SOC Incident Toolkit
Back to Campaigns
North Korean Konni Group s DevSupply Campaign

North Korean Konni Group s DevSupply Campaign

KonniDPRKAIGeneratedMalwareSupplyChainRiskBlockchainSecurity

Campaign is an advanced cyber espionage campaign attributed to the North Korea-linked Konni group, targeting blockchain and cryptocurrency developers. The campaign spreads through phishing content disguised as developer projects or collaboration offers. Victims are lured into executing an AI-generated PowerShell backdoor that evades analysis, establishes persistence via scheduled tasks, disables security controls, and connects to attacker infrastructure. The objective is to access developer environments, source code, API keys, and sensitive digital asset data.

APT Groups

Kimsuky

KR

Opal Sleet

KP

Notes

<span id="docs-internal-guid-d980bfee-7fff-ccca-815e-1c5b9f743836"><p style="line-height:1.38;margin-top:0pt;margin-bottom:0pt;"><span style="font-size: 11pt; font-family: Arial, sans-serif; color: rgb(0, 0, 0); font-weight: 700; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; font-variant-position: normal; vertical-align: baseline;">CONCLUSION<br></span><span style="color: rgb(0, 0, 0); font-family: Arial, sans-serif; font-size: 11pt; font-weight: 700;"><br><span style="letter-spacing: -0.00833em;">Defending the Modern Development Lifecycle</span></span></p><p style="line-height:1.38;margin-top:12pt;margin-bottom:12pt;"><span style="font-size: 11pt; font-family: Arial, sans-serif; color: rgb(0, 0, 0); font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; font-variant-position: normal; vertical-align: baseline;">The </span><span style="font-size: 11pt; font-family: Arial, sans-serif; color: rgb(0, 0, 0); font-weight: 700; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; font-variant-position: normal; vertical-align: baseline;">Konni DevSupply</span><span style="font-size: 11pt; font-family: Arial, sans-serif; color: rgb(0, 0, 0); font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; font-variant-position: normal; vertical-align: baseline;"> campaign is a stark reminder that the "human element" in the software supply chain—the developers themselves—remains a primary target for sophisticated APT groups. By integrating </span><span style="font-size: 11pt; font-family: Arial, sans-serif; color: rgb(0, 0, 0); font-weight: 700; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; font-variant-position: normal; vertical-align: baseline;">AI-assisted development</span><span style="font-size: 11pt; font-family: Arial, sans-serif; color: rgb(0, 0, 0); font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; font-variant-position: normal; vertical-align: baseline;"> into their arsenal, attackers have increased both the speed and the deceptive quality of their malicious payloads, making traditional detection methods increasingly obsolete.</span></p><p style="line-height:1.38;margin-top:12pt;margin-bottom:12pt;"><span style="font-size: 11pt; font-family: Arial, sans-serif; color: rgb(0, 0, 0); font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; font-variant-position: normal; vertical-align: baseline;">A successful defense requires more than just awareness; it necessitates an integrated, proactive security posture that monitors both external threats and internal behaviors.<br></span><span style="color: rgb(0, 0, 0); font-family: Arial, sans-serif; font-size: 11pt;"><br><b>The SOCRadar Advantage</b></span></p><p style="line-height:1.38;margin-top:12pt;margin-bottom:12pt;"><span style="font-size: 11pt; font-family: Arial, sans-serif; color: rgb(0, 0, 0); font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; font-variant-position: normal; vertical-align: baseline;">SOCRadar’s ecosystem provides a comprehensive shield against the specific tactics used in the DevSupply campaign:</span></p><ul style="margin-top:0;margin-bottom:0;"><li style="list-style-type: disc; font-size: 11pt; font-family: Arial, sans-serif; color: rgb(0, 0, 0); font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; font-variant-position: normal; vertical-align: baseline; white-space: pre;"><p style="line-height:1.38;margin-top:12pt;margin-bottom:0pt;" role="presentation"><span style="font-size: 11pt; color: rgb(0, 0, 0); font-weight: 700; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; font-variant-position: normal; vertical-align: baseline;">Continuous Visibility:</span><span style="font-size: 11pt; color: rgb(0, 0, 0); font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; font-variant-position: normal; vertical-align: baseline;"> </span><span style="font-size: 11pt; color: rgb(0, 0, 0); font-weight: 700; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; font-variant-position: normal; vertical-align: baseline;">Cyber</span><span style="font-size: 11pt; color: rgb(0, 0, 0); font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; font-variant-position: normal; vertical-align: baseline;"> </span><span style="font-size: 11pt; color: rgb(0, 0, 0); font-weight: 700; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; font-variant-position: normal; vertical-align: baseline;">Threat Intelligence</span><span style="font-size: 11pt; color: rgb(0, 0, 0); font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; font-variant-position: normal; vertical-align: baseline;"> module ensures you aren't hunting in the dark, providing updated IoCs to preemptively block Konni’s evolving infrastructure.</span></p></li><li style="list-style-type: disc; font-size: 11pt; font-family: Arial, sans-serif; color: rgb(0, 0, 0); font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; font-variant-position: normal; vertical-align: baseline; white-space: pre;"><p style="line-height:1.38;margin-top:0pt;margin-bottom:0pt;" role="presentation"><span style="font-size: 11pt; color: rgb(0, 0, 0); font-weight: 700; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; font-variant-position: normal; vertical-align: baseline;">Behavioral Detection:</span><span style="font-size: 11pt; color: rgb(0, 0, 0); font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; font-variant-position: normal; vertical-align: baseline;"> Through </span><span style="font-size: 11pt; color: rgb(0, 0, 0); font-weight: 700; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; font-variant-position: normal; vertical-align: baseline;">Threat Hunting</span><span style="font-size: 11pt; color: rgb(0, 0, 0); font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; font-variant-position: normal; vertical-align: baseline;">, teams can spot the subtle "fingerprints" of an intrusion, such as persistence scripts, even when the initial malware is unknown.</span></p></li><li style="list-style-type: disc; font-size: 11pt; font-family: Arial, sans-serif; color: rgb(0, 0, 0); font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; font-variant-position: normal; vertical-align: baseline; white-space: pre;"><p style="line-height:1.38;margin-top:0pt;margin-bottom:0pt;" role="presentation"><span style="font-size: 11pt; color: rgb(0, 0, 0); font-weight: 700; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; font-variant-position: normal; vertical-align: baseline;">External Safeguards:</span><span style="font-size: 11pt; color: rgb(0, 0, 0); font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; font-variant-position: normal; vertical-align: baseline;"> </span><span style="font-size: 11pt; color: rgb(0, 0, 0); font-weight: 700; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; font-variant-position: normal; vertical-align: baseline;">Digital Risk Protection</span><span style="font-size: 11pt; color: rgb(0, 0, 0); font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; font-variant-position: normal; vertical-align: baseline;"> acts as an early warning system, flagging the phishing domains and fake personas used to trick developers.</span></p></li><li style="list-style-type: disc; font-size: 11pt; font-family: Arial, sans-serif; color: rgb(0, 0, 0); font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; font-variant-position: normal; vertical-align: baseline; white-space: pre;"><p style="line-height:1.38;margin-top:0pt;margin-bottom:12pt;" role="presentation"><span style="font-size: 11pt; color: rgb(0, 0, 0); font-weight: 700; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; font-variant-position: normal; vertical-align: baseline;">Risk Reduction:</span><span style="font-size: 11pt; color: rgb(0, 0, 0); font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; font-variant-position: normal; vertical-align: baseline;"> </span><span style="font-size: 11pt; color: rgb(0, 0, 0); font-weight: 700; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; font-variant-position: normal; vertical-align: baseline;">Attack Surface Management</span><span style="font-size: 11pt; color: rgb(0, 0, 0); font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; font-variant-position: normal; vertical-align: baseline;"> ensures that the tools and environments developers use are hardened and monitored, minimizing the entry points available to attackers.</span></p></li></ul><p style="line-height:1.38;margin-left: 30pt;margin-right: 30pt;margin-top:12pt;margin-bottom:12pt;"><span style="font-size: 11pt; font-family: Arial, sans-serif; color: rgb(0, 0, 0); font-weight: 700; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; font-variant-position: normal; vertical-align: baseline;">Final Thought:</span><span style="font-size: 11pt; font-family: Arial, sans-serif; color: rgb(0, 0, 0); font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; font-variant-position: normal; vertical-align: baseline;"> As APT groups operationalize AI to weaponize the supply chain, organizations must counter with AI-driven intelligence. SOCRadar ensures that your security teams move at the same speed as your adversaries, protecting your code, your people, and your reputation.</span></p><div><span style="font-size: 11pt; font-family: Arial, sans-serif; color: rgb(0, 0, 0); font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; font-variant-position: normal; vertical-align: baseline;"><br></span></div></span>

Mitigation

<span id="docs-internal-guid-dd21bd74-7fff-7b7d-9976-0e564d49c131"><p style="line-height:1.38;margin-top:0pt;margin-bottom:0pt;"><span style="font-size: 11pt; font-family: Arial, sans-serif; color: rgb(0, 0, 0); font-weight: 700; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; font-variant-position: normal; vertical-align: baseline;">MITIGATION</span></p><br><p style="line-height:1.38;margin-top:0pt;margin-bottom:0pt;"><span style="font-size: 11pt; font-family: Arial, sans-serif; color: rgb(0, 0, 0); font-weight: 700; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; font-variant-position: normal; vertical-align: baseline;">Spearphishing Link (T1566.002)</span></p><br><div style="margin-left:0pt;" align="left"><table style="border:none;border-collapse:collapse;"><colgroup><col><col><col></colgroup><tbody><tr style="height:37.75pt;"><td style="border-left:solid #dfdfdf 0.8333325pt;border-right:solid #dfdfdf 0.8333325pt;border-bottom:solid #dfdfdf 0.8333325pt;border-top:solid #dfdfdf 0.8333325pt;vertical-align:bottom;background-color:#f2f2f2;padding:5pt 5pt 5pt 5pt;overflow:hidden;overflow-wrap:break-word;"><p style="line-height:1.38;text-align: center;margin-top:0pt;margin-bottom:0pt;"><span style="font-size: 12pt; font-family: Arial, sans-serif; color: rgb(33, 37, 41); font-weight: 700; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; font-variant-position: normal; vertical-align: baseline;">ID</span></p></td><td style="border-left:solid #dfdfdf 0.8333325pt;border-right:solid #dfdfdf 0.8333325pt;border-bottom:solid #dfdfdf 0.8333325pt;border-top:solid #dfdfdf 0.8333325pt;vertical-align:bottom;background-color:#f2f2f2;padding:5pt 5pt 5pt 5pt;overflow:hidden;overflow-wrap:break-word;"><p style="line-height:1.38;text-align: center;margin-top:0pt;margin-bottom:0pt;"><span style="font-size: 12pt; font-family: Arial, sans-serif; color: rgb(33, 37, 41); font-weight: 700; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; font-variant-position: normal; vertical-align: baseline;">Mitigation</span></p></td><td style="border-left:solid #dfdfdf 0.8333325pt;border-right:solid #dfdfdf 0.8333325pt;border-bottom:solid #dfdfdf 0.8333325pt;border-top:solid #dfdfdf 0.8333325pt;vertical-align:bottom;background-color:#f2f2f2;padding:5pt 5pt 5pt 5pt;overflow:hidden;overflow-wrap:break-word;"><p style="line-height:1.38;text-align: center;margin-top:0pt;margin-bottom:0pt;"><span style="font-size: 12pt; font-family: Arial, sans-serif; color: rgb(33, 37, 41); font-weight: 700; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; font-variant-position: normal; vertical-align: baseline;">Description</span></p></td></tr><tr style="height:42.25pt;"><td style="border-left:solid #dfdfdf 0.8333325pt;border-right:solid #dfdfdf 0.8333325pt;border-bottom:solid #dfdfdf 0.8333325pt;border-top:solid #dfdfdf 0.8333325pt;vertical-align:top;background-color:#f2f2f2;padding:5pt 5pt 5pt 5pt;overflow:hidden;overflow-wrap:break-word;"><p style="line-height:1.38;margin-top:0pt;margin-bottom:0pt;"><a href="https://attack.mitre.org/mitigations/M1047"><span style="font-size: 10pt; font-family: Arial, sans-serif; color: rgb(79, 124, 172); font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; font-variant-position: normal; vertical-align: baseline;">M1047</span></a></p></td><td style="border-left:solid #dfdfdf 0.8333325pt;border-right:solid #dfdfdf 0.8333325pt;border-bottom:solid #dfdfdf 0.8333325pt;border-top:solid #dfdfdf 0.8333325pt;vertical-align:top;background-color:#f2f2f2;padding:5pt 5pt 5pt 5pt;overflow:hidden;overflow-wrap:break-word;"><p style="line-height:1.38;margin-top:0pt;margin-bottom:0pt;"><a href="https://attack.mitre.org/mitigations/M1047"><span style="font-size: 10pt; font-family: Arial, sans-serif; color: rgb(79, 124, 172); font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; font-variant-position: normal; vertical-align: baseline;">Audit</span></a></p></td><td style="border-left:solid #dfdfdf 0.8333325pt;border-right:solid #dfdfdf 0.8333325pt;border-bottom:solid #dfdfdf 0.8333325pt;border-top:solid #dfdfdf 0.8333325pt;vertical-align:top;background-color:#f2f2f2;padding:5pt 5pt 5pt 5pt;overflow:hidden;overflow-wrap:break-word;"><p style="line-height:1.38;margin-top:0pt;margin-bottom:0pt;"><span style="font-size: 10pt; font-family: Arial, sans-serif; color: rgb(33, 37, 41); font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; font-variant-position: normal; vertical-align: baseline;">Audit applications and their permissions to ensure access to data and resources are limited based upon necessity and principle of least privilege.</span></p></td></tr><tr style="height:55.75pt;"><td style="border-left:solid #dfdfdf 0.8333325pt;border-right:solid #dfdfdf 0.8333325pt;border-bottom:solid #dfdfdf 0.8333325pt;border-top:solid #dfdfdf 0.8333325pt;vertical-align:top;background-color:#f2f2f2;padding:5pt 5pt 5pt 5pt;overflow:hidden;overflow-wrap:break-word;"><p style="line-height:1.38;margin-top:0pt;margin-bottom:0pt;"><a href="https://attack.mitre.org/mitigations/M1021"><span style="font-size: 10pt; font-family: Arial, sans-serif; color: rgb(79, 124, 172); font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; font-variant-position: normal; vertical-align: baseline;">M1021</span></a></p></td><td style="border-left:solid #dfdfdf 0.8333325pt;border-right:solid #dfdfdf 0.8333325pt;border-bottom:solid #dfdfdf 0.8333325pt;border-top:solid #dfdfdf 0.8333325pt;vertical-align:top;background-color:#f2f2f2;padding:5pt 5pt 5pt 5pt;overflow:hidden;overflow-wrap:break-word;"><p style="line-height:1.38;margin-top:0pt;margin-bottom:0pt;"><a href="https://attack.mitre.org/mitigations/M1021"><span style="font-size: 10pt; font-family: Arial, sans-serif; color: rgb(79, 124, 172); font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; font-variant-position: normal; vertical-align: baseline;">Restrict Web-Based Content</span></a></p></td><td style="border-left:solid #dfdfdf 0.8333325pt;border-right:solid #dfdfdf 0.8333325pt;border-bottom:solid #dfdfdf 0.8333325pt;border-top:solid #dfdfdf 0.8333325pt;vertical-align:top;background-color:#f2f2f2;padding:5pt 5pt 5pt 5pt;overflow:hidden;overflow-wrap:break-word;"><p style="line-height:1.38;margin-top:0pt;margin-bottom:0pt;"><span style="font-size: 10pt; font-family: Arial, sans-serif; color: rgb(33, 37, 41); font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; font-variant-position: normal; vertical-align: baseline;">Determine if certain websites that can be used for spearphishing are necessary for business operations and consider blocking access if activity cannot be monitored well or if it poses a significant risk.</span></p></td></tr><tr style="height:94pt;"><td style="border-left:solid #dfdfdf 0.8333325pt;border-right:solid #dfdfdf 0.8333325pt;border-bottom:solid #dfdfdf 0.8333325pt;border-top:solid #dfdfdf 0.8333325pt;vertical-align:top;background-color:#f2f2f2;padding:5pt 5pt 5pt 5pt;overflow:hidden;overflow-wrap:break-word;"><p style="line-height:1.38;margin-top:0pt;margin-bottom:0pt;"><a href="https://attack.mitre.org/mitigations/M1054"><span style="font-size: 10pt; font-family: Arial, sans-serif; color: rgb(79, 124, 172); font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; font-variant-position: normal; vertical-align: baseline;">M1054</span></a></p></td><td style="border-left:solid #dfdfdf 0.8333325pt;border-right:solid #dfdfdf 0.8333325pt;border-bottom:solid #dfdfdf 0.8333325pt;border-top:solid #dfdfdf 0.8333325pt;vertical-align:top;background-color:#f2f2f2;padding:5pt 5pt 5pt 5pt;overflow:hidden;overflow-wrap:break-word;"><p style="line-height:1.38;margin-top:0pt;margin-bottom:0pt;"><a href="https://attack.mitre.org/mitigations/M1054"><span style="font-size: 10pt; font-family: Arial, sans-serif; color: rgb(79, 124, 172); font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; font-variant-position: normal; vertical-align: baseline;">Software Configuration</span></a></p></td><td style="border-left:solid #dfdfdf 0.8333325pt;border-right:solid #dfdfdf 0.8333325pt;border-bottom:solid #dfdfdf 0.8333325pt;border-top:solid #dfdfdf 0.8333325pt;vertical-align:top;background-color:#f2f2f2;padding:5pt 5pt 5pt 5pt;overflow:hidden;overflow-wrap:break-word;"><p style="line-height:1.38;margin-top:0pt;margin-bottom:12pt;"><span style="font-size: 10pt; font-family: Arial, sans-serif; color: rgb(33, 37, 41); font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; font-variant-position: normal; vertical-align: baseline;">Use anti-spoofing and email authentication mechanisms to filter messages based on validity checks of the sender domain (using SPF) and integrity of messages (using DKIM). Enabling these mechanisms within an organization (through policies such as DMARC) may enable recipients (intra-org and cross domain) to perform similar message filtering and validation.</span><a href="https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/anti-spoofing-protection?view=o365-worldwide"><span style="font-size: 7pt; font-family: Arial, sans-serif; color: rgb(79, 124, 172); font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; font-variant-position: normal; vertical-align: baseline;">[139]</span></a><a href="https://web.archive.org/web/20210708014107/https://www.cyber.gov.au/sites/default/files/2019-03/spoof_email_sender_policy_framework.pdf"><span style="font-size: 7pt; font-family: Arial, sans-serif; color: rgb(79, 124, 172); font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; font-variant-position: normal; vertical-align: baseline;">[140]</span></a><span style="font-size: 10pt; font-family: Arial, sans-serif; color: rgb(33, 37, 41); font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; font-variant-position: normal; vertical-align: baseline;">.</span></p><p style="line-height:1.38;margin-top:0pt;margin-bottom:0pt;"><span style="font-size: 10pt; font-family: Arial, sans-serif; color: rgb(33, 37, 41); font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; font-variant-position: normal; vertical-align: baseline;">Furthermore, policies may enforce / install browser extensions that protect against IDN and homograph attacks.</span></p></td></tr><tr style="height:55.75pt;"><td style="border-left:solid #dfdfdf 0.8333325pt;border-right:solid #dfdfdf 0.8333325pt;border-bottom:solid #dfdfdf 0.8333325pt;border-top:solid #dfdfdf 0.8333325pt;vertical-align:top;background-color:#f2f2f2;padding:5pt 5pt 5pt 5pt;overflow:hidden;overflow-wrap:break-word;"><p style="line-height:1.38;margin-top:0pt;margin-bottom:0pt;"><a href="https://attack.mitre.org/mitigations/M1018"><span style="font-size: 10pt; font-family: Arial, sans-serif; color: rgb(79, 124, 172); font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; font-variant-position: normal; vertical-align: baseline;">M1018</span></a></p></td><td style="border-left:solid #dfdfdf 0.8333325pt;border-right:solid #dfdfdf 0.8333325pt;border-bottom:solid #dfdfdf 0.8333325pt;border-top:solid #dfdfdf 0.8333325pt;vertical-align:top;background-color:#f2f2f2;padding:5pt 5pt 5pt 5pt;overflow:hidden;overflow-wrap:break-word;"><p style="line-height:1.38;margin-top:0pt;margin-bottom:0pt;"><a href="https://attack.mitre.org/mitigations/M1018"><span style="font-size: 10pt; font-family: Arial, sans-serif; color: rgb(79, 124, 172); font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; font-variant-position: normal; vertical-align: baseline;">User Account Management</span></a></p></td><td style="border-left:solid #dfdfdf 0.8333325pt;border-right:solid #dfdfdf 0.8333325pt;border-bottom:solid #dfdfdf 0.8333325pt;border-top:solid #dfdfdf 0.8333325pt;vertical-align:top;background-color:#f2f2f2;padding:5pt 5pt 5pt 5pt;overflow:hidden;overflow-wrap:break-word;"><p style="line-height:1.38;margin-top:0pt;margin-bottom:0pt;"><span style="font-size: 10pt; font-family: Arial, sans-serif; color: rgb(33, 37, 41); font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; font-variant-position: normal; vertical-align: baseline;">Azure AD Administrators apply limitations upon the ability for users to grant consent to unfamiliar or unverified third-party applications.</span></p></td></tr><tr style="height:95.5pt;"><td style="border-left:solid #dfdfdf 0.8333325pt;border-right:solid #dfdfdf 0.8333325pt;border-bottom:solid #dfdfdf 0.8333325pt;border-top:solid #dfdfdf 0.8333325pt;vertical-align:top;background-color:#f2f2f2;padding:5pt 5pt 5pt 5pt;overflow:hidden;overflow-wrap:break-word;"><p style="line-height:1.38;margin-top:0pt;margin-bottom:0pt;"><a href="https://attack.mitre.org/mitigations/M1017"><span style="font-size: 10pt; font-family: Arial, sans-serif; color: rgb(79, 124, 172); font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; font-variant-position: normal; vertical-align: baseline;">M1017</span></a></p></td><td style="border-left:solid #dfdfdf 0.8333325pt;border-right:solid #dfdfdf 0.8333325pt;border-bottom:solid #dfdfdf 0.8333325pt;border-top:solid #dfdfdf 0.8333325pt;vertical-align:top;background-color:#f2f2f2;padding:5pt 5pt 5pt 5pt;overflow:hidden;overflow-wrap:break-word;"><p style="line-height:1.38;margin-top:0pt;margin-bottom:0pt;"><a href="https://attack.mitre.org/mitigations/M1017"><span style="font-size: 10pt; font-family: Arial, sans-serif; color: rgb(79, 124, 172); font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; font-variant-position: normal; vertical-align: baseline;">User Training</span></a></p></td><td style="border-left:solid #dfdfdf 0.8333325pt;border-right:solid #dfdfdf 0.8333325pt;border-bottom:solid #dfdfdf 0.8333325pt;border-top:solid #dfdfdf 0.8333325pt;vertical-align:top;background-color:#f2f2f2;padding:5pt 5pt 5pt 5pt;overflow:hidden;overflow-wrap:break-word;"><p style="line-height:1.38;margin-top:0pt;margin-bottom:0pt;"><span style="font-size: 10pt; font-family: Arial, sans-serif; color: rgb(33, 37, 41); font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; font-variant-position: normal; vertical-align: baseline;">Users can be trained to identify social engineering techniques and spearphishing emails with malicious links which includes phishing for consent with OAuth 2.0. Additionally, users may perform visual checks of the domains they visit; however, homographs in ASCII and in IDN domains and URL schema obfuscation may render manual checks difficult. Use email warning banners to alert users when emails contain links from external senders, prompting them to exercise caution and reducing the likelihood of falling victim to spearphishing attacks. Phishing training and other cybersecurity training may raise awareness to check URLs before visiting the sites.</span></p></td></tr></tbody></table></div><br><br><p style="line-height:1.38;margin-top:0pt;margin-bottom:0pt;"><span style="font-size: 11pt; font-family: Arial, sans-serif; color: rgb(0, 0, 0); font-weight: 700; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; font-variant-position: normal; vertical-align: baseline;">&nbsp;SyncAppvPublishingServer (T1216.002)</span></p><br><div style="margin-left:0pt;" align="left"><table style="border:none;border-collapse:collapse;"><colgroup><col><col><col></colgroup><tbody><tr style="height:37.75pt;"><td style="border-left:solid #dfdfdf 0.8333325pt;border-right:solid #dfdfdf 0.8333325pt;border-bottom:solid #dfdfdf 0.8333325pt;border-top:solid #dfdfdf 0.8333325pt;vertical-align:bottom;background-color:#f2f2f2;padding:5pt 5pt 5pt 5pt;overflow:hidden;overflow-wrap:break-word;"><p style="line-height:1.38;text-align: center;margin-top:0pt;margin-bottom:0pt;"><span style="font-size: 12pt; font-family: Arial, sans-serif; color: rgb(33, 37, 41); font-weight: 700; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; font-variant-position: normal; vertical-align: baseline;">ID</span></p></td><td style="border-left:solid #dfdfdf 0.8333325pt;border-right:solid #dfdfdf 0.8333325pt;border-bottom:solid #dfdfdf 0.8333325pt;border-top:solid #dfdfdf 0.8333325pt;vertical-align:bottom;background-color:#f2f2f2;padding:5pt 5pt 5pt 5pt;overflow:hidden;overflow-wrap:break-word;"><p style="line-height:1.38;text-align: center;margin-top:0pt;margin-bottom:0pt;"><span style="font-size: 12pt; font-family: Arial, sans-serif; color: rgb(33, 37, 41); font-weight: 700; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; font-variant-position: normal; vertical-align: baseline;">Mitigation</span></p></td><td style="border-left:solid #dfdfdf 0.8333325pt;border-right:solid #dfdfdf 0.8333325pt;border-bottom:solid #dfdfdf 0.8333325pt;border-top:solid #dfdfdf 0.8333325pt;vertical-align:bottom;background-color:#f2f2f2;padding:5pt 5pt 5pt 5pt;overflow:hidden;overflow-wrap:break-word;"><p style="line-height:1.38;text-align: center;margin-top:0pt;margin-bottom:0pt;"><span style="font-size: 12pt; font-family: Arial, sans-serif; color: rgb(33, 37, 41); font-weight: 700; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; font-variant-position: normal; vertical-align: baseline;">Description</span></p></td></tr><tr style="height:55.75pt;"><td style="border-left:solid #dfdfdf 0.8333325pt;border-right:solid #dfdfdf 0.8333325pt;border-bottom:solid #dfdfdf 0.8333325pt;border-top:solid #dfdfdf 0.8333325pt;vertical-align:top;background-color:#f2f2f2;padding:5pt 5pt 5pt 5pt;overflow:hidden;overflow-wrap:break-word;"><p style="line-height:1.38;margin-top:0pt;margin-bottom:0pt;"><a href="https://attack.mitre.org/mitigations/M1038"><span style="font-size: 10pt; font-family: Arial, sans-serif; color: rgb(79, 124, 172); font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; font-variant-position: normal; vertical-align: baseline;">M1038</span></a></p></td><td style="border-left:solid #dfdfdf 0.8333325pt;border-right:solid #dfdfdf 0.8333325pt;border-bottom:solid #dfdfdf 0.8333325pt;border-top:solid #dfdfdf 0.8333325pt;vertical-align:top;background-color:#f2f2f2;padding:5pt 5pt 5pt 5pt;overflow:hidden;overflow-wrap:break-word;"><p style="line-height:1.38;margin-top:0pt;margin-bottom:0pt;"><a href="https://attack.mitre.org/mitigations/M1038"><span style="font-size: 10pt; font-family: Arial, sans-serif; color: rgb(79, 124, 172); font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; font-variant-position: normal; vertical-align: baseline;">Execution Prevention</span></a></p></td><td style="border-left:solid #dfdfdf 0.8333325pt;border-right:solid #dfdfdf 0.8333325pt;border-bottom:solid #dfdfdf 0.8333325pt;border-top:solid #dfdfdf 0.8333325pt;vertical-align:top;background-color:#f2f2f2;padding:5pt 5pt 5pt 5pt;overflow:hidden;overflow-wrap:break-word;"><p style="line-height:1.38;margin-top:0pt;margin-bottom:0pt;"><span style="font-size: 10pt; font-family: Arial, sans-serif; color: rgb(33, 37, 41); font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; font-variant-position: normal; vertical-align: baseline;">Certain signed scripts that can be used to execute other programs may not be necessary within a given environment. Use application control configured to block execution of these scripts if they are not required for a given system or network to prevent potential misuse by adversaries.</span></p></td></tr></tbody></table></div><br><br><p style="line-height:1.38;margin-top:0pt;margin-bottom:0pt;"><span style="font-size: 11pt; font-family: Arial, sans-serif; color: rgb(0, 0, 0); font-weight: 700; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; font-variant-position: normal; vertical-align: baseline;">Scheduled Task/Job: Scheduled Task(T1053.005)</span></p><br><div style="margin-left:0pt;" align="left"><table style="border:none;border-collapse:collapse;"><colgroup><col><col><col></colgroup><tbody><tr style="height:37.75pt;"><td style="border-left:solid #dfdfdf 0.8333325pt;border-right:solid #dfdfdf 0.8333325pt;border-bottom:solid #dfdfdf 0.8333325pt;border-top:solid #dfdfdf 0.8333325pt;vertical-align:bottom;background-color:#f2f2f2;padding:5pt 5pt 5pt 5pt;overflow:hidden;overflow-wrap:break-word;"><p style="line-height:1.38;text-align: center;margin-top:0pt;margin-bottom:0pt;"><span style="font-size: 12pt; font-family: Arial, sans-serif; color: rgb(33, 37, 41); font-weight: 700; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; font-variant-position: normal; vertical-align: baseline;">ID</span></p></td><td style="border-left:solid #dfdfdf 0.8333325pt;border-right:solid #dfdfdf 0.8333325pt;border-bottom:solid #dfdfdf 0.8333325pt;border-top:solid #dfdfdf 0.8333325pt;vertical-align:bottom;background-color:#f2f2f2;padding:5pt 5pt 5pt 5pt;overflow:hidden;overflow-wrap:break-word;"><p style="line-height:1.38;text-align: center;margin-top:0pt;margin-bottom:0pt;"><span style="font-size: 12pt; font-family: Arial, sans-serif; color: rgb(33, 37, 41); font-weight: 700; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; font-variant-position: normal; vertical-align: baseline;">Mitigation</span></p></td><td style="border-left:solid #dfdfdf 0.8333325pt;border-right:solid #dfdfdf 0.8333325pt;border-bottom:solid #dfdfdf 0.8333325pt;border-top:solid #dfdfdf 0.8333325pt;vertical-align:bottom;background-color:#f2f2f2;padding:5pt 5pt 5pt 5pt;overflow:hidden;overflow-wrap:break-word;"><p style="line-height:1.38;text-align: center;margin-top:0pt;margin-bottom:0pt;"><span style="font-size: 12pt; font-family: Arial, sans-serif; color: rgb(33, 37, 41); font-weight: 700; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; font-variant-position: normal; vertical-align: baseline;">Description</span></p></td></tr><tr style="height:55.75pt;"><td style="border-left:solid #dfdfdf 0.8333325pt;border-right:solid #dfdfdf 0.8333325pt;border-bottom:solid #dfdfdf 0.8333325pt;border-top:solid #dfdfdf 0.8333325pt;vertical-align:top;background-color:#f2f2f2;padding:5pt 5pt 5pt 5pt;overflow:hidden;overflow-wrap:break-word;"><p style="line-height:1.38;margin-top:0pt;margin-bottom:0pt;"><a href="https://attack.mitre.org/mitigations/M1047"><span style="font-size: 10pt; font-family: Arial, sans-serif; color: rgb(79, 124, 172); font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; font-variant-position: normal; vertical-align: baseline;">M1047</span></a></p></td><td style="border-left:solid #dfdfdf 0.8333325pt;border-right:solid #dfdfdf 0.8333325pt;border-bottom:solid #dfdfdf 0.8333325pt;border-top:solid #dfdfdf 0.8333325pt;vertical-align:top;background-color:#f2f2f2;padding:5pt 5pt 5pt 5pt;overflow:hidden;overflow-wrap:break-word;"><p style="line-height:1.38;margin-top:0pt;margin-bottom:0pt;"><a href="https://attack.mitre.org/mitigations/M1047"><span style="font-size: 10pt; font-family: Arial, sans-serif; color: rgb(79, 124, 172); font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; font-variant-position: normal; vertical-align: baseline;">Audit</span></a></p></td><td style="border-left:solid #dfdfdf 0.8333325pt;border-right:solid #dfdfdf 0.8333325pt;border-bottom:solid #dfdfdf 0.8333325pt;border-top:solid #dfdfdf 0.8333325pt;vertical-align:top;background-color:#f2f2f2;padding:5pt 5pt 5pt 5pt;overflow:hidden;overflow-wrap:break-word;"><p style="line-height:1.38;margin-top:0pt;margin-bottom:0pt;"><span style="font-size: 10pt; font-family: Arial, sans-serif; color: rgb(33, 37, 41); font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; font-variant-position: normal; vertical-align: baseline;">Toolkits like the PowerSploit framework contain PowerUp modules that can be used to explore systems for permission weaknesses in scheduled tasks that could be used to escalate privileges. </span><a href="https://github.com/mattifestation/PowerSploit"><span style="font-size: 7pt; font-family: Arial, sans-serif; color: rgb(79, 124, 172); font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; font-variant-position: normal; vertical-align: baseline;">[249]</span></a></p></td></tr><tr style="height:82pt;"><td style="border-left:solid #dfdfdf 0.8333325pt;border-right:solid #dfdfdf 0.8333325pt;border-bottom:solid #dfdfdf 0.8333325pt;border-top:solid #dfdfdf 0.8333325pt;vertical-align:top;background-color:#f2f2f2;padding:5pt 5pt 5pt 5pt;overflow:hidden;overflow-wrap:break-word;"><p style="line-height:1.38;margin-top:0pt;margin-bottom:0pt;"><a href="https://attack.mitre.org/mitigations/M1028"><span style="font-size: 10pt; font-family: Arial, sans-serif; color: rgb(79, 124, 172); font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; font-variant-position: normal; vertical-align: baseline;">M1028</span></a></p></td><td style="border-left:solid #dfdfdf 0.8333325pt;border-right:solid #dfdfdf 0.8333325pt;border-bottom:solid #dfdfdf 0.8333325pt;border-top:solid #dfdfdf 0.8333325pt;vertical-align:top;background-color:#f2f2f2;padding:5pt 5pt 5pt 5pt;overflow:hidden;overflow-wrap:break-word;"><p style="line-height:1.38;margin-top:0pt;margin-bottom:0pt;"><a href="https://attack.mitre.org/mitigations/M1028"><span style="font-size: 10pt; font-family: Arial, sans-serif; color: rgb(79, 124, 172); font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; font-variant-position: normal; vertical-align: baseline;">Operating System Configuration</span></a></p></td><td style="border-left:solid #dfdfdf 0.8333325pt;border-right:solid #dfdfdf 0.8333325pt;border-bottom:solid #dfdfdf 0.8333325pt;border-top:solid #dfdfdf 0.8333325pt;vertical-align:top;background-color:#f2f2f2;padding:5pt 5pt 5pt 5pt;overflow:hidden;overflow-wrap:break-word;"><p style="line-height:1.38;margin-top:0pt;margin-bottom:0pt;"><span style="font-size: 10pt; font-family: Arial, sans-serif; color: rgb(33, 37, 41); font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; font-variant-position: normal; vertical-align: baseline;">Configure settings for scheduled tasks to force tasks to run under the context of the authenticated account instead of allowing them to run as SYSTEM. The associated Registry key is located at HKLM\SYSTEM\CurrentControlSet\Control\Lsa\SubmitControl. The setting can be configured through GPO: Computer Configuration &gt; [Policies] &gt; Windows Settings &gt; Security Settings &gt; Local Policies &gt; Security Options: Domain Controller: Allow server operators to schedule tasks, set to disabled. </span><a href="https://technet.microsoft.com/library/jj852168.aspx"><span style="font-size: 7pt; font-family: Arial, sans-serif; color: rgb(79, 124, 172); font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; font-variant-position: normal; vertical-align: baseline;">[250]</span></a></p></td></tr><tr style="height:68.5pt;"><td style="border-left:solid #dfdfdf 0.8333325pt;border-right:solid #dfdfdf 0.8333325pt;border-bottom:solid #dfdfdf 0.8333325pt;border-top:solid #dfdfdf 0.8333325pt;vertical-align:top;background-color:#f2f2f2;padding:5pt 5pt 5pt 5pt;overflow:hidden;overflow-wrap:break-word;"><p style="line-height:1.38;margin-top:0pt;margin-bottom:0pt;"><a href="https://attack.mitre.org/mitigations/M1026"><span style="font-size: 10pt; font-family: Arial, sans-serif; color: rgb(79, 124, 172); font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; font-variant-position: normal; vertical-align: baseline;">M1026</span></a></p></td><td style="border-left:solid #dfdfdf 0.8333325pt;border-right:solid #dfdfdf 0.8333325pt;border-bottom:solid #dfdfdf 0.8333325pt;border-top:solid #dfdfdf 0.8333325pt;vertical-align:top;background-color:#f2f2f2;padding:5pt 5pt 5pt 5pt;overflow:hidden;overflow-wrap:break-word;"><p style="line-height:1.38;margin-top:0pt;margin-bottom:0pt;"><a href="https://attack.mitre.org/mitigations/M1026"><span style="font-size: 10pt; font-family: Arial, sans-serif; color: rgb(79, 124, 172); font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; font-variant-position: normal; vertical-align: baseline;">Privileged Account Management</span></a></p></td><td style="border-left:solid #dfdfdf 0.8333325pt;border-right:solid #dfdfdf 0.8333325pt;border-bottom:solid #dfdfdf 0.8333325pt;border-top:solid #dfdfdf 0.8333325pt;vertical-align:top;background-color:#f2f2f2;padding:5pt 5pt 5pt 5pt;overflow:hidden;overflow-wrap:break-word;"><p style="line-height:1.38;margin-top:0pt;margin-bottom:0pt;"><span style="font-size: 10pt; font-family: Arial, sans-serif; color: rgb(33, 37, 41); font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; font-variant-position: normal; vertical-align: baseline;">Configure the Increase Scheduling Priority option to only allow the Administrators group the rights to schedule a priority process. This can be configured through GPO: Computer Configuration &gt; [Policies] &gt; Windows Settings &gt; Security Settings &gt; Local Policies &gt; User Rights Assignment: Increase scheduling priority. </span><a href="https://technet.microsoft.com/library/dn221960.aspx"><span style="font-size: 7pt; font-family: Arial, sans-serif; color: rgb(79, 124, 172); font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; font-variant-position: normal; vertical-align: baseline;">[251]</span></a></p></td></tr><tr style="height:55.75pt;"><td style="border-left:solid #dfdfdf 0.8333325pt;border-right:solid #dfdfdf 0.8333325pt;border-bottom:solid #dfdfdf 0.8333325pt;border-top:solid #dfdfdf 0.8333325pt;vertical-align:top;background-color:#f2f2f2;padding:5pt 5pt 5pt 5pt;overflow:hidden;overflow-wrap:break-word;"><p style="line-height:1.38;margin-top:0pt;margin-bottom:0pt;"><a href="https://attack.mitre.org/mitigations/M1018"><span style="font-size: 10pt; font-family: Arial, sans-serif; color: rgb(79, 124, 172); font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; font-variant-position: normal; vertical-align: baseline;">M1018</span></a></p></td><td style="border-left:solid #dfdfdf 0.8333325pt;border-right:solid #dfdfdf 0.8333325pt;border-bottom:solid #dfdfdf 0.8333325pt;border-top:solid #dfdfdf 0.8333325pt;vertical-align:top;background-color:#f2f2f2;padding:5pt 5pt 5pt 5pt;overflow:hidden;overflow-wrap:break-word;"><p style="line-height:1.38;margin-top:0pt;margin-bottom:0pt;"><a href="https://attack.mitre.org/mitigations/M1018"><span style="font-size: 10pt; font-family: Arial, sans-serif; color: rgb(79, 124, 172); font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; font-variant-position: normal; vertical-align: baseline;">User Account Management</span></a></p></td><td style="border-left:solid #dfdfdf 0.8333325pt;border-right:solid #dfdfdf 0.8333325pt;border-bottom:solid #dfdfdf 0.8333325pt;border-top:solid #dfdfdf 0.8333325pt;vertical-align:top;background-color:#f2f2f2;padding:5pt 5pt 5pt 5pt;overflow:hidden;overflow-wrap:break-word;"><p style="line-height:1.38;margin-top:0pt;margin-bottom:0pt;"><span style="font-size: 10pt; font-family: Arial, sans-serif; color: rgb(33, 37, 41); font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; font-variant-position: normal; vertical-align: baseline;">Limit privileges of user accounts and remediate Privilege Escalation vectors so only authorized administrators can create scheduled tasks on remote systems.</span></p></td></tr></tbody></table></div><br><br><p style="line-height:1.38;margin-top:0pt;margin-bottom:0pt;"><span style="font-size: 11pt; font-family: Arial, sans-serif; color: rgb(0, 0, 0); font-weight: 700; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; font-variant-position: normal; vertical-align: baseline;">Impair Defenses: Disable or Modify Tools(T1562.001)</span></p><br><div style="margin-left:0pt;" align="left"><table style="border:none;border-collapse:collapse;"><colgroup><col><col><col></colgroup><tbody><tr style="height:37.75pt;"><td style="border-left:solid #dfdfdf 0.8333325pt;border-right:solid #dfdfdf 0.8333325pt;border-bottom:solid #dfdfdf 0.8333325pt;border-top:solid #dfdfdf 0.8333325pt;vertical-align:bottom;background-color:#f2f2f2;padding:5pt 5pt 5pt 5pt;overflow:hidden;overflow-wrap:break-word;"><p style="line-height:1.38;text-align: center;margin-top:0pt;margin-bottom:0pt;"><span style="font-size: 12pt; font-family: Arial, sans-serif; color: rgb(33, 37, 41); font-weight: 700; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; font-variant-position: normal; vertical-align: baseline;">ID</span></p></td><td style="border-left:solid #dfdfdf 0.8333325pt;border-right:solid #dfdfdf 0.8333325pt;border-bottom:solid #dfdfdf 0.8333325pt;border-top:solid #dfdfdf 0.8333325pt;vertical-align:bottom;background-color:#f2f2f2;padding:5pt 5pt 5pt 5pt;overflow:hidden;overflow-wrap:break-word;"><p style="line-height:1.38;text-align: center;margin-top:0pt;margin-bottom:0pt;"><span style="font-size: 12pt; font-family: Arial, sans-serif; color: rgb(33, 37, 41); font-weight: 700; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; font-variant-position: normal; vertical-align: baseline;">Mitigation</span></p></td><td style="border-left:solid #dfdfdf 0.8333325pt;border-right:solid #dfdfdf 0.8333325pt;border-bottom:solid #dfdfdf 0.8333325pt;border-top:solid #dfdfdf 0.8333325pt;vertical-align:bottom;background-color:#f2f2f2;padding:5pt 5pt 5pt 5pt;overflow:hidden;overflow-wrap:break-word;"><p style="line-height:1.38;text-align: center;margin-top:0pt;margin-bottom:0pt;"><span style="font-size: 12pt; font-family: Arial, sans-serif; color: rgb(33, 37, 41); font-weight: 700; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; font-variant-position: normal; vertical-align: baseline;">Description</span></p></td></tr><tr style="height:68.5pt;"><td style="border-left:solid #dfdfdf 0.8333325pt;border-right:solid #dfdfdf 0.8333325pt;border-bottom:solid #dfdfdf 0.8333325pt;border-top:solid #dfdfdf 0.8333325pt;vertical-align:top;background-color:#f2f2f2;padding:5pt 5pt 5pt 5pt;overflow:hidden;overflow-wrap:break-word;"><p style="line-height:1.38;margin-top:0pt;margin-bottom:0pt;"><a href="https://attack.mitre.org/mitigations/M1047"><span style="font-size: 10pt; font-family: Arial, sans-serif; color: rgb(79, 124, 172); font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; font-variant-position: normal; vertical-align: baseline;">M1047</span></a></p></td><td style="border-left:solid #dfdfdf 0.8333325pt;border-right:solid #dfdfdf 0.8333325pt;border-bottom:solid #dfdfdf 0.8333325pt;border-top:solid #dfdfdf 0.8333325pt;vertical-align:top;background-color:#f2f2f2;padding:5pt 5pt 5pt 5pt;overflow:hidden;overflow-wrap:break-word;"><p style="line-height:1.38;margin-top:0pt;margin-bottom:0pt;"><a href="https://attack.mitre.org/mitigations/M1047"><span style="font-size: 10pt; font-family: Arial, sans-serif; color: rgb(79, 124, 172); font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; font-variant-position: normal; vertical-align: baseline;">Audit</span></a></p></td><td style="border-left:solid #dfdfdf 0.8333325pt;border-right:solid #dfdfdf 0.8333325pt;border-bottom:solid #dfdfdf 0.8333325pt;border-top:solid #dfdfdf 0.8333325pt;vertical-align:top;background-color:#f2f2f2;padding:5pt 5pt 5pt 5pt;overflow:hidden;overflow-wrap:break-word;"><p style="line-height:1.38;margin-top:0pt;margin-bottom:0pt;"><span style="font-size: 10pt; font-family: Arial, sans-serif; color: rgb(33, 37, 41); font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; font-variant-position: normal; vertical-align: baseline;">Periodically verify that tools are functioning appropriately – for example, that all expected hosts with EDRs or monitoring agents are checking in to the central console. Check EDRs to ensure that no unexpected exclusion paths have been added. In Microsoft Defender for Endpoint, exclusions can be reviewed with the </span><span style="font-size: 8.5pt; font-family: &quot; color: rgb(29, 34, 38); background-color: rgb(230, 230, 230); font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; font-variant-position: normal; vertical-align: baseline;">Get-MpPreference</span><span style="font-size: 10pt; font-family: Arial, sans-serif; color: rgb(33, 37, 41); font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; font-variant-position: normal; vertical-align: baseline;"> cmdlet.</span><a href="https://medium.com/codex/my-learnings-on-microsoft-defender-for-endpoint-and-exclusions-ddacf2fdd047"><span style="font-size: 7pt; font-family: Arial, sans-serif; color: rgb(79, 124, 172); font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; font-variant-position: normal; vertical-align: baseline;">[160]</span></a></p></td></tr><tr style="height:68.5pt;"><td style="border-left:solid #dfdfdf 0.8333325pt;border-right:solid #dfdfdf 0.8333325pt;border-bottom:solid #dfdfdf 0.8333325pt;border-top:solid #dfdfdf 0.8333325pt;vertical-align:top;background-color:#f2f2f2;padding:5pt 5pt 5pt 5pt;overflow:hidden;overflow-wrap:break-word;"><p style="line-height:1.38;margin-top:0pt;margin-bottom:0pt;"><a href="https://attack.mitre.org/mitigations/M1038"><span style="font-size: 10pt; font-family: Arial, sans-serif; color: rgb(79, 124, 172); font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; font-variant-position: normal; vertical-align: baseline;">M1038</span></a></p></td><td style="border-left:solid #dfdfdf 0.8333325pt;border-right:solid #dfdfdf 0.8333325pt;border-bottom:solid #dfdfdf 0.8333325pt;border-top:solid #dfdfdf 0.8333325pt;vertical-align:top;background-color:#f2f2f2;padding:5pt 5pt 5pt 5pt;overflow:hidden;overflow-wrap:break-word;"><p style="line-height:1.38;margin-top:0pt;margin-bottom:0pt;"><a href="https://attack.mitre.org/mitigations/M1038"><span style="font-size: 10pt; font-family: Arial, sans-serif; color: rgb(79, 124, 172); font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; font-variant-position: normal; vertical-align: baseline;">Execution Prevention</span></a></p></td><td style="border-left:solid #dfdfdf 0.8333325pt;border-right:solid #dfdfdf 0.8333325pt;border-bottom:solid #dfdfdf 0.8333325pt;border-top:solid #dfdfdf 0.8333325pt;vertical-align:top;background-color:#f2f2f2;padding:5pt 5pt 5pt 5pt;overflow:hidden;overflow-wrap:break-word;"><p style="line-height:1.38;margin-top:0pt;margin-bottom:0pt;"><span style="font-size: 10pt; font-family: Arial, sans-serif; color: rgb(33, 37, 41); font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; font-variant-position: normal; vertical-align: baseline;">Use application control where appropriate, especially regarding the execution of tools outside of the organization's security policies (such as rootkit removal tools) that have been abused to impair system defenses. Ensure that only approved security applications are used and running on enterprise systems.</span></p></td></tr><tr style="height:55.75pt;"><td style="border-left:solid #dfdfdf 0.8333325pt;border-right:solid #dfdfdf 0.8333325pt;border-bottom:solid #dfdfdf 0.8333325pt;border-top:solid #dfdfdf 0.8333325pt;vertical-align:top;background-color:#f2f2f2;padding:5pt 5pt 5pt 5pt;overflow:hidden;overflow-wrap:break-word;"><p style="line-height:1.38;margin-top:0pt;margin-bottom:0pt;"><a href="https://attack.mitre.org/mitigations/M1022"><span style="font-size: 10pt; font-family: Arial, sans-serif; color: rgb(79, 124, 172); font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; font-variant-position: normal; vertical-align: baseline;">M1022</span></a></p></td><td style="border-left:solid #dfdfdf 0.8333325pt;border-right:solid #dfdfdf 0.8333325pt;border-bottom:solid #dfdfdf 0.8333325pt;border-top:solid #dfdfdf 0.8333325pt;vertical-align:top;background-color:#f2f2f2;padding:5pt 5pt 5pt 5pt;overflow:hidden;overflow-wrap:break-word;"><p style="line-height:1.38;margin-top:0pt;margin-bottom:0pt;"><a href="https://attack.mitre.org/mitigations/M1022"><span style="font-size: 10pt; font-family: Arial, sans-serif; color: rgb(79, 124, 172); font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; font-variant-position: normal; vertical-align: baseline;">Restrict File and Directory Permissions</span></a></p></td><td style="border-left:solid #dfdfdf 0.8333325pt;border-right:solid #dfdfdf 0.8333325pt;border-bottom:solid #dfdfdf 0.8333325pt;border-top:solid #dfdfdf 0.8333325pt;vertical-align:top;background-color:#f2f2f2;padding:5pt 5pt 5pt 5pt;overflow:hidden;overflow-wrap:break-word;"><p style="line-height:1.38;margin-top:0pt;margin-bottom:0pt;"><span style="font-size: 10pt; font-family: Arial, sans-serif; color: rgb(33, 37, 41); font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; font-variant-position: normal; vertical-align: baseline;">Ensure proper process and file permissions are in place to prevent adversaries from disabling or interfering with security services.</span></p></td></tr><tr style="height:55.75pt;"><td style="border-left:solid #dfdfdf 0.8333325pt;border-right:solid #dfdfdf 0.8333325pt;border-bottom:solid #dfdfdf 0.8333325pt;border-top:solid #dfdfdf 0.8333325pt;vertical-align:top;background-color:#f2f2f2;padding:5pt 5pt 5pt 5pt;overflow:hidden;overflow-wrap:break-word;"><p style="line-height:1.38;margin-top:0pt;margin-bottom:0pt;"><a href="https://attack.mitre.org/mitigations/M1024"><span style="font-size: 10pt; font-family: Arial, sans-serif; color: rgb(79, 124, 172); font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; font-variant-position: normal; vertical-align: baseline;">M1024</span></a></p></td><td style="border-left:solid #dfdfdf 0.8333325pt;border-right:solid #dfdfdf 0.8333325pt;border-bottom:solid #dfdfdf 0.8333325pt;border-top:solid #dfdfdf 0.8333325pt;vertical-align:top;background-color:#f2f2f2;padding:5pt 5pt 5pt 5pt;overflow:hidden;overflow-wrap:break-word;"><p style="line-height:1.38;margin-top:0pt;margin-bottom:0pt;"><a href="https://attack.mitre.org/mitigations/M1024"><span style="font-size: 10pt; font-family: Arial, sans-serif; color: rgb(79, 124, 172); font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; font-variant-position: normal; vertical-align: baseline;">Restrict Registry Permissions</span></a></p></td><td style="border-left:solid #dfdfdf 0.8333325pt;border-right:solid #dfdfdf 0.8333325pt;border-bottom:solid #dfdfdf 0.8333325pt;border-top:solid #dfdfdf 0.8333325pt;vertical-align:top;background-color:#f2f2f2;padding:5pt 5pt 5pt 5pt;overflow:hidden;overflow-wrap:break-word;"><p style="line-height:1.38;margin-top:0pt;margin-bottom:0pt;"><span style="font-size: 10pt; font-family: Arial, sans-serif; color: rgb(33, 37, 41); font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; font-variant-position: normal; vertical-align: baseline;">Ensure proper Registry permissions are in place to prevent adversaries from disabling or interfering with security services.</span></p></td></tr><tr style="height:55.75pt;"><td style="border-left:solid #dfdfdf 0.8333325pt;border-right:solid #dfdfdf 0.8333325pt;border-bottom:solid #dfdfdf 0.8333325pt;border-top:solid #dfdfdf 0.8333325pt;vertical-align:top;background-color:#f2f2f2;padding:5pt 5pt 5pt 5pt;overflow:hidden;overflow-wrap:break-word;"><p style="line-height:1.38;margin-top:0pt;margin-bottom:0pt;"><a href="https://attack.mitre.org/mitigations/M1018"><span style="font-size: 10pt; font-family: Arial, sans-serif; color: rgb(79, 124, 172); font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; font-variant-position: normal; vertical-align: baseline;">M1018</span></a></p></td><td style="border-left:solid #dfdfdf 0.8333325pt;border-right:solid #dfdfdf 0.8333325pt;border-bottom:solid #dfdfdf 0.8333325pt;border-top:solid #dfdfdf 0.8333325pt;vertical-align:top;background-color:#f2f2f2;padding:5pt 5pt 5pt 5pt;overflow:hidden;overflow-wrap:break-word;"><p style="line-height:1.38;margin-top:0pt;margin-bottom:0pt;"><a href="https://attack.mitre.org/mitigations/M1018"><span style="font-size: 10pt; font-family: Arial, sans-serif; color: rgb(79, 124, 172); font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; font-variant-position: normal; vertical-align: baseline;">User Account Management</span></a></p></td><td style="border-left:solid #dfdfdf 0.8333325pt;border-right:solid #dfdfdf 0.8333325pt;border-bottom:solid #dfdfdf 0.8333325pt;border-top:solid #dfdfdf 0.8333325pt;vertical-align:top;background-color:#f2f2f2;padding:5pt 5pt 5pt 5pt;overflow:hidden;overflow-wrap:break-word;"><p style="line-height:1.38;margin-top:0pt;margin-bottom:0pt;"><span style="font-size: 10pt; font-family: Arial, sans-serif; color: rgb(33, 37, 41); font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; font-variant-position: normal; vertical-align: baseline;">Ensure proper user permissions are in place to prevent adversaries from disabling or interfering with security services.</span></p></td></tr></tbody></table></div></span>