, as malicious extensions often masquerade as legitimate ones.", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1528", "comment": "Administrators should audit all cloud and container accounts to ensure that they are necessary and that the permissions granted to them are appropriate. Additionally, administrators should audit all OAuth applications and the permissions they have been granted to access organizational data. This should be done extensively on all applications in order to establish a baseline, followed by periodic audits of new or updated applications. 
Suspicious applications should be investigated and removed.", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1649", "comment": "Check and remediate unneeded existing authentication certificates as well as common abusable misconfigurations of CA settings and permissions, such as AD CS certificate enrollment permissions and published overly permissive certificate templates (which define the settings available to certificates issued from them). For example, available AD CS certificate templates can be checked via the Certificate Authority MMC snap-in (`certsrv.msc`). `certutil.exe` can also be used to examine information within an AD CS CA database.(Citation: SpecterOps Certified Pre Owned)(Citation: GitHub PSPKIAudit)(Citation: GitHub Certify)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1558", "comment": "Perform audits or scans of systems, permissions, insecure software, insecure configurations, etc. to identify potential weaknesses.", "score": 1, "showSubtechniques": true}, {"techniqueID": "T1558.004", "comment": "Kerberos preauthentication is enabled by default. Because older protocols might not support preauthentication, the setting can legitimately be disabled on some accounts, but any such account is exposed to AS-REP roasting. Make sure that all accounts require preauthentication wherever possible, and audit changes to the setting. Windows tools such as PowerShell can be used to find which accounts have preauthentication disabled, for example by querying the DoesNotRequirePreAuth account property.(Citation: Microsoft Preauthentication Jul 2012)(Citation: Stealthbits Cracking AS-REP Roasting Jun 2019)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1558.005", "comment": "Enable and perform audits or scans of systems, permissions, insecure software, insecure configurations, etc. to identify potential weaknesses.(Citation: Brining MimiKatz to Unix) For example, use auditd to audit access to hashes, machine tickets, or /tmp files. 
If using sssd and Vintela, ensure Kerberos is disabled if it is not being used.(Citation: audits linikatz)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1539", "comment": "Implement auditing of authentication activity and user logins to detect the use of stolen session cookies. Monitor for impossible-travel scenarios and other anomalous behavior that could indicate the use of compromised session tokens or cookies.", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1552", "comment": "Preemptively search for files containing passwords or other credentials and take action to reduce the exposure risk when found.", "score": 1, "showSubtechniques": true}, {"techniqueID": "T1552.001", "comment": "Preemptively search for files containing passwords and take action to reduce the exposure risk when found.", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1552.002", "comment": "Proactively search for credentials within the Registry and remediate the exposure when found.", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1552.004", "comment": "Ensure that only authorized keys are allowed access to critical resources, and audit access lists regularly.", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1552.006", "comment": "Search SYSVOL for any existing Group Policy Preference (GPP) XML files that still carry a cpassword attribute, remove them, and rotate the credentials they contain, since the key used to encrypt cpassword values is public.(Citation: ADSecurity Finding Passwords in SYSVOL)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1552.008", "comment": "Preemptively search through communication services to find shared, unsecured credentials. Search for common patterns such as \"password is \" and \"password=\", and take action to reduce exposure when found. 
", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1550", "comment": "Perform audits or scans of systems, permissions, insecure software, insecure configurations, etc. to identify potential weaknesses.", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1550.001", "comment": "Administrators should audit all cloud and container accounts to ensure that they are necessary and that the permissions granted to them are appropriate. Where possible, the ability to request temporary account tokens on behalf of another account should be disabled. Additionally, administrators can leverage audit tools to monitor actions that can be conducted as a result of OAuth 2.0 access. For instance, audit reports enable admins to identify privilege escalation actions such as role creation or policy modification, which may follow initial access.", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1204", "showSubtechniques": true}, {"techniqueID": "T1204.003", "comment": "Audit images deployed within the environment to ensure they do not contain any malicious components.", "score": 1, "color": "#66b1ff", "showSubtechniques": true}], "gradient": {"colors": ["#ffffff", "#66b1ff"], "minValue": 0, "maxValue": 1}, "legendItems": [{"label": "mitigated by Audit", "color": "#66b1ff"}]}
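The T1558.004 entry above says to find accounts with Kerberos preauthentication disabled and to audit changes to that setting. The following is an added example, not part of the ATT&CK layer or of any MITRE tooling: it decodes the DONT_REQ_PREAUTH bit (0x400000) of userAccountControl from a constructed export of sAMAccountName/userAccountControl pairs, lists the affected accounts, and diffs two snapshots so that a newly disabled account stands out. The account names are invented; in a real domain the same check is one line of PowerShell, `Get-ADUser -Filter 'DoesNotRequirePreAuth -eq $true' -Properties DoesNotRequirePreAuth`, and this script is what you would run over an exported snapshot or an LDAP query result.

```python
"""Audit Active Directory accounts for disabled Kerberos preauthentication.

Added example; not part of the ATT&CK layer. An account with the
DONT_REQ_PREAUTH bit (0x400000) set in userAccountControl skips
preauthentication, so anyone can request an AS-REP for it and crack the
encrypted part offline (AS-REP roasting). The records below are constructed
to look like an export of sAMAccountName and userAccountControl values.
"""
from typing import Dict, Iterable, List, Tuple

# userAccountControl flag bits (ADS_USER_FLAG values from the Windows SDK)
ACCOUNTDISABLE = 0x2
NORMAL_ACCOUNT = 0x200
DONT_EXPIRE_PASSWORD = 0x10000
DONT_REQ_PREAUTH = 0x400000

Record = Tuple[str, int]  # (sAMAccountName, userAccountControl)

# Constructed sample export; none of these are real accounts.
SAMPLE_ACCOUNTS: List[Record] = [
    ("alice", NORMAL_ACCOUNT),
    ("svc_backup", NORMAL_ACCOUNT | DONT_REQ_PREAUTH),
    ("legacy_app", NORMAL_ACCOUNT | DONT_REQ_PREAUTH | ACCOUNTDISABLE),
    ("bob", NORMAL_ACCOUNT | DONT_EXPIRE_PASSWORD),
]


def preauth_disabled(uac: int) -> bool:
    """True when the account does not require Kerberos preauthentication."""
    return bool(uac & DONT_REQ_PREAUTH)


def accounts_without_preauth(records: Iterable[Record],
                             include_disabled: bool = False) -> List[str]:
    """Names of accounts that skip preauthentication.

    Disabled accounts are excluded by default because they cannot be roasted
    until re-enabled, but they still deserve cleanup, hence the switch.
    """
    names = []
    for name, uac in records:
        if not preauth_disabled(uac):
            continue
        if uac & ACCOUNTDISABLE and not include_disabled:
            continue
        names.append(name)
    return sorted(names)


def preauth_changes(baseline: Iterable[Record],
                    current: Iterable[Record]) -> Dict[str, List[str]]:
    """Diff two snapshots to audit changes to the setting over time.

    'newly_disabled' lists accounts that now skip preauthentication but did
    not in the baseline (including accounts created since); 're_enabled'
    lists accounts that required it again in the current snapshot.
    """
    before = {name: preauth_disabled(uac) for name, uac in baseline}
    after = {name: preauth_disabled(uac) for name, uac in current}
    newly_disabled = sorted(n for n, off in after.items()
                            if off and not before.get(n, False))
    re_enabled = sorted(n for n, off in before.items()
                        if off and n in after and not after[n])
    return {"newly_disabled": newly_disabled, "re_enabled": re_enabled}


if __name__ == "__main__":
    print("preauth disabled:", accounts_without_preauth(SAMPLE_ACCOUNTS))
    print("including disabled accounts:",
          accounts_without_preauth(SAMPLE_ACCOUNTS, include_disabled=True))
    baseline = [("alice", NORMAL_ACCOUNT), ("svc_backup", NORMAL_ACCOUNT)]
    print("changes since baseline:", preauth_changes(baseline, SAMPLE_ACCOUNTS))
```

Keeping a dated snapshot of the export and running `preauth_changes` against the next one is the cheapest way to satisfy the "audit changes to the setting" part of the guidance; a service account that flips to `newly_disabled` without a change ticket is worth a conversation.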
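Two of the T1552 entries above call for proactive searches: SYSVOL for Group Policy Preference files carrying a cpassword attribute (T1552.006) and communication services for patterns such as "password is " or "password=" (T1552.008). The following is an added example, not part of the ATT&CK layer, that does both over constructed inputs: a Groups.xml fragment with a filler cpassword value (not a real encrypted secret) and four invented chat lines. In practice `scan_gpp_xml` would be called on each XML file found under the Policies tree of the SYSVOL share and `scan_messages` on an export from the chat or ticketing system.

```python
"""Find credentials exposed in Group Policy Preference files and in chat text.

Added example; not part of the ATT&CK layer. The Groups.xml fragment and the
chat lines are constructed for the example; the cpassword value is filler.
"""
import re
import xml.etree.ElementTree as ET
from typing import Dict, List

# Constructed GPP file of the kind found under
# \\<domain>\SYSVOL\<domain>\Policies\<GUID>\Machine\Preferences\Groups\Groups.xml
SAMPLE_GROUPS_XML = """<?xml version="1.0" encoding="utf-8"?>
<Groups clsid="{3125E937-EB16-4b4c-9934-544FC6D24D26}">
  <User clsid="{DF5F1855-51E5-4d24-8B1A-D9BDE98BA1D1}" name="LocalAdmin"
        changed="2015-02-18 14:02:05" uid="{11111111-2222-3333-4444-555555555555}">
    <Properties action="U" newName="" fullName="" description=""
        cpassword="AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA" changeLogon="0"
        noChange="1" neverExpires="1" acctDisabled="0" userName="LocalAdmin"/>
  </User>
</Groups>
"""

# Constructed chat export, one message per line.
SAMPLE_MESSAGES = [
    "2024-05-02 09:14 bob: the wifi password is Spring2024!",
    "2024-05-02 09:15 alice: deploy with DB_PASSWORD=hunter2 for now",
    "2024-05-02 09:16 carol: can someone reset my password please?",
    "2024-05-02 09:17 dave: see ticket INC-4411 for the runbook",
]

# The phrases from the audit guidance ("password is ", "password=") plus the
# colon form; matched case-insensitively so PASSWORD= is caught as well.
SHARED_PASSWORD_PATTERNS = [
    re.compile(r"\bpassword\s+is\b", re.IGNORECASE),
    re.compile(r"password\s*[=:]\s*\S+", re.IGNORECASE),
]


def scan_gpp_xml(xml_text: str, source: str = "Groups.xml") -> List[Dict[str, str]]:
    """Report every element in a GPP XML document that carries a cpassword.

    The secret itself is deliberately not returned: the finding records where
    it is and which account it belongs to, which is what the cleanup needs,
    without copying the ciphertext into yet another log.
    """
    findings = []
    for elem in ET.fromstring(xml_text).iter():
        value = elem.get("cpassword")
        if value:
            findings.append({
                "source": source,
                "tag": elem.tag,
                "account": elem.get("userName") or elem.get("accountName", ""),
                "cpassword_length": str(len(value)),
            })
    return findings


def scan_messages(lines: List[str]) -> List[int]:
    """1-based indexes of messages that look like a shared credential."""
    return [i for i, line in enumerate(lines, 1)
            if any(p.search(line) for p in SHARED_PASSWORD_PATTERNS)]


if __name__ == "__main__":
    for finding in scan_gpp_xml(SAMPLE_GROUPS_XML):
        print("GPP cpassword:", finding)
    for i in scan_messages(SAMPLE_MESSAGES):
        print("shared credential candidate:", SAMPLE_MESSAGES[i - 1])
```

The third chat line ("reset my password please?") is included to show that the patterns key on a value following the word, not on the word alone; tune the regular expressions to the house vocabulary (`pw`, `passwd`, `creds`) before running them over a real export.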
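The T1053.003 entry above says to confirm the cron log location by checking /etc/rsyslog.conf or /etc/syslog.conf rather than assuming /var/log/cron exists. The following is an added example, not part of the ATT&CK layer: it parses the classic selector/action lines of those files and returns the actions that actually receive the cron facility, honouring a later `cron.none` that excludes cron from a catch-all rule. The configuration fragment is constructed for the example in the style of a RHEL-family rsyslog.conf.

```python
"""Resolve where cron messages land according to a syslog configuration.

Added example; not part of the ATT&CK layer. Only the legacy selector/action
syntax shared by syslogd and rsyslogd is handled; the configuration text
below is constructed for the example.
"""
from typing import List

# Constructed fragment in the style of a RHEL-family /etc/rsyslog.conf
SAMPLE_RSYSLOG_CONF = """
# Log anything (except mail) of level info or higher.
*.info;mail.none;authpriv.none;cron.none                /var/log/messages
# The authpriv file has restricted access.
authpriv.*                                              /var/log/secure
# Log cron stuff
cron.*                                                  /var/log/cron
# Everybody gets emergency messages
*.emerg                                                 :omusrmsg:*
# forward everything to a central collector (TCP)
*.*                                                     @@loghost.example.internal:514
"""


def selector_matches_cron(selector: str) -> bool:
    """Evaluate one selector field (e.g. '*.info;cron.none') for the cron facility.

    Parts are applied left to right, so a later 'cron.none' overrides an
    earlier '*.info', which is how syslogd and rsyslogd interpret them.
    """
    matched = False
    for part in selector.split(";"):
        if "." not in part:
            continue
        facilities, priority = part.rsplit(".", 1)
        names = facilities.split(",")
        if "cron" in names or "*" in names:
            matched = priority.lower() != "none"
    return matched


def cron_log_targets(config_text: str, files_only: bool = True) -> List[str]:
    """Actions that receive cron messages: log files, or any target when files_only=False."""
    targets = []
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(None, 1)
        if len(fields) != 2 or "." not in fields[0]:
            continue  # directives such as $ModLoad or module(...) are not selectors
        selector, action = fields
        if not selector_matches_cron(selector):
            continue
        action = action.lstrip("-")  # a leading '-' only disables sync writes
        if files_only and not action.startswith("/"):
            continue
        targets.append(action)
    return targets


if __name__ == "__main__":
    print("cron log files:", cron_log_targets(SAMPLE_RSYSLOG_CONF))
    print("all cron targets:",
          cron_log_targets(SAMPLE_RSYSLOG_CONF, files_only=False))
```

Run it over the concatenation of /etc/rsyslog.conf and whatever it pulls in from /etc/rsyslog.d, because Debian-style installs keep the `cron.*` line in an included file, and remember that a system whose only cron target is a remote collector (the `@@` form) has no local file to review at all.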