{"description": "Enterprise techniques mitigated by Software Configuration, ATT&CK mitigation M1054 (v1.3)", "name": "Software Configuration (M1054)", "domain": "enterprise-attack", "versions": {"layer": "4.5", "attack": "19", "navigator": "5.3.2"}, "techniques": [{"techniqueID": "T1543", "comment": "Where possible, consider enforcing the use of container services in rootless mode to limit the possibility of privilege escalation or malicious effects on the host running the container.", "score": 1, "showSubtechniques": true}, {"techniqueID": "T1543.005", "comment": "Where possible, consider enforcing the use of container services in rootless mode to limit the possibility of privilege escalation or malicious effects on the host running the container.  ", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1555", "showSubtechniques": true}, {"techniqueID": "T1555.005", "comment": "Consider re-locking password managers after a short timeout to limit the time plaintext credentials live in memory from decrypted databases.", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1602", "comment": "Allowlist MIB objects and implement SNMP views.(Citation: Cisco Securing SNMP)", "score": 1, "showSubtechniques": true}, {"techniqueID": "T1602.001", "comment": "Allowlist MIB objects and implement SNMP views.(Citation: Cisco Securing SNMP)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1602.002", "comment": "Allowlist MIB objects and implement SNMP views. Disable Smart Install (SMI) if not used.(Citation: Cisco Securing SNMP)(Citation: US-CERT TA18-106A Network Infrastructure Devices 2018) ", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1213", "comment": "Consider implementing data retention policies to automate periodically archiving and/or deleting data that is no longer needed.  ", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1213.004", "comment": "Consider implementing data retention policies to automate periodically archiving and/or deleting data that is no longer needed.   ", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1213.006", "comment": "Consider implementing data retention policies to automate periodically archiving and/or deleting data that is no longer needed. ", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1685", "comment": "Consider automatically relaunching forwarding mechanisms at recurring intervals (ex: temporal, on-logon, etc.) as well as applying appropriate change management to firewall rules and other related system configurations.", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1689", "comment": "Consider implementing policies on internal web servers, such HTTP Strict Transport Security, that enforce the use of HTTPS/network traffic encryption to prevent insecure connections.(Citation: Chromium HSTS)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1667", "comment": "Use anti-spoofing and email authentication mechanisms to filter messages based on validity checks of the sender domain (using SPF) and integrity of messages (using DKIM). Enabling these mechanisms within an organization (through policies such as DMARC) may enable recipients (intra-org and cross domain) to perform similar message filtering and validation.(Citation: Microsoft Anti Spoofing)(Citation: ACSC Email Spoofing) Note that additional filtering may be necessary if emails are coming from legitimate sources. ", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1546", "showSubtechniques": true}, {"techniqueID": "T1546.013", "comment": "Avoid PowerShell profiles if not needed. Use the -No Profile flag with when executing PowerShell scripts remotely to prevent local profiles and scripts from being executed.", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1606", "comment": "Configure browsers/applications to regularly delete persistent web credentials (such as cookies).", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1606.001", "comment": "Configure browsers/applications to regularly delete persistent web cookies.", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1590", "showSubtechniques": true}, {"techniqueID": "T1590.002", "comment": "Consider implementing policies for DNS servers, such as Zone Transfer Policies, that enforce a list of validated servers permitted for zone transfers.(Citation: DNS-msft)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1559", "comment": "Consider disabling embedded files in Office programs, such as OneNote, that do not work with Protected View.(Citation: Enigma Reviving DDE Jan 2018)(Citation: GitHub Disable DDEAUTO Oct 2017)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1559.002", "comment": "Consider disabling embedded files in Office programs, such as OneNote, that do not work with Protected View.(Citation: Enigma Reviving DDE Jan 2018)(Citation: GitHub Disable DDEAUTO Oct 2017)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1666", "comment": "In Azure environments, consider setting a policy to block subscription transfers.(Citation: Azure Subscription Policies) In AWS environments, consider using Service Control Policies to prevent the use of the `LeaveOrganization` API call.(Citation: AWS RE:Inforce Threat Detection 2024)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1137", "comment": "For the Office Test method, create the Registry key used to execute it and set the permissions to \"Read Control\" to prevent easy access to the key without administrator permissions or requiring Privilege Escalation. (Citation: Palo Alto Office Test Sofacy)", "score": 1, "showSubtechniques": true}, {"techniqueID": "T1137.002", "comment": "Create the Registry key used to execute it and set the permissions to \"Read Control\" to prevent easy access to the key without administrator permissions or requiring Privilege Escalation.(Citation: Palo Alto Office Test Sofacy)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1566", "comment": "Use anti-spoofing and email authentication mechanisms to filter messages based on validity checks of the sender domain (using SPF) and integrity of messages (using DKIM). Enabling these mechanisms within an organization (through policies such as DMARC) may enable recipients (intra-org and cross domain) to perform similar message filtering and validation.(Citation: Microsoft Anti Spoofing)(Citation: ACSC Email Spoofing)", "score": 1, "showSubtechniques": true}, {"techniqueID": "T1566.001", "comment": "Use anti-spoofing and email authentication mechanisms to filter messages based on validity checks of the sender domain (using SPF) and integrity of messages (using DKIM). Enabling these mechanisms within an organization (through policies such as DMARC) may enable recipients (intra-org and cross domain) to perform similar message filtering and validation.(Citation: Microsoft Anti Spoofing)(Citation: ACSC Email Spoofing)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1566.002", "comment": "Use anti-spoofing and email authentication mechanisms to filter messages based on validity checks of the sender domain (using SPF) and integrity of messages (using DKIM). Enabling these mechanisms within an organization (through policies such as DMARC) may enable recipients (intra-org and cross domain) to perform similar message filtering and validation.(Citation: Microsoft Anti Spoofing)(Citation: ACSC Email Spoofing).\n\nFurthermore, policies may enforce / install browser extensions that protect against IDN and homograph attacks.", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1598", "comment": "Use anti-spoofing and email authentication mechanisms to filter messages based on validity checks of the sender domain (using SPF) and integrity of messages (using DKIM). Enabling these mechanisms within an organization (through policies such as DMARC) may enable recipients (intra-org and cross domain) to perform similar message filtering and validation.(Citation: Microsoft Anti Spoofing)(Citation: ACSC Email Spoofing)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1598.002", "comment": "Use anti-spoofing and email authentication mechanisms to filter messages based on validity checks of the sender domain (using SPF) and integrity of messages (using DKIM). Enabling these mechanisms within an organization (through policies such as DMARC) may enable recipients (intra-org and cross domain) to perform similar message filtering and validation.(Citation: Microsoft Anti Spoofing)(Citation: ACSC Email Spoofing)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1598.003", "comment": "Use anti-spoofing and email authentication mechanisms to filter messages based on validity checks of the sender domain (using SPF) and integrity of messages (using DKIM). Enabling these mechanisms within an organization (through policies such as DMARC) may enable recipients (intra-org and cross domain) to perform similar message filtering and validation.(Citation: Microsoft Anti Spoofing)(Citation: ACSC Email Spoofing)\n\nFurthermore, policies may enforce / install browser extensions that protect against IDN and homograph attacks. Browser password managers may also be configured to only populate credential fields when the URL matches that of the original, legitimate site. ", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1677", "comment": "Where possible, avoid allowing pipelines to run unreviewed code. Where this is necessary, ensure that these pipelines are executed on isolated nodes without access to secrets. In GitHub, avoid using the `pull_request_target` trigger if possible, do not treat user-controlled inputs (such as branch names) as trusted, and do not use self-hosted runners on public repositories.  ", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1688", "comment": "Ensure that endpoint defenses run in safe mode.(Citation: CyberArk Labs Safe Mode 2016)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1684", "showSubtechniques": true}, {"techniqueID": "T1684.002", "comment": "Use anti-spoofing and email authentication mechanisms to filter messages based on validity checks of the sender domain (using SPF) and integrity of messages (using DKIM). Enabling these mechanisms within an organization (through policies such as DMARC) may enable recipients (intra-org and cross domain) to perform similar message filtering and validation.(Citation: Microsoft Anti Spoofing)(Citation: ACSC Email Spoofing)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1539", "comment": "Configure browsers or tasks to regularly delete persistent cookies.\n\nAdditionally, minimize the length of time a web cookie is viable to potentially reduce the impact of stolen cookies while also increasing the needed frequency of cookie theft attempts \u2013 providing defenders with additional chances at detection.(Citation: Token tactics) For example, use non-persistent cookies to limit the duration a session ID will remain on the web client cache where an attacker could obtain it.(Citation: Session Management Cheat Sheet)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1553", "comment": "HTTP Public Key Pinning (HPKP) is one method to mitigate potential [Adversary-in-the-Middle](https://attack.mitre.org/techniques/T1557) situations where and adversary uses a mis-issued or fraudulent certificate to intercept encrypted communications by enforcing use of an expected certificate. (Citation: Wikipedia HPKP)", "score": 1, "showSubtechniques": true}, {"techniqueID": "T1553.004", "comment": "HTTP Public Key Pinning (HPKP) is one method to mitigate potential [Adversary-in-the-Middle](https://attack.mitre.org/techniques/T1557) situations where and adversary uses a mis-issued or fraudulent certificate to intercept encrypted communications by enforcing use of an expected certificate. (Citation: Wikipedia HPKP)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1537", "comment": "Configure appropriate data sharing restrictions in cloud services. For example, external sharing in Microsoft SharePoint and Google Drive can be turned off altogether, blocked for certain domains, or restricted to certain users.(Citation: Google Workspace External Sharing) (Citation: Microsoft 365 External Sharing)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1535", "comment": "Cloud service providers may allow customers to deactivate unused regions.(Citation: CloudSploit - Unused AWS Regions)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1550", "showSubtechniques": true}, {"techniqueID": "T1550.004", "comment": "Configure browsers or tasks to regularly delete persistent cookies.", "score": 1, "color": "#66b1ff", "showSubtechniques": true}], "gradient": {"colors": ["#ffffff", "#66b1ff"], "minValue": 0, "maxValue": 1}, "legendItems": [{"label": "mitigated by Software Configuration", "color": "#66b1ff"}]}