M1033: Limit Software Installation
Prevent users or groups from installing unauthorized or unapproved software to reduce the risk of introducing malicious or vulnerable applications. This can be achieved through allowlists, software restriction policies, endpoint management tools, and least privilege access principles. This mitigation can be implemented through the following measures:
Application Whitelisting
- Implement Microsoft AppLocker or Windows Defender Application Control (WDAC) to create and enforce allowlists for approved software.
- Whitelist applications based on file hash, path, or digital signatures.
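The AppLocker part of this measure as a repeatable procedure, written as an added example for this page (it is not MITRE text and not a MITRE tool): inventory a clean reference machine, generate publisher rules with hash fallbacks, test a known-good and a known-bad file against the result, and apply it in audit mode first. The directories, the output path, the sample files and the `alice` profile are assumptions for illustration.

```powershell
# Added example, not MITRE's text or tooling. Run in an elevated session.
# Enforcement also needs the Application Identity service (AppIDSvc) running,
# which is normally set to start automatically through Group Policy.

$policyPath = 'C:\ProgramData\AppLocker\allowlist.xml'   # assumed output location
New-Item -ItemType Directory -Path (Split-Path $policyPath) -Force | Out-Null

# 1. Inventory executables, scripts and installers in the trusted install locations.
#    AppLocker is default-deny once a rule collection has any rule, so the OS
#    directory must be part of the reference scan or Windows components get denied.
$fileInfo = foreach ($dir in 'C:\Windows', 'C:\Program Files', 'C:\Program Files (x86)') {
    Get-AppLockerFileInformation -Directory $dir -Recurse -FileType Exe, Script, WindowsInstaller
}

# 2. Prefer publisher (signature) rules; fall back to hash rules for unsigned files.
#    -Optimize merges files from the same publisher into one rule.
[xml]$policy = New-AppLockerPolicy -FileInformation $fileInfo `
    -RuleType Publisher, Hash -User Everyone -Optimize -IgnoreMissingFileInformation -Xml

# 3. Start in AuditOnly: executions that would be blocked are logged (event 8003)
#    without breaking users. Switch to 'Enabled' once the audit log is quiet.
foreach ($collection in $policy.AppLockerPolicy.RuleCollection) {
    $collection.EnforcementMode = 'AuditOnly'
}
$policy.Save($policyPath)

# 4. Dry-run one file that must stay allowed and one that should be denied
#    (both paths must exist on disk for Test-AppLockerPolicy to evaluate them).
Test-AppLockerPolicy -XmlPolicy $policyPath -User Everyone -Path @(
    'C:\Windows\System32\notepad.exe',
    'C:\Users\alice\AppData\Local\Temp\setup.exe'   # assumed unapproved download
) | Select-Object FilePath, PolicyDecision, MatchingRule

# 5. Merge into the local policy (add -Ldap to target a domain GPO instead).
Set-AppLockerPolicy -XmlPolicy $policyPath -Merge

# 6. Review audit hits (8003 = would have been blocked, 8004 = blocked in enforce mode).
Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-AppLocker/EXE and DLL'; Id = 8003, 8004 } `
    -MaxEvents 20 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message
```

The step-4 check matters more than it looks: if `notepad.exe` comes back `Denied`, the reference scan missed the OS directory and enforcing the policy would break the machine. Keep the policy in `AuditOnly` until the 8003 events stop showing legitimate software.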
Restrict User Permissions
- Remove local administrator rights for all non-IT users.
- Use Role-Based Access Control (RBAC) to restrict installation permissions to privileged accounts only.
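A spot check that enforces the first bullet on one machine, added here as an example (not MITRE text): reconcile the local Administrators group against an approved member list and remove everything else, with `-WhatIf` support so the removal can be previewed. The approved members (`CORP\Workstation Admins`) are an assumption; at scale the same intent is expressed through Group Policy Restricted Groups, Intune, or LAPS, and this script only verifies that those controls actually landed.

```powershell
# Added example, not MITRE's text. Run elevated; preview with -WhatIf first.
function Invoke-LocalAdminReconcile {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [string[]]$ApprovedMembers = @(
            "$env:COMPUTERNAME\Administrator",   # built-in account, password managed by LAPS
            'CORP\Workstation Admins'            # assumption: the IT admin group for this tier
        )
    )
    # Get-LocalGroupMember reports the principal name in DOMAIN\name or HOST\name form,
    # plus ObjectClass (User/Group) and PrincipalSource (Local/ActiveDirectory/AzureAD).
    # Note: some Windows builds throw on orphaned SIDs in the group; clean those first.
    $members = Get-LocalGroupMember -Group 'Administrators'
    foreach ($m in $members) {
        if ($ApprovedMembers -contains $m.Name) { continue }
        $removed = $false
        if ($PSCmdlet.ShouldProcess($m.Name, 'Remove from local Administrators')) {
            Remove-LocalGroupMember -Group 'Administrators' -Member $m.Name
            $removed = $true
        }
        [pscustomobject]@{
            Unapproved = $m.Name
            Class      = $m.ObjectClass
            Source     = $m.PrincipalSource
            Removed    = $removed
        }
    }
}

# Preview, then enforce and keep the output as the audit record for this host.
Invoke-LocalAdminReconcile -WhatIf
Invoke-LocalAdminReconcile | Export-Csv "C:\ProgramData\Inventory\$env:COMPUTERNAME-localadmins.csv" -NoTypeInformation
```

Keep the approved list short and group-based; a long list of individual users in it is the same problem the control is meant to remove, just relocated into a script.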
Software Restriction Policies (SRP)
- Use GPO to configure SRP to deny execution of binaries from directories such as `%AppData%`, `%Temp%`, and external drives.
- Restrict specific file types (`.exe`, `.bat`, `.msi`, `.js`, `.vbs`) to trusted directories only.
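What those two bullets look like as concrete SRP rules, added here as an example (not MITRE text): the script writes the same registry keys the Group Policy editor populates, so it can be used to stage and inspect a rule set locally before putting it in a GPO. The denied directories, the extended file-type list and the single `ApprovedTool` exception are assumptions to adjust locally. Note that Microsoft has deprecated SRP in favour of AppLocker and WDAC; the same intent is usually better expressed as AppLocker path rules, and this is shown because the mitigation text names SRP.

```powershell
# Added example, not MITRE's text. Run elevated, then `gpupdate /force`.
$safer        = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'
$disallowed   = "$safer\0"        # security level 0       = Disallowed
$unrestricted = "$safer\262144"   # security level 0x40000 = Unrestricted
New-Item -Path "$disallowed\Paths", "$unrestricted\Paths" -Force | Out-Null

# Global settings: default level Unrestricted (the rules below carve out denials),
# apply to every user including local administrators (PolicyScope 0), enforce on
# all software files except DLLs (TransparentEnabled 1; 2 would include DLLs).
Set-ItemProperty -Path $safer -Name DefaultLevel        -Value 262144 -Type DWord
Set-ItemProperty -Path $safer -Name PolicyScope         -Value 0      -Type DWord
Set-ItemProperty -Path $safer -Name TransparentEnabled  -Value 1      -Type DWord
Set-ItemProperty -Path $safer -Name AuthenticodeEnabled -Value 0      -Type DWord

# Designated file types. EXE and DLL are always covered; this list is the default
# set plus the script types named in the mitigation text (assumed additions).
Set-ItemProperty -Path $safer -Name ExecutableTypes -Type MultiString -Value @(
    'ADE','ADP','BAS','BAT','CHM','CMD','COM','CPL','CRT','HLP','HTA','INF','INS','ISP',
    'LNK','MDB','MDE','MSC','MSI','MSP','MST','OCX','PCD','PIF','REG','SCR','SHS','URL',
    'VB','WSC','JS','JSE','VBS','VBE','WSF','WSH','PS1'
)

function Add-SrpPathRule {
    param([string]$LevelKey, [string]$Path, [string]$Description)
    # Each path rule is a GUID-named subkey under <level>\Paths with four values.
    $rule = "$LevelKey\Paths\{$([guid]::NewGuid().ToString().ToUpper())}"
    New-Item -Path $rule -Force | Out-Null
    Set-ItemProperty -Path $rule -Name ItemData     -Value $Path        -Type ExpandString
    Set-ItemProperty -Path $rule -Name SaferFlags   -Value 0            -Type DWord
    Set-ItemProperty -Path $rule -Name Description  -Value $Description -Type String
    Set-ItemProperty -Path $rule -Name LastModified -Value ([datetime]::UtcNow.ToFileTimeUtc()) -Type QWord
}

# Deny rules for the user-writable locations the mitigation text calls out.
# A folder rule covers everything beneath it; environment variables expand per user.
Add-SrpPathRule $disallowed '%USERPROFILE%\AppData\Roaming' 'Deny execution from %AppData%'
Add-SrpPathRule $disallowed '%USERPROFILE%\AppData\Local'   'Deny execution from %LocalAppData% (includes Temp)'
Add-SrpPathRule $disallowed '%WINDIR%\Temp'                 'Deny execution from the system temp directory'
# Removable drives have no fixed path: pin their drive letters by policy and add
# those letters here (for example 'E:\'), or handle them with device control instead.

# Trusted-directory exception: the most specific matching path rule wins, so an
# approved per-user install location stays runnable. (Assumed path for illustration.)
Add-SrpPathRule $unrestricted '%USERPROFILE%\AppData\Local\Programs\ApprovedTool' 'Exception: approved per-user tool'

# Show what was written, grouped by security level.
Get-ChildItem "$disallowed\Paths", "$unrestricted\Paths" |
    ForEach-Object { Get-ItemProperty $_.PSPath | Select-Object Description, ItemData }
```

Denying all of `%LocalAppData%` is the setting most likely to break legitimate per-user installers (collaboration and updater tools commonly live there), which is exactly what the exception mechanism is for: collect the blocked paths from a pilot group and add exceptions deliberately rather than widening the default level.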
Endpoint Management Solutions
- Deploy tools like Microsoft Intune, SCCM, or Jamf for centralized software management.
- Maintain a list of approved software, versions, and updates across the enterprise.
Monitor Software Installation Events
- Enable logging of software installation events and monitor Windows Event ID 4688 and Event ID 11707 for software installs.
- Use SIEM or EDR tools to alert on attempts to install unapproved software.
Implement Software Inventory Management
- Use tools like OSQuery or Wazuh to scan for unauthorized software on endpoints and servers.
- Conduct regular audits to detect and remove unapproved software.
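One native way to do the installation monitoring (Event ID 11707) and the inventory audit described in the two measures above without OSQuery or Wazuh, added here as an example (not MITRE text): list installed software from the registry Uninstall keys, diff it against an approved-software CSV, and pull the recent MSI install events so every unexpected package can be tied to a time and an account. The CSV path, its columns (`DisplayName,Publisher`, wildcards allowed) and the retention window are assumptions.

```powershell
# Added example, not MITRE's text. Win32_Product is deliberately avoided: querying
# it makes Windows Installer re-validate and possibly repair every installed product.

function Get-InstalledSoftware {
    # 64-bit, 32-bit (WOW6432Node) and per-user installs of the current account.
    # Per-user installs of other accounts need their HKU hives loaded; not done here.
    $keys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*'
    )
    Get-ItemProperty -Path $keys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName } |
        Select-Object DisplayName, DisplayVersion, Publisher, InstallDate,
            @{ n = 'Scope'; e = { if ($_.PSPath -like '*HKEY_CURRENT_USER*') { 'User' } else { 'Machine' } } }
}

function Compare-ToApprovedList {
    # Emits only the installed entries that match no row of the approved list.
    param([Parameter(Mandatory)][string]$ApprovedCsv)
    $approved = Import-Csv $ApprovedCsv
    foreach ($app in Get-InstalledSoftware) {
        $match = $approved | Where-Object {
            $app.DisplayName -like $_.DisplayName -and
            ([string]::IsNullOrEmpty($_.Publisher) -or $app.Publisher -like $_.Publisher)
        }
        if (-not $match) { $app }
    }
}

function Get-RecentMsiInstalls {
    # MsiInstaller 11707 = "Product: <name> -- Installation completed successfully."
    param([int]$Days = 7)
    Get-WinEvent -FilterHashtable @{
        LogName = 'Application'; ProviderName = 'MsiInstaller'; Id = 11707
        StartTime = (Get-Date).AddDays(-$Days)
    } -ErrorAction SilentlyContinue |
    Select-Object TimeCreated,
        @{ n = 'Product'; e = { (($_.Message -split '--')[0] -replace '^Product:\s*', '').Trim() } },
        @{ n = 'UserSid'; e = { $_.UserId.Value } }
}

# Usage: unapproved software on this host, and who installed MSI packages this week.
$approvedCsv = 'C:\ProgramData\Inventory\approved.csv'   # assumed location
Compare-ToApprovedList -ApprovedCsv $approvedCsv | Format-Table -AutoSize
Get-RecentMsiInstalls -Days 7 | Format-Table -AutoSize
```

Event 11707 only covers Windows Installer packages; setup executables that are not MSI-based appear only in the Uninstall keys (and in 4688 process creation), which is why the inventory diff and the event query are used together rather than either alone.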
*Tools for Implementation*
Application Whitelisting:
- Microsoft AppLocker
- Windows Defender Application Control (WDAC)
Endpoint Management:
- Microsoft Intune
- SCCM (System Center Configuration Manager)
- Jamf Pro (macOS)
- Puppet or Ansible for automation
Software Restriction Policies:
- Group Policy Object (GPO)
- Microsoft Software Restriction Policies (SRP)
Monitoring and Logging:
- Splunk
- OSQuery
- Wazuh (open-source SIEM and XDR)
- EDRs
Inventory Management and Auditing:
- OSQuery
- Wazuh
Analyst context for executives and security teams
Limit Software Installation is a preventative control that reduces the chance that users introduce malicious, unapproved, or vulnerable applications into the environment. Its business value is less about blocking one specific attack and more about reducing unmanaged software risk across execution, persistence, lateral movement, and supply-chain-related behaviors referenced by ATT&CK relationships.
Executive priority
Treat this as a governance and resilience control: leaders should know who can install software, how exceptions are approved, whether local administrator rights are minimized, and whether software inventory is audit-ready. Priority is highest where unmanaged endpoints, developer workstations, software deployment tools, browser or IDE extensions, and remote-control tools could affect business continuity or compliance evidence.
Technical view
SOC, endpoint, IAM, and infrastructure teams should validate that installation rights are restricted through least privilege, RBAC, allowlists, software restriction policies, endpoint management, and inventory controls. The relationship set shows relevance to execution via command and scripting interpreters, user execution, malicious libraries, software deployment tools, VNC-related lateral movement, software extensions, service/autostart persistence, and hidden artifacts. Because ATT&CK provides no separate detection text for this mitigation, detection engineering should focus on measuring policy enforcement, blocked install attempts, new software appearance, and unauthorized execution from user-writable or removable locations.
Likely telemetry
- Software installation events, including Windows Event ID 11707 where applicable
- Process creation telemetry, including Windows Event ID 4688 where applicable
- Endpoint management inventory of approved software, versions, and updates
- Application control or allowlist allow/deny decisions
- Software restriction policy or GPO enforcement events
Detection direction
- Confirm logging exists before relying on alerts; the official object lists monitoring examples but provides no formal ATT&CK detection logic.
- Tune for unauthorized installs, new software not in the approved inventory, and execution from locations such as AppData, Temp, trusted-directory exceptions, or external drives where policy allows visibility.
- Correlate blocked or allowed installs with user privilege level, endpoint role, and approval records to separate legitimate IT activity from policy drift.
- Pay special attention to software deployment tools and centralized management platforms because the related ATT&CK context includes abuse of these tools for execution and lateral movement.
- Include extension and developer-tool ecosystems in scope where relevant; browser extensions, IDE extensions, libraries, and development tools are explicitly represented in the related techniques.
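The second and third detection-direction bullets as a triage query over Security event 4688, added here as an example (not part of the ATT&CK object or the Glexia analysis): it keeps only process creations from user-writable or removable locations and tags each with whether the token was elevated and whether the launching account is a known deployment identity, so IT activity can be separated from policy drift. Requires "Audit Process Creation" to be enabled; the `CommandLine` field is only populated when "Include command line in process creation events" is also on. The path patterns and the `SVC-SCCM`/`SVC-INTUNE` account names are assumptions to tune locally.

```powershell
# Added example, not MITRE's text. Run elevated (reading the Security log).

# Locations the mitigation text singles out; tune to the local SRP/AppLocker exceptions.
$riskyPathPatterns = @(
    '*\Users\*\AppData\*',   # %AppData%, %LocalAppData% and the per-user Temp
    '*\Windows\Temp\*',
    '*\Users\Public\*'
)
$itDeploymentAccounts = @('SVC-SCCM', 'SVC-INTUNE')   # assumption: deployment identities

function Get-SuspiciousProcessCreations {
    param([int]$Hours = 24)

    # Removable drive letters at query time (for forensic use, capture at collection).
    $removable = @(Get-Volume -ErrorAction SilentlyContinue |
        Where-Object { $_.DriveType -eq 'Removable' -and $_.DriveLetter } |
        ForEach-Object { $_.DriveLetter })

    $events = Get-WinEvent -FilterHashtable @{
        LogName = 'Security'; Id = 4688; StartTime = (Get-Date).AddHours(-$Hours)
    } -ErrorAction SilentlyContinue

    foreach ($e in $events) {
        # Pull the EventData fields by name from the event XML.
        $x = [xml]$e.ToXml()
        $d = @{}
        foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }

        $path = $d['NewProcessName']
        $fromRisky     = [bool]($riskyPathPatterns | Where-Object { $path -like $_ })
        $fromRemovable = [bool]($removable | Where-Object { $path -like "$($_):\*" })
        if (-not $fromRisky -and -not $fromRemovable) { continue }

        $location = if ($fromRemovable) { 'Removable' } else { 'UserWritable' }
        [pscustomobject]@{
            Time        = $e.TimeCreated
            User        = "$($d['SubjectDomainName'])\$($d['SubjectUserName'])"
            Process     = $path
            Parent      = $d['ParentProcessName']
            CommandLine = $d['CommandLine']
            # %%1937 = TokenElevationTypeFull: the process got an unfiltered admin token.
            Elevated    = ($d['TokenElevationType'] -eq '%%1937')
            ITAccount   = ($itDeploymentAccounts -contains $d['SubjectUserName'])
            Location    = $location
        }
    }
}

# Usage: non-IT executions from risky locations in the last day, elevated ones first.
Get-SuspiciousProcessCreations -Hours 24 |
    Where-Object { -not $_.ITAccount } |
    Sort-Object Elevated -Descending |
    Format-Table Time, User, Elevated, Location, Process, Parent -AutoSize
```

The `ITAccount` flag is a triage aid, not an allowlist: a deployment service account launching an unsigned binary from a user's Temp directory is exactly the software-deployment-tool abuse the fourth bullet warns about, so review those rows rather than dropping them.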
Mitigation priorities
- Start with least privilege: remove local administrator rights from non-IT users and restrict installation permissions to approved privileged roles.
- Define and maintain an approved software inventory, including versions and update sources.
- Implement allowlisting or software restriction policies using hashes, paths, or digital signatures where operationally feasible.
- Restrict execution of risky file types and binaries from user-writable or removable locations as described in the official mitigation text.
- Centralize deployment and software lifecycle management through endpoint management solutions, with controlled exceptions and change records.
Analyst notes and limits
This mitigation is broad and preventive. It is most useful when translated into measurable control questions: who can install, what can run, where software may execute from, how exceptions are approved, and whether inventory matches reality. Relationship context makes it relevant to execution, persistence, lateral movement, initial access, privilege escalation, and stealth behaviors, but local architecture determines which areas matter most.
The supplied ATT&CK object has no platforms, tactics, or official detection section for the mitigation itself. Platform references come from the official description examples and related techniques, not from a mitigation platform field. Effectiveness depends on local endpoint coverage, identity model, exception handling, software inventory quality, and enforcement mode.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1176.001 | Browser Extensions Sub-technique | Only install browser extensions from trusted sources that can be verified. Browser extensions for some browsers can be controlled through Group Policy. Change settings to prevent the browser from installing extensions without sufficient permissions. |
| Enterprise | T1204.005 | Malicious Library Sub-technique | Where possible, consider requiring developers to pull from internal repositories containing verified and approved packages rather than from external ones. |
| Enterprise | T1195.001 | Compromise Software Dependencies and Development Tools Sub-technique | Where possible, consider requiring developers to pull from internal repositories containing verified and approved packages rather than from external ones. (Citation: Cider Security Top 10 CICD Security Risks) |
| Enterprise | T1059 | Command and Scripting Interpreter | Prevent user installation of unrequired command and scripting interpreters. |
| Enterprise | T1564 | Hide Artifacts | Restrict the installation of software that may be abused to create hidden desktops, such as hVNC, to user groups that require it. |
| Enterprise | T1059.011 | Lua Sub-technique | Prevent users from installing Lua where not required. |
| Enterprise | T1176 | Software Extensions | Only install extensions from trusted sources that can be verified. |
| Enterprise | T1543 | Create or Modify System Process | Restrict software installation to trusted repositories only and be cautious of orphaned software packages. |
| Enterprise | T1564.003 | Hidden Window Sub-technique | Restrict the installation of software that may be abused to create hidden desktops, such as hVNC, to user groups that require it. |
| Enterprise | T1072 | Software Deployment Tools | Restrict the use of third-party software suites installed within an enterprise network. |
| Enterprise | T1547.013 | XDG Autostart Entries Sub-technique | Restrict software installation to trusted repositories only and be cautious of orphaned software packages. |
| Enterprise | T1176.002 | IDE Extensions Sub-technique | Only install IDE extensions from trusted sources that can be verified. |
| Enterprise | T1059.006 | Python Sub-technique | Prevent users from installing Python where not required. |
| Enterprise | T1204 | User Execution | Where possible, consider requiring developers to pull from internal repositories containing verified and approved packages rather than from external ones. |
| Enterprise | T1195 | Supply Chain Compromise | Where possible, consider requiring developers to pull from internal repositories containing verified and approved packages rather than from external ones. (Citation: Cider Security Top 10 CICD Security Risks) |
| Enterprise | T1543.002 | Systemd Service Sub-technique | Restrict software installation to trusted repositories only and be cautious of orphaned software packages. |
| Enterprise | T1021.005 | VNC Sub-technique | Restrict software installation to user groups that require it. A VNC server must be manually installed by the user or adversary. |
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources: Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.1 | | Current bundle | 2659a7de3094… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] mitre-attack: M1033
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.