Limit Software Installation
Prevent users or groups from installing unauthorized or unapproved software to reduce the risk of introducing malicious or vulnerable applications. This can be achieved through allowlists, software restriction policies, endpoint management tools, and least privilege access principles. This mitigation can be implemented through the following measures:
Application Whitelisting
- Implement Microsoft AppLocker or Windows Defender Application Control (WDAC) to create and enforce allowlists for approved software.
- Whitelist applications based on file hash, path, or digital signatures.
Restrict User Permissions
- Remove local administrator rights for all non-IT users.
- Use Role-Based Access Control (RBAC) to restrict installation permissions to privileged accounts only.
Software Restriction Policies (SRP)
- Use GPO to configure SRP to deny execution of binaries from directories such as
%AppData%,%Temp%, and external drives. - Restrict specific file types (
.exe,.bat,.msi,.js,.vbs) to trusted directories only.
Endpoint Management Solutions
- Deploy tools like Microsoft Intune, SCCM, or Jamf for centralized software management.
- Maintain a list of approved software, versions, and updates across the enterprise.
Monitor Software Installation Events
- Enable logging of software installation events and monitor Windows Event ID 4688 and Event ID 11707 for software installs.
- Use SIEM or EDR tools to alert on attempts to install unapproved software.
Implement Software Inventory Management
- Use tools like OSQuery or Wazuh to scan for unauthorized software on endpoints and servers.
- Conduct regular audits to detect and remove unapproved software.
Tools for Implementation
Application Whitelisting:
- Microsoft AppLocker
- Windows Defender Application Control (WDAC)
Endpoint Management:
- Microsoft Intune
- SCCM (System Center Configuration Manager)
- Jamf Pro (macOS)
- Puppet or Ansible for automation
Software Restriction Policies:
- Group Policy Object (GPO)
- Microsoft Software Restriction Policies (SRP)
Monitoring and Logging:
- Splunk
- OSQuery
- Wazuh (open-source SIEM and XDR)
- EDRs
Inventory Management and Auditing:
- OSQuery
- Wazuh
Techniques Addressed by Mitigation
| Domain | ID | Name | Use | |
|---|---|---|---|---|
| Enterprise | T1547 | .013 | Boot or Logon Autostart Execution: XDG Autostart Entries |
Restrict software installation to trusted repositories only and be cautious of orphaned software packages. |
| Enterprise | T1059 | Command and Scripting Interpreter |
Prevent user installation of unrequired command and scripting interpreters. |
|
| .006 | Python |
Prevent users from installing Python where not required. |
||
| .011 | Lua |
Prevent users from installing Lua where not required. |
||
| Enterprise | T1543 | Create or Modify System Process |
Restrict software installation to trusted repositories only and be cautious of orphaned software packages. |
|
| .002 | Systemd Service |
Restrict software installation to trusted repositories only and be cautious of orphaned software packages. |
||
| Enterprise | T1564 | Hide Artifacts |
Restrict the installation of software that may be abused to create hidden desktops, such as hVNC, to user groups that require it. |
|
| .003 | Hidden Window |
Restrict the installation of software that may be abused to create hidden desktops, such as hVNC, to user groups that require it. |
||
| Enterprise | T1021 | .005 | Remote Services: VNC |
Restrict software installation to user groups that require it. A VNC server must be manually installed by the user or adversary. |
| Enterprise | T1072 | Software Deployment Tools |
Restrict the use of third-party software suites installed within an enterprise network. |
|
| Enterprise | T1176 | Software Extensions |
Only install extensions from trusted sources that can be verified. |
|
| .001 | Browser Extensions |
Only install browser extensions from trusted sources that can be verified. Browser extensions for some browsers can be controlled through Group Policy. Change settings to prevent the browser from installing extensions without sufficient permissions. |
||
| .002 | IDE Extensions |
Only install IDE extensions from trusted sources that can be verified. |
||
| Enterprise | T1195 | Supply Chain Compromise |
Where possible, consider requiring developers to pull from internal repositories containing verified and approved packages rather than from external ones.[1] |
|
| .001 | Compromise Software Dependencies and Development Tools |
Where possible, consider requiring developers to pull from internal repositories containing verified and approved packages rather than from external ones.[1] |
||