CRI Profile PR.PS-01.09

Endpoint systems implemented using virtualization technologies employ mechanisms to protect network, application, and data integrity, such as restricting access to local network and peripheral devices, multi-factor authentication, locking-down device source network locations, and data leakage protections.

Mappings

Capability ID Capability Description Mapping Type ATT&CK ID ATT&CK Name Notes
PR.PS-01.09 Virtualized end point protection Mitigates T1021.002 SMB/Windows Admin Shares
Comments
The diagnostic statement highlights several mechanisms that organizations can implement to protect endpoint systems using virtualization technologies, essentially hypervisor hardening. With this technique, adversaries may transfer tools, payloads, or other malware between systems in a compromised environment, such as between a VM and host system. Hypervisor hardening may help in monitoring and restricting unexpected network share access by virtualized systems, such as files transferred between shares within a network over protocols such as SMB.
PR.PS-01.09 Virtualized end point protection Mitigates T1570 Lateral Tool Transfer
Comments
The diagnostic statement highlights several mechanisms that organizations can implement to protect endpoint systems using virtualization technologies, essentially hypervisor hardening. With this technique, adversaries may transfer tools, payloads, or other malware between systems in a compromised environment, such as between a VM and host system. Hypervisor hardening may help in monitoring and restricting unexpected network share access by virtualized systems, such as files transferred between shares within a network over protocols such as SMB.
PR.PS-01.09 Virtualized end point protection Mitigates T1213 Data from Information Repositories
Comments
The diagnostic statement outlines several mechanisms that organizations can use to protect endpoint systems with virtualization technologies, focusing primarily on hypervisor hardening. By implementing hypervisor hardening measures, such as requiring multi-factor authentication to restrict access to resources and information stored in the cloud from various virtual machines, organizations may help prevent data leakage caused by adversaries exploiting VM instances.
PR.PS-01.09 Virtualized end point protection Mitigates T1098 Account Manipulation
Comments
The diagnostic statement highlights several mechanisms that organizations can implement to protect endpoint systems using virtualization technologies, essentially hypervisor hardening. Use multi-factor authentication for user and privileged accounts running virtual machines.
PR.PS-01.09 Virtualized end point protection Mitigates T1129 Shared Modules
Comments
The diagnostic statement highlights several mechanisms that organizations can implement to protect endpoint systems using virtualization technologies, essentially hypervisor hardening. With this technique, adversaries may use an existing VM that leverages a legitimate external Web service to exfiltrate data rather than their primary command and control channel. Hypervisor application control may detect and block this type of behavior.
PR.PS-01.09 Virtualized end point protection Mitigates T1567 Exfiltration Over Web Service
Comments
The diagnostic statement highlights several mechanisms that organizations can implement to protect endpoint systems using virtualization technologies, essentially hypervisor hardening. With this technique, adversaries may use an existing VM that leverages a legitimate external Web service to exfiltrate data rather than their primary command and control channel. Hypervisor application control may detect and block this type of behavior.
PR.PS-01.09 Virtualized end point protection Mitigates T1204 User Execution
Comments
The diagnostic statement highlights several mechanisms that organizations can implement to protect endpoint systems using virtualization technologies, essentially hypervisor hardening. With this technique, adversaries may use an existing VM that leverages a legitimate external Web service to exfiltrate data rather than their primary command and control channel. Hypervisor application control may detect and block this type of behavior.
PR.PS-01.09 Virtualized end point protection Mitigates T1525 Implant Internal Image
Comments
The diagnostic statement highlights several mechanisms that organizations can implement to protect endpoint systems using virtualization technologies, essentially hypervisor hardening. With this technique, adversaries may implant cloud or container images with malicious code to establish persistence after gaining access to an environment. Periodically baselining virtual machine images to identify malicious modifications or additions may aid in mitigating this technique and with mitigating interactions with images that are modified anomalously.
PR.PS-01.09 Virtualized end point protection Mitigates T1080 Taint Shared Content
Comments
The diagnostic statement highlights several mechanisms that organizations can implement to protect endpoint systems using virtualization technologies, essentially hypervisor hardening. With this technique, adversaries may deliver payloads to host systems by adding content to shared storage and file locations, such as a shared directory between the host and virtual machine. Hypervisor hardening can restrict or limit the ability of the virtualized machine to taint shared content, making it harder for attackers to manipulate shared content.
PR.PS-01.09 Virtualized end point protection Mitigates T1552.001 Credentials In Files
Comments
The diagnostic statement highlights several mechanisms that organizations can implement to protect endpoint systems using virtualization technologies, essentially hypervisor hardening. With this technique, adversaries may search directories and files shared between a VM and the host device to find files of interest, specifically credentials stored in files. Hypervisor hardening can restrict or limit the ability to access files containing insecurely stored credentials between the virtualized machine and host system, making it harder for attackers to collect data from host shared files.
PR.PS-01.09 Virtualized end point protection Mitigates T1039 Data from Network Shared Drive
Comments
The diagnostic statement highlights several mechanisms that organizations can implement to protect endpoint systems using virtualization technologies, essentially hypervisor hardening. With this technique, adversaries may search host shared directories between a VM and host device to find files of interest. Hypervisor hardening can restrict or limit the ability to share files between the virtualized machine and host system, making it harder for attackers to collect data from host shared directories.
PR.PS-01.09 Virtualized end point protection Mitigates T1562 Impair Defenses
Comments
The diagnostic statement highlights several mechanisms that organizations can implement to protect endpoint systems using virtualization technologies, essentially hypervisor hardening. Hypervisor hardening can limit the ability of virtual machines to disable or modify security tools or configurations within the host system, making it harder for attackers to evade detection.
PR.PS-01.09 Virtualized end point protection Mitigates T1578 Modify Cloud Compute Infrastructure
Comments
The diagnostic statement highlights several mechanisms that organizations can implement to protect endpoint systems using virtualization technologies, essentially hypervisor hardening. The creation of a new instance or VM is a common part of operations within many cloud environments. Establish centralized logging of instance activity, which can be used to monitor and review system events even after reverting to a snapshot, rolling back changes, or changing the persistence or type of storage. Monitor specifically for events related to snapshots, rollbacks, and VM configuration changes that occur outside of normal activity. To reduce false positives, valid change management procedures could introduce a known identifier that is logged with the change (e.g., a tag or header) if supported by the cloud provider, to help distinguish valid, expected actions from malicious ones.
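The monitoring approach described in this row (centralized logging of snapshot, rollback and VM configuration events, with a change-management identifier to separate expected changes from suspicious ones) as an added example; it is not part of the CRI Profile or any cloud provider's tooling. It assumes CloudTrail-style JSON events, a tag key named ChangeTicket carrying an id like CHG-12345, and a 01:00 to 05:00 UTC change window; the log lines are constructed.

```python
"""Triage cloud compute-infrastructure events against a change-management convention."""
import json
import re
from datetime import datetime, time

# EC2 API event names that touch snapshots, rollbacks, and VM configuration.
WATCHED_EVENTS = {
    "CreateSnapshot", "DeleteSnapshot", "RestoreSnapshotFromRecycleBin",
    "CreateImage", "ModifyInstanceAttribute", "ModifyVolume",
    "RunInstances", "TerminateInstances",
}
# Assumed convention: every approved change carries a ChangeTicket tag (CHG-<digits>).
TICKET_TAG_KEY = "ChangeTicket"
TICKET_PATTERN = re.compile(r"^CHG-\d{4,}$")
# Assumed approved change window (UTC); changes outside it get a second look.
CHANGE_WINDOW = (time(1, 0), time(5, 0))


def ticket_from_event(event):
    """Return the ChangeTicket tag value sent with the API call, if any."""
    tag_set = event.get("requestParameters", {}).get("tagSpecificationSet", {})
    for spec in tag_set.get("items", []):
        for tag in spec.get("tags", []):
            if tag.get("key") == TICKET_TAG_KEY:
                return tag.get("value")
    return None


def in_change_window(event_time):
    """True when the event's UTC time of day falls inside CHANGE_WINDOW."""
    t = datetime.strptime(event_time, "%Y-%m-%dT%H:%M:%SZ").time()
    start, end = CHANGE_WINDOW
    return start <= t <= end


def triage(event):
    """Classify one event as ('ignore' | 'expected' | 'review', reason)."""
    if event.get("eventName") not in WATCHED_EVENTS:
        return "ignore", ""
    reasons = []
    ticket = ticket_from_event(event)
    if not (ticket and TICKET_PATTERN.match(ticket)):
        reasons.append("no valid change ticket tag")
    if not in_change_window(event["eventTime"]):
        reasons.append("outside change window")
    if reasons:
        return "review", "; ".join(reasons)
    return "expected", "ticket " + ticket


def review_log(ndjson_text):
    """Return (eventName, caller ARN, reason) for every event needing review."""
    findings = []
    for line in ndjson_text.strip().splitlines():
        event = json.loads(line)
        verdict, reason = triage(event)
        if verdict == "review":
            findings.append((event["eventName"], event["userIdentity"]["arn"], reason))
    return findings


# Constructed sample log: one tagged in-window snapshot, one untagged daytime
# deletion, one read-only call, and one in-window change with a malformed tag.
SAMPLE_LOG = """
{"eventTime":"2024-03-02T02:15:00Z","eventName":"CreateSnapshot","userIdentity":{"arn":"arn:aws:iam::111122223333:user/ops-bot"},"requestParameters":{"volumeId":"vol-0123","tagSpecificationSet":{"items":[{"resourceType":"snapshot","tags":[{"key":"ChangeTicket","value":"CHG-20471"}]}]}}}
{"eventTime":"2024-03-02T14:40:10Z","eventName":"DeleteSnapshot","userIdentity":{"arn":"arn:aws:iam::111122223333:user/alice"},"requestParameters":{"snapshotId":"snap-0abc"}}
{"eventTime":"2024-03-02T14:41:00Z","eventName":"DescribeInstances","userIdentity":{"arn":"arn:aws:iam::111122223333:user/alice"},"requestParameters":{}}
{"eventTime":"2024-03-02T03:00:00Z","eventName":"ModifyInstanceAttribute","userIdentity":{"arn":"arn:aws:iam::111122223333:role/deploy"},"requestParameters":{"instanceId":"i-0def","tagSpecificationSet":{"items":[{"resourceType":"instance","tags":[{"key":"ChangeTicket","value":"todo"}]}]}}}
"""

if __name__ == "__main__":
    for name, arn, reason in review_log(SAMPLE_LOG):
        print(f"REVIEW {name} by {arn}: {reason}")
```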
PR.PS-01.09 Virtualized end point protection Mitigates T1210 Exploitation of Remote Services
Comments
The diagnostic statement highlights several mechanisms that organizations can implement to protect endpoint systems using virtualization technologies. Virtualization technologies provide a layer of isolation that contains the impact of potential compromises. For this exploitation technique, consider making it difficult for adversaries to advance their operation through exploitation of unpatched vulnerabilities in your virtualized technologies.
PR.PS-01.09 Virtualized end point protection Mitigates T1068 Exploitation for Privilege Escalation
Comments
The diagnostic statement highlights several mechanisms that organizations can implement to protect endpoint systems using virtualization technologies. Virtualization technologies provide a layer of isolation that contains the impact of potential compromises. For this exploitation technique, consider making it difficult for adversaries to advance their operation through exploitation of unpatched vulnerabilities in your virtualized technologies.
PR.PS-01.09 Virtualized end point protection Mitigates T1211 Exploitation for Defense Evasion
Comments
The diagnostic statement highlights several mechanisms that organizations can implement to protect endpoint systems using virtualization technologies. Virtualization technologies provide a layer of isolation that contains the impact of potential compromises. For this exploitation technique, consider making it difficult for adversaries to advance their operation through exploitation of unpatched vulnerabilities in your virtualized technologies.
PR.PS-01.09 Virtualized end point protection Mitigates T1212 Exploitation for Credential Access
Comments
The diagnostic statement highlights several mechanisms that organizations can implement to protect endpoint systems using virtualization technologies. Virtualization technologies provide a layer of isolation that contains the impact of potential compromises. For this exploitation technique, consider making it difficult for adversaries to advance their operation through exploitation of unpatched vulnerabilities in your virtualized technologies.
PR.PS-01.09 Virtualized end point protection Mitigates T1203 Exploitation for Client Execution
Comments
The diagnostic statement highlights several mechanisms that organizations can implement to protect endpoint systems using virtualization technologies. Virtualization technologies provide a layer of isolation that contains the impact of potential compromises. For this exploitation technique, consider making it difficult for adversaries to advance their operation through exploitation of unpatched vulnerabilities in your virtualized technologies.
PR.PS-01.09 Virtualized end point protection Mitigates T1190 Exploit Public-Facing Application
Comments
The diagnostic statement highlights several mechanisms that organizations can implement to protect endpoint systems using virtualization technologies. Virtualization technologies provide a layer of isolation that contains the impact of potential compromises. For this exploitation technique, consider making it difficult for adversaries to advance their operation through exploitation of unpatched vulnerabilities in your virtualized technologies. Application isolation will limit what other processes and system features the exploited target can access, thus aiding with mitigations related to exploiting public-facing applications.
PR.PS-01.09 Virtualized end point protection Mitigates T1611 Escape to Host
Comments
The diagnostic statement highlights several mechanisms that organizations can implement to protect endpoint systems using virtualization technologies. Virtualization technologies provide a layer of isolation that contains the impact of potential compromises. For the Escape to Host technique, consider utilizing seccomp, seccomp-bpf, or a similar solution that restricts certain system calls such as mount. In Kubernetes environments, consider defining Pod Security Standards that limit container access to host process namespaces, the host network, and the host file system.
PR.PS-01.09 Virtualized end point protection Mitigates T1189 Drive-by Compromise
Comments
The diagnostic statement highlights several mechanisms that organizations can implement to protect endpoint systems using virtualization technologies. Virtualization technologies provide a layer of isolation that contains the impact of potential compromises. For Drive-by Compromise, browser sandboxes can be used to mitigate some of the impact of exploitation, but sandbox escapes may still exist. Other types of virtualization and application micro-segmentation may also mitigate the impact of client-side exploitation. The risks of additional exploits and weaknesses in implementation may still exist for these types of systems.
PR.PS-01.09 Virtualized end point protection Mitigates T1525 Implant Internal Image
Comments
The diagnostic statement highlights several mitigating controls that organizations can implement to protect endpoint systems using virtualization technologies. Adversaries may implant cloud or container images with malicious code to establish persistence after gaining access to an environment. Periodically checking the integrity of images and containers used in virtualized deployments to ensure they have not been modified to include malicious software may aid in mitigating this type of adversary technique.
PR.PS-01.09 Virtualized end point protection Mitigates T1612 Build Image on Host
Comments
The diagnostic statement highlights several mitigating controls that organizations can implement to protect endpoint systems using virtualization technologies. Adversaries may build a container image directly on a host to bypass defenses that monitor for the retrieval of malicious images from a public registry. Mitigating mechanisms such as network segmentation, limiting access to resources over the network, and privileged account management may help limit the building of malicious images by restricting direct remote access to internal systems through network proxies, gateways, privileged accounts, and firewalls.
PR.PS-01.09 Virtualized end point protection Mitigates T1485 Data Destruction
Comments
The diagnostic statement highlights several mitigating controls that organizations can implement to protect endpoint systems using virtualization technologies. Adversaries may destroy data and files on specific systems or in large numbers on a network to interrupt availability to systems, services, and network resources. They may delete virtual machines from on-prem virtualized environments. For example, implementing multi-factor authentication (MFA) delete for cloud storage resources, such as AWS S3 buckets, can prevent unauthorized deletion of critical data and infrastructure.
PR.PS-01.09 Virtualized end point protection Mitigates T1204.003 Malicious Image
Comments
The diagnostic statement highlights several mitigating controls that organizations can implement to protect endpoint systems using virtualization technologies. Adversaries may rely on a user running a malicious image to facilitate execution. This can lead to the execution of malicious code, such as cryptocurrency mining code, in the virtualized instance or container. Controls such as execution prevention, NIPS, EDRs, and behavior prevention on endpoints may prevent executables originating from virtualized machines from running on the host or network.
PR.PS-01.09 Virtualized end point protection Mitigates T1204 User Execution
Comments
The diagnostic statement highlights several mitigating controls that organizations can implement to protect endpoint systems using virtualization technologies. Adversaries may rely on a user running a malicious image to facilitate execution. This can lead to the execution of malicious code, such as cryptocurrency mining code, in the virtualized instance or container. Controls such as execution prevention, NIPS, EDRs, and behavior prevention on endpoints may prevent executables originating from virtualized machines from running on the host or network.
PR.PS-01.09 Virtualized end point protection Mitigates T1578.005 Modify Cloud Compute Configurations
Comments
The diagnostic statement highlights several mitigating controls that organizations can implement to protect endpoint systems using virtualization technologies. Adversaries may modify settings that directly affect the size, locations, and resources available to cloud compute infrastructure in order to evade defenses. A modification to the compute service infrastructure can include the creation, deletion, or modification of one or more components such as compute instances, virtual machines, and snapshots. To aid in mitigating this technique, consider limiting user permissions to ensure only the expected users have the capability to modify cloud compute infrastructure components.
PR.PS-01.09 Virtualized end point protection Mitigates T1578.004 Revert Cloud Instance
Comments
The diagnostic statement highlights several mitigating controls that organizations can implement to protect endpoint systems using virtualization technologies. An adversary may attempt to modify a cloud account's compute service infrastructure to evade defenses. A modification to the compute service infrastructure can include the creation, deletion, or modification of one or more components such as compute instances, virtual machines, and snapshots. To aid in mitigating this technique, consider limiting user permissions to ensure only the expected users have the capability to modify cloud compute infrastructure components.
PR.PS-01.09 Virtualized end point protection Mitigates T1578.003 Delete Cloud Instance
Comments
The diagnostic statement highlights several mitigating controls that organizations can implement to protect endpoint systems using virtualization technologies. An adversary may attempt to modify a cloud account's compute service infrastructure to evade defenses. A modification to the compute service infrastructure can include the creation, deletion, or modification of one or more components such as compute instances, virtual machines, and snapshots. To aid in mitigating this technique, consider limiting user permissions to ensure only the expected users have the capability to modify cloud compute infrastructure components.
PR.PS-01.09 Virtualized end point protection Mitigates T1578.002 Create Cloud Instance
Comments
The diagnostic statement highlights several mitigating controls that organizations can implement to protect endpoint systems using virtualization technologies. An adversary may attempt to modify a cloud account's compute service infrastructure to evade defenses. A modification to the compute service infrastructure can include the creation, deletion, or modification of one or more components such as compute instances, virtual machines, and snapshots. To aid in mitigating this technique, consider limiting user permissions to ensure only the expected users have the capability to modify cloud compute infrastructure components.
PR.PS-01.09 Virtualized end point protection Mitigates T1578.001 Create Snapshot
Comments
The diagnostic statement highlights several mitigating controls that organizations can implement to protect endpoint systems using virtualization technologies. An adversary may attempt to modify a cloud account's compute service infrastructure to evade defenses. A modification to the compute service infrastructure can include the creation, deletion, or modification of one or more components such as compute instances, virtual machines, and snapshots. To aid in mitigating this technique, consider limiting user permissions to ensure only the expected users have the capability to modify cloud compute infrastructure components.
PR.PS-01.09 Virtualized end point protection Mitigates T1578 Modify Cloud Compute Infrastructure
Comments
The diagnostic statement highlights several mitigating controls that organizations can implement to protect endpoint systems using virtualization technologies. An adversary may attempt to modify a cloud account's compute service infrastructure to evade defenses. A modification to the compute service infrastructure can include the creation, deletion, or modification of one or more components such as compute instances, virtual machines, and snapshots. To aid in mitigating this technique, consider limiting user permissions to ensure only the expected users have the capability to modify cloud compute infrastructure components.
PR.PS-01.09 Virtualized end point protection Mitigates T1564.006 Run Virtual Instance
Comments
The diagnostic statement highlights several mitigating controls that organizations can implement to protect endpoint systems using virtualization technologies. Adversaries may carry out malicious operations using a virtual instance to avoid detection. After running a virtual instance, adversaries may create a shared folder between the guest and host with permissions that enable the virtual instance to interact with the host file system. To aid in mitigating this technique, consider using application control to block the installation and use of unapproved virtualization software, disabling shared folders that are not necessary within a given environment, and periodically auditing virtual machines for abnormalities.
PR.PS-01.09 Virtualized end point protection Mitigates T1651 Cloud Administration Command
Comments
The diagnostic statement highlights several mitigating controls that organizations can implement to protect endpoint systems using virtualization technologies. Adversaries may abuse cloud management services to execute commands within virtual machines. Resources such as AWS Systems Manager, Azure RunCommand, and Runbooks allow users to remotely run scripts in virtual machines by leveraging installed virtual machine agents. To help with mitigating this technique, consider limiting the number of cloud accounts with permissions to remotely execute commands on virtual machines, and ensure that these are not used for day-to-day operations.
PR.PS-01.09 Virtualized end point protection Mitigates T1210 Exploitation of Remote Services
Comments
The diagnostic statement highlights several mechanisms that organizations can implement to protect endpoint systems using virtualization technologies. Virtualization technologies provide a layer of isolation that contains the impact of potential compromises. For this exploitation technique, consider making it difficult for adversaries to advance their operation through exploitation of undiscovered or unpatched vulnerabilities by using sandboxing. Other types of virtualization and application microsegmentation may also mitigate the impact of some types of exploitation.
PR.PS-01.09 Virtualized end point protection Mitigates T1068 Exploitation for Privilege Escalation
Comments
The diagnostic statement highlights several mechanisms that organizations can implement to protect endpoint systems using virtualization technologies. Virtualization technologies provide a layer of isolation that contains the impact of potential compromises. For this exploitation technique, consider making it difficult for adversaries to advance their operation through exploitation of undiscovered or unpatched vulnerabilities by using sandboxing. Other types of virtualization and application microsegmentation may also mitigate the impact of some types of exploitation.
PR.PS-01.09 Virtualized end point protection Mitigates T1211 Exploitation for Defense Evasion
Comments
The diagnostic statement highlights several mechanisms that organizations can implement to protect endpoint systems using virtualization technologies. Virtualization technologies provide a layer of isolation that contains the impact of potential compromises. For this exploitation technique, consider making it difficult for adversaries to advance their operation through exploitation of undiscovered or unpatched vulnerabilities by using sandboxing. Other types of virtualization and application microsegmentation may also mitigate the impact of some types of exploitation.
PR.PS-01.09 Virtualized end point protection Mitigates T1212 Exploitation for Credential Access
Comments
The diagnostic statement highlights several mechanisms that organizations can implement to protect endpoint systems using virtualization technologies. Virtualization technologies provide a layer of isolation that contains the impact of potential compromises. For this exploitation technique, consider making it difficult for adversaries to advance their operation through exploitation of undiscovered or unpatched vulnerabilities by using sandboxing. Other types of virtualization and application microsegmentation may also mitigate the impact of some types of exploitation.
PR.PS-01.09 Virtualized end point protection Mitigates T1203 Exploitation for Client Execution
Comments
The diagnostic statement highlights several mechanisms that organizations can implement to protect endpoint systems using virtualization technologies. Virtualization technologies provide a layer of isolation that contains the impact of potential compromises. For this exploitation technique, consider making it difficult for adversaries to advance their operation through exploitation of undiscovered or unpatched vulnerabilities by using sandboxing. Other types of virtualization and application microsegmentation may also mitigate the impact of some types of exploitation.
PR.PS-01.09 Virtualized end point protection Mitigates T1190 Exploit Public-Facing Application
Comments
The diagnostic statement highlights several mechanisms that organizations can implement to protect endpoint systems using virtualization technologies. Virtualization technologies provide a layer of isolation that contains the impact of potential compromises. Application isolation will limit what other processes and system features the exploited target can access, thus aiding with mitigations related to exploiting public-facing applications.
PR.PS-01.09 Virtualized end point protection Mitigates T1027.006 HTML Smuggling
Comments
The diagnostic statement highlights several mechanisms that organizations can implement to protect endpoint systems using virtualization technologies. Virtualization technologies provide a layer of isolation that contains the impact of potential compromises. For this technique, browser sandboxes can be used to mitigate some of the impact of exploitation, but sandbox escapes may still exist.
PR.PS-01.09 Virtualized end point protection Mitigates T1611 Escape to Host
Comments
The diagnostic statement highlights several mechanisms that organizations can implement to protect endpoint systems using virtualization technologies. Virtualization technologies provide a layer of isolation that contains the impact of potential compromises. For the Escape to Host technique, consider utilizing solutions that restrict certain system calls, such as mount, from the virtualized machine to the host. In Kubernetes environments, consider defining Pod Security Standards that limit container access to host process namespaces, the host network, and the host file system.
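The Pod Security Standards checks referred to in both Escape to Host rows (this one and the earlier T1611 row) as an added example; it is not CRI Profile or Kubernetes project code. It takes a pod manifest already parsed into a dict (for instance by yaml.safe_load) and applies the host-namespace, host-network, hostPath, privileged, capability and seccomp rules of the "baseline" level, with a note where the "restricted" level would also require a seccomp profile; the two manifests are constructed.

```python
"""Audit a parsed Kubernetes pod manifest for settings that weaken host isolation."""

# Capabilities the Pod Security Standards baseline level permits in `capabilities.add`.
BASELINE_ALLOWED_CAPS = {
    "AUDIT_WRITE", "CHOWN", "DAC_OVERRIDE", "FOWNER", "FSETID", "KILL", "MKNOD",
    "NET_BIND_SERVICE", "SETFCAP", "SETGID", "SETPCAP", "SETUID", "SYS_CHROOT",
}


def all_containers(pod_spec):
    """Yield (field, container) for init, regular, and ephemeral containers."""
    for field in ("initContainers", "containers", "ephemeralContainers"):
        for container in pod_spec.get(field, []):
            yield field, container


def check_pod(pod):
    """Return a list of human-readable findings; an empty list means no issue found."""
    spec = pod.get("spec", {})
    name = pod.get("metadata", {}).get("name", "<unnamed>")
    findings = []

    # Host namespaces: sharing PID/IPC/network with the node defeats containment.
    for flag in ("hostPID", "hostIPC", "hostNetwork"):
        if spec.get(flag):
            findings.append(f"{name}: spec.{flag} is true (shares host namespace)")

    # Host file system: hostPath volumes expose node paths to the container.
    for vol in spec.get("volumes", []):
        if "hostPath" in vol:
            path = vol["hostPath"].get("path")
            findings.append(f"{name}: volume {vol.get('name')} mounts hostPath {path}")

    pod_seccomp = spec.get("securityContext", {}).get("seccompProfile", {}).get("type")
    for field, container in all_containers(spec):
        sc = container.get("securityContext", {})
        where = f"{name}/{field}/{container.get('name')}"
        if sc.get("privileged"):
            findings.append(f"{where}: privileged container")
        # Container-level seccomp overrides the pod-level setting.
        seccomp = sc.get("seccompProfile", {}).get("type") or pod_seccomp
        if seccomp == "Unconfined":
            findings.append(f"{where}: seccompProfile Unconfined (syscalls such as mount are not filtered)")
        elif seccomp is None:
            findings.append(f"{where}: no seccompProfile (restricted level requires RuntimeDefault or Localhost)")
        added = set(sc.get("capabilities", {}).get("add", []))
        for cap in sorted(added - BASELINE_ALLOWED_CAPS):
            findings.append(f"{where}: adds capability {cap} not allowed at baseline")
    return findings


# Constructed manifest that would let a container reach the node's namespaces and root fs.
RISKY_POD = {
    "apiVersion": "v1", "kind": "Pod", "metadata": {"name": "node-tool"},
    "spec": {
        "hostPID": True, "hostNetwork": True,
        "volumes": [{"name": "rootfs", "hostPath": {"path": "/"}}],
        "containers": [{
            "name": "tool", "image": "registry.example/tool:1",
            "securityContext": {
                "privileged": True,
                "seccompProfile": {"type": "Unconfined"},
                "capabilities": {"add": ["SYS_ADMIN", "NET_BIND_SERVICE"]},
            },
            "volumeMounts": [{"name": "rootfs", "mountPath": "/host"}],
        }],
    },
}

# Constructed manifest that satisfies the checks above.
HARDENED_POD = {
    "apiVersion": "v1", "kind": "Pod", "metadata": {"name": "web"},
    "spec": {
        "securityContext": {"seccompProfile": {"type": "RuntimeDefault"}},
        "containers": [{
            "name": "web", "image": "registry.example/web:1",
            "securityContext": {
                "allowPrivilegeEscalation": False,
                "capabilities": {"drop": ["ALL"]},
            },
        }],
    },
}

if __name__ == "__main__":
    for pod in (RISKY_POD, HARDENED_POD):
        for finding in check_pod(pod) or [f"{pod['metadata']['name']}: ok"]:
            print(finding)
```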
PR.PS-01.09 Virtualized end point protection Mitigates T1189 Drive-by Compromise
Comments
The diagnostic statement highlights several mechanisms that organizations can implement to protect endpoint systems using virtualization technologies. Virtualization technologies provide a layer of isolation that contains the impact of potential compromises. For Drive-by Compromise, browser sandboxes can be used to mitigate some of the impact of exploitation, but sandbox escapes may still exist. Other types of virtualization and application micro-segmentation may also mitigate the impact of client-side exploitation from the virtualized machine.