SOC Incident Toolkit
Silent Recruiters: UNC2970's Trojanized Infiltration

Tags: MistPen, Malware, Trojanized PDF, Job Seeker Attacks, UNC2970, TEMP.Hermit

UNC2970, a North Korean-backed hacking group, has launched a sophisticated cyber campaign targeting job seekers and major industries like energy and aerospace. Using trojanized PDF readers and luring victims with fake job applications, the group infiltrates critical sectors, deploying the MistPen malware to compromise sensitive data and networks. This campaign highlights the dangerous combination of social engineering and advanced malware tactics, aiming at individuals and organizations alike.

Indicators of Compromise

Domains (6)

cmasedu.com
dstvdtt.co.za
www.clinicabaru.co
bmtpakistan.com
heropersonas.com
verisoftsystems.com

Hashes (18)


APT Groups

TEMP.Hermit

Korea, Democratic People's Republic of

Notes

<span id="docs-internal-guid-4644ea20-7fff-320d-3d6e-dd3b5b39b812"><p><b>CONCLUSION</b></p>
<p>The UNC2970 campaign exemplifies the evolving nature of cyber threats, particularly those orchestrated by state-sponsored actors like North Korea. By targeting job seekers and infiltrating critical sectors such as energy and aerospace, this advanced persistent threat poses significant risks to both individuals and organizations. The use of trojanized PDF readers and sophisticated malware like MistPen highlights the increasing complexity of cyber espionage tactics. It is imperative for organizations to adopt proactive security measures, such as maintaining up-to-date systems, implementing robust monitoring and incident response strategies, and fostering awareness of social engineering threats. Vigilance and comprehensive cybersecurity frameworks are essential to mitigating the impact of such malicious campaigns and securing critical infrastructure from future attacks.</p></span>

Mitigation

<div><span id="docs-internal-guid-5d9c72df-7fff-e116-e10b-aa93bac58dfd"><p><b>MITIGATION</b></p>
<br>
<p><b>T1134 - Access Token Manipulation</b></p>
<div><table>
<tbody>
<tr><td><b>ID</b></td><td><b>Mitigation</b></td><td><b>Description</b></td></tr>
<tr><td><a href="https://attack.mitre.org/mitigations/M1026">M1026</a></td><td><a href="https://attack.mitre.org/mitigations/M1026">Privileged Account Management</a></td><td><p>Limit permissions so that users and user groups cannot create tokens. This right should be granted to the local system account only. GPO: Computer Configuration &gt; [Policies] &gt; Windows Settings &gt; Security Settings &gt; Local Policies &gt; User Rights Assignment: Create a token object. <a href="https://docs.microsoft.com/windows/device-security/security-policy-settings/create-a-token-object">[26]</a> Also restrict who can create a process level token to the local service and network service accounts only, through GPO: Computer Configuration &gt; [Policies] &gt; Windows Settings &gt; Security Settings &gt; Local Policies &gt; User Rights Assignment: Replace a process level token. <a href="https://docs.microsoft.com/windows/device-security/security-policy-settings/replace-a-process-level-token">[27]</a></p><p>Administrators should log in as a standard user but run their tools with administrator privileges using the built-in access token manipulation command <code>runas</code>. <a href="https://technet.microsoft.com/en-us/library/bb490994.aspx">[28]</a></p></td></tr>
<tr><td><a href="https://attack.mitre.org/mitigations/M1018">M1018</a></td><td><a href="https://attack.mitre.org/mitigations/M1018">User Account Management</a></td><td><p>An adversary must already have administrator level access on the local system to make full use of this technique; be sure to restrict users and accounts to the least privileges they require.</p></td></tr>
</tbody>
</table></div>
<br>
<p><b>T1059 - Command and Scripting Interpreter</b></p>
<br>
<div><table>
<tbody>
<tr><td><b>ID</b></td><td><b>Mitigation</b></td><td><b>Description</b></td></tr>
<tr><td><a href="https://attack.mitre.org/mitigations/M1049">M1049</a></td><td><a href="https://attack.mitre.org/mitigations/M1049">Antivirus/Antimalware</a></td><td><p>Anti-virus can be used to automatically quarantine suspicious files.</p></td></tr>
<tr><td><a href="https://attack.mitre.org/mitigations/M1040">M1040</a></td><td><a href="https://attack.mitre.org/mitigations/M1040">Behavior Prevention on Endpoint</a></td><td><p>On Windows 10, enable Attack Surface Reduction (ASR) rules to prevent <a href="https://attack.mitre.org/techniques/T1059/005">Visual Basic</a> and <a href="https://attack.mitre.org/techniques/T1059/007">JavaScript</a> scripts from executing potentially malicious downloaded content. <a href="https://docs.microsoft.com/microsoft-365/security/defender-endpoint/attack-surface-reduction">[48]</a></p></td></tr>
<tr><td><a href="https://attack.mitre.org/mitigations/M1045">M1045</a></td><td><a href="https://attack.mitre.org/mitigations/M1045">Code Signing</a></td><td><p>Where possible, only permit execution of signed scripts.</p></td></tr>
<tr><td><a href="https://attack.mitre.org/mitigations/M1042">M1042</a></td><td><a href="https://attack.mitre.org/mitigations/M1042">Disable or Remove Feature or Program</a></td><td><p>Disable or remove any unnecessary or unused shells or interpreters.</p></td></tr>
<tr><td><a href="https://attack.mitre.org/mitigations/M1038">M1038</a></td><td><a href="https://attack.mitre.org/mitigations/M1038">Execution Prevention</a></td><td><p>Use application control where appropriate. For example, PowerShell Constrained Language mode can be used to restrict access to sensitive or otherwise dangerous language elements such as those used to execute arbitrary Windows APIs or files (e.g., <code>Add-Type</code>). <a href="https://devblogs.microsoft.com/powershell/powershell-constrained-language-mode/">[49]</a></p></td></tr>
<tr><td><a href="https://attack.mitre.org/mitigations/M1026">M1026</a></td><td><a href="https://attack.mitre.org/mitigations/M1026">Privileged Account Management</a></td><td><p>When PowerShell is necessary, consider restricting the PowerShell execution policy to administrators. Be aware that there are methods of bypassing the PowerShell execution policy, depending on environment configuration. <a href="https://blog.netspi.com/15-ways-to-bypass-the-powershell-execution-policy/">[50]</a></p><p>PowerShell JEA (Just Enough Administration) may also be used to sandbox administration and limit what commands admins/users can execute through remote PowerShell sessions. <a href="https://learn.microsoft.com/powershell/scripting/learn/remoting/jea/overview?view=powershell-7.3">[51]</a></p></td></tr>
<tr><td><a href="https://attack.mitre.org/mitigations/M1021">M1021</a></td><td><a href="https://attack.mitre.org/mitigations/M1021">Restrict Web-Based Content</a></td><td><p>Script blocking extensions can help prevent the execution of scripts and HTA files that are commonly used during the exploitation process. For malicious code served through ads, adblockers can help prevent that code from executing in the first place.</p></td></tr>
</tbody>
</table></div>
<br>
<p><b>T1036 - Masquerading</b></p>
<br>
<div><table>
<tbody>
<tr><td><b>ID</b></td><td><b>Mitigation</b></td><td><b>Description</b></td></tr>
<tr><td><a href="https://attack.mitre.org/mitigations/M1049">M1049</a></td><td><a href="https://attack.mitre.org/mitigations/M1049">Antivirus/Antimalware</a></td><td><p>Anti-virus can be used to automatically quarantine suspicious files.</p></td></tr>
<tr><td><a href="https://attack.mitre.org/mitigations/M1040">M1040</a></td><td><a href="https://attack.mitre.org/mitigations/M1040">Behavior Prevention on Endpoint</a></td><td><p>
font-variant-east-asian: normal; font-variant-alternates: normal; font-variant-position: normal; vertical-align: baseline;">Implement security controls on the endpoint, such as a Host Intrusion Prevention System (HIPS), to identify and prevent execution of potentially malicious files (such as those with mismatching file signatures).</span></p></td></tr><tr style="height:42.25pt;"><td style="border-width: 0.75pt; border-style: solid; border-color: rgb(223, 223, 223); vertical-align: top; padding: 5pt; overflow: hidden; overflow-wrap: break-word;"><p style="line-height:1.38;margin-top:0pt;margin-bottom:0pt;"><a href="https://attack.mitre.org/mitigations/M1045"><span style="font-size: 10pt; font-family: Arial, sans-serif; color: rgb(79, 124, 172); font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; font-variant-position: normal; vertical-align: baseline;">M1045</span></a></p></td><td style="border-width: 0.75pt; border-style: solid; border-color: rgb(223, 223, 223); vertical-align: top; padding: 5pt; overflow: hidden; overflow-wrap: break-word;"><p style="line-height:1.38;margin-top:0pt;margin-bottom:0pt;"><a href="https://attack.mitre.org/mitigations/M1045"><span style="font-size: 10pt; font-family: Arial, sans-serif; color: rgb(79, 124, 172); font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; font-variant-position: normal; vertical-align: baseline;">Code Signing</span></a></p></td><td style="border-width: 0.75pt; border-style: solid; border-color: rgb(223, 223, 223); vertical-align: top; padding: 5pt; overflow: hidden; overflow-wrap: break-word;"><p style="line-height:1.38;margin-top:0pt;margin-bottom:0pt;"><span style="font-size: 10pt; font-family: Arial, sans-serif; color: rgb(33, 37, 41); font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; font-variant-position: normal; vertical-align: baseline;">Require signed 
binaries.</span></p></td></tr><tr style="height:55.75pt;"><td style="border-width: 0.75pt; border-style: solid; border-color: rgb(223, 223, 223); vertical-align: top; padding: 5pt; overflow: hidden; overflow-wrap: break-word;"><p style="line-height:1.38;margin-top:0pt;margin-bottom:0pt;"><a href="https://attack.mitre.org/mitigations/M1038"><span style="font-size: 10pt; font-family: Arial, sans-serif; color: rgb(79, 124, 172); font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; font-variant-position: normal; vertical-align: baseline;">M1038</span></a></p></td><td style="border-width: 0.75pt; border-style: solid; border-color: rgb(223, 223, 223); vertical-align: top; padding: 5pt; overflow: hidden; overflow-wrap: break-word;"><p style="line-height:1.38;margin-top:0pt;margin-bottom:0pt;"><a href="https://attack.mitre.org/mitigations/M1038"><span style="font-size: 10pt; font-family: Arial, sans-serif; color: rgb(79, 124, 172); font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; font-variant-position: normal; vertical-align: baseline;">Execution Prevention</span></a></p></td><td style="border-width: 0.75pt; border-style: solid; border-color: rgb(223, 223, 223); vertical-align: top; padding: 5pt; overflow: hidden; overflow-wrap: break-word;"><p style="line-height:1.38;margin-top:0pt;margin-bottom:0pt;"><span style="font-size: 10pt; font-family: Arial, sans-serif; color: rgb(33, 37, 41); font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; font-variant-position: normal; vertical-align: baseline;">Use tools that restrict program execution via application control by attributes other than file name for common operating system utilities that are needed.</span></p></td></tr><tr style="height:55.75pt;"><td style="border-width: 0.75pt; border-style: solid; border-color: rgb(223, 223, 223); vertical-align: top; padding: 5pt; overflow: hidden; 
overflow-wrap: break-word;"><p style="line-height:1.38;margin-top:0pt;margin-bottom:0pt;"><a href="https://attack.mitre.org/mitigations/M1022"><span style="font-size: 10pt; font-family: Arial, sans-serif; color: rgb(79, 124, 172); font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; font-variant-position: normal; vertical-align: baseline;">M1022</span></a></p></td><td style="border-width: 0.75pt; border-style: solid; border-color: rgb(223, 223, 223); vertical-align: top; padding: 5pt; overflow: hidden; overflow-wrap: break-word;"><p style="line-height:1.38;margin-top:0pt;margin-bottom:0pt;"><a href="https://attack.mitre.org/mitigations/M1022"><span style="font-size: 10pt; font-family: Arial, sans-serif; color: rgb(79, 124, 172); font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; font-variant-position: normal; vertical-align: baseline;">Restrict File and Directory Permissions</span></a></p></td><td style="border-width: 0.75pt; border-style: solid; border-color: rgb(223, 223, 223); vertical-align: top; padding: 5pt; overflow: hidden; overflow-wrap: break-word;"><p style="line-height:1.38;margin-top:0pt;margin-bottom:0pt;"><span style="font-size: 10pt; font-family: Arial, sans-serif; color: rgb(33, 37, 41); font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; font-variant-position: normal; vertical-align: baseline;">Use file system access controls to protect folders such as C:\Windows\System32.</span></p></td></tr><tr style="height:55.75pt;"><td style="border-width: 0.75pt; border-style: solid; border-color: rgb(223, 223, 223); vertical-align: top; padding: 5pt; overflow: hidden; overflow-wrap: break-word;"><p style="line-height:1.38;margin-top:0pt;margin-bottom:0pt;"><a href="https://attack.mitre.org/mitigations/M1017"><span style="font-size: 10pt; font-family: Arial, sans-serif; color: rgb(79, 124, 172); font-variant-numeric: normal; 
font-variant-east-asian: normal; font-variant-alternates: normal; font-variant-position: normal; vertical-align: baseline;">M1017</span></a></p></td><td style="border-width: 0.75pt; border-style: solid; border-color: rgb(223, 223, 223); vertical-align: top; padding: 5pt; overflow: hidden; overflow-wrap: break-word;"><p style="line-height:1.38;margin-top:0pt;margin-bottom:0pt;"><a href="https://attack.mitre.org/mitigations/M1017"><span style="font-size: 10pt; font-family: Arial, sans-serif; color: rgb(79, 124, 172); font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; font-variant-position: normal; vertical-align: baseline;">User Training</span></a></p></td><td style="border-width: 0.75pt; border-style: solid; border-color: rgb(223, 223, 223); vertical-align: top; padding: 5pt; overflow: hidden; overflow-wrap: break-word;"><p style="line-height:1.38;margin-top:0pt;margin-bottom:0pt;"><span style="font-size: 10pt; font-family: Arial, sans-serif; color: rgb(33, 37, 41); font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; font-variant-position: normal; vertical-align: baseline;">Train users not to open email attachments or click unknown links (URLs). 
Such training fosters more secure habits within your organization and will limit many of the risks.</span></p></td></tr></tbody></table></div><br><br><p style="line-height:1.38;margin-top:0pt;margin-bottom:0pt;"><span style="font-size: 10pt; font-family: Arial, sans-serif; color: rgb(33, 37, 41); font-weight: 700; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; font-variant-position: normal; vertical-align: baseline;">T1566 - Phishing</span></p><br><div style="margin-left:0pt;" align="left"><table style="border:none;border-collapse:collapse;"><colgroup><col><col><col></colgroup><tbody><tr style="height:37.75pt;"><td style="border-width: 0.75pt 0.75pt 1.5pt; border-style: solid; border-color: rgb(223, 223, 223) rgb(223, 223, 223) rgb(222, 226, 230); vertical-align: bottom; padding: 5pt; overflow: hidden; overflow-wrap: break-word;"><p style="line-height:1.38;text-align: center;margin-top:0pt;margin-bottom:0pt;"><span style="font-size: 10pt; font-family: Arial, sans-serif; color: rgb(33, 37, 41); font-weight: 700; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; font-variant-position: normal; vertical-align: baseline;">ID</span></p></td><td style="border-width: 0.75pt 0.75pt 1.5pt; border-style: solid; border-color: rgb(223, 223, 223) rgb(223, 223, 223) rgb(222, 226, 230); vertical-align: bottom; padding: 5pt; overflow: hidden; overflow-wrap: break-word;"><p style="line-height:1.38;text-align: center;margin-top:0pt;margin-bottom:0pt;"><span style="font-size: 10pt; font-family: Arial, sans-serif; color: rgb(33, 37, 41); font-weight: 700; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; font-variant-position: normal; vertical-align: baseline;">Mitigation</span></p></td><td style="border-width: 0.75pt 0.75pt 1.5pt; border-style: solid; border-color: rgb(223, 223, 223) rgb(223, 223, 223) rgb(222, 226, 230); vertical-align: bottom; 
padding: 5pt; overflow: hidden; overflow-wrap: break-word;"><p style="line-height:1.38;text-align: center;margin-top:0pt;margin-bottom:0pt;"><span style="font-size: 10pt; font-family: Arial, sans-serif; color: rgb(33, 37, 41); font-weight: 700; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; font-variant-position: normal; vertical-align: baseline;">Description</span></p></td></tr><tr style="height:43pt;"><td style="border-width: 1.5pt 0.75pt 0.75pt; border-style: solid; border-color: rgb(222, 226, 230) rgb(223, 223, 223) rgb(223, 223, 223); vertical-align: top; padding: 5pt; overflow: hidden; overflow-wrap: break-word;"><p style="line-height:1.38;margin-top:0pt;margin-bottom:0pt;"><a href="https://attack.mitre.org/mitigations/M1049"><span style="font-size: 10pt; font-family: Arial, sans-serif; color: rgb(79, 124, 172); font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; font-variant-position: normal; vertical-align: baseline;">M1049</span></a></p></td><td style="border-width: 1.5pt 0.75pt 0.75pt; border-style: solid; border-color: rgb(222, 226, 230) rgb(223, 223, 223) rgb(223, 223, 223); vertical-align: top; padding: 5pt; overflow: hidden; overflow-wrap: break-word;"><p style="line-height:1.38;margin-top:0pt;margin-bottom:0pt;"><a href="https://attack.mitre.org/mitigations/M1049"><span style="font-size: 10pt; font-family: Arial, sans-serif; color: rgb(79, 124, 172); font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; font-variant-position: normal; vertical-align: baseline;">Antivirus/Antimalware</span></a></p></td><td style="border-width: 1.5pt 0.75pt 0.75pt; border-style: solid; border-color: rgb(222, 226, 230) rgb(223, 223, 223) rgb(223, 223, 223); vertical-align: top; padding: 5pt; overflow: hidden; overflow-wrap: break-word;"><p style="line-height:1.38;margin-top:0pt;margin-bottom:0pt;"><span style="font-size: 10pt; 
font-family: Arial, sans-serif; color: rgb(33, 37, 41); font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; font-variant-position: normal; vertical-align: baseline;">Anti-virus can automatically quarantine suspicious files.</span></p></td></tr><tr style="height:42.25pt;"><td style="border-width: 0.75pt; border-style: solid; border-color: rgb(223, 223, 223); vertical-align: top; padding: 5pt; overflow: hidden; overflow-wrap: break-word;"><p style="line-height:1.38;margin-top:0pt;margin-bottom:0pt;"><a href="https://attack.mitre.org/mitigations/M1047"><span style="font-size: 10pt; font-family: Arial, sans-serif; color: rgb(79, 124, 172); font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; font-variant-position: normal; vertical-align: baseline;">M1047</span></a></p></td><td style="border-width: 0.75pt; border-style: solid; border-color: rgb(223, 223, 223); vertical-align: top; padding: 5pt; overflow: hidden; overflow-wrap: break-word;"><p style="line-height:1.38;margin-top:0pt;margin-bottom:0pt;"><a href="https://attack.mitre.org/mitigations/M1047"><span style="font-size: 10pt; font-family: Arial, sans-serif; color: rgb(79, 124, 172); font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; font-variant-position: normal; vertical-align: baseline;">Audit</span></a></p></td><td style="border-width: 0.75pt; border-style: solid; border-color: rgb(223, 223, 223); vertical-align: top; padding: 5pt; overflow: hidden; overflow-wrap: break-word;"><p style="line-height:1.38;margin-top:0pt;margin-bottom:0pt;"><span style="font-size: 10pt; font-family: Arial, sans-serif; color: rgb(33, 37, 41); font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; font-variant-position: normal; vertical-align: baseline;">Perform audits or scans of systems, permissions, insecure software, insecure configurations, etc. 
to identify potential weaknesses.</span></p></td></tr><tr style="height:55.75pt;"><td style="border-width: 0.75pt; border-style: solid; border-color: rgb(223, 223, 223); vertical-align: top; padding: 5pt; overflow: hidden; overflow-wrap: break-word;"><p style="line-height:1.38;margin-top:0pt;margin-bottom:0pt;"><a href="https://attack.mitre.org/mitigations/M1031"><span style="font-size: 10pt; font-family: Arial, sans-serif; color: rgb(79, 124, 172); font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; font-variant-position: normal; vertical-align: baseline;">M1031</span></a></p></td><td style="border-width: 0.75pt; border-style: solid; border-color: rgb(223, 223, 223); vertical-align: top; padding: 5pt; overflow: hidden; overflow-wrap: break-word;"><p style="line-height:1.38;margin-top:0pt;margin-bottom:0pt;"><a href="https://attack.mitre.org/mitigations/M1031"><span style="font-size: 10pt; font-family: Arial, sans-serif; color: rgb(79, 124, 172); font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; font-variant-position: normal; vertical-align: baseline;">Network Intrusion Prevention</span></a></p></td><td style="border-width: 0.75pt; border-style: solid; border-color: rgb(223, 223, 223); vertical-align: top; padding: 5pt; overflow: hidden; overflow-wrap: break-word;"><p style="line-height:1.38;margin-top:0pt;margin-bottom:0pt;"><span style="font-size: 10pt; font-family: Arial, sans-serif; color: rgb(33, 37, 41); font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; font-variant-position: normal; vertical-align: baseline;">Network intrusion prevention systems and systems designed to scan and remove malicious email attachments or links can be used to block activity.</span></p></td></tr><tr style="height:55.75pt;"><td style="border-width: 0.75pt; border-style: solid; border-color: rgb(223, 223, 223); vertical-align: top; padding: 5pt; 
overflow: hidden; overflow-wrap: break-word;"><p style="line-height:1.38;margin-top:0pt;margin-bottom:0pt;"><a href="https://attack.mitre.org/mitigations/M1021"><span style="font-size: 10pt; font-family: Arial, sans-serif; color: rgb(79, 124, 172); font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; font-variant-position: normal; vertical-align: baseline;">M1021</span></a></p></td><td style="border-width: 0.75pt; border-style: solid; border-color: rgb(223, 223, 223); vertical-align: top; padding: 5pt; overflow: hidden; overflow-wrap: break-word;"><p style="line-height:1.38;margin-top:0pt;margin-bottom:0pt;"><a href="https://attack.mitre.org/mitigations/M1021"><span style="font-size: 10pt; font-family: Arial, sans-serif; color: rgb(79, 124, 172); font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; font-variant-position: normal; vertical-align: baseline;">Restrict Web-Based Content</span></a></p></td><td style="border-width: 0.75pt; border-style: solid; border-color: rgb(223, 223, 223); vertical-align: top; padding: 5pt; overflow: hidden; overflow-wrap: break-word;"><p style="line-height:1.38;margin-top:0pt;margin-bottom:0pt;"><span style="font-size: 10pt; font-family: Arial, sans-serif; color: rgb(33, 37, 41); font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; font-variant-position: normal; vertical-align: baseline;">Determine if certain websites or attachment types (ex: .scr, .exe, .pif, .cpl, etc.) 
that can be used for phishing are necessary for business operations and consider blocking access if activity cannot be monitored well or if it poses a significant risk.</span></p></td></tr><tr style="height:69.25pt;"><td style="border-width: 0.75pt; border-style: solid; border-color: rgb(223, 223, 223); vertical-align: top; padding: 5pt; overflow: hidden; overflow-wrap: break-word;"><p style="line-height:1.38;margin-top:0pt;margin-bottom:0pt;"><a href="https://attack.mitre.org/mitigations/M1054"><span style="font-size: 10pt; font-family: Arial, sans-serif; color: rgb(79, 124, 172); font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; font-variant-position: normal; vertical-align: baseline;">M1054</span></a></p></td><td style="border-width: 0.75pt; border-style: solid; border-color: rgb(223, 223, 223); vertical-align: top; padding: 5pt; overflow: hidden; overflow-wrap: break-word;"><p style="line-height:1.38;margin-top:0pt;margin-bottom:0pt;"><a href="https://attack.mitre.org/mitigations/M1054"><span style="font-size: 10pt; font-family: Arial, sans-serif; color: rgb(79, 124, 172); font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; font-variant-position: normal; vertical-align: baseline;">Software Configuration</span></a></p></td><td style="border-width: 0.75pt; border-style: solid; border-color: rgb(223, 223, 223); vertical-align: top; padding: 5pt; overflow: hidden; overflow-wrap: break-word;"><p style="line-height:1.38;margin-top:0pt;margin-bottom:0pt;"><span style="font-size: 10pt; font-family: Arial, sans-serif; color: rgb(33, 37, 41); font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; font-variant-position: normal; vertical-align: baseline;">Use anti-spoofing and email authentication mechanisms to filter messages based on validity checks of the sender domain (using SPF) and integrity of messages (using DKIM). 
Enabling these mechanisms within an organization (through policies such as DMARC) may enable recipients (intra-org and cross domain) to perform similar message filtering and validation.</span><a href="https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/anti-spoofing-protection?view=o365-worldwide"><span style="font-size: 7pt; font-family: Arial, sans-serif; color: rgb(79, 124, 172); font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; font-variant-position: normal; vertical-align: baseline;">[14]</span></a><a href="https://www.cyber.gov.au/sites/default/files/2019-03/spoof_email_sender_policy_framework.pdf"><span style="font-size: 7pt; font-family: Arial, sans-serif; color: rgb(79, 124, 172); font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; font-variant-position: normal; vertical-align: baseline;">[15]</span></a></p></td></tr><tr style="height:42.25pt;"><td style="border-width: 0.75pt; border-style: solid; border-color: rgb(223, 223, 223); vertical-align: top; padding: 5pt; overflow: hidden; overflow-wrap: break-word;"><p style="line-height:1.38;margin-top:0pt;margin-bottom:0pt;"><a href="https://attack.mitre.org/mitigations/M1017"><span style="font-size: 10pt; font-family: Arial, sans-serif; color: rgb(79, 124, 172); font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; font-variant-position: normal; vertical-align: baseline;">M1017</span></a></p></td><td style="border-width: 0.75pt; border-style: solid; border-color: rgb(223, 223, 223); vertical-align: top; padding: 5pt; overflow: hidden; overflow-wrap: break-word;"><p style="line-height:1.38;margin-top:0pt;margin-bottom:0pt;"><a href="https://attack.mitre.org/mitigations/M1017"><span style="font-size: 10pt; font-family: Arial, sans-serif; color: rgb(79, 124, 172); font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; 
font-variant-position: normal; vertical-align: baseline;">User Training</span></a></p></td><td style="border-width: 0.75pt; border-style: solid; border-color: rgb(223, 223, 223); vertical-align: top; padding: 5pt; overflow: hidden; overflow-wrap: break-word;"><p style="line-height:1.38;margin-top:0pt;margin-bottom:0pt;"><span style="font-size: 10pt; font-family: Arial, sans-serif; color: rgb(33, 37, 41); font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; font-variant-position: normal; vertical-align: baseline;">Users can be trained to identify social engineering techniques and phishing emails.</span></p></td></tr></tbody></table></div><br><br><p style="line-height:1.38;margin-top:0pt;margin-bottom:0pt;"><span style="font-size: 10pt; font-family: Arial, sans-serif; color: rgb(33, 37, 41); font-weight: 700; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; font-variant-position: normal; vertical-align: baseline;">T1055 - Process Injection</span></p><br><div style="margin-left:0pt;" align="left"><table style="border:none;border-collapse:collapse;"><colgroup><col><col><col></colgroup><thead><tr style="height:37.75pt;"><th style="border-width: 0.75pt 0.75pt 1.5pt; border-style: solid; border-color: rgb(223, 223, 223) rgb(223, 223, 223) rgb(222, 226, 230); vertical-align: bottom; padding: 5pt; overflow: hidden; overflow-wrap: break-word;"><p style="line-height: 1.38; margin-top: 0pt; margin-bottom: 0pt;"><span style="font-size: 10pt; font-family: Arial, sans-serif; color: rgb(33, 37, 41); font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; font-variant-position: normal; vertical-align: baseline;">ID</span></p></th><th style="border-width: 0.75pt 0.75pt 1.5pt; border-style: solid; border-color: rgb(223, 223, 223) rgb(223, 223, 223) rgb(222, 226, 230); vertical-align: bottom; padding: 5pt; overflow: hidden; overflow-wrap: break-word;"><p 
style="line-height: 1.38; margin-top: 0pt; margin-bottom: 0pt;"><span style="font-size: 10pt; font-family: Arial, sans-serif; color: rgb(33, 37, 41); font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; font-variant-position: normal; vertical-align: baseline;">Mitigation</span></p></th><th style="border-width: 0.75pt 0.75pt 1.5pt; border-style: solid; border-color: rgb(223, 223, 223) rgb(223, 223, 223) rgb(222, 226, 230); vertical-align: bottom; padding: 5pt; overflow: hidden; overflow-wrap: break-word;"><p style="line-height: 1.38; margin-top: 0pt; margin-bottom: 0pt;"><span style="font-size: 10pt; font-family: Arial, sans-serif; color: rgb(33, 37, 41); font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; font-variant-position: normal; vertical-align: baseline;">Description</span></p></th></tr></thead><tbody><tr style="height:56.5pt;"><td style="border-width: 1.5pt 0.75pt 0.75pt; border-style: solid; border-color: rgb(222, 226, 230) rgb(223, 223, 223) rgb(223, 223, 223); vertical-align: top; padding: 5pt; overflow: hidden; overflow-wrap: break-word;"><p style="line-height:1.38;margin-top:0pt;margin-bottom:0pt;"><a href="https://attack.mitre.org/mitigations/M1040"><span style="font-size: 10pt; font-family: Arial, sans-serif; color: rgb(79, 124, 172); font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; font-variant-position: normal; vertical-align: baseline;">M1040</span></a></p></td><td style="border-width: 1.5pt 0.75pt 0.75pt; border-style: solid; border-color: rgb(222, 226, 230) rgb(223, 223, 223) rgb(223, 223, 223); vertical-align: top; padding: 5pt; overflow: hidden; overflow-wrap: break-word;"><p style="line-height:1.38;margin-top:0pt;margin-bottom:0pt;"><a href="https://attack.mitre.org/mitigations/M1040"><span style="font-size: 10pt; font-family: Arial, sans-serif; color: rgb(79, 124, 172); 
font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; font-variant-position: normal; vertical-align: baseline;">Behavior Prevention on Endpoint</span></a></p></td><td style="border-width: 1.5pt 0.75pt 0.75pt; border-style: solid; border-color: rgb(222, 226, 230) rgb(223, 223, 223) rgb(223, 223, 223); vertical-align: top; padding: 5pt; overflow: hidden; overflow-wrap: break-word;"><p style="line-height:1.38;margin-top:0pt;margin-bottom:0pt;"><span style="font-size: 10pt; font-family: Arial, sans-serif; color: rgb(33, 37, 41); font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; font-variant-position: normal; vertical-align: baseline;">Some endpoint security solutions can be configured to block some types of process injection based on common sequences of behavior that occur during the injection process. For example, on Windows 10, Attack Surface Reduction (ASR) rules may prevent Office applications from code injection. 
</span><a href="https://docs.microsoft.com/microsoft-365/security/defender-endpoint/attack-surface-reduction"><span style="font-size: 7pt; font-family: Arial, sans-serif; color: rgb(79, 124, 172); font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; font-variant-position: normal; vertical-align: baseline;">[85]</span></a></p></td></tr><tr style="height:69.25pt;"><td style="border-width: 0.75pt; border-style: solid; border-color: rgb(223, 223, 223); vertical-align: top; padding: 5pt; overflow: hidden; overflow-wrap: break-word;"><p style="line-height:1.38;margin-top:0pt;margin-bottom:0pt;"><a href="https://attack.mitre.org/mitigations/M1026"><span style="font-size: 10pt; font-family: Arial, sans-serif; color: rgb(79, 124, 172); font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; font-variant-position: normal; vertical-align: baseline;">M1026</span></a></p></td><td style="border-width: 0.75pt; border-style: solid; border-color: rgb(223, 223, 223); vertical-align: top; padding: 5pt; overflow: hidden; overflow-wrap: break-word;"><p style="line-height:1.38;margin-top:0pt;margin-bottom:0pt;"><a href="https://attack.mitre.org/mitigations/M1026"><span style="font-size: 10pt; font-family: Arial, sans-serif; color: rgb(79, 124, 172); font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; font-variant-position: normal; vertical-align: baseline;">Privileged Account Management</span></a></p></td><td style="border-width: 0.75pt; border-style: solid; border-color: rgb(223, 223, 223); vertical-align: top; padding: 5pt; overflow: hidden; overflow-wrap: break-word;"><p style="line-height:1.38;margin-top:0pt;margin-bottom:0pt;"><span style="font-size: 10pt; font-family: Arial, sans-serif; color: rgb(33, 37, 41); font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; 
font-variant-position: normal; vertical-align: baseline;">Utilize Yama (ex: /proc/sys/kernel/yama/ptrace_scope) to mitigate ptrace based process injection by restricting the use of ptrace to privileged users only. Other mitigation controls involve the deployment of security kernel modules that provide advanced access control and process restrictions such as SELinux, grsecurity, and AppArmor.</span></p></td></tr></tbody></table></div><br><br><p style="line-height:1.38;margin-top:0pt;margin-bottom:0pt;"><span style="font-size: 10pt; font-family: Arial, sans-serif; color: rgb(33, 37, 41); font-weight: 700; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; font-variant-position: normal; vertical-align: baseline;">T1574 - Hijack Execution Flow</span></p><br><div style="margin-left:0pt;" align="left"><table style="border:none;border-collapse:collapse;"><colgroup><col><col><col></colgroup><tbody><tr style="height:37.75pt;"><td style="border-width: 0.75pt 0.75pt 1.5pt; border-style: solid; border-color: rgb(223, 223, 223) rgb(223, 223, 223) rgb(222, 226, 230); vertical-align: bottom; padding: 5pt; overflow: hidden; overflow-wrap: break-word;"><p style="line-height:1.38;text-align: center;margin-top:0pt;margin-bottom:0pt;"><span style="font-size: 10pt; font-family: Arial, sans-serif; color: rgb(33, 37, 41); font-weight: 700; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; font-variant-position: normal; vertical-align: baseline;">ID</span></p></td><td style="border-width: 0.75pt 0.75pt 1.5pt; border-style: solid; border-color: rgb(223, 223, 223) rgb(223, 223, 223) rgb(222, 226, 230); vertical-align: bottom; padding: 5pt; overflow: hidden; overflow-wrap: break-word;"><p style="line-height:1.38;text-align: center;margin-top:0pt;margin-bottom:0pt;"><span style="font-size: 10pt; font-family: Arial, sans-serif; color: rgb(33, 37, 41); font-weight: 700; font-variant-numeric: normal; 
font-variant-east-asian: normal; font-variant-alternates: normal; font-variant-position: normal; vertical-align: baseline;">Mitigation</span></p></td><td style="border-width: 0.75pt 0.75pt 1.5pt; border-style: solid; border-color: rgb(223, 223, 223) rgb(223, 223, 223) rgb(222, 226, 230); vertical-align: bottom; padding: 5pt; overflow: hidden; overflow-wrap: break-word;"><p style="line-height:1.38;text-align: center;margin-top:0pt;margin-bottom:0pt;"><span style="font-size: 10pt; font-family: Arial, sans-serif; color: rgb(33, 37, 41); font-weight: 700; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; font-variant-position: normal; vertical-align: baseline;">Description</span></p></td></tr><tr style="height:70pt;"><td style="border-width: 1.5pt 0.75pt 0.75pt; border-style: solid; border-color: rgb(222, 226, 230) rgb(223, 223, 223) rgb(223, 223, 223); vertical-align: top; padding: 5pt; overflow: hidden; overflow-wrap: break-word;"><p style="line-height:1.38;margin-top:0pt;margin-bottom:0pt;"><a href="https://attack.mitre.org/mitigations/M1013"><span style="font-size: 10pt; font-family: Arial, sans-serif; color: rgb(79, 124, 172); font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; font-variant-position: normal; vertical-align: baseline;">M1013</span></a></p></td><td style="border-width: 1.5pt 0.75pt 0.75pt; border-style: solid; border-color: rgb(222, 226, 230) rgb(223, 223, 223) rgb(223, 223, 223); vertical-align: top; padding: 5pt; overflow: hidden; overflow-wrap: break-word;"><p style="line-height:1.38;margin-top:0pt;margin-bottom:0pt;"><a href="https://attack.mitre.org/mitigations/M1013"><span style="font-size: 10pt; font-family: Arial, sans-serif; color: rgb(79, 124, 172); font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; font-variant-position: normal; vertical-align: baseline;">Application Developer 
Guidance</span></a></p></td><td style="border-width: 1.5pt 0.75pt 0.75pt; border-style: solid; border-color: rgb(222, 226, 230) rgb(223, 223, 223) rgb(223, 223, 223); vertical-align: top; padding: 5pt; overflow: hidden; overflow-wrap: break-word;"><p style="line-height:1.38;margin-top:0pt;margin-bottom:0pt;"><span style="font-size: 10pt; font-family: Arial, sans-serif; color: rgb(33, 37, 41); font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; font-variant-position: normal; vertical-align: baseline;">When possible, include hash values in manifest files to help prevent side-loading of malicious libraries.</span><a href="https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/rpt-dll-sideloading.pdf"><span style="font-size: 7pt; font-family: Arial, sans-serif; color: rgb(79, 124, 172); font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; font-variant-position: normal; vertical-align: baseline;">[7]</span></a></p></td></tr><tr style="height:186.25pt;"><td style="border-width: 0.75pt; border-style: solid; border-color: rgb(223, 223, 223); vertical-align: top; padding: 5pt; overflow: hidden; overflow-wrap: break-word;"><p style="line-height:1.38;margin-top:0pt;margin-bottom:0pt;"><a href="https://attack.mitre.org/mitigations/M1047"><span style="font-size: 10pt; font-family: Arial, sans-serif; color: rgb(79, 124, 172); font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; font-variant-position: normal; vertical-align: baseline;">M1047</span></a></p></td><td style="border-width: 0.75pt; border-style: solid; border-color: rgb(223, 223, 223); vertical-align: top; padding: 5pt; overflow: hidden; overflow-wrap: break-word;"><p style="line-height:1.38;margin-top:0pt;margin-bottom:0pt;"><a href="https://attack.mitre.org/mitigations/M1047"><span style="font-size: 10pt; font-family: Arial, sans-serif; color: rgb(79, 124, 172); 
font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; font-variant-position: normal; vertical-align: baseline;">Audit</span></a></p></td><td style="border-width: 0.75pt; border-style: solid; border-color: rgb(223, 223, 223); vertical-align: top; padding: 5pt; overflow: hidden; overflow-wrap: break-word;"><p style="line-height:1.38;margin-top:0pt;margin-bottom:12pt;"><span style="font-size: 10pt; font-family: Arial, sans-serif; color: rgb(33, 37, 41); font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; font-variant-position: normal; vertical-align: baseline;">Use auditing tools capable of detecting hijacking opportunities on systems within an enterprise and correct them. Toolkits like the PowerSploit framework contain PowerUp modules that can be used to explore systems for hijacking weaknesses.</span><a href="https://github.com/mattifestation/PowerSploit"><span style="font-size: 7pt; font-family: Arial, sans-serif; color: rgb(79, 124, 172); font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; font-variant-position: normal; vertical-align: baseline;">[8]</span></a></p><p style="line-height:1.38;margin-top:0pt;margin-bottom:12pt;"><span style="font-size: 10pt; font-family: Arial, sans-serif; color: rgb(33, 37, 41); font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; font-variant-position: normal; vertical-align: baseline;">Use the program sxstrace.exe that is included with Windows along with manual inspection to check manifest files for side-loading vulnerabilities in software.</span></p><p style="line-height:1.38;margin-top:0pt;margin-bottom:12pt;"><span style="font-size: 10pt; font-family: Arial, sans-serif; color: rgb(33, 37, 41); font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; font-variant-position: normal; vertical-align: baseline;">Find and 
eliminate path interception weaknesses in program configuration files, scripts, the PATH environment variable, services, and in shortcuts by surrounding PATH variables with quotation marks when functions allow for them. Be aware of the search order Windows uses for executing or loading binaries and use fully qualified paths wherever appropriate.</span></p><p style="line-height:1.38;margin-top:0pt;margin-bottom:0pt;"><span style="font-size: 10pt; font-family: Arial, sans-serif; color: rgb(33, 37, 41); font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; font-variant-position: normal; vertical-align: baseline;">Clean up old Windows Registry keys when software is uninstalled to avoid keys with no associated legitimate binaries. Periodically search for and correct or report path interception weaknesses on systems that may have been introduced using custom or available tools that report software using insecure path configurations.</span><a href="http://msdn.microsoft.com/en-us/library/ms682425"><span style="font-size: 7pt; font-family: Arial, sans-serif; color: rgb(79, 124, 172); font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; font-variant-position: normal; vertical-align: baseline;">[9]</span></a><a href="https://docs.microsoft.com/en-us/windows/win32/dlls/dynamic-link-library-security?redirectedfrom=MSDN"><span style="font-size: 7pt; font-family: Arial, sans-serif; color: rgb(79, 124, 172); font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; font-variant-position: normal; vertical-align: baseline;">[10]</span></a><a href="https://skanthak.homepage.t-online.de/sentinel.html"><span style="font-size: 7pt; font-family: Arial, sans-serif; color: rgb(79, 124, 172); font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; font-variant-position: normal; vertical-align: 
baseline;">[11]</span></a></p></td></tr><tr style="height:69.25pt;"><td style="border-width: 0.75pt; border-style: solid; border-color: rgb(223, 223, 223); vertical-align: top; padding: 5pt; overflow: hidden; overflow-wrap: break-word;"><p style="line-height:1.38;margin-top:0pt;margin-bottom:0pt;"><a href="https://attack.mitre.org/mitigations/M1040"><span style="font-size: 10pt; font-family: Arial, sans-serif; color: rgb(79, 124, 172); font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; font-variant-position: normal; vertical-align: baseline;">M1040</span></a></p></td><td style="border-width: 0.75pt; border-style: solid; border-color: rgb(223, 223, 223); vertical-align: top; padding: 5pt; overflow: hidden; overflow-wrap: break-word;"><p style="line-height:1.38;margin-top:0pt;margin-bottom:0pt;"><a href="https://attack.mitre.org/mitigations/M1040"><span style="font-size: 10pt; font-family: Arial, sans-serif; color: rgb(79, 124, 172); font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; font-variant-position: normal; vertical-align: baseline;">Behavior Prevention on Endpoint</span></a></p></td><td style="border-width: 0.75pt; border-style: solid; border-color: rgb(223, 223, 223); vertical-align: top; padding: 5pt; overflow: hidden; overflow-wrap: break-word;"><p style="line-height:1.38;margin-top:0pt;margin-bottom:0pt;"><span style="font-size: 10pt; font-family: Arial, sans-serif; color: rgb(33, 37, 41); font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; font-variant-position: normal; vertical-align: baseline;">Some endpoint security solutions can be configured to block some types of behaviors related to process injection/memory tampering based on common sequences of indicators (ex: execution of specific API functions).</span></p></td></tr><tr style="height:55.75pt;"><td style="border-width: 0.75pt; border-style: solid; border-color: 
rgb(223, 223, 223); vertical-align: top; padding: 5pt; overflow: hidden; overflow-wrap: break-word;"><p style="line-height:1.38;margin-top:0pt;margin-bottom:0pt;"><a href="https://attack.mitre.org/mitigations/M1038"><span style="font-size: 10pt; font-family: Arial, sans-serif; color: rgb(79, 124, 172); font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; font-variant-position: normal; vertical-align: baseline;">M1038</span></a></p></td><td style="border-width: 0.75pt; border-style: solid; border-color: rgb(223, 223, 223); vertical-align: top; padding: 5pt; overflow: hidden; overflow-wrap: break-word;"><p style="line-height:1.38;margin-top:0pt;margin-bottom:0pt;"><a href="https://attack.mitre.org/mitigations/M1038"><span style="font-size: 10pt; font-family: Arial, sans-serif; color: rgb(79, 124, 172); font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; font-variant-position: normal; vertical-align: baseline;">Execution Prevention</span></a></p></td><td style="border-width: 0.75pt; border-style: solid; border-color: rgb(223, 223, 223); vertical-align: top; padding: 5pt; overflow: hidden; overflow-wrap: break-word;"><p style="line-height:1.38;margin-top:0pt;margin-bottom:0pt;"><span style="font-size: 10pt; font-family: Arial, sans-serif; color: rgb(33, 37, 41); font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; font-variant-position: normal; vertical-align: baseline;">Adversaries may use new payloads to execute this technique. 
Identify and block potentially malicious software executed through hijacking by using application control solutions also capable of blocking libraries loaded by legitimate software.</span></p></td></tr><tr style="height:69.25pt;"><td style="border-width: 0.75pt; border-style: solid; border-color: rgb(223, 223, 223); vertical-align: top; padding: 5pt; overflow: hidden; overflow-wrap: break-word;"><p style="line-height:1.38;margin-top:0pt;margin-bottom:0pt;"><a href="https://attack.mitre.org/mitigations/M1022"><span style="font-size: 10pt; font-family: Arial, sans-serif; color: rgb(79, 124, 172); font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; font-variant-position: normal; vertical-align: baseline;">M1022</span></a></p></td><td style="border-width: 0.75pt; border-style: solid; border-color: rgb(223, 223, 223); vertical-align: top; padding: 5pt; overflow: hidden; overflow-wrap: break-word;"><p style="line-height:1.38;margin-top:0pt;margin-bottom:0pt;"><a href="https://attack.mitre.org/mitigations/M1022"><span style="font-size: 10pt; font-family: Arial, sans-serif; color: rgb(79, 124, 172); font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; font-variant-position: normal; vertical-align: baseline;">Restrict File and Directory Permissions</span></a></p></td><td style="border-width: 0.75pt; border-style: solid; border-color: rgb(223, 223, 223); vertical-align: top; padding: 5pt; overflow: hidden; overflow-wrap: break-word;"><p style="line-height:1.38;margin-top:0pt;margin-bottom:0pt;"><span style="font-size: 10pt; font-family: Arial, sans-serif; color: rgb(33, 37, 41); font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; font-variant-position: normal; vertical-align: baseline;">Install software in write-protected locations. 
Set directory access controls to prevent file writes to the search paths for applications, both in the folders where applications are run from and the standard library folders.</span></p></td></tr><tr style="height:133.75pt;"><td style="border-width: 0.75pt; border-style: solid; border-color: rgb(223, 223, 223); vertical-align: top; padding: 5pt; overflow: hidden; overflow-wrap: break-word;"><p style="line-height:1.38;margin-top:0pt;margin-bottom:0pt;"><a href="https://attack.mitre.org/mitigations/M1044"><span style="font-size: 10pt; font-family: Arial, sans-serif; color: rgb(79, 124, 172); font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; font-variant-position: normal; vertical-align: baseline;">M1044</span></a></p></td><td style="border-width: 0.75pt; border-style: solid; border-color: rgb(223, 223, 223); vertical-align: top; padding: 5pt; overflow: hidden; overflow-wrap: break-word;"><p style="line-height:1.38;margin-top:0pt;margin-bottom:0pt;"><a href="https://attack.mitre.org/mitigations/M1044"><span style="font-size: 10pt; font-family: Arial, sans-serif; color: rgb(79, 124, 172); font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; font-variant-position: normal; vertical-align: baseline;">Restrict Library Loading</span></a></p></td><td style="border-width: 0.75pt; border-style: solid; border-color: rgb(223, 223, 223); vertical-align: top; padding: 5pt; overflow: hidden; overflow-wrap: break-word;"><p style="line-height:1.38;margin-top:0pt;margin-bottom:12pt;"><span style="font-size: 10pt; font-family: Arial, sans-serif; color: rgb(33, 37, 41); font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; font-variant-position: normal; vertical-align: baseline;">Disallow loading of remote DLLs. 
This is included by default in Windows Server 2012+ and is available by patch for XP+ and Server 2003+.</span></p><p style="line-height:1.38;margin-top:0pt;margin-bottom:12pt;"><span style="font-size: 10pt; font-family: Arial, sans-serif; color: rgb(33, 37, 41); font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; font-variant-position: normal; vertical-align: baseline;">Enable Safe DLL Search Mode to force the search for system DLLs in directories with greater restrictions (e.g. </span><span style="font-size: 8.5pt; font-family: &quot; color: rgb(28, 34, 38); background-color: rgb(230, 230, 230); font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; font-variant-position: normal; vertical-align: baseline;">%SYSTEMROOT%</span><span style="font-size: 10pt; font-family: Arial, sans-serif; color: rgb(33, 37, 41); font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; font-variant-position: normal; vertical-align: baseline;">) to be used before local directory DLLs (e.g. a user's home directory).</span></p><p style="line-height:1.38;margin-top:0pt;margin-bottom:0pt;"><span style="font-size: 10pt; font-family: Arial, sans-serif; color: rgb(33, 37, 41); font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; font-variant-position: normal; vertical-align: baseline;">The Safe DLL Search Mode can be enabled via Group Policy at Computer Configuration &gt; [Policies] &gt; Administrative Templates &gt; MSS (Legacy): MSS: (SafeDllSearchMode) Enable Safe DLL search mode. 
The associated Windows Registry key for this is located at </span><span style="font-size: 8.5pt; font-family: &quot; color: rgb(28, 34, 38); background-color: rgb(230, 230, 230); font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; font-variant-position: normal; vertical-align: baseline;">HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\SafeDLLSearchMode</span><a href="https://msrc-blog.microsoft.com/2010/08/23/more-information-about-the-dll-preloading-remote-attack-vector/"><span style="font-size: 7pt; font-family: Arial, sans-serif; color: rgb(79, 124, 172); font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; font-variant-position: normal; vertical-align: baseline;">[12]</span></a><a href="https://docs.microsoft.com/en-us/windows/win32/dlls/dynamic-link-library-search-order?redirectedfrom=MSDN"><span style="font-size: 7pt; font-family: Arial, sans-serif; color: rgb(79, 124, 172); font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; font-variant-position: normal; vertical-align: baseline;">[13]</span></a></p></td></tr><tr style="height:55.75pt;"><td style="border-width: 0.75pt; border-style: solid; border-color: rgb(223, 223, 223); vertical-align: top; padding: 5pt; overflow: hidden; overflow-wrap: break-word;"><p style="line-height:1.38;margin-top:0pt;margin-bottom:0pt;"><a href="https://attack.mitre.org/mitigations/M1024"><span style="font-size: 10pt; font-family: Arial, sans-serif; color: rgb(79, 124, 172); font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; font-variant-position: normal; vertical-align: baseline;">M1024</span></a></p></td><td style="border-width: 0.75pt; border-style: solid; border-color: rgb(223, 223, 223); vertical-align: top; padding: 5pt; overflow: hidden; overflow-wrap: break-word;"><p style="line-height:1.38;margin-top:0pt;margin-bottom:0pt;"><a 
href="https://attack.mitre.org/mitigations/M1024"><span style="font-size: 10pt; font-family: Arial, sans-serif; color: rgb(79, 124, 172); font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; font-variant-position: normal; vertical-align: baseline;">Restrict Registry Permissions</span></a></p></td><td style="border-width: 0.75pt; border-style: solid; border-color: rgb(223, 223, 223); vertical-align: top; padding: 5pt; overflow: hidden; overflow-wrap: break-word;"><p style="line-height:1.38;margin-top:0pt;margin-bottom:0pt;"><span style="font-size: 10pt; font-family: Arial, sans-serif; color: rgb(33, 37, 41); font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; font-variant-position: normal; vertical-align: baseline;">Ensure proper permissions are set for Registry hives to prevent users from modifying keys for system components that may lead to privilege escalation.</span></p></td></tr><tr style="height:42.25pt;"><td style="border-width: 0.75pt; border-style: solid; border-color: rgb(223, 223, 223); vertical-align: top; padding: 5pt; overflow: hidden; overflow-wrap: break-word;"><p style="line-height:1.38;margin-top:0pt;margin-bottom:0pt;"><a href="https://attack.mitre.org/mitigations/M1051"><span style="font-size: 10pt; font-family: Arial, sans-serif; color: rgb(79, 124, 172); font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; font-variant-position: normal; vertical-align: baseline;">M1051</span></a></p></td><td style="border-width: 0.75pt; border-style: solid; border-color: rgb(223, 223, 223); vertical-align: top; padding: 5pt; overflow: hidden; overflow-wrap: break-word;"><p style="line-height:1.38;margin-top:0pt;margin-bottom:0pt;"><a href="https://attack.mitre.org/mitigations/M1051"><span style="font-size: 10pt; font-family: Arial, sans-serif; color: rgb(79, 124, 172); font-variant-numeric: normal; font-variant-east-asian: normal; 
font-variant-alternates: normal; font-variant-position: normal; vertical-align: baseline;">Update Software</span></a></p></td><td style="border-width: 0.75pt; border-style: solid; border-color: rgb(223, 223, 223); vertical-align: top; padding: 5pt; overflow: hidden; overflow-wrap: break-word;"><p style="line-height:1.38;margin-top:0pt;margin-bottom:0pt;"><span style="font-size: 10pt; font-family: Arial, sans-serif; color: rgb(33, 37, 41); font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; font-variant-position: normal; vertical-align: baseline;">Update software regularly to include patches that fix DLL side-loading vulnerabilities.</span></p></td></tr><tr style="height:96.25pt;"><td style="border-width: 0.75pt; border-style: solid; border-color: rgb(223, 223, 223); vertical-align: top; padding: 5pt; overflow: hidden; overflow-wrap: break-word;"><p style="line-height:1.38;margin-top:0pt;margin-bottom:0pt;"><a href="https://attack.mitre.org/mitigations/M1052"><span style="font-size: 10pt; font-family: Arial, sans-serif; color: rgb(79, 124, 172); font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; font-variant-position: normal; vertical-align: baseline;">M1052</span></a></p></td><td style="border-width: 0.75pt; border-style: solid; border-color: rgb(223, 223, 223); vertical-align: top; padding: 5pt; overflow: hidden; overflow-wrap: break-word;"><p style="line-height:1.38;margin-top:0pt;margin-bottom:0pt;"><a href="https://attack.mitre.org/mitigations/M1052"><span style="font-size: 10pt; font-family: Arial, sans-serif; color: rgb(79, 124, 172); font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; font-variant-position: normal; vertical-align: baseline;">User Account Control</span></a></p></td><td style="border-width: 0.75pt; border-style: solid; border-color: rgb(223, 223, 223); vertical-align: top; padding: 5pt; overflow: hidden; 
overflow-wrap: break-word;"><p style="line-height:1.38;margin-top:0pt;margin-bottom:0pt;"><span style="font-size: 10pt; font-family: Arial, sans-serif; color: rgb(33, 37, 41); font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; font-variant-position: normal; vertical-align: baseline;">Turn off UAC's privilege elevation for standard users. To automatically deny elevation requests, add the following under </span><span style="font-size: 10pt; font-family: &quot; color: rgb(28, 34, 38); background-color: rgb(230, 230, 230); font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; font-variant-position: normal; vertical-align: baseline;">[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System]</span><span style="font-size: 10pt; font-family: Arial, sans-serif; color: rgb(33, 37, 41); font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; font-variant-position: normal; vertical-align: baseline;">: </span><span style="font-size: 10pt; font-family: &quot; color: rgb(28, 34, 38); background-color: rgb(230, 230, 230); font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; font-variant-position: normal; vertical-align: baseline;">"ConsentPromptBehaviorUser"=dword:00000000</span><span style="font-size: 10pt; font-family: Arial, sans-serif; color: rgb(33, 37, 41); font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; font-variant-position: normal; vertical-align: baseline;">. 
Consider enabling installer detection for all users by adding: </span><span style="font-size: 10pt; font-family: &quot; color: rgb(28, 34, 38); background-color: rgb(230, 230, 230); font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; font-variant-position: normal; vertical-align: baseline;">"EnableInstallerDetection"=dword:00000001</span><span style="font-size: 10pt; font-family: Arial, sans-serif; color: rgb(33, 37, 41); font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; font-variant-position: normal; vertical-align: baseline;">. This will prompt for a password for installation and also log the attempt. To disable installer detection, instead add: </span><span style="font-size: 10pt; font-family: &quot; color: rgb(28, 34, 38); background-color: rgb(230, 230, 230); font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; font-variant-position: normal; vertical-align: baseline;">"EnableInstallerDetection"=dword:00000000</span><span style="font-size: 10pt; font-family: Arial, sans-serif; color: rgb(33, 37, 41); font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; font-variant-position: normal; vertical-align: baseline;">. This may prevent potential elevation of privileges through exploitation during the process of UAC detecting the installer, but will allow the installation process to continue without being logged. 
</span><a href="https://seclists.org/fulldisclosure/2015/Dec/34"><span style="font-size: 10pt; font-family: Arial, sans-serif; color: rgb(79, 124, 172); font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; font-variant-position: normal; vertical-align: baseline;">[14]</span></a></p></td></tr><tr style="height:94.75pt;"><td style="border-width: 0.75pt; border-style: solid; border-color: rgb(223, 223, 223); vertical-align: top; padding: 5pt; overflow: hidden; overflow-wrap: break-word;"><p style="line-height:1.38;margin-top:0pt;margin-bottom:0pt;"><a href="https://attack.mitre.org/mitigations/M1018"><span style="font-size: 10pt; font-family: Arial, sans-serif; color: rgb(79, 124, 172); font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; font-variant-position: normal; vertical-align: baseline;">M1018</span></a></p></td><td style="border-width: 0.75pt; border-style: solid; border-color: rgb(223, 223, 223); vertical-align: top; padding: 5pt; overflow: hidden; overflow-wrap: break-word;"><p style="line-height:1.38;margin-top:0pt;margin-bottom:0pt;"><a href="https://attack.mitre.org/mitigations/M1018"><span style="font-size: 10pt; font-family: Arial, sans-serif; color: rgb(79, 124, 172); font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; font-variant-position: normal; vertical-align: baseline;">User Account Management</span></a></p></td><td style="border-width: 0.75pt; border-style: solid; border-color: rgb(223, 223, 223); vertical-align: top; padding: 5pt; overflow: hidden; overflow-wrap: break-word;"><p style="line-height:1.38;margin-top:0pt;margin-bottom:12pt;"><span style="font-size: 10pt; font-family: Arial, sans-serif; color: rgb(33, 37, 41); font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; font-variant-position: normal; vertical-align: baseline;">Limit privileges of user accounts and 
groups so that only authorized administrators can interact with service changes and service binary target path locations. Deny execution from user directories such as file download directories and temp directories where able.</span></p><p style="line-height:1.38;margin-top:0pt;margin-bottom:0pt;"><span style="font-size: 10pt; font-family: Arial, sans-serif; color: rgb(33, 37, 41); font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; font-variant-position: normal; vertical-align: baseline;">Ensure that proper permissions and directory access control are set to deny users the ability to write files to the top-level directory </span><span style="font-size: 10pt; font-family: &quot; color: rgb(28, 34, 38); background-color: rgb(230, 230, 230); font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; font-variant-position: normal; vertical-align: baseline;">C:</span><span style="font-size: 10pt; font-family: Arial, sans-serif; color: rgb(33, 37, 41); font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; font-variant-position: normal; vertical-align: baseline;"> and system directories, such as </span><span style="font-size: 10pt; font-family: &quot; color: rgb(28, 34, 38); background-color: rgb(230, 230, 230); font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; font-variant-position: normal; vertical-align: baseline;">C:\Windows\</span><span style="font-size: 10pt; font-family: Arial, sans-serif; color: rgb(33, 37, 41); font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; font-variant-position: normal; vertical-align: baseline;">, to reduce places where malicious files could be placed for execution.</span></p></td></tr></tbody></table></div></span></div>
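<p>As an added example (not code from this page or from MITRE), the following PowerShell script audits a Windows host against the registry and permission mitigations in the T1574 table above: SafeDllSearchMode (M1044), the two UAC values (M1052), unquoted service binary paths (M1047) and user-writable application directories (M1022). The function names and the <code>$appDirs</code> list are assumptions; the registry keys and values are the ones the table names.</p>

```powershell
# Added example, not code from the page or from MITRE: a read-only audit of
# the Windows mitigations in the T1574 table. Registry keys and values are the
# ones the table names; the service-path and directory-ACL checks implement
# the M1047 and M1022 advice. Run from an elevated PowerShell session.

function Get-RegistryValueOrNull {
    param([string]$Path, [string]$Name)
    try {
        return (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name
    } catch {
        return $null   # value absent, so Windows applies its built-in default
    }
}

function Test-SafeDllSearchMode {
    # M1044: with the value absent, supported Windows versions default to safe
    # search mode; an explicit 0 turns it off and is the finding to report.
    $v = Get-RegistryValueOrNull 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager' 'SafeDllSearchMode'
    [pscustomobject]@{
        Check  = 'SafeDllSearchMode (M1044)'
        Value  = $(if ($null -eq $v) { '<absent: default on>' } else { $v })
        Status = $(if ($v -eq 0) { 'FAIL' } else { 'OK' })
    }
}

function Test-UacSettings {
    # M1052: ConsentPromptBehaviorUser=0 auto-denies standard-user elevation;
    # EnableInstallerDetection=1 makes installer launches prompt and get logged.
    $key  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $cpbu = Get-RegistryValueOrNull $key 'ConsentPromptBehaviorUser'
    $eid  = Get-RegistryValueOrNull $key 'EnableInstallerDetection'
    [pscustomobject]@{
        Check  = 'ConsentPromptBehaviorUser (M1052)'
        Value  = $cpbu
        Status = $(if ($cpbu -eq 0) { 'OK' } else { 'REVIEW' })
    }
    [pscustomobject]@{
        Check  = 'EnableInstallerDetection (M1052)'
        Value  = $eid
        Status = $(if ($eid -eq 1) { 'OK' } else { 'REVIEW' })
    }
}

function Test-UnquotedServicePaths {
    # M1047: a service binary path that contains spaces but is not quoted is a
    # path interception weakness; each one is reported so it can be corrected.
    Get-CimInstance -ClassName Win32_Service | ForEach-Object {
        $p = $_.PathName
        if (-not $p -or $p.StartsWith('"')) { return }   # quoted or empty: fine
        # keep only the executable part, dropping any arguments after .exe
        $bin = if ($p -match '^(.*?\.exe)') { $Matches[1] } else { $p }
        if ($bin -match '\s') {
            [pscustomobject]@{
                Check  = 'Unquoted service path (M1047)'
                Value  = "$($_.Name): $p"
                Status = 'FAIL'
            }
        }
    }
}

function Test-WritableAppDirectory {
    # M1022: if ordinary users can create files in an application directory,
    # the application's own folder is no longer a write-protected location.
    param([Parameter(Mandatory)][string]$Path)
    $writeMask = [int]([System.Security.AccessControl.FileSystemRights]::CreateFiles -bor
                       [System.Security.AccessControl.FileSystemRights]::WriteData -bor
                       [System.Security.AccessControl.FileSystemRights]::Write)
    $broad = @('BUILTIN\Users', 'NT AUTHORITY\Authenticated Users', 'Everyone')
    $hits = (Get-Acl -Path $Path).Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $broad -contains $_.IdentityReference.Value -and
        (([int]$_.FileSystemRights) -band $writeMask) -ne 0
    }
    # ACEs carrying generic rights (e.g. GENERIC_WRITE) are not decoded here.
    [pscustomobject]@{
        Check  = "Writable app directory (M1022): $Path"
        Value  = (($hits | ForEach-Object { $_.IdentityReference.Value }) -join ', ')
        Status = $(if ($hits) { 'FAIL' } else { 'OK' })
    }
}

# Directories to audit; $env:ProgramFiles is a constructed starting point, add
# the install locations of PDF readers and other software in your estate.
$appDirs = @($env:ProgramFiles)

$results = @(
    Test-SafeDllSearchMode
    Test-UacSettings
    Test-UnquotedServicePaths
    foreach ($d in $appDirs) { Test-WritableAppDirectory -Path $d }
)
$results | Format-Table -AutoSize -Wrap
```

A FAIL or REVIEW row maps directly to the mitigation ID in its Check column, so findings can be tracked against the table above.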