@mgraeber-rc
Created February 8, 2021 18:58
Windows-specific MITRE ATT&CK techniques application control prevention assessment. This is a first attempt to assess the extent to which application control solutions would mitigate/prevent attack techniques. Note: this highly subjective assessment assumes a system that enforces an application control solution that at a minimum allows all Windo…
| ID | Name | MitigatedByAppControl | Notes |
|---|---|---|---|
| T1001 | Data Obfuscation | Not Applicable | Relevant sub-techniques addressed below. |
| T1001.001 | Junk Data | No | Technique is not necessarily related to the execution of arbitrary code on an endpoint. |
| T1001.002 | Steganography | Limited | If custom attacker code were necessary to perform this technique, it would be prevented. |
| T1001.003 | Protocol Impersonation | Limited | If custom attacker code were necessary to perform this technique, it would be prevented. |
| T1003 | OS Credential Dumping | Not Applicable | Relevant sub-techniques addressed below. |
| T1003.001 | LSASS Memory | Limited | Built-in utilities exist to perform this technique. They would have to be explicitly blocked. |
| T1003.002 | Security Account Manager | Limited | Built-in utilities exist to perform this technique. They would have to be explicitly blocked. |
| T1003.003 | NTDS | Limited | Built-in utilities exist to perform this technique. They would have to be explicitly blocked. |
| T1003.004 | LSA Secrets | Limited | Built-in utilities exist to perform this technique. They would have to be explicitly blocked. |
| T1003.005 | Cached Domain Credentials | Limited | Built-in utilities exist to perform this technique. They would have to be explicitly blocked. |
| T1003.006 | DCSync | Limited | Custom code used to perform this would be blocked. Otherwise, DCSync can be performed over the network. |
| T1005 | Data from Local System | Not Applicable | Technique is not necessarily related to the execution of arbitrary code on an endpoint. |
| T1006 | Direct Volume Access | Yes | In most cases, custom code is required to perform this technique. |
| T1007 | System Service Discovery | Limited | Built-in utilities exist to perform this technique. They would have to be explicitly blocked. |
| T1008 | Fallback Channels | Not Applicable | Technique is not necessarily related to the execution of arbitrary code on an endpoint. |
| T1010 | Application Window Discovery | Limited | Custom code used to perform this would be blocked. |
| T1011 | Exfiltration Over Other Network Medium | Not Applicable | Relevant sub-techniques addressed below. |
| T1011.001 | Exfiltration Over Bluetooth | Limited | Custom code used to perform this would be blocked. |
| T1012 | Query Registry | Limited | Custom code used to perform this would be blocked. |
| T1014 | Rootkit | Yes | Execution would be prevented, but with the privileges required to install a rootkit, the means to disable application control enforcement would likely exist. |
| T1016 | System Network Configuration Discovery | Limited | Custom code used to perform this would be blocked. There are many built-in utilities, however, to perform this technique. |
| T1018 | Remote System Discovery | Limited | Custom code used to perform this would be blocked. There are many built-in utilities, however, to perform this technique. |
| T1020 | Automated Exfiltration | No | Application control is not the solution to mitigate this technique. |
| T1021 | Remote Services | No | Relevant sub-techniques addressed below. |
| T1021.001 | Remote Desktop Protocol | No | Application control is not the solution to mitigate this technique, but it can serve as a mitigating prevention after an attacker has gained access using this technique. |
| T1021.002 | SMB/Windows Admin Shares | No | Application control is not the solution to mitigate this technique, but it can serve as a mitigating prevention after an attacker has gained access using this technique. |
| T1021.003 | Distributed Component Object Model | No | Application control is not the solution to mitigate this technique, but it can serve as a mitigating prevention after an attacker has gained access using this technique. |
| T1021.005 | VNC | Limited | Assuming VNC is a legitimate requirement in an organization, application control is not the solution to mitigate this technique. If not, application control would be an effective solution in preventing the usage of VNC. |
| T1021.006 | Windows Remote Management | No | Application control is not the solution to mitigate this technique, but it can serve as a mitigating prevention after an attacker has gained access using this technique. |
| T1025 | Data from Removable Media | No | Application control is not the solution to mitigate this technique. The use of custom code to perform this technique would be blocked, however. |
| T1027 | Obfuscated Files or Information | Not Applicable | Relevant sub-techniques addressed below. |
| T1027.001 | Binary Padding | No | Application control is not the solution to mitigate this technique. The use of custom code to perform this technique would be blocked, however. |
| T1027.002 | Software Packing | Yes | Approved packed software will still be permitted to run. |
| T1027.003 | Steganography | Limited | If custom attacker code were necessary to perform this technique, it would be prevented. |
| T1027.004 | Compile After Delivery | Limited | Compilation is often not related to code execution, but there may be some exceptions, and compilation utilities can be explicitly blocked if needed. |
| T1027.005 | Indicator Removal from Tools | No | Application control is not the solution to mitigate this technique. The use of custom code to perform this technique would be blocked, however. |
| T1029 | Scheduled Transfer | No | Application control is not the solution to mitigate this technique. The use of custom code to perform this technique would be blocked, however. |
| T1030 | Data Transfer Size Limits | No | Application control is not the solution to mitigate this technique. The use of custom code to perform this technique would be blocked, however. |
| T1033 | System Owner/User Discovery | Limited | Custom code used to perform this would be blocked. There are many built-in utilities, however, to perform this technique. |
| T1036 | Masquerading | Not Applicable | Relevant sub-techniques addressed below. |
| T1036.001 | Invalid Code Signature | Yes | Code with invalid signatures will not be permitted to execute. |
| T1036.002 | Right-to-Left Override | No | Application control is not the solution to mitigate this technique. The use of custom code to perform this technique would be blocked, however. |
| T1036.003 | Rename System Utilities | No | Application control is not the solution to mitigate this technique. The use of custom code to perform this technique would be blocked, however. |
| T1036.004 | Masquerade Task or Service | No | Application control is not the solution to mitigate this technique. The use of custom code to perform this technique would be blocked, however. |
| T1036.005 | Match Legitimate Name or Location | No | Application control is not the solution to mitigate this technique. The use of custom code to perform this technique would be blocked, however. |
| T1037 | Boot or Logon Initialization Scripts | Not Applicable | Relevant sub-techniques addressed below. |
| T1037.001 | Logon Script (Windows) | Limited | Application control cannot prevent the usage/abuse of this technique, but it can limit the impact by restricting what is executed. |
| T1037.003 | Network Logon Script | Limited | Application control cannot prevent the usage/abuse of this technique, but it can limit the impact by restricting what is executed. |
| T1039 | Data from Network Shared Drive | No | Application control is not the solution to mitigate this technique. The use of custom code to perform this technique would be blocked, however. |
| T1040 | Network Sniffing | No | Application control is not the solution to mitigate this technique. The use of custom code to perform this technique would be blocked, however. |
| T1041 | Exfiltration Over C2 Channel | No | Application control is not the solution to mitigate this technique. The use of custom code to perform this technique would be blocked, however. |
| T1043 | Commonly Used Port | No | Application control is not the solution to mitigate this technique. The use of custom code to perform this technique would be blocked, however. |
| T1046 | Network Service Scanning | No | Application control is not the solution to mitigate this technique. The use of custom code to perform this technique would be blocked, however. |
| T1047 | Windows Management Instrumentation | Limited | Application control cannot prevent the usage/abuse of this technique, but it can limit the impact by restricting what is executed. |
| T1048 | Exfiltration Over Alternative Protocol | Not Applicable | Relevant sub-techniques addressed below. |
| T1048.001 | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | No | Application control is not the solution to mitigate this technique. The use of custom code to perform this technique would be blocked, however. |
| T1048.002 | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | No | Application control is not the solution to mitigate this technique. The use of custom code to perform this technique would be blocked, however. |
| T1048.003 | Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol | No | Application control is not the solution to mitigate this technique. The use of custom code to perform this technique would be blocked, however. |
| T1049 | System Network Connections Discovery | Limited | Custom code used to perform this would be blocked. There are many built-in utilities, however, to perform this technique. |
| T1052 | Exfiltration Over Physical Medium | Not Applicable | Relevant sub-techniques addressed below. |
| T1052.001 | Exfiltration over USB | No | Application control is not the solution to mitigate this technique. The use of custom code to perform this technique would be blocked, however. |
| T1053 | Scheduled Task/Job | Limited | Application control cannot prevent the usage/abuse of this technique, but it can limit the impact by restricting what is executed. |
| T1053.002 | At (Windows) | Limited | Application control cannot prevent the usage/abuse of this technique, but it can limit the impact by restricting what is executed. |
| T1053.005 | Scheduled Task | Limited | Application control cannot prevent the usage/abuse of this technique, but it can limit the impact by restricting what is executed. |
| T1055 | Process Injection | Not Applicable | Relevant sub-techniques addressed below. |
| T1055.001 | Dynamic-link Library Injection | Yes | While mavinject.exe is a built-in tool to perform injection, application control would block the loading of a DLL that is not explicitly allowed in an allowlist. |
| T1055.002 | Portable Executable Injection | Yes | This technique requires arbitrary code execution to perform, so either an exploit or an app control bypass would first be required as a prerequisite. |
| T1055.003 | Thread Execution Hijacking | Yes | This technique requires arbitrary code execution to perform, so either an exploit or an app control bypass would first be required as a prerequisite. |
| T1055.004 | Asynchronous Procedure Call | Yes | This technique requires arbitrary code execution to perform, so either an exploit or an app control bypass would first be required as a prerequisite. |
| T1055.005 | Thread Local Storage | Yes | This technique requires arbitrary code execution to perform, so either an exploit or an app control bypass would first be required as a prerequisite. |
| T1055.011 | Extra Window Memory Injection | Yes | This technique requires arbitrary code execution to perform, so either an exploit or an app control bypass would first be required as a prerequisite. |
| T1055.012 | Process Hollowing | Yes | This technique requires arbitrary code execution to perform, so either an exploit or an app control bypass would first be required as a prerequisite. |
| T1055.013 | Process Doppelgänging | Yes | This technique requires arbitrary code execution to perform, so either an exploit or an app control bypass would first be required as a prerequisite. |
| T1056 | Input Capture | Not Applicable | Relevant sub-techniques addressed below. |
| T1056.001 | Keylogging | Yes | This technique requires arbitrary code execution to perform, so either an exploit or an app control bypass would first be required as a prerequisite. |
| T1056.002 | GUI Input Capture | Limited | Custom code to present an input capture box would be blocked, but built-in utilities could likely be employed to present an attacker-controlled input capture box. |
| T1056.003 | Web Portal Capture | Limited | Custom code used to perform this would be blocked. |
| T1056.004 | Credential API Hooking | Yes | This technique requires arbitrary code execution to perform, so either an exploit or an app control bypass would first be required as a prerequisite. |
| T1057 | Process Discovery | Limited | Custom code used to perform this would be blocked. There are many built-in utilities, however, that would permit process discovery. |
| T1059 | Command and Scripting Interpreter | Not Applicable | Relevant sub-techniques addressed below. |
| T1059.001 | PowerShell | Limited | App control used in conjunction with Constrained Language Mode is an extremely powerful mitigation against arbitrary PowerShell code execution, but unless PowerShell-related executables were outright blocked, execution would not be fully prevented. |
| T1059.003 | Windows Command Shell | Limited | The Windows Command Shell cannot be used to execute executables not permitted per policy, but it will execute executables allowed per policy. It would be unrealistic in most scenarios to block cmd.exe. |
| T1059.005 | Visual Basic | Yes | Executables related to script interpreters like this can be explicitly blocked. |
| T1059.006 | Python | Limited | If Python is permitted to execute per policy, there are no script enforcement mechanisms built in to the Python interpreter. |
| T1059.007 | JavaScript/JScript | Yes | Executables related to script interpreters like this can be explicitly blocked. |
| T1068 | Exploitation for Privilege Escalation | Limited | Arbitrary, unprivileged code execution is most commonly a prerequisite for this technique, so in many cases this form of exploitation would be blocked. |
| T1069 | Permission Groups Discovery | Not Applicable | Relevant sub-techniques addressed below. |
| T1069.001 | Local Groups | Limited | Built-in utilities exist to perform this technique. An effort would need to be made to enumerate these built-in utilities and determine if they could be blocked. |
| T1069.002 | Domain Groups | Limited | Built-in utilities exist to perform this technique. An effort would need to be made to enumerate these built-in utilities and determine if they could be blocked. |
| T1070 | Indicator Removal on Host | Not Applicable | Relevant sub-techniques addressed below. |
| T1070.001 | Clear Windows Event Logs | Limited | Built-in utilities exist to perform this technique. An effort would need to be made to enumerate these built-in utilities and determine if they could be blocked. |
| T1070.003 | Clear Command History | No | Little can be done to prevent file deletion. |
| T1070.004 | File Deletion | No | Little can be done to prevent file deletion. |
| T1070.005 | Network Share Connection Removal | Limited | Built-in utilities exist to perform this technique. An effort would need to be made to enumerate these built-in utilities and determine if they could be blocked. |
| T1070.006 | Timestomp | Limited | Custom code used to perform this would be blocked. Otherwise, built-in utilities can perform this technique. |
| T1071 | Application Layer Protocol | Not Applicable | Relevant sub-techniques addressed below. |
| T1071.001 | Web Protocols | No | Custom code that performs this technique would be blocked. Otherwise, this technique isn't necessarily related to endpoint code execution. |
| T1071.002 | File Transfer Protocols | No | Custom code that performs this technique would be blocked. Otherwise, this technique isn't necessarily related to endpoint code execution. |
| T1071.003 | Mail Protocols | No | Custom code that performs this technique would be blocked. Otherwise, this technique isn't necessarily related to endpoint code execution. |
| T1071.004 | DNS | No | Custom code that performs this technique would be blocked. Otherwise, this technique isn't necessarily related to endpoint code execution. |
| T1072 | Software Deployment Tools | Limited | Custom deployed executables could be prevented from executing, but it would not stop an attacker from deploying code or potentially influencing app control policies using a compromised deployment tool. |
| T1074 | Data Staged | Not Applicable | Relevant sub-techniques addressed below. |
| T1074.001 | Local Data Staging | Limited | Custom code used to perform this would be blocked. Otherwise, built-in utilities can perform this technique. |
| T1074.002 | Remote Data Staging | Limited | Custom code used to perform this would be blocked. Otherwise, built-in utilities can perform this technique. |
| T1078 | Valid Accounts | Not Applicable | Relevant sub-techniques addressed below. |
| T1078.001 | Default Accounts | No | Technique is not necessarily related to the execution of arbitrary code on an endpoint. |
| T1078.002 | Domain Accounts | No | Technique is not necessarily related to the execution of arbitrary code on an endpoint. |
| T1078.003 | Local Accounts | No | Technique is not necessarily related to the execution of arbitrary code on an endpoint. |
| T1080 | Taint Shared Content | Limited | Application control cannot prevent the usage/abuse of this technique, but it can limit the impact by restricting what is executed. |
| T1082 | System Information Discovery | Limited | Custom code used to perform this would be blocked. Otherwise, built-in utilities can perform this technique. |
| T1083 | File and Directory Discovery | Limited | Custom code used to perform this would be blocked. Otherwise, built-in utilities can perform this technique. |
| T1087 | Account Discovery | Not Applicable | Relevant sub-techniques addressed below. |
| T1087.001 | Local Account | Limited | Custom code used to perform this would be blocked. Otherwise, built-in utilities can perform this technique. |
| T1087.002 | Domain Account | Limited | Custom code used to perform this would be blocked. Otherwise, built-in utilities can perform this technique. |
| T1087.003 | Email Account | Limited | Custom code used to perform this would be blocked. Otherwise, built-in utilities can perform this technique. |
| T1090 | Proxy | Not Applicable | Relevant sub-techniques addressed below. |
| T1090.001 | Internal Proxy | Limited | Custom code used to perform this would be blocked. Otherwise, built-in utilities can perform this technique. |
| T1090.002 | External Proxy | Limited | Custom code used to perform this would be blocked. Otherwise, built-in utilities can perform this technique. |
| T1090.003 | Multi-hop Proxy | Limited | Custom code used to perform this would be blocked. Otherwise, built-in utilities can perform this technique. |
| T1090.004 | Domain Fronting | No | Technique is not necessarily related to the execution of arbitrary code on an endpoint. |
| T1091 | Replication Through Removable Media | No | Application control is not the solution to mitigate this technique, but it can serve as a mitigating prevention after an attacker has gained access using this technique. |
| T1092 | Communication Through Removable Media | No | Application control is not the solution to mitigate this technique, but it can serve as a mitigating prevention after an attacker has gained access using this technique. |
| T1095 | Non-Application Layer Protocol | No | Technique is not necessarily related to the execution of arbitrary code on an endpoint. |
| T1098 | Account Manipulation | Not Applicable | Relevant sub-techniques addressed below. |
| T1098.002 | Exchange Email Delegate Permissions | Limited | Custom code used to perform this would be blocked. Otherwise, built-in utilities can perform this technique. |
| T1102 | Web Service | Not Applicable | Relevant sub-techniques addressed below. |
| T1102.001 | Dead Drop Resolver | No | Technique is not necessarily related to the execution of arbitrary code on an endpoint. |
| T1102.002 | Bidirectional Communication | No | Technique is not necessarily related to the execution of arbitrary code on an endpoint. |
| T1102.003 | One-Way Communication | No | Technique is not necessarily related to the execution of arbitrary code on an endpoint. |
| T1104 | Multi-Stage Channels | No | Technique is not necessarily related to the execution of arbitrary code on an endpoint. |
| T1105 | Ingress Tool Transfer | No | Application control is not the solution to mitigate this technique, but it can serve as a mitigating prevention after an attacker has gained access using this technique. |
| T1106 | Native API | Yes | This technique requires arbitrary code execution to perform, so either an exploit or an app control bypass would first be required as a prerequisite. |
| T1110 | Brute Force | Not Applicable | Relevant sub-techniques addressed below. |
| T1110.001 | Password Guessing | No | Technique is not necessarily related to the execution of arbitrary code on an endpoint. |
| T1110.002 | Password Cracking | No | Technique is not necessarily related to the execution of arbitrary code on an endpoint. |
| T1110.003 | Password Spraying | No | Technique is not necessarily related to the execution of arbitrary code on an endpoint. |
| T1110.004 | Credential Stuffing | No | Technique is not necessarily related to the execution of arbitrary code on an endpoint. |
| T1111 | Two-Factor Authentication Interception | Limited | Custom code used to perform this would be blocked. |
| T1112 | Modify Registry | Limited | Custom code used to perform this would be blocked. Otherwise, built-in utilities can perform this technique. |
| T1113 | Screen Capture | Limited | Custom code used to perform this would be blocked. Otherwise, built-in utilities can perform this technique. |
| T1114 | Email Collection | Not Applicable | Relevant sub-techniques addressed below. |
| T1114.001 | Local Email Collection | No | Technique is not necessarily related to the execution of arbitrary code on an endpoint. |
| T1114.002 | Remote Email Collection | No | Technique is not necessarily related to the execution of arbitrary code on an endpoint. |
| T1114.003 | Email Forwarding Rule | No | Technique is not necessarily related to the execution of arbitrary code on an endpoint. |
| T1115 | Clipboard Data | Yes | This technique requires arbitrary code execution to perform, so either an exploit or an app control bypass would first be required as a prerequisite. |
| T1119 | Automated Collection | Limited | Custom code used to perform this would be blocked. Otherwise, built-in utilities can perform this technique. |
| T1120 | Peripheral Device Discovery | Limited | Custom code used to perform this would be blocked. Otherwise, built-in utilities can perform this technique. |
| T1123 | Audio Capture | Limited | Custom code used to perform this would be blocked. Otherwise, built-in utilities can perform this technique. |
| T1124 | System Time Discovery | Limited | Custom code used to perform this would be blocked. Otherwise, built-in utilities can perform this technique. |
| T1125 | Video Capture | Limited | Custom code used to perform this would be blocked. Otherwise, built-in utilities can perform this technique. |
| T1127 | Trusted Developer Utilities Proxy Execution | Not Applicable | Relevant sub-techniques addressed below. |
| T1127.001 | MSBuild | Yes | MSBuild binaries can be blocked per policy. This may not be possible on developer systems, however. |
| T1129 | Shared Modules | Yes | Blocked assuming DLL enforcement is present. |
| T1132 | Data Encoding | Not Applicable | Relevant sub-techniques addressed below. |
| T1132.001 | Standard Encoding | No | Technique is not necessarily related to the execution of arbitrary code on an endpoint. |
| T1132.002 | Non-Standard Encoding | No | Technique is not necessarily related to the execution of arbitrary code on an endpoint. |
| T1133 | External Remote Services | No | Technique is not necessarily related to the execution of arbitrary code on an endpoint. |
| T1134 | Access Token Manipulation | Not Applicable | Relevant sub-techniques addressed below. |
| T1134.001 | Token Impersonation/Theft | Yes | This technique requires arbitrary code execution to perform, so either an exploit or an app control bypass would first be required as a prerequisite. |
| T1134.002 | Create Process with Token | Yes | This technique requires arbitrary code execution to perform, so either an exploit or an app control bypass would first be required as a prerequisite. |
| T1134.003 | Make and Impersonate Token | Yes | This technique requires arbitrary code execution to perform, so either an exploit or an app control bypass would first be required as a prerequisite. |
| T1134.004 | Parent PID Spoofing | Yes | This technique requires arbitrary code execution to perform, so either an exploit or an app control bypass would first be required as a prerequisite. |
| T1134.005 | SID-History Injection | No | Technique is not necessarily related to the execution of arbitrary code on an endpoint. |
| T1135 | Network Share Discovery | Limited | Custom code used to perform this would be blocked. Otherwise, built-in utilities can perform this technique. |
| T1136 | Create Account | Not Applicable | Relevant sub-techniques addressed below. |
| T1136.001 | Local Account | Limited | Custom code used to perform this would be blocked. Otherwise, built-in utilities can perform this technique. |
| T1136.002 | Domain Account | Limited | Custom code used to perform this would be blocked. Otherwise, built-in utilities can perform this technique. |
| T1137 | Office Application Startup | Not Applicable | Relevant sub-techniques addressed below. |
| T1137.001 | Office Template Macros | No | Assuming macros are permitted to execute, application control solutions do not have insight into their execution. |
| T1137.002 | Office Test | Yes | Blocked assuming DLL enforcement is present. |
| T1137.003 | Outlook Forms | No | Technique is not necessarily related to the execution of arbitrary code on an endpoint. |
| T1137.004 | Outlook Home Page | No | Technique is not necessarily related to the execution of arbitrary code on an endpoint. |
| T1137.005 | Outlook Rules | No | Application control is not the solution to mitigate this technique, but it can serve as a mitigating prevention after an attacker has gained access using this technique. |
| T1137.006 | Add-ins | Yes | Blocked assuming DLL enforcement is present. |
| T1140 | Deobfuscate/Decode Files or Information | Limited | Custom code used to perform this would be blocked. Otherwise, built-in utilities can perform this technique. |
| T1176 | Browser Extensions | No | Application control does not have insight into controlling the execution of browser extensions. |
| T1185 | Man in the Browser | No | This technique is not addressed by application control. |
| T1187 | Forced Authentication | No | This technique is not addressed by application control. |
| T1189 | Drive-by Compromise | Limited | If the download and execution of attacker executable/script code is the vector, then application control can prevent further compromise. |
| T1190 | Exploit Public-Facing Application | No | This technique is not addressed by application control. |
| T1195 | Supply Chain Compromise | Not Applicable | Relevant sub-techniques addressed below. |
| T1195.001 | Compromise Software Dependencies and Development Tools | No | This technique is not addressed by application control. |
| T1195.002 | Compromise Software Supply Chain | Limited | Application control could only mitigate insofar as preventing the execution of malicious software that is not signed with a trusted certificate. |
| T1195.003 | Compromise Hardware Supply Chain | No | This technique is not addressed by application control. |
| T1197 | BITS Jobs | Limited | Custom code used to perform this would be blocked. Otherwise, built-in utilities can perform this technique. |
| T1199 | Trusted Relationship | No | This technique is not addressed by application control. |
| T1200 | Hardware Additions | Limited | Application control that can block the loading of device drivers can be an effective mitigation against full weaponization of aspects of this technique. |
| T1201 | Password Policy Discovery | Limited | Custom code used to perform this would be blocked. Otherwise, built-in utilities can perform this technique. |
| T1202 | Indirect Command Execution | Limited | Built-in utilities are abused to take advantage of this technique, so they would have to be blocked accordingly. |
| T1203 | Exploitation for Client Execution | No | This technique is not addressed by application control. |
| T1204 | User Execution | Not Applicable | Relevant sub-techniques addressed below. |
| T1204.001 | Malicious Link | Limited | Assuming the target of the link attempts to execute something not permitted per policy, application control is a highly effective solution. Application control will not prevent the execution of an attempted exploit of a software vulnerability. |
| T1204.002 | Malicious File | Limited | The attempted execution of any PE or script can be prevented from execution. Delivery of an Office macro, however, as an example, is not applicable to application control and is mitigated by other controls. |
| T1205 | Traffic Signaling | Not Applicable | Relevant sub-techniques addressed below. |
| T1205.001 | Port Knocking | No | This technique is not addressed by application control. |
| T1207 | Rogue Domain Controller | No | This technique is not addressed by application control. |
| T1210 | Exploitation of Remote Services | No | This technique is not addressed by application control. |
| T1211 | Exploitation for Defense Evasion | No | This technique is not addressed by application control. |
| T1212 | Exploitation for Credential Access | No | This technique is not addressed by application control. |
| T1213 | Data from Information Repositories | Not Applicable | Relevant sub-techniques addressed below. |
| T1213.002 | Sharepoint | No | This technique is not addressed by application control. |
| T1216 | Signed Script Proxy Execution | Not Applicable | Relevant sub-techniques addressed below. |
| T1216.001 | PubPrn | Limited | Execution of scripts can only be blocked by hash. While known hashes can be blocked, older, vulnerable versions can still execute by modifying the file contents without invalidating the signature. |
| T1217 | Browser Bookmark Discovery | Limited | Custom code used to perform this would be blocked. Otherwise, built-in utilities can perform this technique. |
| T1218 | Signed Binary Proxy Execution | Not Applicable | Relevant sub-techniques addressed below. |
| T1218.001 | Compiled HTML File | Yes | Associated executables can be blocked. |
| T1218.002 | Control Panel | Yes | Control panel extensions are PE files and are implicitly blocked if not explicitly allowed, assuming DLL enforcement. |
| T1218.003 | CMSTP | Yes | Associated executables can be blocked. |
| T1218.004 | InstallUtil | Yes | This technique is used to load .NET assemblies. Those loads would be blocked by application control, assuming DLL enforcement. |
| T1218.005 | Mshta | Yes | Associated executables can be blocked. When Windows Defender Application Control is enforced, all HTA execution is automatically blocked. |
| T1218.007 | Msiexec | Yes | Associated executables can be blocked, and some application control solutions can allow/block MSIs. |
| T1218.008 | Odbcconf | Yes | Blocked assuming DLL enforcement. |
| T1218.009 | Regsvcs/Regasm | Yes | Blocked assuming DLL enforcement. |
| T1218.010 | Regsvr32 | Yes | Blocked assuming DLL enforcement. |
| T1218.011 | Rundll32 | Yes | Blocked assuming DLL enforcement. |
| T1218.012 | Verclsid | Yes | Associated executables can be blocked. |
| T1219 | Remote Access Software | Limited | Would be blocked only if unapproved software is utilized to leverage the technique. Otherwise, application control cannot mitigate this technique against approved software. |
| T1220 | XSL Script Processing | Limited | Associated executables can be blocked, but there may be unknown utilities that process XSL that defenders may be unaware of. |
| T1221 | Template Injection | No | This technique is not addressed by application control. |
| T1222 | File and Directory Permissions Modification | Not Applicable | Relevant sub-techniques addressed below. |
| T1222.001 | Windows File and Directory Permissions Modification | No | This technique is not addressed by application control. Some built-in executables could potentially be blocked. |
| T1480 | Execution Guardrails | Not Applicable | Relevant sub-techniques addressed below. |
| T1480.001 | Environmental Keying | Limited | Custom code used to perform this would be blocked. Otherwise, built-in utilities could potentially be used to perform this technique. |
| T1482 | Domain Trust Discovery | Limited | Custom code used to perform this would be blocked. Otherwise, built-in utilities can perform this technique. |
| T1484 | Domain Policy Modification | Not Applicable | Relevant sub-techniques addressed below. |
| T1484.001 | Group Policy Modification | No | Custom code that performs this technique would be blocked. Otherwise, this technique isn't necessarily related to endpoint code execution. |
| T1484.002 | Domain Trust Modification | No | This technique is not addressed by application control. |
| T1485 | Data Destruction | Limited | Custom code used to perform this would be blocked. Otherwise, built-in utilities can perform this technique. |
| T1486 | Data Encrypted for Impact | Limited | Custom code used to perform this would be blocked. Otherwise, built-in utilities can perform this technique. |
| T1489 | Service Stop | Limited | Custom code used to perform this would be blocked. Otherwise, built-in utilities can perform this technique. |
| T1490 | Inhibit System Recovery | Limited | Custom code used to perform this would be blocked. Otherwise, built-in utilities can perform this technique. |
| T1491 | Defacement | Not Applicable | Relevant sub-techniques addressed below. |
| T1491.001 | Internal Defacement | No | Custom code that performs this technique would be blocked. Otherwise, this technique isn't necessarily related to endpoint code execution. |
| T1491.002 | External Defacement | No | This technique is not addressed by application control. |
| T1495 | Firmware Corruption | No | This technique is not addressed by application control. |
| T1496 | Resource Hijacking | Yes | Custom code used to perform this would be blocked. |
| T1497 | Virtualization/Sandbox Evasion | Not Applicable | Relevant sub-techniques addressed below. |
| T1497.001 | System Checks | Limited | Custom code used to perform this would be blocked. Otherwise, built-in utilities can perform this technique. |
| T1497.002 | User Activity Based Checks | Limited | Custom code used to perform this would be blocked. Otherwise, built-in utilities can perform this technique. |
| T1497.003 | Time Based Evasion | Limited | Custom code used to perform this would be blocked. Otherwise, built-in utilities can perform this technique. |
| T1498 | Network Denial of Service | Not Applicable | Relevant sub-techniques addressed below. |
| T1498.001 | Direct Network Flood | No | This technique is not addressed by application control. |
| T1498.002 | Reflection Amplification | No | This technique is not addressed by application control. |
| T1499 | Endpoint Denial of Service | Not Applicable | Relevant sub-techniques addressed below. |
| T1499.001 | OS Exhaustion Flood | No | This technique is not addressed by application control. |
| T1499.002 | Service Exhaustion Flood | No | This technique is not addressed by application control. |
T1499.003 Application Exhaustion Flood No This technique is not addressed by application control.
T1499.004 Application or System Exploitation No This technique is not addressed by application control.
T1505 Server Software Component Not Applicable Relevant sub-techniques addressed below
T1505.001 SQL Stored Procedures Limited Custom code used to perform this would be blocked. Otherwise, built-in utilities can perform this technique.
T1505.002 Transport Agent Yes Custom code used to perform this would be blocked.
T1505.003 Web Shell Limited Whether or not application control could offer any mitigation is dependent on the server implementation.
T1518 Software Discovery Not Applicable Relevant sub-techniques addressed below
T1518.001 Security Software Discovery Limited Custom code used to perform this would be blocked. Otherwise, built-in utilities can perform this technique.
T1529 System Shutdown/Reboot Limited Custom code used to perform this would be blocked. Otherwise, built-in utilities can perform this technique.
T1531 Account Access Removal No Custom code that performs this technique would be blocked. Otherwise, this technique isn't addressed by application control.
T1534 Internal Spearphishing No This technique is not addressed by application control.
T1539 Steal Web Session Cookie No Custom code that performs this technique would be blocked. Otherwise, this technique isn't addressed by application control.
T1542 Pre-OS Boot Not Applicable Relevant sub-techniques addressed below
T1542.001 System Firmware No This technique is not addressed by application control.
T1542.002 Component Firmware No This technique is not addressed by application control.
T1542.003 Bootkit No This technique is not addressed by application control.
T1543 Create or Modify System Process Not Applicable Relevant sub-techniques addressed below
T1543.003 Windows Service Limited Custom code used to perform this would be blocked. Otherwise, built-in utilities can perform this technique.
T1546 Event Triggered Execution Not Applicable Relevant sub-techniques addressed below
T1546.001 Change Default File Association Limited Custom code used to perform this would be blocked. Otherwise, built-in utilities can perform this technique.
T1546.002 Screensaver No This technique is not addressed by application control.
T1546.003 Windows Management Instrumentation Event Subscription Limited Custom code used to perform this would be blocked. Otherwise, built-in utilities can perform this technique.
T1546.007 Netsh Helper DLL Yes Blocked assuming DLL enforcement
T1546.008 Accessibility Features Limited Custom code used to perform this would be blocked. Otherwise, built-in utilities can perform this technique.
T1546.009 AppCert DLLs Yes Blocked assuming DLL enforcement
T1546.010 AppInit DLLs Yes Blocked assuming DLL enforcement
T1546.011 Application Shimming Limited Assuming DLL enforcement, application shims designed to load a DLL would be blocked.
T1546.012 Image File Execution Options Injection Limited Custom code used to perform this would be blocked. Otherwise, built-in utilities can perform this technique.
T1546.013 PowerShell Profile Limited Under application control enforcement (assuming Constrained Language mode enforcement), the execution of profiles is restricted but not prevented.
T1546.015 Component Object Model Hijacking Limited Custom code used to perform this would be blocked. Otherwise, attackers can hijack COM registrations, pointing them to approved COM classes to abuse.
T1547 Boot or Logon Autostart Execution Not Applicable Relevant sub-techniques addressed below
T1547.001 Registry Run Keys / Startup Folder No Custom code that performs this technique would be blocked. Otherwise, this technique isn't addressed by application control.
T1547.002 Authentication Package Yes Blocked assuming DLL enforcement
T1547.003 Time Providers Yes Blocked assuming DLL enforcement
T1547.004 Winlogon Helper DLL Yes Blocked assuming DLL enforcement
T1547.005 Security Support Provider Yes Blocked assuming DLL enforcement
T1547.008 LSASS Driver Yes Blocked assuming DLL enforcement
T1547.009 Shortcut Modification No Custom code that performs this technique would be blocked. Otherwise, this technique isn't addressed by application control.
T1547.010 Port Monitors Yes Blocked assuming DLL enforcement
T1547.012 Print Processors Yes Blocked assuming DLL enforcement
T1548 Abuse Elevation Control Mechanism Not Applicable Relevant sub-techniques addressed below
T1548.002 Bypass User Account Control Limited Custom code used to perform this would be blocked. Otherwise, built-in utilities can perform this technique.
T1550 Use Alternate Authentication Material Not Applicable Relevant sub-techniques addressed below
T1550.002 Pass the Hash No This technique is not addressed by application control.
T1550.003 Pass the Ticket No This technique is not addressed by application control.
T1552 Unsecured Credentials Not Applicable Relevant sub-techniques addressed below
T1552.001 Credentials In Files No This technique is not addressed by application control.
T1552.002 Credentials in Registry No This technique is not addressed by application control.
T1552.004 Private Keys No This technique is not addressed by application control.
T1552.006 Group Policy Preferences No This technique is not addressed by application control.
T1553 Subvert Trust Controls Not Applicable Relevant sub-techniques addressed below
T1553.002 Code Signing Limited Any executable that is signed using a certificate not explicitly approved would be blocked. Application control cannot prevent the execution of code signed with a stolen certificate where that certificate is approved for execution.
T1553.003 SIP and Trust Provider Hijacking Limited Custom code used to perform this would be blocked. Otherwise, built-in, approved DLLs can be used to subvert trust.
T1553.004 Install Root Certificate No This technique is not addressed by application control.
T1554 Compromise Client Software Binary No It is assumed that these binaries were already approved to execute.
T1555 Credentials from Password Stores Not Applicable Relevant sub-techniques addressed below
T1555.003 Credentials from Web Browsers Limited Custom code used to perform this would be blocked. Otherwise, built-in utilities can perform this technique.
T1556 Modify Authentication Process Not Applicable Relevant sub-techniques addressed below
T1556.001 Domain Controller Authentication Yes Custom code used to perform this would be blocked.
T1556.002 Password Filter DLL Yes Blocked assuming DLL enforcement
T1557 Man-in-the-Middle Not Applicable Relevant sub-techniques addressed below
T1557.001 LLMNR/NBT-NS Poisoning and SMB Relay No This technique is not addressed by application control.
T1557.002 ARP Cache Poisoning No This technique is not addressed by application control.
T1558 Steal or Forge Kerberos Tickets Not Applicable Relevant sub-techniques addressed below
T1558.001 Golden Ticket No This technique is not addressed by application control.
T1558.002 Silver Ticket No This technique is not addressed by application control.
T1558.003 Kerberoasting No This technique is not addressed by application control.
T1558.004 AS-REP Roasting No This technique is not addressed by application control.
T1559 Inter-Process Communication Not Applicable Relevant sub-techniques addressed below
T1559.001 Component Object Model Limited Custom code used to perform this would be blocked. Otherwise, built-in COM components can be abused and would need to be blocked accordingly.
T1559.002 Dynamic Data Exchange No This technique is not addressed by application control.
T1560 Archive Collected Data Not Applicable Relevant sub-techniques addressed below
T1560.001 Archive via Utility Limited Custom code used to perform this would be blocked. Otherwise, built-in utilities can perform this technique.
T1560.002 Archive via Library Limited Custom code used to perform this would be blocked. Otherwise, built-in utilities can perform this technique.
T1560.003 Archive via Custom Method Limited Custom code used to perform this would be blocked. Otherwise, built-in utilities can perform this technique.
T1561 Disk Wipe Not Applicable Relevant sub-techniques addressed below
T1561.001 Disk Content Wipe Limited Custom code used to perform this would be blocked. Otherwise, built-in utilities can perform this technique.
T1561.002 Disk Structure Wipe Limited Custom code used to perform this would be blocked. Otherwise, built-in utilities can perform this technique.
T1562 Impair Defenses Not Applicable Relevant sub-techniques addressed below
T1562.001 Disable or Modify Tools Limited Custom code used to perform this would be blocked. Otherwise, built-in utilities can perform this technique.
T1562.002 Disable Windows Event Logging Limited Custom code used to perform this would be blocked. Otherwise, built-in utilities can perform this technique.
T1562.003 Impair Command History Logging Limited Custom code used to perform this would be blocked. Otherwise, built-in utilities can perform this technique.
T1562.004 Disable or Modify System Firewall Limited Custom code used to perform this would be blocked. Otherwise, built-in utilities can perform this technique.
T1562.006 Indicator Blocking Limited Custom code used to perform this would be blocked. Otherwise, built-in utilities can perform this technique.
T1563 Remote Service Session Hijacking Not Applicable Relevant sub-techniques addressed below
T1563.002 RDP Hijacking Limited This relies on built-in functionality. tscon.exe could be explicitly blocked if it were reasonable to do so.
T1564 Hide Artifacts Not Applicable Relevant sub-techniques addressed below
T1564.001 Hidden Files and Directories No This technique is not addressed by application control.
T1564.003 Hidden Window No This technique is not addressed by application control.
T1564.004 NTFS File Attributes No This technique is not addressed by application control.
T1564.005 Hidden File System No This technique is not addressed by application control.
T1564.006 Run Virtual Instance Limited If virtualization software is not required, it can be blocked in policy.
T1564.007 VBA Stomping No This technique is not addressed by application control.
T1565 Data Manipulation Not Applicable Relevant sub-techniques addressed below
T1565.001 Stored Data Manipulation Limited Custom code used to perform this would be blocked. Otherwise, built-in utilities can perform this technique.
T1565.002 Transmitted Data Manipulation No This technique is not addressed by application control.
T1565.003 Runtime Data Manipulation Limited Custom code used to perform this would be blocked.
T1566 Phishing Not Applicable Relevant sub-techniques addressed below
T1566.001 Spearphishing Attachment Limited Attachments within the scope of application control (e.g. PEs, scripts, etc.) would be blocked.
T1566.002 Spearphishing Link No This technique is not addressed by application control.
T1566.003 Spearphishing via Service No This technique is not addressed by application control.
T1567 Exfiltration Over Web Service Not Applicable Relevant sub-techniques addressed below
T1567.001 Exfiltration to Code Repository Limited Custom code used to perform this would be blocked. Otherwise, built-in utilities can perform this technique.
T1567.002 Exfiltration to Cloud Storage Limited Custom code used to perform this would be blocked. Otherwise, built-in utilities can perform this technique.
T1568 Dynamic Resolution Not Applicable Relevant sub-techniques addressed below
T1568.001 Fast Flux DNS No This technique is not addressed by application control.
T1568.002 Domain Generation Algorithms No This technique is not addressed by application control.
T1568.003 DNS Calculation No This technique is not addressed by application control.
T1569 System Services Not Applicable Relevant sub-techniques addressed below
T1569.002 Service Execution Yes Service executables not approved per policy would be prevented from executing.
T1570 Lateral Tool Transfer Limited Custom code used to perform this would be blocked. Otherwise, built-in utilities can perform this technique.
T1571 Non-Standard Port No This technique is not addressed by application control.
T1572 Protocol Tunneling Limited Custom code used to perform this would be blocked. Otherwise, built-in utilities can perform this technique.
T1573 Encrypted Channel Not Applicable Relevant sub-techniques addressed below
T1573.001 Symmetric Cryptography No This technique is not addressed by application control.
T1573.002 Asymmetric Cryptography No This technique is not addressed by application control.
T1574 Hijack Execution Flow Not Applicable Relevant sub-techniques addressed below
T1574.001 DLL Search Order Hijacking Yes Blocked assuming DLL enforcement
T1574.002 DLL Side-Loading Yes Blocked assuming DLL enforcement
T1574.005 Executable Installer File Permissions Weakness Limited Custom code used to perform this would be blocked. Otherwise, built-in utilities can perform this technique.
T1574.007 Path Interception by PATH Environment Variable Limited Custom code used to perform this would be blocked. Otherwise, built-in utilities can perform this technique.
T1574.008 Path Interception by Search Order Hijacking Limited Custom code used to perform this would be blocked. Otherwise, built-in utilities can perform this technique.
T1574.009 Path Interception by Unquoted Path Limited Custom code used to perform this would be blocked. Otherwise, built-in utilities can perform this technique.
T1574.010 Services File Permissions Weakness No This technique is not addressed by application control.
T1574.011 Services Registry Permissions Weakness No This technique is not addressed by application control.
T1574.012 COR_PROFILER Yes Blocked assuming DLL enforcement
T1606 Forge Web Credentials Not Applicable Relevant sub-techniques addressed below
T1606.001 Web Cookies No This technique is not addressed by application control.
T1606.002 SAML Tokens No This technique is not addressed by application control.