Esc

Platform Hardening

D3-PH

D3-PH (Platform Hardening)

Definition

Hardening components of a Platform with the intention of making them more difficult to exploit.

Platforms includes components such as:

BIOS UEFI Subsystems
Hardware security devices such as Trusted Platform Modules
Boot process logic or code
Kernel software components

Synonyms: System Hardening, Endpoint Hardening.

Artifact Relationships:

This defensive technique is related to specific artifacts. Click the artifact node for more information.

json

Technique Subclasses

There are 13 techniques in this category, Platform Hardening.

Name	ID	Definition	Synonyms
Platform Hardening	D3-PH	Hardening components of a Platform with the intention of making them more difficult to exploit. Platforms includes components such as: * BIOS UEFI Subsystems * Hardware security devices such as Trusted Platform Modules * Boot process logic or code * Kernel software components	System Hardening , and Endpoint Hardening
- Software Update	D3-SU	Replacing old software on a computer system component.
- Hardware-based Write Protection	D3-HBWP	Physical methods of preventing data from being written to computer storage.
- RF Shielding	D3-RFS	Adding physical barriers to a platform to prevent undesired radio interference.
- Physical Enclosure Hardening	D3-PEH	Physical changes to a computer enclosure which reduce the ability for agents or the environment to affect the contained computer system.
- System Configuration Permissions	D3-SCP	Restricting system configuration modifications to a specific user or group of users.
- Radiation Hardening	D3-RH	Radiation hardening is the process of making electronic components and circuits resistant to damage or malfunction caused by high levels of ionizing radiation.
- File Encryption	D3-FE	Encrypting a file using a cryptographic key.
- Disk Encryption	D3-DENCR	Encrypting a hard disk partition to prevent cleartext access to a file system.
- Bootloader Authentication	D3-BA	Cryptographically authenticating the bootloader software before system boot.	Secure Boot
- TPM Boot Integrity	D3-TBI	Assuring the integrity of a platform by demonstrating that the boot process starts from a trusted combination of hardware and software and continues until the operating system has fully booted and applications are running. Sometimes called Static Root of Trust Measurement (STRM).	STRM , and Static Root of Trust Measurement
- Electromagnetic Radiation Hardening	D3-EMH	The application of physical and material-level design measures to electronic systems, components, or facilities to reduce their susceptibility to damage or disruption from electromagnetic threats.	EM Hardening
- Driver Load Integrity Checking	D3-DLIC	Ensuring the integrity of drivers loaded during initialization of the operating system.

Related ATT&CK Techniques:

These mappings are inferred, experimental, and will improve as the knowledge graph grows.

These offensive techniques are determined related because of the way this defensive technique,, , , and .

Lateral Movement

Software Deployment Tools

Internal Spearphishing

Replication Through Removable Media

Privilege Escalation

Abuse Elevation Control Mechanism

Bypass User Account Control

Elevated Execution with Prompt

Sudo and Sudo Caching

Event Triggered Execution

Image File Execution Options Injection

Unix Shell Configuration Modification

Screensaver

Component Object Model Hijacking

AppInit DLLs

Emond

LC_LOAD_DYLIB Addition

Accessibility Features

Process Injection

Thread Execution Hijacking

Portable Executable Injection

Proc Memory

Dynamic-link Library Injection

Create or Modify System Process

Boot or Logon Autostart Execution

Kernel Modules and Extensions

Re-opened Applications

Plist Modification

Shortcut Modification

Registry Run Keys / Startup Folder

LSASS Driver

Hijack Execution Flow

DLL Side-Loading

Dylib Hijacking

COR_PROFILER

Path Interception by Unquoted Path

DLL

Path Interception by PATH Environment Variable

Services File Permissions Weakness

Dynamic Linker Hijacking

Executable Installer File Permissions Weakness

Path Interception by Search Order Hijacking

Scheduled Task/Job

Launchd

Boot or Logon Initialization Scripts

RC Scripts

Network Logon Script

Logon Script (Windows)

Command And Control

Encrypted Channel

Asymmetric Cryptography

Application Layer Protocol

Web Protocols

Communication Through Removable Media

Impact

Data Encrypted for Impact

Data Manipulation

Stored Data Manipulation

Runtime Data Manipulation

Inhibit System Recovery

Collection

Audio Capture

Automated Collection

Video Capture

Data Staged

Local Data Staging

Archive Collected Data

Archive via Custom Method

Archive via Library

Archive via Utility

Data from Removable Media

Data from Local System

Input Capture

Keylogging

Web Portal Capture

Email Collection

Local Email Collection

Discovery

System Network Configuration Discovery

System Location Discovery

System Language Discovery

Remote System Discovery

System Owner/User Discovery

File and Directory Discovery

Query Registry

Cloud Storage Object Discovery

Virtualization/Sandbox Evasion

Time Based Checks

Persistence

Event Triggered Execution

Image File Execution Options Injection

Unix Shell Configuration Modification

Screensaver

Component Object Model Hijacking

AppInit DLLs

Emond

LC_LOAD_DYLIB Addition

Accessibility Features

Create or Modify System Process

Server Software Component

IIS Components

Web Shell

SQL Stored Procedures

Office Application Startup

Office Template Macros

Add-ins

Outlook Forms

Boot or Logon Autostart Execution

Kernel Modules and Extensions

Re-opened Applications

Plist Modification

Shortcut Modification

Registry Run Keys / Startup Folder

LSASS Driver

Hijack Execution Flow

DLL Side-Loading

Dylib Hijacking

COR_PROFILER

Path Interception by Unquoted Path

DLL

Path Interception by PATH Environment Variable

Services File Permissions Weakness

Dynamic Linker Hijacking

Executable Installer File Permissions Weakness

Path Interception by Search Order Hijacking

Modify Authentication Process

Password Filter DLL

Pluggable Authentication Modules

Scheduled Task/Job

Pre-OS Boot

Software Extensions

Boot or Logon Initialization Scripts

RC Scripts

Network Logon Script

Logon Script (Windows)

Compromise Host Software Binary

Modify Registry

Initial Access

Phishing

Spearphishing Attachment

Spearphishing Link

Spearphishing via Service

Supply Chain Compromise

Compromise Software Dependencies and Development Tools

Compromise Hardware Supply Chain

Compromise Software Supply Chain

Replication Through Removable Media

Hardware Additions

Execution

Software Deployment Tools

User Execution

Malicious File

Command and Scripting Interpreter

Scheduled Task/Job

Launchd

Credential Access

Exploitation for Credential Access

Unsecured Credentials

Credentials In Files

Credentials in Registry

Shell History

Modify Authentication Process

Password Filter DLL

Pluggable Authentication Modules

OS Credential Dumping

/etc/passwd and /etc/shadow

Proc Filesystem

Forced Authentication

Credentials from Password Stores

Credentials from Web Browsers

Multi-Factor Authentication Interception

Input Capture

Keylogging

Web Portal Capture

Steal or Forge Authentication Certificates

Defense Evasion

Abuse Elevation Control Mechanism

Bypass User Account Control

Elevated Execution with Prompt

Sudo and Sudo Caching

Indicator Removal

Clear Linux or Mac System Logs

File Deletion

Masquerading

Space after Filename

Invalid Code Signature

Rename Legitimate Utilities

Match Legitimate Resource Name or Location

Process Injection

VDSO Hijacking

Thread Execution Hijacking

Portable Executable Injection

Proc Memory

Dynamic-link Library Injection

System Binary Proxy Execution

Mshta

MMC

Rundll32

Obfuscated Files or Information

Compile After Delivery

Hide Artifacts

Trusted Developer Utilities Proxy Execution

MSBuild

Hijack Execution Flow

DLL Side-Loading

Dylib Hijacking

COR_PROFILER

Path Interception by Unquoted Path

DLL

Path Interception by PATH Environment Variable

Services File Permissions Weakness

Dynamic Linker Hijacking

Executable Installer File Permissions Weakness

Path Interception by Search Order Hijacking

Deobfuscate/Decode Files or Information

Modify Authentication Process

Password Filter DLL

Pluggable Authentication Modules

Rogue Domain Controller

Rootkit

Pre-OS Boot

Impair Defenses

Impair Command History Logging

XSL Script Processing

Modify Registry

Virtualization/Sandbox Evasion

Time Based Checks

Exfiltration

Exfiltration Over C2 Channel

Exfiltration Over Physical Medium

Exfiltration over USB

Exfiltration Over Alternative Protocol

Exfiltration Over Asymmetric Encrypted Non-C2 Protocol

D3FEND^™

A knowledge graph of cybersecurity countermeasures

1.4.0

−

Harden

Agent Authentication

Biometric Authentication

Certificate-based Authentication

Multi-factor Authentication

Password Authentication

Token-based Authentication

Application Hardening

Application Configuration Hardening

Control Flow Integrity

Dead Code Elimination

Exception Handler Pointer Validation

Pointer Authentication

Process Segment Execution Prevention

Segment Address Offset Randomization

Stack Frame Canary Validation

Strong Password Policy

Change Default Password

Token Binding

Message Hardening

Message Authentication

Bus Message Authentication

Message Encryption

Transfer Agent Authentication

Platform Hardening

Bootloader Authentication

Disk Encryption

Driver Load Integrity Checking

File Encryption

Hardware-based Write Protection

Physical Enclosure Hardening

Radiation Hardening

Electromagnetic Radiation Hardening

RF Shielding

Software Update

System Configuration Permissions

TPM Boot Integrity

Source Code Hardening

Credential Scrubbing

Domain Logic Validation

Operational Logic Validation

Integer Range Validation

Pointer Validation

Memory Block Start Validation

Null Pointer Checking

Reference Nullification

Trusted Library

Variable Initialization

Variable Type Validation

−

Detect

File Analysis

Dynamic Analysis

Emulated File Analysis

File Content Analysis

Identifier Activity Analysis

Identifier Reputation Analysis

Domain Name Reputation Analysis

File Hash Reputation Analysis

IP Reputation Analysis

URL Reputation Analysis

URL Analysis

Message Analysis

Sender MTA Reputation Analysis

Sender Reputation Analysis

Physical Access Monitoring

Electronic Lock Monitoring

Motion Sensor Monitoring

Proximity Sensor Monitoring

Video Surveillance

Process Analysis

Database Query String Analysis

File Access Pattern Analysis

Indirect Branch Call Analysis

Process Code Segment Verification

Process Self-Modification Detection

Process Spawn Analysis

Process Lineage Analysis

Script Execution Analysis

Shadow Stack Comparisons

System Call Analysis

File Creation Analysis

User Behavior Analysis

Authentication Event Thresholding

Authorization Event Thresholding

Credential Compromise Scope Analysis

Domain Account Monitoring

Job Function Access Pattern Analysis

Local Account Monitoring

Resource Access Pattern Analysis

Session Duration Analysis

User Data Transfer Analysis

User Geolocation Logon Pattern Analysis

Web Session Activity Analysis

−

Isolate

Access Mediation

Credential Transmission Scoping

IO Port Restriction

Network Access Mediation

LAN Access Mediation

Routing Access Mediation

Network Resource Access Mediation

Remote File Access Mediation

Web Session Access Mediation

Endpoint-based Web Server Access Mediation

Proxy-based Web Server Access Mediation

Operating Mode Restriction

OT Variable Access Restriction

Physical Access Mediation

Physical Locking

System Call Filtering

Local File Access Mediation

Access Policy Administration

Domain Trust Policy

Local File Permissions

User Account Permissions

User Group Permissions

Content Filtering

Content Modification

Content Excision

Content Format Conversion

File Format Verification

File Content Decompression Checking

File Internal Structure Verification

File Metadata Consistency Validation

File Metadata Value Verification

File Magic Byte Verification

Execution Isolation

Application-based Process Isolation

Executable Allowlisting

Executable Denylisting

Hardware-based Process Isolation

Kernel-based Process Isolation

Network Isolation

Broadcast Domain Isolation

Directional Network Link

DNS Allowlisting

DNS Denylisting

Forward Resolution Domain Denylisting

Hierarchical Domain Denylisting

Homoglyph Denylisting

Forward Resolution IP Denylisting

Reverse Resolution IP Denylisting

Encrypted Tunnels

Network Traffic Filtering

Inbound Traffic Filtering

Email Filtering

Outbound Traffic Filtering

−

Decoy Network Resource

Decoy Persona

Decoy Public Release

Decoy Session Token

Decoy User Credential

−

Restore

Restore Access

Reissue Credential

Restore Network Access

Restore User Account Access

Unlock Account

Restore Object

Restore Configuration

Platform Hardening

Definition

Artifact Relationships:

Technique Subclasses

Related ATT&CK Techniques:

D3FEND™

D3FEND^™