Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
---|---|---|---|---|---|
PR.PS-02.01 | Patch identification and application | Mitigates | T1550.002 | Pass the Hash | This diagnostic statement is related to the implementation of a patch management program. Applying patches and upgrades for products and systems provided by vendors mitigates the risk of adversaries exploiting known vulnerabilities. An example for Pass the Hash is applying patch KB2871997 to Windows 7 and later systems, limiting the default access of accounts in the local Administrators group. |
PR.PS-02.01 | Patch identification and application | Mitigates | T1552.006 | Group Policy Preferences | This diagnostic statement is related to the implementation of a patch management program. Applying patches and upgrades for products and systems provided by vendors mitigates the risk of adversaries exploiting known vulnerabilities. An example for Group Policy Preferences (GPPs) is applying patch KB2962486 (MS14-025), which removes the ability to set passwords in Group Policy Preferences; the update does not remove cpassword values already written to SYSVOL, so existing preference items must still be found and cleaned up. |
PR.PS-02.01 | Patch identification and application | Mitigates | T1539 | Steal Web Session Cookie | This diagnostic statement is related to the implementation of a patch management program. Applying patches and upgrades for products and systems provided by vendors mitigates the risk of adversaries exploiting known vulnerabilities. Regularly updating web browsers, password managers, and related software to the latest versions reduces the risk of vulnerabilities being exploited by attackers to extract stored credentials or steal web session cookies. |
PR.PS-02.01 | Patch identification and application | Mitigates | T1072 | Software Deployment Tools | This diagnostic statement is related to the implementation of a patch management program. Applying patches and upgrades for products and systems provided by vendors mitigates the risk of adversaries exploiting known vulnerabilities. Patching software deployment tools and systems regularly helps prevent an adversary from exploiting the deployment system itself to gain remote access to it or elevate privileges on it (Exploitation for Privilege Escalation), and from there pushing code to every managed host. |
PR.PS-02.01 | Patch identification and application | Mitigates | T1542.001 | System Firmware | This diagnostic statement is related to the implementation of a patch management program. Applying patches and upgrades for products and systems provided by vendors mitigates the risk of adversaries exploiting known vulnerabilities. Patching BIOS and UEFI firmware as vendor updates become available helps prevent adversaries from modifying system firmware. |
PR.PS-02.01 | Patch identification and application | Mitigates | T1542 | Pre-OS Boot | This diagnostic statement is related to the implementation of a patch management program. Applying patches and upgrades for products and systems provided by vendors mitigates the risk of adversaries exploiting known vulnerabilities. Patching BIOS and UEFI firmware as vendor updates become available helps prevent adversaries from abusing Pre-OS Boot mechanisms. |
PR.PS-02.01 | Patch identification and application | Mitigates | T1137.005 | Outlook Rules | This diagnostic statement is related to the implementation of a patch management program. Applying patches and upgrades for products and systems provided by vendors mitigates the risk of adversaries exploiting known vulnerabilities. An example is installing the patches Microsoft has released to address abuse of Microsoft Outlook rules. |
PR.PS-02.01 | Patch identification and application | Mitigates | T1137.004 | Outlook Home Page | This diagnostic statement is related to the implementation of a patch management program. Applying patches and upgrades for products and systems provided by vendors mitigates the risk of adversaries exploiting known vulnerabilities. For example, exploitation via Outlook Home Page can be prevented by applying Microsoft KB4011162 to systems, which removes the legacy Home Page feature. |
PR.PS-02.01 | Patch identification and application | Mitigates | T1137.003 | Outlook Forms | This diagnostic statement is related to the implementation of a patch management program. Applying patches and upgrades for products and systems provided by vendors mitigates the risk of adversaries exploiting known vulnerabilities. For example, exploitation via Outlook Forms can be mitigated by applying Microsoft KB4011091, which disables custom forms by default. |
PR.PS-02.01 | Patch identification and application | Mitigates | T1137 | Office Application Startup | This diagnostic statement is related to the implementation of a patch management program. Applying patches and upgrades for products and systems provided by vendors mitigates the risk of adversaries exploiting known vulnerabilities. For example, Microsoft has released several patches to address the use of Microsoft Office applications for persistence across startups. |
PR.PS-02.01 | Patch identification and application | Mitigates | T1574.002 | DLL Side-Loading | This diagnostic statement is related to the implementation of a patch management program. Applying patches and upgrades for products and systems provided by vendors mitigates the risk of adversaries exploiting known vulnerabilities. For example, applying vendor patches that fix DLL side-loading weaknesses (typically by making the program load its libraries from a fully qualified path instead of searching the application or working directory) mitigates the execution of malicious payloads by side-loading DLLs. |
PR.PS-02.01 | Patch identification and application | Mitigates | T1574 | Hijack Execution Flow | This diagnostic statement is related to the implementation of a patch management program. Applying patches and upgrades for products and systems provided by vendors mitigates the risk of adversaries exploiting known vulnerabilities. For example, updating software regularly to pick up patches that fix DLL search-order and side-loading weaknesses helps mitigate execution of malicious payloads by hijacking execution flow. |
PR.PS-02.01 | Patch identification and application | Mitigates | T1495 | Firmware Corruption | This diagnostic statement is related to the implementation of a patch management program. Applying patches and upgrades for products and systems provided by vendors mitigates the risk of adversaries exploiting known vulnerabilities. For example, patching the BIOS and other firmware can help prevent adversaries from overwriting or corrupting firmware. |
PR.PS-02.01 | Patch identification and application | Mitigates | T1546.011 | Application Shimming | This diagnostic statement is related to the implementation of a patch management program. Applying patches and upgrades for products and systems provided by vendors mitigates the risk of adversaries exploiting known vulnerabilities. For example, to prevent use of application shimming to bypass UAC, Microsoft released the optional update KB3045645, which removes the "auto-elevate" flag from sdbinst.exe. |
PR.PS-02.01 | Patch identification and application | Mitigates | T1546.010 | AppInit DLLs | This diagnostic statement is related to the implementation of a patch management program. Applying patches and upgrades for products and systems provided by vendors mitigates the risk of adversaries exploiting known vulnerabilities. For example, upgrading to Windows 8 or later and enabling Secure Boot prevents execution of malicious content via AppInit DLLs, because AppInit DLL loading is disabled on those versions when Secure Boot is on. |
PR.PS-02.01 | Patch identification and application | Mitigates | T1546 | Event Triggered Execution | This diagnostic statement is related to the implementation of a patch management program. Applying patches and upgrades for products and systems provided by vendors mitigates the risk of adversaries exploiting known vulnerabilities. For example, performing regular software updates can mitigate the risk of event triggered execution. |
PR.PS-02.01 | Patch identification and application | Mitigates | T1189 | Drive-by Compromise | This diagnostic statement is related to the implementation of a patch management program. Applying patches and upgrades for products and systems provided by vendors mitigates the risk of adversaries exploiting known vulnerabilities. For example, keeping all browsers and plugins updated helps prevent the exploit phase of Drive-by Compromise. |
PR.PS-02.01 | Patch identification and application | Mitigates | T1602.002 | Network Device Configuration Dump | This diagnostic statement is related to the implementation of a patch management program. Applying patches and upgrades for products and systems provided by vendors mitigates the risk of adversaries exploiting known vulnerabilities. For example, keeping system images and software updated and migrating from SNMPv1/v2c community strings to SNMPv3 with authentication and encryption (authPriv) can help prevent adversaries from retrieving network device configuration files. |
PR.PS-02.01 | Patch identification and application | Mitigates | T1602.001 | SNMP (MIB Dump) | This diagnostic statement is related to the implementation of a patch management program. Applying patches and upgrades for products and systems provided by vendors mitigates the risk of adversaries exploiting known vulnerabilities. For example, keeping system images and software updated and migrating from SNMPv1/v2c community strings to SNMPv3 with authentication and encryption (authPriv) can help prevent adversaries from collecting MIB content directly from SNMP-managed devices. |
PR.PS-02.01 | Patch identification and application | Mitigates | T1602 | Data from Configuration Repository | This diagnostic statement is related to the implementation of a patch management program. Applying patches and upgrades for products and systems provided by vendors mitigates the risk of adversaries exploiting known vulnerabilities. For example, keeping system images and software updated can help prevent adversaries from collecting data about managed devices from configuration repositories. |
PR.PS-02.01 | Patch identification and application | Mitigates | T1555.005 | Password Managers | This diagnostic statement is related to the implementation of a patch management program. Applying patches and upgrades for products and systems provided by vendors mitigates the risk of adversaries exploiting known vulnerabilities. For example, regularly updating password managers and the browsers or browser extensions they integrate with reduces the risk of vulnerabilities being exploited by attackers to extract stored credentials. |
PR.PS-02.01 | Patch identification and application | Mitigates | T1555.003 | Credentials from Web Browsers | This diagnostic statement is related to the implementation of a patch management program. Applying patches and upgrades for products and systems provided by vendors mitigates the risk of adversaries exploiting known vulnerabilities. For example, regularly updating web browsers, password managers, and related software reduces the risk of vulnerabilities being exploited by attackers to extract stored credentials or session cookies. |
PR.PS-02.01 | Patch identification and application | Mitigates | T1555 | Credentials from Password Stores | This diagnostic statement is related to the implementation of a patch management program. Applying patches and upgrades for products and systems provided by vendors mitigates the risk of adversaries exploiting known vulnerabilities. For example, performing regular software updates mitigates adversary exploitation of password storage locations to obtain user credentials. |
PR.PS-02.01 | Patch identification and application | Mitigates | T1176 | Browser Extensions | This diagnostic statement is related to the implementation of a patch management program. Applying patches and upgrades for products and systems provided by vendors mitigates the risk of adversaries exploiting known vulnerabilities. For example, ensuring operating systems and browsers are on the most current version helps prevent adversaries from abusing browser extensions or plugins. |
PR.PS-02.01 | Patch identification and application | Mitigates | T1548.002 | Bypass User Account Control | This diagnostic statement is related to the implementation of a patch management program. Applying patches and upgrades for products and systems provided by vendors mitigates the risk of adversaries exploiting known vulnerabilities. For example, updating Windows to the latest version and patch level provides the latest protective measures against UAC bypass. |
PR.PS-02.01 | Patch identification and application | Mitigates | T1548 | Abuse Elevation Control Mechanism | This diagnostic statement is related to the implementation of a patch management program. Applying patches and upgrades for products and systems provided by vendors mitigates the risk of adversaries exploiting known vulnerabilities. For example, performing regular software updates is recommended to help mitigate the risk of exploitation via abuse of elevation control mechanisms. |
PR.PS-02.01 | Patch identification and application | Mitigates | T1195.002 | Compromise Software Supply Chain | This diagnostic statement is related to the implementation of a patch management program. Applying patches and upgrades for products and systems provided by vendors mitigates the risk of adversaries exploiting known vulnerabilities. A patch management process can help prevent supply chain compromise by identifying and removing unused dependencies, replacing unmaintained or previously vulnerable dependencies, and stripping unnecessary features, components, files, and documentation. |
PR.PS-02.01 | Patch identification and application | Mitigates | T1195.001 | Compromise Software Dependencies and Development Tools | This diagnostic statement is related to the implementation of a patch management program. Applying patches and upgrades for products and systems provided by vendors mitigates the risk of adversaries exploiting known vulnerabilities. A patch management process can help prevent supply chain compromise by identifying and removing unused dependencies, replacing unmaintained or previously vulnerable dependencies, and stripping unnecessary features, components, files, and documentation. |
PR.PS-02.01 | Patch identification and application | Mitigates | T1195 | Supply Chain Compromise | This diagnostic statement is related to the implementation of a patch management program. Applying patches and upgrades for products and systems provided by vendors mitigates the risk of adversaries exploiting known vulnerabilities. A patch management process can help prevent supply chain compromise by identifying and removing unused dependencies, replacing unmaintained or previously vulnerable dependencies, and stripping unnecessary features, components, files, and documentation. |
PR.PS-02.01 | Patch identification and application | Mitigates | T1210 | Exploitation of Remote Services | This diagnostic statement is related to the implementation of a patch management program. Applying patches and upgrades for products and systems provided by vendors mitigates the risk of adversaries exploiting known vulnerabilities. For example, updating software regularly by employing patch management for internal enterprise endpoints and servers can mitigate exploitation of remote services. |
PR.PS-02.01 | Patch identification and application | Mitigates | T1211 | Exploitation for Defense Evasion | This diagnostic statement is related to the implementation of a patch management program. Applying patches and upgrades for products and systems provided by vendors mitigates the risk of adversaries exploiting known vulnerabilities. For example, updating software regularly by employing patch management for internal enterprise endpoints and servers can help prevent adversary exploitation of a system or application vulnerability to bypass security features. |
PR.PS-02.01 | Patch identification and application | Mitigates | T1190 | Exploit Public-Facing Application | This diagnostic statement is related to the implementation of a patch management program. Applying patches and upgrades for products and systems provided by vendors mitigates the risk of adversaries exploiting known vulnerabilities. For example, updating software regularly by employing patch management for externally exposed applications and the hosts that serve them can help prevent adversary exploitation of a weakness in an Internet-facing host or system to gain initial access to a network. |
PR.PS-02.01 | Patch identification and application | Mitigates | T1068 | Exploitation for Privilege Escalation | This diagnostic statement is related to the implementation of a patch management program. Applying patches and upgrades for products and systems provided by vendors mitigates the risk of adversaries exploiting known vulnerabilities. For example, updating software regularly by employing patch management for internal enterprise endpoints and servers can help prevent adversary exploitation of software vulnerabilities to elevate privileges. |
PR.PS-02.01 | Patch identification and application | Mitigates | T1212 | Exploitation for Credential Access | This diagnostic statement is related to the implementation of a patch management program. Applying patches and upgrades for products and systems provided by vendors mitigates the risk of adversaries exploiting known vulnerabilities. For example, updating software regularly by employing patch management for internal enterprise endpoints and servers can help prevent adversary exploitation of software vulnerabilities to collect credentials. |
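The T1552.006 row above notes that KB2962486 stops new passwords from being written to Group Policy Preferences but leaves existing ones in SYSVOL. The following is an added example, not part of the mapping page or its source project: a stdlib-only Python scan of GPP XML files that reports every preference item still carrying a `cpassword` attribute. The file names in `GPP_FILES` are the standard GPP preference files; the two XML documents embedded below are constructed samples, and the `demo()` helper builds a throwaway SYSVOL-like tree from them so the scan runs offline.

```python
"""Find credentials left in Group Policy Preferences XML (added example).

KB2962486 (MS14-025) removes the ability to set passwords in GPP but does
not delete 'cpassword' values already present under
\\\\<domain>\\SYSVOL\\<domain>\\Policies\\{GUID}\\{Machine,User}\\Preferences.
This scan finds them so they can be removed and the accounts rotated.
"""
import tempfile
import xml.etree.ElementTree as ET
from pathlib import Path

# Preference files that can carry a cpassword attribute.
GPP_FILES = {"Groups.xml", "ScheduledTasks.xml", "Services.xml",
             "Drives.xml", "DataSources.xml", "Printers.xml"}
# Attribute naming the account the password belongs to; it varies by preference type.
ACCOUNT_ATTRS = ("userName", "runAs", "accountName", "username")


def find_cpasswords(xml_text, source="<string>"):
    """Return one finding per element that has a cpassword attribute."""
    findings = []
    for elem in ET.fromstring(xml_text).iter():
        cpassword = elem.attrib.get("cpassword")
        if cpassword is None:
            continue
        account = next((elem.attrib[a] for a in ACCOUNT_ATTRS if a in elem.attrib), "?")
        findings.append({"file": source, "element": elem.tag, "account": account,
                         "empty": cpassword == ""})
    return findings


def scan_sysvol(root_dir):
    """Walk a SYSVOL-style tree and collect cpassword findings from known GPP files."""
    findings = []
    for path in sorted(Path(root_dir).rglob("*.xml")):
        if path.name not in GPP_FILES:
            continue
        try:
            findings.extend(find_cpasswords(path.read_text(encoding="utf-8"), path.name))
        except ET.ParseError:
            # Do not abort the sweep on a malformed file; surface it for manual review.
            findings.append({"file": path.name, "element": "PARSE_ERROR",
                             "account": "?", "empty": False})
    return findings


# Constructed samples: a pre-patch Groups.xml that still stores a local admin
# password, and a Drives.xml written after the patch (no cpassword at all).
LEGACY_GROUPS_XML = """<?xml version="1.0" encoding="utf-8"?>
<Groups>
  <User name="localadmin" image="2" changed="2014-01-01 00:00:00"
        uid="{11111111-1111-1111-1111-111111111111}">
    <Properties action="U" newName="" fullName="" description=""
        cpassword="AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
        changeLogon="0" noChange="1" neverExpires="1" acctDisabled="0"
        userName="localadmin"/>
  </User>
</Groups>
"""
CLEAN_DRIVES_XML = """<?xml version="1.0" encoding="utf-8"?>
<Drives>
  <Drive name="S:" status="S:" image="2" changed="2015-06-01 00:00:00"
         uid="{22222222-2222-2222-2222-222222222222}">
    <Properties action="U" thisDrive="SHOW" allDrives="NOCHANGE" userName=""
        path="\\\\fileserver\\share" label="Shared" persistent="1" useLetter="1" letter="S"/>
  </Drive>
</Drives>
"""


def demo():
    """Build a throwaway SYSVOL-like tree from the samples and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        base = Path(tmp) / "Policies" / "{GUID}" / "Machine" / "Preferences"
        (base / "Groups").mkdir(parents=True)
        (base / "Drives").mkdir(parents=True)
        (base / "Groups" / "Groups.xml").write_text(LEGACY_GROUPS_XML, encoding="utf-8")
        (base / "Drives" / "Drives.xml").write_text(CLEAN_DRIVES_XML, encoding="utf-8")
        return scan_sysvol(tmp)


if __name__ == "__main__":
    for f in demo():
        print(f"{f['file']}: <{f['element']}> account={f['account']} empty={f['empty']}")
```

Point `scan_sysvol()` at a mounted copy of the domain's SYSVOL share to run it for real. Every hit is an account whose password should be treated as compromised, since the encryption key for `cpassword` is published, so rotate the credential as well as deleting the preference item.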
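The T1602.001 and T1602.002 rows above recommend migrating from SNMPv1/v2c to SNMPv3. As an added example (not part of the mapping page or its source project), here is a Python audit that reads an SNMP agent configuration and reports the settings that leave MIB and configuration data exposed: any community string, and any SNMPv3 user or group below authPriv. It understands two common syntaxes, net-snmp `snmpd.conf` directives and Cisco IOS `snmp-server` lines; the four configurations embedded at the bottom are constructed samples, and the severity labels are this example's own scheme.

```python
"""Audit SNMP configuration for community strings and weak SNMPv3 levels (added example)."""

WEAK_COMMUNITIES = {"public", "private", "cisco", "community", "admin"}
NETSNMP_COMMUNITY = ("rocommunity", "rwcommunity", "rocommunity6", "rwcommunity6")
V3_LEVELS = ("noauth", "auth", "priv")


def _community(line_no, line, community, access):
    """A v1/v2c community string is always a finding; default or RW ones are worse."""
    sev = "critical" if community.lower() in WEAK_COMMUNITIES or access == "rw" else "high"
    return {"line": line_no, "severity": sev, "directive": line,
            "reason": f"SNMPv1/v2c community string ({access}): cleartext, unauthenticated"}


def _v3(line_no, line, level):
    """Only authPriv keeps both the credentials and the MIB data off the wire."""
    if level == "noauth":
        return [{"line": line_no, "severity": "high", "directive": line,
                 "reason": "SNMPv3 noAuthNoPriv: no authentication, no encryption"}]
    if level == "auth":
        return [{"line": line_no, "severity": "medium", "directive": line,
                 "reason": "SNMPv3 authNoPriv: authenticated, but MIB data is cleartext"}]
    return []


def audit_snmp_config(text):
    """Return findings for one configuration file, in line order."""
    findings = []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()          # '#' comments (net-snmp)
        if not line or line.startswith("!"):          # '!' comments (IOS)
            continue
        tok = line.split()
        key = tok[0].lower()
        # net-snmp snmpd.conf
        if key in NETSNMP_COMMUNITY and len(tok) > 1:
            findings.append(_community(n, line, tok[1], "rw" if key.startswith("rw") else "ro"))
        elif key in ("com2sec", "com2sec6") and len(tok) >= 4:
            # com2sec NAME SOURCE COMMUNITY; the access level comes from group/access lines
            findings.append(_community(n, line, tok[3], "unknown"))
        elif key in ("rouser", "rwuser") and len(tok) > 1:
            # rouser|rwuser USER [noauth|auth|priv] [OID]; net-snmp defaults to auth
            level = tok[2].lower() if len(tok) > 2 and tok[2].lower() in V3_LEVELS else "auth"
            findings.extend(_v3(n, line, level))
        # Cisco IOS
        elif key == "snmp-server" and len(tok) >= 3:
            sub = tok[1].lower()
            if sub == "community":
                access = "rw" if any(t.lower() == "rw" for t in tok[3:]) else "ro"
                findings.append(_community(n, line, tok[2], access))
            elif sub == "group" and len(tok) >= 4:
                ver = tok[3].lower()
                if ver in ("v1", "v2c"):
                    findings.append({"line": n, "severity": "high", "directive": line,
                                     "reason": f"SNMP{ver} group relies on community strings"})
                elif ver == "v3":
                    # IOS requires auth|noauth|priv here; treat a missing level as noauth
                    level = tok[4].lower() if len(tok) > 4 and tok[4].lower() in V3_LEVELS else "noauth"
                    findings.extend(_v3(n, line, level))
    return findings


# Constructed sample configurations.
WEAK_SNMPD_CONF = """\
# legacy agent: v2c communities plus an unauthenticated v3 user
rocommunity public
rwcommunity s3cret 10.0.0.0/8
rouser legacy noauth
"""
HARDENED_SNMPD_CONF = """\
# SNMPv3 only, authPriv: SHA authentication and AES privacy
createUser netmon SHA "auth-passphrase-here" AES "priv-passphrase-here"
rouser netmon priv
"""
WEAK_IOS_CONF = """\
snmp-server community public RO 10
snmp-server group NETOPS v3 auth
snmp-server user netops NETOPS v3 auth sha AuthPass
"""
HARDENED_IOS_CONF = """\
snmp-server group NETOPS v3 priv
snmp-server user netops NETOPS v3 auth sha AuthPass priv aes 128 PrivPass
"""

if __name__ == "__main__":
    for name, conf in [("weak snmpd.conf", WEAK_SNMPD_CONF), ("weak IOS", WEAK_IOS_CONF)]:
        for f in audit_snmp_config(conf):
            print(f"{name} line {f['line']} [{f['severity']}] {f['directive']}: {f['reason']}")
```

The hardened samples produce no findings: a `createUser ... SHA ... AES ...` line paired with `rouser ... priv`, or an IOS `v3 priv` group, is the end state the mapping row is asking for. Any community string that survives the migration, even a read-only one with an ACL, still hands out MIB contents to whoever can guess it and spoof a permitted source address.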
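The T1195, T1195.001 and T1195.002 rows above describe checking for unused and previously vulnerable dependencies, and the T1190, T1210, T1211, T1068 and T1212 rows all reduce to the same identification step: find components whose installed version is below the vendor's fixed version. The following is an added example, not code from the mapping page or its source project. It compares a component inventory (as a lockfile or SBOM parser would emit it) against advisories in the OSV range format, which uses ordered `introduced`/`fixed`/`last_affected` events, and separately flags declared dependencies that no source file imports. Every package name, advisory ID, version and source snippet below is a constructed placeholder, and `import_names` is a hand-built lookup rather than anything derived from package metadata.

```python
"""Patch identification over a component inventory (added example)."""
import re


def _vkey(version):
    """Comparison key for dotted versions: numeric parts as ints, so 1.10 > 1.9."""
    return tuple((0, int(p)) if p.isdigit() else (1, p)
                 for p in re.split(r"[.\-+]", version))


def is_affected(version, events):
    """Evaluate an OSV ECOSYSTEM range. Events are ordered ascending, as OSV requires."""
    v = _vkey(version)
    affected = False
    for ev in events:
        if "introduced" in ev:
            affected = affected or ev["introduced"] == "0" or v >= _vkey(ev["introduced"])
        elif "fixed" in ev and affected and v >= _vkey(ev["fixed"]):
            affected = False
        elif "last_affected" in ev and affected and v > _vkey(ev["last_affected"]):
            affected = False
    return affected


def find_vulnerable(inventory, advisories):
    """One finding per (component, advisory) whose version falls in an affected range."""
    findings = []
    for comp in inventory:
        for adv in advisories:
            for aff in adv["affected"]:
                pkg = aff["package"]
                if (pkg["ecosystem"], pkg["name"]) != (comp["ecosystem"], comp["name"]):
                    continue
                for rng in aff.get("ranges", []):
                    if rng["type"] != "ECOSYSTEM" or not is_affected(comp["version"], rng["events"]):
                        continue
                    # The lowest 'fixed' version above the installed one is the patch target.
                    fixes = [e["fixed"] for e in rng["events"]
                             if "fixed" in e and _vkey(e["fixed"]) > _vkey(comp["version"])]
                    findings.append({"name": comp["name"], "version": comp["version"],
                                     "advisory": adv["id"],
                                     "fixed": min(fixes, key=_vkey) if fixes else None})
    return sorted(findings, key=lambda f: (f["name"], f["advisory"]))


IMPORT_RE = re.compile(r"^\s*(?:import|from)\s+([A-Za-z_]\w*)", re.M)


def find_unused(declared, sources, import_names=None):
    """Declared dependencies whose top-level module never appears in an import statement.

    import_names maps a distribution name to its module when they differ (for example
    PyYAML -> yaml); here it is a hand-built lookup, not derived from package metadata.
    """
    import_names = import_names or {}
    imported = set()
    for text in sources:
        imported.update(m.group(1).lower() for m in IMPORT_RE.finditer(text))
    return sorted(d for d in declared
                  if import_names.get(d, d).replace("-", "_").lower() not in imported)


# Constructed inventory, advisories and source; names and IDs are placeholders.
INVENTORY = [
    {"ecosystem": "PyPI", "name": "examplelib", "version": "1.4.2"},
    {"ecosystem": "PyPI", "name": "otherlib", "version": "2.0.5"},
    {"ecosystem": "PyPI", "name": "leftover-tool", "version": "0.9"},
]
ADVISORIES = [
    {"id": "EXAMPLE-0001",
     "affected": [{"package": {"ecosystem": "PyPI", "name": "examplelib"},
                   "ranges": [{"type": "ECOSYSTEM",
                               "events": [{"introduced": "0"}, {"fixed": "1.5.0"}]}]}]},
    {"id": "EXAMPLE-0002",   # two affected branches: <1.9.3 and 2.0.0 to <2.0.4
     "affected": [{"package": {"ecosystem": "PyPI", "name": "otherlib"},
                   "ranges": [{"type": "ECOSYSTEM",
                               "events": [{"introduced": "0"}, {"fixed": "1.9.3"},
                                          {"introduced": "2.0.0"}, {"fixed": "2.0.4"}]}]}]},
]
SOURCES = ["import examplelib\nfrom otherlib.client import Session\n"]


def report(inventory=INVENTORY, advisories=ADVISORIES, sources=SOURCES):
    """Return (components below their fixed version, declared-but-unimported dependencies)."""
    return (find_vulnerable(inventory, advisories),
            find_unused([c["name"] for c in inventory], sources))


if __name__ == "__main__":
    vulnerable, unused = report()
    for f in vulnerable:
        print(f"{f['name']} {f['version']}: {f['advisory']} -> upgrade to {f['fixed']}")
    print("unused:", unused)
```

On the constructed data the report flags `examplelib 1.4.2` against `EXAMPLE-0001` with `1.5.0` as the patch target, leaves `otherlib 2.0.5` alone because it sits above the second branch's fix, and lists `leftover-tool` as declared but never imported. In practice the inventory comes from the lockfile or SBOM and the advisories from a feed such as OSV; the range evaluation and the unused-dependency check stay the same.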