Skip to content

Instantly share code, notes, and snippets.

@mgraeber-rc

mgraeber-rc/Windows_Application_Control_Mitigation_Coverage.json

Created May 27, 2021 13:44
Show Gist options
  • Save mgraeber-rc/def7a13a53978bdf45d44af9959451d4 to your computer and use it in GitHub Desktop.
Save mgraeber-rc/def7a13a53978bdf45d44af9959451d4 to your computer and use it in GitHub Desktop.
Download ZIP
MITRE ATT&CK Navigator Layer - Windows Application Control Mitigation Coverage: Techniques on Windows endpoints that would be prevented, mitigated, or detected by the enforcement of an application control/application allowlisting solution.
Raw
Windows_Application_Control_Mitigation_Coverage.json
{
"name": "Windows Application Control Mitigation Coverage",
"versions": {
"attack": "9",
"navigator": "4.3",
"layer": "4.2"
},
"domain": "enterprise-attack",
"description": "Techniques on Windows endpoints that would be prevented, mitigated, or detected by the enforcement of an application control/application allowlisting solution.\n\nAuthor: Matt Graeber, Red Canary",
"filters": {
"platforms": [
"Windows"
]
},
"sorting": 0,
"layout": {
"layout": "side",
"aggregateFunction": "average",
"showID": false,
"showName": true,
"showAggregateScores": false,
"countUnscored": false
},
"hideDisabled": false,
"techniques": [
{
"techniqueID": "T1548",
"tactic": "privilege-escalation",
"score": 50,
"color": "",
"comment": "",
"enabled": true,
"metadata": [],
"showSubtechniques": false
},
{
"techniqueID": "T1548",
"tactic": "defense-evasion",
"score": 50,
"color": "",
"comment": "",
"enabled": true,
"metadata": [],
"showSubtechniques": false
},
{
"techniqueID": "T1548.002",
"tactic": "privilege-escalation",
"score": 50,
"color": "",
"comment": "Custom code used to perform this would be blocked. Otherwise, built-in utilities can perform this technique.",
"enabled": true,
"metadata": [],
"showSubtechniques": false
},
{
"techniqueID": "T1548.002",
"tactic": "defense-evasion",
"score": 50,
"color": "",
"comment": "Custom code used to perform this would be blocked. Otherwise, built-in utilities can perform this technique.",
"enabled": true,
"metadata": [],
"showSubtechniques": false
},
{
"techniqueID": "T1134",
"tactic": "defense-evasion",
"score": 80,
"color": "",
"comment": "",
"enabled": true,
"metadata": [],
"showSubtechniques": false
},
{
"techniqueID": "T1134",
"tactic": "privilege-escalation",
"score": 80,
"color": "",
"comment": "",
"enabled": true,
"metadata": [],
"showSubtechniques": false
},
{
"techniqueID": "T1134.001",
"tactic": "defense-evasion",
"score": 100,
"color": "",
"comment": "This technique requires arbitrary code execution to perform so either an exploit or app control bypass would first be required as a prerequisite.",
"enabled": true,
"metadata": [],
"showSubtechniques": false
},
{
"techniqueID": "T1134.001",
"tactic": "privilege-escalation",
"score": 100,
"color": "",
"comment": "This technique requires arbitrary code execution to perform so either an exploit or app control bypass would first be required as a prerequisite.",
"enabled": true,
"metadata": [],
"showSubtechniques": false
},
{
"techniqueID": "T1134.002",
"tactic": "defense-evasion",
"score": 100,
"color": "",
"comment": "This technique requires arbitrary code execution to perform so either an exploit or app control bypass would first be required as a prerequisite.",
"enabled": true,
"metadata": [],
"showSubtechniques": false
},
{
"techniqueID": "T1134.002",
"tactic": "privilege-escalation",
"score": 100,
"color": "",
"comment": "This technique requires arbitrary code execution to perform so either an exploit or app control bypass would first be required as a prerequisite.",
"enabled": true,
"metadata": [],
"showSubtechniques": false
},
{
"techniqueID": "T1134.003",
"tactic": "defense-evasion",
"score": 100,
"color": "",
"comment": "This technique requires arbitrary code execution to perform so either an exploit or app control bypass would first be required as a prerequisite.",
"enabled": true,
"metadata": [],
"showSubtechniques": false
},
{
"techniqueID": "T1134.003",
"tactic": "privilege-escalation",
"score": 100,
"color": "",
"comment": "This technique requires arbitrary code execution to perform so either an exploit or app control bypass would first be required as a prerequisite.",
"enabled": true,
"metadata": [],
"showSubtechniques": false
},
{
"techniqueID": "T1134.004",
"tactic": "defense-evasion",
"score": 100,
"color": "",
"comment": "This technique requires arbitrary code execution to perform so either an exploit or app control bypass would first be required as a prerequisite.",
"enabled": true,
"metadata": [],
"showSubtechniques": false
},
{
"techniqueID": "T1134.004",
"tactic": "privilege-escalation",
"score": 100,
"color": "",
"comment": "This technique requires arbitrary code execution to perform so either an exploit or app control bypass would first be required as a prerequisite.",
"enabled": true,
"metadata": [],
"showSubtechniques": false
},
{
"techniqueID": "T1134.005",
"tactic": "defense-evasion",
"score": 0,
"color": "",
"comment": "Technique is not necessarily related to the execution of arbitrary code on an endpoint.",
"enabled": true,
"metadata": [],
"showSubtechniques": false
},
{
"techniqueID": "T1134.005",
"tactic": "privilege-escalation",
"score": 0,
"color": "",
"comment": "Technique is not necessarily related to the execution of arbitrary code on an endpoint.",
"enabled": true,
"metadata": [],
"showSubtechniques": false
},
{
"techniqueID": "T1531",
"tactic": "impact",
"score": 0,
"color": "",
"comment": "Custom code that performs this technique would be blocked. Otherwise, this technique isn't addressed by application control.",
"enabled": true,
"metadata": [],
"showSubtechniques": false
},
{
"techniqueID": "T1087",
"tactic": "discovery",
"score": 50,
"color": "",
"comment": "",
"enabled": true,
"metadata": [],
"showSubtechniques": false
},
{
"techniqueID": "T1087.001",
"tactic": "discovery",
"score": 50,
"color": "",
"comment": "Custom code used to perform this would be blocked. Otherwise, built-in utilities can perform this technique.",
"enabled": true,
"metadata": [],
"showSubtechniques": false
},
{
"techniqueID": "T1087.002",
"tactic": "discovery",
"score": 50,
"color": "",
"comment": "Custom code used to perform this would be blocked. Otherwise, built-in utilities can perform this technique.",
"enabled": true,
"metadata": [],
"showSubtechniques": false
},
{
"techniqueID": "T1087.003",
"tactic": "discovery",
"score": 50,
"color": "",
"comment": "Custom code used to perform this would be blocked. Otherwise, built-in utilities can perform this technique.",
"enabled": true,
"metadata": [],
"showSubtechniques": false
},
{
"techniqueID": "T1098",
"tactic": "persistence",
"score": 50,
"color": "",
"comment": "",
"enabled": true,
"metadata": [],
"showSubtechniques": false
},
{
"techniqueID": "T1098.002",
"tactic": "persistence",
"score": 50,
"color": "",
"comment": "Custom code used to perform this would be blocked. Otherwise, built-in utilities can perform this technique.",
"enabled": true,
"metadata": [],
"showSubtechniques": false
},
{
"techniqueID": "T1071",
"tactic": "command-and-control",
"score": 0,
"color": "",
"comment": "",
"enabled": true,
"metadata": [],
"showSubtechniques": false
},
{
"techniqueID": "T1071.001",
"tactic": "command-and-control",
"score": 0,
"color": "",
"comment": "Custom code that performs this technique would be blocked. Otherwise, this technique isn't necessarily related to endpoint code execution.",
"enabled": true,
"metadata": [],
"showSubtechniques": false
},
{
"techniqueID": "T1071.002",
"tactic": "command-and-control",
"score": 0,
"color": "",
"comment": "Custom code that performs this technique would be blocked. Otherwise, this technique isn't necessarily related to endpoint code execution.",
"enabled": true,
"metadata": [],
"showSubtechniques": false
},
{
"techniqueID": "T1071.003",
"tactic": "command-and-control",
"score": 0,
"color": "",
"comment": "Custom code that performs this technique would be blocked. Otherwise, this technique isn't necessarily related to endpoint code execution.",
"enabled": true,
"metadata": [],
"showSubtechniques": false
},
{
"techniqueID": "T1071.004",
"tactic": "command-and-control",
"score": 0,
"color": "",
"comment": "Custom code that performs this technique would be blocked. Otherwise, this technique isn't necessarily related to endpoint code execution.",
"enabled": true,
"metadata": [],
"showSubtechniques": false
},
{
"techniqueID": "T1010",
"tactic": "discovery",
"score": 50,
"color": "",
"comment": "Custom code used to perform this would be blocked.",
"enabled": true,
"metadata": [],
"showSubtechniques": false
},
{
"techniqueID": "T1560",
"tactic": "collection",
"score": 50,
"color": "",
"comment": "",
"enabled": true,
"metadata": [],
"showSubtechniques": false
},
{
"techniqueID": "T1560.001",
"tactic": "collection",
"score": 50,
"color": "",
"comment": "Custom code used to perform this would be blocked. Otherwise, built-in utilities can perform this technique.",
"enabled": true,
"metadata": [],
"showSubtechniques": false
},
{
"techniqueID": "T1560.002",
"tactic": "collection",
"score": 50,
"color": "",
"comment": "Custom code used to perform this would be blocked. Otherwise, built-in utilities can perform this technique.",
"enabled": true,
"metadata": [],
"showSubtechniques": false
},
{
"techniqueID": "T1560.003",
"tactic": "collection",
"score": 50,
"color": "",
"comment": "Custom code used to perform this would be blocked. Otherwise, built-in utilities can perform this technique.",
"enabled": true,
"metadata": [],
"showSubtechniques": false
},
{
"techniqueID": "T1123",
"tactic": "collection",
"score": 50,
"color": "",
"comment": "Custom code used to perform this would be blocked. Otherwise, built-in utilities can perform this technique.",
"enabled": true,
"metadata": [],
"showSubtechniques": false
},
{
"techniqueID": "T1119",
"tactic": "collection",
"score": 50,
"color": "",
"comment": "Custom code used to perform this would be blocked. Otherwise, built-in utilities can perform this technique.",
"enabled": true,
"metadata": [],
"showSubtechniques": false
},
{
"techniqueID": "T1020",
"tactic": "exfiltration",
"score": 0,
"color": "",
"comment": "Application control is not the solution to mitigate this technique but it can serve as a mitigating prevention after an attacker has gained access using this technique.",
"enabled": true,
"metadata": [],
"showSubtechniques": false
},
{
"techniqueID": "T1197",
"tactic": "defense-evasion",
"score": 50,
"color": "",
"comment": "Custom code used to perform this would be blocked. Otherwise, built-in utilities can perform this technique.",
"enabled": true,
"metadata": [],
"showSubtechniques": false
},
{
"techniqueID": "T1197",
"tactic": "persistence",
"score": 50,
"color": "",
"comment": "Custom code used to perform this would be blocked. Otherwise, built-in utilities can perform this technique.",
"enabled": true,
"metadata": [],
"showSubtechniques": false
},
{
"techniqueID": "T1547",
"tactic": "persistence",
"score": 80,
"color": "",
"comment": "",
"enabled": true,
"metadata": [],
"showSubtechniques": false
},
{
"techniqueID": "T1547",
"tactic": "privilege-escalation",
"score": 80,
"color": "",
"comment": "",
"enabled": true,
"metadata": [],
"showSubtechniques": false
},
{
"techniqueID": "T1547.001",
"tactic": "persistence",
"score": 0,
"color": "",
"comment": "Custom code that performs this technique would be blocked. Otherwise, this technique isn't addressed by application control.",
"enabled": true,
"metadata": [],
"showSubtechniques": false
},
{
"techniqueID": "T1547.001",
"tactic": "privilege-escalation",
"score": 0,
"color": "",
"comment": "Custom code that performs this technique would be blocked. Otherwise, this technique isn't addressed by application control.",
"enabled": true,
"metadata": [],
"showSubtechniques": false
},
{
"techniqueID": "T1547.002",
"tactic": "persistence",
"score": 100,
"color": "",
"comment": "Blocked assuming DLL enforcement",
"enabled": true,
"metadata": [],
"showSubtechniques": false
},
{
"techniqueID": "T1547.002",
"tactic": "privilege-escalation",
"score": 100,
"color": "",
"comment": "Blocked assuming DLL enforcement",
"enabled": true,
"metadata": [],
"showSubtechniques": false
},
{
"techniqueID": "T1547.003",
"tactic": "persistence",
"score": 100,
"color": "",
"comment": "Blocked assuming DLL enforcement",
"enabled": true,
"metadata": [],
"showSubtechniques": false
},
{
"techniqueID": "T1547.003",
"tactic": "privilege-escalation",
"score": 100,
"color": "",
"comment": "Blocked assuming DLL enforcement",
"enabled": true,
"metadata": [],
"showSubtechniques": false
},
{
"techniqueID": "T1547.004",
"tactic": "persistence",
"score": 100,
"color": "",
"comment": "Blocked assuming DLL enforcement",
"enabled": true,
"metadata": [],
"showSubtechniques": false
},
{
"techniqueID": "T1547.004",
"tactic": "privilege-escalation",
"score": 100,
"color": "",
"comment": "Blocked assuming DLL enforcement",
"enabled": true,
"metadata": [],
"showSubtechniques": false
},
{
"techniqueID": "T1547.005",
"tactic": "persistence",
"score": 100,
"color": "",
"comment": "Blocked assuming DLL enforcement",
"enabled": true,
"metadata": [],
"showSubtechniques": false
},
{
"techniqueID": "T1547.005",
"tactic": "privilege-escalation",
"score": 100,
"color": "",
"comment": "Blocked assuming DLL enforcement",
"enabled": true,
"metadata": [],
"showSubtechniques": false
},
{
"techniqueID": "T1547.008",
"tactic": "persistence",
"score": 100,
"color": "",
"comment": "Blocked assuming DLL enforcement",
"enabled": true,
"metadata": [],
"showSubtechniques": false
},
{
"techniqueID": "T1547.008",
"tactic": "privilege-escalation",
"score": 100,
"color": "",
"comment": "Blocked assuming DLL enforcement",
"enabled": true,
"metadata": [],
"showSubtechniques": false
},
{
"techniqueID": "T1547.009",
"tactic": "persistence",
"score": 0,
"color": "",
"comment": "Custom code that performs this technique would be blocked. Otherwise, this technique isn't addressed by application control.",
"enabled": true,
"metadata": [],
"showSubtechniques": false
},
{
"techniqueID": "T1547.009",
"tactic": "privilege-escalation",
"score": 0,
"color": "",
"comment": "Custom code that performs this technique would be blocked. Otherwise, this technique isn't addressed by application control.",
"enabled": true,
"metadata": [],
"showSubtechniques": false
},
{
"techniqueID": "T1547.010",
"tactic": "persistence",
"score": 100,
"color": "",
"comment": "Blocked assuming DLL enforcement",
"enabled": true,
"metadata": [],
"showSubtechniques": false
},
{
"techniqueID": "T1547.010",
"tactic": "privilege-escalation",
"score": 100,
"color": "",
"comment": "Blocked assuming DLL enforcement",
"enabled": true,
"metadata": [],
"showSubtechniques": false
},
{
"techniqueID": "T1547.012",
"tactic": "persistence",
"score": 100,
"color": "",
"comment": "Blocked assuming DLL enforcement",
"enabled": true,
"metadata": [],
"showSubtechniques": false
},
{
"techniqueID": "T1547.012",
"tactic": "privilege-escalation",
"score": 100,
"color": "",
"comment": "Blocked assuming DLL enforcement",
"enabled": true,
"metadata": [],
"showSubtechniques": false
},
{
"techniqueID": "T1547.014",
"tactic": "persistence",
"score": 100,
"color": "",
"comment": "Custom code used to perform this would be blocked.",
"enabled": true,
"metadata": [],
"showSubtechniques": false
},
{
"techniqueID": "T1547.014",
"tactic": "privilege-escalation",
"score": 100,
"color": "",
"comment": "Custom code used to perform this would be blocked.",
"enabled": true,
"metadata": [],
"showSubtechniques": false
},
{
"techniqueID": "T1037",
"tactic": "persistence",
"score": 50,
"color": "",
"comment": "",
"enabled": true,
"metadata": [],
"showSubtechniques": false
},
{
"techniqueID": "T1037",
"tactic": "privilege-escalation",
"score": 50,
"color": "",
"comment": "",
"enabled": true,
"metadata": [],
"showSubtechniques": false
},
{
"techniqueID": "T1037.001",
"tactic": "persistence",
"score": 50,
"color": "",
"comment": "Application control cannot prevent the usage/abuse of this technique but it can limit the impact by restricting what is executed.",
"enabled": true,
"metadata": [],
"showSubtechniques": false
},
{
"techniqueID": "T1037.001",
"tactic": "privilege-escalation",
"score": 50,
"color": "",
"comment": "Application control cannot prevent the usage/abuse of this technique but it can limit the impact by restricting what is executed.",
"enabled": true,
"metadata": [],
"showSubtechniques": false
},
{
"techniqueID": "T1037.003",
"tactic": "persistence",
"score": 50,
"color": "",
"comment": "Application control cannot prevent the usage/abuse of this technique but it can limit the impact by restricting what is executed.",
"enabled": true,
"metadata": [],
"showSubtechniques": false
},
{
"techniqueID": "T1037.003",
"tactic": "privilege-escalation",
"score": 50,
"color": "",
"comment": "Application control cannot prevent the usage/abuse of this technique but it can limit the impact by restricting what is executed.",
"enabled": true,
"metadata": [],
"showSubtechniques": false
},
{
"techniqueID": "T1217",
"tactic": "discovery",
"score": 50,
"color": "",
"comment": "Custom code used to perform this would be blocked. Otherwise, built-in utilities can perform this technique.",
"enabled": true,
"metadata": [],
"showSubtechniques": false
},
{
"techniqueID": "T1176",
"tactic": "persistence",
"score": 0,
"color": "",
"comment": "Application control does not have insight into controlling the execution of browser extensions.",
"enabled": true,
"metadata": [],
"showSubtechniques": false
},
{
"techniqueID": "T1110",
"tactic": "credential-access",
"score": 0,
"color": "",
"comment": "",
"enabled": true,
"metadata": [],
"showSubtechniques": false
},
{
"techniqueID": "T1110.001",
"tactic": "credential-access",
"score": 0,
"color": "",
"comment": "Technique is not necessarily related to the execution of arbitrary code on an endpoint.",
"enabled": true,
"metadata": [],
"showSubtechniques": false
},
{
"techniqueID": "T1110.002",
"tactic": "credential-access",
"score": 0,
"color": "",
"comment": "Technique is not necessarily related to the execution of arbitrary code on an endpoint.",
"enabled": true,
"metadata": [],
"showSubtechniques": false
},
{
"techniqueID": "T1110.003",
"tactic": "credential-access",
"score": 0,
"color": "",
"comment": "Technique is not necessarily related to the execution of arbitrary code on an endpoint.",
"enabled": true,
"metadata": [],
"showSubtechniques": false
},
{
"techniqueID": "T1110.004",
"tactic": "credential-access",
"score": 0,
"color": "",
"comment": "Technique is not necessarily related to the execution of arbitrary code on an endpoint.",
"enabled": true,
"metadata": [],
"showSubtechniques": false
},
{
"techniqueID": "T1115",
"tactic": "collection",
"score": 100,
"color": "",
"comment": "This technique requires arbitrary code execution to perform so either an exploit or app control bypass would first be required as a prerequisite.",
"enabled": true,
"metadata": [],
"showSubtechniques": false
},
{
"techniqueID": "T1059",
"tactic": "execution",
"score": 75,
"color": "",
"comment": "",
"enabled": true,
"metadata": [],
"showSubtechniques": false
},
{
"techniqueID": "T1059.001",
"tactic": "execution",
"score": 75,
"color": "",
"comment": "App control used in conjunction with Constrained Language Mode is an extremely powerful mitigation against arbitrary PowerShell code execution but unless PowerShell-related executables were outright blocked, execution would not be fully prevented.",
"enabled": true,
"metadata": [],
"showSubtechniques": false
},
{
"techniqueID": "T1059.003",
"tactic": "execution",
"score": 50,
"color": "",
"comment": "The Windows Command Shell cannot be used to execute executables not permitted per policy but it will execute executables allowed per policy. It would be unrealistic in most scenarios to block cmd.exe.",
"enabled": true,
"metadata": [],
"showSubtechniques": false
},
{
"techniqueID": "T1059.005",
"tactic": "execution",
"score": 100,
"color": "",
"comment": "Executables related to script interpreters like this can be explicitly blocked.",
"enabled": true,
"metadata": [],
"showSubtechniques": false
},
{
"techniqueID": "T1059.006",
"tactic": "execution",
"score": 50,
"color": "",
"comment": "If Python is permitted to execute per policy, there are no script enforcement mechanisms built in to the Python interpreter.",
"enabled": true,
"metadata": [],
"showSubtechniques": false
},
{
"techniqueID": "T1059.007",
"tactic": "execution",
"score": 100,
"color": "",
"comment": "Executables related to script interpreters like this can be explicitly blocked.",
"enabled": true,
"metadata": [],
"showSubtechniques": false
},
{
"techniqueID": "T1092",
"tactic": "command-and-control",
"score": 0,
"color": "",
"comment": "Application control is not the solution to mitigate this technique but it can serve as a mitigating prevention after an attacker has gained access using this technique.",
"enabled": true,
"metadata": [],
"showSubtechniques": false
},
{
"techniqueID": "T1554",
"tactic": "persistence",
"score": 0,
"color": "",
"comment": "It is assumed that these binaries were already approved to execute.",
"enabled": true,
"metadata": [],
"showSubtechniques": false
},
{
"techniqueID": "T1136",
"tactic": "persistence",
"score": 50,
"color": "",
"comment": "",
"enabled": true,
"metadata": [],
"showSubtechniques": false
},
{
"techniqueID": "T1136.001",
"tactic": "persistence",
"score": 50,
"color": "",
"comment": "Custom code used to perform this would be blocked. Otherwise, built-in utilities can perform this technique.",
"enabled": true,
"metadata": [],
"showSubtechniques": false
},
{
"techniqueID": "T1136.002",
"tactic": "persistence",
"score": 50,
"color": "",
"comment": "Custom code used to perform this would be blocked. Otherwise, built-in utilities can perform this technique.",
"enabled": true,
"metadata": [],
"showSubtechniques": false
},
{
"techniqueID": "T1543",
"tactic": "persistence",
"score": 50,
"color": "",
"comment": "",
"enabled": true,
"metadata": [],
"showSubtechniques": false
},
{
"techniqueID": "T1543",
"tactic": "privilege-escalation",
"score": 50,
"color": "",
"comment": "",
"enabled": true,
"metadata": [],
"showSubtechniques": false
},
{
"techniqueID": "T1543.003",
"tactic": "persistence",
"score": 50,
"color": "",
"comment": "Custom code used to perform this would be blocked. Otherwise, built-in utilities can perform this technique.",
"enabled": true,
"metadata": [],
"showSubtechniques": false
},
{
"techniqueID": "T1543.003",
"tactic": "privilege-escalation",
"score": 50,
"color": "",
"comment": "Custom code used to perform this would be blocked. Otherwise, built-in utilities can perform this technique.",
"enabled": true,
"metadata": [],
"showSubtechniques": false
},
{
"techniqueID": "T1555",
"tactic": "credential-access",
"score": 50,
"color": "",
"comment": "",
"enabled": true,
"metadata": [],
"showSubtechniques": false
},
{
"techniqueID": "T1555.003",
"tactic": "credential-access",
"score": 50,
"color": "",
"comment": "Custom code used to perform this would be blocked. Otherwise, built-in utilities can perform this technique.",
"enabled": true,
"metadata": [],
"showSubtechniques": false
},
{
"techniqueID": "T1555.004",
"tactic": "credential-access",
"score": 50,
"color": "",
"comment": "Custom code used to perform this would be blocked. Otherwise, built-in utilities can perform this technique.",
"enabled": true,
"metadata": [],
"showSubtechniques": false
},
{
"techniqueID": "T1555.005",
"tactic": "credential-access",
"score": 50,
"color": "",
"comment": "Custom code used to perform this would be blocked. Otherwise, built-in utilities can perform this technique.",
"enabled": true,
"metadata": [],
"showSubtechniques": false
},
{
"techniqueID": "T1485",
"tactic": "impact",
"score": 50,
"color": "",
"comment": "Custom code used to perform this would be blocked. Otherwise, built-in utilities can perform this technique.",
"enabled": true,
"metadata": [],
"showSubtechniques": false
},
{
"techniqueID": "T1132",
"tactic": "command-and-control",
"score": 0,
"color": "",
"comment": "",
"enabled": true,
"metadata": [],
"showSubtechniques": false
},
{
"techniqueID": "T1132.001",
"tactic": "command-and-control",
"score": 0,
"color": "",
"comment": "Technique is not necessarily related to the execution of arbitrary code on an endpoint.",
"enabled": true,
"metadata": [],
"showSubtechniques": false
},
{
"techniqueID": "T1132.002",
"tactic": "command-and-control",
"score": 0,
"color": "",
"comment": "Technique is not necessarily related to the execution of arbitrary code on an endpoint.",
"enabled": true,
"metadata": [],
"showSubtechniques": false
},
{
"techniqueID": "T1486",
"tactic": "impact",
"score": 50,
"color": "",
"comment": "Custom code used to perform this would be blocked. Otherwise, built-in utilities can perform this technique.",
"enabled": true,
"metadata": [],
"showSubtechniques": false
},
{
"techniqueID": "T1565",
"tactic": "impact",
"score": 33,
"color": "",
"comment": "",
"enabled": true,
"metadata": [],
"showSubtechniques": false
},
{
"techniqueID": "T1565.001",
"tactic": "impact",
"score": 50,
"color": "",
"comment": "Custom code used to perform this would be blocked. Otherwise, built-in utilities can perform this technique.",
"enabled": true,
"metadata": [],
"showSubtechniques": false
},
{
"techniqueID": "T1565.002",
"tactic": "impact",
"score": 0,
"color": "",
"comment": "This technique is not addressed by application control.",
"enabled": true,
"metadata": [],
"showSubtechniques": false
},
{
"techniqueID": "T1565.003",
"tactic": "impact",
"score": 50,
"color": "",
"comment": "Custom code used to perform this would be blocked.",
"enabled": true,
"metadata": [],
"showSubtechniques": false
},
{
"techniqueID": "T1001",
"tactic": "command-and-control",
"score": 33,
"color": "",
"comment": "",
"enabled": true,
"metadata": [],
"showSubtechniques": false
},
{
"techniqueID": "T1001.001",
"tactic": "command-and-control",
"score": 0,
"color": "",
"comment": "Technique is not necessarily related to the execution of arbitrary code on an endpoint.",
"enabled": true,
"metadata": [],
"showSubtechniques": false
},
{
"techniqueID": "T1001.002",
"tactic": "command-and-control",
"score": 50,
"color": "",
"comment": "If custom attacker code were necessary to perform this technique, it would be prevented.",
"enabled": true,
"metadata": [],
"showSubtechniques": false
},
{
"techniqueID": "T1001.003",
"tactic": "command-and-control",
"score": 50,
"color": "",
"comment": "If custom attacker code were necessary to perform this technique, it would be prevented.",
"enabled": true,
"metadata": [],
"showSubtechniques": false
},
{
"techniqueID": "T1074",
"tactic": "collection",
"score": 50,
"color": "",
"comment": "",
"enabled": true,
"metadata": [],
"showSubtechniques": false
},
{
"techniqueID": "T1074.001",
"tactic": "collection",
"score": 50,
"color": "",
"comment": "Custom code used to perform this would be blocked. Otherwise, built-in utilities can perform this technique.",
"enabled": true,
"metadata": [],
"showSubtechniques": false
},
{
"techniqueID": "T1074.002",
"tactic": "collection",
"score": 50,
"color": "",
"comment": "Custom code used to perform this would be blocked. Otherwise, built-in utilities can perform this technique.",
"enabled": true,
"metadata": [],
"showSubtechniques": false
},
{
"techniqueID": "T1030",
"tactic": "exfiltration",
"score": 0,
"color": "",
"comment": "Application control is not the solution to mitigate this technique. The use of custom code to perform this technique would be blocked, however.",
"enabled": true,
"metadata": [],
"showSubtechniques": false
},
{
"techniqueID": "T1213",
"tactic": "collection",
"score": 0,
"color": "",
"comment": "",
"enabled": true,
"metadata": [],
"showSubtechniques": false
},
{
"techniqueID": "T1213.002",
"tactic": "collection",
"score": 0,
"color": "",
"comment": "This technique is not addressed by application control.",
"enabled": true,
"metadata": [],
"showSubtechniques": false
},
{
"techniqueID": "T1005",
"tactic": "collection",
"score": 0,
"color": "",
"comment": "Technique is not necessarily related to the execution of arbitrary code on an endpoint.",
"enabled": true,
"metadata": [],
"showSubtechniques": false
},
{
"techniqueID": "T1039",
"tactic": "collection",
"score": 0,
"color": "",
"comment": "Application control is not the solution to mitigate this technique. The use of custom code to perform this technique would be blocked, however.",
"enabled": true,
"metadata": [],
"showSubtechniques": false
},
{
"techniqueID": "T1025",
"tactic": "collection",
"score": 0,
"color": "",
"comment": "Application control is not the solution to mitigate this technique. The use of custom code to perform this technique would be blocked, however.",
"enabled": true,
"metadata": [],
"showSubtechniques": false
},
{
"techniqueID": "T1491",
"tactic": "impact",
"score": 0,
"color": "",
"comment": "",
"enabled": true,
"metadata": [],
"showSubtechniques": false
},
{
"techniqueID": "T1491.001",
"tactic": "impact",
"score": 0,
"color": "",
"comment": "Custom code that performs this technique would be blocked. Otherwise, this technique isn't necessarily related to endpoint code execution.",
"enabled": true,
"metadata": [],
"showSubtechniques": false
},
{
"techniqueID": "T1491.002",
"tactic": "impact",
"score": 0,
"color": "",
"comment": "This technique is not addressed by application control.",
"enabled": true,
"metadata": [],
"showSubtechniques": false
},
{
"techniqueID": "T1140",
"tactic": "defense-evasion",
"score": 50,
"color": "",
"comment": "Custom code used to perform this would be blocked. Otherwise, built-in utilities can perform this technique.",
"enabled": true,
"metadata": [],
"showSubtechniques": false
},
{
"techniqueID": "T1006",
"tactic": "defense-evasion",
"score": 100,
"color": "",
"comment": "In most cases, custom code is required to perform this technique.",
"enabled": true,
"metadata": [],
"showSubtechniques": false
},
{
"techniqueID": "T1561",
"tactic": "impact",
"score": 50,
"color": "",
"comment": "",
"enabled": true,
"metadata": [],
"showSubtechniques": false
},
{
"techniqueID": "T1561.001",
"tactic": "impact",
"score": 50,
"color": "",
"comment": "Custom code used to perform this would be blocked. Otherwise, built-in utilities can perform this technique.",
"enabled": true,
"metadata": [],
"showSubtechniques": false
},
{
"techniqueID": "T1561.002",
"tactic": "impact",
"score": 50,
"color": "",
"comment": "Custom code used to perform this would be blocked. Otherwise, built-in utilities can perform this technique.",
"enabled": true,
"metadata": [],
"showSubtechniques": false
},
{
"techniqueID": "T1484",
"tactic": "defense-evasion",
"score": 0,
"color": "",
"comment": "",
"enabled": true,
"metadata": [],
"showSubtechniques": false
},
{
"techniqueID": "T1484",
"tactic": "privilege-escalation",
"score": 0,
"color": "",
"comment": "",
"enabled": true,
"metadata": [],
"showSubtechniques": false
},
{
"techniqueID": "T1484.001",
"tactic": "defense-evasion",
"score": 0,
"color": "",
"comment": "Custom code that performs this technique would be blocked. Otherwise, this technique isn't necessarily related to endpoint code execution.",
"enabled": true,
"metadata": [],
"showSubtechniques": false
},
{
"techniqueID": "T1484.001",
"tactic": "privilege-escalation",
"score": 0,
"color": "",
"comment": "Custom code that performs this technique would be blocked. Otherwise, this technique isn't necessarily related to endpoint code execution.",
"enabled": true,
"metadata": [],
"showSubtechniques": false
},
{
"techniqueID": "T1484.002",
"tactic": "defense-evasion",
"score": 0,
"color": "",
"comment": "This technique is not addressed by application control.",
"enabled": true,
"metadata": [],
"showSubtechniques": false
},
{
"techniqueID": "T1484.002",
"tactic": "privilege-escalation",
"score": 0,
"color": "",
"comment": "This technique is not addressed by application control.",
"enabled": true,
"metadata": [],
"showSubtechniques": false
},
{
"techniqueID": "T1482",
"tactic": "discovery",
"score": 50,
"color": "",
"comment": "Custom code used to perform this would be blocked. Otherwise, built-in utilities can perform this technique.",
"enabled": true,
"metadata": [],
"showSubtechniques": false
},
{
"techniqueID": "T1189",
"tactic": "initial-access",
"score": 50,
"color": "",
"comment": "If the download and execution of attacker executable/script code is the vector, then application control can prevent further compromise.",
"enabled": true,
"metadata": [],
"showSubtechniques": false
},
{
"techniqueID": "T1568",
"tactic": "command-and-control",
"score": 0,
"color": "",
"comment": "",
"enabled": true,
"metadata": [],
"showSubtechniques": false
},
{
"techniqueID": "T1568.002",
"tactic": "command-and-control",
"score": 0,
"color": "",
"comment": "This technique is not addressed by application control.",
"enabled": true,
"metadata": [],
"showSubtechniques": false
},
{
"techniqueID": "T1568.001",
"tactic": "command-and-control",
"score": 0,
"color": "",
"comment": "This technique is not addressed by application control.",
"enabled": true,
"metadata": [],
"showSubtechniques": false
},
{
"techniqueID": "T1568.003",
"tactic": "command-and-control",
"score": 0,
"color": "",
"comment": "This technique is not addressed by application control.",
"enabled": true,
"metadata": [],
"showSubtechniques": false
},
{
"techniqueID": "T1114",
"tactic": "collection",
"score": 0,
"color": "",
"comment": "",
"enabled": true,
"metadata": [],
"showSubtechniques": false
},
{
"techniqueID": "T1114.001",
"tactic": "collection",
"score": 0,
"color": "",
"comment": "Technique is not necessarily related to the execution of arbitrary code on an endpoint.",
"enabled": true,
"metadata": [],
"showSubtechniques": false
},
{
"techniqueID": "T1114.002",
"tactic": "collection",
"score": 0,
"color": "",
"comment": "Technique is not necessarily related to the execution of arbitrary code on an endpoint.",
"enabled": true,
"metadata": [],
"showSubtechniques": false
},
{
"techniqueID": "T1114.003",
"tactic": "collection",
"score": 0,
"color": "",
"comment": "Technique is not necessarily related to the execution of arbitrary code on an endpoint.",
"enabled": true,
"metadata": [],
"showSubtechniques": false
},
{
"techniqueID": "T1573",
"tactic": "command-and-control",
"score": 0,
"color": "",
"comment": "",
"enabled": true,
"metadata": [],
"showSubtechniques": false
},
{
"techniqueID": "T1573.001",
"tactic": "command-and-control",
"score": 0,
"color": "",
"comment": "This technique is not addressed by application control.",
"enabled": true,
"metadata": [],
"showSubtechniques": false
},
{
"techniqueID": "T1573.002",
"tactic": "command-and-control",
"score": 0,
"color": "",
"comment": "This technique is not addressed by application control.",
"enabled": true,
"metadata": [],
"showSubtechniques": false
},
{
"techniqueID": "T1499",
"tactic": "impact",
"score": 0,
"color": "",
"comment": "",
"enabled": true,
"metadata": [],
"showSubtechniques": false
},
{
"techniqueID": "T1499.001",
"tactic": "impact",
"score": 0,
"color": "",
"comment": "This technique is not addressed by application control.",
"enabled": true,
"metadata": [],
"showSubtechniques": false
},
{
"techniqueID": "T1499.002",
"tactic": "impact",
"score": 0,
"color": "",
"comment": "This technique is not addressed by application control.",
"enabled": true,
"metadata": [],
"showSubtechniques": false
},
{
"techniqueID": "T1499.003",
"tactic": "impact",
"score": 0,
"color": "",
"comment": "This technique is not addressed by application control.",
"enabled": true,
"metadata": [],
"showSubtechniques": false
},
{
"techniqueID": "T1499.004",
"tactic": "impact",
"score": 0,
"color": "",
"comment": "This technique is not addressed by application control.",
"enabled": true,
"metadata": [],
"showSubtechniques": false
},
{
"techniqueID": "T1611",
"tactic": "privilege-escalation",
"score": 50,
"color": "",
"comment": "Application control enforcement in both the container/VM and the host would offer mitigation. Escape opportunities could be present in the form of approved applications, however.",
"enabled": true,
"metadata": [],
"showSubtechniques": false
},
{
"techniqueID": "T1546",
"tactic": "privilege-escalation",
"score": 70,
"color": "",
"comment": "",
"enabled": true,
"metadata": [],
"showSubtechniques": false
},
{
"techniqueID": "T1546",
"tactic": "persistence",
"score": 70,
"color": "",
"comment": "",
"enabled": true,
"metadata": [],
"showSubtechniques": false
},
{
"techniqueID": "T1546.001",
"tactic": "privilege-escalation",
"score": 50,
"color": "",
"comment": "Custom code used to perform this would be blocked. Otherwise, built-in utilities can perform this technique.",
"enabled": true,
"metadata": [],
"showSubtechniques": false
},
{
"techniqueID": "T1546.001",
"tactic": "persistence",
"score": 50,
"color": "",
"comment": "Custom code used to perform this would be blocked. Otherwise, built-in utilities can perform this technique.",
"enabled": true,
"metadata": [],
"showSubtechniques": false
},
{
"techniqueID": "T1546.002",
"tactic": "privilege-escalation",
"score": 100,
"color": "",
"comment": "Blocked assuming DLL enforcement",
"enabled": true,
"metadata": [],
"showSubtechniques": false
},
{
"techniqueID": "T1546.002",
"tactic": "persistence",
"score": 100,
"color": "",
"comment": "Blocked assuming DLL enforcement",
"enabled": true,
"metadata": [],
"showSubtechniques": false
},
{
"techniqueID": "T1546.003",
"tactic": "privilege-escalation",
"score": 50,
"color": "",
"comment": "Custom code used to perform this would be blocked. Otherwise, built-in utilities can perform this technique.",
"enabled": true,
"metadata": [],
"showSubtechniques": false
},
{
"techniqueID": "T1546.003",
"tactic": "persistence",
"score": 50,
"color": "",
"comment": "Custom code used to perform this would be blocked. Otherwise, built-in utilities can perform this technique.",
"enabled": true,
"metadata": [],
"showSubtechniques": false
},
{
"techniqueID": "T1546.007",
"tactic": "privilege-escalation",
"score": 100,
"color": "",
"comment": "Blocked assuming DLL enforcement",
"enabled": true,
"metadata": [],
"showSubtechniques": false
},
{
"techniqueID": "T1546.007",
"tactic": "persistence",
"score": 100,
"color": "",
"comment": "Blocked assuming DLL enforcement",
"enabled": true,
"metadata": [],
"showSubtechniques": false
},
{
"techniqueID": "T1546.008",
"tactic": "privilege-escalation",
"score": 50,
"color": "",
"comment": "Custom code used to perform this would be blocked. Otherwise, built-in utilities can perform this technique.",
"enabled": true,
"metadata": [],
"showSubtechniques": false
},
{
"techniqueID": "T1546.008",
"tactic": "persistence",
"score": 50,
"color": "",
"comment": "Custom code used to perform this would be blocked. Otherwise, built-in utilities can perform this technique.",
"enabled": true,
"metadata": [],
"showSubtechniques": false
},
{
"techniqueID": "T1546.009",
"tactic": "privilege-escalation",
"score": 100,
"color": "",
"comment": "Blocked assuming DLL enforcement",
"enabled": true,
"metadata": [],
"showSubtechniques": false
},
{
"techniqueID": "T1546.009",
"tactic": "persistence",
"score": 100,
"color": "",
"comment": "Blocked assuming DLL enforcement",
"enabled": true,
"metadata": [],
"showSubtechniques": false
},
{
"techniqueID": "T1546.010",
"tactic": "privilege-escalation",
"score": 100,
"color": "",
"comment": "Blocked assuming DLL enforcement",
"enabled": true,
"metadata": [],
"showSubtechniques": false
},
{
"techniqueID": "T1546.010",
"tactic": "persistence",
"score": 100,
"color": "",
"comment": "Blocked assuming DLL enforcement",
"enabled": true,
"metadata": [],
"showSubtechniques": false
},
{
"techniqueID": "T1546.011",
"tactic": "privilege-escalation",
"score": 50,
"color": "",
"comment": "Assuming DLL enforcement, application shims designed to load a DLL would be blocked.",
"enabled": true,
"metadata": [],
"showSubtechniques": false
},
{
"techniqueID": "T1546.011",
"tactic": "persistence",
"score": 50,
"color": "",
"comment": "Assuming DLL enforcement, application shims designed to load a DLL would be blocked.",
"enabled": true,
"metadata": [],
"showSubtechniques": false
},
{
"techniqueID": "T1546.012",
"tactic": "privilege-escalation",
"score": 50,
"color": "",
"comment": "Custom code used to perform this would be blocked. Otherwise, built-in utilities can perform this technique.",
"enabled": true,
"metadata": [],
"showSubtechniques": false
},
{
"techniqueID": "T1546.012",
"tactic": "persistence",
"score": 50,
"color": "",
"comment": "Custom code used to perform this would be blocked. Otherwise, built-in utilities can perform this technique.",
"enabled": true,
"metadata": [],
"showSubtechniques": false
},
{
"techniqueID": "T1546.013",
"tactic": "privilege-escalation",
"score": 75,
"color": "",
"comment": "Under application control enforcement (assuming Constrained Language mode enforcement), the execution of profiles is restricted but not prevented.",
"enabled": true,
"metadata": [],
"showSubtechniques": false
},
{
"techniqueID": "T1546.013",
"tactic": "persistence",
"score": 75,
"color": "",
"comment": "Under application control enforcement (assuming Constrained Language mode enforcement), the execution of profiles is restricted but not prevented.",
"enabled": true,
"metadata": [],
"showSubtechniques": false
},
{
"techniqueID": "T1546.015",
"tactic": "privilege-escalation",
"score": 50,
"color": "",
"comment": "Custom code used to perform this would be blocked. Otherwise, attackers can hijack COM registrations, pointing them to approved COM classes to abuse.",
"enabled": true,
"metadata": [],
"showSubtechniques": false
},
{
"techniqueID": "T1546.015",
"tactic": "persistence",
"score": 50,
"color": "",
"comment": "Custom code used to perform this would be blocked. Otherwise, attackers can hijack COM registrations, pointing them to approved COM classes to abuse.",
"enabled": true,
"metadata": [],
"showSubtechniques": false
},
{
"techniqueID": "T1480",
"tactic": "defense-evasion",
"score": 50,
"color": "",
"comment": "",
"enabled": true,
"metadata": [],
"showSubtechniques": false
},
{
"techniqueID": "T1480.001",
"tactic": "defense-evasion",
"score": 50,
"color": "",
"comment": "Custom code used to perform this would be blocked. Otherwise, built-in utilities could potentially be used to perform this technique.",
"enabled": true,
"metadata": [],
"showSubtechniques": false
},
{
"techniqueID": "T1048",
"tactic": "exfiltration",
"score": 0,
"color": "",
"comment": "",
"enabled": true,
"metadata": [],
"showSubtechniques": false
},
{
"techniqueID": "T1048.001",
"tactic": "exfiltration",
"score": 0,
"color": "",
"comment": "Application control is not the solution to mitigate this technique. The use of custom code to perform this technique would be blocked, however.",
"enabled": true,
"metadata": [],
"showSubtechniques": false
},
{
"techniqueID": "T1048.002",
"tactic": "exfiltration",
"score": 0,
"color": "",
"comment": "Application control is not the solution to mitigate this technique. The use of custom code to perform this technique would be blocked, however.",
"enabled": true,
"metadata": [],
"showSubtechniques": false
},
{
"techniqueID": "T1048.003",
"tactic": "exfiltration",
"score": 0,
"color": "",
"comment": "Application control is not the solution to mitigate this technique. The use of custom code to perform this technique would be blocked, however.",
"enabled": true,
"metadata": [],
"showSubtechniques": false
},
{
"techniqueID": "T1041",
"tactic": "exfiltration",
"score": 0,
"color": "",
"comment": "Application control is not the solution to mitigate this technique. The use of custom code to perform this technique would be blocked, however.",
"enabled": true,
"metadata": [],
"showSubtechniques": false
},
{
"techniqueID": "T1011",
"tactic": "exfiltration",
"score": 50,
"color": "",
"comment": "",
"enabled": true,
"metadata": [],
"showSubtechniques": false
},
{
"techniqueID": "T1011.001",
"tactic": "exfiltration",
"score": 50,
"color": "",
"comment": "Custom code used to perform this would be blocked.",
"enabled": true,
"metadata": [],
"showSubtechniques": false
},
{
"techniqueID": "T1052",
"tactic": "exfiltration",
"score": 0,
"color": "",
"comment": "",
"enabled": true,
"metadata": [],
"showSubtechniques": false
},
{
"techniqueID": "T1052.001",
"tactic": "exfiltration",
"score": 0,
"color": "",
"comment": "Application control is not the solution to mitigate this technique. The use of custom code to perform this technique would be blocked, however.",
"enabled": true,
"metadata": [],
"showSubtechniques": false
},
{
"techniqueID": "T1567",
"tactic": "exfiltration",
"score": 50,
"color": "",
"comment": "",
"enabled": true,
"metadata": [],
"showSubtechniques": false
},
{
"techniqueID": "T1567.001",
"tactic": "exfiltration",
"score": 50,
"color": "",
"comment": "Custom code used to perform this would be blocked. Otherwise, built-in utilities can perform this technique.",
"enabled": true,
"metadata": [],
"showSubtechniques": false
},
{
"techniqueID": "T1567.002",
"tactic": "exfiltration",
"score": 50,
"color": "",
"comment": "Custom code used to perform this would be blocked. Otherwise, built-in utilities can perform this technique.",
"enabled": true,
"metadata": [],
"showSubtechniques": false
},
{
"techniqueID": "T1190",
"tactic": "initial-access",
"score": 0,
"color": "",
"comment": "This technique is not addressed by application control.",
"enabled": true,
"metadata": [],
"showSubtechniques": false
},
{
"techniqueID": "T1203",
"tactic": "execution",
"score": 0,
"color": "",
"comment": "This technique is not addressed by application control.",
"enabled": true,
"metadata": [],
"showSubtechniques": false
},
{
"techniqueID": "T1212",
"tactic": "credential-access",
"score": 0,
"color": "",
"comment": "This technique is not addressed by application control.",
"enabled": true,
"metadata": [],
"showSubtechniques": false
},
{
"techniqueID": "T1211",
"tactic": "defense-evasion",
"score": 0,
"color": "",
"comment": "This technique is not addressed by application control.",
"enabled": true,
"metadata": [],
"showSubtechniques": false
},
{
"techniqueID": "T1068",
"tactic": "privilege-escalation",
"score": 50,
"color": "",
"comment": "Arbitrary, unprivileged code execution is most commonly a prerequisite for this technique so in many cases, this form of exploitation would be blocked.",
"enabled": true,
"metadata": [],
"showSubtechniques": false
},
{
"techniqueID": "T1210",
"tactic": "lateral-movement",
"score": 0,
"color": "",
"comment": "This technique is not addressed by application control.",
"enabled": true,
"metadata": [],
"showSubtechniques": false
},
{
"techniqueID": "T1133",
"tactic": "persistence",
"score": 0,
"color": "",
"comment": "Technique is not necessarily related to the execution of arbitrary code on an endpoint.",
"enabled": true,
"metadata": [],
"showSubtechniques": false
},
{
"techniqueID": "T1133",
"tactic": "initial-access",
"score": 0,
"color": "",
"comment": "Technique is not necessarily related to the execution of arbitrary code on an endpoint.",
"enabled": true,
"metadata": [],
"showSubtechniques": false
},
{
"techniqueID": "T1008",
"tactic": "command-and-control",
"score": 0,
"color": "",
"comment": "Technique is not necessarily related to the execution of arbitrary code on an endpoint.",
"enabled": true,
"metadata": [],
"showSubtechniques": false
},
{
"techniqueID": "T1083",
"tactic": "discovery",
"score": 50,
"color": "",
"comment": "Custom code used to perform this would be blocked. Otherwise, built-in utilities can perform this technique.",
"enabled": true,
"metadata": [],
"showSubtechniques": false
},
{
"techniqueID": "T1222",
"tactic": "defense-evasion",
"score": 0,
"color": "",
"comment": "",
"enabled": true,
"metadata": [],
"showSubtechniques": false
},
{
"techniqueID": "T1222.001",
"tactic": "defense-evasion",
"score": 0,
"color": "",
"comment": "This technique is not addressed by application control. Some built-in executable could potentially be blocked.",
"enabled": true,
"metadata": [],
"showSubtechniques": false
},
{
"techniqueID": "T1495",
"tactic": "impact",
"score": 50,
"color": "",
"comment": "Custom code used to perform this would be blocked within the context of user-mode.",
"enabled": true,
"metadata": [],
"showSubtechniques": false
},
{
"techniqueID": "T1187",
"tactic": "credential-access",
"score": 0,
"color": "",
"comment": "This technique is not addressed by application control.",
"enabled": true,
"metadata": [],
"showSubtechniques": false
},
{
"techniqueID": "T1606",
"tactic": "credential-access",
"score": 0,
"color": "",
"comment": "",
"enabled": true,
"metadata": [],
"showSubtechniques": false
},
{
"techniqueID": "T1606.001",
"tactic": "credential-access",
"score": 0,
"color": "",
"comment": "This technique is not addressed by application control.",
"enabled": true,
"metadata": [],
"showSubtechniques": false
},
{
"techniqueID": "T1606.002",
"tactic": "credential-access",
"score": 0,
"color": "",
"comment": "This technique is not addressed by application control.",
"enabled": true,
"metadata": [],
"showSubtechniques": false
},
{
"techniqueID": "T1200",
"tactic": "initial-access",
"score": 50,
"color": "",
"comment": "Application control that can block the loading of device drivers can be an effective mitigation against full weaponization of aspects of this technique.",
"enabled": true,
"metadata": [],
"showSubtechniques": false
},
{
"techniqueID": "T1564",
"tactic": "defense-evasion",
"score": 8,
"color": "",
"comment": "",
"enabled": true,
"metadata": [],
"showSubtechniques": false
},
{
"techniqueID": "T1564.001",
"tactic": "defense-evasion",
"score": 0,
"color": "",
"comment": "This technique is not addressed by application control.",
"enabled": true,
"metadata": [],
"showSubtechniques": false
},
{
"techniqueID": "T1564.003",
"tactic": "defense-evasion",
"score": 0,
"color": "",
"comment": "This technique is not addressed by application control.",
"enabled": true,
"metadata": [],
"showSubtechniques": false
},
{
"techniqueID": "T1564.004",
"tactic": "defense-evasion",
"score": 0,
"color": "",
"comment": "This technique is not addressed by application control.",
"enabled": true,
"metadata": [],
"showSubtechniques": false
},
{
"techniqueID": "T1564.005",
"tactic": "defense-evasion",
"score": 0,
"color": "",
"comment": "This technique is not addressed by application control.",
"enabled": true,
"metadata": [],
"showSubtechniques": false
},
{
"techniqueID": "T1564.006",
"tactic": "defense-evasion",
"score": 50,
"color": "",
"comment": "If virtualization software is not required, it can be blocked in policy.",
"enabled": true,
"metadata": [],
"showSubtechniques": false
},
{
"techniqueID": "T1564.007",
"tactic": "defense-evasion",
"score": 0,
"color": "",
"comment": "This technique is not addressed by application control.",
"enabled": true,
"metadata": [],
"showSubtechniques": false
},
{
"techniqueID": "T1574",
"tactic": "persistence",
"score": 56,
"color": "",
"comment": "",
"enabled": true,
"metadata": [],
"showSubtechniques": false
},
{
"techniqueID": "T1574",
"tactic": "privilege-escalation",
"score": 56,
"color": "",
"comment": "",
"enabled": true,
"metadata": [],
"showSubtechniques": false
},
{
"techniqueID": "T1574",
"tactic": "defense-evasion",
"score": 56,
"color": "",
"comment": "",
"enabled": true,
"metadata": [],
"showSubtechniques": false
},
{
"techniqueID": "T1574.010",
"tactic": "persistence",
"score": 0,
"color": "",
"comment": "This technique is not addressed by application control.",
"enabled": true,
"metadata": [],
"showSubtechniques": false
},
{
"techniqueID": "T1574.010",
"tactic": "privilege-escalation",
"score": 0,
"color": "",
"comment": "This technique is not addressed by application control.",
"enabled": true,
"metadata": [],
"showSubtechniques": false
},
{
"techniqueID": "T1574.010",
"tactic": "defense-evasion",
"score": 0,
"color": "",
"comment": "This technique is not addressed by application control.",
"enabled": true,
"metadata": [],
"showSubtechniques": false
},
{
"techniqueID": "T1574.005",
"tactic": "persistence",
"score": 50,
"color": "",
"comment": "Custom code used to perform this would be blocked. Otherwise, built-in utilities can perform this technique.",
"enabled": true,
"metadata": [],
"showSubtechniques": false
},
{
"techniqueID": "T1574.005",
"tactic": "privilege-escalation",
"score": 50,
"color": "",
"comment": "Custom code used to perform this would be blocked. Otherwise, built-in utilities can perform this technique.",
"enabled": true,
"metadata": [],
"showSubtechniques": false
},
{
"techniqueID": "T1574.005",
"tactic": "defense-evasion",
"score": 50,
"color": "",
"comment": "Custom code used to perform this would be blocked. Otherwise, built-in utilities can perform this technique.",
"enabled": true,
"metadata": [],
"showSubtechniques": false
},
{
"techniqueID": "T1574.011",
"tactic": "persistence",
"score": 0,
"color": "",
"comment": "This technique is not addressed by application control.",
"enabled": true,
"metadata": [],
"showSubtechniques": false
},
{
"techniqueID": "T1574.011",
"tactic": "privilege-escalation",
"score": 0,
"color": "",
"comment": "This technique is not addressed by application control.",
"enabled": true,
"metadata": [],
"showSubtechniques": false
},
{
"techniqueID": "T1574.011",
"tactic": "defense-evasion",
"score": 0,
"color": "",
"comment": "This technique is not addressed by application control.",
"enabled": true,
"metadata": [],
"showSubtechniques": false
},
{
"techniqueID": "T1574.009",
"tactic": "persistence",
"score": 50,
"color": "",
"comment": "Custom code used to perform this would be blocked. Otherwise, built-in utilities can perform this technique.",
"enabled": true,
"metadata": [],
"showSubtechniques": false
},
{
"techniqueID": "T1574.009",
"tactic": "privilege-escalation",
"score": 50,
"color": "",
"comment": "Custom code used to perform this would be blocked. Otherwise, built-in utilities can perform this technique.",
"enabled": true,
"metadata": [],
"showSubtechniques": false
},
{
"techniqueID": "T1574.009",
"tactic": "defense-evasion",
"score": 50,
"color": "",
"comment": "Custom code used to perform this would be blocked. Otherwise, built-in utilities can perform this technique.",
"enabled": true,
"metadata": [],
"showSubtechniques": false
},
{
"techniqueID": "T1574.007",
"tactic": "persistence",
"score": 50,
"color": "",
"comment": "Custom code used to perform this would be blocked. Otherwise, built-in utilities can perform this technique.",
"enabled": true,
"metadata": [],
"showSubtechniques": false
},
{
"techniqueID": "T1574.007",
"tactic": "privilege-escalation",
"score": 50,
"color": "",
"comment": "Custom code used to perform this would be blocked. Otherwise, built-in utilities can perform this technique.",
"enabled": true,
"metadata": [],
"showSubtechniques": false
},
{
"techniqueID": "T1574.007",
"tactic": "defense-evasion",
"score": 50,
"color": "",
"comment": "Custom code used to perform this would be blocked. Otherwise, built-in utilities can perform this technique.",
"enabled": true,
"metadata": [],
"showSubtechniques": false
},
{
"techniqueID": "T1574.008",
"tactic": "persistence",
"score": 50,
"color": "",
"comment": "Custom code used to perform this would be blocked. Otherwise, built-in utilities can perform this technique.",
"enabled": true,
"metadata": [],
"showSubtechniques": false
},
{
"techniqueID": "T1574.008",
"tactic": "privilege-escalation",
"score": 50,
"color": "",
"comment": "Custom code used to perform this would be blocked. Otherwise, built-in utilities can perform this technique.",
"enabled": true,
"metadata": [],
"showSubtechniques": false
},
{
"techniqueID": "T1574.008",
"tactic": "defense-evasion",
"score": 50,
"color": "",
"comment": "Custom code used to perform this would be blocked. Otherwise, built-in utilities can perform this technique.",
"enabled": true,
"metadata": [],
"showSubtechniques": false
},
{
"techniqueID": "T1574.001",
"tactic": "persistence",
"score": 100,
"color": "",
"comment": "Blocked assuming DLL enforcement",
"enabled": true,
"metadata": [],
"showSubtechniques": false
},
{
"techniqueID": "T1574.001",
"tactic": "privilege-escalation",
"score": 100,
"color": "",
"comment": "Blocked assuming DLL enforcement",
"enabled": true,
"metadata": [],
"showSubtechniques": false
},
{
"techniqueID": "T1574.001",
"tactic": "defense-evasion",
"score": 100,
"color": "",
"comment": "Blocked assuming DLL enforcement",
"enabled": true,
"metadata": [],
"showSubtechniques": false
},
{
"techniqueID": "T1574.002",
"tactic": "persistence",
"score": 100,
"color": "",
"comment": "Blocked assuming DLL enforcement",
"enabled": true,
"metadata": [],
"showSubtechniques": false
},
{
"techniqueID": "T1574.002",
"tactic": "privilege-escalation",
"score": 100,
"color": "",
"comment": "Blocked assuming DLL enforcement",
"enabled": true,
"metadata": [],
"showSubtechniques": false
},
{
"techniqueID": "T1574.002",
"tactic": "defense-evasion",
"score": 100,
"color": "",
"comment": "Blocked assuming DLL enforcement",
"enabled": true,
"metadata": [],
"showSubtechniques": false
},
{
"techniqueID": "T1574.012",
"tactic": "persistence",
"score": 100,
"color": "",
"comment": "Blocked assuming DLL enforcement",
"enabled": true,
"metadata": [],
"showSubtechniques": false
},
{
"techniqueID": "T1574.012",
"tactic": "privilege-escalation",
"score": 100,
"color": "",
"comment": "Blocked assuming DLL enforcement",
"enabled": true,
"metadata": [],
"showSubtechniques": false
},
{
"techniqueID": "T1574.012",
"tactic": "defense-evasion",
"score": 100,
"color": "",
"comment": "Blocked assuming DLL enforcement",
"enabled": true,
"metadata": [],
"showSubtechniques": false
},
{
"techniqueID": "T1562",
"tactic": "defense-evasion",
"score": 50,
"color": "",
"comment": "",
"enabled": true,
"metadata": [],
"showSubtechniques": false
},
{
"techniqueID": "T1562.001",
"tactic": "defense-evasion",
"score": 50,
"color": "",
"comment": "Custom code used to perform this would be blocked. Otherwise, built-in utilities can perform this technique.",
"enabled": true,
"metadata": [],
"showSubtechniques": false
},
{
"techniqueID": "T1562.002",
"tactic": "defense-evasion",
"score": 50,
"color": "",
"comment": "Custom code used to perform this would be blocked. Otherwise, built-in utilities can perform this technique.",
"enabled": true,
"metadata": [],
"showSubtechniques": false
},
{
"techniqueID": "T1562.003",
"tactic": "defense-evasion",
"score": 50,
"color": "",
"comment": "Custom code used to perform this would be blocked. Otherwise, built-in utilities can perform this technique.",
"enabled": true,
"metadata": [],
"showSubtechniques": false
},
{
"techniqueID": "T1562.004",
"tactic": "defense-evasion",
"score": 50,
"color": "",
"comment": "Custom code used to perform this would be blocked. Otherwise, built-in utilities can perform this technique.",
"enabled": true,
"metadata": [],
"showSubtechniques": false
},
{
"techniqueID": "T1562.006",
"tactic": "defense-evasion",
"score": 50,
"color": "",
"comment": "Custom code used to perform this would be blocked. Otherwise, built-in utilities can perform this technique.",
"enabled": true,
"metadata": [],
"showSubtechniques": false
},
{
"techniqueID": "T1070",
"tactic": "defense-evasion",
"score": 30,
"color": "",
"comment": "",
"enabled": true,
"metadata": [],
"showSubtechniques": false
},
{
"techniqueID": "T1070.001",
"tactic": "defense-evasion",
"score": 50,
"color": "",
"comment": "Built-in utilities exist to perform this technique. An effort would need to be made to enumerate these built-in utilities and determine if they could be blocked.",
"enabled": true,
"metadata": [],
"showSubtechniques": false
},
{
"techniqueID": "T1070.003",
"tactic": "defense-evasion",
"score": 0,
"color": "",
"comment": "Little can be done to prevent file deletion.",
"enabled": true,
"metadata": [],
"showSubtechniques": false
},
{
"techniqueID": "T1070.004",
"tactic": "defense-evasion",
"score": 0,
"color": "",
"comment": "Little can be done to prevent file deletion.",
"enabled": true,
"metadata": [],
"showSubtechniques": false
},
{
"techniqueID": "T1070.005",
"tactic": "defense-evasion",
"score": 50,
"color": "",
"comment": "Built-in utilities exist to perform this technique. An effort would need to be made to enumerate these built-in utilities and determine if they could be blocked.",
"enabled": true,
"metadata": [],
"showSubtechniques": false
},
{
"techniqueID": "T1070.006",
"tactic": "defense-evasion",
"score": 50,
"color": "",
"comment": "Custom code used to perform this would be blocked. Otherwise, built-in utilities can perform this technique.",
"enabled": true,
"metadata": [],
"showSubtechniques": false
},
{
"techniqueID": "T1202",
"tactic": "defense-evasion",
"score": 50,
"color": "",
"comment": "Built-in utilities are abused to take advatage of this technique so they would have to be blocked accordingly.",
"enabled": true,
"metadata": [],
"showSubtechniques": false
},
{
"techniqueID": "T1105",
"tactic": "command-and-control",
"score": 0,
"color": "",
"comment": "Application control is not the solution to mitigate this technique but it can serve as a mitigating prevention after an attacker has gained access using this technique.",
"enabled": true,
"metadata": [],
"showSubtechniques": false
},
{
"techniqueID": "T1490",
"tactic": "impact",
"score": 50,
"color": "",
"comment": "Custom code used to perform this would be blocked. Otherwise, built-in utilities can perform this technique.",
"enabled": true,
"metadata": [],
"showSubtechniques": false
},
{
"techniqueID": "T1056",
"tactic": "collection",
"score": 75,
"color": "",
"comment": "",
"enabled": true,
"metadata": [],
"showSubtechniques": false
},
{
"techniqueID": "T1056",
"tactic": "credential-access",
"score": 75,
"color": "",
"comment": "",
"enabled": true,
"metadata": [],
"showSubtechniques": false
},
{
"techniqueID": "T1056.001",
"tactic": "collection",
"score": 100,
"color": "",
"comment": "This technique requires arbitrary code execution to perform so either an exploit or app control bypass would first be required as a prerequisite.",
"enabled": true,
"metadata": [],
"showSubtechniques": false
},
{
"techniqueID": "T1056.001",
"tactic": "credential-access",
"score": 100,
"color": "",
"comment": "This technique requires arbitrary code execution to perform so either an exploit or app control bypass would first be required as a prerequisite.",
"enabled": true,
"metadata": [],
"showSubtechniques": false
},
{
"techniqueID": "T1056.002",
"tactic": "collection",
"score": 50,
"color": "",
"comment": "Custom code to present an input capture box would be blocked but built-in utilities could likely be employed to present an attacker-controlled input capture box.",
"enabled": true,
"metadata": [],
"showSubtechniques": false
},
{
"techniqueID": "T1056.002",
"tactic": "credential-access",
"score": 50,
"color": "",
"comment": "Custom code to present an input capture box would be blocked but built-in utilities could likely be employed to present an attacker-controlled input capture box.",
"enabled": true,
"metadata": [],
"showSubtechniques": false
},
{
"techniqueID": "T1056.003",
"tactic": "collection",
"score": 50,
"color": "",
"comment": "Custom code used to perform this would be blocked.",
"enabled": true,
"metadata": [],
"showSubtechniques": false
},
{
"techniqueID": "T1056.003",
"tactic": "credential-access",
"score": 50,
"color": "",
"comment": "Custom code used to perform this would be blocked.",
"enabled": true,
"metadata": [],
"showSubtechniques": false
},
{
"techniqueID": "T1056.004",
"tactic": "collection",
"score": 100,
"color": "",
"comment": "This technique requires arbitrary code execution to perform so either an exploit or app control bypass would first be required as a prerequisite.",
"enabled": true,
"metadata": [],
"showSubtechniques": false
},
{
"techniqueID": "T1056.004",
"tactic": "credential-access",
"score": 100,
"color": "",
"comment": "This technique requires arbitrary code execution to perform so either an exploit or app control bypass would first be required as a prerequisite.",
"enabled": true,
"metadata": [],
"showSubtechniques": false
},
{
"techniqueID": "T1559",
"tactic": "execution",
"score": 25,
"color": "",
"comment": "",
"enabled": true,
"metadata": [],
"showSubtechniques": false
},
{
"techniqueID": "T1559.001",
"tactic": "execution",
"score": 50,
"color": "",
"comment": "Custom code used to perform this would be blocked. Otherwise, built-in COM components can be abused and would need to be blocked accordingly.",
"enabled": true,
"metadata": [],
"showSubtechniques": false
},
{
"techniqueID": "T1559.002",
"tactic": "execution",
"score": 0,
"color": "",
"comment": "This technique is not addressed by application control.",
"enabled": true,
"metadata": [],
"showSubtechniques": false
},
{
"techniqueID": "T1534",
"tactic": "lateral-movement",
"score": 0,
"color": "",
"comment": "This technique is not addressed by application control.",
"enabled": true,
"metadata": [],
"showSubtechniques": false
},
{
"techniqueID": "T1570",
"tactic": "lateral-movement",
"score": 50,
"color": "",
"comment": "Custom code used to perform this would be blocked. Otherwise, built-in utilities can perform this technique.",
"enabled": true,
"metadata": [],
"showSubtechniques": false
},
{
"techniqueID": "T1185",
"tactic": "collection",
"score": 0,
"color": "",
"comment": "This technique is not addressed by application control.",
"enabled": true,
"metadata": [],
"showSubtechniques": false
},
{
"techniqueID": "T1557",
"tactic": "credential-access",
"score": 0,
"color": "",
"comment": "",
"enabled": true,
"metadata": [],
"showSubtechniques": false
},
{
"techniqueID": "T1557",
"tactic": "collection",
"score": 0,
"color": "",
"comment": "",
"enabled": true,
"metadata": [],
"showSubtechniques": false
},
{
"techniqueID": "T1557.001",
"tactic": "credential-access",
"score": 0,
"color": "",
"comment": "This technique is not addressed by application control.",
"enabled": true,
"metadata": [],
"showSubtechniques": false
},
{
"techniqueID": "T1557.001",
"tactic": "collection",
"score": 0,
"color": "",
"comment": "This technique is not addressed by application control.",
"enabled": true,
"metadata": [],
"showSubtechniques": false
},
{
"techniqueID": "T1557.002",
"tactic": "credential-access",
"score": 0,
"color": "",
"comment": "This technique is not addressed by application control.",
"enabled": true,
"metadata": [],
"showSubtechniques": false
},
{
"techniqueID": "T1557.002",
"tactic": "collection",
"score": 0,
"color": "",
"comment": "This technique is not addressed by application control.",
"enabled": true,
"metadata": [],
"showSubtechniques": false
},
{
"techniqueID": "T1036",
"tactic": "defense-evasion",
"score": 20,
"color": "",
"comment": "",
"enabled": true,
"metadata": [],
"showSubtechniques": false
},
{
"techniqueID": "T1036.001",
"tactic": "defense-evasion",
"score": 100,
"color": "",
"comment": "Code with invalid signatures will not be permitted to execute.",
"enabled": true,
"metadata": [],
"showSubtechniques": false
},
{
"techniqueID": "T1036.002",
"tactic": "defense-evasion",
"score": 0,
"color": "",
"comment": "Application control is not the solution to mitigate this technique. The use of custom code to perform this technique would be blocked, however.",
"enabled": true,
"metadata": [],
"showSubtechniques": false
},
{
"techniqueID": "T1036.003",
"tactic": "defense-evasion",
"score": 0,
"color": "",
"comment": "Application control is not the solution to mitigate this technique. The use of custom code to perform this technique would be blocked, however.",
"enabled": true,
"metadata": [],
"showSubtechniques": false
},
{
"techniqueID": "T1036.004",
"tactic": "defense-evasion",
"score": 0,
"color": "",
"comment": "Application control is not the solution to mitigate this technique. The use of custom code to perform this technique would be blocked, however.",
"enabled": true,
"metadata": [],
"showSubtechniques": false
},
{
"techniqueID": "T1036.005",
"tactic": "defense-evasion",
"score": 0,
"color": "",
"comment": "Application control is not the solution to mitigate this technique. The use of custom code to perform this technique would be blocked, however.",
"enabled": true,
"metadata": [],
"showSubtechniques": false
},
{
"techniqueID": "T1556",
"tactic": "credential-access",
"score": 100,
"color": "",
"comment": "",
"enabled": true,
"metadata": [],
"showSubtechniques": false
},
{
"techniqueID": "T1556",
"tactic": "defense-evasion",
"score": 100,
"color": "",
"comment": "",
"enabled": true,
"metadata": [],
"showSubtechniques": false
},
{
"techniqueID": "T1556",
"tactic": "persistence",
"score": 100,
"color": "",
"comment": "",
"enabled": true,
"metadata": [],
"showSubtechniques": false
},
{
"techniqueID": "T1556.001",
"tactic": "credential-access",
"score": 100,
"color": "",
"comment": "Custom code used to perform this would be blocked.",
"enabled": true,
"metadata": [],
"showSubtechniques": false
},
{
"techniqueID": "T1556.001",
"tactic": "defense-evasion",
"score": 100,
"color": "",
"comment": "Custom code used to perform this would be blocked.",
"enabled": true,
"metadata": [],
"showSubtechniques": false
},
{
"techniqueID": "T1556.001",
"tactic": "persistence",
"score": 100,
"color": "",
"comment": "Custom code used to perform this would be blocked.",
"enabled": true,
"metadata": [],
"showSubtechniques": false
},
{
"techniqueID": "T1556.002",
"tactic": "credential-access",
"score": 100,
"color": "",
"comment": "Blocked assuming DLL enforcement",
"enabled": true,
"metadata": [],
"showSubtechniques": false
},
{
"techniqueID": "T1556.002",
"tactic": "defense-evasion",
"score": 100,
"color": "",
"comment": "Blocked assuming DLL enforcement",
"enabled": true,
"metadata": [],
"showSubtechniques": false
},
{
"techniqueID": "T1556.002",
"tactic": "persistence",
"score": 100,
"color": "",
"comment": "Blocked assuming DLL enforcement",
"enabled": true,
"metadata": [],
"showSubtechniques": false
},
{
"techniqueID": "T1112",
"tactic": "defense-evasion",
"score": 50,
"color": "",
"comment": "Custom code used to perform this would be blocked. Otherwise, built-in utilities can perform this technique.",
"enabled": true,
"metadata": [],
"showSubtechniques": false
},
{
"techniqueID": "T1104",
"tactic": "command-and-control",
"score": 0,
"color": "",
"comment": "Technique is not necessarily related to the execution of arbitrary code on an endpoint.",
"enabled": true,
"metadata": [],
"showSubtechniques": false
},
{
"techniqueID": "T1106",
"tactic": "execution",
"score": 100,
"color": "",
"comment": "This technique requires arbitrary code execution to perform so either an exploit or app control bypass would first be required as a prerequisite.",
"enabled": true,
"metadata": [],
"showSubtechniques": false
},
{
"techniqueID": "T1498",
"tactic": "impact",
"score": 0,
"color": "",
"comment": "",
"enabled": true,
"metadata": [],
"showSubtechniques": false
},
{
"techniqueID": "T1498.001",
"tactic": "impact",
"score": 0,
"color": "",
"comment": "This technique is not addressed by application control.",
"enabled": true,
"metadata": [],
"showSubtechniques": false
},
{
"techniqueID": "T1498.002",
"tactic": "impact",
"score": 0,
"color": "",
"comment": "This technique is not addressed by application control.",
"enabled": true,
"metadata": [],
"showSubtechniques": false
},
{
"techniqueID": "T1046",
"tactic": "discovery",
"score": 0,
"color": "",
"comment": "Application control is not the solution to mitigate this technique. The use of custom code to perform this technique would be blocked, however.",
"enabled": true,
"metadata": [],
"showSubtechniques": false
},
{
"techniqueID": "T1135",
"tactic": "discovery",
"score": 50,
"color": "",
"comment": "Custom code used to perform this would be blocked. Otherwise, built-in utilities can perform this technique.",
"enabled": true,
"metadata": [],
"showSubtechniques": false
},
{
"techniqueID": "T1040",
"tactic": "credential-access",
"score": 0,
"color": "",
"comment": "Application control is not the solution to mitigate this technique. The use of custom code to perform this technique would be blocked, however.",
"enabled": true,
"metadata": [],
"showSubtechniques": false
},
{
"techniqueID": "T1040",
"tactic": "discovery",
"score": 0,
"color": "",
"comment": "Application control is not the solution to mitigate this technique. The use of custom code to perform this technique would be blocked, however.",
"enabled": true,
"metadata": [],
"showSubtechniques": false
},
{
"techniqueID": "T1095",
"tactic": "command-and-control",
"score": 0,
"color": "",
"comment": "Technique is not necessarily related to the execution of arbitrary code on an endpoint.",
"enabled": true,
"metadata": [],
"showSubtechniques": false
},
{
"techniqueID": "T1571",
"tactic": "command-and-control",
"score": 0,
"color": "",
"comment": "This technique is not addressed by application control.",
"enabled": true,
"metadata": [],
"showSubtechniques": false
},
{
"techniqueID": "T1003",
"tactic": "credential-access",
"score": 50,
"color": "",
"comment": "",
"enabled": true,
"metadata": [],
"showSubtechniques": false
},
{
"techniqueID": "T1003.001",
"tactic": "credential-access",
"score": 50,
"color": "",
"comment": "Built-in utilities exist to perform this technique. They would have to be explicitly blocked.",
"enabled": true,
"metadata": [],
"showSubtechniques": false
},
{
"techniqueID": "T1003.002",
"tactic": "credential-access",
"score": 50,
"color": "",
"comment": "Built-in utilities exist to perform this technique. They would have to be explicitly blocked.",
"enabled": true,
"metadata": [],
"showSubtechniques": false
},
{
"techniqueID": "T1003.003",
"tactic": "credential-access",
"score": 50,
"color": "",
"comment": "Built-in utilities exist to perform this technique. They would have to be explicitly blocked.",
"enabled": true,
"metadata": [],
"showSubtechniques": false
},
{
"techniqueID": "T1003.006",
"tactic": "credential-access",
"score": 50,
"color": "",
"comment": "Custom code used to perform this would be blocked. Otherwise, DCSync can be performed over the network.",
"enabled": true,
"metadata": [],
"showSubtechniques": false
},
{
"techniqueID": "T1003.005",
"tactic": "credential-access",
"score": 50,
"color": "",
"comment": "Built-in utilities exist to perform this technique. They would have to be explicitly blocked.",
"enabled": true,
"metadata": [],
"showSubtechniques": false
},
{
"techniqueID": "T1003.004",
"tactic": "credential-access",
"score": 50,
"color": "",
"comment": "Built-in utilities exist to perform this technique. They would have to be explicitly blocked.",
"enabled": true,
"metadata": [],
"showSubtechniques": false
},
{
"techniqueID": "T1027",
"tactic": "defense-evasion",
"score": 40,
"color": "",
"comment": "",
"enabled": true,
"metadata": [],
"showSubtechniques": false
},
{
"techniqueID": "T1027.001",
"tactic": "defense-evasion",
"score": 0,
"color": "",
"comment": "Application control is not the solution to mitigate this technique. The use of custom code to perform this technique would be blocked, however.",
"enabled": true,
"metadata": [],
"showSubtechniques": false
},
{
"techniqueID": "T1027.002",
"tactic": "defense-evasion",
"score": 100,
"color": "",
"comment": "Approved packed software will still be permitted to run.",
"enabled": true,
"metadata": [],
"showSubtechniques": false
},
{
"techniqueID": "T1027.003",
"tactic": "defense-evasion",
"score": 50,
"color": "",
"comment": "If custom attacker code were necessary to perform this technique, it would be prevented.",
"enabled": true,
"metadata": [],
"showSubtechniques": false
},
{
"techniqueID": "T1027.004",
"tactic": "defense-evasion",
"score": 50,
"color": "",
"comment": "Compilation is often not related to code execution but there may be some exceptions and compilation utililities can be explicitly blocked, if needed.",
"enabled": true,
"metadata": [],
"showSubtechniques": false
},
{
"techniqueID": "T1027.005",
"tactic": "defense-evasion",
"score": 0,
"color": "",
"comment": "Application control is not the solution to mitigate this technique. The use of custom code to perform this technique would be blocked, however.",
"enabled": true,
"metadata": [],
"showSubtechniques": false
},
{
"techniqueID": "T1137",
"tactic": "persistence",
"score": 33,
"color": "",
"comment": "",
"enabled": true,
"metadata": [],
"showSubtechniques": false
},
{
"techniqueID": "T1137.006",
"tactic": "persistence",
"score": 100,
"color": "",
"comment": "Blocked assuming DLL enforcement is present",
"enabled": true,
"metadata": [],
"showSubtechniques": false
},
{
"techniqueID": "T1137.001",
"tactic": "persistence",
"score": 0,
"color": "",
"comment": "Assuming macros are permitted to execute, application control solutions do not have insight into their execution.",
"enabled": true,
"metadata": [],
"showSubtechniques": false
},
{
"techniqueID": "T1137.003",
"tactic": "persistence",
"score": 0,
"color": "",
"comment": "Technique is not necessarily related to the execution of arbitrary code on an endpoint.",
"enabled": true,
"metadata": [],
"showSubtechniques": false
},
{
"techniqueID": "T1137.005",
"tactic": "persistence",
"score": 0,
"color": "",
"comment": "Application control is not the solution to mitigate this technique but it can serve as a mitigating prevention after an attacker has gained access using this technique.",
"enabled": true,
"metadata": [],
"showSubtechniques": false
},
{
"techniqueID": "T1137.004",
"tactic": "persistence",
"score": 0,
"color": "",
"comment": "Technique is not necessarily related to the execution of arbitrary code on an endpoint.",
"enabled": true,
"metadata": [],
"showSubtechniques": false
},
{
"techniqueID": "T1137.002",
"tactic": "persistence",
"score": 100,
"color": "",
"comment": "Blocked assuming DLL enforcement is present",
"enabled": true,
"metadata": [],
"showSubtechniques": false
},
{
"techniqueID": "T1201",
"tactic": "discovery",
"score": 50,
"color": "",
"comment": "Custom code used to perform this would be blocked. Otherwise, built-in utilities can perform this technique.",
"enabled": true,
"metadata": [],
"showSubtechniques": false
},
{
"techniqueID": "T1120",
"tactic": "discovery",
"score": 50,
"color": "",
"comment": "Custom code used to perform this would be blocked. Otherwise, built-in utilities can perform this technique.",
"enabled": true,
"metadata": [],
"showSubtechniques": false
},
{
"techniqueID": "T1069",
"tactic": "discovery",
"score": 50,
"color": "",
"comment": "",
"enabled": true,
"metadata": [],
"showSubtechniques": false
},
{
"techniqueID": "T1069.002",
"tactic": "discovery",
"score": 50,
"color": "",
"comment": "Built-in utilities exist to perform this technique. An effort would need to be made to enumerate these built-in utilities and determine if they could be blocked.",
"enabled": true,
"metadata": [],
"showSubtechniques": false
},
{
"techniqueID": "T1069.001",
"tactic": "discovery",
"score": 50,
"color": "",
"comment": "Built-in utilities exist to perform this technique. An effort would need to be made to enumerate these built-in utilities and determine if they could be blocked.",
"enabled": true,
"metadata": [],
"showSubtechniques": false
},
{
"techniqueID": "T1566",
"tactic": "initial-access",
"score": 17,
"color": "",
"comment": "",
"enabled": true,
"metadata": [],
"showSubtechniques": false
},
{
"techniqueID": "T1566.001",
"tactic": "initial-access",
"score": 50,
"color": "",
"comment": "Attachments within the scope of application control (e.g. PEs, scripts, etc.) would be blocked.",
"enabled": true,
"metadata": [],
"showSubtechniques": false
},
{
"techniqueID": "T1566.002",
"tactic": "initial-access",
"score": 0,
"color": "",
"comment": "This technique is not addressed by application control.",
"enabled": true,
"metadata": [],
"showSubtechniques": false
},
{
"techniqueID": "T1566.003",
"tactic": "initial-access",
"score": 0,
"color": "",
"comment": "This technique is not addressed by application control.",
"enabled": true,
"metadata": [],
"showSubtechniques": false
},
{
"techniqueID": "T1542",
"tactic": "defense-evasion",
"score": 0,
"color": "",
"comment": "",
"enabled": true,
"metadata": [],
"showSubtechniques": false
},
{
"techniqueID": "T1542",
"tactic": "persistence",
"score": 0,
"color": "",
"comment": "",
"enabled": true,
"metadata": [],
"showSubtechniques": false
},
{
"techniqueID": "T1542.001",
"tactic": "persistence",
"score": 0,
"color": "",
"comment": "This technique is not addressed by application control.",
"enabled": true,
"metadata": [],
"showSubtechniques": false
},
{
"techniqueID": "T1542.001",
"tactic": "defense-evasion",
"score": 0,
"color": "",
"comment": "This technique is not addressed by application control.",
"enabled": true,
"metadata": [],
"showSubtechniques": false
},
{
"techniqueID": "T1542.002",
"tactic": "persistence",
"score": 0,
"color": "",
"comment": "This technique is not addressed by application control.",
"enabled": true,
"metadata": [],
"showSubtechniques": false
},
{
"techniqueID": "T1542.002",
"tactic": "defense-evasion",
"score": 0,
"color": "",
"comment": "This technique is not addressed by application control.",
"enabled": true,
"metadata": [],
"showSubtechniques": false
},
{
"techniqueID": "T1542.003",
"tactic": "persistence",
"score": 0,
"color": "",
"comment": "This technique is not addressed by application control.",
"enabled": true,
"metadata": [],
"showSubtechniques": false
},
{
"techniqueID": "T1542.003",
"tactic": "defense-evasion",
"score": 0,
"color": "",
"comment": "This technique is not addressed by application control.",
"enabled": true,
"metadata": [],
"showSubtechniques": false
},
{
"techniqueID": "T1057",
"tactic": "discovery",
"score": 50,
"color": "",
"comment": "Custom code used to perform this would be blocked. There are many built-in utilities, however, that would permit process discovery.",
"enabled": true,
"metadata": [],
"showSubtechniques": false
},
{
"techniqueID": "T1055",
"tactic": "defense-evasion",
"score": 100,
"color": "",
"comment": "",
"enabled": true,
"metadata": [],
"showSubtechniques": false
},
{
"techniqueID": "T1055",
"tactic": "privilege-escalation",
"score": 100,
"color": "",
"comment": "",
"enabled": true,
"metadata": [],
"showSubtechniques": false
},
{
"techniqueID": "T1055.001",
"tactic": "defense-evasion",
"score": 100,
"color": "",
"comment": "While mavinject.exe is a built-in tool to perform injection, application control would block the loading of a DLL that is not explicitly allowed in an allowlist.",
"enabled": true,
"metadata": [],
"showSubtechniques": false
},
{
"techniqueID": "T1055.001",
"tactic": "privilege-escalation",
"score": 100,
"color": "",
"comment": "While mavinject.exe is a built-in tool to perform injection, application control would block the loading of a DLL that is not explicitly allowed in an allowlist.",
"enabled": true,
"metadata": [],
"showSubtechniques": false
},
{
"techniqueID": "T1055.002",
"tactic": "defense-evasion",
"score": 100,
"color": "",
"comment": "This technique requires arbitrary code execution to perform so either an exploit or app control bypass would first be required as a prerequisite.",
"enabled": true,
"metadata": [],
"showSubtechniques": false
},
{
"techniqueID": "T1055.002",
"tactic": "privilege-escalation",
"score": 100,
"color": "",
"comment": "This technique requires arbitrary code execution to perform so either an exploit or app control bypass would first be required as a prerequisite.",
"enabled": true,
"metadata": [],
"showSubtechniques": false
},
{
"techniqueID": "T1055.003",
"tactic": "defense-evasion",
"score": 100,
"color": "",
"comment": "This technique requires arbitrary code execution to perform so either an exploit or app control bypass would first be required as a prerequisite.",
"enabled": true,
"metadata": [],
"showSubtechniques": false
},
{
"techniqueID": "T1055.003",
"tactic": "privilege-escalation",
"score": 100,
"color": "",
"comment": "This technique requires arbitrary code execution to perform so either an exploit or app control bypass would first be required as a prerequisite.",
"enabled": true,
"metadata": [],
"showSubtechniques": false
},
{
"techniqueID": "T1055.004",
"tactic": "defense-evasion",
"score": 100,
"color": "",
"comment": "This technique requires arbitrary code execution to perform so either an exploit or app control bypass would first be required as a prerequisite.",
"enabled": true,
"metadata": [],
"showSubtechniques": false
},
{
"techniqueID": "T1055.004",
"tactic": "privilege-escalation",
"score": 100,
"color": "",
"comment": "This technique requires arbitrary code execution to perform so either an exploit or app control bypass would first be required as a prerequisite.",
"enabled": true,
"metadata": [],
"showSubtechniques": false
},
{
"techniqueID": "T1055.005",
"tactic": "defense-evasion",
"score": 100,
"color": "",
"comment": "This technique requires arbitrary code execution to perform so either an exploit or app control bypass would first be required as a prerequisite.",
"enabled": true,
"metadata": [],
"showSubtechniques": false
},
{
"techniqueID": "T1055.005",
"tactic": "privilege-escalation",
"score": 100,
"color": "",
"comment": "This technique requires arbitrary code execution to perform so either an exploit or app control bypass would first be required as a prerequisite.",
"enabled": true,
"metadata": [],
"showSubtechniques": false
},
{
"techniqueID": "T1055.011",
"tactic": "defense-evasion",
"score": 100,
"color": "",
"comment": "This technique requires arbitrary code execution to perform so either an exploit or app control bypass would first be required as a prerequisite.",
"enabled": true,
"metadata": [],
"showSubtechniques": false
},
{
"techniqueID": "T1055.011",
"tactic": "privilege-escalation",
"score": 100,
"color": "",
"comment": "This technique requires arbitrary code execution to perform so either an exploit or app control bypass would first be required as a prerequisite.",
"enabled": true,
"metadata": [],
"showSubtechniques": false
},
{
"techniqueID": "T1055.013",
"tactic": "defense-evasion",
"score": 100,
"color": "",
"comment": "This technique requires arbitrary code execution to perform so either an exploit or app control bypass would first be required as a prerequisite.",
"enabled": true,
"metadata": [],
"showSubtechniques": false
},
{
"techniqueID": "T1055.013",
"tactic": "privilege-escalation",
"score": 100,
"color": "",
"comment": "This technique requires arbitrary code execution to perform so either an exploit or app control bypass would first be required as a prerequisite.",
"enabled": true,
"metadata": [],
"showSubtechniques": false
},
{
"techniqueID": "T1055.012",
"tactic": "defense-evasion",
"score": 100,
"color": "",
"comment": "This technique requires arbitrary code execution to perform so either an exploit or app control bypass would first be required as a prerequisite.",
"enabled": true,
"metadata": [],
"showSubtechniques": false
},
{
"techniqueID": "T1055.012",
"tactic": "privilege-escalation",
"score": 100,
"color": "",
"comment": "This technique requires arbitrary code execution to perform so either an exploit or app control bypass would first be required as a prerequisite.",
"enabled": true,
"metadata": [],
"showSubtechniques": false
},
{
"techniqueID": "T1572",
"tactic": "command-and-control",
"score": 50,
"color": "",
"comment": "Custom code used to perform this would be blocked. Otherwise, built-in utilities can perform this technique.",
"enabled": true,
"metadata": [],
"showSubtechniques": false
},
{
"techniqueID": "T1090",
"tactic": "command-and-control",
"score": 38,
"color": "",
"comment": "",
"enabled": true,
"metadata": [],
"showSubtechniques": false
},
{
"techniqueID": "T1090.001",
"tactic": "command-and-control",
"score": 50,
"color": "",
"comment": "Custom code used to perform this would be blocked. Otherwise, built-in utilities can perform this technique.",
"enabled": true,
"metadata": [],
"showSubtechniques": false
},
{
"techniqueID": "T1090.002",
"tactic": "command-and-control",
"score": 50,
"color": "",
"comment": "Custom code used to perform this would be blocked. Otherwise, built-in utilities can perform this technique.",
"enabled": true,
"metadata": [],
"showSubtechniques": false
},
{
"techniqueID": "T1090.003",
"tactic": "command-and-control",
"score": 50,
"color": "",
"comment": "Custom code used to perform this would be blocked. Otherwise, built-in utilities can perform this technique.",
"enabled": true,
"metadata": [],
"showSubtechniques": false
},
{
"techniqueID": "T1090.004",
"tactic": "command-and-control",
"score": 0,
"color": "",
"comment": "Technique is not necessarily related to the execution of arbitrary code on an endpoint.",
"enabled": true,
"metadata": [],
"showSubtechniques": false
},
{
"techniqueID": "T1012",
"tactic": "discovery",
"score": 50,
"color": "",
"comment": "Query Registry",
"enabled": true,
"metadata": [],
"showSubtechniques": false
},
{
"techniqueID": "T1219",
"tactic": "command-and-control",
"score": 50,
"color": "",
"comment": "Would be blocked only if unapproved software is utilized to leverage the technique. Otherwise, application control cannot mitigate this technique against approved software.",
"enabled": true,
"metadata": [],
"showSubtechniques": false
},
{
"techniqueID": "T1563",
"tactic": "lateral-movement",
"score": 50,
"color": "",
"comment": "",
"enabled": true,
"metadata": [],
"showSubtechniques": false
},
{
"techniqueID": "T1563.002",
"tactic": "lateral-movement",
"score": 50,
"color": "",
"comment": "This comprises built-in functionality. tscon.exe could be explicitly blocked if it was resonable to do so.",
"enabled": true,
"metadata": [],
"showSubtechniques": false
},
{
"techniqueID": "T1021",
"tactic": "lateral-movement",
"score": 10,
"color": "",
"comment": "",
"enabled": true,
"metadata": [],
"showSubtechniques": false
},
{
"techniqueID": "T1021.001",
"tactic": "lateral-movement",
"score": 0,
"color": "",
"comment": "Application control is not the solution to mitigate this technique but it can serve as a mitigating prevention after an attacker has gained access using this technique.",
"enabled": true,
"metadata": [],
"showSubtechniques": false
},
{
"techniqueID": "T1021.002",
"tactic": "lateral-movement",
"score": 0,
"color": "",
"comment": "Application control is not the solution to mitigate this technique but it can serve as a mitigating prevention after an attacker has gained access using this technique.",
"enabled": true,
"metadata": [],
"showSubtechniques": false
},
{
"techniqueID": "T1021.003",
"tactic": "lateral-movement",
"score": 0,
"color": "",
"comment": "Application control is not the solution to mitigate this technique but it can serve as a mitigating prevention after an attacker has gained access using this technique.",
"enabled": true,
"metadata": [],
"showSubtechniques": false
},
{
"techniqueID": "T1021.005",
"tactic": "lateral-movement",
"score": 50,
"color": "",
"comment": "Assuming VNC is a legitimate requirement in an organization, application control is not the solution to mitigate this technique. If not, application control would be an effective solution in preventing the usage of VNC.",
"enabled": true,
"metadata": [],
"showSubtechniques": false
},
{
"techniqueID": "T1021.006",
"tactic": "lateral-movement",
"score": 0,
"color": "",
"comment": "Application control is not the solution to mitigate this technique but it can serve as a mitigating prevention after an attacker has gained access using this technique.",
"enabled": true,
"metadata": [],
"showSubtechniques": false
},
{
"techniqueID": "T1018",
"tactic": "discovery",
"score": 50,
"color": "",
"comment": "Remote System Discovery",
"enabled": true,
"metadata": [],
"showSubtechniques": false
},
{
"techniqueID": "T1091",
"tactic": "lateral-movement",
"score": 0,
"color": "",
"comment": "Application control is not the solution to mitigate this technique but it can serve as a mitigating prevention after an attacker has gained access using this technique.",
"enabled": true,
"metadata": [],
"showSubtechniques": false
},
{
"techniqueID": "T1091",
"tactic": "initial-access",
"score": 0,
"color": "",
"comment": "Application control is not the solution to mitigate this technique but it can serve as a mitigating prevention after an attacker has gained access using this technique.",
"enabled": true,
"metadata": [],
"showSubtechniques": false
},
{
"techniqueID": "T1496",
"tactic": "impact",
"score": 100,
"color": "",
"comment": "Custom code used to perform this would be blocked.",
"enabled": true,
"metadata": [],
"showSubtechniques": false
},
{
"techniqueID": "T1207",
"tactic": "defense-evasion",
"score": 0,
"color": "",
"comment": "This technique is not addressed by application control.",
"enabled": true,
"metadata": [],
"showSubtechniques": false
},
{
"techniqueID": "T1014",
"tactic": "defense-evasion",
"score": 100,
"color": "",
"comment": "Execution would be prevented but with the privileges required to install a rootkit, the means to disable application control enforcement would likely exist.",
"enabled": true,
"metadata": [],
"showSubtechniques": false
},
{
"techniqueID": "T1053",
"tactic": "execution",
"score": 50,
"color": "",
"comment": "",
"enabled": true,
"metadata": [],
"showSubtechniques": false
},
{
"techniqueID": "T1053",
"tactic": "persistence",
"score": 50,
"color": "",
"comment": "",
"enabled": true,
"metadata": [],
"showSubtechniques": false
},
{
"techniqueID": "T1053",
"tactic": "privilege-escalation",
"score": 50,
"color": "",
"comment": "",
"enabled": true,
"metadata": [],
"showSubtechniques": false
},
{
"techniqueID": "T1053.002",
"tactic": "execution",
"score": 50,
"color": "",
"comment": "Application control cannot prevent the usage/abuse of this technique but it can limit the impact by restricting what is executed.",
"enabled": true,
"metadata": [],
"showSubtechniques": false
},
{
"techniqueID": "T1053.002",
"tactic": "persistence",
"score": 50,
"color": "",
"comment": "Application control cannot prevent the usage/abuse of this technique but it can limit the impact by restricting what is executed.",
"enabled": true,
"metadata": [],
"showSubtechniques": false
},
{
"techniqueID": "T1053.002",
"tactic": "privilege-escalation",
"score": 50,
"color": "",
"comment": "Application control cannot prevent the usage/abuse of this technique but it can limit the impact by restricting what is executed.",
"enabled": true,
"metadata": [],
"showSubtechniques": false
},
{
"techniqueID": "T1053.005",
"tactic": "execution",
"score": 50,
"color": "",
"comment": "Application control cannot prevent the usage/abuse of this technique but it can limit the impact by restricting what is executed.",
"enabled": true,
"metadata": [],
"showSubtechniques": false
},
{
"techniqueID": "T1053.005",
"tactic": "persistence",
"score": 50,
"color": "",
"comment": "Application control cannot prevent the usage/abuse of this technique but it can limit the impact by restricting what is executed.",
"enabled": true,
"metadata": [],
"showSubtechniques": false
},
{
"techniqueID": "T1053.005",
"tactic": "privilege-escalation",
"score": 50,
"color": "",
"comment": "Application control cannot prevent the usage/abuse of this technique but it can limit the impact by restricting what is executed.",
"enabled": true,
"metadata": [],
"showSubtechniques": false
},
{
"techniqueID": "T1029",
"tactic": "exfiltration",
"score": 0,
"color": "",
"comment": "Application control is not the solution to mitigate this technique. The use of custom code to perform this technique would be blocked, however.",
"enabled": true,
"metadata": [],
"showSubtechniques": false
},
{
"techniqueID": "T1113",
"tactic": "collection",
"score": 50,
"color": "",
"comment": "Custom code used to perform this would be blocked. Otherwise, built-in utilities can perform this technique.",
"enabled": true,
"metadata": [],
"showSubtechniques": false
},
{
"techniqueID": "T1505",
"tactic": "persistence",
"score": 67,
"color": "",
"comment": "",
"enabled": true,
"metadata": [],
"showSubtechniques": false
},
{
"techniqueID": "T1505.001",
"tactic": "persistence",
"score": 50,
"color": "",
"comment": "Custom code used to perform this would be blocked. Otherwise, built-in utilities can perform this technique.",
"enabled": true,
"metadata": [],
"showSubtechniques": false
},
{
"techniqueID": "T1505.002",
"tactic": "persistence",
"score": 100,
"color": "",
"comment": "Custom code used to perform this would be blocked.",
"enabled": true,
"metadata": [],
"showSubtechniques": false
},
{
"techniqueID": "T1505.003",
"tactic": "persistence",
"score": 50,
"color": "",
"comment": "Whether or not application control could offer any mitigations is dependend on the server implementation.",
"enabled": true,
"metadata": [],
"showSubtechniques": false
},
{
"techniqueID": "T1489",
"tactic": "impact",
"score": 50,
"color": "",
"comment": "Custom code used to perform this would be blocked. Otherwise, built-in utilities can perform this technique.",
"enabled": true,
"metadata": [],
"showSubtechniques": false
},
{
"techniqueID": "T1129",
"tactic": "execution",
"score": 100,
"color": "",
"comment": "Blocked assuming DLL enforcement is present",
"enabled": true,
"metadata": [],
"showSubtechniques": false
},
{
"techniqueID": "T1218",
"tactic": "defense-evasion",
"score": 100,
"color": "",
"comment": "",
"enabled": true,
"metadata": [],
"showSubtechniques": false
},
{
"techniqueID": "T1218.011",
"tactic": "defense-evasion",
"score": 100,
"color": "",
"comment": "Blocked assuming DLL enforcement",
"enabled": true,
"metadata": [],
"showSubtechniques": false
},
{
"techniqueID": "T1218.001",
"tactic": "defense-evasion",
"score": 100,
"color": "",
"comment": "Associated executables can be blocked.",
"enabled": true,
"metadata": [],
"showSubtechniques": false
},
{
"techniqueID": "T1218.002",
"tactic": "defense-evasion",
"score": 100,
"color": "",
"comment": "Control panel extensions are PE files and are implicitly blocked if not explicitly allowed assuming DLL enforcement.",
"enabled": true,
"metadata": [],
"showSubtechniques": false
},
{
"techniqueID": "T1218.003",
"tactic": "defense-evasion",
"score": 100,
"color": "",
"comment": "Associated executables can be blocked.",
"enabled": true,
"metadata": [],
"showSubtechniques": false
},
{
"techniqueID": "T1218.004",
"tactic": "defense-evasion",
"score": 100,
"color": "",
"comment": "This technique is used to load .NET assemblies. Those loads would be blocked by application control assuming DLL enforcement.",
"enabled": true,
"metadata": [],
"showSubtechniques": false
},
{
"techniqueID": "T1218.005",
"tactic": "defense-evasion",
"score": 100,
"color": "",
"comment": "Associated executables can be blocked. When Windows Defender Application Control is enforced, all HTA execution is automatically blocked.",
"enabled": true,
"metadata": [],
"showSubtechniques": false
},
{
"techniqueID": "T1218.009",
"tactic": "defense-evasion",
"score": 100,
"color": "",
"comment": "Blocked assuming DLL enforcement",
"enabled": true,
"metadata": [],
"showSubtechniques": false
},
{
"techniqueID": "T1218.010",
"tactic": "defense-evasion",
"score": 100,
"color": "",
"comment": "Blocked assuming DLL enforcement",
"enabled": true,
"metadata": [],
"showSubtechniques": false
},
{
"techniqueID": "T1218.007",
"tactic": "defense-evasion",
"score": 100,
"color": "",
"comment": "Associated executables can be blocked and some application control solutions can allow/block MSIs.",
"enabled": true,
"metadata": [],
"showSubtechniques": false
},
{
"techniqueID": "T1218.008",
"tactic": "defense-evasion",
"score": 100,
"color": "",
"comment": "Blocked assuming DLL enforcement",
"enabled": true,
"metadata": [],
"showSubtechniques": false
},
{
"techniqueID": "T1218.012",
"tactic": "defense-evasion",
"score": 100,
"color": "",
"comment": "Associated executables can be blocked.",
"enabled": true,
"metadata": [],
"showSubtechniques": false
},
{
"techniqueID": "T1216",
"tactic": "defense-evasion",
"score": 50,
"color": "",
"comment": "",
"enabled": true,
"metadata": [],
"showSubtechniques": false
},
{
"techniqueID": "T1216.001",
"tactic": "defense-evasion",
"score": 50,
"color": "",
"comment": "Execution of scripts can only be blocked by hash. While known hashes can be blocked, older, vulnerable versions can still execute by modifying the file contents without invalidating the signature.",
"enabled": true,
"metadata": [],
"showSubtechniques": false
},
{
"techniqueID": "T1072",
"tactic": "execution",
"score": 50,
"color": "",
"comment": "Custom deployed executables could be prevented from executing but it would not stop an attacker from deploying code or potentially influencing app control policies using a compromised deployment tool.",
"enabled": true,
"metadata": [],
"showSubtechniques": false
},
{
"techniqueID": "T1072",
"tactic": "lateral-movement",
"score": 50,
"color": "",
"comment": "Custom deployed executables could be prevented from executing but it would not stop an attacker from deploying code or potentially influencing app control policies using a compromised deployment tool.",
"enabled": true,
"metadata": [],
"showSubtechniques": false
},
{
"techniqueID": "T1518",
"tactic": "discovery",
"score": 50,
"color": "",
"comment": "",
"enabled": true,
"metadata": [],
"showSubtechniques": false
},
{
"techniqueID": "T1518.001",
"tactic": "discovery",
"score": 50,
"color": "",
"comment": "Custom code used to perform this would be blocked. Otherwise, built-in utilities can perform this technique.",
"enabled": true,
"metadata": [],
"showSubtechniques": false
},
{
"techniqueID": "T1539",
"tactic": "credential-access",
"score": 0,
"color": "",
"comment": "Custom code that performs this technique would be blocked. Otherwise, this technique isn't addressed by application control.",
"enabled": true,
"metadata": [],
"showSubtechniques": false
},
{
"techniqueID": "T1558",
"tactic": "credential-access",
"score": 0,
"color": "",
"comment": "",
"enabled": true,
"metadata": [],
"showSubtechniques": false
},
{
"techniqueID": "T1558.001",
"tactic": "credential-access",
"score": 0,
"color": "",
"comment": "Golden Ticket",
"enabled": true,
"metadata": [],
"showSubtechniques": false
},
{
"techniqueID": "T1558.002",
"tactic": "credential-access",
"score": 0,
"color": "",
"comment": "Golden Ticket",
"enabled": true,
"metadata": [],
"showSubtechniques": false
},
{
"techniqueID": "T1558.003",
"tactic": "credential-access",
"score": 0,
"color": "",
"comment": "Golden Ticket",
"enabled": true,
"metadata": [],
"showSubtechniques": false
},
{
"techniqueID": "T1558.004",
"tactic": "credential-access",
"score": 0,
"color": "",
"comment": "Golden Ticket",
"enabled": true,
"metadata": [],
"showSubtechniques": false
},
{
"techniqueID": "T1553",
"tactic": "defense-evasion",
"score": 30,
"color": "",
"comment": "",
"enabled": true,
"metadata": [],
"showSubtechniques": false
},
{
"techniqueID": "T1553.002",
"tactic": "defense-evasion",
"score": 50,
"color": "",
"comment": "Any executable that is signed using a certificate not explicilty approved would be blocked. Application control cannot prevent the execution of code signed with a stolen certificate where that certificate is approved for execution.",
"enabled": true,
"metadata": [],
"showSubtechniques": false
},
{
"techniqueID": "T1553.003",
"tactic": "defense-evasion",
"score": 50,
"color": "",
"comment": "Custom code used to perform this would be blocked. Otherwise, built-in, approved DLLs can be used to subvert trust.",
"enabled": true,
"metadata": [],
"showSubtechniques": false
},
{
"techniqueID": "T1553.004",
"tactic": "defense-evasion",
"score": 0,
"color": "",
"comment": "This technique is not addressed by application control.",
"enabled": true,
"metadata": [],
"showSubtechniques": false
},
{
"techniqueID": "T1553.005",
"tactic": "defense-evasion",
"score": 0,
"color": "",
"comment": "This technique is not addressed by application control.",
"enabled": true,
"metadata": [],
"showSubtechniques": false
},
{
"techniqueID": "T1553.006",
"tactic": "defense-evasion",
"score": 50,
"color": "",
"comment": "Windows Defender Application Control policies can be signed and UEFI protected against tampering attempts. This control would have to be explicitly enabled.",
"enabled": true,
"metadata": [],
"showSubtechniques": false
},
{
"techniqueID": "T1195",
"tactic": "initial-access",
"score": 17,
"color": "",
"comment": "",
"enabled": true,
"metadata": [],
"showSubtechniques": false
},
{
"techniqueID": "T1195.001",
"tactic": "initial-access",
"score": 0,
"color": "",
"comment": "This technique is not addressed by application control.",
"enabled": true,
"metadata": [],
"showSubtechniques": false
},
{
"techniqueID": "T1195.002",
"tactic": "initial-access",
"score": 50,
"color": "",
"comment": "Application control could only mitigate insofar as preventing the execution of malicious software that is not signed with a trusted certificate.",
"enabled": true,
"metadata": [],
"showSubtechniques": false
},
{
"techniqueID": "T1195.003",
"tactic": "initial-access",
"score": 0,
"color": "",
"comment": "This technique is not addressed by application control.",
"enabled": true,
"metadata": [],
"showSubtechniques": false
},
{
"techniqueID": "T1082",
"tactic": "discovery",
"score": 50,
"color": "",
"comment": "Custom code used to perform this would be blocked. Otherwise, built-in utilities can perform this technique.",
"enabled": true,
"metadata": [],
"showSubtechniques": false
},
{
"techniqueID": "T1614",
"tactic": "discovery",
"score": 50,
"color": "",
"comment": "Custom code used to perform this would be blocked. Otherwise, built-in utilities can perform this technique.",
"enabled": true,
"metadata": [],
"showSubtechniques": false
},
{
"techniqueID": "T1016",
"tactic": "discovery",
"score": 50,
"color": "",
"comment": "",
"enabled": true,
"metadata": [],
"showSubtechniques": false
},
{
"techniqueID": "T1016.001",
"tactic": "discovery",
"score": 50,
"color": "",
"comment": "Custom code used to perform this would be blocked. There are many built-in utilities, however, to perform this technique.",
"enabled": true,
"metadata": [],
"showSubtechniques": false
},
{
"techniqueID": "T1049",
"tactic": "discovery",
"score": 50,
"color": "",
"comment": "Custom code used to perform this would be blocked. There are many built-in utilities, however, to perform this technique.",
"enabled": true,
"metadata": [],
"showSubtechniques": false
},
{
"techniqueID": "T1033",
"tactic": "discovery",
"score": 50,
"color": "",
"comment": "Custom code used to perform this would be blocked. There are many built-in utilities, however, to perform this technique.",
"enabled": true,
"metadata": [],
"showSubtechniques": false
},
{
"techniqueID": "T1007",
"tactic": "discovery",
"score": 50,
"color": "",
"comment": "Built-in utilities exist to perform this technique. They would have to be explicitly blocked.",
"enabled": true,
"metadata": [],
"showSubtechniques": false
},
{
"techniqueID": "T1569",
"tactic": "execution",
"score": 100,
"color": "",
"comment": "",
"enabled": true,
"metadata": [],
"showSubtechniques": false
},
{
"techniqueID": "T1569.002",
"tactic": "execution",
"score": 100,
"color": "",
"comment": "Service executables not approved per policy would be prevented from executing.",
"enabled": true,
"metadata": [],
"showSubtechniques": false
},
{
"techniqueID": "T1529",
"tactic": "impact",
"score": 50,
"color": "",
"comment": "Custom code used to perform this would be blocked. Otherwise, built-in utilities can perform this technique.",
"enabled": true,
"metadata": [],
"showSubtechniques": false
},
{
"techniqueID": "T1124",
"tactic": "discovery",
"score": 50,
"color": "",
"comment": "Custom code used to perform this would be blocked. Otherwise, built-in utilities can perform this technique.",
"enabled": true,
"metadata": [],
"showSubtechniques": false
},
{
"techniqueID": "T1080",
"tactic": "lateral-movement",
"score": 50,
"color": "",
"comment": "Application control cannot prevent the usage/abuse of this technique but it can limit the impact by restricting what is executed.",
"enabled": true,
"metadata": [],
"showSubtechniques": false
},
{
"techniqueID": "T1221",
"tactic": "defense-evasion",
"score": 0,
"color": "",
"comment": "This technique is not addressed by application control.",
"enabled": true,
"metadata": [],
"showSubtechniques": false
},
{
"techniqueID": "T1205",
"tactic": "defense-evasion",
"score": 0,
"color": "",
"comment": "",
"enabled": true,
"metadata": [],
"showSubtechniques": false
},
{
"techniqueID": "T1205",
"tactic": "persistence",
"score": 0,
"color": "",
"comment": "",
"enabled": true,
"metadata": [],
"showSubtechniques": false
},
{
"techniqueID": "T1205",
"tactic": "command-and-control",
"score": 0,
"color": "",
"comment": "",
"enabled": true,
"metadata": [],
"showSubtechniques": false
},
{
"techniqueID": "T1205.001",
"tactic": "defense-evasion",
"score": 0,
"color": "",
"comment": "This technique is not addressed by application control.",
"enabled": true,
"metadata": [],
"showSubtechniques": false
},
{
"techniqueID": "T1205.001",
"tactic": "persistence",
"score": 0,
"color": "",
"comment": "This technique is not addressed by application control.",
"enabled": true,
"metadata": [],
"showSubtechniques": false
},
{
"techniqueID": "T1205.001",
"tactic": "command-and-control",
"score": 0,
"color": "",
"comment": "This technique is not addressed by application control.",
"enabled": true,
"metadata": [],
"showSubtechniques": false
},
{
"techniqueID": "T1127",
"tactic": "defense-evasion",
"score": 100,
"color": "",
"comment": "",
"enabled": true,
"metadata": [],
"showSubtechniques": false
},
{
"techniqueID": "T1127.001",
"tactic": "defense-evasion",
"score": 100,
"color": "",
"comment": "MSBuild binaries can be blocked per policy. This may not be possible on developer systems, however.",
"enabled": true,
"metadata": [],
"showSubtechniques": false
},
{
"techniqueID": "T1199",
"tactic": "initial-access",
"score": 0,
"color": "",
"comment": "This technique is not addressed by application control.",
"enabled": true,
"metadata": [],
"showSubtechniques": false
},
{
"techniqueID": "T1111",
"tactic": "credential-access",
"score": 50,
"color": "",
"comment": "Custom code used to perform this would be blocked.",
"enabled": true,
"metadata": [],
"showSubtechniques": false
},
{
"techniqueID": "T1552",
"tactic": "credential-access",
"score": 0,
"color": "",
"comment": "",
"enabled": true,
"metadata": [],
"showSubtechniques": false
},
{
"techniqueID": "T1552.001",
"tactic": "credential-access",
"score": 0,
"color": "",
"comment": "This technique is not addressed by application control.",
"enabled": true,
"metadata": [],
"showSubtechniques": false
},
{
"techniqueID": "T1552.002",
"tactic": "credential-access",
"score": 0,
"color": "",
"comment": "This technique is not addressed by application control.",
"enabled": true,
"metadata": [],
"showSubtechniques": false
},
{
"techniqueID": "T1552.004",
"tactic": "credential-access",
"score": 0,
"color": "",
"comment": "This technique is not addressed by application control.",
"enabled": true,
"metadata": [],
"showSubtechniques": false
},
{
"techniqueID": "T1552.006",
"tactic": "credential-access",
"score": 0,
"color": "",
"comment": "This technique is not addressed by application control.",
"enabled": true,
"metadata": [],
"showSubtechniques": false
},
{
"techniqueID": "T1550",
"tactic": "defense-evasion",
"score": 0,
"color": "",
"comment": "",
"enabled": true,
"metadata": [],
"showSubtechniques": false
},
{
"techniqueID": "T1550",
"tactic": "lateral-movement",
"score": 0,
"color": "",
"comment": "",
"enabled": true,
"metadata": [],
"showSubtechniques": false
},
{
"techniqueID": "T1550.002",
"tactic": "defense-evasion",
"score": 0,
"color": "",
"comment": "This technique is not addressed by application control.",
"enabled": true,
"metadata": [],
"showSubtechniques": false
},
{
"techniqueID": "T1550.002",
"tactic": "lateral-movement",
"score": 0,
"color": "",
"comment": "This technique is not addressed by application control.",
"enabled": true,
"metadata": [],
"showSubtechniques": false
},
{
"techniqueID": "T1550.003",
"tactic": "defense-evasion",
"score": 0,
"color": "",
"comment": "This technique is not addressed by application control.",
"enabled": true,
"metadata": [],
"showSubtechniques": false
},
{
"techniqueID": "T1550.003",
"tactic": "lateral-movement",
"score": 0,
"color": "",
"comment": "This technique is not addressed by application control.",
"enabled": true,
"metadata": [],
"showSubtechniques": false
},
{
"techniqueID": "T1204",
"tactic": "execution",
"score": 50,
"color": "",
"comment": "",
"enabled": true,
"metadata": [],
"showSubtechniques": false
},
{
"techniqueID": "T1204.001",
"tactic": "execution",
"score": 50,
"color": "",
"comment": "Assuming the target of the link attempt to execute something not permitted per policy, application control is a highly effective solution. Application control will not prevent the execution of an attempted exploit of a software vulnerability.",
"enabled": true,
"metadata": [],
"showSubtechniques": false
},
{
"techniqueID": "T1204.002",
"tactic": "execution",
"score": 50,
"color": "",
"comment": "The attempted execution of any PE or script can be prevented from execution. Delivery of an Office macro, however, as an example is not applicable to application control and is mitigated by other controls.",
"enabled": true,
"metadata": [],
"showSubtechniques": false
},
{
"techniqueID": "T1078",
"tactic": "defense-evasion",
"score": 0,
"color": "",
"comment": "",
"enabled": true,
"metadata": [],
"showSubtechniques": false
},
{
"techniqueID": "T1078",
"tactic": "persistence",
"score": 0,
"color": "",
"comment": "",
"enabled": true,
"metadata": [],
"showSubtechniques": false
},
{
"techniqueID": "T1078",
"tactic": "privilege-escalation",
"score": 0,
"color": "",
"comment": "",
"enabled": true,
"metadata": [],
"showSubtechniques": false
},
{
"techniqueID": "T1078",
"tactic": "initial-access",
"score": 0,
"color": "",
"comment": "",
"enabled": true,
"metadata": [],
"showSubtechniques": false
},
{
"techniqueID": "T1078.001",
"tactic": "defense-evasion",
"score": 0,
"color": "",
"comment": "Technique is not necessarily related to the execution of arbitrary code on an endpoint.",
"enabled": true,
"metadata": [],
"showSubtechniques": false
},
{
"techniqueID": "T1078.001",
"tactic": "persistence",
"score": 0,
"color": "",
"comment": "Technique is not necessarily related to the execution of arbitrary code on an endpoint.",
"enabled": true,
"metadata": [],
"showSubtechniques": false
},
{
"techniqueID": "T1078.001",
"tactic": "privilege-escalation",
"score": 0,
"color": "",
"comment": "Technique is not necessarily related to the execution of arbitrary code on an endpoint.",
"enabled": true,
"metadata": [],
"showSubtechniques": false
},
{
"techniqueID": "T1078.001",
"tactic": "initial-access",
"score": 0,
"color": "",
"comment": "Technique is not necessarily related to the execution of arbitrary code on an endpoint.",
"enabled": true,
"metadata": [],
"showSubtechniques": false
},
{
"techniqueID": "T1078.002",
"tactic": "defense-evasion",
"score": 0,
"color": "",
"comment": "Technique is not necessarily related to the execution of arbitrary code on an endpoint.",
"enabled": true,
"metadata": [],
"showSubtechniques": false
},
{
"techniqueID": "T1078.002",
"tactic": "persistence",
"score": 0,
"color": "",
"comment": "Technique is not necessarily related to the execution of arbitrary code on an endpoint.",
"enabled": true,
"metadata": [],
"showSubtechniques": false
},
{
"techniqueID": "T1078.002",
"tactic": "privilege-escalation",
"score": 0,
"color": "",
"comment": "Technique is not necessarily related to the execution of arbitrary code on an endpoint.",
"enabled": true,
"metadata": [],
"showSubtechniques": false
},
{
"techniqueID": "T1078.002",
"tactic": "initial-access",
"score": 0,
"color": "",
"comment": "Technique is not necessarily related to the execution of arbitrary code on an endpoint.",
"enabled": true,
"metadata": [],
"showSubtechniques": false
},
{
"techniqueID": "T1078.003",
"tactic": "defense-evasion",
"score": 0,
"color": "",
"comment": "Technique is not necessarily related to the execution of arbitrary code on an endpoint.",
"enabled": true,
"metadata": [],
"showSubtechniques": false
},
{
"techniqueID": "T1078.003",
"tactic": "persistence",
"score": 0,
"color": "",
"comment": "Technique is not necessarily related to the execution of arbitrary code on an endpoint.",
"enabled": true,
"metadata": [],
"showSubtechniques": false
},
{
"techniqueID": "T1078.003",
"tactic": "privilege-escalation",
"score": 0,
"color": "",
"comment": "Technique is not necessarily related to the execution of arbitrary code on an endpoint.",
"enabled": true,
"metadata": [],
"showSubtechniques": false
},
{
"techniqueID": "T1078.003",
"tactic": "initial-access",
"score": 0,
"color": "",
"comment": "Technique is not necessarily related to the execution of arbitrary code on an endpoint.",
"enabled": true,
"metadata": [],
"showSubtechniques": false
},
{
"techniqueID": "T1125",
"tactic": "collection",
"score": 50,
"color": "",
"comment": "Custom code used to perform this would be blocked. Otherwise, built-in utilities can perform this technique.",
"enabled": true,
"metadata": [],
"showSubtechniques": false
},
{
"techniqueID": "T1497",
"tactic": "defense-evasion",
"score": 50,
"color": "",
"comment": "",
"enabled": true,
"metadata": [],
"showSubtechniques": false
},
{
"techniqueID": "T1497",
"tactic": "discovery",
"score": 50,
"color": "",
"comment": "",
"enabled": true,
"metadata": [],
"showSubtechniques": false
},
{
"techniqueID": "T1497.001",
"tactic": "defense-evasion",
"score": 50,
"color": "",
"comment": "Custom code used to perform this would be blocked. Otherwise, built-in utilities can perform this technique.",
"enabled": true,
"metadata": [],
"showSubtechniques": false
},
{
"techniqueID": "T1497.001",
"tactic": "discovery",
"score": 50,
"color": "",
"comment": "Custom code used to perform this would be blocked. Otherwise, built-in utilities can perform this technique.",
"enabled": true,
"metadata": [],
"showSubtechniques": false
},
{
"techniqueID": "T1497.002",
"tactic": "defense-evasion",
"score": 50,
"color": "",
"comment": "Custom code used to perform this would be blocked. Otherwise, built-in utilities can perform this technique.",
"enabled": true,
"metadata": [],
"showSubtechniques": false
},
{
"techniqueID": "T1497.002",
"tactic": "discovery",
"score": 50,
"color": "",
"comment": "Custom code used to perform this would be blocked. Otherwise, built-in utilities can perform this technique.",
"enabled": true,
"metadata": [],
"showSubtechniques": false
},
{
"techniqueID": "T1497.003",
"tactic": "defense-evasion",
"score": 50,
"color": "",
"comment": "Custom code used to perform this would be blocked. Otherwise, built-in utilities can perform this technique.",
"enabled": true,
"metadata": [],
"showSubtechniques": false
},
{
"techniqueID": "T1497.003",
"tactic": "discovery",
"score": 50,
"color": "",
"comment": "Custom code used to perform this would be blocked. Otherwise, built-in utilities can perform this technique.",
"enabled": true,
"metadata": [],
"showSubtechniques": false
},
{
"techniqueID": "T1102",
"tactic": "command-and-control",
"score": 0,
"color": "",
"comment": "",
"enabled": true,
"metadata": [],
"showSubtechniques": false
},
{
"techniqueID": "T1102.001",
"tactic": "command-and-control",
"score": 0,
"color": "",
"comment": "Technique is not necessarily related to the execution of arbitrary code on an endpoint.",
"enabled": true,
"metadata": [],
"showSubtechniques": false
},
{
"techniqueID": "T1102.002",
"tactic": "command-and-control",
"score": 0,
"color": "",
"comment": "Technique is not necessarily related to the execution of arbitrary code on an endpoint.",
"enabled": true,
"metadata": [],
"showSubtechniques": false
},
{
"techniqueID": "T1102.003",
"tactic": "command-and-control",
"score": 0,
"color": "",
"comment": "Technique is not necessarily related to the execution of arbitrary code on an endpoint.",
"enabled": true,
"metadata": [],
"showSubtechniques": false
},
{
"techniqueID": "T1047",
"tactic": "execution",
"score": 50,
"color": "",
"comment": "Application control cannot prevent the usage/abuse of this technique but it can limit the impact by restricting what is executed.",
"enabled": true,
"metadata": [],
"showSubtechniques": false
},
{
"techniqueID": "T1220",
"tactic": "defense-evasion",
"score": 50,
"color": "",
"comment": "Associated executables can be blocked but there may be unknown utilities that process XSL that defenders may be unaware of.",
"enabled": true,
"metadata": [],
"showSubtechniques": false
}
],
"gradient": {
"colors": [
"#ff6666",
"#ffe766",
"#8ec843"
],
"minValue": 0,
"maxValue": 100
},
"legendItems": [],
"metadata": [],
"showTacticRowBackground": false,
"tacticRowBackground": "#dddddd",
"selectTechniquesAcrossTactics": true,
"selectSubtechniquesWithParent": false
}
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment