{"description": "Enterprise techniques mitigated by Application Isolation and Sandboxing, ATT&CK mitigation M1048 (v1.3)", "name": "Application Isolation and Sandboxing (M1048)", "domain": "enterprise-attack", "versions": {"layer": "4.5", "attack": "19", "navigator": "5.3.2"}, "techniques": [{"techniqueID": "T1189", "comment": "Browser sandboxes can be used to mitigate some of the impact of exploitation, but sandbox escapes may still exist.(Citation: Windows Blogs Microsoft Edge Sandbox)(Citation: Ars Technica Pwn2Own 2017 VM Escape)\n\nOther types of virtualization and application microsegmentation may also mitigate the impact of client-side exploitation. The risks of additional exploits and weaknesses in implementation may still exist for these types of systems.(Citation: Ars Technica Pwn2Own 2017 VM Escape)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1611", "comment": "Consider utilizing seccomp, seccomp-bpf, or a similar solution that restricts certain system calls such as mount. In Kubernetes environments, consider defining Pod Security Standards that limit container access to host process namespaces, the host network, and the host file system.(Citation: Kubernetes Hardening Guide)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1190", "comment": "Application isolation will limit what other processes and system features the exploited target can access.", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1203", "comment": "Browser sandboxes can be used to mitigate some of the impact of exploitation, but sandbox escapes may still exist. (Citation: Windows Blogs Microsoft Edge Sandbox) (Citation: Ars Technica Pwn2Own 2017 VM Escape)\n\nOther types of virtualization and application microsegmentation may also mitigate the impact of client-side exploitation. Risks of additional exploits and weaknesses in those systems may still exist. (Citation: Ars Technica Pwn2Own 2017 VM Escape)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
{"techniqueID": "T1212", "comment": "Make it difficult for adversaries to advance their operation through exploitation of undiscovered or unpatched vulnerabilities by using sandboxing. Other types of virtualization and application microsegmentation may also mitigate the impact of some types of exploitation. Risks of additional exploits and weaknesses in these systems may still exist.(Citation: Ars Technica Pwn2Own 2017 VM Escape)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1068", "comment": "Make it difficult for adversaries to advance their operation through exploitation of undiscovered or unpatched vulnerabilities by using sandboxing. Other types of virtualization and application microsegmentation may also mitigate the impact of some types of exploitation. Risks of additional exploits and weaknesses in these systems may still exist. (Citation: Ars Technica Pwn2Own 2017 VM Escape)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1211", "comment": "Make it difficult for adversaries to advance their operation through exploitation of undiscovered or unpatched vulnerabilities by using sandboxing. Other types of virtualization and application microsegmentation may also mitigate the impact of some types of exploitation. Risks of additional exploits and weaknesses in these systems may still exist. (Citation: Ars Technica Pwn2Own 2017 VM Escape)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1210", "comment": "Make it difficult for adversaries to advance their operation through exploitation of undiscovered or unpatched vulnerabilities by using sandboxing. Other types of virtualization and application microsegmentation may also mitigate the impact of some types of exploitation. Risks of additional exploits and weaknesses in these systems may still exist. (Citation: Ars Technica Pwn2Own 2017 VM Escape)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
{"techniqueID": "T1559", "comment": "Ensure all COM alerts and Protected View are enabled.(Citation: Microsoft Protected View)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1559.001", "comment": "Ensure all COM alerts and Protected View are enabled.(Citation: Microsoft Protected View)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1559.002", "comment": "Ensure Protected View is enabled.(Citation: Microsoft Protected View)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1027", "showSubtechniques": true}, {"techniqueID": "T1027.006", "comment": "Use Browser Extensions or Built-in Security Tools that:\n\n- Monitor JavaScript API calls such as `Blob`, `URL.createObjectURL`, and `msSaveOrOpenBlob`\n- Intercept and analyze HTML5 `download` attributes for suspicious payload generation\n- Alert or block behaviors that match known HTML smuggling patterns (e.g., blob-to-disk payload construction)\n\nApply Content Security Policy (CSP) headers to:\n\n- Restrict inline JavaScript and dynamic script generation\n- Disallow downloads from unauthorized sources or blob URIs\n- Prevent cross-origin resource sharing (CORS) abuse commonly used in smuggling chains\n\nEnable or enforce enterprise browser security controls, such as:\n\n- Endpoint's Network Protection and Attack Surface Reduction (ASR) rules, which can block Office and browser processes from creating child processes or writing to disk in suspicious ways\n- Google Chrome Enterprise Policies, which can control file download behavior, restrict extensions, and isolate risky browsing environments\n\nDeploy browser sandboxing solutions that can isolate JavaScript execution environments and enforce behavioral policy restrictions", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1027.017",
"comment": "Browser sandboxes can be used to mitigate some of the impact of exploitation, but sandbox escapes may still exist. ", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1021", "showSubtechniques": true}, {"techniqueID": "T1021.003", "comment": "Ensure all COM alerts and Protected View are enabled.(Citation: Microsoft Protected View)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}], "gradient": {"colors": ["#ffffff", "#66b1ff"], "minValue": 0, "maxValue": 1}, "legendItems": [{"label": "mitigated by Application Isolation and Sandboxing", "color": "#66b1ff"}]}