MITRE ATT&CK® Mitigation

M0942: Disable or Remove Feature or Program

Remove or deny access to unnecessary and potentially vulnerable software to prevent abuse by adversaries.

ICS | M0942 | Mitigation | Object v1.0 | Modified
Glexia's Take

Analyst context for executives and security teams

Analyst confidence Medium

This ICS mitigation is about reducing the attack surface: remove or block access to software, services, command interfaces, scripting capability, and other features that are not needed for operations. Its business value is practical resilience—fewer exposed functions means fewer ways for an adversary to gain access, move through the control environment, execute commands, or disrupt devices.

Executive priority

Prioritize this as a governance and resilience control for ICS environments. Leaders should ask whether the organization has evidence of what software and features are actually required, who approved exceptions, and whether remote access, command-line, scripting, removable media, and service exposure are minimized. This also supports compliance evidence for least functionality/configuration management expectations referenced by IEC 62443 SR/CR 7.7 and NIST SP 800-53 Rev. 5 CM-7.

Technical view

For SOC, IR, and engineering teams, validate that unnecessary features and programs are disabled or removed on control-system assets where operationally safe. Relationship context makes this especially relevant to Command-Line Interface, Scripting, External Remote Services, Exploitation of Remote Services, Device Restart/Shutdown, Adversary-in-the-Middle, Replication Through Removable Media, and Commonly Used Port behaviors. ATT&CK provides no detection text for this mitigation, so coverage should be proven through configuration state, asset inventory, access paths, and change-control evidence rather than assumed from alerts.

Likely telemetry

  • Authoritative ICS asset and software inventory
  • Configuration baselines showing enabled services, installed programs, and disabled features
  • Remote access gateway, VPN, Citrix, or similar external remote service logs where present
  • Authentication and authorization records for administrative access to systems and interfaces
  • Network flow or firewall records showing exposed services and commonly used ports

Detection direction

  • Because official detection guidance is not provided, treat this as a control validation problem: compare approved baselines against actual enabled services, installed software, remote access paths, and exposed interfaces.
  • Tune monitoring around deviations from least-functionality baselines, such as newly enabled remote services, unexpected scripting tools, new administrative utilities, or unauthorized software installation.
  • Use relationship context to prioritize visibility for CLI and scripting usage, external remote service access, service exposure on common ports, restart/shutdown functions, and removable media pathways.
  • Account for false positives from maintenance, vendor support, and engineering changes by requiring approved change records and operational owner validation.
  • Identify blind spots where ICS assets cannot report endpoint telemetry; compensate with configuration reviews, network observations, access gateway logs, and manual engineering evidence.

Mitigation priorities

  • Start with an operationally approved inventory of required software, services, interfaces, and features for each control-system role.
  • Remove or disable software and features that are not required, especially those enabling remote access, command execution, scripting, removable media use, or unnecessary network services.
  • Deny access to features that cannot be removed but are not broadly needed, using role-based permissions and administrative approval where applicable.
  • Establish exception handling for vendor support and safety-critical operations, including documented business justification and review dates.
  • Continuously verify configuration drift through change management, periodic reviews, and evidence suitable for IEC 62443 and NIST CM-7-aligned compliance needs.
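The detection direction and mitigation priorities above both reduce to one control-validation loop: compare an approved per-role baseline against what is actually enabled, and sort every deviation into "approved change", "documented exception (current or past its review date)", or "unauthorized". The following Python is an added example of that loop, not Glexia's or MITRE's code; the roles, asset names, change ticket, exception register and dates are constructed sample data standing in for an organization's own inventory and change-control records.

```python
"""Least-functionality drift check for ICS assets.

Added example (not Glexia's or MITRE's code). Compares an approved per-role
baseline of required services, programs and features against an observed
snapshot, then classifies each deviation using constructed change records and
an exception register with review dates. All asset names, roles, change IDs
and dates are constructed sample data.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Set, Tuple

CATEGORIES = ("services", "programs", "features")
REVIEW_DATE = date(2025, 6, 1)  # constructed "today" for the review run

# Approved baseline: what each control-system role is allowed to run (constructed).
BASELINE: Dict[str, Dict[str, Set[str]]] = {
    "hmi": {
        "services": {"hmi-runtime", "ntp"},
        "programs": {"hmi-runtime", "pdf-viewer"},
        "features": set(),
    },
    "engineering-workstation": {
        "services": {"ntp"},
        "programs": {"plc-ide"},
        "features": {"usb-storage"},
    },
}

# Approved change records keyed by (asset, category, item) -> ticket id (constructed).
CHANGE_RECORDS: Dict[Tuple[str, str, str], str] = {
    ("ews-01", "services", "ssh"): "CHG-0042",
}


@dataclass(frozen=True)
class Exemption:
    """Documented exception to the baseline: justification plus a review date."""
    asset: str
    category: str
    item: str
    justification: str
    review_by: date


# Exception register (constructed): one current, one past its review date.
EXEMPTIONS: List[Exemption] = [
    Exemption("hmi-01", "programs", "powershell", "vendor diagnostics tooling", date(2026, 3, 31)),
    Exemption("hmi-01", "services", "rdp", "one-off vendor remote support", date(2025, 1, 31)),
]


@dataclass(frozen=True)
class Finding:
    asset: str
    category: str
    item: str
    status: str  # change-approved | exempt | exemption-expired | unauthorized | missing-required


def classify_extra(asset: str, category: str, item: str, today: date) -> str:
    """Decide whether an item present beyond the baseline is sanctioned."""
    key = (asset, category, item)
    if key in CHANGE_RECORDS:
        return "change-approved"
    for ex in EXEMPTIONS:
        if (ex.asset, ex.category, ex.item) == key:
            return "exempt" if ex.review_by >= today else "exemption-expired"
    return "unauthorized"


def check_asset(asset: str, role: str, observed: Dict[str, Set[str]], today: date) -> List[Finding]:
    """Compare one asset's observed configuration against its role baseline."""
    base = BASELINE[role]
    findings: List[Finding] = []
    for category in CATEGORIES:
        seen = observed.get(category, set())
        # Enabled or installed beyond the baseline: the attack-surface growth this
        # mitigation exists to prevent.
        for item in sorted(seen - base[category]):
            findings.append(Finding(asset, category, item, classify_extra(asset, category, item, today)))
        # Required by the baseline but absent: also drift, and possibly an availability issue.
        for item in sorted(base[category] - seen):
            findings.append(Finding(asset, category, item, "missing-required"))
    return findings


def needs_action(findings: List[Finding]) -> List[Finding]:
    """Findings that require remediation or a fresh change/exception decision."""
    return [f for f in findings if f.status in ("unauthorized", "exemption-expired", "missing-required")]


# Observed snapshots (constructed), shaped like an inventory tool's export.
OBSERVED = {
    "hmi-01": ("hmi", {
        "services": {"hmi-runtime", "ntp", "rdp"},
        "programs": {"hmi-runtime", "pdf-viewer", "powershell"},
        "features": {"autorun"},
    }),
    "ews-01": ("engineering-workstation", {
        "services": {"ntp", "ssh"},
        "programs": {"plc-ide"},
        "features": {"usb-storage"},
    }),
}


def run_review(today: date) -> Dict[str, List[Finding]]:
    """Run the drift check over every observed asset."""
    return {asset: check_asset(asset, role, obs, today) for asset, (role, obs) in OBSERVED.items()}


if __name__ == "__main__":
    for asset, findings in run_review(REVIEW_DATE).items():
        for f in findings:
            print(f"{asset:8} {f.category:9} {f.item:12} {f.status}")
```

The output for the sample data separates the three cases the page's detection bullets describe: the `ssh` service on the engineering workstation is backed by a change record and generates no action; the `rdp` service on the HMI had an exception whose review date has passed, so it must be removed or re-justified; the `autorun` feature has neither and is flagged as unauthorized. Feeding the `needs_action` list into ticketing, and treating `change-approved` items as expected, is how the false-positive bullet (maintenance, vendor support, engineering changes) is handled without suppressing real drift.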

Analyst notes and limits

This is a mitigation object, not a technique. Its value comes from reducing available functionality that related ICS techniques may abuse. The supplied ATT&CK data does not specify platforms or tactics, so implementation must be mapped to the local control-system architecture and safety requirements.

Official detection content is not provided, and related technique descriptions are partial in the supplied relationship context. No claim is made about active exploitation, specific vendors, affected platforms, or guaranteed detection coverage. Local asset inventory, engineering constraints, and approved operating procedures are required to apply this safely.

Official MITRE ATT&CK definition

Disable or Remove Feature or Program

Remove or deny access to unnecessary and potentially vulnerable software to prevent abuse by adversaries.

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library).

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

ATT&CK relationship table

Techniques used

This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.

Domain ID Name Relationship / procedure
ICS T0866 Exploitation of Remote Services

Ensure that unnecessary ports and services are closed to prevent risk of discovery and potential exploitation.

ICS T0853 Scripting

Consider removal or disabling of programs and features which may be used to run malicious scripts (e.g., scripting language IDEs, PowerShell, Visual Studio).

ICS T0807 Command-Line Interface

Consider removing or restricting features that are unnecessary to an asset's intended function within the control environment.

ICS T0816 Device Restart/Shutdown

Ensure remote commands that enable device shutdown are disabled if they are not necessary. Examples include DNP3's 0x0D function code or unnecessary device management functions.

ICS T0822 External Remote Services

Consider removal of remote services which are not regularly in use, or only enabling them when required (e.g., vendor remote access). Ensure all external remote access points (e.g., jump boxes, VPN concentrator) are configured with least functionality, especially the removal of unnecessary services. [Citation: Department of Homeland Security, September 2016]

ICS T0885 Commonly Used Port

Ensure that unnecessary ports and services are closed to prevent risk of discovery and potential exploitation.

ICS T0830 Adversary-in-the-Middle

Disable unnecessary legacy network protocols that may be used for AiTM if applicable.

ICS T0847 Replication Through Removable Media

Consider the disabling of features such as AutoRun.
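The Device Restart/Shutdown row above names DNP3 function code 0x0D as a remote command that should be disabled when not needed. Whether or not an outstation still honours it, a defender wants to see it on the wire. The Python below is an added example of that check, not MITRE's or Glexia's code: it decodes the two-byte DNP3 application-layer header of captured request fragments and flags any function code outside an approved set, with restart codes rated highest. It assumes the capture tooling has already stripped the link and transport layers (and their CRCs), and the approved set and sample fragments are constructed; 0x0E (Warm Restart) is taken from the DNP3 function-code table rather than from the page.

```python
"""Flag DNP3 restart requests in captured application-layer fragments.

Added example, not MITRE's or Glexia's code. It parses only the DNP3
application-layer header (control byte + function code); the link and
transport layers and their CRCs are assumed to have been removed by the
capture tooling. Function code 0x0D (Cold Restart) is the code named in the
mitigation text; 0x0E (Warm Restart) is from the DNP3 function-code table.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Subset of the DNP3 request function-code table used by this example.
FUNCTION_NAMES = {
    0x01: "READ",
    0x02: "WRITE",
    0x03: "SELECT",
    0x04: "OPERATE",
    0x05: "DIRECT_OPERATE",
    0x0D: "COLD_RESTART",
    0x0E: "WARM_RESTART",
}
RESTART_CODES = {0x0D, 0x0E}

# Function codes the site has approved for master-to-outstation requests
# (constructed policy; a real one comes from the engineering baseline).
APPROVED_CODES = {0x01, 0x02, 0x03, 0x04, 0x05}


@dataclass(frozen=True)
class AppHeader:
    first: bool         # FIR: first fragment of the message
    final: bool         # FIN: final fragment of the message
    confirm: bool       # CON: application confirmation requested
    unsolicited: bool   # UNS: unsolicited response
    sequence: int       # 4-bit application sequence number
    function_code: int


def parse_app_header(fragment: bytes) -> AppHeader:
    """Decode the DNP3 application control byte and function code."""
    if len(fragment) < 2:
        raise ValueError("fragment too short for an application header")
    ctrl, fc = fragment[0], fragment[1]
    return AppHeader(
        first=bool(ctrl & 0x80),
        final=bool(ctrl & 0x40),
        confirm=bool(ctrl & 0x20),
        unsolicited=bool(ctrl & 0x10),
        sequence=ctrl & 0x0F,
        function_code=fc,
    )


def evaluate_fragment(src: str, dst: str, fragment: bytes) -> Optional[dict]:
    """Return an alert for a request whose function code is not approved, else None."""
    hdr = parse_app_header(fragment)
    if hdr.function_code in APPROVED_CODES:
        return None
    name = FUNCTION_NAMES.get(hdr.function_code, f"UNKNOWN_0x{hdr.function_code:02X}")
    is_restart = hdr.function_code in RESTART_CODES
    return {
        "src": src,
        "dst": dst,
        "code": hdr.function_code,
        "function": name,
        "severity": "high" if is_restart else "medium",
        "reason": ("restart command; disable on the outstation if not required"
                   if is_restart else "function code not in approved set"),
    }


def scan(frames: List[Tuple[str, str, bytes]]) -> List[dict]:
    """Evaluate a list of (src, dst, application fragment) tuples."""
    alerts = []
    for src, dst, fragment in frames:
        alert = evaluate_fragment(src, dst, fragment)
        if alert is not None:
            alerts.append(alert)
    return alerts


# Constructed sample capture: master 10.0.1.5 talking to outstation 10.0.2.20.
SAMPLE_FRAGMENTS: List[Tuple[str, str, bytes]] = [
    ("10.0.1.5", "10.0.2.20", bytes.fromhex("c0013c0206")),  # READ, class 1 events
    ("10.0.1.5", "10.0.2.20", bytes.fromhex("c10d")),        # COLD_RESTART request
    ("10.0.1.5", "10.0.2.20", bytes.fromhex("c205")),        # DIRECT_OPERATE (object headers omitted)
]


if __name__ == "__main__":
    for a in scan(SAMPLE_FRAGMENTS):
        print(f"{a['severity']:6} {a['src']} -> {a['dst']} {a['function']} (0x{a['code']:02X}): {a['reason']}")
```

Only the second fragment produces an alert on the sample data. In practice the approved set would be per outstation, derived from the same least-functionality inventory the page calls for, so that a restart request to a device where the function has been disabled still surfaces as evidence that someone attempted it.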

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources — Updates.

ATT&CK release: 19.1
Object version: 1.0
Created
Modified
Raw hash: 915bafd9cb4281f1...

Imported snapshots across ATT&CK releases (1)

Release | Bundle imported | Object version | Modified | Status | Raw hash
19.1 | | 1.0 | | Current bundle | 915bafd9cb42…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. mitre-attack: M0942

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.