M1028: Operating System Configuration
Operating System Configuration involves adjusting system settings and hardening the default configurations of an operating system (OS) to mitigate adversary exploitation and prevent abuse of system functionality. Proper OS configurations address security vulnerabilities, limit attack surfaces, and ensure robust defense against a wide range of techniques. This mitigation can be implemented through the following measures:
Disable Unused Features:
- Turn off SMBv1, LLMNR, and NetBIOS where not needed. - Disable remote registry and unnecessary services.
Enforce OS-level Protections:
- Enable Data Execution Prevention (DEP), Address Space Layout Randomization (ASLR), and Control Flow Guard (CFG) on Windows. - Use AppArmor or SELinux on Linux for mandatory access controls.
Secure Access Settings:
- Enable User Account Control (UAC) for Windows. - Restrict root/sudo access on Linux/macOS and enforce strong permissions using sudoers files.
File System Hardening:
- Implement least-privilege access for critical files and system directories. - Audit permissions regularly using tools like icacls (Windows) or getfacl/chmod (Linux/macOS).
Secure Remote Access:
- Restrict RDP, SSH, and VNC to authorized IPs using firewall rules. - Enable NLA for RDP and enforce strong password/lockout policies.
Harden Boot Configurations:
- Enable Secure Boot and enforce UEFI/BIOS password protection. - Use BitLocker or LUKS to encrypt boot drives.
Regular Audits:
- Periodically audit OS configurations using tools like CIS Benchmarks or SCAP tools.
*Tools for Implementation*
Windows:
- Microsoft Group Policy Objects (GPO): Centrally enforce OS security settings. - Windows Defender Exploit Guard: Built-in OS protection against exploits. - CIS-CAT Pro: Audit Windows security configurations based on CIS Benchmarks.
Linux/macOS:
- AppArmor/SELinux: Enforce mandatory access controls. - Lynis: Perform comprehensive security audits. - SCAP Security Guide: Automate configuration hardening using Security Content Automation Protocol.
Cross-Platform:
- Ansible or Chef/Puppet: Automate configuration hardening at scale. - OpenSCAP: Perform compliance and configuration checks.
Analyst context for executives and security teams
Operating System Configuration is a broad hardening mitigation: reduce what the OS exposes by disabling unnecessary features, enforcing built-in protections, tightening access and file permissions, securing remote access, hardening boot settings, and auditing configuration drift. For leaders, its value is not a single control but a repeatable baseline that limits credential theft, lateral movement, persistence, discovery, exfiltration paths, and recovery inhibition across systems where those risks apply.
Executive priority
Treat this as a foundational resilience and audit-readiness control. The business decision is whether OS baselines are centrally defined, enforced, measured, and exception-managed across critical assets. Priority should be highest where ATT&CK relationships show material risk: credential access such as OS Credential Dumping and LSASS Memory, lateral movement over RDP, persistence through services or scheduled tasks, account manipulation or creation, and impact behaviors that inhibit system recovery.
Technical view
SOC, detection engineering, and IR teams should validate both preventive configuration and evidence of drift. ATT&CK provides no detection text for M1028, so coverage should be proven through configuration assessment and monitoring of changes to OS protections, remote access settings, service/task configuration, local and domain account controls, file permissions, boot security, encryption, and recovery-related settings. Relationship context should drive test cases: Windows credential dumping protections and LSASS exposure; SAM and cached credential settings; RDP restrictions and NLA; scheduled task and Windows service creation/modification; account creation/manipulation; network share and account discovery exposure; removable media, Bluetooth, and alternate network paths where relevant.
Likely telemetry
- Configuration baseline and compliance scan results, such as CIS Benchmark or SCAP-style assessments
- Central policy state and changes, such as Group Policy or equivalent configuration management records
- OS security protection status, including DEP, ASLR, CFG, AppArmor, SELinux, UAC, Secure Boot, and disk encryption where applicable
- Remote access configuration evidence for RDP, SSH, VNC, firewall restrictions, NLA, password, and lockout policies
- Service, scheduled task/job, BITS job, and startup configuration change logs
Detection direction
- Do not treat this mitigation as detected simply because a hardening standard exists; validate current endpoint and server state against approved baselines.
- Tune monitoring for configuration drift and high-risk changes: enabling legacy or unused services, weakening remote access controls, changing service or scheduled task definitions, modifying account privileges, and altering recovery or boot protections.
- Use relationship-driven validation: confirm controls and logs are sufficient for techniques such as OS Credential Dumping, RDP lateral movement, Scheduled Task/Job abuse, Create or Modify System Process, Account Manipulation, Create Account, and Inhibit System Recovery.
- Account for false positives from administrators, software deployment, patching, and approved automation by requiring change-management context and asset criticality.
- Identify blind spots where configuration tools do not cover unmanaged hosts, non-domain systems, Linux/macOS endpoints, cloud or container-hosted workloads, ESXi, network devices, or offline systems.
Mitigation priorities
- Define an approved OS configuration baseline for each relevant system class and map exceptions to business owners and compensating controls.
- Disable unused OS features and unnecessary services, including legacy name-resolution or file-sharing components where not needed.
- Enforce OS-level protections and mandatory access controls where supported by the operating system.
- Restrict privileged access, root/sudo usage, local administrator membership, and sensitive file or directory permissions.
- Harden remote access by limiting RDP, SSH, and VNC exposure to authorized sources and enforcing strong authentication-related settings described in policy.
Analyst notes and limits
M1028 is a mitigation object, not a detection analytic. Its importance comes from its breadth: the supplied relationships connect OS hardening to credential access, discovery, persistence, privilege escalation, lateral movement, exfiltration, command and control, and impact techniques. Glexia would use this as a control-validation anchor for managed detection onboarding, IR readiness reviews, identity hardening, compliance evidence, and vulnerability-management prioritization.
The ATT&CK object does not specify platforms or tactics for the mitigation itself and provides no official detection guidance. Platform references in this take come from the official description and related techniques. Local asset inventory, configuration baselines, business criticality, and change records are required to determine actual coverage and risk reduction.
Operating System Configuration
Operating System Configuration involves adjusting system settings and hardening the default configurations of an operating system (OS) to mitigate adversary exploitation and prevent abuse of system functionality. Proper OS configurations address security vulnerabilities, limit attack surfaces, and ensure robust defense against a wide range of techniques. This mitigation can be implemented through the following measures:
Disable Unused Features:
- Turn off SMBv1, LLMNR, and NetBIOS where not needed. - Disable remote registry and unnecessary services.
Enforce OS-level Protections:
- Enable Data Execution Prevention (DEP), Address Space Layout Randomization (ASLR), and Control Flow Guard (CFG) on Windows. - Use AppArmor or SELinux on Linux for mandatory access controls.
Secure Access Settings:
- Enable User Account Control (UAC) for Windows. - Restrict root/sudo access on Linux/macOS and enforce strong permissions using sudoers files.
File System Hardening:
- Implement least-privilege access for critical files and system directories. - Audit permissions regularly using tools like icacls (Windows) or getfacl/chmod (Linux/macOS).
Secure Remote Access:
- Restrict RDP, SSH, and VNC to authorized IPs using firewall rules. - Enable NLA for RDP and enforce strong password/lockout policies.
Harden Boot Configurations:
- Enable Secure Boot and enforce UEFI/BIOS password protection. - Use BitLocker or LUKS to encrypt boot drives.
Regular Audits:
- Periodically audit OS configurations using tools like CIS Benchmarks or SCAP tools.
*Tools for Implementation*
Windows:
- Microsoft Group Policy Objects (GPO): Centrally enforce OS security settings. - Windows Defender Exploit Guard: Built-in OS protection against exploits. - CIS-CAT Pro: Audit Windows security configurations based on CIS Benchmarks.
Linux/macOS:
- AppArmor/SELinux: Enforce mandatory access controls. - Lynis: Perform comprehensive security audits. - SCAP Security Guide: Automate configuration hardening using Security Content Automation Protocol.
Cross-Platform:
- Ansible or Chef/Puppet: Automate configuration hardening at scale. - OpenSCAP: Perform compliance and configuration checks.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1574.006 | Dynamic Linker Hijacking Sub-technique | When System Integrity Protection (SIP) is enabled in macOS, the aforementioned environment variables are ignored when executing protected binaries. Third-party applications can also leverage Apple’s Hardened Runtime, ensuring these environment variables are subject to imposed restrictions.CitationApple Developer Doco Hardened Runtime Admins can add restrictions to applications by setting the setuid and/or setgid bits, use entitlements, or have a __RESTRICT segment in the Mach-O binary. |
| Enterprise | T1087.001 | Local Account Sub-technique | Prevent administrator accounts from being enumerated when an application is elevating through UAC since it can lead to the disclosure of account names. The Registry key is located at |
| Enterprise | T1553 | Subvert Trust Controls | Windows Group Policy can be used to manage root certificates and the |
| Enterprise | T1053.002 | At Sub-technique | Configure settings for scheduled tasks to force tasks to run under the context of the authenticated account instead of allowing them to run as SYSTEM. The associated Registry key is located at |
| Enterprise | T1543.003 | Windows Service Sub-technique | Ensure that Driver Signature Enforcement is enabled to restrict unsigned drivers from being installed. |
| Enterprise | T1548.001 | Setuid and Setgid Sub-technique | Applications with known vulnerabilities or known shell escapes should not have the setuid or setgid bits set to reduce potential damage if an application is compromised. Additionally, the number of programs with setuid or setgid bits set should be minimized across a system. |
| Enterprise | T1542.005 | TFTP Boot Sub-technique | Follow vendor device hardening best practices to disable unnecessary and unused features and services, avoid using default configurations and passwords, and introduce logging and auditing for detection. |
| Enterprise | T1021.001 | Remote Desktop Protocol Sub-technique | Change GPOs to define shorter timeouts sessions and maximum amount of time any single session can be active. Change GPOs to specify the maximum amount of time that a disconnected session stays active on the RD session host server.CitationWindows RDP Sessions |
| Enterprise | T1003.001 | LSASS Memory Sub-technique | Consider disabling or restricting NTLM.CitationMicrosoft Disable NTLM Nov 2012 Consider disabling WDigest authentication.CitationMicrosoft WDigest Mit |
| Enterprise | T1552 | Unsecured Credentials | There are multiple methods of preventing a user's command history from being flushed to their .bash_history file, including use of the following commands: |
| Enterprise | T1548 | Abuse Elevation Control Mechanism | Applications with known vulnerabilities or known shell escapes should not have the setuid or setgid bits set to reduce potential damage if an application is compromised. Additionally, the number of programs with setuid or setgid bits set should be minimized across a system. Ensuring that the sudo tty_tickets setting is enabled will prevent this leakage across tty sessions. |
| Enterprise | T1197 | BITS Jobs | Consider reducing the default BITS job lifetime in Group Policy or by editing the |
| Enterprise | T1563.002 | RDP Hijacking Sub-technique | Change GPOs to define shorter timeouts sessions and maximum amount of time any single session can be active. Change GPOs to specify the maximum amount of time that a disconnected session stays active on the RD session host server.CitationWindows RDP Sessions |
| Enterprise | T1543 | Create or Modify System Process | Ensure that Driver Signature Enforcement is enabled to restrict unsigned drivers from being installed. |
| Enterprise | T1087 | Account Discovery | Prevent administrator accounts from being enumerated when an application is elevating through UAC since it can lead to the disclosure of account names. The Registry key is located |
| Enterprise | T1053 | Scheduled Task/Job | Configure settings for scheduled tasks to force tasks to run under the context of the authenticated account instead of allowing them to run as SYSTEM. The associated Registry key is located at |
| Enterprise | T1136 | Create Account | Protect domain controllers by ensuring proper security configuration for critical servers. |
| Enterprise | T1011 | Exfiltration Over Other Network Medium | Prevent the creation of new network adapters where possible.CitationMicrosoft GPO Bluetooth FEB 2009CitationTechRepublic Wireless GPO FEB 2009 |
| Enterprise | T1556.002 | Password Filter DLL Sub-technique | Ensure only valid password filters are registered. Filter DLLs must be present in Windows installation directory (C:\Windows\System32\ by default) of a domain controller and/or local computer with a corresponding entry in HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Notification Packages. |
| Enterprise | T1087.002 | Domain Account Sub-technique | Prevent administrator accounts from being enumerated when an application is elevating through UAC since it can lead to the disclosure of account names. The Registry key is located at |
| Enterprise | T1003.005 | Cached Domain Credentials Sub-technique | Consider limiting the number of cached credentials (HKLM\SOFTWARE\Microsoft\Windows NT\Current Version\Winlogon\cachedlogonscountvalue)CitationTilbury Windows Credentials |
| Enterprise | T1564.002 | Hidden Users Sub-technique | If the computer is domain joined, then group policy can help restrict the ability to create or hide users. Similarly, preventing the modification of the |
| Enterprise | T1552.003 | Shell History Sub-technique | There are multiple methods of preventing a user's command history from being flushed to their .bash_history file, including use of the following commands: In Zsh, `fc -p` can be used to create a private history session. However, previous history will be unavailable to the user until the session ends. Using `unset HISTFILE` and writing commands to `/dev/null` can also be used, similarly to Bash. In PowerShell, users can utilize `Set-PSReadLineOption` to modify how commands are saved into history. Setting `-HistorySaveStyle SaveNothing` prevents command history from being saved onto the file. Note that setting it from `SaveNothing` to `SaveIncrementally` in the same session will cause all commands from that session to be saved. Alternatively, `-AddToHistoryHandler` can be used to filter certain commands from being saved into the history file. |
| Enterprise | T1135 | Network Share Discovery | Enable Windows Group Policy “Do Not Allow Anonymous Enumeration of SAM Accounts and Shares” security setting to limit users who can enumerate network shares.CitationWindows Anonymous Enumeration of SAM Accounts |
| Enterprise | T1553.004 | Install Root Certificate Sub-technique | Windows Group Policy can be used to manage root certificates and the |
| Enterprise | T1003.002 | Security Account Manager Sub-technique | Consider disabling or restricting NTLM.CitationMicrosoft Disable NTLM Nov 2012 |
| Enterprise | T1548.003 | Sudo and Sudo Caching Sub-technique | Ensuring that the |
| Enterprise | T1136.002 | Domain Account Sub-technique | Protect domain controllers by ensuring proper security configuration for critical servers. |
| Enterprise | T1092 | Communication Through Removable Media | Disallow or restrict removable media at an organizational policy level if they are not required for business operations.CitationTechNet Removable Media Control |
| Enterprise | T1490 | Inhibit System Recovery | Consider technical controls to prevent the disabling of services or deletion of files involved in system recovery. Additionally, ensure that WinRE is enabled using the following command: |
| Enterprise | T1011.001 | Exfiltration Over Bluetooth Sub-technique | Prevent the creation of new network adapters where possible. |
| Enterprise | T1036.007 | Double File Extension Sub-technique | Disable the default to “hide file extensions for known file types” in Windows OS.CitationSeqrite DoubleExtensionCitationHowToGeek ShowExtension |
| Enterprise | T1546.008 | Accessibility Features Sub-technique | To use this technique remotely, an adversary must use it in conjunction with RDP. Ensure that Network Level Authentication is enabled to force the remote desktop session to authenticate before the session is created and the login screen displayed. It is enabled by default on Windows Vista and later.CitationTechNet RDP NLA |
| Enterprise | T1690 | Prevent Command History Logging | Make sure that the |
| Enterprise | T1053.005 | Scheduled Task Sub-technique | Configure settings for scheduled tasks to force tasks to run under the context of the authenticated account instead of allowing them to run as SYSTEM. The associated Registry key is located at HKLM\SYSTEM\CurrentControlSet\Control\Lsa\SubmitControl. The setting can be configured through GPO: Computer Configuration > [Policies] > Windows Settings > Security Settings > Local Policies > Security Options: Domain Controller: Allow server operators to schedule tasks, set to disabled. CitationTechNet Server Operator Scheduled Task |
| Enterprise | T1556.008 | Network Provider DLL Sub-technique | Starting in Windows 11 22H2, the `EnableMPRNotifications` policy can be disabled through Group Policy or through a configuration service provider to prevent Winlogon from sending credentials to network providers.CitationEnableMPRNotifications |
| Enterprise | T1556 | Modify Authentication Process | Ensure only valid password filters are registered. Filter DLLs must be present in Windows installation directory (`C:\Windows\System32\` by default) of a domain controller and/or local computer with a corresponding entry in `HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Notification Packages`. Starting in Windows 11 22H2, the `EnableMPRNotifications` policy can be disabled through Group Policy or through a configuration service provider to prevent Winlogon from sending credentials to network providers.CitationEnableMPRNotifications |
| Enterprise | T1003 | OS Credential Dumping | Consider disabling or restricting NTLM.CitationMicrosoft Disable NTLM Nov 2012 Consider disabling WDigest authentication.CitationMicrosoft WDigest Mit |
| Enterprise | T1098 | Account Manipulation | Protect domain controllers by ensuring proper security configuration for critical servers to limit access by potentially unnecessary protocols and services, such as SMB file sharing. |
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates .
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | 1.3 | Current bundle | fe9ac69df71b… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
-
[1]
mitre-attack M1028Open source URL
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.