Esc

Application Hardening

D3-AH (Application Hardening)

Definition

Application Hardening makes an executable application more resilient to a class of exploits which either introduce new code or execute unwanted existing code. These techniques may be applied at compile-time or on an application binary.

Synonyms: Process Hardening.

Technique Overview

Exploits may, for example, rely on knowledge of addresses in a process's memory, they may alter memory contents, and they may cause a program to use instructions in a way that they were not intended. By, for example, including code that dynamically changes the memory address of data or code on each run, introducing logic to validating the memory contents before certain potentially dangerous flows are executed, or monitoring a program for unusual sequence of instructions, this makes it harder for an attacker to craft a working exploit.

Artifact Relationships:

This defensive technique is related to specific artifacts. Click the artifact node for more information.

Technique Subclasses

There are 10 techniques in this category, Application Hardening.

Name	ID	Definition	Synonyms
Application Hardening	D3-AH	Application Hardening makes an executable application more resilient to a class of exploits which either introduce new code or execute unwanted existing code. These techniques may be applied at compile-time or on an application binary.	Process Hardening
- Dead Code Elimination	D3-DCE	Removing unreachable or "dead code" from compiled source code.
- Disable Remote Access	D3-DRA	Limiting access to a computing device which is not required through or from a non-organization-controlled network.
- Process Segment Execution Prevention	D3-PSEP	Preventing execution of any address in a memory region other than the code segment.	Execute Disable , and No Execute
- Segment Address Offset Randomization	D3-SAOR	Randomizing the base (start) address of one or more segments of memory during the initialization of a process.	ASLR , and Address Space Layout Randomization
- Stack Frame Canary Validation	D3-SFCV	Comparing a value stored in a stack frame with a known good value in order to prevent or detect a memory segment overwrite.
- Control Flow Integrity	D3-CFI	Enforcing legal control flow transfers during application process execution.
- Application Configuration Hardening	D3-ACH	Modifying an application's configuration to reduce its attack surface.
- Pointer Authentication	D3-PAN	Comparing the cryptographic hash or derivative of a pointer's value to an expected value.
- Exception Handler Pointer Validation	D3-EHPV	Validates that a referenced exception handler pointer is a valid exception handler.	Exception Handler Validation

Related ATT&CK Techniques:

These mappings are inferred, experimental, and will improve as the knowledge graph grows.

These offensive techniques are determined related because of the way this defensive technique,, , , and .

Lateral Movement

Exploitation of Remote Services

Privilege Escalation

Exploitation for Privilege Escalation

Process Injection

Process Hollowing

Collection

Input Capture

Credential API Hooking

Email Collection

Email Forwarding Rule

Discovery

System Owner/User Discovery

Initial Access

Exploit Public-Facing Application

Drive-by Compromise

Execution

Exploitation for Client Execution

Credential Access

Exploitation for Credential Access

Input Capture

Credential API Hooking

Defense Evasion

System Binary Proxy Execution

Exploitation for Defense Evasion

Impair Defenses

Impair Command History Logging

Disable Windows Event Logging

Hide Artifacts

Email Hiding Rules

Reflective Code Loading

Process Injection

Process Hollowing

D3FEND^™

A knowledge graph of cybersecurity countermeasures

−

Agent Authentication

Biometric Authentication

Certificate-based Authentication

Multi-factor Authentication

Password Authentication

Token-based Authentication

Application Hardening

Application Configuration Hardening

Control Flow Integrity

Dead Code Elimination

Exception Handler Pointer Validation

Pointer Authentication

Process Segment Execution Prevention

Segment Address Offset Randomization

Stack Frame Canary Validation

Credential Hardening

Certificate Pinning

Credential Rotation

Certificate Rotation

Password Rotation

One-time Password

Strong Password Policy

Change Default Password

Message Hardening

Message Authentication

Bus Message Authentication

Message Encryption

Transfer Agent Authentication

Platform Hardening

Bootloader Authentication

Disk Encryption

Driver Load Integrity Checking

File Encryption

Hardware-based Write Protection

Physical Enclosure Hardening

Radiation Hardening

Electromagnetic Radiation Hardening

Software Update

System Configuration Permissions

TPM Boot Integrity

Source Code Hardening

Credential Scrubbing

Domain Logic Validation

Operational Logic Validation

Integer Range Validation

Pointer Validation

Memory Block Start Validation

Null Pointer Checking

Reference Nullification

Trusted Library

Variable Initialization

Variable Type Validation

−

Dynamic Analysis

Emulated File Analysis

File Content Analysis

File Content Rules

Identifier Analysis

Homoglyph Detection

Identifier Activity Analysis

Identifier Reputation Analysis

Domain Name Reputation Analysis

File Hash Reputation Analysis

IP Reputation Analysis

URL Reputation Analysis

Message Analysis

Sender MTA Reputation Analysis

Sender Reputation Analysis

Physical Access Monitoring

Electronic Lock Monitoring

Motion Sensor Monitoring

Proximity Sensor Monitoring

Video Surveillance

Process Analysis

Database Query String Analysis

File Access Pattern Analysis

Indirect Branch Call Analysis

Process Code Segment Verification

Process Self-Modification Detection

Process Spawn Analysis

Process Lineage Analysis

Script Execution Analysis

Shadow Stack Comparisons

System Call Analysis

File Creation Analysis

User Behavior Analysis

Authentication Event Thresholding

Authorization Event Thresholding

Credential Compromise Scope Analysis

Domain Account Monitoring

Job Function Access Pattern Analysis

Local Account Monitoring

Resource Access Pattern Analysis

Session Duration Analysis

User Data Transfer Analysis

User Geolocation Logon Pattern Analysis

Web Session Activity Analysis

−

Access Mediation

Credential Transmission Scoping

IO Port Restriction

Network Access Mediation

LAN Access Mediation

Routing Access Mediation

Network Resource Access Mediation

Remote File Access Mediation

Web Session Access Mediation

Endpoint-based Web Server Access Mediation

Proxy-based Web Server Access Mediation

Operating Mode Restriction

OT Variable Access Restriction

Physical Access Mediation

Physical Locking

System Call Filtering

Local File Access Mediation

Access Policy Administration

Domain Trust Policy

Local File Permissions

User Account Permissions

User Group Permissions

Content Filtering

Content Modification

Content Excision

Content Format Conversion

Content Rebuild

Content Substitution

Content Quarantine

Content Validation

File Format Verification

File Content Decompression Checking

File Internal Structure Verification

File Metadata Consistency Validation

File Metadata Value Verification

File Magic Byte Verification

Execution Isolation

Application-based Process Isolation

Executable Allowlisting

Executable Denylisting

Hardware-based Process Isolation

Kernel-based Process Isolation

Network Isolation

Broadcast Domain Isolation

Directional Network Link

DNS Allowlisting

DNS Denylisting

Forward Resolution Domain Denylisting

Hierarchical Domain Denylisting

Homoglyph Denylisting

Forward Resolution IP Denylisting

Reverse Resolution IP Denylisting

Encrypted Tunnels

Network Traffic Filtering

Inbound Traffic Filtering

Email Filtering

Outbound Traffic Filtering

−

Decoy Environment

Connected Honeynet

Integrated Honeynet

Standalone Honeynet

Decoy Network Resource

Decoy Public Release

Decoy Session Token

Decoy User Credential

−

Reissue Credential

Restore Network Access

Restore User Account Access

Restore Configuration

Restore Database

Restore Disk Image

Restore Software