Playbook steps: 1. Add ATT&CK Techniques; 2. Add Additional Countermeasures; 3. Review Playbook
Step 2 of 3: Add Additional Countermeasures
Add Countermeasures (in addition to those provided by Technique mappings) to your Playbook.
152 Countermeasures (IDs CM0001 through CM0157; not every ID in that range appears in the list)
Disable Server Message Block (SMB) Protocol (CM0001)
Enable Email Attachment Filtering and Message Authentication (CM0002)
Configure File and Directory Permissions (CM0003)
Enable Windows Defender Exploit Guard (WDEG) Attack Surface Reduction (ASR) Rules (CM0004)
Monitor or Block Microsoft HTML Application (MSHTA) Utility or Restrict HTML Application (HTA) Network Access (CM0005)
Disable and Monitor Regasm.exe and Regsvcs.exe Utilities (CM0006)
Disable and Monitor Verclsid.exe System Binary (CM0007)
Block or Monitor Mavinject.exe Utility (CM0008)
Update Domain Name Service (DNS) Deny List (CM0009)
Enable Internet Protocol (IP) Address Allowlists (CM0010)
Enable Domain Name System (DNS) Sinkhole (CM0011)
Disable or Restrict Distributed Component Object Model (DCOM) Protocol (CM0012)
Block Windows Management Instrumentation (WMI) Service (CM0013)
Disable Cisco Smart Install Feature (CM0014)
Block Default Screensaver Programs and Monitor SCR Executable Files (CM0015)
Remove Suspicious Property List (PLIST) Files (CM0016)
Enable Port Filtering on Host-based Firewalls (CM0017)
Enable Active Directory (AD) Protected Users Security Group (CM0018)
Disable or Restrict Windows Remote Management (WinRM) Protocol (CM0019)
Disable Virtual Network Computing (VNC) Desktop-sharing System (CM0020)
Enable Behavioral and Heuristic-based Malware Detection (CM0021)
Quarantine Suspicious Files (CM0022)
Identify and Terminate Suspicious Processes (CM0023)
Disconnect Internet-facing Boundary Controllers (CM0024)
Disable Remote Desktop Protocol (RDP) (CM0025)
Reboot Servers (CM0026)
Rebuild Compromised Host (CM0027)
Reset Service Account Passwords (CM0028)
Reset NT Hashes for Smart Card-enabled Accounts (CM0029)
Remove Known Malware (CM0030)
Monitor PowerShell Program (CM0031)
Revoke and Regenerate SSH Keys (CM0032)
Reset User Account Passwords (CM0033)
Identify and Block Suspicious Hosts (CM0034)
Configure Uniform Resource Locator (URL) Filtering (CM0035)
Identify and Monitor Remote Access Tools (CM0036)
Enable Geolocation-based Traffic Filtering (CM0037)
Remove Windows Management Instrumentation (WMI) Event Subscription (CM0038)
Monitor Windows Management Instrumentation (WMI) Events (CM0039)
Clear Workstation and Server Domain Name Server (DNS) Caches (CM0040)
Disable Service Account Interactive Login (CM0041)
Restrict Remote Desktop Protocol (RDP) (CM0042)
Monitor Permissions for User, Service, and Administrator Accounts (CM0043)
Monitor Account Creation and Permission Changes (CM0044)
Disable or Monitor Execution of WMIC.exe (CM0045)
Block Execution of Compiled HTML (CHM) Files (CM0046)
Block High-risk File Types at Web Gateway (CM0047)
Disable Hyper-V (CM0048)
Disable or Monitor Executables with SUID and SGID Bits Set (CM0049)
Reset Kerberos Ticket Granting Ticket (KRBTGT) Password Twice (CM0050)
Disable Bluetooth (CM0051)
Disable NetBIOS Service (CM0052)
Disable Link-Local Multicast Name Resolution (LLMNR) Service (CM0053)
Block or Restrict Removable Media (CM0054)
Implement SPF, DKIM, and DMARC Email Authentication Methods (CM0055)
Disable Visual Basic for Applications (VBA) Macros (CM0056)
Verify Signing of AppleScripts (CM0057)
Detect and Block Execution of Vulnerable Drivers (CM0058)
Configure Tactical Privileged Access Workstation (CM0059)
Restrict and Monitor Domain Accounts with Local Administrator Access to Workstations (CM0060)
Rotate Mailbox Passwords (CM0061)
Monitor or Block Server Message Block (SMB) Protocol (CM0062)
Investigate Suspicious Login Attempts (CM0063)
Investigate Account Manipulation (CM0064)
Isolate Endpoints from Network (CM0065)
Update Firmware (CM0066)
Install Critical Software Security Updates (CM0067)
Audit and Restrict Exchange ApplicationImpersonation Role (CM0068)
Reset Directory Services Restore Mode (DSRM) Account Passwords on Domain Controllers (CM0069)
Reset Domain Controller (DC) Machine Account Password (CM0070)
Unenroll Suspicious Multifactor Authentication (MFA) Device from Microsoft User Account (CM0071)
Disable Credential Caching (CM0072)
Rotate Active Directory Federation Services (AD FS) Certificates (CM0073)
Audit and Restrict Mailbox Permissions (CM0074)
Implement Access Restrictions on Cloud Storage Objects (CM0075)
Remove Adversary Certificates and Rotate Secrets for Applications and Service Principals (CM0076)
Revoke Microsoft 365 Refresh Tokens (CM0077)
Disable or Monitor Windows Script Host (WSH) Administration Tool (CM0078)
Reset Active Directory Services (AD DS) Connector Account Password (CM0079)
Block and Reissue Tokens (CM0080)
Rebuild Citrix NetScaler Appliances (CM0081)
Identify and Remove Suspicious Email Forwarding Rules (CM0082)
Rotate Application Programming Interface (API) Keys (CM0083)
Restrict Accounts with Privileged Active Directory (AD) Access from Logging into Endpoints (CM0084)
Audit Group Policy Objects (GPOs) in Active Directory (AD) (CM0085)
Reboot Workstations (CM0086)
Disable Credential Caching in the WDigest Authentication Protocol (CM0087)
Enable Credential Guard (CM0088)
Enable Local Security Authority (LSA) Protections (CM0089)
Detect Attempts to Access Local Security Authority Subsystem Service (LSASS) Process (CM0090)
Prevent and Detect System Binary Proxy Execution (CM0091)
Reset Entra Seamless Sign-on Account Password (CM0092)
Prevent and Detect Network Traffic to/from The Onion Router (Tor) Exit Nodes (CM0093)
Restrict Domain Admin User Rights and Monitor Protected Users on Workstations (CM0094)
Detect Attempts to Modify or Disable Defender from the Command Line (CM0095)
Prevent and Detect Attempts to Copy NT Directory Services Database Information Table (NTDS.dit) (CM0096)
Detect Attempts to Delete Shadow Copies (CM0097)
Enable Extended Protection for Authentication (EPA) (CM0098)
Remove/Rotate Kubernetes Service Account Token (CM0099)
Restrict and Monitor Remote Procedure Calls (RPC) (CM0100)
Block Applications in Writable Locations using AppLocker (CM0101)
Remove Cached Domain Credentials From Workstation (CM0102)
Deny Logon as a Batch Job (CM0103)
Enable Interactive Logon and Require Smart Card Policy for Privileged User Accounts (CM0104)
Remove Malicious Enterprise Applications and Service Account Principals (CM0105)
Eliminate Web Shells (CM0106)
Restore SYSVOL Content in AD Domains (CM0107)
Detect Rogue Virtual Machines (CM0108)
Audit and Restrict Cron Daemon (CM0109)
Detect Anti-Malware Scan Interface (AMSI) Bypass Attempts (CM0110)
Enable Multiple Administrative Approval (MAA) for Access Policies (CM0111)
Remove Extraneous and Stale Accounts (CM0112)
Disable Microsoft Office Add-ins (CM0113)
Enable Microsoft Conditional Access Policy Templates (CM0114)
Block Untrusted and Unsigned Processes that Run from USB (CM0115)
Restrict Visual Basic for Applications (VBA) Macros (CM0116)
Disable or Monitor Connection Manager Profile Installer (CMSTP.exe) (CM0117)
Revoke Existing Administrator Permissions and Deploy New Administrator Accounts (CM0118)
Disable Autoplay (CM0119)
Remove Cron Job (CM0120)
Enable Managed Domain Authentication (CM0121)
Restrict SYSVOL Credential Theft (CM0122)
Remove Malicious Domain Trust from Tenant (CM0123)
Disable On-Premise Active Directory (AD) Accounts with Privileged Roles in Entra ID (CM0124)
Reset and Monitor adminCount Attribute (CM0125)
Reset Credentials for Local Administrator Accounts Twice (CM0126)
Disable Microsoft XML Core Services (MSXSL.exe) (CM0127)
Reset Credentials for Global and Domain Administrator Accounts Twice (CM0128)
Eliminate Hidden Registry Keys (CM0129)
Disable or Restrict Microsoft Build Engine (MSBuild.exe) (CM0130)
Disable or Restrict Microsoft Management Console (MMC.exe) (CM0131)
Disable or Restrict InstallUtil (CM0132)
Reset Access Control Lists to Default Values (CM0133)
Audit Federated Systems Trust Settings (CM0134)
Rebuild Group Managed Service Accounts (gMSA) (CM0135)
Configure and Invalidate Relative ID (RID) Pools (CM0136)
Remove Global Catalog from Domain Controller (CM0137)
Audit and Remove Malicious Udev Rules (CM0138)
Rebuild Active Directory (AD) Connect Server (CM0139)
Configure Windows Audit Policy (CM0140)
Audit and Restrict PsExec (CM0141)
Enable LDAP Signing and Channel Binding (CM0142)
Audit and Configure PI Web API (CM0143)
Audit SYSVOL for Vulnerable Group Policy Preferences (CM0144)
Reset Interdomain Trust Account (ITA) Credentials (CM0145)
Configure Flexible Single Master Operations (FSMO) Roles (CM0146)
Remove Suspicious Scheduled Tasks (CM0147)
Disable Cisco Open NX-OS Guest Shell (CM0148)
Temporarily Disable Cisco Open NX-OS Guest Shell (CM0149)
Implement Complex Password Policy for Cisco Devices (CM0153)
Audit and Restrict Cisco CLI Privileges (CM0156)
Disable Unauthorized Open Ports (CM0157)