Step 2 of 3: Add Additional Countermeasures

Add Countermeasures to your Playbook, in addition to those provided by Technique mappings.

152 Countermeasures

- Disable Server Message Block (SMB) Protocol (CM0001)
- Enable Email Attachment Filtering and Message Authentication (CM0002)
- Configure File and Directory Permissions (CM0003)
- Enable Windows Defender Exploit Guard (WDEG) Attack Surface Reduction (ASR) Rules (CM0004)
- Monitor or Block Microsoft HTML Application (MSHTA) Utility or Restrict HTML Application (HTA) Network Access (CM0005)
- Disable and Monitor Regasm.exe and Regsvcs.exe Utilities (CM0006)
- Disable and Monitor Verclsid.exe System Binary (CM0007)
- Block or Monitor Mavinject.exe Utility (CM0008)
- Update Domain Name Service (DNS) Deny List (CM0009)
- Enable Internet Protocol (IP) Address Allowlists (CM0010)
- Enable Domain Name System (DNS) Sinkhole (CM0011)
- Disable or Restrict Distributed Component Object Model (DCOM) Protocol (CM0012)
- Block Windows Management Instrumentation (WMI) Service (CM0013)
- Disable Cisco Smart Install Feature (CM0014)
- Block Default Screensaver Programs and Monitor SCR Executable Files (CM0015)
- Remove Suspicious Property List (PLIST) Files (CM0016)
- Enable Port Filtering on Host-based Firewalls (CM0017)
- Enable Active Directory (AD) Protected Users Security Group (CM0018)
- Disable or Restrict Windows Remote Management (WinRM) Protocol (CM0019)
- Disable Virtual Network Computing (VNC) Desktop-sharing System (CM0020)
- Enable Behavioral and Heuristic-based Malware Detection (CM0021)
- Quarantine Suspicious Files (CM0022)
- Identify and Terminate Suspicious Processes (CM0023)
- Disconnect Internet-facing Boundary Controllers (CM0024)
- Disable Remote Desktop Protocol (RDP) (CM0025)
- Reboot Servers (CM0026)
- Rebuild Compromised Host (CM0027)
- Reset Service Account Passwords (CM0028)
- Reset NT Hashes for Smart Card-enabled Accounts (CM0029)
- Remove Known Malware (CM0030)
- Monitor PowerShell Program (CM0031)
- Revoke and Regenerate SSH Keys (CM0032)
- Reset User Account Passwords (CM0033)
- Identify and Block Suspicious Hosts (CM0034)
- Configure Uniform Resource Locator (URL) Filtering (CM0035)
- Identify and Monitor Remote Access Tools (CM0036)
- Enable Geolocation-based Traffic Filtering (CM0037)
- Remove Windows Management Instrumentation (WMI) Event Subscription (CM0038)
- Monitor Windows Management Instrumentation (WMI) Events (CM0039)
- Clear Workstation and Server Domain Name Server (DNS) Caches (CM0040)
- Disable Service Account Interactive Login (CM0041)
- Restrict Remote Desktop Protocol (RDP) (CM0042)
- Monitor Permissions for User, Service, and Administrator Accounts (CM0043)
- Monitor Account Creation and Permission Changes (CM0044)
- Disable or Monitor Execution of WMIC.exe (CM0045)
- Block Execution of Compiled HTML (CHM) Files (CM0046)
- Block High-risk File Types at Web Gateway (CM0047)
- Disable Hyper-V (CM0048)
- Disable or Monitor Executables with SUID and SGID Bits Set (CM0049)
- Reset Kerberos Ticket Granting Ticket (KRBTGT) Password Twice (CM0050)
- Disable Bluetooth (CM0051)
- Disable NetBIOS Service (CM0052)
- Disable Link-Local Multicast Name Resolution (LLMNR) Service (CM0053)
- Block or Restrict Removable Media (CM0054)
- Implement SPF, DKIM, and DMARC Email Authentication Methods (CM0055)
- Disable Visual Basic for Applications (VBA) Macros (CM0056)
- Verify Signing of AppleScripts (CM0057)
- Detect and Block Execution of Vulnerable Drivers (CM0058)
- Configure Tactical Privileged Access Workstation (CM0059)
- Restrict and Monitor Domain Accounts with Local Administrator Access to Workstations (CM0060)
- Rotate Mailbox Passwords (CM0061)
- Monitor or Block Server Message Block (SMB) Protocol (CM0062)
- Investigate Suspicious Login Attempts (CM0063)
- Investigate Account Manipulation (CM0064)
- Isolate Endpoints from Network (CM0065)
- Update Firmware (CM0066)
- Install Critical Software Security Updates (CM0067)
- Audit and Restrict Exchange ApplicationImpersonation Role (CM0068)
- Reset Directory Services Restore Mode (DSRM) Account Passwords on Domain Controllers (CM0069)
- Reset Domain Controller (DC) Machine Account Password (CM0070)
- Unenroll Suspicious Multifactor Authentication (MFA) Device from Microsoft User Account (CM0071)
- Disable Credential Caching (CM0072)
- Rotate Active Directory Federation Services (AD FS) Certificates (CM0073)
- Audit and Restrict Mailbox Permissions (CM0074)
- Implement Access Restrictions on Cloud Storage Objects (CM0075)
- Remove Adversary Certificates and Rotate Secrets for Applications and Service Principals (CM0076)
- Revoke Microsoft 365 Refresh Tokens (CM0077)
- Disable or Monitor Windows Script Host (WSH) Administration Tool (CM0078)
- Reset Active Directory Services (AD DS) Connector Account Password (CM0079)
- Block and Reissue Tokens (CM0080)
- Rebuild Citrix NetScaler Appliances (CM0081)
- Identify and Remove Suspicious Email Forwarding Rules (CM0082)
- Rotate Application Programming Interface (API) Keys (CM0083)
- Restrict Accounts with Privileged Active Directory (AD) Access from Logging into Endpoints (CM0084)
- Audit Group Policy Objects (GPOs) in Active Directory (AD) (CM0085)
- Reboot Workstations (CM0086)
- Disable Credential Caching in the WDigest Authentication Protocol (CM0087)
- Enable Credential Guard (CM0088)
- Enable Local Security Authority (LSA) Protections (CM0089)
- Detect Attempts to Access Local Security Authority Subsystem Service (LSASS) Process (CM0090)
- Prevent and Detect System Binary Proxy Execution (CM0091)
- Reset Entra Seamless Sign-on Account Password (CM0092)
- Prevent and Detect Network Traffic to/from The Onion Router (Tor) Exit Nodes (CM0093)
- Restrict Domain Admin User Rights and Monitor Protected Users on Workstations (CM0094)
- Detect Attempts to Modify or Disable Defender from the Command Line (CM0095)
- Prevent and Detect Attempts to Copy NT Directory Services Database Information Table (NTDS.dit) (CM0096)
- Detect Attempts to Delete Shadow Copies (CM0097)
- Enable Extended Protection for Authentication (EPA) (CM0098)
- Remove/Rotate Kubernetes Service Account Token (CM0099)
- Restrict and Monitor Remote Procedure Calls (RPC) (CM0100)
- Block Applications in Writable Locations using AppLocker (CM0101)
- Remove Cached Domain Credentials From Workstation (CM0102)
- Deny Logon as a Batch Job (CM0103)
- Enable Interactive Logon and Require Smart Card Policy for Privileged User Accounts (CM0104)
- Remove Malicious Enterprise Applications and Service Account Principals (CM0105)
- Eliminate Web Shells (CM0106)
- Restore SYSVOL Content in AD Domains (CM0107)
- Detect Rogue Virtual Machines (CM0108)
- Audit and Restrict Cron Daemon (CM0109)
- Detect Anti-Malware Scan Interface (AMSI) Bypass Attempts (CM0110)
- Enable Multiple Administrative Approval (MAA) for Access Policies (CM0111)
- Remove Extraneous and Stale Accounts (CM0112)
- Disable Microsoft Office Add-ins (CM0113)
- Enable Microsoft Conditional Access Policy Templates (CM0114)
- Block Untrusted and Unsigned Processes that Run from USB (CM0115)
- Restrict Visual Basic for Applications (VBA) Macros (CM0116)
- Disable or Monitor Connection Manager Profile Installer (CMSTP.exe) (CM0117)
- Revoke Existing Administrator Permissions and Deploy New Administrator Accounts (CM0118)
- Disable Autoplay (CM0119)
- Remove Cron Job (CM0120)
- Enable Managed Domain Authentication (CM0121)
- Restrict SYSVOL Credential Theft (CM0122)
- Remove Malicious Domain Trust from Tenant (CM0123)
- Disable On-Premise Active Directory (AD) Accounts with Privileged Roles in Entra ID (CM0124)
- Reset and Monitor adminCount Attribute (CM0125)
- Reset Credentials for Local Administrator Accounts Twice (CM0126)
- Disable Microsoft XML Core Services (MSXSL.exe) (CM0127)
- Reset Credentials for Global and Domain Administrator Accounts Twice (CM0128)
- Eliminate Hidden Registry Keys (CM0129)
- Disable or Restrict Microsoft Build Engine (MSBuild.exe) (CM0130)
- Disable or Restrict Microsoft Management Console (MMC.exe) (CM0131)
- Disable or Restrict InstallUtil (CM0132)
- Reset Access Control Lists to Default Values (CM0133)
- Audit Federated Systems Trust Settings (CM0134)
- Rebuild Group Managed Service Accounts (gMSA) (CM0135)
- Configure and Invalidate Relative ID (RID) Pools (CM0136)
- Remove Global Catalog from Domain Controller (CM0137)
- Audit and Remove Malicious Udev Rules (CM0138)
- Rebuild Active Directory (AD) Connect Server (CM0139)
- Configure Windows Audit Policy (CM0140)
- Audit and Restrict PsExec (CM0141)
- Enable LDAP Signing and Channel Binding (CM0142)
- Audit and Configure PI Web API (CM0143)
- Audit SYSVOL for Vulnerable Group Policy Preferences (CM0144)
- Reset Interdomain Trust Account (ITA) Credentials (CM0145)
- Configure Flexible Single Master Operations (FSMO) Roles (CM0146)
- Remove Suspicious Scheduled Tasks (CM0147)
- Disable Cisco Open NX-OS Guest Shell (CM0148)
- Temporarily Disable Cisco Open NX-OS Guest Shell (CM0149)
- Implement Complex Password Policy for Cisco Devices (CM0153)
- Audit and Restrict Cisco CLI Privileges (CM0156)
- Disable Unauthorized Open Ports (CM0157)
