
Coordinated Credential Abuse Against Enterprise VPN and Email Security Gateways 2
A large-scale, automated campaign focused on abusing login credentials to access enterprise VPN authentication systems, specifically Cisco SSL VPN and Palo Alto Networks GlobalProtect. The operation relied on scripted authentication attempts instead of exploiting technical flaws in the platforms.
Notes
<p style="margin-top: 0pt; margin-bottom: 0pt; line-height: 1.38;"><span style="font-size: 11pt; font-family: Arial, sans-serif; color: rgb(33, 37, 41); font-weight: 700; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; font-variant-position: normal; vertical-align: baseline;">CONCLUSION</span></p><p style="margin-top: 12pt; margin-bottom: 12pt; line-height: 1.38;"><span style="font-size: 11pt; font-family: Arial, sans-serif; color: rgb(33, 37, 41); font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; font-variant-position: normal; vertical-align: baseline;">This campaign highlights a dual challenge for defenders. Attackers combine large-scale credential abuse on VPN gateways with focused attacks on email security appliances, gaining access through weak credentials and then hiding activity using tunnels and log manipulation, which makes detection harder.</span></p><p style="margin-top: 12pt; margin-bottom: 12pt; line-height: 1.38;"><span style="font-size: 11pt; font-family: Arial, sans-serif; color: rgb(33, 37, 41); font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; font-variant-position: normal; vertical-align: baseline;">SOCRadar can support SOC teams by bringing these signals together in one place. 
Its </span><span style="font-size: 11pt; font-family: Arial, sans-serif; color: rgb(17, 85, 204); font-weight: 700; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; font-variant-position: normal; text-decoration-line: underline; vertical-align: baseline;"><a href="https://socradar.io/">Threat Intelligence</a></span><span style="font-size: 11pt; font-family: Arial, sans-serif; color: rgb(33, 37, 41); font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; font-variant-position: normal; vertical-align: baseline;"> and </span><span style="font-size: 11pt; font-family: Arial, sans-serif; color: rgb(17, 85, 204); font-weight: 700; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; font-variant-position: normal; text-decoration-line: underline; vertical-align: baseline;"><a href="https://socradar.io/solutions/ioc-enrichment-soar-integration/">IOC enrichment</a></span><span style="font-size: 11pt; font-family: Arial, sans-serif; color: rgb(33, 37, 41); font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; font-variant-position: normal; vertical-align: baseline;"> integrations help teams quickly assess malicious IPs and indicators, while </span><a href="https://socradar.io/products/attack-surface-management/"><span style="font-size: 11pt; font-family: Arial, sans-serif; color: rgb(17, 85, 204); font-weight: 700; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; font-variant-position: normal; text-decoration-line: underline; vertical-align: baseline;">Attack Surface Management</span><span style="font-size: 11pt; font-family: Arial, sans-serif; color: rgb(17, 85, 204); font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; font-variant-position: normal; text-decoration-line: underline; vertical-align: baseline;"> 
</span></a><span style="font-size: 11pt; font-family: Arial, sans-serif; color: rgb(33, 37, 41); font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; font-variant-position: normal; vertical-align: baseline;">and </span><span style="font-size: 11pt; font-family: Arial, sans-serif; color: rgb(17, 85, 204); font-weight: 700; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; font-variant-position: normal; text-decoration-line: underline; vertical-align: baseline;"><a href="https://socradar.io/category/digital-risk-protection/">Digital Risk Protection</a></span><span style="font-size: 11pt; font-family: Arial, sans-serif; color: rgb(33, 37, 41); font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; font-variant-position: normal; vertical-align: baseline;"> help identify exposed VPN and gateway assets that match the attacker’s focus. The </span><span style="font-size: 11pt; font-family: Arial, sans-serif; color: rgb(17, 85, 204); font-weight: 700; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; font-variant-position: normal; text-decoration-line: underline; vertical-align: baseline;"><a href="https://socradar.io/incident-response/">Incident Response</a></span><span style="font-size: 11pt; font-family: Arial, sans-serif; color: rgb(33, 37, 41); font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; font-variant-position: normal; vertical-align: baseline;"> capabilities allow analysts to link abnormal login activity with follow-up behaviors such as tunneling or missing logs, enabling faster</span></p><div><span style="font-size: 11pt; font-family: Arial, sans-serif; color: rgb(33, 37, 41); font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; font-variant-position: normal; vertical-align: baseline;"><br></span></div>
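<p>The conclusion above recommends linking abnormal login activity on the VPN gateway with what follows it. The script below is an added example of that detection logic, not code from the original report or from Cisco or Palo Alto Networks. It runs over constructed, already normalised authentication records (timestamp, source IP, username, result); mapping real Cisco ASA WebVPN or PAN-OS GlobalProtect syslog into that shape is assumed to happen upstream in the SIEM. The thresholds (5 distinct accounts or 6 failures on one account inside a 10-minute window) are assumptions for the example. The point it demonstrates: a spray is keyed on the source, not the account, because each account sees only one or two failures and never trips a lockout counter, and a success from a source that was just spraying is the signal worth paging on.</p>

```python
"""Password-spray and brute-force detection over VPN gateway authentication logs.
Added example, not code from the original report or from Cisco / Palo Alto Networks.
Log lines are constructed in a simplified, already normalised form; mapping real
Cisco ASA WebVPN or PAN-OS GlobalProtect syslog into it is assumed to happen upstream.
"""
from __future__ import annotations

import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Constructed sample: a spray over six accounts that then succeeds on one,
# a single-account brute force, one non-auth line, and one benign typo-then-login.
SAMPLE_LOG = """\
2024-05-02T03:10:01Z src=198.51.100.23 user=alice result=FAIL
2024-05-02T03:10:04Z src=198.51.100.23 user=bob result=FAIL
2024-05-02T03:10:07Z src=198.51.100.23 user=carol result=FAIL
2024-05-02T03:10:10Z src=198.51.100.23 user=dave result=FAIL
2024-05-02T03:10:13Z src=198.51.100.23 user=erin result=FAIL
2024-05-02T03:10:16Z src=198.51.100.23 user=frank result=FAIL
2024-05-02T03:11:40Z src=198.51.100.23 user=erin result=SUCCESS
2024-05-02T03:12:00Z src=203.0.113.9 user=admin result=FAIL
2024-05-02T03:12:15Z src=203.0.113.9 user=admin result=FAIL
2024-05-02T03:12:30Z src=203.0.113.9 user=admin result=FAIL
2024-05-02T03:12:45Z src=203.0.113.9 user=admin result=FAIL
2024-05-02T03:13:00Z src=203.0.113.9 user=admin result=FAIL
2024-05-02T03:13:15Z src=203.0.113.9 user=admin result=FAIL
2024-05-02T03:13:30Z src=203.0.113.9 user=admin result=FAIL
2024-05-02T03:14:00Z src=192.0.2.77 user=grace tunnel established
2024-05-02T03:16:00Z src=192.0.2.78 user=heidi result=FAIL
2024-05-02T03:16:30Z src=192.0.2.78 user=heidi result=SUCCESS
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) user=(?P<user>\S+) result=(?P<result>SUCCESS|FAIL)$"
)


@dataclass(frozen=True)
class AuthEvent:
    ts: datetime
    src: str
    user: str
    ok: bool


@dataclass(frozen=True)
class Finding:
    kind: str   # password_spray | brute_force | spray_then_success
    key: str    # source IP, or "src->user"
    count: int  # distinct users (spray), failures (brute force), or 1
    first: datetime
    last: datetime


def parse(log_text: str) -> list[AuthEvent]:
    """Parse auth results; lines that are not auth results are skipped, not fatal."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append(AuthEvent(ts, m["src"], m["user"], m["result"] == "SUCCESS"))
    return sorted(events, key=lambda e: e.ts)


def _upsert(findings: dict, kind: str, key: str, count: int, first: datetime, last: datetime) -> None:
    old = findings.get((kind, key))
    if old is None:
        findings[(kind, key)] = Finding(kind, key, count, first, last)
    else:  # keep the earliest start and the peak count, extend the end
        findings[(kind, key)] = Finding(kind, key, max(old.count, count), old.first, last)


def analyze(log_text: str, window: timedelta = timedelta(minutes=10),
            spray_users: int = 5, brute_fails: int = 6) -> list[Finding]:
    """Per source IP, slide a window over failures and flag a spray (many distinct
    accounts), a brute force (many failures on one account), and a success that
    follows a spray from the same source within the window."""
    by_src: dict[str, list[AuthEvent]] = defaultdict(list)
    for e in parse(log_text):
        by_src[e.src].append(e)
    findings: dict[tuple[str, str], Finding] = {}
    for src, events in by_src.items():
        recent: list[AuthEvent] = []  # failures inside the current window
        for e in events:
            recent = [r for r in recent if e.ts - r.ts <= window]
            if e.ok:
                spray = findings.get(("password_spray", src))
                if spray is not None and e.ts - spray.last <= window:
                    _upsert(findings, "spray_then_success", f"{src}->{e.user}", 1, e.ts, e.ts)
                continue
            recent.append(e)
            distinct_users = {r.user for r in recent}
            if len(distinct_users) >= spray_users:
                _upsert(findings, "password_spray", src, len(distinct_users), recent[0].ts, e.ts)
            same_user = sum(1 for r in recent if r.user == e.user)
            if same_user >= brute_fails:
                _upsert(findings, "brute_force", f"{src}->{e.user}", same_user, recent[0].ts, e.ts)
    return sorted(findings.values(), key=lambda f: f.first)


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(f"{f.kind:20} {f.key:26} n={f.count} {f.first:%H:%M:%S}-{f.last:%H:%M:%S}")
```

<p>On the sample this yields three findings: the spray from 198.51.100.23 over six accounts, the later success for erin from that same source, and the seven-failure brute force against admin; heidi's single typo followed by a login raises nothing. A campaign at the scale described here rotates sources, so in production the same window logic should also be keyed on the username across source IPs, and source addresses should be enriched against Tor exit and hosting ranges, which is the M1021 restriction in the table that follows.</p>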
Mitigation
<p style="margin-top: 0pt; margin-bottom: 0pt; line-height: 1.38;"><span style="font-size: 11pt; font-family: Arial, sans-serif; color: rgb(0, 0, 0); background-color: transparent; font-weight: 700; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; font-variant-position: normal; vertical-align: baseline;">MITIGATION</span></p><p style="margin-top: 0pt; margin-bottom: 0pt; line-height: 1.38;"><span style="font-size: 11pt; font-family: Arial, sans-serif; color: rgb(33, 37, 41); font-weight: 700; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; font-variant-position: normal; vertical-align: baseline;">T1133 - External Remote Services</span></p><br><div align="left" style="margin-left: 0pt;"><table style="border: none; border-collapse: collapse;"><colgroup><col><col><col></colgroup><tbody><tr style="height: 37.75pt;"><td style="border-width: 0.833333pt; border-style: solid; border-color: rgb(223, 223, 223); vertical-align: bottom; background-color: rgb(242, 242, 242); padding: 5pt; overflow: hidden; overflow-wrap: break-word;"><p style="margin-top: 0pt; margin-bottom: 0pt; line-height: 1.38; text-align: center;"><span style="font-size: 12pt; font-family: Arial, sans-serif; color: rgb(33, 37, 41); background-color: rgb(255, 255, 255); font-weight: 700; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; font-variant-position: normal; vertical-align: baseline;">ID</span></p></td><td style="border-width: 0.833333pt; border-style: solid; border-color: rgb(223, 223, 223); vertical-align: bottom; background-color: rgb(242, 242, 242); padding: 5pt; overflow: hidden; overflow-wrap: break-word;"><p style="margin-top: 0pt; margin-bottom: 0pt; line-height: 1.38; text-align: center;"><span style="font-size: 12pt; font-family: Arial, sans-serif; color: rgb(33, 37, 41); background-color: rgb(255, 255, 255); font-weight: 700; font-variant-numeric: 
normal; font-variant-east-asian: normal; font-variant-alternates: normal; font-variant-position: normal; vertical-align: baseline;">Mitigation</span></p></td><td style="border-width: 0.833333pt; border-style: solid; border-color: rgb(223, 223, 223); vertical-align: bottom; background-color: rgb(242, 242, 242); padding: 5pt; overflow: hidden; overflow-wrap: break-word;"><p style="margin-top: 0pt; margin-bottom: 0pt; line-height: 1.38; text-align: center;"><span style="font-size: 12pt; font-family: Arial, sans-serif; color: rgb(33, 37, 41); background-color: rgb(255, 255, 255); font-weight: 700; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; font-variant-position: normal; vertical-align: baseline;">Description</span></p></td></tr><tr style="height: 55.75pt;"><td style="border-width: 0.833333pt; border-style: solid; border-color: rgb(223, 223, 223); vertical-align: top; background-color: rgb(242, 242, 242); padding: 5pt; overflow: hidden; overflow-wrap: break-word;"><p style="margin-top: 0pt; margin-bottom: 0pt; line-height: 1.38;"><a href="https://attack.mitre.org/mitigations/M1042"><span style="font-size: 10pt; font-family: Arial, sans-serif; color: rgb(79, 124, 172); background-color: rgb(255, 255, 255); font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; font-variant-position: normal; vertical-align: baseline;">M1042</span></a></p></td><td style="border-width: 0.833333pt; border-style: solid; border-color: rgb(223, 223, 223); vertical-align: top; background-color: rgb(242, 242, 242); padding: 5pt; overflow: hidden; overflow-wrap: break-word;"><p style="margin-top: 0pt; margin-bottom: 0pt; line-height: 1.38;"><a href="https://attack.mitre.org/mitigations/M1042"><span style="font-size: 10pt; font-family: Arial, sans-serif; color: rgb(79, 124, 172); background-color: rgb(255, 255, 255); font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: 
normal; font-variant-position: normal; vertical-align: baseline;">Disable or Remove Feature or Program</span></a></p></td><td style="border-width: 0.833333pt; border-style: solid; border-color: rgb(223, 223, 223); vertical-align: top; background-color: rgb(242, 242, 242); padding: 5pt; overflow: hidden; overflow-wrap: break-word;"><p style="margin-top: 0pt; margin-bottom: 0pt; line-height: 1.38;"><span style="font-size: 10pt; font-family: Arial, sans-serif; color: rgb(33, 37, 41); background-color: rgb(255, 255, 255); font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; font-variant-position: normal; vertical-align: baseline;">Disable or block remotely available services that may be unnecessary.</span></p></td></tr><tr style="height: 55.75pt;"><td style="border-width: 0.833333pt; border-style: solid; border-color: rgb(223, 223, 223); vertical-align: top; background-color: rgb(242, 242, 242); padding: 5pt; overflow: hidden; overflow-wrap: break-word;"><p style="margin-top: 0pt; margin-bottom: 0pt; line-height: 1.38;"><a href="https://attack.mitre.org/mitigations/M1035"><span style="font-size: 10pt; font-family: Arial, sans-serif; color: rgb(79, 124, 172); background-color: rgb(255, 255, 255); font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; font-variant-position: normal; vertical-align: baseline;">M1035</span></a></p></td><td style="border-width: 0.833333pt; border-style: solid; border-color: rgb(223, 223, 223); vertical-align: top; background-color: rgb(242, 242, 242); padding: 5pt; overflow: hidden; overflow-wrap: break-word;"><p style="margin-top: 0pt; margin-bottom: 0pt; line-height: 1.38;"><a href="https://attack.mitre.org/mitigations/M1035"><span style="font-size: 10pt; font-family: Arial, sans-serif; color: rgb(79, 124, 172); background-color: rgb(255, 255, 255); font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; 
font-variant-position: normal; vertical-align: baseline;">Limit Access to Resource Over Network</span></a></p></td><td style="border-width: 0.833333pt; border-style: solid; border-color: rgb(223, 223, 223); vertical-align: top; background-color: rgb(242, 242, 242); padding: 5pt; overflow: hidden; overflow-wrap: break-word;"><p style="margin-top: 0pt; margin-bottom: 0pt; line-height: 1.38;"><span style="font-size: 10pt; font-family: Arial, sans-serif; color: rgb(33, 37, 41); background-color: rgb(255, 255, 255); font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; font-variant-position: normal; vertical-align: baseline;">Limit access to remote services through centrally managed concentrators such as VPNs and other managed remote access systems.</span></p></td></tr><tr style="height: 55.75pt;"><td style="border-width: 0.833333pt; border-style: solid; border-color: rgb(223, 223, 223); vertical-align: top; background-color: rgb(242, 242, 242); padding: 5pt; overflow: hidden; overflow-wrap: break-word;"><p style="margin-top: 0pt; margin-bottom: 0pt; line-height: 1.38;"><a href="https://attack.mitre.org/mitigations/M1032"><span style="font-size: 10pt; font-family: Arial, sans-serif; color: rgb(79, 124, 172); background-color: rgb(255, 255, 255); font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; font-variant-position: normal; vertical-align: baseline;">M1032</span></a></p></td><td style="border-width: 0.833333pt; border-style: solid; border-color: rgb(223, 223, 223); vertical-align: top; background-color: rgb(242, 242, 242); padding: 5pt; overflow: hidden; overflow-wrap: break-word;"><p style="margin-top: 0pt; margin-bottom: 0pt; line-height: 1.38;"><a href="https://attack.mitre.org/mitigations/M1032"><span style="font-size: 10pt; font-family: Arial, sans-serif; color: rgb(79, 124, 172); background-color: rgb(255, 255, 255); font-variant-numeric: normal; font-variant-east-asian: 
normal; font-variant-alternates: normal; font-variant-position: normal; vertical-align: baseline;">Multi-factor Authentication</span></a></p></td><td style="border-width: 0.833333pt; border-style: solid; border-color: rgb(223, 223, 223); vertical-align: top; background-color: rgb(242, 242, 242); padding: 5pt; overflow: hidden; overflow-wrap: break-word;"><p style="margin-top: 0pt; margin-bottom: 0pt; line-height: 1.38;"><span style="font-size: 10pt; font-family: Arial, sans-serif; color: rgb(33, 37, 41); background-color: rgb(255, 255, 255); font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; font-variant-position: normal; vertical-align: baseline;">Use strong two-factor or multi-factor authentication for remote service accounts to mitigate an adversary's ability to leverage stolen credentials, but be aware of </span><a href="https://attack.mitre.org/techniques/T1111"><span style="font-size: 10pt; font-family: Arial, sans-serif; color: rgb(79, 124, 172); background-color: rgb(255, 255, 255); font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; font-variant-position: normal; vertical-align: baseline;">Multi-Factor Authentication Interception</span></a><span style="font-size: 10pt; font-family: Arial, sans-serif; color: rgb(33, 37, 41); background-color: rgb(255, 255, 255); font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; font-variant-position: normal; vertical-align: baseline;"> techniques for some two-factor authentication implementations.</span></p></td></tr><tr style="height: 42.25pt;"><td style="border-width: 0.833333pt; border-style: solid; border-color: rgb(223, 223, 223); vertical-align: top; background-color: rgb(242, 242, 242); padding: 5pt; overflow: hidden; overflow-wrap: break-word;"><p style="margin-top: 0pt; margin-bottom: 0pt; line-height: 1.38;"><a href="https://attack.mitre.org/mitigations/M1030"><span 
style="font-size: 10pt; font-family: Arial, sans-serif; color: rgb(79, 124, 172); background-color: rgb(255, 255, 255); font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; font-variant-position: normal; vertical-align: baseline;">M1030</span></a></p></td><td style="border-width: 0.833333pt; border-style: solid; border-color: rgb(223, 223, 223); vertical-align: top; background-color: rgb(242, 242, 242); padding: 5pt; overflow: hidden; overflow-wrap: break-word;"><p style="margin-top: 0pt; margin-bottom: 0pt; line-height: 1.38;"><a href="https://attack.mitre.org/mitigations/M1030"><span style="font-size: 10pt; font-family: Arial, sans-serif; color: rgb(79, 124, 172); background-color: rgb(255, 255, 255); font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; font-variant-position: normal; vertical-align: baseline;">Network Segmentation</span></a></p></td><td style="border-width: 0.833333pt; border-style: solid; border-color: rgb(223, 223, 223); vertical-align: top; background-color: rgb(242, 242, 242); padding: 5pt; overflow: hidden; overflow-wrap: break-word;"><p style="margin-top: 0pt; margin-bottom: 0pt; line-height: 1.38;"><span style="font-size: 10pt; font-family: Arial, sans-serif; color: rgb(33, 37, 41); background-color: rgb(255, 255, 255); font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; font-variant-position: normal; vertical-align: baseline;">Deny direct remote access to internal systems through the use of network proxies, gateways, and firewalls.</span></p></td></tr><tr style="height: 55.75pt;"><td style="border-width: 0.833333pt; border-style: solid; border-color: rgb(223, 223, 223); vertical-align: top; background-color: rgb(242, 242, 242); padding: 5pt; overflow: hidden; overflow-wrap: break-word;"><p style="margin-top: 0pt; margin-bottom: 0pt; line-height: 1.38;"><a href="https://attack.mitre.org/mitigations/M1021"><span 
style="font-size: 10pt; font-family: Arial, sans-serif; color: rgb(79, 124, 172); background-color: rgb(255, 255, 255); font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; font-variant-position: normal; vertical-align: baseline;">M1021</span></a></p></td><td style="border-width: 0.833333pt; border-style: solid; border-color: rgb(223, 223, 223); vertical-align: top; background-color: rgb(242, 242, 242); padding: 5pt; overflow: hidden; overflow-wrap: break-word;"><p style="margin-top: 0pt; margin-bottom: 0pt; line-height: 1.38;"><a href="https://attack.mitre.org/mitigations/M1021"><span style="font-size: 10pt; font-family: Arial, sans-serif; color: rgb(79, 124, 172); background-color: rgb(255, 255, 255); font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; font-variant-position: normal; vertical-align: baseline;">Restrict Web-Based Content</span></a></p></td><td style="border-width: 0.833333pt; border-style: solid; border-color: rgb(223, 223, 223); vertical-align: top; background-color: rgb(242, 242, 242); padding: 5pt; overflow: hidden; overflow-wrap: break-word;"><p style="margin-top: 0pt; margin-bottom: 0pt; line-height: 1.38;"><span style="font-size: 10pt; font-family: Arial, sans-serif; color: rgb(33, 37, 41); background-color: rgb(255, 255, 255); font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; font-variant-position: normal; vertical-align: baseline;">Restrict all traffic to and from public Tor nodes. 
</span><a href="https://www.cisa.gov/sites/default/files/publications/AA20-183A_Defending_Against_Malicious_Cyber_Activity_Originating_from_Tor_S508C.pdf"><span style="font-size: 10pt; font-family: Arial, sans-serif; color: rgb(79, 124, 172); background-color: rgb(255, 255, 255); font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; font-variant-position: normal; vertical-align: baseline;">[61]</span></a></p></td></tr></tbody></table></div><br><p style="margin-top: 0pt; margin-bottom: 0pt; line-height: 1.38;"><span style="font-size: 11pt; font-family: Arial, sans-serif; color: rgb(33, 37, 41); font-weight: 700; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; font-variant-position: normal; vertical-align: baseline;">T1190 - Exploit Public-Facing Application</span></p><br><div align="left" style="margin-left: 0pt;"><table style="border: none; border-collapse: collapse;"><colgroup><col><col><col></colgroup><tbody><tr style="height: 37.75pt;"><td style="border-width: 0.833333pt; border-style: solid; border-color: rgb(223, 223, 223); vertical-align: bottom; background-color: rgb(242, 242, 242); padding: 5pt; overflow: hidden; overflow-wrap: break-word;"><p style="margin-top: 0pt; margin-bottom: 0pt; line-height: 1.38; text-align: center;"><span style="font-size: 12pt; font-family: Arial, sans-serif; color: rgb(33, 37, 41); background-color: rgb(255, 255, 255); font-weight: 700; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; font-variant-position: normal; vertical-align: baseline;">ID</span></p></td><td style="border-width: 0.833333pt; border-style: solid; border-color: rgb(223, 223, 223); vertical-align: bottom; background-color: rgb(242, 242, 242); padding: 5pt; overflow: hidden; overflow-wrap: break-word;"><p style="margin-top: 0pt; margin-bottom: 0pt; line-height: 1.38; text-align: center;"><span style="font-size: 12pt; 
font-family: Arial, sans-serif; color: rgb(33, 37, 41); background-color: rgb(255, 255, 255); font-weight: 700; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; font-variant-position: normal; vertical-align: baseline;">Mitigation</span></p></td><td style="border-width: 0.833333pt; border-style: solid; border-color: rgb(223, 223, 223); vertical-align: bottom; background-color: rgb(242, 242, 242); padding: 5pt; overflow: hidden; overflow-wrap: break-word;"><p style="margin-top: 0pt; margin-bottom: 0pt; line-height: 1.38; text-align: center;"><span style="font-size: 12pt; font-family: Arial, sans-serif; color: rgb(33, 37, 41); background-color: rgb(255, 255, 255); font-weight: 700; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; font-variant-position: normal; vertical-align: baseline;">Description</span></p></td></tr><tr style="height: 55.75pt;"><td style="border-width: 0.833333pt; border-style: solid; border-color: rgb(223, 223, 223); vertical-align: top; background-color: rgb(242, 242, 242); padding: 5pt; overflow: hidden; overflow-wrap: break-word;"><p style="margin-top: 0pt; margin-bottom: 0pt; line-height: 1.38;"><a href="https://attack.mitre.org/mitigations/M1048"><span style="font-size: 10pt; font-family: Arial, sans-serif; color: rgb(79, 124, 172); background-color: rgb(255, 255, 255); font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; font-variant-position: normal; vertical-align: baseline;">M1048</span></a></p></td><td style="border-width: 0.833333pt; border-style: solid; border-color: rgb(223, 223, 223); vertical-align: top; background-color: rgb(242, 242, 242); padding: 5pt; overflow: hidden; overflow-wrap: break-word;"><p style="margin-top: 0pt; margin-bottom: 0pt; line-height: 1.38;"><a href="https://attack.mitre.org/mitigations/M1048"><span style="font-size: 10pt; font-family: Arial, sans-serif; color: rgb(79, 124, 
172); background-color: rgb(255, 255, 255); font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; font-variant-position: normal; vertical-align: baseline;">Application Isolation and Sandboxing</span></a></p></td><td style="border-width: 0.833333pt; border-style: solid; border-color: rgb(223, 223, 223); vertical-align: top; background-color: rgb(242, 242, 242); padding: 5pt; overflow: hidden; overflow-wrap: break-word;"><p style="margin-top: 0pt; margin-bottom: 0pt; line-height: 1.38;"><span style="font-size: 10pt; font-family: Arial, sans-serif; color: rgb(33, 37, 41); background-color: rgb(255, 255, 255); font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; font-variant-position: normal; vertical-align: baseline;">Application isolation will limit what other processes and system features the exploited target can access.</span></p></td></tr><tr style="height: 42.25pt;"><td style="border-width: 0.833333pt; border-style: solid; border-color: rgb(223, 223, 223); vertical-align: top; background-color: rgb(242, 242, 242); padding: 5pt; overflow: hidden; overflow-wrap: break-word;"><p style="margin-top: 0pt; margin-bottom: 0pt; line-height: 1.38;"><a href="https://attack.mitre.org/mitigations/M1050"><span style="font-size: 10pt; font-family: Arial, sans-serif; color: rgb(79, 124, 172); background-color: rgb(255, 255, 255); font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; font-variant-position: normal; vertical-align: baseline;">M1050</span></a></p></td><td style="border-width: 0.833333pt; border-style: solid; border-color: rgb(223, 223, 223); vertical-align: top; background-color: rgb(242, 242, 242); padding: 5pt; overflow: hidden; overflow-wrap: break-word;"><p style="margin-top: 0pt; margin-bottom: 0pt; line-height: 1.38;"><a href="https://attack.mitre.org/mitigations/M1050"><span style="font-size: 10pt; font-family: Arial, sans-serif; 
color: rgb(79, 124, 172); background-color: rgb(255, 255, 255); font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; font-variant-position: normal; vertical-align: baseline;">Exploit Protection</span></a></p></td><td style="border-width: 0.833333pt; border-style: solid; border-color: rgb(223, 223, 223); vertical-align: top; background-color: rgb(242, 242, 242); padding: 5pt; overflow: hidden; overflow-wrap: break-word;"><p style="margin-top: 0pt; margin-bottom: 0pt; line-height: 1.38;"><span style="font-size: 10pt; font-family: Arial, sans-serif; color: rgb(33, 37, 41); background-color: rgb(255, 255, 255); font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; font-variant-position: normal; vertical-align: baseline;">Web Application Firewalls may be used to limit exposure of applications to prevent exploit traffic from reaching the application.</span></p></td></tr><tr style="height: 68.5pt;"><td style="border-width: 0.833333pt; border-style: solid; border-color: rgb(223, 223, 223); vertical-align: top; background-color: rgb(242, 242, 242); padding: 5pt; overflow: hidden; overflow-wrap: break-word;"><p style="margin-top: 0pt; margin-bottom: 0pt; line-height: 1.38;"><a href="https://attack.mitre.org/mitigations/M1037"><span style="font-size: 10pt; font-family: Arial, sans-serif; color: rgb(79, 124, 172); background-color: rgb(255, 255, 255); font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; font-variant-position: normal; vertical-align: baseline;">M1037</span></a></p></td><td style="border-width: 0.833333pt; border-style: solid; border-color: rgb(223, 223, 223); vertical-align: top; background-color: rgb(242, 242, 242); padding: 5pt; overflow: hidden; overflow-wrap: break-word;"><p style="margin-top: 0pt; margin-bottom: 0pt; line-height: 1.38;"><a href="https://attack.mitre.org/mitigations/M1037"><span style="font-size: 10pt; font-family: 
Arial, sans-serif; color: rgb(79, 124, 172); background-color: rgb(255, 255, 255); font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; font-variant-position: normal; vertical-align: baseline;">Filter Network Traffic</span></a></p></td><td style="border-width: 0.833333pt; border-style: solid; border-color: rgb(223, 223, 223); vertical-align: top; background-color: rgb(242, 242, 242); padding: 5pt; overflow: hidden; overflow-wrap: break-word;"><p style="margin-top: 0pt; margin-bottom: 0pt; line-height: 1.38;"><span style="font-size: 10pt; font-family: Arial, sans-serif; color: rgb(33, 37, 41); background-color: rgb(255, 255, 255); font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; font-variant-position: normal; vertical-align: baseline;">Restrict outbound network traffic from public-facing servers to prevent unauthorized connections from initiating communications with attacker-controlled infrastructure. 
While this may not prevent the initial exploitation, it limits the attacker's ability to verify and control the compromised server post-exploit, reducing the overall impact of the attack.</span></p></td></tr><tr style="height: 55.75pt;"><td style="border-width: 0.833333pt; border-style: solid; border-color: rgb(223, 223, 223); vertical-align: top; background-color: rgb(242, 242, 242); padding: 5pt; overflow: hidden; overflow-wrap: break-word;"><p style="margin-top: 0pt; margin-bottom: 0pt; line-height: 1.38;"><a href="https://attack.mitre.org/mitigations/M1035"><span style="font-size: 10pt; font-family: Arial, sans-serif; color: rgb(79, 124, 172); background-color: rgb(255, 255, 255); font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; font-variant-position: normal; vertical-align: baseline;">M1035</span></a></p></td><td style="border-width: 0.833333pt; border-style: solid; border-color: rgb(223, 223, 223); vertical-align: top; background-color: rgb(242, 242, 242); padding: 5pt; overflow: hidden; overflow-wrap: break-word;"><p style="margin-top: 0pt; margin-bottom: 0pt; line-height: 1.38;"><a href="https://attack.mitre.org/mitigations/M1035"><span style="font-size: 10pt; font-family: Arial, sans-serif; color: rgb(79, 124, 172); background-color: rgb(255, 255, 255); font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; font-variant-position: normal; vertical-align: baseline;">Limit Access to Resource Over Network</span></a></p></td><td style="border-width: 0.833333pt; border-style: solid; border-color: rgb(223, 223, 223); vertical-align: top; background-color: rgb(242, 242, 242); padding: 5pt; overflow: hidden; overflow-wrap: break-word;"><p style="margin-top: 0pt; margin-bottom: 0pt; line-height: 1.38;"><span style="font-size: 10pt; font-family: Arial, sans-serif; color: rgb(33, 37, 41); background-color: rgb(255, 255, 255); font-variant-numeric: normal; font-variant-east-asian: 
normal; font-variant-alternates: normal; font-variant-position: normal; vertical-align: baseline;">Ensure that all publicly exposed services are actually intended to be so, and restrict access to any that should only be available internally.</span></p></td></tr><tr style="height: 42.25pt;"><td style="border-width: 0.833333pt; border-style: solid; border-color: rgb(223, 223, 223); vertical-align: top; background-color: rgb(242, 242, 242); padding: 5pt; overflow: hidden; overflow-wrap: break-word;"><p style="margin-top: 0pt; margin-bottom: 0pt; line-height: 1.38;"><a href="https://attack.mitre.org/mitigations/M1030"><span style="font-size: 10pt; font-family: Arial, sans-serif; color: rgb(79, 124, 172); background-color: rgb(255, 255, 255); font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; font-variant-position: normal; vertical-align: baseline;">M1030</span></a></p></td><td style="border-width: 0.833333pt; border-style: solid; border-color: rgb(223, 223, 223); vertical-align: top; background-color: rgb(242, 242, 242); padding: 5pt; overflow: hidden; overflow-wrap: break-word;"><p style="margin-top: 0pt; margin-bottom: 0pt; line-height: 1.38;"><a href="https://attack.mitre.org/mitigations/M1030"><span style="font-size: 10pt; font-family: Arial, sans-serif; color: rgb(79, 124, 172); background-color: rgb(255, 255, 255); font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; font-variant-position: normal; vertical-align: baseline;">Network Segmentation</span></a></p></td><td style="border-width: 0.833333pt; border-style: solid; border-color: rgb(223, 223, 223); vertical-align: top; background-color: rgb(242, 242, 242); padding: 5pt; overflow: hidden; overflow-wrap: break-word;"><p style="margin-top: 0pt; margin-bottom: 0pt; line-height: 1.38;"><span style="font-size: 10pt; font-family: Arial, sans-serif; color: rgb(33, 37, 41); background-color: rgb(255, 255, 255); 
font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; font-variant-position: normal; vertical-align: baseline;">Segment externally facing servers and services from the rest of the network with a DMZ or on separate hosting infrastructure.</span></p></td></tr><tr style="height: 55.75pt;"><td style="border-width: 0.833333pt; border-style: solid; border-color: rgb(223, 223, 223); vertical-align: top; background-color: rgb(242, 242, 242); padding: 5pt; overflow: hidden; overflow-wrap: break-word;"><p style="margin-top: 0pt; margin-bottom: 0pt; line-height: 1.38;"><a href="https://attack.mitre.org/mitigations/M1026"><span style="font-size: 10pt; font-family: Arial, sans-serif; color: rgb(79, 124, 172); background-color: rgb(255, 255, 255); font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; font-variant-position: normal; vertical-align: baseline;">M1026</span></a></p></td><td style="border-width: 0.833333pt; border-style: solid; border-color: rgb(223, 223, 223); vertical-align: top; background-color: rgb(242, 242, 242); padding: 5pt; overflow: hidden; overflow-wrap: break-word;"><p style="margin-top: 0pt; margin-bottom: 0pt; line-height: 1.38;"><a href="https://attack.mitre.org/mitigations/M1026"><span style="font-size: 10pt; font-family: Arial, sans-serif; color: rgb(79, 124, 172); background-color: rgb(255, 255, 255); font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; font-variant-position: normal; vertical-align: baseline;">Privileged Account Management</span></a></p></td><td style="border-width: 0.833333pt; border-style: solid; border-color: rgb(223, 223, 223); vertical-align: top; background-color: rgb(242, 242, 242); padding: 5pt; overflow: hidden; overflow-wrap: break-word;"><p style="margin-top: 0pt; margin-bottom: 0pt; line-height: 1.38;"><span style="font-size: 10pt; font-family: Arial, sans-serif; color: rgb(33, 37, 41); 
background-color: rgb(255, 255, 255); font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; font-variant-position: normal; vertical-align: baseline;">Using least privilege for service accounts limits what permissions the exploited process gets on the rest of the system.</span></p></td></tr><tr style="height: 42.25pt;"><td style="border-width: 0.833333pt; border-style: solid; border-color: rgb(223, 223, 223); vertical-align: top; background-color: rgb(242, 242, 242); padding: 5pt; overflow: hidden; overflow-wrap: break-word;"><p style="margin-top: 0pt; margin-bottom: 0pt; line-height: 1.38;"><a href="https://attack.mitre.org/mitigations/M1051"><span style="font-size: 10pt; font-family: Arial, sans-serif; color: rgb(79, 124, 172); background-color: rgb(255, 255, 255); font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; font-variant-position: normal; vertical-align: baseline;">M1051</span></a></p></td><td style="border-width: 0.833333pt; border-style: solid; border-color: rgb(223, 223, 223); vertical-align: top; background-color: rgb(242, 242, 242); padding: 5pt; overflow: hidden; overflow-wrap: break-word;"><p style="margin-top: 0pt; margin-bottom: 0pt; line-height: 1.38;"><a href="https://attack.mitre.org/mitigations/M1051"><span style="font-size: 10pt; font-family: Arial, sans-serif; color: rgb(79, 124, 172); background-color: rgb(255, 255, 255); font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; font-variant-position: normal; vertical-align: baseline;">Update Software</span></a></p></td><td style="border-width: 0.833333pt; border-style: solid; border-color: rgb(223, 223, 223); vertical-align: top; background-color: rgb(242, 242, 242); padding: 5pt; overflow: hidden; overflow-wrap: break-word;"><p style="margin-top: 0pt; margin-bottom: 0pt; line-height: 1.38;"><span style="font-size: 10pt; font-family: Arial, sans-serif; color: 
rgb(33, 37, 41); background-color: rgb(255, 255, 255); font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; font-variant-position: normal; vertical-align: baseline;">Update software regularly by employing patch management for externally exposed applications.</span></p></td></tr><tr style="height: 55.75pt;"><td style="border-width: 0.833333pt; border-style: solid; border-color: rgb(223, 223, 223); vertical-align: top; background-color: rgb(242, 242, 242); padding: 5pt; overflow: hidden; overflow-wrap: break-word;"><p style="margin-top: 0pt; margin-bottom: 0pt; line-height: 1.38;"><a href="https://attack.mitre.org/mitigations/M1016"><span style="font-size: 10pt; font-family: Arial, sans-serif; color: rgb(79, 124, 172); background-color: rgb(255, 255, 255); font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; font-variant-position: normal; vertical-align: baseline;">M1016</span></a></p></td><td style="border-width: 0.833333pt; border-style: solid; border-color: rgb(223, 223, 223); vertical-align: top; background-color: rgb(242, 242, 242); padding: 5pt; overflow: hidden; overflow-wrap: break-word;"><p style="margin-top: 0pt; margin-bottom: 0pt; line-height: 1.38;"><a href="https://attack.mitre.org/mitigations/M1016"><span style="font-size: 10pt; font-family: Arial, sans-serif; color: rgb(79, 124, 172); background-color: rgb(255, 255, 255); font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; font-variant-position: normal; vertical-align: baseline;">Vulnerability Scanning</span></a></p></td><td style="border-width: 0.833333pt; border-style: solid; border-color: rgb(223, 223, 223); vertical-align: top; background-color: rgb(242, 242, 242); padding: 5pt; overflow: hidden; overflow-wrap: break-word;"><p style="margin-top: 0pt; margin-bottom: 0pt; line-height: 1.38;"><span style="font-size: 10pt; font-family: Arial, sans-serif; color: rgb(33, 37, 
41); background-color: rgb(255, 255, 255); font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; font-variant-position: normal; vertical-align: baseline;">Regularly scan externally facing systems for vulnerabilities and establish procedures to rapidly patch systems when critical vulnerabilities are discovered through scanning and through public disclosure.</span><a href="https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project"><span style="font-size: 10pt; font-family: Arial, sans-serif; color: rgb(79, 124, 172); background-color: rgb(255, 255, 255); font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; font-variant-position: normal; vertical-align: baseline;">[10]</span></a></p></td></tr></tbody></table></div><br><p style="margin-top: 0pt; margin-bottom: 0pt; line-height: 1.38;"><span style="font-size: 11pt; font-family: Arial, sans-serif; color: rgb(33, 37, 41); font-weight: 700; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; font-variant-position: normal; vertical-align: baseline;">T1562.002 - Disable Windows Event Logging</span></p><br><div align="left" style="margin-left: 0pt;"><table style="border: none; border-collapse: collapse;"><colgroup><col><col><col></colgroup><tbody><tr style="height: 37.75pt;"><td style="border-width: 0.833333pt; border-style: solid; border-color: rgb(223, 223, 223); vertical-align: bottom; background-color: rgb(242, 242, 242); padding: 5pt; overflow: hidden; overflow-wrap: break-word;"><p style="margin-top: 0pt; margin-bottom: 0pt; line-height: 1.38; text-align: center;"><span style="font-size: 12pt; font-family: Arial, sans-serif; color: rgb(33, 37, 41); background-color: rgb(255, 255, 255); font-weight: 700; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; font-variant-position: normal; vertical-align: baseline;">ID</span></p></td><td 
style="border-width: 0.833333pt; border-style: solid; border-color: rgb(223, 223, 223); vertical-align: bottom; background-color: rgb(242, 242, 242); padding: 5pt; overflow: hidden; overflow-wrap: break-word;"><p style="margin-top: 0pt; margin-bottom: 0pt; line-height: 1.38; text-align: center;"><span style="font-size: 12pt; font-family: Arial, sans-serif; color: rgb(33, 37, 41); background-color: rgb(255, 255, 255); font-weight: 700; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; font-variant-position: normal; vertical-align: baseline;">Mitigation</span></p></td><td style="border-width: 0.833333pt; border-style: solid; border-color: rgb(223, 223, 223); vertical-align: bottom; background-color: rgb(242, 242, 242); padding: 5pt; overflow: hidden; overflow-wrap: break-word;"><p style="margin-top: 0pt; margin-bottom: 0pt; line-height: 1.38; text-align: center;"><span style="font-size: 12pt; font-family: Arial, sans-serif; color: rgb(33, 37, 41); background-color: rgb(255, 255, 255); font-weight: 700; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; font-variant-position: normal; vertical-align: baseline;">Description</span></p></td></tr><tr style="height: 55.75pt;"><td style="border-width: 0.833333pt; border-style: solid; border-color: rgb(223, 223, 223); vertical-align: top; background-color: rgb(242, 242, 242); padding: 5pt; overflow: hidden; overflow-wrap: break-word;"><p style="margin-top: 0pt; margin-bottom: 0pt; line-height: 1.38;"><a href="https://attack.mitre.org/mitigations/M1047"><span style="font-size: 10pt; font-family: Arial, sans-serif; color: rgb(79, 124, 172); background-color: rgb(255, 255, 255); font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; font-variant-position: normal; vertical-align: baseline;">M1047</span></a></p></td><td style="border-width: 0.833333pt; border-style: solid; border-color: rgb(223, 223, 
223); vertical-align: top; background-color: rgb(242, 242, 242); padding: 5pt; overflow: hidden; overflow-wrap: break-word;"><p style="margin-top: 0pt; margin-bottom: 0pt; line-height: 1.38;"><a href="https://attack.mitre.org/mitigations/M1047"><span style="font-size: 10pt; font-family: Arial, sans-serif; color: rgb(79, 124, 172); background-color: rgb(255, 255, 255); font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; font-variant-position: normal; vertical-align: baseline;">Audit</span></a></p></td><td style="border-width: 0.833333pt; border-style: solid; border-color: rgb(223, 223, 223); vertical-align: top; background-color: rgb(242, 242, 242); padding: 5pt; overflow: hidden; overflow-wrap: break-word;"><p style="margin-top: 0pt; margin-bottom: 0pt; line-height: 1.38;"><span style="font-size: 10pt; font-family: Arial, sans-serif; color: rgb(33, 37, 41); background-color: rgb(255, 255, 255); font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; font-variant-position: normal; vertical-align: baseline;">Consider periodic review of </span><span style="font-size: 8.5pt; font-family: monospace; color: rgb(29, 34, 38); background-color: rgb(230, 230, 230); font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; font-variant-position: normal; vertical-align: baseline;">auditpol</span><span style="font-size: 10pt; font-family: Arial, sans-serif; color: rgb(33, 37, 41); background-color: rgb(255, 255, 255); font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; font-variant-position: normal; vertical-align: baseline;"> settings for Administrator accounts and perform dynamic baselining on SIEM(s) to investigate potential malicious activity. Also ensure that the EventLog service and its threads are properly running.</span></p></td></tr><tr style="height: 68.5pt;"><td style="border-width: 0.833333pt; border-style: solid; border-color: rgb(223, 223, 223); vertical-align: top; background-color: rgb(242, 242, 242); padding: 5pt; overflow: hidden; overflow-wrap: break-word;"><p style="margin-top: 0pt; margin-bottom: 0pt; line-height: 1.38;"><a href="https://attack.mitre.org/mitigations/M1022"><span style="font-size: 10pt; font-family: Arial, sans-serif; color: rgb(79, 124, 172); background-color: rgb(255, 255, 255); font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; font-variant-position: normal; vertical-align: baseline;">M1022</span></a></p></td><td style="border-width: 0.833333pt; border-style: solid; border-color: rgb(223, 223, 223); vertical-align: top; background-color: rgb(242, 242, 242); padding: 5pt; overflow: hidden; overflow-wrap: break-word;"><p style="margin-top: 0pt; margin-bottom: 0pt; line-height: 1.38;"><a href="https://attack.mitre.org/mitigations/M1022"><span style="font-size: 10pt; font-family: Arial, sans-serif; color: rgb(79, 124, 172); background-color: rgb(255, 255, 255); font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; font-variant-position: normal; vertical-align: baseline;">Restrict File and Directory Permissions</span></a></p></td><td style="border-width: 0.833333pt; border-style: solid; border-color: rgb(223, 223, 223); vertical-align: top; background-color: rgb(242, 242, 242); padding: 5pt; overflow: hidden; overflow-wrap: break-word;"><p style="margin-top: 0pt; margin-bottom: 0pt; line-height: 1.38;"><span style="font-size: 10pt; font-family: Arial, sans-serif; color: rgb(33, 37, 41); background-color: rgb(255, 255, 255); font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; font-variant-position: normal; vertical-align: baseline;">Ensure proper process and file permissions are in place to prevent adversaries from disabling or interfering with logging or deleting or modifying .evtx logging files. Ensure .evtx files, which are located at </span><span style="font-size: 8.5pt; font-family: monospace; color: rgb(29, 34, 38); background-color: rgb(230, 230, 230); font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; font-variant-position: normal; vertical-align: baseline;">C:\Windows\system32\Winevt\Logs</span><a href="https://forensicswiki.xyz/wiki/index.php?title=Windows_XML_Event_Log_(EVTX)"><span style="font-size: 7pt; font-family: Arial, sans-serif; color: rgb(79, 124, 172); background-color: rgb(255, 255, 255); font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; font-variant-position: normal; vertical-align: baseline;">[17]</span></a><span style="font-size: 10pt; font-family: Arial, sans-serif; color: rgb(33, 37, 41); background-color: rgb(255, 255, 255); font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; font-variant-position: normal; vertical-align: baseline;">, have the proper file permissions for limited, legitimate access and audit policies for detection.</span></p></td></tr><tr style="height: 55.75pt;"><td style="border-width: 0.833333pt; border-style: solid; border-color: rgb(223, 223, 223); vertical-align: top; background-color: rgb(242, 242, 242); padding: 5pt; overflow: hidden; overflow-wrap: break-word;"><p style="margin-top: 0pt; margin-bottom: 0pt; line-height: 1.38;"><a href="https://attack.mitre.org/mitigations/M1024"><span style="font-size: 10pt; font-family: Arial, sans-serif; color: rgb(79, 124, 172); background-color: rgb(255, 255, 255); font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; font-variant-position: normal; vertical-align: baseline;">M1024</span></a></p></td><td style="border-width: 0.833333pt; border-style: 
solid; border-color: rgb(223, 223, 223); vertical-align: top; background-color: rgb(242, 242, 242); padding: 5pt; overflow: hidden; overflow-wrap: break-word;"><p style="margin-top: 0pt; margin-bottom: 0pt; line-height: 1.38;"><a href="https://attack.mitre.org/mitigations/M1024"><span style="font-size: 10pt; font-family: Arial, sans-serif; color: rgb(79, 124, 172); background-color: rgb(255, 255, 255); font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; font-variant-position: normal; vertical-align: baseline;">Restrict Registry Permissions</span></a></p></td><td style="border-width: 0.833333pt; border-style: solid; border-color: rgb(223, 223, 223); vertical-align: top; background-color: rgb(242, 242, 242); padding: 5pt; overflow: hidden; overflow-wrap: break-word;"><p style="margin-top: 0pt; margin-bottom: 0pt; line-height: 1.38;"><span style="font-size: 10pt; font-family: Arial, sans-serif; color: rgb(33, 37, 41); background-color: rgb(255, 255, 255); font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; font-variant-position: normal; vertical-align: baseline;">Ensure proper Registry permissions are in place to prevent adversaries from disabling or interfering with logging. The addition of the MiniNT registry key disables Event Viewer.</span><a href="https://www.hackingarticles.in/defense-evasion-windows-event-logging-t1562-002/"><span style="font-size: 7pt; font-family: Arial, sans-serif; color: rgb(79, 124, 172); background-color: rgb(255, 255, 255); font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; font-variant-position: normal; vertical-align: baseline;">[18]</span></a></p></td></tr><tr style="height: 55.75pt;"><td style="border-width: 0.833333pt; border-style: solid; border-color: rgb(223, 223, 223); vertical-align: top; background-color: rgb(242, 242, 242); padding: 5pt; overflow: hidden; overflow-wrap: break-word;"><p style="margin-top: 0pt; margin-bottom: 0pt; line-height: 1.38;"><a href="https://attack.mitre.org/mitigations/M1018"><span style="font-size: 10pt; font-family: Arial, sans-serif; color: rgb(79, 124, 172); background-color: rgb(255, 255, 255); font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; font-variant-position: normal; vertical-align: baseline;">M1018</span></a></p></td><td style="border-width: 0.833333pt; border-style: solid; border-color: rgb(223, 223, 223); vertical-align: top; background-color: rgb(242, 242, 242); padding: 5pt; overflow: hidden; overflow-wrap: break-word;"><p style="margin-top: 0pt; margin-bottom: 0pt; line-height: 1.38;"><a href="https://attack.mitre.org/mitigations/M1018"><span style="font-size: 10pt; font-family: Arial, sans-serif; color: rgb(79, 124, 172); background-color: rgb(255, 255, 255); font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; font-variant-position: normal; vertical-align: baseline;">User Account Management</span></a></p></td><td style="border-width: 0.833333pt; border-style: solid; border-color: rgb(223, 223, 223); vertical-align: top; background-color: rgb(242, 242, 242); padding: 5pt; overflow: hidden; overflow-wrap: break-word;"><p style="margin-top: 0pt; margin-bottom: 0pt; line-height: 1.38;"><span style="font-size: 10pt; font-family: Arial, sans-serif; color: rgb(33, 37, 41); background-color: rgb(255, 255, 255); font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; font-variant-position: normal; vertical-align: baseline;">Ensure proper user permissions are in place to prevent adversaries from disabling or interfering with logging.</span></p></td></tr></tbody></table></div><br><p style="margin-top: 0pt; margin-bottom: 0pt; line-height: 1.38;"><span style="font-size: 11pt; font-family: Arial, sans-serif; color: rgb(33, 37, 41); font-weight: 700; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; font-variant-position: normal; vertical-align: baseline;">T1572 - Protocol Tunneling</span></p><br><div align="left" style="margin-left: 0pt;"><table style="border: none; border-collapse: collapse;"><colgroup><col><col><col></colgroup><tbody><tr style="height: 37.75pt;"><td style="border-width: 0.833333pt; border-style: solid; border-color: rgb(223, 223, 223); vertical-align: bottom; background-color: rgb(242, 242, 242); padding: 5pt; overflow: hidden; overflow-wrap: break-word;"><p style="margin-top: 0pt; margin-bottom: 0pt; line-height: 1.38; text-align: center;"><span style="font-size: 12pt; font-family: Arial, sans-serif; color: rgb(33, 37, 41); background-color: rgb(255, 255, 255); font-weight: 700; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; font-variant-position: normal; vertical-align: baseline;">ID</span></p></td><td style="border-width: 0.833333pt; border-style: solid; border-color: rgb(223, 223, 223); vertical-align: bottom; background-color: rgb(242, 242, 242); padding: 5pt; overflow: hidden; overflow-wrap: break-word;"><p style="margin-top: 0pt; margin-bottom: 0pt; line-height: 1.38; text-align: center;"><span style="font-size: 12pt; font-family: 
Arial, sans-serif; color: rgb(33, 37, 41); background-color: rgb(255, 255, 255); font-weight: 700; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; font-variant-position: normal; vertical-align: baseline;">Mitigation</span></p></td><td style="border-width: 0.833333pt; border-style: solid; border-color: rgb(223, 223, 223); vertical-align: bottom; background-color: rgb(242, 242, 242); padding: 5pt; overflow: hidden; overflow-wrap: break-word;"><p style="margin-top: 0pt; margin-bottom: 0pt; line-height: 1.38; text-align: center;"><span style="font-size: 12pt; font-family: Arial, sans-serif; color: rgb(33, 37, 41); background-color: rgb(255, 255, 255); font-weight: 700; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; font-variant-position: normal; vertical-align: baseline;">Description</span></p></td></tr><tr style="height: 42.25pt;"><td style="border-width: 0.833333pt; border-style: solid; border-color: rgb(223, 223, 223); vertical-align: top; background-color: rgb(242, 242, 242); padding: 5pt; overflow: hidden; overflow-wrap: break-word;"><p style="margin-top: 0pt; margin-bottom: 0pt; line-height: 1.38;"><a href="https://attack.mitre.org/mitigations/M1037"><span style="font-size: 10pt; font-family: Arial, sans-serif; color: rgb(79, 124, 172); background-color: rgb(255, 255, 255); font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; font-variant-position: normal; vertical-align: baseline;">M1037</span></a></p></td><td style="border-width: 0.833333pt; border-style: solid; border-color: rgb(223, 223, 223); vertical-align: top; background-color: rgb(242, 242, 242); padding: 5pt; overflow: hidden; overflow-wrap: break-word;"><p style="margin-top: 0pt; margin-bottom: 0pt; line-height: 1.38;"><a href="https://attack.mitre.org/mitigations/M1037"><span style="font-size: 10pt; font-family: Arial, sans-serif; color: rgb(79, 124, 172); 
background-color: rgb(255, 255, 255); font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; font-variant-position: normal; vertical-align: baseline;">Filter Network Traffic</span></a></p></td><td style="border-width: 0.833333pt; border-style: solid; border-color: rgb(223, 223, 223); vertical-align: top; background-color: rgb(242, 242, 242); padding: 5pt; overflow: hidden; overflow-wrap: break-word;"><p style="margin-top: 0pt; margin-bottom: 0pt; line-height: 1.38;"><span style="font-size: 10pt; font-family: Arial, sans-serif; color: rgb(33, 37, 41); background-color: rgb(255, 255, 255); font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; font-variant-position: normal; vertical-align: baseline;">Consider filtering network traffic to untrusted or known bad domains and resources.</span></p></td></tr><tr style="height: 55.75pt;"><td style="border-width: 0.833333pt; border-style: solid; border-color: rgb(223, 223, 223); vertical-align: top; background-color: rgb(242, 242, 242); padding: 5pt; overflow: hidden; overflow-wrap: break-word;"><p style="margin-top: 0pt; margin-bottom: 0pt; line-height: 1.38;"><a href="https://attack.mitre.org/mitigations/M1031"><span style="font-size: 10pt; font-family: Arial, sans-serif; color: rgb(79, 124, 172); background-color: rgb(255, 255, 255); font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; font-variant-position: normal; vertical-align: baseline;">M1031</span></a></p></td><td style="border-width: 0.833333pt; border-style: solid; border-color: rgb(223, 223, 223); vertical-align: top; background-color: rgb(242, 242, 242); padding: 5pt; overflow: hidden; overflow-wrap: break-word;"><p style="margin-top: 0pt; margin-bottom: 0pt; line-height: 1.38;"><a href="https://attack.mitre.org/mitigations/M1031"><span style="font-size: 10pt; font-family: Arial, sans-serif; color: rgb(79, 124, 172); background-color: 
rgb(255, 255, 255); font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; font-variant-position: normal; vertical-align: baseline;">Network Intrusion Prevention</span></a></p></td><td style="border-width: 0.833333pt; border-style: solid; border-color: rgb(223, 223, 223); vertical-align: top; background-color: rgb(242, 242, 242); padding: 5pt; overflow: hidden; overflow-wrap: break-word;"><p style="margin-top: 0pt; margin-bottom: 0pt; line-height: 1.38;"><span style="font-size: 10pt; font-family: Arial, sans-serif; color: rgb(33, 37, 41); background-color: rgb(255, 255, 255); font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; font-variant-position: normal; vertical-align: baseline;">Network intrusion detection and prevention systems that use network signatures to identify traffic for specific adversary malware can be used to mitigate activity at the network level.</span></p></td></tr></tbody></table></div><br><p style="margin-top: 0pt; margin-bottom: 0pt; line-height: 1.38;"><span style="font-size: 11pt; font-family: Arial, sans-serif; color: rgb(33, 37, 41); font-weight: 700; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; font-variant-position: normal; vertical-align: baseline;">T1505.003 - Web Shell</span></p><br><div align="left" style="margin-left: 0pt;"><table style="border: none; border-collapse: collapse;"><colgroup><col><col><col></colgroup><tbody><tr style="height: 37.75pt;"><td style="border-width: 0.833333pt; border-style: solid; border-color: rgb(223, 223, 223); vertical-align: bottom; background-color: rgb(242, 242, 242); padding: 5pt; overflow: hidden; overflow-wrap: break-word;"><p style="margin-top: 0pt; margin-bottom: 0pt; line-height: 1.38; text-align: center;"><span style="font-size: 12pt; font-family: Arial, sans-serif; color: rgb(33, 37, 41); background-color: rgb(255, 255, 255); font-weight: 700; 
font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; font-variant-position: normal; vertical-align: baseline;">ID</span></p></td><td style="border-width: 0.833333pt; border-style: solid; border-color: rgb(223, 223, 223); vertical-align: bottom; background-color: rgb(242, 242, 242); padding: 5pt; overflow: hidden; overflow-wrap: break-word;"><p style="margin-top: 0pt; margin-bottom: 0pt; line-height: 1.38; text-align: center;"><span style="font-size: 12pt; font-family: Arial, sans-serif; color: rgb(33, 37, 41); background-color: rgb(255, 255, 255); font-weight: 700; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; font-variant-position: normal; vertical-align: baseline;">Mitigation</span></p></td><td style="border-width: 0.833333pt; border-style: solid; border-color: rgb(223, 223, 223); vertical-align: bottom; background-color: rgb(242, 242, 242); padding: 5pt; overflow: hidden; overflow-wrap: break-word;"><p style="margin-top: 0pt; margin-bottom: 0pt; line-height: 1.38; text-align: center;"><span style="font-size: 12pt; font-family: Arial, sans-serif; color: rgb(33, 37, 41); background-color: rgb(255, 255, 255); font-weight: 700; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; font-variant-position: normal; vertical-align: baseline;">Description</span></p></td></tr><tr style="height: 55.75pt;"><td style="border-width: 0.833333pt; border-style: solid; border-color: rgb(223, 223, 223); vertical-align: top; background-color: rgb(242, 242, 242); padding: 5pt; overflow: hidden; overflow-wrap: break-word;"><p style="margin-top: 0pt; margin-bottom: 0pt; line-height: 1.38;"><a href="https://attack.mitre.org/mitigations/M1042"><span style="font-size: 10pt; font-family: Arial, sans-serif; color: rgb(79, 124, 172); background-color: rgb(255, 255, 255); font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: 
normal; font-variant-position: normal; vertical-align: baseline;">M1042</span></a></p></td><td style="border-width: 0.833333pt; border-style: solid; border-color: rgb(223, 223, 223); vertical-align: top; background-color: rgb(242, 242, 242); padding: 5pt; overflow: hidden; overflow-wrap: break-word;"><p style="margin-top: 0pt; margin-bottom: 0pt; line-height: 1.38;"><a href="https://attack.mitre.org/mitigations/M1042"><span style="font-size: 10pt; font-family: Arial, sans-serif; color: rgb(79, 124, 172); background-color: rgb(255, 255, 255); font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; font-variant-position: normal; vertical-align: baseline;">Disable or Remove Feature or Program</span></a></p></td><td style="border-width: 0.833333pt; border-style: solid; border-color: rgb(223, 223, 223); vertical-align: top; background-color: rgb(242, 242, 242); padding: 5pt; overflow: hidden; overflow-wrap: break-word;"><p style="margin-top: 0pt; margin-bottom: 0pt; line-height: 1.38;"><span style="font-size: 10pt; font-family: Arial, sans-serif; color: rgb(33, 37, 41); background-color: rgb(255, 255, 255); font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; font-variant-position: normal; vertical-align: baseline;">Consider disabling functions from web technologies such as PHP’s </span><span style="font-size: 10pt; font-family: monospace; color: rgb(29, 34, 38); background-color: rgb(230, 230, 230); font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; font-variant-position: normal; vertical-align: baseline;">eval()</span><span style="font-size: 10pt; font-family: Arial, sans-serif; color: rgb(33, 37, 41); background-color: rgb(255, 255, 255); font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; font-variant-position: normal; vertical-align: baseline;"> that may be abused for web shells.</span><a href="https://itsyndicate.org/blog/disabling-dangerous-php-functions/"><span style="font-size: 10pt; font-family: Arial, sans-serif; color: rgb(79, 124, 172); background-color: rgb(255, 255, 255); font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; font-variant-position: normal; vertical-align: baseline;">[78]</span></a></p></td></tr><tr style="height: 42.25pt;"><td style="border-width: 0.833333pt; border-style: solid; border-color: rgb(223, 223, 223); vertical-align: top; background-color: rgb(242, 242, 242); padding: 5pt; overflow: hidden; overflow-wrap: break-word;"><p style="margin-top: 0pt; margin-bottom: 0pt; line-height: 1.38;"><a href="https://attack.mitre.org/mitigations/M1018"><span style="font-size: 10pt; font-family: Arial, sans-serif; color: rgb(79, 124, 172); background-color: rgb(255, 255, 255); font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; font-variant-position: normal; vertical-align: baseline;">M1018</span></a></p></td><td style="border-width: 0.833333pt; border-style: solid; border-color: rgb(223, 223, 223); vertical-align: top; background-color: rgb(242, 242, 242); padding: 5pt; overflow: hidden; overflow-wrap: break-word;"><p style="margin-top: 0pt; margin-bottom: 0pt; line-height: 1.38;"><a href="https://attack.mitre.org/mitigations/M1018"><span style="font-size: 10pt; font-family: Arial, sans-serif; color: rgb(79, 124, 172); background-color: rgb(255, 255, 255); font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; font-variant-position: normal; vertical-align: baseline;">User Account Management</span></a></p></td><td style="border-width: 0.833333pt; border-style: solid; border-color: rgb(223, 223, 223); vertical-align: top; background-color: rgb(242, 242, 242); padding: 5pt; overflow: hidden; overflow-wrap: break-word;"><p style="margin-top: 0pt; margin-bottom: 0pt; line-height: 1.38;"><span style="font-size: 10pt; font-family: Arial, sans-serif; color: rgb(33, 37, 41); background-color: rgb(255, 255, 255); font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; font-variant-position: normal; vertical-align: baseline;">Enforce the principle of least privilege by limiting privileges of user accounts so only authorized accounts can modify the web directory.</span><a href="https://media.defense.gov/2020/Jun/09/2002313081/-1/-1/0/CSI-DETECT-AND-PREVENT-WEB-SHELL-MALWARE-20200422.PDF"><span style="font-size: 10pt; font-family: Arial, sans-serif; color: rgb(79, 124, 172); background-color: rgb(255, 255, 255); font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; font-variant-position: normal; vertical-align: baseline;">[79]</span></a></p></td></tr></tbody></table></div><br><p style="margin-top: 0pt; margin-bottom: 0pt; line-height: 1.38;"><span style="font-size: 11pt; font-family: Arial, sans-serif; color: rgb(33, 37, 41); font-weight: 700; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; font-variant-position: normal; vertical-align: baseline;">T1090.002 - External Proxy</span></p><br><div align="left" style="margin-left: 0pt;"><table style="border: none; border-collapse: collapse;"><colgroup><col><col><col></colgroup><tbody><tr style="height: 37.75pt;"><td style="border-width: 0.833333pt; border-style: solid; border-color: rgb(223, 223, 223); vertical-align: bottom; background-color: rgb(242, 242, 242); padding: 5pt; overflow: hidden; overflow-wrap: break-word;"><p style="margin-top: 0pt; margin-bottom: 0pt; line-height: 1.38; text-align: center;"><span style="font-size: 12pt; font-family: Arial, sans-serif; color: rgb(33, 37, 41); background-color: rgb(255, 255, 255); font-weight: 700; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; font-variant-position: normal; vertical-align: 
baseline;">ID</span></p></td><td style="border-width: 0.833333pt; border-style: solid; border-color: rgb(223, 223, 223); vertical-align: bottom; background-color: rgb(242, 242, 242); padding: 5pt; overflow: hidden; overflow-wrap: break-word;"><p style="margin-top: 0pt; margin-bottom: 0pt; line-height: 1.38; text-align: center;"><span style="font-size: 12pt; font-family: Arial, sans-serif; color: rgb(33, 37, 41); background-color: rgb(255, 255, 255); font-weight: 700; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; font-variant-position: normal; vertical-align: baseline;">Mitigation</span></p></td><td style="border-width: 0.833333pt; border-style: solid; border-color: rgb(223, 223, 223); vertical-align: bottom; background-color: rgb(242, 242, 242); padding: 5pt; overflow: hidden; overflow-wrap: break-word;"><p style="margin-top: 0pt; margin-bottom: 0pt; line-height: 1.38; text-align: center;"><span style="font-size: 12pt; font-family: Arial, sans-serif; color: rgb(33, 37, 41); background-color: rgb(255, 255, 255); font-weight: 700; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; font-variant-position: normal; vertical-align: baseline;">Description</span></p></td></tr><tr style="height: 82pt;"><td style="border-width: 0.833333pt; border-style: solid; border-color: rgb(223, 223, 223); vertical-align: top; background-color: rgb(242, 242, 242); padding: 5pt; overflow: hidden; overflow-wrap: break-word;"><p style="margin-top: 0pt; margin-bottom: 0pt; line-height: 1.38;"><a href="https://attack.mitre.org/mitigations/M1031"><span style="font-size: 10pt; font-family: Arial, sans-serif; color: rgb(79, 124, 172); background-color: rgb(255, 255, 255); font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; font-variant-position: normal; vertical-align: baseline;">M1031</span></a></p></td><td style="border-width: 0.833333pt; border-style: 
solid; border-color: rgb(223, 223, 223); vertical-align: top; background-color: rgb(242, 242, 242); padding: 5pt; overflow: hidden; overflow-wrap: break-word;"><p style="margin-top: 0pt; margin-bottom: 0pt; line-height: 1.38;"><a href="https://attack.mitre.org/mitigations/M1031"><span style="font-size: 10pt; font-family: Arial, sans-serif; color: rgb(79, 124, 172); background-color: rgb(255, 255, 255); font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; font-variant-position: normal; vertical-align: baseline;">Network Intrusion Prevention</span></a></p></td><td style="border-width: 0.833333pt; border-style: solid; border-color: rgb(223, 223, 223); vertical-align: top; background-color: rgb(242, 242, 242); padding: 5pt; overflow: hidden; overflow-wrap: break-word;"><p style="margin-top: 0pt; margin-bottom: 0pt; line-height: 1.38;"><span style="font-size: 10pt; font-family: Arial, sans-serif; color: rgb(33, 37, 41); background-color: rgb(255, 255, 255); font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; font-variant-position: normal; vertical-align: baseline;">Network intrusion detection and prevention systems that use network signatures to identify traffic for specific adversary malware can be used to mitigate activity at the network level. Signatures are often for unique indicators within protocols and may be based on the specific C2 protocol used by a particular adversary or tool, and will likely be different across various malware families and versions. 
Adversaries will likely change tool C2 signatures over time or construct protocols in such a way as to avoid detection by common defensive tools.</span><a href="https://arxiv.org/ftp/arxiv/papers/1408/1408.1136.pdf"><span style="font-size: 10pt; font-family: Arial, sans-serif; color: rgb(79, 124, 172); background-color: rgb(255, 255, 255); font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; font-variant-position: normal; vertical-align: baseline;">[33]</span></a></p></td></tr></tbody></table></div><br><p style="margin-top: 0pt; margin-bottom: 0pt; line-height: 1.38;"><span style="font-size: 11pt; font-family: Arial, sans-serif; color: rgb(33, 37, 41); font-weight: 700; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; font-variant-position: normal; vertical-align: baseline;">T1059.006 - Python</span></p><br><div align="left" style="margin-left: 0pt;"><table style="border: none; border-collapse: collapse;"><colgroup><col><col><col></colgroup><tbody><tr style="height: 37.75pt;"><td style="border-width: 0.833333pt; border-style: solid; border-color: rgb(223, 223, 223); vertical-align: bottom; background-color: rgb(242, 242, 242); padding: 5pt; overflow: hidden; overflow-wrap: break-word;"><p style="margin-top: 0pt; margin-bottom: 0pt; line-height: 1.38; text-align: center;"><span style="font-size: 12pt; font-family: Arial, sans-serif; color: rgb(33, 37, 41); background-color: rgb(255, 255, 255); font-weight: 700; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; font-variant-position: normal; vertical-align: baseline;">ID</span></p></td><td style="border-width: 0.833333pt; border-style: solid; border-color: rgb(223, 223, 223); vertical-align: bottom; background-color: rgb(242, 242, 242); padding: 5pt; overflow: hidden; overflow-wrap: break-word;"><p style="margin-top: 0pt; margin-bottom: 0pt; line-height: 1.38; text-align: 
center;"><span style="font-size: 12pt; font-family: Arial, sans-serif; color: rgb(33, 37, 41); background-color: rgb(255, 255, 255); font-weight: 700; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; font-variant-position: normal; vertical-align: baseline;">Mitigation</span></p></td><td style="border-width: 0.833333pt; border-style: solid; border-color: rgb(223, 223, 223); vertical-align: bottom; background-color: rgb(242, 242, 242); padding: 5pt; overflow: hidden; overflow-wrap: break-word;"><p style="margin-top: 0pt; margin-bottom: 0pt; line-height: 1.38; text-align: center;"><span style="font-size: 12pt; font-family: Arial, sans-serif; color: rgb(33, 37, 41); background-color: rgb(255, 255, 255); font-weight: 700; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; font-variant-position: normal; vertical-align: baseline;">Description</span></p></td></tr><tr style="height: 42.25pt;"><td style="border-width: 0.833333pt; border-style: solid; border-color: rgb(223, 223, 223); vertical-align: top; background-color: rgb(242, 242, 242); padding: 5pt; overflow: hidden; overflow-wrap: break-word;"><p style="margin-top: 0pt; margin-bottom: 0pt; line-height: 1.38;"><a href="https://attack.mitre.org/mitigations/M1049"><span style="font-size: 10pt; font-family: Arial, sans-serif; color: rgb(79, 124, 172); background-color: rgb(255, 255, 255); font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; font-variant-position: normal; vertical-align: baseline;">M1049</span></a></p></td><td style="border-width: 0.833333pt; border-style: solid; border-color: rgb(223, 223, 223); vertical-align: top; background-color: rgb(242, 242, 242); padding: 5pt; overflow: hidden; overflow-wrap: break-word;"><p style="margin-top: 0pt; margin-bottom: 0pt; line-height: 1.38;"><a href="https://attack.mitre.org/mitigations/M1049"><span style="font-size: 10pt; font-family: 
Arial, sans-serif; color: rgb(79, 124, 172); background-color: rgb(255, 255, 255); font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; font-variant-position: normal; vertical-align: baseline;">Antivirus/Antimalware</span></a></p></td><td style="border-width: 0.833333pt; border-style: solid; border-color: rgb(223, 223, 223); vertical-align: top; background-color: rgb(242, 242, 242); padding: 5pt; overflow: hidden; overflow-wrap: break-word;"><p style="margin-top: 0pt; margin-bottom: 0pt; line-height: 1.38;"><span style="font-size: 10pt; font-family: Arial, sans-serif; color: rgb(33, 37, 41); background-color: rgb(255, 255, 255); font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; font-variant-position: normal; vertical-align: baseline;">Anti-virus can be used to automatically quarantine suspicious files.</span></p></td></tr><tr style="height: 42.25pt;"><td style="border-width: 0.833333pt; border-style: solid; border-color: rgb(223, 223, 223); vertical-align: top; background-color: rgb(242, 242, 242); padding: 5pt; overflow: hidden; overflow-wrap: break-word;"><p style="margin-top: 0pt; margin-bottom: 0pt; line-height: 1.38;"><a href="https://attack.mitre.org/mitigations/M1047"><span style="font-size: 10pt; font-family: Arial, sans-serif; color: rgb(79, 124, 172); background-color: rgb(255, 255, 255); font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; font-variant-position: normal; vertical-align: baseline;">M1047</span></a></p></td><td style="border-width: 0.833333pt; border-style: solid; border-color: rgb(223, 223, 223); vertical-align: top; background-color: rgb(242, 242, 242); padding: 5pt; overflow: hidden; overflow-wrap: break-word;"><p style="margin-top: 0pt; margin-bottom: 0pt; line-height: 1.38;"><a href="https://attack.mitre.org/mitigations/M1047"><span style="font-size: 10pt; font-family: Arial, sans-serif; color: rgb(79, 
124, 172); background-color: rgb(255, 255, 255); font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; font-variant-position: normal; vertical-align: baseline;">Audit</span></a></p></td><td style="border-width: 0.833333pt; border-style: solid; border-color: rgb(223, 223, 223); vertical-align: top; background-color: rgb(242, 242, 242); padding: 5pt; overflow: hidden; overflow-wrap: break-word;"><p style="margin-top: 0pt; margin-bottom: 0pt; line-height: 1.38;"><span style="font-size: 10pt; font-family: Arial, sans-serif; color: rgb(33, 37, 41); background-color: rgb(255, 255, 255); font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; font-variant-position: normal; vertical-align: baseline;">Inventory systems for unauthorized Python installations.</span></p></td></tr><tr style="height: 42.25pt;"><td style="border-width: 0.833333pt; border-style: solid; border-color: rgb(223, 223, 223); vertical-align: top; background-color: rgb(242, 242, 242); padding: 5pt; overflow: hidden; overflow-wrap: break-word;"><p style="margin-top: 0pt; margin-bottom: 0pt; line-height: 1.38;"><a href="https://attack.mitre.org/mitigations/M1038"><span style="font-size: 10pt; font-family: Arial, sans-serif; color: rgb(79, 124, 172); background-color: rgb(255, 255, 255); font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; font-variant-position: normal; vertical-align: baseline;">M1038</span></a></p></td><td style="border-width: 0.833333pt; border-style: solid; border-color: rgb(223, 223, 223); vertical-align: top; background-color: rgb(242, 242, 242); padding: 5pt; overflow: hidden; overflow-wrap: break-word;"><p style="margin-top: 0pt; margin-bottom: 0pt; line-height: 1.38;"><a href="https://attack.mitre.org/mitigations/M1038"><span style="font-size: 10pt; font-family: Arial, sans-serif; color: rgb(79, 124, 172); background-color: rgb(255, 255, 255); 
font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; font-variant-position: normal; vertical-align: baseline;">Execution Prevention</span></a></p></td><td style="border-width: 0.833333pt; border-style: solid; border-color: rgb(223, 223, 223); vertical-align: top; background-color: rgb(242, 242, 242); padding: 5pt; overflow: hidden; overflow-wrap: break-word;"><p style="margin-top: 0pt; margin-bottom: 0pt; line-height: 1.38;"><span style="font-size: 10pt; font-family: Arial, sans-serif; color: rgb(33, 37, 41); background-color: rgb(255, 255, 255); font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; font-variant-position: normal; vertical-align: baseline;">Denylist Python where not required.</span></p></td></tr><tr style="height: 42.25pt;"><td style="border-width: 0.833333pt; border-style: solid; border-color: rgb(223, 223, 223); vertical-align: top; background-color: rgb(242, 242, 242); padding: 5pt; overflow: hidden; overflow-wrap: break-word;"><p style="margin-top: 0pt; margin-bottom: 0pt; line-height: 1.38;"><a href="https://attack.mitre.org/mitigations/M1033"><span style="font-size: 10pt; font-family: Arial, sans-serif; color: rgb(79, 124, 172); background-color: rgb(255, 255, 255); font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; font-variant-position: normal; vertical-align: baseline;">M1033</span></a></p></td><td style="border-width: 0.833333pt; border-style: solid; border-color: rgb(223, 223, 223); vertical-align: top; background-color: rgb(242, 242, 242); padding: 5pt; overflow: hidden; overflow-wrap: break-word;"><p style="margin-top: 0pt; margin-bottom: 0pt; line-height: 1.38;"><a href="https://attack.mitre.org/mitigations/M1033"><span style="font-size: 10pt; font-family: Arial, sans-serif; color: rgb(79, 124, 172); background-color: rgb(255, 255, 255); font-variant-numeric: normal; font-variant-east-asian: normal; 
font-variant-alternates: normal; font-variant-position: normal; vertical-align: baseline;">Limit Software Installation</span></a></p></td><td style="border-width: 0.833333pt; border-style: solid; border-color: rgb(223, 223, 223); vertical-align: top; background-color: rgb(242, 242, 242); padding: 5pt; overflow: hidden; overflow-wrap: break-word;"><p style="margin-top: 0pt; margin-bottom: 0pt; line-height: 1.38;"><span style="font-size: 10pt; font-family: Arial, sans-serif; color: rgb(33, 37, 41); background-color: rgb(255, 255, 255); font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; font-variant-position: normal; vertical-align: baseline;">Prevent users from installing Python where not required.</span></p></td></tr></tbody></table></div><br><p style="margin-top: 0pt; margin-bottom: 0pt; line-height: 1.38;"><span style="font-size: 11pt; font-family: Arial, sans-serif; color: rgb(33, 37, 41); font-weight: 700; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; font-variant-position: normal; vertical-align: baseline;">T1071.001 - Web Protocols</span></p><br><div align="left" style="margin-left: 0pt;"><table style="border: none; border-collapse: collapse;"><colgroup><col><col><col></colgroup><tbody><tr style="height: 37.75pt;"><td style="border-width: 0.833333pt; border-style: solid; border-color: rgb(223, 223, 223); vertical-align: bottom; background-color: rgb(242, 242, 242); padding: 5pt; overflow: hidden; overflow-wrap: break-word;"><p style="margin-top: 0pt; margin-bottom: 0pt; line-height: 1.38; text-align: center;"><span style="font-size: 12pt; font-family: Arial, sans-serif; color: rgb(33, 37, 41); background-color: rgb(255, 255, 255); font-weight: 700; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; font-variant-position: normal; vertical-align: baseline;">ID</span></p></td><td style="border-width: 0.833333pt; border-style: 
solid; border-color: rgb(223, 223, 223); vertical-align: bottom; background-color: rgb(242, 242, 242); padding: 5pt; overflow: hidden; overflow-wrap: break-word;"><p style="margin-top: 0pt; margin-bottom: 0pt; line-height: 1.38; text-align: center;"><span style="font-size: 12pt; font-family: Arial, sans-serif; color: rgb(33, 37, 41); background-color: rgb(255, 255, 255); font-weight: 700; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; font-variant-position: normal; vertical-align: baseline;">Mitigation</span></p></td><td style="border-width: 0.833333pt; border-style: solid; border-color: rgb(223, 223, 223); vertical-align: bottom; background-color: rgb(242, 242, 242); padding: 5pt; overflow: hidden; overflow-wrap: break-word;"><p style="margin-top: 0pt; margin-bottom: 0pt; line-height: 1.38; text-align: center;"><span style="font-size: 12pt; font-family: Arial, sans-serif; color: rgb(33, 37, 41); background-color: rgb(255, 255, 255); font-weight: 700; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; font-variant-position: normal; vertical-align: baseline;">Description</span></p></td></tr><tr style="height: 68.5pt;"><td style="border-width: 0.833333pt; border-style: solid; border-color: rgb(223, 223, 223); vertical-align: top; background-color: rgb(242, 242, 242); padding: 5pt; overflow: hidden; overflow-wrap: break-word;"><p style="margin-top: 0pt; margin-bottom: 0pt; line-height: 1.38;"><a href="https://attack.mitre.org/mitigations/M1037"><span style="font-size: 10pt; font-family: Arial, sans-serif; color: rgb(79, 124, 172); background-color: rgb(255, 255, 255); font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; font-variant-position: normal; vertical-align: baseline;">M1037</span></a></p></td><td style="border-width: 0.833333pt; border-style: solid; border-color: rgb(223, 223, 223); vertical-align: top; background-color: 
rgb(242, 242, 242); padding: 5pt; overflow: hidden; overflow-wrap: break-word;"><p style="margin-top: 0pt; margin-bottom: 0pt; line-height: 1.38;"><a href="https://attack.mitre.org/mitigations/M1037"><span style="font-size: 10pt; font-family: Arial, sans-serif; color: rgb(79, 124, 172); background-color: rgb(255, 255, 255); font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; font-variant-position: normal; vertical-align: baseline;">Filter Network Traffic</span></a></p></td><td style="border-width: 0.833333pt; border-style: solid; border-color: rgb(223, 223, 223); vertical-align: top; background-color: rgb(242, 242, 242); padding: 5pt; overflow: hidden; overflow-wrap: break-word;"><p style="margin-top: 0pt; margin-bottom: 0pt; line-height: 1.38;"><span style="font-size: 10pt; font-family: Arial, sans-serif; color: rgb(33, 37, 41); background-color: rgb(255, 255, 255); font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; font-variant-position: normal; vertical-align: baseline;">Restrict and monitor outbound web traffic (HTTP/HTTPS) from critical servers to only approved destinations. 
Limiting the ability to initiate outbound HTTP/HTTPS connections, especially from public-facing servers, can prevent attackers from using tools like curl or wget to communicate with external C2 servers or download malicious payloads.</span></p></td></tr><tr style="height: 55.75pt;"><td style="border-width: 0.833333pt; border-style: solid; border-color: rgb(223, 223, 223); vertical-align: top; background-color: rgb(242, 242, 242); padding: 5pt; overflow: hidden; overflow-wrap: break-word;"><p style="margin-top: 0pt; margin-bottom: 0pt; line-height: 1.38;"><a href="https://attack.mitre.org/mitigations/M1031"><span style="font-size: 10pt; font-family: Arial, sans-serif; color: rgb(79, 124, 172); background-color: rgb(255, 255, 255); font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; font-variant-position: normal; vertical-align: baseline;">M1031</span></a></p></td><td style="border-width: 0.833333pt; border-style: solid; border-color: rgb(223, 223, 223); vertical-align: top; background-color: rgb(242, 242, 242); padding: 5pt; overflow: hidden; overflow-wrap: break-word;"><p style="margin-top: 0pt; margin-bottom: 0pt; line-height: 1.38;"><a href="https://attack.mitre.org/mitigations/M1031"><span style="font-size: 10pt; font-family: Arial, sans-serif; color: rgb(79, 124, 172); background-color: rgb(255, 255, 255); font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; font-variant-position: normal; vertical-align: baseline;">Network Intrusion Prevention</span></a></p></td><td style="border-width: 0.833333pt; border-style: solid; border-color: rgb(223, 223, 223); vertical-align: top; background-color: rgb(242, 242, 242); padding: 5pt; overflow: hidden; overflow-wrap: break-word;"><p style="margin-top: 0pt; margin-bottom: 0pt; line-height: 1.38;"><span style="font-size: 10pt; font-family: Arial, sans-serif; color: rgb(33, 37, 41); background-color: rgb(255, 255, 255); 
font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; font-variant-position: normal; vertical-align: baseline;">Network intrusion detection and prevention systems that use network signatures to identify traffic for specific adversary malware can be used to mitigate activity at the network level.</span></p></td></tr></tbody></table></div>
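<p style="margin-top: 12pt; margin-bottom: 12pt; line-height: 1.38;"><span style="font-size: 11pt; font-family: Arial, sans-serif; color: rgb(33, 37, 41); font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; font-variant-position: normal; vertical-align: baseline;">The following POSIX shell script is an added example, not code from the original page or from the MITRE ATT&amp;CK entries it cites. It turns the M1042 and M1018 rows of the T1505.003 web shell table above into two checks a server owner can run. The first reads a php.ini and reports which of the command-execution functions a web shell depends on (exec, passthru, shell_exec, system, proc_open, popen) are still missing from disable_functions; eval() is deliberately not on that list because it is a language construct and disable_functions cannot block it. The second lists everything under the web root that is group- or world-writable and, when an account name is given, everything owned by the web server account, since a web root the server process can write to is what lets an upload become a web shell. The php.ini path, web root and account name (www-data) are assumptions supplied by the caller; the make_sample function builds a constructed tree, with a weak and a hardened php.ini and a world-writable upload directory, so the checks can be tried offline.</span></p>

```shell
#!/bin/sh
# Added example, not code from the original page or from MITRE ATT&CK.
# Two checks for the M1042 and M1018 web shell mitigations:
#   check_disable_functions PHP_INI   - which command-execution functions
#                                       are still callable from PHP
#   audit_webroot DIR [WEBUSER]       - which paths under the web root a
#                                       compromised server process could write
# Assumptions (hypothetical): php.ini path, web root and account name are
# supplied by the caller; make_sample builds a constructed tree for a demo.

# Functions a PHP web shell needs to run OS commands. eval() is NOT here:
# it is a language construct and disable_functions cannot block it.
DANGEROUS_FUNCS="exec passthru shell_exec system proc_open popen"

# Print each dangerous function missing from disable_functions in PHP_INI.
# Returns 0 when all of them are disabled, 1 otherwise.
check_disable_functions() {
    ini="$1"
    # Last uncommented disable_functions line; keep the value, drop quotes,
    # trailing ';' comments and commas so the names become shell words.
    disabled=$(grep -E '^[[:space:]]*disable_functions[[:space:]]*=' "$ini" \
        | tail -n 1 | sed -e 's/;.*//' -e 's/^[^=]*=//' -e "s/[\"']//g" | tr ',' ' ')
    rc=0
    for f in $DANGEROUS_FUNCS; do
        found=0
        for d in $disabled; do
            [ "$d" = "$f" ] && found=1
        done
        if [ "$found" -eq 0 ]; then
            echo "MISSING: $f is not in disable_functions"
            rc=1
        fi
    done
    return $rc
}

# Print paths under DIR that are group- or world-writable and, when WEBUSER
# is given and exists on this host, paths owned by that account (an owner
# can always chmod its own files, so ownership by the server process is
# itself a finding). Returns 0 when nothing is found, 1 otherwise.
audit_webroot() {
    dir="$1"; web_user="${2:-}"
    rc=0
    hits=$(find "$dir" \( -perm -g+w -o -perm -o+w \) -print)
    if [ -n "$hits" ]; then
        echo "$hits" | sed 's/^/WRITABLE: /'
        rc=1
    fi
    if [ -n "$web_user" ] && id "$web_user" >/dev/null 2>&1; then
        owned=$(find "$dir" -user "$web_user" -print)
        if [ -n "$owned" ]; then
            echo "$owned" | sed "s/^/OWNED-BY-$web_user: /"
            rc=1
        fi
    fi
    return $rc
}

# Build a constructed sample under BASE: a weak php.ini, a hardened one,
# and a web root with a world-writable upload directory and file.
make_sample() {
    base="$1"
    mkdir -p "$base/webroot/uploads" "$base/webroot/app"
    printf '[PHP]\n; constructed sample: only two functions disabled\ndisable_functions = exec,passthru\n' \
        > "$base/weak.ini"
    printf '[PHP]\ndisable_functions = "exec, passthru, shell_exec, system, proc_open, popen"\n' \
        > "$base/hardened.ini"
    printf '<?php echo "ok";\n' > "$base/webroot/app/index.php"
    printf 'placeholder\n' > "$base/webroot/uploads/avatar.png"
    chmod 755 "$base/webroot" "$base/webroot/app"
    chmod 644 "$base/webroot/app/index.php"
    chmod 777 "$base/webroot/uploads"            # the misconfiguration to catch
    chmod 666 "$base/webroot/uploads/avatar.png"
}

# Usage: sh webshell_hardening_check.sh /etc/php/8.2/fpm/php.ini /var/www/html www-data
if [ $# -ge 2 ]; then
    check_disable_functions "$1"
    audit_webroot "$2" "${3:-}"
fi
```

<p style="margin-top: 12pt; margin-bottom: 12pt; line-height: 1.38;"><span style="font-size: 11pt; font-family: Arial, sans-serif; color: rgb(33, 37, 41); font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; font-variant-position: normal; vertical-align: baseline;">Run against the constructed sample, the weak php.ini produces four MISSING lines and the hardened one none, and the audit flags the uploads directory and the file inside it while leaving app/index.php alone. On a real host, the upload directory usually does need to be writable by the web server account; the follow-up is then to make sure PHP is not executed from that directory at all (for example by denying script handlers for it in the web server configuration), which the script leaves to the operator.</span></p>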
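<p style="margin-top: 12pt; margin-bottom: 12pt; line-height: 1.38;"><span style="font-size: 11pt; font-family: Arial, sans-serif; color: rgb(33, 37, 41); font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; font-variant-position: normal; vertical-align: baseline;">The M1037 row of the T1071.001 table above asks for outbound HTTP/HTTPS from public-facing servers to be restricted to approved destinations. The shell script below is an added example, not code from the original page or from any vendor, of what that looks like as an nftables egress policy: only the web server account may open outbound connections on ports 80 and 443, only to an explicit allowlist of addresses, and every other new outbound connection is logged with an EGRESS-DROP prefix and dropped, which is exactly what stops a web shell from using curl or wget to reach a C2 host or fetch a second-stage payload. The numeric uid 33 (www-data on Debian), the internal resolver 10.0.0.53, the IPv4-only allowlist format and the file names are assumptions; the write_sample_allowlist function writes a constructed allowlist so the generator can be tried offline. The generator refuses any allowlist entry that is not digits and dots, so a stray line cannot become a rule of its own.</span></p>

```shell
#!/bin/sh
# Added example, not code from the original page. Generates an nftables
# egress policy for the M1037 mitigation: only the web server account may
# open outbound HTTP/HTTPS connections, only to an allowlist of addresses,
# and every other new outbound connection is logged and dropped.
# Assumptions (hypothetical): web server uid 33 (www-data on Debian),
# internal resolver 10.0.0.53, allowlist file with one IPv4 address per
# line ('#' starts a comment). Apply the output with: nft -f egress.nft

# Print the ruleset for WEB_UID, RESOLVER and ALLOW_FILE to stdout.
# Returns 1 and prints nothing usable if an input would not be a safe
# literal inside the generated file.
gen_egress_ruleset() {
    web_uid="$1"; resolver="$2"; allow_file="$3"
    case "$web_uid" in
        ''|*[!0-9]*) echo "web uid must be numeric, got '$web_uid'" >&2; return 1 ;;
    esac
    case "$resolver" in
        ''|*[!0-9.]*) echo "resolver must be an IPv4 literal, got '$resolver'" >&2; return 1 ;;
    esac
    # Collapse the allowlist into "a.b.c.d, e.f.g.h" for the nft set literal,
    # rejecting anything that is not digits and dots (no way to smuggle a rule in).
    elems=$(awk '
        { sub(/#.*/, "") }                     # strip comments
        NF == 0 { next }                       # skip blank lines
        NF != 1 || $1 !~ /^[0-9.]+$/ { bad = bad " " $0; next }
        { printf "%s%s", (n++ ? ", " : ""), $1 }
        END { if (bad != "") { print "rejected allowlist entries:" bad > "/dev/stderr"; exit 1 } }
    ' "$allow_file") || return 1
    [ -n "$elems" ] || { echo "allowlist is empty" >&2; return 1; }
    cat <<EOF
#!/usr/sbin/nft -f
table inet egress {
    set allowed_web {
        type ipv4_addr
        elements = { $elems }
    }

    chain output {
        type filter hook output priority 0; policy drop;

        # Replies on connections that were already permitted, and loopback.
        ct state established,related accept
        oif lo accept

        # Name resolution, but only to the internal resolver.
        ip daddr $resolver udp dport 53 accept
        ip daddr $resolver tcp dport 53 accept

        # The web server process may reach approved HTTP/HTTPS endpoints only.
        meta skuid $web_uid ip daddr @allowed_web tcp dport { 80, 443 } accept

        # Anything else trying to leave the host is recorded, then dropped.
        ct state new log prefix "EGRESS-DROP " counter drop
    }
}
EOF
}

# Write a constructed allowlist to FILE so the generator can be tried offline.
write_sample_allowlist() {
    printf '# constructed sample\n203.0.113.10\n203.0.113.20   # payment gateway\n\n' > "$1"
}

# Usage: sh gen_egress.sh 33 10.0.0.53 allow.txt > egress.nft
if [ $# -eq 3 ]; then
    gen_egress_ruleset "$1" "$2" "$3"
fi
```

<p style="margin-top: 12pt; margin-bottom: 12pt; line-height: 1.38;"><span style="font-size: 11pt; font-family: Arial, sans-serif; color: rgb(33, 37, 41); font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; font-variant-position: normal; vertical-align: baseline;">Two caveats before deploying a ruleset like this. The drop policy applies to the whole host, so package updates, NTP, log forwarding and any monitoring agent need their own explicit accept rules, ideally bound to the uid of the process that performs them in the same way the web server rule is. And because the match is on the socket owner, the policy constrains a foothold that runs as the web server account; an attacker who has already escalated to root can simply rewrite the ruleset, so the EGRESS-DROP log lines are worth forwarding off the host and alerting on rather than only keeping locally.</span></p>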