Created
February 8, 2021 18:58
Windows-specific MITRE ATT&CK techniques application control prevention assessment. This is a first attempt to assess the extent to which application control solutions would mitigate/prevent attack techniques. Note: this highly subjective assessment assumes a system that enforces an application control solution that at a minimum allows all Windo…
ID | Name | MitigatedByAppControl | Notes
---|---|---|---
T1001 | Data Obfuscation | Not Applicable | Relevant sub-techniques addressed below | |
T1001.001 | Junk Data | No | Technique is not necessarily related to the execution of arbitrary code on an endpoint. | |
T1001.002 | Steganography | Limited | If custom attacker code were necessary to perform this technique, it would be prevented. | |
T1001.003 | Protocol Impersonation | Limited | If custom attacker code were necessary to perform this technique, it would be prevented. | |
T1003 | OS Credential Dumping | Not Applicable | Relevant sub-techniques addressed below | |
T1003.001 | LSASS Memory | Limited | Built-in utilities exist to perform this technique. They would have to be explicitly blocked. | |
T1003.002 | Security Account Manager | Limited | Built-in utilities exist to perform this technique. They would have to be explicitly blocked. | |
T1003.003 | NTDS | Limited | Built-in utilities exist to perform this technique. They would have to be explicitly blocked. | |
T1003.004 | LSA Secrets | Limited | Built-in utilities exist to perform this technique. They would have to be explicitly blocked. | |
T1003.005 | Cached Domain Credentials | Limited | Built-in utilities exist to perform this technique. They would have to be explicitly blocked. | |
T1003.006 | DCSync | Limited | Custom code used to perform this would be blocked. Otherwise, DCSync can be performed over the network. | |
T1005 | Data from Local System | Not Applicable | Technique is not necessarily related to the execution of arbitrary code on an endpoint. | |
T1006 | Direct Volume Access | Yes | In most cases, custom code is required to perform this technique. | |
T1007 | System Service Discovery | Limited | Built-in utilities exist to perform this technique. They would have to be explicitly blocked. | |
T1008 | Fallback Channels | Not Applicable | Technique is not necessarily related to the execution of arbitrary code on an endpoint. | |
T1010 | Application Window Discovery | Limited | Custom code used to perform this would be blocked. | |
T1011 | Exfiltration Over Other Network Medium | Not Applicable | Relevant sub-techniques addressed below | |
T1011.001 | Exfiltration Over Bluetooth | Limited | Custom code used to perform this would be blocked. | |
T1012 | Query Registry | Limited | Custom code used to perform this would be blocked. | |
T1014 | Rootkit | Yes | Execution would be prevented, but with the privileges required to install a rootkit, the means to disable application control enforcement would likely exist. | |
T1016 | System Network Configuration Discovery | Limited | Custom code used to perform this would be blocked. There are many built-in utilities, however, to perform this technique. | |
T1018 | Remote System Discovery | Limited | Custom code used to perform this would be blocked. There are many built-in utilities, however, to perform this technique. | |
T1020 | Automated Exfiltration | No | Application control is not the solution to mitigate this technique. | |
T1021 | Remote Services | No | Relevant sub-techniques addressed below | |
T1021.001 | Remote Desktop Protocol | No | Application control is not the solution to mitigate this technique but it can serve as a mitigating prevention after an attacker has gained access using this technique. | |
T1021.002 | SMB/Windows Admin Shares | No | Application control is not the solution to mitigate this technique but it can serve as a mitigating prevention after an attacker has gained access using this technique. | |
T1021.003 | Distributed Component Object Model | No | Application control is not the solution to mitigate this technique but it can serve as a mitigating prevention after an attacker has gained access using this technique. | |
T1021.005 | VNC | Limited | Assuming VNC is a legitimate requirement in an organization, application control is not the solution to mitigate this technique. If not, application control would be an effective solution in preventing the usage of VNC. | |
T1021.006 | Windows Remote Management | No | Application control is not the solution to mitigate this technique but it can serve as a mitigating prevention after an attacker has gained access using this technique. | |
T1025 | Data from Removable Media | No | Application control is not the solution to mitigate this technique. The use of custom code to perform this technique would be blocked, however. | |
T1027 | Obfuscated Files or Information | Not Applicable | Relevant sub-techniques addressed below | |
T1027.001 | Binary Padding | No | Application control is not the solution to mitigate this technique. The use of custom code to perform this technique would be blocked, however. | |
T1027.002 | Software Packing | Yes | Approved packed software will still be permitted to run. | |
T1027.003 | Steganography | Limited | If custom attacker code were necessary to perform this technique, it would be prevented. | |
T1027.004 | Compile After Delivery | Limited | Compilation is often not related to code execution, but there may be some exceptions, and compilation utilities can be explicitly blocked if needed. | |
T1027.005 | Indicator Removal from Tools | No | Application control is not the solution to mitigate this technique. The use of custom code to perform this technique would be blocked, however. | |
T1029 | Scheduled Transfer | No | Application control is not the solution to mitigate this technique. The use of custom code to perform this technique would be blocked, however. | |
T1030 | Data Transfer Size Limits | No | Application control is not the solution to mitigate this technique. The use of custom code to perform this technique would be blocked, however. | |
T1033 | System Owner/User Discovery | Limited | Custom code used to perform this would be blocked. There are many built-in utilities, however, to perform this technique. | |
T1036 | Masquerading | Not Applicable | Relevant sub-techniques addressed below | |
T1036.001 | Invalid Code Signature | Yes | Code with invalid signatures will not be permitted to execute. | |
T1036.002 | Right-to-Left Override | No | Application control is not the solution to mitigate this technique. The use of custom code to perform this technique would be blocked, however. | |
T1036.003 | Rename System Utilities | No | Application control is not the solution to mitigate this technique. The use of custom code to perform this technique would be blocked, however. | |
T1036.004 | Masquerade Task or Service | No | Application control is not the solution to mitigate this technique. The use of custom code to perform this technique would be blocked, however. | |
T1036.005 | Match Legitimate Name or Location | No | Application control is not the solution to mitigate this technique. The use of custom code to perform this technique would be blocked, however. | |
T1037 | Boot or Logon Initialization Scripts | Not Applicable | Relevant sub-techniques addressed below | |
T1037.001 | Logon Script (Windows) | Limited | Application control cannot prevent the usage/abuse of this technique but it can limit the impact by restricting what is executed. | |
T1037.003 | Network Logon Script | Limited | Application control cannot prevent the usage/abuse of this technique but it can limit the impact by restricting what is executed. | |
T1039 | Data from Network Shared Drive | No | Application control is not the solution to mitigate this technique. The use of custom code to perform this technique would be blocked, however. | |
T1040 | Network Sniffing | No | Application control is not the solution to mitigate this technique. The use of custom code to perform this technique would be blocked, however. | |
T1041 | Exfiltration Over C2 Channel | No | Application control is not the solution to mitigate this technique. The use of custom code to perform this technique would be blocked, however. | |
T1043 | Commonly Used Port | No | Application control is not the solution to mitigate this technique. The use of custom code to perform this technique would be blocked, however. | |
T1046 | Network Service Scanning | No | Application control is not the solution to mitigate this technique. The use of custom code to perform this technique would be blocked, however. | |
T1047 | Windows Management Instrumentation | Limited | Application control cannot prevent the usage/abuse of this technique but it can limit the impact by restricting what is executed. | |
T1048 | Exfiltration Over Alternative Protocol | Not Applicable | Relevant sub-techniques addressed below | |
T1048.001 | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | No | Application control is not the solution to mitigate this technique. The use of custom code to perform this technique would be blocked, however. | |
T1048.002 | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | No | Application control is not the solution to mitigate this technique. The use of custom code to perform this technique would be blocked, however. | |
T1048.003 | Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol | No | Application control is not the solution to mitigate this technique. The use of custom code to perform this technique would be blocked, however. | |
T1049 | System Network Connections Discovery | Limited | Custom code used to perform this would be blocked. There are many built-in utilities, however, to perform this technique. | |
T1052 | Exfiltration Over Physical Medium | Not Applicable | Relevant sub-techniques addressed below | |
T1052.001 | Exfiltration over USB | No | Application control is not the solution to mitigate this technique. The use of custom code to perform this technique would be blocked, however. | |
T1053 | Scheduled Task/Job | Limited | Application control cannot prevent the usage/abuse of this technique but it can limit the impact by restricting what is executed. | |
T1053.002 | At (Windows) | Limited | Application control cannot prevent the usage/abuse of this technique but it can limit the impact by restricting what is executed. | |
T1053.005 | Scheduled Task | Limited | Application control cannot prevent the usage/abuse of this technique but it can limit the impact by restricting what is executed. | |
T1055 | Process Injection | Not Applicable | Relevant sub-techniques addressed below | |
T1055.001 | Dynamic-link Library Injection | Yes | While mavinject.exe is a built-in tool to perform injection, application control would block the loading of a DLL that is not explicitly allowed in an allowlist. | |
T1055.002 | Portable Executable Injection | Yes | This technique requires arbitrary code execution to perform so either an exploit or app control bypass would first be required as a prerequisite. | |
T1055.003 | Thread Execution Hijacking | Yes | This technique requires arbitrary code execution to perform so either an exploit or app control bypass would first be required as a prerequisite. | |
T1055.004 | Asynchronous Procedure Call | Yes | This technique requires arbitrary code execution to perform so either an exploit or app control bypass would first be required as a prerequisite. | |
T1055.005 | Thread Local Storage | Yes | This technique requires arbitrary code execution to perform so either an exploit or app control bypass would first be required as a prerequisite. | |
T1055.011 | Extra Window Memory Injection | Yes | This technique requires arbitrary code execution to perform so either an exploit or app control bypass would first be required as a prerequisite. | |
T1055.012 | Process Hollowing | Yes | This technique requires arbitrary code execution to perform so either an exploit or app control bypass would first be required as a prerequisite. | |
T1055.013 | Process Doppelgänging | Yes | This technique requires arbitrary code execution to perform so either an exploit or app control bypass would first be required as a prerequisite. | |
T1056 | Input Capture | Not Applicable | Relevant sub-techniques addressed below | |
T1056.001 | Keylogging | Yes | This technique requires arbitrary code execution to perform so either an exploit or app control bypass would first be required as a prerequisite. | |
T1056.002 | GUI Input Capture | Limited | Custom code to present an input capture box would be blocked but built-in utilities could likely be employed to present an attacker-controlled input capture box. | |
T1056.003 | Web Portal Capture | Limited | Custom code used to perform this would be blocked. | |
T1056.004 | Credential API Hooking | Yes | This technique requires arbitrary code execution to perform so either an exploit or app control bypass would first be required as a prerequisite. | |
T1057 | Process Discovery | Limited | Custom code used to perform this would be blocked. There are many built-in utilities, however, that would permit process discovery. | |
T1059 | Command and Scripting Interpreter | Not Applicable | Relevant sub-techniques addressed below | |
T1059.001 | PowerShell | Limited | App control used in conjunction with Constrained Language Mode is an extremely powerful mitigation against arbitrary PowerShell code execution but unless PowerShell-related executables were outright blocked, execution would not be fully prevented. | |
T1059.003 | Windows Command Shell | Limited | The Windows Command Shell cannot be used to execute executables not permitted per policy but it will execute executables allowed per policy. It would be unrealistic in most scenarios to block cmd.exe. | |
T1059.005 | Visual Basic | Yes | Executables related to script interpreters like this can be explicitly blocked. | |
T1059.006 | Python | Limited | If Python is permitted to execute per policy, there are no script enforcement mechanisms built into the Python interpreter. | |
T1059.007 | JavaScript/JScript | Yes | Executables related to script interpreters like this can be explicitly blocked. | |
T1068 | Exploitation for Privilege Escalation | Limited | Arbitrary, unprivileged code execution is most commonly a prerequisite for this technique so in many cases, this form of exploitation would be blocked. | |
T1069 | Permission Groups Discovery | Not Applicable | Relevant sub-techniques addressed below | |
T1069.001 | Local Groups | Limited | Built-in utilities exist to perform this technique. An effort would need to be made to enumerate these built-in utilities and determine if they could be blocked. | |
T1069.002 | Domain Groups | Limited | Built-in utilities exist to perform this technique. An effort would need to be made to enumerate these built-in utilities and determine if they could be blocked. | |
T1070 | Indicator Removal on Host | Not Applicable | Relevant sub-techniques addressed below | |
T1070.001 | Clear Windows Event Logs | Limited | Built-in utilities exist to perform this technique. An effort would need to be made to enumerate these built-in utilities and determine if they could be blocked. | |
T1070.003 | Clear Command History | No | Little can be done to prevent file deletion. | |
T1070.004 | File Deletion | No | Little can be done to prevent file deletion. | |
T1070.005 | Network Share Connection Removal | Limited | Built-in utilities exist to perform this technique. An effort would need to be made to enumerate these built-in utilities and determine if they could be blocked. | |
T1070.006 | Timestomp | Limited | Custom code used to perform this would be blocked. Otherwise, built-in utilities can perform this technique. | |
T1071 | Application Layer Protocol | Not Applicable | Relevant sub-techniques addressed below | |
T1071.001 | Web Protocols | No | Custom code that performs this technique would be blocked. Otherwise, this technique isn't necessarily related to endpoint code execution. | |
T1071.002 | File Transfer Protocols | No | Custom code that performs this technique would be blocked. Otherwise, this technique isn't necessarily related to endpoint code execution. | |
T1071.003 | Mail Protocols | No | Custom code that performs this technique would be blocked. Otherwise, this technique isn't necessarily related to endpoint code execution. | |
T1071.004 | DNS | No | Custom code that performs this technique would be blocked. Otherwise, this technique isn't necessarily related to endpoint code execution. | |
T1072 | Software Deployment Tools | Limited | Custom deployed executables could be prevented from executing but it would not stop an attacker from deploying code or potentially influencing app control policies using a compromised deployment tool. | |
T1074 | Data Staged | Not Applicable | Relevant sub-techniques addressed below | |
T1074.001 | Local Data Staging | Limited | Custom code used to perform this would be blocked. Otherwise, built-in utilities can perform this technique. | |
T1074.002 | Remote Data Staging | Limited | Custom code used to perform this would be blocked. Otherwise, built-in utilities can perform this technique. | |
T1078 | Valid Accounts | Not Applicable | Relevant sub-techniques addressed below | |
T1078.001 | Default Accounts | No | Technique is not necessarily related to the execution of arbitrary code on an endpoint. | |
T1078.002 | Domain Accounts | No | Technique is not necessarily related to the execution of arbitrary code on an endpoint. | |
T1078.003 | Local Accounts | No | Technique is not necessarily related to the execution of arbitrary code on an endpoint. | |
T1080 | Taint Shared Content | Limited | Application control cannot prevent the usage/abuse of this technique but it can limit the impact by restricting what is executed. | |
T1082 | System Information Discovery | Limited | Custom code used to perform this would be blocked. Otherwise, built-in utilities can perform this technique. | |
T1083 | File and Directory Discovery | Limited | Custom code used to perform this would be blocked. Otherwise, built-in utilities can perform this technique. | |
T1087 | Account Discovery | Not Applicable | Relevant sub-techniques addressed below | |
T1087.001 | Local Account | Limited | Custom code used to perform this would be blocked. Otherwise, built-in utilities can perform this technique. | |
T1087.002 | Domain Account | Limited | Custom code used to perform this would be blocked. Otherwise, built-in utilities can perform this technique. | |
T1087.003 | Email Account | Limited | Custom code used to perform this would be blocked. Otherwise, built-in utilities can perform this technique. | |
T1090 | Proxy | Not Applicable | Relevant sub-techniques addressed below | |
T1090.001 | Internal Proxy | Limited | Custom code used to perform this would be blocked. Otherwise, built-in utilities can perform this technique. | |
T1090.002 | External Proxy | Limited | Custom code used to perform this would be blocked. Otherwise, built-in utilities can perform this technique. | |
T1090.003 | Multi-hop Proxy | Limited | Custom code used to perform this would be blocked. Otherwise, built-in utilities can perform this technique. | |
T1090.004 | Domain Fronting | No | Technique is not necessarily related to the execution of arbitrary code on an endpoint. | |
T1091 | Replication Through Removable Media | No | Application control is not the solution to mitigate this technique but it can serve as a mitigating prevention after an attacker has gained access using this technique. | |
T1092 | Communication Through Removable Media | No | Application control is not the solution to mitigate this technique but it can serve as a mitigating prevention after an attacker has gained access using this technique. | |
T1095 | Non-Application Layer Protocol | No | Technique is not necessarily related to the execution of arbitrary code on an endpoint. | |
T1098 | Account Manipulation | Not Applicable | Relevant sub-techniques addressed below | |
T1098.002 | Exchange Email Delegate Permissions | Limited | Custom code used to perform this would be blocked. Otherwise, built-in utilities can perform this technique. | |
T1102 | Web Service | Not Applicable | Relevant sub-techniques addressed below | |
T1102.001 | Dead Drop Resolver | No | Technique is not necessarily related to the execution of arbitrary code on an endpoint. | |
T1102.002 | Bidirectional Communication | No | Technique is not necessarily related to the execution of arbitrary code on an endpoint. | |
T1102.003 | One-Way Communication | No | Technique is not necessarily related to the execution of arbitrary code on an endpoint. | |
T1104 | Multi-Stage Channels | No | Technique is not necessarily related to the execution of arbitrary code on an endpoint. | |
T1105 | Ingress Tool Transfer | No | Application control is not the solution to mitigate this technique but it can serve as a mitigating prevention after an attacker has gained access using this technique. | |
T1106 | Native API | Yes | This technique requires arbitrary code execution to perform so either an exploit or app control bypass would first be required as a prerequisite. | |
T1110 | Brute Force | Not Applicable | Relevant sub-techniques addressed below | |
T1110.001 | Password Guessing | No | Technique is not necessarily related to the execution of arbitrary code on an endpoint. | |
T1110.002 | Password Cracking | No | Technique is not necessarily related to the execution of arbitrary code on an endpoint. | |
T1110.003 | Password Spraying | No | Technique is not necessarily related to the execution of arbitrary code on an endpoint. | |
T1110.004 | Credential Stuffing | No | Technique is not necessarily related to the execution of arbitrary code on an endpoint. | |
T1111 | Two-Factor Authentication Interception | Limited | Custom code used to perform this would be blocked. | |
T1112 | Modify Registry | Limited | Custom code used to perform this would be blocked. Otherwise, built-in utilities can perform this technique. | |
T1113 | Screen Capture | Limited | Custom code used to perform this would be blocked. Otherwise, built-in utilities can perform this technique. | |
T1114 | Email Collection | Not Applicable | Relevant sub-techniques addressed below | |
T1114.001 | Local Email Collection | No | Technique is not necessarily related to the execution of arbitrary code on an endpoint. | |
T1114.002 | Remote Email Collection | No | Technique is not necessarily related to the execution of arbitrary code on an endpoint. | |
T1114.003 | Email Forwarding Rule | No | Technique is not necessarily related to the execution of arbitrary code on an endpoint. | |
T1115 | Clipboard Data | Yes | This technique requires arbitrary code execution to perform so either an exploit or app control bypass would first be required as a prerequisite. | |
T1119 | Automated Collection | Limited | Custom code used to perform this would be blocked. Otherwise, built-in utilities can perform this technique. | |
T1120 | Peripheral Device Discovery | Limited | Custom code used to perform this would be blocked. Otherwise, built-in utilities can perform this technique. | |
T1123 | Audio Capture | Limited | Custom code used to perform this would be blocked. Otherwise, built-in utilities can perform this technique. | |
T1124 | System Time Discovery | Limited | Custom code used to perform this would be blocked. Otherwise, built-in utilities can perform this technique. | |
T1125 | Video Capture | Limited | Custom code used to perform this would be blocked. Otherwise, built-in utilities can perform this technique. | |
T1127 | Trusted Developer Utilities Proxy Execution | Not Applicable | Relevant sub-techniques addressed below | |
T1127.001 | MSBuild | Yes | MSBuild binaries can be blocked per policy. This may not be possible on developer systems, however. | |
T1129 | Shared Modules | Yes | Blocked assuming DLL enforcement is present. | |
T1132 | Data Encoding | Not Applicable | Relevant sub-techniques addressed below | |
T1132.001 | Standard Encoding | No | Technique is not necessarily related to the execution of arbitrary code on an endpoint. | |
T1132.002 | Non-Standard Encoding | No | Technique is not necessarily related to the execution of arbitrary code on an endpoint. | |
T1133 | External Remote Services | No | Technique is not necessarily related to the execution of arbitrary code on an endpoint. | |
T1134 | Access Token Manipulation | Not Applicable | Relevant sub-techniques addressed below | |
T1134.001 | Token Impersonation/Theft | Yes | This technique requires arbitrary code execution to perform so either an exploit or app control bypass would first be required as a prerequisite. | |
T1134.002 | Create Process with Token | Yes | This technique requires arbitrary code execution to perform so either an exploit or app control bypass would first be required as a prerequisite. | |
T1134.003 | Make and Impersonate Token | Yes | This technique requires arbitrary code execution to perform so either an exploit or app control bypass would first be required as a prerequisite. | |
T1134.004 | Parent PID Spoofing | Yes | This technique requires arbitrary code execution to perform so either an exploit or app control bypass would first be required as a prerequisite. | |
T1134.005 | SID-History Injection | No | Technique is not necessarily related to the execution of arbitrary code on an endpoint. | |
T1135 | Network Share Discovery | Limited | Custom code used to perform this would be blocked. Otherwise, built-in utilities can perform this technique. | |
T1136 | Create Account | Not Applicable | Relevant sub-techniques addressed below | |
T1136.001 | Local Account | Limited | Custom code used to perform this would be blocked. Otherwise, built-in utilities can perform this technique. | |
T1136.002 | Domain Account | Limited | Custom code used to perform this would be blocked. Otherwise, built-in utilities can perform this technique. | |
T1137 | Office Application Startup | Not Applicable | Relevant sub-techniques addressed below | |
T1137.001 | Office Template Macros | No | Assuming macros are permitted to execute, application control solutions do not have insight into their execution. | |
T1137.002 | Office Test | Yes | Blocked assuming DLL enforcement is present. | |
T1137.003 | Outlook Forms | No | Technique is not necessarily related to the execution of arbitrary code on an endpoint. | |
T1137.004 | Outlook Home Page | No | Technique is not necessarily related to the execution of arbitrary code on an endpoint. | |
T1137.005 | Outlook Rules | No | Application control is not the solution to mitigate this technique but it can serve as a mitigating prevention after an attacker has gained access using this technique. | |
T1137.006 | Add-ins | Yes | Blocked assuming DLL enforcement is present. | |
T1140 | Deobfuscate/Decode Files or Information | Limited | Custom code used to perform this would be blocked. Otherwise, built-in utilities can perform this technique. | |
T1176 | Browser Extensions | No | Application control does not have insight into controlling the execution of browser extensions. | |
T1185 | Man in the Browser | No | This technique is not addressed by application control. | |
T1187 | Forced Authentication | No | This technique is not addressed by application control. | |
T1189 | Drive-by Compromise | Limited | If the download and execution of attacker executable/script code is the vector, then application control can prevent further compromise. | |
T1190 | Exploit Public-Facing Application | No | This technique is not addressed by application control. | |
T1195 | Supply Chain Compromise | Not Applicable | Relevant sub-techniques addressed below | |
T1195.001 | Compromise Software Dependencies and Development Tools | No | This technique is not addressed by application control. | |
T1195.002 | Compromise Software Supply Chain | Limited | Application control could only mitigate insofar as preventing the execution of malicious software that is not signed with a trusted certificate. | |
T1195.003 | Compromise Hardware Supply Chain | No | This technique is not addressed by application control. | |
T1197 | BITS Jobs | Limited | Custom code used to perform this would be blocked. Otherwise, built-in utilities can perform this technique. | |
T1199 | Trusted Relationship | No | This technique is not addressed by application control. | |
T1200 | Hardware Additions | Limited | Application control that can block the loading of device drivers can be an effective mitigation against full weaponization of aspects of this technique. | |
T1201 | Password Policy Discovery | Limited | Custom code used to perform this would be blocked. Otherwise, built-in utilities can perform this technique. | |
T1202 | Indirect Command Execution | Limited | Built-in utilities are abused to take advantage of this technique, so they would have to be blocked accordingly. | |
T1203 | Exploitation for Client Execution | No | This technique is not addressed by application control. | |
T1204 | User Execution | Not Applicable | Relevant sub-techniques addressed below | |
T1204.001 | Malicious Link | Limited | Assuming the target of the link attempts to execute something not permitted per policy, application control is a highly effective solution. Application control will not prevent the execution of an attempted exploit of a software vulnerability. | |
T1204.002 | Malicious File | Limited | The attempted execution of any PE or script can be prevented from execution. Delivery of an Office macro, however, as an example is not applicable to application control and is mitigated by other controls. | |
T1205 | Traffic Signaling | Not Applicable | Relevant sub-techniques addressed below | |
T1205.001 | Port Knocking | No | This technique is not addressed by application control. | |
T1207 | Rogue Domain Controller | No | This technique is not addressed by application control. | |
T1210 | Exploitation of Remote Services | No | This technique is not addressed by application control. | |
T1211 | Exploitation for Defense Evasion | No | This technique is not addressed by application control. | |
T1212 | Exploitation for Credential Access | No | This technique is not addressed by application control. | |
T1213 | Data from Information Repositories | Not Applicable | Relevant sub-techniques addressed below | |
T1213.002 | Sharepoint | No | This technique is not addressed by application control. | |
T1216 | Signed Script Proxy Execution | Not Applicable | Relevant sub-techniques addressed below | |
T1216.001 | PubPrn | Limited | Execution of scripts can only be blocked by hash. While known hashes can be blocked, older, vulnerable versions can still execute by modifying the file contents without invalidating the signature. | |
T1217 | Browser Bookmark Discovery | Limited | Custom code used to perform this would be blocked. Otherwise, built-in utilities can perform this technique. | |
T1218 | Signed Binary Proxy Execution | Not Applicable | Relevant sub-techniques addressed below | |
T1218.001 | Compiled HTML File | Yes | Associated executables can be blocked. | |
T1218.002 | Control Panel | Yes | Control panel extensions are PE files and are implicitly blocked if not explicitly allowed assuming DLL enforcement. | |
T1218.003 | CMSTP | Yes | Associated executables can be blocked. | |
T1218.004 | InstallUtil | Yes | This technique is used to load .NET assemblies. Those loads would be blocked by application control assuming DLL enforcement. | |
T1218.005 | Mshta | Yes | Associated executables can be blocked. When Windows Defender Application Control is enforced, all HTA execution is automatically blocked. | |
T1218.007 | Msiexec | Yes | Associated executables can be blocked and some application control solutions can allow/block MSIs. | |
T1218.008 | Odbcconf | Yes | Blocked assuming DLL enforcement | |
T1218.009 | Regsvcs/Regasm | Yes | Blocked assuming DLL enforcement | |
T1218.010 | Regsvr32 | Yes | Blocked assuming DLL enforcement | |
T1218.011 | Rundll32 | Yes | Blocked assuming DLL enforcement | |
T1218.012 | Verclsid | Yes | Associated executables can be blocked. | |
T1219 | Remote Access Software | Limited | Would be blocked only if unapproved software is utilized to leverage the technique. Otherwise, application control cannot mitigate this technique against approved software. | |
T1220 | XSL Script Processing | Limited | Associated executables can be blocked, but there may be additional utilities that process XSL that defenders are unaware of. | |
T1221 | Template Injection | No | This technique is not addressed by application control. | |
T1222 | File and Directory Permissions Modification | Not Applicable | Relevant sub-techniques addressed below | |
T1222.001 | Windows File and Directory Permissions Modification | No | This technique is not addressed by application control. Some built-in executables could potentially be blocked. | |
T1480 | Execution Guardrails | Not Applicable | Relevant sub-techniques addressed below | |
T1480.001 | Environmental Keying | Limited | Custom code used to perform this would be blocked. Otherwise, built-in utilities could potentially be used to perform this technique. | |
T1482 | Domain Trust Discovery | Limited | Custom code used to perform this would be blocked. Otherwise, built-in utilities can perform this technique. | |
T1484 | Domain Policy Modification | Not Applicable | Relevant sub-techniques addressed below | |
T1484.001 | Group Policy Modification | No | Custom code that performs this technique would be blocked. Otherwise, this technique isn't necessarily related to endpoint code execution. | |
T1484.002 | Domain Trust Modification | No | This technique is not addressed by application control. | |
T1485 | Data Destruction | Limited | Custom code used to perform this would be blocked. Otherwise, built-in utilities can perform this technique. | |
T1486 | Data Encrypted for Impact | Limited | Custom code used to perform this would be blocked. Otherwise, built-in utilities can perform this technique. | |
T1489 | Service Stop | Limited | Custom code used to perform this would be blocked. Otherwise, built-in utilities can perform this technique. | |
T1490 | Inhibit System Recovery | Limited | Custom code used to perform this would be blocked. Otherwise, built-in utilities can perform this technique. | |
T1491 | Defacement | Not Applicable | Relevant sub-techniques addressed below | |
T1491.001 | Internal Defacement | No | Custom code that performs this technique would be blocked. Otherwise, this technique isn't necessarily related to endpoint code execution. | |
T1491.002 | External Defacement | No | This technique is not addressed by application control. | |
T1495 | Firmware Corruption | No | This technique is not addressed by application control. | |
T1496 | Resource Hijacking | Yes | Custom code used to perform this would be blocked. | |
T1497 | Virtualization/Sandbox Evasion | Not Applicable | Relevant sub-techniques addressed below | |
T1497.001 | System Checks | Limited | Custom code used to perform this would be blocked. Otherwise, built-in utilities can perform this technique. | |
T1497.002 | User Activity Based Checks | Limited | Custom code used to perform this would be blocked. Otherwise, built-in utilities can perform this technique. | |
T1497.003 | Time Based Evasion | Limited | Custom code used to perform this would be blocked. Otherwise, built-in utilities can perform this technique. | |
T1498 | Network Denial of Service | Not Applicable | Relevant sub-techniques addressed below | |
T1498.001 | Direct Network Flood | No | This technique is not addressed by application control. | |
T1498.002 | Reflection Amplification | No | This technique is not addressed by application control. | |
T1499 | Endpoint Denial of Service | Not Applicable | Relevant sub-techniques addressed below | |
T1499.001 | OS Exhaustion Flood | No | This technique is not addressed by application control. | |
T1499.002 | Service Exhaustion Flood | No | This technique is not addressed by application control. | |
T1499.003 | Application Exhaustion Flood | No | This technique is not addressed by application control. | |
T1499.004 | Application or System Exploitation | No | This technique is not addressed by application control. | |
T1505 | Server Software Component | Not Applicable | Relevant sub-techniques addressed below | |
T1505.001 | SQL Stored Procedures | Limited | Custom code used to perform this would be blocked. Otherwise, built-in utilities can perform this technique. | |
T1505.002 | Transport Agent | Yes | Custom code used to perform this would be blocked. | |
T1505.003 | Web Shell | Limited | Whether or not application control could offer any mitigations is dependent on the server implementation. | |
T1518 | Software Discovery | Not Applicable | Relevant sub-techniques addressed below | |
T1518.001 | Security Software Discovery | Limited | Custom code used to perform this would be blocked. Otherwise, built-in utilities can perform this technique. | |
T1529 | System Shutdown/Reboot | Limited | Custom code used to perform this would be blocked. Otherwise, built-in utilities can perform this technique. | |
T1531 | Account Access Removal | No | Custom code that performs this technique would be blocked. Otherwise, this technique isn't addressed by application control. | |
T1534 | Internal Spearphishing | No | This technique is not addressed by application control. | |
T1539 | Steal Web Session Cookie | No | Custom code that performs this technique would be blocked. Otherwise, this technique isn't addressed by application control. | |
T1542 | Pre-OS Boot | Not Applicable | Relevant sub-techniques addressed below | |
T1542.001 | System Firmware | No | This technique is not addressed by application control. | |
T1542.002 | Component Firmware | No | This technique is not addressed by application control. | |
T1542.003 | Bootkit | No | This technique is not addressed by application control. | |
T1543 | Create or Modify System Process | Not Applicable | Relevant sub-techniques addressed below | |
T1543.003 | Windows Service | Limited | Custom code used to perform this would be blocked. Otherwise, built-in utilities can perform this technique. | |
T1546 | Event Triggered Execution | Not Applicable | Relevant sub-techniques addressed below | |
T1546.001 | Change Default File Association | Limited | Custom code used to perform this would be blocked. Otherwise, built-in utilities can perform this technique. | |
T1546.002 | Screensaver | No | This technique is not addressed by application control. | |
T1546.003 | Windows Management Instrumentation Event Subscription | Limited | Custom code used to perform this would be blocked. Otherwise, built-in utilities can perform this technique. | |
T1546.007 | Netsh Helper DLL | Yes | Blocked assuming DLL enforcement | |
T1546.008 | Accessibility Features | Limited | Custom code used to perform this would be blocked. Otherwise, built-in utilities can perform this technique. | |
T1546.009 | AppCert DLLs | Yes | Blocked assuming DLL enforcement | |
T1546.010 | AppInit DLLs | Yes | Blocked assuming DLL enforcement | |
T1546.011 | Application Shimming | Limited | Assuming DLL enforcement, application shims designed to load a DLL would be blocked. | |
T1546.012 | Image File Execution Options Injection | Limited | Custom code used to perform this would be blocked. Otherwise, built-in utilities can perform this technique. | |
T1546.013 | PowerShell Profile | Limited | Under application control enforcement (assuming Constrained Language mode enforcement), the execution of profiles is restricted but not prevented. | |
T1546.015 | Component Object Model Hijacking | Limited | Custom code used to perform this would be blocked. Otherwise, attackers can hijack COM registrations, pointing them to approved COM classes to abuse. | |
T1547 | Boot or Logon Autostart Execution | Not Applicable | Relevant sub-techniques addressed below | |
T1547.001 | Registry Run Keys / Startup Folder | No | Custom code that performs this technique would be blocked. Otherwise, this technique isn't addressed by application control. | |
T1547.002 | Authentication Package | Yes | Blocked assuming DLL enforcement | |
T1547.003 | Time Providers | Yes | Blocked assuming DLL enforcement | |
T1547.004 | Winlogon Helper DLL | Yes | Blocked assuming DLL enforcement | |
T1547.005 | Security Support Provider | Yes | Blocked assuming DLL enforcement | |
T1547.008 | LSASS Driver | Yes | Blocked assuming DLL enforcement | |
T1547.009 | Shortcut Modification | No | Custom code that performs this technique would be blocked. Otherwise, this technique isn't addressed by application control. | |
T1547.010 | Port Monitors | Yes | Blocked assuming DLL enforcement | |
T1547.012 | Print Processors | Yes | Blocked assuming DLL enforcement | |
T1548 | Abuse Elevation Control Mechanism | Not Applicable | Relevant sub-techniques addressed below | |
T1548.002 | Bypass User Account Control | Limited | Custom code used to perform this would be blocked. Otherwise, built-in utilities can perform this technique. | |
T1550 | Use Alternate Authentication Material | Not Applicable | Relevant sub-techniques addressed below | |
T1550.002 | Pass the Hash | No | This technique is not addressed by application control. | |
T1550.003 | Pass the Ticket | No | This technique is not addressed by application control. | |
T1552 | Unsecured Credentials | Not Applicable | Relevant sub-techniques addressed below | |
T1552.001 | Credentials In Files | No | This technique is not addressed by application control. | |
T1552.002 | Credentials in Registry | No | This technique is not addressed by application control. | |
T1552.004 | Private Keys | No | This technique is not addressed by application control. | |
T1552.006 | Group Policy Preferences | No | This technique is not addressed by application control. | |
T1553 | Subvert Trust Controls | Not Applicable | Relevant sub-techniques addressed below | |
T1553.002 | Code Signing | Limited | Any executable that is signed using a certificate not explicitly approved would be blocked. Application control cannot prevent the execution of code signed with a stolen certificate where that certificate is approved for execution. | |
T1553.003 | SIP and Trust Provider Hijacking | Limited | Custom code used to perform this would be blocked. Otherwise, built-in, approved DLLs can be used to subvert trust. | |
T1553.004 | Install Root Certificate | No | This technique is not addressed by application control. | |
T1554 | Compromise Client Software Binary | No | It is assumed that these binaries were already approved to execute. | |
T1555 | Credentials from Password Stores | Not Applicable | Relevant sub-techniques addressed below | |
T1555.003 | Credentials from Web Browsers | Limited | Custom code used to perform this would be blocked. Otherwise, built-in utilities can perform this technique. | |
T1556 | Modify Authentication Process | Not Applicable | Relevant sub-techniques addressed below | |
T1556.001 | Domain Controller Authentication | Yes | Custom code used to perform this would be blocked. | |
T1556.002 | Password Filter DLL | Yes | Blocked assuming DLL enforcement | |
T1557 | Man-in-the-Middle | Not Applicable | Relevant sub-techniques addressed below | |
T1557.001 | LLMNR/NBT-NS Poisoning and SMB Relay | No | This technique is not addressed by application control. | |
T1557.002 | ARP Cache Poisoning | No | This technique is not addressed by application control. | |
T1558 | Steal or Forge Kerberos Tickets | Not Applicable | Relevant sub-techniques addressed below | |
T1558.001 | Golden Ticket | No | This technique is not addressed by application control. | |
T1558.002 | Silver Ticket | No | This technique is not addressed by application control. | |
T1558.003 | Kerberoasting | No | This technique is not addressed by application control. | |
T1558.004 | AS-REP Roasting | No | This technique is not addressed by application control. | |
T1559 | Inter-Process Communication | Not Applicable | Relevant sub-techniques addressed below | |
T1559.001 | Component Object Model | Limited | Custom code used to perform this would be blocked. Otherwise, built-in COM components can be abused and would need to be blocked accordingly. | |
T1559.002 | Dynamic Data Exchange | No | This technique is not addressed by application control. | |
T1560 | Archive Collected Data | Not Applicable | Relevant sub-techniques addressed below | |
T1560.001 | Archive via Utility | Limited | Custom code used to perform this would be blocked. Otherwise, built-in utilities can perform this technique. | |
T1560.002 | Archive via Library | Limited | Custom code used to perform this would be blocked. Otherwise, built-in utilities can perform this technique. | |
T1560.003 | Archive via Custom Method | Limited | Custom code used to perform this would be blocked. Otherwise, built-in utilities can perform this technique. | |
T1561 | Disk Wipe | Not Applicable | Relevant sub-techniques addressed below | |
T1561.001 | Disk Content Wipe | Limited | Custom code used to perform this would be blocked. Otherwise, built-in utilities can perform this technique. | |
T1561.002 | Disk Structure Wipe | Limited | Custom code used to perform this would be blocked. Otherwise, built-in utilities can perform this technique. | |
T1562 | Impair Defenses | Not Applicable | Relevant sub-techniques addressed below | |
T1562.001 | Disable or Modify Tools | Limited | Custom code used to perform this would be blocked. Otherwise, built-in utilities can perform this technique. | |
T1562.002 | Disable Windows Event Logging | Limited | Custom code used to perform this would be blocked. Otherwise, built-in utilities can perform this technique. | |
T1562.003 | Impair Command History Logging | Limited | Custom code used to perform this would be blocked. Otherwise, built-in utilities can perform this technique. | |
T1562.004 | Disable or Modify System Firewall | Limited | Custom code used to perform this would be blocked. Otherwise, built-in utilities can perform this technique. | |
T1562.006 | Indicator Blocking | Limited | Custom code used to perform this would be blocked. Otherwise, built-in utilities can perform this technique. | |
T1563 | Remote Service Session Hijacking | Not Applicable | Relevant sub-techniques addressed below | |
T1563.002 | RDP Hijacking | Limited | This comprises built-in functionality. tscon.exe could be explicitly blocked if it was reasonable to do so. | |
T1564 | Hide Artifacts | Not Applicable | Relevant sub-techniques addressed below | |
T1564.001 | Hidden Files and Directories | No | This technique is not addressed by application control. | |
T1564.003 | Hidden Window | No | This technique is not addressed by application control. | |
T1564.004 | NTFS File Attributes | No | This technique is not addressed by application control. | |
T1564.005 | Hidden File System | No | This technique is not addressed by application control. | |
T1564.006 | Run Virtual Instance | Limited | If virtualization software is not required, it can be blocked in policy. | |
T1564.007 | VBA Stomping | No | This technique is not addressed by application control. | |
T1565 | Data Manipulation | Not Applicable | Relevant sub-techniques addressed below | |
T1565.001 | Stored Data Manipulation | Limited | Custom code used to perform this would be blocked. Otherwise, built-in utilities can perform this technique. | |
T1565.002 | Transmitted Data Manipulation | No | This technique is not addressed by application control. | |
T1565.003 | Runtime Data Manipulation | Limited | Custom code used to perform this would be blocked. | |
T1566 | Phishing | Not Applicable | Relevant sub-techniques addressed below | |
T1566.001 | Spearphishing Attachment | Limited | Attachments within the scope of application control (e.g. PEs, scripts, etc.) would be blocked. | |
T1566.002 | Spearphishing Link | No | This technique is not addressed by application control. | |
T1566.003 | Spearphishing via Service | No | This technique is not addressed by application control. | |
T1567 | Exfiltration Over Web Service | Not Applicable | Relevant sub-techniques addressed below | |
T1567.001 | Exfiltration to Code Repository | Limited | Custom code used to perform this would be blocked. Otherwise, built-in utilities can perform this technique. | |
T1567.002 | Exfiltration to Cloud Storage | Limited | Custom code used to perform this would be blocked. Otherwise, built-in utilities can perform this technique. | |
T1568 | Dynamic Resolution | Not Applicable | Relevant sub-techniques addressed below | |
T1568.001 | Fast Flux DNS | No | This technique is not addressed by application control. | |
T1568.002 | Domain Generation Algorithms | No | This technique is not addressed by application control. | |
T1568.003 | DNS Calculation | No | This technique is not addressed by application control. | |
T1569 | System Services | Not Applicable | Relevant sub-techniques addressed below | |
T1569.002 | Service Execution | Yes | Service executables not approved per policy would be prevented from executing. | |
T1570 | Lateral Tool Transfer | Limited | Custom code used to perform this would be blocked. Otherwise, built-in utilities can perform this technique. | |
T1571 | Non-Standard Port | No | This technique is not addressed by application control. | |
T1572 | Protocol Tunneling | Limited | Custom code used to perform this would be blocked. Otherwise, built-in utilities can perform this technique. | |
T1573 | Encrypted Channel | Not Applicable | Relevant sub-techniques addressed below | |
T1573.001 | Symmetric Cryptography | No | This technique is not addressed by application control. | |
T1573.002 | Asymmetric Cryptography | No | This technique is not addressed by application control. | |
T1574 | Hijack Execution Flow | Not Applicable | Relevant sub-techniques addressed below | |
T1574.001 | DLL Search Order Hijacking | Yes | Blocked assuming DLL enforcement | |
T1574.002 | DLL Side-Loading | Yes | Blocked assuming DLL enforcement | |
T1574.005 | Executable Installer File Permissions Weakness | Limited | Custom code used to perform this would be blocked. Otherwise, built-in utilities can perform this technique. | |
T1574.007 | Path Interception by PATH Environment Variable | Limited | Custom code used to perform this would be blocked. Otherwise, built-in utilities can perform this technique. | |
T1574.008 | Path Interception by Search Order Hijacking | Limited | Custom code used to perform this would be blocked. Otherwise, built-in utilities can perform this technique. | |
T1574.009 | Path Interception by Unquoted Path | Limited | Custom code used to perform this would be blocked. Otherwise, built-in utilities can perform this technique. | |
T1574.010 | Services File Permissions Weakness | No | This technique is not addressed by application control. | |
T1574.011 | Services Registry Permissions Weakness | No | This technique is not addressed by application control. | |
T1574.012 | COR_PROFILER | Yes | Blocked assuming DLL enforcement | |
T1606 | Forge Web Credentials | Not Applicable | Relevant sub-techniques addressed below | |
T1606.001 | Web Cookies | No | This technique is not addressed by application control. | |
T1606.002 | SAML Tokens | No | This technique is not addressed by application control. | |